mirror of
https://github.com/dreamhunter2333/cloudflare_temp_email.git
synced 2026-05-18 05:27:36 +08:00
* feat(admin): add IP whitelist (strict allowlist mode) (#920)

  - Add enableWhitelist/whitelist fields to IpBlacklistSettings
  - Implement three-layer access control: whitelist → blacklist → daily limit
  - Whitelist uses exact match for IPv4/IPv6, regex for patterns
  - Whitelisted IPs skip blacklist checks (trusted)
  - Fail-closed when cf-connecting-ip missing under whitelist mode
  - Frontend: independent whitelist toggle + empty list protection
  - Backend: backward compatible (old frontends get defaults)
  - E2E tests: config validation + runtime behavior
  - Docs: CHANGELOG zh/en updated

  Closes #920

* fix(admin): address PR review feedback on IP whitelist

  - Add IPv4-mapped IPv6 (::ffff:x.x.x.x) exact match in isWhitelisted
  - Include error.message in whitelist regex parse failure log
  - Include actual/max size in whitelist size limit error message

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(admin): validate whitelist regex on save and preserve existing whitelist on partial update

  - Reject invalid regex patterns in whitelist at save time to prevent runtime lockout
  - Preserve existing enableWhitelist/whitelist from DB when older clients omit these fields

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(admin): revert P2 - keep simple ?? defaults for backward compat

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(admin): validate whitelist elements are strings before trimming

  Prevents 500 error when whitelist contains non-string elements (e.g. numbers, null)

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs(admin): add IP blacklist/whitelist documentation (zh + en)

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(admin): fix fingerprint blacklist bypass when cf-connecting-ip absent, improve e2e tests

  - Split checkBlacklist into checkFingerprintBlacklist (IP-independent) and checkIpAsnBlacklist
  - Fingerprint check now runs before the !reqIp early-return to prevent bypass
  - Add afterEach reset to config test group, extract RESET_SETTINGS constant
  - Strengthen whitelist-blocks test to deterministic 403 assertion
  - Add e2e tests: invalid regex rejection, non-string element rejection, fingerprint-blocks-without-IP

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(admin): suppress no-useless-escape lint warning in whitelist regex check

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
1.9 KiB
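Admin Console
Note
You must configure ADMIN_PASSWORDS or ADMIN_USER_ROLE to access the admin console. ADMIN_USER_ROLE is the admin role setting: a user whose role equals ADMIN_USER_ROLE can access the admin console.
After deploying the frontend application, click the logo in the top-left corner 5 times or visit the /admin path to enter the admin console.
ADMIN_PASSWORDS must be configured in the backend, or the current user's role must be ADMIN_USER_ROLE; otherwise access to the console is not allowed.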
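Account List Sorting
The Accounts tab of the admin console supports sorting by column. Click a column header to sort the following columns in ascending or descending order:
- ID
- Name
- Created at
- Updated at
- Mail count
- Send count
When you search for an email address, pagination automatically resets to page 1.
If your site is only privately accessible, you can disable the check with this setting: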
DISABLE_ADMIN_PASSWORD_CHECK = true
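IP Blacklist / Whitelist
On the Admin console → IP Blacklist Settings page you can configure access control. It applies to the following endpoints: create email address, send mail, external send-mail API, user registration, and verification code check.
IP Whitelist (strict mode)
When enabled, only IPs that match the whitelist can access the protected endpoints; all other IPs receive 403.
- Plain-text entries: exact match (substrings are not supported), for example 1.2.3.4
- Regex entries: use an anchored regex, for example ^192\.168\.1\.\d+$
- IPs that match the whitelist skip the blacklist check
- When the whitelist is enabled but the list is empty, the server ignores the switch (to prevent lockout)
IP Blacklist
When enabled, IPs that match the blacklist receive 403. Supports text substring matching or regular expressions.
ASN Organization Blacklist
Blocks by carrier/ISP. Matching is case-insensitive and supports text matching or regex.
Browser Fingerprint Blacklist
Blocks by the x-fingerprint request header. Supports exact match or regex.
Daily Request Limit
Limits the maximum number of requests a single IP can make per day (1–1,000,000); requests over the limit receive 429. Counting is per UTC date and resets automatically after 24 hours.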
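The whitelist → blacklist → daily limit order described above, as an added example that is not the project's own code: it shows why allowlist entries need exact or anchored matching while denylist entries can use substrings. `enableWhitelist` and `whitelist` are named in the commit message; `enableBlacklist`, `blacklist`, `dailyLimit`, the function names and the rule for recognising a regex entry are assumptions.

```typescript
// Added example, not the project's code. enableBlacklist, blacklist and
// dailyLimit are hypothetical field names.
type Settings = {
  enableWhitelist: boolean;
  whitelist: string[];
  enableBlacklist: boolean;
  blacklist: string[];
  dailyLimit: number; // 0 = no limit (assumption)
};

// Assumption: an entry counts as a regex when it is anchored with ^ or $.
function isPattern(entry: string): boolean {
  return /^\^|\$$/.test(entry);
}

function matches(ip: string, entry: string, exact: boolean): boolean {
  if (isPattern(entry)) {
    try {
      return new RegExp(entry).test(ip);
    } catch (e) {
      return false; // an unparsable pattern never matches
    }
  }
  // Allowlist: whole-string equality. Denylist: substring, as the page describes.
  return exact ? ip === entry : ip.indexOf(entry) !== -1;
}

// Returns the HTTP status a protected endpoint would answer with.
// usedToday = requests already counted for this IP in the current UTC day.
function decide(ip: string | null, s: Settings, usedToday: number): number {
  // An enabled but empty whitelist is ignored so nobody gets locked out.
  const strict = s.enableWhitelist && s.whitelist.length > 0;
  // No client IP: fail closed in strict mode; otherwise the IP layers cannot apply.
  if (!ip) return strict ? 403 : 200;
  const addr: string = ip;
  const v4 = addr.replace(/^::ffff:/i, ""); // IPv4-mapped IPv6 form
  const trusted = strict &&
    s.whitelist.some((e) => matches(addr, e, true) || matches(v4, e, true));
  if (strict && !trusted) return 403;
  // Whitelisted IPs are trusted and skip the blacklist layer.
  if (!trusted && s.enableBlacklist &&
      s.blacklist.some((e) => matches(addr, e, false))) return 403;
  if (s.dailyLimit > 0 && usedToday >= s.dailyLimit) return 429;
  return 200;
}
```

With the whitelist entry `1.2.3.4`, the address `11.2.3.45` contains that text but is rejected, which is the case substring matching on an allowlist would get wrong.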
