NapNeko / NapCatQQ

A modern Bot protocol-side implementation based on NTQQ
https://napcat.napneko.icu

[BUG] Reverse WebSocket authentication not working? #82

Closed InoryS closed 5 months ago

InoryS commented 5 months ago

System version

AlmaLinux 8

QQNT version

Linux 3.2.9-248156-AMD64-RPM

NapCat version

v1.6.1 V1.5.8

OneBot client

nonebot 2.3.1

What happened?

When connecting to a self-made client via HTTP POST, a request that does not carry the Token correctly triggers a 403. When using NoneBot2 with reverse WebSocket authentication, the connection still succeeds without filling in any token.

How to reproduce

1. Install NapCatQQ and log in.
2. Edit onebot11_1960000000.json:

{
  "http": {
    "enable": true,
    "host": "",
    "port": 5700,
    "secret": "somesecret",
    "enableHeart": false,
    "enablePost": true,
    "postUrls": [
      "https://127.0.0.1:8999/cqhttp"
    ]
  },
  "ws": {
    "enable": false,
    "host": "",
    "port": 3001
  },
  "reverseWs": {
    "enable": true,
    "urls": [
      "ws://127.0.0.1:7999/onebot/v11/ws"
    ]
  },
  "debug": false,
  "heartInterval": 30000,
  "messagePostFormat": "array",
  "enableLocalFile2Url": true,
  "musicSignUrl": "",
  "reportSelfMessage": false,
  "token": "sometoken",
  "GroupLocalTime": {
    "Record": false,
    "RecordList": []
  }
}

3. The token has been filled in in the config file.
4. Restart NapCatQQ.
5. An HTTP POST client that does not carry an Authorization header gets a 403.
6. Fresh install of NoneBot 2.3.1 with the built-in echo plugin enabled; .env is as follows:

DRIVER=~fastapi+~websockets
HOST=127.0.0.1  # IP / hostname NoneBot listens on
PORT=7999  # port NoneBot listens on
COMMAND_START=["/"]  # command start characters
COMMAND_SEP=["."]  # command separator characters
LOG_LEVEL=DEBUG

7. NoneBot connects to NapCatQQ normally.
8. And /echo gets a reply.

Expected result?

With no token filled in on the NoneBot side, it should not be able to connect to NapCatQQ.

NapCat run log

6月 22 17:56:51 qq[2337759]: 2024-06-22 17:56:51 [DEBUG] () | 配置文件/opt/NapCat.linux.x64/config/napcat_19630000000.json已 >
6月 22 17:56:51 qq[2337759]: 2024-06-22 17:56:51 [INFO] (19630000000) |
6月 22 17:56:51 qq[2337759]:     HTTP服务 已启动, :5700
6月 22 17:56:51 qq[2337759]:     HTTP上报服务 已启动, 上报地址: https://127.0.0.1:8999/cqhttp
6月 22 17:56:51 qq[2337759]:     WebSocket服务 未启动, :3001
6月 22 17:56:51 qq[2337759]:     WebSocket反向服务 已启动, 反向地址: ws://127.0.0.1:7999/onebot/v11/ws
6月 22 17:56:51 qq[2337759]:      
6月 22 17:56:51 qq[2337759]: 2024-06-22 17:56:51 [INFO] (19630000000) | 开始连接反向ws ws://127.0.0.1:7999/onebot/v11/ws
6月 22 17:56:51 qq[2337759]: 2024-06-22 17:56:51 [INFO] (19630000000) | 登录成功!
6月 22 17:56:51 qq[2337759]: 2024-06-22 17:56:51 [INFO] (19630000000) | OneBot V11 server started 0.0.0.0:5700

OneBot client run log

6月 22 18:07:12 python[2664052]: 06-22 18:07:12 [INFO] uvicorn | Started server process [2664052]
6月 22 18:07:12 python[2664052]: 06-22 18:07:12 [INFO] uvicorn | Waiting for application startup.
6月 22 18:07:12 python[2664052]: 06-22 18:07:12 [INFO] uvicorn | Application startup complete.
6月 22 18:07:12 python[2664052]: 06-22 18:07:12 [INFO] uvicorn | Uvicorn running on http://127.0.0.1:7999 (Press CTRL+C to quit)
6月 22 18:07:14 python[2664052]: 06-22 18:07:14 [INFO] uvicorn | ('127.0.0.1', 39346) - "WebSocket /onebot/v11/ws" [accepted]
6月 22 18:07:14 python[2664052]: 06-22 18:07:14 [INFO] nonebot | OneBot V11 | Bot 19630000000 connected
6月 22 18:07:14 python[2664052]: 06-22 18:07:14 [INFO] websockets | connection open

MliKiowa commented 5 months ago

Reverse connections do not require authentication.

MliKiowa commented 5 months ago

Even if the reverse connection were authenticated, that should happen on the application side.
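Added example, not code from this issue or from the NapCat or NoneBot projects: in a reverse WebSocket setup NapCat is the connecting client and the application (NoneBot in this report) is the HTTP server that accepts the upgrade, so the only side that can enforce a token is the application's upgrade handler, which is the point of the maintainer's reply. The Python below is a standalone check such a handler could run before sending `101 Switching Protocols`. It assumes the OneBot 11 convention of presenting the token either as `Authorization: Bearer <token>` or as an `access_token` query parameter; the function names, the sample upgrade requests and the reuse of the `sometoken` value from the config above are illustrative.

```python
"""Server-side token check for a reverse-WebSocket OneBot endpoint (added example)."""
import hmac
from typing import Mapping, Optional
from urllib.parse import parse_qs, urlsplit


def extract_token(headers: Mapping[str, str], request_target: str) -> Optional[str]:
    """Pull the access token out of the WebSocket upgrade request.

    Convention assumed here (OneBot 11): either an `Authorization: Bearer <token>`
    header or an `access_token` query parameter; the header wins when both exist.
    Header names are matched case-insensitively because HTTP header names are.
    """
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, value = auth.strip().partition(" ")
    if scheme.lower() == "bearer" and value.strip():
        return value.strip()
    params = parse_qs(urlsplit(request_target).query)
    values = params.get("access_token")
    if values and values[0]:
        return values[0]
    return None


def authorize_reverse_ws(headers: Mapping[str, str], request_target: str,
                         expected_token: str) -> bool:
    """True only when a token is configured and the presented token matches it.

    Design choice: an empty configured token rejects every client (fail closed),
    so a missing config value can never silently disable the check.
    """
    if not expected_token:
        return False
    presented = extract_token(headers, request_target)
    if presented is None:
        return False
    # Constant-time comparison avoids leaking the token through timing differences.
    return hmac.compare_digest(presented.encode("utf-8"), expected_token.encode("utf-8"))


def handshake_status(headers: Mapping[str, str], request_target: str,
                     expected_token: str) -> int:
    """HTTP status the upgrade handler should answer with before any 101 is sent:
    401 when no credentials were presented, 403 when they were wrong, 101 on success."""
    if authorize_reverse_ws(headers, request_target, expected_token):
        return 101
    if extract_token(headers, request_target) is None:
        return 401
    return 403


if __name__ == "__main__":
    # Constructed sample upgrade requests; "sometoken" mirrors the config in the issue.
    configured = "sometoken"
    samples = {
        "no credentials": ({}, "/onebot/v11/ws"),
        "wrong header": ({"Authorization": "Bearer nope"}, "/onebot/v11/ws"),
        "valid header": ({"authorization": "Bearer sometoken"}, "/onebot/v11/ws"),
        "valid query": ({}, "/onebot/v11/ws?access_token=sometoken"),
    }
    for name, (hdrs, target) in samples.items():
        print(f"{name:15s} -> {handshake_status(hdrs, target, configured)}")
```

The check has to run on the server side of the upgrade, which in the reverse case is the application, not NapCat: a token configured only on the connecting side is just a value the client sends, and nothing enforces it unless the receiver compares it. The fail-closed handling of an empty configured token is a deliberate choice here; if unauthenticated local use is intended, make that an explicit setting rather than the default.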