Merge pull request #579 from maikirakiwi/main

Remove token from window.localStorage​ (fix XSS leak)

webui/src/App.vue

@@ -11,10 +11,12 @@ const theme: GlobalThemeOverrides = {
   },
 };
 
-const { refresh, isLogin } = useAuth();
-if (isLogin.value) {
+const { refresh, isLoggedin } = useAuth();
+
+if(isLoggedin.value){
   refresh();
 }
+
 </script>
 
 <template>

webui/src/hooks/useAppInfo.ts

@@ -1,5 +1,5 @@
 export const useAppInfo = createSharedComposable(() => {
-  const { auth } = useAuth();
+  const { isLoggedin } = useAuth();
   const running = ref<boolean>(false);
   const version = ref<string>('');
 
@@ -11,7 +11,7 @@ export const useAppInfo = createSharedComposable(() => {
       version.value = res.version;
     });
 
-    if (auth.value !== '') {
+    if (isLoggedin.value) {
       execute();
     }
   }

webui/src/hooks/useAuth.ts

@@ -2,7 +2,7 @@ import type { User } from '#/auth';
 import type { ApiError } from '#/api';
 
 export const useAuth = createSharedComposable(() => {
-  const auth = useLocalStorage('auth', '');
+  const isLoggedin = useLocalStorage('isLoggedin', false);
   const message = useMessage();
 
   const user = reactive<User>({
@@ -10,7 +10,6 @@ export const useAuth = createSharedComposable(() => {
     password: '',
   });
 
-  const isLogin = computed(() => auth.value !== '');
 
   function clearUser() {
     user.username = '';
@@ -39,7 +38,7 @@ export const useAuth = createSharedComposable(() => {
     });
 
     onResult((res) => {
-      auth.value = `${res.token_type} ${res.access_token}`;
+      isLoggedin.value = true;
       clearUser();
     });
 
@@ -68,7 +67,7 @@ export const useAuth = createSharedComposable(() => {
 
   onLogoutResult(() => {
     clearUser();
-    auth.value = '';
+    isLoggedin.value = false;
   });
 
   const { execute: refresh, onResult: onRefreshResult } = useApi(
@@ -76,7 +75,7 @@ export const useAuth = createSharedComposable(() => {
   );
 
   onRefreshResult((res) => {
-    auth.value = `${res.token_type} ${res.access_token}`;
+    isLoggedin.value = true;
   });
 
   function update() {
@@ -90,7 +89,6 @@ export const useAuth = createSharedComposable(() => {
 
     onResult((res) => {
       if (res.message === 'update success') {
-        auth.value = `${res.token_type} ${res.access_token}`;
         clearUser();
       } else {
         user.password = '';
@@ -107,9 +105,8 @@ export const useAuth = createSharedComposable(() => {
   }
 
   return {
-    auth,
+    isLoggedin,
     user,
-    isLogin,
 
     login,
     logout,

webui/src/router/index.ts

@@ -5,14 +5,14 @@ const router = createRouter({
 });
 
 router.beforeEach((to) => {
-  const { isLogin } = useAuth();
+  const { isLoggedin } = useAuth();
   const { type, url } = storeToRefs(usePlayerStore());
 
-  if (!isLogin.value && to.path !== '/login') {
+  if (!isLoggedin.value && to.path !== '/login') {
     return { name: 'Login' };
   }
 
-  if (isLogin.value && to.path === '/login') {
+  if (isLoggedin.value && to.path === '/login') {
     return { name: 'Index' };
   }
 
@@ -21,7 +21,7 @@ router.beforeEach((to) => {
     return false;
   }
 
-  watch(isLogin, (val) => {
+  watch(isLoggedin, (val) => {
     if (to.path === '/login' && val) {
       router.replace({ name: 'Index' });
     }

webui/src/store/log.ts

@@ -1,6 +1,6 @@
 export const useLogStore = defineStore('log', () => {
   const log = ref('');
-  const { auth } = useAuth();
+  const { isLoggedin } = useAuth();
   const message = useMessage();
 
   function get() {
@@ -10,7 +10,7 @@ export const useLogStore = defineStore('log', () => {
       log.value = value;
     });
 
-    if (auth.value !== '') {
+    if (isLoggedin.value) {
       execute();
     }
   }

webui/src/utils/axios.ts

@@ -35,8 +35,8 @@ axios.interceptors.response.use(
 
     /** token 过期 */
     if (error.status === 401) {
-      const { auth } = useAuth();
-      auth.value = '';
+      const { isLoggedin } = useAuth();
+      isLoggedin.value = false;
     }
 
     /** 执行失败 */