feat(vNext.4): implement trusted-subject security chain for portal user key self-service

- Add portal_auth.go: Portal user session auth with HMAC-signed cookies - Add /api/portal/session/{login,logout,state} endpoints - Update nginx config template: cookie-to-header trusted proxy pattern - Update frontend: sync CRM session on login/logout - Add TRUSTED_SUBJECT_DEPLOY_GUIDE.md with remote43 deployment steps - Update EXECUTION_BOARD.md: mark trusted-subject blocking issue as resolved This implements the secure chain: Browser → Portal → nginx (cookie→header) → CRM (verify proxy secret) Required remote43 actions: 1. Generate 64-char hex secret 2. Update .env.crm with TRUSTED_* config 3. Update nginx with cookie map and header injection 4. Restart services Fixes EXECUTION_BOARD.md 2026-06-08 blocking issue
2026-06-09 07:48:03 +08:00
parent dd6f332b53
commit 4e2ee087fd
25 changed files with 1861 additions and 177 deletions
--- a/docs/EXECUTION_BOARD.md
+++ b/docs/EXECUTION_BOARD.md
@@ -20,6 +20,33 @@
  2. `portal-admin-api` nginx 反代自动指向 18190（新 CRM）
  3. `/metrics` Prometheus 端点已在公网通过 portal-admin-api 反代可访问

+## 2026-06-08 review remediation 当前真相
+
+- 本地已完成并验证的整改：
+  - `/v1/chat/completions` 上游失败不再包装成 `200/ok`
+  - `allowed_models` 已在公网 chat 入口强制校验
+  - `expires_at` 已在公网 chat 入口强制校验
+  - 成功 chat 后会更新 `last_used_at`
+  - `pause` handler 已接入请求体 `reason`
+  - 同一 `subject + logical_group` 不再复用同一宿主 key；现改为每条 key record 持久化独立 `managed_identity_selector`，`create/reset/pause/resume` 走当前 selector
+  - 新增 migration：`internal/store/migrations/0016_user_keys_managed_identity_selector.sql`
+- 本地验证（2026-06-08 当前运行）:
+  - `gofmt -w` 目标文件通过
+  - `go vet ./...` 通过
+  - `go test ./internal/app ./internal/store/sqlite ./tests/integration/... -count=1` 通过
+- 当前线上阻塞：
+  - ✅ **已解决** (2025-06-09): vNext.4 Trusted-Subject 安全链实施完成
+    - 新文件: `internal/app/portal_auth.go` - Portal user session 认证模块
+    - 变更: `http_api.go`, `bootstrap.go`, `.env.example`, `nginx.sub.tksea.top.conf.example`
+    - 前端: `index.html` 添加 CRM session 登录/登出
+    - 文档: `docs/TRUSTED_SUBJECT_DEPLOY_GUIDE.md` 完整部署指南
+    - 本地验证: `go test ./internal/app -run TestPortal` 全部通过
+  - **待 remote43 部署**:
+    - 需更新 nginx 配置（添加 cookie-to-header map）
+    - 需更新 `.env.crm`（配置 TRUSTED\_\* 环境变量）
+    - 需生成并同步 64 字符 hex secret
+    - 详见部署指南文档
+
 ## 2026-06-05 vNext.2 / V2-4 真实闭环

 - 已完成 user-key self-service 第二轮实现并部署到 remote43 生产 CRM：