fix: harden authentication system (JWT, cookies, rate limiting, password policy)

- Replace hardcoded JWT secret with randomly generated key persisted to file - Replace hardcoded default password with random password shown in logs - Migrate token storage from localStorage to HttpOnly SameSite=strict cookie - Add IP-based login rate limiter (5 attempts / 15 min, 429 on lockout) - Add token_version for JWT revocation on password change - Add password strength validation (min 6 chars, 3+ unique characters) - Inject decoded user payload into request.state.user in auth middleware - Add /api/auth/me and /api/auth/logout endpoints - Narrow auth middleware exception handling (JWTError only, not all Exception) - Update updated_at timestamp on password change - Remove localStorage token management from frontend (axios, router, store) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-17 15:54:45 +08:00
parent 1047bcece9
commit 9d4d869d57
13 changed files with 249 additions and 75 deletions
--- a/api/webui/index.html
+++ b/api/webui/index.html
@@ -5,10 +5,10 @@
    <link rel="icon" type="image/svg+xml" href="/vite.svg" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>webui</title>
-    <script type="module" crossorigin src="/assets/index-J10jhinj.js"></script>
+    <script type="module" crossorigin src="/assets/index-BMiBC4ZK.js"></script>
    <link rel="modulepreload" crossorigin href="/assets/vendor-CwFI-VDq.js">
    <link rel="modulepreload" crossorigin href="/assets/element-plus-DsX44Q4d.js">
-    <link rel="stylesheet" crossorigin href="/assets/index-Cg0jXGKF.css">
+    <link rel="stylesheet" crossorigin href="/assets/index-BI3KBgCV.css">
  </head>
  <body>
    <div id="app"></div>