feat:访问控制和dashboard重启功能

2026-01-30 10:02:29 +08:00
parent 0e6a780c50
commit 0c4cc03efc
4 changed files with 119 additions and 83 deletions
--- a/index.js
+++ b/index.js
@@ -6,7 +6,7 @@ const config = require('./src/config/env');
 const { getConfiguredRepos } = require('./src/config/mappings');
 const { handleIssueEvent } = require('./src/logic/syncManager');
 const { handleJiraHook } = require('./src/logic/jiraSyncManager');
-const editorRoutes = require('./src/routes/editor');
+const editorRoutes = require('./src/routes/control');
 const logger = require('./src/utils/logger');

 const app = new Hono();
@@ -47,6 +47,30 @@ setInterval(() => {
    }
 }, 5 * 60 * 1000);

+//内网访问控制中间件：保护管理界面，只允许dotenv配置的域名访问
+const internalOnlyMiddleware = async (c, next) => {
+    const pathname = new URL(c.req.url).pathname;
+
+    if (pathname.startsWith('/hooks/')) {
+        return await next();
+    }
+
+    const host = (c.req.header('host') || '').split(':')[0];
+    const allowedHosts = config.app.dashboardAllowedHosts;
+
+    if (!allowedHosts.some(allowed => host === allowed || host.endsWith('.' + allowed))) {
+        logger.security(`Blocked access from unauthorized host: ${host}`, {
+            path: pathname,
+            ip: c.req.header('x-forwarded-for') || c.req.header('x-real-ip') || 'unknown'
+        });
+        return c.text('Forbidden - Access denied from this domain', 403);
+    }
+
+    await next();
+};
+
+app.use('*', internalOnlyMiddleware);
+
 //Gitea webhook处理入口
 app.post('/hooks/gitea', rateLimiter, async (c) => {
    try {