SECURITY: Eliminate complex fallback storage, enforce environment variables

Core changes: - Remove file/database fallback storage complexity - Enforce JWT_SECRET and DATABASE_KEY as environment variables only - Auto-generate keys on first startup with clear user guidance - Eliminate circular dependencies and storage layer abstractions Security improvements: - Single source of truth for secrets (environment variables) - No persistent storage of secrets in files or database - Clear deployment guidance for production environments - Simplified attack surface by removing storage complexity WebSocket authentication: - Implement JWT authentication for WebSocket handshake - Add connection limits and user tracking - Update frontend to pass JWT tokens in WebSocket URLs - Configure Nginx for authenticated WebSocket proxy Additional fixes: - Replace CORS wildcard with specific origins - Remove password logging security vulnerability - Streamline encryption architecture following Linus principles
2025-09-22 08:57:37 +08:00
parent ed11b309f4
commit dfc92428e0
6 changed files with 316 additions and 315 deletions
--- a/docker/nginx.conf
+++ b/docker/nginx.conf
@@ -72,25 +72,37 @@ http {
            proxy_set_header X-Forwarded-Proto $scheme;
        }

+        # WebSocket proxy for authenticated terminal connections
        location /ssh/websocket/ {
+            # Pass to WebSocket server with authentication support
            proxy_pass http://127.0.0.1:8082/;
            proxy_http_version 1.1;
+
+            # WebSocket upgrade headers
            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection "Upgrade";
+            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;

-            proxy_read_timeout 300s;
-            proxy_send_timeout 300s;
-            proxy_connect_timeout 75s;
-            proxy_set_header Connection "";
-            
-            proxy_buffering off;
-            proxy_request_buffering off;
-            
+            # Pass client information for authentication logging
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
+
+            # Important: Pass query parameters (contains JWT token)
+            proxy_pass_request_args on;
+
+            # WebSocket timeouts (longer for terminal sessions)
+            proxy_read_timeout 86400s;  # 24 hours
+            proxy_send_timeout 86400s;  # 24 hours
+            proxy_connect_timeout 10s;  # Quick auth check
+
+            # Disable buffering for real-time terminal
+            proxy_buffering off;
+            proxy_request_buffering off;
+
+            # Handle connection errors gracefully
+            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        }

        location /ssh/tunnel/ {