LazyAGI
diff --git a/‎back/requirements.txt‎
Lines changed: 2 additions & 0 deletions b/‎back/requirements.txt‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎back/src/app.py‎
Lines changed: 6 additions & 3 deletions b/‎back/src/app.py‎
Lines changed: 6 additions & 3 deletions
diff --git a/‎back/src/parts/auth/key_exchange.py‎
Lines changed: 96 additions & 0 deletions b/‎back/src/parts/auth/key_exchange.py‎
Lines changed: 96 additions & 0 deletions
diff --git a/‎back/src/parts/auth/login.py‎
Lines changed: 77 additions & 27 deletions b/‎back/src/parts/auth/login.py‎
Lines changed: 77 additions & 27 deletions
diff --git a/‎back/src/parts/data/controller.py‎
Lines changed: 44 additions & 18 deletions b/‎back/src/parts/data/controller.py‎
Lines changed: 44 additions & 18 deletions
@@ -40,11 +40,13 @@ Markdown
 markdown-it-py
 tokenizers
 pycryptodome
+cryptography
 safetensors
 # app
 # uvicorn
 # gradio<5.0.0
 typer
+filetype
 # docx2txt
 # EbookLib
 # html2text
 
@@ -21,7 +21,7 @@
 import warnings
 from appcmd import register_commands
 from datetime import datetime
-from logging.handlers import RotatingFileHandler
+from logging.handlers import TimedRotatingFileHandler
 from zoneinfo import ZoneInfo
 
 from flask import Flask, Response, g, request
@@ -80,8 +80,11 @@ def initialize_logger(self, app):
             log_dir = os.path.dirname(log_file)
             os.makedirs(log_dir, exist_ok=True)
             log_handlers = [
-                RotatingFileHandler(
-                    filename=log_file, maxBytes=1024 * 1024 * 1024, backupCount=5
+                TimedRotatingFileHandler(
+                    filename=log_file,
+                    when="D",        # 按天分块
+                    interval=6,      # 每6天
+                    backupCount=30,  # 保留180天的日志
                 ),
                 logging.StreamHandler(sys.stdout),
             ]
 
@@ -0,0 +1,96 @@
+# Copyright (c) 2025 SenseTime. All Rights Reserved.
+# Author: LazyLLM Team,  https://github.com/LazyAGI/LazyLLM
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""
+ECDH 密钥交换 API
+
+提供 ECDH 密钥交换接口，用于前后端协商共享密钥。
+无需预先约定密钥，适合开源项目。
+"""
+
+from flask_restful import reqparse
+
+from core.restful import Resource
+from parts.urls import api
+from utils.util_ecdh import ECDHSessionManager
+
+# 会话密钥过期时间（秒）
+SESSION_KEY_EXPIRY = 300  # 5分钟
+
+
+class KeyExchangeApi(Resource):
+    """ECDH 密钥交换 API
+    
+    接收前端公钥，生成后端密钥对，计算共享密钥，返回后端公钥和会话 ID。
+    前端使用返回的公钥计算相同的共享密钥，然后使用共享密钥加密数据。
+    """
+    
+    def post(self):
+        """
+        进行 ECDH 密钥交换
+        
+        请求格式：
+        {
+            "frontend_public_key": "Base64编码的前端公钥"
+        }
+        
+        响应格式：
+        {
+            "backend_public_key": "Base64编码的后端公钥",
+            "session_id": "会话ID（UUID）",
+            "expires_in": 300,
+            "algorithm": "ECDH-P256 + AES-256-GCM"
+        }
+        
+        Returns:
+            dict: 包含后端公钥和会话 ID 的字典
+        
+        Raises:
+            ValueError: 当前端公钥格式错误时抛出
+        """
+        parser = reqparse.RequestParser()
+        parser.add_argument(
+            "frontend_public_key",
+            type=str,
+            required=True,
+            location="json",
+            help="前端公钥（Base64 编码）"
+        )
+        body = parser.parse_args()
+        
+        try:
+            # 创建 ECDH 会话
+            session_id, backend_public_key_b64, _ = ECDHSessionManager.create_session(
+                body.frontend_public_key
+            )
+            
+            return {
+                "backend_public_key": backend_public_key_b64,
+                "session_id": session_id,
+                "expires_in": SESSION_KEY_EXPIRY,
+                "algorithm": "ECDH-P256 + AES-256-GCM",
+                "curve": "secp256r1",
+                "key_size": 256
+            }
+        
+        except Exception as e:
+            import logging
+            logger = logging.getLogger(__name__)
+            logger.error(f"ECDH 密钥交换失败: {e}", exc_info=True)
+            raise ValueError(f"密钥交换失败: {str(e)}")
+
+
+api.add_resource(KeyExchangeApi, "/key_exchange")
+
@@ -31,6 +31,7 @@
 from parts.logs import Action, LogService, Module
 from parts.urls import api
 from utils.util_database import db
+from utils.util_ecdh import decrypt_ecdh_encrypted_data
 
 from .sms import SmsChecker
 
@@ -39,8 +40,8 @@ class RegisterApi(Resource):
     def post(self):
         """注册新用户账号。
 
-        处理用户注册请求，验证用户输入信息并创建新账号。
-        包括验证短信验证码、检查密码一致性、创建账号和租户等。
+        接收 encrypted_data 和 session_id 参数，使用 ECDH 会话密钥解密。
+        请求数据应包含：name, email, phone, password, confirm_password, verify_code
 
         Returns:
             dict: 登录成功后的令牌信息
@@ -49,25 +50,37 @@ def post(self):
             ValueError: 当输入信息无效或密码不一致时抛出
         """
         parser = reqparse.RequestParser()
-        parser.add_argument("name", type=str, required=True, location="json")
-        parser.add_argument("email", type=EmailType, required=True, location="json")
-        parser.add_argument("phone", type=str, required=True, location="json")
-        parser.add_argument("password", type=str, required=True, location="json")
-        parser.add_argument(
-            "confirm_password", type=str, required=True, location="json"
-        )
-        parser.add_argument("verify_code", type=str, required=True, location="json")
+        parser.add_argument("encrypted_data", type=str, required=True, location="json")
+        parser.add_argument("session_id", type=str, required=True, location="json")
         body = parser.parse_args()
 
-        AccountService.validate_name_email_phone(body.name, body.email, body.phone)
-        if body.password != body.confirm_password:
+        # 解密请求数据
+        try:
+            decrypted_data = decrypt_ecdh_encrypted_data(body.encrypted_data, body.session_id)
+        except ValueError as e:
+            raise ValueError(f"请求数据解密失败: {str(e)}")
+        
+        # 从解密后的数据中提取参数
+        name = decrypted_data.get("name")
+        email = decrypted_data.get("email")
+        phone = decrypted_data.get("phone")
+        password = decrypted_data.get("password")
+        confirm_password = decrypted_data.get("confirm_password")
+        verify_code = decrypted_data.get("verify_code")
+
+        # 验证必需参数
+        if not all([name, email, phone, password, confirm_password, verify_code]):
+            raise ValueError("缺少必需参数：name, email, phone, password, confirm_password, verify_code")
+
+        AccountService.validate_name_email_phone(name, email, phone)
+        if password != confirm_password:
             raise ValueError("两次输入的密码不相同")
 
         # 校验验证码
-        SmsChecker("register").check(body.phone, body.verify_code)
+        SmsChecker("register").check(phone, verify_code)
 
         account = RegisterService.register(
-            body.email, body.phone, body.name, password=body.password
+            email, phone, name, password=password
         )
         TenantService.create_private_tenant(account)
 
@@ -199,6 +212,9 @@ class LoginApi(Resource):
     def post(self):
         """用户密码登录。
 
+        接收 encrypted_data 和 session_id 参数，使用 ECDH 会话密钥解密。
+        请求数据应包含：name 或 email 或 phone（至少一个），以及 password
+
         使用用户名/邮箱和密码进行身份验证并登录系统。
         验证成功后记录登录日志并返回访问令牌。
 
@@ -209,16 +225,31 @@ def post(self):
             ValueError: 当身份验证失败时抛出
         """
         parser = reqparse.RequestParser()
-        parser.add_argument("name", type=str, required=False, location="json")
-        parser.add_argument("email", type=str, required=False, location="json")
-        parser.add_argument("password", type=str, required=True, location="json")
-        parser.add_argument(
-            "remember_me", type=bool, required=False, default=False, location="json"
-        )
+        parser.add_argument("encrypted_data", type=str, required=True, location="json")
+        parser.add_argument("session_id", type=str, required=True, location="json")
         body = parser.parse_args()
 
+        # 解密请求数据
+        try:
+            decrypted_data = decrypt_ecdh_encrypted_data(body.encrypted_data, body.session_id)
+        except ValueError as e:
+            raise ValueError(f"请求数据解密失败: {str(e)}")
+        
+        # 从解密后的数据中提取参数
+        name = decrypted_data.get("name")
+        email = decrypted_data.get("email")
+        phone = decrypted_data.get("phone", "")
+        password = decrypted_data.get("password")
+        remember_me = decrypted_data.get("remember_me", False)
+
+        # 验证必需参数
+        if not password:
+            raise ValueError("密码不能为空")
+        if not any([name, email, phone]):
+            raise ValueError("必须提供用户名/邮箱/手机号")
+
         account = AccountService.authenticate_by_password(
-            body.name, body.email, "", body.password
+            name, email, phone, password
         )
         LogService().add(
             Module.USER_MANAGEMENT,
@@ -233,6 +264,9 @@ class LoginSmsApi(Resource):
     def post(self):
         """短信验证码登录。
 
+        接收 encrypted_data 和 session_id 参数，使用 ECDH 会话密钥解密。
+        请求数据应包含：phone, verify_code
+
         使用手机号和短信验证码进行身份验证并登录系统。
         如果用户账号不存在，会缓存验证码用于后续注册流程。
 
@@ -243,20 +277,36 @@ def post(self):
             ValueError: 当验证码验证失败或用户认证失败时抛出
         """
         parser = reqparse.RequestParser()
-        parser.add_argument("phone", type=str, required=True, location="json")
-        parser.add_argument("verify_code", type=str, required=True, location="json")
+        parser.add_argument("encrypted_data", type=str, required=True, location="json")
+        parser.add_argument("session_id", type=str, required=True, location="json")
         body = parser.parse_args()
 
+        # 解密请求数据
+        try:
+            decrypted_data = decrypt_ecdh_encrypted_data(body.encrypted_data, body.session_id)
+        except ValueError as e:
+            raise ValueError(f"请求数据解密失败: {str(e)}")
+        
+        # 从解密后的数据中提取参数
+        phone = decrypted_data.get("phone")
+        verify_code = decrypted_data.get("verify_code")
+
+        # 验证必需参数
+        if not phone:
+            raise ValueError("手机号不能为空")
+        if not verify_code:
+            raise ValueError("验证码不能为空")
+
         # 校验登录验证码
-        SmsChecker("login").check(body.phone, body.verify_code)
+        SmsChecker("login").check(phone, verify_code)
 
-        account = Account.query.filter_by(phone=body.phone).first()
+        account = Account.query.filter_by(phone=phone).first()
         if not account:
             SmsChecker("register").cached_phone_code_for_registration(
-                body.phone, body.verify_code
+                phone, verify_code
             )
 
-        account = AccountService.authenticate_by_sms(body.phone, body.verify_code)
+        account = AccountService.authenticate_by_sms(phone, verify_code)
 
         LogService().add(
             Module.USER_MANAGEMENT,
 
@@ -35,6 +35,7 @@
 from parts.logs import Action, LogService, Module
 from parts.urls import api
 from utils.util_database import db
+from utils.util_file_validation import validate_file_type_and_raise
 
 from . import fields
 from .data_service import DataService
@@ -488,24 +489,32 @@ def post(self):
         if type is None or type == "":
             raise ValueError("没有选择文件类型")
         if type == "pic":
-            if not file.filename.endswith(
-                (
-                    ".jpg",
-                    ".png",
-                    ".jpeg",
-                    ".gif",
-                    ".svg",
-                    ".webp",
-                    ".bmp",
-                    ".tiff",
-                    ".ico",
-                    ".tar.gz",
-                    ".zip",
-                )
-            ):
+            pic_extensions = [
+                ".jpg",
+                ".png",
+                ".jpeg",
+                ".gif",
+                ".svg",
+                ".webp",
+                ".bmp",
+                ".tiff",
+                ".ico",
+                ".tar.gz",
+                ".zip",
+            ]
+            if not file.filename.endswith(tuple(pic_extensions)):
                 raise ValueError("文件类型错误")
             if file.content_length > 2 * 1024 * 1024 * 1024:
                 raise ValueError("文件大小不能超过2GB")
+            
+            if not (file.filename.endswith(".zip") or file.filename.endswith(".tar.gz")):
+                is_strict = not file.filename.lower().endswith(".svg")
+                validate_file_type_and_raise(
+                    file,
+                    [ext.lstrip('.') for ext in pic_extensions if ext not in ['.tar.gz', '.zip']],
+                    strict=is_strict
+                )
+            
             # 检查压缩包内文件类型
             allowed_ext = (
                 ".jpg",
@@ -521,13 +530,30 @@ def post(self):
             self.check_compres_package(file, allowed_ext)
 
         if type == "doc":
-            if not file.filename.endswith(
-                (".json", ".csv", ".jsonl", ".txt", ".parquet", ".tar.gz", ".zip")
-            ):
+            doc_extensions = [
+                ".json",
+                ".csv",
+                ".jsonl",
+                ".txt",
+                ".parquet",
+                ".tar.gz",
+                ".zip",
+            ]
+            if not file.filename.endswith(tuple(doc_extensions)):
                 raise ValueError("文件类型错误")
             if file.content_length > 1024 * 1024 * 1024:
                 raise ValueError("文件大小不能超过1GB")
 
+            if not (file.filename.endswith(".zip") or file.filename.endswith(".tar.gz")):
+                # 对于文档文件，大部分是文本文件，使用非严格模式
+                # parquet 是二进制格式，需要特殊处理
+                is_strict = file.filename.lower().endswith(".parquet")
+                validate_file_type_and_raise(
+                    file,
+                    [ext.lstrip('.') for ext in doc_extensions if ext not in ['.tar.gz', '.zip']],
+                    strict=is_strict
+                )
+
             # 检查压缩包内文件类型
             allowed_ext = (".json", ".csv", ".jsonl", ".txt", ".parquet")
             self.check_compres_package(file, allowed_ext)