iven/hms
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(miniprogram): 小程序审计修复 — 安全加固+功能链路+输入验证
Some checks failed
CI / rust-check (push) Has been cancelled
Details
CI / rust-test (push) Has been cancelled
Details
CI / frontend-build (push) Has been cancelled
Details
CI / security-audit (push) Has been cancelled
Details

Browse Source 
安全修复:
- H1: Token 刷新竞态条件 → Singleton Promise 模式防止并发刷新
- H4: 移除 store 中的 token 明文状态,统一走 secure storage
- H5: 登录/绑定手机号添加 loading 防重复点击保护
- H6: Analytics 改用 request.ts 统一请求层,不再绕过认证
- M1: logout 清理所有残留数据(openid/tenant_id/analytics_queue)
- M2/M7: 敏感数据(user/openid/tenant_id)统一走加密存储
- M3: 移除开发日志中的请求体打印
- M4: secure-storage 解密失败返回 null 而非空串

功能修复:
- F1: 今日体征概览 API 支持 patient_id 查询参数(后端+前端)
- F2: 积分商城对无患者档案用户展示引导 UI
- M6: daily-monitoring 添加 Zod 数值范围验证

清理:
- L4: 移除 devLogin 开发辅助函数
This commit is contained in:
iven
2026-04-27 00:41:30 +08:00
parent 2defbd7ab3
commit 3424a33b6b
12 changed files with 198 additions and 63 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
apps/miniprogram/src/services/request.ts
View File

@@ -16,12 +16,21 @@ async function getHeaders(): Promise<Record<string, string>> {
if (token) headers['Authorization'] = `Bearer ${token}`;
const patientId = Taro.getStorageSync('current_patient_id');
if (patientId) headers['X-Patient-Id'] = patientId;
const tenantId = Taro.getStorageSync('tenant_id');
const tenantId = secureGet('tenant_id');
if (tenantId) headers['X-Tenant-Id'] = tenantId;
return headers;
}
let refreshPromise: Promise<boolean> | null = null;
async function tryRefreshToken(): Promise<boolean> {
if (refreshPromise) return refreshPromise;
refreshPromise = doRefresh();
refreshPromise.finally(() => { refreshPromise = null; });
return refreshPromise;
}
async function doRefresh(): Promise<boolean> {
const refreshToken = secureGet('refresh_token');
if (!refreshToken) return false;
try {
@@ -35,8 +44,8 @@ async function tryRefreshToken(): Promise<boolean> {
secureSet('refresh_token', res.data.data.refresh_token);
return true;
}
} catch (err) {
console.error('[tryRefreshToken] token 刷新失败:', err);
} catch {
// token 刷新失败
}
secureRemove('access_token');
secureRemove('refresh_token');
@@ -47,7 +56,7 @@ export async function request<T>(method: string, path: string, data?: unknown):
const headers = await getHeaders();
const url = `${BASE_URL}${path}`;
if (IS_DEV) {
console.log(`[API] ${method} ${path}`, data ?? '');
console.log(`[API] ${method} ${path}`);
}
const res = await Taro.request({ url, method: method as any, data, header: headers, timeout: 30000 });
if (IS_DEV) {