🔒 Randomly generate the cookie key https://github.com/siyuan-note/siyuan/issues/16690

Signed-off-by: Daniel <845765@qq.com>
2025-12-27 11:58:49 +01:00 · 2025-12-26 11:21:47 +08:00 · 2025-12-26 11:21:47 +08:00 · a65dcd220f
commit a65dcd220f
parent cef8ca8cf7
5 changed files with 13 additions and 7 deletions
--- a/kernel/harmony/kernel.go
+++ b/kernel/harmony/kernel.go
@ -37,7 +37,7 @@ import (

 //export StartKernelFast
 func StartKernelFast(container, appDir, workspaceBaseDir, localIPs *C.char) {
-	go server.Serve(true)
+	go server.Serve(true, model.Conf.CookieKey)
 }

 //export StartKernel
@ -49,7 +49,7 @@ func StartKernel(container, appDir, workspaceBaseDir, timezoneID, localIPs, lang
 	util.BootMobile(C.GoString(container), C.GoString(appDir), C.GoString(workspaceBaseDir), C.GoString(lang))

 	model.InitConf()
-	go server.Serve(false)
+	go server.Serve(false, model.Conf.CookieKey)
 	go func() {
 		model.InitAppearance()
 		sql.InitDatabase(false)
--- a/kernel/main.go
+++ b/kernel/main.go
@ -31,7 +31,7 @@ func main() {
 	util.Boot()

 	model.InitConf()
-	go server.Serve(false)
+	go server.Serve(false, model.Conf.CookieKey)
 	model.InitAppearance()
 	sql.InitDatabase(false)
 	sql.InitHistoryDatabase(false)
--- a/kernel/mobile/kernel.go
+++ b/kernel/mobile/kernel.go
@ -197,7 +197,7 @@ func VerifyAppStoreTransaction(accountToken, transactionID string) (retCode int)
 }

 func StartKernelFast(container, appDir, workspaceBaseDir, localIPs string) {
-	go server.Serve(true)
+	go server.Serve(true, model.Conf.CookieKey)
 }

 func StartKernel(container, appDir, workspaceBaseDir, timezoneID, localIPs, lang, osVer string) {
@ -208,7 +208,7 @@ func StartKernel(container, appDir, workspaceBaseDir, timezoneID, localIPs, lang
 	util.BootMobile(container, appDir, workspaceBaseDir, lang)

 	model.InitConf()
-	go server.Serve(false)
+	go server.Serve(false, model.Conf.CookieKey)
 	go func() {
 		model.InitAppearance()
 		sql.InitDatabase(false)
--- a/kernel/model/conf.go
+++ b/kernel/model/conf.go
@ -82,6 +82,7 @@ type AppConf struct {
 	CloudRegion    int              `json:"cloudRegion"`    // 云端区域，0：中国大陆，1：北美
 	Snippet        *conf.Snpt       `json:"snippet"`        // 代码片段
 	DataIndexState int              `json:"dataIndexState"` // 数据索引状态，0：已索引，1：未索引
+	CookieKey      string           `json:"cookieKey"`      // 用于加密 Cookie 的密钥

 	m        *sync.RWMutex // 配置数据锁
 	userLock *sync.RWMutex // 用户数据独立锁，避免与配置保存操作竞争
@ -579,6 +580,10 @@ func InitConf() {

 	Conf.DataIndexState = 0

+	if "" == Conf.CookieKey {
+		Conf.CookieKey = gulu.Rand.String(16)
+	}
+
 	Conf.Save()
 	logging.SetLogLevel(Conf.LogLevel)

--- a/kernel/server/serve.go
+++ b/kernel/server/serve.go
@ -62,7 +62,7 @@ const (
 )

 var (
-	sessionStore = cookie.NewStore([]byte("ATN51UlxVq1Gcvdf"))
+	sessionStore cookie.Store

 	HttpMethods = []string{
 		http.MethodGet,
@ -129,7 +129,7 @@ var (
 	}
 )

-func Serve(fastMode bool) {
+func Serve(fastMode bool, cookieKey string) {
 	gin.SetMode(gin.ReleaseMode)
 	ginServer := gin.New()
 	ginServer.UseH2C = true
@ -143,6 +143,7 @@ func Serve(fastMode bool) {
 		gzip.Gzip(gzip.DefaultCompression, gzip.WithExcludedExtensions([]string{".pdf", ".mp3", ".wav", ".ogg", ".mov", ".weba", ".mkv", ".mp4", ".webm", ".flac"})),
 	)

+	sessionStore = cookie.NewStore([]byte(cookieKey))
 	sessionStore.Options(sessions.Options{
 		Path:   "/",
 		Secure: util.SSL,