Update server.js

server.js

@@ -9,6 +9,14 @@ const port = process.env.PORT || 8080;
 app.use(express.json());
 app.use(express.urlencoded({ extended: true }));
 
+// 添加安全响应头
+app.use((req, res, next) => {
+  res.setHeader('X-Content-Type-Options', 'nosniff');
+  res.setHeader('X-Frame-Options', 'DENY');
+  res.setHeader('X-XSS-Protection', '1; mode=block');
+  next();
+});
+
 // 从环境变量获取 HuggingFace 用户名和对应的 API Token 映射
 const userTokenMapping = {};
 const usernames = [];
@@ -35,7 +43,7 @@ const ADMIN_PASSWORD = process.env.USER_PASSWORD || 'password';
 const sessions = new Map();
 const SESSION_TIMEOUT = 24 * 60 * 60 * 1000; // 24小时超时
 
-// 缓存管理
+// 缓存管理 - 修改后的类
 class SpaceCache {
   constructor() {
     this.spaces = {};
@@ -50,15 +58,34 @@ class SpaceCache {
   getAll() {
     return Object.values(this.spaces);
   }
+  
+  // 新增：获取安全的空间数据（不包含token）
+  getSafeSpaces() {
+    return Object.values(this.spaces).map(space => {
+      const { token, ...safeSpace } = space;
+      return safeSpace;
+    });
+  }
 
   isExpired(expireMinutes = 5) {
     if (!this.lastUpdate) return true;
     return (Date.now() - this.lastUpdate) > (expireMinutes * 60 * 1000);
   }
+  
+  // 根据repo_id获取单个space的token
+  getToken(repoId) {
+    return this.spaces[repoId]?.token || '';
+  }
 }
 
 const spaceCache = new SpaceCache();
 
+// 添加API请求日志中间件
+app.use('/api/proxy', (req, res, next) => {
+  console.log(`[${new Date().toISOString()}] ${req.method} ${req.originalUrl} - IP: ${req.ip}`);
+  next();
+});
+
 // 提供静态文件（前端文件）
 app.use(express.static(path.join(__dirname, 'public')));
 
@@ -126,12 +153,13 @@ const authenticateToken = (req, res, next) => {
   }
 };
 
-// 获取所有 spaces 列表（包括私有）
+// 获取所有 spaces 列表（包括私有）- 修改后的路由处理函数
 app.get('/api/proxy/spaces', async (req, res) => {
   try {
     if (!spaceCache.isExpired()) {
       console.log('从缓存获取 Spaces 数据');
-      return res.json(spaceCache.getAll());
+      // 返回不包含token的安全数据
+      return res.json(spaceCache.getSafeSpaces());
     }
 
     const allSpaces = [];
@@ -155,12 +183,13 @@ app.get('/api/proxy/spaces', async (req, res) => {
             const spaceInfo = spaceInfoResponse.data;
             const spaceRuntime = spaceInfo.runtime || {};
 
+            // 存储完整信息到缓存（包括token）
             allSpaces.push({
               repo_id: spaceInfo.id,
               name: spaceInfo.cardData?.title || spaceInfo.id.split('/')[1],
               owner: spaceInfo.author,
               username: username,
-              token: token || '',
+              token: token || '',  // 仍然存储token到缓存中，用于后续API调用
               url: `https://${spaceInfo.author}-${spaceInfo.id.split('/')[1]}.hf.space`,
               status: spaceRuntime.stage || 'unknown',
               last_modified: spaceInfo.lastModified || 'unknown',
@@ -182,7 +211,9 @@ app.get('/api/proxy/spaces', async (req, res) => {
     allSpaces.sort((a, b) => a.name.localeCompare(b.name));
     spaceCache.updateAll(allSpaces);
     console.log(`总共获取到 ${allSpaces.length} 个 Spaces`);
-    res.json(allSpaces);
+    
+    // 返回不包含token的安全数据
+    res.json(spaceCache.getSafeSpaces());
   } catch (error) {
     console.error(`代理获取 spaces 列表失败:`, error.message);
     res.status(500).json({ error: '获取 spaces 列表失败', details: error.message });
@@ -194,14 +225,15 @@ app.post('/api/proxy/restart/:repoId(*)', authenticateToken, async (req, res) =>
   try {
     const { repoId } = req.params;
     console.log(`尝试重启 Space: ${repoId}`);
-    const spaces = spaceCache.getAll();
-    const space = spaces.find(s => s.repo_id === repoId);
-    if (!space || !space.token) {
+    
+    // 从缓存中获取token，而不是完整的space对象
+    const token = spaceCache.getToken(repoId);
+    if (!token) {
       console.error(`Space ${repoId} 未找到或无 Token 配置`);
       return res.status(404).json({ error: 'Space 未找到或无 Token 配置' });
     }
 
-    const headers = { 'Authorization': `Bearer ${space.token}`, 'Content-Type': 'application/json' };
+    const headers = { 'Authorization': `Bearer ${token}`, 'Content-Type': 'application/json' };
     const response = await axios.post(`https://huggingface.co/api/spaces/${repoId}/restart`, {}, { headers });
     console.log(`重启 Space ${repoId} 成功，状态码: ${response.status}`);
     res.json({ success: true, message: `Space ${repoId} 重启成功` });
@@ -221,14 +253,15 @@ app.post('/api/proxy/rebuild/:repoId(*)', authenticateToken, async (req, res) =>
   try {
     const { repoId } = req.params;
     console.log(`尝试重建 Space: ${repoId}`);
-    const spaces = spaceCache.getAll();
-    const space = spaces.find(s => s.repo_id === repoId);
-    if (!space || !space.token) {
+    
+    // 从缓存中获取token，而不是完整的space对象
+    const token = spaceCache.getToken(repoId);
+    if (!token) {
       console.error(`Space ${repoId} 未找到或无 Token 配置`);
       return res.status(404).json({ error: 'Space 未找到或无 Token 配置' });
     }
 
-    const headers = { 'Authorization': `Bearer ${space.token}`, 'Content-Type': 'application/json' };
+    const headers = { 'Authorization': `Bearer ${token}`, 'Content-Type': 'application/json' };
     // 将 factory_reboot 参数作为查询参数传递，而非请求体
     const response = await axios.post(
       `https://huggingface.co/api/spaces/${repoId}/restart?factory=true`,
@@ -426,4 +459,4 @@ app.listen(port, () => {
   console.log(`Server running on port ${port}`);
   console.log(`User configurations:`, usernames.map(user => `${user}: ${userTokenMapping[user] ? 'Token Configured' : 'No Token'}`).join(', ') || 'None');
   console.log(`Admin login enabled: Username=${ADMIN_USERNAME}, Password=${ADMIN_PASSWORD ? 'Configured' : 'Not Configured'}`);
-});
+});