fix(security): disable Swagger in prod, remove dead debug field, harden env config

2026-04-30 11:47:48 +08:00
parent 388775e05f
commit 6432c24e20
3 changed files with 9 additions and 4 deletions
@@ -5,10 +5,9 @@
 # 运行时配置
 ############
 ERYAO_RUNTIME__ENVIRONMENT=dev
-ERYAO_RUNTIME__DEBUG=true
 ERYAO_RUNTIME__LOG_LEVEL=INFO
 ERYAO_RUNTIME__SQL_LOG_QUERIES=false
-ERYAO_RUNTIME__TRUSTED_PROXY_IPS=[]
+ERYAO_RUNTIME__TRUSTED_PROXY_IPS='["127.0.0.1", "172.18.0.1"]'

 ############
 # Web 服务器配置（Uvicorn）
@@ -48,7 +48,14 @@ async def lifespan(_: FastAPI) -> AsyncGenerator[None, None]:
        logger.info("Base services closed", services=SERVICE_STARTUP_ORDER)


-app = FastAPI(lifespan=lifespan)
+_is_prod = config.runtime.environment == "prod"
+
+app = FastAPI(
+    lifespan=lifespan,
+    docs_url=None if _is_prod else "/docs",
+    redoc_url=None if _is_prod else "/redoc",
+    openapi_url=None if _is_prod else "/openapi.json",
+)
 app.add_middleware(
    CORSMiddleware,
    allow_origins=config.cors.allow_origins,
@@ -35,7 +35,6 @@ def _resolve_project_root() -> Path:
 class RuntimeSettings(BaseModel):
    environment: Literal["dev", "test", "prod"] = "dev"
    service_name: str = "app"
-    debug: bool = True
    log_level: str = "INFO"
    log_json: bool = True
    log_rotation: Literal["time", "size", "none"] = "time"