feat: add TRANSPORT_ENCRYPTION toggle for easier deployment

- Add TRANSPORT_ENCRYPTION env config (default: false)
- Allow HTTP/IP access when transport encryption is disabled
- Add /api/crypto/config endpoint to expose encryption status
- Update WebCryptoEnvironmentCheck with 'disabled' status
- Update ExchangeConfigModal and AITradersPage to allow form submission when disabled
- Add i18n translations for disabled status (EN/CN)
- Update README with two deployment modes documentation
This commit is contained in:
tinkle-community
2025-12-09 18:04:42 +08:00
parent 5f3797e255
commit c720d663f1
11 changed files with 225 additions and 13 deletions

View File

@@ -1844,7 +1844,10 @@ function ExchangeConfigModal({
color: '#EAECEF',
}}
aria-label={t('selectExchange', language)}
disabled={webCryptoStatus !== 'secure'}
disabled={
webCryptoStatus !== 'secure' &&
webCryptoStatus !== 'disabled'
}
required
>
<option value="">

View File

@@ -1,6 +1,6 @@
import { useCallback, useEffect, useState, type ReactNode } from 'react'
import { Loader2, ShieldAlert, ShieldCheck } from 'lucide-react'
import { diagnoseWebCryptoEnvironment } from '../lib/crypto'
import { Loader2, ShieldAlert, ShieldCheck, ShieldMinus } from 'lucide-react'
import { CryptoService, diagnoseWebCryptoEnvironment } from '../lib/crypto'
import { t, type Language } from '../i18n/translations'
export type WebCryptoCheckStatus =
@@ -9,6 +9,7 @@ export type WebCryptoCheckStatus =
| 'secure'
| 'insecure'
| 'unsupported'
| 'disabled' // Transport encryption disabled
interface WebCryptoEnvironmentCheckProps {
language: Language
@@ -28,11 +29,19 @@ export function WebCryptoEnvironmentCheck({
onStatusChange?.(status)
}, [onStatusChange, status])
const runCheck = useCallback(() => {
const runCheck = useCallback(async () => {
setStatus('checking')
setSummary(null)
setTimeout(() => {
try {
// First check if transport encryption is enabled on the server
const config = await CryptoService.fetchCryptoConfig()
if (!config.transport_encryption) {
setStatus('disabled')
return
}
const result = diagnoseWebCryptoEnvironment()
setSummary(
t('environmentCheck.summary', language, {
@@ -52,8 +61,11 @@ export function WebCryptoEnvironmentCheck({
}
setStatus('secure')
}, 0)
}, [language, t])
} catch {
// If we can't fetch config, assume encryption is disabled
setStatus('disabled')
}
}, [language])
useEffect(() => {
runCheck()
@@ -109,6 +121,17 @@ export function WebCryptoEnvironmentCheck({
<div>{t('environmentCheck.unsupportedDesc', language)}</div>
</div>
),
disabled: () => (
<div className="flex items-start gap-2 text-gray-400 text-xs">
<ShieldMinus className="w-4 h-4 flex-shrink-0" />
<div>
<div className="font-semibold">
{t('environmentCheck.disabledTitle', language)}
</div>
<div>{t('environmentCheck.disabledDesc', language)}</div>
</div>
</div>
),
checking: () => (
<div
className="flex items-center gap-2 text-xs"

View File

@@ -382,7 +382,10 @@ export function ExchangeConfigModal({
color: '#EAECEF',
}}
aria-label={t('selectExchange', language)}
disabled={webCryptoStatus !== 'secure'}
disabled={
webCryptoStatus !== 'secure' &&
webCryptoStatus !== 'disabled'
}
required
>
<option value="">

View File

@@ -963,6 +963,9 @@ export const translations = {
unsupportedDesc:
'Open NOFX over HTTPS (or http://localhost during development) and avoid insecure iframes/reverse proxies so the browser can enable Web Crypto.',
summary: 'Current origin: {origin} • Protocol: {protocol}',
disabledTitle: 'Transport encryption disabled',
disabledDesc:
'Server-side transport encryption is disabled. API keys will be transmitted in plaintext. Enable TRANSPORT_ENCRYPTION=true for enhanced security.',
},
environmentSteps: {
@@ -1905,6 +1908,9 @@ export const translations = {
unsupportedDesc:
'请通过 HTTPS 或本机 localhost 访问 NOFX并避免嵌入不安全 iframe/反向代理,以符合浏览器的 Web Crypto 规则。',
summary: '当前来源:{origin} · 协议:{protocol}',
disabledTitle: '传输加密已禁用',
disabledDesc:
'服务端传输加密已关闭API 密钥将以明文传输。如需增强安全性,请设置 TRANSPORT_ENCRYPTION=true。',
},
environmentSteps: {

View File

@@ -7,6 +7,10 @@ export interface EncryptedPayload {
ts?: number // 可选unix 秒,用于重放保护
}
export interface CryptoConfig {
transport_encryption: boolean
}
export interface WebCryptoEnvironmentInfo {
isBrowser: boolean
isSecureContext: boolean
@@ -20,6 +24,11 @@ export interface WebCryptoEnvironmentInfo {
export class CryptoService {
private static publicKey: CryptoKey | null = null
private static publicKeyPEM: string | null = null
private static _transportEncryption: boolean | null = null
static get transportEncryption(): boolean {
return this._transportEncryption === true
}
static async initialize(publicKeyPEM: string) {
if (this.publicKey && this.publicKeyPEM === publicKeyPEM) {
@@ -29,6 +38,16 @@ export class CryptoService {
this.publicKey = await this.importPublicKey(publicKeyPEM)
}
static async fetchCryptoConfig(): Promise<CryptoConfig> {
const response = await fetch('/api/crypto/config')
if (!response.ok) {
throw new Error(`Failed to fetch crypto config: ${response.statusText}`)
}
const data = await response.json()
this._transportEncryption = data.transport_encryption
return data
}
private static async importPublicKey(pem: string): Promise<CryptoKey> {
const pemHeader = '-----BEGIN PUBLIC KEY-----'
const pemFooter = '-----END PUBLIC KEY-----'
@@ -153,7 +172,11 @@ export class CryptoService {
throw new Error(`Failed to fetch public key: ${response.statusText}`)
}
const data = await response.json()
return data.public_key
// Update transport encryption flag from server response
if (typeof data.transport_encryption === 'boolean') {
this._transportEncryption = data.transport_encryption
}
return data.public_key || ''
}
static async decryptSensitiveData(