修复/api/server-config暴露externalServerAuth的安全问题

This commit is contained in:
mtvpls
2025-12-26 22:13:13 +08:00
parent 3050cd48a9
commit fb9f55136d
5 changed files with 76 additions and 4 deletions

View File

@@ -13,11 +13,12 @@ export async function GET(request: NextRequest) {
const storageType = process.env.NEXT_PUBLIC_STORAGE_TYPE || 'localstorage';
// 观影室配置从环境变量读取
// 注意:不要暴露 externalServerAuth 到前端,这是敏感凭据
const watchRoomConfig = {
enabled: process.env.WATCH_ROOM_ENABLED === 'true',
serverType: (process.env.WATCH_ROOM_SERVER_TYPE as 'internal' | 'external') || 'internal',
externalServerUrl: process.env.WATCH_ROOM_EXTERNAL_SERVER_URL,
externalServerAuth: process.env.WATCH_ROOM_EXTERNAL_SERVER_AUTH,
// externalServerAuth 不应该暴露给前端
};
// 如果使用 localStorage返回默认配置