diff --git a/apps/dependency/csrf.py b/apps/dependency/csrf.py
index 587e52ec1f7f1e0e1c978e3dde9ffe3756e6a31f..054d94b3cb95daa10282724dfd1f0b38dab214d8 100644
--- a/apps/dependency/csrf.py
+++ b/apps/dependency/csrf.py
@@ -12,23 +12,23 @@ from apps.manager.session import SessionManager
 async def verify_csrf_token(request: Request, response: Response) -> Optional[Response]:
 """验证CSRF Token"""
- # if not config["ENABLE_CSRF"]:
- # return None
+ if not config["ENABLE_CSRF"]:
+ return None
- # csrf_token = request.headers["x-csrf-token"].strip('"')
- # session = request.cookies["ECSESSION"]
+ csrf_token = request.headers["x-csrf-token"].strip('"')
+ session = request.cookies["ECSESSION"]
- # if not await SessionManager.verify_csrf_token(session, csrf_token):
- # raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="CSRF token is invalid.")
+ if not await SessionManager.verify_csrf_token(session, csrf_token):
+ raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="CSRF token is invalid.")
- # new_csrf_token = await SessionManager.create_csrf_token(session)
- # if not new_csrf_token:
- # raise HTTPException(status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail="Renew CSRF token failed.")
+ new_csrf_token = await SessionManager.create_csrf_token(session)
+ if not new_csrf_token:
+ raise HTTPException(status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail="Renew CSRF token failed.")
- # if config["COOKIE_MODE"] == "DEBUG":
- # response.set_cookie("_csrf_tk", new_csrf_token, max_age=config["SESSION_TTL"] * 60,
- # domain=config["DOMAIN"])
- # else:
- # response.set_cookie("_csrf_tk", new_csrf_token, max_age=config["SESSION_TTL"] * 60,
- # secure=True, domain=config["DOMAIN"], samesite="strict")
+ if config["COOKIE_MODE"] == "DEBUG":
+ response.set_cookie("_csrf_tk", new_csrf_token, max_age=config["SESSION_TTL"] * 60,
+ domain=config["DOMAIN"])
+ else:
+ response.set_cookie("_csrf_tk", new_csrf_token, max_age=config["SESSION_TTL"] * 60,
+ secure=True, domain=config["DOMAIN"], samesite="strict")
 return response
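Review bot: The re-enabled lookups `request.headers["x-csrf-token"]` and `request.cookies["ECSESSION"]` raise KeyError when the header or cookie is simply absent, so a request carrying no CSRF token at all ends in an unhandled exception (a 500) instead of the 403 that the following SessionManager check returns for a wrong token; a missing token is a client fault and should be rejected the same way. Read both with `.get()` and reject before calling SessionManager, as below. The identical `request.cookies["ECSESSION"]` lookup is re-enabled in verify_user, get_session and get_user in apps/dependency/user.py and needs the same treatment there. The `.strip('"')` suggests clients send the header value JSON-quoted; if that is the intent, a one-line comment saying so would spare the next reader a guess.
```python
    csrf_token = request.headers.get("x-csrf-token")
    session = request.cookies.get("ECSESSION")
    # Absent token or session cookie is a client fault: answer 403, not an unhandled KeyError.
    if not csrf_token or not session:
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="CSRF token is invalid.")
    csrf_token = csrf_token.strip('"')
    # … unchanged: SessionManager.verify_csrf_token check, token renewal, cookie …
```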
diff --git a/apps/dependency/user.py b/apps/dependency/user.py
index 80841cab7a90ed30fedccf115084e9a65e17ae9c..ea9e069aa6484fb0268aade23e6c3e43892e76c7 100644
--- a/apps/dependency/user.py
+++ b/apps/dependency/user.py
@@ -20,10 +20,10 @@ async def verify_user(request: HTTPConnection) -> None:
 :param request: HTTP请求
 :return:
 """
- # session_id = request.cookies["ECSESSION"]
- # if not await SessionManager.verify_user(session_id):
- # raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Authentication Error.")
- pass
+ session_id = request.cookies["ECSESSION"]
+ if not await SessionManager.verify_user(session_id):
+ raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Authentication Error.")
+ # pass
 async def get_session(request: HTTPConnection) -> str:
 """验证Session是否已鉴权,并返回Session ID;未鉴权则抛出HTTP 401;参数级dependence
@@ -31,11 +31,11 @@ async def get_session(request: HTTPConnection) -> str:
 :param request: HTTP请求
 :return: Session ID
 """
- # session_id = request.cookies["ECSESSION"]
- # if not await SessionManager.verify_user(session_id):
- # raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Authentication Error.")
- # return session_id
- return "test"
+ session_id = request.cookies["ECSESSION"]
+ if not await SessionManager.verify_user(session_id):
+ raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Authentication Error.")
+ return session_id
+ # return "test"
 async def get_user(request: HTTPConnection) -> str:
 """验证Session是否已鉴权;若已鉴权,查询对应的user_sub;若未鉴权,抛出HTTP 401;参数级dependence
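Review bot: The test bypass is commented out rather than removed — `# pass` stays at the end of verify_user and `# return "test"` at the end of get_session (and of get_user in the following hunk) — so the dependency still reads as if the stub could be switched back on, which is precisely what anyone auditing the auth path will have to stop and rule out. Delete those three leftover lines; history is in version control. While here, `:return:` in verify_user's docstring is empty; `:return: None; raises HTTPException 401 when the session is not authenticated` would state the contract the new body now enforces.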
@@ -43,12 +43,12 @@ async def get_user(request: HTTPConnection) -> str:
 :param request: HTTP请求体
 :return: 用户sub
 """
- # session_id = request.cookies["ECSESSION"]
- # user = await SessionManager.get_user(session_id)
- # if not user:
- # raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Authentication Error.")
- # return user
- return "test"
+ session_id = request.cookies["ECSESSION"]
+ user = await SessionManager.get_user(session_id)
+ if not user:
+ raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Authentication Error.")
+ return user
+ # return "test"
 async def verify_api_key(api_key: str = Depends(oauth2_scheme)) -> None:
 """验证API Key是否有效;无效则抛出HTTP 401;接口级dependence