3.1 KiB
3.1 KiB
Phase 1 Delta 审计 — Wave D6(认证链 / Login)
日期: 2026-06-04
范围: 登录页 + auth store + HTTP 客户端 + 路由守卫 + WS URL
标准: standards/line-walk-audit-standard-v2.md 8 步
登记
| # | 文件 | 语言 | 行数 N | Read 范围 |
|---|---|---|---|---|
| 1 | frontend/src/pages/LoginPage.vue |
Vue | 244 | 1–244 全文 |
| 2 | frontend/src/stores/auth.ts |
TS | 132 | 1–132 全文 |
| 3 | frontend/src/api/index.ts |
TS | 308 | 1–308 全文 |
| 4 | frontend/src/router/index.ts |
TS | 68 | 1–68 全文 |
| 5 | frontend/src/utils/wsUrl.ts |
TS | 23 | 1–23 全文 |
Step 3 — 规则扫描 H(摘要)
| 文件 | H 命中 |
|---|---|
| LoginPage.vue | H-Secret, H-Redirect, H-Lockout, H-XSS |
| auth.ts | H-Token, H-Refresh, H-Profile |
| api/index.ts | H-Auth, H-Refresh, H-401 |
| router/index.ts | H-Guard, H-Redirect |
| wsUrl.ts | H-WS |
入口表
| 模块 | 入口 | 鉴权 |
|---|---|---|
| LoginPage | POST /auth/login |
公开 |
| LoginPage | GET /settings/bing-wallpapers |
公开(auth_jwt 白名单) |
| auth store | POST /auth/refresh, /auth/logout, GET /auth/me |
refresh cookie / Bearer |
| api | fetchAuthed 全站 API |
Bearer + credentials |
| router | beforeEach |
bootstrapped + isLoggedIn |
| wsUrl | WS URL 构建 | 供 terminal/sync 使用 |
Closure 表
| H | 文件:行号 | 判定 | 理由 |
|---|---|---|---|
| H-Secret | LoginPage.vue:102-103 | SAFE | password 仅组件 ref,不落 localStorage |
| H-Secret | auth.ts:26-27 | SAFE | access token 内存 Pinia ref |
| H-Redirect | LoginPage.vue:178-179 | SAFE | startsWith('/') && !startsWith('//') 防 open redirect |
| H-Lockout | LoginPage.vue:186-188 | SAFE | 429 → 15min 本地 lockout UI |
| H-TOTP | LoginPage.vue:182-184 | SAFE | TotpRequiredError → 显示 TOTP 字段 |
| H-XSS | LoginPage.vue:11-12 | SAFE | {{ error }} 文本插值,无 v-html |
| H-Refresh | auth.ts:45-66 | SAFE | HttpOnly cookie refresh;失败 silent |
| H-Token | auth.ts:36-38 | SAFE | exp 解码仅用于续期阈值 |
| H-Profile | auth.ts:89-97 | SAFE | 401 → forceLogout |
| H-Auth | api/index.ts:68-70 | SAFE | Bearer 注入 |
| H-Refresh | api/index.ts:19-44 | SAFE | 单飞 refreshInFlight 防并发 |
| H-Refresh | api/index.ts:84-86 | SAFE | 过期前 5min 主动 refresh |
| H-401 | api/index.ts:94-110 | SAFE | 401 重试一次后 forceLogout |
| H-Cookie | api/index.ts:27-28,91 | SAFE | credentials: include |
| H-Guard | router/index.ts:55-65 | SAFE | 非 public 路由需 isLoggedIn |
| H-Guard | router/index.ts:57-58 | SAFE | bootstrapped 前 tryRestoreSession |
| H-Public | router/index.ts:18 | SAFE | Login meta.public |
| H-WS | wsUrl.ts:17-20 | RISK | token 放 query;已接受 |
| H-Wallpaper | LoginPage.vue:121-123 | SAFE | 公开壁纸 API intentional |
len(H)=19, Closure=19
FINDING
无 P0/P1 新 FINDING。
DoD
- len(H) == Closure
- 五文件全文 Read
- 认证链:内存 token + HttpOnly refresh + 路由守卫
验证
bash scripts/local_verify.sh — 全绿