开启强制加密时，account 路由必须参数加密

jonechenug · jonechenug · commit 58b150a6f5dc · 2025-12-29T18:11:39.000+08:00
diff --git a/src/SecurityTokenService/Middlewares/DecryptRequestMiddleware.cs b/src/SecurityTokenService/Middlewares/DecryptRequestMiddleware.cs
@@ -14,13 +14,27 @@ public class DecryptRequestMiddleware(RequestDelegate next)
     private const string VersionHeader = "Z-Encrypt-Version";
     private const string KeyHeader = "Z-Encrypt-Key";
 
+    private static readonly bool ForceEncryptedBody =
+        bool.Parse(Environment.GetEnvironmentVariable("STS_FORCE_ENCRYPTED_BODY") ?? "false");
+
     public async Task InvokeAsync(HttpContext context, ILogger<DecryptRequestMiddleware> logger)
     {
         var encryptVersion = context.Request.Headers[VersionHeader].ElementAtOrDefault(0);
         var encryptKey = context.Request.Headers[KeyHeader].ElementAtOrDefault(0);
 
         var encryptVersionIsNullOrEmpty = string.IsNullOrEmpty(encryptVersion);
         var encryptKeyIsNullOrEmpty = string.IsNullOrEmpty(encryptKey);
+        var path = context.Request.Path.Value?.ToLowerInvariant();
+        if (
+            ForceEncryptedBody && path != null &&
+            path.Contains("/account/", StringComparison.InvariantCultureIgnoreCase) &&
+            (encryptVersionIsNullOrEmpty || encryptKeyIsNullOrEmpty)
+        )
+        {
+            // 检查到开启强制加密时，account 路由必须参数加密
+            context.Response.StatusCode = StatusCodes.Status403Forbidden;
+            return;
+        }
 
         // 若未传加密版本号和加密密钥， 则不解密
         if (encryptVersionIsNullOrEmpty && encryptKeyIsNullOrEmpty)
