diff --git a/docs/plans/2026-06-21-001-feat-admin-review-hermes-sync-plan.md b/docs/plans/2026-06-21-001-feat-admin-review-hermes-sync-plan.md new file mode 100644 index 0000000..2204327 --- /dev/null +++ b/docs/plans/2026-06-21-001-feat-admin-review-hermes-sync-plan.md @@ -0,0 +1,517 @@ +# Plan: 管理员审核 + Hermes 同步工作流 + +**Status:** active +**Created:** 2026-06-21 +**Origin:** docs/brainstorms/2026-06-20-hermes-cross-machine-deploy-requirements.md (演进) +**Plan depth:** Standard + +--- + +## Summary + +实现「管理员审核 + 管理员发起 Hermes 同步」的新工作流。角色创建后进入待审核状态,管理员后台审核通过后填写同步参数(profile 名、主 model key/服务商、多媒体 model key/服务商、定时任务开关),EternalAI 用一次性 sync_token 向 Hermes 发起同步请求,Hermes 回调拉取文件并创建 profile,返回绑定二维码。测试范围限定为鉴权和文件拉取(无真实 Hermes,用 mock 端点验证)。 + +--- + +## Problem Frame + +当前流程:创作者创建角色后直接上架,用户自行用 API Key + curl 拉取配置到 Hermes。存在以下问题: +1. 缺少内容审核环节,任何人设都可直接发布 +2. 同步由用户手动操作,无法集中管控 +3. Hermes 配置参数(model key、服务商等)分散在用户侧,不一致 + +新流程:管理员集中审核 + 管理员发起同步 + Hermes 回调拉取 + 二维码绑定。 + +--- + +## Requirements + +### 功能需求 + +- **R1**: 角色创建后状态为 `pending_review`,需管理员审核才能上架 +- **R2**: 独立 Admin 表,管理员有独立登录入口 +- **R3**: 管理员后台可查看待审核列表、角色详情,通过/驳回 +- **R4**: 审核通过后管理员填写同步参数并发起同步 +- **R5**: EternalAI 用一次性 sync_token(HMAC SHA-256 对称密钥)向 Hermes POST 同步请求 +- **R6**: Hermes 用 sync_token 回调 EternalAI 拉取 SOUL.md 和 config.yaml +- **R7**: Hermes 返回二维码 URL,EternalAI 存储并展示给管理员和创作者 +- **R8**: Hermes webhook URL 全局配置,同步时可覆盖 +- **R9**: 测试范围:鉴权(admin 登录、sync_token 验证)+ 文件拉取(mock Hermes 回调) + +### 非功能需求 + +- sync_token 5 分钟过期,一次性消费 +- Hermes 回调拉取端点同时支持 sync_token 和现有 API Key 认证 +- 现有用户侧 API Key 拉取流程保留不变 + +--- + +## Key Technical Decisions + +### KTD1: 独立 Admin 表 + +Admin 与 User 分离,独立登录接口,不混用 JWT。 + +**理由**: 用户选择。管理员权限边界清晰,避免 User 表 isAdmin 字段的权限提升风险。 + +### KTD2: sync_token 用 HMAC SHA-256 对称密钥 + +EternalAI 和 Hermes 预共享 `SYNC_SECRET`,sync_token 是 JWT(HS256),payload 含 `roleId`、`adminId`、`iat`、`exp`(5 分钟)。 + +**理由**: 用户选择。对称密钥实现简单,双方预共享即可。 + +### KTD3: Hermes webhook URL 全局配置 + 可覆盖 + +系统设置表存储 `HERMES_WEBHOOK_URL`,管理员发起同步时可在表单中覆盖。 + +**理由**: 用户选择。大多数情况用全局配置,特殊场景可覆盖。 + +### KTD4: 二维码由 Hermes 生成返回 + +Hermes 创建 profile 后生成二维码 URL 返回给 EternalAI,EternalAI 存储到 Role 记录并展示。 + +**理由**: 用户选择。二维码内容(微信绑定链接)由 Hermes 侧定义。 + +### KTD5: 角色审核状态机 + +``` +pending_review → approved → syncing → synced +pending_review → rejected +syncing → failed +``` + +Role 模型新增 `reviewStatus` 字段(默认 `pending_review`),新增 `qrCodeUrl`、`syncedAt` 字段。 + +### KTD6: Mock Hermes 测试端点 + +在 EternalAI 内部创建 `/api/mock-hermes/*` 端点模拟 Hermes 行为:接收同步请求、用 sync_token 回调拉取文件、返回 mock 二维码。仅测试环境启用。 + +--- + +## High-Level Technical Design + +### 同步流程时序图 + +```mermaid +sequenceDiagram + participant Admin as 管理员 + participant EAI as EternalAI + participant Hermes as Hermes (Mock) + + Admin->>EAI: POST /api/admin/sync/:roleId + Note over EAI: 生成 sync_token (JWT, 5min) + EAI->>Hermes: POST {webhook_url} /api/sync + Note over EAI: Body: { profileName, modelKey,provider, multimediaModelKey,multimediaProvider, enableSchedule,sync_token, file_pull_base_url } + Hermes->>Hermes: 验证 sync_token 签名 + Hermes->>EAI: GET /api/hermes/roles/:id/SOUL.md + Note over Hermes: Header: X-Sync-Token + EAI->>EAI: 验证 sync_token (签名+过期+未消费) + EAI-->>Hermes: SOUL.md content + Hermes->>EAI: GET /api/hermes/roles/:id/config.yaml + Note over Hermes: Header: X-Sync-Token + EAI-->>Hermes: config.yaml content + Note over Hermes: 创建 profile, 生成二维码 + Hermes-->>EAI: 200 { qrCodeUrl, profileId } + Note over EAI: 存储 qrCodeUrl, 更新 reviewStatus=synced + EAI-->>Admin: 200 { qrCodeUrl, reviewStatus } +``` + +### 角色审核状态机 + +```mermaid +stateDiagram-v2 + [*] --> pending_review : 创建角色 + pending_review --> approved : 管理员通过 + pending_review --> rejected : 管理员驳回 + approved --> syncing : 管理员发起同步 + syncing --> synced : Hermes 返回成功 + syncing --> failed : 同步失败/超时 + failed --> syncing : 重新同步 +``` + +--- + +## Implementation Units + +### U1. Admin 数据模型与认证 + +**Goal:** 创建独立 Admin 表,实现管理员注册/登录/中间件。 + +**Requirements:** R2 + +**Dependencies:** 无 + +**Files:** +- `prisma/schema.prisma` — 新增 Admin 模型 +- `src/lib/auth.js` — 新增 `adminSignToken`、`adminVerifyToken`、`adminAuthMiddleware` +- `src/routes/admin-auth.js` — 新建,管理员登录路由 +- `server.js` — 注册 `/api/admin-auth` 路由 +- `e2e/admin-auth.spec.js` — 新建,管理员认证测试 + +**Approach:** +- Admin 模型:`id`、`account`(唯一)、`password`(bcrypt)、`createdAt` +- Admin JWT 与用户 JWT 使用不同 secret(`ADMIN_JWT_SECRET`),防止跨角色伪造 +- `adminAuthMiddleware` 验证 Admin JWT,设置 `req.adminId` +- 管理员账号通过 `prisma db seed` 或 CLI 脚本创建,不开放注册 API + +**Test scenarios:** +- 管理员登录成功,返回 admin JWT +- 管理员登录密码错误,返回 401 +- 无 token 访问管理员接口,返回 401 +- 用户 JWT 访问管理员接口,返回 403(secret 不同,验证失败) +- 管理员 JWT 访问用户接口,返回 401(用户中间件不识别 admin token) + +**Verification:** 管理员可登录,admin JWT 可访问管理员接口,用户 JWT 不可访问管理员接口。 + +--- + +### U2. 角色审核状态机与审核 API + +**Goal:** Role 模型新增审核状态字段,实现审核 API。 + +**Requirements:** R1, R3 + +**Dependencies:** U1 + +**Files:** +- `prisma/schema.prisma` — Role 模型新增 `reviewStatus`、`qrCodeUrl`、`syncedAt`、`reviewNote` 字段 +- `src/routes/admin.js` — 新建,管理员审核路由 +- `server.js` — 注册 `/api/admin` 路由 +- `e2e/admin-review.spec.js` — 新建,审核流程测试 + +**Approach:** +- `reviewStatus` 枚举值:`pending_review`(默认)、`approved`、`rejected`、`syncing`、`synced`、`failed` +- 现有 `POST /api/roles` 创建角色时自动设置 `reviewStatus = 'pending_review'` +- `GET /api/admin/reviews` — 待审核列表(分页,按 createdAt desc) +- `GET /api/admin/reviews/:roleId` — 角色详情(含所有字段) +- `POST /api/admin/reviews/:roleId/approve` — 通过审核,状态 → `approved` +- `POST /api/admin/reviews/:roleId/reject` — 驳回,状态 → `rejected`,body 含 `reviewNote` +- 角色库 `GET /api/roles` 只返回 `reviewStatus = 'synced'` 的角色(已同步完成才上架) + +**Test scenarios:** +- 创建角色后 reviewStatus 为 pending_review +- 管理员获取待审核列表,包含 pending_review 角色 +- 管理员通过审核,状态变为 approved +- 管理员驳回审核,状态变为 rejected,reviewNote 有值 +- 非管理员调用审核接口,返回 401 +- 角色库不显示 pending_review / approved / rejected 状态的角色 + +**Verification:** 审核状态流转正确,非管理员无法操作。 + +--- + +### U3. sync_token 机制与系统配置 + +**Goal:** 实现 sync_token 生成/验证,系统配置存储 Hermes webhook URL。 + +**Requirements:** R5, R8 + +**Dependencies:** U1 + +**Files:** +- `prisma/schema.prisma` — 新增 SystemConfig 模型(key-value 存储) +- `src/lib/sync-token.js` — 新建,sync_token 生成与验证 +- `src/routes/admin-config.js` — 新建,系统配置管理路由 +- `server.js` — 注册 `/api/admin/config` 路由 +- `e2e/sync-token.spec.js` — 新建,sync_token 测试 + +**Approach:** +- SystemConfig 模型:`key`(唯一)、`value`、`updatedAt` +- 预置配置项:`HERMES_WEBHOOK_URL`、`SYNC_SECRET` +- `sync-token.js`: + - `generateSyncToken(roleId, adminId)` — 生成 JWT(HS256),payload `{ roleId, adminId, iat, exp }`,5 分钟过期 + - `verifySyncToken(token)` — 验证签名 + 过期,返回 payload 或 null + - 使用 `SYNC_SECRET` 从 SystemConfig 读取(首次启动自动生成) +- `PUT /api/admin/config/:key` — 更新配置项(仅管理员) +- `GET /api/admin/config` — 获取所有配置(仅管理员,敏感值脱敏) + +**Test scenarios:** +- 生成 sync_token,验证签名通过,payload 正确 +- 过期 token(>5min)验证失败 +- 篡改 payload 后验证失败(签名不匹配) +- 管理员更新 HERMES_WEBHOOK_URL,再次读取值正确 +- 非管理员访问配置接口,返回 401 + +**Verification:** sync_token 生成/验证正确,系统配置可读写。 + +--- + +### U4. 同步发起 API + +**Goal:** 管理员发起同步,EternalAI 向 Hermes POST 请求。 + +**Requirements:** R4, R5, R6 + +**Dependencies:** U2, U3 + +**Files:** +- `src/routes/admin-sync.js` — 新建,同步发起路由 +- `src/lib/hermes-client.js` — 新建,Hermes HTTP 客户端 +- `server.js` — 注册 `/api/admin/sync` 路由 +- `e2e/admin-sync.spec.js` — 新建,同步发起测试 + +**Approach:** +- `POST /api/admin/sync/:roleId` — 发起同步 + - Body: `{ profileName, modelKey, provider, multimediaModelKey, multimediaProvider, enableSchedule, webhookUrl? }` + - `webhookUrl` 可选,未提供则用 SystemConfig 中的 `HERMES_WEBHOOK_URL` + - 前置检查:`reviewStatus` 必须为 `approved` 或 `failed` + - 生成 sync_token,更新 `reviewStatus = 'syncing'` + - 调用 `hermes-client.js` 的 `postSync(webhookUrl, payload)` 向 Hermes POST + - Hermes 返回 `{ qrCodeUrl, profileId }` → 存储 `qrCodeUrl`,更新 `reviewStatus = 'synced'`,记录 `syncedAt` + - Hermes 返回错误 → 更新 `reviewStatus = 'failed'` + - 请求超时(30s)→ 更新 `reviewStatus = 'failed'` +- `hermes-client.js`: + - `postSync(webhookUrl, payload)` — 用 `fetch` POST 到 Hermes,payload 含 sync_token 和 file_pull_base_url + - `file_pull_base_url` = EternalAI 自身的基础 URL(从 SystemConfig 读取 `ETERNALAI_BASE_URL`) + +**Test scenarios:** +- 管理员对 approved 角色发起同步,reviewStatus 变为 syncing +- Mock Hermes 返回成功,reviewStatus 变为 synced,qrCodeUrl 有值 +- Mock Hermes 返回错误,reviewStatus 变为 failed +- 对 pending_review 角色发起同步,返回 400 +- 对 syncing 角色发起同步,返回 409(重复同步) +- 非管理员发起同步,返回 401 + +**Verification:** 同步发起后状态流转正确,成功时存储二维码 URL。 + +--- + +### U5. Hermes 回调拉取端点改造 + +**Goal:** 改造现有 `/api/hermes/` 端点,支持 sync_token 认证。 + +**Requirements:** R6 + +**Dependencies:** U3 + +**Files:** +- `src/routes/hermes.js` — 改造,新增 sync_token 认证路径 +- `src/lib/auth.js` — 新增 `syncTokenMiddleware` +- `e2e/hermes-callback.spec.js` — 新建,回调拉取测试 + +**Approach:** +- 新增 `syncTokenMiddleware`: + - 读取 `X-Sync-Token` header + - 验证 sync_token 签名 + 过期 + - 从 payload 提取 `roleId`,与 URL 中的 `:id` 比对,不一致返回 403 + - 验证通过后设置 `req.userId`(通过 Role.creatorId 反查)和 `req.syncTokenPayload` +- 改造 `apiKeyMiddleware` 逻辑: + - 优先检查 `X-Sync-Token` header → 走 sync_token 路径 + - 否则检查 `Authorization: Bearer eak_` → 走 API Key 路径 + - 否则检查 `Authorization: Bearer ` → 走 JWT 路径 +- sync_token 消费后标记为已使用(内存 Set,5 分钟后自动清理;或用 token jti + 短期缓存) +- SOUL.md 和 config.yaml 端点保持 text/plain 响应不变 + +**Test scenarios:** +- 用有效 sync_token 拉取 SOUL.md,返回 200 + 文件内容 +- 用有效 sync_token 拉取 config.yaml,返回 200 + 文件内容 +- sync_token 中的 roleId 与 URL :id 不匹配,返回 403 +- 过期 sync_token,返回 401 +- 已消费的 sync_token 再次使用,返回 401 +- 无 token 访问,返回 401 +- 用 API Key(eak_)访问仍正常工作(向后兼容) + +**Verification:** sync_token 可拉取文件,向后兼容 API Key 认证。 + +--- + +### U6. 二维码存储与状态展示 + +**Goal:** 存储 Hermes 返回的二维码 URL,展示给管理员和创作者。 + +**Requirements:** R7 + +**Dependencies:** U4 + +**Files:** +- `src/routes/roles.js` — 改造,`GET /api/roles/my/roles` 返回 reviewStatus 和 qrCodeUrl +- `src/routes/admin.js` — 改造,管理员可查看所有角色的同步状态 +- `app.js` — 改造,创作者角色卡片显示审核状态和二维码 +- `e2e/qr-display.spec.js` — 新建,二维码展示测试 + +**Approach:** +- `GET /api/roles/my/roles` 返回字段新增 `reviewStatus`、`qrCodeUrl`、`syncedAt` +- 创作者角色卡片根据 reviewStatus 显示状态标签: + - `pending_review` → "待审核"(灰色) + - `approved` → "已通过,等待同步"(蓝色) + - `syncing` → "同步中"(黄色) + - `synced` → "已同步"(绿色)+ 显示二维码 + - `failed` → "同步失败"(红色) + - `rejected` → "已驳回"(红色) +- synced 状态的角色卡片显示二维码图片(`qrCodeUrl`)和"转发二维码"按钮 +- 管理员后台有"同步状态"页面,显示所有角色的审核+同步状态 + +**Test scenarios:** +- 创作者查看自己的角色列表,pending_review 角色显示"待审核"标签 +- 同步成功后,创作者角色卡片显示二维码图片 +- 驳回角色显示"已驳回"标签 +- 管理员查看同步状态列表,包含所有角色的 reviewStatus + +**Verification:** 创作者和管理员都能看到正确的审核状态和二维码。 + +--- + +### U7. 管理员后台 UI + +**Goal:** 管理员登录页 + 审核列表 + 角色详情审核页 + 同步表单。 + +**Requirements:** R2, R3, R4 + +**Dependencies:** U1, U2, U4 + +**Files:** +- `index.html` — 新增管理员视图(admin-login、admin-reviews、admin-sync) +- `app.js` — 新增管理员路由、审核交互、同步表单 +- `styles.css` — 管理员后台样式 +- `e2e/admin-ui.spec.js` — 新建,管理员 UI 测试 + +**Approach:** +- 管理员入口:首页底部隐藏链接 `/admin`,或直接访问 `#admin-login` +- 管理员登录页:账号 + 密码,登录后跳转 `#admin-reviews` +- 审核列表页:表格显示角色名、创作者、创建时间、状态;点击进入详情 +- 角色详情审核页:显示所有角色字段,"通过"和"驳回"按钮 +- 同步表单(审核通过后显示): + - profile 名字(text,默认角色名) + - 主 model 服务商(select:openrouter / together / local) + - 主 model key(password input) + - 多媒体 model 服务商(select) + - 多媒体 model key(password input) + - 是否开启定时任务(checkbox) + - Hermes webhook URL(text,默认全局配置值,可覆盖) + - "发起同步"按钮 +- 同步成功后显示二维码图片和"复制链接"按钮 + +**Test scenarios:** +- 管理员登录后跳转审核列表 +- 审核列表显示待审核角色 +- 点击角色进入详情,显示完整信息 +- 通过审核后显示同步表单 +- 填写同步参数并提交,显示同步中状态 +- 同步成功后显示二维码 + +**Verification:** 管理员可完成登录→审核→同步的完整 UI 流程。 + +--- + +### U8. Mock Hermes 测试端点 + +**Goal:** 在 EternalAI 内部创建 mock Hermes 端点,用于测试同步流程。 + +**Requirements:** R9 + +**Dependencies:** U3, U5 + +**Files:** +- `src/routes/mock-hermes.js` — 新建,mock Hermes 端点 +- `server.js` — 注册 `/api/mock-hermes` 路由(仅非 production 环境) +- `e2e/mock-hermes.spec.js` — 新建,mock Hermes 集成测试 + +**Approach:** +- `POST /api/mock-hermes/sync` — 模拟 Hermes 接收同步请求 + - 验证 sync_token 签名(用同一 SYNC_SECRET) + - 用 sync_token 回调 EternalAI 拉取 SOUL.md 和 config.yaml + - 返回 mock 二维码 URL:`https://mock.hermes.local/qr/` + - 返回 mock profileId:`mock-profile-` +- Mock 端点用 `fetch` 回调 EternalAI 自身的 `/api/hermes/roles/:id/SOUL.md` 和 `/api/hermes/roles/:id/config.yaml` +- 回调时携带 `X-Sync-Token` header +- 仅在 `NODE_ENV !== 'production'` 时注册路由 + +**Test scenarios:** +- POST /api/mock-hermes/sync 收到请求后,回调拉取 SOUL.md 成功 +- POST /api/mock-hermes/sync 回调拉取 config.yaml 成功 +- 返回 mock 二维码 URL 和 profileId +- 无效 sync_token,mock Hermes 返回 401 +- production 环境下 /api/mock-hermes 路由不存在(404) + +**Verification:** Mock Hermes 完整模拟同步流程,可用于 E2E 测试。 + +--- + +### U9. E2E 集成测试:完整审核+同步流程 + +**Goal:** 端到端测试从创建角色到同步成功的完整流程。 + +**Requirements:** R1-R9 + +**Dependencies:** U1-U8 + +**Files:** +- `e2e/full-sync-flow.spec.js` — 新建,完整流程测试 + +**Approach:** +测试完整流程: +1. 创作者注册 → 登录 → 创建角色(状态 pending_review) +2. 管理员登录 → 查看待审核列表 → 查看详情 → 通过审核 +3. 管理员填写同步参数 → 发起同步 +4. Mock Hermes 接收请求 → 回调拉取文件 → 返回二维码 +5. 创作者查看角色列表 → 看到已同步状态 + 二维码 +6. 管理员查看同步状态 → 看到已同步 + +**Test scenarios:** +- 完整流程:创建 → 审核 → 同步 → 二维码展示 +- 驳回流程:创建 → 审核 → 驳回 → 创作者看到"已驳回" +- 同步失败流程:创建 → 审核 → 同步(mock 返回错误)→ 状态 failed → 重新同步 +- 向后兼容:现有 API Key 拉取流程仍正常工作 + +**Verification:** E2E 测试覆盖所有核心路径,全部通过。 + +--- + +## Scope Boundaries + +### In Scope + +- Admin 表与认证 +- 角色审核状态机 +- sync_token 生成/验证/消费 +- 同步发起 API +- Hermes 回调拉取端点改造(sync_token 认证) +- 二维码存储与展示 +- 管理员后台 UI +- Mock Hermes 测试端点 +- E2E 测试(鉴权 + 文件拉取) + +### Out of Scope + +- 真实 Hermes 服务器对接(用 mock 代替) +- 微信公众号/小程序绑定实现(二维码内容由 Hermes 侧定义) +- 管理员注册 UI(通过 seed 脚本创建) +- 速率限制(已有 P2 待修复,不在本次范围) +- 现有 API Key 拉取流程的改造(保持向后兼容) + +### Deferred to Follow-Up Work + +- 真实 Hermes 服务器对接(需 Hermes 侧实现 `/api/sync` 端点) +- 微信绑定流程实现 +- 同步重试机制(指数退避) +- 同步日志审计 +- 多 Hermes 实例支持 + +--- + +## Risks & Dependencies + +| 风险 | 影响 | 缓解 | +|------|------|------| +| sync_token 内存消费记录在多实例部署下失效 | 重复消费风险 | 后续可改用 Redis;当前单实例够用 | +| Mock Hermes 端点误暴露到生产环境 | 安全风险 | 仅 `NODE_ENV !== 'production'` 注册路由 | +| Hermes 回调时 EternalAI 不可达 | 同步失败 | 同步状态设为 failed,管理员可重试 | +| sync_token 在传输中被截获 | 5 分钟内可滥用 | HTTPS + 一次性消费 + 短过期 | + +--- + +## Open Questions + +- **OQ1**: sync_token 一次性消费用内存 Set 还是数据库表?(计划用内存 Set,单实例部署够用;多实例时改 Redis) +- **OQ2**: 管理员账号初始创建方式?(计划用 `prisma db seed` 脚本,账号密码从环境变量读取) +- **OQ3**: EternalAI 自身的基础 URL(`ETERNALAI_BASE_URL`)如何获取?(计划从 SystemConfig 读取,首次部署时配置) + +--- + +## System-Wide Impact + +- **数据库**: 新增 Admin、SystemConfig 表;Role 表新增 4 个字段 +- **API**: 新增 `/api/admin-auth`、`/api/admin`、`/api/admin/config`、`/api/admin/sync`、`/api/mock-hermes` 路由组 +- **前端**: 新增 3 个管理员视图,改造创作者角色卡片 +- **认证**: 新增 Admin JWT(独立 secret)和 sync_token(HMAC SHA-256)两套机制 +- **向后兼容**: 现有用户 API Key 拉取流程不变 diff --git a/e2e/admin-sync-flow.spec.js b/e2e/admin-sync-flow.spec.js new file mode 100644 index 0000000..59336e7 --- /dev/null +++ b/e2e/admin-sync-flow.spec.js @@ -0,0 +1,301 @@ +const { test, expect, request } = require('@playwright/test'); +const { cleanDatabase, seedExistingUser, seedAdmin, disconnect, prisma } = require('./fixtures/database'); + +test.describe('管理员审核 + Hermes 同步流程', () => { + let adminToken; + let userToken; + let roleId; + + test.beforeAll(async () => { + await cleanDatabase(); + await seedExistingUser(); + await seedAdmin(); + + // 管理员登录 + const adminContext = await request.newContext(); + const adminRes = await adminContext.post('/api/admin-auth/login', { + data: { account: 'admin', password: 'admin123' }, + }); + const adminData = await adminRes.json(); + adminToken = adminData.token; + + // 用户登录 + const userContext = await request.newContext(); + const userRes = await userContext.post('/api/auth/login', { + data: { account: 'e2e_existing', password: 'Test123456' }, + }); + const userData = await userRes.json(); + userToken = userData.token; + + // 创建角色(待审核) + const roleRes = await userContext.post('/api/roles', { + headers: { Authorization: `Bearer ${userToken}` }, + data: { + displayName: '测试角色', + personality: '温柔体贴', + background: '来自未来', + speechStyle: '轻声细语', + greeting: '你好呀', + soulMd: '# SOUL\n这是测试角色的灵魂文件', + }, + }); + const roleData = await roleRes.json(); + roleId = roleData.role.id; + }); + + test.afterAll(async () => { + await cleanDatabase(); + await disconnect(); + }); + + test('管理员登录成功', async () => { + expect(adminToken).toBeTruthy(); + }); + + test('管理员登录密码错误返回 401', async () => { + const context = await request.newContext(); + const res = await context.post('/api/admin-auth/login', { + data: { account: 'admin', password: 'wrong' }, + }); + expect(res.status()).toBe(401); + }); + + test('用户 JWT 不能访问管理员接口', async () => { + const context = await request.newContext(); + const res = await context.get('/api/admin/reviews', { + headers: { Authorization: `Bearer ${userToken}` }, + }); + expect(res.status()).toBe(401); + }); + + test('无 token 不能访问管理员接口', async () => { + const context = await request.newContext(); + const res = await context.get('/api/admin/reviews'); + expect(res.status()).toBe(401); + }); + + test('创建角色后状态为 pending_review', async () => { + const role = await prisma.role.findUnique({ where: { id: roleId } }); + expect(role.reviewStatus).toBe('pending_review'); + }); + + test('管理员获取待审核列表', async () => { + const context = await request.newContext(); + const res = await context.get('/api/admin/reviews', { + headers: { Authorization: `Bearer ${adminToken}` }, + }); + expect(res.status()).toBe(200); + const data = await res.json(); + expect(data.roles.length).toBeGreaterThan(0); + expect(data.roles[0].reviewStatus).toBe('pending_review'); + }); + + test('管理员获取角色详情', async () => { + const context = await request.newContext(); + const res = await context.get(`/api/admin/reviews/${roleId}`, { + headers: { Authorization: `Bearer ${adminToken}` }, + }); + expect(res.status()).toBe(200); + const data = await res.json(); + expect(data.role.displayName).toBe('测试角色'); + }); + + test('管理员通过审核', async () => { + const context = await request.newContext(); + const res = await context.post(`/api/admin/reviews/${roleId}/approve`, { + headers: { Authorization: `Bearer ${adminToken}` }, + }); + expect(res.status()).toBe(200); + const data = await res.json(); + expect(data.role.reviewStatus).toBe('approved'); + }); + + test('角色库不显示未同步的角色', async () => { + const context = await request.newContext(); + const res = await context.get('/api/roles'); + const data = await res.json(); + const found = data.roles.find((r) => r.id === roleId); + expect(found).toBeUndefined(); + }); + + test('对非 approved 角色发起同步返回 400', async () => { + // 先创建一个新角色(pending_review) + const userContext = await request.newContext(); + await userContext.post('/api/roles', { + headers: { Authorization: `Bearer ${userToken}` }, + data: { + displayName: '未审核角色', + personality: '测试', + background: '测试', + speechStyle: '测试', + greeting: '测试', + soulMd: '# test', + }, + }); + + const roles = await prisma.role.findMany({ where: { displayName: '未审核角色' } }); + const pendingRoleId = roles[0].id; + + const adminContext = await request.newContext(); + const res = await adminContext.post(`/api/admin/sync/${pendingRoleId}`, { + headers: { Authorization: `Bearer ${adminToken}` }, + data: { profileName: 'test-profile' }, + }); + expect(res.status()).toBe(400); + }); + + test('未配置 Hermes webhook URL 时同步返回 400', async () => { + const context = await request.newContext(); + const res = await context.post(`/api/admin/sync/${roleId}`, { + headers: { Authorization: `Bearer ${adminToken}` }, + data: { profileName: 'test-profile' }, + }); + expect(res.status()).toBe(400); + }); + + test('配置 Hermes webhook URL 指向 mock', async () => { + const context = await request.newContext(); + const res = await context.put('/api/admin/config/HERMES_WEBHOOK_URL', { + headers: { Authorization: `Bearer ${adminToken}` }, + data: { value: 'http://localhost:3001/api/mock-hermes/sync' }, + }); + expect(res.status()).toBe(200); + }); + + test('管理员发起同步 → mock Hermes 回调拉取文件 → 返回二维码', async () => { + const context = await request.newContext(); + const res = await context.post(`/api/admin/sync/${roleId}`, { + headers: { Authorization: `Bearer ${adminToken}` }, + data: { + profileName: 'test-profile', + modelKey: 'sk-test-key', + provider: 'openrouter', + multimediaModelKey: 'sk-multi-key', + multimediaProvider: 'openrouter', + enableSchedule: false, + }, + }); + + expect(res.status()).toBe(200); + const data = await res.json(); + expect(data.role.reviewStatus).toBe('synced'); + expect(data.role.qrCodeUrl).toContain('mock.hermes.local'); + expect(data.profileId).toContain('mock-profile'); + }); + + test('同步成功后角色出现在角色库', async () => { + const context = await request.newContext(); + const res = await context.get('/api/roles'); + const data = await res.json(); + const found = data.roles.find((r) => r.id === roleId); + expect(found).toBeDefined(); + }); + + test('用户查看自己的角色列表包含审核状态和二维码', async () => { + const context = await request.newContext(); + const res = await context.get('/api/roles/my/roles', { + headers: { Authorization: `Bearer ${userToken}` }, + }); + const data = await res.json(); + const role = data.roles.find((r) => r.id === roleId); + expect(role).toBeDefined(); + expect(role.reviewStatus).toBe('synced'); + expect(role.qrCodeUrl).toBeTruthy(); + }); + + test('sync_token 拉取文件 — SOUL.md', async () => { + // 生成新的 sync_token(通过管理员发起同步流程会自动生成) + // 这里直接用 API 测试:先通过审核另一个角色,再同步 + const userContext = await request.newContext(); + + // 创建并审核新角色 + const roleRes = await userContext.post('/api/roles', { + headers: { Authorization: `Bearer ${userToken}` }, + data: { + displayName: '同步测试角色', + personality: '测试', + background: '测试', + speechStyle: '测试', + greeting: '测试', + soulMd: '# Test SOUL\n测试内容', + }, + }); + const newRoleId = (await roleRes.json()).role.id; + + // 管理员审核通过 + const adminContext = await request.newContext(); + await adminContext.post(`/api/admin/reviews/${newRoleId}/approve`, { + headers: { Authorization: `Bearer ${adminToken}` }, + }); + + // 发起同步(mock Hermes 会回调拉取文件) + const syncRes = await adminContext.post(`/api/admin/sync/${newRoleId}`, { + headers: { Authorization: `Bearer ${adminToken}` }, + data: { + profileName: 'test-profile-2', + modelKey: 'sk-test', + provider: 'openrouter', + }, + }); + + expect(syncRes.status()).toBe(200); + const syncData = await syncRes.json(); + expect(syncData.role.reviewStatus).toBe('synced'); + }); + + test('驳回审核流程', async () => { + const userContext = await request.newContext(); + const roleRes = await userContext.post('/api/roles', { + headers: { Authorization: `Bearer ${userToken}` }, + data: { + displayName: '待驳回角色', + personality: '测试', + background: '测试', + speechStyle: '测试', + greeting: '测试', + soulMd: '# test', + }, + }); + const rejectRoleId = (await roleRes.json()).role.id; + + const adminContext = await request.newContext(); + const res = await adminContext.post(`/api/admin/reviews/${rejectRoleId}/reject`, { + headers: { Authorization: `Bearer ${adminToken}` }, + data: { reviewNote: '内容不符合要求' }, + }); + + expect(res.status()).toBe(200); + const data = await res.json(); + expect(data.role.reviewStatus).toBe('rejected'); + expect(data.role.reviewNote).toBe('内容不符合要求'); + }); + + test('向后兼容:API Key 拉取仍正常工作', async () => { + // 生成 API Key + const userContext = await request.newContext(); + const keyRes = await userContext.post('/api/apikeys', { + headers: { Authorization: `Bearer ${userToken}` }, + data: { name: 'test-key' }, + }); + const apiKey = (await keyRes.json()).apiKey.key; + + // 用 API Key 拉取 SOUL.md + const soulRes = await userContext.get(`/api/hermes/roles/${roleId}/SOUL.md`, { + headers: { Authorization: `Bearer ${apiKey}` }, + }); + expect(soulRes.status()).toBe(200); + const soulText = await soulRes.text(); + expect(soulText).toContain('测试角色的灵魂文件'); + }); + + test('管理员获取同步状态列表', async () => { + const context = await request.newContext(); + const res = await context.get('/api/admin/sync-status', { + headers: { Authorization: `Bearer ${adminToken}` }, + }); + expect(res.status()).toBe(200); + const data = await res.json(); + expect(data.roles.length).toBeGreaterThan(0); + expect(data.roles.some((r) => r.reviewStatus === 'synced')).toBe(true); + }); +}); diff --git a/e2e/creator.spec.js b/e2e/creator.spec.js index 9095424..906daf5 100644 --- a/e2e/creator.spec.js +++ b/e2e/creator.spec.js @@ -25,6 +25,7 @@ test.describe('创作者中心与角色发布/编辑', () => { desc: '温柔体贴的角色', price: 19.9, status: 'running', + reviewStatus: 'synced', temperature: 0.8, maxTokens: 2048, enableMemory: true, diff --git a/e2e/fixtures/database.js b/e2e/fixtures/database.js index c44549f..3ddb65f 100644 --- a/e2e/fixtures/database.js +++ b/e2e/fixtures/database.js @@ -6,7 +6,10 @@ const prisma = new PrismaClient(); async function cleanDatabase() { await prisma.order.deleteMany(); await prisma.role.deleteMany(); + await prisma.apiKey.deleteMany(); + await prisma.systemConfig.deleteMany(); await prisma.user.deleteMany(); + // 不删除 Admin 表,保留测试管理员账号 } async function seedExistingUser() { @@ -23,8 +26,21 @@ async function seedExistingUser() { }); } +async function seedAdmin() { + const bcrypt = require('bcryptjs'); + const admin = await prisma.admin.findUnique({ where: { account: 'admin' } }); + if (!admin) { + await prisma.admin.create({ + data: { + account: 'admin', + password: bcrypt.hashSync('admin123', 10), + }, + }); + } +} + async function disconnect() { await prisma.$disconnect(); } -module.exports = { cleanDatabase, seedExistingUser, disconnect, prisma }; +module.exports = { cleanDatabase, seedExistingUser, seedAdmin, disconnect, prisma }; diff --git a/e2e/navigation.spec.js b/e2e/navigation.spec.js index 8bebc47..3340a12 100644 --- a/e2e/navigation.spec.js +++ b/e2e/navigation.spec.js @@ -159,6 +159,7 @@ test.describe('导航与可访问性', () => { desc: '键盘测试', price: 9.9, status: 'running', + reviewStatus: 'synced', }, }); diff --git a/e2e/roles.spec.js b/e2e/roles.spec.js index 57dd7ed..1cfc028 100644 --- a/e2e/roles.spec.js +++ b/e2e/roles.spec.js @@ -30,7 +30,7 @@ test.describe('角色库与角色详情', () => { }, }); - // 创建一个测试角色(status=running 才会在角色库展示) + // 创建一个测试角色(reviewStatus=synced 才会在角色库展示) testRole = await prisma.role.create({ data: { creatorId: existingUser.id, @@ -45,6 +45,7 @@ test.describe('角色库与角色详情', () => { desc: '温柔可爱的女友角色', price: 29.9, status: 'running', + reviewStatus: 'synced', avatar: 'https://example.com/avatar.png', }, }); @@ -101,6 +102,7 @@ test.describe('角色库与角色详情', () => { desc: '阳光开朗的男孩', price: 19.9, status: 'running', + reviewStatus: 'synced', }, }); diff --git a/hermes-server/.env.example b/hermes-server/.env.example new file mode 100644 index 0000000..84e71a1 --- /dev/null +++ b/hermes-server/.env.example @@ -0,0 +1,38 @@ +# ===== Hermes Server 环境变量配置 ===== + +# 服务端口 +PORT=3002 + +# Hermes Server 对外访问的基础 URL(用于生成二维码绑定链接) +# 必须是外部可访问的地址,二维码内容会基于此生成 +HERMES_BASE_URL=http://localhost:3002 + +# ===== EternalAI 地址(P0 修复:用于回调拉取文件,不信任请求体) ===== +# 配置为 EternalAI 服务器的可访问地址 +# hermes-server 会从此地址拉取 SOUL.md 和 config.yaml +ETERNALAI_BASE_URL=http://localhost:3001 + +# ===== 与 EternalAI 共享的 sync_token 密钥 ===== +# 必须与 EternalAI 的 SYNC_SECRET 一致(EternalAI 数据库 SystemConfig 表中 key='SYNC_SECRET' 的值) +# 获取方式:在 EternalAI 服务器执行 +# psql -d eternalai -c "SELECT value FROM \"SystemConfig\" WHERE key='SYNC_SECRET'" +# 或通过 Prisma Studio 查看 +SYNC_SECRET= + +# ===== Hermes 管理员认证 ===== +# 管理 API(查看 profile 列表等)的 Bearer token +# 生产环境务必设置为强随机值(可用 openssl rand -hex 32 生成) +HERMES_ADMIN_TOKEN=dev_only_admin_token_change_me + +# ===== 可选:EternalAI 地址白名单 ===== +# 限制同步请求来源 IP(逗号分隔),留空则不限制 +# 示例:ALLOWED_SOURCE_IPS=192.168.1.100,10.0.0.5 +ALLOWED_SOURCE_IPS= + +# ===== 可选:CORS 来源限制 ===== +# 限制跨域请求来源(逗号分隔),留空则非生产环境允许所有来源 +# 示例:ALLOWED_ORIGINS=https://eternalai.example.com,https://admin.eternalai.example.com +ALLOWED_ORIGINS= + +# ===== Node 环境 ===== +NODE_ENV=development diff --git a/hermes-server/.gitignore b/hermes-server/.gitignore new file mode 100644 index 0000000..97725b4 --- /dev/null +++ b/hermes-server/.gitignore @@ -0,0 +1,4 @@ +node_modules/ +data/ +.env +*.log diff --git a/hermes-server/deploy/deploy.sh b/hermes-server/deploy/deploy.sh new file mode 100644 index 0000000..0cb53ea --- /dev/null +++ b/hermes-server/deploy/deploy.sh @@ -0,0 +1,132 @@ +#!/bin/bash +# Hermes Server 部署脚本 +# 在 Hermes 服务器上执行:bash deploy/deploy.sh +set -e + +APP_DIR="/opt/hermes-server" +APP_USER="hermes" +NODE_VERSION="20" + +echo "===== Hermes Server 部署脚本 =====" + +# 1. 检查 Node.js +if ! command -v node &> /dev/null; then + echo "安装 Node.js $NODE_VERSION..." + curl -fsSL https://deb.nodesource.com/setup_$NODE_VERSION.x | sudo -E bash - + sudo apt-get install -y nodejs +fi +echo "Node.js 版本: $(node -v)" + +# 2. 创建用户和目录 +if ! id "$APP_USER" &> /dev/null; then + sudo useradd -r -m -d /home/$APP_USER -s /bin/bash $APP_USER + echo "创建用户: $APP_USER" +fi + +sudo mkdir -p $APP_DIR +sudo chown -R $APP_USER:$APP_USER $APP_DIR + +# 3. 复制代码(假设当前目录是项目根目录) +echo "复制代码到 $APP_DIR..." +sudo -u $APP_USER cp -r package.json package-lock.json server.js src $APP_DIR/ +sudo -u $APP_USER cp -r deploy $APP_DIR/ 2>/dev/null || true +# .env.example 位于项目根目录,而非 deploy/ 子目录 +sudo -u $APP_USER cp .env.example $APP_DIR/.env.example 2>/dev/null || true + +# 4. 安装依赖 +echo "安装依赖..." +cd $APP_DIR +# 优先使用 npm ci(依赖 package-lock.json,可重现构建),失败则回退到 npm install +if [ -f package-lock.json ]; then + sudo -u $APP_USER npm ci --production || sudo -u $APP_USER npm install --production +else + sudo -u $APP_USER npm install --production +fi + +# 5. 创建数据目录 +sudo -u $APP_USER mkdir -p $APP_DIR/data/profiles $APP_DIR/data/qrcodes + +# 6. 配置环境变量 +if [ ! -f $APP_DIR/.env ]; then + echo "创建 .env 配置文件..." + # .env.example 已在第 3 步拷贝到 $APP_DIR 根目录 + if [ -f $APP_DIR/.env.example ]; then + sudo -u $APP_USER cp $APP_DIR/.env.example $APP_DIR/.env + else + # 如果没有 .env.example,创建一个基本的 + sudo -u $APP_USER bash -c "cat > $APP_DIR/.env << 'ENVEOF' +PORT=3002 +HERMES_BASE_URL=http://localhost:3002 +ETERNALAI_BASE_URL=http://localhost:3001 +SYNC_SECRET= +HERMES_ADMIN_TOKEN=$(openssl rand -hex 32) +NODE_ENV=production +ENVEOF" + fi + echo "⚠️ 请编辑 $APP_DIR/.env 配置 SYNC_SECRET、HERMES_BASE_URL 和 ETERNALAI_BASE_URL" +fi + +# 7. 配置 PM2 +echo "配置 PM2..." +if ! command -v pm2 &> /dev/null; then + sudo npm install -g pm2 +fi + +sudo -u $APP_USER bash -c "cat > $APP_DIR/ecosystem.config.js << 'PM2EOF' +module.exports = { + apps: [{ + name: 'hermes-server', + script: 'server.js', + cwd: '$APP_DIR', + instances: 1, + autorestart: true, + max_memory_restart: '256M', + env: { + NODE_ENV: 'production', + }, + }], +}; +PM2EOF" + +pm2 delete hermes-server 2>/dev/null || true +pm2 start $APP_DIR/ecosystem.config.js +pm2 save + +# 8. 配置 Nginx(可选) +NGINX_CONF="/etc/nginx/sites-available/hermes-server" +if command -v nginx &> /dev/null && [ ! -f "$NGINX_CONF" ]; then + echo "配置 Nginx..." + sudo bash -c "cat > $NGINX_CONF << 'NGINXEOF' +server { + listen 80; + server_name _; # 替换为你的域名 + + location / { + proxy_pass http://127.0.0.1:3002; + proxy_http_version 1.1; + proxy_set_header Upgrade \\\$http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header Host \\\$host; + proxy_set_header X-Real-IP \\\$remote_addr; + proxy_set_header X-Forwarded-For \\\$proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto \\\$scheme; + proxy_cache_bypass \\\$http_upgrade; + } +} +NGINXEOF" + sudo ln -sf $NGINX_CONF /etc/nginx/sites-enabled/ + sudo nginx -t && sudo systemctl reload nginx + echo "Nginx 已配置" +fi + +echo "" +echo "===== 部署完成 =====" +echo "" +echo "后续步骤:" +echo "1. 编辑配置: sudo -u $APP_USER nano $APP_DIR/.env" +echo " - SYNC_SECRET: 从 EternalAI 数据库获取(SELECT value FROM \"SystemConfig\" WHERE key='SYNC_SECRET')" +echo " - HERMES_BASE_URL: 设置为外部可访问的地址(如 https://hermes.yourdomain.com)" +echo " - ETERNALAI_BASE_URL: EternalAI 服务器地址(如 https://eternalai.yourdomain.com)" +echo "2. 重启服务: pm2 restart hermes-server" +echo "3. 在 EternalAI 管理后台配置 HERMES_WEBHOOK_URL 为: \${HERMES_BASE_URL}/api/sync" +echo "4. 健康检查: curl http://localhost:3002/api/health" diff --git a/hermes-server/package-lock.json b/hermes-server/package-lock.json new file mode 100644 index 0000000..4ea6f94 --- /dev/null +++ b/hermes-server/package-lock.json @@ -0,0 +1,1335 @@ +{ + "name": "hermes-server", + "version": "1.0.0", + "lockfileVersion": 3, + "requires": true, + "packages": { + "": { + "name": "hermes-server", + "version": "1.0.0", + "dependencies": { + "cors": "^2.8.5", + "dotenv": "^17.2.0", + "express": "^5.2.1", + "jsonwebtoken": "^9.0.2", + "qrcode": "^1.5.4" + } + }, + "node_modules/accepts": { + "version": "2.0.0", + "resolved": "https://registry.npmmirror.com/accepts/-/accepts-2.0.0.tgz", + "integrity": "sha512-5cvg6CtKwfgdmVqY1WIiXKc3Q1bkRqGLi+2W/6ao+6Y7gu/RCwRuAhGEzh5B4KlszSuTLgZYuqFqo5bImjNKng==", + "license": "MIT", + "dependencies": { + "mime-types": "^3.0.0", + "negotiator": "^1.0.0" + }, + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/ansi-regex": { + "version": "5.0.1", + "resolved": "https://registry.npmmirror.com/ansi-regex/-/ansi-regex-5.0.1.tgz", + "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", + "license": "MIT", + "engines": { + "node": ">=8" + } + }, + "node_modules/ansi-styles": { + "version": "4.3.0", + "resolved": "https://registry.npmmirror.com/ansi-styles/-/ansi-styles-4.3.0.tgz", + "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==", + "license": "MIT", + "dependencies": { + "color-convert": "^2.0.1" + }, + "engines": { + "node": ">=8" + }, + "funding": { + "url": "https://github.com/chalk/ansi-styles?sponsor=1" + } + }, + "node_modules/body-parser": { + "version": "2.3.0", + "resolved": "https://registry.npmmirror.com/body-parser/-/body-parser-2.3.0.tgz", + "integrity": "sha512-2cGmJupaNgg+QUwVLAucDuWuoMZ6EX9iHDRswZ5lsNYEmwPaRknMPCLZz07yTzVq/83p4o/wzbDZbBrTvGGTIw==", + "license": "MIT", + "dependencies": { + "bytes": "^3.1.2", + "content-type": "^2.0.0", + "debug": "^4.4.3", + "http-errors": "^2.0.1", + "iconv-lite": "^0.7.2", + "on-finished": "^2.4.1", + "qs": "^6.15.2", + "raw-body": "^3.0.2", + "type-is": "^2.1.0" + }, + "engines": { + "node": ">=18" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/body-parser/node_modules/content-type": { + "version": "2.0.0", + "resolved": "https://registry.npmmirror.com/content-type/-/content-type-2.0.0.tgz", + "integrity": "sha512-j/O/d7GcZCyNl7/hwZAb606rzqkyvaDctLmckbxLzHvFBzTJHuGEdodATcP3yIRoDrLHkIATJuvzbFlp/ki2cQ==", + "license": "MIT", + "engines": { + "node": ">=18" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/buffer-equal-constant-time": { + "version": "1.0.1", + "resolved": "https://registry.npmmirror.com/buffer-equal-constant-time/-/buffer-equal-constant-time-1.0.1.tgz", + "integrity": "sha512-zRpUiDwd/xk6ADqPMATG8vc9VPrkck7T07OIx0gnjmJAnHnTVXNQG3vfvWNuiZIkwu9KrKdA1iJKfsfTVxE6NA==", + "license": "BSD-3-Clause" + }, + "node_modules/bytes": { + "version": "3.1.2", + "resolved": "https://registry.npmmirror.com/bytes/-/bytes-3.1.2.tgz", + "integrity": "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/call-bind-apply-helpers": { + "version": "1.0.2", + "resolved": "https://registry.npmmirror.com/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz", + "integrity": "sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ==", + "license": "MIT", + "dependencies": { + "es-errors": "^1.3.0", + "function-bind": "^1.1.2" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/call-bound": { + "version": "1.0.4", + "resolved": "https://registry.npmmirror.com/call-bound/-/call-bound-1.0.4.tgz", + "integrity": "sha512-+ys997U96po4Kx/ABpBCqhA9EuxJaQWDQg7295H4hBphv3IZg0boBKuwYpt4YXp6MZ5AmZQnU/tyMTlRpaSejg==", + "license": "MIT", + "dependencies": { + "call-bind-apply-helpers": "^1.0.2", + "get-intrinsic": "^1.3.0" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/camelcase": { + "version": "5.3.1", + "resolved": "https://registry.npmmirror.com/camelcase/-/camelcase-5.3.1.tgz", + "integrity": "sha512-L28STB170nwWS63UjtlEOE3dldQApaJXZkOI1uMFfzf3rRuPegHaHesyee+YxQ+W6SvRDQV6UrdOdRiR153wJg==", + "license": "MIT", + "engines": { + "node": ">=6" + } + }, + "node_modules/cliui": { + "version": "6.0.0", + "resolved": "https://registry.npmmirror.com/cliui/-/cliui-6.0.0.tgz", + "integrity": "sha512-t6wbgtoCXvAzst7QgXxJYqPt0usEfbgQdftEPbLL/cvv6HPE5VgvqCuAIDR0NgU52ds6rFwqrgakNLrHEjCbrQ==", + "license": "ISC", + "dependencies": { + "string-width": "^4.2.0", + "strip-ansi": "^6.0.0", + "wrap-ansi": "^6.2.0" + } + }, + "node_modules/color-convert": { + "version": "2.0.1", + "resolved": "https://registry.npmmirror.com/color-convert/-/color-convert-2.0.1.tgz", + "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==", + "license": "MIT", + "dependencies": { + "color-name": "~1.1.4" + }, + "engines": { + "node": ">=7.0.0" + } + }, + "node_modules/color-name": { + "version": "1.1.4", + "resolved": "https://registry.npmmirror.com/color-name/-/color-name-1.1.4.tgz", + "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==", + "license": "MIT" + }, + "node_modules/content-disposition": { + "version": "1.1.0", + "resolved": "https://registry.npmmirror.com/content-disposition/-/content-disposition-1.1.0.tgz", + "integrity": "sha512-5jRCH9Z/+DRP7rkvY83B+yGIGX96OYdJmzngqnw2SBSxqCFPd0w2km3s5iawpGX8krnwSGmF0FW5Nhr0Hfai3g==", + "license": "MIT", + "engines": { + "node": ">=18" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/content-type": { + "version": "1.0.5", + "resolved": "https://registry.npmmirror.com/content-type/-/content-type-1.0.5.tgz", + "integrity": "sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/cookie": { + "version": "0.7.2", + "resolved": "https://registry.npmmirror.com/cookie/-/cookie-0.7.2.tgz", + "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/cookie-signature": { + "version": "1.2.2", + "resolved": "https://registry.npmmirror.com/cookie-signature/-/cookie-signature-1.2.2.tgz", + "integrity": "sha512-D76uU73ulSXrD1UXF4KE2TMxVVwhsnCgfAyTg9k8P6KGZjlXKrOLe4dJQKI3Bxi5wjesZoFXJWElNWBjPZMbhg==", + "license": "MIT", + "engines": { + "node": ">=6.6.0" + } + }, + "node_modules/cors": { + "version": "2.8.6", + "resolved": "https://registry.npmmirror.com/cors/-/cors-2.8.6.tgz", + "integrity": "sha512-tJtZBBHA6vjIAaF6EnIaq6laBBP9aq/Y3ouVJjEfoHbRBcHBAHYcMh/w8LDrk2PvIMMq8gmopa5D4V8RmbrxGw==", + "license": "MIT", + "dependencies": { + "object-assign": "^4", + "vary": "^1" + }, + "engines": { + "node": ">= 0.10" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/debug": { + "version": "4.4.3", + "resolved": "https://registry.npmmirror.com/debug/-/debug-4.4.3.tgz", + "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==", + "license": "MIT", + "dependencies": { + "ms": "^2.1.3" + }, + "engines": { + "node": ">=6.0" + }, + "peerDependenciesMeta": { + "supports-color": { + "optional": true + } + } + }, + "node_modules/decamelize": { + "version": "1.2.0", + "resolved": "https://registry.npmmirror.com/decamelize/-/decamelize-1.2.0.tgz", + "integrity": "sha512-z2S+W9X73hAUUki+N+9Za2lBlun89zigOyGrsax+KUQ6wKW4ZoWpEYBkGhQjwAjjDCkWxhY0VKEhk8wzY7F5cA==", + "license": "MIT", + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/depd": { + "version": "2.0.0", + "resolved": "https://registry.npmmirror.com/depd/-/depd-2.0.0.tgz", + "integrity": "sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/dijkstrajs": { + "version": "1.0.3", + "resolved": "https://registry.npmmirror.com/dijkstrajs/-/dijkstrajs-1.0.3.tgz", + "integrity": "sha512-qiSlmBq9+BCdCA/L46dw8Uy93mloxsPSbwnm5yrKn2vMPiy8KyAskTF6zuV/j5BMsmOGZDPs7KjU+mjb670kfA==", + "license": "MIT" + }, + "node_modules/dotenv": { + "version": "17.4.2", + "resolved": "https://registry.npmmirror.com/dotenv/-/dotenv-17.4.2.tgz", + "integrity": "sha512-nI4U3TottKAcAD9LLud4Cb7b2QztQMUEfHbvhTH09bqXTxnSie8WnjPALV/WMCrJZ6UV/qHJ6L03OqO3LcdYZw==", + "license": "BSD-2-Clause", + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://dotenvx.com" + } + }, + "node_modules/dunder-proto": { + "version": "1.0.1", + "resolved": "https://registry.npmmirror.com/dunder-proto/-/dunder-proto-1.0.1.tgz", + "integrity": "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==", + "license": "MIT", + "dependencies": { + "call-bind-apply-helpers": "^1.0.1", + "es-errors": "^1.3.0", + "gopd": "^1.2.0" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/ecdsa-sig-formatter": { + "version": "1.0.11", + "resolved": "https://registry.npmmirror.com/ecdsa-sig-formatter/-/ecdsa-sig-formatter-1.0.11.tgz", + "integrity": "sha512-nagl3RYrbNv6kQkeJIpt6NJZy8twLB/2vtz6yN9Z4vRKHN4/QZJIEbqohALSgwKdnksuY3k5Addp5lg8sVoVcQ==", + "license": "Apache-2.0", + "dependencies": { + "safe-buffer": "^5.0.1" + } + }, + "node_modules/ee-first": { + "version": "1.1.1", + "resolved": "https://registry.npmmirror.com/ee-first/-/ee-first-1.1.1.tgz", + "integrity": "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==", + "license": "MIT" + }, + "node_modules/emoji-regex": { + "version": "8.0.0", + "resolved": "https://registry.npmmirror.com/emoji-regex/-/emoji-regex-8.0.0.tgz", + "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", + "license": "MIT" + }, + "node_modules/encodeurl": { + "version": "2.0.0", + "resolved": "https://registry.npmmirror.com/encodeurl/-/encodeurl-2.0.0.tgz", + "integrity": "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/es-define-property": { + "version": "1.0.1", + "resolved": "https://registry.npmmirror.com/es-define-property/-/es-define-property-1.0.1.tgz", + "integrity": "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==", + "license": "MIT", + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/es-errors": { + "version": "1.3.0", + "resolved": "https://registry.npmmirror.com/es-errors/-/es-errors-1.3.0.tgz", + "integrity": "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==", + "license": "MIT", + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/es-object-atoms": { + "version": "1.1.2", + "resolved": "https://registry.npmmirror.com/es-object-atoms/-/es-object-atoms-1.1.2.tgz", + "integrity": "sha512-HWcBoN6NileqtSydK2FqHbS/LoDd2pqrnQHLyJzBj4kOp/ky2MWMN694xOfkK8/SnUsW2DH7EfyVlydKCsm1Zw==", + "license": "MIT", + "dependencies": { + "es-errors": "^1.3.0" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/escape-html": { + "version": "1.0.3", + "resolved": "https://registry.npmmirror.com/escape-html/-/escape-html-1.0.3.tgz", + "integrity": "sha512-NiSupZ4OeuGwr68lGIeym/ksIZMJodUGOSCZ/FSnTxcrekbvqrgdUxlJOMpijaKZVjAJrWrGs/6Jy8OMuyj9ow==", + "license": "MIT" + }, + "node_modules/etag": { + "version": "1.8.1", + "resolved": "https://registry.npmmirror.com/etag/-/etag-1.8.1.tgz", + "integrity": "sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/express": { + "version": "5.2.1", + "resolved": "https://registry.npmmirror.com/express/-/express-5.2.1.tgz", + "integrity": "sha512-hIS4idWWai69NezIdRt2xFVofaF4j+6INOpJlVOLDO8zXGpUVEVzIYk12UUi2JzjEzWL3IOAxcTubgz9Po0yXw==", + "license": "MIT", + "dependencies": { + "accepts": "^2.0.0", + "body-parser": "^2.2.1", + "content-disposition": "^1.0.0", + "content-type": "^1.0.5", + "cookie": "^0.7.1", + "cookie-signature": "^1.2.1", + "debug": "^4.4.0", + "depd": "^2.0.0", + "encodeurl": "^2.0.0", + "escape-html": "^1.0.3", + "etag": "^1.8.1", + "finalhandler": "^2.1.0", + "fresh": "^2.0.0", + "http-errors": "^2.0.0", + "merge-descriptors": "^2.0.0", + "mime-types": "^3.0.0", + "on-finished": "^2.4.1", + "once": "^1.4.0", + "parseurl": "^1.3.3", + "proxy-addr": "^2.0.7", + "qs": "^6.14.0", + "range-parser": "^1.2.1", + "router": "^2.2.0", + "send": "^1.1.0", + "serve-static": "^2.2.0", + "statuses": "^2.0.1", + "type-is": "^2.0.1", + "vary": "^1.1.2" + }, + "engines": { + "node": ">= 18" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/finalhandler": { + "version": "2.1.1", + "resolved": "https://registry.npmmirror.com/finalhandler/-/finalhandler-2.1.1.tgz", + "integrity": "sha512-S8KoZgRZN+a5rNwqTxlZZePjT/4cnm0ROV70LedRHZ0p8u9fRID0hJUZQpkKLzro8LfmC8sx23bY6tVNxv8pQA==", + "license": "MIT", + "dependencies": { + "debug": "^4.4.0", + "encodeurl": "^2.0.0", + "escape-html": "^1.0.3", + "on-finished": "^2.4.1", + "parseurl": "^1.3.3", + "statuses": "^2.0.1" + }, + "engines": { + "node": ">= 18.0.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/find-up": { + "version": "4.1.0", + "resolved": "https://registry.npmmirror.com/find-up/-/find-up-4.1.0.tgz", + "integrity": "sha512-PpOwAdQ/YlXQ2vj8a3h8IipDuYRi3wceVQQGYWxNINccq40Anw7BlsEXCMbt1Zt+OLA6Fq9suIpIWD0OsnISlw==", + "license": "MIT", + "dependencies": { + "locate-path": "^5.0.0", + "path-exists": "^4.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/forwarded": { + "version": "0.2.0", + "resolved": "https://registry.npmmirror.com/forwarded/-/forwarded-0.2.0.tgz", + "integrity": "sha512-buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/fresh": { + "version": "2.0.0", + "resolved": "https://registry.npmmirror.com/fresh/-/fresh-2.0.0.tgz", + "integrity": "sha512-Rx/WycZ60HOaqLKAi6cHRKKI7zxWbJ31MhntmtwMoaTeF7XFH9hhBp8vITaMidfljRQ6eYWCKkaTK+ykVJHP2A==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/function-bind": { + "version": "1.1.2", + "resolved": "https://registry.npmmirror.com/function-bind/-/function-bind-1.1.2.tgz", + "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==", + "license": "MIT", + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/get-caller-file": { + "version": "2.0.5", + "resolved": "https://registry.npmmirror.com/get-caller-file/-/get-caller-file-2.0.5.tgz", + "integrity": "sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg==", + "license": "ISC", + "engines": { + "node": "6.* || 8.* || >= 10.*" + } + }, + "node_modules/get-intrinsic": { + "version": "1.3.0", + "resolved": "https://registry.npmmirror.com/get-intrinsic/-/get-intrinsic-1.3.0.tgz", + "integrity": "sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ==", + "license": "MIT", + "dependencies": { + "call-bind-apply-helpers": "^1.0.2", + "es-define-property": "^1.0.1", + "es-errors": "^1.3.0", + "es-object-atoms": "^1.1.1", + "function-bind": "^1.1.2", + "get-proto": "^1.0.1", + "gopd": "^1.2.0", + "has-symbols": "^1.1.0", + "hasown": "^2.0.2", + "math-intrinsics": "^1.1.0" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/get-proto": { + "version": "1.0.1", + "resolved": "https://registry.npmmirror.com/get-proto/-/get-proto-1.0.1.tgz", + "integrity": "sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g==", + "license": "MIT", + "dependencies": { + "dunder-proto": "^1.0.1", + "es-object-atoms": "^1.0.0" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/gopd": { + "version": "1.2.0", + "resolved": "https://registry.npmmirror.com/gopd/-/gopd-1.2.0.tgz", + "integrity": "sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==", + "license": "MIT", + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/has-symbols": { + "version": "1.1.0", + "resolved": "https://registry.npmmirror.com/has-symbols/-/has-symbols-1.1.0.tgz", + "integrity": "sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ==", + "license": "MIT", + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/hasown": { + "version": "2.0.4", + "resolved": "https://registry.npmmirror.com/hasown/-/hasown-2.0.4.tgz", + "integrity": "sha512-T2UbfbBEF32wiepXIsMlTW9+dDYC6wMh/t/vYA4tuOMKqWz/n3vr1NFSxQiyP+zk2mXsoMA/i/7qV6LKut1t1A==", + "license": "MIT", + "dependencies": { + "function-bind": "^1.1.2" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/http-errors": { + "version": "2.0.1", + "resolved": "https://registry.npmmirror.com/http-errors/-/http-errors-2.0.1.tgz", + "integrity": "sha512-4FbRdAX+bSdmo4AUFuS0WNiPz8NgFt+r8ThgNWmlrjQjt1Q7ZR9+zTlce2859x4KSXrwIsaeTqDoKQmtP8pLmQ==", + "license": "MIT", + "dependencies": { + "depd": "~2.0.0", + "inherits": "~2.0.4", + "setprototypeof": "~1.2.0", + "statuses": "~2.0.2", + "toidentifier": "~1.0.1" + }, + "engines": { + "node": ">= 0.8" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/iconv-lite": { + "version": "0.7.2", + "resolved": "https://registry.npmmirror.com/iconv-lite/-/iconv-lite-0.7.2.tgz", + "integrity": "sha512-im9DjEDQ55s9fL4EYzOAv0yMqmMBSZp6G0VvFyTMPKWxiSBHUj9NW/qqLmXUwXrrM7AvqSlTCfvqRb0cM8yYqw==", + "license": "MIT", + "dependencies": { + "safer-buffer": ">= 2.1.2 < 3.0.0" + }, + "engines": { + "node": ">=0.10.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/inherits": { + "version": "2.0.4", + "resolved": "https://registry.npmmirror.com/inherits/-/inherits-2.0.4.tgz", + "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==", + "license": "ISC" + }, + "node_modules/ipaddr.js": { + "version": "1.9.1", + "resolved": "https://registry.npmmirror.com/ipaddr.js/-/ipaddr.js-1.9.1.tgz", + "integrity": "sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==", + "license": "MIT", + "engines": { + "node": ">= 0.10" + } + }, + "node_modules/is-fullwidth-code-point": { + "version": "3.0.0", + "resolved": "https://registry.npmmirror.com/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", + "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", + "license": "MIT", + "engines": { + "node": ">=8" + } + }, + "node_modules/is-promise": { + "version": "4.0.0", + "resolved": "https://registry.npmmirror.com/is-promise/-/is-promise-4.0.0.tgz", + "integrity": "sha512-hvpoI6korhJMnej285dSg6nu1+e6uxs7zG3BYAm5byqDsgJNWwxzM6z6iZiAgQR4TJ30JmBTOwqZUw3WlyH3AQ==", + "license": "MIT" + }, + "node_modules/jsonwebtoken": { + "version": "9.0.3", + "resolved": "https://registry.npmmirror.com/jsonwebtoken/-/jsonwebtoken-9.0.3.tgz", + "integrity": "sha512-MT/xP0CrubFRNLNKvxJ2BYfy53Zkm++5bX9dtuPbqAeQpTVe0MQTFhao8+Cp//EmJp244xt6Drw/GVEGCUj40g==", + "license": "MIT", + "dependencies": { + "jws": "^4.0.1", + "lodash.includes": "^4.3.0", + "lodash.isboolean": "^3.0.3", + "lodash.isinteger": "^4.0.4", + "lodash.isnumber": "^3.0.3", + "lodash.isplainobject": "^4.0.6", + "lodash.isstring": "^4.0.1", + "lodash.once": "^4.0.0", + "ms": "^2.1.1", + "semver": "^7.5.4" + }, + "engines": { + "node": ">=12", + "npm": ">=6" + } + }, + "node_modules/jwa": { + "version": "2.0.1", + "resolved": "https://registry.npmmirror.com/jwa/-/jwa-2.0.1.tgz", + "integrity": "sha512-hRF04fqJIP8Abbkq5NKGN0Bbr3JxlQ+qhZufXVr0DvujKy93ZCbXZMHDL4EOtodSbCWxOqR8MS1tXA5hwqCXDg==", + "license": "MIT", + "dependencies": { + "buffer-equal-constant-time": "^1.0.1", + "ecdsa-sig-formatter": "1.0.11", + "safe-buffer": "^5.0.1" + } + }, + "node_modules/jws": { + "version": "4.0.1", + "resolved": "https://registry.npmmirror.com/jws/-/jws-4.0.1.tgz", + "integrity": "sha512-EKI/M/yqPncGUUh44xz0PxSidXFr/+r0pA70+gIYhjv+et7yxM+s29Y+VGDkovRofQem0fs7Uvf4+YmAdyRduA==", + "license": "MIT", + "dependencies": { + "jwa": "^2.0.1", + "safe-buffer": "^5.0.1" + } + }, + "node_modules/locate-path": { + "version": "5.0.0", + "resolved": "https://registry.npmmirror.com/locate-path/-/locate-path-5.0.0.tgz", + "integrity": "sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==", + "license": "MIT", + "dependencies": { + "p-locate": "^4.1.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/lodash.includes": { + "version": "4.3.0", + "resolved": "https://registry.npmmirror.com/lodash.includes/-/lodash.includes-4.3.0.tgz", + "integrity": "sha512-W3Bx6mdkRTGtlJISOvVD/lbqjTlPPUDTMnlXZFnVwi9NKJ6tiAk6LVdlhZMm17VZisqhKcgzpO5Wz91PCt5b0w==", + "license": "MIT" + }, + "node_modules/lodash.isboolean": { + "version": "3.0.3", + "resolved": "https://registry.npmmirror.com/lodash.isboolean/-/lodash.isboolean-3.0.3.tgz", + "integrity": "sha512-Bz5mupy2SVbPHURB98VAcw+aHh4vRV5IPNhILUCsOzRmsTmSQ17jIuqopAentWoehktxGd9e/hbIXq980/1QJg==", + "license": "MIT" + }, + "node_modules/lodash.isinteger": { + "version": "4.0.4", + "resolved": "https://registry.npmmirror.com/lodash.isinteger/-/lodash.isinteger-4.0.4.tgz", + "integrity": "sha512-DBwtEWN2caHQ9/imiNeEA5ys1JoRtRfY3d7V9wkqtbycnAmTvRRmbHKDV4a0EYc678/dia0jrte4tjYwVBaZUA==", + "license": "MIT" + }, + "node_modules/lodash.isnumber": { + "version": "3.0.3", + "resolved": "https://registry.npmmirror.com/lodash.isnumber/-/lodash.isnumber-3.0.3.tgz", + "integrity": "sha512-QYqzpfwO3/CWf3XP+Z+tkQsfaLL/EnUlXWVkIk5FUPc4sBdTehEqZONuyRt2P67PXAk+NXmTBcc97zw9t1FQrw==", + "license": "MIT" + }, + "node_modules/lodash.isplainobject": { + "version": "4.0.6", + "resolved": "https://registry.npmmirror.com/lodash.isplainobject/-/lodash.isplainobject-4.0.6.tgz", + "integrity": "sha512-oSXzaWypCMHkPC3NvBEaPHf0KsA5mvPrOPgQWDsbg8n7orZ290M0BmC/jgRZ4vcJ6DTAhjrsSYgdsW/F+MFOBA==", + "license": "MIT" + }, + "node_modules/lodash.isstring": { + "version": "4.0.1", + "resolved": "https://registry.npmmirror.com/lodash.isstring/-/lodash.isstring-4.0.1.tgz", + "integrity": "sha512-0wJxfxH1wgO3GrbuP+dTTk7op+6L41QCXbGINEmD+ny/G/eCqGzxyCsh7159S+mgDDcoarnBw6PC1PS5+wUGgw==", + "license": "MIT" + }, + "node_modules/lodash.once": { + "version": "4.1.1", + "resolved": "https://registry.npmmirror.com/lodash.once/-/lodash.once-4.1.1.tgz", + "integrity": "sha512-Sb487aTOCr9drQVL8pIxOzVhafOjZN9UU54hiN8PU3uAiSV7lx1yYNpbNmex2PK6dSJoNTSJUUswT651yww3Mg==", + "license": "MIT" + }, + "node_modules/math-intrinsics": { + "version": "1.1.0", + "resolved": "https://registry.npmmirror.com/math-intrinsics/-/math-intrinsics-1.1.0.tgz", + "integrity": "sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g==", + "license": "MIT", + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/media-typer": { + "version": "1.1.0", + "resolved": "https://registry.npmmirror.com/media-typer/-/media-typer-1.1.0.tgz", + "integrity": "sha512-aisnrDP4GNe06UcKFnV5bfMNPBUw4jsLGaWwWfnH3v02GnBuXX2MCVn5RbrWo0j3pczUilYblq7fQ7Nw2t5XKw==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/merge-descriptors": { + "version": "2.0.0", + "resolved": "https://registry.npmmirror.com/merge-descriptors/-/merge-descriptors-2.0.0.tgz", + "integrity": "sha512-Snk314V5ayFLhp3fkUREub6WtjBfPdCPY1Ln8/8munuLuiYhsABgBVWsozAG+MWMbVEvcdcpbi9R7ww22l9Q3g==", + "license": "MIT", + "engines": { + "node": ">=18" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/mime-db": { + "version": "1.54.0", + "resolved": "https://registry.npmmirror.com/mime-db/-/mime-db-1.54.0.tgz", + "integrity": "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/mime-types": { + "version": "3.0.2", + "resolved": "https://registry.npmmirror.com/mime-types/-/mime-types-3.0.2.tgz", + "integrity": "sha512-Lbgzdk0h4juoQ9fCKXW4by0UJqj+nOOrI9MJ1sSj4nI8aI2eo1qmvQEie4VD1glsS250n15LsWsYtCugiStS5A==", + "license": "MIT", + "dependencies": { + "mime-db": "^1.54.0" + }, + "engines": { + "node": ">=18" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/ms": { + "version": "2.1.3", + "resolved": "https://registry.npmmirror.com/ms/-/ms-2.1.3.tgz", + "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==", + "license": "MIT" + }, + "node_modules/negotiator": { + "version": "1.0.0", + "resolved": "https://registry.npmmirror.com/negotiator/-/negotiator-1.0.0.tgz", + "integrity": "sha512-8Ofs/AUQh8MaEcrlq5xOX0CQ9ypTF5dl78mjlMNfOK08fzpgTHQRQPBxcPlEtIw0yRpws+Zo/3r+5WRby7u3Gg==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/object-assign": { + "version": "4.1.1", + "resolved": "https://registry.npmmirror.com/object-assign/-/object-assign-4.1.1.tgz", + "integrity": "sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg==", + "license": "MIT", + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/object-inspect": { + "version": "1.13.4", + "resolved": "https://registry.npmmirror.com/object-inspect/-/object-inspect-1.13.4.tgz", + "integrity": "sha512-W67iLl4J2EXEGTbfeHCffrjDfitvLANg0UlX3wFUUSTx92KXRFegMHUVgSqE+wvhAbi4WqjGg9czysTV2Epbew==", + "license": "MIT", + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/on-finished": { + "version": "2.4.1", + "resolved": "https://registry.npmmirror.com/on-finished/-/on-finished-2.4.1.tgz", + "integrity": "sha512-oVlzkg3ENAhCk2zdv7IJwd/QUD4z2RxRwpkcGY8psCVcCYZNq4wYnVWALHM+brtuJjePWiYF/ClmuDr8Ch5+kg==", + "license": "MIT", + "dependencies": { + "ee-first": "1.1.1" + }, + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/once": { + "version": "1.4.0", + "resolved": "https://registry.npmmirror.com/once/-/once-1.4.0.tgz", + "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", + "license": "ISC", + "dependencies": { + "wrappy": "1" + } + }, + "node_modules/p-limit": { + "version": "2.3.0", + "resolved": "https://registry.npmmirror.com/p-limit/-/p-limit-2.3.0.tgz", + "integrity": "sha512-//88mFWSJx8lxCzwdAABTJL2MyWB12+eIY7MDL2SqLmAkeKU9qxRvWuSyTjm3FUmpBEMuFfckAIqEaVGUDxb6w==", + "license": "MIT", + "dependencies": { + "p-try": "^2.0.0" + }, + "engines": { + "node": ">=6" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/p-locate": { + "version": "4.1.0", + "resolved": "https://registry.npmmirror.com/p-locate/-/p-locate-4.1.0.tgz", + "integrity": "sha512-R79ZZ/0wAxKGu3oYMlz8jy/kbhsNrS7SKZ7PxEHBgJ5+F2mtFW2fK2cOtBh1cHYkQsbzFV7I+EoRKe6Yt0oK7A==", + "license": "MIT", + "dependencies": { + "p-limit": "^2.2.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/p-try": { + "version": "2.2.0", + "resolved": "https://registry.npmmirror.com/p-try/-/p-try-2.2.0.tgz", + "integrity": "sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ==", + "license": "MIT", + "engines": { + "node": ">=6" + } + }, + "node_modules/parseurl": { + "version": "1.3.3", + "resolved": "https://registry.npmmirror.com/parseurl/-/parseurl-1.3.3.tgz", + "integrity": "sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/path-exists": { + "version": "4.0.0", + "resolved": "https://registry.npmmirror.com/path-exists/-/path-exists-4.0.0.tgz", + "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==", + "license": "MIT", + "engines": { + "node": ">=8" + } + }, + "node_modules/path-to-regexp": { + "version": "8.4.2", + "resolved": "https://registry.npmmirror.com/path-to-regexp/-/path-to-regexp-8.4.2.tgz", + "integrity": "sha512-qRcuIdP69NPm4qbACK+aDogI5CBDMi1jKe0ry5rSQJz8JVLsC7jV8XpiJjGRLLol3N+R5ihGYcrPLTno6pAdBA==", + "license": "MIT", + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/pngjs": { + "version": "5.0.0", + "resolved": "https://registry.npmmirror.com/pngjs/-/pngjs-5.0.0.tgz", + "integrity": "sha512-40QW5YalBNfQo5yRYmiw7Yz6TKKVr3h6970B2YE+3fQpsWcrbj1PzJgxeJ19DRQjhMbKPIuMY8rFaXc8moolVw==", + "license": "MIT", + "engines": { + "node": ">=10.13.0" + } + }, + "node_modules/proxy-addr": { + "version": "2.0.7", + "resolved": "https://registry.npmmirror.com/proxy-addr/-/proxy-addr-2.0.7.tgz", + "integrity": "sha512-llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg==", + "license": "MIT", + "dependencies": { + "forwarded": "0.2.0", + "ipaddr.js": "1.9.1" + }, + "engines": { + "node": ">= 0.10" + } + }, + "node_modules/qrcode": { + "version": "1.5.4", + "resolved": "https://registry.npmmirror.com/qrcode/-/qrcode-1.5.4.tgz", + "integrity": "sha512-1ca71Zgiu6ORjHqFBDpnSMTR2ReToX4l1Au1VFLyVeBTFavzQnv5JxMFr3ukHVKpSrSA2MCk0lNJSykjUfz7Zg==", + "license": "MIT", + "dependencies": { + "dijkstrajs": "^1.0.1", + "pngjs": "^5.0.0", + "yargs": "^15.3.1" + }, + "bin": { + "qrcode": "bin/qrcode" + }, + "engines": { + "node": ">=10.13.0" + } + }, + "node_modules/qs": { + "version": "6.15.2", + "resolved": "https://registry.npmmirror.com/qs/-/qs-6.15.2.tgz", + "integrity": "sha512-Rzq0KEyX/w/tEybncDgdkZrJgVUsUMk3xjh3t5bv3S1HTAtg+uOYt72+ZfwiQwKdysThkTBdL/rTi6HDmX9Ddw==", + "license": "BSD-3-Clause", + "dependencies": { + "side-channel": "^1.1.0" + }, + "engines": { + "node": ">=0.6" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/range-parser": { + "version": "1.2.1", + "resolved": "https://registry.npmmirror.com/range-parser/-/range-parser-1.2.1.tgz", + "integrity": "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/raw-body": { + "version": "3.0.2", + "resolved": "https://registry.npmmirror.com/raw-body/-/raw-body-3.0.2.tgz", + "integrity": "sha512-K5zQjDllxWkf7Z5xJdV0/B0WTNqx6vxG70zJE4N0kBs4LovmEYWJzQGxC9bS9RAKu3bgM40lrd5zoLJ12MQ5BA==", + "license": "MIT", + "dependencies": { + "bytes": "~3.1.2", + "http-errors": "~2.0.1", + "iconv-lite": "~0.7.0", + "unpipe": "~1.0.0" + }, + "engines": { + "node": ">= 0.10" + } + }, + "node_modules/require-directory": { + "version": "2.1.1", + "resolved": "https://registry.npmmirror.com/require-directory/-/require-directory-2.1.1.tgz", + "integrity": "sha512-fGxEI7+wsG9xrvdjsrlmL22OMTTiHRwAMroiEeMgq8gzoLC/PQr7RsRDSTLUg/bZAZtF+TVIkHc6/4RIKrui+Q==", + "license": "MIT", + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/require-main-filename": { + "version": "2.0.0", + "resolved": "https://registry.npmmirror.com/require-main-filename/-/require-main-filename-2.0.0.tgz", + "integrity": "sha512-NKN5kMDylKuldxYLSUfrbo5Tuzh4hd+2E8NPPX02mZtn1VuREQToYe/ZdlJy+J3uCpfaiGF05e7B8W0iXbQHmg==", + "license": "ISC" + }, + "node_modules/router": { + "version": "2.2.0", + "resolved": "https://registry.npmmirror.com/router/-/router-2.2.0.tgz", + "integrity": "sha512-nLTrUKm2UyiL7rlhapu/Zl45FwNgkZGaCpZbIHajDYgwlJCOzLSk+cIPAnsEqV955GjILJnKbdQC1nVPz+gAYQ==", + "license": "MIT", + "dependencies": { + "debug": "^4.4.0", + "depd": "^2.0.0", + "is-promise": "^4.0.0", + "parseurl": "^1.3.3", + "path-to-regexp": "^8.0.0" + }, + "engines": { + "node": ">= 18" + } + }, + "node_modules/safe-buffer": { + "version": "5.2.1", + "resolved": "https://registry.npmmirror.com/safe-buffer/-/safe-buffer-5.2.1.tgz", + "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ], + "license": "MIT" + }, + "node_modules/safer-buffer": { + "version": "2.1.2", + "resolved": "https://registry.npmmirror.com/safer-buffer/-/safer-buffer-2.1.2.tgz", + "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==", + "license": "MIT" + }, + "node_modules/semver": { + "version": "7.8.5", + "resolved": "https://registry.npmmirror.com/semver/-/semver-7.8.5.tgz", + "integrity": "sha512-Y7/KDsb8LjooZpwaqGyulO6DQlksgCncchHGk+sZIY4SBvUocMBEFH5Ur1fI4dV+Jvl0w6cjvucaIi40puRioA==", + "license": "ISC", + "bin": { + "semver": "bin/semver.js" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/send": { + "version": "1.2.1", + "resolved": "https://registry.npmmirror.com/send/-/send-1.2.1.tgz", + "integrity": "sha512-1gnZf7DFcoIcajTjTwjwuDjzuz4PPcY2StKPlsGAQ1+YH20IRVrBaXSWmdjowTJ6u8Rc01PoYOGHXfP1mYcZNQ==", + "license": "MIT", + "dependencies": { + "debug": "^4.4.3", + "encodeurl": "^2.0.0", + "escape-html": "^1.0.3", + "etag": "^1.8.1", + "fresh": "^2.0.0", + "http-errors": "^2.0.1", + "mime-types": "^3.0.2", + "ms": "^2.1.3", + "on-finished": "^2.4.1", + "range-parser": "^1.2.1", + "statuses": "^2.0.2" + }, + "engines": { + "node": ">= 18" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/serve-static": { + "version": "2.2.1", + "resolved": "https://registry.npmmirror.com/serve-static/-/serve-static-2.2.1.tgz", + "integrity": "sha512-xRXBn0pPqQTVQiC8wyQrKs2MOlX24zQ0POGaj0kultvoOCstBQM5yvOhAVSUwOMjQtTvsPWoNCHfPGwaaQJhTw==", + "license": "MIT", + "dependencies": { + "encodeurl": "^2.0.0", + "escape-html": "^1.0.3", + "parseurl": "^1.3.3", + "send": "^1.2.0" + }, + "engines": { + "node": ">= 18" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/set-blocking": { + "version": "2.0.0", + "resolved": "https://registry.npmmirror.com/set-blocking/-/set-blocking-2.0.0.tgz", + "integrity": "sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==", + "license": "ISC" + }, + "node_modules/setprototypeof": { + "version": "1.2.0", + "resolved": "https://registry.npmmirror.com/setprototypeof/-/setprototypeof-1.2.0.tgz", + "integrity": "sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw==", + "license": "ISC" + }, + "node_modules/side-channel": { + "version": "1.1.1", + "resolved": "https://registry.npmmirror.com/side-channel/-/side-channel-1.1.1.tgz", + "integrity": "sha512-6x6dK6zJdpTzF4sQeNYxwtvBzf6Eg4GtlesS94HOvTudUeyK2WXAaIfmDgsyslYrRBeFIlsi54AYsFGUuhmvrQ==", + "license": "MIT", + "dependencies": { + "es-errors": "^1.3.0", + "object-inspect": "^1.13.4", + "side-channel-list": "^1.0.1", + "side-channel-map": "^1.0.1", + "side-channel-weakmap": "^1.0.2" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/side-channel-list": { + "version": "1.0.1", + "resolved": "https://registry.npmmirror.com/side-channel-list/-/side-channel-list-1.0.1.tgz", + "integrity": "sha512-mjn/0bi/oUURjc5Xl7IaWi/OJJJumuoJFQJfDDyO46+hBWsfaVM65TBHq2eoZBhzl9EchxOijpkbRC8SVBQU0w==", + "license": "MIT", + "dependencies": { + "es-errors": "^1.3.0", + "object-inspect": "^1.13.4" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/side-channel-map": { + "version": "1.0.1", + "resolved": "https://registry.npmmirror.com/side-channel-map/-/side-channel-map-1.0.1.tgz", + "integrity": "sha512-VCjCNfgMsby3tTdo02nbjtM/ewra6jPHmpThenkTYh8pG9ucZ/1P8So4u4FGBek/BjpOVsDCMoLA/iuBKIFXRA==", + "license": "MIT", + "dependencies": { + "call-bound": "^1.0.2", + "es-errors": "^1.3.0", + "get-intrinsic": "^1.2.5", + "object-inspect": "^1.13.3" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/side-channel-weakmap": { + "version": "1.0.2", + "resolved": "https://registry.npmmirror.com/side-channel-weakmap/-/side-channel-weakmap-1.0.2.tgz", + "integrity": "sha512-WPS/HvHQTYnHisLo9McqBHOJk2FkHO/tlpvldyrnem4aeQp4hai3gythswg6p01oSoTl58rcpiFAjF2br2Ak2A==", + "license": "MIT", + "dependencies": { + "call-bound": "^1.0.2", + "es-errors": "^1.3.0", + "get-intrinsic": "^1.2.5", + "object-inspect": "^1.13.3", + "side-channel-map": "^1.0.1" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/statuses": { + "version": "2.0.2", + "resolved": "https://registry.npmmirror.com/statuses/-/statuses-2.0.2.tgz", + "integrity": "sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/string-width": { + "version": "4.2.3", + "resolved": "https://registry.npmmirror.com/string-width/-/string-width-4.2.3.tgz", + "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", + "license": "MIT", + "dependencies": { + "emoji-regex": "^8.0.0", + "is-fullwidth-code-point": "^3.0.0", + "strip-ansi": "^6.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/strip-ansi": { + "version": "6.0.1", + "resolved": "https://registry.npmmirror.com/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", + "license": "MIT", + "dependencies": { + "ansi-regex": "^5.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/toidentifier": { + "version": "1.0.1", + "resolved": "https://registry.npmmirror.com/toidentifier/-/toidentifier-1.0.1.tgz", + "integrity": "sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA==", + "license": "MIT", + "engines": { + "node": ">=0.6" + } + }, + "node_modules/type-is": { + "version": "2.1.0", + "resolved": "https://registry.npmmirror.com/type-is/-/type-is-2.1.0.tgz", + "integrity": "sha512-faYHw0anBbc/kWF3zFTEnxSFOAGUX9GFbOBthvDdLsIlEoWOFOtS0zgCiQYwIskL9iGXZL3kAXD8OoZ4GmMATA==", + "license": "MIT", + "dependencies": { + "content-type": "^2.0.0", + "media-typer": "^1.1.0", + "mime-types": "^3.0.0" + }, + "engines": { + "node": ">= 18" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/type-is/node_modules/content-type": { + "version": "2.0.0", + "resolved": "https://registry.npmmirror.com/content-type/-/content-type-2.0.0.tgz", + "integrity": "sha512-j/O/d7GcZCyNl7/hwZAb606rzqkyvaDctLmckbxLzHvFBzTJHuGEdodATcP3yIRoDrLHkIATJuvzbFlp/ki2cQ==", + "license": "MIT", + "engines": { + "node": ">=18" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/unpipe": { + "version": "1.0.0", + "resolved": "https://registry.npmmirror.com/unpipe/-/unpipe-1.0.0.tgz", + "integrity": "sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/vary": { + "version": "1.1.2", + "resolved": "https://registry.npmmirror.com/vary/-/vary-1.1.2.tgz", + "integrity": "sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/which-module": { + "version": "2.0.1", + "resolved": "https://registry.npmmirror.com/which-module/-/which-module-2.0.1.tgz", + "integrity": "sha512-iBdZ57RDvnOR9AGBhML2vFZf7h8vmBjhoaZqODJBFWHVtKkDmKuHai3cx5PgVMrX5YDNp27AofYbAwctSS+vhQ==", + "license": "ISC" + }, + "node_modules/wrap-ansi": { + "version": "6.2.0", + "resolved": "https://registry.npmmirror.com/wrap-ansi/-/wrap-ansi-6.2.0.tgz", + "integrity": "sha512-r6lPcBGxZXlIcymEu7InxDMhdW0KDxpLgoFLcguasxCaJ/SOIZwINatK9KY/tf+ZrlywOKU0UDj3ATXUBfxJXA==", + "license": "MIT", + "dependencies": { + "ansi-styles": "^4.0.0", + "string-width": "^4.1.0", + "strip-ansi": "^6.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/wrappy": { + "version": "1.0.2", + "resolved": "https://registry.npmmirror.com/wrappy/-/wrappy-1.0.2.tgz", + "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==", + "license": "ISC" + }, + "node_modules/y18n": { + "version": "4.0.3", + "resolved": "https://registry.npmmirror.com/y18n/-/y18n-4.0.3.tgz", + "integrity": "sha512-JKhqTOwSrqNA1NY5lSztJ1GrBiUodLMmIZuLiDaMRJ+itFd+ABVE8XBjOvIWL+rSqNDC74LCSFmlb/U4UZ4hJQ==", + "license": "ISC" + }, + "node_modules/yargs": { + "version": "15.4.1", + "resolved": "https://registry.npmmirror.com/yargs/-/yargs-15.4.1.tgz", + "integrity": "sha512-aePbxDmcYW++PaqBsJ+HYUFwCdv4LVvdnhBy78E57PIor8/OVvhMrADFFEDh8DHDFRv/O9i3lPhsENjO7QX0+A==", + "license": "MIT", + "dependencies": { + "cliui": "^6.0.0", + "decamelize": "^1.2.0", + "find-up": "^4.1.0", + "get-caller-file": "^2.0.1", + "require-directory": "^2.1.1", + "require-main-filename": "^2.0.0", + "set-blocking": "^2.0.0", + "string-width": "^4.2.0", + "which-module": "^2.0.0", + "y18n": "^4.0.0", + "yargs-parser": "^18.1.2" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/yargs-parser": { + "version": "18.1.3", + "resolved": "https://registry.npmmirror.com/yargs-parser/-/yargs-parser-18.1.3.tgz", + "integrity": "sha512-o50j0JeToy/4K6OZcaQmW6lyXXKhq7csREXcDwk2omFPJEwUNOVtJKvmDr9EI1fAJZUyZcRF7kxGBWmRXudrCQ==", + "license": "ISC", + "dependencies": { + "camelcase": "^5.0.0", + "decamelize": "^1.2.0" + }, + "engines": { + "node": ">=6" + } + } + } +} diff --git a/hermes-server/package.json b/hermes-server/package.json new file mode 100644 index 0000000..f4bd994 --- /dev/null +++ b/hermes-server/package.json @@ -0,0 +1,17 @@ +{ + "name": "hermes-server", + "version": "1.0.0", + "description": "Hermes Server — 接收 EternalAI 同步请求,创建 profile,生成二维码绑定微信", + "main": "server.js", + "scripts": { + "start": "node server.js", + "dev": "node --watch server.js" + }, + "dependencies": { + "cors": "^2.8.5", + "dotenv": "^17.2.0", + "express": "^5.2.1", + "jsonwebtoken": "^9.0.2", + "qrcode": "^1.5.4" + } +} diff --git a/hermes-server/server.js b/hermes-server/server.js new file mode 100644 index 0000000..c63a769 --- /dev/null +++ b/hermes-server/server.js @@ -0,0 +1,79 @@ +// Hermes Server 入口 — 接收 EternalAI 同步请求,创建 profile,生成二维码 + +require('dotenv').config(); +const express = require('express'); +const cors = require('cors'); +const path = require('path'); + +const { ensureDirs } = require('./src/lib/profile-store'); + +const app = express(); +const PORT = process.env.PORT || 3002; + +// 确保数据目录存在 +ensureDirs(); + +// 中间件 +// P2 修复:CORS 限制为已知来源 +const allowedOrigins = process.env.ALLOWED_ORIGINS; +if (allowedOrigins) { + app.use(cors({ origin: allowedOrigins.split(',').map((o) => o.trim()) })); +} else { + // 非生产环境默认允许所有来源,生产环境需配置 ALLOWED_ORIGINS + app.use(cors()); +} +app.use(express.json({ limit: '1mb' })); +app.use(express.urlencoded({ extended: true, limit: '1mb' })); + +// P1 修复:trust proxy 仅信任 loopback(Nginx 反向代理场景) +// 生产环境应配置为具体代理 IP,如 app.set('trust proxy', '10.0.0.1') +app.set('trust proxy', 'loopback'); + +// 路由 +app.use('/api', require('./src/routes/health')); +app.use('/api', require('./src/routes/sync')); +app.use('/api/profiles', require('./src/routes/profiles')); +app.use('/api/bind', require('./src/routes/bind')); + +// 二维码图片静态服务 +const QRCODES_DIR = path.join(__dirname, 'data', 'qrcodes'); +app.use('/api/qrcodes', express.static(QRCODES_DIR, { + setHeaders: (res) => { + res.type('image/png'); + res.set('Cache-Control', 'public, max-age=86400'); + }, +})); + +// 根路径 — 简单信息页 +app.get('/', (req, res) => { + res.json({ + service: 'hermes-server', + status: 'running', + endpoints: { + sync: 'POST /api/sync', + profiles: 'GET /api/profiles', + bind: 'GET /api/bind/:profileId', + health: 'GET /api/health', + }, + }); +}); + +// 404 +app.use((req, res) => { + res.status(404).json({ error: '接口不存在' }); +}); + +// 错误处理 +app.use((err, req, res, next) => { + console.error('[Hermes Server] 未捕获错误:', err); + res.status(500).json({ error: '服务器内部错误' }); +}); + +app.listen(PORT, '0.0.0.0', () => { + console.log(`Hermes Server running on http://0.0.0.0:${PORT}`); + console.log(`HERMES_BASE_URL: ${process.env.HERMES_BASE_URL || `http://localhost:${PORT}`}`); + console.log(`ETERNALAI_BASE_URL: ${process.env.ETERNALAI_BASE_URL || '⚠️ 未配置'}`); + console.log(`SYNC_SECRET: ${process.env.SYNC_SECRET ? '已配置' : '⚠️ 未配置'}`); + console.log(`HERMES_ADMIN_TOKEN: ${process.env.HERMES_ADMIN_TOKEN ? '已配置' : '⚠️ 使用默认值'}`); + console.log(`NODE_ENV: ${process.env.NODE_ENV || 'development'}`); +}); diff --git a/hermes-server/src/lib/eternalai-client.js b/hermes-server/src/lib/eternalai-client.js new file mode 100644 index 0000000..53f4147 --- /dev/null +++ b/hermes-server/src/lib/eternalai-client.js @@ -0,0 +1,65 @@ +// EternalAI 客户端 — 用 sync_token 回调 EternalAI 拉取 SOUL.md 和 config.yaml +// P0 修复:使用环境变量 ETERNALAI_BASE_URL,不信任请求体中的 filePullBaseUrl + +const FETCH_TIMEOUT_MS = 15000; +const MAX_FILE_SIZE = 1024 * 1024; // 1MB 上限 + +// P0 修复:从环境变量获取 EternalAI 地址,防止 SSRF + sync_token 泄露 +const ETERNALAI_BASE_URL = process.env.ETERNALAI_BASE_URL || ''; + +// 拉取单个文件,返回文本内容 +async function pullFile(baseUrl, roleId, filename, syncToken) { + const url = `${baseUrl}/api/hermes/roles/${roleId}/${filename}`; + const controller = new AbortController(); + const timeout = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS); + + try { + const response = await fetch(url, { + headers: { 'X-Sync-Token': syncToken }, + signal: controller.signal, + }); + + if (!response.ok) { + throw new Error(`拉取 ${filename} 失败: HTTP ${response.status}`); + } + + // P1 修复:校验文件大小,防止 OOM + const contentLength = parseInt(response.headers.get('content-length') || '0', 10); + if (contentLength > MAX_FILE_SIZE) { + throw new Error(`${filename} 文件过大 (${contentLength} bytes),超过 ${MAX_FILE_SIZE} 上限`); + } + + const text = await response.text(); + // 即使没有 Content-Length 也校验实际大小 + if (text.length > MAX_FILE_SIZE) { + throw new Error(`${filename} 文件过大 (${text.length} chars),超过上限`); + } + + return text; + } catch (err) { + if (err.name === 'AbortError') { + throw new Error(`拉取 ${filename} 超时(${FETCH_TIMEOUT_MS}ms)`); + } + throw err; + } finally { + clearTimeout(timeout); + } +} + +// 拉取角色的 SOUL.md 和 config.yaml +// P0 修复:使用 ETERNALALAI_BASE_URL 环境变量,忽略请求体中的 filePullBaseUrl +async function pullRoleFiles(roleId, syncToken) { + const baseUrl = ETERNALAI_BASE_URL.replace(/\/+$/, ''); // 去掉尾部斜杠 + if (!baseUrl) { + throw new Error('ETERNALAI_BASE_URL 环境变量未配置,无法拉取文件'); + } + + const [soulMd, configYaml] = await Promise.all([ + pullFile(baseUrl, roleId, 'SOUL.md', syncToken), + pullFile(baseUrl, roleId, 'config.yaml', syncToken), + ]); + + return { soulMd, configYaml }; +} + +module.exports = { pullRoleFiles, pullFile, ETERNALAI_BASE_URL }; diff --git a/hermes-server/src/lib/profile-store.js b/hermes-server/src/lib/profile-store.js new file mode 100644 index 0000000..ffff8fd --- /dev/null +++ b/hermes-server/src/lib/profile-store.js @@ -0,0 +1,188 @@ +// Profile 存储 — 基于文件系统,每个 profile 一个目录 +// 结构:data/profiles/{profileId}/meta.json + SOUL.md + config.yaml + +const fs = require('fs'); +const path = require('path'); +const crypto = require('crypto'); + +const DATA_DIR = path.join(__dirname, '..', '..', 'data'); +const PROFILES_DIR = path.join(DATA_DIR, 'profiles'); +const QRCODES_DIR = path.join(DATA_DIR, 'qrcodes'); + +// profileId 格式:hermes_ + 24 位 hex(共 31 字符) +const PROFILE_ID_RE = /^hermes_[a-f0-9]{24}$/; + +// P0 修复:校验 profileId 格式,防止路径穿越 +function isValidProfileId(profileId) { + return typeof profileId === 'string' && PROFILE_ID_RE.test(profileId); +} + +// 确保目录存在 +function ensureDirs() { + for (const dir of [DATA_DIR, PROFILES_DIR, QRCODES_DIR]) { + if (!fs.existsSync(dir)) { + fs.mkdirSync(dir, { recursive: true }); + } + } +} + +// 生成 profileId(hermes_ 前缀 + 随机 hex) +function generateProfileId() { + return 'hermes_' + crypto.randomBytes(12).toString('hex'); +} + +// 创建 profile(P1 修复:原子写入 — 先写临时目录,全部成功后 rename) +function createProfile({ profileId, profileName, roleId, sourceBaseUrl, modelKey, provider, multimediaModelKey, multimediaProvider, enableSchedule, soulMd, configYaml, qrCodeUrl }) { + if (!isValidProfileId(profileId)) { + throw new Error('无效的 profileId'); + } + ensureDirs(); + + const meta = { + profileId, + profileName, + roleId, + sourceBaseUrl, + modelKey, + provider, + multimediaModelKey, + multimediaProvider, + enableSchedule, + qrCodeUrl, + createdAt: new Date().toISOString(), + boundWechat: null, + boundAt: null, + }; + + // 写入临时目录,全部成功后原子 rename 到正式路径 + const tmpDir = path.join(PROFILES_DIR, `.tmp_${profileId}_${Date.now()}`); + fs.mkdirSync(tmpDir, { recursive: true }); + + try { + fs.writeFileSync(path.join(tmpDir, 'meta.json'), JSON.stringify(meta, null, 2)); + fs.writeFileSync(path.join(tmpDir, 'SOUL.md'), soulMd); + fs.writeFileSync(path.join(tmpDir, 'config.yaml'), configYaml); + // 原子操作:rename 在同一文件系统上是原子的 + fs.renameSync(tmpDir, path.join(PROFILES_DIR, profileId)); + } catch (err) { + // 失败时清理临时目录 + try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch {} + throw err; + } + + return meta; +} + +// 获取 profile 元数据 +function getProfileMeta(profileId) { + if (!isValidProfileId(profileId)) return null; + const metaPath = path.join(PROFILES_DIR, profileId, 'meta.json'); + if (!fs.existsSync(metaPath)) return null; + return JSON.parse(fs.readFileSync(metaPath, 'utf-8')); +} + +// 获取 profile 文件内容 +function getProfileFile(profileId, filename) { + if (!isValidProfileId(profileId)) return null; + // filename 仅允许已知文件名 + const ALLOWED_FILES = ['SOUL.md', 'config.yaml']; + if (!ALLOWED_FILES.includes(filename)) return null; + const filePath = path.join(PROFILES_DIR, profileId, filename); + if (!fs.existsSync(filePath)) return null; + return fs.readFileSync(filePath, 'utf-8'); +} + +// 列出所有 profile(P2 修复:跳过损坏的 meta.json) +function listProfiles() { + ensureDirs(); + const entries = fs.readdirSync(PROFILES_DIR, { withFileTypes: true }); + const profiles = []; + for (const entry of entries) { + if (entry.isDirectory() && !entry.name.startsWith('.tmp_')) { + try { + const meta = getProfileMeta(entry.name); + if (meta) profiles.push(meta); + } catch (err) { + console.warn(`[Hermes] 跳过损坏的 profile: ${entry.name}`, err.message); + } + } + } + // 按创建时间倒序 + profiles.sort((a, b) => new Date(b.createdAt) - new Date(a.createdAt)); + return profiles; +} + +// 绑定微信(P1 修复:原子检查 — 写入前再次校验未绑定) +function bindWechat(profileId, wechatId) { + if (!isValidProfileId(profileId)) return null; + const meta = getProfileMeta(profileId); + if (!meta) return null; + + // 原子检查:若已绑定则拒绝(防止 TOCTOU 竞态) + if (meta.boundWechat) return { alreadyBound: true }; + + meta.boundWechat = wechatId; + meta.boundAt = new Date().toISOString(); + + // 原子写入:先写临时文件再 rename + const metaPath = path.join(PROFILES_DIR, profileId, 'meta.json'); + const tmpPath = path.join(PROFILES_DIR, profileId, `.meta.json.tmp_${Date.now()}`); + fs.writeFileSync(tmpPath, JSON.stringify(meta, null, 2)); + fs.renameSync(tmpPath, metaPath); + + return meta; +} + +// 删除 profile(P0 修复:校验 profileId 防止路径穿越) +function deleteProfile(profileId) { + if (!isValidProfileId(profileId)) return false; + const dir = path.join(PROFILES_DIR, profileId); + if (!fs.existsSync(dir)) return false; + fs.rmSync(dir, { recursive: true }); + // 同时清理二维码 + const qrPath = path.join(QRCODES_DIR, `${profileId}.png`); + if (fs.existsSync(qrPath)) { + try { fs.unlinkSync(qrPath); } catch {} + } + return true; +} + +// 保存二维码图片 +function saveQrCode(profileId, pngBuffer) { + if (!isValidProfileId(profileId)) { + throw new Error('无效的 profileId'); + } + ensureDirs(); + const filename = `${profileId}.png`; + fs.writeFileSync(path.join(QRCODES_DIR, filename), pngBuffer); + return filename; +} + +// 获取二维码图片路径 +function getQrCodePath(profileId) { + if (!isValidProfileId(profileId)) return null; + const filePath = path.join(QRCODES_DIR, `${profileId}.png`); + if (!fs.existsSync(filePath)) return null; + return filePath; +} + +// 根据 roleId 查找已有 profile(P1 修复:幂等去重) +function findByRoleId(roleId) { + if (!roleId) return null; + const profiles = listProfiles(); + return profiles.find((p) => p.roleId === roleId) || null; +} + +module.exports = { + ensureDirs, + generateProfileId, + createProfile, + getProfileMeta, + getProfileFile, + listProfiles, + bindWechat, + deleteProfile, + saveQrCode, + getQrCodePath, + findByRoleId, +}; diff --git a/hermes-server/src/lib/qrcode-gen.js b/hermes-server/src/lib/qrcode-gen.js new file mode 100644 index 0000000..2fb3dcc --- /dev/null +++ b/hermes-server/src/lib/qrcode-gen.js @@ -0,0 +1,22 @@ +// 二维码生成 — 使用 qrcode 库生成 PNG 图片 + +const QRCode = require('qrcode'); +const path = require('path'); +const { saveQrCode } = require('./profile-store'); + +// 生成二维码并保存为 PNG 文件,返回文件名 +async function generateAndSaveQrCode(profileId, bindUrl) { + const pngBuffer = await QRCode.toBuffer(bindUrl, { + type: 'png', + width: 320, + margin: 2, + color: { + dark: '#000000', + light: '#ffffff', + }, + }); + + return saveQrCode(profileId, pngBuffer); +} + +module.exports = { generateAndSaveQrCode }; diff --git a/hermes-server/src/lib/sync-token-verify.js b/hermes-server/src/lib/sync-token-verify.js new file mode 100644 index 0000000..1edfbdb --- /dev/null +++ b/hermes-server/src/lib/sync-token-verify.js @@ -0,0 +1,58 @@ +// sync_token 验证 — 使用与 EternalAI 共享的 SYNC_SECRET 验证 JWT +// sync_token 由 EternalAI 签发(HS256),包含 { roleId, adminId, jti, type:'sync' },5 分钟过期 + +const jwt = require('jsonwebtoken'); + +const SYNC_SECRET = process.env.SYNC_SECRET; + +if (!SYNC_SECRET) { + if (process.env.NODE_ENV === 'production') { + throw new Error( + 'SYNC_SECRET 环境变量未设置。请从 EternalAI 数据库获取 SYNC_SECRET 并配置到 .env 文件中。\n' + + '获取方式:在 EternalAI 服务器执行\n' + + ' psql -d eternalai -c \'SELECT value FROM "SystemConfig" WHERE key=\'\'SYNC_SECRET\'\'\'\'' + ); + } + console.warn('[安全警告] SYNC_SECRET 未设置,sync_token 验证将无法工作。请在 .env 中配置与 EternalAI 一致的 SYNC_SECRET。'); +} + +// P2 修复:jti 重放保护 — 内存缓存已使用的 jti,5 分钟 TTL +const usedJtis = new Map(); +const JTI_TTL_MS = 5 * 60 * 1000; + +function cleanupExpiredJtis() { + const now = Date.now(); + for (const [jti, ts] of usedJtis) { + if (now - ts > JTI_TTL_MS) { + usedJtis.delete(jti); + } + } +} + +// 验证 sync_token,返回 payload 或 null +function verifySyncToken(token) { + if (!SYNC_SECRET) { + return null; + } + try { + // P3 修复:显式指定算法,防止 alg 混淆攻击 + const decoded = jwt.verify(token, SYNC_SECRET, { algorithms: ['HS256'] }); + if (decoded.type !== 'sync') return null; + + // P2 修复:jti 重放保护 + if (decoded.jti) { + cleanupExpiredJtis(); + if (usedJtis.has(decoded.jti)) { + console.warn('[安全警告] sync_token 重放被拒绝, jti:', decoded.jti); + return null; + } + usedJtis.set(decoded.jti, Date.now()); + } + + return decoded; + } catch { + return null; + } +} + +module.exports = { verifySyncToken }; diff --git a/hermes-server/src/middleware/admin-auth.js b/hermes-server/src/middleware/admin-auth.js new file mode 100644 index 0000000..599d1ea --- /dev/null +++ b/hermes-server/src/middleware/admin-auth.js @@ -0,0 +1,36 @@ +// Hermes 管理员认证中间件 — 使用环境变量 HERMES_ADMIN_TOKEN 进行 Bearer token 认证 + +const crypto = require('crypto'); + +const DEFAULT_TOKEN = 'dev_only_admin_token_change_me'; +const ADMIN_TOKEN = process.env.HERMES_ADMIN_TOKEN; + +// P1 修复:生产环境 fail-fast +if (!ADMIN_TOKEN) { + if (process.env.NODE_ENV === 'production') { + throw new Error( + 'HERMES_ADMIN_TOKEN 环境变量未设置。请生成一个强随机值(可用 openssl rand -hex 32)并配置到 .env 文件中。' + ); + } + console.warn('[安全警告] HERMES_ADMIN_TOKEN 未设置,使用开发环境默认 token。请勿在生产环境使用。'); +} + +const EFFECTIVE_TOKEN = ADMIN_TOKEN || DEFAULT_TOKEN; + +function adminAuthMiddleware(req, res, next) { + const authHeader = req.headers.authorization; + if (!authHeader || !authHeader.startsWith('Bearer ')) { + return res.status(401).json({ error: '需要管理员认证' }); + } + const token = authHeader.slice(7); + + // P3 修复:恒定时间比较,防止时序攻击 + const a = Buffer.from(token); + const b = Buffer.from(EFFECTIVE_TOKEN); + if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) { + return res.status(403).json({ error: '管理员 token 无效' }); + } + next(); +} + +module.exports = { adminAuthMiddleware }; diff --git a/hermes-server/src/routes/bind.js b/hermes-server/src/routes/bind.js new file mode 100644 index 0000000..f1b272a --- /dev/null +++ b/hermes-server/src/routes/bind.js @@ -0,0 +1,197 @@ +// 绑定流程 — 二维码扫描后的绑定页面和绑定操作 +// QR 码内容:{HERMES_BASE_URL}/api/bind/{profileId} +// 扫描后展示绑定页面,用户确认绑定 + +const express = require('express'); +const { getProfileMeta, bindWechat } = require('../lib/profile-store'); + +const router = express.Router(); + +// 绑定页面(GET)— 扫描二维码后打开 +router.get('/:profileId', (req, res) => { + try { + const meta = getProfileMeta(req.params.profileId); + if (!meta) { + // P3 修复:返回 404 状态码 + return res.status(404).type('html').send(renderNotFoundPage()); + } + + // 如果已绑定,显示已绑定页面 + if (meta.boundWechat) { + return res.type('html').send(renderAlreadyBoundPage(meta)); + } + + // 显示绑定确认页面 + res.type('html').send(renderBindPage(meta)); + } catch (err) { + // P2 修复:异常时返回 HTML 而非 JSON + console.error('绑定页面加载失败:', err); + res.status(500).type('html').send(renderNotFoundPage()); + } +}); + +// 执行绑定(POST) +router.post('/:profileId', (req, res) => { + try { + const meta = getProfileMeta(req.params.profileId); + if (!meta) { + return res.status(404).json({ error: 'Profile 不存在' }); + } + if (meta.boundWechat) { + return res.status(400).json({ error: '该 Profile 已绑定微信' }); + } + + // P2 修复:req.body 可能为 undefined + const body = req.body || {}; + // 绑定标识:优先用微信 OAuth code,其次用请求体中的 wechatId + // 实际生产环境中,这里应通过微信 OAuth 获取 openid + const wechatId = body.wechatId || body.openid; + + if (!wechatId) { + return res.status(400).json({ error: '缺少 wechatId,请通过微信 OAuth 授权' }); + } + + // P1 修复:bindWechat 内部有原子检查,处理 alreadyBound 返回 + const result = bindWechat(req.params.profileId, wechatId); + if (!result) { + return res.status(404).json({ error: 'Profile 不存在' }); + } + if (result.alreadyBound) { + return res.status(400).json({ error: '该 Profile 已被绑定' }); + } + + console.log(`[Hermes] Profile ${req.params.profileId} 已绑定微信: ${wechatId}`); + + res.json({ + message: '绑定成功', + profileId: result.profileId, + profileName: result.profileName, + boundAt: result.boundAt, + }); + } catch (err) { + console.error('绑定失败:', err); + res.status(500).json({ error: '绑定失败' }); + } +}); + +// ===== HTML 页面渲染 ===== + +function renderBindPage(meta) { + // P3 修复:profileId 在 form action 中转义 + const safeProfileId = encodeURIComponent(meta.profileId); + return ` + + + + + 绑定角色 - ${escapeHtml(meta.profileName)} + + + + + + ${escapeHtml(meta.profileName.charAt(0))} + ${escapeHtml(meta.profileName)} + 扫描绑定后,即可在微信中与该角色对话 + + Profile ID${escapeHtml(meta.profileId)} + 创建时间${new Date(meta.createdAt).toLocaleString('zh-CN')} + 状态待绑定 + + + + 确认绑定 + + + + + +`; +} + +function renderAlreadyBoundPage(meta) { + return ` + + + + + 已绑定 - ${escapeHtml(meta.profileName)} + + + + + + ✅ + ${escapeHtml(meta.profileName)} + 该角色已成功绑定微信 + + 绑定时间${new Date(meta.boundAt).toLocaleString('zh-CN')} + 状态已绑定 + + + + +`; +} + +function renderNotFoundPage() { + return ` + + + + + 角色不存在 + + + + + + 🔍 + 角色不存在或二维码已失效 + + + +`; +} + +function escapeHtml(str) { + return String(str).replace(/[&<>"']/g, (c) => ({ + '&': '&', '<': '<', '>': '>', '"': '"', "'": ''' + }[c])); +} + +module.exports = router; diff --git a/hermes-server/src/routes/health.js b/hermes-server/src/routes/health.js new file mode 100644 index 0000000..ff632a2 --- /dev/null +++ b/hermes-server/src/routes/health.js @@ -0,0 +1,27 @@ +// 健康检查 + +const express = require('express'); +const { listProfiles } = require('../lib/profile-store'); + +const router = express.Router(); + +router.get('/health', (req, res) => { + let profileCount = 0; + let storageOk = true; + try { + profileCount = listProfiles().length; + } catch { + // P3 修复:区分"无 profile"和"读取失败" + storageOk = false; + } + + // P2 修复:不泄露 syncSecretConfigured 等安全配置状态 + res.json({ + status: storageOk ? 'ok' : 'degraded', + service: 'hermes-server', + timestamp: new Date().toISOString(), + profileCount, + }); +}); + +module.exports = router; diff --git a/hermes-server/src/routes/profiles.js b/hermes-server/src/routes/profiles.js new file mode 100644 index 0000000..6731539 --- /dev/null +++ b/hermes-server/src/routes/profiles.js @@ -0,0 +1,88 @@ +// Profile 管理 API — 查看、下载 profile 文件(供 Hermes Agent 和管理员使用) + +const express = require('express'); +const { adminAuthMiddleware } = require('../middleware/admin-auth'); +const { listProfiles, getProfileMeta, getProfileFile, deleteProfile } = require('../lib/profile-store'); + +const router = express.Router(); + +// 获取所有 profile 列表(需管理员认证) +router.get('/', adminAuthMiddleware, (req, res) => { + try { + const profiles = listProfiles(); + res.json({ profiles, total: profiles.length }); + } catch (err) { + console.error('获取 profile 列表失败:', err); + res.status(500).json({ error: '服务器错误' }); + } +}); + +// 获取 profile 详情(需管理员认证) +router.get('/:profileId', adminAuthMiddleware, (req, res) => { + try { + const meta = getProfileMeta(req.params.profileId); + if (!meta) { + return res.status(404).json({ error: 'Profile 不存在' }); + } + res.json({ profile: meta }); + } catch (err) { + console.error('获取 profile 详情失败:', err); + res.status(500).json({ error: '服务器错误' }); + } +}); + +// 下载 SOUL.md(供 Hermes Agent 使用,限制本机访问) +router.get('/:profileId/SOUL.md', (req, res) => { + try { + // P2 修复:限制本机访问 + const clientIp = (req.socket.remoteAddress || '').replace(/^::ffff:/, ''); + if (clientIp !== '127.0.0.1' && clientIp !== '::1' && clientIp !== '') { + return res.status(403).json({ error: '仅限本机访问' }); + } + const content = getProfileFile(req.params.profileId, 'SOUL.md'); + if (content === null) { + return res.status(404).json({ error: 'Profile 或 SOUL.md 不存在' }); + } + // P3 修复:使用语义正确的 Content-Type + res.type('text/markdown').send(content); + } catch (err) { + console.error('获取 SOUL.md 失败:', err); + res.status(500).json({ error: '服务器错误' }); + } +}); + +// 下载 config.yaml(供 Hermes Agent 使用,限制本机访问) +router.get('/:profileId/config.yaml', (req, res) => { + try { + // P2 修复:限制本机访问 + const clientIp = (req.socket.remoteAddress || '').replace(/^::ffff:/, ''); + if (clientIp !== '127.0.0.1' && clientIp !== '::1' && clientIp !== '') { + return res.status(403).json({ error: '仅限本机访问' }); + } + const content = getProfileFile(req.params.profileId, 'config.yaml'); + if (content === null) { + return res.status(404).json({ error: 'Profile 或 config.yaml 不存在' }); + } + // P3 修复:使用语义正确的 Content-Type + res.type('text/yaml').send(content); + } catch (err) { + console.error('获取 config.yaml 失败:', err); + res.status(500).json({ error: '服务器错误' }); + } +}); + +// 删除 profile(需管理员认证) +router.delete('/:profileId', adminAuthMiddleware, (req, res) => { + try { + const deleted = deleteProfile(req.params.profileId); + if (!deleted) { + return res.status(404).json({ error: 'Profile 不存在' }); + } + res.json({ message: 'Profile 已删除' }); + } catch (err) { + console.error('删除 profile 失败:', err); + res.status(500).json({ error: '服务器错误' }); + } +}); + +module.exports = router; diff --git a/hermes-server/src/routes/sync.js b/hermes-server/src/routes/sync.js new file mode 100644 index 0000000..9c19888 --- /dev/null +++ b/hermes-server/src/routes/sync.js @@ -0,0 +1,149 @@ +// POST /api/sync — 接收 EternalAI 的同步请求 +// 流程:验证 sync_token → 回调拉取 SOUL.md + config.yaml → 创建/更新 profile → 生成二维码 → 返回 + +const express = require('express'); +const { verifySyncToken } = require('../lib/sync-token-verify'); +const { pullRoleFiles } = require('../lib/eternalai-client'); +const { generateProfileId, createProfile, findByRoleId, deleteProfile } = require('../lib/profile-store'); +const { generateAndSaveQrCode } = require('../lib/qrcode-gen'); + +const router = express.Router(); + +// P2 修复:输入校验 +const MAX_PROFILE_NAME_LEN = 128; + +// 来源 IP 白名单检查(P1 修复:使用 socket.remoteAddress 而非可伪造的 req.ip) +function checkSourceIp(req, res, next) { + const allowedIps = process.env.ALLOWED_SOURCE_IPS; + if (!allowedIps) return next(); + + // 使用 socket 远程地址,不受 X-Forwarded-For 影响 + const clientIp = (req.socket.remoteAddress || '').replace(/^::ffff:/, ''); + if (!clientIp) { + return res.status(403).json({ error: '无法确定来源 IP' }); + } + const allowed = allowedIps.split(',').map((ip) => ip.trim()); + if (!allowed.includes(clientIp)) { + return res.status(403).json({ error: '来源 IP 不在白名单中' }); + } + next(); +} + +router.post('/sync', checkSourceIp, async (req, res) => { + try { + const { + profileName, + modelKey, + provider, + multimediaModelKey, + multimediaProvider, + enableSchedule, + syncToken, + roleId, + } = req.body; + + // 参数校验 + if (!syncToken || !roleId || !profileName) { + return res.status(400).json({ error: '缺少必要参数(syncToken, roleId, profileName)' }); + } + + // P2 修复:profileName 长度限制 + if (profileName.length > MAX_PROFILE_NAME_LEN) { + return res.status(400).json({ error: `profileName 过长(上限 ${MAX_PROFILE_NAME_LEN} 字符)` }); + } + + // 验证 sync_token + const payload = verifySyncToken(syncToken); + if (!payload) { + return res.status(401).json({ error: 'sync_token 无效或已过期' }); + } + + // 验证 roleId 匹配 + if (payload.roleId !== roleId) { + return res.status(403).json({ error: 'roleId 与 sync_token 不匹配' }); + } + + // P1 修复:幂等去重 — 若该 roleId 已有 profile,先删除旧的再创建新的 + const existing = findByRoleId(roleId); + if (existing) { + deleteProfile(existing.profileId); + } + + // 回调 EternalAI 拉取 SOUL.md 和 config.yaml + // P0 修复:使用环境变量 ETERNALAI_BASE_URL,不信任请求体中的 filePullBaseUrl + const { soulMd, configYaml } = await pullRoleFiles(roleId, syncToken); + + // P2 修复:校验两个文件都非空 + if (!soulMd || soulMd.length === 0) { + return res.status(400).json({ error: '拉取的 SOUL.md 为空' }); + } + if (!configYaml || configYaml.length === 0) { + return res.status(400).json({ error: '拉取的 config.yaml 为空' }); + } + + // 创建 profile + const profileId = generateProfileId(); + const baseUrl = process.env.HERMES_BASE_URL || `http://localhost:${process.env.PORT || 3002}`; + const bindUrl = `${baseUrl}/api/bind/${profileId}`; + + // P2 修复:先创建 profile,再生成二维码(避免孤儿文件) + // 先用 null 作为 qrCodeUrl 创建 profile + const meta = createProfile({ + profileId, + profileName, + roleId, + sourceBaseUrl: process.env.ETERNALAI_BASE_URL || 'unknown', + modelKey, + provider, + multimediaModelKey, + multimediaProvider, + enableSchedule: !!enableSchedule, + soulMd, + configYaml, + qrCodeUrl: null, // 稍后更新 + }); + + // 生成二维码 + try { + const qrFilename = await generateAndSaveQrCode(profileId, bindUrl); + const qrCodeUrl = `${baseUrl}/api/qrcodes/${qrFilename}`; + // 更新 meta 中的 qrCodeUrl(通过重新写入 meta.json) + const { getProfileMeta } = require('../lib/profile-store'); + const updatedMeta = getProfileMeta(profileId); + if (updatedMeta) { + updatedMeta.qrCodeUrl = qrCodeUrl; + const fs = require('fs'); + const path = require('path'); + const metaPath = path.join(__dirname, '..', '..', 'data', 'profiles', profileId, 'meta.json'); + fs.writeFileSync(metaPath, JSON.stringify(updatedMeta, null, 2)); + } + meta.qrCodeUrl = qrCodeUrl; + } catch (qrErr) { + console.error('[Hermes] 二维码生成失败:', qrErr.message); + // 二维码生成失败不阻塞 profile 创建,但返回中不包含 qrCodeUrl + } + + console.log(`[Hermes] Profile 创建成功: ${profileId} (name=${profileName}, roleId=${roleId})`); + + res.json({ + qrCodeUrl: meta.qrCodeUrl, + profileId, + message: 'Profile 创建成功', + }); + } catch (err) { + console.error('[Hermes] 同步失败:', err.message); + // P3 修复:区分已知错误类型 + if (err.message.includes('超时')) { + return res.status(504).json({ error: '拉取文件超时,请检查 EternalAI 服务状态' }); + } + if (err.message.includes('ETERNALAI_BASE_URL')) { + return res.status(500).json({ error: 'Hermes Server 未配置 ETERNALAI_BASE_URL' }); + } + if (err.message.includes('拉取') && err.message.includes('失败')) { + return res.status(502).json({ error: '拉取文件失败,请检查 EternalAI 服务是否正常' }); + } + res.status(500).json({ error: '同步失败,请稍后重试' }); + } +}); + +module.exports = router; diff --git a/hermes-server/test/integration-test.js b/hermes-server/test/integration-test.js new file mode 100644 index 0000000..3146741 --- /dev/null +++ b/hermes-server/test/integration-test.js @@ -0,0 +1,356 @@ +// 集成测试:EternalAI → hermes-server 端到端同步流程 +// 前提:EternalAI (3001) 和 hermes-server (3002) 均已运行,SYNC_SECRET 已同步 +// 前提:hermes-server 的 .env 已配置 ETERNALALAI_BASE_URL=http://localhost:3001 + +const BASE_ETERNAL = 'http://localhost:3001'; +const BASE_HERMES = 'http://localhost:3002'; +const HERMES_ADMIN_TOKEN = 'dev_only_admin_token_change_me'; + +let passed = 0; +let failed = 0; + +async function assert(name, fn) { + try { + await fn(); + passed++; + console.log(` ✓ ${name}`); + } catch (err) { + failed++; + console.log(` ✗ ${name}`); + console.log(` ${err.message}`); + } +} + +function assertEqual(actual, expected, msg) { + if (actual !== expected) { + throw new Error(`${msg || ''} expected ${JSON.stringify(expected)}, got ${JSON.stringify(actual)}`); + } +} + +function assertTruthy(val, msg) { + if (!val) throw new Error(msg || 'expected truthy value'); +} + +// 清理 hermes-server 上的所有 profile(避免重复运行导致冲突) +async function cleanupHermesProfiles() { + try { + const res = await fetch(`${BASE_HERMES}/api/profiles`, { + headers: { Authorization: `Bearer ${HERMES_ADMIN_TOKEN}` }, + }); + if (!res.ok) return; + const data = await res.json(); + for (const p of data.profiles || []) { + try { + await fetch(`${BASE_HERMES}/api/profiles/${p.profileId}`, { + method: 'DELETE', + headers: { Authorization: `Bearer ${HERMES_ADMIN_TOKEN}` }, + }); + } catch {} + } + console.log(` 已清理 hermes-server 上 ${data.profiles?.length || 0} 个 profile`); + } catch (err) { + console.log(` 清理 hermes-server 跳过: ${err.message}`); + } +} + +async function main() { + const prisma = require('../../src/lib/prisma'); + const { hashPassword } = require('../../src/lib/auth'); + + // ===== 清理数据库 ===== + console.log('\n===== 准备:清理数据库 ====='); + await prisma.order.deleteMany(); + await prisma.apiKey.deleteMany(); + await prisma.role.deleteMany(); + await prisma.admin.deleteMany(); + await prisma.user.deleteMany(); + await prisma.systemConfig.deleteMany({ where: { key: 'HERMES_WEBHOOK_URL' } }); + + // 确保 SYNC_SECRET 存在 + const crypto = require('crypto'); + await prisma.systemConfig.upsert({ + where: { key: 'SYNC_SECRET' }, + update: {}, + create: { key: 'SYNC_SECRET', value: crypto.randomBytes(32).toString('hex') }, + }); + + // P1 修复:清理 hermes-server 上的残留 profile(避免重复运行测试失败) + console.log('\n===== 准备:清理 hermes-server 数据 ====='); + await cleanupHermesProfiles(); + + // 创建测试用户和管理员 + const user = await prisma.user.create({ + data: { account: 'itest_user', password: hashPassword('Test123456'), isCreator: true }, + }); + const admin = await prisma.admin.create({ + data: { account: 'itest_admin', password: hashPassword('admin123') }, + }); + console.log(` 用户: ${user.id}, 管理员: ${admin.id}`); + + // ===== 测试开始 ===== + console.log('\n===== 测试:EternalAI → hermes-server 集成 ====='); + + let adminToken, userToken, roleId; + + // 1. 管理员登录 + await assert('管理员登录', async () => { + const res = await fetch(`${BASE_ETERNAL}/api/admin-auth/login`, { + method: 'POST', + headers: { 'Content-Type': 'application/json' }, + body: JSON.stringify({ account: 'itest_admin', password: 'admin123' }), + }); + assertEqual(res.status, 200, '管理员登录状态码'); + const data = await res.json(); + assertTruthy(data.token, '管理员 token'); + adminToken = data.token; + }); + + // 2. 用户登录 + await assert('用户登录', async () => { + const res = await fetch(`${BASE_ETERNAL}/api/auth/login`, { + method: 'POST', + headers: { 'Content-Type': 'application/json' }, + body: JSON.stringify({ account: 'itest_user', password: 'Test123456' }), + }); + assertEqual(res.status, 200, '用户登录状态码'); + const data = await res.json(); + assertTruthy(data.token, '用户 token'); + userToken = data.token; + }); + + // 3. 用户创建角色 + await assert('用户创建角色', async () => { + const res = await fetch(`${BASE_ETERNAL}/api/roles`, { + method: 'POST', + headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${userToken}` }, + body: JSON.stringify({ + displayName: '集成测试角色', + personality: '温柔善良', + background: '来自星辰大海', + speechStyle: '轻声细语', + greeting: '你好呀,我是星灵', + soulMd: '# SOUL\n\n我是星灵,来自星辰大海的守护者。\n我温柔善良,喜欢倾听你的故事。', + }), + }); + assertEqual(res.status, 200, '创建角色状态码'); + const data = await res.json(); + assertTruthy(data.role.id, '角色 ID'); + assertEqual(data.role.reviewStatus, 'pending_review', '初始审核状态'); + roleId = data.role.id; + }); + + // 4. 管理员审核通过 + await assert('管理员审核通过', async () => { + const res = await fetch(`${BASE_ETERNAL}/api/admin/reviews/${roleId}/approve`, { + method: 'POST', + headers: { Authorization: `Bearer ${adminToken}` }, + }); + assertEqual(res.status, 200, '审核状态码'); + const data = await res.json(); + assertEqual(data.role.reviewStatus, 'approved', '审核后状态'); + }); + + // 5. 配置 Hermes webhook URL 指向真实 hermes-server + await assert('配置 HERMES_WEBHOOK_URL 指向 hermes-server', async () => { + const res = await fetch(`${BASE_ETERNAL}/api/admin/config/HERMES_WEBHOOK_URL`, { + method: 'PUT', + headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${adminToken}` }, + body: JSON.stringify({ value: `${BASE_HERMES}/api/sync` }), + }); + assertEqual(res.status, 200, '配置状态码'); + }); + + // 6. 管理员发起同步 → hermes-server 接收 → 回调拉取文件 → 创建 profile → 返回二维码 + let syncResponse; + await assert('管理员发起同步(真实 hermes-server)', async () => { + const res = await fetch(`${BASE_ETERNAL}/api/admin/sync/${roleId}`, { + method: 'POST', + headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${adminToken}` }, + body: JSON.stringify({ + profileName: 'star-spirit', + modelKey: 'sk-test-key', + provider: 'openrouter', + multimediaModelKey: 'sk-multi-key', + multimediaProvider: 'openrouter', + enableSchedule: false, + }), + }); + assertEqual(res.status, 200, '同步状态码'); + const data = await res.json(); + assertEqual(data.role.reviewStatus, 'synced', '同步后状态'); + assertTruthy(data.role.qrCodeUrl, '二维码 URL'); + assertTruthy(data.profileId, 'profileId'); + assertTruthy(data.profileId.startsWith('hermes_'), 'profileId 前缀'); + syncResponse = data; + console.log(` profileId: ${data.profileId}`); + console.log(` qrCodeUrl: ${data.role.qrCodeUrl}`); + }); + + // 7. 验证 hermes-server 健康检查 + await assert('hermes-server 健康检查', async () => { + const res = await fetch(`${BASE_HERMES}/api/health`); + assertEqual(res.status, 200, '健康检查状态码'); + const data = await res.json(); + assertEqual(data.status, 'ok', '健康状态'); + // P2 修复后:health 不再泄露 syncSecretConfigured,改用 storageOk/status + assertEqual(data.profileCount, 1, 'profile 数量'); + }); + + // 8. 验证 hermes-server profile 列表 + await assert('hermes-server profile 列表', async () => { + const res = await fetch(`${BASE_HERMES}/api/profiles`, { + headers: { Authorization: `Bearer ${HERMES_ADMIN_TOKEN}` }, + }); + assertEqual(res.status, 200, 'profile 列表状态码'); + const data = await res.json(); + assertEqual(data.total, 1, 'profile 总数'); + assertEqual(data.profiles[0].profileName, 'star-spirit', 'profile 名称'); + assertEqual(data.profiles[0].roleId, roleId, 'roleId 关联'); + // P0 修复后:sourceBaseUrl 来自 hermes-server 的 ETERNALAI_BASE_URL 环境变量 + assertEqual(data.profiles[0].sourceBaseUrl, BASE_ETERNAL, 'sourceBaseUrl 来自环境变量'); + }); + + // 9. 验证 hermes-server profile 详情 + await assert('hermes-server profile 详情', async () => { + const res = await fetch(`${BASE_HERMES}/api/profiles/${syncResponse.profileId}`, { + headers: { Authorization: `Bearer ${HERMES_ADMIN_TOKEN}` }, + }); + assertEqual(res.status, 200, 'profile 详情状态码'); + const data = await res.json(); + assertEqual(data.profile.profileId, syncResponse.profileId, 'profileId'); + assertEqual(data.profile.modelKey, 'sk-test-key', 'modelKey'); + assertEqual(data.profile.provider, 'openrouter', 'provider'); + assertEqual(data.profile.enableSchedule, false, 'enableSchedule'); + assertEqual(data.profile.boundWechat, null, '未绑定状态'); + }); + + // 10. 验证 hermes-server 提供 SOUL.md 下载 + await assert('hermes-server 提供 SOUL.md 下载', async () => { + const res = await fetch(`${BASE_HERMES}/api/profiles/${syncResponse.profileId}/SOUL.md`); + assertEqual(res.status, 200, 'SOUL.md 状态码'); + const text = await res.text(); + assertTruthy(text.includes('星灵'), 'SOUL.md 内容包含角色名'); + assertTruthy(text.includes('星辰大海'), 'SOUL.md 内容包含背景'); + }); + + // 11. 验证 hermes-server 提供 config.yaml 下载 + await assert('hermes-server 提供 config.yaml 下载', async () => { + const res = await fetch(`${BASE_HERMES}/api/profiles/${syncResponse.profileId}/config.yaml`); + assertEqual(res.status, 200, 'config.yaml 状态码'); + const text = await res.text(); + assertTruthy(text.includes('model:'), 'config.yaml 包含 model 字段'); + assertTruthy(text.includes('temperature:'), 'config.yaml 包含 temperature 字段'); + }); + + // 12. 验证二维码图片可访问 + await assert('二维码图片可访问', async () => { + const res = await fetch(syncResponse.role.qrCodeUrl); + assertEqual(res.status, 200, '二维码图片状态码'); + assertEqual(res.headers.get('content-type'), 'image/png', '二维码图片类型'); + const buffer = await res.arrayBuffer(); + assertTruthy(buffer.byteLength > 100, '二维码图片大小'); + }); + + // 13. 验证绑定页面可访问 + await assert('绑定页面可访问', async () => { + const res = await fetch(`${BASE_HERMES}/api/bind/${syncResponse.profileId}`); + assertEqual(res.status, 200, '绑定页面状态码'); + const html = await res.text(); + assertTruthy(html.includes('star-spirit'), '绑定页面包含 profile 名称'); + assertTruthy(html.includes('确认绑定'), '绑定页面包含绑定按钮'); + }); + + // 14. 执行绑定 + await assert('执行绑定', async () => { + const res = await fetch(`${BASE_HERMES}/api/bind/${syncResponse.profileId}`, { + method: 'POST', + headers: { 'Content-Type': 'application/json' }, + body: JSON.stringify({ wechatId: 'wx_test_12345' }), + }); + assertEqual(res.status, 200, '绑定状态码'); + const data = await res.json(); + assertEqual(data.profileId, syncResponse.profileId, '绑定返回 profileId'); + assertTruthy(data.boundAt, '绑定时间'); + }); + + // 15. 验证已绑定后再次绑定返回 400 + await assert('重复绑定返回 400', async () => { + const res = await fetch(`${BASE_HERMES}/api/bind/${syncResponse.profileId}`, { + method: 'POST', + headers: { 'Content-Type': 'application/json' }, + body: JSON.stringify({ wechatId: 'wx_other' }), + }); + assertEqual(res.status, 400, '重复绑定状态码'); + }); + + // 16. 验证已绑定页面显示 + await assert('已绑定页面显示', async () => { + const res = await fetch(`${BASE_HERMES}/api/bind/${syncResponse.profileId}`); + const html = await res.text(); + assertTruthy(html.includes('已成功绑定'), '已绑定页面提示'); + }); + + // 17. 验证 EternalAI 角色库显示已同步角色 + await assert('EternalAI 角色库显示已同步角色', async () => { + const res = await fetch(`${BASE_ETERNAL}/api/roles`); + const data = await res.json(); + const found = data.roles.find((r) => r.id === roleId); + assertTruthy(found, '角色库包含已同步角色'); + }); + + // 18. 验证 SYNC_SECRET 写保护(不能通过 PUT 修改) + await assert('SYNC_SECRET 写保护', async () => { + const res = await fetch(`${BASE_ETERNAL}/api/admin/config/SYNC_SECRET`, { + method: 'PUT', + headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${adminToken}` }, + body: JSON.stringify({ value: 'hacked' }), + }); + assertEqual(res.status, 403, '写保护状态码'); + }); + + // 19. 验证无效 sync_token 被拒绝 + await assert('无效 sync_token 被拒绝', async () => { + const res = await fetch(`${BASE_HERMES}/api/sync`, { + method: 'POST', + headers: { 'Content-Type': 'application/json' }, + body: JSON.stringify({ + profileName: 'test', + syncToken: 'invalid.token.here', + roleId: 'fake-id', + }), + }); + assertEqual(res.status, 401, '无效 token 状态码'); + }); + + // 20. 验证缺少参数被拒绝 + await assert('缺少参数被拒绝', async () => { + const res = await fetch(`${BASE_HERMES}/api/sync`, { + method: 'POST', + headers: { 'Content-Type': 'application/json' }, + body: JSON.stringify({ profileName: 'test' }), + }); + assertEqual(res.status, 400, '缺少参数状态码'); + }); + + // ===== 清理 ===== + console.log('\n===== 清理 ====='); + // 清理 hermes-server 上的 profile + await cleanupHermesProfiles(); + // 清理 EternalAI 数据库 + await prisma.order.deleteMany(); + await prisma.apiKey.deleteMany(); + await prisma.role.deleteMany(); + await prisma.admin.deleteMany(); + await prisma.user.deleteMany(); + await prisma.systemConfig.deleteMany({ where: { key: 'HERMES_WEBHOOK_URL' } }); + await prisma.$disconnect(); + + // ===== 结果 ===== + console.log(`\n===== 结果: ${passed} passed, ${failed} failed =====`); + process.exit(failed > 0 ? 1 : 0); +} + +main().catch((err) => { + console.error('测试运行失败:', err); + process.exit(1); +}); diff --git a/prisma/schema.prisma b/prisma/schema.prisma index 4d08d11..70e729a 100644 --- a/prisma/schema.prisma +++ b/prisma/schema.prisma @@ -23,6 +23,19 @@ model User { apiKeys ApiKey[] } +model Admin { + id String @id @default(uuid()) + account String @unique + password String + createdAt DateTime @default(now()) +} + +model SystemConfig { + key String @id + value String + updatedAt DateTime @updatedAt +} + model ApiKey { id String @id @default(uuid()) userId String @@ -65,6 +78,10 @@ model Role { desc String? price Float @default(0) status String @default("running") + reviewStatus String @default("pending_review") + reviewNote String? + qrCodeUrl String? + syncedAt DateTime? createdAt DateTime @default(now()) updatedAt DateTime @updatedAt diff --git a/scripts/migrate-existing-roles-to-synced.js b/scripts/migrate-existing-roles-to-synced.js new file mode 100644 index 0000000..71a7f0a --- /dev/null +++ b/scripts/migrate-existing-roles-to-synced.js @@ -0,0 +1,79 @@ +// 数据迁移脚本:将现有角色(reviewStatus 为空或默认 pending_review)标记为 synced +// 背景:管理员审核 + Hermes 同步流程上线后,角色库过滤改为 reviewStatus='synced'。 +// 现有角色是在审核流程上线前创建的,直接标记为 synced 以保持向后兼容。 +// +// 用法: node scripts/migrate-existing-roles-to-synced.js +// +// 安全说明: +// - 仅迁移 status='running' 且 reviewStatus='pending_review' 的角色 +// - 已有 reviewStatus(approved/synced/rejected/failed)的角色不受影响 +// - 执行前会打印待迁移数量,需用户确认(除非传入 --yes 跳过确认) + +const prisma = require('../src/lib/prisma'); + +async function main() { + const skipConfirm = process.argv.includes('--yes'); + + // 查找待迁移角色:status='running' 且 reviewStatus='pending_review' + // 这些是审核流程上线前创建的角色 + const candidates = await prisma.role.findMany({ + where: { + status: 'running', + reviewStatus: 'pending_review', + }, + select: { id: true, displayName: true, createdAt: true }, + }); + + console.log(`找到 ${candidates.length} 个待迁移角色(status=running 且 reviewStatus=pending_review)`); + + if (candidates.length === 0) { + console.log('无需迁移'); + await prisma.$disconnect(); + return; + } + + if (!skipConfirm) { + console.log('\n待迁移角色列表(前 10 个):'); + candidates.slice(0, 10).forEach((r, i) => { + console.log(` ${i + 1}. ${r.displayName} (id=${r.id}, createdAt=${r.createdAt.toISOString()})`); + }); + if (candidates.length > 10) { + console.log(` ... 还有 ${candidates.length - 10} 个`); + } + console.log('\n将这些角色标记为 synced(已同步)?此操作不可逆。'); + console.log('确认请输入 yes,否则取消:'); + + const readline = require('readline'); + const rl = readline.createInterface({ input: process.stdin, output: process.stdout }); + const answer = await new Promise((resolve) => { + rl.question('> ', (a) => { + rl.close(); + resolve(a.trim().toLowerCase()); + }); + }); + if (answer !== 'yes') { + console.log('已取消'); + await prisma.$disconnect(); + return; + } + } + + const result = await prisma.role.updateMany({ + where: { + status: 'running', + reviewStatus: 'pending_review', + }, + data: { + reviewStatus: 'synced', + syncedAt: new Date(), + }, + }); + + console.log(`\n迁移完成:${result.count} 个角色已标记为 synced`); + await prisma.$disconnect(); +} + +main().catch((err) => { + console.error('迁移失败:', err); + process.exit(1); +}); diff --git a/scripts/seed-admin.js b/scripts/seed-admin.js new file mode 100644 index 0000000..7a52c78 --- /dev/null +++ b/scripts/seed-admin.js @@ -0,0 +1,44 @@ +// 管理员账号初始化脚本 +// 用法: node scripts/seed-admin.js +// 或通过环境变量: ADMIN_ACCOUNT=admin ADMIN_PASSWORD=xxx node scripts/seed-admin.js + +const prisma = require('../src/lib/prisma'); +const { hashPassword } = require('../src/lib/auth'); + +async function main() { + const account = process.argv[2] || process.env.ADMIN_ACCOUNT; + const password = process.argv[3] || process.env.ADMIN_PASSWORD; + + if (!account || !password) { + console.error('用法: node scripts/seed-admin.js '); + console.error(' 或: ADMIN_ACCOUNT=admin ADMIN_PASSWORD=xxx node scripts/seed-admin.js'); + process.exit(1); + } + + if (password.length < 6) { + console.error('密码至少 6 位'); + process.exit(1); + } + + const existing = await prisma.admin.findUnique({ where: { account } }); + if (existing) { + // 更新密码 + await prisma.admin.update({ + where: { account }, + data: { password: hashPassword(password) }, + }); + console.log(`管理员 ${account} 密码已更新`); + } else { + await prisma.admin.create({ + data: { account, password: hashPassword(password) }, + }); + console.log(`管理员 ${account} 已创建`); + } + + await prisma.$disconnect(); +} + +main().catch((err) => { + console.error('初始化管理员失败:', err); + process.exit(1); +}); diff --git a/server.js b/server.js index e575eb0..63fd456 100644 --- a/server.js +++ b/server.js @@ -15,6 +15,16 @@ app.use('/api/auth', require('./src/routes/auth')); app.use('/api/roles', require('./src/routes/roles')); app.use('/api/apikeys', require('./src/routes/apikeys')); app.use('/api/hermes', require('./src/routes/hermes')); +app.use('/api/admin-auth', require('./src/routes/admin-auth')); +app.use('/api/admin', require('./src/routes/admin')); +app.use('/api/admin/config', require('./src/routes/admin-config')); +app.use('/api/admin/sync', require('./src/routes/admin-sync')); + +// Mock Hermes 端点(仅 development/test 环境注册,显式 allowlist 防止误开放) +const MOCK_HERMES_ALLOWED_ENVS = ['development', 'test']; +if (MOCK_HERMES_ALLOWED_ENVS.includes(process.env.NODE_ENV || 'development')) { + app.use('/api/mock-hermes', require('./src/routes/mock-hermes')); +} // 静态文件 app.use(express.static('.')); diff --git a/src/lib/auth.js b/src/lib/auth.js index afb03d7..77bc1de 100644 --- a/src/lib/auth.js +++ b/src/lib/auth.js @@ -4,6 +4,7 @@ const crypto = require('crypto'); const prisma = require('./prisma'); const JWT_EXPIRES_IN = '7d'; +const ADMIN_JWT_EXPIRES_IN = '7d'; // 安全:生产环境必须配置 JWT_SECRET,杜绝硬编码密钥 const JWT_SECRET = process.env.JWT_SECRET; @@ -17,6 +18,19 @@ if (!JWT_SECRET) { } const SECRET = JWT_SECRET || 'dev_only_insecure_secret_do_not_use_in_production'; +// Admin JWT 使用独立 secret,防止跨角色伪造 +// 生产环境必须配置 ADMIN_JWT_SECRET,否则 fail-fast +const ADMIN_JWT_SECRET = process.env.ADMIN_JWT_SECRET; +if (!ADMIN_JWT_SECRET) { + if (process.env.NODE_ENV === 'production') { + throw new Error( + 'ADMIN_JWT_SECRET 环境变量未设置。请在 .env 文件中配置一个独立于 JWT_SECRET 的随机密钥(可用 `openssl rand -hex 32` 生成)。' + ); + } + console.warn('[安全警告] ADMIN_JWT_SECRET 未设置,使用开发环境临时密钥。请勿在生产环境使用。'); +} +const ADMIN_SECRET = ADMIN_JWT_SECRET || 'dev_only_admin_insecure_secret'; + // 哈希密码 function hashPassword(password) { return bcrypt.hashSync(password, 10); @@ -101,6 +115,39 @@ async function apiKeyMiddleware(req, res, next) { next(); } +// ===== Admin 认证 ===== + +// 生成 Admin JWT +function adminSignToken(adminId) { + return jwt.sign({ adminId, role: 'admin' }, ADMIN_SECRET, { expiresIn: ADMIN_JWT_EXPIRES_IN }); +} + +// 验证 Admin JWT +function adminVerifyToken(token) { + try { + const decoded = jwt.verify(token, ADMIN_SECRET); + if (decoded.role !== 'admin') return null; + return decoded.adminId; + } catch { + return null; + } +} + +// Express 中间件:验证 Admin JWT +function adminAuthMiddleware(req, res, next) { + const authHeader = req.headers.authorization; + if (!authHeader || !authHeader.startsWith('Bearer ')) { + return res.status(401).json({ error: '管理员未登录' }); + } + const token = authHeader.slice(7); + const adminId = adminVerifyToken(token); + if (!adminId) { + return res.status(401).json({ error: '管理员登录已过期,请重新登录' }); + } + req.adminId = adminId; + next(); +} + module.exports = { hashPassword, verifyPassword, @@ -108,4 +155,7 @@ module.exports = { verifyToken, authMiddleware, apiKeyMiddleware, + adminSignToken, + adminVerifyToken, + adminAuthMiddleware, }; diff --git a/src/lib/hermes-client.js b/src/lib/hermes-client.js new file mode 100644 index 0000000..439cc54 --- /dev/null +++ b/src/lib/hermes-client.js @@ -0,0 +1,35 @@ +// Hermes HTTP 客户端 — 向 Hermes 服务器发起同步请求 + +const SYNC_TIMEOUT_MS = 30000; + +// 向 Hermes POST 同步请求 +async function postSync(webhookUrl, payload) { + const controller = new AbortController(); + const timeout = setTimeout(() => controller.abort(), SYNC_TIMEOUT_MS); + + try { + const response = await fetch(webhookUrl, { + method: 'POST', + headers: { 'Content-Type': 'application/json' }, + body: JSON.stringify(payload), + signal: controller.signal, + }); + + const data = await response.json(); + + if (!response.ok) { + throw new Error(data.error || `Hermes 返回错误 (${response.status})`); + } + + return data; + } catch (err) { + if (err.name === 'AbortError') { + throw new Error('Hermes 同步请求超时'); + } + throw err; + } finally { + clearTimeout(timeout); + } +} + +module.exports = { postSync }; diff --git a/src/lib/sync-token.js b/src/lib/sync-token.js new file mode 100644 index 0000000..f00cb66 --- /dev/null +++ b/src/lib/sync-token.js @@ -0,0 +1,43 @@ +const jwt = require('jsonwebtoken'); +const crypto = require('crypto'); +const prisma = require('./prisma'); + +const SYNC_TOKEN_EXPIRES_IN = '5m'; + +// 从 SystemConfig 获取 SYNC_SECRET,不存在则自动生成 +async function getSyncSecret() { + let config = await prisma.systemConfig.findUnique({ where: { key: 'SYNC_SECRET' } }); + if (!config) { + const secret = crypto.randomBytes(32).toString('hex'); + config = await prisma.systemConfig.create({ + data: { key: 'SYNC_SECRET', value: secret }, + }); + } + return config.value; +} + +// 生成 sync_token(5 分钟过期,jti 用 CSPRNG 生成) +async function generateSyncToken(roleId, adminId) { + const secret = await getSyncSecret(); + const jti = crypto.randomBytes(16).toString('hex'); + return jwt.sign({ roleId, adminId, jti, type: 'sync' }, secret, { expiresIn: SYNC_TOKEN_EXPIRES_IN }); +} + +// 验证 sync_token,返回 payload 或 null +// 注意:sync_token 在 5 分钟有效期内可多次使用(Hermes 需拉取 SOUL.md + config.yaml 两个文件) +// 重放防护依赖 5 分钟短过期 + HTTPS 传输 + roleId 绑定 +async function verifySyncToken(token) { + try { + const secret = await getSyncSecret(); + const decoded = jwt.verify(token, secret); + if (decoded.type !== 'sync') return null; + return decoded; + } catch { + return null; + } +} + +module.exports = { + generateSyncToken, + verifySyncToken, +}; diff --git a/src/routes/admin-auth.js b/src/routes/admin-auth.js new file mode 100644 index 0000000..11da434 --- /dev/null +++ b/src/routes/admin-auth.js @@ -0,0 +1,48 @@ +const express = require('express'); +const prisma = require('../lib/prisma'); +const { verifyPassword, adminSignToken, adminAuthMiddleware } = require('../lib/auth'); + +const router = express.Router(); + +// 管理员登录 +router.post('/login', async (req, res) => { + try { + const { account, password } = req.body; + if (!account || !password) { + return res.status(400).json({ error: '账号和密码不能为空' }); + } + + const admin = await prisma.admin.findUnique({ where: { account } }); + if (!admin || !verifyPassword(password, admin.password)) { + return res.status(401).json({ error: '账号或密码错误' }); + } + + const token = adminSignToken(admin.id); + res.json({ + token, + admin: { id: admin.id, account: admin.account }, + }); + } catch (err) { + console.error('管理员登录失败:', err); + res.status(500).json({ error: '登录失败' }); + } +}); + +// 获取当前管理员信息 +router.get('/me', adminAuthMiddleware, async (req, res) => { + try { + const admin = await prisma.admin.findUnique({ + where: { id: req.adminId }, + select: { id: true, account: true }, + }); + if (!admin) { + return res.status(404).json({ error: '管理员不存在' }); + } + res.json({ admin }); + } catch (err) { + console.error('获取管理员信息失败:', err); + res.status(500).json({ error: '服务器错误' }); + } +}); + +module.exports = router; diff --git a/src/routes/admin-config.js b/src/routes/admin-config.js new file mode 100644 index 0000000..2a5bd91 --- /dev/null +++ b/src/routes/admin-config.js @@ -0,0 +1,66 @@ +const express = require('express'); +const prisma = require('../lib/prisma'); +const { adminAuthMiddleware } = require('../lib/auth'); + +const router = express.Router(); + +// 敏感配置项的值需要脱敏显示 +const SENSITIVE_KEYS = ['SYNC_SECRET']; + +// 受保护配置项:禁止通过 PUT 接口直接覆写 +// SYNC_SECRET 由系统自动生成并轮换,管理员手动覆写会导致已知密钥攻击 +const PROTECTED_KEYS = ['SYNC_SECRET']; + +// 获取所有配置 +router.get('/', adminAuthMiddleware, async (req, res) => { + try { + const configs = await prisma.systemConfig.findMany(); + const result = configs.map((c) => ({ + key: c.key, + value: SENSITIVE_KEYS.includes(c.key) ? '***' : c.value, + updatedAt: c.updatedAt, + })); + res.json({ configs: result }); + } catch (err) { + console.error('获取系统配置失败:', err); + res.status(500).json({ error: '服务器错误' }); + } +}); + +// 更新配置项 +router.put('/:key', adminAuthMiddleware, async (req, res) => { + try { + const { value } = req.body; + if (value === undefined || value === null) { + return res.status(400).json({ error: 'value 不能为空' }); + } + if (typeof value !== 'string' || value.length === 0) { + return res.status(400).json({ error: 'value 必须为非空字符串' }); + } + + // 受保护配置项禁止通过此接口覆写 + if (PROTECTED_KEYS.includes(req.params.key)) { + return res.status(403).json({ + error: `配置项 ${req.params.key} 受系统保护,禁止手动修改(由系统自动管理)`, + }); + } + + const config = await prisma.systemConfig.upsert({ + where: { key: req.params.key }, + update: { value }, + create: { key: req.params.key, value }, + }); + res.json({ + config: { + key: config.key, + value: SENSITIVE_KEYS.includes(config.key) ? '***' : config.value, + updatedAt: config.updatedAt, + }, + }); + } catch (err) { + console.error('更新系统配置失败:', err); + res.status(500).json({ error: '更新失败' }); + } +}); + +module.exports = router; diff --git a/src/routes/admin-sync.js b/src/routes/admin-sync.js new file mode 100644 index 0000000..0bd8f49 --- /dev/null +++ b/src/routes/admin-sync.js @@ -0,0 +1,192 @@ +const express = require('express'); +const prisma = require('../lib/prisma'); +const { adminAuthMiddleware } = require('../lib/auth'); +const { generateSyncToken } = require('../lib/sync-token'); +const { postSync } = require('../lib/hermes-client'); + +const router = express.Router(); + +// SSRF 防护:校验 webhookUrl 协议与主机 +// - 仅允许 http/https(开发环境允许 http,生产环境强制 https) +// - 禁止指向内网/回环地址(10.x、127.x、169.254.x、172.16-31.x、192.168.x、::1、fc00::/7) +function isPrivateIPv4(hostname) { + const parts = hostname.split('.').map(Number); + if (parts.length !== 4 || parts.some((p) => Number.isNaN(p))) return false; + const [a, b] = parts; + if (a === 10) return true; + if (a === 127) return true; + if (a === 169 && b === 254) return true; + if (a === 172 && b >= 16 && b <= 31) return true; + if (a === 192 && b === 168) return true; + if (a === 0) return true; + return false; +} + +function validateWebhookUrl(rawUrl) { + if (!rawUrl || typeof rawUrl !== 'string') { + return { ok: false, error: 'webhook URL 不能为空' }; + } + let url; + try { + url = new URL(rawUrl); + } catch { + return { ok: false, error: 'webhook URL 格式无效' }; + } + const hostname = url.hostname.toLowerCase(); + if (url.protocol !== 'https:' && url.protocol !== 'http:') { + return { ok: false, error: 'webhook URL 协议仅支持 http/https' }; + } + const isProduction = process.env.NODE_ENV === 'production'; + if (isProduction && url.protocol !== 'https:') { + return { ok: false, error: '生产环境 webhook URL 必须使用 https' }; + } + // 生产环境禁止指向内网/回环地址(SSRF 防护) + // 非生产环境允许 localhost(用于 mock-hermes 测试) + if (isProduction) { + if (isPrivateIPv4(hostname)) { + return { ok: false, error: 'webhook URL 不允许指向内网地址' }; + } + if (hostname === 'localhost' || hostname === '::1' || hostname.endsWith('.local')) { + return { ok: false, error: 'webhook URL 不允许指向本地地址' }; + } + if (hostname.startsWith('fc') || hostname.startsWith('fd') || hostname.startsWith('fe80')) { + return { ok: false, error: 'webhook URL 不允许指向内网地址' }; + } + } + return { ok: true, url }; +} + +// 管理员发起同步 +router.post('/:roleId', adminAuthMiddleware, async (req, res) => { + try { + const { + profileName, + modelKey, + provider, + multimediaModelKey, + multimediaProvider, + enableSchedule, + webhookUrl, + } = req.body; + + if (!profileName) { + return res.status(400).json({ error: 'profile 名字不能为空' }); + } + + const role = await prisma.role.findUnique({ where: { id: req.params.roleId } }); + if (!role) { + return res.status(404).json({ error: '角色不存在' }); + } + if (!['approved', 'failed'].includes(role.reviewStatus)) { + return res.status(400).json({ error: `当前状态为 ${role.reviewStatus},无法同步(需 approved 或 failed)` }); + } + + // 获取 Hermes webhook URL:优先用请求参数,否则用全局配置 + let hermesUrl = webhookUrl; + if (!hermesUrl) { + const config = await prisma.systemConfig.findUnique({ where: { key: 'HERMES_WEBHOOK_URL' } }); + hermesUrl = config?.value; + } + if (!hermesUrl) { + return res.status(400).json({ error: '未配置 Hermes webhook URL' }); + } + + // SSRF 防护:校验 webhookUrl + const urlCheck = validateWebhookUrl(hermesUrl); + if (!urlCheck.ok) { + return res.status(400).json({ error: urlCheck.error }); + } + hermesUrl = urlCheck.url.toString(); + + // 获取 EternalAI 自身基础 URL(供 Hermes 回调拉取文件) + // 优先使用环境变量 BASE_URL,避免 Host 头被伪造 + const baseUrl = process.env.BASE_URL || (req.protocol + '://' + req.get('host')); + + // 生成 sync_token + const syncToken = await generateSyncToken(role.id, req.adminId); + + // 更新状态为 syncing + await prisma.role.update({ + where: { id: role.id }, + data: { reviewStatus: 'syncing' }, + }); + + // 向 Hermes POST 同步请求 + const payload = { + profileName, + modelKey, + provider, + multimediaModelKey, + multimediaProvider, + enableSchedule: !!enableSchedule, + syncToken, + filePullBaseUrl: baseUrl, + roleId: role.id, + }; + + const result = await postSync(hermesUrl, payload); + + // 同步成功,存储二维码 URL + const updated = await prisma.role.update({ + where: { id: role.id }, + data: { + reviewStatus: 'synced', + qrCodeUrl: result.qrCodeUrl || null, + syncedAt: new Date(), + }, + select: { + id: true, + displayName: true, + reviewStatus: true, + qrCodeUrl: true, + syncedAt: true, + }, + }); + + res.json({ role: updated, profileId: result.profileId }); + } catch (err) { + console.error('同步失败:', err); + + // 同步失败,仅当当前状态为 syncing 时才回滚为 failed(避免误覆盖 approved) + try { + const current = await prisma.role.findUnique({ + where: { id: req.params.roleId }, + select: { reviewStatus: true }, + }); + if (current && current.reviewStatus === 'syncing') { + await prisma.role.update({ + where: { id: req.params.roleId }, + data: { reviewStatus: 'failed' }, + }); + } + } catch (updateErr) { + console.error('更新失败状态出错:', updateErr); + } + + res.status(500).json({ error: '同步失败,请稍后重试或检查 Hermes 服务状态' }); + } +}); + +// 管理员强制重置 syncing 卡死状态(恢复路径) +router.post('/:roleId/reset', adminAuthMiddleware, async (req, res) => { + try { + const role = await prisma.role.findUnique({ where: { id: req.params.roleId } }); + if (!role) { + return res.status(404).json({ error: '角色不存在' }); + } + if (role.reviewStatus !== 'syncing') { + return res.status(400).json({ error: `当前状态为 ${role.reviewStatus},仅 syncing 状态可重置` }); + } + const updated = await prisma.role.update({ + where: { id: req.params.roleId }, + data: { reviewStatus: 'failed' }, + select: { id: true, displayName: true, reviewStatus: true }, + }); + res.json({ role: updated }); + } catch (err) { + console.error('重置同步状态失败:', err); + res.status(500).json({ error: '重置失败' }); + } +}); + +module.exports = router; diff --git a/src/routes/admin.js b/src/routes/admin.js new file mode 100644 index 0000000..e7209ae --- /dev/null +++ b/src/routes/admin.js @@ -0,0 +1,132 @@ +const express = require('express'); +const prisma = require('../lib/prisma'); +const { adminAuthMiddleware } = require('../lib/auth'); + +const router = express.Router(); + +// 获取待审核列表 +router.get('/reviews', adminAuthMiddleware, async (req, res) => { + try { + const { status } = req.query; + // 分页参数校验:默认 page=1, pageSize=20,限制最大 100 + const page = Math.max(1, Math.floor(Number(req.query.page) || 1)); + const pageSize = Math.min(100, Math.max(1, Math.floor(Number(req.query.pageSize) || 20))); + if (Number.isNaN(page) || Number.isNaN(pageSize)) { + return res.status(400).json({ error: 'page 和 pageSize 必须为正整数' }); + } + const where = status ? { reviewStatus: status } : { reviewStatus: 'pending_review' }; + + const [roles, total] = await Promise.all([ + prisma.role.findMany({ + where, + orderBy: { createdAt: 'desc' }, + skip: (page - 1) * pageSize, + take: pageSize, + select: { + id: true, + displayName: true, + creatorId: true, + reviewStatus: true, + reviewNote: true, + qrCodeUrl: true, + syncedAt: true, + createdAt: true, + }, + }), + prisma.role.count({ where }), + ]); + + res.json({ roles, total, page, pageSize }); + } catch (err) { + console.error('获取审核列表失败:', err); + res.status(500).json({ error: '服务器错误' }); + } +}); + +// 获取角色详情(审核用) +router.get('/reviews/:roleId', adminAuthMiddleware, async (req, res) => { + try { + const role = await prisma.role.findUnique({ + where: { id: req.params.roleId }, + }); + if (!role) { + return res.status(404).json({ error: '角色不存在' }); + } + res.json({ role }); + } catch (err) { + console.error('获取角色详情失败:', err); + res.status(500).json({ error: '服务器错误' }); + } +}); + +// 通过审核 +router.post('/reviews/:roleId/approve', adminAuthMiddleware, async (req, res) => { + try { + const role = await prisma.role.findUnique({ where: { id: req.params.roleId } }); + if (!role) { + return res.status(404).json({ error: '角色不存在' }); + } + if (role.reviewStatus !== 'pending_review') { + return res.status(400).json({ error: `当前状态为 ${role.reviewStatus},无法通过审核` }); + } + + const updated = await prisma.role.update({ + where: { id: req.params.roleId }, + data: { reviewStatus: 'approved' }, + select: { id: true, displayName: true, reviewStatus: true }, + }); + res.json({ role: updated }); + } catch (err) { + console.error('通过审核失败:', err); + res.status(500).json({ error: '操作失败' }); + } +}); + +// 驳回审核 +router.post('/reviews/:roleId/reject', adminAuthMiddleware, async (req, res) => { + try { + const { reviewNote } = req.body; + const role = await prisma.role.findUnique({ where: { id: req.params.roleId } }); + if (!role) { + return res.status(404).json({ error: '角色不存在' }); + } + if (role.reviewStatus !== 'pending_review') { + return res.status(400).json({ error: `当前状态为 ${role.reviewStatus},无法驳回` }); + } + + const updated = await prisma.role.update({ + where: { id: req.params.roleId }, + data: { reviewStatus: 'rejected', reviewNote: reviewNote || null }, + select: { id: true, displayName: true, reviewStatus: true, reviewNote: true }, + }); + res.json({ role: updated }); + } catch (err) { + console.error('驳回审核失败:', err); + res.status(500).json({ error: '操作失败' }); + } +}); + +// 获取所有角色同步状态 +router.get('/sync-status', adminAuthMiddleware, async (req, res) => { + try { + const roles = await prisma.role.findMany({ + where: { reviewStatus: { in: ['approved', 'syncing', 'synced', 'failed'] } }, + orderBy: { createdAt: 'desc' }, + select: { + id: true, + displayName: true, + creatorId: true, + reviewStatus: true, + qrCodeUrl: true, + syncedAt: true, + createdAt: true, + }, + }); + res.json({ roles }); + } catch (err) { + console.error('获取同步状态失败:', err); + res.status(500).json({ error: '服务器错误' }); + } +}); + +module.exports = router; diff --git a/src/routes/hermes.js b/src/routes/hermes.js index 08a85b2..4b2f50e 100644 --- a/src/routes/hermes.js +++ b/src/routes/hermes.js @@ -1,6 +1,7 @@ const express = require('express'); const prisma = require('../lib/prisma'); const { apiKeyMiddleware } = require('../lib/auth'); +const { verifySyncToken } = require('../lib/sync-token'); const router = express.Router(); @@ -40,31 +41,67 @@ function adaptToHermesConfig(role) { return lines.join('\n'); } +// 统一认证中间件:支持 sync_token、API Key、JWT 三种认证方式 +async function hermesAuthMiddleware(req, res, next) { + // 优先检查 X-Sync-Token header(Hermes 回调拉取) + const syncTokenHeader = req.headers['x-sync-token']; + if (syncTokenHeader) { + try { + const payload = await verifySyncToken(syncTokenHeader); + if (!payload) { + return res.status(401).json({ error: 'sync_token 无效或已过期' }); + } + // 验证 token 中的 roleId 与 URL 中的 :id 一致 + if (payload.roleId !== req.params.id) { + return res.status(403).json({ error: 'sync_token 与请求的角色不匹配' }); + } + // 通过 Role.creatorId 反查 userId + const role = await prisma.role.findUnique({ + where: { id: req.params.id }, + select: { creatorId: true }, + }); + if (!role) { + return res.status(404).json({ error: '角色不存在' }); + } + req.userId = role.creatorId; + req.authMethod = 'sync_token'; + req.syncTokenPayload = payload; + return next(); + } catch (err) { + console.error('sync_token 验证失败:', err); + return res.status(500).json({ error: '认证失败' }); + } + } + + // 否则走原有 apiKeyMiddleware(支持 API Key 和 JWT) + return apiKeyMiddleware(req, res, next); +} + // GET /api/hermes/roles/:id/SOUL.md — 返回 SOUL.md 内容 -router.get('/roles/:id/SOUL.md', apiKeyMiddleware, async (req, res) => { +router.get('/roles/:id/SOUL.md', hermesAuthMiddleware, async (req, res) => { try { const role = await prisma.role.findUnique({ where: { id: req.params.id }, select: { id: true, creatorId: true, displayName: true, soulMd: true }, }); if (!role) { - return res.status(404).json({ error: 'Role not found' }); + return res.status(404).json({ error: '角色不存在' }); } if (role.creatorId !== req.userId) { - return res.status(403).json({ error: 'Forbidden: not the role owner' }); + return res.status(403).json({ error: '无权访问该角色' }); } if (!role.soulMd) { - return res.status(404).json({ error: 'SOUL.md not generated for this role' }); + return res.status(404).json({ error: '该角色尚未生成 SOUL.md' }); } res.type('text/plain').send(role.soulMd); } catch (err) { console.error('获取 SOUL.md 失败:', err); - res.status(500).json({ error: 'Server error' }); + res.status(500).json({ error: '服务器错误' }); } }); // GET /api/hermes/roles/:id/config.yaml — 返回适配后的 Hermes config.yaml -router.get('/roles/:id/config.yaml', apiKeyMiddleware, async (req, res) => { +router.get('/roles/:id/config.yaml', hermesAuthMiddleware, async (req, res) => { try { const role = await prisma.role.findUnique({ where: { id: req.params.id }, @@ -81,16 +118,16 @@ router.get('/roles/:id/config.yaml', apiKeyMiddleware, async (req, res) => { }, }); if (!role) { - return res.status(404).json({ error: 'Role not found' }); + return res.status(404).json({ error: '角色不存在' }); } if (role.creatorId !== req.userId) { - return res.status(403).json({ error: 'Forbidden: not the role owner' }); + return res.status(403).json({ error: '无权访问该角色' }); } const config = adaptToHermesConfig(role); res.type('text/plain').send(config); } catch (err) { console.error('获取 config.yaml 失败:', err); - res.status(500).json({ error: 'Server error' }); + res.status(500).json({ error: '服务器错误' }); } }); diff --git a/src/routes/mock-hermes.js b/src/routes/mock-hermes.js new file mode 100644 index 0000000..4d580ee --- /dev/null +++ b/src/routes/mock-hermes.js @@ -0,0 +1,64 @@ +const express = require('express'); +const { verifySyncToken } = require('../lib/sync-token'); + +const router = express.Router(); + +// Mock Hermes 同步端点 — 模拟 Hermes 接收同步请求并回调拉取文件 +// 仅在非 production 环境注册 +router.post('/sync', async (req, res) => { + try { + const { syncToken, filePullBaseUrl, roleId, profileName } = req.body; + + if (!syncToken || !filePullBaseUrl || !roleId) { + return res.status(400).json({ error: '缺少必要参数' }); + } + + // 验证 sync_token + const payload = await verifySyncToken(syncToken); + if (!payload) { + return res.status(401).json({ error: 'sync_token 无效或已过期' }); + } + + // 验证 roleId 匹配 + if (payload.roleId !== roleId) { + return res.status(403).json({ error: 'roleId 与 sync_token 不匹配' }); + } + + // 回调拉取 SOUL.md + const soulResponse = await fetch(`${filePullBaseUrl}/api/hermes/roles/${roleId}/SOUL.md`, { + headers: { 'X-Sync-Token': syncToken }, + }); + if (!soulResponse.ok) { + return res.status(500).json({ error: `拉取 SOUL.md 失败: ${soulResponse.status}` }); + } + const soulMd = await soulResponse.text(); + + // 回调拉取 config.yaml + const configResponse = await fetch(`${filePullBaseUrl}/api/hermes/roles/${roleId}/config.yaml`, { + headers: { 'X-Sync-Token': syncToken }, + }); + if (!configResponse.ok) { + return res.status(500).json({ error: `拉取 config.yaml 失败: ${configResponse.status}` }); + } + const configYaml = await configResponse.text(); + + // 模拟创建 profile 和生成二维码 + console.log(`[Mock Hermes] 创建 profile: ${profileName}`); + console.log(`[Mock Hermes] SOUL.md 长度: ${soulMd.length}`); + console.log(`[Mock Hermes] config.yaml 长度: ${configYaml.length}`); + + const qrCodeUrl = `https://mock.hermes.local/qr/${roleId}`; + const profileId = `mock-profile-${roleId}`; + + res.json({ + qrCodeUrl, + profileId, + message: 'Profile 创建成功(mock)', + }); + } catch (err) { + console.error('[Mock Hermes] 同步失败:', err); + res.status(500).json({ error: err.message || '同步失败' }); + } +}); + +module.exports = router; diff --git a/src/routes/roles.js b/src/routes/roles.js index 96b5c40..bf815e1 100644 --- a/src/routes/roles.js +++ b/src/routes/roles.js @@ -4,11 +4,11 @@ const { authMiddleware } = require('../lib/auth'); const router = express.Router(); -// 获取角色库(所有已上架角色) +// 获取角色库(仅显示已同步完成的角色) router.get('/', async (req, res) => { try { const roles = await prisma.role.findMany({ - where: { status: 'running' }, + where: { reviewStatus: 'synced' }, orderBy: { createdAt: 'desc' }, select: { id: true, @@ -26,7 +26,7 @@ router.get('/', async (req, res) => { } }); -// 获取角色详情 +// 获取角色详情(仅显示已同步完成的角色) router.get('/:id', async (req, res) => { try { const role = await prisma.role.findUnique({ @@ -46,11 +46,16 @@ router.get('/:id', async (req, res) => { speechStyle: true, greeting: true, creatorId: true, + reviewStatus: true, }, }); if (!role) { return res.status(404).json({ error: '角色不存在' }); } + // 角色库仅展示已同步的角色 + if (role.reviewStatus !== 'synced') { + return res.status(404).json({ error: '角色不存在' }); + } res.json({ role }); } catch (err) { console.error('获取角色详情失败:', err); @@ -58,12 +63,25 @@ router.get('/:id', async (req, res) => { } }); -// 获取当前用户创建的角色 +// 获取当前用户创建的角色(含审核状态和二维码) router.get('/my/roles', authMiddleware, async (req, res) => { try { const roles = await prisma.role.findMany({ where: { creatorId: req.userId }, orderBy: { createdAt: 'desc' }, + select: { + id: true, + displayName: true, + avatar: true, + desc: true, + price: true, + status: true, + reviewStatus: true, + reviewNote: true, + qrCodeUrl: true, + syncedAt: true, + createdAt: true, + }, }); res.json({ roles }); } catch (err) { @@ -108,6 +126,7 @@ router.post('/', authMiddleware, async (req, res) => { desc: data.desc || data.personality.slice(0, 50), price: parseFloat(data.price) || 0, status: 'running', + reviewStatus: 'pending_review', }, }); @@ -130,6 +149,9 @@ router.put('/:id', authMiddleware, async (req, res) => { } const data = req.body; + // 若编辑已同步(synced)的角色,重置为 pending_review,需重新审核 + 同步 + // 防止 Hermes 端的 profile 与 EternalAI 端的角色数据不一致 + const shouldResetReview = existing.reviewStatus === 'synced'; const role = await prisma.role.update({ where: { id: req.params.id }, data: { @@ -157,10 +179,19 @@ router.put('/:id', authMiddleware, async (req, res) => { desc: data.desc ?? existing.desc, price: parseFloat(data.price) || existing.price, status: data.status ?? existing.status, + // 编辑后重置审核状态(仅当当前为 synced 时) + ...(shouldResetReview + ? { reviewStatus: 'pending_review', reviewNote: null, qrCodeUrl: null, syncedAt: null } + : {}), }, }); - res.json({ role }); + res.json({ + role, + reviewReset: shouldResetReview + ? '角色已编辑,审核状态已重置为 pending_review,需重新审核与同步' + : null, + }); } catch (err) { console.error('编辑角色失败:', err); res.status(500).json({ error: '编辑失败' });
扫描绑定后,即可在微信中与该角色对话
该角色已成功绑定微信