Fix CSRF token issue on login

2025-11-22 15:13:33 +08:00
parent 36c08b0ac1
commit 9064f9d60e
2 changed files with 23 additions and 4 deletions
--- a/app/init.py
+++ b/app/init.py
@@ -81,6 +81,11 @@ def create_app(
    app.extensions["connections"] = connections
    app.extensions["replication"] = replication

+    @app.after_request
+    def set_server_header(response):
+        response.headers["Server"] = "MyFSIO"
+        return response
+
    @app.errorhandler(500)
    def internal_error(error):
        return render_template('500.html'), 500
--- a/app/config.py
+++ b/app/config.py
@@ -78,11 +78,25 @@ class AppConfig:
        multipart_min_part_size = int(_get("MULTIPART_MIN_PART_SIZE", 5 * 1024 * 1024))
        default_secret = "dev-secret-key"
        secret_key = str(_get("SECRET_KEY", default_secret))
+        
+        # If using default/missing secret, try to load/persist a generated one from disk
+        # This ensures consistency across Gunicorn workers
        if not secret_key or secret_key == default_secret:
-            generated = secrets.token_urlsafe(32)
-            if secret_key == default_secret:
-                warnings.warn("Using insecure default SECRET_KEY. A random value has been generated; set SECRET_KEY for production", RuntimeWarning)
-            secret_key = generated
+            secret_file = storage_root / ".myfsio.sys" / "config" / ".secret"
+            if secret_file.exists():
+                secret_key = secret_file.read_text().strip()
+            else:
+                generated = secrets.token_urlsafe(32)
+                if secret_key == default_secret:
+                    warnings.warn("Using insecure default SECRET_KEY. A random value has been generated and persisted; set SECRET_KEY for production", RuntimeWarning)
+                try:
+                    secret_file.parent.mkdir(parents=True, exist_ok=True)
+                    secret_file.write_text(generated)
+                    secret_key = generated
+                except OSError:
+                    # Fallback if we can't write to disk (e.g. read-only fs)
+                    secret_key = generated
+
        iam_env_override = "IAM_CONFIG" in overrides or "IAM_CONFIG" in os.environ
        bucket_policy_override = "BUCKET_POLICY_PATH" in overrides or "BUCKET_POLICY_PATH" in os.environ