fix: 移除后台登录默认凭据

This commit is contained in:
2026-07-09 16:45:09 +08:00
parent 55333445f4
commit ef24868105
5 changed files with 53 additions and 10 deletions

View File

@@ -21,7 +21,7 @@ const admin = ref<AdminProfile | null>(null);
const activeMenu = ref("dashboard");
const loading = ref(false);
const loginForm = reactive({ username: "admin", password: "admin123456" });
const loginForm = reactive({ username: "", password: "" });
const stats = ref<DashboardStats | null>(null);
const dashboardFilters = reactive({
start: "",
@@ -1068,9 +1068,9 @@ function formatRecordDateTime(value: string, boundary: "start" | "end") {
<h2>登录答疑后台</h2>
<p>请输入大本营答疑助手后台管理员账号和密码</p>
</div>
<el-form label-position="top" @submit.prevent="login">
<el-form label-position="top" autocomplete="off" @submit.prevent="login">
<el-form-item label="管理员账号">
<el-input v-model="loginForm.username" size="large" placeholder="请输入管理员账号" />
<el-input v-model="loginForm.username" size="large" placeholder="请输入管理员账号" autocomplete="off" />
</el-form-item>
<el-form-item label="密码">
<el-input
@@ -1078,6 +1078,7 @@ function formatRecordDateTime(value: string, boundary: "start" | "end") {
size="large"
type="password"
placeholder="请输入密码"
autocomplete="new-password"
show-password
/>
</el-form-item>

View File

@@ -40,6 +40,7 @@ CHAT_MAX_QUEUE_SIZE=20
CHAT_QUEUE_TIMEOUT_SECONDS=60
CHAT_ACTIVE_LEASE_SECONDS=900
# 本地开发可以使用开发密码;生产环境必须改成高强度密码,且 APP_ENV=production 时不能使用 admin123456
BOOTSTRAP_ADMIN_USERNAME=admin
BOOTSTRAP_ADMIN_PASSWORD=admin123456
BOOTSTRAP_ADMIN_NAME=系统管理员

View File

@@ -60,8 +60,8 @@ class Settings(BaseSettings):
chat_max_queue_size: int = 20
chat_queue_timeout_seconds: int = 60
chat_active_lease_seconds: int = 900
bootstrap_admin_username: str = "admin"
bootstrap_admin_password: str = "admin123456"
bootstrap_admin_username: str = ""
bootstrap_admin_password: str = ""
bootstrap_admin_name: str = "系统管理员"

View File

@@ -15,6 +15,44 @@ from app.models.logs import AiRequestLog, OperationLog
from app.models.user import User
DEVELOPMENT_ENVS = {"local", "dev", "development", "docker", "test", "testing"}
UNSAFE_BOOTSTRAP_PASSWORDS = {
"123456",
"admin",
"admin123456",
"change-me-in-production",
"password",
"replace-with-strong-password",
}
def _is_production_env(app_env: str) -> bool:
return app_env.strip().lower() not in DEVELOPMENT_ENVS
def _get_bootstrap_admin_config() -> tuple[str, str, str]:
settings = get_settings()
username = settings.bootstrap_admin_username.strip()
password = settings.bootstrap_admin_password
name = settings.bootstrap_admin_name.strip() or username
if not username or not password:
raise HTTPException(
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
detail="未配置首个管理员初始化账号,请配置 BOOTSTRAP_ADMIN_USERNAME/BOOTSTRAP_ADMIN_PASSWORD",
)
if _is_production_env(settings.app_env):
normalized_password = password.strip().lower()
if normalized_password in UNSAFE_BOOTSTRAP_PASSWORDS or len(password) < 12:
raise HTTPException(
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
detail="生产环境首个管理员初始化密码不安全,请重新配置 BOOTSTRAP_ADMIN_PASSWORD",
)
return username, password, name
class AdminAuthService:
@classmethod
def login(cls, db: Session, username: str, password: str) -> dict:
@@ -47,11 +85,11 @@ class AdminAuthService:
has_admin = db.scalar(select(func.count(Admin.id))) or 0
if has_admin:
return
settings = get_settings()
username, password, name = _get_bootstrap_admin_config()
admin = Admin(
username=settings.bootstrap_admin_username,
password=hash_password(settings.bootstrap_admin_password),
name=settings.bootstrap_admin_name,
username=username,
password=hash_password(password),
name=name,
status=1,
)
db.add(admin)