Fix stale sessions after container restart

Author: so

docs/changelog.md

@@ -1,5 +1,28 @@
 # 版本更新日志
 
+## v0.0.3
+
+发布时间：2026-05-24
+
+### 修复
+
+- 修复 Docker 容器重启后旧页面继续轮询导致 `invalid or expired session` 反复刷错误日志的问题。
+  - 面板接口返回登录过期后，前端会自动清理本地登录状态、停止轮询并回到登录页。
+  - 后端将登录过期类请求从 `ERROR` 降为 `INFO`，避免正常会话失效刷屏污染错误日志。
+
+- 修复容器重启后旧页面可能使用旧 RSA 公钥提交登录或配置请求，导致 `failed to decrypt request key: decryption error` 的问题。
+  - 前端每次提交加密请求前都会重新获取当前后端公钥。
+  - `/api/public-key` 返回 `Cache-Control: no-store`，避免浏览器或中间代理缓存旧公钥。
+  - 解密失败这类请求格式问题调整为 `WARN` 日志。
+
+### 验证
+
+- `cargo fmt --check`
+- `cargo clippy --all-targets -- -D warnings`
+- `cargo test`
+- `cd frontend && npm run build`
+- `cargo build --release --locked`
+
 ## v0.0.2
 
 发布时间：2026-05-24

frontend/src/App.vue

@@ -974,10 +974,28 @@ async function api<T>(path: string, init: RequestInit = {}): Promise<T> {
   headers.set('Content-Type', 'application/json')
   if (token.value) headers.set('Authorization', `Bearer ${token.value}`)
   const response = await fetch(path, { ...init, headers })
-  if (!response.ok) throw new Error(await response.text())
+  if (!response.ok) {
+    const message = await response.text()
+    if (response.status === 401 && token.value && !isAuthBootstrapPath(path)) {
+      handleAuthExpired()
+    }
+    throw new Error(message)
+  }
   return response.json() as Promise<T>
 }
 
+function isAuthBootstrapPath(path: string) {
+  return path === '/api/login' || path === '/api/setup' || path === '/api/setup-status'
+}
+
+function handleAuthExpired() {
+  token.value = ''
+  clearStoredToken()
+  stopDashboardPolling()
+  mode.value = 'login'
+  error.value = '登录已过期，请重新登录'
+}
+
 async function fetchPublicKey() {
   const response = await api<PublicKeyResponse>('/api/public-key')
   if (!hasWebCrypto()) {
@@ -999,7 +1017,7 @@ async function fetchPublicKey() {
 }
 
 async function encryptPayload(name: string, value: unknown) {
-  if (!publicKey.value) publicKey.value = await fetchPublicKey()
+  publicKey.value = await fetchPublicKey()
   const aesKey = randomBytes(32)
   const fieldName = randomFieldName()
   const iv = randomBytes(12)

src/crypto_api.rs

@@ -4,7 +4,12 @@ use aes_gcm::{
     Aes256Gcm, Nonce,
     aead::{Aead, KeyInit},
 };
-use axum::{Json, extract::State};
+use axum::{
+    Json,
+    extract::State,
+    http::header,
+    response::{IntoResponse, Response},
+};
 use base64::{Engine, engine::general_purpose::URL_SAFE_NO_PAD};
 use rsa::{
     Oaep, RsaPrivateKey, RsaPublicKey,
@@ -112,11 +117,15 @@ struct PlainField {
     value: Value,
 }
 
-pub async fn public_key(State(state): State<AppState>) -> Json<PublicKeyResponse> {
-    Json(PublicKeyResponse {
-        algorithm: "RSA-OAEP-256/AES-256-GCM",
-        public_key_pem: (*state.crypto_keys.public_key_pem).clone(),
-    })
+pub async fn public_key(State(state): State<AppState>) -> Response {
+    (
+        [(header::CACHE_CONTROL, "no-store")],
+        Json(PublicKeyResponse {
+            algorithm: "RSA-OAEP-256/AES-256-GCM",
+            public_key_pem: (*state.crypto_keys.public_key_pem).clone(),
+        }),
+    )
+        .into_response()
 }
 
 fn decode_b64(value: &str) -> AppResult<Vec<u8>> {

src/error.rs

@@ -63,7 +63,11 @@ impl AppError {
 
 impl IntoResponse for AppError {
     fn into_response(self) -> Response {
-        tracing::error!(error = %self, "request failed");
+        match &self {
+            Self::Unauthorized(_) => tracing::info!(error = %self, "request unauthorized"),
+            Self::Validation(_) => tracing::warn!(error = %self, "request validation failed"),
+            _ => tracing::error!(error = %self, "request failed"),
+        }
         (self.status(), self.client_message()).into_response()
     }
 }