lzh/picoclaw
1
0
Fork 0
mirror of https://github.com/sipeed/picoclaw.git synced 2026-06-12 18:08:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(web): protect launcher dashboard with token and SPA login (#1953)

Browse Source 
Add token-based authentication for the Launcher's embedded Web Dashboard.

- Ephemeral token generated in-memory each run (or via PICOCLAW_LAUNCHER_TOKEN env var)
- HMAC-SHA256 session cookie (HttpOnly, SameSite=Lax, Secure when HTTPS)
- Bearer token support for API/script access
- Rate limiting on login (10 attempts/IP/min)
- Referrer-Policy: no-referrer on all responses
- POST-only logout with JSON content-type (CSRF-safe)
- System tray "Copy dashboard token" action
- Login page shows contextual help (console/tray/log file path)
- Path traversal protection via path.Clean
- X-Forwarded-Host/Port/Proto support for reverse proxy deployments
- Full i18n support (English, Chinese)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
zeed zhao
2026-03-29 13:11:43 +08:00
committed by GitHub
parent 27f638e909
commit 6ea364e67d
44 changed files with 1617 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files
web/frontend/src/components/config/config-page.tsx
+2 -1
View File
@@ -6,6 +6,7 @@ import { useTranslation } from "react-i18next"
import { toast } from "sonner"
import { patchAppConfig } from "@/api/channels"
import { launcherFetch } from "@/api/http"
import {
getAutoStartStatus,
getLauncherConfig,
@@ -50,7 +51,7 @@ export function ConfigPage() {
const { data, isLoading, error } = useQuery({
queryKey: ["config"],
queryFn: async () => {
const res = await fetch("/api/config")
const res = await launcherFetch("/api/config")
if (!res.ok) {
throw new Error("Failed to load config")
}
web/frontend/src/components/config/raw-config-page.tsx
+3 -2
View File
@@ -5,6 +5,7 @@ import { useState } from "react"
import { useTranslation } from "react-i18next"
import { toast } from "sonner"
import { launcherFetch } from "@/api/http"
import { PageHeader } from "@/components/page-header"
import {
AlertDialog,
@@ -28,7 +29,7 @@ export function RawConfigPage() {
const { data: config, isLoading } = useQuery({
queryKey: ["config"],
queryFn: async () => {
const res = await fetch("/api/config")
const res = await launcherFetch("/api/config")
if (!res.ok) {
throw new Error("Failed to fetch config")
}
@@ -38,7 +39,7 @@ export function RawConfigPage() {
const mutation = useMutation({
mutationFn: async (newConfig: string) => {
const res = await fetch("/api/config", {
const res = await launcherFetch("/api/config", {
method: "PUT",
headers: { "Content-Type": "application/json" },
body: newConfig,