codex-endpoint-switcher 1.6.1 → 1.6.3

package/README.md

@@ -68,6 +68,7 @@ codex-switcher remove-access
 - `sync-server`：启动账号同步服务，服务端使用 SQLite 单文件数据库
 - `install-access`：创建桌面快捷方式和开机启动项
 - `remove-access`：移除桌面快捷方式和开机启动项
+- 启动器现在会优先记录并复用自己的 PID 文件，关闭和重启比之前更稳
 
 ## 网页地址
 
@@ -142,6 +143,8 @@ codex-switcher sync-server
 
 - 拉取前会自动备份本机 `~/.codex/endpoint-presets.json` 和 `~/.codex/endpoint-switcher-state.json`
 - 服务端数据库是 SQLite，部署只需要一个 Node 进程和一个 `.db` 文件
+- `/api/auth/register` 和 `/api/auth/login` 已内置限流与失败冻结，默认会在连续错误后短时封禁
+- Windows 客户端会优先用 DPAPI 加密本地同步令牌，不再把登录 token 明文写进 `~/.codex/cloud-sync-config.json`
 
 ## 版本更新提示
 
@@ -149,7 +152,7 @@ codex-switcher sync-server
 - 如果你发布了新版本，其他用户打开控制台后会看到“发现新版本”的提示
 - 用户可以直接点 `立即更新`，程序会自动关闭、更新并重新打开
 - 也可以继续使用“复制升级命令”手动更新
-- 上一次自动更新的成功或失败结果会记录到本地，下次打开控制台会显示结果
+- 自动更新成功记录只会提示一次，失败记录会保留，方便排查问题
 
 也可以用 CLI 手动检查：
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codex-endpoint-switcher",
-  "version": "1.6.1",
+  "version": "1.6.3",
   "description": "用于切换 Codex URL 和 Key 的本地网页控制台与 npm CLI",
   "main": "src/main/main.js",
   "bin": {

package/src/main/auto-update-runner.js

@@ -3,6 +3,8 @@ const { spawn } = require("node:child_process");
 
 const WAIT_PARENT_EXIT_TIMEOUT_MS = 20000;
 const WAIT_PARENT_POLL_MS = 400;
+const INSTALL_RETRY_TIMES = 3;
+const INSTALL_RETRY_BASE_DELAY_MS = 1500;
 
 function sleep(timeoutMs) {
   return new Promise((resolve) => {
@@ -38,9 +40,10 @@ function runProcess(command, args, options = {}) {
       stderr += chunk.toString("utf8");
     });
 
-    child.on("exit", (code) => {
+    child.on("exit", (code, signal) => {
       resolve({
-        code: Number(code || 0),
+        code: normalizeExitCode(code),
+        signal: signal || "",
         stdout,
         stderr,
       });
@@ -56,6 +59,78 @@ function runProcess(command, args, options = {}) {
   });
 }
 
+function normalizeExitCode(code) {
+  const safeCode = Number(code || 0);
+  if (!Number.isFinite(safeCode)) {
+    return 0;
+  }
+
+  if (safeCode > 0x7fffffff) {
+    return safeCode - 0x100000000;
+  }
+
+  return safeCode;
+}
+
+function isBusyInstallFailure(result) {
+  const combined = `${result.stdout || ""}\n${result.stderr || ""}`.toUpperCase();
+  return (
+    result.code === -4082 ||
+    combined.includes("EBUSY") ||
+    combined.includes("RESOURCE BUSY OR LOCKED") ||
+    combined.includes("EPERM") ||
+    combined.includes("OPERATION NOT PERMITTED")
+  );
+}
+
+async function installLatestPackage(payload) {
+  let lastResult = null;
+
+  for (let attempt = 1; attempt <= INSTALL_RETRY_TIMES; attempt += 1) {
+    if (attempt > 1) {
+      await appendLog(
+        payload.logPath,
+        `[${new Date().toISOString()}] 检测到文件占用，开始第 ${attempt} 次重试安装。\n`,
+      );
+      await sleep(INSTALL_RETRY_BASE_DELAY_MS * attempt);
+    }
+
+    const result = await runProcess(
+      payload.nodePath,
+      [payload.npmCliPath, "install", "-g", `${payload.packageName}@latest`],
+      {
+        cwd: process.cwd(),
+        env: process.env,
+      },
+    );
+
+    if (result.stdout) {
+      await appendLog(payload.logPath, result.stdout);
+    }
+    if (result.stderr) {
+      await appendLog(payload.logPath, result.stderr);
+    }
+
+    lastResult = result;
+    if (result.code === 0) {
+      return result;
+    }
+
+    if (!isBusyInstallFailure(result) || attempt >= INSTALL_RETRY_TIMES) {
+      return result;
+    }
+  }
+
+  return (
+    lastResult || {
+      code: 1,
+      signal: "",
+      stdout: "",
+      stderr: "自动更新安装没有返回结果。",
+    }
+  );
+}
+
 function isProcessAlive(pid) {
   try {
     process.kill(pid, 0);
@@ -145,25 +220,13 @@ async function main() {
   await sleep(Number(payload.waitSeconds || 3) * 1000);
   await waitForProcessExit(Number(payload.parentPid || 0), payload.logPath);
 
-  const installResult = await runProcess(
-    payload.nodePath,
-    [payload.npmCliPath, "install", "-g", `${payload.packageName}@latest`],
-    {
-      cwd: process.cwd(),
-      env: process.env,
-    },
-  );
-
-  if (installResult.stdout) {
-    await appendLog(payload.logPath, installResult.stdout);
-  }
-  if (installResult.stderr) {
-    await appendLog(payload.logPath, installResult.stderr);
-  }
+  const installResult = await installLatestPackage(payload);
 
   if (installResult.code !== 0) {
     const finishedAt = new Date().toISOString();
-    const errorMessage = `npm 安装失败，退出码：${installResult.code}`;
+    const errorMessage = isBusyInstallFailure(installResult)
+      ? `npm 安装失败：文件仍被占用，请稍后重试或先手动关闭占用进程。退出码：${installResult.code}`
+      : `npm 安装失败，退出码：${installResult.code}`;
     await appendLog(payload.logPath, `[${finishedAt}] ${errorMessage}\n`);
     await writeState(payload.statePath, {
       status: "failed",

package/src/main/cloud-sync-client.js

@@ -1,10 +1,15 @@
 const fs = require("node:fs/promises");
 const path = require("node:path");
 const os = require("node:os");
+const crypto = require("node:crypto");
+const { execFile } = require("node:child_process");
+const { promisify } = require("node:util");
 const profileManager = require("./profile-manager");
 
 const codexRoot = path.join(os.homedir(), ".codex");
 const cloudSyncConfigPath = path.join(codexRoot, "cloud-sync-config.json");
+const cloudSyncKeyPath = path.join(codexRoot, "cloud-sync.key");
+const execFileAsync = promisify(execFile);
 
 function normalizeServerUrl(value) {
   const raw = String(value || "").trim();
@@ -80,6 +85,8 @@ async function ensureStorage() {
           serverUrl: getDefaultServerUrl(),
           username: "",
           authToken: "",
+          authTokenProtection: "",
+          authTokenProtected: "",
           tokenExpiresAt: "",
           lastPushAt: "",
           lastPullAt: "",
@@ -92,15 +99,177 @@ async function ensureStorage() {
   }
 }
 
+async function runPowerShell(command, env = {}) {
+  const result = await execFileAsync(
+    "powershell.exe",
+    [
+      "-NoProfile",
+      "-NonInteractive",
+      "-ExecutionPolicy",
+      "Bypass",
+      "-Command",
+      command,
+    ],
+    {
+      windowsHide: true,
+      env: {
+        ...process.env,
+        ...env,
+      },
+      maxBuffer: 1024 * 1024,
+    },
+  );
+
+  return String(result.stdout || "").trim();
+}
+
+async function protectWithWindowsDpapi(plainText) {
+  const payload = Buffer.from(String(plainText || ""), "utf8").toString("base64");
+  return runPowerShell(
+    [
+      "Add-Type -AssemblyName System.Security",
+      "$plainBytes = [Convert]::FromBase64String($env:CODEX_SWITCHER_PLAIN_BASE64)",
+      "$cipherBytes = [System.Security.Cryptography.ProtectedData]::Protect($plainBytes, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)",
+      "[Convert]::ToBase64String($cipherBytes)",
+    ].join("; "),
+    {
+      CODEX_SWITCHER_PLAIN_BASE64: payload,
+    },
+  );
+}
+
+async function unprotectWithWindowsDpapi(cipherText) {
+  return runPowerShell(
+    [
+      "Add-Type -AssemblyName System.Security",
+      "$cipherBytes = [Convert]::FromBase64String($env:CODEX_SWITCHER_CIPHER_BASE64)",
+      "$plainBytes = [System.Security.Cryptography.ProtectedData]::Unprotect($cipherBytes, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)",
+      "[System.Text.Encoding]::UTF8.GetString($plainBytes)",
+    ].join("; "),
+    {
+      CODEX_SWITCHER_CIPHER_BASE64: String(cipherText || "").trim(),
+    },
+  );
+}
+
+async function ensureLocalAesKey() {
+  await ensureStorage();
+
+  try {
+    const stored = await fs.readFile(cloudSyncKeyPath, "utf8");
+    const normalized = stored.trim();
+    if (normalized) {
+      return Buffer.from(normalized, "base64");
+    }
+  } catch {
+    // 首次写入时继续生成本地密钥。
+  }
+
+  const key = crypto.randomBytes(32);
+  await fs.writeFile(cloudSyncKeyPath, `${key.toString("base64")}\n`, "utf8");
+  return key;
+}
+
+async function protectWithLocalAes(plainText) {
+  const key = await ensureLocalAesKey();
+  const iv = crypto.randomBytes(12);
+  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
+  const encrypted = Buffer.concat([cipher.update(String(plainText || ""), "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return Buffer.concat([iv, tag, encrypted]).toString("base64");
+}
+
+async function unprotectWithLocalAes(cipherText) {
+  const key = await ensureLocalAesKey();
+  const payload = Buffer.from(String(cipherText || "").trim(), "base64");
+  if (payload.length < 29) {
+    throw new Error("本地同步令牌数据不完整。");
+  }
+
+  const iv = payload.subarray(0, 12);
+  const tag = payload.subarray(12, 28);
+  const encrypted = payload.subarray(28);
+  const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
+  decipher.setAuthTag(tag);
+  return Buffer.concat([decipher.update(encrypted), decipher.final()]).toString("utf8");
+}
+
+async function protectToken(plainText) {
+  const value = String(plainText || "").trim();
+  if (!value) {
+    return {
+      protection: "",
+      protectedValue: "",
+    };
+  }
+
+  if (process.platform === "win32") {
+    try {
+      return {
+        protection: "dpapi",
+        protectedValue: await protectWithWindowsDpapi(value),
+      };
+    } catch {
+      // Windows DPAPI 不可用时回退到本地 AES，避免登录态明文落盘。
+    }
+  }
+
+  return {
+    protection: "aes-256-gcm",
+    protectedValue: await protectWithLocalAes(value),
+  };
+}
+
+async function unprotectToken(config) {
+  const protection = String(config.authTokenProtection || "").trim();
+  const protectedValue = String(config.authTokenProtected || "").trim();
+  const legacyToken = String(config.authToken || "").trim();
+
+  if (protectedValue) {
+    if (protection === "dpapi") {
+      return {
+        authToken: await unprotectWithWindowsDpapi(protectedValue),
+        hasStoredToken: true,
+        tokenError: "",
+      };
+    }
+
+    if (protection === "aes-256-gcm") {
+      return {
+        authToken: await unprotectWithLocalAes(protectedValue),
+        hasStoredToken: true,
+        tokenError: "",
+      };
+    }
+
+    return {
+      authToken: "",
+      hasStoredToken: true,
+      tokenError: "本地同步令牌保护方式无法识别，请重新登录。",
+    };
+  }
+
+  return {
+    authToken: legacyToken,
+    hasStoredToken: Boolean(legacyToken),
+    tokenError: "",
+  };
+}
+
 async function readConfig() {
   await ensureStorage();
   const content = await fs.readFile(cloudSyncConfigPath, "utf8");
   const config = JSON.parse(content);
+  const tokenInfo = await unprotectToken(config);
 
   return {
     serverUrl: String(config.serverUrl || getDefaultServerUrl()).trim(),
     username: String(config.username || "").trim(),
-    authToken: String(config.authToken || "").trim(),
+    authToken: String(tokenInfo.authToken || "").trim(),
+    hasStoredToken: Boolean(tokenInfo.hasStoredToken),
+    authTokenProtection: String(config.authTokenProtection || "").trim(),
+    authTokenProtected: String(config.authTokenProtected || "").trim(),
+    tokenError: String(tokenInfo.tokenError || "").trim(),
     tokenExpiresAt: String(config.tokenExpiresAt || "").trim(),
     lastPushAt: String(config.lastPushAt || "").trim(),
     lastPullAt: String(config.lastPullAt || "").trim(),
@@ -109,7 +278,25 @@ async function readConfig() {
 
 async function writeConfig(config) {
   await ensureStorage();
-  await fs.writeFile(cloudSyncConfigPath, `${JSON.stringify(config, null, 2)}\n`, "utf8");
+  const tokenPayload = await protectToken(config.authToken);
+  await fs.writeFile(
+    cloudSyncConfigPath,
+    `${JSON.stringify(
+      {
+        serverUrl: String(config.serverUrl || getDefaultServerUrl()).trim(),
+        username: String(config.username || "").trim(),
+        authToken: "",
+        authTokenProtection: tokenPayload.protection,
+        authTokenProtected: tokenPayload.protectedValue,
+        tokenExpiresAt: String(config.tokenExpiresAt || "").trim(),
+        lastPushAt: String(config.lastPushAt || "").trim(),
+        lastPullAt: String(config.lastPullAt || "").trim(),
+      },
+      null,
+      2,
+    )}\n`,
+    "utf8",
+  );
 }
 
 async function requestJson(serverUrl, pathname, options = {}) {
@@ -150,14 +337,14 @@ async function getCloudSyncStatus() {
     configPath: cloudSyncConfigPath,
     serverUrl: config.serverUrl,
     username: config.username,
-    hasToken: Boolean(config.authToken),
+    hasToken: Boolean(config.hasStoredToken),
     loggedIn: false,
     tokenExpiresAt: config.tokenExpiresAt,
     lastPushAt: config.lastPushAt,
     lastPullAt: config.lastPullAt,
     remoteUser: "",
     remoteProfileUpdatedAt: "",
-    lastError: "",
+    lastError: config.tokenError || "",
   };
 
   if (!config.serverUrl || !config.authToken) {
@@ -252,6 +439,10 @@ async function logoutAccount() {
 
 async function requireLoggedInConfig() {
   const config = await readConfig();
+  if (config.tokenError) {
+    throw new Error(config.tokenError);
+  }
+
   if (!config.authToken) {
     throw new Error("当前还没有登录同步账号。");
   }

package/src/main/profile-manager.js

@@ -559,23 +559,54 @@ async function updateEndpoint(id, payload) {
   }
 
   const endpoint = validateEndpointPayload(payload);
-  const endpoints = await readEndpointStore();
+  const [endpoints, currentState, state] = await Promise.all([
+    readEndpointStore(),
+    readCurrentConfigAndAuth(),
+    readEndpointState(),
+  ]);
   const index = endpoints.findIndex((item) => item.id === safeId);
 
   if (index === -1) {
     throw new Error("未找到要更新的端点。");
   }
 
-  endpoints[index] = {
-    ...endpoints[index],
+  const previousEndpoint = endpoints[index];
+  const nextEndpoint = {
+    ...previousEndpoint,
     note: endpoint.note,
     url: endpoint.url,
     key: endpoint.key,
     updatedAt: new Date().toISOString(),
   };
+  endpoints[index] = nextEndpoint;
+
+  const shouldSyncDirectConfig = Boolean(
+    !currentState.proxyModeEnabled && state.activeEndpointId === safeId && currentState.provider,
+  );
+
+  let backupPaths = {};
+  if (shouldSyncDirectConfig) {
+    const nextConfigContent = updateProviderBaseUrl(
+      currentState.configContent,
+      currentState.provider,
+      nextEndpoint.url,
+    );
+    const nextAuthConfig = {
+      ...currentState.authConfig,
+      OPENAI_API_KEY: nextEndpoint.key,
+    };
+
+    backupPaths = await backupCurrentState();
+    await writeTextFile(mainConfigPath, nextConfigContent);
+    await writeJsonFile(authConfigPath, nextAuthConfig);
+  }
 
   await writeEndpointStore(endpoints);
-  return buildEndpointResponse(endpoints[index], "");
+  return {
+    ...backupPaths,
+    syncedCurrentConfig: shouldSyncDirectConfig,
+    ...buildEndpointResponse(nextEndpoint, ""),
+  };
 }
 
 async function deleteEndpoint(id) {
@@ -592,19 +623,28 @@ async function deleteEndpoint(id) {
   }
 
   const [removed] = endpoints.splice(index, 1);
-  await writeEndpointStore(endpoints);
-
   const state = await readEndpointState();
-  if (state.activeEndpointId === removed.id) {
-    await writeEndpointState({
-      ...state,
-      activeEndpointId: "",
-    });
+  const deletingActiveEndpoint = state.activeEndpointId === removed.id;
+
+  if (state.proxyModeEnabled && deletingActiveEndpoint && endpoints.length === 0) {
+    throw new Error("当前正在使用这条热更新连接，至少保留一条连接后再删除。");
+  }
+
+  let nextActiveEndpointId = state.activeEndpointId;
+  if (deletingActiveEndpoint) {
+    nextActiveEndpointId = endpoints[0]?.id || "";
   }
 
+  await writeEndpointStore(endpoints);
+  await writeEndpointState({
+    ...state,
+    activeEndpointId: nextActiveEndpointId,
+  });
+
   return {
     id: removed.id,
     note: removed.note,
+    nextActiveEndpointId,
   };
 }
 

package/src/main/update-service.js

@@ -26,6 +26,36 @@ function getAutoUpdateStatePath() {
   return path.join(stateDir, "codex-switcher-auto-update.json");
 }
 
+function getAutoUpdateRuntimeDir() {
+  const runtimeDir = path.join(os.homedir(), ".codex", "runtime");
+  fs.mkdirSync(runtimeDir, { recursive: true });
+  return runtimeDir;
+}
+
+function cleanupStagedAutoUpdateRunners(runtimeDir) {
+  const staleBeforeMs = Date.now() - 24 * 60 * 60 * 1000;
+
+  for (const entry of fs.readdirSync(runtimeDir, { withFileTypes: true })) {
+    if (
+      !entry.isFile() ||
+      !entry.name.startsWith("codex-switcher-auto-update-runner-") ||
+      !entry.name.endsWith(".js")
+    ) {
+      continue;
+    }
+
+    const fullPath = path.join(runtimeDir, entry.name);
+    try {
+      const stats = fs.statSync(fullPath);
+      if (stats.mtimeMs < staleBeforeMs) {
+        fs.unlinkSync(fullPath);
+      }
+    } catch {
+      // 文件被占用或刚被其他进程删除时忽略。
+    }
+  }
+}
+
 function readAutoUpdateState() {
   try {
     const content = fs.readFileSync(getAutoUpdateStatePath(), "utf8");
@@ -44,6 +74,35 @@ function writeAutoUpdateState(payload) {
   );
 }
 
+function clearAutoUpdateState() {
+  try {
+    fs.unlinkSync(getAutoUpdateStatePath());
+  } catch {
+    // 状态文件不存在时忽略。
+  }
+}
+
+function consumeAutoUpdateState() {
+  const state = readAutoUpdateState();
+  if (!state) {
+    return null;
+  }
+
+  if (state.status === "succeeded") {
+    if (state.reportedAt) {
+      clearAutoUpdateState();
+      return null;
+    }
+
+    writeAutoUpdateState({
+      ...state,
+      reportedAt: new Date().toISOString(),
+    });
+  }
+
+  return state;
+}
+
 function resolveRuntimePaths() {
   const nodePath = process.execPath;
   const nodeDir = path.dirname(nodePath);
@@ -71,6 +130,17 @@ function resolveRuntimePaths() {
   };
 }
 
+function stageAutoUpdateRunner() {
+  const runtimeDir = getAutoUpdateRuntimeDir();
+  cleanupStagedAutoUpdateRunners(runtimeDir);
+  const stagedRunnerPath = path.join(
+    runtimeDir,
+    `codex-switcher-auto-update-runner-${Date.now()}.js`,
+  );
+  fs.copyFileSync(runnerEntryPath, stagedRunnerPath);
+  return stagedRunnerPath;
+}
+
 function sleep(timeoutMs) {
   return new Promise((resolve) => {
     setTimeout(resolve, timeoutMs);
@@ -109,7 +179,7 @@ function buildStatus(payload = {}) {
   const currentVersion = packageInfo.version;
   const latestVersion = payload.latestVersion || currentVersion;
   const hasUpdate = compareVersions(latestVersion, currentVersion) > 0;
-  const autoUpdateState = payload.autoUpdateState || readAutoUpdateState();
+  const autoUpdateState = payload.autoUpdateState || consumeAutoUpdateState();
 
   return {
     packageName: packageInfo.name,
@@ -188,6 +258,7 @@ function scheduleAutoUpdate(options = {}) {
   const logPath = getAutoUpdateLogPath();
   const statePath = getAutoUpdateStatePath();
   const runtimePaths = resolveRuntimePaths();
+  const stagedRunnerPath = stageAutoUpdateRunner();
 
   writeAutoUpdateState({
     status: "scheduled",
@@ -217,7 +288,7 @@ function scheduleAutoUpdate(options = {}) {
     "utf8",
   ).toString("base64url");
 
-  const child = spawn(process.execPath, [runnerEntryPath, payload], {
+  const child = spawn(process.execPath, [stagedRunnerPath, payload], {
     cwd: os.homedir(),
     detached: true,
     stdio: "ignore",
@@ -237,6 +308,7 @@ function scheduleAutoUpdate(options = {}) {
 }
 
 module.exports = {
+  clearAutoUpdateState,
   getUpdateStatus,
   scheduleAutoUpdate,
 };

package/src/renderer/renderer.js

@@ -724,15 +724,21 @@ async function handleSubmitEndpoint(event) {
   }
 
   try {
+    let result;
     if (id) {
-      await bridge.updateEndpoint({ id, note, url, key });
+      result = await bridge.updateEndpoint({ id, note, url, key });
     } else {
-      await bridge.createEndpoint({ note, url, key });
+      result = await bridge.createEndpoint({ note, url, key });
     }
 
     await refreshDashboard(false);
     closeEndpointModal();
     resetForm();
+    if (id && result?.syncedCurrentConfig) {
+      setStatus(`已更新连接：${note}，并同步到当前 Codex 配置。`, "success");
+      return;
+    }
+
     setStatus(id ? `已更新连接：${note}` : `已新增连接：${note}`, "success");
   } catch (error) {
     if (isUnauthorizedError(error)) {

package/src/web/cloud-sync-server.js

@@ -10,6 +10,12 @@ const defaultDbPath = path.join(defaultRoot, "cloud-sync.db");
 const defaultHost = process.env.SYNC_SERVER_HOST || "127.0.0.1";
 const defaultPort = Number(process.env.SYNC_SERVER_PORT || 3190);
 const sessionTtlDays = Number(process.env.SYNC_SERVER_SESSION_DAYS || 30);
+const authWindowMs = Number(process.env.SYNC_SERVER_AUTH_WINDOW_MS || 10 * 60 * 1000);
+const authBlockMs = Number(process.env.SYNC_SERVER_AUTH_BLOCK_MS || 15 * 60 * 1000);
+const authMaxAttemptsPerIp = Number(process.env.SYNC_SERVER_AUTH_IP_ATTEMPTS || 18);
+const authMaxAttemptsPerAccount = Number(process.env.SYNC_SERVER_AUTH_ACCOUNT_ATTEMPTS || 10);
+const authMaxFailuresPerIp = Number(process.env.SYNC_SERVER_AUTH_IP_FAILURES || 10);
+const authMaxFailuresPerAccount = Number(process.env.SYNC_SERVER_AUTH_ACCOUNT_FAILURES || 5);
 
 function wrapAsync(handler) {
   return async (req, res, next) => {
@@ -30,6 +36,132 @@ function addDaysToNow(days) {
   return new Date(Date.now() + days * 24 * 60 * 60 * 1000).toISOString();
 }
 
+function getClientIp(req) {
+  const forwardedFor = String(req.headers["x-forwarded-for"] || "").trim();
+  const firstForwarded = forwardedFor.split(",")[0]?.trim();
+  const rawIp = firstForwarded || req.socket?.remoteAddress || "unknown";
+  return rawIp.replace(/^::ffff:/, "");
+}
+
+function toAccountKey(username) {
+  return String(username || "").trim().toLowerCase() || "__anonymous__";
+}
+
+function formatBlockMessage(scopeLabel, blockedUntil) {
+  const seconds = Math.max(1, Math.ceil((blockedUntil - Date.now()) / 1000));
+  return `${scopeLabel}尝试过于频繁，请在 ${seconds} 秒后重试。`;
+}
+
+function createAttemptBucket() {
+  return {
+    attempts: [],
+    failures: [],
+    blockedUntil: 0,
+    updatedAt: 0,
+  };
+}
+
+function pruneBucket(bucket, now) {
+  bucket.attempts = bucket.attempts.filter((value) => now - value < authWindowMs);
+  bucket.failures = bucket.failures.filter((value) => now - value < authWindowMs);
+  bucket.updatedAt = now;
+}
+
+function markBlocked(bucket, now) {
+  bucket.blockedUntil = Math.max(bucket.blockedUntil || 0, now + authBlockMs);
+}
+
+function cleanupAttemptMap(store, now) {
+  for (const [key, bucket] of store.entries()) {
+    pruneBucket(bucket, now);
+    if (
+      (!bucket.attempts.length && !bucket.failures.length && bucket.blockedUntil <= now) ||
+      now - bucket.updatedAt > authWindowMs * 3
+    ) {
+      store.delete(key);
+    }
+  }
+}
+
+function createAuthRateGuard() {
+  const ipBuckets = new Map();
+  const accountBuckets = new Map();
+
+  function getBucket(store, key, now) {
+    if (!store.has(key)) {
+      store.set(key, createAttemptBucket());
+    }
+
+    const bucket = store.get(key);
+    pruneBucket(bucket, now);
+    return bucket;
+  }
+
+  function assertBucketAllowed(bucket, scopeLabel, maxAttempts, now) {
+    if (bucket.blockedUntil > now) {
+      const error = new Error(formatBlockMessage(scopeLabel, bucket.blockedUntil));
+      error.statusCode = 429;
+      throw error;
+    }
+
+    if (bucket.attempts.length >= maxAttempts) {
+      markBlocked(bucket, now);
+      const error = new Error(formatBlockMessage(scopeLabel, bucket.blockedUntil));
+      error.statusCode = 429;
+      throw error;
+    }
+  }
+
+  function recordAttempt(bucket, now) {
+    bucket.attempts.push(now);
+    bucket.updatedAt = now;
+  }
+
+  function recordFailure(bucket, maxFailures, now) {
+    bucket.failures.push(now);
+    bucket.updatedAt = now;
+    if (bucket.failures.length >= maxFailures) {
+      markBlocked(bucket, now);
+    }
+  }
+
+  function recordSuccess(bucket, now) {
+    bucket.failures = [];
+    bucket.blockedUntil = 0;
+    bucket.updatedAt = now;
+  }
+
+  return {
+    assertAllowed(req, username) {
+      const now = Date.now();
+      const ipKey = getClientIp(req);
+      const accountKey = toAccountKey(username);
+      const ipBucket = getBucket(ipBuckets, ipKey, now);
+      const accountBucket = getBucket(accountBuckets, accountKey, now);
+
+      assertBucketAllowed(ipBucket, "当前 IP ", authMaxAttemptsPerIp, now);
+      assertBucketAllowed(accountBucket, "当前账号", authMaxAttemptsPerAccount, now);
+
+      recordAttempt(ipBucket, now);
+      recordAttempt(accountBucket, now);
+      cleanupAttemptMap(ipBuckets, now);
+      cleanupAttemptMap(accountBuckets, now);
+    },
+    recordFailure(req, username) {
+      const now = Date.now();
+      const ipBucket = getBucket(ipBuckets, getClientIp(req), now);
+      const accountBucket = getBucket(accountBuckets, toAccountKey(username), now);
+      recordFailure(ipBucket, authMaxFailuresPerIp, now);
+      recordFailure(accountBucket, authMaxFailuresPerAccount, now);
+    },
+    recordSuccess(req, username) {
+      const now = Date.now();
+      recordSuccess(getBucket(ipBuckets, getClientIp(req), now), now);
+      recordSuccess(getBucket(accountBuckets, toAccountKey(username), now), now);
+    },
+  };
+}
+
 function normalizeUsername(value) {
   const username = String(value || "").trim();
   if (!username) {
@@ -220,6 +352,7 @@ function createCloudSyncApp(options = {}) {
   const host = options.host || defaultHost;
   const port = Number(options.port || defaultPort);
   const db = createDatabase(dbPath);
+  const authRateGuard = createAuthRateGuard();
   const authRequired = buildAuthMiddleware(db);
   const app = express();
 
@@ -240,62 +373,80 @@ function createCloudSyncApp(options = {}) {
   app.post(
     "/api/auth/register",
     wrapAsync(async (req) => {
-      const username = normalizeUsername(req.body.username);
-      const password = normalizePassword(req.body.password);
-      const existing = getUserByUsername(db, username);
-
-      if (existing) {
-        const error = new Error("这个账号已经存在，请直接登录。");
-        error.statusCode = 409;
+      const usernameCandidate = String(req.body.username || "").trim();
+      authRateGuard.assertAllowed(req, usernameCandidate);
+
+      try {
+        const username = normalizeUsername(usernameCandidate);
+        const password = normalizePassword(req.body.password);
+        const existing = getUserByUsername(db, username);
+
+        if (existing) {
+          const error = new Error("这个账号已经存在，请直接登录。");
+          error.statusCode = 409;
+          throw error;
+        }
+
+        const salt = randomBytes(16).toString("base64url");
+        const createdAt = nowIso();
+        const inserted = db
+          .prepare(
+            `
+              INSERT INTO users (username, password_salt, password_hash, created_at, updated_at)
+              VALUES (?, ?, ?, ?, ?)
+            `,
+          )
+          .run(username, salt, hashPassword(password, salt), createdAt, createdAt);
+        const userId = Number(inserted.lastInsertRowid);
+        const session = createSession(db, userId);
+        authRateGuard.recordSuccess(req, username);
+
+        return {
+          token: session.token,
+          expiresAt: session.expiresAt,
+          user: {
+            id: userId,
+            username,
+          },
+        };
+      } catch (error) {
+        authRateGuard.recordFailure(req, usernameCandidate);
         throw error;
       }
-
-      const salt = randomBytes(16).toString("base64url");
-      const createdAt = nowIso();
-      const inserted = db
-        .prepare(
-          `
-            INSERT INTO users (username, password_salt, password_hash, created_at, updated_at)
-            VALUES (?, ?, ?, ?, ?)
-          `,
-        )
-        .run(username, salt, hashPassword(password, salt), createdAt, createdAt);
-      const userId = Number(inserted.lastInsertRowid);
-      const session = createSession(db, userId);
-
-      return {
-        token: session.token,
-        expiresAt: session.expiresAt,
-        user: {
-          id: userId,
-          username,
-        },
-      };
     }),
   );
 
   app.post(
     "/api/auth/login",
     wrapAsync(async (req) => {
-      const username = normalizeUsername(req.body.username);
-      const password = normalizePassword(req.body.password);
-      const user = getUserByUsername(db, username);
-
-      if (!user || !verifyPassword(password, user.passwordSalt, user.passwordHash)) {
-        const error = new Error("账号或密码不正确。");
-        error.statusCode = 401;
+      const usernameCandidate = String(req.body.username || "").trim();
+      authRateGuard.assertAllowed(req, usernameCandidate);
+
+      try {
+        const username = normalizeUsername(usernameCandidate);
+        const password = normalizePassword(req.body.password);
+        const user = getUserByUsername(db, username);
+
+        if (!user || !verifyPassword(password, user.passwordSalt, user.passwordHash)) {
+          const error = new Error("账号或密码不正确。");
+          error.statusCode = 401;
+          throw error;
+        }
+
+        const session = createSession(db, user.id);
+        authRateGuard.recordSuccess(req, username);
+        return {
+          token: session.token,
+          expiresAt: session.expiresAt,
+          user: {
+            id: user.id,
+            username: user.username,
+          },
+        };
+      } catch (error) {
+        authRateGuard.recordFailure(req, usernameCandidate);
         throw error;
       }
-
-      const session = createSession(db, user.id);
-      return {
-        token: session.token,
-        expiresAt: session.expiresAt,
-        user: {
-          id: user.id,
-          username: user.username,
-        },
-      };
     }),
   );
 

package/src/web/launcher.js

@@ -1,7 +1,7 @@
 const fs = require("node:fs");
 const path = require("node:path");
 const http = require("node:http");
-const { exec, spawn } = require("node:child_process");
+const { exec, execFile, spawn } = require("node:child_process");
 
 const projectRoot = path.resolve(__dirname, "../..");
 const runtimeDir = path.join(projectRoot, "runtime");
@@ -12,11 +12,44 @@ const healthUrl = `http://127.0.0.1:${port}/api/health`;
 const closeUrl = `http://127.0.0.1:${port}/api/app/close`;
 const proxyHealthUrl = `http://127.0.0.1:${proxyPort}/__switcher/health`;
 const consoleUrl = `http://localhost:${port}`;
+const pidFilePath = path.join(runtimeDir, "web-server.pid.json");
 
 function ensureRuntimeDir() {
   fs.mkdirSync(runtimeDir, { recursive: true });
 }
 
+function readPidFile() {
+  try {
+    const content = fs.readFileSync(pidFilePath, "utf8");
+    const parsed = JSON.parse(content);
+    return parsed && typeof parsed === "object" ? parsed : null;
+  } catch {
+    return null;
+  }
+}
+
+function writePidFile(payload) {
+  ensureRuntimeDir();
+  fs.writeFileSync(pidFilePath, `${JSON.stringify(payload, null, 2)}\n`, "utf8");
+}
+
+function clearPidFile() {
+  try {
+    fs.unlinkSync(pidFilePath);
+  } catch {
+    // 文件不存在时忽略。
+  }
+}
+
+function isProcessAlive(pid) {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
 function requestJson(url, timeoutMs = 1200) {
   return new Promise((resolve, reject) => {
     const request = http.get(url, (response) => {
@@ -133,11 +166,98 @@ function spawnServerInBackground() {
   });
 
   child.unref();
+  writePidFile({
+    pid: child.pid,
+    createdAt: new Date().toISOString(),
+    nodePath: process.execPath,
+    serverEntryPath,
+    port,
+    proxyPort,
+  });
   return child.pid;
 }
 
+function inspectProcessCommandLine(pid) {
+  return new Promise((resolve) => {
+    execFile(
+      "powershell.exe",
+      [
+        "-NoProfile",
+        "-NonInteractive",
+        "-ExecutionPolicy",
+        "Bypass",
+        "-Command",
+        `& { $p = Get-CimInstance Win32_Process -Filter "ProcessId = ${pid}"; if ($null -eq $p) { '' } else { $p.CommandLine } }`,
+      ],
+      {
+        windowsHide: true,
+      },
+      (error, stdout) => {
+        if (error) {
+          resolve("");
+          return;
+        }
+
+        resolve(String(stdout || "").trim());
+      },
+    );
+  });
+}
+
+async function isManagedServerPid(pid) {
+  if (!Number.isFinite(pid) || pid <= 0 || !isProcessAlive(pid)) {
+    return false;
+  }
+
+  const commandLine = await inspectProcessCommandLine(pid);
+  if (!commandLine) {
+    return false;
+  }
+
+  return commandLine.includes(serverEntryPath);
+}
+
+async function stopTrackedServerProcess() {
+  const pidInfo = readPidFile();
+  const pid = Number(pidInfo?.pid || 0);
+  if (!(await isManagedServerPid(pid))) {
+    clearPidFile();
+    return false;
+  }
+
+  await new Promise((resolve, reject) => {
+    exec(`cmd /c taskkill /PID ${pid} /T /F`, (error) => {
+      if (error) {
+        reject(error);
+        return;
+      }
+
+      resolve();
+    });
+  });
+
+  clearPidFile();
+  return true;
+}
+
 async function ensureServerRunning() {
   if (await checkServerHealth()) {
+    const pidInfo = readPidFile();
+    const trackedPid = Number(pidInfo?.pid || 0);
+    if (!(await isManagedServerPid(trackedPid))) {
+      const listeningPid = await getListeningPid();
+      if (await isManagedServerPid(listeningPid)) {
+        writePidFile({
+          pid: listeningPid,
+          createdAt: pidInfo?.createdAt || new Date().toISOString(),
+          nodePath: process.execPath,
+          serverEntryPath,
+          port,
+          proxyPort,
+        });
+      }
+    }
+
     return {
       started: false,
       running: true,
@@ -150,6 +270,7 @@ async function ensureServerRunning() {
   const ready = await waitForServer();
 
   if (!ready) {
+    clearPidFile();
     throw new Error("本地网页服务启动失败，请检查 runtime 日志。");
   }
 
@@ -204,21 +325,8 @@ function getListeningPid() {
 }
 
 async function restartServer() {
-  const pid = await getListeningPid();
-  if (pid) {
-    await new Promise((resolve, reject) => {
-      exec(`cmd /c taskkill /PID ${pid} /F`, (error) => {
-        if (error) {
-          reject(error);
-          return;
-        }
-
-        resolve();
-      });
-    });
-    await sleep(800);
-  }
-
+  await stopServer();
+  await sleep(600);
   return ensureServerRunning();
 }
 
@@ -269,11 +377,14 @@ async function stopServer() {
     await sleep(1000);
   }
 
-  const webKilled = await killListeningPid(port);
-  const proxyKilled = await killListeningPid(proxyPort);
+  const trackedKilled = await stopTrackedServerProcess().catch(() => false);
+  const webKilled = trackedKilled ? true : await killListeningPid(port);
+  const proxyKilled = trackedKilled ? true : await killListeningPid(proxyPort);
+  clearPidFile();
 
   return {
     stopped: true,
+    trackedKilled,
     webKilled,
     proxyKilled,
     port,