mirror of
https://github.com/NoFxAiOS/nofx.git
synced 2026-07-06 20:41:14 +08:00
Dev Crypto (#730)
* feat: remove admin mode * feat: bugfix * feat(crypto): 添加RSA-OAEP + AES-GCM混合加密服务 - 实现CryptoService加密服务,支持RSA-OAEP-2048 + AES-256-GCM混合加密 - 集成数据库层加密,自动加密存储敏感字段(API密钥、私钥等) - 支持环境变量DATA_ENCRYPTION_KEY配置数据加密密钥 - 适配SQLite数据库加密存储(从PostgreSQL移植) - 保持Hyperliquid代理钱包处理兼容性 - 更新.gitignore以正确处理crypto模块代码 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: tinkle-community <tinklefund@gmail.com> * feat(scripts): 添加加密环境一键设置脚本 - setup_encryption.sh: 一键生成RSA密钥对+数据加密密钥+JWT密钥 - generate_rsa_keys.sh: 专业的RSA-2048密钥对生成工具 - generate_data_key.sh: 生成AES-256数据加密密钥和JWT认证密钥 - ENCRYPTION_README.md: 详细的加密系统说明文档 - 支持自动检测现有密钥并只生成缺失的密钥 - 完善的权限管理和安全验证 - 兼容macOS和Linux的跨平台支持 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: tinkle-community <tinklefund@gmail.com> * feat(api): 添加加密API端点和Gin框架集成 - 新增CryptoHandler处理加密相关API请求 - 提供/api/crypto/public-key端点获取RSA公钥 - 提供/api/crypto/decrypt端点解密敏感数据 - 适配Gin框架的HTTP处理器格式 - 集成CryptoService到API服务器 - 支持前端加密数据传输和解密 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: tinkle-community <tinklefund@gmail.com> * feat(web): 添加前端加密服务和两阶段密钥输入组件 - CryptoService: Web Crypto API集成,支持RSA-OAEP加密 - TwoStageKeyModal: 安全的两阶段私钥输入组件,支持剪贴板混淆 - 完善国际化翻译支持加密相关UI文本 - 修复TypeScript类型错误和编译问题 - 支持前端敏感数据加密传输到后端 - 增强用户隐私保护和数据安全 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: tinkle-community <tinklefund@gmail.com> * feat(auth): 增强JWT认证安全性 - 优先使用环境变量JWT_SECRET而不是数据库配置 - 支持通过.env文件安全配置JWT认证密钥 - 保留数据库配置作为回退机制 - 改进JWT密钥来源日志显示 - 增强系统启动时的安全配置检查 - 支持运行时动态JWT密钥切换 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: tinkle-community <tinklefund@gmail.com> * feat(docker): 集成加密环境变量到Docker部署 - 添加DATA_ENCRYPTION_KEY环境变量传递到容器 - 添加JWT_SECRET环境变量支持 - 挂载secrets目录使容器可访问RSA密钥文件 - 确保容器内加密服务正常工作 - 解决容器启动失败和加密初始化问题 - 完善Docker Compose加密环境配置 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: tinkle-community <tinklefund@gmail.com> * feat(start): 集成自动加密环境检测和设置 - 增强check_encryption()函数检测JWT_SECRET和DATA_ENCRYPTION_KEY - 自动运行setup_encryption.sh当检测到缺失密钥时 - 改进加密状态显示,包含RSA+AES+JWT全套加密信息 - 优化用户体验,提供清晰的加密配置反馈 - 支持一键设置完整加密环境 - 确保容器启动前加密环境就绪 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: tinkle-community <tinklefund@gmail.com> * feat: format fix * fix(security): 修复前端模型和交易所配置敏感数据明文传输 - 在handleSaveModelConfig中对API密钥进行RSA-OAEP加密 - 在handleSaveExchangeConfig中对API密钥、Secret密钥和Aster私钥进行加密 - 只有非空敏感数据才进行加密处理 - 添加加密失败错误处理和用户友好提示 - 增加encryptionFailed翻译键的中英文支持 - 使用用户ID和会话ID作为加密上下文增强安全性 这修复了之前敏感数据在网络传输中以明文形式发送的安全漏洞。 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: tinkle-community <tinklefund@gmail.com> * fix(crypto): 修复后端加密服务集成和缺失的加密端点 - 添加Server结构体缺少的cryptoService字段 - 实现handleUpdateModelConfigsEncrypted处理器用于模型配置加密传输 - 修复handleUpdateExchangeConfigsEncrypted中的函数调用 - 在前端API中添加updateModelConfigsEncrypted方法 - 统一RSA密钥路径从secrets/rsa_key改为keys/rsa_private.key - 确保前端可以使用加密端点安全传输敏感数据 - 兼容原有加密通信模式和二段输入私钥功能 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: tinkle-community <tinklefund@gmail.com> --------- Co-authored-by: icy <icyoung520@gmail.com> Co-authored-by: tinkle-community <tinklefund@gmail.com>
This commit is contained in:
@@ -251,7 +251,7 @@ function App() {
|
||||
onLanguageChange={setLanguage}
|
||||
user={user}
|
||||
onLogout={logout}
|
||||
onPageChange={(page) => {
|
||||
onPageChange={(page) => {
|
||||
console.log('Competition page onPageChange called with:', page)
|
||||
console.log('Current route:', route, 'Current page:', currentPage)
|
||||
|
||||
@@ -314,7 +314,7 @@ function App() {
|
||||
onLanguageChange={setLanguage}
|
||||
user={user}
|
||||
onLogout={logout}
|
||||
onPageChange={(page) => {
|
||||
onPageChange={(page) => {
|
||||
console.log('Main app onPageChange called with:', page)
|
||||
|
||||
if (page === 'competition') {
|
||||
|
||||
@@ -13,6 +13,10 @@ import { useAuth } from '../contexts/AuthContext'
|
||||
import { getExchangeIcon } from './ExchangeIcons'
|
||||
import { getModelIcon } from './ModelIcons'
|
||||
import { TraderConfigModal } from './TraderConfigModal'
|
||||
import {
|
||||
TwoStageKeyModal,
|
||||
type TwoStageKeyModalResult,
|
||||
} from './TwoStageKeyModal'
|
||||
import {
|
||||
Bot,
|
||||
Brain,
|
||||
@@ -147,10 +151,7 @@ export function AITradersPage({ onTraderSelect }: AITradersPageProps) {
|
||||
}
|
||||
// Hyperliquid 需要检查钱包地址(后端会返回这个字段)
|
||||
if (e.id === 'hyperliquid') {
|
||||
return (
|
||||
e.hyperliquidWalletAddr &&
|
||||
e.hyperliquidWalletAddr.trim() !== ''
|
||||
)
|
||||
return e.hyperliquidWalletAddr && e.hyperliquidWalletAddr.trim() !== ''
|
||||
}
|
||||
// 其他交易所:如果已启用,说明已配置(后端返回的已配置交易所会有 enabled: true)
|
||||
return e.enabled
|
||||
@@ -175,10 +176,7 @@ export function AITradersPage({ onTraderSelect }: AITradersPageProps) {
|
||||
|
||||
// Hyperliquid 需要钱包地址(后端会返回这个字段)
|
||||
if (e.id === 'hyperliquid') {
|
||||
return (
|
||||
e.hyperliquidWalletAddr &&
|
||||
e.hyperliquidWalletAddr.trim() !== ''
|
||||
)
|
||||
return e.hyperliquidWalletAddr && e.hyperliquidWalletAddr.trim() !== ''
|
||||
}
|
||||
|
||||
// 其他交易所:如果已启用,说明已配置完整(后端只返回已配置的交易所)
|
||||
@@ -622,7 +620,7 @@ export function AITradersPage({ onTraderSelect }: AITradersPageProps) {
|
||||
),
|
||||
}
|
||||
|
||||
await api.updateExchangeConfigs(request)
|
||||
await api.updateExchangeConfigsEncrypted(request)
|
||||
|
||||
// 重新获取用户配置以确保数据同步
|
||||
const refreshedExchanges = await api.getExchangeConfigs()
|
||||
@@ -1699,6 +1697,11 @@ function ExchangeConfigModal({
|
||||
// Hyperliquid 特定字段
|
||||
const [hyperliquidWalletAddr, setHyperliquidWalletAddr] = useState('')
|
||||
|
||||
// 安全输入状态
|
||||
const [secureInputTarget, setSecureInputTarget] = useState<
|
||||
null | 'hyperliquid' | 'aster'
|
||||
>(null)
|
||||
|
||||
// 获取当前编辑的交易所信息
|
||||
const selectedExchange = allExchanges?.find(
|
||||
(e) => e.id === selectedExchangeId
|
||||
@@ -1747,6 +1750,44 @@ function ExchangeConfigModal({
|
||||
})
|
||||
}
|
||||
|
||||
// 安全输入处理函数
|
||||
const secureInputContextLabel =
|
||||
secureInputTarget === 'aster'
|
||||
? t('asterExchangeName', language)
|
||||
: secureInputTarget === 'hyperliquid'
|
||||
? t('hyperliquidExchangeName', language)
|
||||
: undefined
|
||||
|
||||
const handleSecureInputCancel = () => {
|
||||
setSecureInputTarget(null)
|
||||
}
|
||||
|
||||
const handleSecureInputComplete = ({
|
||||
value,
|
||||
obfuscationLog,
|
||||
}: TwoStageKeyModalResult) => {
|
||||
const trimmed = value.trim()
|
||||
if (secureInputTarget === 'hyperliquid') {
|
||||
setApiKey(trimmed)
|
||||
}
|
||||
if (secureInputTarget === 'aster') {
|
||||
setAsterPrivateKey(trimmed)
|
||||
}
|
||||
console.log('Secure input obfuscation log:', obfuscationLog)
|
||||
setSecureInputTarget(null)
|
||||
}
|
||||
|
||||
// 掩盖敏感数据显示
|
||||
const maskSecret = (secret: string) => {
|
||||
if (!secret || secret.length === 0) return ''
|
||||
if (secret.length <= 8) return '*'.repeat(secret.length)
|
||||
return (
|
||||
secret.slice(0, 4) +
|
||||
'*'.repeat(Math.max(secret.length - 8, 4)) +
|
||||
secret.slice(-4)
|
||||
)
|
||||
}
|
||||
|
||||
const handleSubmit = async (e: React.FormEvent) => {
|
||||
e.preventDefault()
|
||||
if (!selectedExchangeId) return
|
||||
@@ -2160,19 +2201,58 @@ function ExchangeConfigModal({
|
||||
>
|
||||
{t('hyperliquidAgentPrivateKey', language)}
|
||||
</label>
|
||||
<input
|
||||
type="password"
|
||||
value={apiKey}
|
||||
onChange={(e) => setApiKey(e.target.value)}
|
||||
placeholder={t('enterHyperliquidAgentPrivateKey', language)}
|
||||
className="w-full px-3 py-2 rounded"
|
||||
style={{
|
||||
background: '#0B0E11',
|
||||
border: '1px solid #2B3139',
|
||||
color: '#EAECEF',
|
||||
}}
|
||||
required
|
||||
/>
|
||||
<div className="flex flex-col gap-2">
|
||||
<div className="flex gap-2">
|
||||
<input
|
||||
type="text"
|
||||
value={maskSecret(apiKey)}
|
||||
readOnly
|
||||
placeholder={t(
|
||||
'enterHyperliquidAgentPrivateKey',
|
||||
language
|
||||
)}
|
||||
className="w-full px-3 py-2 rounded"
|
||||
style={{
|
||||
background: '#0B0E11',
|
||||
border: '1px solid #2B3139',
|
||||
color: '#EAECEF',
|
||||
}}
|
||||
/>
|
||||
<button
|
||||
type="button"
|
||||
onClick={() => setSecureInputTarget('hyperliquid')}
|
||||
className="px-3 py-2 rounded text-xs font-semibold transition-all hover:scale-105"
|
||||
style={{
|
||||
background: '#F0B90B',
|
||||
color: '#000',
|
||||
whiteSpace: 'nowrap',
|
||||
}}
|
||||
>
|
||||
{apiKey
|
||||
? t('secureInputReenter', language)
|
||||
: t('secureInputButton', language)}
|
||||
</button>
|
||||
{apiKey && (
|
||||
<button
|
||||
type="button"
|
||||
onClick={() => setApiKey('')}
|
||||
className="px-3 py-2 rounded text-xs font-semibold transition-all hover:scale-105"
|
||||
style={{
|
||||
background: '#1B1F2B',
|
||||
color: '#848E9C',
|
||||
whiteSpace: 'nowrap',
|
||||
}}
|
||||
>
|
||||
{t('secureInputClear', language)}
|
||||
</button>
|
||||
)}
|
||||
</div>
|
||||
{apiKey && (
|
||||
<div className="text-xs" style={{ color: '#848E9C' }}>
|
||||
{t('secureInputHint', language)}
|
||||
</div>
|
||||
)}
|
||||
</div>
|
||||
<div className="text-xs mt-1" style={{ color: '#848E9C' }}>
|
||||
{t('hyperliquidAgentPrivateKeyDesc', language)}
|
||||
</div>
|
||||
@@ -2190,7 +2270,10 @@ function ExchangeConfigModal({
|
||||
type="text"
|
||||
value={hyperliquidWalletAddr}
|
||||
onChange={(e) => setHyperliquidWalletAddr(e.target.value)}
|
||||
placeholder={t('enterHyperliquidMainWalletAddress', language)}
|
||||
placeholder={t(
|
||||
'enterHyperliquidMainWalletAddress',
|
||||
language
|
||||
)}
|
||||
className="w-full px-3 py-2 rounded"
|
||||
style={{
|
||||
background: '#0B0E11',
|
||||
@@ -2278,19 +2361,55 @@ function ExchangeConfigModal({
|
||||
/>
|
||||
</Tooltip>
|
||||
</label>
|
||||
<input
|
||||
type="password"
|
||||
value={asterPrivateKey}
|
||||
onChange={(e) => setAsterPrivateKey(e.target.value)}
|
||||
placeholder={t('enterPrivateKey', language)}
|
||||
className="w-full px-3 py-2 rounded"
|
||||
style={{
|
||||
background: '#0B0E11',
|
||||
border: '1px solid #2B3139',
|
||||
color: '#EAECEF',
|
||||
}}
|
||||
required
|
||||
/>
|
||||
<div className="flex flex-col gap-2">
|
||||
<div className="flex gap-2">
|
||||
<input
|
||||
type="text"
|
||||
value={maskSecret(asterPrivateKey)}
|
||||
readOnly
|
||||
placeholder={t('enterPrivateKey', language)}
|
||||
className="w-full px-3 py-2 rounded"
|
||||
style={{
|
||||
background: '#0B0E11',
|
||||
border: '1px solid #2B3139',
|
||||
color: '#EAECEF',
|
||||
}}
|
||||
/>
|
||||
<button
|
||||
type="button"
|
||||
onClick={() => setSecureInputTarget('aster')}
|
||||
className="px-3 py-2 rounded text-xs font-semibold transition-all hover:scale-105"
|
||||
style={{
|
||||
background: '#F0B90B',
|
||||
color: '#000',
|
||||
whiteSpace: 'nowrap',
|
||||
}}
|
||||
>
|
||||
{asterPrivateKey
|
||||
? t('secureInputReenter', language)
|
||||
: t('secureInputButton', language)}
|
||||
</button>
|
||||
{asterPrivateKey && (
|
||||
<button
|
||||
type="button"
|
||||
onClick={() => setAsterPrivateKey('')}
|
||||
className="px-3 py-2 rounded text-xs font-semibold transition-all hover:scale-105"
|
||||
style={{
|
||||
background: '#1B1F2B',
|
||||
color: '#848E9C',
|
||||
whiteSpace: 'nowrap',
|
||||
}}
|
||||
>
|
||||
{t('secureInputClear', language)}
|
||||
</button>
|
||||
)}
|
||||
</div>
|
||||
{asterPrivateKey && (
|
||||
<div className="text-xs" style={{ color: '#848E9C' }}>
|
||||
{t('secureInputHint', language)}
|
||||
</div>
|
||||
)}
|
||||
</div>
|
||||
</div>
|
||||
</>
|
||||
)}
|
||||
@@ -2419,6 +2538,16 @@ function ExchangeConfigModal({
|
||||
</div>
|
||||
</div>
|
||||
)}
|
||||
|
||||
{/* Two Stage Key Modal */}
|
||||
<TwoStageKeyModal
|
||||
isOpen={secureInputTarget !== null}
|
||||
language={language}
|
||||
contextLabel={secureInputContextLabel}
|
||||
expectedLength={64}
|
||||
onCancel={handleSecureInputCancel}
|
||||
onComplete={handleSecureInputComplete}
|
||||
/>
|
||||
</div>
|
||||
)
|
||||
}
|
||||
|
||||
@@ -17,7 +17,6 @@ export function LoginPage() {
|
||||
const [adminPassword, setAdminPassword] = useState('')
|
||||
const adminMode = false
|
||||
|
||||
|
||||
const handleAdminLogin = async (e: React.FormEvent) => {
|
||||
e.preventDefault()
|
||||
setError('')
|
||||
|
||||
324
web/src/components/TwoStageKeyModal.tsx
Normal file
324
web/src/components/TwoStageKeyModal.tsx
Normal file
@@ -0,0 +1,324 @@
|
||||
import { useEffect, useMemo, useRef, useState } from 'react'
|
||||
import { createPortal } from 'react-dom'
|
||||
import { t, type Language } from '../i18n/translations'
|
||||
|
||||
const DEFAULT_LENGTH = 64
|
||||
|
||||
function generateObfuscation(): string {
|
||||
const bytes = new Uint8Array(32)
|
||||
crypto.getRandomValues(bytes)
|
||||
return Array.from(bytes, (byte) => byte.toString(16).padStart(2, '0')).join(
|
||||
''
|
||||
)
|
||||
}
|
||||
|
||||
function validatePrivateKeyFormat(
|
||||
value: string,
|
||||
expectedLength: number
|
||||
): boolean {
|
||||
const normalized = value.startsWith('0x') ? value.slice(2) : value
|
||||
if (normalized.length !== expectedLength) {
|
||||
return false
|
||||
}
|
||||
return /^[0-9a-fA-F]+$/.test(normalized)
|
||||
}
|
||||
|
||||
export interface TwoStageKeyModalResult {
|
||||
value: string
|
||||
obfuscationLog: string[]
|
||||
}
|
||||
|
||||
interface TwoStageKeyModalProps {
|
||||
isOpen: boolean
|
||||
language: Language
|
||||
onCancel: () => void
|
||||
onComplete: (result: TwoStageKeyModalResult) => void
|
||||
expectedLength?: number
|
||||
contextLabel?: string
|
||||
}
|
||||
|
||||
export function TwoStageKeyModal({
|
||||
isOpen,
|
||||
language,
|
||||
onCancel,
|
||||
onComplete,
|
||||
expectedLength = DEFAULT_LENGTH,
|
||||
contextLabel,
|
||||
}: TwoStageKeyModalProps) {
|
||||
const [stage, setStage] = useState<1 | 2>(1)
|
||||
const [part1, setPart1] = useState('')
|
||||
const [part2, setPart2] = useState('')
|
||||
const [error, setError] = useState<string | null>(null)
|
||||
const [clipboardStatus, setClipboardStatus] = useState<
|
||||
'idle' | 'copied' | 'failed'
|
||||
>('idle')
|
||||
const [obfuscationLog, setObfuscationLog] = useState<string[]>([])
|
||||
const [processing, setProcessing] = useState(false)
|
||||
const [manualObfuscationValue, setManualObfuscationValue] = useState<
|
||||
string | null
|
||||
>(null)
|
||||
|
||||
const stage1Ref = useRef<HTMLInputElement>(null)
|
||||
const stage2Ref = useRef<HTMLInputElement>(null)
|
||||
|
||||
const expectedPart1Length = Math.ceil(expectedLength / 2)
|
||||
const expectedPart2Length = expectedLength - expectedPart1Length
|
||||
|
||||
useEffect(() => {
|
||||
if (isOpen && stage === 1 && stage1Ref.current) {
|
||||
stage1Ref.current.focus()
|
||||
} else if (isOpen && stage === 2 && stage2Ref.current) {
|
||||
stage2Ref.current.focus()
|
||||
}
|
||||
}, [isOpen, stage])
|
||||
|
||||
const handleStage1Next = async () => {
|
||||
if (part1.length < expectedPart1Length) {
|
||||
setError(
|
||||
t('errors.privatekeyIncomplete', language, {
|
||||
expected: expectedPart1Length,
|
||||
})
|
||||
)
|
||||
return
|
||||
}
|
||||
|
||||
setError(null)
|
||||
setProcessing(true)
|
||||
|
||||
try {
|
||||
// 生成混淆字符串
|
||||
const obfuscation = generateObfuscation()
|
||||
setManualObfuscationValue(obfuscation)
|
||||
|
||||
// 尝试复制到剪贴板
|
||||
if (navigator.clipboard) {
|
||||
try {
|
||||
await navigator.clipboard.writeText(obfuscation)
|
||||
setClipboardStatus('copied')
|
||||
setObfuscationLog([
|
||||
...obfuscationLog,
|
||||
`Stage 1: ${new Date().toISOString()} - Auto copied obfuscation`,
|
||||
])
|
||||
} catch {
|
||||
setClipboardStatus('failed')
|
||||
setObfuscationLog([
|
||||
...obfuscationLog,
|
||||
`Stage 1: ${new Date().toISOString()} - Auto copy failed, manual required`,
|
||||
])
|
||||
}
|
||||
} else {
|
||||
setClipboardStatus('failed')
|
||||
setObfuscationLog([
|
||||
...obfuscationLog,
|
||||
`Stage 1: ${new Date().toISOString()} - Clipboard API not available`,
|
||||
])
|
||||
}
|
||||
|
||||
setTimeout(() => {
|
||||
setStage(2)
|
||||
setProcessing(false)
|
||||
}, 2000)
|
||||
} catch (err) {
|
||||
setError(t('errors.privatekeyObfuscationFailed', language))
|
||||
setProcessing(false)
|
||||
}
|
||||
}
|
||||
|
||||
const handleStage2Complete = () => {
|
||||
if (part2.length < expectedPart2Length) {
|
||||
setError(
|
||||
t('errors.privatekeyIncomplete', language, {
|
||||
expected: expectedPart2Length,
|
||||
})
|
||||
)
|
||||
return
|
||||
}
|
||||
|
||||
const fullKey = part1 + part2
|
||||
if (!validatePrivateKeyFormat(fullKey, expectedLength)) {
|
||||
setError(t('errors.privatekeyInvalidFormat', language))
|
||||
return
|
||||
}
|
||||
|
||||
const finalLog = [
|
||||
...obfuscationLog,
|
||||
`Stage 2: ${new Date().toISOString()} - Completed`,
|
||||
]
|
||||
onComplete({
|
||||
value: fullKey,
|
||||
obfuscationLog: finalLog,
|
||||
})
|
||||
}
|
||||
|
||||
const handleReset = () => {
|
||||
setStage(1)
|
||||
setPart1('')
|
||||
setPart2('')
|
||||
setError(null)
|
||||
setClipboardStatus('idle')
|
||||
setObfuscationLog([])
|
||||
setProcessing(false)
|
||||
setManualObfuscationValue(null)
|
||||
}
|
||||
|
||||
const modalContent = useMemo(() => {
|
||||
if (!isOpen) return null
|
||||
|
||||
return (
|
||||
<div className="fixed inset-0 z-50 flex items-center justify-center bg-black/80">
|
||||
<div className="bg-gray-900 p-8 rounded-xl max-w-lg w-full mx-4 border border-gray-700">
|
||||
<div className="text-center mb-6">
|
||||
<h2 className="text-xl font-bold text-white mb-2">
|
||||
🔐 {t('twoStageKey.title', language)}
|
||||
{contextLabel && (
|
||||
<span className="text-gray-300 text-base font-normal ml-2">
|
||||
({contextLabel})
|
||||
</span>
|
||||
)}
|
||||
</h2>
|
||||
<p className="text-gray-300 text-sm">
|
||||
{stage === 1
|
||||
? t('twoStageKey.stage1Description', language, {
|
||||
length: expectedPart1Length,
|
||||
})
|
||||
: t('twoStageKey.stage2Description', language, {
|
||||
length: expectedPart2Length,
|
||||
})}
|
||||
</p>
|
||||
</div>
|
||||
|
||||
{/* Stage 1 */}
|
||||
{stage === 1 && (
|
||||
<div className="space-y-4">
|
||||
<div>
|
||||
<label className="block text-gray-300 text-sm mb-2">
|
||||
{t('twoStageKey.stage1InputLabel', language)} (
|
||||
{expectedPart1Length} {t('twoStageKey.characters', language)})
|
||||
</label>
|
||||
<input
|
||||
ref={stage1Ref}
|
||||
type="password"
|
||||
value={part1}
|
||||
onChange={(e) => setPart1(e.target.value)}
|
||||
placeholder="0x1234..."
|
||||
className="w-full bg-gray-800 border border-gray-600 rounded-lg px-4 py-3 text-white font-mono text-sm focus:border-blue-500 focus:outline-none"
|
||||
maxLength={expectedPart1Length + 2} // +2 for optional 0x prefix
|
||||
disabled={processing}
|
||||
/>
|
||||
</div>
|
||||
|
||||
{error && <div className="text-red-400 text-sm">{error}</div>}
|
||||
|
||||
<div className="flex gap-3">
|
||||
<button
|
||||
onClick={handleStage1Next}
|
||||
disabled={part1.length < expectedPart1Length || processing}
|
||||
className="flex-1 bg-blue-600 hover:bg-blue-700 disabled:bg-gray-600 text-white font-medium py-3 px-4 rounded-lg transition-colors"
|
||||
>
|
||||
{processing
|
||||
? t('twoStageKey.processing', language)
|
||||
: t('twoStageKey.nextButton', language)}
|
||||
</button>
|
||||
<button
|
||||
onClick={onCancel}
|
||||
disabled={processing}
|
||||
className="px-6 py-3 text-gray-300 hover:text-white border border-gray-600 rounded-lg transition-colors"
|
||||
>
|
||||
{t('twoStageKey.cancelButton', language)}
|
||||
</button>
|
||||
</div>
|
||||
</div>
|
||||
)}
|
||||
|
||||
{/* Transition Message */}
|
||||
{stage === 2 && clipboardStatus !== 'idle' && (
|
||||
<div className="mb-4 p-4 rounded-lg bg-blue-900/50 border border-blue-600">
|
||||
{clipboardStatus === 'copied' && (
|
||||
<div className="text-blue-300">
|
||||
<div className="font-medium">
|
||||
{t('twoStageKey.obfuscationCopied', language)}
|
||||
</div>
|
||||
<div className="text-sm mt-1">
|
||||
{t('twoStageKey.obfuscationInstruction', language)}
|
||||
</div>
|
||||
</div>
|
||||
)}
|
||||
{clipboardStatus === 'failed' && manualObfuscationValue && (
|
||||
<div className="text-yellow-300">
|
||||
<div className="font-medium">
|
||||
{t('twoStageKey.obfuscationManual', language)}
|
||||
</div>
|
||||
<div className="text-xs mt-2 p-2 bg-gray-800 rounded font-mono break-all border">
|
||||
{manualObfuscationValue}
|
||||
</div>
|
||||
<div className="text-sm mt-1">
|
||||
{t('twoStageKey.obfuscationInstruction', language)}
|
||||
</div>
|
||||
</div>
|
||||
)}
|
||||
</div>
|
||||
)}
|
||||
|
||||
{/* Stage 2 */}
|
||||
{stage === 2 && (
|
||||
<div className="space-y-4">
|
||||
<div>
|
||||
<label className="block text-gray-300 text-sm mb-2">
|
||||
{t('twoStageKey.stage2InputLabel', language)} (
|
||||
{expectedPart2Length} {t('twoStageKey.characters', language)})
|
||||
</label>
|
||||
<input
|
||||
ref={stage2Ref}
|
||||
type="password"
|
||||
value={part2}
|
||||
onChange={(e) => setPart2(e.target.value)}
|
||||
placeholder="...5678"
|
||||
className="w-full bg-gray-800 border border-gray-600 rounded-lg px-4 py-3 text-white font-mono text-sm focus:border-blue-500 focus:outline-none"
|
||||
maxLength={expectedPart2Length + 2}
|
||||
/>
|
||||
</div>
|
||||
|
||||
{error && <div className="text-red-400 text-sm">{error}</div>}
|
||||
|
||||
<div className="flex gap-3">
|
||||
<button
|
||||
onClick={handleStage2Complete}
|
||||
disabled={part2.length < expectedPart2Length}
|
||||
className="flex-1 bg-green-600 hover:bg-green-700 disabled:bg-gray-600 text-white font-medium py-3 px-4 rounded-lg transition-colors"
|
||||
>
|
||||
🔒 {t('twoStageKey.encryptButton', language)}
|
||||
</button>
|
||||
<button
|
||||
onClick={handleReset}
|
||||
className="px-6 py-3 text-gray-300 hover:text-white border border-gray-600 rounded-lg transition-colors"
|
||||
>
|
||||
{t('twoStageKey.backButton', language)}
|
||||
</button>
|
||||
</div>
|
||||
</div>
|
||||
)}
|
||||
</div>
|
||||
</div>
|
||||
)
|
||||
}, [
|
||||
isOpen,
|
||||
stage,
|
||||
part1,
|
||||
part2,
|
||||
error,
|
||||
processing,
|
||||
clipboardStatus,
|
||||
manualObfuscationValue,
|
||||
language,
|
||||
expectedPart1Length,
|
||||
expectedPart2Length,
|
||||
contextLabel,
|
||||
obfuscationLog,
|
||||
onCancel,
|
||||
onComplete,
|
||||
])
|
||||
|
||||
if (!isOpen) return null
|
||||
|
||||
return createPortal(modalContent, document.body)
|
||||
}
|
||||
@@ -474,18 +474,16 @@ export default function HeaderBar({
|
||||
>
|
||||
{t('signIn', language)}
|
||||
</a>
|
||||
{true && (
|
||||
<a
|
||||
href="/register"
|
||||
className="px-4 py-2 rounded font-semibold text-sm transition-colors hover:opacity-90"
|
||||
style={{
|
||||
background: 'var(--brand-yellow)',
|
||||
color: 'var(--brand-black)',
|
||||
}}
|
||||
>
|
||||
{t('signUp', language)}
|
||||
</a>
|
||||
)}
|
||||
<a
|
||||
href="/register"
|
||||
className="px-4 py-2 rounded font-semibold text-sm transition-colors hover:opacity-90"
|
||||
style={{
|
||||
background: 'var(--brand-yellow)',
|
||||
color: 'var(--brand-black)',
|
||||
}}
|
||||
>
|
||||
{t('signUp', language)}
|
||||
</a>
|
||||
</div>
|
||||
)
|
||||
)}
|
||||
@@ -914,19 +912,17 @@ export default function HeaderBar({
|
||||
>
|
||||
{t('signIn', language)}
|
||||
</a>
|
||||
{true && (
|
||||
<a
|
||||
href="/register"
|
||||
className="block w-full px-4 py-2 rounded font-semibold text-sm text-center transition-colors"
|
||||
style={{
|
||||
background: 'var(--brand-yellow)',
|
||||
color: 'var(--brand-black)',
|
||||
}}
|
||||
onClick={() => setMobileMenuOpen(false)}
|
||||
>
|
||||
{t('signUp', language)}
|
||||
</a>
|
||||
)}
|
||||
<a
|
||||
href="/register"
|
||||
className="block w-full px-4 py-2 rounded font-semibold text-sm text-center transition-colors"
|
||||
style={{
|
||||
background: 'var(--brand-yellow)',
|
||||
color: 'var(--brand-black)',
|
||||
}}
|
||||
onClick={() => setMobileMenuOpen(false)}
|
||||
>
|
||||
{t('signUp', language)}
|
||||
</a>
|
||||
</div>
|
||||
)}
|
||||
</div>
|
||||
|
||||
@@ -206,6 +206,44 @@ export const translations = {
|
||||
'API wallet private key - Get from https://www.asterdex.com/en/api-wallet (only used locally for signing, never transmitted)',
|
||||
asterUsdtWarning:
|
||||
'Important: Aster only tracks USDT balance. Please ensure you use USDT as margin currency to avoid P&L calculation errors caused by price fluctuations of other assets (BNB, ETH, etc.)',
|
||||
|
||||
// Exchange names
|
||||
hyperliquidExchangeName: 'Hyperliquid',
|
||||
asterExchangeName: 'Aster DEX',
|
||||
|
||||
// Secure input
|
||||
secureInputButton: 'Secure Input',
|
||||
secureInputReenter: 'Re-enter Securely',
|
||||
secureInputClear: 'Clear',
|
||||
secureInputHint:
|
||||
'Captured via secure two-step input. Use "Re-enter Securely" to update this value.',
|
||||
|
||||
// Two Stage Key Modal
|
||||
twoStageModalTitle: 'Secure Key Input',
|
||||
twoStageModalDescription:
|
||||
'Use a two-step flow to enter your {length}-character private key safely.',
|
||||
twoStageStage1Title: 'Step 1 · Enter the first half',
|
||||
twoStageStage1Placeholder: 'First 32 characters (include 0x if present)',
|
||||
twoStageStage1Hint:
|
||||
'Continuing copies an obfuscation string to your clipboard as a diversion.',
|
||||
twoStageStage1Error: 'Please enter the first part before continuing.',
|
||||
twoStageNext: 'Next',
|
||||
twoStageProcessing: 'Processing…',
|
||||
twoStageCancel: 'Cancel',
|
||||
twoStageStage2Title: 'Step 2 · Enter the rest',
|
||||
twoStageStage2Placeholder: 'Remaining characters of your private key',
|
||||
twoStageStage2Hint:
|
||||
'Paste the obfuscation string somewhere neutral, then finish entering your key.',
|
||||
twoStageClipboardSuccess:
|
||||
'Obfuscation string copied. Paste it into any text field once before completing.',
|
||||
twoStageClipboardReminder:
|
||||
'Remember to paste the obfuscation string before submitting to avoid clipboard leaks.',
|
||||
twoStageClipboardManual:
|
||||
'Automatic copy failed. Copy the obfuscation string below manually.',
|
||||
twoStageBack: 'Back',
|
||||
twoStageSubmit: 'Confirm',
|
||||
twoStageInvalidFormat:
|
||||
'Invalid private key format. Expected {length} hexadecimal characters (optional 0x prefix).',
|
||||
testnetDescription:
|
||||
'Enable to connect to exchange test environment for simulated trading',
|
||||
securityWarning: 'Security Warning',
|
||||
@@ -321,6 +359,7 @@ export const translations = {
|
||||
exchangeNotExist: 'Exchange does not exist',
|
||||
deleteExchangeConfigFailed: 'Failed to delete exchange configuration',
|
||||
saveSignalSourceFailed: 'Failed to save signal source configuration',
|
||||
encryptionFailed: 'Failed to encrypt sensitive data',
|
||||
|
||||
// Login & Register
|
||||
login: 'Sign In',
|
||||
@@ -684,6 +723,35 @@ export const translations = {
|
||||
faqGetHelp: 'Where can I get help?',
|
||||
faqGetHelpAnswer:
|
||||
'Check GitHub Discussions, join our Telegram Community, or open an issue on GitHub.',
|
||||
|
||||
// Two-Stage Key Modal
|
||||
twoStageKey: {
|
||||
title: 'Two-Stage Private Key Input',
|
||||
stage1Description:
|
||||
'Enter the first {length} characters of your private key',
|
||||
stage2Description:
|
||||
'Enter the remaining {length} characters of your private key',
|
||||
stage1InputLabel: 'First Part',
|
||||
stage2InputLabel: 'Second Part',
|
||||
characters: 'characters',
|
||||
processing: 'Processing...',
|
||||
nextButton: 'Next',
|
||||
cancelButton: 'Cancel',
|
||||
backButton: 'Back',
|
||||
encryptButton: 'Encrypt & Submit',
|
||||
obfuscationCopied: 'Obfuscation data copied to clipboard',
|
||||
obfuscationInstruction:
|
||||
'Paste something else to clear clipboard, then continue',
|
||||
obfuscationManual: 'Manual obfuscation required',
|
||||
},
|
||||
|
||||
// Error Messages
|
||||
errors: {
|
||||
privatekeyIncomplete: 'Please enter at least {expected} characters',
|
||||
privatekeyInvalidFormat:
|
||||
'Invalid private key format (should be 64 hex characters)',
|
||||
privatekeyObfuscationFailed: 'Clipboard obfuscation failed',
|
||||
},
|
||||
},
|
||||
zh: {
|
||||
// Header
|
||||
@@ -887,6 +955,41 @@ export const translations = {
|
||||
'API 钱包私钥 - 从 https://www.asterdex.com/zh-CN/api-wallet 获取(仅在本地用于签名,不会被传输)',
|
||||
asterUsdtWarning:
|
||||
'重要提示:Aster 仅统计 USDT 余额。请确保您使用 USDT 作为保证金币种,避免其他资产(BNB、ETH等)的价格波动导致盈亏统计错误',
|
||||
|
||||
// Exchange names
|
||||
hyperliquidExchangeName: 'Hyperliquid',
|
||||
asterExchangeName: 'Aster DEX',
|
||||
|
||||
// Secure input
|
||||
secureInputButton: '安全输入',
|
||||
secureInputReenter: '重新安全输入',
|
||||
secureInputClear: '清除',
|
||||
secureInputHint:
|
||||
'已通过安全双阶段输入设置。若需修改,请点击"重新安全输入"。',
|
||||
|
||||
// Two Stage Key Modal
|
||||
twoStageModalTitle: '安全私钥输入',
|
||||
twoStageModalDescription: '使用双阶段流程安全输入长度为 {length} 的私钥。',
|
||||
twoStageStage1Title: '步骤一 · 输入前半段',
|
||||
twoStageStage1Placeholder: '前 32 位字符(若有 0x 前缀请保留)',
|
||||
twoStageStage1Hint:
|
||||
'继续后会将扰动字符串复制到剪贴板,用于迷惑剪贴板监控。',
|
||||
twoStageStage1Error: '请先输入第一段私钥。',
|
||||
twoStageNext: '下一步',
|
||||
twoStageProcessing: '处理中…',
|
||||
twoStageCancel: '取消',
|
||||
twoStageStage2Title: '步骤二 · 输入剩余部分',
|
||||
twoStageStage2Placeholder: '剩余的私钥字符',
|
||||
twoStageStage2Hint: '将扰动字符串粘贴到任意位置后,再完成私钥输入。',
|
||||
twoStageClipboardSuccess:
|
||||
'扰动字符串已复制。请在完成前在任意文本处粘贴一次以迷惑剪贴板记录。',
|
||||
twoStageClipboardReminder:
|
||||
'记得在提交前粘贴一次扰动字符串,降低剪贴板泄漏风险。',
|
||||
twoStageClipboardManual: '自动复制失败,请手动复制下面的扰动字符串。',
|
||||
twoStageBack: '返回',
|
||||
twoStageSubmit: '确认',
|
||||
twoStageInvalidFormat:
|
||||
'私钥格式不正确,应为 {length} 位十六进制字符(可选 0x 前缀)。',
|
||||
testnetDescription: '启用后将连接到交易所测试环境,用于模拟交易',
|
||||
securityWarning: '安全提示',
|
||||
saveConfiguration: '保存配置',
|
||||
@@ -981,6 +1084,7 @@ export const translations = {
|
||||
exchangeNotExist: '交易所不存在',
|
||||
deleteExchangeConfigFailed: '删除交易所配置失败',
|
||||
saveSignalSourceFailed: '保存信号源配置失败',
|
||||
encryptionFailed: '加密敏感数据失败',
|
||||
|
||||
// Login & Register
|
||||
login: '登录',
|
||||
@@ -1325,6 +1429,31 @@ export const translations = {
|
||||
faqGetHelp: '在哪里可以获得帮助?',
|
||||
faqGetHelpAnswer:
|
||||
'查看 GitHub Discussions、加入 Telegram 社区或在 GitHub 上提出 issue。',
|
||||
|
||||
// Two-Stage Key Modal
|
||||
twoStageKey: {
|
||||
title: '两阶段私钥输入',
|
||||
stage1Description: '请输入私钥的前 {length} 位字符',
|
||||
stage2Description: '请输入私钥的后 {length} 位字符',
|
||||
stage1InputLabel: '第一部分',
|
||||
stage2InputLabel: '第二部分',
|
||||
characters: '位字符',
|
||||
processing: '处理中...',
|
||||
nextButton: '下一步',
|
||||
cancelButton: '取消',
|
||||
backButton: '返回',
|
||||
encryptButton: '加密并提交',
|
||||
obfuscationCopied: '混淆数据已复制到剪贴板',
|
||||
obfuscationInstruction: '请粘贴其他内容清空剪贴板,然后继续',
|
||||
obfuscationManual: '需要手动混淆',
|
||||
},
|
||||
|
||||
// Error Messages
|
||||
errors: {
|
||||
privatekeyIncomplete: '请输入至少 {expected} 位字符',
|
||||
privatekeyInvalidFormat: '私钥格式无效(应为64位十六进制字符)',
|
||||
privatekeyObfuscationFailed: '剪贴板混淆失败',
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
@@ -1333,7 +1462,15 @@ export function t(
|
||||
lang: Language,
|
||||
params?: Record<string, string | number>
|
||||
): string {
|
||||
let text = translations[lang][key as keyof (typeof translations)['en']] || key
|
||||
// Handle nested keys like 'twoStageKey.title'
|
||||
const keys = key.split('.')
|
||||
let value: any = translations[lang]
|
||||
|
||||
for (const k of keys) {
|
||||
value = value?.[k]
|
||||
}
|
||||
|
||||
let text = typeof value === 'string' ? value : key
|
||||
|
||||
// Replace parameters like {count}, {gap}, etc.
|
||||
if (params) {
|
||||
|
||||
@@ -12,6 +12,7 @@ import type {
|
||||
UpdateExchangeConfigRequest,
|
||||
CompetitionData,
|
||||
} from '../types'
|
||||
import { CryptoService } from './crypto'
|
||||
|
||||
const API_BASE = '/api'
|
||||
|
||||
@@ -138,6 +139,36 @@ export const api = {
|
||||
if (!res.ok) throw new Error('更新模型配置失败')
|
||||
},
|
||||
|
||||
// 使用加密传输更新模型配置
|
||||
async updateModelConfigsEncrypted(
|
||||
request: UpdateModelConfigRequest
|
||||
): Promise<void> {
|
||||
// 获取RSA公钥
|
||||
const publicKey = await CryptoService.fetchPublicKey()
|
||||
|
||||
// 初始化加密服务
|
||||
await CryptoService.initialize(publicKey)
|
||||
|
||||
// 获取用户信息(从localStorage或其他地方)
|
||||
const userId = localStorage.getItem('user_id') || ''
|
||||
const sessionId = sessionStorage.getItem('session_id') || ''
|
||||
|
||||
// 加密敏感数据
|
||||
const encryptedPayload = await CryptoService.encryptSensitiveData(
|
||||
JSON.stringify(request),
|
||||
userId,
|
||||
sessionId
|
||||
)
|
||||
|
||||
// 发送加密数据
|
||||
const res = await fetch(`${API_BASE}/models/encrypted`, {
|
||||
method: 'PUT',
|
||||
headers: getAuthHeaders(),
|
||||
body: JSON.stringify(encryptedPayload),
|
||||
})
|
||||
if (!res.ok) throw new Error('更新模型配置失败')
|
||||
},
|
||||
|
||||
// 交易所配置接口
|
||||
async getExchangeConfigs(): Promise<Exchange[]> {
|
||||
const res = await fetch(`${API_BASE}/exchanges`, {
|
||||
@@ -165,6 +196,36 @@ export const api = {
|
||||
if (!res.ok) throw new Error('更新交易所配置失败')
|
||||
},
|
||||
|
||||
// 使用加密传输更新交易所配置
|
||||
async updateExchangeConfigsEncrypted(
|
||||
request: UpdateExchangeConfigRequest
|
||||
): Promise<void> {
|
||||
// 获取RSA公钥
|
||||
const publicKey = await CryptoService.fetchPublicKey()
|
||||
|
||||
// 初始化加密服务
|
||||
await CryptoService.initialize(publicKey)
|
||||
|
||||
// 获取用户信息(从localStorage或其他地方)
|
||||
const userId = localStorage.getItem('user_id') || ''
|
||||
const sessionId = sessionStorage.getItem('session_id') || ''
|
||||
|
||||
// 加密敏感数据
|
||||
const encryptedPayload = await CryptoService.encryptSensitiveData(
|
||||
JSON.stringify(request),
|
||||
userId,
|
||||
sessionId
|
||||
)
|
||||
|
||||
// 发送加密数据
|
||||
const res = await fetch(`${API_BASE}/exchanges/encrypted`, {
|
||||
method: 'PUT',
|
||||
headers: getAuthHeaders(),
|
||||
body: JSON.stringify(encryptedPayload),
|
||||
})
|
||||
if (!res.ok) throw new Error('更新交易所配置失败')
|
||||
},
|
||||
|
||||
// 获取系统状态(支持trader_id)
|
||||
async getStatus(traderId?: string): Promise<SystemStatus> {
|
||||
const url = traderId
|
||||
|
||||
@@ -1,326 +1,188 @@
|
||||
/**
|
||||
* 端到端加密模組
|
||||
* 使用混合加密: RSA-OAEP (密鑰交換) + AES-256-GCM (數據加密)
|
||||
*/
|
||||
|
||||
// ==================== 核心加密函數 ====================
|
||||
|
||||
/**
|
||||
* 生成隨機混淆字串 (用於剪貼簿混淆)
|
||||
*/
|
||||
export function generateObfuscation(): string {
|
||||
const array = new Uint8Array(32)
|
||||
crypto.getRandomValues(array)
|
||||
return Array.from(array, (byte) => byte.toString(16).padStart(2, '0')).join(
|
||||
''
|
||||
)
|
||||
export interface EncryptedPayload {
|
||||
wrappedKey: string // RSA-OAEP(K)
|
||||
iv: string // 12 bytes
|
||||
ciphertext: string // AES-GCM 输出(含 tag)
|
||||
aad?: string // 可选:额外认证数据
|
||||
kid?: string // 可选:服务端公钥标识
|
||||
ts?: number // 可选:unix 秒,用于重放保护
|
||||
}
|
||||
|
||||
/**
|
||||
* 使用伺服器公鑰加密私鑰
|
||||
* @param plaintext 明文私鑰
|
||||
* @param serverPublicKeyPEM 伺服器 RSA 公鑰 (PEM 格式)
|
||||
* @returns Base64 編碼的加密數據
|
||||
*/
|
||||
export async function encryptWithServerPublicKey(
|
||||
plaintext: string,
|
||||
serverPublicKeyPEM: string
|
||||
): Promise<string> {
|
||||
try {
|
||||
// 1. 導入伺服器公鑰
|
||||
const publicKey = await importRSAPublicKey(serverPublicKeyPEM)
|
||||
export class CryptoService {
|
||||
private static publicKey: CryptoKey | null = null
|
||||
private static publicKeyPEM: string | null = null
|
||||
|
||||
// 2. 生成隨機 AES 密鑰 (256-bit)
|
||||
static async initialize(publicKeyPEM: string) {
|
||||
if (this.publicKey && this.publicKeyPEM === publicKeyPEM) {
|
||||
return
|
||||
}
|
||||
this.publicKeyPEM = publicKeyPEM
|
||||
this.publicKey = await this.importPublicKey(publicKeyPEM)
|
||||
}
|
||||
|
||||
private static async importPublicKey(pem: string): Promise<CryptoKey> {
|
||||
const pemHeader = '-----BEGIN PUBLIC KEY-----'
|
||||
const pemFooter = '-----END PUBLIC KEY-----'
|
||||
const headerIndex = pem.indexOf(pemHeader)
|
||||
const footerIndex = pem.indexOf(pemFooter)
|
||||
|
||||
if (
|
||||
headerIndex === -1 ||
|
||||
footerIndex === -1 ||
|
||||
headerIndex >= footerIndex
|
||||
) {
|
||||
throw new Error('Invalid PEM formatted public key')
|
||||
}
|
||||
|
||||
const pemContents = pem
|
||||
.substring(headerIndex + pemHeader.length, footerIndex)
|
||||
.replace(/\s+/g, '') // 移除所有空白字符(包括换行符、空格等)
|
||||
|
||||
const binaryDerString = atob(pemContents)
|
||||
const binaryDer = new Uint8Array(binaryDerString.length)
|
||||
for (let i = 0; i < binaryDerString.length; i++) {
|
||||
binaryDer[i] = binaryDerString.charCodeAt(i)
|
||||
}
|
||||
|
||||
return crypto.subtle.importKey(
|
||||
'spki',
|
||||
binaryDer,
|
||||
{
|
||||
name: 'RSA-OAEP',
|
||||
hash: 'SHA-256',
|
||||
},
|
||||
false,
|
||||
['encrypt']
|
||||
)
|
||||
}
|
||||
|
||||
static async encryptSensitiveData(
|
||||
plaintext: string,
|
||||
userId?: string,
|
||||
sessionId?: string
|
||||
): Promise<EncryptedPayload> {
|
||||
if (!this.publicKey) {
|
||||
throw new Error(
|
||||
'Crypto service not initialized. Call initialize() first.'
|
||||
)
|
||||
}
|
||||
|
||||
// 1. 生成 256-bit AES 密钥
|
||||
const aesKey = await crypto.subtle.generateKey(
|
||||
{ name: 'AES-GCM', length: 256 },
|
||||
{
|
||||
name: 'AES-GCM',
|
||||
length: 256,
|
||||
},
|
||||
true,
|
||||
['encrypt']
|
||||
)
|
||||
|
||||
// 3. 使用 AES-GCM 加密數據
|
||||
const iv = crypto.getRandomValues(new Uint8Array(12)) // 96-bit nonce
|
||||
const encodedText = new TextEncoder().encode(plaintext)
|
||||
const encryptedData = await crypto.subtle.encrypt(
|
||||
{ name: 'AES-GCM', iv },
|
||||
// 2. 生成 12 字节随机 IV
|
||||
const iv = crypto.getRandomValues(new Uint8Array(12))
|
||||
|
||||
// 3. 准备 AAD (额外认证数据)
|
||||
const ts = Math.floor(Date.now() / 1000)
|
||||
const aadObject = {
|
||||
userId: userId || '',
|
||||
sessionId: sessionId || '',
|
||||
ts: ts,
|
||||
purpose: 'sensitive_data_encryption',
|
||||
}
|
||||
const aadString = JSON.stringify(aadObject)
|
||||
const aadBytes = new TextEncoder().encode(aadString)
|
||||
|
||||
// 4. 使用 AES-GCM 加密数据
|
||||
const plaintextBytes = new TextEncoder().encode(plaintext)
|
||||
const ciphertext = await crypto.subtle.encrypt(
|
||||
{
|
||||
name: 'AES-GCM',
|
||||
iv: iv,
|
||||
additionalData: aadBytes,
|
||||
tagLength: 128, // 16 bytes tag
|
||||
},
|
||||
aesKey,
|
||||
encodedText
|
||||
plaintextBytes
|
||||
)
|
||||
|
||||
// 4. 導出 AES 密鑰並用 RSA 加密
|
||||
const exportedAESKey = await crypto.subtle.exportKey('raw', aesKey)
|
||||
const encryptedAESKey = await crypto.subtle.encrypt(
|
||||
{ name: 'RSA-OAEP' },
|
||||
publicKey,
|
||||
exportedAESKey
|
||||
// 5. 导出 AES 密钥
|
||||
const rawAesKey = await crypto.subtle.exportKey('raw', aesKey)
|
||||
|
||||
// 6. 使用 RSA-OAEP 加密 AES 密钥
|
||||
const wrappedKey = await crypto.subtle.encrypt(
|
||||
{
|
||||
name: 'RSA-OAEP',
|
||||
},
|
||||
this.publicKey,
|
||||
rawAesKey
|
||||
)
|
||||
|
||||
// 5. 組合: [加密的 AES 密鑰長度(4字節)] + [加密的 AES 密鑰] + [IV] + [加密數據]
|
||||
const result = new Uint8Array(
|
||||
4 + encryptedAESKey.byteLength + iv.length + encryptedData.byteLength
|
||||
)
|
||||
const view = new DataView(result.buffer)
|
||||
view.setUint32(0, encryptedAESKey.byteLength, false) // 大端序
|
||||
result.set(new Uint8Array(encryptedAESKey), 4)
|
||||
result.set(iv, 4 + encryptedAESKey.byteLength)
|
||||
result.set(
|
||||
new Uint8Array(encryptedData),
|
||||
4 + encryptedAESKey.byteLength + iv.length
|
||||
)
|
||||
|
||||
// 6. Base64 編碼
|
||||
return arrayBufferToBase64(result)
|
||||
} catch (error) {
|
||||
console.error('加密失敗:', error)
|
||||
throw new Error('加密過程中發生錯誤,請檢查伺服器公鑰是否有效')
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* 導入 PEM 格式的 RSA 公鑰
|
||||
*/
|
||||
async function importRSAPublicKey(pem: string): Promise<CryptoKey> {
|
||||
// 移除 PEM header/footer 和換行符
|
||||
const pemContents = pem
|
||||
.replace(/-----BEGIN PUBLIC KEY-----/, '')
|
||||
.replace(/-----END PUBLIC KEY-----/, '')
|
||||
.replace(/\s/g, '')
|
||||
|
||||
// Base64 解碼
|
||||
const binaryDer = base64ToArrayBuffer(pemContents)
|
||||
|
||||
// 導入為 CryptoKey
|
||||
return crypto.subtle.importKey(
|
||||
'spki',
|
||||
binaryDer,
|
||||
{
|
||||
name: 'RSA-OAEP',
|
||||
hash: 'SHA-256',
|
||||
},
|
||||
true,
|
||||
['encrypt']
|
||||
)
|
||||
}
|
||||
|
||||
// ==================== 二階段輸入 UI ====================
|
||||
|
||||
export interface TwoStageInputResult {
|
||||
encryptedKey: string
|
||||
obfuscationLog: string[] // 混淆記錄(用於審計)
|
||||
}
|
||||
|
||||
/**
|
||||
* 二階段私鑰輸入流程
|
||||
* @param serverPublicKey 伺服器公鑰
|
||||
* @returns 加密後的私鑰 + 混淆記錄
|
||||
*/
|
||||
export async function twoStagePrivateKeyInput(
|
||||
serverPublicKey: string
|
||||
): Promise<TwoStageInputResult> {
|
||||
const obfuscationLog: string[] = []
|
||||
|
||||
return new Promise((resolve, reject) => {
|
||||
// 創建自定義 Modal
|
||||
const modal = createTwoStageModal(async (part1: string, part2: string) => {
|
||||
try {
|
||||
const fullKey = part1 + part2
|
||||
|
||||
// 驗證私鑰格式
|
||||
if (!validatePrivateKeyFormat(fullKey)) {
|
||||
throw new Error('私鑰格式不正確(應為 64 位十六進制或 0x 開頭)')
|
||||
}
|
||||
|
||||
// 加密
|
||||
const encrypted = await encryptWithServerPublicKey(
|
||||
fullKey,
|
||||
serverPublicKey
|
||||
)
|
||||
|
||||
// 清除敏感數據
|
||||
part1 = ''
|
||||
part2 = ''
|
||||
|
||||
resolve({ encryptedKey: encrypted, obfuscationLog })
|
||||
} catch (error) {
|
||||
reject(error)
|
||||
}
|
||||
}, obfuscationLog)
|
||||
|
||||
document.body.appendChild(modal)
|
||||
})
|
||||
}
|
||||
|
||||
/**
|
||||
* 創建二階段輸入 Modal
|
||||
*/
|
||||
function createTwoStageModal(
|
||||
onSubmit: (part1: string, part2: string) => void,
|
||||
obfuscationLog: string[]
|
||||
): HTMLElement {
|
||||
const modal = document.createElement('div')
|
||||
modal.style.cssText = `
|
||||
position: fixed; top: 0; left: 0; right: 0; bottom: 0;
|
||||
background: rgba(0,0,0,0.8); z-index: 10000;
|
||||
display: flex; align-items: center; justify-content: center;
|
||||
`
|
||||
|
||||
const content = document.createElement('div')
|
||||
content.style.cssText = `
|
||||
background: #1a1a2e; padding: 2rem; border-radius: 8px;
|
||||
max-width: 500px; width: 90%; color: white;
|
||||
`
|
||||
|
||||
let stage = 1
|
||||
let part1 = ''
|
||||
|
||||
const render = () => {
|
||||
if (stage === 1) {
|
||||
content.innerHTML = `
|
||||
<h2 style="margin-bottom: 1rem;">🔐 安全輸入 - 第一階段</h2>
|
||||
<p style="margin-bottom: 1rem; color: #888;">請輸入私鑰的<strong>前 32 位</strong>字符</p>
|
||||
<input
|
||||
id="stage1-input"
|
||||
type="password"
|
||||
placeholder="0x1234..."
|
||||
style="width: 100%; padding: 0.75rem; border-radius: 4px;
|
||||
background: #0f0f1e; border: 1px solid #333; color: white;
|
||||
font-family: monospace; font-size: 14px;"
|
||||
maxlength="34"
|
||||
/>
|
||||
<button
|
||||
id="stage1-next"
|
||||
style="margin-top: 1rem; width: 100%; padding: 0.75rem;
|
||||
background: #4CAF50; border: none; border-radius: 4px;
|
||||
color: white; font-weight: bold; cursor: pointer;"
|
||||
>下一步 →</button>
|
||||
<button
|
||||
id="cancel"
|
||||
style="margin-top: 0.5rem; width: 100%; padding: 0.5rem;
|
||||
background: transparent; border: 1px solid #555; border-radius: 4px;
|
||||
color: #888; cursor: pointer;"
|
||||
>取消</button>
|
||||
`
|
||||
|
||||
const input = content.querySelector('#stage1-input') as HTMLInputElement
|
||||
const nextBtn = content.querySelector('#stage1-next') as HTMLButtonElement
|
||||
const cancelBtn = content.querySelector('#cancel') as HTMLButtonElement
|
||||
|
||||
input.focus()
|
||||
input.addEventListener('input', () => {
|
||||
nextBtn.disabled = input.value.length < 10
|
||||
})
|
||||
|
||||
nextBtn.addEventListener('click', async () => {
|
||||
part1 = input.value
|
||||
input.value = '' // 立即清除
|
||||
|
||||
// 生成混淆字串並強制複製
|
||||
const obfuscation = generateObfuscation()
|
||||
await navigator.clipboard.writeText(obfuscation)
|
||||
obfuscationLog.push(`Stage1: ${new Date().toISOString()}`)
|
||||
|
||||
alert(
|
||||
'⚠️ 已複製混淆字串到剪貼簿\n\n請在任意地方貼上一次(避免監控),然後點擊確定繼續'
|
||||
)
|
||||
stage = 2
|
||||
render()
|
||||
})
|
||||
|
||||
cancelBtn.addEventListener('click', () => {
|
||||
modal.remove()
|
||||
})
|
||||
} else if (stage === 2) {
|
||||
content.innerHTML = `
|
||||
<h2 style="margin-bottom: 1rem;">🔐 安全輸入 - 第二階段</h2>
|
||||
<p style="margin-bottom: 1rem; color: #888;">請輸入私鑰的<strong>剩餘字符</strong></p>
|
||||
<input
|
||||
id="stage2-input"
|
||||
type="password"
|
||||
placeholder="...5678"
|
||||
style="width: 100%; padding: 0.75rem; border-radius: 4px;
|
||||
background: #0f0f1e; border: 1px solid #333; color: white;
|
||||
font-family: monospace; font-size: 14px;"
|
||||
maxlength="34"
|
||||
/>
|
||||
<button
|
||||
id="stage2-submit"
|
||||
style="margin-top: 1rem; width: 100%; padding: 0.75rem;
|
||||
background: #2196F3; border: none; border-radius: 4px;
|
||||
color: white; font-weight: bold; cursor: pointer;"
|
||||
>🔒 加密並提交</button>
|
||||
<button
|
||||
id="back"
|
||||
style="margin-top: 0.5rem; width: 100%; padding: 0.5rem;
|
||||
background: transparent; border: 1px solid #555; border-radius: 4px;
|
||||
color: #888; cursor: pointer;"
|
||||
>← 返回上一步</button>
|
||||
`
|
||||
|
||||
const input = content.querySelector('#stage2-input') as HTMLInputElement
|
||||
const submitBtn = content.querySelector(
|
||||
'#stage2-submit'
|
||||
) as HTMLButtonElement
|
||||
const backBtn = content.querySelector('#back') as HTMLButtonElement
|
||||
|
||||
input.focus()
|
||||
submitBtn.addEventListener('click', async () => {
|
||||
const part2 = input.value
|
||||
input.value = '' // 立即清除
|
||||
|
||||
obfuscationLog.push(`Stage2: ${new Date().toISOString()}`)
|
||||
|
||||
modal.remove()
|
||||
onSubmit(part1, part2)
|
||||
})
|
||||
|
||||
backBtn.addEventListener('click', () => {
|
||||
stage = 1
|
||||
render()
|
||||
})
|
||||
// 7. 编码为 base64url
|
||||
return {
|
||||
wrappedKey: this.arrayBufferToBase64Url(wrappedKey),
|
||||
iv: this.arrayBufferToBase64Url(iv.buffer),
|
||||
ciphertext: this.arrayBufferToBase64Url(ciphertext),
|
||||
aad: this.arrayBufferToBase64Url(aadBytes.buffer),
|
||||
ts: ts,
|
||||
}
|
||||
}
|
||||
|
||||
render()
|
||||
modal.appendChild(content)
|
||||
return modal
|
||||
}
|
||||
|
||||
/**
|
||||
* 驗證私鑰格式
|
||||
*/
|
||||
function validatePrivateKeyFormat(key: string): boolean {
|
||||
// EVM 私鑰: 64 位十六進制 (可選 0x 前綴)
|
||||
const evmPattern = /^(0x)?[0-9a-fA-F]{64}$/
|
||||
return evmPattern.test(key)
|
||||
}
|
||||
|
||||
// ==================== 工具函數 ====================
|
||||
|
||||
function arrayBufferToBase64(buffer: ArrayBuffer | Uint8Array): string {
|
||||
const bytes = buffer instanceof Uint8Array ? buffer : new Uint8Array(buffer)
|
||||
let binary = ''
|
||||
for (let i = 0; i < bytes.byteLength; i++) {
|
||||
binary += String.fromCharCode(bytes[i])
|
||||
private static arrayBufferToBase64Url(buffer: ArrayBuffer): string {
|
||||
const bytes = new Uint8Array(buffer)
|
||||
let binary = ''
|
||||
for (let i = 0; i < bytes.length; i++) {
|
||||
binary += String.fromCharCode(bytes[i])
|
||||
}
|
||||
return btoa(binary)
|
||||
.replace(/\+/g, '-')
|
||||
.replace(/\//g, '_')
|
||||
.replace(/=/g, '')
|
||||
}
|
||||
|
||||
static async fetchPublicKey(): Promise<string> {
|
||||
const response = await fetch('/api/crypto/public-key')
|
||||
if (!response.ok) {
|
||||
throw new Error(`Failed to fetch public key: ${response.statusText}`)
|
||||
}
|
||||
const data = await response.json()
|
||||
return data.public_key
|
||||
}
|
||||
|
||||
static async decryptSensitiveData(
|
||||
payload: EncryptedPayload
|
||||
): Promise<string> {
|
||||
const response = await fetch('/api/crypto/decrypt', {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'Content-Type': 'application/json',
|
||||
},
|
||||
body: JSON.stringify(payload),
|
||||
})
|
||||
|
||||
if (!response.ok) {
|
||||
throw new Error(`Decryption failed: ${response.statusText}`)
|
||||
}
|
||||
|
||||
const result = await response.json()
|
||||
return result.plaintext
|
||||
}
|
||||
return btoa(binary)
|
||||
}
|
||||
|
||||
function base64ToArrayBuffer(base64: string): ArrayBuffer {
|
||||
const binary = atob(base64)
|
||||
const bytes = new Uint8Array(binary.length)
|
||||
for (let i = 0; i < binary.length; i++) {
|
||||
bytes[i] = binary.charCodeAt(i)
|
||||
}
|
||||
return bytes.buffer
|
||||
// 生成混淆字符串(用于剪贴板混淆)
|
||||
export function generateObfuscation(): string {
|
||||
const bytes = new Uint8Array(32)
|
||||
crypto.getRandomValues(bytes)
|
||||
return Array.from(bytes, (byte) => byte.toString(16).padStart(2, '0')).join(
|
||||
''
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* 從伺服器獲取公鑰
|
||||
*/
|
||||
export async function fetchServerPublicKey(): Promise<string> {
|
||||
const response = await fetch('/api/crypto/public-key')
|
||||
if (!response.ok) {
|
||||
throw new Error('無法獲取伺服器公鑰')
|
||||
// 验证私钥格式
|
||||
export function validatePrivateKeyFormat(
|
||||
value: string,
|
||||
expectedLength: number = 64
|
||||
): boolean {
|
||||
const normalized = value.startsWith('0x') ? value.slice(2) : value
|
||||
if (normalized.length !== expectedLength) {
|
||||
return false
|
||||
}
|
||||
const data = await response.json()
|
||||
return data.public_key
|
||||
return /^[0-9a-fA-F]+$/.test(normalized)
|
||||
}
|
||||
|
||||
@@ -38,7 +38,7 @@ export function FAQPage() {
|
||||
onLanguageChange={setLanguage}
|
||||
user={user}
|
||||
onLogout={logout}
|
||||
onPageChange={(page) => {
|
||||
onPageChange={(page) => {
|
||||
if (page === 'competition') {
|
||||
window.history.pushState({}, '', '/competition')
|
||||
window.location.href = '/competition'
|
||||
|
||||
Reference in New Issue
Block a user