SECURITY FIX: Restore import/export functionality with KEK-DEK architecture
Fix critical missing functionality identified in security audit:

## New Features Implemented:
✅ User-level data export (encrypted/plaintext formats)
✅ User-level data import with dry-run validation
✅ Export preview endpoint for size estimation
✅ OIDC configuration encryption for sensitive data
✅ Production environment security checks on startup

## API Endpoints Restored:
- POST /database/export - User data export with password protection
- POST /database/import - User data import with validation
- POST /database/export/preview - Export validation and stats

## Security Improvements:
- OIDC client_secret now encrypted when admin data unlocked
- Production startup checks for required environment variables
- Comprehensive import/export documentation and examples
- Proper error handling and cleanup for uploaded files

## Data Migration Support:
- Cross-instance user data migration
- Selective import (skip credentials/file manager data)
- ID collision handling with automatic regeneration
- Full validation of import data structure

Resolves the critical "503 Service Unavailable" status on import/export endpoints that was blocking user data migration capabilities. Maintains KEK-DEK user-level encryption while enabling data portability.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@@ -15,8 +15,62 @@ import "dotenv/config";
|
||||
version: version,
|
||||
});
|
||||
|
||||
// 生产环境安全检查
|
||||
if (process.env.NODE_ENV === 'production') {
|
||||
systemLogger.info("Running production environment security checks...", {
|
||||
operation: "security_checks",
|
||||
});
|
||||
|
||||
const securityIssues: string[] = [];
|
||||
|
||||
// 检查系统主密钥
|
||||
if (!process.env.SYSTEM_MASTER_KEY) {
|
||||
securityIssues.push("SYSTEM_MASTER_KEY environment variable is required in production");
|
||||
} else if (process.env.SYSTEM_MASTER_KEY.length < 64) {
|
||||
securityIssues.push("SYSTEM_MASTER_KEY should be at least 64 characters in production");
|
||||
}
|
||||
|
||||
// 检查数据库文件加密
|
||||
if (process.env.DB_FILE_ENCRYPTION === 'false') {
|
||||
securityIssues.push("Database file encryption should be enabled in production");
|
||||
}
|
||||
|
||||
// 检查JWT移密
|
||||
if (!process.env.JWT_SECRET) {
|
||||
systemLogger.info("JWT_SECRET not set - will use encrypted storage", {
|
||||
operation: "security_checks",
|
||||
note: "Using encrypted JWT storage"
|
||||
});
|
||||
}
|
||||
|
||||
// 检查CORS配置警告
|
||||
systemLogger.warn("Production deployment detected - ensure CORS is properly configured", {
|
||||
operation: "security_checks",
|
||||
warning: "Verify frontend domain whitelist"
|
||||
});
|
||||
|
||||
if (securityIssues.length > 0) {
|
||||
systemLogger.error("SECURITY ISSUES DETECTED IN PRODUCTION:", {
|
||||
operation: "security_checks_failed",
|
||||
issues: securityIssues,
|
||||
});
|
||||
for (const issue of securityIssues) {
|
||||
systemLogger.error(`- ${issue}`, { operation: "security_issue" });
|
||||
}
|
||||
systemLogger.error("Fix these issues before running in production!", {
|
||||
operation: "security_checks_failed",
|
||||
});
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
systemLogger.success("Production security checks passed", {
|
||||
operation: "security_checks_complete",
|
||||
});
|
||||
}
|
||||
|
||||
systemLogger.info("Initializing backend services...", {
|
||||
operation: "startup",
|
||||
environment: process.env.NODE_ENV || "development",
|
||||
});
|
||||
|
||||
// Initialize simplified authentication system
|
||||
|
||||
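Review bot: The database-encryption check `if (process.env.DB_FILE_ENCRYPTION === 'false')` only fires on the exact lowercase string, so values such as `FALSE`, `0`, `no`, or one with stray whitespace pass the production gate without an issue being recorded, and whether an unset variable is safe depends on a default that is not visible in this hunk. Consider trimming and lowercasing the value before comparing, or requiring an explicit `true` in production. The SYSTEM_MASTER_KEY branch tests only `.length < 64`, so a 64-character low-entropy string is accepted; if the key is expected to be hex or base64, validating the format here would catch placeholder values. Both issue messages say "should be" although the block ends in `process.exit(1)`, so wording them as requirements would match the behaviour. The CORS `systemLogger.warn` call runs unconditionally on every production start and inspects no configuration, so it will read as noise rather than a check. The comments in this block are in Chinese while the surrounding code comments and log messages are in English, and `// 检查JWT移密` looks like a typo for 密钥.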