fix：dev环境

- Pin golang:1.24 base image to specific digest to prevent upstream cache invalidation
- Pin ubuntu:24.04 base image to specific digest to prevent upstream cache invalidation
- Add WORKER_API_KEY generation in install.sh auto_fill_docker_env_secrets function
- Generate random 32-character string for WORKER_API_KEY during installation
- Update installation info message to include WORKER_API_KEY in generated secrets list
- Improve build reproducibility and security by using immutable image references

VERSION

@@ -1 +1 @@
-v1.2.7-dev
+v1.2.9-dev

backend/apps/common/container_bootstrap.py

@@ -40,8 +40,14 @@ def fetch_config_and_setup_django():
     print(f"[CONFIG] 正在从配置中心获取配置: {config_url}")
     print(f"[CONFIG] IS_LOCAL={is_local}")
     try:
+        # 构建请求头（包含 Worker API Key）
+        headers = {}
+        worker_api_key = os.environ.get("WORKER_API_KEY", "")
+        if worker_api_key:
+            headers["X-Worker-API-Key"] = worker_api_key
+        
         # verify=False: 远程 Worker 通过 HTTPS 访问时可能使用自签名证书
-        resp = requests.get(config_url, timeout=10, verify=False)
+        resp = requests.get(config_url, headers=headers, timeout=10, verify=False)
         resp.raise_for_status()
         config = resp.json()
         

backend/apps/common/exception_handlers.py

@@ -0,0 +1,49 @@
+"""
+自定义异常处理器
+
+统一处理 DRF 异常，确保错误响应格式一致
+"""
+
+from rest_framework.views import exception_handler
+from rest_framework import status
+from rest_framework.exceptions import AuthenticationFailed, NotAuthenticated
+
+from apps.common.response_helpers import error_response
+from apps.common.error_codes import ErrorCodes
+
+
+def custom_exception_handler(exc, context):
+    """
+    自定义异常处理器
+    
+    处理认证相关异常，返回统一格式的错误响应
+    """
+    # 先调用 DRF 默认的异常处理器
+    response = exception_handler(exc, context)
+    
+    if response is not None:
+        # 处理 401 未认证错误
+        if response.status_code == status.HTTP_401_UNAUTHORIZED:
+            return error_response(
+                code=ErrorCodes.UNAUTHORIZED,
+                message='Authentication required',
+                status_code=status.HTTP_401_UNAUTHORIZED
+            )
+        
+        # 处理 403 权限不足错误
+        if response.status_code == status.HTTP_403_FORBIDDEN:
+            return error_response(
+                code=ErrorCodes.PERMISSION_DENIED,
+                message='Permission denied',
+                status_code=status.HTTP_403_FORBIDDEN
+            )
+    
+    # 处理 NotAuthenticated 和 AuthenticationFailed 异常
+    if isinstance(exc, (NotAuthenticated, AuthenticationFailed)):
+        return error_response(
+            code=ErrorCodes.UNAUTHORIZED,
+            message='Authentication required',
+            status_code=status.HTTP_401_UNAUTHORIZED
+        )
+    
+    return response

backend/apps/common/permissions.py

@@ -0,0 +1,80 @@
+"""
+集中式权限管理
+
+实现三类端点的认证逻辑：
+1. 公开端点（无需认证）：登录、登出、获取当前用户状态
+2. Worker 端点（API Key 认证）：注册、配置、心跳、回调、资源同步
+3. 业务端点（Session 认证）：其他所有 API
+"""
+
+import re
+import logging
+from django.conf import settings
+from rest_framework.permissions import BasePermission
+
+logger = logging.getLogger(__name__)
+
+# 公开端点白名单（无需任何认证）
+PUBLIC_ENDPOINTS = [
+    r'^/api/auth/login/$',
+    r'^/api/auth/logout/$',
+    r'^/api/auth/me/$',
+]
+
+# Worker API 端点（需要 API Key 认证）
+# 包括：注册、配置、心跳、回调、资源同步（字典下载）
+WORKER_ENDPOINTS = [
+    r'^/api/workers/register/$',
+    r'^/api/workers/config/$',
+    r'^/api/workers/\d+/heartbeat/$',
+    r'^/api/callbacks/',
+    # 资源同步端点（Worker 需要下载字典文件）
+    r'^/api/wordlists/download/$',
+    # 注意：指纹导出 API 使用 Session 认证（前端用户导出用）
+    # Worker 通过数据库直接获取指纹数据，不需要 HTTP API
+]
+
+
+class IsAuthenticatedOrPublic(BasePermission):
+    """
+    自定义权限类：
+    - 白名单内的端点公开访问
+    - Worker 端点需要 API Key 认证
+    - 其他端点需要 Session 认证
+    """
+    
+    def has_permission(self, request, view):
+        path = request.path
+        
+        # 检查是否在公开白名单内
+        for pattern in PUBLIC_ENDPOINTS:
+            if re.match(pattern, path):
+                return True
+        
+        # 检查是否是 Worker 端点
+        for pattern in WORKER_ENDPOINTS:
+            if re.match(pattern, path):
+                return self._check_worker_api_key(request)
+        
+        # 其他路径需要 Session 认证
+        return request.user and request.user.is_authenticated
+    
+    def _check_worker_api_key(self, request):
+        """验证 Worker API Key"""
+        api_key = request.headers.get('X-Worker-API-Key')
+        expected_key = getattr(settings, 'WORKER_API_KEY', None)
+        
+        if not expected_key:
+            # 未配置 API Key 时，拒绝所有 Worker 请求
+            logger.warning("WORKER_API_KEY 未配置，拒绝 Worker 请求")
+            return False
+        
+        if not api_key:
+            logger.warning(f"Worker 请求缺少 X-Worker-API-Key Header: {request.path}")
+            return False
+        
+        if api_key != expected_key:
+            logger.warning(f"Worker API Key 无效: {request.path}")
+            return False
+        
+        return True

backend/apps/common/urls.py

@@ -2,14 +2,18 @@
 通用模块 URL 配置
 
 路由说明：
+- /api/health/    健康检查接口（无需认证）
 - /api/auth/*     认证相关接口（登录、登出、用户信息）
 - /api/system/*   系统管理接口（日志查看等）
 """
 
 from django.urls import path
-from .views import LoginView, LogoutView, MeView, ChangePasswordView, SystemLogsView, SystemLogFilesView
+from .views import LoginView, LogoutView, MeView, ChangePasswordView, SystemLogsView, SystemLogFilesView, HealthCheckView
 
 urlpatterns = [
+    # 健康检查（无需认证）
+    path('health/', HealthCheckView.as_view(), name='health-check'),
+    
     # 认证相关
     path('auth/login/', LoginView.as_view(), name='auth-login'),
     path('auth/logout/', LogoutView.as_view(), name='auth-logout'),

backend/apps/common/views/__init__.py

@@ -2,11 +2,17 @@
 通用模块视图导出
 
 包含：
+- 健康检查视图：Docker 健康检查
 - 认证相关视图：登录、登出、用户信息、修改密码
 - 系统日志视图：实时日志查看
 """
 
+from .health_views import HealthCheckView
 from .auth_views import LoginView, LogoutView, MeView, ChangePasswordView
 from .system_log_views import SystemLogsView, SystemLogFilesView
 
-__all__ = ['LoginView', 'LogoutView', 'MeView', 'ChangePasswordView', 'SystemLogsView', 'SystemLogFilesView']
+__all__ = [
+    'HealthCheckView',
+    'LoginView', 'LogoutView', 'MeView', 'ChangePasswordView',
+    'SystemLogsView', 'SystemLogFilesView',
+]

backend/apps/common/views/auth_views.py

@@ -9,7 +9,7 @@ from django.utils.decorators import method_decorator
 from rest_framework import status
 from rest_framework.views import APIView
 from rest_framework.response import Response
-from rest_framework.permissions import AllowAny, IsAuthenticated
+from rest_framework.permissions import AllowAny
 
 from apps.common.response_helpers import success_response, error_response
 from apps.common.error_codes import ErrorCodes
@@ -134,30 +134,10 @@ class ChangePasswordView(APIView):
     修改密码
     POST /api/auth/change-password/
     """
-    authentication_classes = []  # 禁用认证（绕过 CSRF）
-    permission_classes = [AllowAny]  # 手动检查登录状态
     
     def post(self, request):
-        # 手动检查登录状态（从 session 获取用户）
-        from django.contrib.auth import get_user_model
-        User = get_user_model()
-        
-        user_id = request.session.get('_auth_user_id')
-        if not user_id:
-            return error_response(
-                code=ErrorCodes.UNAUTHORIZED,
-                message='Please login first',
-                status_code=status.HTTP_401_UNAUTHORIZED
-            )
-        
-        try:
-            user = User.objects.get(pk=user_id)
-        except User.DoesNotExist:
-            return error_response(
-                code=ErrorCodes.UNAUTHORIZED,
-                message='User does not exist',
-                status_code=status.HTTP_401_UNAUTHORIZED
-            )
+        # 使用全局权限类验证，request.user 已经是认证用户
+        user = request.user
         
         # CamelCaseParser 将 oldPassword -> old_password
         old_password = request.data.get('old_password')

backend/apps/common/views/health_views.py

@@ -0,0 +1,24 @@
+"""
+健康检查视图
+
+提供 Docker 健康检查端点，无需认证。
+"""
+
+from rest_framework.views import APIView
+from rest_framework.response import Response
+from rest_framework.permissions import AllowAny
+
+
+class HealthCheckView(APIView):
+    """
+    健康检查端点
+    
+    GET /api/health/
+    
+    返回服务状态，用于 Docker 健康检查。
+    此端点无需认证。
+    """
+    permission_classes = [AllowAny]
+    
+    def get(self, request):
+        return Response({'status': 'ok'})

backend/apps/common/views/system_log_views.py

@@ -9,7 +9,6 @@ import logging
 from django.utils.decorators import method_decorator
 from django.views.decorators.csrf import csrf_exempt
 from rest_framework import status
-from rest_framework.permissions import AllowAny
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
@@ -42,9 +41,6 @@ class SystemLogFilesView(APIView):
             ]
         }
     """
-    
-    authentication_classes = []
-    permission_classes = [AllowAny]
 
     def __init__(self, **kwargs):
         super().__init__(**kwargs)
@@ -80,15 +76,7 @@ class SystemLogsView(APIView):
         {
             "content": "日志内容字符串..."
         }
-        
-    Note:
-        - 当前为开发阶段，暂时允许匿名访问
-        - 生产环境应添加管理员权限验证
     """
-    
-    # TODO: 生产环境应改为 IsAdminUser 权限
-    authentication_classes = []
-    permission_classes = [AllowAny]
 
     def __init__(self, **kwargs):
         super().__init__(**kwargs)

backend/apps/common/websocket_auth.py

@@ -0,0 +1,44 @@
+"""
+WebSocket 认证基类
+
+提供需要认证的 WebSocket Consumer 基类
+"""
+
+import logging
+from channels.generic.websocket import AsyncWebsocketConsumer
+
+logger = logging.getLogger(__name__)
+
+
+class AuthenticatedWebsocketConsumer(AsyncWebsocketConsumer):
+    """
+    需要认证的 WebSocket Consumer 基类
+    
+    子类应该重写 on_connect() 方法实现具体的连接逻辑
+    """
+    
+    async def connect(self):
+        """
+        连接时验证用户认证状态
+        
+        未认证时使用 close(code=4001) 拒绝连接
+        """
+        user = self.scope.get('user')
+        
+        if not user or not user.is_authenticated:
+            logger.warning(
+                f"WebSocket 连接被拒绝：用户未认证 - Path: {self.scope.get('path')}"
+            )
+            await self.close(code=4001)
+            return
+        
+        # 调用子类的连接逻辑
+        await self.on_connect()
+    
+    async def on_connect(self):
+        """
+        子类实现具体的连接逻辑
+        
+        默认实现：接受连接
+        """
+        await self.accept()

backend/apps/engine/consumers/worker_deploy_consumer.py

@@ -6,17 +6,17 @@ import json
 import logging
 import asyncio
 import os
-from channels.generic.websocket import AsyncWebsocketConsumer
 from asgiref.sync import sync_to_async
 
 from django.conf import settings
 
+from apps.common.websocket_auth import AuthenticatedWebsocketConsumer
 from apps.engine.services import WorkerService
 
 logger = logging.getLogger(__name__)
 
 
-class WorkerDeployConsumer(AsyncWebsocketConsumer):
+class WorkerDeployConsumer(AuthenticatedWebsocketConsumer):
     """
     Worker 交互式终端 WebSocket Consumer
     
@@ -31,8 +31,8 @@ class WorkerDeployConsumer(AsyncWebsocketConsumer):
         self.read_task = None
         self.worker_service = WorkerService()
     
-    async def connect(self):
-        """连接时加入对应 Worker 的组并自动建立 SSH 连接"""
+    async def on_connect(self):
+        """连接时加入对应 Worker 的组并自动建立 SSH 连接（已通过认证）"""
         self.worker_id = self.scope['url_route']['kwargs']['worker_id']
         self.group_name = f'worker_deploy_{self.worker_id}'
         

backend/apps/engine/services/deploy_service.py

@@ -66,6 +66,7 @@ def get_start_agent_script(
     # 替换变量
     script = script.replace("{{HEARTBEAT_API_URL}}", heartbeat_api_url or '')
     script = script.replace("{{WORKER_ID}}", str(worker_id) if worker_id else '')
+    script = script.replace("{{WORKER_API_KEY}}", getattr(settings, 'WORKER_API_KEY', ''))
     
     # 注入镜像版本配置（确保远程节点使用相同版本）
     docker_user = getattr(settings, 'DOCKER_USER', 'yyhuni')

backend/apps/scan/flows/fingerprint_detect_flow.py

@@ -37,28 +37,24 @@ logger = logging.getLogger(__name__)
 
 def calculate_fingerprint_detect_timeout(
     url_count: int,
-    base_per_url: float = 3.0,
-    min_timeout: int = 60
+    base_per_url: float = 5.0,
+    min_timeout: int = 300
 ) -> int:
     """
     根据 URL 数量计算超时时间
     
     公式：超时时间 = URL 数量 × 每 URL 基础时间
-    最小值：60秒
+    最小值：300秒
     无上限
     
     Args:
         url_count: URL 数量
-        base_per_url: 每 URL 基础时间（秒），默认 3秒
-        min_timeout: 最小超时时间（秒），默认 60秒
+        base_per_url: 每 URL 基础时间（秒），默认 5秒
+        min_timeout: 最小超时时间（秒），默认 300秒
         
     Returns:
         int: 计算出的超时时间（秒）
         
-    示例：
-        100 URL × 3秒 = 300秒
-        1000 URL × 3秒 = 3000秒（50分钟）
-        10000 URL × 3秒 = 30000秒（8.3小时）
     """
     timeout = int(url_count * base_per_url)
     return max(min_timeout, timeout)

backend/apps/scan/notifications/consumers.py

@@ -5,12 +5,13 @@ WebSocket Consumer - 通知实时推送
 import json
 import logging
 import asyncio
-from channels.generic.websocket import AsyncWebsocketConsumer
+
+from apps.common.websocket_auth import AuthenticatedWebsocketConsumer
 
 logger = logging.getLogger(__name__)
 
 
-class NotificationConsumer(AsyncWebsocketConsumer):
+class NotificationConsumer(AuthenticatedWebsocketConsumer):
     """
     通知 WebSocket Consumer
     
@@ -23,9 +24,9 @@ class NotificationConsumer(AsyncWebsocketConsumer):
         super().__init__(*args, **kwargs)
         self.heartbeat_task = None  # 心跳任务
     
-    async def connect(self):
+    async def on_connect(self):
         """
-        客户端连接时调用
+        客户端连接时调用（已通过认证）
         加入通知广播组
         """
         # 通知组名（所有客户端共享）

backend/apps/scan/notifications/services.py

@@ -305,6 +305,7 @@ def _push_via_api_callback(notification: Notification, server_url: str) -> None:
     通过 HTTP 请求 Server 容器的 /api/callbacks/notification/ 接口。
     Worker 无法直接访问 Redis，需要由 Server 代为推送 WebSocket。
     """
+    import os
     import requests
     
     try:
@@ -318,8 +319,14 @@ def _push_via_api_callback(notification: Notification, server_url: str) -> None:
             'created_at': notification.created_at.isoformat()
         }
         
+        # 构建请求头（包含 Worker API Key）
+        headers = {'Content-Type': 'application/json'}
+        worker_api_key = os.environ.get("WORKER_API_KEY", "")
+        if worker_api_key:
+            headers["X-Worker-API-Key"] = worker_api_key
+        
         # verify=False: 远程 Worker 回调 Server 时可能使用自签名证书
-        resp = requests.post(callback_url, json=data, timeout=5, verify=False)
+        resp = requests.post(callback_url, json=data, headers=headers, timeout=5, verify=False)
         resp.raise_for_status()
         
         logger.debug(f"通知回调推送成功 - ID: {notification.id}")

backend/apps/scan/notifications/views.py

@@ -7,8 +7,7 @@ from typing import Any
 from django.http import JsonResponse
 from django.utils import timezone
 from rest_framework import status
-from rest_framework.decorators import api_view, permission_classes
-from rest_framework.permissions import AllowAny
+from rest_framework.decorators import api_view
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
@@ -198,12 +197,13 @@ class NotificationSettingsView(APIView):
 # ============================================
 
 @api_view(['POST'])
-@permission_classes([AllowAny])  # Worker 容器无认证，可考虑添加 Token 验证
+# 权限由全局 IsAuthenticatedOrPublic 处理，/api/callbacks/* 需要 Worker API Key 认证
 def notification_callback(request):
     """
     接收 Worker 的通知推送请求
     
     Worker 容器无法直接访问 Redis，通过此 API 回调让 Server 推送 WebSocket。
+    需要 Worker API Key 认证（X-Worker-API-Key Header）。
     
     POST /api/callbacks/notification/
     {

backend/apps/scan/utils/wordlist_helpers.py

@@ -96,7 +96,13 @@ def ensure_wordlist_local(wordlist_name: str) -> str:
         ssl_context.check_hostname = False
         ssl_context.verify_mode = ssl.CERT_NONE
         
-        with urllib_request.urlopen(download_url, context=ssl_context) as resp:
+        # 创建带 API Key 的请求
+        req = urllib_request.Request(download_url)
+        worker_api_key = os.getenv('WORKER_API_KEY', '')
+        if worker_api_key:
+            req.add_header('X-Worker-API-Key', worker_api_key)
+        
+        with urllib_request.urlopen(req, context=ssl_context) as resp:
             if resp.status != 200:
                 raise RuntimeError(f"下载字典失败，HTTP {resp.status}")
             data = resp.read()

backend/config/settings.py

@@ -177,6 +177,10 @@ STATIC_URL = 'static/'
 
 DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'
 
+# ==================== Worker API Key 配置 ====================
+# Worker 节点认证密钥（从环境变量读取）
+WORKER_API_KEY = os.environ.get('WORKER_API_KEY', '')
+
 # ==================== REST Framework 配置 ====================
 REST_FRAMEWORK = {
     'DEFAULT_PAGINATION_CLASS': 'apps.common.pagination.BasePagination',  # 使用基础分页器
@@ -186,6 +190,14 @@ REST_FRAMEWORK = {
         'apps.common.authentication.CsrfExemptSessionAuthentication',
     ],
     
+    # 全局权限配置：默认需要认证，公开端点和 Worker 端点在权限类中单独处理
+    'DEFAULT_PERMISSION_CLASSES': [
+        'apps.common.permissions.IsAuthenticatedOrPublic',
+    ],
+    
+    # 自定义异常处理器：统一 401/403 错误响应格式
+    'EXCEPTION_HANDLER': 'apps.common.exception_handlers.custom_exception_handler',
+    
     # JSON 命名格式转换：后端 snake_case ↔ 前端 camelCase
     'DEFAULT_RENDERER_CLASSES': (
         'djangorestframework_camel_case.render.CamelCaseJSONRenderer',  # 响应数据转换为 camelCase

backend/config/urls.py

@@ -16,7 +16,6 @@ Including another URLconf
 """
 from django.contrib import admin
 from django.urls import path, include
-from rest_framework import permissions
 from drf_yasg.views import get_schema_view
 from drf_yasg import openapi
 
@@ -30,7 +29,6 @@ schema_view = get_schema_view(
       description="Web 应用侦察工具 API 文档",
    ),
    public=True,
-   permission_classes=(permissions.AllowAny,),
 )
 
 urlpatterns = [

backend/scripts/worker-deploy/agent.sh

@@ -95,6 +95,7 @@ EOF
     
     RESPONSE=$(curl -k -s -X POST \
         -H "Content-Type: application/json" \
+        -H "X-Worker-API-Key: ${WORKER_API_KEY}" \
         -d "$REGISTER_DATA" \
         "${API_URL}/api/workers/register/" 2>/dev/null)
     
@@ -116,7 +117,7 @@ if [ -z "$WORKER_ID" ]; then
     # 等待 Server 就绪
     log "等待 Server 就绪..."
     for i in $(seq 1 30); do
-        if curl -k -s "${API_URL}/api/" > /dev/null 2>&1; then
+        if curl -k -s -H "X-Worker-API-Key: ${WORKER_API_KEY}" "${API_URL}/api/workers/config/?is_local=${IS_LOCAL}" > /dev/null 2>&1; then
             log "${GREEN}Server 已就绪${NC}"
             break
         fi
@@ -189,6 +190,7 @@ EOF
     RESPONSE_FILE=$(mktemp)
     HTTP_CODE=$(curl -k -s -o "$RESPONSE_FILE" -w "%{http_code}" -X POST \
         -H "Content-Type: application/json" \
+        -H "X-Worker-API-Key: ${WORKER_API_KEY}" \
         -d "$JSON_DATA" \
         "${API_URL}/api/workers/${WORKER_ID}/heartbeat/" 2>/dev/null || echo "000")
     RESPONSE_BODY=$(cat "$RESPONSE_FILE" 2>/dev/null)

backend/scripts/worker-deploy/start-agent.sh

@@ -30,6 +30,7 @@ IMAGE="${DOCKER_USER}/xingrin-agent:${IMAGE_TAG}"
 # 预设变量（远程部署时由 deploy_service.py 替换）
 PRESET_SERVER_URL="{{HEARTBEAT_API_URL}}"
 PRESET_WORKER_ID="{{WORKER_ID}}"
+PRESET_API_KEY="{{WORKER_API_KEY}}"
 
 # 颜色定义
 GREEN='\033[0;32m'
@@ -68,6 +69,7 @@ start_agent() {
         -e SERVER_URL="${PRESET_SERVER_URL}" \
         -e WORKER_ID="${PRESET_WORKER_ID}" \
         -e IMAGE_TAG="${IMAGE_TAG}" \
+        -e WORKER_API_KEY="${PRESET_API_KEY}" \
         -v /proc:/host/proc:ro \
         ${IMAGE}
     

docker/.env.example

@@ -50,6 +50,12 @@ LOG_LEVEL=INFO
 # 是否记录命令执行日志（大量扫描时会增加磁盘占用）
 ENABLE_COMMAND_LOGGING=true
 
+# ==================== Worker API Key 配置 ====================
+# Worker 节点认证密钥（用于 Worker 与主服务器之间的 API 认证）
+# 生产环境务必更换为随机强密钥（建议 32 位以上随机字符串）
+# 生成方法: openssl rand -hex 32
+WORKER_API_KEY=change-me-to-a-secure-random-key
+
 # ==================== Docker Hub 配置（生产模式） ====================
 # 生产模式下从 Docker Hub 拉取镜像时使用
 DOCKER_USER=yyhuni

docker/docker-compose.dev.yml

@@ -47,7 +47,8 @@ services:
       - /opt/xingrin:/opt/xingrin
       - /var/run/docker.sock:/var/run/docker.sock
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:8888/api/"]
+      # 使用专门的健康检查端点（无需认证）
+      test: ["CMD", "curl", "-f", "http://localhost:8888/api/health/"]
       interval: 30s
       timeout: 10s
       retries: 3
@@ -66,6 +67,7 @@ services:
       - WORKER_NAME=本地节点
       - IS_LOCAL=true
       - IMAGE_TAG=${IMAGE_TAG:-dev}
+      - WORKER_API_KEY=${WORKER_API_KEY}
     depends_on:
       server:
         condition: service_healthy

docker/docker-compose.yml

@@ -50,7 +50,8 @@ services:
       # Docker Socket 挂载：允许 Django 服务器执行本地 docker 命令（用于本地 Worker 任务分发）
       - /var/run/docker.sock:/var/run/docker.sock
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:8888/api/"]
+      # 使用专门的健康检查端点（无需认证）
+      test: ["CMD", "curl", "-f", "http://localhost:8888/api/health/"]
       interval: 30s
       timeout: 10s
       retries: 3
@@ -70,6 +71,7 @@ services:
       - WORKER_NAME=本地节点
       - IS_LOCAL=true
       - IMAGE_TAG=${IMAGE_TAG}
+      - WORKER_API_KEY=${WORKER_API_KEY}
     depends_on:
       server:
         condition: service_healthy

docker/worker/Dockerfile

@@ -1,5 +1,6 @@
 # 第一阶段：使用 Go 官方镜像编译工具
-FROM golang:1.24 AS go-builder
+# 锁定 digest 避免上游更新导致缓存失效
+FROM golang:1.24@sha256:7e050c14ae9ca5ae56408a288336545b18632f51402ab0ec8e7be0e649a1fc42 AS go-builder
 
 ENV GOPROXY=https://goproxy.cn,direct
 # Naabu 需要 CGO 和 libpcap
@@ -36,7 +37,8 @@ RUN CGO_ENABLED=0 go install -v github.com/owasp-amass/amass/v5/cmd/amass@main
 RUN go install github.com/hahwul/dalfox/v2@latest
 
 # 第二阶段：运行时镜像
-FROM ubuntu:24.04
+# 锁定 digest 避免上游更新导致缓存失效
+FROM ubuntu:24.04@sha256:4fdf0125919d24aec972544669dcd7d6a26a8ad7e6561c73d5549bd6db258ac2
 
 # 避免交互式提示
 ENV DEBIAN_FRONTEND=noninteractive

frontend/lib/api-client.ts

@@ -136,6 +136,20 @@ apiClient.interceptors.response.use(
       }
     }
 
+    // Handle 401 Unauthorized: redirect to login page
+    if (axios.isAxiosError(error) && error.response?.status === 401) {
+      const url = error.config?.url || '';
+      // Exclude auth-related APIs to avoid redirect loops
+      const isAuthApi = url.includes('/auth/login') || 
+                        url.includes('/auth/logout') || 
+                        url.includes('/auth/me');
+      
+      if (!isAuthApi && typeof window !== 'undefined') {
+        // Clear any cached state and redirect to login
+        window.location.href = '/login';
+      }
+    }
+
     return Promise.reject(error);
   }
 );

install.sh

@@ -198,11 +198,13 @@ generate_self_signed_cert() {
 # 自动为 docker/.env 填充敏感变量
 auto_fill_docker_env_secrets() {
     local env_file="$1"
-    info "自动生成 DJANGO_SECRET_KEY 和 DB_PASSWORD..."
+    info "自动生成 DJANGO_SECRET_KEY、DB_PASSWORD 和 WORKER_API_KEY..."
     GENERATED_DJANGO_KEY="$(generate_random_string 64)"
     GENERATED_DB_PASSWORD="$(generate_random_string 32)"
+    GENERATED_WORKER_API_KEY="$(generate_random_string 32)"
     update_env_var "$env_file" "DJANGO_SECRET_KEY" "$GENERATED_DJANGO_KEY"
     update_env_var "$env_file" "DB_PASSWORD" "$GENERATED_DB_PASSWORD"
+    update_env_var "$env_file" "WORKER_API_KEY" "$GENERATED_WORKER_API_KEY"
     success "密钥生成完成"
 }