fix(miniprogram): 小程序审计修复 — 安全加固+功能链路+输入验证
安全修复: - H1: Token 刷新竞态条件 → Singleton Promise 模式防止并发刷新 - H4: 移除 store 中的 token 明文状态,统一走 secure storage - H5: 登录/绑定手机号添加 loading 防重复点击保护 - H6: Analytics 改用 request.ts 统一请求层,不再绕过认证 - M1: logout 清理所有残留数据(openid/tenant_id/analytics_queue) - M2/M7: 敏感数据(user/openid/tenant_id)统一走加密存储 - M3: 移除开发日志中的请求体打印 - M4: secure-storage 解密失败返回 null 而非空串 功能修复: - F1: 今日体征概览 API 支持 patient_id 查询参数(后端+前端) - F2: 积分商城对无患者档案用户展示引导 UI - M6: daily-monitoring 添加 Zod 数值范围验证 清理: - L4: 移除 devLogin 开发辅助函数
This commit is contained in:
iven
@@ -10,8 +10,6 @@ interface BindPhoneResp {
|
||||
}
|
||||
|
||||
interface AuthState {
|
||||
token: string | null;
|
||||
refreshToken: string | null;
|
||||
user: { id: string; username: string; display_name?: string; phone?: string; tenant_id?: string } | null;
|
||||
roles: string[];
|
||||
currentPatient: authApi.PatientInfo | null;
|
||||
@@ -25,11 +23,10 @@ interface AuthState {
|
||||
logout: () => void;
|
||||
restore: () => void;
|
||||
isMedicalStaff: () => boolean;
|
||||
hasPatientProfile: () => boolean;
|
||||
}
|
||||
|
||||
export const useAuthStore = create<AuthState>((set, get) => ({
|
||||
token: null,
|
||||
refreshToken: null,
|
||||
user: null,
|
||||
roles: [],
|
||||
currentPatient: null,
|
||||
@@ -41,31 +38,36 @@ export const useAuthStore = create<AuthState>((set, get) => ({
|
||||
return roles.some((r) => r === 'doctor' || r === 'nurse' || r === 'admin');
|
||||
},
|
||||
|
||||
hasPatientProfile: () => {
|
||||
return !!get().currentPatient;
|
||||
},
|
||||
|
||||
restore: () => {
|
||||
const token = secureGet('access_token') || null;
|
||||
const refreshToken = secureGet('refresh_token') || null;
|
||||
const user = Taro.getStorageSync('user') || null;
|
||||
const roles = Taro.getStorageSync('user_roles') || [];
|
||||
const currentPatient = Taro.getStorageSync('current_patient') || null;
|
||||
set({ token, refreshToken, user, roles, currentPatient });
|
||||
set({ user, roles, currentPatient });
|
||||
},
|
||||
|
||||
login: async (code: string) => {
|
||||
if (get().loading) return false;
|
||||
set({ loading: true });
|
||||
try {
|
||||
const resp = await authApi.wechatLogin(code);
|
||||
if (resp.bound && resp.token) {
|
||||
const { access_token, refresh_token, user } = resp.token;
|
||||
const roles = (resp as any).roles?.map((r: any) => r.code || r.name || r) || [];
|
||||
const roles = (resp as Record<string, unknown>).roles instanceof Array
|
||||
? ((resp as Record<string, unknown>).roles as Array<Record<string, string>>).map((r) => r.code || r.name || String(r))
|
||||
: [];
|
||||
secureSet('access_token', access_token);
|
||||
secureSet('refresh_token', refresh_token);
|
||||
Taro.setStorageSync('user', user);
|
||||
Taro.setStorageSync('user_roles', roles);
|
||||
Taro.setStorageSync('tenant_id', (user as any).tenant_id || '');
|
||||
set({ token: access_token, refreshToken: refresh_token, user, roles, loading: false });
|
||||
secureSet('user_data', JSON.stringify(user));
|
||||
secureSet('user_roles', JSON.stringify(roles));
|
||||
secureSet('tenant_id', user.tenant_id || '');
|
||||
set({ user, roles, loading: false });
|
||||
return true;
|
||||
}
|
||||
Taro.setStorageSync('wechat_openid', resp.openid);
|
||||
secureSet('wechat_openid', resp.openid);
|
||||
set({ loading: false });
|
||||
return false;
|
||||
} catch {
|
||||
@@ -75,23 +77,26 @@ export const useAuthStore = create<AuthState>((set, get) => ({
|
||||
},
|
||||
|
||||
bindPhone: async (encryptedData: string, iv: string) => {
|
||||
if (get().loading) return false;
|
||||
set({ loading: true });
|
||||
try {
|
||||
const openid = Taro.getStorageSync('wechat_openid') || '';
|
||||
const openid = secureGet('wechat_openid') || '';
|
||||
if (!openid) {
|
||||
set({ loading: false });
|
||||
return false;
|
||||
}
|
||||
const resp = await authApi.wechatBindPhone(openid, encryptedData, iv) as any;
|
||||
const { access_token, refresh_token, user } = resp;
|
||||
const roles = resp.roles?.map((r: any) => r.code || r.name || r) || [];
|
||||
secureSet('access_token', access_token);
|
||||
secureSet('refresh_token', refresh_token);
|
||||
Taro.setStorageSync('user', user);
|
||||
Taro.setStorageSync('user_roles', roles);
|
||||
Taro.setStorageSync('tenant_id', user.tenant_id || '');
|
||||
Taro.removeStorageSync('wechat_openid');
|
||||
set({ token: access_token, refreshToken: refresh_token, user, roles, loading: false });
|
||||
const resp = await authApi.wechatBindPhone(openid, encryptedData, iv) as Record<string, unknown>;
|
||||
const tokenData = resp as { access_token: string; refresh_token: string; user: AuthState['user'] };
|
||||
const roles = resp.roles instanceof Array
|
||||
? (resp.roles as Array<Record<string, string>>).map((r) => r.code || r.name || String(r))
|
||||
: [];
|
||||
secureSet('access_token', tokenData.access_token);
|
||||
secureSet('refresh_token', tokenData.refresh_token);
|
||||
secureSet('user_data', JSON.stringify(tokenData.user));
|
||||
secureSet('user_roles', JSON.stringify(roles));
|
||||
secureSet('tenant_id', tokenData.user?.tenant_id || '');
|
||||
secureRemove('wechat_openid');
|
||||
set({ user: tokenData.user, roles, loading: false });
|
||||
return true;
|
||||
} catch {
|
||||
set({ loading: false });
|
||||
@@ -113,18 +118,22 @@ export const useAuthStore = create<AuthState>((set, get) => ({
|
||||
get().setCurrentPatient(patients[0]);
|
||||
}
|
||||
} catch {
|
||||
// ignore
|
||||
// 患者列表加载失败不阻塞流程
|
||||
}
|
||||
},
|
||||
|
||||
logout: () => {
|
||||
secureRemove('access_token');
|
||||
secureRemove('refresh_token');
|
||||
Taro.removeStorageSync('user');
|
||||
Taro.removeStorageSync('user_roles');
|
||||
secureRemove('user_data');
|
||||
secureRemove('user_roles');
|
||||
secureRemove('tenant_id');
|
||||
secureRemove('wechat_openid');
|
||||
Taro.removeStorageSync('current_patient');
|
||||
Taro.removeStorageSync('current_patient_id');
|
||||
set({ token: null, refreshToken: null, user: null, roles: [], currentPatient: null, patients: [] });
|
||||
Taro.removeStorageSync('analytics_queue');
|
||||
Taro.removeStorageSync('edit_patient');
|
||||
set({ user: null, roles: [], currentPatient: null, patients: [] });
|
||||
Taro.redirectTo({ url: '/pages/login/index' });
|
||||
},
|
||||
}));
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
import { create } from 'zustand';
|
||||
import Taro from '@tarojs/taro';
|
||||
import * as healthApi from '@/services/health';
|
||||
|
||||
interface CachedTrend {
|
||||
@@ -25,7 +26,8 @@ export const useHealthStore = create<HealthState>((set, get) => ({
|
||||
refreshToday: async () => {
|
||||
set({ loading: true });
|
||||
try {
|
||||
const data = await healthApi.getTodaySummary();
|
||||
const patientId = Taro.getStorageSync('current_patient_id') || undefined;
|
||||
const data = await healthApi.getTodaySummary(patientId);
|
||||
set({ todaySummary: data, loading: false });
|
||||
} catch {
|
||||
set({ loading: false });
|
||||
|
||||
Reference in New Issue
Block a user