fix: harden authentication system (JWT, cookies, rate limiting, password policy)
- Replace hardcoded JWT secret with randomly generated key persisted to file - Replace hardcoded default password with random password shown in logs - Migrate token storage from localStorage to HttpOnly SameSite=strict cookie - Add IP-based login rate limiter (5 attempts / 15 min, 429 on lockout) - Add token_version for JWT revocation on password change - Add password strength validation (min 6 chars, 3+ unique characters) - Inject decoded user payload into request.state.user in auth middleware - Add /api/auth/me and /api/auth/logout endpoints - Narrow auth middleware exception handling (JWTError only, not all Exception) - Update updated_at timestamp on password change - Remove localStorage token management from frontend (axios, router, store) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
祀梦
@@ -1,8 +1,7 @@
|
||||
import { post } from './request'
|
||||
import { post, get } from './request'
|
||||
|
||||
export interface LoginResponse {
|
||||
access_token: string
|
||||
token_type: string
|
||||
message: string
|
||||
}
|
||||
|
||||
export interface ChangePasswordData {
|
||||
@@ -10,10 +9,23 @@ export interface ChangePasswordData {
|
||||
new_password: string
|
||||
}
|
||||
|
||||
export interface AuthStatusResponse {
|
||||
authenticated: boolean
|
||||
user_id: string
|
||||
}
|
||||
|
||||
export function login(password: string): Promise<LoginResponse> {
|
||||
return post<LoginResponse>('/auth/login', { password })
|
||||
}
|
||||
|
||||
export function logout(): Promise<{ message: string }> {
|
||||
return post<{ message: string }>('/auth/logout')
|
||||
}
|
||||
|
||||
export function checkAuth(): Promise<AuthStatusResponse> {
|
||||
return get<AuthStatusResponse>('/auth/me')
|
||||
}
|
||||
|
||||
export function changePassword(data: ChangePasswordData): Promise<{ message: string }> {
|
||||
return post<{ message: string }>('/auth/change-password', data)
|
||||
}
|
||||
|
||||
@@ -1,24 +1,15 @@
|
||||
import axios, { type AxiosInstance, type AxiosRequestConfig, type AxiosResponse } from 'axios'
|
||||
import { ElMessage } from 'element-plus'
|
||||
|
||||
const TOKEN_KEY = 'elysia_auth_token'
|
||||
|
||||
const instance: AxiosInstance = axios.create({
|
||||
baseURL: '/api',
|
||||
timeout: 10000,
|
||||
withCredentials: true,
|
||||
headers: {
|
||||
'Content-Type': 'application/json'
|
||||
}
|
||||
})
|
||||
|
||||
instance.interceptors.request.use((config) => {
|
||||
const token = localStorage.getItem(TOKEN_KEY)
|
||||
if (token) {
|
||||
config.headers.Authorization = `Bearer ${token}`
|
||||
}
|
||||
return config
|
||||
})
|
||||
|
||||
instance.interceptors.response.use(
|
||||
(response: AxiosResponse) => {
|
||||
return response
|
||||
@@ -28,7 +19,7 @@ instance.interceptors.response.use(
|
||||
if (error.response) {
|
||||
const data = error.response.data
|
||||
if (data?.detail) {
|
||||
message = Array.isArray(data.detail)
|
||||
message = Array.isArray(data.detail)
|
||||
? data.detail.map((d: any) => d.msg || d.loc?.join('.')).join('; ')
|
||||
: data.detail
|
||||
}
|
||||
@@ -38,7 +29,6 @@ instance.interceptors.response.use(
|
||||
break
|
||||
case 401:
|
||||
message = '登录状态已失效~'
|
||||
localStorage.removeItem(TOKEN_KEY)
|
||||
window.location.href = '/login'
|
||||
return Promise.reject(error)
|
||||
case 403:
|
||||
@@ -47,6 +37,9 @@ instance.interceptors.response.use(
|
||||
case 404:
|
||||
message = '请求的资源不存在~'
|
||||
break
|
||||
case 429:
|
||||
message = data?.detail || '请求过于频繁,请稍后再试~'
|
||||
break
|
||||
case 500:
|
||||
message = '服务器内部错误~'
|
||||
break
|
||||
|
||||
@@ -22,9 +22,9 @@ function setView(view: string) {
|
||||
router.push(`/${view === 'list' ? 'tasks' : view}`)
|
||||
}
|
||||
|
||||
function handleCommand(command: string) {
|
||||
async function handleCommand(command: string) {
|
||||
if (command === 'logout') {
|
||||
authStore.logout()
|
||||
await authStore.logout()
|
||||
router.push('/login')
|
||||
return
|
||||
}
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
import { createRouter, createWebHistory } from 'vue-router'
|
||||
import type { RouteRecordRaw } from 'vue-router'
|
||||
import { useUserSettingsStore } from '@/stores/useUserSettingsStore'
|
||||
import { useAuthStore } from '@/stores/useAuthStore'
|
||||
|
||||
const routes: RouteRecordRaw[] = [
|
||||
{
|
||||
@@ -68,9 +69,7 @@ const router = createRouter({
|
||||
}
|
||||
})
|
||||
|
||||
const TOKEN_KEY = 'elysia_auth_token'
|
||||
|
||||
router.beforeEach((to, from) => {
|
||||
router.beforeEach(async (to, from) => {
|
||||
const page = (to.meta.title as string) || ''
|
||||
const userStore = useUserSettingsStore()
|
||||
const siteName = userStore.siteName || '爱莉希雅待办'
|
||||
@@ -78,8 +77,13 @@ router.beforeEach((to, from) => {
|
||||
|
||||
if (to.meta.noAuth) return
|
||||
|
||||
const token = localStorage.getItem(TOKEN_KEY)
|
||||
if (!token) {
|
||||
const authStore = useAuthStore()
|
||||
if (!authStore.checked) {
|
||||
const ok = await authStore.checkAuth()
|
||||
if (!ok) {
|
||||
return { path: '/login', query: { redirect: to.fullPath } }
|
||||
}
|
||||
} else if (!authStore.isLoggedIn) {
|
||||
return { path: '/login', query: { redirect: to.fullPath } }
|
||||
}
|
||||
})
|
||||
|
||||
@@ -1,35 +1,33 @@
|
||||
import { defineStore } from 'pinia'
|
||||
import { ref, computed } from 'vue'
|
||||
import { login as apiLogin } from '@/api/auth'
|
||||
|
||||
const TOKEN_KEY = 'elysia_auth_token'
|
||||
|
||||
function getStoredToken(): string {
|
||||
return localStorage.getItem(TOKEN_KEY) || ''
|
||||
}
|
||||
|
||||
function setStoredToken(token: string) {
|
||||
localStorage.setItem(TOKEN_KEY, token)
|
||||
}
|
||||
|
||||
function clearStoredToken() {
|
||||
localStorage.removeItem(TOKEN_KEY)
|
||||
}
|
||||
import { ref } from 'vue'
|
||||
import { login as apiLogin, logout as apiLogout, checkAuth as apiCheckAuth } from '@/api/auth'
|
||||
|
||||
export const useAuthStore = defineStore('auth', () => {
|
||||
const token = ref<string>(getStoredToken())
|
||||
const isLoggedIn = ref(false)
|
||||
const checked = ref(false)
|
||||
const loading = ref(false)
|
||||
const error = ref('')
|
||||
|
||||
const isLoggedIn = computed(() => !!token.value)
|
||||
async function checkAuth(): Promise<boolean> {
|
||||
try {
|
||||
const res = await apiCheckAuth()
|
||||
isLoggedIn.value = res.authenticated
|
||||
checked.value = true
|
||||
return isLoggedIn.value
|
||||
} catch {
|
||||
isLoggedIn.value = false
|
||||
checked.value = true
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
async function login(password: string): Promise<boolean> {
|
||||
loading.value = true
|
||||
error.value = ''
|
||||
try {
|
||||
const res = await apiLogin(password)
|
||||
token.value = res.access_token
|
||||
setStoredToken(res.access_token)
|
||||
await apiLogin(password)
|
||||
isLoggedIn.value = true
|
||||
checked.value = true
|
||||
return true
|
||||
} catch (e: any) {
|
||||
error.value = e?.response?.data?.detail || '登录失败'
|
||||
@@ -39,11 +37,15 @@ export const useAuthStore = defineStore('auth', () => {
|
||||
}
|
||||
}
|
||||
|
||||
function logout() {
|
||||
token.value = ''
|
||||
error.value = ''
|
||||
clearStoredToken()
|
||||
async function logout() {
|
||||
try {
|
||||
await apiLogout()
|
||||
} finally {
|
||||
isLoggedIn.value = false
|
||||
checked.value = true
|
||||
error.value = ''
|
||||
}
|
||||
}
|
||||
|
||||
return { token, loading, error, isLoggedIn, login, logout }
|
||||
return { isLoggedIn, checked, loading, error, login, logout, checkAuth }
|
||||
})
|
||||
|
||||
Reference in New Issue
Block a user