laoxong/nofx
1
0
Fork 0
mirror of https://github.com/laoxong/nofx.git synced 2026-06-04 09:58:22 +08:00
Code Issues Packages Projects Releases Wiki Activity

Feat: Enable admin password in admin mode (#540)

Browse Source 
* WIP: save local changes before merging
* Enable admin password in admin mode #374
This commit is contained in:
Burt
2025-11-05 21:48:28 +08:00
committed by GitHub
parent 96ed2c6ea7
commit 8b853a963d
13 changed files with 421 additions and 91 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.env.example
+3
View File
@@ -11,3 +11,6 @@ NOFX_FRONTEND_PORT=3000
# Timezone Setting
# System timezone for container time synchronization
NOFX_TIMEZONE=Asia/Shanghai
# Admin password when admin_mode=true
NOFX_ADMIN_PASSWORD=YOUR_PASS
README.md
+44
View File
@@ -29,6 +29,7 @@
- [🧠 AI Self-Learning](#-ai-self-learning-example)
- [📊 Web Interface Features](#-web-interface-features)
- [🎛️ API Endpoints](#-api-endpoints)
- [🔐 Admin Mode (Single-User)](#-admin-mode-single-user)
- [⚠️ Important Risk Warnings](#-important-risk-warnings)
- [🛠️ Common Issues](#-common-issues)
- [📈 Performance Tips](#-performance-optimization-tips)
@@ -242,6 +243,49 @@ NOFX is built with a modern, modular architecture:
---
## 🔐 Admin Mode (Single-User)
For self-hosted or single-tenant setups, NOFX supports a strict admin-only mode that disables public features and requires an admin password for all access.
### How it works
- All API endpoints require a valid JWT when `admin_mode=true`, except:
- `GET /api/health`
- `GET /api/config`
- `POST /api/admin-login`
- Registration is gated by `allow_registration` in `config.json` (default: `true`). When `admin_mode=true`, registration is blocked regardless of this flag.
- Logout invalidates the current token via an in-memory blacklist (sufficient for single instance; use Redis for multi-instance see Notes).
### Quick setup
1) Set flags in `config.json`:
```jsonc
{
// ... other config
"admin_mode": true,
"jwt_secret": "YOUR_JWT_SCR"
}
```
2) Provide required environment variables:
- `NOFX_ADMIN_PASSWORD` — plaintext admin password (only used at startup to derive a bcrypt hash)
Docker Compose example (already wired):
```yaml
services:
nofx:
environment:
- NOFX_ADMIN_PASSWORD=${NOFX_ADMIN_PASSWORD}
```
1) Login flow (admin mode):
- Open the web UI → youll be redirected to the login page
- Enter admin password → the server returns a JWT
- The UI stores the token and authenticates subsequent API calls
### Notes
- Token lifetime: 24h. On logout, tokens are blacklisted in-memory until expiry. For multi-instance deployments, use a shared store (e.g., Redis) to sync the blacklist.
---
## 💰 Register Binance Account (Save on Fees!)
Before using this system, you need a Binance Futures account. **Use our referral link to save on trading fees:**
api/server.go
+95 -11
View File
@@ -74,20 +74,27 @@ func (s *Server) setupRoutes() {
// 健康检查
api.Any("/health", s.handleHealth)
// 管理员登录(管理员模式下使用,公共)
api.POST("/admin-login", s.handleAdminLogin)
// 非管理员模式下的公开认证路由
if !auth.IsAdminMode() {
// 认证相关路由(无需认证)
api.POST("/register", s.handleRegister)
api.POST("/login", s.handleLogin)
api.POST("/verify-otp", s.handleVerifyOTP)
api.POST("/complete-registration", s.handleCompleteRegistration)
api.POST("/reset-password", s.handleResetPassword)
// 系统支持的模型和交易所(无需认证)
api.GET("/supported-models", s.handleGetSupportedModels)
api.GET("/supported-exchanges", s.handleGetSupportedExchanges)
}
// 系统配置(无需认证)
// 系统配置(无需认证,用于前端判断是否管理员模式/注册是否开启
api.GET("/config", s.handleGetSystemConfig)
// 系统提示词模板管理(仅在非管理员模式下公开)
if !auth.IsAdminMode() {
// 系统提示词模板管理(无需认证)
api.GET("/prompt-templates", s.handleGetPromptTemplates)
api.GET("/prompt-templates/:name", s.handleGetPromptTemplate)
@@ -99,10 +106,14 @@ func (s *Server) setupRoutes() {
api.GET("/equity-history", s.handleEquityHistory)
api.POST("/equity-history-batch", s.handleEquityHistoryBatch)
api.GET("/traders/:id/public-config", s.handleGetPublicTraderConfig)
}
// 需要认证的路由
protected := api.Group("/", s.authMiddleware())
{
// 注销(加入黑名单)
protected.POST("/logout", s.handleLogout)
// 服务器IP查询(需要认证,用于白名单配置)
protected.GET("/server-ip", s.handleGetServerIP)
@@ -1460,14 +1471,6 @@ func (s *Server) handlePerformance(c *gin.Context) {
// authMiddleware JWT认证中间件
func (s *Server) authMiddleware() gin.HandlerFunc {
return func(c *gin.Context) {
// 如果是管理员模式,直接使用admin用户
if auth.IsAdminMode() {
c.Set("user_id", "admin")
c.Set("email", "admin@localhost")
c.Next()
return
}
authHeader := c.GetHeader("Authorization")
if authHeader == "" {
c.JSON(http.StatusUnauthorized, gin.H{"error": "缺少Authorization头"})
@@ -1483,8 +1486,18 @@ func (s *Server) authMiddleware() gin.HandlerFunc {
return
}
tokenString := tokenParts[1]
// 黑名单检查
if auth.IsTokenBlacklisted(tokenString) {
c.JSON(http.StatusUnauthorized, gin.H{"error": "token已失效,请重新登录"})
c.Abort()
return
}
// 验证JWT token
claims, err := auth.ValidateJWT(tokenParts[1])
claims, err := auth.ValidateJWT(tokenString)
if err != nil {
c.JSON(http.StatusUnauthorized, gin.H{"error": "无效的token: " + err.Error()})
c.Abort()
@@ -1498,8 +1511,79 @@ func (s *Server) authMiddleware() gin.HandlerFunc {
}
}
// handleAdminLogin 管理员登录(密码仅来自环境变量)
func (s *Server) handleAdminLogin(c *gin.Context) {
if !auth.IsAdminMode() {
c.JSON(http.StatusForbidden, gin.H{"error": "仅管理员模式可用"})
return
}
// 简单的IP速率限制(5次/分钟 + 递增退避)
// 为简化,此处省略复杂实现,可在后续使用中间件或Redis增强
var req struct {
Password string `json:"password"`
}
if err := c.ShouldBindJSON(&req); err != nil || strings.TrimSpace(req.Password) == "" {
c.JSON(http.StatusBadRequest, gin.H{"error": "缺少密码"})
return
}
if !auth.CheckAdminPassword(req.Password) {
c.JSON(http.StatusUnauthorized, gin.H{"error": "密码错误"})
return
}
token, err := auth.GenerateJWT("admin", "admin@localhost")
if err != nil {
c.JSON(http.StatusInternalServerError, gin.H{"error": "生成token失败"})
return
}
c.JSON(http.StatusOK, gin.H{"token": token, "user_id": "admin", "email": "admin@localhost"})
}
// handleLogout 将当前token加入黑名单
func (s *Server) handleLogout(c *gin.Context) {
authHeader := c.GetHeader("Authorization")
if authHeader == "" {
c.JSON(http.StatusUnauthorized, gin.H{"error": "缺少Authorization头"})
return
}
parts := strings.Split(authHeader, " ")
if len(parts) != 2 || parts[0] != "Bearer" {
c.JSON(http.StatusUnauthorized, gin.H{"error": "无效的Authorization格式"})
return
}
tokenString := parts[1]
claims, err := auth.ValidateJWT(tokenString)
if err != nil {
c.JSON(http.StatusUnauthorized, gin.H{"error": "无效的token"})
return
}
var exp time.Time
if claims.ExpiresAt != nil {
exp = claims.ExpiresAt.Time
} else {
exp = time.Now().Add(24 * time.Hour)
}
auth.BlacklistToken(tokenString, exp)
c.JSON(http.StatusOK, gin.H{"message": "已登出"})
}
// handleRegister 处理用户注册请求
func (s *Server) handleRegister(c *gin.Context) {
// 管理员模式下禁用注册
if auth.IsAdminMode() {
c.JSON(http.StatusForbidden, gin.H{"error": "管理员模式下禁用注册"})
return
}
// 若未开启注册,返回403
allowRegStr, _ := s.database.GetSystemConfig("allow_registration")
if allowRegStr == "false" {
c.JSON(http.StatusForbidden, gin.H{"error": "注册已关闭"})
return
}
var req struct {
Email string `json:"email" binding:"required,email"`
Password string `json:"password" binding:"required,min=6"`
auth/auth.go
+67
View File
@@ -3,6 +3,8 @@ package auth
import (
"crypto/rand"
"fmt"
"log"
"sync"
"time"
"github.com/golang-jwt/jwt/v5"
@@ -17,6 +19,18 @@ var JWTSecret []byte
// AdminMode 管理员模式标志
var AdminMode bool = false
// adminPasswordHash 管理员密码哈希(仅内存)
var adminPasswordHash string
// tokenBlacklist 用于登出后的token黑名单(仅内存,按过期时间清理)
var tokenBlacklist = struct {
sync.RWMutex
items map[string]time.Time
}{items: make(map[string]time.Time)}
// maxBlacklistEntries 黑名单最大容量阈值
const maxBlacklistEntries = 100_000
// OTPIssuer OTP发行者名称
const OTPIssuer = "nofxAI"
@@ -35,6 +49,59 @@ func IsAdminMode() bool {
return AdminMode
}
// SetAdminPasswordFromPlain 通过明文设置管理员密码(会使用bcrypt哈希,成本12)
func SetAdminPasswordFromPlain(plain string) error {
bytes, err := bcrypt.GenerateFromPassword([]byte(plain), 12)
if err != nil {
return err
}
adminPasswordHash = string(bytes)
return nil
}
// CheckAdminPassword 校验管理员密码
func CheckAdminPassword(plain string) bool {
if adminPasswordHash == "" {
return false
}
return bcrypt.CompareHashAndPassword([]byte(adminPasswordHash), []byte(plain)) == nil
}
// BlacklistToken 将token加入黑名单直到过期
func BlacklistToken(token string, exp time.Time) {
tokenBlacklist.Lock()
defer tokenBlacklist.Unlock()
tokenBlacklist.items[token] = exp
// 如果超过容量阈值,则进行一次过期清理;若仍超限,记录警告日志
if len(tokenBlacklist.items) > maxBlacklistEntries {
now := time.Now()
for t, e := range tokenBlacklist.items {
if now.After(e) {
delete(tokenBlacklist.items, t)
}
}
if len(tokenBlacklist.items) > maxBlacklistEntries {
log.Printf("auth: token blacklist size (%d) exceeds limit (%d) after sweep; consider reducing JWT TTL or using a shared persistent store",
len(tokenBlacklist.items), maxBlacklistEntries)
}
}
}
// IsTokenBlacklisted 检查token是否在黑名单中(过期自动清理)
func IsTokenBlacklisted(token string) bool {
tokenBlacklist.Lock()
defer tokenBlacklist.Unlock()
if exp, ok := tokenBlacklist.items[token]; ok {
if time.Now().After(exp) {
delete(tokenBlacklist.items, token)
return false
}
return true
}
return false
}
// Claims JWT声明
type Claims struct {
UserID string `json:"user_id"`
docker-compose.yml
+1
View File
@@ -18,6 +18,7 @@ services:
environment:
- TZ=${NOFX_TIMEZONE:-Asia/Shanghai} # Set timezone
- AI_MAX_TOKENS=4000 # AI响应的最大token数(默认2000,建议4000-8000
- NOFX_ADMIN_PASSWORD=${NOFX_ADMIN_PASSWORD} # Admin password when admin_mode=true
networks:
- nofx-network
healthcheck:
docs/getting-started/README.md
+17
View File
@@ -90,6 +90,23 @@ After deployment:
3. **Create Traders** → Combine AI models with exchanges
4. **Start Trading** → Monitor performance in dashboard
### 🔐 Optional: Enable Admin Mode (Single-User)
For single-tenant/self-hosted usage, you can enable strict admin-only access:
1) In `config.json` set the 2 fields below:
```jsonc
{
"admin_mode": true,
...
"jwt_secret": "YOUR_JWT_SCR"
}
```
2) Set environment variables (Docker compose already wired):
- `NOFX_ADMIN_PASSWORD` — admin password (plaintext; hashed on startup)
3) Login at `/login` using the admin password. All non-essential endpoints are blocked to unauthenticated users while admin mode is enabled.
---
## ⚠️ Important Notes
go.mod
+1 -1
View File
@@ -10,6 +10,7 @@ require (
github.com/golang-jwt/jwt/v5 v5.2.0
github.com/google/uuid v1.6.0
github.com/gorilla/websocket v1.5.3
github.com/joho/godotenv v1.5.1
github.com/pquerna/otp v1.4.0
github.com/sirupsen/logrus v1.9.3
github.com/sonirico/go-hyperliquid v0.17.0
@@ -42,7 +43,6 @@ require (
github.com/goccy/go-json v0.10.4 // indirect
github.com/goccy/go-yaml v1.18.0 // indirect
github.com/holiman/uint256 v1.3.2 // indirect
github.com/joho/godotenv v1.5.1 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/jpillora/backoff v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
main.go
+15 -6
View File
@@ -15,6 +15,8 @@ import (
"strconv"
"strings"
"syscall"
"github.com/joho/godotenv"
)
// LeverageConfig 杠杆配置
@@ -160,6 +162,10 @@ func main() {
fmt.Println("╚════════════════════════════════════════════════════════════╝")
fmt.Println()
// Load environment variables from .env file if present (for local/dev runs)
// In Docker Compose, variables are injected by the runtime and this is harmless.
_ = godotenv.Load()
// 初始化数据库配置
dbPath := "config.db"
if len(os.Args) > 1 {
@@ -206,17 +212,20 @@ func main() {
}
auth.SetJWTSecret(jwtSecret)
// 管理员模式下,确保admin用户存在
// 管理员模式下需要管理员密码,缺失则退出
if adminMode {
err := database.EnsureAdminUser()
if err != nil {
log.Printf("⚠️ 创建admin用户失败: %v", err)
} else {
log.Printf("✓ 管理员模式已启用,无需登录")
adminPassword := os.Getenv("NOFX_ADMIN_PASSWORD")
if adminPassword == "" {
log.Fatalf("Admin mode is enabled but NOFX_ADMIN_PASSWORD is missing. Set NOFX_ADMIN_PASSWORD and restart.")
}
if err := auth.SetAdminPasswordFromPlain(adminPassword); err != nil {
log.Fatalf("Failed to set admin password: %v", err)
}
auth.SetAdminMode(true)
log.Printf("✓ Admin mode enabled. All API endpoints require admin authentication.")
}
log.Printf("✓ 配置数据库初始化成功")
fmt.Println()
web/src/App.tsx
+11 -2
View File
@@ -229,6 +229,10 @@ function App() {
return <LoginPage />
}
if (route === '/register') {
if (systemConfig?.admin_mode) {
window.history.pushState({}, '', '/login');
return <LoginPage />;
}
return <RegisterPage />
}
if (route === '/reset-password') {
@@ -286,10 +290,15 @@ function App() {
// Show landing page for root route
if (route === '/' || route === '') {
return <LandingPage />
return <LandingPage isAdminMode={systemConfig?.admin_mode} />;
}
// Show main app for authenticated users on other routes
// In admin mode, require authentication for any protected routes
if (systemConfig?.admin_mode && (!user || !token)) {
return <LoginPage />;
}
// Show main app for authenticated users on other routes (non-admin mode)
if (!systemConfig?.admin_mode && (!user || !token)) {
// Default to landing page when not authenticated and no specific route
return <LandingPage />
web/src/components/LoginPage.tsx
+62 -3
View File
@@ -1,12 +1,13 @@
import React, { useState } from 'react'
import React, { useEffect, useState } from 'react';
import { useAuth } from '../contexts/AuthContext'
import { useLanguage } from '../contexts/LanguageContext'
import { t } from '../i18n/translations'
import HeaderBar from './landing/HeaderBar'
import { getSystemConfig } from '../lib/config';
export function LoginPage() {
const { language } = useLanguage()
const { login, verifyOTP } = useAuth()
const { login, loginAdmin, verifyOTP } = useAuth()
const [step, setStep] = useState<'login' | 'otp'>('login')
const [email, setEmail] = useState('')
const [password, setPassword] = useState('')
@@ -14,6 +15,30 @@ export function LoginPage() {
const [userID, setUserID] = useState('')
const [error, setError] = useState('')
const [loading, setLoading] = useState(false)
const [adminPassword, setAdminPassword] = useState('');
const [adminMode, setAdminMode] = useState<boolean | null>(null);
useEffect(() => {
getSystemConfig()
.then((cfg) => {
setAdminMode(!!cfg.admin_mode);
})
.catch(() => {
setAdminMode(false);
});
}, []);
const handleAdminLogin = async (e: React.FormEvent) => {
e.preventDefault();
setError('');
setLoading(true);
const result = await loginAdmin(adminPassword);
if (!result.success) {
setError(result.message || t('loginFailed', language));
}
setLoading(false);
};
const handleLogin = async (e: React.FormEvent) => {
e.preventDefault()
@@ -102,7 +127,39 @@ export function LoginPage() {
border: '1px solid var(--panel-border)',
}}
>
{step === 'login' ? (
{adminMode ? (
<form onSubmit={handleAdminLogin} className="space-y-4">
<div>
<label className="block text-sm font-semibold mb-2" style={{ color: 'var(--brand-light-gray)' }}>
</label>
<input
type="password"
value={adminPassword}
onChange={(e) => setAdminPassword(e.target.value)}
className="w-full px-3 py-2 rounded"
style={{ background: 'var(--brand-black)', border: '1px solid var(--panel-border)', color: 'var(--brand-light-gray)' }}
placeholder="请输入管理员密码"
required
/>
</div>
{error && (
<div className="text-sm px-3 py-2 rounded" style={{ background: 'var(--binance-red-bg)', color: 'var(--binance-red)' }}>
{error}
</div>
)}
<button
type="submit"
disabled={loading}
className="w-full px-4 py-2 rounded text-sm font-semibold transition-all hover:scale-105 disabled:opacity-50"
style={{ background: 'var(--brand-yellow)', color: 'var(--brand-black)' }}
>
{loading ? t('loading', language) : '登录'}
</button>
</form>
) : step === 'login' ? (
<form onSubmit={handleLogin} className="space-y-4">
<div>
<label
@@ -263,6 +320,7 @@ export function LoginPage() {
</div>
{/* Register Link */}
{!adminMode && (
<div className="text-center mt-6">
<p className="text-sm" style={{ color: 'var(--text-secondary)' }}>
{' '}
@@ -278,6 +336,7 @@ export function LoginPage() {
</button>
</p>
</div>
)}
</div>
</div>
</div>
web/src/components/landing/HeaderBar.tsx
+8 -6
View File
@@ -394,16 +394,16 @@ export default function HeaderBar({
>
{t('signIn', language)}
</a>
{!isAdminMode && (
<a
href="/register"
className="px-4 py-2 rounded font-semibold text-sm transition-colors hover:opacity-90"
style={{
background: 'var(--brand-yellow)',
color: 'var(--brand-black)',
}}
href='/register'
className='px-4 py-2 rounded font-semibold text-sm transition-colors hover:opacity-90'
style={{ background: 'var(--brand-yellow)', color: 'var(--brand-black)' }}
>
{t('signUp', language)}
</a>
)}
</div>
)
)}
@@ -797,6 +797,7 @@ export default function HeaderBar({
>
{t('signIn', language)}
</a>
{!isAdminMode && (
<a
href="/register"
className="block w-full px-4 py-2 rounded font-semibold text-sm text-center transition-colors"
@@ -808,6 +809,7 @@ export default function HeaderBar({
>
{t('signUp', language)}
</a>
)}
</div>
)}
</div>
web/src/contexts/AuthContext.tsx
+47 -13
View File
@@ -18,6 +18,12 @@ interface AuthContextType {
userID?: string
requiresOTP?: boolean
}>
loginAdmin: (
password: string
) => Promise<{
success: boolean;
message?: string
}>;
register: (
email: string,
password: string,
@@ -56,21 +62,15 @@ export function AuthProvider({ children }: { children: React.ReactNode }) {
useEffect(() => {
// 先检查是否为管理员模式(使用带缓存的系统配置获取)
getSystemConfig()
.then((data) => {
if (data.admin_mode) {
// 管理员模式下,模拟admin用户
setUser({ id: 'admin', email: 'admin@localhost' })
setToken('admin-mode')
} else {
// 非管理员模式,检查本地存储中是否有token
const savedToken = localStorage.getItem('auth_token')
const savedUser = localStorage.getItem('auth_user')
.then(() => {
// 不再在管理员模式下模拟登录;统一检查本地存储
const savedToken = localStorage.getItem('auth_token');
const savedUser = localStorage.getItem('auth_user');
if (savedToken && savedUser) {
setToken(savedToken)
setUser(JSON.parse(savedUser))
}
setToken(savedToken);
setUser(JSON.parse(savedUser));
}
setIsLoading(false)
})
.catch((err) => {
@@ -118,6 +118,32 @@ export function AuthProvider({ children }: { children: React.ReactNode }) {
return { success: false, message: '未知错误' }
}
const loginAdmin = async (password: string) => {
try {
const response = await fetch('/api/admin-login', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ password }),
});
const data = await response.json();
if (response.ok) {
const userInfo = { id: data.user_id || 'admin', email: data.email || 'admin@localhost' };
setToken(data.token);
setUser(userInfo);
localStorage.setItem('auth_token', data.token);
localStorage.setItem('auth_user', JSON.stringify(userInfo));
// 跳转到仪表盘
window.history.pushState({}, '', '/dashboard');
window.dispatchEvent(new PopStateEvent('popstate'));
return { success: true };
} else {
return { success: false, message: data.error || '登录失败' };
}
} catch (e) {
return { success: false, message: '登录失败,请重试' };
}
};
const register = async (
email: string,
password: string,
@@ -256,6 +282,13 @@ export function AuthProvider({ children }: { children: React.ReactNode }) {
}
const logout = () => {
const savedToken = localStorage.getItem('auth_token');
if (savedToken) {
fetch('/api/logout', {
method: 'POST',
headers: { 'Authorization': `Bearer ${savedToken}` },
}).catch(() => {/* ignore network errors on logout */});
}
setUser(null)
setToken(null)
localStorage.removeItem('auth_token')
@@ -268,6 +301,7 @@ export function AuthProvider({ children }: { children: React.ReactNode }) {
user,
token,
login,
loginAdmin,
register,
verifyOTP,
completeRegistration,
web/src/pages/LandingPage.tsx
+2 -1
View File
@@ -14,7 +14,7 @@ import { useAuth } from '../contexts/AuthContext'
import { useLanguage } from '../contexts/LanguageContext'
import { t } from '../i18n/translations'
export function LandingPage() {
export function LandingPage({ isAdminMode = false }: { isAdminMode?: boolean }) {
const [showLoginModal, setShowLoginModal] = useState(false)
const { user, logout } = useAuth()
const { language, setLanguage } = useLanguage()
@@ -31,6 +31,7 @@ export function LandingPage() {
onLanguageChange={setLanguage}
user={user}
onLogout={logout}
isAdminMode={isAdminMode}
onPageChange={(page) => {
console.log('LandingPage onPageChange called with:', page)
if (page === 'competition') {