From 7f01d5b6b6361b0f2666629e4dacd92733ab2645 Mon Sep 17 00:00:00 2001
From: Marsway <liwei@marsway.red>
Date: Wed, 4 Mar 2026 10:57:03 +0800
Subject: [PATCH] fixing

---
 app/security/session.py | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/app/security/session.py b/app/security/session.py
index 810386f..783d5df 100644
--- a/app/security/session.py
+++ b/app/security/session.py
@@ -1,6 +1,6 @@
 from __future__ import annotations
 
-from datetime import datetime, timedelta
+from datetime import datetime, timedelta, timezone
 from uuid import uuid4
 
 from fastapi import Request, Response
@@ -8,14 +8,21 @@ from sqlalchemy import delete, select
 
 from app.core.config import settings
 from app.db.engine import get_session
-from app.db.models import Session
+from app.db.models import Session, User
 
 
 SESSION_COOKIE_NAME = "session_id"
 
 
 def _now_utc() -> datetime:
-    return datetime.utcnow()
+    return datetime.now(timezone.utc)
+
+
+def _as_utc(dt: datetime) -> datetime:
+    # 兼容历史脏数据：若为 naive，按 UTC 解释；若为 aware，统一转换到 UTC。
+    if dt.tzinfo is None:
+        return dt.replace(tzinfo=timezone.utc)
+    return dt.astimezone(timezone.utc)
 
 
 def create_session(user_id: int, request: Request) -> str:
@@ -75,7 +82,7 @@ def get_current_user(request: Request) -> User | None:
         if not record:
             request.state.user = None
             return None
-        if record.expires_at <= _now_utc():
+        if _as_utc(record.expires_at) <= _now_utc():
             db.execute(delete(Session).where(Session.id == session_id))
             db.commit()
             request.state.user = None