feat: Add 10-second timeout for admin re-authentication

Security enhancement: - Admin must re-enter password if Settings closed >10 seconds - localStorage stores admin_close_time when closing Settings - toggleSettings() checks elapsed time since last close - If elapsed >10s: clear token, show login modal - If elapsed <=10s: open Settings directly (no password) Implementation: - Added localStorage.admin_close_time tracking - Modified toggleSettings() to check timeout - Clear close_time when opening Settings - Clear close_time on new login - Clear close_time when token removed User workflow: 1. Login → Settings open 2. Close Settings → record close_time 3. Re-open immediately (<10s) → direct access 4. Re-open after 10s → password required Files changed: src/page.html (+15 lines in toggleSettings, +1 line in submitAdminLogin) Security: Prevents unauthorized access if admin leaves Settings open and returns later
2026-05-16 21:26:35 +08:00
parent ed9f4490c8
commit 0a0e4a8b9c
1 changed files with 25 additions and 1 deletions
--- a/src/page.html
+++ b/src/page.html
@@ -137,8 +137,22 @@ var _sv=false;

 function toggleSettings(){
    var token=localStorage.getItem('admin_token');
+    var lastClose=localStorage.getItem('admin_close_time');
    
    if(token){
+        // Check if closed more than 10 seconds ago
+        if(lastClose){
+            var now=Date.now();
+            var elapsed=(now-parseInt(lastClose))/1000;
+            if(elapsed>10){
+                // Token expired (>10s since close), clear and show login
+                localStorage.removeItem('admin_token');
+                localStorage.removeItem('admin_close_time');
+                showAdminLoginModal();
+                return;
+            }
+        }
+        
        // Verify token validity
        fetch('/api/v2/admin/verify',{
            headers:{'Authorization':'Bearer '+token}
@@ -149,15 +163,24 @@ function toggleSettings(){
                // Token valid, open settings
                _sv=!_sv;
                document.getElementById("mb-settings-panel").classList.toggle("active",_sv);
-                if(_sv)loadSettings();
+                if(_sv){
+                    loadSettings();
+                    // Clear close time when opening
+                    localStorage.removeItem('admin_close_time');
+                }else{
+                    // Record close time when closing
+                    localStorage.setItem('admin_close_time',Date.now());
+                }
            }else{
                // Token invalid, remove and show login
                localStorage.removeItem('admin_token');
+                localStorage.removeItem('admin_close_time');
                showAdminLoginModal();
            }
        })
        .catch(function(e){
            localStorage.removeItem('admin_token');
+            localStorage.removeItem('admin_close_time');
            showAdminLoginModal();
        });
    }else{
@@ -203,6 +226,7 @@ function submitAdminLogin(){
    .then(function(d){
        if(d.token){
            localStorage.setItem('admin_token',d.token);
+            localStorage.removeItem('admin_close_time'); // Clear close time on new login
            document.getElementById('mb-admin-modal').classList.remove('active');
            toast('Admin authenticated ✓');
            toggleSettings(); // Re-open settings