zclaw_openfang

iven/zclaw_openfang

Fork 0

Commit Graph

Author	SHA1	Message	Date
iven	e3b93ff96d	fix(security): implement all 15 security fixes from penetration test V1 Security audit (2026-03-31): 5 HIGH + 10 MEDIUM issues, all fixed. HIGH: - H1: JWT password_version mechanism (pwv in Claims, middleware verification, auto-increment on password change) - H2: Docker saas port bound to 127.0.0.1 - H3: TOTP encryption key decoupled from JWT secret (production bailout) - H4+H5: Tauri CSP hardened (removed unsafe-inline, restricted connect-src) MEDIUM: - M1: Persistent rate limiting (PostgreSQL rate_limit_events table) - M2: Account lockout (5 failures -> 15min lock) - M3: RFC 5322 email validation with regex - M4: Device registration typed struct with length limits - M5: Provider URL validation on create/update (SSRF prevention) - M6: Legacy TOTP secret migration (fixed nonce -> random nonce) - M7: Legacy frontend crypto migration (static salt -> random salt) - M8+M9: Admin frontend: removed JS token storage, HttpOnly cookie only - M10: Pipeline debug log sanitization (keys only, 100-char truncation) Also: fixed CLAUDE.md Section 12 (was corrupted), added title.rs middleware skeleton, fixed RegisterDeviceRequest visibility.	2026-04-01 08:38:37 +08:00
iven	c2aff09811	feat(security): Auth Token HttpOnly Cookie — XSS 安全加固后端: - axum-extra 启用 cookie feature - login/register/refresh 设置 HttpOnly + Secure + SameSite=Strict cookies - 新增 POST /api/v1/auth/logout 清除 cookies - auth_middleware 支持 cookie 提取路径（fallback from header） - CORS: 添加 allow_credentials(true) + COOKIE header 前端 (admin-v2): - authStore: token 仅存内存，不再写 localStorage（account 保留） - request.ts: 添加 withCredentials: true 发送 cookies - 修复 refresh token rotation bug（之前不更新 stored refreshToken） - logout 调用后端清除 cookie 端点向后兼容: API 客户端仍可用 Authorization: Bearer header Desktop (Ed25519 设备认证) 完全不受影响	2026-03-30 19:30:42 +08:00
iven	a7d33d0207	feat(admin): Admin V2 — Ant Design Pro 纯 SPA 重写 Some checks failed CI / Lint & TypeCheck (push) Has been cancelled Details CI / Unit Tests (push) Has been cancelled Details CI / Build Frontend (push) Has been cancelled Details CI / Rust Check (push) Has been cancelled Details CI / Security Scan (push) Has been cancelled Details CI / E2E Tests (push) Has been cancelled Details Next.js SSR/hydration 与 SWR fetch-on-mount 存在根本冲突： hydration 卸载组件时 abort 的请求仍占用后端 DB 连接， retry 循环耗尽 PostgreSQL 连接池导致后端完全卡死。 admin-v2 使用 Vite + React + antd 纯 SPA 彻底消除此问题： - 12 页面全部完成（Login, Dashboard, Accounts, Providers, Models, API Keys, Usage, Relay, Config, Prompts, Logs, Agent Templates） - ProTable + ProForm + ProLayout 统一 UI 模式 - TanStack Query + Axios + Zustand 数据层 - JWT 自动刷新 + 401 重试机制 - 全部 18 网络请求 200 OK，零 ERR_ABORTED 同时更新 troubleshooting 第 13 节和 SaaS 平台文档。	2026-03-30 09:35:59 +08:00

Author

SHA1

Message

Date

iven

e3b93ff96d

fix(security): implement all 15 security fixes from penetration test V1

Security audit (2026-03-31): 5 HIGH + 10 MEDIUM issues, all fixed.

HIGH:
- H1: JWT password_version mechanism (pwv in Claims, middleware verification,
  auto-increment on password change)
- H2: Docker saas port bound to 127.0.0.1
- H3: TOTP encryption key decoupled from JWT secret (production bailout)
- H4+H5: Tauri CSP hardened (removed unsafe-inline, restricted connect-src)

MEDIUM:
- M1: Persistent rate limiting (PostgreSQL rate_limit_events table)
- M2: Account lockout (5 failures -> 15min lock)
- M3: RFC 5322 email validation with regex
- M4: Device registration typed struct with length limits
- M5: Provider URL validation on create/update (SSRF prevention)
- M6: Legacy TOTP secret migration (fixed nonce -> random nonce)
- M7: Legacy frontend crypto migration (static salt -> random salt)
- M8+M9: Admin frontend: removed JS token storage, HttpOnly cookie only
- M10: Pipeline debug log sanitization (keys only, 100-char truncation)

Also: fixed CLAUDE.md Section 12 (was corrupted), added title.rs middleware
skeleton, fixed RegisterDeviceRequest visibility.

2026-04-01 08:38:37 +08:00

iven

c2aff09811

feat(security): Auth Token HttpOnly Cookie — XSS 安全加固

后端:
- axum-extra 启用 cookie feature
- login/register/refresh 设置 HttpOnly + Secure + SameSite=Strict cookies
- 新增 POST /api/v1/auth/logout 清除 cookies
- auth_middleware 支持 cookie 提取路径（fallback from header）
- CORS: 添加 allow_credentials(true) + COOKIE header

前端 (admin-v2):
- authStore: token 仅存内存，不再写 localStorage（account 保留）
- request.ts: 添加 withCredentials: true 发送 cookies
- 修复 refresh token rotation bug（之前不更新 stored refreshToken）
- logout 调用后端清除 cookie 端点

向后兼容: API 客户端仍可用 Authorization: Bearer header
Desktop (Ed25519 设备认证) 完全不受影响

2026-03-30 19:30:42 +08:00

iven

a7d33d0207

feat(admin): Admin V2 — Ant Design Pro 纯 SPA 重写

CI / Lint & TypeCheck (push) Has been cancelled

Details

CI / Unit Tests (push) Has been cancelled

Details

CI / Build Frontend (push) Has been cancelled

Details

CI / Rust Check (push) Has been cancelled

Details

CI / Security Scan (push) Has been cancelled

Details

CI / E2E Tests (push) Has been cancelled

Details

Next.js SSR/hydration 与 SWR fetch-on-mount 存在根本冲突：
hydration 卸载组件时 abort 的请求仍占用后端 DB 连接，
retry 循环耗尽 PostgreSQL 连接池导致后端完全卡死。

admin-v2 使用 Vite + React + antd 纯 SPA 彻底消除此问题：
- 12 页面全部完成（Login, Dashboard, Accounts, Providers, Models,
  API Keys, Usage, Relay, Config, Prompts, Logs, Agent Templates）
- ProTable + ProForm + ProLayout 统一 UI 模式
- TanStack Query + Axios + Zustand 数据层
- JWT 自动刷新 + 401 重试机制
- 全部 18 网络请求 200 OK，零 ERR_ABORTED

同时更新 troubleshooting 第 13 节和 SaaS 平台文档。

2026-03-30 09:35:59 +08:00

3 Commits