feat: Implement client-side password encryption

.env.example

@@ -51,16 +51,14 @@ ACCESS_TOKEN_EXPIRE_MINUTES=14400
 
 # First Superuser: Email address for the initial administrator account.
 [email protected]
-
 # First Superuser Password: Password for the initial administrator account.
 # Choose a strong password.
 # min_length=8
 FIRST_SUPERUSER_PASSWORD='telepace'
 
-# First Superuser ID: Optional UUID for the initial administrator account.
-# If not set, a random UUID will be generated.
-# Example: e8ccbeed-f588-4b9a-95ca-000000000000
-# FIRST_SUPERUSER_ID=
+# 用于密码加密和解密的对称密钥，必须是有效的 Fernet 密钥（32 字节的 URL 安全 base64 编码，末尾必须有 = 符号）
+# 生成方法: `python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"`
+APP_SYMMETRIC_ENCRYPTION_KEY='Buhzb09HgEg-4C7oUsZqykAH_-yfXEONu9sogno3a2s='
 
 # -- Email (SMTP) Settings --
 # Configuration for sending emails (e.g., password resets, notifications).

.github/workflows/generate-client.yml

@@ -76,6 +76,7 @@ jobs:
           POSTHOG_API_KEY: ""
           POSTHOG_HOST: ""
           VIRTUAL_ENV: .venv
+          APP_SYMMETRIC_ENCRYPTION_KEY: 'Buhzb09HgEg-4C7oUsZqykAH_-yfXEONu9sogno3a2s='
 
       - name: Stage Generated Files
         run: |

.github/workflows/playwright.yml

@@ -74,9 +74,6 @@ jobs:
       working-directory: backend
     - run: pnpm install --frozen-lockfile
       working-directory: frontend
-    - run: uv run bash scripts/generate-client.sh
-      env:
-        VIRTUAL_ENV: backend/.venv
     - name: Install Doppler CLI
       uses: dopplerhq/cli-action@v3
     - name: Setup Doppler and env
@@ -87,6 +84,9 @@ jobs:
         echo "STACK_NAME=$STACK_NAME" >> $GITHUB_ENV
       env:
         DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN_STAGING }}
+    - run: doppler run -- uv run bash scripts/generate-client.sh
+      env:
+        VIRTUAL_ENV: backend/.venv
     - run: docker compose --project-name $STACK_NAME down --remove-orphans
     - run: docker compose --project-name $STACK_NAME build
     - run: docker compose --project-name $STACK_NAME up -d

.github/workflows/release.yml

@@ -115,7 +115,7 @@ jobs:
           artifacts: "dist/*"
           generateReleaseNotes: true
           bodyFile: "CHANGELOG.md"
-          token: ${{ secrets.BOT_GITHUB_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           draft: false
           prerelease: ${{ contains(github.ref, '-rc') || contains(github.ref, '-beta') || contains(github.ref, '-alpha') }}
 

.windsurfrules

@@ -0,0 +1 @@
+1. The text of the reply is in Chinese, but the code is in English

Makefile

@@ -342,7 +342,7 @@ backend-restart:
 .PHONY: backend-install
 backend-install: check-uv
 	@echo "===========> Installing backend dependencies"
-	@cd $(BACKEND_DIR) && $(UV) sync
+	@cd $(BACKEND_DIR) && UV_HTTP_TIMEOUT=120 $(UV) sync
 
 ## backend-test: Run backend tests with coverage
 .PHONY: backend-test

admin/.env.example

@@ -1,2 +1,6 @@
 VITE_API_URL=http://localhost:8000
-NODE_ENV=development
+NODE_ENV=development
+
+# This key needs to be a securely generated, preferably 32-byte (256-bit) random string,
+# often represented in base64. For Fernet, it must be a URL-safe base64-encoded 32-byte key.
+VITE_APP_SYMMETRIC_ENCRYPTION_KEY="your_strong_symmetric_encryption_key_here"

admin/package.json

@@ -21,6 +21,7 @@
     "@tanstack/react-query-devtools": "^5.28.14",
     "@tanstack/react-router": "1.19.1",
     "axios": "1.7.4",
+    "crypto-js": "^4.2.0",
     "form-data": "4.0.0",
     "next-themes": "^0.4.4",
     "react": "^18.2.0",
@@ -36,6 +37,7 @@
     "@playwright/test": "^1.45.2",
     "@tanstack/router-devtools": "1.19.1",
     "@tanstack/router-vite-plugin": "1.19.0",
+    "@types/crypto-js": "^4.2.2",
     "@types/node": "^20.10.5",
     "@types/react": "^18.2.37",
     "@types/react-dom": "^18.2.15",