From 813425ff64f42cb793a784183c00ec534b50fde3 Mon Sep 17 00:00:00 2001
From: orbisai0security
Date: Thu, 12 Mar 2026 03:29:17 +0000
Subject: [PATCH] fix: resolve critical vulnerability V-004

Automatically generated security fix
---
 astrbot/dashboard/routes/backup.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/astrbot/dashboard/routes/backup.py b/astrbot/dashboard/routes/backup.py
index 952806beb7..49722c6a3e 100644
--- a/astrbot/dashboard/routes/backup.py
+++ b/astrbot/dashboard/routes/backup.py
@@ -977,7 +977,17 @@ async def download_backup(self):
 if not jwt_secret:
 return Response().error("服务器配置错误").__dict__
- jwt.decode(token, jwt_secret, algorithms=["HS256"])
+ # Verify JWT token with strict security options
+ jwt.decode( token, jwt_secret, algorithms=["HS256"], options={ "require": ["exp"], # Require expiration claim "verify_signature": True, # Explicitly verify signature "verify_exp": True, # Verify expiration } )
 except jwt.ExpiredSignatureError:
 return Response().error("Token 已过期,请刷新页面后重试").__dict__
 except jwt.InvalidTokenError: