ok

app.js

@@ -1,11 +1,10 @@
 const express = require('express');
 const winston = require('winston');
-const fs = require('fs').promises;
 const path = require('path');
 const rateLimit = require('express-rate-limit');
-const { promises: fsPromises } = require('fs');
 const helmet = require('helmet');
 const jwt = require('jsonwebtoken');
+const cors = require('cors');
 
 const app = express();
 const port = process.env.PORT || 7860;
@@ -31,11 +30,12 @@ if (process.env.NODE_ENV !== 'production') {
 
 // 安全中间件
 app.use(helmet());
+app.use(cors());
 
 // 速率限制
 const limiter = rateLimit({
-    windowMs: 15 * 60 * 1000, // 15分钟
-    max: 100 // 每个IP限制100个请求
+    windowMs: 15 * 60 * 1000,
+    max: 100
 });
 app.use('/api', limiter);
 
@@ -78,16 +78,19 @@ app.use((err, req, res, next) => {
     res.status(500).json({ error: '服务器内部错误' });
 });
 
-// 确保命令历史文件存在
-const historyFilePath = path.join(__dirname, 'data', 'command_history.json');
-fsPromises.access(historyFilePath)
-    .catch(() => fsPromises.writeFile(historyFilePath, '[]'))
-    .then(() => {
+// 启动服务器
+const startServer = async () => {
+    try {
+        const historyFilePath = path.join(__dirname, 'data', 'command_history.json');
+        await fs.promises.access(historyFilePath).catch(() => fs.promises.writeFile(historyFilePath, '[]'));
+
         app.listen(port, () => {
             logger.info(`Web 命令执行应用正在监听 http://localhost:${port}`);
         });
-    })
-    .catch(err => {
+    } catch (err) {
         logger.error('无法创建命令历史文件:', err);
         process.exit(1);
-    });
+    }
+};
+
+startServer();

public/index.html

@@ -7,9 +7,8 @@
     <title>Web 命令执行</title>
     <script src="https://cdn.tailwindcss.com"></script>
     <script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/xss.min.js"></script>
+    <link href="https://fonts.googleapis.com/css2?family=Noto+Sans+SC:wght@400;700&display=swap" rel="stylesheet">
     <style>
-        @import url('https://fonts.googleapis.com/css2?family=Noto+Sans+SC:wght@400;700&display=swap');
-
         body {
             font-family: 'Noto Sans SC', sans-serif;
         }

public/js/main.js

@@ -11,8 +11,8 @@ commandInput.addEventListener('keypress', function (event) {
 });
 
 async function executeCommand() {
-    const command = commandInput.value;
-    if (!command.trim()) return;
+    const command = commandInput.value.trim();
+    if (!command) return;
 
     showLoading(true);
     output.textContent = '正在执行命令...';
@@ -30,7 +30,7 @@ async function executeCommand() {
         if (response.ok) {
             output.textContent = data.output || data.error;
             commandInput.value = '';
-            loadCommandHistory();
+            await loadCommandHistory();
         } else {
             output.textContent = `错误: ${data.error}`;
         }
@@ -83,7 +83,7 @@ async function login() {
             localStorage.setItem('token', data.token);
             document.getElementById('loginForm').style.display = 'none';
             document.getElementById('commandInterface').style.display = 'block';
-            loadCommandHistory();
+            await loadCommandHistory();
         } else {
             alert('登录失败: ' + data.error);
         }
@@ -94,8 +94,6 @@ async function login() {
 
 document.getElementById('loginButton').addEventListener('click', login);
 
-loadCommandHistory();
-
 function checkLoginStatus() {
     const token = localStorage.getItem('token');
     if (token) {
@@ -105,7 +103,5 @@ function checkLoginStatus() {
     }
 }
 
-// 在页面加载时调用此函数
 window.addEventListener('load', checkLoginStatus);
-
 document.getElementById('executeButton').addEventListener('click', executeCommand);

routes/auth.js

@@ -1,23 +1,25 @@
 const express = require('express');
 const jwt = require('jsonwebtoken');
 const router = express.Router();
+const bcrypt = require('bcrypt');
 
 const JWT_SECRET = process.env.JWT_SECRET || 'your-secret-key';
+const JWT_EXPIRES_IN = process.env.JWT_EXPIRES_IN || '1h';
 
 const users = [
     {
         id: 1,
         username: process.env.ADMIN_USERNAME,
-        password: process.env.ADMIN_PASSWORD
+        password: bcrypt.hashSync(process.env.ADMIN_PASSWORD, 10)
     }
 ];
 
-router.post('/login', (req, res) => {
+router.post('/login', async (req, res) => {
     const { username, password } = req.body;
-    const user = users.find(u => u.username === username && u.password === password);
+    const user = users.find(u => u.username === username);
 
-    if (user) {
-        const token = jwt.sign({ id: user.id, username: user.username }, JWT_SECRET, { expiresIn: '1h' });
+    if (user && await bcrypt.compare(password, user.password)) {
+        const token = jwt.sign({ id: user.id, username: user.username }, JWT_SECRET, { expiresIn: JWT_EXPIRES_IN });
         res.json({ token });
     } else {
         res.status(401).json({ error: '无效的用户名或密码' });

routes/command.js

@@ -6,21 +6,13 @@ const router = express.Router();
 
 const logger = require('../utils/logger');
 
-// 命令白名单
 const allowedCommands = ['ls', 'pwd', 'whoami', 'date', 'echo', 'cat'];
-
-// 历史命令文件路径
 const historyFilePath = path.join(__dirname, '..', 'data', 'command_history.json');
 
 router.get('/command-history', async (req, res) => {
     try {
-        let history = [];
-        try {
-            const historyData = await fs.readFile(historyFilePath, 'utf-8');
-            history = JSON.parse(historyData);
-        } catch (readError) {
-            logger.warn('读取命令历史失败,使用空数组:', readError);
-        }
+        const historyData = await fs.readFile(historyFilePath, 'utf-8');
+        const history = JSON.parse(historyData);
         res.json(history);
     } catch (error) {
         logger.error('处理命令历史请求失败:', error);
@@ -32,7 +24,6 @@ router.post('/execute', async (req, res) => {
     const { command } = req.body;
     const baseCommand = command.split(' ')[0];
 
-    // 白名单检查的部分
     // if (!allowedCommands.includes(baseCommand)) {
     //     logger.warn(`用户 ${req.user.username} 尝试执行未授权的命令: ${command}`);
     //     return res.status(403).json({ error: '未授权的命令' });
@@ -44,19 +35,11 @@ router.post('/execute', async (req, res) => {
             return res.status(500).json({ error: error.message });
         }
 
-        // 记录命令历史
         try {
-            let history = [];
-            try {
-                const historyData = await fs.readFile(historyFilePath, 'utf-8');
-                history = JSON.parse(historyData);
-            } catch (readError) {
-                // 如果文件不存在或为空，使用空数组
-            }
-
+            const historyData = await fs.readFile(historyFilePath, 'utf-8');
+            let history = JSON.parse(historyData);
             history.push({ command, timestamp: new Date().toISOString(), user: req.user.username });
-            if (history.length > 100) history.shift(); // 保留最近100条命令
-
+            history = history.slice(-100); // 保留最近100条命令
             await fs.writeFile(historyFilePath, JSON.stringify(history, null, 2));
         } catch (writeError) {
             logger.error('写入命令历史失败:', writeError);

utils/logger.js

@@ -1,4 +1,7 @@
 const winston = require('winston');
+const path = require('path');
+
+const logDir = path.join(__dirname, '..', 'logs');
 
 const logger = winston.createLogger({
     level: process.env.LOG_LEVEL || 'info',
@@ -7,8 +10,8 @@ const logger = winston.createLogger({
         winston.format.json()
     ),
     transports: [
-        new winston.transports.File({ filename: 'error.log', level: 'error' }),
-        new winston.transports.File({ filename: 'combined.log' })
+        new winston.transports.File({ filename: path.join(logDir, 'error.log'), level: 'error' }),
+        new winston.transports.File({ filename: path.join(logDir, 'combined.log') })
     ]
 });