ok

Dockerfile

@@ -11,14 +11,10 @@ RUN npm install
 
 COPY . .
 
-RUN mkdir -p /app/data /app/logs && \
-    chown -R node:node /app
-
-USER node
+RUN mkdir -p /app/data && chown -R node:node /app /app/data
 
 EXPOSE 7860
 
-ENV NODE_ENV=production
 ENV ADMIN_USERNAME=${ADMIN_USERNAME}
 ENV ADMIN_PASSWORD=${ADMIN_PASSWORD}
 

app.js

@@ -1,11 +1,11 @@
 const express = require('express');
 const winston = require('winston');
+const fs = require('fs').promises;
 const path = require('path');
 const rateLimit = require('express-rate-limit');
+const { promises: fsPromises } = require('fs');
 const helmet = require('helmet');
 const jwt = require('jsonwebtoken');
-const cors = require('cors');
-const fs = require('fs');
 
 const app = express();
 const port = process.env.PORT || 7860;
@@ -31,12 +31,11 @@ if (process.env.NODE_ENV !== 'production') {
 
 // 安全中间件
 app.use(helmet());
-app.use(cors());
 
 // 速率限制
 const limiter = rateLimit({
-    windowMs: 15 * 60 * 1000,
-    max: 100
+    windowMs: 15 * 60 * 1000, // 15分钟
+    max: 100 // 每个IP限制100个请求
 });
 app.use('/api', limiter);
 
@@ -79,19 +78,16 @@ app.use((err, req, res, next) => {
     res.status(500).json({ error: '服务器内部错误' });
 });
 
-// 启动服务器
-const startServer = async () => {
-    try {
-        const historyFilePath = path.join(__dirname, 'data', 'command_history.json');
-        await fs.promises.access(historyFilePath).catch(() => fs.promises.writeFile(historyFilePath, '[]'));
-
+// 确保命令历史文件存在
+const historyFilePath = path.join(__dirname, 'data', 'command_history.json');
+fsPromises.access(historyFilePath)
+    .catch(() => fsPromises.writeFile(historyFilePath, '[]'))
+    .then(() => {
         app.listen(port, () => {
             logger.info(`Web 命令执行应用正在监听 http://localhost:${port}`);
         });
-    } catch (err) {
+    })
+    .catch(err => {
         logger.error('无法创建命令历史文件:', err);
         process.exit(1);
-    }
-};
-
-startServer();
+    });

package.json

@@ -9,20 +9,18 @@
         "test": "jest"
     },
     "dependencies": {
-        "express": "^4.18.2",
-        "winston": "^3.10.0",
-        "helmet": "^7.0.0",
-        "express-rate-limit": "^6.9.0",
-        "jsonwebtoken": "^9.0.1",
-        "cors": "^2.8.5",
-        "bcrypt": "^5.1.0"
+        "express": "^4.17.1",
+        "winston": "^3.3.3",
+        "helmet": "^4.6.0",
+        "express-rate-limit": "^5.3.0",
+        "jsonwebtoken": "^8.5.1"
     },
     "devDependencies": {
-        "nodemon": "^3.0.1",
-        "eslint": "^8.47.0",
-        "jest": "^29.6.2"
+        "nodemon": "^2.0.7",
+        "eslint": "^7.32.0",
+        "jest": "^27.0.6"
     },
     "engines": {
-        "node": ">=18.0.0"
+        "node": ">=14.0.0"
     }
 }

public/index.html

@@ -7,8 +7,9 @@
     <title>Web 命令执行</title>
     <script src="https://cdn.tailwindcss.com"></script>
     <script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/xss.min.js"></script>
-    <link href="https://fonts.googleapis.com/css2?family=Noto+Sans+SC:wght@400;700&display=swap" rel="stylesheet">
     <style>
+        @import url('https://fonts.googleapis.com/css2?family=Noto+Sans+SC:wght@400;700&display=swap');
+
         body {
             font-family: 'Noto Sans SC', sans-serif;
         }

public/js/main.js

@@ -11,8 +11,8 @@ commandInput.addEventListener('keypress', function (event) {
 });
 
 async function executeCommand() {
-    const command = commandInput.value.trim();
-    if (!command) return;
+    const command = commandInput.value;
+    if (!command.trim()) return;
 
     showLoading(true);
     output.textContent = '正在执行命令...';
@@ -30,7 +30,7 @@ async function executeCommand() {
         if (response.ok) {
             output.textContent = data.output || data.error;
             commandInput.value = '';
-            await loadCommandHistory();
+            loadCommandHistory();
         } else {
             output.textContent = `错误: ${data.error}`;
         }
@@ -83,7 +83,7 @@ async function login() {
             localStorage.setItem('token', data.token);
             document.getElementById('loginForm').style.display = 'none';
             document.getElementById('commandInterface').style.display = 'block';
-            await loadCommandHistory();
+            loadCommandHistory();
         } else {
             alert('登录失败: ' + data.error);
         }
@@ -94,6 +94,8 @@ async function login() {
 
 document.getElementById('loginButton').addEventListener('click', login);
 
+loadCommandHistory();
+
 function checkLoginStatus() {
     const token = localStorage.getItem('token');
     if (token) {
@@ -103,5 +105,7 @@ function checkLoginStatus() {
     }
 }
 
+// 在页面加载时调用此函数
 window.addEventListener('load', checkLoginStatus);
+
 document.getElementById('executeButton').addEventListener('click', executeCommand);

routes/auth.js

@@ -1,25 +1,23 @@
 const express = require('express');
 const jwt = require('jsonwebtoken');
 const router = express.Router();
-const bcrypt = require('bcrypt');
 
 const JWT_SECRET = process.env.JWT_SECRET || 'your-secret-key';
-const JWT_EXPIRES_IN = process.env.JWT_EXPIRES_IN || '1h';
 
 const users = [
     {
         id: 1,
         username: process.env.ADMIN_USERNAME,
-        password: bcrypt.hashSync(process.env.ADMIN_PASSWORD, 10)
+        password: process.env.ADMIN_PASSWORD
     }
 ];
 
-router.post('/login', async (req, res) => {
+router.post('/login', (req, res) => {
     const { username, password } = req.body;
-    const user = users.find(u => u.username === username);
+    const user = users.find(u => u.username === username && u.password === password);
 
-    if (user && await bcrypt.compare(password, user.password)) {
-        const token = jwt.sign({ id: user.id, username: user.username }, JWT_SECRET, { expiresIn: JWT_EXPIRES_IN });
+    if (user) {
+        const token = jwt.sign({ id: user.id, username: user.username }, JWT_SECRET, { expiresIn: '1h' });
         res.json({ token });
     } else {
         res.status(401).json({ error: '无效的用户名或密码' });

routes/command.js

@@ -6,13 +6,21 @@ const router = express.Router();
 
 const logger = require('../utils/logger');
 
+// 命令白名单
 const allowedCommands = ['ls', 'pwd', 'whoami', 'date', 'echo', 'cat'];
+
+// 历史命令文件路径
 const historyFilePath = path.join(__dirname, '..', 'data', 'command_history.json');
 
 router.get('/command-history', async (req, res) => {
     try {
-        const historyData = await fs.readFile(historyFilePath, 'utf-8');
-        const history = JSON.parse(historyData);
+        let history = [];
+        try {
+            const historyData = await fs.readFile(historyFilePath, 'utf-8');
+            history = JSON.parse(historyData);
+        } catch (readError) {
+            logger.warn('读取命令历史失败,使用空数组:', readError);
+        }
         res.json(history);
     } catch (error) {
         logger.error('处理命令历史请求失败:', error);
@@ -24,6 +32,7 @@ router.post('/execute', async (req, res) => {
     const { command } = req.body;
     const baseCommand = command.split(' ')[0];
 
+    // 白名单检查的部分
     // if (!allowedCommands.includes(baseCommand)) {
     //     logger.warn(`用户 ${req.user.username} 尝试执行未授权的命令: ${command}`);
     //     return res.status(403).json({ error: '未授权的命令' });
@@ -35,11 +44,19 @@ router.post('/execute', async (req, res) => {
             return res.status(500).json({ error: error.message });
         }
 
+        // 记录命令历史
         try {
-            const historyData = await fs.readFile(historyFilePath, 'utf-8');
-            let history = JSON.parse(historyData);
+            let history = [];
+            try {
+                const historyData = await fs.readFile(historyFilePath, 'utf-8');
+                history = JSON.parse(historyData);
+            } catch (readError) {
+                // 如果文件不存在或为空，使用空数组
+            }
+
             history.push({ command, timestamp: new Date().toISOString(), user: req.user.username });
-            history = history.slice(-100); // 保留最近100条命令
+            if (history.length > 100) history.shift(); // 保留最近100条命令
+
             await fs.writeFile(historyFilePath, JSON.stringify(history, null, 2));
         } catch (writeError) {
             logger.error('写入命令历史失败:', writeError);

utils/logger.js

@@ -1,7 +1,4 @@
 const winston = require('winston');
-const path = require('path');
-
-const logDir = path.join(__dirname, '..', 'logs');
 
 const logger = winston.createLogger({
     level: process.env.LOG_LEVEL || 'info',
@@ -10,8 +7,8 @@ const logger = winston.createLogger({
         winston.format.json()
     ),
     transports: [
-        new winston.transports.File({ filename: path.join(logDir, 'error.log'), level: 'error' }),
-        new winston.transports.File({ filename: path.join(logDir, 'combined.log') })
+        new winston.transports.File({ filename: 'error.log', level: 'error' }),
+        new winston.transports.File({ filename: 'combined.log' })
     ]
 });