iven/zclaw_openfang
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

feat: 新增管理后台前端项目及安全加固
Some checks failed
CI / Lint & TypeCheck (push) Has been cancelled
Details
CI / Unit Tests (push) Has been cancelled
Details
CI / Build Frontend (push) Has been cancelled
Details
CI / Rust Check (push) Has been cancelled
Details
CI / Security Scan (push) Has been cancelled
Details
CI / E2E Tests (push) Has been cancelled
Details

Browse Source 
refactor(saas): 重构认证中间件与限流策略
- 登录限流调整为5次/分钟/IP
- 注册限流调整为3次/小时/IP
- GET请求不计入限流

fix(saas): 修复调度器时间戳处理
- 使用NOW()替代文本时间戳
- 兼容TEXT和TIMESTAMPTZ列类型

feat(saas): 实现环境变量插值
- 支持${ENV_VAR}语法解析
- 数据库密码支持环境变量注入

chore: 新增前端管理界面
- 基于React+Ant Design Pro
- 包含路由守卫/错误边界
- 对接58个API端点

docs: 更新安全加固文档
- 新增密钥管理规范
- 记录P0安全项审计结果
- 补充TLS终止说明

test: 完善配置解析单元测试
- 新增环境变量插值测试用例
This commit is contained in:
iven
2026-03-31 00:11:33 +08:00
parent 6821df5f44
commit eb956d0dce
129 changed files with 11913 additions and 863 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
desktop/src/lib/kernel-client.ts
View File

@@ -957,29 +957,19 @@ export class KernelClient {
}
/**
* Execute a skill by ID with optional input parameters.
* Checks autonomy level before execution.
*/
async executeSkill(id: string, input?: Record<string, unknown>): Promise<{
success: boolean;
output?: unknown;
error?: string;
durationMs?: number;
}> {
// Autonomy check before executing skill
const { canAutoExecute, getAutonomyManager } = await import('./autonomy-manager');
const { canProceed, decision } = canAutoExecute('skill_install', 5);
if (!canProceed) {
return {
success: false,
error: `自主授权拒绝: ${decision.reason}`,
};
}
const autonomyLevel = getAutonomyManager().getConfig().level;
return invoke('skill_execute', {
id,
context: {},
input: input || {},
autonomyLevel,
});
}

9
desktop/src/lib/llm-service.ts
View File

@@ -494,11 +494,12 @@ class SaasLLMAdapter implements LLMServiceAdapter {
}
isAvailable(): boolean {
// Check synchronously via localStorage for availability check
// Dynamic import would be async, so we use a simpler check
// Check synchronously via localStorage for availability check.
// Auth is cookie-based — check connection mode + URL presence.
try {
const token = localStorage.getItem('zclaw-saas-token');
return !!token;
const mode = localStorage.getItem('zclaw-connection-mode');
const saasUrl = localStorage.getItem('zclaw-saas-url');
return mode === 'saas' && !!saasUrl;
} catch {
return false;
}

141
desktop/src/lib/saas-client.ts
View File

@@ -5,12 +5,20 @@
* Handles authentication, model listing, chat relay, and config management.
*
* API base path: /api/v1/...
* Auth: Bearer token in Authorization header
* Auth: HttpOnly cookie (primary) + Bearer token fallback
*
* Security: Tokens are NO LONGER persisted to localStorage.
* The backend sets HttpOnly cookies on login/register/refresh.
* On page reload, cookie-based auth is verified via GET /api/v1/auth/me.
*/
// === Storage Keys ===
// Token is stored in secure storage (OS keyring), NOT in plain localStorage.
// Auth state is carried by HttpOnly cookies when possible (same-origin).
// On page reload, token is restored from secure storage as Bearer fallback.
const SAASTOKEN_KEY = 'zclaw-saas-token';
const SAAS_TOKEN_SECURE_KEY = 'zclaw-saas-token'; // OS keyring key
const SAASTOKEN_KEY = 'zclaw-saas-token'; // legacy localStorage — only used for cleanup
const SAASURL_KEY = 'zclaw-saas-url';
const SAASACCOUNT_KEY = 'zclaw-saas-account';
const SAASMODE_KEY = 'zclaw-connection-mode';
@@ -439,25 +447,42 @@ export class SaaSApiError extends Error {
// === Session Persistence ===
export interface SaaSSession {
token: string;
token: string | null; // null when using cookie-based auth (page reload)
account: SaaSAccountInfo | null;
saasUrl: string;
}
/**
* Load a persisted SaaS session from localStorage.
* Returns null if no valid session exists.
* Load a persisted SaaS session.
* Token is stored in secure storage (OS keyring), not plain localStorage.
* Returns null if no URL is stored (never logged in).
*
* NOTE: Token loading is async due to secure storage access.
* For synchronous checks, use loadSaaSSessionSync() (URL + account only).
*/
export function loadSaaSSession(): SaaSSession | null {
export async function loadSaaSSession(): Promise<SaaSSession | null> {
try {
const token = localStorage.getItem(SAASTOKEN_KEY);
const saasUrl = localStorage.getItem(SAASURL_KEY);
const accountRaw = localStorage.getItem(SAASACCOUNT_KEY);
if (!token || !saasUrl) {
if (!saasUrl) {
return null;
}
// Clean up any legacy plaintext token from localStorage
const legacyToken = localStorage.getItem(SAASTOKEN_KEY);
if (legacyToken) {
localStorage.removeItem(SAASTOKEN_KEY);
}
// Load token from secure storage
let token: string | null = null;
try {
const { secureStorage } = await import('./secure-storage');
token = await secureStorage.get(SAAS_TOKEN_SECURE_KEY);
} catch {
// Secure storage unavailable — token stays null (cookie auth will be attempted)
}
const accountRaw = localStorage.getItem(SAASACCOUNT_KEY);
const account: SaaSAccountInfo | null = accountRaw
? (JSON.parse(accountRaw) as SaaSAccountInfo)
: null;
@@ -471,10 +496,46 @@ export function loadSaaSSession(): SaaSSession | null {
}
/**
* Persist a SaaS session to localStorage.
* Synchronous version — returns URL + account only (no token).
* Used during store initialization where async is not available.
*/
export function saveSaaSSession(session: SaaSSession): void {
localStorage.setItem(SAASTOKEN_KEY, session.token);
export function loadSaaSSessionSync(): { saasUrl: string; account: SaaSAccountInfo | null } | null {
try {
const saasUrl = localStorage.getItem(SAASURL_KEY);
if (!saasUrl) return null;
// Clean up legacy plaintext token
const legacyToken = localStorage.getItem(SAASTOKEN_KEY);
if (legacyToken) {
localStorage.removeItem(SAASTOKEN_KEY);
}
const accountRaw = localStorage.getItem(SAASACCOUNT_KEY);
const account: SaaSAccountInfo | null = accountRaw
? (JSON.parse(accountRaw) as SaaSAccountInfo)
: null;
return { saasUrl, account };
} catch {
return null;
}
}
/**
* Persist SaaS session.
* Token goes to secure storage (OS keyring), metadata to localStorage.
*/
export async function saveSaaSSession(session: SaaSSession): Promise<void> {
// Store token in secure storage (OS keyring), not plain localStorage
if (session.token) {
try {
const { secureStorage } = await import('./secure-storage');
await secureStorage.set(SAAS_TOKEN_SECURE_KEY, session.token);
} catch {
// Secure storage unavailable — token only in memory
}
}
localStorage.setItem(SAASURL_KEY, session.saasUrl);
if (session.account) {
localStorage.setItem(SAASACCOUNT_KEY, JSON.stringify(session.account));
@@ -482,9 +543,15 @@ export function saveSaaSSession(session: SaaSSession): void {
}
/**
* Clear the persisted SaaS session from localStorage.
* Clear the persisted SaaS session from all storage.
*/
export function clearSaaSSession(): void {
export async function clearSaaSSession(): Promise<void> {
// Remove from secure storage
try {
const { secureStorage } = await import('./secure-storage');
await secureStorage.set(SAAS_TOKEN_SECURE_KEY, '');
} catch { /* non-blocking */ }
localStorage.removeItem(SAASTOKEN_KEY);
localStorage.removeItem(SAASURL_KEY);
localStorage.removeItem(SAASACCOUNT_KEY);
@@ -525,14 +592,33 @@ export class SaaSClient {
return this.baseUrl;
}
/** Set or clear the auth token */
/** Set or clear the auth token (in-memory only, never persisted) */
setToken(token: string | null): void {
this.token = token;
}
/** Check if the client has an auth token */
/** Check if the client is authenticated (token in memory or cookie-based) */
isAuthenticated(): boolean {
return !!this.token;
return !!this.token || this._cookieAuth;
}
/** Track cookie-based auth state (page reload) */
private _cookieAuth: boolean = false;
/**
* Attempt to restore auth state from HttpOnly cookie.
* Called on page reload when no token is in memory.
* Returns account info if cookie is valid, null otherwise.
*/
async restoreFromCookie(): Promise<SaaSAccountInfo | null> {
try {
const account = await this.me();
this._cookieAuth = true;
return account;
} catch {
this._cookieAuth = false;
return null;
}
}
/** Check if a path is an auth endpoint (avoid infinite refresh loop) */
@@ -569,6 +655,7 @@ export class SaaSClient {
const headers: Record<string, string> = {
'Content-Type': 'application/json',
};
// Bearer token as fallback — primary auth is HttpOnly cookie
if (this.token) {
headers['Authorization'] = `Bearer ${this.token}`;
}
@@ -577,6 +664,7 @@ export class SaaSClient {
const response = await fetch(`${this.baseUrl}${path}`, {
method,
headers,
credentials: 'include', // Send HttpOnly cookies
body: body !== undefined ? JSON.stringify(body) : undefined,
signal: AbortSignal.timeout(timeoutMs),
});
@@ -588,24 +676,12 @@ export class SaaSClient {
try {
const newToken = await this.refreshToken();
if (newToken) {
// Persist refreshed token to localStorage
try {
const raw = localStorage.getItem('zclaw-saas-session');
if (raw) {
const session = JSON.parse(raw);
session.token = newToken;
localStorage.setItem('zclaw-saas-session', JSON.stringify(session));
}
} catch { /* non-blocking */ }
return this.request<T>(method, path, body, timeoutMs, true);
}
} catch (refreshErr) {
// Token refresh failed — clear session and trigger logout
try {
const { clearSaaSSession } = require('./saas-client');
clearSaaSSession();
localStorage.removeItem('zclaw-connection-mode');
} catch { /* non-blocking */ }
clearSaaSSession().catch(() => {}); // async cleanup, fire-and-forget
localStorage.removeItem('zclaw-connection-mode');
throw new SaaSApiError(401, 'SESSION_EXPIRED', '会话已过期,请重新登录');
}
throw new SaaSApiError(401, 'UNAUTHORIZED', '认证已过期,请重新登录');
@@ -844,6 +920,7 @@ export class SaaSClient {
{
method: 'POST',
headers,
credentials: 'include', // Send HttpOnly cookies
body: JSON.stringify(body),
signal: effectiveSignal,
},