auto-save 2026-05-11 17:44 (~3)

2026-05-11 17:44:38 +08:00
parent 0ec86e845e
commit 8028179ae9
3 changed files with 32 additions and 17 deletions
--- a/server/feishu_bridge.py
+++ b/server/feishu_bridge.py
@@ -1114,16 +1114,28 @@ def handle_ui_config_post(headers: dict[str, str], body: dict[str, Any]) -> tupl
    return 200, {"code": 0, "msg": "ok", "config": config}


+def admin_allowed_origins(headers: dict[str, str]) -> set[str]:
+    origins = _csv_set(_env("HERMES_ADMIN_ORIGINS", "https://hermes.kang-kang.com"))
+    host = (headers.get("x-forwarded-host") or headers.get("host") or "").split(",", 1)[0].strip()
+    proto = (headers.get("x-forwarded-proto") or "").split(",", 1)[0].strip()
+    if host:
+        origins.add(f"{proto or 'https'}://{host}")
+        origins.add(f"http://{host}")
+    return origins
+
+
 def is_admin_request(headers: dict[str, str]) -> tuple[bool, int, str]:
    cookie = headers.get("cookie", "")
    if "hermes_auth=ok" not in cookie:
        return False, 401, "login required"
    origin = headers.get("origin", "")
    referer = headers.get("referer", "")
-    allowed = "https://hermes.kang-kang.com"
-    if origin and origin != allowed:
+    allowed = admin_allowed_origins(headers)
+    if origin and origin not in allowed:
        return False, 403, "invalid origin"
-    if not origin and referer and not referer.startswith(allowed + "/"):
+    if not origin and referer and not any(
+        referer.startswith(item.rstrip("/") + "/") for item in allowed
+    ):
        return False, 403, "invalid referer"
    return True, 200, "ok"