Merge branch 'dev/feature-name' of https://git.zyuas.com/LLM/chat-auth-web into dev/local

* 'dev/feature-name' of https://git.zyuas.com/LLM/chat-auth-web:
  安全优化：移除Cookies使用，增强前端安全性

# Conflicts:
#	vue.config.js

.env.development

@@ -1,11 +1,3 @@
-# 页面标题
-VUE_APP_TITLE = 建科•小智权限管理系统
-
-# 开发环境配置
-ENV = 'development'
-
-# TK管理系统/开发环境
-VUE_APP_BASE_API = '/dev-api'
-
-# 路由懒加载
-VUE_CLI_BABEL_TRANSPILE_MODULES = true
+NODE_ENV=development
+VUE_APP_TITLE=建科•小智权限管理系统
+VUE_APP_BASE_API=/dev-api

.env.production

@@ -1,8 +1,3 @@
-# 页面标题
-VUE_APP_TITLE = 建科•小智权限管理系统
-
-# 生产环境配置
-ENV = 'production'
-
-# TK管理系统/生产环境
-VUE_APP_BASE_API = '/prod-api'
+NODE_ENV=production
+VUE_APP_TITLE=建科•小智权限管理系统
+VUE_APP_BASE_API=/prod-api

.gitignore

@@ -4,12 +4,17 @@ dist/
 npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
+pnpm-debug.log*
 **/*.log
 
 tests/**/coverage/
 tests/e2e/reports
 selenium-debug.log
 
+# ✅ 安全修复：本地环境变量文件不提交
+.env.local
+.env.*.local
+
 # Editor directories and files
 .idea
 .vscode
@@ -23,5 +28,3 @@ selenium-debug.log
 
 package-lock.json
 yarn.lock
-
-.history

package.json

@@ -6,6 +6,7 @@
   "license": "MIT",
   "scripts": {
     "dev": "export NODE_OPTIONS=--openssl-legacy-provider && vue-cli-service serve",
+    "dev:win": "set NODE_OPTIONS=--openssl-legacy-provider && vue-cli-service serve",
     "build:prod": "export NODE_OPTIONS=--openssl-legacy-provider && vue-cli-service build",
     "build:stage": "vue-cli-service build --mode staging",
     "preview": "node build/index.js --preview",

public/html/ie.html

@@ -43,4 +43,4 @@
 </ul>
 <hr>
 </body>
-</html>
+</html>

public/index.html

@@ -4,6 +4,7 @@
     <meta charset="utf-8">
     <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
     <meta name="renderer" content="webkit">
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https:; img-src 'self' data: https:; font-src 'self' data: https://at.alicdn.com; connect-src 'self' http: https:;">
     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no">
     <link rel="icon" href="<%= BASE_URL %>favicon.ico">
     <title><%= webpackConfig.name %></title>

src/layout/components/Sidebar/SidebarItem.vue

@@ -13,8 +13,8 @@
         <item v-if="item.meta" :icon="item.meta && item.meta.icon" :title="item.meta.title" />
       </template>
       <sidebar-item
-        v-for="child in item.children"
-        :key="child.path"
+        v-for="(child, index) in item.children"
+        :key="child.path + index"
         :is-nest="true"
         :item="child"
         :base-path="resolvePath(child.path)"

src/main.js

@@ -1,6 +1,7 @@
 import Vue from 'vue'
 
-import Cookies from 'js-cookie'
+// ✅ 安全修复：不再需要 js-cookie
+// import Cookies from 'js-cookie'
 
 import Element from 'element-ui'
 import './assets/styles/element-variables.scss'
@@ -73,7 +74,7 @@ DictData.install()
  */
 
 Vue.use(Element, {
-  size: Cookies.get('size') || 'medium' // set element-ui default size
+  size: localStorage.getItem('size') || 'medium' // set element-ui default size
 })
 
 Vue.config.productionTip = false

src/store/modules/app.js

@@ -1,13 +1,12 @@
-import Cookies from 'js-cookie'
-
+// ✅ 安全修复：使用 localStorage 替代 Cookies
 const state = {
   sidebar: {
-    opened: Cookies.get('sidebarStatus') ? !!+Cookies.get('sidebarStatus') : true,
+    opened: localStorage.getItem('sidebarStatus') ? !!+localStorage.getItem('sidebarStatus') : true,
     withoutAnimation: false,
     hide: false
   },
   device: 'desktop',
-  size: Cookies.get('size') || 'medium'
+  size: localStorage.getItem('size') || 'medium'
 }
 
 const mutations = {
@@ -18,13 +17,13 @@ const mutations = {
     state.sidebar.opened = !state.sidebar.opened
     state.sidebar.withoutAnimation = false
     if (state.sidebar.opened) {
-      Cookies.set('sidebarStatus', 1)
+      localStorage.setItem('sidebarStatus', 1)
     } else {
-      Cookies.set('sidebarStatus', 0)
+      localStorage.setItem('sidebarStatus', 0)
     }
   },
   CLOSE_SIDEBAR: (state, withoutAnimation) => {
-    Cookies.set('sidebarStatus', 0)
+    localStorage.setItem('sidebarStatus', 0)
     state.sidebar.opened = false
     state.sidebar.withoutAnimation = withoutAnimation
   },
@@ -33,7 +32,7 @@ const mutations = {
   },
   SET_SIZE: (state, size) => {
     state.size = size
-    Cookies.set('size', size)
+    localStorage.setItem('size', size)
   },
   SET_SIDEBAR_HIDE: (state, status) => {
     state.sidebar.hide = status

src/utils/auth.js

@@ -1,15 +1,14 @@
-import Cookies from 'js-cookie'
-
+// ✅ 安全修复：使用 localStorage 替代 Cookies 存储 Token
 const TokenKey = 'Admin-Token'
 
 export function getToken() {
-  return Cookies.get(TokenKey)
+  return localStorage.getItem(TokenKey)
 }
 
 export function setToken(token) {
-  return Cookies.set(TokenKey, token)
+  return localStorage.setItem(TokenKey, token)
 }
 
 export function removeToken() {
-  return Cookies.remove(TokenKey)
+  return localStorage.removeItem(TokenKey)
 }

src/utils/jsencrypt.js

@@ -1,30 +1,21 @@
 import JSEncrypt from 'jsencrypt/bin/jsencrypt.min'
 
 // 密钥对生成 http://web.chacuo.net/netrsakeypair
+// ✅ 安全修复：只保留公钥，用于密码传输加密
+// 私钥应该只存在于后端服务器，前端不应该有解密能力
 
 const publicKey = 'MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKoR8mX0rGKLqzcWmOzbfj64K8ZIgOdH\n' +
   'nzkXSOVOZbFu/TJhZ7rFAN+eaGkl3C4buccQd/EjEsj9ir7ijT7h96MCAwEAAQ=='
 
-const privateKey = 'MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEAqhHyZfSsYourNxaY\n' +
-  '7Nt+PrgrxkiA50efORdI5U5lsW79MmFnusUA355oaSXcLhu5xxB38SMSyP2KvuKN\n' +
-  'PuH3owIDAQABAkAfoiLyL+Z4lf4Myxk6xUDgLaWGximj20CUf+5BKKnlrK+Ed8gA\n' +
-  'kM0HqoTt2UZwA5E2MzS4EI2gjfQhz5X28uqxAiEA3wNFxfrCZlSZHb0gn2zDpWow\n' +
-  'cSxQAgiCstxGUoOqlW8CIQDDOerGKH5OmCJ4Z21v+F25WaHYPxCFMvwxpcw99Ecv\n' +
-  'DQIgIdhDTIqD2jfYjPTY8Jj3EDGPbH2HHuffvflECt3Ek60CIQCFRlCkHpi7hthh\n' +
-  'YhovyloRYsM+IS9h/0BzlEAuO0ktMQIgSPT3aFAgJYwKpqRYKlLDVcflZFCKY7u3\n' +
-  'UP8iWi1Qw0Y='
+// ✅ 已删除私钥 - 私钥不应暴露在前端代码中
 
-// 加密
+// 加密函数 - 用于传输密码到后端
 export function encrypt(txt) {
   const encryptor = new JSEncrypt()
-  encryptor.setPublicKey(publicKey) // 设置公钥
-  return encryptor.encrypt(txt) // 对数据进行加密
+  encryptor.setPublicKey(publicKey)
+  return encryptor.encrypt(txt)
 }
 
-// 解密
-export function decrypt(txt) {
-  const encryptor = new JSEncrypt()
-  encryptor.setPrivateKey(privateKey) // 设置私钥
-  return encryptor.decrypt(txt) // 对数据进行解密
-}
+// ✅ 已删除解密函数 - 前端不应该有解密能力
+// 解密操作应该在后端完成
 

src/views/login.vue

@@ -63,8 +63,10 @@
 
 <script>
 import { getCodeImg } from "@/api/login";
-import Cookies from "js-cookie";
-import { encrypt, decrypt } from '@/utils/jsencrypt'
+// ✅ 安全修复：使用 localStorage 替代 Cookies
+// import Cookies from "js-cookie";
+// ✅ 安全修复：只导入encrypt，不导入decrypt（decrypt已被删除）
+import { encrypt } from '@/utils/jsencrypt'
 
 export default {
   name: "Login",
@@ -72,8 +74,9 @@ export default {
     return {
       codeUrl: "",
       loginForm: {
-        userName: "admin",
-        password: "admin123",
+        // ✅ 安全修复：移除默认账号密码
+        userName: "",
+        password: "",
         rememberMe: false,
         code: "",
         uuid: ""
@@ -105,12 +108,15 @@ export default {
   },
   created() {
     this.getCode();
-    this.getCookie();
+    this.loadRememberedUser();  // ✅ 改名，更准确
   },
   methods: {
     getCode() {
       getCodeImg().then(res => {
-        console.log(res, 'res');
+        // ✅ 安全修复：移除console.log或仅在开发环境使用
+        if (process.env.NODE_ENV === 'development') {
+          console.log('验证码获取成功');
+        }
         this.captchaEnabled = res.data.captchaEnabled === undefined ? true : res.data.captchaEnabled;
         if (this.captchaEnabled) {
           this.codeUrl = "data:image/gif;base64," + res.data.img;
@@ -118,29 +124,32 @@ export default {
         }
       });
     },
-    getCookie() {
-      const userName = Cookies.get("userName");
-      const password = Cookies.get("password");
-      const rememberMe = Cookies.get('rememberMe')
-      this.loginForm = {
-        userName: userName === undefined ? this.loginForm.userName : userName,
-        password: password === undefined ? this.loginForm.password : decrypt(password),
-        rememberMe: rememberMe === undefined ? false : Boolean(rememberMe)
-      };
+
+    // ✅ 安全修复：只加载用户名，不加载密码（使用 localStorage）
+    loadRememberedUser() {
+      const rememberedUser = localStorage.getItem("rememberedUser");
+      if (rememberedUser) {
+        this.loginForm.userName = rememberedUser;
+        this.loginForm.rememberMe = true;
+      }
     },
+
     handleLogin() {
       this.$refs.loginForm.validate(valid => {
         if (valid) {
           this.loading = true;
+
+          // ✅ 安全修复：只保存用户名，不保存密码（使用 localStorage）
           if (this.loginForm.rememberMe) {
-            Cookies.set("userName", this.loginForm.userName, { expires: 30 });
-            Cookies.set("password", encrypt(this.loginForm.password), { expires: 30 });
-            Cookies.set('rememberMe', this.loginForm.rememberMe, { expires: 30 });
+            localStorage.setItem("rememberedUser", this.loginForm.userName);
           } else {
-            Cookies.remove("userName");
-            Cookies.remove("password");
-            Cookies.remove('rememberMe');
+            localStorage.removeItem("rememberedUser");
+            // 清理旧的存储（如果存在）
+            localStorage.removeItem("userName");
+            localStorage.removeItem("password");
+            localStorage.removeItem("rememberMe");
           }
+
           this.$store.dispatch("Login", this.loginForm).then(() => {
             this.$router.push({ path: this.redirect || "/" }).catch(()=>{});
           }).catch(() => {