fix(relay): self-heal API key decryption failures (startup migration + fault-tolerant skip)
Some checks failed
CI / Lint & TypeCheck (push) Has been cancelled
CI / Unit Tests (push) Has been cancelled
CI / Build Frontend (push) Has been cancelled
CI / Rust Check (push) Has been cancelled
CI / Security Scan (push) Has been cancelled
CI / E2E Tests (push) Has been cancelled
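Root cause: select_best_key returns a 500 immediately when decryption fails and does not try the next key. If the DB contains keys in an old encryption format, the whole relay request is blocked.

Fix:
- key_pool: on decryption failure, warn + skip to the next key instead of returning 500
- key_pool: add heal_provider_keys() self-healing migration at startup
  - Try to decrypt every encrypted key one by one
  - Decryption succeeds → re-encrypt with the current key (idempotent)
  - Decryption fails → mark is_active=false + warn
- main.rs: call the self-healing migration at startup (after the TOTP migration)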
@@ -99,6 +99,8 @@ async fn main() -> anyhow::Result<()> {
|
||||
if let Err(e) = zclaw_saas::crypto::migrate_legacy_totp_secrets(&db, &enc_key).await {
|
||||
tracing::warn!("TOTP legacy migration check failed: {}", e);
|
||||
}
|
||||
// Self-heal: re-encrypt provider keys with current key
|
||||
zclaw_saas::relay::key_pool::heal_provider_keys(&db, &enc_key).await;
|
||||
} else {
|
||||
drop(config_for_migration);
|
||||
}
|
||||
|
||||
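Review bot: the `heal_provider_keys(&db, &enc_key).await;` call added after the TOTP migration surfaces no outcome at the call site, unlike the `migrate_legacy_totp_secrets` call just above it, which logs its `Err` with `tracing::warn!`. Per the commit message, the function marks a key `is_active=false` whenever decryption fails, so a startup with the wrong `enc_key` would, by that description, deactivate provider keys with nothing visible in `main`. Consider returning a result or counts (re-encrypted, deactivated) and logging them here, and extend the inline comment to mention the deactivation side effect, since "re-encrypt provider keys with current key" describes only the success path.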