Copilot/add ongoing activities section#1013
Conversation
* Initial plan
* feat: add Zeabur deployment template (zeabur.yaml) and deploy button
  Co-authored-by: FenjuFu <92919259+FenjuFu@users.noreply.github.com>
* fix: update deployment option count in README (2 -> 3 methods)
  Co-authored-by: FenjuFu <92919259+FenjuFu@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: FenjuFu <92919259+FenjuFu@users.noreply.github.com>
…onal iFLYTEK config
… README Co-authored-by: FenjuFu <92919259+FenjuFu@users.noreply.github.com>
Code Review
This pull request introduces a new one-click deployment option using a Zeabur template, and updates the README files accordingly. The changes to the documentation are good. However, the new zeabur.yaml template file contains several critical security vulnerabilities and high-severity configuration issues. These include hardcoded private keys, weak default passwords, hardcoded API keys, and invalid configurations like future timestamps and non-existent image tags. These issues must be addressed before this can be merged to ensure a secure and functional deployment for users.
| "id": "1e3b4ee5-7164-47c4-a421-a2ff4938c765", | ||
| "externalId": "", | ||
| "type": "normal-user", | ||
| "password": "123", |
The default password for the Casdoor admin user is hardcoded to 123. This is a critical security risk as it uses a weak, well-known default password for an administrative account. This makes the system highly vulnerable to unauthorized access. Please use a strong, randomly generated password. You can leverage Zeabur's built-in ${PASSWORD} variable for this.
"password": "${PASSWORD}",
| "bitSize": 4096, | ||
| "expireInYears": 20, | ||
| "certificate": "-----BEGIN CERTIFICATE-----\nMIIE3TCCAsWgAwIBAgIDAeJAMA0GCSqGSIb3DQEBCwUAMCgxDjAMBgNVBAoTBWFk\nbWluMRYwFAYDVQQDEw1jZXJ0LWJ1aWx0LWluMB4XDTI1MDkyMDEwNDcxOFoXDTQ1\nMDkyMDEwNDcxOFowKDEOMAwGA1UEChMFYWRtaW4xFjAUBgNVBAMTDWNlcnQtYnVp\nbHQtaW4wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDL9L2vPZEXUP4z\nmbVhlgpQx35HzCvQGr+Hbi+ENf5rUadq2X8JVJ5Js3vsi/dMXoXuw2wScltgayEp\nOuyh775uXC/gOrKgfnwANE9VRU9jwBdpZcLeQBfZB2gVQZDYt2wZBSpCwp78I2AS\neWgpvBDXDTp8fV2bJBu7yaLPTdysXVCpdHEkEan7xCAY9yHl9psiqn8aVD4f9T+U\n/oHRIvyAVLpxgQ6w/Lsk2Zcw7lI4feRlF0PYQouoof91gnOIjkYEyFvF/imuL+Xg\nQuA6yMfJ04lfLt8lwu3jAwGw7VIA8LE2pQ6DmJ4pEbFBMU3H626HNel1dxEjW/j+\nTv47nkCPpXGI0w17fc54fbZ7VmtZ6LizxkBfhWf+j8Rm3hpMr6tJ6ISjUajyB17U\n1w9QWU9pOJa/cehOVczEehQLjhX5MZGAUovlmMNojKAtOO/tdcRsDMwOHJyXBqHa\noCykyJ00eIguTtmTTboAqdx3cpom8wNjRh5sUB+YkpsYTVVe/a5r0olfZHDos5bf\nknJXi9X+ppD7nvoCtwrki6AH5Dw9prsrql3sagUHgBKBVLG3EIhDIlkRTQDOO55C\n8OzuyVbDkIbcEX8BIFj8yoUAP/DcpazHHOGhjHRRcFvVHAGRtz8fH6qB9hX3N3a+\nTevIZoANOYLgN6ACWJ0bODLAO9pwWwIDAQABoxAwDjAMBgNVHRMBAf8EAjAAMA0G\nCSqGSIb3DQEBCwUAA4ICAQAT63JAwjc151XNWbMSr5ClNGd+bwEx+zDnQh/YD8V7\n8Wqj2E4r8B+wysDVu7YdOQkoIjtlFOLACg0469F7oC+kPi6N8vMFFZ+xXWk6qLed\nOFYsdUyH+l643GfMprFMA1qbJvqcOnymggeMA1rSJMu9PJ5g7WfoEg6UTKh7H9HV\nvHvgVzLweiZCS37FCC5+RDt/rOCzIrI2DfwDbf4CLKXft7mr3mnA3kVRuT+ufI9X\n+e6UqmM7EBFYeZAHi8/GXIQ8/j34ag5hiIISMhjuFYKEfMtqLYUCTH6X7NTGbGrv\nAs8YB2x5QnUj89N7IRv2hr1uJnaZOIx5feLRmuRmo35scLopAnNu0VT75TOS0Ifh\nyrouqlep4grk4DMFSWEMNodpkHHLr4pOVE8vCYphli75/beOkiilUpxGI6/osKKo\nSOC5CuC6hDarVBF3q6zpNEnqalQf9Vf2d4zeCKMfV2IuUOqKRaRFpVZfVJsbiYTi\nYF1VUCTFdfrIFsC5V9LknxvLyq8ubzpXHnIV6m/l95OxxCEDvI47l5RmwkblKk57\nH9IRmr6l66Ar2WRGQYAxpiOz3aF8IMg8f0+Vk91FNTsgNrSsk9uovQrrDDtm3KyO\nEzhOO4NA9WgaE1c6GzZD87GhrZukHWHE4KvTpkiQ3pGmTqUjIHvon+0lKtG8E5fz\nKg==\n-----END CERTIFICATE-----\n", | ||
| "privateKey": "-----BEGIN RSA PRIVATE KEY-----\nMIIJKQIBAAKCAgEAy/S9rz2RF1D+M5m1YZYKUMd+R8wr0Bq/h24vhDX+a1Gnatl/\nCVSeSbN77Iv3TF6F7sNsEnJbYGshKTrsoe++blwv4DqyoH58ADRPVUVPY8AXaWXC\n3kAX2QdoFUGQ2LdsGQUqQsKe/CNgEnloKbwQ1w06fH1dmyQbu8miz03crF1QqXRx\nJBGp+8QgGPch5fabIqp/GlQ+H/U/lP6B0SL8gFS6cYEOsPy7JNmXMO5SOH3kZRdD\n2EKLqKH/dYJziI5GBMhbxf4pri/l4ELgOsjHydOJXy7fJcLt4wMBsO1SAPCxNqUO\ng5ieKRGxQTFNx+tuhzXpdXcRI1v4/k7+O55Aj6VxiNMNe33OeH22e1ZrWei4s8ZA\nX4Vn/o/EZt4aTK+rSeiEo1Go8gde1NcPUFlPaTiWv3HoTlXMxHoUC44V+TGRgFKL\n5ZjDaIygLTjv7XXEbAzMDhyclwah2qAspMidNHiILk7Zk026AKncd3KaJvMDY0Ye\nbFAfmJKbGE1VXv2ua9KJX2Rw6LOW35JyV4vV/qaQ+576ArcK5IugB+Q8Paa7K6pd\n7GoFB4ASgVSxtxCIQyJZEU0AzjueQvDs7slWw5CG3BF/ASBY/MqFAD/w3KWsxxzh\noYx0UXBb1RwBkbc/Hx+qgfYV9zd2vk3ryGaADTmC4DegAlidGzgywDvacFsCAwEA\nAQKCAgEAtERUJ4BuLkKa+3afF2qrIWzB06nFC8GoiYY9H0kt3yMjq1AjdVbCNPgb\nzx6C7JAbJsa5TbCfzR/DBpMbNaIWGasHcdPPsAU7il6xw/dnzQ2qY7DaxN+3dE6U\nkz0JTlMIizDCgpFMPiTyNEH0a/bal4kMqZ2Qz5/hl2AHs9zo77vmoG/X1H58VJer\nmwVLg9sskT5K6zWMV2jH0uQET5nxvWemBs5/8rTeoBpmBIyQRXgYF7WxdIKUt+6/\nQNiVTxwZDP8eBmi35EpXjpjtYWe3Fk8O+v8Nom2hHuW4Z+3KbiRPLbJDmtKY8Em/\n9pQiYFJZtc5T00vy7OLMt9GP6ZfdDMXHqGT/VFJuYNQhRWgaf9JE5zZuQ3O/D1BH\nAbY0+a825DcOn2XqP3KlHOR1CJyFhphZDowxg2pjhQ548+30eQ9/IoTvgrEnReRW\n3/USVvcUA4lgmzKv50BLiy9wK55FVglafdRm1fq3ykQwAZ/ok4ah2U+ZA98Hh8/V\n4xZ/KSBlNxSfBEPKlPkSBBrwqUwZtrwcHUg0qiRrJGvGxqKPUb0kOQmQjX2VNPoU\nPYzHO9G83RFeJU5KjMj9+apXV2qSL1m8wFJ/aHraUoaOhQ7AzETY0H8r0EbBunq3\nQ8s3Foeb3/p9DOxZxODaDKYDKHM43h1Oro+JjXy+21KSBBjAQrkCggEBAOZzNUlB\nayl/c6ynVlaYR2UGPdbymbAu8dB2Yj/OFjKQgWl2pKVpjUvva7A8p0smU+oC3fVQ\n9qBT6834N8jUqKUCxkHnVw1UDhXPJofqOkaLwf4cLL3X1PbPShaZbEM45YZqmU/c\npihL/myVcXFxntzQZ9NxzJU1wu4uwII0jd1ciFNssulxobgN0JDLM3jJ+Vf1yFUC\nJgCscZcRWBb0HW1IxHVic3GPEzg1hwgyt9V+e/xdKuy4+LQuPPsVBiy5lsVBtwXY\nN5Ve2k9dp0etnoQE+xjdcDwJVNgD46C4nw8e177u20cDyevILbxCRlSJ/ptQXgVu\nc3UZ9o9Y51N9HfUCggEBAOKRj7vGLhUf0Tv7+qroktTaj6jFUQr+JFQKuOTAHo1C\nghyIAtDjDPl3Be+DWPrvXSswEjOqI/haTjxUmTQgJEmuQEfebE7n0fOf25jcCFwb\nIEFgzvLJSvEiZX7y8nPFffP5TSzS/gxiqNZV
J0im3aAYUK48DXY+6Sg+xhOAPpzY\nysLifc6P2WlGt3OntuMYYgCqGwmlnRNVADdlqt5EH/mRRuxjqGQqXovozlQ8UBTL\nDX4fDLjkcqdG22mOD0qscvsG36LTjpcERposjQ6Qa6QFkGoNd5qYTILW3oq36NsJ\nevucMPSK6HWEbCkrC9Z6Q+PSuILHRNWJSThkAuzKkw8CggEAb6BEomxWvS4oWOxh\njOaMRqokUDcJLOdAaKq/YoqwA+QtW2mFzT34nFynvCFVI7i4EvU6kHacUAL2iLmA\nQ/6Ghg92+ztU1nbtr7C8yD8z5TITUMRTA85FMRwtlg7Q+yrXOyntg1qs/X36CpzE\n65+OxQUKFcjcwTXea0MoKqnMQfptaoOPkjZhkGbYrRpQn2SuK+Y5GLxGrjLZfsR+\n9/ddPa9uwjFjHBGizKpY8yamF3sCEbcLcMkUZyqyjSic6hMnrfrr7Z/TJL5iXulN\nexHlY6uJ+XxhviMC/vO7UgG7wjY9aRYIDzkNmPFI/hTYPmDtfEwMjvL2aDWgUcVN\noApN9QKCAQEAyhT21I7BD4pff1cSj1n9jOicdfX4gQuIr4UYwL8zAN+vWW9ew52g\nNumYW7cVqEvTF/A6a+Z3Ss6RNXJna3y3oRhQsUmL5R0TwG522XJ36l8vd+C29Qnh\nVA5P5Nkgs24VF4Tm9vICMl3VJcax0TU0O9U0MRPTFgKqx4Cl/0LFlfQvdX+6ooDf\nc+zlN70BfLCEyP7wOryCy3lnRgHiU3kD4/9V+QYybZT022l8jtl0u/cYQ8PB/y+T\nq+uhTBavQPVrYMcStRJo/f2MU3slHTZnK9biphT49uScaZ7ow2WhxaxBCyaW66by\nC89fAaEpX9WRtCSA+fRuSt+2dRuPGFDetQKCAQBNxBbtOrw79tpq7NaSWlylTR+K\nQJeUSol1NpktS17dLesFc6c4vVc90tOrQvmK9MoOdYpk7/ZMpIpXtgtoegEnN34r\nbfyb+O4UeOi44Y/cKr1Av3bZmp2lRQtTXZJkRlRI5kowVAHOP70WWytcfIYW+zbZ\nOSRiQOT2UFaIQjdZml9jvD/Zhr8TuLPZoaRuhWVLID0LZrix9ivYD028uHoiONl3\nbmzNhqTlcGC/skh5hn6ohEyizvHLIrpbUPK66xOWjcheFi+wKfGpKOZxt325y64D\nhQkmJquirnONmiUNuKWIUxOkbC/spnrAJ72dStfEo2V59hG5jitTlmoaXAo+\n-----END RSA PRIVATE KEY-----\n" |
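Review bot: removing the certs block from the template is necessary but not sufficient, because the RSA private key on these lines is already in this PR's history and has to be treated as compromised. Any Casdoor instance deployed from this template should delete this certificate and generate a fresh key pair, and tokens signed with the leaked key should no longer be trusted. Note also "expireInYears": 20 and the 4096-bit "bitSize": left in place, the leaked key would stay valid for two decades, so rotation cannot wait for expiry.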
A private key is hardcoded in the Casdoor init_data.json. This is a critical security vulnerability as it allows anyone with access to this repository to sign JWTs, compromising user authentication. Private keys must never be committed to version control. Please remove the certs block from the init_data.json template and allow Casdoor to generate a new key pair on its first run.
| default: 7b709739e8da44536127a333c7603a83 | ||
| APP_AUTH_SECRET: | ||
| default: NjhmY2NmM2NkZDE4MDFlNmM5ZjcyZjMy |
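Review bot: besides being hardcoded, APP_AUTH_SECRET's default is base64 of a 24-character hex string (it decodes to 68fccf3cdd1801e6c9f72f32), i.e. 96 bits of keying material dressed up as 32 characters, and APP_AUTH_API_KEY's default on the line above is a 32-character hex value. When these are generated at deploy time, derive each from at least 32 random bytes rather than reproducing this shape, and keep the secret and the API key independent of each other.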
The APP_AUTH_API_KEY and APP_AUTH_SECRET are hardcoded. This is a critical security vulnerability. Hardcoding credentials makes them accessible to anyone who can view the repository, and makes rotation difficult. This pattern is repeated for other credentials like TENANT_KEY (line 1741) and MAAS_API_KEY (line 1778). These should be generated dynamically at deployment and managed as secrets.
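The two comments above ask for the same pre-merge check: no private keys in init_data.json and no literal credentials in zeabur.yaml. The script below is an added example of that check, not code from this PR or the project. The template and init_data fragments it scans are constructed for the example, the key material is a placeholder, and the credential-name patterns (KEY/SECRET/TOKEN/PASSWORD suffixes), the weak-password list and the treatment of `${VAR}` defaults as deploy-time generated values are assumptions to tune for the repository.

```python
"""Pre-merge check for hardcoded secrets in a deployment template.

Added example, not code from the PR under review. It flags the classes of
finding the review raises: PEM private keys in init_data.json, weak default
passwords, and API-key/secret defaults that are literals rather than
deploy-time variables such as Zeabur's ${PASSWORD}. Inputs are constructed.
"""
import json
import re

# Constructed fragment in the shape of a zeabur.yaml env block (not the PR's file).
SAMPLE_TEMPLATE = """\
    env:
      APP_AUTH_API_KEY:
        default: a3f9c1d27e4b80f6a3f9c1d27e4b80f6
      APP_AUTH_SECRET:
        default: Zm9vYmFyYmF6cXV4MTIzNDU2
      ADMIN_PASSWORD:
        default: admin
      DB_PASSWORD:
        default: ${PASSWORD}
      LOG_LEVEL:
        default: info
"""

# Constructed fragment in the shape of a Casdoor init_data.json (placeholder key).
SAMPLE_INIT_DATA = json.dumps({
    "users": [{"name": "admin", "type": "normal-user", "password": "123"}],
    "certs": [{
        "name": "cert-built-in",
        "bitSize": 4096,
        "certificate": "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n",
        "privateKey": "-----BEGIN RSA PRIVATE KEY-----\nMIIJ...placeholder...\n-----END RSA PRIVATE KEY-----\n",
    }],
})

# Assumed policy knobs: tune these for the repository being checked.
WEAK_PASSWORDS = {"123", "1234", "12345", "123456", "admin", "password", "changeme"}
PEM_PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED |)PRIVATE KEY-----")
TEMPLATE_VAR_RE = re.compile(r"^\$\{[A-Z0-9_]+\}$")   # ${PASSWORD} etc.: generated at deploy time
SECRET_NAME_RE = re.compile(r"(KEY|SECRET|TOKEN|PASSWORD|PASS)$", re.IGNORECASE)
PASSWORD_NAME_RE = re.compile(r"(PASSWORD|PASS)$", re.IGNORECASE)

KEY_LINE_RE = re.compile(r"^\s*([A-Za-z0-9_]+):\s*$")
DEFAULT_LINE_RE = re.compile(r"^\s*default:\s*(\S+)\s*$")


def scan_template(text):
    """Findings for `NAME:` / `default: VALUE` pairs whose NAME looks like a credential."""
    findings = []
    current = None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = KEY_LINE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = DEFAULT_LINE_RE.match(line)
        if not (m and current and SECRET_NAME_RE.search(current)):
            continue
        value = m.group(1)
        if TEMPLATE_VAR_RE.match(value):
            continue                      # filled in at deploy time: acceptable
        if PASSWORD_NAME_RE.search(current) and value.lower() in WEAK_PASSWORDS:
            kind = "weak-password"
        else:
            kind = "hardcoded-secret"     # any literal credential default is a finding
        findings.append({"line": lineno, "key": current, "kind": kind})
    return findings


def scan_init_data(node, path="$"):
    """Walk parsed init_data.json; flag private keys and weak literal passwords."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            findings.extend(scan_init_data(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            findings.extend(scan_init_data(value, f"{path}[{i}]"))
    elif isinstance(node, str):
        field = path.rsplit(".", 1)[-1]
        if PEM_PRIVATE_KEY_RE.search(node):
            findings.append({"path": path, "kind": "private-key"})
        elif field.lower() == "password" and not TEMPLATE_VAR_RE.match(node) \
                and node.lower() in WEAK_PASSWORDS:
            findings.append({"path": path, "kind": "weak-password"})
    return findings


def scan_all(template_text, init_data_text):
    """Combined findings; an empty list means both files pass the check."""
    return scan_template(template_text) + scan_init_data(json.loads(init_data_text))


if __name__ == "__main__":
    for finding in scan_all(SAMPLE_TEMPLATE, SAMPLE_INIT_DATA):
        print(finding)
```

Run as a CI step, a non-empty result from `scan_all` should fail the build; certificates are deliberately not flagged because only the private half is sensitive, and a `${VAR}` default is accepted because the platform generates the value at deploy time instead of shipping it in the repository.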
| '2025-10-24 10:00:00', -- create_at (DATETIME) | ||
| '2025-10-24 10:00:00' -- update_at (DATETIME) |
The create_at and update_at timestamps are hardcoded to a future date (2025-10-24 10:00:00). This is incorrect and can lead to data integrity issues. This issue is present in multiple places in this file (e.g., lines 216-217, 274, 295, 489, etc.).
For the SQL INSERT statements, the table schemas already define default CURRENT_TIMESTAMP values, so you should remove these columns from the INSERT list and let the database handle them automatically.
For the init_data.json, these timestamps should be valid past dates.
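An added example (not the PR's SQL or schema) of the fix suggested above: the seed INSERT leaves create_at/update_at out so the table's DEFAULT CURRENT_TIMESTAMP fills them, and a small lint flags literal timestamps later than the date the seed file was written. SQLite stands in for the project's database, the bot table and seed rows are constructed, and the authoring date 2025-10-01 used by the lint is an assumed value.

```python
"""Seed rows without hardcoded audit timestamps, plus a lint for future dates.

Added example, not the PR's SQL or schema. SQLite stands in for the
project's database; CURRENT_TIMESTAMP is UTC in the same
'YYYY-MM-DD HH:MM:SS' shape the seed file uses.
"""
import re
import sqlite3
from datetime import datetime, timedelta, timezone

SCHEMA = """
CREATE TABLE bot (
    id        INTEGER PRIMARY KEY,
    name      TEXT NOT NULL,
    create_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
    update_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
);
"""

# Constructed seed file: the first INSERT mirrors the PR's pattern (literal
# timestamps baked in), the second omits the audit columns entirely.
SEED_SQL = """
INSERT INTO bot (id, name, create_at, update_at)
VALUES (1, 'seeded-with-literals', '2025-10-24 10:00:00', '2025-10-24 10:00:00');
INSERT INTO bot (id, name) VALUES (2, 'seeded-with-defaults');
"""

TS_LITERAL_RE = re.compile(r"'(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})'")
TS_FMT = "%Y-%m-%d %H:%M:%S"


def future_timestamp_literals(sql_text, written_on):
    """Literal DATETIME values in sql_text that lie after `written_on`."""
    return [lit for lit in TS_LITERAL_RE.findall(sql_text)
            if datetime.strptime(lit, TS_FMT) > written_on]


def seed_and_read():
    """Apply schema and seed file; return {name: (create_at, update_at)}."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SEED_SQL)
    rows = conn.execute(
        "SELECT name, create_at, update_at FROM bot ORDER BY id").fetchall()
    conn.close()
    return {name: (c, u) for name, c, u in rows}


def defaulted_row_is_fresh(rows, tolerance=timedelta(minutes=5)):
    """True if the row seeded without timestamps got the DB clock, not a baked-in date."""
    create_at, _ = rows["seeded-with-defaults"]
    ts = datetime.strptime(create_at, TS_FMT).replace(tzinfo=timezone.utc)
    return abs(datetime.now(timezone.utc) - ts) <= tolerance


if __name__ == "__main__":
    # Assumed authoring date of the seed file; anything after it is suspect.
    print("future literals:", future_timestamp_literals(SEED_SQL, datetime(2025, 10, 1)))
    rows = seed_and_read()
    print(rows)
    print("defaulted row uses DB clock:", defaulted_row_is_fresh(rows))
```

The literal row keeps exactly the dates it was given, which is the data-integrity problem the review describes, while the defaulted row carries the time the seed actually ran; the lint is the cheap guard to add to the migration check so a date that only looks plausible at authoring time does not end up in every fresh deployment.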
| template: PREBUILT_V2 | ||
| spec: | ||
| source: | ||
| image: minio/minio:RELEASE.2025-07-23T15-54-02Z |
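Review bot: the review summary flags non-existent image tags, and this pinned minio/minio tag is the one to verify: confirm it exists in the registry (a `docker pull` of exactly this reference is enough) before merging, since a template that references a missing tag fails at deploy time for every user. For a one-click template, pinning by digest in addition to the tag keeps the deployed image from changing underneath the tag later.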
| OAUTH2_ISSUER_URI: | ||
| default: ${CASDOOR_PUBLIC_URL} | ||
| OAUTH2_JWK_SET_URI: | ||
| default: http://${CASDOOR_HOST}:8000/.well-known/jwks |
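Review bot: whichever URL the key set is fetched from, OAUTH2_ISSUER_URI has to equal the `iss` claim Casdoor writes into its tokens byte for byte (scheme, host, port and any trailing slash), so ${CASDOOR_PUBLIC_URL} must be exactly the origin Casdoor is configured to advertise. Fetching the JWKS over plain HTTP from the internal host on the last line is only acceptable if that hop stays on a trusted service network: a tampered key set lets anyone mint tokens the resource server will accept.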
OAUTH2_JWK_SET_URI is configured with an internal HTTP URL (http://${CASDOOR_HOST}:8000/...), while OAUTH2_ISSUER_URI uses the public HTTPS URL (${CASDOOR_PUBLIC_URL}). This mismatch can cause token validation to fail because the issuer in the token won't match the domain serving the keys. To ensure correct validation, the JWKS URI should also use the public URL.
default: ${CASDOOR_PUBLIC_URL}/.well-known/jwks
Summary
Type of Change
Related Issue
Changes
Testing
Screenshots (if applicable)
Checklist