feat: 支持 ONLYOFFICE 持久化配置管理

- 添加 SettingsRenderForm schema 和 renderForm 字段 - 实现数据库 schema 自动迁移（onlyoffice_enabled, onlyoffice_public_url, onlyoffice_jwt_secret_encrypted） - 新增 resolve_onlyoffice_settings() 函数支持运行时配置解析 - 知识库服务改用数据库配置替代运行时配置 - 前端添加文件渲染配置页面，支持 JWT 密钥管理 - 完善相关测试覆盖
2026-05-09 08:02:01 +00:00
parent 94122fd34b
commit 4fbd313f35
14 changed files with 735 additions and 314 deletions
--- a/server/src/app/services/knowledge.py
+++ b/server/src/app/services/knowledge.py
@@ -18,16 +18,17 @@ import jwt
 from app.api.deps import CurrentUserContext
 from app.core.config import get_settings
 from app.core.logging import get_logger
-from app.schemas.knowledge import (
-    KnowledgeDocumentDetailRead,
+from app.schemas.knowledge import (
+    KnowledgeDocumentDetailRead,
    KnowledgeDocumentRead,
    KnowledgeFolderRead,
    KnowledgeLibraryRead,
    KnowledgeOnlyOfficeConfigRead,
    KnowledgePreviewBlockRead,
-    KnowledgePreviewPageRead,
-    KnowledgePreviewStatRead,
-)
+    KnowledgePreviewPageRead,
+    KnowledgePreviewStatRead,
+)
+from app.services.settings import resolve_onlyoffice_settings

 logger = get_logger("app.services.knowledge")

@@ -239,51 +240,52 @@ class KnowledgeService:
    ) -> KnowledgeOnlyOfficeConfigRead:
        self.ensure_library_ready()
        settings = get_settings()
-        if not settings.onlyoffice_enabled:
+        onlyoffice_settings = resolve_onlyoffice_settings()
+        if not onlyoffice_settings.enabled:
            logger.warning(
                "ONLYOFFICE disabled in runtime config doc=%s enabled=%s public_url=%s backend_url=%s jwt_set=%s",
                document_id,
-                settings.onlyoffice_enabled,
-                settings.onlyoffice_public_url,
-                settings.onlyoffice_backend_url,
-                bool(settings.onlyoffice_jwt_secret),
+                onlyoffice_settings.enabled,
+                onlyoffice_settings.public_url,
+                onlyoffice_settings.backend_url,
+                bool(onlyoffice_settings.jwt_secret),
            )
            raise ValueError("ONLYOFFICE 预览未启用。")
-        if not settings.onlyoffice_public_url or not settings.onlyoffice_backend_url:
+        if not onlyoffice_settings.public_url or not onlyoffice_settings.backend_url:
            logger.warning(
                "ONLYOFFICE config incomplete doc=%s enabled=%s public_url=%s backend_url=%s jwt_set=%s",
                document_id,
-                settings.onlyoffice_enabled,
-                settings.onlyoffice_public_url,
-                settings.onlyoffice_backend_url,
-                bool(settings.onlyoffice_jwt_secret),
+                onlyoffice_settings.enabled,
+                onlyoffice_settings.public_url,
+                onlyoffice_settings.backend_url,
+                bool(onlyoffice_settings.jwt_secret),
            )
            raise ValueError("ONLYOFFICE 地址配置不完整。")
-        if not settings.onlyoffice_jwt_secret:
+        if not onlyoffice_settings.jwt_secret:
            logger.warning(
                "ONLYOFFICE JWT missing doc=%s enabled=%s public_url=%s backend_url=%s jwt_set=%s",
                document_id,
-                settings.onlyoffice_enabled,
-                settings.onlyoffice_public_url,
-                settings.onlyoffice_backend_url,
-                bool(settings.onlyoffice_jwt_secret),
+                onlyoffice_settings.enabled,
+                onlyoffice_settings.public_url,
+                onlyoffice_settings.backend_url,
+                bool(onlyoffice_settings.jwt_secret),
            )
            raise ValueError("ONLYOFFICE JWT 密钥未配置。")

        index = self._load_index()
        entry = self._require_entry(index, document_id)
        extension = self._extract_extension(entry["original_name"])
-        if extension not in ONLYOFFICE_EDITABLE_EXTENSIONS:
-            raise ValueError("当前文件格式不支持 ONLYOFFICE 预览。")
-
-        document_type = self._resolve_onlyoffice_document_type(extension)
-        backend_base_url = settings.onlyoffice_backend_url.rstrip("/")
-        public_url = settings.onlyoffice_public_url.rstrip("/")
-        access_token = self._build_onlyoffice_access_token(document_id)
-        document_url = (
-            f"{backend_base_url}{settings.api_v1_prefix}/knowledge/documents/{document_id}/onlyoffice/content"
-            f"?access_token={access_token}"
-        )
+        if extension not in ONLYOFFICE_EDITABLE_EXTENSIONS:
+            raise ValueError("当前文件格式不支持 ONLYOFFICE 预览。")
+
+        document_type = self._resolve_onlyoffice_document_type(extension)
+        backend_base_url = onlyoffice_settings.backend_url.rstrip("/")
+        public_url = onlyoffice_settings.public_url.rstrip("/")
+        access_token = self._build_onlyoffice_access_token(document_id)
+        document_url = (
+            f"{backend_base_url}{settings.api_v1_prefix}/knowledge/documents/{document_id}/onlyoffice/content"
+            f"?access_token={access_token}"
+        )
        callback_url = (
            f"{backend_base_url}{settings.api_v1_prefix}/knowledge/documents/{document_id}/onlyoffice/callback"
        )
@@ -322,23 +324,23 @@ class KnowledgeService:
            "width": "100%",
            "height": "100%",
        }
-        config["token"] = jwt.encode(config, settings.onlyoffice_jwt_secret, algorithm="HS256")
+        config["token"] = jwt.encode(config, onlyoffice_settings.jwt_secret, algorithm="HS256")

        return KnowledgeOnlyOfficeConfigRead(
            documentServerUrl=public_url,
            config=config,
        )

-    def validate_onlyoffice_access_token(self, document_id: str, access_token: str) -> None:
-        settings = get_settings()
-        try:
-            payload = jwt.decode(
-                access_token,
-                settings.onlyoffice_jwt_secret,
-                algorithms=["HS256"],
-            )
-        except jwt.PyJWTError as exc:
-            raise ValueError("ONLYOFFICE 文件访问令牌无效。") from exc
+    def validate_onlyoffice_access_token(self, document_id: str, access_token: str) -> None:
+        onlyoffice_settings = resolve_onlyoffice_settings()
+        try:
+            payload = jwt.decode(
+                access_token,
+                onlyoffice_settings.jwt_secret,
+                algorithms=["HS256"],
+            )
+        except jwt.PyJWTError as exc:
+            raise ValueError("ONLYOFFICE 文件访问令牌无效。") from exc

        if payload.get("scope") != "onlyoffice-content" or payload.get("document_id") != document_id:
            raise ValueError("ONLYOFFICE 文件访问令牌无效。")
@@ -665,13 +667,13 @@ class KnowledgeService:
        checksum = str(entry.get("sha256") or "")[:12]
        return f"{entry['id']}-v{version}-{checksum or 'nochecksum'}"

-    def _build_onlyoffice_access_token(self, document_id: str) -> str:
-        settings = get_settings()
-        payload = {
-            "scope": "onlyoffice-content",
-            "document_id": document_id,
-        }
-        return jwt.encode(payload, settings.onlyoffice_jwt_secret, algorithm="HS256")
+    def _build_onlyoffice_access_token(self, document_id: str) -> str:
+        onlyoffice_settings = resolve_onlyoffice_settings()
+        payload = {
+            "scope": "onlyoffice-content",
+            "document_id": document_id,
+        }
+        return jwt.encode(payload, onlyoffice_settings.jwt_secret, algorithm="HS256")

    @staticmethod
    def _resolve_onlyoffice_document_type(extension: str) -> str: