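feat(auth): implement TOTP two-factor authentication

New features:
- Support TOTP second-factor verification with apps such as Google Authenticator
- Users can enable/disable 2FA in their personal settings
- Login supports the TOTP verification flow
- The admin console can switch the TOTP feature on or off globally

Security enhancements:
- TOTP secrets are stored encrypted with AES-256-GCM
- Add the TOTP_ENCRYPTION_KEY configuration item; it must be configured manually before the feature can be enabled
- Prevent a service restart from changing the encryption key and leaving users unable to log in
- Limit the number of failed verification attempts to prevent brute force

Configuration:
- Docker deployment: set TOTP_ENCRYPTION_KEY in .env
- Non-Docker deployment: set totp.encryption_key in config.yaml
- Key generation command: openssl rand -hex 32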
@@ -61,6 +61,18 @@ ADMIN_PASSWORD=
|
||||
JWT_SECRET=
|
||||
JWT_EXPIRE_HOUR=24
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# TOTP (2FA) Configuration
|
||||
# TOTP(双因素认证)配置
|
||||
# -----------------------------------------------------------------------------
|
||||
# IMPORTANT: Set a fixed encryption key for TOTP secrets. If left empty, a
|
||||
# random key will be generated on each startup, causing all existing TOTP
|
||||
# configurations to become invalid (users won't be able to login with 2FA).
|
||||
# Generate a secure key: openssl rand -hex 32
|
||||
# 重要:设置固定的 TOTP 加密密钥。如果留空,每次启动将生成随机密钥,
|
||||
# 导致现有的 TOTP 配置失效(用户无法使用双因素认证登录)。
|
||||
TOTP_ENCRYPTION_KEY=
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# Configuration File (Optional)
|
||||
# -----------------------------------------------------------------------------
|
||||
|
||||
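Review bot: the comment above `TOTP_ENCRYPTION_KEY=` contradicts the commit message on what an empty value does. The comment says a random key is generated on each startup, so enrolled users lose 2FA login after a restart, while the commit message says the key must be configured manually before the feature can be enabled. If the code refuses to enable TOTP without a key, the comment should say so. If it really falls back to a random key, that is a silent lockout path, and it would be safer to fail closed (keep TOTP disabled and log a clear error) when the key is empty.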
@@ -403,6 +403,21 @@ jwt:
|
||||
# 令牌过期时间(小时,最大 24)
|
||||
expire_hour: 24
|
||||
|
||||
# =============================================================================
|
||||
# TOTP (2FA) Configuration
|
||||
# TOTP 双因素认证配置
|
||||
# =============================================================================
|
||||
totp:
|
||||
# IMPORTANT: Set a fixed encryption key for TOTP secrets.
|
||||
# 重要:设置固定的 TOTP 加密密钥。
|
||||
# If left empty, a random key will be generated on each startup, causing all
|
||||
# existing TOTP configurations to become invalid (users won't be able to
|
||||
# login with 2FA).
|
||||
# 如果留空,每次启动将生成随机密钥,导致现有的 TOTP 配置失效(用户无法使用
|
||||
# 双因素认证登录)。
|
||||
# Generate with / 生成命令: openssl rand -hex 32
|
||||
encryption_key: ""
|
||||
|
||||
# =============================================================================
|
||||
# LinuxDo Connect OAuth Login (SSO)
|
||||
# LinuxDo Connect OAuth 登录(用于 Sub2API 用户登录)
|
||||
|
||||
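Review bot: the comment on `encryption_key: ""` gives the generation command but not the format the value must have. `openssl rand -hex 32` prints 64 hex characters, and AES-256 needs a 32-byte key, so the comment should state that the value is expected as 64 hex characters and what happens at startup when it is shorter, longer or not valid hex. It should also say which setting wins when both `totp.encryption_key` and the `TOTP_ENCRYPTION_KEY` environment variable are set, since the commit message documents them as alternatives for different deployment types.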
@@ -79,6 +79,16 @@ services:
|
||||
- JWT_SECRET=${JWT_SECRET:-}
|
||||
- JWT_EXPIRE_HOUR=${JWT_EXPIRE_HOUR:-24}
|
||||
|
||||
# =======================================================================
|
||||
# TOTP (2FA) Configuration
|
||||
# =======================================================================
|
||||
# IMPORTANT: Set a fixed encryption key for TOTP secrets. If left empty,
|
||||
# a random key will be generated on each startup, causing all existing
|
||||
# TOTP configurations to become invalid (users won't be able to login
|
||||
# with 2FA).
|
||||
# Generate a secure key: openssl rand -hex 32
|
||||
- TOTP_ENCRYPTION_KEY=${TOTP_ENCRYPTION_KEY:-}
|
||||
|
||||
# =======================================================================
|
||||
# Timezone Configuration
|
||||
# This affects ALL time operations in the application:
|
||||
|
||||
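Review bot: on the line `- TOTP_ENCRYPTION_KEY=${TOTP_ENCRYPTION_KEY:-}` the `:-` default passes an empty string into the container whenever the variable is missing from `.env`, so a deployment that forgot the key starts without any error at `docker compose up` and, per the comment above it, runs with a key that changes on every restart. Consider making the application log a prominent warning at startup when the value is empty, or documenting here that operators who enable 2FA must set the variable before first use. The comment block is also English only, while the matching blocks in the other two files are bilingual.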