# Phase 1 Delta 审计 — Wave D6(认证链 / Login) **日期**: 2026-06-04 **范围**: 登录页 + auth store + HTTP 客户端 + 路由守卫 + WS URL **标准**: `standards/line-walk-audit-standard-v2.md` 8 步 ## 登记 | # | 文件 | 语言 | 行数 N | Read 范围 | |---|------|------|--------|-----------| | 1 | `frontend/src/pages/LoginPage.vue` | Vue | 244 | 1–244 全文 | | 2 | `frontend/src/stores/auth.ts` | TS | 132 | 1–132 全文 | | 3 | `frontend/src/api/index.ts` | TS | 308 | 1–308 全文 | | 4 | `frontend/src/router/index.ts` | TS | 68 | 1–68 全文 | | 5 | `frontend/src/utils/wsUrl.ts` | TS | 23 | 1–23 全文 | ## Step 3 — 规则扫描 H(摘要) | 文件 | H 命中 | |------|--------| | LoginPage.vue | H-Secret, H-Redirect, H-Lockout, H-XSS | | auth.ts | H-Token, H-Refresh, H-Profile | | api/index.ts | H-Auth, H-Refresh, H-401 | | router/index.ts | H-Guard, H-Redirect | | wsUrl.ts | H-WS | ## 入口表 | 模块 | 入口 | 鉴权 | |------|------|------| | LoginPage | POST `/auth/login` | 公开 | | LoginPage | GET `/settings/bing-wallpapers` | 公开(auth_jwt 白名单) | | auth store | POST `/auth/refresh`, `/auth/logout`, GET `/auth/me` | refresh cookie / Bearer | | api | `fetchAuthed` 全站 API | Bearer + credentials | | router | `beforeEach` | bootstrapped + isLoggedIn | | wsUrl | WS URL 构建 | 供 terminal/sync 使用 | ## Closure 表 | H | 文件:行号 | 判定 | 理由 | |---|-----------|------|------| | H-Secret | LoginPage.vue:102-103 | SAFE | password 仅组件 ref,不落 localStorage | | H-Secret | auth.ts:26-27 | SAFE | access token 内存 Pinia ref | | H-Redirect | LoginPage.vue:178-179 | SAFE | `startsWith('/') && !startsWith('//')` 防 open redirect | | H-Lockout | LoginPage.vue:186-188 | SAFE | 429 → 15min 本地 lockout UI | | H-TOTP | LoginPage.vue:182-184 | SAFE | TotpRequiredError → 显示 TOTP 字段 | | H-XSS | LoginPage.vue:11-12 | SAFE | `{{ error }}` 文本插值,无 v-html | | H-Refresh | auth.ts:45-66 | SAFE | HttpOnly cookie refresh;失败 silent | | H-Token | auth.ts:36-38 | SAFE | exp 解码仅用于续期阈值 | | H-Profile | auth.ts:89-97 | SAFE | 401 → forceLogout | | H-Auth | api/index.ts:68-70 | SAFE | Bearer 注入 | | H-Refresh | api/index.ts:19-44 | SAFE | 单飞 refreshInFlight 防并发 | | H-Refresh | api/index.ts:84-86 | SAFE | 过期前 5min 主动 refresh | | H-401 | api/index.ts:94-110 | SAFE | 401 重试一次后 forceLogout | | H-Cookie | api/index.ts:27-28,91 | SAFE | credentials: include | | H-Guard | router/index.ts:55-65 | SAFE | 非 public 路由需 isLoggedIn | | H-Guard | router/index.ts:57-58 | SAFE | bootstrapped 前 tryRestoreSession | | H-Public | router/index.ts:18 | SAFE | Login meta.public | | H-WS | wsUrl.ts:17-20 | RISK | token 放 query;已接受 | | H-Wallpaper | LoginPage.vue:121-123 | SAFE | 公开壁纸 API intentional | **len(H)=19, Closure=19** ## FINDING 无 P0/P1 新 FINDING。 ## DoD - [x] len(H) == Closure - [x] 五文件全文 Read - [x] 认证链:内存 token + HttpOnly refresh + 路由守卫 ## 验证 `bash scripts/local_verify.sh` — 全绿