bia/story-edit-web
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
06e639f0df9a9a529f796af5e49bd39fde889575
story-edit-web/web/docker-compose.yml
邓雨鹏 90402c4a17 security: 每人一把口令(口令即身份) + 随机会话token + 无配置拒绝启动 + 爆破节流 
- STORY_WEB_PASSWORD(默认story) 废弃 → STORY_WEB_USERS=名字1:口令1,名字2:口令2;
  未配置/口令<8位/口令或用户名重复 → 启动即退出,杜绝弱默认口令裸奔
- cookie 不再存口令原文:登录发 secrets.token_urlsafe(32) 随机token,
  会话存 SQLite sessions 表(30天);登出删token;从 USERS 移除某人=吊销其全部会话
- updated_by 改由服务端按会话身份填写,前端自报 by 不再可信;登录框去掉昵称字段
- 登录失败全局递增节流(最多sleep 5s),口令比较用 secrets.compare_digest
- Dockerfile/compose 移除一切口令默认值;compose 未设 STORY_WEB_USERS 直接报错
- 顺手修 playtest.js 走位/动画/out_ref 行未转义的存储型XSS(esc补齐)
2026-06-10 17:34:50 +08:00

28 lines
1.3 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Story 事件协作 Web 编辑器M6。NAS 跑容器VPS 端口映射到此。
# cd tools/event_authoring/web
# STORY_WEB_USERS="bia:口令A,ljl:口令B" docker compose up -d --build
services:
story-web:
build:
context: .. # = tools/event_authoring
dockerfile: web/Dockerfile
args:
# 默认官方源;国内构建用环境变量覆盖,如
# PIP_INDEX_URL=https://pypi.tuna.tsinghua.edu.cn/simple docker compose build
PIP_INDEX_URL: "${PIP_INDEX_URL:-https://pypi.org/simple}"
image: story-event-web:latest
container_name: story-event-web
ports:
- "${STORY_WEB_PORT:-8787}:8787"
environment:
# 必须显式提供(每人一把口令,口令即身份);未设置时 compose 直接报错
STORY_WEB_USERS: "${STORY_WEB_USERS:?必须设置 STORY_WEB_USERS=名字1:口令1,名字2:口令2}"
volumes:
# SQLite 持久化(事件数据;勿删)
- ./data:/data
# 点位集(开发侧产出,只读引用;缺失时坐标校验降级为警告)
- ../../../Assets/StreamingAssets/Story/PointSets:/pointsets:ro
# 前端静态文件热挂载:改 static/* 后刷新浏览器即生效,无需重建镜像
- ./static:/app/web/static:ro
restart: unless-stopped
Reference in New Issue View Git Blame Copy Permalink