
Add an environment variable to force-enable managed accounts #192

Open
edison0817 wants to merge 2 commits into
KuekHaoYang:mainfrom
edison0817:dev1

Conversation

@edison0817

Description

After deploying the project with Docker, Redis never generated an account, although database read records are visible. This environment variable was therefore added to skip the check and complete the deployment.

Add an environment variable to force-enable managed accounts; it can be used when the Redis configuration tests fine.

Related Issue

If there is a related Issue, link it here (e.g. Fixes #123).

Type of Change

Please delete the options that do not apply:

  • 📝 Documentation update
  • 🔧 Configuration change

Checklist

Before submitting the PR, please make sure you have completed the following checks:

  • I have read and followed the Contribution Guidelines
  • My code follows the project's code style
  • I have performed a self-review of the code I changed
  • I have commented the parts of the code that are hard to understand
  • I have updated the corresponding documentation (if applicable)
  • My changes produce no new warnings or errors
  • I have tested my changes and made sure they work as expected

Screenshots/Recordings

If your change involves UI/UX, please provide screenshots or recordings:

add environment variable to enable managed accounts
Add documentation for the force-enable managed accounts environment variable

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces a MANAGED_AUTH_ENABLED environment variable to force-enable managed authentication mode, bypassing the default checks for AUTH_SECRET and Redis. However, a critical issue was identified: because the managed authentication system strictly depends on Redis for storage and AUTH_SECRET for session signing, bypassing these checks entirely can lead to runtime crashes or login failures. It is recommended to ensure these dependencies are present even when the flag is enabled, as suggested by the reviewer.


Comment thread lib/server/auth.ts
Comment on lines +103 to +105
if (MANAGED_AUTH_ENABLED) {
return true;
}
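Review bot: the early `return true` on lines +103 to +105 skips the AUTH_SECRET and Redis checks outright, yet the PR description says Redis was reachable (database reads were visible) and still no account was generated, so the dependency check is not obviously what failed; forcing the mode on leaves that root cause in place and, as the comment below works through, moves the failure to the first login attempt. At minimum keep the presence check and log that the override is active (for example `console.warn('MANAGED_AUTH_ENABLED override active')`) so an operator can tell a forced mode from a detected one when reading the startup log, and document in the README what the variable does and does not bypass.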

high

⚠️ Potential runtime crash and authentication failure risk

If MANAGED_AUTH_ENABLED=true is forced in order to skip the AUTH_SECRET and Redis checks, the system will crash at runtime or be unable to log users in. This is because managed-account mode has a hard dependency on both of these configurations underneath:

  1. Redis dependency

    • In managed mode, account data must be persisted to Redis.
    • If getRedisClient() returns null (i.e. Redis is not configured), any call to saveManagedAccounts (for example when bootstrapping the initial account or creating/modifying an account) throws an uncaught exception: throw new Error('Managed auth storage unavailable'). The login or admin endpoints then return a 500 error directly.
  2. AUTH_SECRET dependency

    • In managed mode, session signing must use AUTH_SECRET.
    • If AUTH_SECRET is not configured, resolveSessionSecret('managed') returns null.
    • signSession then fails to sign, the login endpoint returns { valid: false, message: 'Session signing unavailable' } (status 500), and users cannot log in at all.

Recommendation

Even when MANAGED_AUTH_ENABLED is set, the most basic runtime dependencies (AUTH_SECRET and a Redis client) should still be verified to exist. If they are genuinely missing, return false safely and emit a warning, so that no runtime crash occurs when a user tries to log in.

Suggested change
if (MANAGED_AUTH_ENABLED) {
return true;
}
if (MANAGED_AUTH_ENABLED) {
if (!AUTH_SECRET || !getRedisClient()) {
console.warn('MANAGED_AUTH_ENABLED is set to true, but AUTH_SECRET or Redis client is missing.');
return false;
}
return true;
}
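The fail-closed decision the review recommends, written out as an added example that is not code from the project's lib/server/auth.ts nor the reviewer's suggestion itself. Only the variable names MANAGED_AUTH_ENABLED and AUTH_SECRET and the getRedisClient() name come from the page; the `AuthEnv`, `RedisLike` and `ManagedAuthDecision` shapes, `resolveManagedAuth`, `envFlag` and `fakeRedis` are assumptions made for this example, as is the premise that the default (non-forced) detection consists of exactly the same two dependency checks.

```typescript
// Added example, not the project's auth module. It models the decision the
// review discusses: a MANAGED_AUTH_ENABLED override must not switch managed
// mode on while AUTH_SECRET or the Redis client is missing, because session
// signing and account storage would then fail at the first login.
// Types and function names below are assumptions for this example.

export interface RedisLike {
  get(key: string): Promise<string | null>;
  set(key: string, value: string): Promise<unknown>;
}

export interface AuthEnv {
  MANAGED_AUTH_ENABLED?: string;
  AUTH_SECRET?: string;
}

export interface ManagedAuthDecision {
  enabled: boolean;   // whether managed-account mode is active
  forced: boolean;    // whether the override flag was set
  missing: string[];  // dependencies that are absent
  warnings: string[]; // messages an operator should see at startup
}

// Accept the usual truthy spellings of a boolean environment variable.
export function envFlag(value: string | undefined): boolean {
  if (value === undefined) return false;
  const v = value.trim().toLowerCase();
  return ['1', 'true', 'yes', 'on'].indexOf(v) !== -1;
}

// `getRedisClient` stands in for the project's function of that name; it is
// injected here so the decision can be exercised without a Redis server.
export function resolveManagedAuth(
  env: AuthEnv,
  getRedisClient: () => RedisLike | null,
): ManagedAuthDecision {
  const forced = envFlag(env.MANAGED_AUTH_ENABLED);
  const missing: string[] = [];
  if (!env.AUTH_SECRET) missing.push('AUTH_SECRET');
  if (getRedisClient() === null) missing.push('Redis client');

  // Assumption: without the override, managed mode is detected from the
  // presence of the same two dependencies, so both paths agree here.
  if (missing.length === 0) {
    return { enabled: true, forced, missing, warnings: [] };
  }

  const warnings: string[] = [];
  if (forced) {
    // Fail closed: refuse the override and say why, instead of letting
    // saveManagedAccounts or signSession throw on the first login attempt.
    warnings.push(
      'MANAGED_AUTH_ENABLED is set but required dependencies are not ' +
        `available: ${missing.join(', ')}; managed auth stays disabled.`,
    );
  }
  return { enabled: false, forced, missing, warnings };
}

// Constructed in-memory stand-in for a Redis client, used by the demo below.
export function fakeRedis(): RedisLike {
  const store = new Map<string, string>();
  return {
    get: async (key) => store.get(key) ?? null,
    set: async (key, value) => {
      store.set(key, value);
      return 'OK';
    },
  };
}

// Demo run: override set, secret present, but no Redis client available.
// The warning names the missing dependency up front rather than at login.
const demo = resolveManagedAuth(
  { MANAGED_AUTH_ENABLED: 'true', AUTH_SECRET: 'example-secret' },
  () => null,
);
for (const w of demo.warnings) console.warn(w);
```

Returning a structured result rather than a bare boolean keeps the reviewer's `return false` semantics while giving the caller the list of missing dependencies to log; the `forced` field lets the startup log distinguish a mode that was detected from one that an operator explicitly requested.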
