ok

Dockerfile

@@ -1,5 +1,8 @@
 FROM node:20
 
+ARG ADMIN_USERNAME=admin
+ARG ADMIN_PASSWORD=password
+
 WORKDIR /app
 
 COPY package*.json ./
@@ -10,4 +13,7 @@ COPY . .
 
 EXPOSE 7860
 
+ENV ADMIN_USERNAME=${ADMIN_USERNAME}
+ENV ADMIN_PASSWORD=${ADMIN_PASSWORD}
+
 CMD ["node", "app.js"]

app.js

@@ -1,25 +1,82 @@
 const express = require('express');
-const { exec } = require('child_process');
+const winston = require('winston');
+const fs = require('fs').promises;
+const path = require('path');
+const rateLimit = require('express-rate-limit');
+const helmet = require('helmet');
+const jwt = require('jsonwebtoken');
+
 const app = express();
-const port = 7860;
+const port = process.env.PORT || 7860;
+
+// 配置日志记录器
+const logger = winston.createLogger({
+    level: process.env.LOG_LEVEL || 'info',
+    format: winston.format.combine(
+        winston.format.timestamp(),
+        winston.format.json()
+    ),
+    transports: [
+        new winston.transports.File({ filename: 'error.log', level: 'error' }),
+        new winston.transports.File({ filename: 'combined.log' })
+    ]
+});
+
+if (process.env.NODE_ENV !== 'production') {
+    logger.add(new winston.transports.Console({
+        format: winston.format.simple()
+    }));
+}
+
+// 安全中间件
+app.use(helmet());
+
+// 速率限制
+const limiter = rateLimit({
+    windowMs: 15 * 60 * 1000, // 15分钟
+    max: 100 // 每个IP限制100个请求
+});
+app.use('/api', limiter);
 
 app.use(express.json());
 app.use(express.static('public'));
 
-app.get('/', (req, res) => {
-    res.sendFile(__dirname + '/public/index.html');
-});
+// JWT 密钥
+const JWT_SECRET = process.env.JWT_SECRET || 'your-secret-key';
+
+// 中间件：验证 JWT
+const authenticateJWT = (req, res, next) => {
+    const authHeader = req.headers.authorization;
+
+    if (authHeader) {
+        const token = authHeader.split(' ')[1];
+
+        jwt.verify(token, JWT_SECRET, (err, user) => {
+            if (err) {
+                return res.sendStatus(403);
+            }
+
+            req.user = user;
+            next();
+        });
+    } else {
+        res.sendStatus(401);
+    }
+};
+
+// 路由
+const authRoutes = require('./routes/auth');
+const commandRoutes = require('./routes/command');
+
+app.use('/api', authRoutes);
+app.use('/api', authenticateJWT, commandRoutes);
 
-app.post('/execute', (req, res) => {
-    exec(req.body.command, (error, stdout, stderr) => {
-        if (error) {
-            console.error(`执行错误: ${error}`);
-            return res.status(500).json({ error: error.message });
-        }
-        res.json({ output: stdout, error: stderr });
-    });
+// 错误处理中间件
+app.use((err, req, res, next) => {
+    logger.error(`未捕获的错误: ${err.message}`);
+    res.status(500).json({ error: '服务器内部错误' });
 });
 
 app.listen(port, () => {
-    console.log(`Web 命令执行应用正在监听 http://localhost:${port}`);
+    logger.info(`Web 命令执行应用正在监听 http://localhost:${port}`);
 });

package.json

@@ -1,12 +1,26 @@
 {
-    "name": "web-ssh-app",
-    "version": "1.0.0",
+    "name": "web-command-executor",
+    "version": "1.2.0",
     "main": "app.js",
     "scripts": {
-        "start": "node app.js"
+        "start": "node app.js",
+        "dev": "nodemon app.js",
+        "lint": "eslint .",
+        "test": "jest"
     },
     "dependencies": {
         "express": "^4.17.1",
-        "ssh2": "^1.11.0"
+        "winston": "^3.3.3",
+        "helmet": "^4.6.0",
+        "express-rate-limit": "^5.3.0",
+        "jsonwebtoken": "^8.5.1"
+    },
+    "devDependencies": {
+        "nodemon": "^2.0.7",
+        "eslint": "^7.32.0",
+        "jest": "^27.0.6"
+    },
+    "engines": {
+        "node": ">=14.0.0"
     }
 }

public/index.html

@@ -1,41 +1,42 @@
 <!DOCTYPE html>
-<html lang="en">
+<html lang="zh-CN">
+
 <head>
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <title>Web SSH</title>
-    <style>
-        body { font-family: Arial, sans-serif; max-width: 800px; margin: 0 auto; padding: 20px; }
-        #output { white-space: pre-wrap; background-color: #f0f0f0; padding: 10px; border-radius: 5px; max-height: 400px; overflow-y: auto; }
-        #command { width: 70%; padding: 5px; }
-        button { padding: 5px 10px; }
-    </style>
+    <title>Web 命令执行</title>
+    <script src="https://cdn.tailwindcss.com"></script>
+    <script src="https://cdn.jsdelivr.net/npm/xss@1.0.14/dist/xss.min.js"></script>
 </head>
-<body>
-    <h1>Web SSH</h1>
-    <p>This application allows you to execute SSH commands on the server. Enter your command below and click "Execute".</p>
-    <input type="text" id="command" placeholder="Enter SSH command">
-    <button onclick="executeCommand()">Execute</button>
-    <div id="output"></div>
 
-    <script>
-        async function executeCommand() {
-            const command = document.getElementById('command').value;
-            const output = document.getElementById('output');
-            output.textContent = 'Executing command...';
+<body class="bg-gray-100 p-8">
+    <div class="max-w-2xl mx-auto bg-white p-6 rounded-lg shadow-md">
+        <h1 class="text-3xl font-bold mb-4">Web 命令执行</h1>
+
+        <div id="loginForm">
+            <input type="text" id="username" placeholder="用户名" class="p-2 border rounded mb-2 w-full">
+            <input type="password" id="password" placeholder="密码" class="p-2 border rounded mb-2 w-full">
+            <button id="loginButton" class="bg-blue-500 text-white px-4 py-2 rounded hover:bg-blue-600">登录</button>
+        </div>
 
-            try {
-                const response = await fetch('/execute', {
-                    method: 'POST',
-                    headers: { 'Content-Type': 'application/json' },
-                    body: JSON.stringify({ command })
-                });
-                const data = await response.json();
-                output.textContent = data.output || data.error;
-            } catch (error) {
-                output.textContent = 'Error: ' + error.message;
-            }
-        }
-    </script>
+        <div id="commandInterface" style="display: none;">
+            <p class="mb-4">此应用允许您在服务器上执行特定的命令。请在下方输入命令并点击"执行"或按回车键。</p>
+            <div class="flex mb-4">
+                <input type="text" id="command" placeholder="输入命令"
+                    class="flex-grow p-2 border rounded-l focus:outline-none focus:ring-2 focus:ring-blue-500">
+                <button id="executeButton"
+                    class="bg-blue-500 text-white px-4 py-2 rounded-r hover:bg-blue-600 focus:outline-none focus:ring-2 focus:ring-blue-500">执行</button>
+            </div>
+            <div id="loadingIndicator" class="text-center mb-4" style="display: none;">
+                <div class="inline-block animate-spin rounded-full h-8 w-8 border-t-2 border-b-2 border-blue-500"></div>
+            </div>
+            <div id="output" class="bg-gray-200 p-4 rounded h-64 overflow-y-auto font-mono mb-4"></div>
+            <h2 class="text-2xl font-bold mb-2">命令历史</h2>
+            <ul id="history" class="list-disc pl-5"></ul>
+        </div>
+    </div>
+
+    <script src="/js/main.js"></script>
 </body>
+
 </html>

public/js/main.js

@@ -0,0 +1,97 @@
+const commandInput = document.getElementById('command');
+const output = document.getElementById('output');
+const history = document.getElementById('history');
+const executeButton = document.getElementById('executeButton');
+const loadingIndicator = document.getElementById('loadingIndicator');
+
+commandInput.addEventListener('keypress', function (event) {
+    if (event.key === 'Enter') {
+        executeCommand();
+    }
+});
+
+async function executeCommand() {
+    const command = commandInput.value;
+    if (!command.trim()) return;
+
+    showLoading(true);
+    output.textContent = '正在执行命令...';
+
+    try {
+        const response = await fetch('/api/execute', {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Authorization': `Bearer ${localStorage.getItem('token')}`
+            },
+            body: JSON.stringify({ command })
+        });
+        const data = await response.json();
+        if (response.ok) {
+            output.textContent = data.output || data.error;
+            commandInput.value = '';
+            loadCommandHistory();
+        } else {
+            output.textContent = `错误: ${data.error}`;
+        }
+    } catch (error) {
+        output.textContent = '错误: ' + error.message;
+    } finally {
+        showLoading(false);
+    }
+}
+
+async function loadCommandHistory() {
+    try {
+        const response = await fetch('/api/command-history', {
+            headers: {
+                'Authorization': `Bearer ${localStorage.getItem('token')}`
+            }
+        });
+        const data = await response.json();
+        history.innerHTML = '';
+        data.reverse().forEach(item => {
+            const li = document.createElement('li');
+            li.textContent = `${filterXSS(item.command)} (${new Date(item.timestamp).toLocaleString()})`;
+            li.className = 'cursor-pointer hover:text-blue-500';
+            li.onclick = () => {
+                commandInput.value = item.command;
+            };
+            history.appendChild(li);
+        });
+    } catch (error) {
+        console.error('加载命令历史失败:', error);
+    }
+}
+
+function showLoading(isLoading) {
+    loadingIndicator.style.display = isLoading ? 'block' : 'none';
+    executeButton.disabled = isLoading;
+}
+
+async function login() {
+    const username = document.getElementById('username').value;
+    const password = document.getElementById('password').value;
+    try {
+        const response = await fetch('/api/login', {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ username, password })
+        });
+        const data = await response.json();
+        if (response.ok) {
+            localStorage.setItem('token', data.token);
+            document.getElementById('loginForm').style.display = 'none';
+            document.getElementById('commandInterface').style.display = 'block';
+            loadCommandHistory();
+        } else {
+            alert('登录失败: ' + data.error);
+        }
+    } catch (error) {
+        alert('登录错误: ' + error.message);
+    }
+}
+
+document.getElementById('loginButton').addEventListener('click', login);
+
+loadCommandHistory();

routes/auth.js

@@ -0,0 +1,27 @@
+const express = require('express');
+const jwt = require('jsonwebtoken');
+const router = express.Router();
+
+const JWT_SECRET = process.env.JWT_SECRET || 'your-secret-key';
+
+const users = [
+    {
+        id: 1,
+        username: process.env.ADMIN_USERNAME,
+        password: process.env.ADMIN_PASSWORD
+    }
+];
+
+router.post('/login', (req, res) => {
+    const { username, password } = req.body;
+    const user = users.find(u => u.username === username && u.password === password);
+
+    if (user) {
+        const token = jwt.sign({ id: user.id, username: user.username }, JWT_SECRET, { expiresIn: '1h' });
+        res.json({ token });
+    } else {
+        res.status(401).json({ error: '无效的用户名或密码' });
+    }
+});
+
+module.exports = router;

routes/command.js

@@ -0,0 +1,63 @@
+const express = require('express');
+const { execFile } = require('child_process');
+const fs = require('fs').promises;
+const path = require('path');
+const router = express.Router();
+
+const logger = require('../utils/logger');
+
+// 命令白名单
+const allowedCommands = ['ls', 'pwd', 'whoami', 'date', 'echo', 'cat'];
+
+// 历史命令文件路径
+const historyFilePath = path.join(__dirname, '..', 'command_history.json');
+
+router.get('/command-history', async (req, res) => {
+    try {
+        const history = await fs.readFile(historyFilePath, 'utf-8');
+        res.json(JSON.parse(history));
+    } catch (error) {
+        logger.error('读取命令历史失败:', error);
+        res.status(500).json({ error: '无法读取命令历史' });
+    }
+});
+
+router.post('/execute', async (req, res) => {
+    const { command } = req.body;
+    const baseCommand = command.split(' ')[0];
+
+    if (!allowedCommands.includes(baseCommand)) {
+        logger.warn(`用户 ${req.user.username} 尝试执行未授权的命令: ${command}`);
+        return res.status(403).json({ error: '未授权的命令' });
+    }
+
+    execFile(baseCommand, command.split(' ').slice(1), { timeout: 5000 }, async (error, stdout, stderr) => {
+        if (error) {
+            logger.error(`命令执行错误: ${error.message}`);
+            return res.status(500).json({ error: error.message });
+        }
+
+        // 记录命令历史
+        try {
+            let history = [];
+            try {
+                const historyData = await fs.readFile(historyFilePath, 'utf-8');
+                history = JSON.parse(historyData);
+            } catch (readError) {
+                // 如果文件不存在或为空，使用空数组
+            }
+
+            history.push({ command, timestamp: new Date().toISOString(), user: req.user.username });
+            if (history.length > 100) history.shift(); // 保留最近100条命令
+
+            await fs.writeFile(historyFilePath, JSON.stringify(history, null, 2));
+        } catch (writeError) {
+            logger.error('写入命令历史失败:', writeError);
+        }
+
+        logger.info(`用户 ${req.user.username} 成功执行命令: ${command}`);
+        res.json({ output: stdout, error: stderr });
+    });
+});
+
+module.exports = router;

start.sh

@@ -1,67 +0,0 @@
-#!/bin/bash
-
-echo "===== Application Startup at $(date) ====="
-whoami
-cat /etc/passwd
-
-echo "===== System Information ====="
-uname -a
-echo "CPU: $(lscpu | grep 'Model name' | cut -f 2 -d ":")"
-echo "Memory: $(free -h | awk '/^Mem:/ {print $2}')"
-echo "Disk: $(df -h / | awk 'NR==2 {print $2}')"
-echo "==============================="
-
-# 检查并生成 SSH 主机密钥（如果不存在）
-if [ ! -f /etc/dropbear/dropbear_rsa_host_key ]; then
-    echo "Generating RSA host key..."
-    dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
-fi
-
-# 启动 Dropbear，使用 2202 端口，允许密码认证，后台运行
-echo "Starting Dropbear..."
-dropbear -R -p 2202 -w -E -F &
-
-# 检查 Dropbear 是否成功启动
-for i in {1..10}; do
-    if netstat -tuln | grep :2202 > /dev/null; then
-        echo "Dropbear started successfully on port 2202"
-        break
-    fi
-    if [ $i -eq 10 ]; then
-        echo "Failed to start Dropbear after 10 attempts"
-        exit 1
-    fi
-    echo "Waiting for Dropbear to start... (attempt $i)"
-    sleep 1
-done
-
-echo "Dropbear version: $(dropbear -V 2>&1)"
-
-# 测试 SSH 连接
-echo "Testing SSH connection..."
-if ssh -p 2202 -o StrictHostKeyChecking=no user@localhost 'echo "SSH connection successful"'; then
-    echo "SSH connection test passed"
-else
-    echo "SSH connection test failed"
-    exit 1
-fi
-
-# 显示 Dropbear 进程信息
-echo "Dropbear process:"
-ps aux | grep dropbear | grep -v grep
-
-# 显示监听端口
-echo "Listening ports:"
-netstat -tuln | grep LISTEN
-
-# 启动 Node.js 应用
-echo "Starting Node.js application..."
-npm start
-
-# 检查 Node.js 应用是否成功启动
-if ! pgrep -f "node app.js" > /dev/null; then
-    echo "Failed to start Node.js application"
-    exit 1
-fi
-
-echo "Node.js application started successfully"

utils/logger.js

@@ -0,0 +1,21 @@
+const winston = require('winston');
+
+const logger = winston.createLogger({
+    level: process.env.LOG_LEVEL || 'info',
+    format: winston.format.combine(
+        winston.format.timestamp(),
+        winston.format.json()
+    ),
+    transports: [
+        new winston.transports.File({ filename: 'error.log', level: 'error' }),
+        new winston.transports.File({ filename: 'combined.log' })
+    ]
+});
+
+if (process.env.NODE_ENV !== 'production') {
+    logger.add(new winston.transports.Console({
+        format: winston.format.simple()
+    }));
+}
+
+module.exports = logger;