From 24c81035e840142c61bde2c563a626cbc8050367 Mon Sep 17 00:00:00 2001
From: Marsway <liwei@marsway.red>
Date: Mon, 5 Jan 2026 17:18:23 +0800
Subject: [PATCH] update

---
 app/security/fernet.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/app/security/fernet.py b/app/security/fernet.py
index a7f3fe4..5bbe8f5 100644
--- a/app/security/fernet.py
+++ b/app/security/fernet.py
@@ -55,6 +55,11 @@ def decrypt_json(token: str) -> dict[str, Any]:
     if not token:
         return {}
     token = token.strip()
+    # 常见脏数据：被包了引号
+    if (token.startswith('"') and token.endswith('"')) or (token.startswith("'") and token.endswith("'")):
+        token = token[1:-1].strip()
+    # 常见脏数据：中间混入换行/空白（复制粘贴/渲染导致）
+    token = "".join(token.split())
 
     # 兼容：历史/手工输入导致误存明文 JSON
     if token.startswith("{"):
@@ -66,6 +71,10 @@ def decrypt_json(token: str) -> dict[str, Any]:
             pass
 
     # 兼容：末尾 padding '=' 被裁剪导致 base64 解码失败（len % 4 != 0）
+    data_len = len(token.rstrip("="))
+    # base64 非 padding 字符长度为 4n+1 时不可恢复：大概率是 token 被截断/丢字符
+    if data_len % 4 == 1:
+        raise ValueError("Invalid secret_cfg token (looks truncated). Please re-save secret_cfg to re-encrypt.")
     if token and (len(token) % 4) != 0:
         token = token + ("=" * (-len(token) % 4))
     try: