refactor: optimize middleware with pure ASGI implementation and enhance security measures

- Replace BaseHTTPMiddleware with pure ASGI implementation in plugin middleware for better streaming response handling
- Add trusted proxy count configuration for client IP extraction in reverse proxy environments
- Implement audit log cleanup scheduler with configurable retention period
- Replace plaintext token logging with SHA256 hash fingerprints for security
- Fix database session lifecycle management in middleware
- Improve request tracing and error logging throughout the system
- Add comprehensive tests for pipeline architecture

src/services/auth/jwt_blacklist.py

@@ -63,14 +63,16 @@ class JWTBlacklistService:
 
             if ttl_seconds <= 0:
                 # Token 已经过期，不需要加入黑名单
-                logger.debug(f"Token 已过期，无需加入黑名单: {token[:10]}...")
+                token_fp = JWTBlacklistService._get_token_hash(token)[:12]
+                logger.debug("Token 已过期，无需加入黑名单: token_fp={}", token_fp)
                 return True
 
             # 存储到 Redis，设置 TTL 为 Token 过期时间
             # 值存储为原因字符串
             await redis_client.setex(redis_key, ttl_seconds, reason)
 
-            logger.info(f"Token 已加入黑名单: {token[:10]}... (原因: {reason}, TTL: {ttl_seconds}s)")
+            token_fp = JWTBlacklistService._get_token_hash(token)[:12]
+            logger.info("Token 已加入黑名单: token_fp={} (原因: {}, TTL: {}s)", token_fp, reason, ttl_seconds)
             return True
 
         except Exception as e:
@@ -109,7 +111,8 @@ class JWTBlacklistService:
             if exists:
                 # 获取黑名单原因（可选）
                 reason = await redis_client.get(redis_key)
-                logger.warning(f"检测到黑名单 Token: {token[:10]}... (原因: {reason})")
+                token_fp = JWTBlacklistService._get_token_hash(token)[:12]
+                logger.warning("检测到黑名单 Token: token_fp={} (原因: {})", token_fp, reason)
                 return True
 
             return False
@@ -148,9 +151,11 @@ class JWTBlacklistService:
             deleted = await redis_client.delete(redis_key)
 
             if deleted:
-                logger.info(f"Token 已从黑名单移除: {token[:10]}...")
+                token_fp = JWTBlacklistService._get_token_hash(token)[:12]
+                logger.info("Token 已从黑名单移除: token_fp={}", token_fp)
             else:
-                logger.debug(f"Token 不在黑名单中: {token[:10]}...")
+                token_fp = JWTBlacklistService._get_token_hash(token)[:12]
+                logger.debug("Token 不在黑名单中: token_fp={}", token_fp)
 
             return bool(deleted)
 

src/services/auth/service.py

@@ -3,6 +3,7 @@
 """
 
 import os
+import hashlib
 import secrets
 from datetime import datetime, timedelta, timezone
 from typing import Any, Dict, Optional
@@ -169,7 +170,8 @@ class AuthService:
         key_record.last_used_at = datetime.now(timezone.utc)
         db.commit()  # 立即提交事务,释放数据库锁,避免阻塞后续请求
 
-        logger.debug(f"API认证成功: 用户 {user.email} (Key: {api_key[:10]}...)")
+        api_key_fp = hashlib.sha256(api_key.encode()).hexdigest()[:12]
+        logger.debug("API认证成功: 用户 {} (api_key_fp={})", user.email, api_key_fp)
         return user, key_record
 
     @staticmethod