fix: auth logout, Nginx configs, missing dependency, CORS
- auth: logout endpoint now accepts refresh_token (was admin_id which frontend can't know) — added logout_by_token() to AuthService - api.js: sendBeacon uses Blob with application/json content-type (was sending text/plain which FastAPI couldn't parse) - Nginx: fixed SPA fallback to 404 (not SPA), added install.php PHP-FPM handler, added production HTTPS config for api.synaglobal.vip - requirements: added cryptography==44.0.0 (used by crypto.py but was missing from requirements.txt) - models: removed unused Fernet import from domain models - CORS: added http://api.synaglobal.vip origin Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -50,9 +50,18 @@ server {
|
|||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
}
|
}
|
||||||
|
|
||||||
# ── Legacy install.php redirect ──
|
# ── install.php (PHP-FPM for installer, root = /web/) ──
|
||||||
location = /install.php {
|
location ~ ^/install\.php$ {
|
||||||
return 301 /app/install.html;
|
root /www/wwwroot/api.synaglobal.vip/web;
|
||||||
|
fastcgi_pass unix:/tmp/php-cgi-82.sock;
|
||||||
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||||
|
include fastcgi_params;
|
||||||
|
}
|
||||||
|
|
||||||
|
# ── Installer assets (CSS/JS in /web/) ──
|
||||||
|
location ~ ^/(css|js|vendor)/ {
|
||||||
|
root /www/wwwroot/api.synaglobal.vip/web;
|
||||||
|
try_files $uri =404;
|
||||||
}
|
}
|
||||||
|
|
||||||
# ── Static assets ──
|
# ── Static assets ──
|
||||||
@@ -70,9 +79,9 @@ server {
|
|||||||
deny all;
|
deny all;
|
||||||
}
|
}
|
||||||
|
|
||||||
# ── SPA fallback: all paths → index.html ──
|
# ── Static HTML pages (no SPA — each page is standalone) ──
|
||||||
location / {
|
location / {
|
||||||
try_files $uri $uri/ /index.html;
|
try_files $uri $uri/ =404;
|
||||||
}
|
}
|
||||||
|
|
||||||
# ── Logging ──
|
# ── Logging ──
|
||||||
|
|||||||
@@ -0,0 +1,111 @@
|
|||||||
|
# Nexus v6.0 — Nginx Production Config (HTTPS)
|
||||||
|
# Domain: api.synaglobal.vip (宝塔面板管理)
|
||||||
|
# Backend: uvicorn 0.0.0.0:8600
|
||||||
|
# Frontend: /www/wwwroot/api.synaglobal.vip/web/app/ (Tailwind CSS v4 + Alpine.js)
|
||||||
|
|
||||||
|
# ── Upstream: Python FastAPI backend ──
|
||||||
|
upstream nexus_api {
|
||||||
|
server 127.0.0.1:8600;
|
||||||
|
keepalive 32;
|
||||||
|
}
|
||||||
|
|
||||||
|
# ── HTTP → HTTPS redirect ──
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
server_name api.synaglobal.vip;
|
||||||
|
return 301 https://$host$request_uri;
|
||||||
|
}
|
||||||
|
|
||||||
|
# ── HTTPS ──
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
server_name api.synaglobal.vip;
|
||||||
|
|
||||||
|
# SSL (宝塔面板自动管理证书)
|
||||||
|
ssl_certificate /www/server/panel/vhost/cert/api.synaglobal.vip/fullchain.pem;
|
||||||
|
ssl_certificate_key /www/server/panel/vhost/cert/api.synaglobal.vip/privkey.pem;
|
||||||
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
ssl_session_cache shared:SSL:10m;
|
||||||
|
ssl_session_timeout 10m;
|
||||||
|
|
||||||
|
# HSTS
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||||
|
|
||||||
|
# Document root = new Tailwind app directory
|
||||||
|
root /www/wwwroot/api.synaglobal.vip/web/app;
|
||||||
|
index index.html;
|
||||||
|
|
||||||
|
# ── install.php (PHP-FPM for installer, root = /web/) ──
|
||||||
|
location ~ ^/install\.php$ {
|
||||||
|
root /www/wwwroot/api.synaglobal.vip/web;
|
||||||
|
fastcgi_pass unix:/tmp/php-cgi-82.sock;
|
||||||
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||||
|
include fastcgi_params;
|
||||||
|
}
|
||||||
|
|
||||||
|
# ── Installer assets (CSS/JS in /web/) ──
|
||||||
|
location ~ ^/(css|js|vendor)/ {
|
||||||
|
root /www/wwwroot/api.synaglobal.vip/web;
|
||||||
|
try_files $uri =404;
|
||||||
|
}
|
||||||
|
|
||||||
|
# ── Python API proxy ──
|
||||||
|
location /api/ {
|
||||||
|
proxy_pass http://nexus_api;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_read_timeout 300s;
|
||||||
|
proxy_send_timeout 300s;
|
||||||
|
proxy_connect_timeout 10s;
|
||||||
|
}
|
||||||
|
|
||||||
|
# ── WebSocket proxy (alerts + WebSSH terminal) ──
|
||||||
|
location /ws/ {
|
||||||
|
proxy_pass http://nexus_api;
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection "upgrade";
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_read_timeout 3600s;
|
||||||
|
proxy_send_timeout 3600s;
|
||||||
|
}
|
||||||
|
|
||||||
|
# ── Health endpoint ──
|
||||||
|
location /health {
|
||||||
|
proxy_pass http://nexus_api;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
}
|
||||||
|
|
||||||
|
# ── Static assets (cache aggressively) ──
|
||||||
|
location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
|
||||||
|
expires 7d;
|
||||||
|
add_header Cache-Control "public, immutable";
|
||||||
|
try_files $uri =404;
|
||||||
|
}
|
||||||
|
|
||||||
|
# ── Deny sensitive files ──
|
||||||
|
location ~ /\. {
|
||||||
|
deny all;
|
||||||
|
}
|
||||||
|
location ~ /data/config\.php$ {
|
||||||
|
deny all;
|
||||||
|
}
|
||||||
|
|
||||||
|
# ── Static HTML pages (no SPA — each page is standalone) ──
|
||||||
|
location / {
|
||||||
|
try_files $uri $uri/ =404;
|
||||||
|
}
|
||||||
|
|
||||||
|
# ── Logging ──
|
||||||
|
access_log /www/wwwlogs/api.synaglobal.vip.log;
|
||||||
|
error_log /www/wwwlogs/api.synaglobal.vip.error.log;
|
||||||
|
|
||||||
|
# ── Upload limit ──
|
||||||
|
client_max_body_size 100m;
|
||||||
|
}
|
||||||
@@ -18,6 +18,7 @@ paramiko==3.5.0
|
|||||||
asyncssh==2.17.0
|
asyncssh==2.17.0
|
||||||
PyJWT==2.10.1
|
PyJWT==2.10.1
|
||||||
bcrypt==4.2.1
|
bcrypt==4.2.1
|
||||||
|
cryptography==44.0.0
|
||||||
pyyaml==6.0.2
|
pyyaml==6.0.2
|
||||||
rich==13.9.4
|
rich==13.9.4
|
||||||
redis[hiredis]==5.2.1
|
redis[hiredis]==5.2.1
|
||||||
+5
-2
@@ -29,7 +29,7 @@ class RefreshRequest(BaseModel):
|
|||||||
|
|
||||||
|
|
||||||
class LogoutRequest(BaseModel):
|
class LogoutRequest(BaseModel):
|
||||||
admin_id: int
|
refresh_token: Optional[str] = None
|
||||||
|
|
||||||
|
|
||||||
class TotpSetupRequest(BaseModel):
|
class TotpSetupRequest(BaseModel):
|
||||||
@@ -85,7 +85,10 @@ async def logout(
|
|||||||
service: AuthService = Depends(get_auth_service),
|
service: AuthService = Depends(get_auth_service),
|
||||||
):
|
):
|
||||||
"""Invalidate refresh token (client should also discard access token)"""
|
"""Invalidate refresh token (client should also discard access token)"""
|
||||||
result = await service.logout(payload.admin_id)
|
if payload.refresh_token:
|
||||||
|
result = await service.logout_by_token(payload.refresh_token)
|
||||||
|
else:
|
||||||
|
return {"success": True, "message": "已登出"}
|
||||||
return result
|
return result
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -148,7 +148,7 @@ class AuthService:
|
|||||||
return admin
|
return admin
|
||||||
|
|
||||||
async def logout(self, admin_id: int) -> dict:
|
async def logout(self, admin_id: int) -> dict:
|
||||||
"""Invalidate refresh token"""
|
"""Invalidate refresh token by admin ID"""
|
||||||
admin = await self.admin_repo.get_by_id(admin_id)
|
admin = await self.admin_repo.get_by_id(admin_id)
|
||||||
if admin:
|
if admin:
|
||||||
admin.jwt_refresh_token = None
|
admin.jwt_refresh_token = None
|
||||||
@@ -156,6 +156,16 @@ class AuthService:
|
|||||||
await self.admin_repo.update(admin)
|
await self.admin_repo.update(admin)
|
||||||
return {"success": True, "message": "已登出"}
|
return {"success": True, "message": "已登出"}
|
||||||
|
|
||||||
|
async def logout_by_token(self, refresh_token: str) -> dict:
|
||||||
|
"""Invalidate refresh token by token value (used by frontend logout)"""
|
||||||
|
admin = await self.admin_repo.get_by_refresh_token(refresh_token)
|
||||||
|
if admin:
|
||||||
|
admin.jwt_refresh_token = None
|
||||||
|
admin.jwt_token_expires = None
|
||||||
|
await self.admin_repo.update(admin)
|
||||||
|
await self._audit("logout", "admin", admin.id, f"Logout: {admin.username}")
|
||||||
|
return {"success": True, "message": "已登出"}
|
||||||
|
|
||||||
async def setup_totp(self, admin_id: int) -> dict:
|
async def setup_totp(self, admin_id: int) -> dict:
|
||||||
"""Generate TOTP secret for an admin user (before enabling)"""
|
"""Generate TOTP secret for an admin user (before enabling)"""
|
||||||
import base64
|
import base64
|
||||||
|
|||||||
@@ -13,8 +13,6 @@ from sqlalchemy import (
|
|||||||
)
|
)
|
||||||
from sqlalchemy.orm import declarative_base, relationship
|
from sqlalchemy.orm import declarative_base, relationship
|
||||||
|
|
||||||
from cryptography.fernet import Fernet
|
|
||||||
|
|
||||||
|
|
||||||
Base = declarative_base()
|
Base = declarative_base()
|
||||||
|
|
||||||
|
|||||||
+2
-1
@@ -171,8 +171,9 @@ app.add_middleware(DbSessionMiddleware)
|
|||||||
app.add_middleware(
|
app.add_middleware(
|
||||||
CORSMiddleware,
|
CORSMiddleware,
|
||||||
allow_origins=[
|
allow_origins=[
|
||||||
"http://172.31.170.47", # WSL development
|
|
||||||
"https://api.synaglobal.vip", # Production HTTPS
|
"https://api.synaglobal.vip", # Production HTTPS
|
||||||
|
"http://api.synaglobal.vip", # Production HTTP (redirects to HTTPS)
|
||||||
|
"http://172.31.170.47", # WSL development
|
||||||
"http://localhost:8600", # Local dev
|
"http://localhost:8600", # Local dev
|
||||||
],
|
],
|
||||||
allow_credentials=True,
|
allow_credentials=True,
|
||||||
|
|||||||
+4
-3
@@ -88,10 +88,11 @@ function doLogout() {
|
|||||||
const { access, refresh } = _getTokens();
|
const { access, refresh } = _getTokens();
|
||||||
if (access) {
|
if (access) {
|
||||||
try {
|
try {
|
||||||
navigator.sendBeacon(
|
const blob = new Blob(
|
||||||
API + '/auth/logout',
|
[JSON.stringify({ refresh_token: refresh })],
|
||||||
JSON.stringify({ refresh_token: refresh })
|
{ type: 'application/json' }
|
||||||
);
|
);
|
||||||
|
navigator.sendBeacon(API + '/auth/logout', blob);
|
||||||
} catch {}
|
} catch {}
|
||||||
}
|
}
|
||||||
_logout();
|
_logout();
|
||||||
|
|||||||
Reference in New Issue
Block a user