fix: harden login for MLPS requirements

This commit is contained in:
2026-05-14 11:05:20 +08:00
parent ecf3ee1ef0
commit 879677516f
39 changed files with 1230 additions and 71 deletions
@@ -10,11 +10,13 @@ import type {
DesktopRuntimeSessionSyncRequest,
LoginRequest,
LoginResponse,
PasswordPublicKeyResponse,
RefreshResponse,
UserInfo,
} from '@geo/shared-types'
import { normalizeDesktopApiBaseURL } from '../../shared/api-base-url'
import { browserSupportsPasswordCipher, encryptPasswordForLogin } from '../lib/password-cipher'
type SessionMode = 'authenticated' | 'preview'
@@ -596,9 +598,10 @@ async function performLogin(payload: LoginRequest): Promise<void> {
error.value = null
try {
const loginPayload = await buildSecureLoginPayload(payload)
const authData = await createPublicClient().post<LoginResponse, LoginRequest>(
'/api/auth/login',
payload,
loginPayload,
)
persistSession({
@@ -633,6 +636,26 @@ async function performLogin(payload: LoginRequest): Promise<void> {
}
}
async function buildSecureLoginPayload(payload: LoginRequest): Promise<LoginRequest> {
if (!payload.password || !browserSupportsPasswordCipher()) {
return { ...payload }
}
try {
const key = await createPublicClient().get<PasswordPublicKeyResponse>('/api/auth/password-key')
const encrypted = await encryptPasswordForLogin(payload.password, key)
return {
identifier: payload.identifier,
email: payload.email,
...encrypted,
}
} catch (err) {
if (err instanceof ApiClientError && err.status === 404) {
return { ...payload }
}
throw err
}
}
async function login(payload: LoginRequest): Promise<void> {
if (loginPromise) {
return loginPromise
@@ -0,0 +1,59 @@
import type { PasswordPublicKeyResponse } from '@geo/shared-types'
const textEncoder = new TextEncoder()
export function browserSupportsPasswordCipher(): boolean {
return typeof window !== 'undefined' && Boolean(window.crypto?.subtle)
}
export async function encryptPasswordForLogin(
password: string,
key: PasswordPublicKeyResponse,
): Promise<{ encrypted_password: string; password_key_id: string }> {
const cryptoKey = await importRSAOAEPKey(key.public_key)
const encrypted = await window.crypto.subtle.encrypt(
{ name: 'RSA-OAEP' },
cryptoKey,
textEncoder.encode(password),
)
return {
encrypted_password: arrayBufferToBase64(encrypted),
password_key_id: key.key_id,
}
}
async function importRSAOAEPKey(publicKeyPEM: string): Promise<CryptoKey> {
const binaryDER = pemToArrayBuffer(publicKeyPEM)
return window.crypto.subtle.importKey(
'spki',
binaryDER,
{
name: 'RSA-OAEP',
hash: 'SHA-256',
},
false,
['encrypt'],
)
}
function pemToArrayBuffer(pem: string): ArrayBuffer {
const base64 = pem
.replace(/-----BEGIN PUBLIC KEY-----/g, '')
.replace(/-----END PUBLIC KEY-----/g, '')
.replace(/\s/g, '')
const binary = window.atob(base64)
const bytes = new Uint8Array(binary.length)
for (let i = 0; i < binary.length; i += 1) {
bytes[i] = binary.charCodeAt(i)
}
return bytes.buffer
}
function arrayBufferToBase64(buffer: ArrayBuffer): string {
const bytes = new Uint8Array(buffer)
let binary = ''
for (const byte of bytes) {
binary += String.fromCharCode(byte)
}
return window.btoa(binary)
}
@@ -7,7 +7,7 @@ const { apiBaseURL, error, pending, setApiBaseURL, login } = useDesktopSession()
const menuOpen = ref(false)
const showServerDialog = ref(false)
const showPassword = ref(false)
const rememberPassword = ref(!!localStorage.getItem('geo_rankly_saved_password'))
const rememberAccount = ref(!!localStorage.getItem('geo_rankly_saved_identifier'))
const savedIdentifier =
localStorage.getItem('geo_rankly_saved_identifier') ??
localStorage.getItem('geo_rankly_saved_email') ??
@@ -16,7 +16,7 @@ const savedIdentifier =
const form = reactive({
apiBaseURL: apiBaseURL.value,
identifier: savedIdentifier,
password: localStorage.getItem('geo_rankly_saved_password') || '',
password: '',
})
const menuRef = ref<HTMLElement | null>(null)
@@ -26,7 +26,7 @@ function toggleMenu() {
}
function onRememberChange(event: Event) {
rememberPassword.value = (event.target as HTMLInputElement).checked
rememberAccount.value = (event.target as HTMLInputElement).checked
}
function handleOutsideClick(event: MouseEvent) {
@@ -53,14 +53,13 @@ function saveServerSettings() {
}
async function submitLogin() {
if (rememberPassword.value) {
localStorage.removeItem('geo_rankly_saved_password')
if (rememberAccount.value) {
localStorage.setItem('geo_rankly_saved_identifier', form.identifier)
localStorage.removeItem('geo_rankly_saved_email')
localStorage.setItem('geo_rankly_saved_password', form.password)
} else {
localStorage.removeItem('geo_rankly_saved_identifier')
localStorage.removeItem('geo_rankly_saved_email')
localStorage.removeItem('geo_rankly_saved_password')
}
await login({
@@ -179,8 +178,8 @@ onBeforeUnmount(() => {
<div class="options-row">
<label class="check-label">
<input type="checkbox" :checked="rememberPassword" @change="onRememberChange" />
<span>记住密码</span>
<input type="checkbox" :checked="rememberAccount" @change="onRememberChange" />
<span>记住账号</span>
</label>
</div>