From e903b03afe95b55da43e4b6d30059182982790dc Mon Sep 17 00:00:00 2001 From: commilitia Date: Tue, 16 Jun 2026 01:08:05 +0800 Subject: [PATCH] =?UTF-8?q?docs=EF=BC=9A=E8=A1=A5=E5=85=85=E6=B5=8F?= =?UTF-8?q?=E8=A7=88=E5=99=A8=E5=85=8D=E9=87=8D=E7=99=BB=20+=20CDROP=5FSES?= =?UTF-8?q?SION=5FSECRET=20=E9=85=8D=E7=BD=AE?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - README:已落地补「浏览器免重登 + PWA」一项;prod 配置清单新增 CDROP_SESSION_SECRET(prod 强制非空,缺则拒启动) - .env.example、docker/compose.snippet.yaml:补 CDROP_SESSION_SECRET 模板项 --- .env.example | 3 +++ README.md | 6 ++++-- docker/compose.snippet.yaml | 2 ++ 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/.env.example b/.env.example index 8fd390d..dd6a8c3 100644 --- a/.env.example +++ b/.env.example @@ -14,6 +14,9 @@ CDROP_DEV_TOKEN=replace-with-32-byte-random-base64 # CDROP_OIDC_CLIENT_ID=your-client-id # CDROP_OIDC_REDIRECT_URI=https://your-domain.example/oauth/callback # CDROP_OIDC_SCOPES=openid profile email +# prod 强制非空:浏览器免重登会话的 refresh_token 落盘加密密钥(任意长度高熵串, +# 内部 SHA-256 派生为 32 字节 AES-256 密钥)。留空则 prod 启动期校验失败、拒启动。 +# CDROP_SESSION_SECRET= # CDROP_HS256_SECRET= # CDROP_TURN_URL=stun:your-stun.example:3478 diff --git a/README.md b/README.md index 8c0158d..40d8192 100644 --- a/README.md +++ b/README.md @@ -24,6 +24,7 @@ MVP(M0–M13)已上线 prod(OIDC PKCE 接入自建 Casdoor,Cloudflare Re - **剪贴板同步**:单条覆写式云剪贴板(短 TTL 限暴露面)+ 文本消息一次性通道 - **桌面客户端**:Wails v2(macOS universal `.app` + Windows `.exe`)—— 瘦客户端复用 web,业务全走后端 API;refresh_token 存系统密钥库(信封加密) +- **浏览器免重登 + PWA**:可安装为独立 PWA;浏览器侧 refresh_token 不再进 JS,改由服务端 HttpOnly cookie 会话持有(AES-256-GCM 落盘),关闭重开自动免重登(7 天滑动失活),设备名随会话持久化(抗 PWA 存储清除) - **iOS Shortcut**:HS256 scoped token 手动签发路径(网页签发 UI 暂停) - **安全加固**:中继会话防耗尽、HS256 强制 jti、prod 强制 audience、TURN 短 TTL、OAuth 端点限流(详见 CHANGELOG) @@ -156,6 +157,7 @@ env 见 [`.env.example`](.env.example) / `compose.snippet.yaml`。要点: 1. `CDROP_AUTH_MODE=prod`,删掉 `CDROP_DEV_TOKEN` 2. 填 `CDROP_OIDC_*`(你的 OIDC provider,如自建 Casdoor / Keycloak);在 IdP 建 confidential + PKCE client,回调白名单加 `https:///oauth/callback` 3. **`CDROP_OIDC_AUDIENCE` 必须非空**(你的 client_id,多值逗号分隔)—— 留空会跳过 audience 校验,同一 JWKS 下其他应用的 token 也能验过;后端 prod 启动期强制此项,缺则拒启动 -4. 设 `CDROP_HS256_SECRET`(iOS Shortcut scoped token 用,不用可留空) -5. 可选 `CDROP_CF_TURN_KEY_ID` + `CDROP_CF_TURN_API_TOKEN` 启用 Cloudflare Realtime TURN over TLS(不配则前端 STUN-only 兜底) +4. **`CDROP_SESSION_SECRET` 必须非空**(任意长度高熵串)—— 浏览器免重登会话的 refresh_token 落盘加密密钥(内部 SHA-256 派生 AES-256 密钥);后端 prod 启动期强制此项,缺则拒启动 +5. 设 `CDROP_HS256_SECRET`(iOS Shortcut scoped token 用,不用可留空) +6. 可选 `CDROP_CF_TURN_KEY_ID` + `CDROP_CF_TURN_API_TOKEN` 启用 Cloudflare Realtime TURN over TLS(不配则前端 STUN-only 兜底) diff --git a/docker/compose.snippet.yaml b/docker/compose.snippet.yaml index 131536a..4348d1f 100644 --- a/docker/compose.snippet.yaml +++ b/docker/compose.snippet.yaml @@ -31,6 +31,8 @@ NN-cdrop: # CDROP_OIDC_CLIENT_ID: <你的 OAuth client_id> # CDROP_OIDC_REDIRECT_URI: https://your-domain.example/oauth/callback # CDROP_OIDC_SCOPES: "openid profile email" + # prod 强制非空:浏览器免重登会话 refresh_token 落盘加密密钥(SHA-256 派生 AES-256) + # CDROP_SESSION_SECRET: REPLACE_WITH_RANDOM_HEX64 # CDROP_HS256_SECRET: REPLACE_WITH_RANDOM_HEX64 # ---- 可选:Cloudflare Realtime TURN over TLS(不配则前端 STUN-only 兜底)----