fix: 修复 JWT 幽灵令牌漏洞，新增 Dify 权限过滤服务

2026-05-18 16:16:50 +08:00
parent d1e49c343c
commit 3cb31c2b67
5 changed files with 481 additions and 54 deletions
--- a/inventory-web/index.html
+++ b/inventory-web/index.html
@ -10,56 +10,71 @@
    <div id="app"></div>
    <script type="module" src="/src/main.ts"></script>
    <script>
-      window.difyChatbotConfig = {
-        token: 'Zp6B44AgCUPKprFG',
-        baseUrl: 'http://172.16.0.198:8080',
-        inputs: {},
-        systemVariables: {},
-        userVariables: {},
-      };
-    </script>
+  // 获取当前用户的登录凭证 (Token)
+  var currentToken = localStorage.getItem('access_token') || localStorage.getItem('token') || '';

-    <script
-      src="http://172.16.0.198:8080/embed.min.js"
-      id="Zp6B44AgCUPKprFG"
-      defer>
-    </script>
+  window.difyChatbotConfig = {
+    token: '6T0eTgukUEqzK0iW',
+    baseUrl: 'http://172.16.0.198:8080',
+    inputs: {
+      "user_token": currentToken
+    },
+    systemVariables: {},
+    userVariables: {},
+  }
+</script>

-    <style>
-      #dify-chatbot-bubble-button {
-        background-color: #409EFF !important;
-        box-shadow: 0 4px 12px rgba(64, 158, 255, 0.4) !important;
+<script
+  src="http://172.16.0.198:8080/embed.min.js"
+  id="6T0eTgukUEqzK0iW"
+  defer>
+</script>
+
+<style>
+  #dify-chatbot-bubble-button {
+    background-color: #409EFF !important;
+    box-shadow: 0 4px 12px rgba(64, 158, 255, 0.4) !important;
+  }
+
+  #dify-chatbot-bubble-window {
+    width: 28rem !important;
+    height: 42rem !important;
+    border-radius: 12px !important;
+    box-shadow: 0 8px 24px rgba(0, 0, 0, 0.12) !important;
+
+    /* 👇 核心：开启拖拽改变大小功能 👇 */
+    resize: both !important;
+    overflow: hidden !important; /* 必须配合 overflow: hidden 才能生效 */
+
+    /* 防止缩得太小或拉得太大导致页面崩坏 */
+    min-width: 24rem !important;
+    min-height: 35rem !important;
+    max-width: 90vw !important;  /* 最大不超过屏幕宽度的 90% */
+    max-height: 90vh !important; /* 最大不超过屏幕高度的 90% */
+  }
+
+  /* 确保内部的网页容器 100% 填满外壳，丝滑缩放 */
+  #dify-chatbot-bubble-window iframe {
+    width: 100% !important;
+    height: 100% !important;
+  }
+</style>
+
+<script>
+  document.addEventListener('DOMContentLoaded', function() {
+    document.addEventListener('click', function(event) {
+      var bubbleWindow = document.getElementById('dify-chatbot-bubble-window');
+      var bubbleButton = document.getElementById('dify-chatbot-bubble-button');
+
+      if (bubbleWindow && bubbleButton) {
+        var isWindowOpen = window.getComputedStyle(bubbleWindow).display !== 'none';
+
+        if (isWindowOpen && !bubbleWindow.contains(event.target) && !bubbleButton.contains(event.target)) {
+          bubbleButton.click();
+        }
      }
-
-      #dify-chatbot-bubble-window {
-        width: 28rem !important;
-        height: 42rem !important;
-        border-radius: 12px !important;
-        box-shadow: 0 8px 24px rgba(0, 0, 0, 0.12) !important;
-      }
-    </style>
-
-    <script>
-      // 等待页面加载完毕
-      document.addEventListener('DOMContentLoaded', function() {
-        // 给整个网页添加点击监听器
-        document.addEventListener('click', function(event) {
-          // 获取 Dify 的聊天窗口和按钮元素
-          var bubbleWindow = document.getElementById('dify-chatbot-bubble-window');
-          var bubbleButton = document.getElementById('dify-chatbot-bubble-button');
-
-          if (bubbleWindow && bubbleButton) {
-            // 判断窗口当前是否处于打开状态 (不为 none 说明是打开的)
-            var isWindowOpen = window.getComputedStyle(bubbleWindow).display !== 'none';
-
-            // 如果窗口是打开的，并且点击的位置既不在窗口内，也不在按钮上
-            if (isWindowOpen && !bubbleWindow.contains(event.target) && !bubbleButton.contains(event.target)) {
-              // 模拟点击按钮，关闭窗口
-              bubbleButton.click();
-            }
-          }
-        });
-      });
-    </script>
+    });
+  });
+</script>
  </body>
 </html>