refactor: optimize middleware with pure ASGI implementation and enhance security measures

- Replace BaseHTTPMiddleware with pure ASGI implementation in plugin middleware for better streaming response handling - Add trusted proxy count configuration for client IP extraction in reverse proxy environments - Implement audit log cleanup scheduler with configurable retention period - Replace plaintext token logging with SHA256 hash fingerprints for security - Fix database session lifecycle management in middleware - Improve request tracing and error logging throughout the system - Add comprehensive tests for pipeline architecture
2026-01-03 00:02:28 +08:00 · 2025-12-18 19:07:20 +08:00
parent c7b971cfe7
commit 7b932d7afb
24 changed files with 497 additions and 219 deletions
--- a/src/utils/auth_utils.py
+++ b/src/utils/auth_utils.py
@@ -3,6 +3,7 @@
 提供统一的用户认证和授权功能
 """

+import hashlib
 from typing import Optional

 from fastapi import Depends, Header, HTTPException, status
@@ -44,10 +45,17 @@ async def get_current_user(
            payload = await AuthService.verify_token(token, token_type="access")
        except HTTPException as token_error:
            # 保持原始的HTTP状态码（如401 Unauthorized），不要转换为403
-            logger.error(f"Token验证失败: {token_error.status_code}: {token_error.detail}, Token前10位: {token[:10]}...")
+            token_fp = hashlib.sha256(token.encode()).hexdigest()[:12]
+            logger.error(
+                "Token验证失败: {}: {}, token_fp={}",
+                token_error.status_code,
+                token_error.detail,
+                token_fp,
+            )
            raise  # 重新抛出原始异常，保持状态码
        except Exception as token_error:
-            logger.error(f"Token验证失败: {token_error}, Token前10位: {token[:10]}...")
+            token_fp = hashlib.sha256(token.encode()).hexdigest()[:12]
+            logger.error("Token验证失败: {}, token_fp={}", token_error, token_fp)
            raise ForbiddenException("无效的Token")

        user_id = payload.get("user_id")
@@ -63,7 +71,8 @@ async def get_current_user(
            raise ForbiddenException("无效的认证凭据")

        # 仅在DEBUG模式下记录详细信息
-        logger.debug(f"尝试获取用户: user_id={user_id}, token前10位: {token[:10]}...")
+        token_fp = hashlib.sha256(token.encode()).hexdigest()[:12]
+        logger.debug("尝试获取用户: user_id={}, token_fp={}", user_id, token_fp)

        # 确保user_id是字符串格式（UUID）
        if not isinstance(user_id, str):