Files
Commilitia-Drop/cmd/cdropd/main.go
T
admin e51666c52e 浏览器免重登:HttpOnly cookie + 服务端 session 表 + 设备名持久化
- 新增 web_sessions 表(sqlc):refresh_token 以 AES-256-GCM 落盘,密钥取自
  CDROP_SESSION_SECRET(env、不在库内);cookie 仅存不透明随机串,表 id 存其
  SHA-256,故 DB 单独泄露既换不出可用 cookie、也解不出 token
- /auth/exchange 建 session 并下发 HttpOnly; Secure; SameSite=Lax; Path=/api/auth
  cookie,响应体不再回传 refresh_token
- /auth/refresh 改为 cookie 驱动(7 天滑动失活),同时即开机静默免重登;
  新增 /auth/logout(删 session + 清 cookie)、/auth/device(写设备名入 session)
- device_name 随 session 存,开机 refresh 带回前端,抗 iOS PWA 存储清除;
  setup / 改名时 syncWebDeviceName 推送服务端
- striped per-session 锁串行化同会话并发 refresh,防一次性 refresh_token 被
  花两次而把用户从所有 tab 登出
- 前端 store 移除 refreshToken 字段(长寿命凭据彻底不进 JS);main.tsx 首屏前
  bootstrapAuth 用 cookie 静默续期,命中直接进已登录态、避免登录页闪现
- config:prod 强制 CDROP_SESSION_SECRET,缺失拒启动
- 桌面端不受影响(自有 loopback flow + Go keyring,不碰这两个端点)
2026-06-16 00:54:40 +08:00

109 lines
2.8 KiB
Go

package main
import (
"context"
"errors"
"log/slog"
"net/http"
"os"
"os/signal"
"syscall"
"time"
"commilitia.net/cdrop/internal/calls"
"commilitia.net/cdrop/internal/clipboard"
"commilitia.net/cdrop/internal/config"
"commilitia.net/cdrop/internal/db"
"commilitia.net/cdrop/internal/httpapi"
"commilitia.net/cdrop/internal/hub"
"commilitia.net/cdrop/internal/jwtauth"
"commilitia.net/cdrop/internal/relay"
"commilitia.net/cdrop/internal/transfer"
)
func main() {
logger := slog.New(slog.NewJSONHandler(os.Stdout, nil))
slog.SetDefault(logger)
cfg, err := config.Load()
if err != nil {
slog.Error("config load failed", "err", err)
os.Exit(1)
}
slog.Info("cdropd booting",
"auth_mode", cfg.AuthMode,
"listen", cfg.Listen,
"db_path", cfg.DBPath,
)
ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
defer cancel()
dbConn, err := db.Open(cfg.DBPath)
if err != nil {
slog.Error("db open failed", "err", err)
os.Exit(1)
}
defer dbConn.Close()
if err := db.Bootstrap(ctx, dbConn); err != nil {
slog.Error("db bootstrap failed", "err", err)
os.Exit(1)
}
queries := db.New(dbConn)
auth := jwtauth.New(cfg, queries)
h := hub.New(queries)
defer h.Close()
relayMgr := relay.NewManager(relay.DefaultMaxSessions, relay.DefaultSessionCap)
transfers := transfer.NewService(queries, h, relayMgr)
var cfTurn *calls.Provider
if cfg.CFTurnKeyID != "" && cfg.CFTurnAPIToken != "" {
cfTurn = calls.NewProvider(cfg.CFTurnKeyID, cfg.CFTurnAPIToken, calls.DefaultTTL)
slog.Info("cloudflare realtime TURN enabled")
} else {
slog.Info("cloudflare TURN not configured; falling back to STUN-only")
}
clip := clipboard.New(
queries,
h,
cfg.ClipboardMaxBytes,
time.Duration(cfg.ClipboardDebounceSec)*time.Second,
time.Duration(cfg.ClipboardTTLSec)*time.Second,
)
go transfer.RunSweeper(ctx, transfers)
go relayMgr.RunReaper(ctx)
go jwtauth.RunDeviceSweeper(ctx, queries, time.Duration(cfg.DeviceTTLHours)*time.Hour)
go httpapi.RunWebSessionReaper(ctx, queries)
if cfg.ClipboardTTLSec > 0 {
go clipboard.RunSweeper(ctx, clip)
}
srv := &http.Server{
Addr: cfg.Listen,
Handler: httpapi.New(cfg, dbConn, queries, auth, h, transfers, relayMgr, cfTurn, clip).Handler(),
ReadHeaderTimeout: 5 * time.Second,
}
go func() {
slog.Info("http server listening", "addr", cfg.Listen)
if err := srv.ListenAndServe(); err != nil && !errors.Is(err, http.ErrServerClosed) {
slog.Error("http server error", "err", err)
cancel()
}
}()
<-ctx.Done()
slog.Info("shutdown initiated")
shutCtx, shutCancel := context.WithTimeout(context.Background(), 5*time.Second)
defer shutCancel()
if err := srv.Shutdown(shutCtx); err != nil {
slog.Error("http shutdown error", "err", err)
}
slog.Info("cdropd stopped")
}