From 0a0e4a8b9cbb7578a07f62f1e7571e55538ff088 Mon Sep 17 00:00:00 2001
From: Warren
Date: Sat, 16 May 2026 21:26:35 +0800
Subject: [PATCH] feat: Add 10-second timeout for admin re-authentication
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Security enhancement:
- Admin must re-enter password if Settings closed >10 seconds
- localStorage stores admin_close_time when closing Settings
- toggleSettings() checks elapsed time since last close
- If elapsed >10s: clear token, show login modal
- If elapsed <=10s: open Settings directly (no password)
Implementation:
- Added localStorage.admin_close_time tracking
- Modified toggleSettings() to check timeout
- Clear close_time when opening Settings
- Clear close_time on new login
- Clear close_time when token removed
User workflow:
1. Login → Settings open
2. Close Settings → record close_time
3. Re-open immediately (<10s) → direct access
4. Re-open after 10s → password required
Files changed: src/page.html (+15 lines in toggleSettings, +1 line in submitAdminLogin)
Security: Prevents unauthorized access if admin leaves Settings open and returns later
---
 src/page.html | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/src/page.html b/src/page.html
index 266e52e..f234da2 100644
--- a/src/page.html
+++ b/src/page.html
@@ -137,8 +137,22 @@ var _sv=false;
 function toggleSettings(){
 var token=localStorage.getItem('admin_token');
+ var lastClose=localStorage.getItem('admin_close_time');
 if(token){
+ // Check if closed more than 10 seconds ago
+ if(lastClose){
+ var now=Date.now();
+ var elapsed=(now-parseInt(lastClose))/1000;
+ if(elapsed>10){
+ // Token expired (>10s since close), clear and show login
+ localStorage.removeItem('admin_token');
+ localStorage.removeItem('admin_close_time');
+ showAdminLoginModal();
+ return;
+ }
+ }
+ // Verify token validity
 fetch('/api/v2/admin/verify',{
 headers:{'Authorization':'Bearer '+token}
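Review bot: The 10-second re-auth check in toggleSettings only runs when `admin_close_time` is present, and nothing in this commit writes that key until the panel is explicitly toggled closed, so the case the commit message names — an admin who leaves Settings open and comes back later — is not covered: the open panel and the stored token stay usable indefinitely. The expiry is also enforced purely in the browser; the `>10` branch only calls `localStorage.removeItem` and never tells the server, so the bearer token remains valid and anyone who can edit this origin's localStorage (devtools, another script) can delete `admin_close_time` and skip the prompt — if the intent is a real idle limit, `/api/v2/admin/verify` (not shown here) should reject tokens past a deadline the server tracks itself. Within the hunk, a non-numeric stored value makes `elapsed` NaN, `NaN>10` is false, and the stale token is accepted, and `parseInt` has no radix; replace the two lines with `var closedAt=Number(lastClose);` and `if(!Number.isFinite(closedAt)||Date.now()-closedAt>10000){` so malformed values expire rather than pass. toggleSettings continues past the end of this hunk.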
@@ -149,15 +163,24 @@ function toggleSettings(){
 // Token valid, open settings
 _sv=!_sv;
 document.getElementById("mb-settings-panel").classList.toggle("active",_sv);
- if(_sv)loadSettings();
+ if(_sv){
+ loadSettings();
+ // Clear close time when opening
+ localStorage.removeItem('admin_close_time');
+ }else{
+ // Record close time when closing
+ localStorage.setItem('admin_close_time',Date.now());
+ }
 }else{
 // Token invalid, remove and show login
 localStorage.removeItem('admin_token');
+ localStorage.removeItem('admin_close_time');
 showAdminLoginModal();
 }
 })
 .catch(function(e){
 localStorage.removeItem('admin_token');
+ localStorage.removeItem('admin_close_time');
 showAdminLoginModal();
 });
 }else{
@@ -203,6 +226,7 @@ function submitAdminLogin(){
 .then(function(d){
 if(d.token){
 localStorage.setItem('admin_token',d.token);
+ localStorage.removeItem('admin_close_time'); // Clear close time on new login
 document.getElementById('mb-admin-modal').classList.remove('active');
 toast('Admin authenticated ✓');
 toggleSettings(); // Re-open settings
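Review bot: The close timestamp is written only on the toggle-close branch (`localStorage.setItem('admin_close_time',Date.now())`), and the open branch removes it, while `_sv` is page-local state that resets to false on reload; so if the admin reloads or navigates away with the panel open, `admin_close_time` is absent, and the next toggleSettings after any delay opens Settings with no password — the 10-second window never starts. Recording the time on unload when the panel is open would close that gap, e.g. `window.addEventListener('pagehide',function(){if(_sv)localStorage.setItem('admin_close_time',String(Date.now()));});` next to the `_sv` declaration. Since the key lives in localStorage it is shared by every tab of the origin, so closing the panel in one tab starts the clock for a tab whose panel is still open, and that tab's next toggle will hit the expiry branch and show the login modal without ever hiding the panel; presumably acceptable, but it deserves a comment on the `setItem` line. The enclosing .then callback and toggleSettings begin before this hunk.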