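# Non-functional requirements register. Each item records a status, the
# observed current state, evidence as file:line references, and constraints.
# NOTE(review): the nesting below was reconstructed from a flattened listing
# (indentation was lost); confirm it against the repository copy.
version: 1
id: nfr
title: Non-Functional Requirements
sources:
  project_md:
    path: openspec/project.md
    lines: "67-70"
  middleware:
    - api/middlewares/index.ts
  database:
    - api/database/index.ts

security:
  # Plaintext credentials at rest: anyone able to read the SQLite file, or a
  # backup or export of it, obtains every user's password.
  password_handling:
    status: not_compliant
    current_state:
      storage: "明文存储在 users.password(SQLite)"
      transmission: "前后端请求体中直接传输 password 字段"
    evidence:
      - api/models/user.ts:18
      - api/controllers/userController.ts:81
      - openspec/project.md:69
    required_state:
      # Moving to a password hash also needs a plan for rows already stored in
      # plaintext (rehash in a migration, or force a reset); none is recorded.
      storage: "使用强哈希算法存储(例如 bcrypt/scrypt/argon2),不存明文"
      # NOTE(review): no transport requirement is stated. The password travels
      # in the request body, so confirm TLS is required for all API traffic.
      transmission: "避免回传密码;日志与导出不得包含敏感字段"
    constraints:
      - "当前实现未满足 required_state,属于待整改项"

  # Highest-impact gap in this file: per the constraint below, admin routes
  # have no server-side access control, so anything that relies on being
  # "admin only" (such as the admin data export noted under compliance) is
  # effectively unenforced until this is remediated.
  admin_authentication:
    status: not_compliant
    current_state:
      admin_login_token: "固定值 admin-token"
      route_guard: "adminAuth 中间件放行"
    evidence:
      - api/controllers/adminController.ts:1
      - api/middlewares/index.ts:57
      - openspec/project.md:68
    required_state:
      # Enforcement has to live in the server-side adminAuth middleware, not
      # only in the frontend. If JWTs are used: verify signature and expiry,
      # allow-list the algorithm, and keep the signing key out of the repo.
      token_validation: "生产环境需实现真实鉴权(例如 JWT 校验)并在前后端一致落地"
    constraints:
      - "当前管理接口在后端层面不具备访问控制"

  logging_sensitivity:
    status: partial
    current_state:
      # NOTE(review): `path` can carry secrets if tokens or identifiers are
      # ever passed in the URL; confirm whether the logged path includes the
      # query string.
      request_logging: "记录 method/path/statusCode/duration"
    evidence:
      - api/middlewares/index.ts:65
    constraints:
      - "应避免在日志中输出密码、token、导出数据等敏感信息(当前需持续自查)"

reliability:
  # Initialization is all-or-nothing on the users table; a partially created
  # schema is not repaired (see the constraint).
  database_initialization:
    status: implemented
    behavior: "仅当 users 表不存在时执行 init.sql"
    evidence:
      - api/database/index.ts:109
    constraints:
      - "若数据库存在但缺少部分表/列(例如用户组、selection_config),当前不会自动迁移"

performance:
  # 10485760 bytes = 10 MiB for both limits. These caps bound per-request
  # resource use; if a reverse proxy sits in front of the API, keep its body
  # limit consistent with these values.
  limits:
    request_body_max_bytes:
      status: implemented
      value: 10485760
      evidence:
        - api/server.ts:30
    upload_max_bytes:
      status: implemented
      value: 10485760
      evidence:
        - api/middlewares/index.ts:7
  # NOTE(review): placed as a sibling of `limits`; confirm original nesting.
  database_characteristics:
    status: implemented
    notes: "SQLite 适合单机/轻量;并发与事务能力有限。"
    evidence:
      - openspec/project.md:70

compliance:
  data_minimization:
    status: partial
    # NOTE(review): users.password is also stored (see
    # security.password_handling) but is not listed here; confirm whether this
    # inventory is meant to be complete.
    stored_personal_data:
      - field: users.name
      - field: users.phone
    constraints:
      - "当前未见用户数据保留期限/删除流程的实现"
  gdpr_like_rights:
    status: not_implemented
    requirements:
      - "数据导出:提供用户个人数据导出能力(当前仅管理员数据导出,且范围为业务数据)"
      - "数据删除:支持按合规要求删除用户数据并处理关联记录"
    constraints:
      - "以上为合规目标要求;当前代码中未实现对应流程"

operability:
  configuration:
    status: implemented
    # NOTE(review): if secrets are held in dotenv files or the system_configs
    # table, confirm they are excluded from version control and from exports.
    mechanism: "dotenv + system_configs 表"
    evidence:
      - openspec/project.md:25
      - api/models/systemConfig.ts:1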