From ebe2d250f3d083835b12685e276edbc05396da6b Mon Sep 17 00:00:00 2001
From: User
Date: Thu, 16 Apr 2026 21:37:03 +0800
Subject: [PATCH] feat(security): enhance JWT secret auto-generation warning

Add prominent warning messages when JWT secret is auto-generated:
- Use multi-line banner format for better visibility
- Include actionable guidance for production deployments
- Update both setup.go and security_secret_bootstrap.go

This helps operators notice the security concern and take appropriate action before deploying to production.
---
 .../internal/repository/security_secret_bootstrap.go | 12 +++++++++++-
 backend/internal/setup/setup.go | 12 ++++++++++--
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/backend/internal/repository/security_secret_bootstrap.go b/backend/internal/repository/security_secret_bootstrap.go
index e773c238..fb874bcc 100644
--- a/backend/internal/repository/security_secret_bootstrap.go
+++ b/backend/internal/repository/security_secret_bootstrap.go
@@ -14,6 +14,7 @@ import (
 "github.com/Wei-Shaw/sub2api/ent"
 "github.com/Wei-Shaw/sub2api/ent/securitysecret"
 "github.com/Wei-Shaw/sub2api/internal/config"
+ "github.com/Wei-Shaw/sub2api/internal/pkg/logger"
 )
 
 const (
@@ -52,7 +53,16 @@ func ensureBootstrapSecrets(ctx context.Context, client *ent.Client, cfg *config
 cfg.JWT.Secret = secret
 if created {
- log.Println("Warning: JWT secret auto-generated and persisted to database. Consider rotating to a managed secret for production.")
+ // 使用更醒目的告警格式,便于运维识别
+ log.Println("================================================================================")
+ log.Println("⚠️ SECURITY WARNING: JWT secret auto-generated and persisted to database")
+ log.Println(" This secret will be used for all JWT token signing.")
+ log.Println(" For production deployments, consider:")
+ log.Println(" 1. Set JWT_SECRET environment variable before first startup")
+ log.Println(" 2. Or set jwt.secret in config.yaml")
+ log.Println(" Auto-generated secrets persist across restarts but should be rotated.")
+ log.Println("================================================================================")
+ logger.LegacyPrintf("security", "JWT secret auto-generated and persisted. Consider rotating to a managed secret for production.")
 }
 return nil
 }
diff --git a/backend/internal/setup/setup.go b/backend/internal/setup/setup.go
index 925b2138..5acdbd3b 100644
--- a/backend/internal/setup/setup.go
+++ b/backend/internal/setup/setup.go
@@ -297,7 +297,11 @@ func Install(cfg *SetupConfig) error {
 return fmt.Errorf("failed to generate jwt secret: %w", err)
 }
 cfg.JWT.Secret = secret
- logger.LegacyPrintf("setup", "%s", "Warning: JWT secret auto-generated. Consider setting a fixed secret for production.")
+ // 使用更醒目的告警格式
+ logger.LegacyPrintf("setup", "================================================================================")
+ logger.LegacyPrintf("setup", "⚠️ SECURITY WARNING: JWT secret auto-generated")
+ logger.LegacyPrintf("setup", " For production, set JWT_SECRET environment variable or jwt.secret in config.yaml")
+ logger.LegacyPrintf("setup", "================================================================================")
 }
 
 // Test connections
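Review bot: The guidance line `1. Set JWT_SECRET environment variable before first startup` is not actionable for the operator who reads it, because by the time the banner prints the secret has already been generated and persisted, and the hunk does not show whether a secret supplied later via environment or config takes precedence over the stored row. If a configured value does override the persisted one, say so on that line and drop "before first startup"; if it does not, the banner should name the rotation mechanism (or point to its documentation) instead of only saying the secret "should be rotated". Separately, the warning is now emitted twice — eight `log.Println` records followed by one `logger.LegacyPrintf("security", ...)` record — and each `log.Println` call is its own record with its own prefix, so the banner can interleave with any other output written during startup; assembling the text once and emitting it with a single `log.Printf("\n%s", banner)` keeps it contiguous. If both sinks are intentional, replace the Chinese comment with an English why-comment such as `// banner on the standard logger for console visibility; one-line record via logger for aggregation`. ensureBootstrapSecrets begins before this hunk.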
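Review bot: The five-line banner added after `cfg.JWT.Secret = secret` in Install is duplicated verbatim in AutoSetupFromEnv (the following hunk at `@@ -594,7 +598,11 @@`); move the four `logger.LegacyPrintf("setup", ...)` calls into one unexported helper such as `warnGeneratedJWTSecret()` and call it from both functions so the wording cannot drift between the two setup paths. The replaced line passed its text through `"%s"`, whereas the new calls pass the banner text directly as the format argument; that is safe here only because none of the literals contains a `%` verb, so the helper is the right place to keep the `"%s"` form for future edits. The `// 使用更醒目的告警格式` comment restates what the code does and is in a different language from the surrounding log text; drop it or replace it with an English why-comment, e.g. `// Multi-line banner so the generated-secret warning stands out in setup logs.`. Install's body starts before and continues past this hunk.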
@@ -594,7 +598,11 @@ func AutoSetupFromEnv() error {
 return fmt.Errorf("failed to generate jwt secret: %w", err)
 }
 cfg.JWT.Secret = secret
- logger.LegacyPrintf("setup", "%s", "Warning: JWT secret auto-generated. Consider setting a fixed secret for production.")
+ // 使用更醒目的告警格式
+ logger.LegacyPrintf("setup", "================================================================================")
+ logger.LegacyPrintf("setup", "⚠️ SECURITY WARNING: JWT secret auto-generated")
+ logger.LegacyPrintf("setup", " For production, set JWT_SECRET environment variable or jwt.secret in config.yaml")
+ logger.LegacyPrintf("setup", "================================================================================")
 }
 
 // Test database connection