From bdac0b65f426e00b5b9ced8ba924189cbe6d2ae4 Mon Sep 17 00:00:00 2001
From: orbisai0security
Date: Thu, 12 Mar 2026 21:23:47 +0530
Subject: [PATCH] fix: resolve critical vulnerability V-004 (#6093)

Automatically generated security fix

Co-authored-by: orbisai0security
---
 astrbot/dashboard/routes/backup.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/astrbot/dashboard/routes/backup.py b/astrbot/dashboard/routes/backup.py
index 952806beb..49722c6a3 100644
--- a/astrbot/dashboard/routes/backup.py
+++ b/astrbot/dashboard/routes/backup.py
@@ -977,7 +977,17 @@ class BackupRoute(Route):
 if not jwt_secret:
 return Response().error("服务器配置错误").__dict__
- jwt.decode(token, jwt_secret, algorithms=["HS256"])
+ # Verify JWT token with strict security options
+ jwt.decode(
+ token,
+ jwt_secret,
+ algorithms=["HS256"],
+ options={
+ "require": ["exp"], # Require expiration claim
+ "verify_signature": True, # Explicitly verify signature
+ "verify_exp": True, # Verify expiration
+ }
+ )
 except jwt.ExpiredSignatureError:
 return Response().error("Token 已过期,请刷新页面后重试").__dict__
 except jwt.InvalidTokenError:
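Review bot: The only behavioural change in the new `options` dict is `"require": ["exp"]`; assuming `jwt` is PyJWT (the `ExpiredSignatureError`/`InvalidTokenError` names and the `algorithms=` keyword suggest so), `verify_signature` and `verify_exp` are already its defaults, so the comments `# Explicitly verify signature` and `# Verify expiration` overstate what this patch adds. A token without `exp` now raises `MissingRequiredClaimError`, which is a subclass of `InvalidTokenError` and therefore lands in the existing `except jwt.InvalidTokenError` branch, so no new handler is needed. The decoded payload is still discarded, so validation stops at signature and expiry; if the token is meant to carry an audience, issuer or subject that this route should bind to, that check is not present in the hunk (the enclosing method, and where `token` is read from the request, are outside it). Suggest collapsing the three inline comments into one line above the call, `# "exp" is required so non-expiring tokens are rejected; signature and expiry checks are PyJWT defaults`, and adding the trailing comma after the closing `}` so the call is stable under black.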