feat: enhance cookie management and implement pure JS SHA-256 hashing for improved compatibility and security

Author: linyuchen

doc/更新日志.txt

@@ -1,3 +1,9 @@
+V6.3.3
+更新时间 2025-10-11
+
+* 修复
+
+=================
 V6.3.2
 更新时间 2025-10-10
 

package-dist.json

@@ -1 +1 @@
-{"name":"llonebot","version":"6.3.2","type":"module","description":"","main":"llonebot.js","author":"linyuchen"}
+{"name":"llonebot","version":"6.3.3","type":"module","description":"","main":"llonebot.js","author":"linyuchen"}

src/version.ts

@@ -1,7 +1,7 @@
 import fs from 'fs'
 import packageJson from '../package-dist.json'
 
-export const version = '6.3.2'
+export const version = '6.3.3'
 
 export const writeVersion = ()=>{
   const pkgJsonPath = './package-dist.json'

src/webui/FE/utils/cookie.ts

@@ -12,15 +12,34 @@ export function setCookie(name: string, value: string, days: number = 30): void
   const date = new Date();
   date.setTime(date.getTime() + days * 24 * 60 * 60 * 1000);
   const expires = `expires=${date.toUTCString()}`;
-  
+
   // 设置 Cookie 属性
-  // SameSite=Strict: 防止 CSRF 攻击
+  // SameSite=Lax: 允许同站和顶级导航携带Cookie，适合局域网IP访问
+  //   - Strict: 完全禁止跨站请求（会导致局域网IP访问时Cookie丢失）
+  //   - Lax: 允许顶级导航（如直接访问链接），但禁止第三方站点嵌入
+  //   - None: 允许所有跨站请求（需配合Secure标志，仅HTTPS可用）
   // Secure: 仅在 HTTPS 下传输（开发环境可能是 HTTP，所以条件判断）
   // HttpOnly: 无法通过 JS 设置（但我们需要 JS 访问，所以不设置）
   const isSecure = window.location.protocol === 'https:';
   const secureFlag = isSecure ? '; Secure' : '';
-  
-  document.cookie = `${name}=${value}; ${expires}; path=/; SameSite=Strict${secureFlag}`;
+
+  // 对于非localhost的IP访问（如局域网IP），不设置SameSite属性以确保兼容性
+  const hostname = window.location.hostname;
+  const isIpAddress = /^\d+\.\d+\.\d+\.\d+$/.test(hostname);
+  const sameSiteFlag = isIpAddress ? '' : '; SameSite=Lax';
+
+  const cookieString = `${name}=${value}; ${expires}; path=/${sameSiteFlag}${secureFlag}`;
+  document.cookie = cookieString;
+
+  // 调试日志
+  // console.log('[Cookie] 设置Cookie:', {
+  //   name,
+  //   hostname,
+  //   isIpAddress,
+  //   isSecure,
+  //   cookieString,
+  //   currentCookies: document.cookie
+  // });
 }
 
 /**
@@ -31,13 +50,18 @@ export function setCookie(name: string, value: string, days: number = 30): void
 export function getCookie(name: string): string | null {
   const nameEQ = name + '=';
   const ca = document.cookie.split(';');
-  
+
   for (let i = 0; i < ca.length; i++) {
     let c = ca[i];
     while (c.charAt(0) === ' ') c = c.substring(1, c.length);
-    if (c.indexOf(nameEQ) === 0) return c.substring(nameEQ.length, c.length);
+    if (c.indexOf(nameEQ) === 0) {
+      const value = c.substring(nameEQ.length, c.length);
+      // console.log('[Cookie] 获取Cookie:', { name, value, allCookies: document.cookie });
+      return value;
+    }
   }
-  
+
+  console.log('[Cookie] 未找到Cookie:', { name, allCookies: document.cookie });
   return null;
 }
 

src/webui/FE/utils/passwordHash.ts

@@ -3,23 +3,123 @@
  * 使用 SHA-256 对密码进行哈希处理
  */
 
+/**
+ * 纯 JavaScript 实现的 SHA-256（兼容所有浏览器环境）
+ * 来源：简化版本，符合 SHA-256 标准
+ */
+function sha256Pure(message: string): string {
+  // 初始化哈希值
+  const K = [
+    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
+    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
+    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
+    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
+    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
+    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
+    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
+    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
+  ];
+
+  const utf8Encode = new TextEncoder();
+  const messageBytes = utf8Encode.encode(message);
+  const messageBits = messageBytes.length * 8;
+
+  // 填充消息
+  const paddedLength = Math.ceil((messageBits + 65) / 512) * 64;
+  const padded = new Uint8Array(paddedLength);
+  padded.set(messageBytes);
+  padded[messageBytes.length] = 0x80;
+
+  // 添加消息长度
+  const view = new DataView(padded.buffer);
+  view.setUint32(paddedLength - 4, messageBits & 0xffffffff, false);
+
+  // 初始化哈希值
+  let h0 = 0x6a09e667, h1 = 0xbb67ae85, h2 = 0x3c6ef372, h3 = 0xa54ff53a;
+  let h4 = 0x510e527f, h5 = 0x9b05688c, h6 = 0x1f83d9ab, h7 = 0x5be0cd19;
+
+  // 处理每个512位块
+  for (let chunk = 0; chunk < paddedLength; chunk += 64) {
+    const w = new Uint32Array(64);
+    for (let i = 0; i < 16; i++) {
+      w[i] = view.getUint32(chunk + i * 4, false);
+    }
+    for (let i = 16; i < 64; i++) {
+      const s0 = ((w[i - 15] >>> 7) | (w[i - 15] << 25)) ^ ((w[i - 15] >>> 18) | (w[i - 15] << 14)) ^ (w[i - 15] >>> 3);
+      const s1 = ((w[i - 2] >>> 17) | (w[i - 2] << 15)) ^ ((w[i - 2] >>> 19) | (w[i - 2] << 13)) ^ (w[i - 2] >>> 10);
+      w[i] = (w[i - 16] + s0 + w[i - 7] + s1) >>> 0;
+    }
+
+    let a = h0, b = h1, c = h2, d = h3, e = h4, f = h5, g = h6, h = h7;
+
+    for (let i = 0; i < 64; i++) {
+      const S1 = ((e >>> 6) | (e << 26)) ^ ((e >>> 11) | (e << 21)) ^ ((e >>> 25) | (e << 7));
+      const ch = (e & f) ^ (~e & g);
+      const temp1 = (h + S1 + ch + K[i] + w[i]) >>> 0;
+      const S0 = ((a >>> 2) | (a << 30)) ^ ((a >>> 13) | (a << 19)) ^ ((a >>> 22) | (a << 10));
+      const maj = (a & b) ^ (a & c) ^ (b & c);
+      const temp2 = (S0 + maj) >>> 0;
+
+      h = g;
+      g = f;
+      f = e;
+      e = (d + temp1) >>> 0;
+      d = c;
+      c = b;
+      b = a;
+      a = (temp1 + temp2) >>> 0;
+    }
+
+    h0 = (h0 + a) >>> 0;
+    h1 = (h1 + b) >>> 0;
+    h2 = (h2 + c) >>> 0;
+    h3 = (h3 + d) >>> 0;
+    h4 = (h4 + e) >>> 0;
+    h5 = (h5 + f) >>> 0;
+    h6 = (h6 + g) >>> 0;
+    h7 = (h7 + h) >>> 0;
+  }
+
+  // 输出哈希值
+  return [
+    h0.toString(16).padStart(8, '0'),
+    h1.toString(16).padStart(8, '0'),
+    h2.toString(16).padStart(8, '0'),
+    h3.toString(16).padStart(8, '0'),
+    h4.toString(16).padStart(8, '0'),
+    h5.toString(16).padStart(8, '0'),
+    h6.toString(16).padStart(8, '0'),
+    h7.toString(16).padStart(8, '0')
+  ].join('');
+}
+
 /**
  * 将字符串转换为 SHA-256 哈希
  * @param message 要哈希的字符串
  * @returns 十六进制格式的哈希值
  */
 export async function sha256(message: string): Promise<string> {
-  // 将字符串编码为 UTF-8
-  const msgBuffer = new TextEncoder().encode(message);
-  
-  // 计算哈希
-  const hashBuffer = await crypto.subtle.digest('SHA-256', msgBuffer);
-  
-  // 转换为十六进制字符串
-  const hashArray = Array.from(new Uint8Array(hashBuffer));
-  const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
-  
-  return hashHex;
+  // 优先使用纯JS实现，以确保在所有环境下都可用（包括局域网IP访问）
+  try {
+    return sha256Pure(message);
+  } catch (error) {
+    console.error('[PasswordHash] 纯JS SHA-256实现失败:', error);
+    
+    // 如果纯JS实现失败，尝试使用 Web Crypto API
+    if (typeof crypto !== 'undefined' && crypto.subtle) {
+      try {
+        const msgBuffer = new TextEncoder().encode(message);
+        const hashBuffer = await crypto.subtle.digest('SHA-256', msgBuffer);
+        const hashArray = Array.from(new Uint8Array(hashBuffer));
+        return hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
+      } catch (cryptoError) {
+        console.error('[PasswordHash] Web Crypto API失败:', cryptoError);
+      }
+    }
+    
+    // 如果所有方法都失败，抛出错误
+    throw new Error('无法计算SHA-256哈希');
+  }
 }
 
 /**