fix: harden login for MLPS requirements

This commit is contained in:
2026-05-14 11:05:20 +08:00
parent ecf3ee1ef0
commit 879677516f
39 changed files with 1230 additions and 71 deletions
+15 -1
View File
@@ -94,8 +94,21 @@ func main() {
auditSvc := app.NewAuditService(auditsRepo, logger).WithIPRegionResolver(ipRegionResolver)
issuer := app.NewTokenIssuer(cfg.JWT.Secret, cfg.JWT.AccessTTL)
var passwordCipher *sharedauth.PasswordCipher
if cfg.Auth.PasswordCipher.Enabled {
if cfg.Auth.PasswordCipher.PrivateKeyPEM == "" {
passwordCipher, err = sharedauth.NewEphemeralPasswordCipher(cfg.Auth.PasswordCipher.KeyID)
} else {
passwordCipher, err = sharedauth.NewPasswordCipher(cfg.Auth.PasswordCipher.PrivateKeyPEM, cfg.Auth.PasswordCipher.KeyID)
}
if err != nil {
logger.Sugar().Fatalf("ops-api init password cipher: %v", err)
}
} else {
logger.Warn("ops auth password cipher disabled; login request payloads may expose plaintext passwords in browser developer tools")
}
loginGuard := sharedauth.NewLoginGuard(rdb, sharedauth.DefaultLoginGuardConfig("ops"))
authSvc := app.NewAuthService(accountsRepo, auditSvc, issuer, loginGuard)
authSvc := app.NewAuthService(accountsRepo, auditSvc, issuer, loginGuard).WithPasswordCipher(passwordCipher)
accountSvc := app.NewAccountService(accountsRepo, auditSvc)
tenantLoginGuard := sharedauth.NewLoginGuard(rdb, sharedauth.DefaultLoginGuardConfig("tenant"))
adminUserSvc := app.NewAdminUserService(adminUsersRepo, auditSvc, cfg.AdminUsers.DefaultPlanCode).
@@ -139,6 +152,7 @@ func main() {
transport.RegisterRoutes(transport.Deps{
Engine: engine,
Server: cfg.Server,
Logger: logger,
DB: pool,
MonitoringDB: monitoringPool,