tinkle-community
1aea7abc38
fix(security): remove decrypt oracle, redact secret logs, harden auth, bump Go
...
Address multiple vulnerabilities found during security review:
- Remove unauthenticated POST /api/crypto/decrypt decryption oracle (route,
handler, dead frontend helper) + regression test. Transport encryption is
one-directional; the server never needs to decrypt arbitrary client payloads.
- Redact secrets in config-update logs: handler_ai_model/handler_exchange logged
%+v of decrypted requests, leaking API keys / secret keys / passphrases /
private keys. Use named types shared with the log sanitizer so the masking
can never drift again; extend masking to passphrase + lighter_api_key_private_key.
- crypto: require a valid timestamp in DecryptPayload (a missing ts previously
skipped replay protection entirely).
- crypto: EncryptedString.Value() now fails closed instead of silently
persisting plaintext secrets when encryption errors.
- auth: per-IP token-bucket rate limiting on /login and /register against online
brute-force; raise registration password minimum 6 -> 8; add dummy bcrypt
compare on unknown-email login to close the user-enumeration timing channel.
- IDOR: getTraderFromQuery no longer falls back to the global in-memory trader
map; trader access is strictly scoped to the authenticated caller.
- Bump Go 1.25.10 -> 1.25.11 to resolve reachable net/textproto and crypto/x509
stdlib advisories (govulncheck now reports 0 affecting vulnerabilities).
2026-06-05 22:08:26 +08:00
tinkle-community
c720d663f1
feat: add TRANSPORT_ENCRYPTION toggle for easier deployment
...
- Add TRANSPORT_ENCRYPTION env config (default: false)
- Allow HTTP/IP access when transport encryption is disabled
- Add /api/crypto/config endpoint to expose encryption status
- Update WebCryptoEnvironmentCheck with 'disabled' status
- Update ExchangeConfigModal and AITradersPage to allow form submission when disabled
- Add i18n translations for disabled status (EN/CN)
- Update README with two deployment modes documentation
2025-12-09 18:04:42 +08:00
Ember
dbb05f7fde
feat(ui): Add an automated Web Crypto environment check ( #908 )
...
* feat: add web crypto environment check
* fix: auto check env
* refactor: WebCryptoEnvironmentCheck swtich to map
2025-11-11 21:22:55 -05:00
Icyoung
89085173f9
Dev Crypto ( #730 )
...
* feat: remove admin mode
* feat: bugfix
* feat(crypto): 添加RSA-OAEP + AES-GCM混合加密服务
- 实现CryptoService加密服务,支持RSA-OAEP-2048 + AES-256-GCM混合加密
- 集成数据库层加密,自动加密存储敏感字段(API密钥、私钥等)
- 支持环境变量DATA_ENCRYPTION_KEY配置数据加密密钥
- 适配SQLite数据库加密存储(从PostgreSQL移植)
- 保持Hyperliquid代理钱包处理兼容性
- 更新.gitignore以正确处理crypto模块代码
🤖 Generated with [Claude Code](https://claude.ai/code )
Co-Authored-By: tinkle-community <tinklefund@gmail.com >
* feat(scripts): 添加加密环境一键设置脚本
- setup_encryption.sh: 一键生成RSA密钥对+数据加密密钥+JWT密钥
- generate_rsa_keys.sh: 专业的RSA-2048密钥对生成工具
- generate_data_key.sh: 生成AES-256数据加密密钥和JWT认证密钥
- ENCRYPTION_README.md: 详细的加密系统说明文档
- 支持自动检测现有密钥并只生成缺失的密钥
- 完善的权限管理和安全验证
- 兼容macOS和Linux的跨平台支持
🤖 Generated with [Claude Code](https://claude.ai/code )
Co-Authored-By: tinkle-community <tinklefund@gmail.com >
* feat(api): 添加加密API端点和Gin框架集成
- 新增CryptoHandler处理加密相关API请求
- 提供/api/crypto/public-key端点获取RSA公钥
- 提供/api/crypto/decrypt端点解密敏感数据
- 适配Gin框架的HTTP处理器格式
- 集成CryptoService到API服务器
- 支持前端加密数据传输和解密
🤖 Generated with [Claude Code](https://claude.ai/code )
Co-Authored-By: tinkle-community <tinklefund@gmail.com >
* feat(web): 添加前端加密服务和两阶段密钥输入组件
- CryptoService: Web Crypto API集成,支持RSA-OAEP加密
- TwoStageKeyModal: 安全的两阶段私钥输入组件,支持剪贴板混淆
- 完善国际化翻译支持加密相关UI文本
- 修复TypeScript类型错误和编译问题
- 支持前端敏感数据加密传输到后端
- 增强用户隐私保护和数据安全
🤖 Generated with [Claude Code](https://claude.ai/code )
Co-Authored-By: tinkle-community <tinklefund@gmail.com >
* feat(auth): 增强JWT认证安全性
- 优先使用环境变量JWT_SECRET而不是数据库配置
- 支持通过.env文件安全配置JWT认证密钥
- 保留数据库配置作为回退机制
- 改进JWT密钥来源日志显示
- 增强系统启动时的安全配置检查
- 支持运行时动态JWT密钥切换
🤖 Generated with [Claude Code](https://claude.ai/code )
Co-Authored-By: tinkle-community <tinklefund@gmail.com >
* feat(docker): 集成加密环境变量到Docker部署
- 添加DATA_ENCRYPTION_KEY环境变量传递到容器
- 添加JWT_SECRET环境变量支持
- 挂载secrets目录使容器可访问RSA密钥文件
- 确保容器内加密服务正常工作
- 解决容器启动失败和加密初始化问题
- 完善Docker Compose加密环境配置
🤖 Generated with [Claude Code](https://claude.ai/code )
Co-Authored-By: tinkle-community <tinklefund@gmail.com >
* feat(start): 集成自动加密环境检测和设置
- 增强check_encryption()函数检测JWT_SECRET和DATA_ENCRYPTION_KEY
- 自动运行setup_encryption.sh当检测到缺失密钥时
- 改进加密状态显示,包含RSA+AES+JWT全套加密信息
- 优化用户体验,提供清晰的加密配置反馈
- 支持一键设置完整加密环境
- 确保容器启动前加密环境就绪
🤖 Generated with [Claude Code](https://claude.ai/code )
Co-Authored-By: tinkle-community <tinklefund@gmail.com >
* feat: format fix
* fix(security): 修复前端模型和交易所配置敏感数据明文传输
- 在handleSaveModelConfig中对API密钥进行RSA-OAEP加密
- 在handleSaveExchangeConfig中对API密钥、Secret密钥和Aster私钥进行加密
- 只有非空敏感数据才进行加密处理
- 添加加密失败错误处理和用户友好提示
- 增加encryptionFailed翻译键的中英文支持
- 使用用户ID和会话ID作为加密上下文增强安全性
这修复了之前敏感数据在网络传输中以明文形式发送的安全漏洞。
🤖 Generated with [Claude Code](https://claude.ai/code )
Co-Authored-By: tinkle-community <tinklefund@gmail.com >
* fix(crypto): 修复后端加密服务集成和缺失的加密端点
- 添加Server结构体缺少的cryptoService字段
- 实现handleUpdateModelConfigsEncrypted处理器用于模型配置加密传输
- 修复handleUpdateExchangeConfigsEncrypted中的函数调用
- 在前端API中添加updateModelConfigsEncrypted方法
- 统一RSA密钥路径从secrets/rsa_key改为keys/rsa_private.key
- 确保前端可以使用加密端点安全传输敏感数据
- 兼容原有加密通信模式和二段输入私钥功能
🤖 Generated with [Claude Code](https://claude.ai/code )
Co-Authored-By: tinkle-community <tinklefund@gmail.com >
---------
Co-authored-by: icy <icyoung520@gmail.com >
Co-authored-by: tinkle-community <tinklefund@gmail.com >
2025-11-08 02:03:09 +08:00
SkywalkerJi
deac456703
fix: Fixed go vet issues. ( #658 )
...
* Fixed vet ./... errors.
* Fixed ESLint issues.
2025-11-07 02:28:01 +08:00
0xYYBB | ZYY | Bobo
43561a4ad7
fix(web): resolve TypeScript type error in crypto.ts and add missing test dependencies ( #647 )
...
```
src/lib/crypto.ts(66,32): error TS2345: Argument of type 'Uint8Array<ArrayBuffer>'
is not assignable to parameter of type 'ArrayBuffer'.
```
`arrayBufferToBase64` function expected `ArrayBuffer` but received `Uint8Array.buffer`.
TypeScript strict type checking flagged the mismatch.
1. Update `arrayBufferToBase64` signature to accept `ArrayBuffer | Uint8Array`
2. Pass `result` directly instead of `result.buffer` (more accurate)
3. Add runtime type check with instanceof
```
error TS2307: Cannot find module 'vitest'
error TS2307: Cannot find module '@testing-library/react'
```
Install missing devDependencies:
- vitest
- @testing-library/react
- @testing-library/jest-dom
✅ Frontend builds successfully
✅ TypeScript compilation passes
✅ No type errors
Related-To: Docker frontend build failures
2025-11-07 01:19:48 +08:00
ZhouYongyou
feeaa14050
feat(security): add end-to-end encryption for sensitive data
...
## Summary
Add comprehensive encryption system to protect private keys and API secrets.
## Core Components
- `crypto/encryption.go`: RSA-4096 + AES-256-GCM encryption manager
- `crypto/secure_storage.go`: Database encryption layer + audit logs
- `crypto/aliyun_kms.go`: Optional Aliyun KMS integration
- `api/crypto_handler.go`: Encryption API endpoints
- `web/src/lib/crypto.ts`: Frontend two-stage encryption
- `scripts/migrate_encryption.go`: Data migration tool
- `deploy_encryption.sh`: One-click deployment
## Security Architecture
```
Frontend: Two-stage input + clipboard obfuscation
↓
Transport: RSA-4096 + AES-256-GCM hybrid encryption
↓
Storage: Database encryption + audit logs
```
## Features
✅ Zero breaking changes (backward compatible)
✅ Automatic migration of existing data
✅ <25ms overhead per operation
✅ Complete audit trail
✅ Optional cloud KMS support
## Migration
```bash
./deploy_encryption.sh # 5 minutes, zero downtime
```
## Testing
```bash
go test ./crypto -v
```
Related-To: security-enhancement
2025-11-06 23:55:33 +08:00