Merge pull request #972 from EstrellaXD/3.2-dev

3.2.3

Author: EstrellaXD

CHANGELOG.md

@@ -1,3 +1,57 @@
+# [3.2.3] - 2026-02-23
+
+## Backend
+
+### Added
+
+- 新增 MCP (Model Context Protocol) 服务器，支持通过 Claude Desktop 等 LLM 工具管理番剧订阅
+  - SSE 传输层挂载在 `/mcp/sse`，支持 MCP 客户端连接
+  - 10 个工具：list_anime、get_anime、search_anime、subscribe_anime、unsubscribe_anime、list_downloads、list_rss_feeds、get_program_status、refresh_feeds、update_anime
+  - 4 个资源：anime/list、anime/{id}、status、rss/feeds
+  - 本地网络 IP 白名单安全中间件（RFC 1918 + 回环地址），无需 JWT 认证
+- 新增通知系统重构，支持多通知渠道同时启用
+  - 支持 Telegram、Bark、Server 酱、企业微信、Discord、Gotify、Pushover、Webhook 八种渠道
+  - 新增通知管理 API：`GET/PUT /api/notification/providers`
+- 新增 E2E 集成测试套件，覆盖 RSS→下载→重命名全流程
+
+### Fixes
+
+- 修复第 0 集（SP/OVA）被错误重命名为第 1 集的问题 (#977)
+  - Episode 0 现在免受集数偏移影响，不再覆盖正常集数文件
+- 修复 RSS 过滤器包含特殊字符（如 `[字幕组`）时导致程序崩溃的问题 (#974)
+  - 无效正则表达式自动降级为字面量匹配
+- 修复聚合 RSS 解析时 `title_raw` 为空导致 `TypeError` 崩溃的问题 (#976)
+- 修复解析器处理无括号种子名称时 `IndexError` 崩溃的问题 (#973)
+- 修复删除番剧时未清理关联种子记录的问题
+- 修复认证路由、JWT 刷新和 WebAuthn 注册流程的多个安全问题
+- 修复程序生命周期管理和后台任务取消逻辑
+- 修复数据库迁移在部分场景下未正确执行的问题
+
+### Performance
+
+- 优化日志系统：`RotatingFileHandler` 轮转（5 MB × 3）、`QueueHandler` 异步写入、`GET /api/log` 限读 512 KB
+- 优化重命名器：批量数据库查询，并发获取种子文件列表
+- 所有 `logger.debug(f"...")` 转为惰性 `%s` 格式化（~80 处）
+
+### Tests
+
+- 新增 26 个回归测试覆盖 #974、#976、#977、#986
+- 扩展 raw_parser、torrent_parser、path_parser 测试覆盖率
+
+## Frontend
+
+### Fixes
+
+- 修复认证路由守卫和 i18n 初始化顺序问题
+- 修复通知设置组件与项目设计系统的对齐问题
+- 修复组件生命周期管理问题
+
+## Docs
+
+- README 移除未实现的 Aria2 和 Transmission 下载器 (#987)
+
+---
+
 # [3.2.0-beta.13] - 2026-01-26
 
 ## Frontend

README.md

@@ -80,8 +80,6 @@
 ***已支持的下载器：***
 
 - qBittorrent
-- Aria2
-- Transmission
 
 ## Star History
 

backend/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "auto-bangumi"
-version = "3.2.3-beta.1"
+version = "3.2.3"
 description = "AutoBangumi - Automated anime download manager"
 requires-python = ">=3.13"
 dependencies = [
@@ -24,6 +24,7 @@ dependencies = [
     "sse-starlette>=1.6.5",
     "webauthn>=2.0.0",
     "urllib3>=2.0.3",
+    "mcp[cli]>=1.8.0",
 ]
 
 [dependency-groups]
@@ -40,6 +41,9 @@ dev = [
 testpaths = ["src/test"]
 pythonpath = ["src"]
 asyncio_mode = "auto"
+markers = [
+    "e2e: End-to-end integration tests (require Docker)",
+]
 
 [tool.ruff]
 line-length = 88

backend/src/main.py

@@ -1,15 +1,19 @@
 import logging
 import os
 from contextlib import asynccontextmanager
+from pathlib import Path
 
 import uvicorn
 from fastapi import FastAPI, Request
+from fastapi.middleware.cors import CORSMiddleware
 from fastapi.responses import FileResponse, HTMLResponse, RedirectResponse
 from fastapi.staticfiles import StaticFiles
 from fastapi.templating import Jinja2Templates
+
 from module.api import v1
 from module.api.program import program
 from module.conf import VERSION, settings, setup_logger
+from module.mcp import create_mcp_app
 
 setup_logger(reset=True)
 logger = logging.getLogger(__name__)
@@ -42,21 +46,35 @@ async def lifespan(app: FastAPI):
 def create_app() -> FastAPI:
     app = FastAPI(lifespan=lifespan)
 
+    app.add_middleware(
+        CORSMiddleware,
+        allow_origins=[],
+        allow_credentials=True,
+        allow_methods=["GET", "POST", "PUT", "PATCH", "DELETE"],
+        allow_headers=["*"],
+    )
+
     # mount routers
     app.include_router(v1, prefix="/api")
 
+    # mount MCP server (SSE transport for LLM tool integration)
+    app.mount("/mcp", create_mcp_app())
+
     return app
 
 
 app = create_app()
 
 
+_POSTERS_BASE = Path("data/posters").resolve()
+
+
 @app.get("/posters/{path:path}", tags=["posters"])
 def posters(path: str):
-    # prevent path traversal
-    if ".." in path:
+    resolved = (_POSTERS_BASE / path).resolve()
+    if not str(resolved).startswith(str(_POSTERS_BASE)):
         return HTMLResponse(status_code=403)
-    return FileResponse(f"data/posters/{path}")
+    return FileResponse(str(resolved))
 
 
 if VERSION != "DEV_VERSION":
@@ -73,6 +91,7 @@ def html(request: Request, path: str):
         else:
             context = {"request": request}
             return templates.TemplateResponse("index.html", context)
+
 else:
 
     @app.get("/", status_code=302, tags=["html"])

backend/src/module/ab_decorator/__init__.py

@@ -2,11 +2,15 @@
 import functools
 import logging
 
+import httpx
+
 from .timeout import timeout
 
 logger = logging.getLogger(__name__)
 _lock = asyncio.Lock()
 
+_RETRY_DELAYS = [5, 15, 45, 120, 300]
+
 
 def qb_connect_failed_wait(func):
     @functools.wraps(func)
@@ -15,11 +19,21 @@ async def wrapper(*args, **kwargs):
         while times < 5:
             try:
                 return await func(*args, **kwargs)
-            except Exception as e:
-                logger.debug(f"URL: {args[0]}")
+            except (
+                ConnectionError,
+                TimeoutError,
+                OSError,
+                httpx.ConnectError,
+                httpx.TimeoutException,
+                httpx.RequestError,
+            ) as e:
+                delay = _RETRY_DELAYS[times]
+                logger.debug("URL: %s", args[0])
                 logger.warning(e)
-                logger.warning("Cannot connect to qBittorrent. Wait 5 min and retry...")
-                await asyncio.sleep(300)
+                logger.warning(
+                    "Cannot connect to qBittorrent. Wait %ds and retry...", delay
+                )
+                await asyncio.sleep(delay)
                 times += 1
 
     return wrapper
@@ -31,7 +45,7 @@ async def wrapper(*args, **kwargs):
         try:
             return await func(*args, **kwargs)
         except Exception as e:
-            logger.debug(f"URL: {args[0]}")
+            logger.debug("URL: %s", args[0])
             logger.warning("Wrong API response.")
             logger.debug(e)
 

backend/src/module/api/__init__.py

@@ -10,6 +10,7 @@
 from .rss import router as rss_router
 from .search import router as search_router
 from .setup import router as setup_router
+from .notification import router as notification_router
 
 __all__ = "v1"
 
@@ -25,3 +26,4 @@
 v1.include_router(rss_router)
 v1.include_router(search_router)
 v1.include_router(setup_router)
+v1.include_router(notification_router)

backend/src/module/api/auth.py

@@ -1,6 +1,6 @@
-from datetime import timedelta
+from datetime import datetime, timedelta
 
-from fastapi import APIRouter, Depends, HTTPException, status
+from fastapi import APIRouter, Cookie, Depends, HTTPException, status
 from fastapi.responses import JSONResponse, Response
 from fastapi.security import OAuth2PasswordRequestForm
 
@@ -12,7 +12,7 @@
     get_current_user,
     update_user_info,
 )
-from module.security.jwt import create_access_token
+from module.security.jwt import create_access_token, decode_token
 
 from .response import u_response
 
@@ -35,19 +35,29 @@ async def login(response: Response, form_data=Depends(OAuth2PasswordRequestForm)
 @router.get(
     "/refresh_token", response_model=dict, dependencies=[Depends(get_current_user)]
 )
-async def refresh(response: Response):
-    token = create_access_token(
-        data={"sub": active_user[0]}, expires_delta=timedelta(days=1)
+async def refresh(response: Response, token: str = Cookie(None)):
+    payload = decode_token(token)
+    username = payload.get("sub") if payload else None
+    if not username:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED, detail="Unauthorized"
+        )
+    active_user[username] = datetime.now()
+    new_token = create_access_token(
+        data={"sub": username}, expires_delta=timedelta(days=1)
     )
-    response.set_cookie(key="token", value=token, httponly=True, max_age=86400)
-    return {"access_token": token, "token_type": "bearer"}
+    response.set_cookie(key="token", value=new_token, httponly=True, max_age=86400)
+    return {"access_token": new_token, "token_type": "bearer"}
 
 
 @router.get(
     "/logout", response_model=APIResponse, dependencies=[Depends(get_current_user)]
 )
-async def logout(response: Response):
-    active_user.clear()
+async def logout(response: Response, token: str = Cookie(None)):
+    payload = decode_token(token)
+    username = payload.get("sub") if payload else None
+    if username:
+        active_user.pop(username, None)
     response.delete_cookie(key="token")
     return JSONResponse(
         status_code=200,
@@ -56,8 +66,15 @@ async def logout(response: Response):
 
 
 @router.post("/update", response_model=dict, dependencies=[Depends(get_current_user)])
-async def update_user(user_data: UserUpdate, response: Response):
-    old_user = active_user[0]
+async def update_user(
+    user_data: UserUpdate, response: Response, token: str = Cookie(None)
+):
+    payload = decode_token(token)
+    old_user = payload.get("sub") if payload else None
+    if not old_user:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED, detail="Unauthorized"
+        )
     if update_user_info(user_data, old_user):
         token = create_access_token(
             data={"sub": old_user}, expires_delta=timedelta(days=1)

backend/src/module/api/config.py

@@ -10,10 +10,24 @@
 router = APIRouter(prefix="/config", tags=["config"])
 logger = logging.getLogger(__name__)
 
+_SENSITIVE_KEYS = ("password", "api_key", "token", "secret")
 
-@router.get("/get", response_model=Config, dependencies=[Depends(get_current_user)])
+
+def _sanitize_dict(d: dict) -> dict:
+    result = {}
+    for k, v in d.items():
+        if isinstance(v, dict):
+            result[k] = _sanitize_dict(v)
+        elif any(s in k.lower() for s in _SENSITIVE_KEYS):
+            result[k] = "********"
+        else:
+            result[k] = v
+    return result
+
+
+@router.get("/get", dependencies=[Depends(get_current_user)])
 async def get_config():
-    return settings
+    return _sanitize_dict(settings.dict())
 
 
 @router.patch(
@@ -27,7 +41,10 @@ async def update_config(config: Config):
         logger.info("Config updated")
         return JSONResponse(
             status_code=200,
-            content={"msg_en": "Update config successfully.", "msg_zh": "更新配置成功。"},
+            content={
+                "msg_en": "Update config successfully.",
+                "msg_zh": "更新配置成功。",
+            },
         )
     except Exception as e:
         logger.warning(e)