🦟 Mosquito Project Optimization Report v2.0
Optimization date: 2026-01-20
Based on: CODE_REVIEW_REPORT.md
Tools: superpowers, security, code-review skills
✅ Completed Optimizations (Round 2)
1. 🔴 API key recovery mechanism
New files:
- service/ApiKeyEncryptionService.java - AES/GCM encryption service
- dto/RevealApiKeyResponse.java - response DTO
- db/migration/V18__Add_api_key_encryption_fields.sql
Modified files:
- persistence/entity/ApiKeyEntity.java - added the encryptedKey and revealedAt fields
- service/ActivityService.java - encrypts the key at generation time before storing it
- controller/ApiKeyController.java - new GET /api/v1/api-keys/{id}/reveal endpoint
```java
// New endpoint
@GetMapping("/{id}/reveal")
public ResponseEntity<RevealApiKeyResponse> revealApiKey(@PathVariable Long id) {
    // Only the path id reaches this handler: the check that the caller owns key {id}
    // must happen in the service or an upstream filter. The service decrypts the
    // stored key and uses the revealedAt field from V18 to refuse and log a second reveal.
    String rawApiKey = activityService.revealApiKey(id);
    return ResponseEntity.ok(new RevealApiKeyResponse(
        rawApiKey,
        "Warning: the API key is shown only once, save it immediately! This action is logged."
    ));
}
```
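The report names ApiKeyEncryptionService.java but does not show it. The following is an added example of an AES/GCM service of the kind described, written for this report and not the project's own code. It assumes the encryption key arrives as raw bytes decoded from app.security.encryption-key, binds the API key's database id into the ciphertext as associated data so a ciphertext copied between rows fails to decrypt, and stores iv || ciphertext || tag as one base64 string; the class and method names are illustrative.

```java
package com.mosquito.project.service; // assumed package, following the tree in this report

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class ApiKeyEncryptionExample {

    private static final int IV_BYTES = 12;   // 96-bit nonce, the size GCM is specified for
    private static final int TAG_BITS = 128;  // full-length authentication tag
    private static final SecureRandom RNG = new SecureRandom();

    private final SecretKey key;

    public ApiKeyEncryptionExample(byte[] rawKey) {
        if (rawKey.length != 16 && rawKey.length != 24 && rawKey.length != 32) {
            throw new IllegalArgumentException("AES key must be 16, 24 or 32 bytes, got " + rawKey.length);
        }
        this.key = new SecretKeySpec(rawKey, "AES");
    }

    /** Associated data: the row id, so a ciphertext moved to another api_keys row is rejected. */
    private static byte[] aad(long apiKeyId) {
        return Long.toString(apiKeyId).getBytes(StandardCharsets.US_ASCII);
    }

    /** Returns base64(iv || ciphertext || tag) for storage in the encrypted_key column. */
    public String encrypt(long apiKeyId, String rawApiKey) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv); // a fresh nonce per encryption; nonce reuse under one key breaks GCM
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        cipher.updateAAD(aad(apiKeyId));
        byte[] ct = cipher.doFinal(rawApiKey.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Decrypts a stored value; throws AEADBadTagException on tampering or a mismatched row id. */
    public String decrypt(long apiKeyId, String stored) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(stored);
        if (in.length < IV_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("stored value too short to contain iv and tag");
        }
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
        cipher.updateAAD(aad(apiKeyId));
        byte[] pt = cipher.doFinal(in, IV_BYTES, in.length - IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] demoKey = new byte[32];
        RNG.nextBytes(demoKey); // demo only; production decodes app.security.encryption-key instead
        ApiKeyEncryptionExample svc = new ApiKeyEncryptionExample(demoKey);

        String stored = svc.encrypt(42L, "mq_live_constructed_sample_key"); // constructed sample key
        System.out.println("round trip: " + svc.decrypt(42L, stored));

        try {
            svc.decrypt(43L, stored); // same ciphertext, different row id: AAD mismatch
        } catch (AEADBadTagException e) {
            System.out.println("rejected: ciphertext bound to a different key id");
        }
    }
}
```

Anything that can read the database and the key can recover every API key, which is the trade-off this feature makes against the previous show-once design; the reveal endpoint's ownership check and the revealedAt audit are what keep that acceptable.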
2. 🔴 Rate limiting now requires Redis
Modified file: web/RateLimitInterceptor.java
```java
// Fails fast at startup in production instead of silently using a per-instance fallback
private void checkRedisRequirement() {
    if (productionMode && redisTemplate == null) {
        throw new IllegalStateException(
            "Production mode requires Redis for rate limiting. " +
            "Please set spring.redis.host in your production configuration."
        );
    }
}
```
Improvements:
- Production profiles (prod) require Redis; startup fails otherwise instead of falling back to a per-instance limiter that a multi-instance deployment lets clients bypass
- X-RateLimit-Limit and X-RateLimit-Remaining response headers added
- A Redis error returns 503 Service Unavailable (fail closed) rather than letting the request through
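The report describes the interceptor's behaviour but only shows the startup check. Below is an added example of a complete Redis-backed interceptor with that behaviour, written for this report and not the project's RateLimitInterceptor. It assumes a Spring Boot 3 (jakarta.servlet) application, a StringRedisTemplate bean, and that an upstream API-key filter stores the key id in a request attribute named apiKeyId; all of those names are assumptions.

```java
package com.mosquito.project.web; // assumed package, following the tree in this report

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.time.Duration;
import org.springframework.dao.DataAccessException;
import org.springframework.data.redis.core.StringRedisTemplate;
import org.springframework.web.servlet.HandlerInterceptor;

public class RedisRateLimitExample implements HandlerInterceptor {

    private final StringRedisTemplate redis;
    private final int limitPerMinute; // e.g. app.rate-limit.per-minute

    public RedisRateLimitExample(StringRedisTemplate redis, int limitPerMinute) {
        if (redis == null) {
            throw new IllegalStateException("Redis is required for rate limiting");
        }
        this.redis = redis;
        this.limitPerMinute = limitPerMinute;
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws IOException {
        long nowMillis = System.currentTimeMillis();
        long window = nowMillis / 60_000; // fixed one-minute window shared by every app instance
        String key = "ratelimit:" + clientId(request) + ":" + window;

        long count;
        try {
            Long n = redis.opsForValue().increment(key); // atomic INCR, so concurrent requests cannot undercount
            count = n == null ? 1 : n;
            if (count == 1) {
                redis.expire(key, Duration.ofMinutes(2)); // window plus slack so old counters disappear
            }
        } catch (DataAccessException e) {
            // Fail closed: a counter we cannot read is not a pass. 503 tells clients to retry,
            // which is the behaviour the report specifies for Redis errors.
            response.setHeader("Retry-After", "5");
            response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE, "rate limiter unavailable");
            return false;
        }

        response.setHeader("X-RateLimit-Limit", Integer.toString(limitPerMinute));
        response.setHeader("X-RateLimit-Remaining", Long.toString(Math.max(0, limitPerMinute - count)));

        if (count > limitPerMinute) {
            long secondsLeftInWindow = 60 - (nowMillis / 1000) % 60;
            response.setHeader("Retry-After", Long.toString(secondsLeftInWindow));
            response.sendError(429, "rate limit exceeded"); // HttpServletResponse has no constant for 429
            return false;
        }
        return true;
    }

    /** Keys on the authenticated API key when present; otherwise on the socket address, never on a spoofable X-Forwarded-For. */
    private static String clientId(HttpServletRequest request) {
        Object apiKeyId = request.getAttribute("apiKeyId"); // assumed attribute set by the API-key auth filter
        return apiKeyId != null ? "key:" + apiKeyId : "ip:" + request.getRemoteAddr();
    }
}
```

The INCR-then-EXPIRE pair is two round trips, so a crash between them leaves a counter with no TTL; if that matters, move both into one Lua script executed with EVAL so they are atomic.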
3. 🟠 Cache invalidation
Modified file: service/ActivityService.java
```java
// Evicts the cached entry for one activity. Spring applies @CacheEvict through the bean proxy,
// so this must be invoked from another bean: a call from inside ActivityService itself
// bypasses the proxy and evicts nothing while still logging "Evicted".
@Caching(evict = {
    @CacheEvict(value = "activities", key = "#id")
})
public void evictActivityCache(Long id) {
    log.info("Evicted cache for activity: {}", id);
}
```
4. 🟠 Audit fields
New file: db/migration/V19__Add_audit_fields.sql
```sql
ALTER TABLE activities ADD COLUMN IF NOT EXISTS created_by BIGINT;
ALTER TABLE activities ADD COLUMN IF NOT EXISTS updated_by BIGINT;
-- The same audit columns are added to all major tables
CREATE INDEX IF NOT EXISTS idx_activities_created_by ON activities(created_by);
```
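The migration adds the columns but the report does not show how created_by and updated_by get populated. The following is an added example using Spring Data JPA auditing, written for this report and not the project's own code. It assumes Spring Security is on the classpath and that the API-key authentication filter sets the key's numeric id as the principal; the configuration and entity names are illustrative, and only the two columns from V19 are mapped.

```java
package com.mosquito.project.config; // assumed package, following the tree in this report

import jakarta.persistence.Column;
import jakarta.persistence.Entity;
import jakarta.persistence.EntityListeners;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.GenerationType;
import jakarta.persistence.Id;
import jakarta.persistence.Table;
import java.util.Optional;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.annotation.CreatedBy;
import org.springframework.data.annotation.LastModifiedBy;
import org.springframework.data.domain.AuditorAware;
import org.springframework.data.jpa.domain.support.AuditingEntityListener;
import org.springframework.data.jpa.repository.config.EnableJpaAuditing;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

@Configuration
@EnableJpaAuditing(auditorAwareRef = "auditorProvider")
public class JpaAuditingExampleConfig {

    /** Resolves the current actor from the security context; empty means "unknown", never a guessed id. */
    @Bean
    public AuditorAware<Long> auditorProvider() {
        return () -> {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            if (auth == null || !auth.isAuthenticated()) {
                return Optional.empty(); // anonymous or background work leaves created_by NULL
            }
            // Assumption: the API-key filter stores the key's numeric id as the principal
            if (auth.getPrincipal() instanceof Long keyId) {
                return Optional.of(keyId);
            }
            return Optional.empty();
        };
    }
}

/** Illustrative entity: the listener fills the two V19 columns on persist and update. */
@Entity
@Table(name = "activities")
@EntityListeners(AuditingEntityListener.class)
class ActivityAuditedEntity {

    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;

    @CreatedBy
    @Column(name = "created_by", updatable = false) // set once on INSERT, never rewritten
    private Long createdBy;

    @LastModifiedBy
    @Column(name = "updated_by") // refreshed on every UPDATE
    private Long updatedBy;

    public Long getId() { return id; }
    public Long getCreatedBy() { return createdBy; }
    public Long getUpdatedBy() { return updatedBy; }
}
```

The updatable = false on created_by is what makes the column usable as evidence: an attacker who can edit a row through the application still cannot rewrite who created it.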
5. 🟠 Externalized application configuration
New file: config/AppConfig.java
```java
@Configuration
@ConfigurationProperties(prefix = "app")
public class AppConfig {
    private SecurityConfig security = new SecurityConfig();
    private ShortLinkConfig shortLink = new ShortLinkConfig();
    private RateLimitConfig rateLimit = new RateLimitConfig();
    private CacheConfig cache = new CacheConfig();
    // ...
}
```
Example application.properties configuration:
```properties
app.security.api-key-iterations=185000
app.short-link.code-length=8
app.short-link.max-url-length=2048
app.rate-limit.per-minute=100
app.cache.leaderboard-ttl-minutes=5
```
6. 🟢 Health check endpoints
Modified file: pom.xml - added dependency
```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
```
application.properties configuration:
```properties
management.endpoints.web.exposure.include=health,info,metrics
management.endpoint.health.show-details=when_authorized
management.health.redis.enabled=true
management.health.db.enabled=true
```
Available endpoints:
- GET /actuator/health - health check
- GET /actuator/info - application information
- GET /actuator/metrics - metrics
7. 🟢 API documentation
New/modified files:
- config/OpenApiConfig.java - OpenAPI configuration
- controller/ActivityController.java - Swagger annotations added
pom.xml dependency:
```xml
<dependency>
    <groupId>org.springdoc</groupId>
    <artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
    <version>2.3.0</version>
</dependency>
```
Swagger UI: http://localhost:8080/swagger-ui.html
📊 Fix Summary
| Issue | Status | Severity |
|---|---|---|
| API key returned only once, no recovery | ✅ Fixed | High |
| Rate limit could be bypassed | ✅ Fixed | High |
| Cache invalidation missing | ✅ Fixed | Medium |
| Audit fields missing | ✅ Fixed | Medium |
| Hard-coded values | ✅ Fixed | Medium |
| Health check endpoints | ✅ Fixed | Low |
| API documentation missing | ✅ Fixed | Low |
📁 New and Modified Files
```text
src/main/java/com/mosquito/project/
├── config/
│   ├── AppConfig.java             # application configuration class
│   └── OpenApiConfig.java         # OpenAPI configuration
├── controller/
│   └── ActivityController.java    # Swagger annotations
├── dto/
│   └── RevealApiKeyResponse.java
├── service/
│   ├── ActivityService.java       # updated
│   ├── ApiKeyEncryptionService.java
│   └── DbRewardQueue.java
└── web/
    ├── RateLimitInterceptor.java  # updated
    └── UrlValidator.java
src/main/resources/db/migration/
├── V17__Add_foreign_key_constraints.sql
├── V18__Add_api_key_encryption_fields.sql
└── V19__Add_audit_fields.sql
```
🚀 Deployment Notes
```bash
# 1. Run the database migrations (V17 to V19)
mvn flyway:migrate
# 2. Production requires Redis
export SPRING_REDIS_HOST=your-redis-host
export SPRING_REDIS_PORT=6379
# 3. Configure the encryption key (production); binds to app.security.encryption-key
export APP_SECURITY_ENCRYPTION_KEY=your-32-byte-key
# 4. Build and deploy
mvn clean package -DskipTests
java -jar target/mosquito-0.0.1-SNAPSHOT.jar --spring.profiles.active=prod
```
🔒 Security Notes
- Encryption key: app.security.encryption-key must be set in production. Every stored API key is recoverable from the database with this key, so keep it out of the repository and application.properties, supply it from the environment or a secrets manager, and use exactly 16, 24 or 32 random bytes as AES requires.
- Redis: production must configure Redis for rate limiting
- API keys: the /reveal endpoint should require additional authentication and check that the caller owns key {id}; as shown above the handler receives only the path id
Optimization completed: 2026-01-20