feat(miniprogram): Token XOR 混淆存储

- 新增 secure-storage 工具：XOR + Base64 混淆 token 存储 - request.ts 和 auth.ts 中所有 access_token/refresh_token 存取均通过 secure-storage，避免明文暴露在 Storage 中
2026-04-24 12:52:20 +08:00
parent 37ff907815
commit 60a8a591a8
3 changed files with 58 additions and 14 deletions
--- a/apps/miniprogram/src/utils/secure-storage.ts
+++ b/apps/miniprogram/src/utils/secure-storage.ts
@@ -0,0 +1,42 @@
+import Taro from '@tarojs/taro';
+
+const XOR_KEY = 'hms_mp_2026_secure_key';
+
+function xorTransform(value: string): string {
+  let result = '';
+  for (let i = 0; i < value.length; i++) {
+    result += String.fromCharCode(value.charCodeAt(i) ^ XOR_KEY.charCodeAt(i % XOR_KEY.length));
+  }
+  return result;
+}
+
+function toBase64(str: string): string {
+  return btoa(unescape(encodeURIComponent(str)));
+}
+
+function fromBase64(b64: string): string {
+  try {
+    return decodeURIComponent(escape(atob(b64)));
+  } catch {
+    return '';
+  }
+}
+
+export function secureSet(key: string, value: string): void {
+  const obfuscated = toBase64(xorTransform(value));
+  Taro.setStorageSync(key, obfuscated);
+}
+
+export function secureGet(key: string): string {
+  const raw = Taro.getStorageSync(key);
+  if (!raw || typeof raw !== 'string') return '';
+  try {
+    return xorTransform(fromBase64(raw));
+  } catch {
+    return '';
+  }
+}
+
+export function secureRemove(key: string): void {
+  Taro.removeStorageSync(key);
+}