mirror of
https://github.com/NoFxAiOS/nofx.git
synced 2026-07-11 23:07:01 +08:00
feat: add TRANSPORT_ENCRYPTION toggle for easier deployment
- Add TRANSPORT_ENCRYPTION env config (default: false) - Allow HTTP/IP access when transport encryption is disabled - Add /api/crypto/config endpoint to expose encryption status - Update WebCryptoEnvironmentCheck with 'disabled' status - Update ExchangeConfigModal and AITradersPage to allow form submission when disabled - Add i18n translations for disabled status (EN/CN) - Update README with two deployment modes documentation
This commit is contained in:
@@ -1844,7 +1844,10 @@ function ExchangeConfigModal({
|
||||
color: '#EAECEF',
|
||||
}}
|
||||
aria-label={t('selectExchange', language)}
|
||||
disabled={webCryptoStatus !== 'secure'}
|
||||
disabled={
|
||||
webCryptoStatus !== 'secure' &&
|
||||
webCryptoStatus !== 'disabled'
|
||||
}
|
||||
required
|
||||
>
|
||||
<option value="">
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
import { useCallback, useEffect, useState, type ReactNode } from 'react'
|
||||
import { Loader2, ShieldAlert, ShieldCheck } from 'lucide-react'
|
||||
import { diagnoseWebCryptoEnvironment } from '../lib/crypto'
|
||||
import { Loader2, ShieldAlert, ShieldCheck, ShieldMinus } from 'lucide-react'
|
||||
import { CryptoService, diagnoseWebCryptoEnvironment } from '../lib/crypto'
|
||||
import { t, type Language } from '../i18n/translations'
|
||||
|
||||
export type WebCryptoCheckStatus =
|
||||
@@ -9,6 +9,7 @@ export type WebCryptoCheckStatus =
|
||||
| 'secure'
|
||||
| 'insecure'
|
||||
| 'unsupported'
|
||||
| 'disabled' // Transport encryption disabled
|
||||
|
||||
interface WebCryptoEnvironmentCheckProps {
|
||||
language: Language
|
||||
@@ -28,11 +29,19 @@ export function WebCryptoEnvironmentCheck({
|
||||
onStatusChange?.(status)
|
||||
}, [onStatusChange, status])
|
||||
|
||||
const runCheck = useCallback(() => {
|
||||
const runCheck = useCallback(async () => {
|
||||
setStatus('checking')
|
||||
setSummary(null)
|
||||
|
||||
setTimeout(() => {
|
||||
try {
|
||||
// First check if transport encryption is enabled on the server
|
||||
const config = await CryptoService.fetchCryptoConfig()
|
||||
|
||||
if (!config.transport_encryption) {
|
||||
setStatus('disabled')
|
||||
return
|
||||
}
|
||||
|
||||
const result = diagnoseWebCryptoEnvironment()
|
||||
setSummary(
|
||||
t('environmentCheck.summary', language, {
|
||||
@@ -52,8 +61,11 @@ export function WebCryptoEnvironmentCheck({
|
||||
}
|
||||
|
||||
setStatus('secure')
|
||||
}, 0)
|
||||
}, [language, t])
|
||||
} catch {
|
||||
// If we can't fetch config, assume encryption is disabled
|
||||
setStatus('disabled')
|
||||
}
|
||||
}, [language])
|
||||
|
||||
useEffect(() => {
|
||||
runCheck()
|
||||
@@ -109,6 +121,17 @@ export function WebCryptoEnvironmentCheck({
|
||||
<div>{t('environmentCheck.unsupportedDesc', language)}</div>
|
||||
</div>
|
||||
),
|
||||
disabled: () => (
|
||||
<div className="flex items-start gap-2 text-gray-400 text-xs">
|
||||
<ShieldMinus className="w-4 h-4 flex-shrink-0" />
|
||||
<div>
|
||||
<div className="font-semibold">
|
||||
{t('environmentCheck.disabledTitle', language)}
|
||||
</div>
|
||||
<div>{t('environmentCheck.disabledDesc', language)}</div>
|
||||
</div>
|
||||
</div>
|
||||
),
|
||||
checking: () => (
|
||||
<div
|
||||
className="flex items-center gap-2 text-xs"
|
||||
|
||||
@@ -382,7 +382,10 @@ export function ExchangeConfigModal({
|
||||
color: '#EAECEF',
|
||||
}}
|
||||
aria-label={t('selectExchange', language)}
|
||||
disabled={webCryptoStatus !== 'secure'}
|
||||
disabled={
|
||||
webCryptoStatus !== 'secure' &&
|
||||
webCryptoStatus !== 'disabled'
|
||||
}
|
||||
required
|
||||
>
|
||||
<option value="">
|
||||
|
||||
@@ -963,6 +963,9 @@ export const translations = {
|
||||
unsupportedDesc:
|
||||
'Open NOFX over HTTPS (or http://localhost during development) and avoid insecure iframes/reverse proxies so the browser can enable Web Crypto.',
|
||||
summary: 'Current origin: {origin} • Protocol: {protocol}',
|
||||
disabledTitle: 'Transport encryption disabled',
|
||||
disabledDesc:
|
||||
'Server-side transport encryption is disabled. API keys will be transmitted in plaintext. Enable TRANSPORT_ENCRYPTION=true for enhanced security.',
|
||||
},
|
||||
|
||||
environmentSteps: {
|
||||
@@ -1905,6 +1908,9 @@ export const translations = {
|
||||
unsupportedDesc:
|
||||
'请通过 HTTPS 或本机 localhost 访问 NOFX,并避免嵌入不安全 iframe/反向代理,以符合浏览器的 Web Crypto 规则。',
|
||||
summary: '当前来源:{origin} · 协议:{protocol}',
|
||||
disabledTitle: '传输加密已禁用',
|
||||
disabledDesc:
|
||||
'服务端传输加密已关闭,API 密钥将以明文传输。如需增强安全性,请设置 TRANSPORT_ENCRYPTION=true。',
|
||||
},
|
||||
|
||||
environmentSteps: {
|
||||
|
||||
@@ -7,6 +7,10 @@ export interface EncryptedPayload {
|
||||
ts?: number // 可选:unix 秒,用于重放保护
|
||||
}
|
||||
|
||||
export interface CryptoConfig {
|
||||
transport_encryption: boolean
|
||||
}
|
||||
|
||||
export interface WebCryptoEnvironmentInfo {
|
||||
isBrowser: boolean
|
||||
isSecureContext: boolean
|
||||
@@ -20,6 +24,11 @@ export interface WebCryptoEnvironmentInfo {
|
||||
export class CryptoService {
|
||||
private static publicKey: CryptoKey | null = null
|
||||
private static publicKeyPEM: string | null = null
|
||||
private static _transportEncryption: boolean | null = null
|
||||
|
||||
static get transportEncryption(): boolean {
|
||||
return this._transportEncryption === true
|
||||
}
|
||||
|
||||
static async initialize(publicKeyPEM: string) {
|
||||
if (this.publicKey && this.publicKeyPEM === publicKeyPEM) {
|
||||
@@ -29,6 +38,16 @@ export class CryptoService {
|
||||
this.publicKey = await this.importPublicKey(publicKeyPEM)
|
||||
}
|
||||
|
||||
static async fetchCryptoConfig(): Promise<CryptoConfig> {
|
||||
const response = await fetch('/api/crypto/config')
|
||||
if (!response.ok) {
|
||||
throw new Error(`Failed to fetch crypto config: ${response.statusText}`)
|
||||
}
|
||||
const data = await response.json()
|
||||
this._transportEncryption = data.transport_encryption
|
||||
return data
|
||||
}
|
||||
|
||||
private static async importPublicKey(pem: string): Promise<CryptoKey> {
|
||||
const pemHeader = '-----BEGIN PUBLIC KEY-----'
|
||||
const pemFooter = '-----END PUBLIC KEY-----'
|
||||
@@ -153,7 +172,11 @@ export class CryptoService {
|
||||
throw new Error(`Failed to fetch public key: ${response.statusText}`)
|
||||
}
|
||||
const data = await response.json()
|
||||
return data.public_key
|
||||
// Update transport encryption flag from server response
|
||||
if (typeof data.transport_encryption === 'boolean') {
|
||||
this._transportEncryption = data.transport_encryption
|
||||
}
|
||||
return data.public_key || ''
|
||||
}
|
||||
|
||||
static async decryptSensitiveData(
|
||||
|
||||
Reference in New Issue
Block a user