4e2ee087fd
- Add portal_auth.go: Portal user session auth with HMAC-signed cookies
- Add /api/portal/session/{login,logout,state} endpoints
- Update nginx config template: cookie-to-header trusted proxy pattern
- Update frontend: sync CRM session on login/logout
- Add TRUSTED_SUBJECT_DEPLOY_GUIDE.md with remote43 deployment steps
- Update EXECUTION_BOARD.md: mark trusted-subject blocking issue as resolved
This implements the secure chain:
Browser → Portal → nginx (cookie→header) → CRM (verify proxy secret)
Required remote43 actions:
1. Generate 64-char hex secret
2. Update .env.crm with TRUSTED_* config
3. Update nginx with cookie map and header injection
4. Restart services
Fixes EXECUTION_BOARD.md 2026-06-08 blocking issue
57 lines
1.7 KiB
Go
57 lines
1.7 KiB
Go
package app
|
|
|
|
import (
|
|
"context"
|
|
"time"
|
|
|
|
"sub2api-cn-relay-manager/internal/config"
|
|
)
|
|
|
|
func Bootstrap(ctx context.Context) (*Server, error) {
|
|
cfg, err := config.LoadStartupFromEnv()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
adminToken, err := config.LoadAdminTokenFromEnv()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
adminSession, err := config.LoadAdminSessionFromEnv()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
stickyRuntime, err := newStickyStoreRuntime(ctx, cfg.RouteRuntime)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
startBackgroundSchedulers(ctx, cfg, defaultBackgroundSchedulers())
|
|
handler := NewAPIHandlerWithAuth(AdminAuthConfig{
|
|
Token: adminToken,
|
|
Username: adminSession.Username,
|
|
Password: adminSession.Password,
|
|
SessionTTL: adminSession.SessionTTL,
|
|
}, NewActionSetWithStickyRuntime(cfg.Database.SQLiteDSN, stickyRuntime, cfg.UserKeyAuth), cfg.Database.SQLiteDSN, cfg.UserKeyAuth.TrustedProxySecret)
|
|
return NewServer(cfg.Server.ListenAddr, handler, nil), nil
|
|
}
|
|
|
|
type backgroundSchedulers struct {
|
|
runBatchImport func(context.Context, string)
|
|
runReconcile func(context.Context, string, time.Duration)
|
|
}
|
|
|
|
func defaultBackgroundSchedulers() backgroundSchedulers {
|
|
return backgroundSchedulers{
|
|
runBatchImport: runBatchImportBackgroundScheduler,
|
|
runReconcile: runReconcileBackgroundScheduler,
|
|
}
|
|
}
|
|
|
|
func startBackgroundSchedulers(ctx context.Context, cfg config.StartupConfig, schedulers backgroundSchedulers) {
|
|
if schedulers.runBatchImport != nil {
|
|
schedulers.runBatchImport(ctx, cfg.Database.SQLiteDSN)
|
|
}
|
|
if cfg.Reconcile.WorkerEnabled && schedulers.runReconcile != nil {
|
|
schedulers.runReconcile(ctx, cfg.Database.SQLiteDSN, cfg.Reconcile.PollInterval)
|
|
}
|
|
}
|