jim800121chen
22f0837ba8
從 edge-ai-platform POC 轉為正式產品的雲端後端,含以下整合階段:
- Phase 0:雛形骨架 — `cmd/api-server` (REST :3721) + `cmd/remote-proxy`
(tunnel :3800 / internal :3801) 雙 binary 共用 internal/,沿用 POC 的
WebSocket+yamux tunnel 協定但解耦 relay 與 API
- Phase 0.6:OIDC BFF 接 Innovedus Member Center
- internal/oidc package(coreos/go-oidc + PKCE S256 + state + nonce)
- internal/usersession package(HMAC-SHA256 cookie + RotateSessionID
防 session fixation, OWASP ASVS V3.2.1)
- 4 個 OIDC handler(/api/auth/login|callback|me|logout)+ AuthMiddleware
- 完全拔除 StaticAuthProvider,OIDC 是唯一認證路徑
- 9 個 ADR(含 ADR-010 BFF / ADR-011 取代 static auth /
ADR-012 pending session shared cookie / ADR-013 PKCE-only public client)
- Phase 0.7:A1 改造 + security audit 修復
- OIDC ClientSecret 變選填,支援 stage MC 的 public PKCE-only client
(AuthStyleInParams 強制 token endpoint 不送 client_secret)
- 預留 ServiceClient* 欄位給未來 client_credentials grant
- 移除 13+ 處 resolveUserID(uc, StaticUserID) fallback 改 strict mode
(Audit C1:multi-tenant 隔離破口)
- Pairing exchange MarkUsed 失敗 abort + revoke session token(Audit M3)
- 新增 all_endpoints_require_auth_test 整合測試(51 endpoint × 401)
驗證:go test -race -count=3 ./... 17 packages 全綠 / go vet 0 warning
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
132 lines
4.8 KiB
Go
132 lines
4.8 KiB
Go
package config
|
||
|
||
import (
|
||
"os"
|
||
"strconv"
|
||
"strings"
|
||
"time"
|
||
)
|
||
|
||
// Load 從環境變數讀取並組出一個 Config。
|
||
//
|
||
// 所有欄位皆有預設值(雛形便利),因此 Load 不會回傳 error;
|
||
// 未來加入必填欄位時(例如 Phase 1 的 DB URL),應改為回傳 error。
|
||
func Load() *Config {
|
||
return &Config{
|
||
Server: ServerConfig{
|
||
Host: getEnvString("VISIONA_HOST", "0.0.0.0"),
|
||
Port: getEnvInt("VISIONA_API_PORT", 3721),
|
||
TunnelPort: getEnvInt("VISIONA_TUNNEL_PORT", 3800),
|
||
InternalPort: getEnvInt("VISIONA_PROXY_INTERNAL_PORT", 3801),
|
||
RelayPublicURL: getEnvString("VISIONA_RELAY_PUBLIC_URL", ""),
|
||
SeedDemoData: getEnvBool("VISIONA_SEED_DEMO_DATA", false),
|
||
},
|
||
Session: SessionConfig{
|
||
Backend: getEnvString("VISIONA_SESSION_BACKEND", "inmemory"),
|
||
ProxyInternalURL: getEnvString("VISIONA_PROXY_INTERNAL_URL", "http://localhost:3801"),
|
||
},
|
||
Auth: AuthConfig{
|
||
// Phase 0.7 security fix C1:VISIONA_STATIC_USER_ID 僅供 dev seed / unit test 用,
|
||
// stage/prod 留空無影響;不再注入 api.Deps(見 internal/api/api.go Deps 註解)。
|
||
StaticUserID: getEnvString("VISIONA_STATIC_USER_ID", "demo-user"),
|
||
PairingToken: getEnvString("VISIONA_PAIRING_TOKEN", ""),
|
||
SigningSecret: getEnvString("VISIONA_STORAGE_SIGNING_SECRET", "dev-signing-secret-do-not-use-in-prod"),
|
||
},
|
||
OIDC: OIDCConfig{
|
||
IssuerURL: getEnvString("VISIONA_OIDC_ISSUER_URL", ""),
|
||
ClientID: getEnvString("VISIONA_OIDC_CLIENT_ID", ""),
|
||
ClientSecret: getEnvString("VISIONA_OIDC_CLIENT_SECRET", ""),
|
||
RedirectURL: getEnvString("VISIONA_OIDC_REDIRECT_URL", ""),
|
||
PostLoginURL: getEnvString("VISIONA_FRONTEND_URL", ""),
|
||
// A1:client_credentials grant 預留欄位,留空表「不啟用 service client」。
|
||
ServiceClientID: getEnvString("VISIONA_OIDC_SERVICE_CLIENT_ID", ""),
|
||
ServiceClientSecret: getEnvString("VISIONA_OIDC_SERVICE_CLIENT_SECRET", ""),
|
||
},
|
||
UserSession: UserSessionConfig{
|
||
Secret: getEnvString("VISIONA_SESSION_SECRET", ""),
|
||
CookieName: getEnvString("VISIONA_SESSION_COOKIE_NAME", "visiona_session"),
|
||
CookieDomain: getEnvString("VISIONA_SESSION_COOKIE_DOMAIN", ""),
|
||
CookieSecure: getEnvBool("VISIONA_SESSION_COOKIE_SECURE", false),
|
||
AbsoluteTTL: getEnvDuration("VISIONA_SESSION_ABSOLUTE_TTL", 168*time.Hour),
|
||
IdleTTL: getEnvDuration("VISIONA_SESSION_IDLE_TTL", 24*time.Hour),
|
||
},
|
||
Storage: StorageConfig{
|
||
Backend: getEnvString("VISIONA_STORAGE_BACKEND", "localfs"),
|
||
RootDir: getEnvString("VISIONA_STORAGE_LOCALFS_ROOT", "./data/storage"),
|
||
BaseURL: getEnvString("VISIONA_STORAGE_LOCALFS_BASE_URL", "http://localhost:3721/storage"),
|
||
},
|
||
Model: ModelConfig{
|
||
MaxSizeMB: getEnvInt("VISIONA_MODEL_MAX_SIZE_MB", 100),
|
||
},
|
||
Tunnel: TunnelConfig{
|
||
HeartbeatInterval: getEnvDuration("VISIONA_TUNNEL_HEARTBEAT_INTERVAL", 10*time.Second),
|
||
IdleTimeout: getEnvDuration("VISIONA_TUNNEL_IDLE_TIMEOUT", 30*time.Second),
|
||
},
|
||
Logger: LoggerConfig{
|
||
Level: getEnvString("VISIONA_LOG_LEVEL", "info"),
|
||
},
|
||
CORS: CORSConfig{
|
||
AllowedOrigins: getEnvStringSlice("VISIONA_CORS_ALLOWED_ORIGINS", nil),
|
||
},
|
||
}
|
||
}
|
||
|
||
// getEnvStringSlice 從環境變數取逗號分隔字串,拆成 slice。
|
||
// 每段都會 TrimSpace;空段會被過濾。若環境變數未設定或為空,回傳 fallback。
|
||
func getEnvStringSlice(key string, fallback []string) []string {
|
||
v, ok := os.LookupEnv(key)
|
||
if !ok || v == "" {
|
||
return fallback
|
||
}
|
||
parts := strings.Split(v, ",")
|
||
result := make([]string, 0, len(parts))
|
||
for _, p := range parts {
|
||
if trimmed := strings.TrimSpace(p); trimmed != "" {
|
||
result = append(result, trimmed)
|
||
}
|
||
}
|
||
if len(result) == 0 {
|
||
return fallback
|
||
}
|
||
return result
|
||
}
|
||
|
||
// getEnvString 從環境變數取字串,不存在或為空則回傳預設值。
|
||
func getEnvString(key, fallback string) string {
|
||
if v, ok := os.LookupEnv(key); ok && v != "" {
|
||
return v
|
||
}
|
||
return fallback
|
||
}
|
||
|
||
// getEnvInt 從環境變數取整數,若無法解析則回傳預設值。
|
||
func getEnvInt(key string, fallback int) int {
|
||
if v, ok := os.LookupEnv(key); ok && v != "" {
|
||
if n, err := strconv.Atoi(v); err == nil {
|
||
return n
|
||
}
|
||
}
|
||
return fallback
|
||
}
|
||
|
||
// getEnvDuration 從環境變數取 time.Duration(支援 "10s"、"1m" 等格式)。
|
||
func getEnvDuration(key string, fallback time.Duration) time.Duration {
|
||
if v, ok := os.LookupEnv(key); ok && v != "" {
|
||
if d, err := time.ParseDuration(v); err == nil {
|
||
return d
|
||
}
|
||
}
|
||
return fallback
|
||
}
|
||
|
||
// getEnvBool 從環境變數取布林值(接受 "true"/"false"/"1"/"0",大小寫不敏感)。
|
||
// 解析失敗或未設定回傳 fallback。
|
||
func getEnvBool(key string, fallback bool) bool {
|
||
if v, ok := os.LookupEnv(key); ok && v != "" {
|
||
if b, err := strconv.ParseBool(v); err == nil {
|
||
return b
|
||
}
|
||
}
|
||
return fallback
|
||
}
|