fix: harden login for MLPS requirements

This commit is contained in:
2026-05-14 11:05:20 +08:00
parent ecf3ee1ef0
commit 879677516f
39 changed files with 1230 additions and 71 deletions
+30 -1
View File
@@ -43,6 +43,7 @@ type App struct {
JWT *auth.Manager
Sessions *auth.SessionStore
LoginGuard *auth.LoginGuard
PasswordCipher *auth.PasswordCipher
LLM llm.Client
ReloadableLLM *llm.ReloadableClient
RetrievalProvider retrieval.Provider
@@ -116,6 +117,17 @@ func New(configPath string) (*App, error) {
jwtMgr := auth.NewManager(cfg.JWT.Secret, cfg.JWT.AccessTTL, cfg.JWT.RefreshTTL)
sessions := auth.NewSessionStore(rdb)
passwordCipher, err := buildPasswordCipher(cfg.Auth.PasswordCipher)
if err != nil {
pool.Close()
monitoringPool.Close()
_ = rdb.Close()
_ = mqClient.Close()
return nil, fmt.Errorf("init password cipher: %w", err)
}
if passwordCipher == nil {
logger.Warn("auth password cipher disabled; login request payloads may expose plaintext passwords in browser developer tools")
}
loginGuardCfg := auth.DefaultLoginGuardConfig("tenant")
loginGuardCfg.Enabled = cfg.Auth.LoginGuard.Enabled
if !loginGuardCfg.Enabled {
@@ -173,8 +185,14 @@ func New(configPath string) (*App, error) {
middleware.Recovery(logger),
middleware.RequestID(),
middleware.Logger(logger),
middleware.CORS(),
)
if cfg.Server.SecurityHeaders.Enabled {
engine.Use(middleware.SecurityHeaders())
}
engine.Use(middleware.CORSWithConfig(middleware.CORSConfig{
AllowedOrigins: cfg.Server.AllowedOrigins,
AllowAll: len(cfg.Server.AllowedOrigins) == 0,
}))
engine.GET("/api/health/live", func(c *gin.Context) {
response.Success(c, gin.H{"status": "alive"})
@@ -210,6 +228,7 @@ func New(configPath string) (*App, error) {
JWT: jwtMgr,
Sessions: sessions,
LoginGuard: loginGuard,
PasswordCipher: passwordCipher,
LLM: llmClient,
ReloadableLLM: llmClient,
RetrievalProvider: retrievalProvider,
@@ -237,6 +256,16 @@ func New(configPath string) (*App, error) {
}, nil
}
func buildPasswordCipher(cfg config.PasswordCipherConfig) (*auth.PasswordCipher, error) {
if !cfg.Enabled {
return nil, nil
}
if cfg.PrivateKeyPEM == "" {
return auth.NewEphemeralPasswordCipher(cfg.KeyID)
}
return auth.NewPasswordCipher(cfg.PrivateKeyPEM, cfg.KeyID)
}
func (a *App) Config() *config.Config {
if a == nil || a.ConfigStore == nil {
return nil