e51666c52e
- 新增 web_sessions 表(sqlc):refresh_token 以 AES-256-GCM 落盘,密钥取自 CDROP_SESSION_SECRET(env、不在库内);cookie 仅存不透明随机串,表 id 存其 SHA-256,故 DB 单独泄露既换不出可用 cookie、也解不出 token - /auth/exchange 建 session 并下发 HttpOnly; Secure; SameSite=Lax; Path=/api/auth cookie,响应体不再回传 refresh_token - /auth/refresh 改为 cookie 驱动(7 天滑动失活),同时即开机静默免重登; 新增 /auth/logout(删 session + 清 cookie)、/auth/device(写设备名入 session) - device_name 随 session 存,开机 refresh 带回前端,抗 iOS PWA 存储清除; setup / 改名时 syncWebDeviceName 推送服务端 - striped per-session 锁串行化同会话并发 refresh,防一次性 refresh_token 被 花两次而把用户从所有 tab 登出 - 前端 store 移除 refreshToken 字段(长寿命凭据彻底不进 JS);main.tsx 首屏前 bootstrapAuth 用 cookie 静默续期,命中直接进已登录态、避免登录页闪现 - config:prod 强制 CDROP_SESSION_SECRET,缺失拒启动 - 桌面端不受影响(自有 loopback flow + Go keyring,不碰这两个端点)
109 lines
2.8 KiB
Go
109 lines
2.8 KiB
Go
package main
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"log/slog"
|
|
"net/http"
|
|
"os"
|
|
"os/signal"
|
|
"syscall"
|
|
"time"
|
|
|
|
"commilitia.net/cdrop/internal/calls"
|
|
"commilitia.net/cdrop/internal/clipboard"
|
|
"commilitia.net/cdrop/internal/config"
|
|
"commilitia.net/cdrop/internal/db"
|
|
"commilitia.net/cdrop/internal/httpapi"
|
|
"commilitia.net/cdrop/internal/hub"
|
|
"commilitia.net/cdrop/internal/jwtauth"
|
|
"commilitia.net/cdrop/internal/relay"
|
|
"commilitia.net/cdrop/internal/transfer"
|
|
)
|
|
|
|
func main() {
|
|
logger := slog.New(slog.NewJSONHandler(os.Stdout, nil))
|
|
slog.SetDefault(logger)
|
|
|
|
cfg, err := config.Load()
|
|
if err != nil {
|
|
slog.Error("config load failed", "err", err)
|
|
os.Exit(1)
|
|
}
|
|
slog.Info("cdropd booting",
|
|
"auth_mode", cfg.AuthMode,
|
|
"listen", cfg.Listen,
|
|
"db_path", cfg.DBPath,
|
|
)
|
|
|
|
ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
|
|
defer cancel()
|
|
|
|
dbConn, err := db.Open(cfg.DBPath)
|
|
if err != nil {
|
|
slog.Error("db open failed", "err", err)
|
|
os.Exit(1)
|
|
}
|
|
defer dbConn.Close()
|
|
|
|
if err := db.Bootstrap(ctx, dbConn); err != nil {
|
|
slog.Error("db bootstrap failed", "err", err)
|
|
os.Exit(1)
|
|
}
|
|
|
|
queries := db.New(dbConn)
|
|
auth := jwtauth.New(cfg, queries)
|
|
h := hub.New(queries)
|
|
defer h.Close()
|
|
relayMgr := relay.NewManager(relay.DefaultMaxSessions, relay.DefaultSessionCap)
|
|
transfers := transfer.NewService(queries, h, relayMgr)
|
|
|
|
var cfTurn *calls.Provider
|
|
if cfg.CFTurnKeyID != "" && cfg.CFTurnAPIToken != "" {
|
|
cfTurn = calls.NewProvider(cfg.CFTurnKeyID, cfg.CFTurnAPIToken, calls.DefaultTTL)
|
|
slog.Info("cloudflare realtime TURN enabled")
|
|
} else {
|
|
slog.Info("cloudflare TURN not configured; falling back to STUN-only")
|
|
}
|
|
|
|
clip := clipboard.New(
|
|
queries,
|
|
h,
|
|
cfg.ClipboardMaxBytes,
|
|
time.Duration(cfg.ClipboardDebounceSec)*time.Second,
|
|
time.Duration(cfg.ClipboardTTLSec)*time.Second,
|
|
)
|
|
|
|
go transfer.RunSweeper(ctx, transfers)
|
|
go relayMgr.RunReaper(ctx)
|
|
go jwtauth.RunDeviceSweeper(ctx, queries, time.Duration(cfg.DeviceTTLHours)*time.Hour)
|
|
go httpapi.RunWebSessionReaper(ctx, queries)
|
|
if cfg.ClipboardTTLSec > 0 {
|
|
go clipboard.RunSweeper(ctx, clip)
|
|
}
|
|
|
|
srv := &http.Server{
|
|
Addr: cfg.Listen,
|
|
Handler: httpapi.New(cfg, dbConn, queries, auth, h, transfers, relayMgr, cfTurn, clip).Handler(),
|
|
ReadHeaderTimeout: 5 * time.Second,
|
|
}
|
|
|
|
go func() {
|
|
slog.Info("http server listening", "addr", cfg.Listen)
|
|
if err := srv.ListenAndServe(); err != nil && !errors.Is(err, http.ErrServerClosed) {
|
|
slog.Error("http server error", "err", err)
|
|
cancel()
|
|
}
|
|
}()
|
|
|
|
<-ctx.Done()
|
|
slog.Info("shutdown initiated")
|
|
|
|
shutCtx, shutCancel := context.WithTimeout(context.Background(), 5*time.Second)
|
|
defer shutCancel()
|
|
if err := srv.Shutdown(shutCtx); err != nil {
|
|
slog.Error("http shutdown error", "err", err)
|
|
}
|
|
slog.Info("cdropd stopped")
|
|
}
|