修复token缺失bug

scripts/deploy.sh

@@ -18,12 +18,30 @@ else
   exit 1
 fi
 
-if [ ! -f .env.local ]; then
+if command -v node >/dev/null 2>&1; then
+  node scripts/ensure-deploy-env.mjs "$ROOT_DIR"
+elif [ ! -f .env.local ]; then
   cp .env.example .env.local
   echo "[deploy] Created .env.local from .env.example"
   echo "[deploy] Real generation requires API keys in .env.local. Empty keys keep mock/local flows available."
 fi
 
+if ! grep -q '^ZHINIAN_INTERNAL_WORKER_TOKEN=' .env.local || grep -q '^ZHINIAN_INTERNAL_WORKER_TOKEN=$\|^ZHINIAN_INTERNAL_WORKER_TOKEN=change-me-worker-token$' .env.local; then
+  if command -v openssl >/dev/null 2>&1; then
+    WORKER_TOKEN="$(openssl rand -hex 32)"
+    if grep -q '^ZHINIAN_INTERNAL_WORKER_TOKEN=' .env.local; then
+      sed -i.bak "s/^ZHINIAN_INTERNAL_WORKER_TOKEN=.*/ZHINIAN_INTERNAL_WORKER_TOKEN=${WORKER_TOKEN}/" .env.local
+      rm -f .env.local.bak
+    else
+      printf '\nZHINIAN_INTERNAL_WORKER_TOKEN=%s\n' "$WORKER_TOKEN" >> .env.local
+    fi
+    echo "[deploy] Added ZHINIAN_INTERNAL_WORKER_TOKEN to .env.local"
+  else
+    echo "[deploy] ZHINIAN_INTERNAL_WORKER_TOKEN is required in .env.local, and openssl was not found to generate one."
+    exit 1
+  fi
+fi
+
 mkdir -p .runtime/data .runtime/uploads .runtime/generated-results
 
 if [ -z "${APP_PORT:-}" ] && [ -f .env.local ]; then

scripts/ensure-deploy-env.mjs

@@ -0,0 +1,44 @@
+#!/usr/bin/env node
+
+import { randomBytes } from "node:crypto";
+import { copyFileSync, existsSync, readFileSync, writeFileSync } from "node:fs";
+import { join, resolve } from "node:path";
+
+const rootDir = resolve(process.argv[2] || process.cwd());
+const envPath = join(rootDir, ".env.local");
+const examplePath = join(rootDir, ".env.example");
+
+if (!existsSync(envPath)) {
+  if (!existsSync(examplePath)) {
+    console.error("[deploy] .env.local was not found and .env.example is missing.");
+    process.exit(1);
+  }
+  copyFileSync(examplePath, envPath);
+  console.log("[deploy] Created .env.local from .env.example");
+  console.log("[deploy] Real generation requires API keys in .env.local. Empty keys keep mock/local flows available.");
+}
+
+let envText = readFileSync(envPath, "utf8");
+const token = readEnvValue(envText, "ZHINIAN_INTERNAL_WORKER_TOKEN");
+
+if (!token || token === "change-me-worker-token") {
+  envText = setEnvValue(envText, "ZHINIAN_INTERNAL_WORKER_TOKEN", randomBytes(32).toString("hex"));
+  writeFileSync(envPath, envText);
+  console.log("[deploy] Added ZHINIAN_INTERNAL_WORKER_TOKEN to .env.local");
+}
+
+function readEnvValue(text, name) {
+  const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  const match = text.match(new RegExp(`^${escaped}=(.*)$`, "m"));
+  return match?.[1]?.trim().replace(/^['"]|['"]$/g, "") || "";
+}
+
+function setEnvValue(text, name, value) {
+  const line = `${name}=${value}`;
+  const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  if (new RegExp(`^${escaped}=`, "m").test(text)) {
+    return text.replace(new RegExp(`^${escaped}=.*$`, "m"), line);
+  }
+  const suffix = text.endsWith("\n") ? "" : "\n";
+  return `${text}${suffix}${line}\n`;
+}

scripts/worker.mjs

@@ -1,12 +1,17 @@
 #!/usr/bin/env node
 
 const baseUrl = (process.env.ZHINIAN_WORKER_BASE_URL || process.env.NEXT_PUBLIC_APP_URL || "http://127.0.0.1:3000").replace(/\/$/, "");
-const token = process.env.ZHINIAN_INTERNAL_WORKER_TOKEN || "";
+const token = (process.env.ZHINIAN_INTERNAL_WORKER_TOKEN || "").trim();
 const intervalMs = positiveInt(process.env.ZHINIAN_WORKER_INTERVAL_MS, 5000);
 const limit = positiveInt(process.env.ZHINIAN_WORKER_BATCH_SIZE, 3);
 const once = process.argv.includes("--once");
 const workerId = process.env.ZHINIAN_WORKER_ID || `worker-${Math.random().toString(16).slice(2)}`;
 
+if (process.env.NODE_ENV === "production" && !token) {
+  console.error("[zhinian-worker] ZHINIAN_INTERNAL_WORKER_TOKEN is required in production. Set the same value for zhinian-aigc and zhinian-worker.");
+  process.exit(1);
+}
+
 async function tick() {
   const response = await fetch(`${baseUrl}/api/internal/worker/tick`, {
     method: "POST",

tests/deploy-env.test.ts

@@ -0,0 +1,29 @@
+import { mkdtemp, readFile, rm, writeFile } from "node:fs/promises";
+import { execFile } from "node:child_process";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { promisify } from "node:util";
+import { describe, expect, it } from "vitest";
+
+const execFileAsync = promisify(execFile);
+
+describe("deployment environment preparation", () => {
+  it("adds a strong internal worker token when .env.local does not define one", async () => {
+    const dir = await mkdtemp(join(tmpdir(), "zhinian-deploy-env-"));
+    try {
+      await writeFile(join(dir, ".env.example"), "APP_PORT=3000\nZHINIAN_INTERNAL_WORKER_TOKEN=change-me-worker-token\n");
+      await writeFile(join(dir, ".env.local"), "APP_PORT=3001\n");
+
+      const { stdout } = await execFileAsync(process.execPath, ["scripts/ensure-deploy-env.mjs", dir], {
+        cwd: new URL("../", import.meta.url)
+      });
+      const envLocal = await readFile(join(dir, ".env.local"), "utf8");
+
+      expect(stdout).toContain("Added ZHINIAN_INTERNAL_WORKER_TOKEN");
+      expect(envLocal).toMatch(/^ZHINIAN_INTERNAL_WORKER_TOKEN=[a-f0-9]{64}$/m);
+      expect(envLocal).toContain("APP_PORT=3001");
+    } finally {
+      await rm(dir, { force: true, recursive: true });
+    }
+  });
+});

tests/worker-script.test.ts

@@ -0,0 +1,24 @@
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+import { fileURLToPath } from "node:url";
+import { describe, expect, it } from "vitest";
+
+const execFileAsync = promisify(execFile);
+const rootDir = fileURLToPath(new URL("../", import.meta.url));
+
+describe("worker script configuration", () => {
+  it("fails fast in production when the internal worker token is missing", async () => {
+    await expect(execFileAsync(process.execPath, ["scripts/worker.mjs", "--once"], {
+      cwd: rootDir,
+      env: {
+        ...process.env,
+        NODE_ENV: "production",
+        ZHINIAN_INTERNAL_WORKER_TOKEN: "",
+        ZHINIAN_WORKER_BASE_URL: "http://127.0.0.1:9"
+      }
+    })).rejects.toMatchObject({
+      code: 1,
+      stderr: expect.stringContaining("ZHINIAN_INTERNAL_WORKER_TOKEN is required")
+    });
+  });
+});