237899745/vue-driven-cloud-storage
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
551646244e7c44ba4c672a139a534367cfc4e56b
vue-driven-cloud-storage/backend/auth.js
yuyx 209aa4a865 🐛 修复主题偏好刷新后丢失的问题 
原因:authMiddleware 中的 req.user 对象没有包含 theme_preference 字段,
导致 /api/user/theme 接口始终返回 undefined,用户设置的主题无法被正确读取。

修复:在 req.user 中添加 theme_preference 字段

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-27 23:25:25 +08:00

149 lines
4.6 KiB
JavaScript
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
const jwt = require('jsonwebtoken');
const { UserDB } = require('./database');
// JWT密钥必须在环境变量中设置
const JWT_SECRET = process.env.JWT_SECRET || 'your-secret-key-change-in-production';
// 安全检查验证JWT密钥配置
const DEFAULT_SECRETS = [
'your-secret-key-change-in-production',
'your-secret-key-change-in-production-PLEASE-CHANGE-THIS'
];
if (DEFAULT_SECRETS.includes(JWT_SECRET)) {
const errorMsg = `
╔═══════════════════════════════════════════════════════════════╗
║ ⚠️ 安全警告 ⚠️ ║
╠═══════════════════════════════════════════════════════════════╣
║ JWT_SECRET 使用默认值,存在严重安全风险! ║
║ ║
║ 请立即设置环境变量 JWT_SECRET ║
║ 生成随机密钥: ║
║ node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
║ ║
║ 在 backend/.env 文件中设置: ║
║ JWT_SECRET=你生成的随机密钥 ║
╚═══════════════════════════════════════════════════════════════╝
`;
if (process.env.NODE_ENV === 'production') {
console.error(errorMsg);
throw new Error('生产环境必须设置 JWT_SECRET');
} else {
console.warn(errorMsg);
}
}
console.log('[安全] JWT密钥已配置');
// 生成JWT Token
function generateToken(user) {
return jwt.sign(
{
id: user.id,
username: user.username,
is_admin: user.is_admin
},
JWT_SECRET,
{ expiresIn: '7d' }
);
}
// 验证Token中间件
function authMiddleware(req, res, next) {
// 从请求头或HttpOnly Cookie获取token不再接受URL参数以避免泄露
const token = req.headers.authorization?.replace('Bearer ', '') || req.cookies?.token;
if (!token) {
return res.status(401).json({
success: false,
message: '未提供认证令牌'
});
}
try {
const decoded = jwt.verify(token, JWT_SECRET);
const user = UserDB.findById(decoded.id);
if (!user) {
return res.status(401).json({
success: false,
message: '用户不存在'
});
}
if (user.is_banned) {
return res.status(403).json({
success: false,
message: '账号已被封禁'
});
}
if (!user.is_active) {
return res.status(403).json({
success: false,
message: '账号未激活'
});
}
// 将用户信息附加到请求对象(包含所有存储相关字段)
req.user = {
id: user.id,
username: user.username,
email: user.email,
is_admin: user.is_admin,
has_ftp_config: user.has_ftp_config,
ftp_host: user.ftp_host,
ftp_port: user.ftp_port,
ftp_user: user.ftp_user,
ftp_password: user.ftp_password,
http_download_base_url: user.http_download_base_url,
// 存储相关字段v2.0新增)
storage_permission: user.storage_permission || 'sftp_only',
current_storage_type: user.current_storage_type || 'sftp',
local_storage_quota: user.local_storage_quota || 1073741824,
local_storage_used: user.local_storage_used || 0,
// 主题偏好
theme_preference: user.theme_preference || null
};
next();
} catch (error) {
if (error.name === 'TokenExpiredError') {
return res.status(401).json({
success: false,
message: '令牌已过期'
});
}
return res.status(401).json({
success: false,
message: '无效的令牌'
});
}
}
// 管理员权限中间件
function adminMiddleware(req, res, next) {
if (!req.user || !req.user.is_admin) {
return res.status(403).json({
success: false,
message: '需要管理员权限'
});
}
next();
}
// 检查JWT密钥是否安全
function isJwtSecretSecure() {
return !DEFAULT_SECRETS.includes(JWT_SECRET) && JWT_SECRET.length >= 32;
}
module.exports = {
JWT_SECRET,
generateToken,
authMiddleware,
adminMiddleware,
isJwtSecretSecure
};
Reference in New Issue View Git Blame Copy Permalink