nsgm-cli 2.1.10 → 2.1.11

package/client/utils/fetch.ts

@@ -1,54 +1,389 @@
+// GraphQL 客户端与 CSRF 保护工具
+
 import axios from 'axios'
 import { getLocalApiPrefix } from './common'
 
-// 添加缓存机制
-const queryCache = new Map<string, { data: any; timestamp: number }>()
-const CACHE_DURATION = 5 * 60 * 1000 // 5分钟缓存
+// 配置 axios 默认行为
+axios.defaults.withCredentials = true
+
+// ==================== GraphQL 配置 ====================
+
+export const GRAPHQL_CONFIG = {
+  // GraphQL 端点
+  endpoint: '/graphql',
+  
+  // 默认请求头
+  defaultHeaders: {
+    'Content-Type': 'application/json',
+    'Accept': 'application/json'
+  },
+  
+  // 缓存配置
+  cache: {
+    defaultTTL: 5 * 60 * 1000, // 5分钟
+    maxSize: 100,
+    enabled: true
+  },
+  
+  // CSRF 配置
+  csrf: {
+    enabled: true,
+    tokenHeader: 'X-CSRF-Token',
+    cookieName: 'csrfToken'
+  },
+  
+  // 开发模式配置
+  development: {
+    enableDebugLogs: process.env.NODE_ENV === 'development'
+  }
+}
+
+// GraphQL 操作类型
+export enum GraphQLOperationType {
+  QUERY = 'query',
+  MUTATION = 'mutation',
+  SUBSCRIPTION = 'subscription'
+}
+
+// GraphQL 工具函数
+export const GraphQLUtils = {
+  // 检测操作类型
+  getOperationType(query: string): GraphQLOperationType {
+    const trimmed = query.trim().toLowerCase()
+    if (trimmed.startsWith('mutation')) return GraphQLOperationType.MUTATION
+    if (trimmed.startsWith('subscription')) return GraphQLOperationType.SUBSCRIPTION
+    return GraphQLOperationType.QUERY
+  },
+  
+  // 提取操作名称
+  getOperationName(query: string): string | null {
+    const match = query.match(/(?:query|mutation|subscription)\s+(\w+)/)
+    return match ? match[1] : null
+  },
+  
+  // 生成缓存键
+  generateCacheKey(query: string, variables?: any): string {
+    const operationName = this.getOperationName(query) || 'anonymous'
+    const variablesHash = variables ? JSON.stringify(variables) : ''
+    return `${operationName}_${btoa(variablesHash)}`
+  },
+  
+  // 验证 GraphQL 查询语法
+  isValidQuery(query: string): boolean {
+    try {
+      const trimmed = query.trim()
+      return (
+        trimmed.length > 0 &&
+        (trimmed.includes('query') || trimmed.includes('mutation') || trimmed.includes('subscription')) &&
+        trimmed.includes('{') &&
+        trimmed.includes('}')
+      )
+    } catch {
+      return false
+    }
+  }
+}
+
+// ==================== CSRF 工具 ====================
 
-export const getLocalGraphql = (query: string, variables: any = {}, useCache = false) => {
-  return new Promise((resolve, reject) => {
-    // 生成缓存键
-    const cacheKey = `${query}:${JSON.stringify(variables)}`
+/**
+ * 获取 CSRF token
+ * @returns Promise<string> CSRF token
+ */
+export const getCSRFToken = async (): Promise<string> => {
+  try {
+    const response = await axios.get(getLocalApiPrefix() + '/csrf-token', {
+      withCredentials: true
+    })
     
-    // 检查缓存
-    if (useCache && queryCache.has(cacheKey)) {
-      const cached = queryCache.get(cacheKey)!
-      if (Date.now() - cached.timestamp < CACHE_DURATION) {
-        resolve(cached.data)
-        return
+    if (!response.data || !response.data.csrfToken) {
+      throw new Error('服务器返回的 CSRF token 为空')
+    }
+    
+    return response.data.csrfToken
+  } catch (error) {
+    console.error('获取 CSRF token 错误:', error)
+    throw error
+  }
+}
+
+// ==================== GraphQL 客户端 ====================
+
+// GraphQL 查询缓存
+const queryCache = new Map<string, { data: any; timestamp: number }>()
+const CACHE_DURATION = GRAPHQL_CONFIG.cache.defaultTTL
+
+/**
+ * GraphQL 客户端主函数
+ * 自动处理 CSRF 保护、缓存、错误重试
+ */
+export const getLocalGraphql = async (query: string, variables: any = {}, useCache = false) => {
+  // 验证查询语法
+  if (!GraphQLUtils.isValidQuery(query)) {
+    throw new Error('Invalid GraphQL query syntax')
+  }
+  
+  // 生成缓存键
+  const cacheKey = GraphQLUtils.generateCacheKey(query, variables)
+  
+  // 检查缓存
+  if (useCache && queryCache.has(cacheKey)) {
+    const cached = queryCache.get(cacheKey)!
+    if (Date.now() - cached.timestamp < CACHE_DURATION) {
+      if (GRAPHQL_CONFIG.development.enableDebugLogs) {
+        console.log('GraphQL cache hit:', cacheKey)
       }
+      return cached.data
     }
+  }
+  
+  try {
+    // 检测操作类型
+    const operationType = GraphQLUtils.getOperationType(query)
+    const isMutation = operationType === GraphQLOperationType.MUTATION
     
-    axios
-      .post(getLocalApiPrefix() + '/graphql', {
-        query,
-        variables
-      })
-      .then((res) => {
-        if (res) {
-          const { data } = res
-          
-          // 缓存结果
-          if (useCache && data && !data.errors) {
-            queryCache.set(cacheKey, {
-              data,
-              timestamp: Date.now()
-            })
+    const headers: Record<string, string> = {
+      ...GRAPHQL_CONFIG.defaultHeaders
+    }
+    
+    let response
+    
+    if (isMutation) {
+      // Mutation 使用 POST 方法并需要 CSRF token
+      if (GRAPHQL_CONFIG.csrf.enabled) {
+        try {
+          const csrfToken = await getCSRFToken()
+          headers[GRAPHQL_CONFIG.csrf.tokenHeader] = csrfToken
+        } catch (csrfError) {
+          console.warn('获取 CSRF token 失败，继续执行 GraphQL 请求:', csrfError)
+        }
+      }
+      
+      response = await axios.post(
+        getLocalApiPrefix() + '/graphql',
+        {
+          query,
+          variables
+        },
+        {
+          headers,
+          withCredentials: true
+        }
+      )
+    } else {
+      // Query 和 Subscription 使用 GET 方法，不需要 CSRF token
+      const params = new URLSearchParams()
+      params.append('query', query)
+      if (variables && Object.keys(variables).length > 0) {
+        params.append('variables', JSON.stringify(variables))
+      }
+      
+      response = await axios.get(
+        getLocalApiPrefix() + '/graphql?' + params.toString(),
+        {
+          headers: {
+            'Accept': 'application/json'
+          },
+          withCredentials: true
+        }
+      )
+    }
+
+    if (response && response.data) {
+      // 缓存查询结果
+      if (useCache && !isMutation) {
+        queryCache.set(cacheKey, {
+          data: response.data,
+          timestamp: Date.now()
+        })
+      }
+      
+      return response.data
+    } else {
+      throw new Error('GraphQL response is empty')
+    }
+  } catch (error) {
+    // 只为 mutation 检查 CSRF 错误 (403)，因为 query 使用 GET 不需要 CSRF token
+    if (axios.isAxiosError(error) && error.response?.status === 403) {
+      const operationType = GraphQLUtils.getOperationType(query)
+      
+      if (operationType === GraphQLOperationType.MUTATION) {
+        console.warn('🔄 CSRF token 可能已过期，尝试重试 mutation...')
+        try {
+          // 重新获取 token 并重试 mutation
+          const newCsrfToken = await getCSRFToken()
+          const retryHeaders = {
+            ...GRAPHQL_CONFIG.defaultHeaders,
+            [GRAPHQL_CONFIG.csrf.tokenHeader]: newCsrfToken
           }
           
-          resolve(data)
+          const retryResponse = await axios.post(
+            getLocalApiPrefix() + '/graphql',
+            { query, variables },
+            { headers: retryHeaders, withCredentials: true }
+          )
+          
+          return retryResponse.data
+        } catch (retryError) {
+          console.error('❌ CSRF mutation 重试失败:', retryError)
+          throw retryError
+        }
+      }
+    }
+    
+    console.error('GraphQL request failed:', error)
+    throw error
+  }
+}
+
+// ==================== 文件上传工具 ====================
+
+/**
+ * 创建受 CSRF 保护的文件上传配置
+ */
+export const createCSRFUploadProps = (
+  action: string,
+  options: {
+    name?: string
+    onSuccess?: (fileName: string) => void
+    onError?: (fileName: string) => void
+    beforeUpload?: (file: File) => boolean | Promise<boolean>
+    accept?: string
+    multiple?: boolean
+  } = {}
+) => {
+  const {
+    name = 'file',
+    onSuccess,
+    onError,
+    beforeUpload: customBeforeUpload,
+    accept,
+    multiple = false
+  } = options
+
+  return {
+    name,
+    action,
+    accept,
+    multiple,
+    customRequest: async (options: any) => {
+      const { onProgress, onError: onUploadError, onSuccess: onUploadSuccess, file } = options
+
+      try {
+        // 获取 CSRF token
+        const csrfToken = await getCSRFToken()
+        if (!csrfToken) {
+          throw new Error('CSRF Token 获取失败')
+        }
+
+        // 创建 FormData
+        const formData = new FormData()
+        formData.append(name, file)
+
+        // 发送请求
+        const uploadUrl = action.startsWith('http') ? action : getLocalApiPrefix() + action
+        const response = await axios.post(uploadUrl, formData, {
+          headers: {
+            [GRAPHQL_CONFIG.csrf.tokenHeader]: csrfToken
+          },
+          withCredentials: true
+        })
+
+        if (response.status >= 200 && response.status < 300) {
+          onUploadSuccess(response)
         } else {
-          reject(new Error('No data received'))
+          throw new Error(`Upload failed: ${response.statusText}`)
+        }
+      } catch (error) {
+        onUploadError(error)
+      }
+    },
+    beforeUpload: async (file: File) => {
+      try {
+        // 验证 CSRF token
+        const validation = await validateCSRFForUpload()
+        if (!validation.valid) {
+          throw new Error(validation.error)
+        }
+
+        // 执行自定义的 beforeUpload 检查
+        if (customBeforeUpload) {
+          const result = await customBeforeUpload(file)
+          return result
+        }
+
+        return true
+      } catch (error) {
+        console.error('Upload preparation failed:', error)
+        return false
+      }
+    },
+    onChange(info: any) {
+      const { status, name: fileName } = info.file
+
+      if (status === 'done') {
+        if (onSuccess) {
+          onSuccess(fileName)
+        }
+      } else if (status === 'error') {
+        if (onError) {
+          onError(fileName)
         }
-      })
-      .catch((error) => {
-        console.error('GraphQL query failed:', error)
-        reject(error)
-      })
-  })
+      }
+    }
+  }
 }
 
+/**
+ * 验证上传前的 CSRF 状态
+ */
+export const validateCSRFForUpload = async (): Promise<{ valid: boolean; token?: string; error?: string }> => {
+  try {
+    const csrfToken = await getCSRFToken()
+    if (!csrfToken) {
+      return {
+        valid: false,
+        error: 'CSRF Token 获取失败，请刷新页面重试'
+      }
+    }
+    return {
+      valid: true,
+      token: csrfToken
+    }
+  } catch (error) {
+    return {
+      valid: false,
+      error: error instanceof Error ? error.message : '获取 CSRF Token 时发生未知错误'
+    }
+  }
+}
+
+// ==================== 工具函数 ====================
+
 // 清除缓存
 export const clearGraphqlCache = () => {
   queryCache.clear()
 }
+
+// GraphQL 查询辅助函数
+export const graphqlQuery = async (query: string, variables?: any, useCache = true) => {
+  return getLocalGraphql(query, variables, useCache)
+}
+
+// GraphQL 变更辅助函数 (Mutation)
+export const graphqlMutation = async (mutation: string, variables?: any) => {
+  return getLocalGraphql(mutation, variables, false) // 变更操作不使用缓存
+}
+
+// 检查 GraphQL 响应是否有错误
+export const hasGraphqlErrors = (response: any): boolean => {
+  return response && response.errors && response.errors.length > 0
+}
+
+// 获取 GraphQL 错误信息
+export const getGraphqlErrorMessage = (response: any): string => {
+  if (hasGraphqlErrors(response)) {
+    return response.errors.map((error: any) => error.message).join('; ')
+  }
+  return ''
+}

package/generation/README.md

@@ -8,34 +8,37 @@
 - [Styled-components](https://github.com/styled-components/styled-components) - CSS-in-JS 解决方案
 - [GraphQL](https://graphql.org/) - API 查询语言
 - [MySQL](https://www.mysql.com/) - 关系型数据库
+- 安全登录系统 - 基于 bcrypt 加密
 
 ## 快速入门
 
 ### 开发命令
 
-| 命令 | 说明 |
-|---------|-------------|
-| `npm run dev` | 开发模式 |
-| `npm run start` | 生产模式 |
-| `npm run build` | 编译项目 |
+| 命令             | 说明         |
+| ---------------- | ------------ |
+| `npm run dev`    | 开发模式     |
+| `npm run start`  | 生产模式     |
+| `npm run build`  | 编译项目     |
 | `npm run export` | 导出静态页面 |
 
 ### 代码生成命令
 
-| 命令 | 说明 |
-|---------|-------------|
+| 命令             | 说明         |
+| ---------------- | ------------ |
 | `npm run create` | 创建模板页面 |
 | `npm run delete` | 删除模板页面 |
 
 ### 项目维护命令
 
-| 命令 | 说明 |
-|---------|-------------|
-| `npm run upgrade` | 升级项目基础文件 |
+| 命令                        | 说明             |
+| --------------------------- | ---------------- |
+| `npm run upgrade`           | 升级项目基础文件 |
+| `npm run generate-password` | 生成安全密码哈希 |
 
 ## 参数说明
 
 ### controller
+
 - 用于 `create`/`delete` 命令
 - 必填参数
 - 示例:
@@ -44,6 +47,7 @@
   ```
 
 ### action
+
 - 用于 `create`/`delete` 命令
 - 默认值为 `manage`
 - 跟在 controller 参数后面
@@ -53,6 +57,7 @@
   ```
 
 ### dictionary
+
 - 用于 `export` 命令
 - 默认值为 `webapp`
 - 示例:
@@ -88,14 +93,17 @@
 const { nextConfig } = require('nsgm-cli')
 const projectConfig = require('./project.config')
 
-const { version, prefix, protocol, host } = projectConfig 
+const { version, prefix, protocol, host } = projectConfig
 
 module.exports = (phase, defaultConfig) => {
-    let configObj = nextConfig(phase, defaultConfig, { 
-        version, prefix, protocol, host
-    })
+  let configObj = nextConfig(phase, defaultConfig, {
+    version,
+    prefix,
+    protocol,
+    host
+  })
 
-    return configObj
+  return configObj
 }
 ```
 
@@ -107,13 +115,13 @@ const { mysqlOptions } = mysqlConfig
 const { user, password, host, port, database } = mysqlOptions
 
 module.exports = {
-    mysqlOptions: {
-        user,
-        password,
-        host,
-        port,
-        database
-    }
+  mysqlOptions: {
+    user,
+    password,
+    host,
+    port,
+    database
+  }
 }
 ```
 
@@ -127,14 +135,46 @@ const { prefix, protocol, host, port } = projectConfig
 const { version } = pkg
 
 module.exports = {
-    version,
-    prefix,
-    protocol,
-    host,
-    port
+  version,
+  prefix,
+  protocol,
+  host,
+  port
 }
 ```
 
+## 安全配置
+
+项目集成了安全的登录系统，使用 bcrypt 加密。在部署前请配置登录凭证：
+
+### 快速设置
+
+1. **生成密码哈希**：
+
+   ```bash
+   npm run generate-password yourSecurePassword
+   ```
+
+2. **创建环境变量文件**：
+
+   ```bash
+   # 在项目根目录创建 .env 文件
+   LOGIN_USERNAME=admin
+   LOGIN_PASSWORD_HASH=your_generated_hash_here
+   ```
+
+3. **确保 .env 文件在 .gitignore 中**（已预配置）
+
+### 详细安全配置
+
+更多安全配置和最佳实践，请参考 [SECURITY.md](./SECURITY.md) 文档。
+
+**⚠️ 重要提醒：**
+
+- 不要在代码中硬编码密码
+- 不要将 `.env` 文件提交到版本控制系统
+- 定期更换登录密码
+
 ## 开发指南
 
 1. **创建新页面**：使用 `npm run create [controller] [action]` 命令
@@ -144,4 +184,4 @@ module.exports = {
 
 ## 更多资源
 
-更多详细信息，请参考 [NSGM CLI 文档](https://github.com/erishen/nsgm-cli)。
+更多详细信息，请参考 [NSGM CLI 文档](https://github.com/erishen/nsgm-cli)。

package/lib/index.js

@@ -5,6 +5,8 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.startExpress = void 0;
+// 加载环境变量
+require('dotenv').config();
 // 仅在开发环境中禁用TLS证书验证
 if (process.env.NODE_ENV === 'development') {
     process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
@@ -23,6 +25,8 @@ const config_1 = __importDefault(require("next/config"));
 const generate_1 = require("./generate");
 const lodash_1 = __importDefault(require("lodash"));
 const cors_1 = __importDefault(require("cors"));
+const express_session_1 = __importDefault(require("express-session"));
+const csrf_1 = require("./server/csrf");
 const { resolve } = path_1.default;
 const curFolder = process.cwd();
 const processArgvs = (0, args_1.getProcessArgvs)(2);
@@ -90,19 +94,48 @@ const startExpress = (options, callback) => {
             // 不要因为数据库连接失败就退出，允许应用继续运行
         }
         const server = (0, express_1.default)();
+        // 配置 session（CSRF 保护需要）
+        server.use((0, express_session_1.default)({
+            secret: process.env.SESSION_SECRET || 'nsgm-default-secret-key-change-in-production',
+            resave: false,
+            saveUninitialized: true, // 改为 true，确保 session 被创建
+            name: 'sessionId', // 明确指定 session cookie 名称
+            cookie: {
+                secure: false, // 开发环境总是使用 false，生产环境再考虑 HTTPS
+                httpOnly: true,
+                maxAge: 24 * 60 * 60 * 1000, // 24小时
+                sameSite: 'lax', // 设置 SameSite 策略
+                domain: undefined // 不设置 domain，使用默认
+            }
+        }));
+        // 初始化 CSRF token - 移除全局初始化，让每个端点自己处理
+        // server.use(setupCSRFToken)
         server.use(body_parser_1.default.urlencoded({
             extended: false
         }));
         // 支持跨域，nsgm export 之后前后分离
-        server.use((0, cors_1.default)());
+        server.use((0, cors_1.default)({
+            credentials: true, // 允许发送 cookies
+            origin: process.env.ALLOWED_ORIGINS?.split(',') || ['http://localhost:3000']
+        }));
         server.use(body_parser_1.default.json());
+        // 添加基本安全中间件
+        server.use(csrf_1.securityMiddleware.basicHeaders);
+        if (process.env.NODE_ENV === 'production') {
+            server.use((0, csrf_1.createCSPMiddleware)()); // 内容安全策略
+        }
+        // 添加 CSRF 保护中间件（在解析 body 之后）
+        server.use(csrf_1.csrfProtection);
         server.use((0, express_fileupload_1.default)());
         server.use('/static', express_1.default.static(path_1.default.join(__dirname, 'public')));
         server.use('/graphql', (0, graphql_1.default)(command));
         const nextConfig = (0, config_1.default)();
         const { publicRuntimeConfig } = nextConfig;
         const { host, port, prefix } = publicRuntimeConfig;
+        // 提供 CSRF token 的端点
+        server.get('/csrf-token', csrf_1.getCSRFToken);
         if (prefix !== '') {
+            server.get(`${prefix}/csrf-token`, csrf_1.getCSRFToken);
             server.use(`${prefix}/static`, express_1.default.static(path_1.default.join(__dirname, 'public')));
             server.use(`${prefix}/graphql`, (0, graphql_1.default)(command));
         }

package/lib/server/csrf.d.ts

@@ -0,0 +1,17 @@
+import { Request, Response, NextFunction } from 'express';
+declare module 'express-session' {
+    interface SessionData {
+        _csrf?: string;
+    }
+}
+declare module 'express-serve-static-core' {
+    interface Request {
+        csrfToken?: () => string;
+    }
+}
+export declare const csrfProtection: (req: Request, res: Response, next: NextFunction) => unknown;
+export declare const getCSRFToken: (req: Request, res: Response) => void;
+export declare const securityMiddleware: {
+    basicHeaders: import("express").RequestHandler<import("express-serve-static-core").ParamsDictionary, any, any, import("qs").ParsedQs, Record<string, any>>;
+};
+export declare const createCSPMiddleware: () => import("express").RequestHandler<import("express-serve-static-core").ParamsDictionary, any, any, import("qs").ParsedQs, Record<string, any>>;