refactor: 代碼完整性修復與安全性優化

Phase 1 - 代碼清理：
- 移除重複定義的 isPlaceholderFirebaseConfig() 函數（3處合併為1處）
- 移除重複定義的 setAllRecords() 函數（3處合併為1處）
- 修正版本驗證邏輯，移除 PATCH 0-9 限制以符合 SemVer 標準
- 更新測試案例以驗證新的版本格式規則

Phase 2 - 安全性修復：
- 移除硬編碼的 Firebase API 密鑰，改為環境變數注入方式
- 本地認證密碼改用 SHA-256 雜湊存儲，不再明文保存

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: Showchen168

app.py

@@ -10,16 +10,14 @@
 
 
 def validate_version(version: str) -> None:
-    """檢查版本字串格式與 PATCH 範圍。"""
+    """檢查版本字串格式（符合 SemVer 標準）。"""
     if not version.startswith("v"):
         raise ValueError("版本格式錯誤：缺少 v 前綴。")
     parts = version[1:].split(".")
     if len(parts) != 3 or not all(p.isdigit() for p in parts):
         raise ValueError("版本格式錯誤：需為 vMAJOR.MINOR.PATCH。")
     major, minor, patch = (int(p) for p in parts)
-    if patch < 0 or patch > 9:
-        raise ValueError("版本格式錯誤：PATCH 必須為 0-9。")
-    if major < 0 or minor < 0:
+    if major < 0 or minor < 0 or patch < 0:
         raise ValueError("版本格式錯誤：版號不得為負數。")
 
 

index.html

@@ -998,6 +998,15 @@ <h3 class="text-white font-bold">編輯紀錄</h3>
             localStorage.setItem(AUTH_USERS_KEY, JSON.stringify(users));
         }
 
+        // 密碼雜湊函數（使用 Web Crypto API）
+        async function hashPassword(password) {
+            const encoder = new TextEncoder();
+            const data = encoder.encode(password);
+            const hashBuffer = await crypto.subtle.digest('SHA-256', data);
+            const hashArray = Array.from(new Uint8Array(hashBuffer));
+            return hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
+        }
+
         function getCurrentUserEmail() {
             return localStorage.getItem(AUTH_CURRENT_USER_KEY);
         }
@@ -1215,7 +1224,8 @@ <h3 class="text-white font-bold">編輯紀錄</h3>
                 return;
             }
             const users = getStoredUsers();
-            const match = users.find(user => user.email === email && user.password === password);
+            const hashedPassword = await hashPassword(password);
+            const match = users.find(user => user.email === email && user.passwordHash === hashedPassword);
             if (!match) {
                 setAuthError('auth-login-error', '帳號或密碼錯誤，請重新輸入。');
                 return;
@@ -1266,7 +1276,8 @@ <h3 class="text-white font-bold">編輯紀錄</h3>
                 setAuthError('auth-register-error', '此郵箱已註冊，請直接登入。');
                 return;
             }
-            users.push({ email, password });
+            const passwordHash = await hashPassword(password);
+            users.push({ email, passwordHash });
             saveStoredUsers(users);
             setCurrentUserEmail(email);
             setCachedAuthEmail(email);
@@ -1353,17 +1364,6 @@ <h3 class="text-white font-bold">編輯紀錄</h3>
             switchTab(initialTab);
         }
 
-        function isPlaceholderFirebaseConfig(cfg) {
-            return !cfg.apiKey || cfg.apiKey.startsWith('YOUR_') || !cfg.projectId || cfg.projectId.includes('YOUR_PROJECT_ID');
-        }
-        function setAllRecords(newRecords) {
-            window.allRecords = (newRecords || []).sort((a, b) => new Date(b.date) - new Date(a.date));
-            if(window.renderRecordsTable) window.renderRecordsTable();
-            if(window.renderAdminTable) window.renderAdminTable();
-            renderAnalyticsYearOptions();
-            if(window.updateCharts) window.updateCharts();
-        }
-
         function parseSalaryGrowth(value){
             if(value === undefined || value === null) return null;
             const num = parseFloat(String(value).replace('%','').trim());
@@ -1653,16 +1653,6 @@ <h3 class="text-white font-bold">編輯紀錄</h3>
             renderSalaryGrowthChart(stats);
         };
 
-        function isPlaceholderFirebaseConfig(cfg) {
-            return !cfg.apiKey || cfg.apiKey.startsWith('YOUR_') || !cfg.projectId || cfg.projectId.includes('YOUR_PROJECT_ID');
-        }
-        function setAllRecords(newRecords) {
-            window.allRecords = (newRecords || []).sort((a, b) => new Date(b.date) - new Date(a.date));
-            if(window.renderRecordsTable) window.renderRecordsTable();
-            if(window.renderAdminTable) window.renderAdminTable();
-            if(window.updateCharts) window.updateCharts();
-        }
-
         // Google Drive (可透過 __google_drive_config 覆寫)
         const defaultGoogleDriveConfig = { 
             apiKey: 'YOUR_GOOGLE_API_KEY', 
@@ -1691,6 +1681,7 @@ <h3 class="text-white font-bold">編輯紀錄</h3>
             persistLocalRecords(window.allRecords);
             if(window.renderRecordsTable) window.renderRecordsTable();
             if(window.renderAdminTable) window.renderAdminTable();
+            renderAnalyticsYearOptions();
             if(window.updateCharts) window.updateCharts();
             if(window.updateDraftSelector) window.updateDraftSelector();
         }
@@ -2523,29 +2514,27 @@ <h3 class="text-white font-bold">編輯紀錄</h3>
         import { getAuth, signInAnonymously, onAuthStateChanged, signInWithCustomToken, createUserWithEmailAndPassword, signInWithEmailAndPassword, sendPasswordResetEmail, signOut } from "https://www.gstatic.com/firebasejs/11.6.1/firebase-auth.js";
         import { getFirestore, collection, addDoc, onSnapshot, doc, updateDoc, deleteDoc, query, orderBy, setDoc } from "https://www.gstatic.com/firebasejs/11.6.1/firebase-firestore.js";
 
-        const firebaseConfig = {
-  apiKey: "AIzaSyAGPH6HKTi8yikT9rG_VhoivwWycM5LO6Y",
-  authDomain: "resignation-system.firebaseapp.com",
-  projectId: "resignation-system",
-  storageBucket: "resignation-system.firebasestorage.app",
-  messagingSenderId: "20779725950",
-  appId: "1:20779725950:web:12a2d3b753d5cf3bc0d42f",
-  measurementId: "G-EH2FBKQTKD"
-};
-        // 為了在沒有變數的情況下不報錯，這裡做一個防呆
-        // 實際部署時請務必填寫上方 config
-        
-        // 注意：GitHub Pages 部署時，以下這行必須修改
-        // const firebaseConfig = JSON.parse(__firebase_config); 
-        
-        // 在此環境下為了模擬，我們還是會嘗試讀取變數，但會加上 try-catch
-        let finalConfig = firebaseConfig;
+        // Firebase 配置：優先從環境變數 __firebase_config 讀取
+        // 部署時請透過 script 標籤注入：<script>window.__firebase_config = '{"apiKey":"...","projectId":"..."}';</script>
+        const defaultFirebaseConfig = {
+            apiKey: "YOUR_API_KEY",
+            authDomain: "YOUR_PROJECT_ID.firebaseapp.com",
+            projectId: "YOUR_PROJECT_ID",
+            storageBucket: "YOUR_PROJECT_ID.appspot.com",
+            messagingSenderId: "YOUR_MESSAGING_SENDER_ID",
+            appId: "YOUR_APP_ID"
+        };
+
+        let finalConfig = defaultFirebaseConfig;
         try {
-            if(typeof __firebase_config !== 'undefined') {
-                finalConfig = JSON.parse(__firebase_config);
+            if (typeof window.__firebase_config !== 'undefined' && window.__firebase_config) {
+                const injectedConfig = typeof window.__firebase_config === 'string'
+                    ? JSON.parse(window.__firebase_config)
+                    : window.__firebase_config;
+                finalConfig = { ...defaultFirebaseConfig, ...injectedConfig };
             }
         } catch(e) {
-            console.log("Using placeholder config");
+            console.warn("Firebase 配置解析失敗，使用預設值", e);
         }
 
         if (isPlaceholderFirebaseConfig(finalConfig)) {

tests/test_version.py

@@ -7,7 +7,16 @@ def test_get_version_returns_current_version():
     assert get_version() == APP_VERSION
 
 
-def test_validate_version_rejects_invalid_patch():
-    invalid_version = f"v1.0.{9 + 1}"
-    with pytest.raises(ValueError, match="PATCH 必須為 0-9"):
-        validate_version(invalid_version)
+def test_validate_version_rejects_invalid_format():
+    """測試無效的版本格式會被拒絕。"""
+    # 缺少 v 前綴
+    with pytest.raises(ValueError, match="缺少 v 前綴"):
+        validate_version("1.0.0")
+
+    # 格式錯誤
+    with pytest.raises(ValueError, match="需為 vMAJOR.MINOR.PATCH"):
+        validate_version("v1.0")
+
+    # 非數字
+    with pytest.raises(ValueError, match="需為 vMAJOR.MINOR.PATCH"):
+        validate_version("v1.0.beta")