151 Commits

Author SHA1 Message Date
MarSeventh
143bda1ce2 feat: session security policy - backend support for dynamic Secure/MaxAge configuration
- Extend getSecurityConfig and fetchSecurityConfig defaults, adding sessionSecure, userSessionMaxAge and adminSessionMaxAge fields
- Rework buildSessionCookie to support a secure parameter
- createSession reads the config dynamically based on authType to compute maxAge
- destroySession reads sessionSecure to ensure the cleared cookie's attributes match
2026-04-21 10:58:54 +08:00
MarSeventh
40f091db05 fix: sessionCheck adminRequired should also consider password-only config 2026-04-18 16:23:20 +08:00
MarSeventh
888dba1a80 refactor: extract rehashIfNeeded to passwordHash.js, deduplicate login rehash logic 2026-04-18 15:35:13 +08:00
MarSeventh
23a7f69dc4 fix: return explicit authType instead of null when auth is unconfigured
- checkAdmin: return 'admin' when admin auth not configured
- checkUser: return 'user' when authCode not configured
- directoryTree: use authType !== 'admin' to gate user-only checks
2026-04-18 15:28:01 +08:00
MarSeventh
7ad7bf364b refactor: remove Basic Auth, add /api/auth/adminLogin endpoint
- Remove Basic Auth (verifyBasicAuth, parseBasicAuth) from authCore.js
- Add /api/auth/adminLogin POST endpoint for admin login via JSON body
- Delete legacy /api/manage/check, login, logout (no longer referenced)
- Fix adminConfigured to consider password-only config
2026-04-18 14:49:01 +08:00
MarSeventh
1e96f2e27b refactor: unify auth logic into authCore with authScope parameter
- Extract shared authentication logic into utils/auth/authCore.js
- Replace enableBasicAuth/enableAuthCode flags with clear authScope enum (ADMIN/USER/EITHER)
- Move all auth-related files into utils/auth/ subdirectory
- Eliminate duplicated admin auth logic between _middleware.js and dualAuth.js
- Fix: user session no longer grants access to admin-only endpoints
- Fix: dualAuth no longer bypasses authCode when admin is not configured
- Update all 17 import references across the codebase
- Preserve original function signatures (userAuthCheck, dualAuthCheck) for zero caller changes
2026-04-18 13:24:53 +08:00
MarSeventh
baca53a631 security: upgrade password hashing to PBKDF2 and fix API token generation
- Replace single-round SHA-256 with PBKDF2 (100k iterations) via Web Crypto API
- Auto-rehash old SHA-256/plaintext passwords to PBKDF2 on successful login
- Add timing-safe comparison to prevent timing attacks
- Replace Math.random() with crypto.getRandomValues() for API token and token ID generation
- Maintain full backward compatibility with existing SHA-256 hashes and plaintext passwords
2026-04-18 00:45:04 +08:00
MarSeventh
cb8f0fd1f7 refactor: move auth endpoints to /api/auth/ subdirectory
- login.js -> auth/login.js (/api/auth/login)
- logout.js -> auth/logout.js (/api/auth/logout)
- sessionCheck.js -> auth/sessionCheck.js (/api/auth/sessionCheck)
- resetAuth.js -> auth/resetAuth.js (/api/auth/resetAuth)
- Update import paths in moved files
2026-04-17 23:46:24 +08:00
MarSeventh
43e662ecd7 feat: add /api/resetAuth endpoint for password recovery
Allows resetting all auth config when locked out:
- Requires RESET_KEY environment variable to be set
- GET /api/resetAuth?key=YOUR_RESET_KEY
- Clears security config from database (falls back to env vars)
- Destroys all active sessions
2026-04-17 23:37:11 +08:00
MarSeventh
05b7d21ff1 fix: use ?? for config fallback, add clear password support and auth-required check
- Fix getSecurityConfig: use ?? instead of || so empty string is preserved
- Handle _clear flag to explicitly remove passwords
- Clear adminUsername together with adminPassword on _clear
- sessionCheck now returns adminRequired/userRequired fields
- Return 200 instead of 401 from sessionCheck for frontend to decide
2026-04-17 23:32:27 +08:00
MarSeventh
5e48fde2ca feat: session-based auth with password hashing
- Add passwordHash.js: SHA-256 + salt hashing with plaintext backward compatibility
- Add sessionManager.js: HttpOnly cookie sessions with separate admin_session/user_session
- Add sessionCheck.js: session validation endpoint for frontend route guards
- Add logout.js: session destruction endpoint with authType support
- Update login.js: return user_session cookie on successful login
- Update check.js: return admin_session cookie on successful admin auth
- Update _middleware.js: check admin_session before Basic Auth, remove WWW-Authenticate header
- Update security.js: hash passwords on save, mask in GET, clear sessions on password change
- Update dualAuth.js/userAuth.js: use verifyPassword and session validation
2026-04-17 23:11:45 +08:00
MarSeventh
7c0875bd67 feat: add i18n English labels for page config API 2026-03-28 22:06:46 +08:00
MarSeventh
3d44022947 Feat: refine token permissions, support setting admin permissions 2026-03-10 18:59:03 +08:00
MarSeventh
9441468a5b feat: add backend support for API token expiration
- Add tokenExpiration.js utility module (expiration check, auto-delete filtering)
- apiTokens.js supports creating, updating and auto-cleaning the expiresAt/autoDelete fields
- Add exported getTokenData function
- Add expiration check logic to tokenValidator.js
2026-03-10 10:52:01 +08:00
MarSeventh
fc9eab6194 Improve robustness of index rebuilding under different network conditions 2026-03-05 12:26:56 +08:00
copilot-swe-agent[bot]
81661a3fdb Replace URL rewrite with fetch interceptor to fix url.origin-based logic; fix folder delete/move body consumption bug
Co-authored-by: MarSeventh <108160987+MarSeventh@users.noreply.github.com>
2026-03-03 18:05:41 +00:00
MarSeventh
26226c2e10 Directory tree settings and UX improvements 2026-03-01 11:25:39 +08:00
MarSeventh
cfb6e638e2 Directory tree settings and UX improvements 2026-03-01 11:13:43 +08:00
MarSeventh
4955ed1b8d v2.6.1: add folder suggestions; some security and UX improvements 2026-02-28 16:58:42 +08:00
MarSeventh
50ff6d98b1 v2.6.1: add folder suggestions; some security and UX improvements 2026-02-28 16:50:46 +08:00
MarSeventh
1be23d730a Optimize path safety handling logic 2026-02-24 10:52:32 +08:00
MarSeventh
d1f5c9bd3d Enhance path traversal detection 2026-02-23 15:05:32 +08:00
MarSeventh
8eebf7ed49 Optimize index rebuild feature, improve security 2026-02-23 14:43:34 +08:00
MarSeventh
a67d29e471 Improve announcement settings UX 2026-02-23 14:04:26 +08:00
MarSeventh
91983dcb53 Optimize large file upload for the hf channel 2026-02-23 13:44:49 +08:00
MarSeventh
978ed2bcf6 v2.5.12: add path traversal protection 2026-02-23 13:20:42 +08:00
MarSeventh
12069fc3cd v2.5.10: support file renaming and file metadata editing 2026-02-07 16:00:28 +08:00
MarSeventh
013eb7cfee Optimize dimension extraction feature 2026-01-30 17:15:22 +08:00
MarSeventh
a03766a9f9 update v2.5.7 2026-01-30 16:14:19 +08:00
MarSeventh
88c617395f update v2.5.6 2026-01-29 19:59:29 +08:00
Zhang Chao
cdfd983f42 fix(s3/storage): restore S3 CDN code lost in a bad merge, which had broken the feature 2026-01-27 04:20:24 +00:00
MarSeventh
5d34052a1f update v2.5.5 2026-01-25 15:29:35 +08:00
MarSeventh
1625d32ff3 update v2.5.4 2026-01-23 22:40:21 +08:00
MarSeventh
9d4d9fb7bf update v2.5.4 2026-01-23 21:58:25 +08:00
MarSeventh
7d2b8a5f60 update v2.5.4 2026-01-23 20:50:26 +08:00
MarSeventh
1233e3cbe7 chore: fix nasty build artifact conflicts 2026-01-23 20:44:04 +08:00
MarSeventh
4fe586412a Feat: improve backup restore UX 2026-01-23 20:27:36 +08:00
zcwwww1996
84be024140 Feat: add CDN acceleration support for the S3 storage channel
New features:
- Support configuring a custom CDN domain for the S3 channel
- Automatically generate the full CDN file path on upload and store it in metadata
- Prefer the CDN when reading files, automatically falling back to the S3 API on failure
- Admin panel supports configuring and viewing the CDN domain
- Add an S3 CDN URL tab to the file details page
2026-01-23 19:50:11 +08:00
MarSeventh
0a22cf9844 Feat: upload supports specifying a channel name; webdav supports setting the upload channel 2026-01-10 14:31:14 +08:00
MarSeventh
1ca7a284a5 Fix: HuggingFace channel file naming and read issues 2026-01-08 19:51:34 +08:00
MarSeventh
18ebe4876c Feat: support a custom link for the upload page logo; admin panel supports jumping to a specific page number; some usability refinements 2026-01-08 12:03:57 +08:00
MarSeventh
67c4355c13 Feat: support converting to webp format before upload 2026-01-07 22:40:53 +08:00
MarSeventh
6583fcc926 Feat: telegram channel supports setting a proxy; improve upload settings page UX 2026-01-07 18:37:03 +08:00
MarSeventh
bdc94f80a2 Feat: telegram channel supports setting a proxy; improve upload settings page UX 2026-01-07 17:44:33 +08:00
axibayuit
0426591d4d feat: public browsing enhancements & Discord API 429 retry 2026-01-03 00:35:27 +08:00
MarSeventh
51f4ab6659 Feat: improve visitor gallery display, support showing the root directory; Bug: fix Telegram channel being unable to disable server-side compression retry 2026-01-01 15:57:49 +08:00
MarSeventh
71100c8181 Feat: improve upload error handling; improve the logic for clearing files during upload; improve Telegram channel upload UX 2026-01-01 01:10:19 +08:00
axibayuit
579d835255 fix: remove duplicate url variable declaration in commitUpload.js 2025-12-31 21:46:40 +08:00
axibayuit
2292a4eda6 feat: add backend API for the public browsing feature
- Add /api/public/list public listing API
- Add publicBrowse config support to others.js
- Support configuring directories allowed for public access
- Enforce permission checks on the backend, hide sensitive metadata
2025-12-31 18:12:29 +08:00
MarSeventh
77e04fa2a7 Feat: add discord/huggingface channel support; improve telegram large file upload UX 2025-12-31 09:23:38 +08:00