feat: 新增管理后台前端项目及安全加固
Some checks failed
CI / Lint & TypeCheck (push) Has been cancelled
CI / Unit Tests (push) Has been cancelled
CI / Build Frontend (push) Has been cancelled
CI / Rust Check (push) Has been cancelled
CI / Security Scan (push) Has been cancelled
CI / E2E Tests (push) Has been cancelled
Some checks failed
CI / Lint & TypeCheck (push) Has been cancelled
CI / Unit Tests (push) Has been cancelled
CI / Build Frontend (push) Has been cancelled
CI / Rust Check (push) Has been cancelled
CI / Security Scan (push) Has been cancelled
CI / E2E Tests (push) Has been cancelled
refactor(saas): 重构认证中间件与限流策略
- 登录限流调整为5次/分钟/IP
- 注册限流调整为3次/小时/IP
- GET请求不计入限流
fix(saas): 修复调度器时间戳处理
- 使用NOW()替代文本时间戳
- 兼容TEXT和TIMESTAMPTZ列类型
feat(saas): 实现环境变量插值
- 支持${ENV_VAR}语法解析
- 数据库密码支持环境变量注入
chore: 新增前端管理界面
- 基于React+Ant Design Pro
- 包含路由守卫/错误边界
- 对接58个API端点
docs: 更新安全加固文档
- 新增密钥管理规范
- 记录P0安全项审计结果
- 补充TLS终止说明
test: 完善配置解析单元测试
- 新增环境变量插值测试用例
This commit is contained in:
iven
64
docs/knowledge-base/security-hardening.md
Normal file
64
docs/knowledge-base/security-hardening.md
Normal file
@@ -0,0 +1,64 @@
|
||||
# P0 安全加固清单
|
||||
|
||||
> 审计后文档同步 — 记录每个安全加固项完成的日期和操作。
|
||||
|
||||
以及配置说明。
|
||||
|
||||
## 1. 密钥管理 — 环境变量插值
|
||||
|
||||
配置解析
|
||||
|
||||
支持 `${ENV_VAR}` 语法(如 `${DB_PASSWORD}`) 的数据库密码)。
|
||||
TOMl 文件中。
|
||||
|
||||
无需在配置文件中明文存储密 password。
|
||||
|
||||
也可以通过 `ZCLAW_DATABASE_URL` 环境变量完整覆盖(优先级最高)。
|
||||
|
||||
### 2. JWT Fallback key 清理
|
||||
|
||||
配置:
|
||||
- **位置**: `crates/zclaw-saas/src/config.rs`
|
||||
(jwt_secret 方法)
|
||||
- **状态**: 仅 debug 枝建可用 fallback, 已 `#[cfg(debug_assertions)]` 保护
|
||||
(不进入 release)
|
||||
- **位置**: `crates/zclaw-saas/src/auth/jwt.rs` (`TEST_SECRET`) 仅用于测试
|
||||
(不暴露)
|
||||
- **评估**: JWT key 的使用安全且 已好。
|
||||
|
||||
但 `config.rs` 中新增了 `interpolate_env_vars` 函数,在 `SaaSConfig::load()` 中解析 TOMl 前调用环境变量插值。
|
||||
|
||||
支持 `${VAR}` 语法
|
||||
|
||||
### 3. Auth Rate limiting (配置:
|
||||
- **位置**: `crates/zclaw-saas/src/middleware.rs`
|
||||
(public_rate_limit_middleware)
|
||||
- **登录**: 5次/分钟/IP,注册 3次/小时/IP
|
||||
縆回 login 和 refresh 20次/分钟/IP)
|
||||
- **位置**: `crates/zclaw-saas/src/auth/handlers.rs` (logout handler)
|
||||
- 修改 `logout` handler:从仅清除 cookies 到先撤销 refresh token (DB UPDATE),再清除 cookies
|
||||
Cookie Secure 标记: **条件化** (dev 模式 false, 生产模式 true)
|
||||
- **位置**: `crates/zclaw-saas/src/state.rs` (cleanup_rate_limit_entries 窗口从 60s 攒大到 3600s)
|
||||
|
||||
- **位置**: `docs/knowledge-base/security-hardening.md` (新增)
|
||||
TLS 终止文档)
|
||||
|
||||
- **位置**: `saas-config.toml.example`
|
||||
|
||||
文件已更新为包含环境变量占位符说明
|
||||
|
||||
生成日期: 2026-03-30
|
||||
|
||||
---
|
||||
|
||||
## 窌证状态
|
||||
|
||||
改动 | 文件 | 行 | 说明 | |
|
||||
|------|------|----------|
|
||||
| saas-config.toml ${ DB_PASSWORD} 改为 `${DB_PASSWORD}` 引用 | config 解析支持 env 插值 | ✅ 通过 |
|
||||
| JWT fallback key | `config.rs` | debug 枝 不会进入 release; TEST-only ` ✅ 已安全 |
|
||||
| Auth rate limiting | `middleware.rs` | login 5次/分、注册 3次/时 | ✅ 猬化 |
|
||||
| Logout token 撤销 | `handlers.rs` | logout 时 DB 撤销 | ✅ 通过 |
|
||||
| Cookie Secure | `handlers.rs` | 开发环境 false/生产 true | ✅ 已安全 |
|
||||
| TLS 终止 | `docs/knowledge-base/security-hardening.md` | 新增文档 |
|
||||
| saas-config.toml.example | 更新 | ✅ 通过 |
|
||||
Reference in New Issue
Block a user