feat: 重构模型配置存储与 API Key 加密管理
主要修改点:
1. 遗留密码格式兼容 (server/src/app/core/admin_secret.py)
- 新增 legacy_admin_secret_to_password_hash(): 将旧版 admin secret 记录转换为标准 scrypt 哈希格式
2. Scrypt 密码验证增强 (server/src/app/core/security.py)
- verify_password(): 新增 scrypt$ 前缀检测,分流到专用验证函数
- 新增 verify_scrypt_password(): 解析 scrypt$ 格式哈希并验证
3. 模型配置存储重构 (server/src/app/models/system_model_setting.py)
- 新增 SystemModelSetting 模型(slot 为 PK)
- 字段: slot, provider, model_name, endpoint, capability, priority, enabled, api_key_encrypted, created_at, updated_at
4. Settings Repository 扩展 (server/src/app/repositories/settings.py)
- 新增 get_model_settings(): 获取所有模型配置
- 新增 get_model_setting(slot): 按 slot 获取单个模型配置
5. Settings Service 重构 (server/src/app/services/settings.py)
- 新增 ModelSlotConfig dataclass: 封装单个模型槽位的配置属性
- 新增 MODEL_SLOT_CONFIGS 字典: main/backup/vlm/embedding 四个槽位配置
- 重构 save_model_settings(): 批量保存模型配置到 SystemModelSetting 表
- 新增 load_model_settings(): 从 SystemModelSetting 表加载所有模型配置
- read_settings(): 整合 legacy secrets 与新的 SystemModelSetting 表数据
- write_settings(): 拆分 model secrets 到 SystemModelSetting 表
- decrypt_model_secret(): 新增从数据库读取加密的 API Key
6. 数据库模型注册 (server/src/app/db/base.py)
- 注册 SystemModelSetting 模型
7. 前端 API URL 智能解析 (web/src/services/api.js)
- 新增 isLoopbackHost(): 判断是否为回环地址
- 新增 resolveBrowserReachableApiBaseUrl(): 当后端配置为回环地址但浏览器非回环时,自动替换为浏览器 host
- 改进错误信息: "无法连接 FastAPI 后端服务,请确认后端已启动且浏览器可访问后端端口。"
8. 前端 Session 导航增强 (web/src/composables/useSystemState.js)
- installSessionNavigation(): 调用 fetchBootstrapState 后设置运行时 API Base URL
9. Settings 视图增强 (web/src/views/SettingsView.vue)
- API Key 输入框: 新增 @focus="clearModelSecretMask('xxx')" 清除遮罩
- 新增 .secret-bound-state 提示: 显示"已从数据库加密加载,测试会使用已保存密钥"
10. Settings 脚本增强 (web/src/views/scripts/SettingsView.js)
- 新增 clearModelSecretMask(slot): 清除指定槽位的 API Key 遮罩状态
11. CSS 样式 (web/src/assets/styles/views/settings-view.css)
- 新增 .secret-bound-state 样式: 显示数据库已加载密钥的提示样式
This commit is contained in:
@@ -6,8 +6,10 @@ from sqlalchemy.pool import StaticPool
|
||||
|
||||
from app.db.base import Base
|
||||
from app.schemas.auth import LoginRequest
|
||||
from app.schemas.settings import SettingsWrite
|
||||
from app.services.auth import AuthService
|
||||
from app.services.employee import EmployeeService
|
||||
from app.services.settings import SettingsService
|
||||
|
||||
|
||||
def build_session() -> Session:
|
||||
@@ -35,18 +37,14 @@ def test_employee_can_login_with_seed_default_password() -> None:
|
||||
assert result.user.isAdmin is False
|
||||
|
||||
|
||||
def test_admin_can_login_with_secret(monkeypatch) -> None:
|
||||
def test_admin_can_login_with_database_password() -> None:
|
||||
with build_session() as db:
|
||||
monkeypatch.setattr(
|
||||
"app.services.auth.read_admin_secret",
|
||||
lambda: {
|
||||
"username": "superadmin",
|
||||
"algorithm": "scrypt",
|
||||
"salt": "00",
|
||||
"derived_key": "00",
|
||||
},
|
||||
)
|
||||
monkeypatch.setattr("app.services.auth.verify_admin_secret", lambda password, record: password == "admin123")
|
||||
settings_service = SettingsService(db)
|
||||
payload = settings_service.get_settings_snapshot().model_dump()
|
||||
payload["adminForm"]["adminAccount"] = "superadmin"
|
||||
payload["adminForm"]["newPassword"] = "admin123"
|
||||
payload["adminForm"]["confirmPassword"] = "admin123"
|
||||
settings_service.save_settings_snapshot(SettingsWrite(**payload))
|
||||
|
||||
result = AuthService(db).login(
|
||||
LoginRequest(username="superadmin", password="admin123")
|
||||
|
||||
Reference in New Issue
Block a user