Pass are stored unencrypted in local storage #327

Open
3 tasks done
lonuslan opened this issue Mar 28, 2023 · 13 comments
Labels
enhancement New feature or request

Comments

@lonuslan

Clear and concise description of the problem

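After site_password is set, the logic that checks whether the password is correct compares the entered pass directly with env.site_password, and if it is correct it stores pass in local storage. I suggest storing it encrypted!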

const realPassword = import.meta.env.SITE_PASSWORD
const { pass } = body
  return new Response(JSON.stringify({
    code: (!realPassword || pass === realPassword) ? 0 : -1,
  }))
······························································

const response = await fetch('/api/auth', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({
      pass: password,
    }),
  })
  const responseJson = await response.json()
  if (responseJson.code === 0) {
    localStorage.setItem('pass', password)
    window.location.href = '/'
  } else {
    inputContainer.classList.add('invalid')
    setTimeout(() => {
      inputContainer.classList.remove('invalid')
    }, 300)
  }

I suggest improving this!

Suggested solution

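When the password is correct, encrypt pass with asymmetric encryption and save it as ciphertext in local_storage, to prevent the password from leaking!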

Alternative

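When the password is correct, encrypt pass with asymmetric encryption and save it as ciphertext in local_storage, to prevent the password from leaking!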

Additional context

nope

Validations

@lonuslan lonuslan added the enhancement New feature or request label Mar 28, 2023
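@lonuslan lonuslan changed the title from "pass 为经加密就保存在 local storage" to "pass 未经加密就保存在 local storage" ("pass is saved to local storage without being encrypted"; the change fixes a typo in the Chinese title) Mar 28, 2023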
@yzh990918
Member

PR welcome!

@yzh990918 yzh990918 changed the title pass 未经加密就保存在 local storage Pass are stored unencrypted in local storage Mar 28, 2023
@lonuslan
Author

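After changing the code, everything works fine when I deploy and test locally, but when I publish to GitHub and deploy with netlify it reports an error: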

2:16:41 PM:  ERR_PNPM_OUTDATED_LOCKFILE  Cannot install with "frozen-lockfile" because pnpm-lock.yaml is not up to date with package.json
2:16:41 PM: Note that in CI environments this setting is true by default. If you still need to run install in such cases, use "pnpm install --no-frozen-lockfile"

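It seems to be caused by the lockfile and the file being inconsistent, but I compared them and the newly added packages are all the same, so why does it still show this? No solution....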

@lonuslan
Author

Attached images:
image
image
image
image
import * as CryptoJS from 'crypto-js'

@lonuslan
Author

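I tried putting the pnpm install --no-frozen-lockfile that it suggests into the Dockerfile before the build, and it still doesn't work ... Could one of the experts take a look when you have time? I've spent the whole noon on this without a nap.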

@ddiu8081
Member

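After changing the code, everything works fine when I deploy and test locally, but when I publish to GitHub and deploy with netlify it reports an error:

It seems to be caused by the lockfile and the file being inconsistent, but I compared them and the newly added packages are all the same, so why does it still show this? No solution....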

If you add a dependency, you will need to commit the lock file besides the package.json. Just committing package.json is not enough.

@lonuslan
Author

lonuslan commented Mar 29, 2023

I compared these two files on my GitHub, Package-Lock.json and Package.json. Their dependencies are the same.

@lonuslan
Author

I found a file named pnpm-lock.yaml. Do I need to add the dependency into it? The error log displays some errors about pnpm; I think maybe they are related.

@ddiu8081
Member

I found a file named pnpm-lock.yaml. Do I need to add the dependency into it? The error log displays some errors about pnpm; I think maybe they are related.

Yes, Netlify will use pnpm to compile. You need to develop and add dependencies with pnpm locally, and commit the automatically generated pnpm-lock.yaml file to the repository.

@chenyhd

chenyhd commented Mar 29, 2023

When you add a new dependency and run pnpm install, is the pnpm-lock.yaml file not changed automatically? If it was changed, just commit it.

I found a file named pnpm-lock.yaml. Do I need to add the dependency into it? The error log displays some errors about pnpm; I think maybe they are related.

@lonuslan
Author

lonuslan commented Mar 29, 2023

When you add a new dependency and run pnpm install, is the pnpm-lock.yaml file not changed automatically? If it was changed, just commit it.

I found a file named pnpm-lock.yaml. Do I need to add the dependency into it? The error log displays some errors about pnpm; I think maybe they are related.

Yeah, I used pnpm install to install, then pnpm-lock.yaml showed as modified, so I committed it to GitHub. Now it shows a new error, which is below:

5:12:12 PM: 09:12:12 AM [content] No content directory found. Skipping type generation.
5:12:12 PM: 09:12:12 AM [build] output target: server
5:12:12 PM: 09:12:12 AM [build] deploy adapter: @astrojs/netlify/edge-functions
5:12:12 PM: 09:12:12 AM [build] Collecting build info...
5:12:12 PM: 09:12:12 AM [build] Completed in 335ms.
5:12:12 PM: 09:12:12 AM [build] Building server entrypoints...
5:12:12 PM: [commonjs--resolver] Cannot bundle Node.js built-in "crypto" imported from "node_modules/.pnpm/crypto-js@4.1.1/node_modules/crypto-js/core.js". Consider disabling ssr.noExternal or remove the built-in dependency.
5:12:12 PM: file: /opt/build/repo/node_modules/.pnpm/crypto-js@4.1.1/node_modules/crypto-js/index.js
5:12:13 PM:  error   Cannot bundle Node.js built-in "crypto" imported from "node_modules/.pnpm/crypto-js@4.1.1/node_modules/crypto-js/core.js". Consider disabling ssr.noExternal or remove the built-in dependency.
5:12:13 PM:   File:
5:12:13 PM:     /opt/build/repo/node_modules/.pnpm/crypto-js@4.1.1/node_modules/crypto-js/index.js
5:12:13 PM:   Stacktrace:
5:12:13 PM: RollupError: Cannot bundle Node.js built-in "crypto" imported from "node_modules/.pnpm/crypto-js@4.1.1/node_modules/crypto-js/core.js". Consider disabling ssr.noExternal or remove the built-in dependency.
5:12:13 PM:     at error (file:///opt/build/repo/node_modules/.pnpm/rollup@3.19.1/node_modules/rollup/dist/es/shared/node-entry.js:2125:30)
5:12:13 PM:     at Object.error (file:///opt/build/repo/node_modules/.pnpm/rollup@3.19.1/node_modules/rollup/dist/es/shared/node-entry.js:24144:20)
5:12:13 PM:     at Object.resolveId (file:///opt/build/repo/node_modules/.pnpm/vite@4.1.4/node_modules/vite/dist/node/chunks/dep-ca21228b.js:21501:34)
5:12:13 PM:     at Object.handler (file:///opt/build/repo/node_modules/.pnpm/vite@4.1.4/node_modules/vite/dist/node/chunks/dep-ca21228b.js:44872:19)
5:12:13 PM:     at file:///opt/build/repo/node_modules/.pnpm/rollup@3.19.1/node_modules/rollup/dist/es/shared/node-entry.js:24343:40
5:12:13 PM:     at async PluginDriver.hookFirstAndGetPlugin (file:///opt/build/repo/node_modules/.pnpm/rollup@3.19.1/node_modules/rollup/dist/es/shared/node-entry.js:24243:28)
5:12:13 PM:     at async resolveId (file:///opt/build/repo/node_modules/.pnpm/rollup@3.19.1/node_modules/rollup/dist/es/shared/node-entry.js:23187:26)
5:12:13 PM:     at async ModuleLoader.resolveId (file:///opt/build/repo/node_modules/.pnpm/rollup@3.19.1/node_modules/rollup/dist/es/shared/node-entry.js:23451:15)
5:12:13 PM:     at async Object.resolveId (file:///opt/build/repo/node_modules/.pnpm/astro@2.1.3/node_modules/astro/dist/vite-plugin-config-alias/index.js:48:26)
5:12:13 PM:     at async PluginDriver.hookFirstAndGetPlugin (file:///opt/build/repo/node_modules/.pnpm/rollup@3.19.1/node_modules/rollup/dist/es/shared/node-entry.js:24243:28)
5:12:13 PM:     at async resolveId (file:///opt/build/repo/node_modules/.pnpm/rollup@3.19.1/node_modules/rollup/dist/es/shared/node-entry.js:23187:26)
5:12:13 PM:     at async ModuleLoader.resolveId (file:///opt/build/repo/node_modules/.pnpm/rollup@3.19.1/node_modules/rollup/dist/es/shared/node-entry.js:23451:15)
5:12:13 PM:     at async file:///opt/build/repo/node_modules/.pnpm/vite@4.1.4/node_modules/vite/dist/node/chunks/dep-ca21228b.js:8169:16
5:12:13 PM:     at async Promise.all (index 0)
5:12:13 PM:     at async file:///opt/build/repo/node_modules/.pnpm/vite@4.1.4/node_modules/vite/dist/node/chunks/dep-ca21228b.js:8161:32
5:12:13 PM:     at async rewriteRequireExpressionsAndGetImportBlock (file:///opt/build/repo/node_modules/.pnpm/vite@4.1.4/node_modules/vite/dist/node/chunks/dep-ca21228b.js:8707:28)
5:12:13 PM:     at async transformCommonjs (file:///opt/build/repo/node_modules/.pnpm/vite@4.1.4/node_modules/vite/dist/node/chunks/dep-ca21228b.js:9269:23)
5:12:13 PM:     at async transform (file:///opt/build/repo/node_modules/.pnpm/rollup@3.19.1/node_modules/rollup/dist/es/shared/node-entry.js:23363:16)
5:12:13 PM:     at async ModuleLoader.addModuleSource (file:///opt/build/repo/node_modules/.pnpm/rollup@3.19.1/node_modules/rollup/dist/es/shared/node-entry.js:23569:30)
5:12:13 PM: ​
5:12:13 PM:   "build.command" failed         

Then I thought I should maybe follow the guide, so I added a config in astro.config.mjs. My config is shown below, but it did not work. I do not know how to fix it. Could you help me? Many thanks.

export default {
  // ...
  buildOptions: {
    ssr: {
      noExternal: ['crypto']
    }
  },
  // ...
}

@lonuslan lonuslan reopened this Mar 29, 2023
@yzh990918
Member

You don't seem to need the crypto-js package as it's built in, but compatibility is required before use.
image

@lonuslan
Author

I finally used the func digestMessage and now it works fine, but I still have a question: how could I use another package to customize new features?
image

@lonuslan
Author

PR welcome!

Pls check my pull request.
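
The digest-based approach the thread ends on, as an added example that is not the project's code or the submitted pull request: the client hashes the password with Web Crypto and persists only the digest, and the `/api/auth`-style check compares digests. It assumes `digestMessage` means SHA-256 via `crypto.subtle.digest`; `safeEqual`, `checkAuth` and `login` are hypothetical names, and `storage` and `verify` stand in for `localStorage` and the `fetch('/api/auth')` call.

```javascript
// Web Crypto is a global in browsers and recent Node; the require() fallback
// covers older Node versions where it is not exposed on globalThis.
const subtle = (globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined)).subtle;

// SHA-256 of a string, returned as lowercase hex.
async function digestMessage(message) {
  const data = new TextEncoder().encode(message);
  const hash = await subtle.digest('SHA-256', data);
  return Array.from(new Uint8Array(hash), b => b.toString(16).padStart(2, '0')).join('');
}

// String comparison that does not stop at the first mismatching character.
// An out-of-range charCodeAt() yields NaN, which the XOR treats as 0.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Server side, modelled on the check quoted in the issue: the request body
// carries a digest in `pass`, never the password itself.
async function checkAuth(body, realPassword) {
  if (!realPassword) return { code: 0 }; // no SITE_PASSWORD set: same as the original logic
  const expected = await digestMessage(realPassword);
  const ok = typeof body.pass === 'string' && safeEqual(body.pass, expected);
  return { code: ok ? 0 : -1 };
}

// Client side: hash first, send the digest, and persist only the digest.
async function login(password, storage, verify) {
  const pass = await digestMessage(password);
  const { code } = await verify({ pass });
  if (code === 0) storage.setItem('pass', pass);
  return code === 0;
}
```

The stored digest is still what the server accepts, so anyone who can read local storage can authenticate to this site with it; what the change protects is the plaintext password, for example against reuse elsewhere. An unsalted SHA-256 of a weak password can also be guessed offline.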


4 participants