hankin/crm_project
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

v0.1.0: CRM/ERP 系统内测版本 - 安全加固完成

Browse Source 
- Docker bridge 网络隔离(8000 端口封死)
- Gunicorn 4 Worker 多进程
- Alembic 数据库迁移基线
- 日志轮转 20m×3
- JWT 密钥 + DB 密码 + CORS 收紧
- 3-2-1 备份链路(NAS + R740-B 冷备)
- 连接池 pool_pre_ping + pool_recycle=3600
This commit is contained in:
hankin
2026-03-16 07:31:37 +00:00
commit 423baff73b
2578 changed files with 824643 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/app/core/__init__.py
View File
backend/app/core/config.py
+65
View File
@@ -0,0 +1,65 @@
# -*- coding: utf-8 -*-
"""
核心配置模块
使用 Pydantic v2 Settings 管理所有环境变量,支持 .env 文件自动加载。
"""
from pydantic_settings import BaseSettings, SettingsConfigDict
class Settings(BaseSettings):
"""应用全局配置,所有敏感信息通过环境变量注入,禁止硬编码。"""
model_config = SettingsConfigDict(
env_file=".env",
env_file_encoding="utf-8",
case_sensitive=False,
)
# ---- 应用基础 ----
APP_NAME: str = "SHBL-CRM"
APP_VERSION: str = "2.0.0"
DEBUG: bool = False
# ---- 数据库 (PostgreSQL + asyncpg) ----
DB_HOST: str = "127.0.0.1"
DB_PORT: int = 5432
DB_USER: str = "crm_admin"
DB_PASSWORD: str = "change_me_in_production"
DB_NAME: str = "shbl_crm"
@property
def DATABASE_URL(self) -> str:
"""构造异步 PostgreSQL 连接字符串 (asyncpg 驱动)"""
return (
f"postgresql+asyncpg://{self.DB_USER}:{self.DB_PASSWORD}"
f"@{self.DB_HOST}:{self.DB_PORT}/{self.DB_NAME}"
)
@property
def DATABASE_URL_SYNC(self) -> str:
"""同步连接字符串,仅供 Alembic 迁移使用"""
return (
f"postgresql+psycopg2://{self.DB_USER}:{self.DB_PASSWORD}"
f"@{self.DB_HOST}:{self.DB_PORT}/{self.DB_NAME}"
)
# ---- JWT 安全 ----
SECRET_KEY: str = "REPLACE_WITH_RANDOM_64_CHAR_HEX"
JWT_ALGORITHM: str = "HS256"
ACCESS_TOKEN_EXPIRE_MINUTES: int = 60 * 24 # 24小时
# ---- CORS 白名单 (严格模式,禁止 "*") ----
CORS_ORIGINS: list[str] = [
"http://localhost:5173", # Vite 开发服务器
"http://localhost:8080", # Nginx 生产前端
]
# ---- AI 服务 (Dify BaaS 平台) ----
DIFY_BASE_URL: str = "http://192.168.1.88/v1"
DIFY_LOG_APP_API_KEY: str = "" # 日志分析 App (completion)
DIFY_REPORT_APP_API_KEY: str = "" # 月度报告 App (completion)
# 全局单例,其他模块通过 from app.core.config import settings 引用
settings = Settings()
backend/app/core/database.py
+58
View File
@@ -0,0 +1,58 @@
# -*- coding: utf-8 -*-
"""
异步数据库引擎与会话管理
使用 SQLAlchemy 2.0 异步模式 + asyncpg 驱动,配置连接池参数。
提供 get_db() 依赖注入函数供 FastAPI 路由使用。
"""
from collections.abc import AsyncGenerator
from sqlalchemy.ext.asyncio import (
AsyncSession,
async_sessionmaker,
create_async_engine,
)
from sqlalchemy.orm import DeclarativeBase
from app.core.config import settings
# ---- 异步引擎 (带连接池配置) ----
engine = create_async_engine(
settings.DATABASE_URL,
echo=settings.DEBUG, # DEBUG 模式下打印 SQL
pool_size=20, # 连接池常驻连接数
max_overflow=10, # 超出 pool_size 后允许的临时连接数
pool_pre_ping=True, # 每次取连接前探测存活,防止用到已断开的连接
pool_recycle=3600, # 连接最大存活时间(秒),防止数据库端主动断连
)
# ---- 异步会话工厂 ----
AsyncSessionLocal = async_sessionmaker(
bind=engine,
class_=AsyncSession,
expire_on_commit=False, # 提交后不过期对象属性,避免 lazy load 异常
)
# ---- ORM 基类 ----
class Base(DeclarativeBase):
"""所有 ORM 模型必须继承此基类,Alembic 通过 Base.metadata 自动检测表结构变更。"""
pass
# ---- 依赖注入:获取数据库会话 ----
async def get_db() -> AsyncGenerator[AsyncSession, None]:
"""
FastAPI Depends() 专用生成器。
每个请求获取独立会话,请求结束后自动关闭,异常时自动回滚。
用法: db: AsyncSession = Depends(get_db)
"""
async with AsyncSessionLocal() as session:
try:
yield session
await session.commit()
except Exception:
await session.rollback()
raise
finally:
await session.close()
backend/app/core/dify_client.py
+142
View File
@@ -0,0 +1,142 @@
# -*- coding: utf-8 -*-
"""
Dify BaaS API 客户端
取代原有的 OllamaClient,所有 AI 调用统一走 Dify 平台 API。
Dify 部署地址: http://192.168.1.88
文档参考: https://docs.dify.ai/guides/application-publishing/developing-with-apis
"""
import logging
import httpx
from app.core.config import settings
logger = logging.getLogger("dify_client")
class DifyClient:
"""
Dify 平台 API 客户端(异步)。
每个 Dify 应用有独立的 API Key:
- 日志分析 App → DIFY_LOG_APP_API_KEY
- 月度报告 App → DIFY_REPORT_APP_API_KEY
调用时传入对应 key 即可。
"""
def __init__(self, base_url: str = "http://192.168.1.88/v1"):
self.base_url = base_url.rstrip("/")
async def call_text_generator(
self,
api_key: str,
inputs: dict,
query: str = "",
) -> str:
"""
调用 Dify 文本生成(completion)类应用。
:param api_key: Dify App API Key (app-xxx 格式)
:param inputs: 传入变量字典,键名需与 Dify 后台配置的变量名一致
:param query: 可选的用户查询文本
:return: Dify 返回的 answer 文本,失败时返回空字符串
"""
url = f"{self.base_url}/completion-messages"
headers = {
"Authorization": f"Bearer {api_key}",
"Content-Type": "application/json",
}
payload = {
"inputs": inputs,
"query": query,
"response_mode": "blocking",
"user": "crm-backend",
}
try:
async with httpx.AsyncClient(timeout=60.0) as client:
response = await client.post(url, headers=headers, json=payload)
if response.status_code != 200:
logger.error(
"Dify API 非 200 响应: status=%d body=%s",
response.status_code,
response.text[:500],
)
return ""
data = response.json()
answer = data.get("answer", "")
logger.info(
"Dify 调用成功: %d chars (key=...%s)",
len(answer),
api_key[-6:],
)
return answer
except httpx.TimeoutException:
logger.error("Dify API 超时 (60s): url=%s key=...%s", url, api_key[-6:])
return ""
except Exception as e:
logger.error("Dify API 异常: %s (key=...%s)", e, api_key[-6:], exc_info=True)
return ""
async def call_workflow(
self,
api_key: str,
inputs: dict,
user: str = "crm-backend",
) -> dict | str:
"""
调用 Dify 工作流(workflow)类应用。
:param api_key: Dify App API Key (app-xxx 格式)
:param inputs: 传入变量字典,键名需与 Dify 后台配置的变量名一致
:param user: 用户标识
:return: Dify 工作流返回的 outputs 字典,失败时返回空字符串
"""
url = f"{self.base_url}/workflows/run"
headers = {
"Authorization": f"Bearer {api_key}",
"Content-Type": "application/json",
}
payload = {
"inputs": inputs,
"response_mode": "blocking",
"user": user,
}
try:
async with httpx.AsyncClient(timeout=60.0) as client:
response = await client.post(url, headers=headers, json=payload)
if response.status_code != 200:
logger.error(
"Dify Workflow 非 200 响应: status=%d body=%s",
response.status_code,
response.text[:500],
)
return ""
data = response.json()
outputs = data.get("data", {}).get("outputs", {})
logger.info(
"Dify Workflow 调用成功: outputs_keys=%s (key=...%s)",
list(outputs.keys()) if isinstance(outputs, dict) else "N/A",
api_key[-6:],
)
return outputs
except httpx.TimeoutException:
logger.error("Dify Workflow 超时 (60s): url=%s key=...%s", url, api_key[-6:])
return ""
except Exception as e:
logger.error("Dify Workflow 异常: %s (key=...%s)", e, api_key[-6:], exc_info=True)
return ""
# 全局单例,使用 settings 中配置的 Dify 地址
dify_client = DifyClient(base_url=settings.DIFY_BASE_URL)
backend/app/core/security.py
+64
View File
@@ -0,0 +1,64 @@
# -*- coding: utf-8 -*-
"""
安全模块:JWT 令牌签发/验证 + 密码哈希
使用 python-jose 进行 JWT 操作,bcrypt 直接进行密码哈希。
注意:passlib 已不再维护,与 bcrypt>=5.0 不兼容,故直接使用 bcrypt 库。
"""
from datetime import datetime, timedelta, timezone
import bcrypt
from jose import JWTError, jwt
from app.core.config import settings
def hash_password(plain_password: str) -> str:
"""将明文密码哈希为 bcrypt 格式存储"""
return bcrypt.hashpw(
plain_password.encode("utf-8"), bcrypt.gensalt()
).decode("utf-8")
def verify_password(plain_password: str, hashed_password: str) -> bool:
"""校验明文密码与数据库中的哈希值是否匹配"""
return bcrypt.checkpw(
plain_password.encode("utf-8"),
hashed_password.encode("utf-8"),
)
def create_access_token(
subject: str,
role: str,
expires_delta: timedelta | None = None,
) -> str:
"""
签发 JWT 访问令牌。
:param subject: 用户标识 (通常是 username 或 user_id)
:param role: 用户角色 (admin / user),嵌入 claims 供前端和后端鉴权
:param expires_delta: 自定义过期时间,默认使用配置值
"""
expire = datetime.now(timezone.utc) + (
expires_delta or timedelta(minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES)
)
payload = {
"sub": subject,
"role": role,
"exp": expire,
}
return jwt.encode(payload, settings.SECRET_KEY, algorithm=settings.JWT_ALGORITHM)
def decode_access_token(token: str) -> dict | None:
"""
解码并验证 JWT 令牌。
:return: payload 字典,失败返回 None
"""
try:
payload = jwt.decode(
token, settings.SECRET_KEY, algorithms=[settings.JWT_ALGORITHM]
)
return payload
except JWTError:
return None