fix: address multiple code audit findings
- CORS: replace wildcard with explicit origin list from CORS_ORIGINS env
- Auth: enforce strong defaults, JWT blacklist (RevokedToken model), login rate limiting
- Auth: validate password length before bcrypt (72-byte limit)
- Scheduler: single-threaded worker to mitigate SQLite write contention
- Scheduler: graceful shutdown (wait=True)
- Snapshots: add prune_snapshots() with configurable retention count
- Storage: isolate localStorage keys via VITE_APP_KEY prefix
- Config: add cors_origins, login_rate_limit, snapshot_retention_count settings
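As an added example (not the project's code, and not the code this commit touches), here is what the hardening listed in the commit message looks like at the configuration boundary, in Python: an explicit CORS origin allow-list parsed from CORS_ORIGINS, startup refusal of the placeholder JWT_SECRET and ADMIN_PASSWORD values, and the 72-byte check applied before bcrypt. The function names, the placeholder sets and the 12-character password floor are assumptions, and the sample environments are constructed.

```python
# Added example (not the project's code): a settings loader that mirrors the
# hardening listed in the commit message.  Every name below, the placeholder
# sets and the 12-character password floor are illustrative assumptions.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Values that ship in the example env file; running with them means a
# publicly known secret, so startup refuses them (assumed policy).
PLACEHOLDER_SECRETS = {"", "change-me-in-production", "replace-with-openssl-rand-hex-32"}
PLACEHOLDER_PASSWORDS = {"", "changeme123", "replace-with-a-strong-password"}
MIN_JWT_SECRET_BYTES = 32       # `openssl rand -hex 32` yields 64 hex chars
BCRYPT_MAX_PASSWORD_BYTES = 72  # bcrypt ignores everything after byte 72


class ConfigError(ValueError):
    """Configuration that must not reach production."""


def parse_origins(raw: str) -> Tuple[str, ...]:
    """Comma-separated CORS_ORIGINS -> explicit allow-list of bare origins."""
    origins = []
    for item in raw.split(","):
        item = item.strip()
        if not item:
            continue
        if item == "*":
            raise ConfigError("wildcard CORS origin is not allowed")
        parts = urlsplit(item)
        # An origin is scheme://host[:port]; a path, query or fragment is a
        # configuration mistake, rejected here instead of matching too much.
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ConfigError(f"not an origin (need scheme://host[:port]): {item!r}")
        if parts.path not in ("", "/") or parts.query or parts.fragment:
            raise ConfigError(f"origin must not carry a path: {item!r}")
        origins.append(f"{parts.scheme}://{parts.netloc.lower()}")
    if not origins:
        raise ConfigError("CORS_ORIGINS must list at least one origin")
    return tuple(origins)


def origin_allowed(origin_header: Optional[str], allowed: Tuple[str, ...]) -> bool:
    """Exact match on scheme, host and port; prefix matching is the classic bypass."""
    if origin_header is None:
        return False
    return origin_header.strip().lower() in allowed


def check_jwt_secret(secret: str) -> str:
    """Refuse placeholder or short signing keys instead of warning about them."""
    if secret in PLACEHOLDER_SECRETS:
        raise ConfigError("JWT_SECRET is a placeholder; set it to `openssl rand -hex 32`")
    if len(secret.encode("utf-8")) < MIN_JWT_SECRET_BYTES:
        raise ConfigError(f"JWT_SECRET shorter than {MIN_JWT_SECRET_BYTES} bytes")
    return secret


def check_password_length(password: str) -> str:
    """Apply the 72-byte bcrypt limit before hashing, counting UTF-8 bytes:
    bcrypt truncates at 72 bytes, so a longer password would verify against
    its own prefix, and multibyte input reaches the limit in fewer characters."""
    if len(password.encode("utf-8")) > BCRYPT_MAX_PASSWORD_BYTES:
        raise ValueError(f"password longer than {BCRYPT_MAX_PASSWORD_BYTES} bytes")
    return password


@dataclass(frozen=True)
class Settings:
    admin_email: str
    admin_password: str
    jwt_secret: str
    cors_origins: Tuple[str, ...]


def load_settings(env: Dict[str, str]) -> Settings:
    """Validate a raw environment mapping (a dict, so the example runs offline)."""
    password = env.get("ADMIN_PASSWORD", "")
    if password in PLACEHOLDER_PASSWORDS or len(password) < 12:
        raise ConfigError("ADMIN_PASSWORD is a placeholder or shorter than 12 characters")
    return Settings(
        admin_email=env.get("ADMIN_EMAIL", ""),
        admin_password=check_password_length(password),
        jwt_secret=check_jwt_secret(env.get("JWT_SECRET", "")),
        cors_origins=parse_origins(env.get("CORS_ORIGINS", "")),
    )


# Constructed sample environments for the demonstration.
EXAMPLE_FILE_ENV = {  # the values as they appear in the example env file
    "ADMIN_EMAIL": "admin@smartup.local",
    "ADMIN_PASSWORD": "replace-with-a-strong-password",
    "JWT_SECRET": "replace-with-openssl-rand-hex-32",
    "CORS_ORIGINS": "http://localhost:8899,http://127.0.0.1:8899",
}
DEPLOYED_ENV = {
    "ADMIN_EMAIL": "admin@smartup.local",
    "ADMIN_PASSWORD": "correct horse battery staple 2024",
    "JWT_SECRET": "3f" * 32,  # stands in for real `openssl rand -hex 32` output
    "CORS_ORIGINS": "https://app.example.com, http://localhost:8899",
}
```

Exact matching is deliberate: a browser's `Origin` header is scheme, host and port with no path, so the allow-list is normalised to the same shape, and `http://localhost:8899.attacker.example` or a different port does not match `http://localhost:8899`. `load_settings(EXAMPLE_FILE_ENV)` raises `ConfigError`, so an unedited copy of the example file cannot come up with the known placeholder secret, while `load_settings(DEPLOYED_ENV)` succeeds.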
+5
-3
@@ -1,11 +1,13 @@
# ===== 必填 =====
# 管理员账号(首次启动自动创建)
ADMIN_EMAIL=admin@smartup.local
ADMIN_PASSWORD=changeme123
ADMIN_PASSWORD=replace-with-a-strong-password
# ===== 推荐配置 =====
# JWT 签名密钥(生产环境请替换): openssl rand -hex 32
JWT_SECRET=change-me-in-production
# JWT 签名密钥: openssl rand -hex 32
JWT_SECRET=replace-with-openssl-rand-hex-32
# 允许访问 API 的前端源,多个用逗号分隔
CORS_ORIGINS=http://localhost:8899,http://127.0.0.1:8899
# ===== 可选 =====
# 监听端口(默认 8899)
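Review bot: `JWT_SECRET=replace-with-openssl-rand-hex-32` is still a literal value, so a deployment that copies this file unedited runs with a publicly known signing secret exactly as it did with `change-me-in-production`, and the same holds for `ADMIN_PASSWORD=replace-with-a-strong-password`. Nothing in this hunk shows startup refusing these placeholders (the commit message's "enforce strong defaults" lives elsewhere), so consider leaving both values empty so the app fails loudly rather than silently accepting a guessable secret, and restore the "(生产环境请替换)" / "replace in production" wording that the new `# JWT 签名密钥: openssl rand -hex 32` comment drops. For `CORS_ORIGINS`, the comment "多个用逗号分隔" (comma-separated) should also say that each entry is a full origin (scheme, host and port, no trailing slash or path) that must match the browser's `Origin` header exactly, that the `http://localhost:8899,http://127.0.0.1:8899` default only covers local development, and whether whitespace after the comma is tolerated; otherwise a deployment served over `https://` on another host or port gets opaque CORS failures.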