From 9064f9d60eef3332d83c89215c7c624fb608f293 Mon Sep 17 00:00:00 2001
From: kqjy
Date: Sat, 22 Nov 2025 15:13:33 +0800
Subject: [PATCH] Fix CSRF token issue on login
---
 app/__init__.py | 5 +++++
 app/config.py | 22 ++++++++++++++++++----
 2 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/app/__init__.py b/app/__init__.py
index cf75a06..5afd75c 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -81,6 +81,11 @@ def create_app(
 app.extensions["connections"] = connections
 app.extensions["replication"] = replication
+ @app.after_request
+ def set_server_header(response):
+ response.headers["Server"] = "MyFSIO"
+ return response
+
 @app.errorhandler(500)
 def internal_error(error):
 return render_template('500.html'), 500
diff --git a/app/config.py b/app/config.py
index 282b3a9..2033cbd 100644
--- a/app/config.py
+++ b/app/config.py
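Review bot: `set_server_header` is unrelated to the commit subject "Fix CSRF token issue on login" and lands without a docstring; a one-liner such as `"""Replace the default Server response header with a product name."""` would record why it exists. Setting the header inside Flask only covers responses that pass through `after_request`; if the WSGI server or a reverse proxy in front of the app emits its own Server header, that layer's value may still be what clients see, which is worth confirming in deployment. Splitting this into its own commit would let the secret-key change in app/config.py be reviewed and reverted on its own. `create_app` starts before the hunk.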
@@ -78,11 +78,25 @@ class AppConfig:
 multipart_min_part_size = int(_get("MULTIPART_MIN_PART_SIZE", 5 * 1024 * 1024))
 default_secret = "dev-secret-key"
 secret_key = str(_get("SECRET_KEY", default_secret))
+
+ # If using default/missing secret, try to load/persist a generated one from disk
+ # This ensures consistency across Gunicorn workers
 if not secret_key or secret_key == default_secret:
- generated = secrets.token_urlsafe(32)
- if secret_key == default_secret:
- warnings.warn("Using insecure default SECRET_KEY. A random value has been generated; set SECRET_KEY for production", RuntimeWarning)
- secret_key = generated
+ secret_file = storage_root / ".myfsio.sys" / "config" / ".secret"
+ if secret_file.exists():
+ secret_key = secret_file.read_text().strip()
+ else:
+ generated = secrets.token_urlsafe(32)
+ if secret_key == default_secret:
+ warnings.warn("Using insecure default SECRET_KEY. A random value has been generated and persisted; set SECRET_KEY for production", RuntimeWarning)
+ try:
+ secret_file.parent.mkdir(parents=True, exist_ok=True)
+ secret_file.write_text(generated)
+ secret_key = generated
+ except OSError:
+ # Fallback if we can't write to disk (e.g. read-only fs)
+ secret_key = generated
+
 iam_env_override = "IAM_CONFIG" in overrides or "IAM_CONFIG" in os.environ
 bucket_policy_override = "BUCKET_POLICY_PATH" in overrides or "BUCKET_POLICY_PATH" in os.environ
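Review bot: The persisted secret is written with `secret_file.write_text(generated)`, which creates the file with whatever mode the process umask allows, so on a shared host other local users may be able to read the session-signing key; and because existence is checked with `secret_file.exists()` before writing, two Gunicorn workers starting at the same time can both take the `else` branch, each keeping its own `generated` while the last writer wins on disk, leaving workers with different keys — the inconsistency this change sets out to remove. A `secret_file.read_text().strip()` that yields an empty string (empty or truncated file) is likewise accepted as the key with no warning. Creating the file with `os.open(..., os.O_CREAT | os.O_EXCL, 0o600)` makes exactly one worker the writer and the rest readers, and treating an empty file like a missing one closes the third gap; `os` is already in scope per the hunk's context lines. The enclosing method of `AppConfig` starts before the hunk and `storage_root` is defined outside it.
```python
        if not secret_key or secret_key == default_secret:
            secret_file = storage_root / ".myfsio.sys" / "config" / ".secret"
            generated = secrets.token_urlsafe(32)
            try:
                secret_file.parent.mkdir(parents=True, exist_ok=True)
                # O_EXCL: exactly one worker creates the file; 0o600 keeps it owner-readable only
                fd = os.open(secret_file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
                with os.fdopen(fd, "w") as fh:
                    fh.write(generated)
                secret_key = generated
                # … unchanged: RuntimeWarning about the insecure default SECRET_KEY …
            except FileExistsError:
                # Another worker (or an earlier run) already persisted a key; an empty file counts as missing
                secret_key = secret_file.read_text().strip() or generated
            except OSError:
                # Fallback if we can't write to disk (e.g. read-only fs)
                secret_key = generated
```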