feat: 修复安全性问题

Author: Taois

apps/image-manager/index.html

@@ -383,6 +383,53 @@ <h2>📋 图片列表</h2>
             }
         }
 
+        // 获取图片信息
+        async function getImageInfo() {
+            const imageId = document.getElementById('getImageId').value.trim();
+            
+            if (!imageId) {
+                showResult('getResult', '请输入图片ID', 'error');
+                return;
+            }
+            
+            try {
+                showLoading('getResult');
+                
+                // 通过图片列表API获取特定图片信息
+                const response = await fetch('/image/list');
+                const result = await response.json();
+                
+                if (result.success) {
+                    const targetImage = result.data.images.find(img => img.imageId === imageId);
+                    
+                    if (targetImage) {
+                        showResult('getResult', 
+                            `图片信息：\n` +
+                            `ID: ${targetImage.imageId}\n` +
+                            `大小: ${(targetImage.size / 1024).toFixed(2)} KB\n` +
+                            `MIME类型: ${targetImage.mimeType}\n` +
+                            `上传时间: ${new Date(targetImage.timestamp).toLocaleString()}\n` +
+                            `访问URL: ${targetImage.imageUrl}`, 
+                            'success'
+                        );
+                        
+                        // 显示图片预览
+                        document.getElementById('getPreview').innerHTML = 
+                            `<img src="${targetImage.imageUrl}" alt="图片: ${imageId}">`;
+                    } else {
+                        showResult('getResult', `未找到图片ID为 "${imageId}" 的图片`, 'error');
+                        document.getElementById('getPreview').innerHTML = '';
+                    }
+                } else {
+                    showResult('getResult', `获取图片信息失败: ${result.message}`, 'error');
+                }
+                
+            } catch (error) {
+                showResult('getResult', `获取图片信息失败: ${error.message}`, 'error');
+                document.getElementById('getPreview').innerHTML = '';
+            }
+        }
+        
         // 获取图片列表
         async function getImageList() {
             try {

controllers/image-store.js

@@ -1,8 +1,10 @@
 import {imageManager} from '../utils/imageManager.js'
+import {validateBasicAuth} from '../utils/api_validate.js'
 
 // Fastify插件导出
 export default (fastify, options, done) => {
     fastify.post('/image/upload', {
+        preHandler: validateBasicAuth,
         schema: {
             body: {
                 type: 'object',
@@ -119,6 +121,7 @@ export default (fastify, options, done) => {
 
     // 删除图片 - DELETE /image/:imageId
     fastify.delete('/image/:imageId', {
+        preHandler: validateBasicAuth,
         schema: {
             params: {
                 type: 'object',
@@ -172,6 +175,7 @@ export default (fastify, options, done) => {
 
     // 清理过期图片 - POST /image/cleanup
     fastify.post('/image/cleanup', {
+        preHandler: validateBasicAuth,
         schema: {
             body: {
                 type: 'object',
@@ -204,6 +208,7 @@ export default (fastify, options, done) => {
 
     // 更新图片 - PUT /image/:imageId
     fastify.put('/image/:imageId', {
+        preHandler: validateBasicAuth,
         schema: {
             params: {
                 type: 'object',

docs/updateRecord.md

@@ -13,6 +13,7 @@
 7. 修复 `番茄小说` 宝盒因为缺少返回章节标题导致的不可看正文问题
 8. 设置中心增加百度扫码
 9. 新增图片储存插件(内存版，兼容vercel)
+10. 紧急撤包，修复图片接口的安全性问题
 
 ### 20250913
 

libs/drpyS.js

@@ -59,7 +59,8 @@ initializeGlobalDollar();
 const {Ali, Baidu, Baidu2, Cloud, Pan, Quark, UC, Yun} = PanS;
 const {
     sleep, sleepSync, getNowTime, computeHash, deepCopy,
-    urljoin, urljoin2, joinUrl, keysToLowerCase, naturalSort, $js
+    urljoin, urljoin2, joinUrl, keysToLowerCase, naturalSort, $js,
+    createBasicAuthHeaders
 } = utils;
 // 缓存已初始化的模块和文件 hash 值
 const moduleCache = new Map();
@@ -156,6 +157,7 @@ export async function getSandbox(env = {}) {
         joinUrl,
         naturalSort,
         $js,
+        createBasicAuthHeaders,
         $,
         pupWebview,
         getProxyUrl,

spider/js/设置中心.js

@@ -1082,17 +1082,21 @@ var rule = {
             log('[百度扫码] 图片上传接口 imageUploadUrl:', imageUploadUrl);
             // log('[百度扫码] qrCode:', qrCode);
             try {
+                const basicHeader = createBasicAuthHeaders();
                 const baiduQrcode = (await axios({
                     url: httpUrl,
                     method: "POST",
                     data: {
                         url: imageUploadUrl,
                         method: "POST",
+                        headers: {
+                            ...basicHeader
+                        },
                         data: {imageId: 'baiduQrcode', base64Data: qrCode}
                     },
                 })).data.data;
                 log('[百度扫码] baiduQrcode:', baiduQrcode);
-                qrcodeUrl = requestHost + baiduQrcode.data.imageUrl;
+                qrcodeUrl = requestHost + baiduQrcode.data.imageUrl + `?t=${requestId}`;
                 log('[百度扫码] ds代理 qrcodeUrl:', qrcodeUrl);
             } catch (e) {
                 log('[百度扫码] error:', e.message);
@@ -1113,9 +1117,11 @@ var rule = {
                     msg: '请使用百度APP扫码登录获取',
                     width: 500,
                     button: 1,
-                    timeout: 20,
-                    qrcode: qrcodeUrl,
-                    isQrcode: 1, // 告诉壳子我已经是二维码了，你不要再去生成了(图片链接或者base64文本)！！！
+                    timeout: 30,
+                    imageUrl: qrcodeUrl,
+                    imageHeight: 400,
+                    // qrcode: qrcodeUrl,
+                    // isQrcode: 1, // 告诉壳子我已经是二维码了，你不要再去生成了(图片链接或者base64文本)！！！
                     qrcodeSize: '400',
                     initAction: 'baiduScanCheck',
                     initValue: requestId,

utils/utils.js

@@ -224,6 +224,27 @@ export function naturalSortAny(arr, key, customOrder = []) {
     });
 }
 
+/**
+ * 构造Basic验证请求头
+ * @param {string} username - 用户名，如果不提供则从环境变量API_AUTH_NAME获取
+ * @param {string} password - 密码，如果不提供则从环境变量API_AUTH_CODE获取
+ * @returns {Object} - 包含Authorization头的对象
+ */
+export function createBasicAuthHeaders(username, password) {
+    const authName = username || process.env.API_AUTH_NAME;
+    const authCode = password || process.env.API_AUTH_CODE;
+
+    // if (!authName || !authCode) {
+    //     throw new Error('Basic认证信息不完整，请检查用户名和密码或环境变量API_AUTH_NAME和API_AUTH_CODE');
+    // }
+
+    const credentials = Buffer.from(`${authName}:${authCode}`).toString('base64');
+
+    return {
+        'Authorization': `Basic ${credentials}`
+    };
+}
+
 export const $js = {
     toString(func) {
         let strfun = func.toString();