From 107192b14cece4d1e8a3513ab703e7a2edc76f5e Mon Sep 17 00:00:00 2001
From: ddrwode <34234@3来 34>
Date: Wed, 4 Feb 2026 14:13:17 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BC=98=E5=8C=96=E6=A1=88=E4=BB=B6=E7=94=9F?=
 =?UTF-8?q?=E6=88=90?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 User/utils.py | 6 ++----
 jyls_django/middleware.py | 33 ++++++++++++++++++---------------
 2 files changed, 20 insertions(+), 19 deletions(-)
diff --git a/User/utils.py b/User/utils.py
index e4cfe5b..b9b993a 100644
--- a/User/utils.py
+++ b/User/utils.py
@@ -214,12 +214,10 @@ def log_operation(request, operation_type, module, action, target_type, target_i
     operator_id = None
     if token:
-        try:
-            user = User.objects.get(token=token, is_deleted=False)
+        user = User.objects.filter(token=token, is_deleted=False).first()
+        if user:
             operator = user.username
             operator_id = user.id
-        except User.DoesNotExist:
-            pass
     # 获取IP地址
     ip_address = request.META.get('HTTP_X_FORWARDED_FOR', '').split(',')[0].strip()
diff --git a/jyls_django/middleware.py b/jyls_django/middleware.py
index 443f7b2..7e3d928 100644
--- a/jyls_django/middleware.py
+++ b/jyls_django/middleware.py
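Review bot: With `.first()` on the token lookup, a token shared by more than one active `User` row is silently attributed to whichever row sorts first, so the audit record can name the wrong operator; the middleware hunk in this same patch at least logs that case, and the audit path should be consistent with it. Consider `users = User.objects.filter(token=token, is_deleted=False)` and, when `users.count() > 1`, record the ambiguity instead of picking one (for example leave `operator_id` as `None` and emit a warning naming the collision). Separately, the context line that derives `ip_address` from the first `HTTP_X_FORWARDED_FOR` element stores a client-supplied value unless a trusted proxy overwrites that header; a comment such as `# X-Forwarded-For is only trustworthy behind a proxy that rewrites it` would warn readers of the audit log. log_operation's body starts and ends outside the hunk.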
@@ -92,27 +92,30 @@ class JWTAuthenticationMiddleware(MiddlewareMixin):
         # 允许登录接口(支持 /api2/user/login 和 /user/login)
         if request.path == '/api2/user/login' or request.path == '/user/login':
             return None
-        try:
-
-            if not token:
-                # 标记为未授权请求(可能是正常的前端访问,也可能是恶意扫描)
-                request.META['_is_unauthorized'] = True
-                return JsonResponse(
-                    {'status': 401,'message':"token为空"},
-                    status=401,
-                    content_type='application/json',
-                    headers={'Access-Control-Allow-Origin': '*'}
-                )
-            User.objects.get(token=token, is_deleted=False)
-        except User.DoesNotExist:
-            # 标记为未授权请求
+        if not token:
             request.META['_is_unauthorized'] = True
             return JsonResponse(
-                {'status': 401,'message':"身份过期"},
+                {'status': 401, 'message': "token为空"},
                 status=401,
                 content_type='application/json',
                 headers={'Access-Control-Allow-Origin': '*'}
             )
+        # 使用 filter().first() 避免同一 token 存在多条用户时 get() 抛出 MultipleObjectsReturned
+        users = User.objects.filter(token=token, is_deleted=False)
+        user = users.first()
+        if user is None:
+            request.META['_is_unauthorized'] = True
+            return JsonResponse(
+                {'status': 401, 'message': "身份过期"},
+                status=401,
+                content_type='application/json',
+                headers={'Access-Control-Allow-Origin': '*'}
+            )
+        if users.count() > 1:
+            logger.warning(
+                '同一 token 存在 %s 个用户(token 应唯一),请检查 User 表并清理重复数据。',
+                users.count()
+            )
         return None
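Review bot: A token that matches more than one active user is still accepted here — the request proceeds as whichever row `users.first()` returns and the collision is only logged — but a bearer token that maps to two accounts does not identify a principal, so the middleware should answer 401 in that case rather than pick one. The two `users.count()` calls also cost two extra queries on every authenticated request; fetching at most two rows once gives both the match and the ambiguity check, and `count()` is then only needed inside the rare warning branch. The rewrite below replaces the block from `users = ...` to `return None`; the empty-token branch and the login-path allow above it are unchanged, and the enclosing method begins before the hunk. The "身份过期" (identity expired) message is returned without any expiry check visible in this hunk; if token expiry is enforced elsewhere a comment pointing to it would help, and if it is not, the message overstates what was checked.
```python
        # A token must identify exactly one active user: zero matches is an
        # unknown token, more than one is a data-integrity fault and must not
        # authenticate the request as an arbitrarily chosen account.
        users = User.objects.filter(token=token, is_deleted=False)
        matches = list(users[:2])
        if len(matches) != 1:
            if len(matches) > 1:
                logger.warning(
                    '同一 token 存在 %s 个用户(token 应唯一),请检查 User 表并清理重复数据。',
                    users.count()
                )
            request.META['_is_unauthorized'] = True
            return JsonResponse(
                {'status': 401, 'message': "身份过期"},
                status=401,
                content_type='application/json',
                headers={'Access-Control-Allow-Origin': '*'}
            )
        return None
```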