OmniAI/omniai-server
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: harden launch server runtime and public config

Browse Source
This commit is contained in:
stringadmin
2026-06-04 18:58:45 +08:00
parent 1a5992845a
commit df5ea8c65e
14 changed files with 926 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/routes/context.js
+71
View File
@@ -53,6 +53,10 @@ const SMS_PURPOSES = new Set(["register", "login"]);
const SMS_CODE_TTL_MINUTES = Math.max(1, Number(process.env.SMS_CODE_TTL_MINUTES) || 10);
const SMS_CODE_COOLDOWN_SECONDS = Math.max(10, Number(process.env.SMS_CODE_COOLDOWN_SECONDS) || 60);
const SMS_CODE_MAX_ATTEMPTS = Math.max(1, Number(process.env.SMS_CODE_MAX_ATTEMPTS) || 5);
const EMAIL_PURPOSES = new Set(["register", "login", "reset"]);
const EMAIL_CODE_TTL_MINUTES = Math.max(1, Number(process.env.EMAIL_CODE_TTL_MINUTES) || 10);
const EMAIL_CODE_COOLDOWN_SECONDS = Math.max(10, Number(process.env.EMAIL_CODE_COOLDOWN_SECONDS) || 60);
const EMAIL_CODE_MAX_ATTEMPTS = Math.max(1, Number(process.env.EMAIL_CODE_MAX_ATTEMPTS) || 5);
function validateUsername(username) {
if (!username) return "缺少用户名";
@@ -201,6 +205,66 @@ async function consumeSmsCode(phone, code, purpose) {
await pool.query("UPDATE sms_verification_codes SET consumed_at = NOW() WHERE id = $1", [row.id]);
return true;
}
function hashEmailCode(email, code) {
const secret = process.env.EMAIL_CODE_SECRET || process.env.JWT_SECRET || "omniai-dev-email-secret";
return crypto.createHash("sha256").update(email + ":" + code + ":" + secret).digest("hex");
}
async function sendEmailCode(email, code, purpose) {
const provider = String(process.env.EMAIL_PROVIDER || "mock").trim().toLowerCase();
if (provider === "smtp") {
const nodemailer = require("nodemailer");
const transporter = nodemailer.createTransport({
host: process.env.SMTP_HOST,
port: Number(process.env.SMTP_PORT) || 587,
secure: process.env.SMTP_SECURE === "1",
auth: {
user: process.env.SMTP_USER,
pass: process.env.SMTP_PASS,
},
});
const purposeText = purpose === "register" ? "注册" : purpose === "login" ? "登录" : "重置密码";
await transporter.sendMail({
from: process.env.SMTP_FROM || process.env.SMTP_USER,
to: email,
subject: "[OmniAI] \u90ae\u7bb1\u9a8c\u8bc1\u7801",
text: "\u60a8\u7684\u9a8c\u8bc1\u7801\u662f\uff1a" + code + "\n\u7528\u9014\uff1a" + purposeText + "\n\u6709\u6548\u671f\uff1a" + String(process.env.EMAIL_CODE_TTL_MINUTES || 10) + " \u5206\u949f\n\u5982\u679c\u4e0d\u662f\u60a8\u672c\u4eba\u64cd\u4f5c\uff0c\u8bf7\u5ffd\u7565\u6b64\u90ae\u4ef6\u3002",
html: "<div style=\"font-family:sans-serif;max-width:480px;margin:0 auto;padding:24px\"><h2 style=\"color:#333\">OmniAI \u90ae\u7bb1\u9a8c\u8bc1</h2><p style=\"font-size:16px;color:#555\">\u60a8\u7684\u9a8c\u8bc1\u7801\u662f\uff1a</p><p style=\"font-size:32px;font-weight:bold;letter-spacing:6px;color:#1677ff;margin:16px 0\">" + code + "</p><p style=\"color:#888\">\u7528\u9014\uff1a" + purposeText + "</p><p style=\"color:#888\">\u6709\u6548\u671f\uff1a" + String(process.env.EMAIL_CODE_TTL_MINUTES || 10) + " \u5206\u949f</p><hr style=\"border:none;border-top:1px solid #eee;margin:24px 0\"><p style=\"color:#aaa;font-size:13px\">\u5982\u679c\u4e0d\u662f\u60a8\u672c\u4eba\u64cd\u4f5c\uff0c\u8bf7\u5ffd\u7565\u6b64\u90ae\u4ef6\u3002</p></div>",
});
return { provider: "smtp" };
}
console.log("[email:" + purpose + "] " + email + " verification code: " + code + " (mock provider)");
return {
provider: "mock",
devCode: process.env.EMAIL_DEV_RETURN_CODE === "1" ? code : undefined,
};
}
async function consumeEmailCode(email, code, purpose) {
const { rows } = await pool.query(
"SELECT id, code_hash, attempts FROM email_verification_codes WHERE email = $1 AND purpose = $2 AND consumed_at IS NULL AND expires_at > NOW() ORDER BY created_at DESC LIMIT 1",
[email, purpose]
);
const row = rows[0];
if (!row) return false;
if (Number(row.attempts || 0) >= EMAIL_CODE_MAX_ATTEMPTS) {
return false;
}
const expectedHash = hashEmailCode(email, String(code || "").trim());
if (row.code_hash !== expectedHash) {
await pool.query("UPDATE email_verification_codes SET attempts = attempts + 1 WHERE id = $1", [row.id]);
return false;
}
await pool.query("UPDATE email_verification_codes SET consumed_at = NOW() WHERE id = $1", [row.id]);
return true;
}
function getWechatLoginConfig() {
const appId = process.env.WECHAT_LOGIN_APP_ID || process.env.WECHAT_APP_ID || "";
@@ -742,6 +806,10 @@ module.exports = {
PRICE_TYPES,
PHONE_PATTERN,
EMAIL_PATTERN,
EMAIL_PURPOSES,
EMAIL_CODE_TTL_MINUTES,
EMAIL_CODE_COOLDOWN_SECONDS,
EMAIL_CODE_MAX_ATTEMPTS,
SMS_PURPOSES,
SMS_CODE_TTL_MINUTES,
SMS_CODE_COOLDOWN_SECONDS,
@@ -755,6 +823,9 @@ module.exports = {
hashSmsCode,
generateSmsCode,
sendSmsCode,
hashEmailCode,
sendEmailCode,
consumeEmailCode,
createLoginResultForUserId,
sanitizeUsernameSeed,
generateUniqueUsername,