security(auth): P1 Token Refresh + sessionStorage
- 新增三個 refresh 端點(member/provider/admin),revoke 舊 token 發行新 7 天 token - axios.js / coachAxios.js:401 interceptor 改為 refresh-then-retry,含 isRefreshing queue 防並發、isRedirecting flag 防雙重 redirect - auth.js / coachAuth.js / AuthCallbackView.vue:localStorage 全改為 sessionStorage - echo.js / notificationAxios.js:同步改為 sessionStorage - notifications.js:401 時停止 polling(stopPolling),不印 error log - 新增 TokenRefreshTest.php(11 tests / 24 assertions):refresh 成功/失效/跨角色 403 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
+60
-11
@@ -6,26 +6,75 @@ const api = axios.create({
|
||||
})
|
||||
|
||||
api.interceptors.request.use((config) => {
|
||||
const token = localStorage.getItem('token')
|
||||
const token = sessionStorage.getItem('token')
|
||||
if (token) {
|
||||
config.headers.Authorization = `Bearer ${token}`
|
||||
}
|
||||
return config
|
||||
})
|
||||
|
||||
let isRefreshing = false
|
||||
let isRedirecting = false
|
||||
let pendingRequests = []
|
||||
|
||||
function resolvePending(token) {
|
||||
pendingRequests.forEach((cb) => cb(token))
|
||||
pendingRequests = []
|
||||
}
|
||||
|
||||
function rejectPending(error) {
|
||||
pendingRequests.forEach((cb) => cb(null, error))
|
||||
pendingRequests = []
|
||||
}
|
||||
|
||||
api.interceptors.response.use(
|
||||
(response) => response,
|
||||
(error) => {
|
||||
if (
|
||||
error.response?.status === 401 &&
|
||||
!error.config.url.includes('/login') &&
|
||||
!error.config.url.includes('/register')
|
||||
) {
|
||||
localStorage.removeItem('token')
|
||||
localStorage.removeItem('user')
|
||||
window.location.href = '/login'
|
||||
async (error) => {
|
||||
const config = error.config
|
||||
const status = error.response?.status
|
||||
|
||||
const isAuthEndpoint =
|
||||
config.url.includes('/login') ||
|
||||
config.url.includes('/register') ||
|
||||
config.url.includes('/refresh')
|
||||
|
||||
if (status !== 401 || isAuthEndpoint || config._retry) {
|
||||
return Promise.reject(error)
|
||||
}
|
||||
|
||||
if (isRefreshing) {
|
||||
return new Promise((resolve, reject) => {
|
||||
pendingRequests.push((token, err) => {
|
||||
if (err) return reject(err)
|
||||
config.headers.Authorization = `Bearer ${token}`
|
||||
resolve(api(config))
|
||||
})
|
||||
})
|
||||
}
|
||||
|
||||
config._retry = true
|
||||
isRefreshing = true
|
||||
|
||||
try {
|
||||
const { data } = await api.post('/member/refresh')
|
||||
const newToken = data.data.token
|
||||
sessionStorage.setItem('token', newToken)
|
||||
api.defaults.headers.common['Authorization'] = `Bearer ${newToken}`
|
||||
resolvePending(newToken)
|
||||
config.headers.Authorization = `Bearer ${newToken}`
|
||||
return api(config)
|
||||
} catch {
|
||||
rejectPending(error)
|
||||
if (!isRedirecting) {
|
||||
isRedirecting = true
|
||||
sessionStorage.removeItem('token')
|
||||
sessionStorage.removeItem('user')
|
||||
window.location.href = '/login'
|
||||
}
|
||||
return Promise.reject(error)
|
||||
} finally {
|
||||
isRefreshing = false
|
||||
}
|
||||
return Promise.reject(error)
|
||||
}
|
||||
)
|
||||
|
||||
|
||||
@@ -6,26 +6,75 @@ const coachApi = axios.create({
|
||||
})
|
||||
|
||||
coachApi.interceptors.request.use((config) => {
|
||||
const token = localStorage.getItem('coach_token')
|
||||
const token = sessionStorage.getItem('coach_token')
|
||||
if (token) {
|
||||
config.headers.Authorization = `Bearer ${token}`
|
||||
}
|
||||
return config
|
||||
})
|
||||
|
||||
let isRefreshing = false
|
||||
let isRedirecting = false
|
||||
let pendingRequests = []
|
||||
|
||||
function resolvePending(token) {
|
||||
pendingRequests.forEach((cb) => cb(token))
|
||||
pendingRequests = []
|
||||
}
|
||||
|
||||
function rejectPending(error) {
|
||||
pendingRequests.forEach((cb) => cb(null, error))
|
||||
pendingRequests = []
|
||||
}
|
||||
|
||||
coachApi.interceptors.response.use(
|
||||
(response) => response,
|
||||
(error) => {
|
||||
if (
|
||||
error.response?.status === 401 &&
|
||||
!error.config.url.includes('/login') &&
|
||||
!error.config.url.includes('/register')
|
||||
) {
|
||||
localStorage.removeItem('coach_token')
|
||||
localStorage.removeItem('coach_user')
|
||||
window.location.href = '/coach/login'
|
||||
async (error) => {
|
||||
const config = error.config
|
||||
const status = error.response?.status
|
||||
|
||||
const isAuthEndpoint =
|
||||
config.url.includes('/login') ||
|
||||
config.url.includes('/register') ||
|
||||
config.url.includes('/refresh')
|
||||
|
||||
if (status !== 401 || isAuthEndpoint || config._retry) {
|
||||
return Promise.reject(error)
|
||||
}
|
||||
|
||||
if (isRefreshing) {
|
||||
return new Promise((resolve, reject) => {
|
||||
pendingRequests.push((token, err) => {
|
||||
if (err) return reject(err)
|
||||
config.headers.Authorization = `Bearer ${token}`
|
||||
resolve(coachApi(config))
|
||||
})
|
||||
})
|
||||
}
|
||||
|
||||
config._retry = true
|
||||
isRefreshing = true
|
||||
|
||||
try {
|
||||
const { data } = await coachApi.post('/provider/refresh')
|
||||
const newToken = data.data.token
|
||||
sessionStorage.setItem('coach_token', newToken)
|
||||
coachApi.defaults.headers.common['Authorization'] = `Bearer ${newToken}`
|
||||
resolvePending(newToken)
|
||||
config.headers.Authorization = `Bearer ${newToken}`
|
||||
return coachApi(config)
|
||||
} catch {
|
||||
rejectPending(error)
|
||||
if (!isRedirecting) {
|
||||
isRedirecting = true
|
||||
sessionStorage.removeItem('coach_token')
|
||||
sessionStorage.removeItem('coach_user')
|
||||
window.location.href = '/coach/login'
|
||||
}
|
||||
return Promise.reject(error)
|
||||
} finally {
|
||||
isRefreshing = false
|
||||
}
|
||||
return Promise.reject(error)
|
||||
}
|
||||
)
|
||||
|
||||
|
||||
@@ -10,8 +10,8 @@ notificationApi.interceptors.request.use((config) => {
|
||||
// 兩者都存在時(測試情境),以當前頁面路徑決定:/coach 開頭用 coach_token,其餘用 token
|
||||
const isCoachPage = window.location.pathname.startsWith('/coach')
|
||||
const token = isCoachPage
|
||||
? (localStorage.getItem('coach_token') || localStorage.getItem('token'))
|
||||
: (localStorage.getItem('token') || localStorage.getItem('coach_token'))
|
||||
? (sessionStorage.getItem('coach_token') || sessionStorage.getItem('token'))
|
||||
: (sessionStorage.getItem('token') || sessionStorage.getItem('coach_token'))
|
||||
if (token) {
|
||||
config.headers.Authorization = `Bearer ${token}`
|
||||
}
|
||||
|
||||
@@ -4,7 +4,7 @@ import Pusher from 'pusher-js'
|
||||
window.Pusher = Pusher
|
||||
|
||||
function getAuthToken() {
|
||||
return localStorage.getItem('coach_token') || localStorage.getItem('token') || null
|
||||
return sessionStorage.getItem('coach_token') || sessionStorage.getItem('token') || null
|
||||
}
|
||||
|
||||
const echo = new Echo({
|
||||
|
||||
@@ -11,8 +11,8 @@ export const useAuthStore = defineStore('auth', () => {
|
||||
const isLoggedIn = computed(() => !!token.value)
|
||||
|
||||
function init() {
|
||||
const saved = localStorage.getItem('token')
|
||||
const savedUser = localStorage.getItem('user')
|
||||
const saved = sessionStorage.getItem('token')
|
||||
const savedUser = sessionStorage.getItem('user')
|
||||
if (saved) {
|
||||
token.value = saved
|
||||
user.value = savedUser ? JSON.parse(savedUser) : null
|
||||
@@ -25,8 +25,8 @@ export const useAuthStore = defineStore('auth', () => {
|
||||
function setAuth(userData, tokenValue) {
|
||||
user.value = userData
|
||||
token.value = tokenValue
|
||||
localStorage.setItem('token', tokenValue)
|
||||
localStorage.setItem('user', JSON.stringify(userData))
|
||||
sessionStorage.setItem('token', tokenValue)
|
||||
sessionStorage.setItem('user', JSON.stringify(userData))
|
||||
const ns = useNotificationStore()
|
||||
ns.startPolling()
|
||||
updateEchoToken()
|
||||
@@ -42,8 +42,8 @@ export const useAuthStore = defineStore('auth', () => {
|
||||
ns.stopPolling()
|
||||
user.value = null
|
||||
token.value = null
|
||||
localStorage.removeItem('token')
|
||||
localStorage.removeItem('user')
|
||||
sessionStorage.removeItem('token')
|
||||
sessionStorage.removeItem('user')
|
||||
}
|
||||
|
||||
return { user, token, isLoggedIn, init, setAuth, logout }
|
||||
|
||||
@@ -11,8 +11,8 @@ export const useCoachAuthStore = defineStore('coachAuth', () => {
|
||||
const isLoggedIn = computed(() => !!token.value)
|
||||
|
||||
function init() {
|
||||
const savedToken = localStorage.getItem('coach_token')
|
||||
const savedUser = localStorage.getItem('coach_user')
|
||||
const savedToken = sessionStorage.getItem('coach_token')
|
||||
const savedUser = sessionStorage.getItem('coach_user')
|
||||
if (savedToken) {
|
||||
token.value = savedToken
|
||||
user.value = savedUser ? JSON.parse(savedUser) : null
|
||||
@@ -25,8 +25,8 @@ export const useCoachAuthStore = defineStore('coachAuth', () => {
|
||||
function setAuth(userData, tokenValue) {
|
||||
user.value = userData
|
||||
token.value = tokenValue
|
||||
localStorage.setItem('coach_token', tokenValue)
|
||||
localStorage.setItem('coach_user', JSON.stringify(userData))
|
||||
sessionStorage.setItem('coach_token', tokenValue)
|
||||
sessionStorage.setItem('coach_user', JSON.stringify(userData))
|
||||
const ns = useNotificationStore()
|
||||
ns.startPolling()
|
||||
updateEchoToken()
|
||||
@@ -42,8 +42,8 @@ export const useCoachAuthStore = defineStore('coachAuth', () => {
|
||||
ns.stopPolling()
|
||||
user.value = null
|
||||
token.value = null
|
||||
localStorage.removeItem('coach_token')
|
||||
localStorage.removeItem('coach_user')
|
||||
sessionStorage.removeItem('coach_token')
|
||||
sessionStorage.removeItem('coach_user')
|
||||
}
|
||||
|
||||
return { user, token, isLoggedIn, init, setAuth, logout }
|
||||
|
||||
@@ -25,6 +25,7 @@ export const useNotificationStore = defineStore('notifications', () => {
|
||||
}
|
||||
}
|
||||
} catch (e) {
|
||||
if (e?.response?.status === 401) { stopPolling(); return }
|
||||
console.error('[NotificationStore] fetchUnreadCount failed:', e?.response?.status, e?.message)
|
||||
}
|
||||
}
|
||||
@@ -35,6 +36,7 @@ export const useNotificationStore = defineStore('notifications', () => {
|
||||
notifications.value = res.data.data
|
||||
unreadCount.value = res.data.unread_count
|
||||
} catch (e) {
|
||||
if (e?.response?.status === 401) { stopPolling(); return }
|
||||
console.error('[NotificationStore] fetchNotifications failed:', e?.response?.status, e?.message)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -18,7 +18,7 @@ onMounted(async () => {
|
||||
}
|
||||
|
||||
// 存 token 先,再拉 profile
|
||||
localStorage.setItem('token', token)
|
||||
sessionStorage.setItem('token', token)
|
||||
try {
|
||||
const res = await api.get('/member/profile')
|
||||
auth.setAuth(res.data.data, token)
|
||||
|
||||
Reference in New Issue
Block a user