release(secrets-mcp): 0.5.6

修复 OAuth 解绑时非法聚合 FOR UPDATE，Web OAuth 审计 IP 与 TRUST_PROXY 对齐并校验 IP，账号绑定写入 oauth_state 失败时回滚 bind 标记。回滚条目时恢复 folder/type，导入冲突检查在 DB 失败时传播错误，MCP delete/history 要求已登录用户，全局请求体 10MiB 限制。CI 部署支持 DEPLOY_KNOWN_HOSTS，默认 accept-new；文档与 deploy 示例补充连接池、限流、TRUST_PROXY。移除含明文凭据的 sync-test-to-prod 脚本。
2026-04-05 12:32:14 +08:00
parent 2b994141b8
commit 63cb3a8216
14 changed files with 217 additions and 194 deletions
--- a/crates/secrets-core/src/service/import.rs
+++ b/crates/secrets-core/src/service/import.rs
@@ -54,7 +54,13 @@ pub async fn run(
        .bind(params.user_id)
        .fetch_one(pool)
        .await
-        .unwrap_or(false);
+        .map_err(|e| {
+            anyhow::anyhow!(
+                "Failed to check entry existence for '{}': {}",
+                entry.name,
+                e
+            )
+        })?;

        if exists && !params.force {
            return Err(anyhow::anyhow!(
--- a/crates/secrets-core/src/service/rollback.rs
+++ b/crates/secrets-core/src/service/rollback.rs
@@ -228,9 +228,11 @@ pub async fn run(
        }

        sqlx::query(
-            "UPDATE entries SET tags = $1, metadata = $2, version = version + 1, \
-             updated_at = NOW() WHERE id = $3",
+            "UPDATE entries SET folder = $1, type = $2, tags = $3, metadata = $4, version = version + 1, \
+             updated_at = NOW() WHERE id = $5",
        )
+        .bind(&snap.folder)
+        .bind(&snap.entry_type)
        .bind(&snap.tags)
        .bind(&snap.metadata)
        .bind(lr.id)
--- a/crates/secrets-core/src/service/user.rs
+++ b/crates/secrets-core/src/service/user.rs
@@ -200,10 +200,14 @@ pub async fn unbind_oauth_account(
        );
    }

-    let count: i64 = sqlx::query_scalar("SELECT COUNT(*) FROM oauth_accounts WHERE user_id = $1")
-        .bind(user_id)
-        .fetch_one(pool)
-        .await?;
+    let mut tx = pool.begin().await?;
+
+    let locked_accounts: Vec<(String,)> =
+        sqlx::query_as("SELECT provider FROM oauth_accounts WHERE user_id = $1 FOR UPDATE")
+            .bind(user_id)
+            .fetch_all(&mut *tx)
+            .await?;
+    let count = locked_accounts.len();

    if count <= 1 {
        anyhow::bail!("Cannot unbind the last OAuth account. Please link another account first.");
@@ -212,8 +216,87 @@ pub async fn unbind_oauth_account(
    sqlx::query("DELETE FROM oauth_accounts WHERE user_id = $1 AND provider = $2")
        .bind(user_id)
        .bind(provider)
-        .execute(pool)
+        .execute(&mut *tx)
        .await?;

+    tx.commit().await?;
+
    Ok(())
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    async fn maybe_test_pool() -> Option<PgPool> {
+        let database_url = match std::env::var("SECRETS_DATABASE_URL") {
+            Ok(v) => v,
+            Err(_) => {
+                eprintln!("skip user service tests: SECRETS_DATABASE_URL not set");
+                return None;
+            }
+        };
+        let pool = match sqlx::PgPool::connect(&database_url).await {
+            Ok(pool) => pool,
+            Err(e) => {
+                eprintln!("skip user service tests: cannot connect to database: {e}");
+                return None;
+            }
+        };
+        if let Err(e) = crate::db::migrate(&pool).await {
+            eprintln!("skip user service tests: migrate failed: {e}");
+            return None;
+        }
+        Some(pool)
+    }
+
+    async fn cleanup_user_rows(pool: &PgPool, user_id: Uuid) -> Result<()> {
+        sqlx::query("DELETE FROM oauth_accounts WHERE user_id = $1")
+            .bind(user_id)
+            .execute(pool)
+            .await?;
+        sqlx::query("DELETE FROM users WHERE id = $1")
+            .bind(user_id)
+            .execute(pool)
+            .await?;
+        Ok(())
+    }
+
+    #[tokio::test]
+    async fn unbind_oauth_account_removes_only_requested_provider() -> Result<()> {
+        let Some(pool) = maybe_test_pool().await else {
+            return Ok(());
+        };
+        let user_id = Uuid::from_u128(rand::random());
+
+        cleanup_user_rows(&pool, user_id).await?;
+
+        sqlx::query("INSERT INTO users (id, name) VALUES ($1, '')")
+            .bind(user_id)
+            .execute(&pool)
+            .await?;
+        sqlx::query(
+            "INSERT INTO oauth_accounts (user_id, provider, provider_id, email, name, avatar_url) \
+             VALUES ($1, 'google', $2, NULL, NULL, NULL), \
+                    ($1, 'github', $3, NULL, NULL, NULL)",
+        )
+        .bind(user_id)
+        .bind(format!("google-{user_id}"))
+        .bind(format!("github-{user_id}"))
+        .execute(&pool)
+        .await?;
+
+        unbind_oauth_account(&pool, user_id, "github", Some("google")).await?;
+
+        let remaining: Vec<(String,)> = sqlx::query_as(
+            "SELECT provider FROM oauth_accounts WHERE user_id = $1 ORDER BY provider",
+        )
+        .bind(user_id)
+        .fetch_all(&pool)
+        .await?;
+        assert_eq!(remaining, vec![("google".to_string(),)]);
+
+        cleanup_user_rows(&pool, user_id).await?;
+        Ok(())
+    }
+}
--- a/crates/secrets-mcp/Cargo.toml
+++ b/crates/secrets-mcp/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "secrets-mcp"
-version = "0.5.5"
+version = "0.5.6"
 edition.workspace = true

 [[bin]]
--- a/crates/secrets-mcp/src/logging.rs
+++ b/crates/secrets-mcp/src/logging.rs
@@ -1,9 +1,8 @@
-use std::net::SocketAddr;
 use std::time::Instant;

 use axum::{
    body::{Body, Bytes, to_bytes},
-    extract::{ConnectInfo, Request},
+    extract::Request,
    http::{
        HeaderMap, Method, StatusCode,
        header::{CONTENT_LENGTH, CONTENT_TYPE, USER_AGENT},
@@ -245,18 +244,5 @@ fn header_str(headers: &HeaderMap, name: impl axum::http::header::AsHeaderName)
 }

 fn client_ip(req: &Request) -> Option<String> {
-    if let Some(first) = req
-        .headers()
-        .get("x-forwarded-for")
-        .and_then(|v| v.to_str().ok())
-        .and_then(|s| s.split(',').next())
-    {
-        let s = first.trim();
-        if !s.is_empty() {
-            return Some(s.to_string());
-        }
-    }
-    req.extensions()
-        .get::<ConnectInfo<SocketAddr>>()
-        .map(|c| c.ip().to_string())
+    crate::client_ip::extract_client_ip(req).into()
 }
--- a/crates/secrets-mcp/src/main.rs
+++ b/crates/secrets-mcp/src/main.rs
@@ -187,6 +187,9 @@ async fn main() -> Result<()> {
        ))
        .layer(session_layer)
        .layer(cors)
+        .layer(tower_http::limit::RequestBodyLimitLayer::new(
+            10 * 1024 * 1024,
+        ))
        .with_state(app_state);

    // ── Start server ──────────────────────────────────────────────────────────
--- a/crates/secrets-mcp/src/tools.rs
+++ b/crates/secrets-mcp/src/tools.rs
@@ -230,15 +230,6 @@ impl SecretsService {
        }
    }

-    /// Extract user_id from the HTTP request parts injected by auth middleware.
-    fn user_id_from_ctx(ctx: &RequestContext<RoleServer>) -> Result<Option<Uuid>, rmcp::ErrorData> {
-        let parts = ctx
-            .extensions
-            .get::<http::request::Parts>()
-            .ok_or_else(mcp_err_missing_http_parts)?;
-        Ok(parts.extensions.get::<AuthUser>().map(|a| a.user_id))
-    }
-
    /// Get the authenticated user_id (returns error if not authenticated).
    fn require_user_id(ctx: &RequestContext<RoleServer>) -> Result<Uuid, rmcp::ErrorData> {
        let parts = ctx
@@ -1142,7 +1133,7 @@ impl SecretsService {
        ctx: RequestContext<RoleServer>,
    ) -> Result<CallToolResult, rmcp::ErrorData> {
        let t = Instant::now();
-        let user_id = Self::user_id_from_ctx(&ctx)?;
+        let user_id = Self::require_user_id(&ctx)?;

        // Safety: require at least one filter.
        if input.id.is_none()
@@ -1172,9 +1163,9 @@ impl SecretsService {
            if let Some(ref id_str) = input.id {
                let eid = parse_uuid(id_str)?;
                let uid = user_id;
-                let entry = resolve_entry_by_id(&self.pool, eid, uid)
+                let entry = resolve_entry_by_id(&self.pool, eid, Some(uid))
                    .await
-                    .map_err(|e| mcp_err_internal_logged("secrets_delete", uid, e))?;
+                    .map_err(|e| mcp_err_internal_logged("secrets_delete", Some(uid), e))?;
                (Some(entry.name), Some(entry.folder))
            } else {
                (input.name.clone(), input.folder.clone())
@@ -1187,11 +1178,11 @@ impl SecretsService {
                folder: effective_folder.as_deref(),
                entry_type: input.entry_type.as_deref(),
                dry_run: input.dry_run.unwrap_or(false),
-                user_id,
+                user_id: Some(user_id),
            },
        )
        .await
-        .map_err(|e| mcp_err_internal_logged("secrets_delete", user_id, e))?;
+        .map_err(|e| mcp_err_internal_logged("secrets_delete", Some(user_id), e))?;

        tracing::info!(
            tool = "secrets_delete",
@@ -1218,7 +1209,7 @@ impl SecretsService {
        ctx: RequestContext<RoleServer>,
    ) -> Result<CallToolResult, rmcp::ErrorData> {
        let t = Instant::now();
-        let user_id = Self::user_id_from_ctx(&ctx)?;
+        let user_id = Self::require_user_id(&ctx)?;
        tracing::info!(
            tool = "secrets_history",
            ?user_id,
@@ -1230,9 +1221,9 @@ impl SecretsService {
        let (resolved_name, resolved_folder): (String, Option<String>) =
            if let Some(ref id_str) = input.id {
                let eid = parse_uuid(id_str)?;
-                let entry = resolve_entry_by_id(&self.pool, eid, user_id)
+                let entry = resolve_entry_by_id(&self.pool, eid, Some(user_id))
                    .await
-                    .map_err(|e| mcp_err_internal_logged("secrets_history", user_id, e))?;
+                    .map_err(|e| mcp_err_internal_logged("secrets_history", Some(user_id), e))?;
                (entry.name, Some(entry.folder))
            } else {
                (input.name.clone(), input.folder.clone())
@@ -1243,10 +1234,10 @@ impl SecretsService {
            &resolved_name,
            resolved_folder.as_deref(),
            input.limit.unwrap_or(20),
-            user_id,
+            Some(user_id),
        )
        .await
-        .map_err(|e| mcp_err_internal_logged("secrets_history", user_id, e))?;
+        .map_err(|e| mcp_err_internal_logged("secrets_history", Some(user_id), e))?;

        tracing::info!(
            tool = "secrets_history",
--- a/crates/secrets-mcp/src/web.rs
+++ b/crates/secrets-mcp/src/web.rs
@@ -1,6 +1,6 @@
 use askama::Template;
 use chrono::SecondsFormat;
-use std::net::SocketAddr;
+use std::net::{IpAddr, SocketAddr};

 use axum::{
    Json, Router,
@@ -176,14 +176,33 @@ async fn current_user_id(session: &Session) -> Option<Uuid> {
 }

 fn request_client_ip(headers: &HeaderMap, connect_info: ConnectInfo<SocketAddr>) -> Option<String> {
-    if let Some(first) = headers
-        .get("x-forwarded-for")
-        .and_then(|v| v.to_str().ok())
-        .and_then(|s| s.split(',').next())
-    {
-        let value = first.trim();
-        if !value.is_empty() {
-            return Some(value.to_string());
+    let trust_proxy = std::env::var("TRUST_PROXY")
+        .as_deref()
+        .is_ok_and(|v| matches!(v, "1" | "true" | "yes"));
+    request_client_ip_with_trust_proxy(headers, connect_info, trust_proxy)
+}
+
+fn request_client_ip_with_trust_proxy(
+    headers: &HeaderMap,
+    connect_info: ConnectInfo<SocketAddr>,
+    trust_proxy: bool,
+) -> Option<String> {
+    if trust_proxy {
+        if let Some(first) = headers
+            .get("x-forwarded-for")
+            .and_then(|v| v.to_str().ok())
+            .and_then(|s| s.split(',').next())
+        {
+            let value = first.trim();
+            if let Ok(ip) = value.parse::<IpAddr>() {
+                return Some(ip.to_string());
+            }
+        }
+        if let Some(value) = headers.get("x-real-ip").and_then(|v| v.to_str().ok()) {
+            let value = value.trim();
+            if let Ok(ip) = value.parse::<IpAddr>() {
+                return Some(ip.to_string());
+            }
        }
    }

@@ -234,10 +253,6 @@ pub fn web_router() -> Router<AppState> {
        .route("/entries", get(entries_page))
        .route("/audit", get(audit_page))
        .route("/account/bind/google", get(account_bind_google))
-        .route(
-            "/account/bind/google/callback",
-            get(account_bind_google_callback),
-        )
        .route("/account/unbind/{provider}", post(account_unbind))
        .route("/api/key-salt", get(api_key_salt))
        .route("/api/key-setup", post(api_key_setup))
@@ -909,14 +924,9 @@ async fn account_bind_google(
            StatusCode::INTERNAL_SERVER_ERROR
        })?;

-    let redirect_uri = format!("{}/account/bind/google/callback", state.base_url);
-    let mut cfg = state
-        .google_config
-        .clone()
-        .ok_or(StatusCode::SERVICE_UNAVAILABLE)?;
-    cfg.redirect_uri = redirect_uri;
-    let st = random_state();
-    if let Err(e) = session.insert(SESSION_OAUTH_STATE, &st).await {
+    let config = google_cfg(&state).ok_or(StatusCode::SERVICE_UNAVAILABLE)?;
+    let oauth_state = random_state();
+    if let Err(e) = session.insert(SESSION_OAUTH_STATE, &oauth_state).await {
        tracing::error!(error = %e, "failed to insert oauth_state for account bind flow");
        if let Err(rm) = session.remove::<bool>(SESSION_OAUTH_BIND_MODE).await {
            tracing::warn!(error = %rm, "failed to roll back oauth_bind_mode after oauth_state insert failure");
@@ -924,34 +934,8 @@ async fn account_bind_google(
        return Err(StatusCode::INTERNAL_SERVER_ERROR);
    }

-    Ok(Redirect::to(&google_auth_url(&cfg, &st)).into_response())
-}
-
-async fn account_bind_google_callback(
-    State(state): State<AppState>,
-    connect_info: ConnectInfo<SocketAddr>,
-    headers: HeaderMap,
-    session: Session,
-    Query(params): Query<OAuthCallbackQuery>,
-) -> Result<Response, StatusCode> {
-    let client_ip = request_client_ip(&headers, connect_info);
-    let user_agent = request_user_agent(&headers);
-    handle_oauth_callback(
-        &state,
-        &session,
-        params,
-        "google",
-        client_ip.as_deref(),
-        user_agent.as_deref(),
-        |s, cfg, code| {
-            Box::pin(crate::oauth::google::exchange_code(
-                &s.http_client,
-                cfg,
-                code,
-            ))
-        },
-    )
-    .await
+    let url = google_auth_url(config, &oauth_state);
+    Ok(Redirect::to(&url).into_response())
 }

 async fn account_unbind(
@@ -1742,6 +1726,34 @@ fn format_audit_target(folder: &str, entry_type: &str, name: &str) -> String {
 mod tests {
    use super::*;

+    #[test]
+    fn request_client_ip_ignores_forwarded_headers_without_trusted_proxy() {
+        let mut headers = HeaderMap::new();
+        headers.insert("x-forwarded-for", "203.0.113.10".parse().unwrap());
+
+        let ip = request_client_ip_with_trust_proxy(
+            &headers,
+            ConnectInfo(SocketAddr::from(([127, 0, 0, 1], 9315))),
+            false,
+        );
+
+        assert_eq!(ip.as_deref(), Some("127.0.0.1"));
+    }
+
+    #[test]
+    fn request_client_ip_uses_valid_forwarded_header_with_trusted_proxy() {
+        let mut headers = HeaderMap::new();
+        headers.insert("x-forwarded-for", "203.0.113.10, 10.0.0.1".parse().unwrap());
+
+        let ip = request_client_ip_with_trust_proxy(
+            &headers,
+            ConnectInfo(SocketAddr::from(([127, 0, 0, 1], 9315))),
+            true,
+        );
+
+        assert_eq!(ip.as_deref(), Some("203.0.113.10"));
+    }
+
    #[test]
    fn request_ui_lang_prefers_zh_cn_over_en_fallback() {
        let mut headers = HeaderMap::new();