34 lines
886 B
Markdown
34 lines
886 B
Markdown
|
|
# 2026-06-04 — Phase1 D6 认证链 / LoginPage delta 审计
|
|||
|
|
|
|||
|
|
## 摘要
|
|||
|
|
|
|||
|
|
Wave D6:LoginPage + auth store + api client + router + wsUrl 五文件 8 步 closure;无 P0/P1 新 FINDING。
|
|||
|
|
|
|||
|
|
## 动机
|
|||
|
|
|
|||
|
|
接续 Phase 1 D6,覆盖 SPA 登录、JWT 续期、路由守卫与 WebSocket URL 构建。
|
|||
|
|
|
|||
|
|
## 涉及文件
|
|||
|
|
|
|||
|
|
| 文件 | 说明 |
|
|||
|
|
|------|------|
|
|||
|
|
| `docs/reports/audit-delta-2026-06-04-waveD6.md` | 19 H closure |
|
|||
|
|
| `frontend/src/pages/LoginPage.vue` 等 | 只读审计 |
|
|||
|
|
|
|||
|
|
## 结论
|
|||
|
|
|
|||
|
|
- 密码/ access token 不落 localStorage
|
|||
|
|
- refresh 走 HttpOnly cookie + 单飞 dedup
|
|||
|
|
- 登录后 redirect 防 `//` open redirect
|
|||
|
|
- 429 锁定与 TOTP 202 流程完整
|
|||
|
|
- WS query token 为已接受 RISK
|
|||
|
|
|
|||
|
|
## 验证
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
bash scripts/local_verify.sh
|
|||
|
|
cd frontend && npm run type-check
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
进度:`☑实现 ☑本地验证 ☑审计8步 □部署 □健康检查 □浏览器验证 ☑changelog`
|