Feature/user auth guest mode feat: 添加用户认证访客模式和完善登录功能#6
Feature/user auth guest mode feat: 添加用户认证访客模式和完善登录功能#6xiaoshuai155vv wants to merge 2 commits intomainfrom
Conversation
- 新增访客登录功能 (POST /api/auth/guest),支持邮箱/手机号快速登录 - 访客用户自动创建,角色为 guest,无需注册 - 修复 GitHub OAuth 回调 500 错误,使用 generateTokenForUser 直接生成 Token - 前端登录页添加深色主题,与 Dashboard 页面风格一致 - 未登录访问首页自动跳转到 /login - Gateway 添加 User Service 和 Web IDE Backend 完整路由配置 - 后端 SecurityConfig 信任 Gateway 注入的 X-User-Id 等头信息 - 新增前端 API 拦截器统一处理 401/403 错误 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- 新增 Gateway 服务完整的 JWT 认证路由配置 - 新增 User Service 微服务基础架构(Controller, Service, Repository, Entity) - 新增 Docker 配置文件(Dockerfile, docker-compose) - 完善后端 SecurityConfig 信任 Gateway 注入的用户信息 - 新增数据库迁移脚本(Flyway) - 新增 JWT 认证过滤器(Gateway + User Service) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary of ChangesHello @xiaoshuai155vv, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! 本次拉取请求引入了 Forge 平台的全新用户认证和授权系统,核心是新增了一个独立的 User Service,支持访客模式、本地账号、Keycloak SSO 和 GitHub OAuth 等多种登录方式。同时,API Gateway 得到了全面配置,负责统一路由和 JWT 验证,前端也进行了相应更新,包括登录页面的深色主题和未登录重定向,并引入了 API 拦截器以增强用户体验和安全性。此外,还提供了详尽的设计、实施和使用文档,确保了新功能的完整性和可维护性。 Highlights
Changelog
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This PR successfully implements user authentication's guest mode and improves login functionality, covering the complete chain from backend User Service to Gateway routing and frontend integration, adopting an RBAC model and supporting multiple identity sources. However, a critical authentication bypass vulnerability exists where internal services trust identity headers without source verification, potentially leading to impersonation. Additionally, the OrganizationController lacks permission checks, and several hardcoded secrets, insecure CORS configurations, and incomplete brute force protection logic were identified. There are also hardcoding issues (e.g., gateway service address, token refresh user info) and potential risks from manually constructing JSON strings. It is recommended to address these issues to enhance security, maintainability, and adaptability.
| val xUserId = request.getHeader(HEADER_USER_ID) | ||
| val userAccount = request.getHeader(HEADER_USER_ACCOUNT) | ||
| val xUserRoles = request.getHeader(HEADER_USER_ROLES) | ||
|
|
||
| // 优先从 user-account JSON 解析 | ||
| if (!userAccount.isNullOrBlank()) { | ||
| try { | ||
| val userNode = objectMapper.readTree(userAccount) | ||
| val userId = userNode.get("userId")?.asText() ?: xUserId | ||
| val username = userNode.get("username")?.asText() ?: "" | ||
| val rolesNode = userNode.get("roles") | ||
| val roles = if (rolesNode != null && rolesNode.isArray) { | ||
| rolesNode.map { it.asText() } | ||
| } else { | ||
| xUserRoles?.split(",")?.filter { it.isNotBlank() } ?: listOf("user") | ||
| } | ||
|
|
||
| setAuthentication(userId, username, roles, request) | ||
| } catch (e: Exception) { | ||
| // JSON 解析失败,尝试从单独的头读取 | ||
| if (!xUserId.isNullOrBlank()) { | ||
| val roles = xUserRoles?.split(",")?.filter { it.isNotBlank() } ?: listOf("user") | ||
| setAuthentication(xUserId, "", roles, request) | ||
| } | ||
| } | ||
| } | ||
| // 其次从 X-User-Id 头读取 | ||
| else if (!xUserId.isNullOrBlank()) { | ||
| val roles = xUserRoles?.split(",")?.filter { it.isNotBlank() } ?: listOf("user") | ||
| setAuthentication(xUserId, "", roles, request) | ||
| } |
There was a problem hiding this comment.
The JwtAuthenticationFilter trusts identity headers (X-User-Id, user-account, X-User-Roles) to establish the security context for a request. These headers are intended to be injected by the API Gateway after it validates a JWT. However, the service does not verify that the request actually originated from the trusted Gateway. If an attacker can reach this service directly, they can spoof these headers to impersonate any user and assume any role, including admin.
| override fun doFilter(request: jakarta.servlet.ServletRequest, response: jakarta.servlet.ServletResponse, chain: jakarta.servlet.FilterChain) { | ||
| val httpRequest = request as HttpServletRequest | ||
|
|
||
| val xUserId = httpRequest.getHeader(SecurityConfig.HEADER_USER_ID) | ||
| val userAccount = httpRequest.getHeader(SecurityConfig.HEADER_USER_ACCOUNT) | ||
| val xUserRoles = httpRequest.getHeader(SecurityConfig.HEADER_USER_ROLES) | ||
|
|
||
| // 如果有 Gateway 注入的用户信息,设置认证 | ||
| if (!userAccount.isNullOrBlank()) { | ||
| try { | ||
| val userNode = objectMapper.readTree(userAccount) | ||
| val userId = userNode.get("userId")?.asText() ?: xUserId | ||
| val rolesNode = userNode.get("roles") | ||
| val roles = if (rolesNode != null && rolesNode.isArray) { | ||
| rolesNode.map { SimpleGrantedAuthority("ROLE_${it.asText().uppercase()}") } | ||
| } else { | ||
| parseRoles(xUserRoles) | ||
| } | ||
|
|
||
| val authentication = UsernamePasswordAuthenticationToken(userId, null, roles) | ||
| SecurityContextHolder.getContext().authentication = authentication | ||
| } catch (e: Exception) { | ||
| // 解析失败,静默忽略,让后续 JWT 验证处理 | ||
| } | ||
| } else if (!xUserId.isNullOrBlank()) { | ||
| // 只有 X-User-Id,使用默认角色 | ||
| val roles = parseRoles(xUserRoles) | ||
| val authentication = UsernamePasswordAuthenticationToken(xUserId, null, roles) | ||
| SecurityContextHolder.getContext().authentication = authentication | ||
| } | ||
|
|
||
| chain.doFilter(request, response) | ||
| } |
There was a problem hiding this comment.
The GatewayAuthenticationFilter trusts identity headers (X-User-Id, user-account, X-User-Roles) to establish the security context. It does not verify that these headers come from a trusted source. Furthermore, since this filter is added before the JWT validation filter, an attacker can bypass JWT validation entirely by providing a spoofed user-account header.
| class JwtAuthenticationFilter : AbstractGatewayFilterFactory<JwtAuthenticationFilter.Config>(Config::class.java) { | ||
|
|
||
| companion object { | ||
| private const val DEFAULT_JWT_SECRET = "your_jwt_secret_key_at_least_32_chars_here" |
There was a problem hiding this comment.
硬编码默认的 JWT 密钥是一个严重的安全风险。如果环境变量 JWT_SECRET 未设置,系统将回退到这个已知的密钥,从而允许攻击者伪造 Token。建议移除默认值,并确保在密钥缺失时应用启动失败。
| @Valid @RequestBody request: CreateOrgRequest, | ||
| @RequestHeader("X-User-Id") userId: String | ||
| ): ResponseEntity<ApiResponse<OrgResponse>> { | ||
| return try { | ||
| val org = organizationService.createOrganization( | ||
| name = request.name, | ||
| ownerId = UUID.fromString(userId), | ||
| slug = request.slug, | ||
| description = request.description | ||
| ) | ||
| ResponseEntity | ||
| .status(HttpStatus.CREATED) | ||
| .body(ApiResponse.success(OrgResponse.from(org), "组织创建成功")) | ||
| } catch (e: Exception) { | ||
| ResponseEntity | ||
| .status(HttpStatus.BAD_REQUEST) | ||
| .body(ApiResponse.error(e.message ?: "创建失败")) | ||
| } | ||
| } | ||
|
|
||
| /** | ||
| * 获取组织详情 | ||
| * GET /api/orgs/{id} | ||
| */ | ||
| @GetMapping("/{id}") | ||
| fun getOrganization( | ||
| @PathVariable id: String, | ||
| @RequestHeader("X-User-Id") userId: String | ||
| ): ResponseEntity<ApiResponse<OrgResponse>> { | ||
| return try { | ||
| val org = organizationService.getOrganization(UUID.fromString(id)) | ||
| ResponseEntity.ok(ApiResponse.success(OrgResponse.from(org))) | ||
| } catch (e: Exception) { | ||
| ResponseEntity | ||
| .status(HttpStatus.NOT_FOUND) | ||
| .body(ApiResponse.error("组织不存在")) | ||
| } | ||
| } | ||
|
|
||
| /** | ||
| * 获取用户所属组织列表 | ||
| * GET /api/orgs | ||
| */ | ||
| @GetMapping | ||
| fun getMyOrganizations( | ||
| @RequestHeader("X-User-Id") userId: String | ||
| ): ResponseEntity<ApiResponse<List<OrgResponse>>> { | ||
| return try { | ||
| val orgs = organizationService.getOrganizationsByUserId(UUID.fromString(userId)) | ||
| ResponseEntity.ok(ApiResponse.success(orgs.map { OrgResponse.from(it) })) | ||
| } catch (e: Exception) { | ||
| ResponseEntity | ||
| .status(HttpStatus.INTERNAL_SERVER_ERROR) | ||
| .body(ApiResponse.error("获取组织列表失败")) | ||
| } | ||
| } | ||
|
|
||
| /** | ||
| * 添加组织成员 | ||
| * POST /api/orgs/{id}/members | ||
| */ | ||
| data class AddMemberRequest( | ||
| val userId: String, | ||
| val role: OrgRole = OrgRole.MEMBER | ||
| ) | ||
|
|
||
| @PostMapping("/{id}/members") | ||
| fun addMember( | ||
| @PathVariable id: String, | ||
| @Valid @RequestBody request: AddMemberRequest, | ||
| @RequestHeader("X-User-Id") currentUserId: String | ||
| ): ResponseEntity<ApiResponse<Unit>> { | ||
| return try { | ||
| organizationService.addMember( | ||
| orgId = UUID.fromString(id), | ||
| userId = UUID.fromString(request.userId), | ||
| role = request.role, | ||
| invitedBy = UUID.fromString(currentUserId) | ||
| ) | ||
| ResponseEntity.ok(ApiResponse.success(message = "成员添加成功")) | ||
| } catch (e: Exception) { | ||
| ResponseEntity | ||
| .status(HttpStatus.BAD_REQUEST) | ||
| .body(ApiResponse.error(e.message ?: "添加成员失败")) | ||
| } | ||
| } | ||
|
|
||
| /** | ||
| * 移除组织成员 | ||
| * DELETE /api/orgs/{id}/members/{userId} | ||
| */ | ||
| @DeleteMapping("/{id}/members/{userId}") | ||
| fun removeMember( | ||
| @PathVariable id: String, | ||
| @PathVariable userId: String, | ||
| @RequestHeader("X-User-Id") currentUserId: String | ||
| ): ResponseEntity<ApiResponse<Unit>> { | ||
| return try { | ||
| organizationService.removeMember( | ||
| orgId = UUID.fromString(id), | ||
| userId = UUID.fromString(userId) | ||
| ) | ||
| ResponseEntity.ok(ApiResponse.success(message = "成员移除成功")) | ||
| } catch (e: Exception) { | ||
| ResponseEntity | ||
| .status(HttpStatus.BAD_REQUEST) | ||
| .body(ApiResponse.error(e.message ?: "移除成员失败")) | ||
| } | ||
| } | ||
|
|
||
| /** | ||
| * 更新成员角色 | ||
| * PUT /api/orgs/{id}/members/{userId}/role | ||
| */ | ||
| data class UpdateRoleRequest( | ||
| val role: OrgRole | ||
| ) | ||
|
|
||
| @PutMapping("/{id}/members/{userId}/role") | ||
| fun updateMemberRole( | ||
| @PathVariable id: String, | ||
| @PathVariable userId: String, | ||
| @Valid @RequestBody request: UpdateRoleRequest, | ||
| @RequestHeader("X-User-Id") currentUserId: String | ||
| ): ResponseEntity<ApiResponse<Unit>> { | ||
| return try { | ||
| organizationService.updateMemberRole( | ||
| orgId = UUID.fromString(id), | ||
| userId = UUID.fromString(userId), | ||
| newRole = request.role | ||
| ) | ||
| ResponseEntity.ok(ApiResponse.success(message = "角色更新成功")) | ||
| } catch (e: Exception) { | ||
| ResponseEntity | ||
| .status(HttpStatus.BAD_REQUEST) | ||
| .body(ApiResponse.error(e.message ?: "更新角色失败")) | ||
| } | ||
| } | ||
|
|
||
| /** | ||
| * 获取组织成员列表 | ||
| * GET /api/orgs/{id}/members | ||
| */ | ||
| @GetMapping("/{id}/members") | ||
| fun getMembers( | ||
| @PathVariable id: String, | ||
| @RequestHeader("X-User-Id") userId: String | ||
| ): ResponseEntity<ApiResponse<List<MemberResponse>>> { | ||
| return try { | ||
| val members = organizationService.getMembers(UUID.fromString(id)) | ||
| ResponseEntity.ok(ApiResponse.success(members.map { MemberResponse.from(it) })) | ||
| } catch (e: Exception) { | ||
| ResponseEntity | ||
| .status(HttpStatus.INTERNAL_SERVER_ERROR) | ||
| .body(ApiResponse.error("获取成员列表失败")) | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
The OrganizationController lacks authorization checks on sensitive endpoints such as createOrganization, addMember, removeMember, and updateMemberRole. The application uses a PermissionInterceptor that enforces permissions only when the @RequirePermission annotation is present on a handler method. Since these methods lack the annotation, any authenticated user can perform these actions on any organization, provided they know the organization and user IDs.
| private const val USER_SERVICE_URL = "http://localhost:8086" | ||
| private const val WEB_IDE_BACKEND_URL = "http://localhost:8080" |
There was a problem hiding this comment.
在网关配置中硬编码了 localhost 地址。在 Docker 容器化部署环境中,这会导致网关无法连接到其他服务(因为 localhost 指向网关容器自身)。建议将这些地址提取到配置文件中,或者在 Docker 环境下使用服务名称(如 http://forge-user-service:8086)。
| // 默认管理员配置 | ||
| const val DEFAULT_ADMIN_USERNAME = "admin" | ||
| const val DEFAULT_ADMIN_EMAIL = "admin@forge.local" | ||
| const val DEFAULT_ADMIN_PASSWORD = "ForgeAdmin123!" |
There was a problem hiding this comment.
A default administrator account is created with a hardcoded password (ForgeAdmin123!). Hardcoding default credentials in the source code is a significant security risk, as they are often left unchanged in production. It is recommended to manage such sensitive information through environment variables or configuration files to avoid exposing it directly in the source code.
| allowed-origins-patterns: "*" | ||
| allowed-methods: GET,POST,PUT,DELETE,OPTIONS | ||
| allowed-headers: "*" | ||
| allow-credentials: true |
There was a problem hiding this comment.
The CORS configuration allows all origins via allowed-origins-patterns: "*" while also enabling allow-credentials: true. This is an insecure configuration that allows any malicious website to make authenticated requests to the API on behalf of a logged-in user, potentially leading to CSRF attacks or data exfiltration.
| val failKey = "login:fail:${loggedInUser.id}" | ||
| val failCount = redisTemplate.opsForValue().get(failKey)?.toIntOrNull() ?: 0 | ||
|
|
||
| if (failCount >= appConfig.security.maxLoginAttempts) { | ||
| recordLoginLog(loggedInUser.id.toString(), "password", ipAddress, false, "Too many attempts") | ||
| throw AuthenticationException("登录失败次数过多,请${appConfig.security.lockoutDurationMinutes}分钟后重试") | ||
| } |
There was a problem hiding this comment.
The login method checks a failed login counter in Redis but never actually increments it when a password check fails. This renders the brute force protection logic ineffective.
| secret: ${JWT_SECRET:your_jwt_secret_key_at_least_32_chars_here} | ||
| refresh-secret: ${JWT_REFRESH_SECRET:your_jwt_refresh_secret_key_at_least_32_chars} |
There was a problem hiding this comment.
The application contains hardcoded default values for JWT secrets. If the JWT_SECRET environment variable is not provided, the system falls back to these insecure, publicly known strings for signing and verifying tokens.
| return try { | ||
| // 从请求头获取用户信息,实际实现中应该调用 UserService | ||
| ResponseEntity.ok(ApiResponse.success(null)) | ||
| } catch (e: Exception) { |
There was a problem hiding this comment.
/api/auth/me 接口目前直接返回 null 数据。作为完善登录功能的一部分,建议完成此功能的实现,通过 userService 获取并返回真实的用户信息。
1 participant
User Service: 访客登录、GitHub OAuth 修复、SecurityConfig
Gateway: 完整路由配置
前端: 登录页深色主题、未登录跳转、API 拦截器
文档: 设计文档、实施计划、使用指南