wangzhuoxuan/duoqi-api
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: 添加 JWT_SECRET 和 ADMIN_TOKEN 生成方式说明

Browse Source 
在环境变量模板和部署文档中添加了密钥生成的安全实践说明,
包括 openssl 和 Node.js 两种生成方式,以及相关的安全提示。
This commit is contained in:
Wang Zhuoxuan 2026-04-16 16:02:01 +08:00
parent e893755340
commit 3623ad04b6
3 changed files with 29 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.env.example
View File

@ -2,11 +2,14 @@
DATABASE_URL=mysql://root:password@localhost:3306/duoqi DATABASE_URL=mysql://root:password@localhost:3306/duoqi
# JWT # JWT
# 生成安全密钥: openssl rand -base64 32
# 或: node -e "console.log(require('crypto').randomBytes(32).toString('base64'))"
JWT_SECRET=change-me-to-a-secure-secret JWT_SECRET=change-me-to-a-secure-secret
JWT_EXPIRES_IN=1h JWT_EXPIRES_IN=1h
JWT_REFRESH_EXPIRES_IN=30d JWT_REFRESH_EXPIRES_IN=30d
# Admin # Admin
# 生成方式同 JWT_SECRET建议与生产环境使用不同的值
ADMIN_TOKEN=change-me-admin-token ADMIN_TOKEN=change-me-admin-token
# Huawei ID Kit (Phase 1b) # Huawei ID Kit (Phase 1b)

3
.env.prod.example
View File

@ -5,11 +5,14 @@
DATABASE_URL=mysql://duoqi_prod:prod-password@your-rds-endpoint:3306/duoqi_prod DATABASE_URL=mysql://duoqi_prod:prod-password@your-rds-endpoint:3306/duoqi_prod
# JWT # JWT
# 生成安全密钥: openssl rand -base64 32
# 密钥长度必须 >= 32 字符
JWT_SECRET=prod-super-secret-jwt-key-change-this JWT_SECRET=prod-super-secret-jwt-key-change-this
JWT_EXPIRES_IN=1h JWT_EXPIRES_IN=1h
JWT_REFRESH_EXPIRES_IN=30d JWT_REFRESH_EXPIRES_IN=30d
# Admin # Admin
# 生成方式同 JWT_SECRET生产环境必须使用强密钥
ADMIN_TOKEN=prod-admin-token-change-this ADMIN_TOKEN=prod-admin-token-change-this
# Huawei ID Kit # Huawei ID Kit

27
docs/ci-deployment-guide.md
View File

@ -344,14 +344,33 @@ FLUSH PRIVILEGES;
#### 环境配置文件 #### 环境配置文件
**密钥生成**(在配置环境变量之前):
```bash
# 生成 JWT_SECRET用于签名和验证用户 JWT
openssl rand -base64 32
# 生成 ADMIN_TOKEN管理后台认证令牌
openssl rand -base64 32
# 或使用 Node.js 生成:
node -e "console.log(require('crypto').randomBytes(32).toString('base64'))"
```
> **安全提示**
> - `JWT_SECRET` 必须至少 32 字符(代码中有强制校验)
> - 生产环境和测试环境必须使用不同的密钥
> - 密钥生成后应妥善保管,不要提交到 Git 仓库
> - 可在任意服务器生成,关键是通过安全渠道传输到目标环境
**生产环境** `/opt/duoqi-api/.env.prod` **生产环境** `/opt/duoqi-api/.env.prod`
```env ```env
DATABASE_URL=mysql://duoqi_prod:prod-password@your-rds-endpoint:3306/duoqi_prod DATABASE_URL=mysql://duoqi_prod:prod-password@your-rds-endpoint:3306/duoqi_prod
JWT_SECRET=prod-super-secret-jwt-key JWT_SECRET=prod-super-secret-jwt-key # 替换为生成的密钥
JWT_EXPIRES_IN=1h JWT_EXPIRES_IN=1h
JWT_REFRESH_EXPIRES_IN=30d JWT_REFRESH_EXPIRES_IN=30d
ADMIN_TOKEN=prod-admin-token ADMIN_TOKEN=prod-admin-token # 替换为生成的密钥
PORT=3000 PORT=3000
NODE_ENV=production NODE_ENV=production
LOG_LEVEL=warn LOG_LEVEL=warn
@ -362,10 +381,10 @@ LOG_LEVEL=warn
```env ```env
DATABASE_URL=mysql://duoqi_test:test-password@your-rds-endpoint:3306/duoqi_test DATABASE_URL=mysql://duoqi_test:test-password@your-rds-endpoint:3306/duoqi_test
JWT_SECRET=test-secret-key JWT_SECRET=test-secret-key # 与生产环境不同
JWT_EXPIRES_IN=1h JWT_EXPIRES_IN=1h
JWT_REFRESH_EXPIRES_IN=30d JWT_REFRESH_EXPIRES_IN=30d
ADMIN_TOKEN=test-admin-token ADMIN_TOKEN=test-admin-token # 与生产环境不同
PORT=3001 PORT=3001
NODE_ENV=test NODE_ENV=test
LOG_LEVEL=debug LOG_LEVEL=debug