Add local-only web setup editor for external config #17
pilgrimage233 merged 3 commits into development from
Conversation
Co-authored-by: pilgrimage233 <70379307+pilgrimage233@users.noreply.github.com>
Pull request overview
This PR introduces a local-only web-based “setup wizard” to read/edit externalized configuration files under the config/ directory during initial startup, aiming to simplify first-time deployment configuration.
Changes:
- Added setup.html UI for editing application.yml and application-druid.yml via HTTP.
- Added anonymous /setup/config GET/POST endpoints with a "local-only by default" access guard and YAML validation.
- Added setup.allow-remote configuration flag and startup log/README guidance for the setup entrypoint.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| endless-admin/src/main/resources/static/setup.html | Provides a browser UI to load/save external config via /setup/config. |
| endless-admin/src/main/resources/application.yml | Adds setup.allow-remote flag (default false). |
| endless-admin/src/main/java/cc/endmc/web/controller/setup/SetupConfigController.java | Implements anonymous config read/write API with local-only gating and YAML parsing. |
| endless-admin/src/main/java/cc/endmc/EndlessApplication.java | Logs the setup wizard URL after startup. |
| README.md | Documents the setup wizard entry URL and remote access flag. |
```javascript
saveBtn.disabled = true;
reloadBtn.disabled = true;
try {
    const response = await fetch(`/setup/config?file=${encodeURIComponent(file)}`);
```

The fetch here uses an absolute path starting with "/" (/setup/config). When the application is configured with server.servlet.context-path (a non-root path), the request goes to the domain root instead of the current application context, so loading/saving fails. Suggest changing to a relative path (e.g. setup/config) or building a URL that includes the context-path from window.location.

Suggested change:

```javascript
- const response = await fetch(`/setup/config?file=${encodeURIComponent(file)}`);
+ const response = await fetch(`setup/config?file=${encodeURIComponent(file)}`);
```
```javascript
const saveConfig = async () => {
    const file = fileSelect.value;
    setStatus('Saving configuration...', '');
    saveBtn.disabled = true;
    try {
        const response = await fetch(`/setup/config?file=${encodeURIComponent(file)}`, {
            method: 'POST',
            headers: {
                'Content-Type': 'text/plain; charset=utf-8'
            },
            body: contentArea.value
        });
```

The save endpoint likewise uses the absolute path /setup/config, which points to the wrong address when server.servlet.context-path is configured. Suggest keeping it consistent with the load endpoint: use a relative path, or build it dynamically from the current page context.
```java
private boolean isRequestAllowed(HttpServletRequest request)
{
    return allowRemote || isLocalAddress(request.getRemoteAddr());
}
```

isRequestAllowed relies only on a loopback check of request.getRemoteAddr(). In a reverse-proxy deployment (Nginx/Traefik) where the proxy and the application run on the same host, the remoteAddr of external requests may always be 127.0.0.1/::1, which bypasses the "local access only" restriction. In addition, when the global CORS configuration allows any Origin, a browser can issue a cross-site POST to localhost, which is a CSRF risk. Suggest, when allow-remote=false: detect and reject requests carrying Forwarded/X-Forwarded-* headers, and add a one-time token/password check for the save operation, or explicitly restrict Origin / disable CORS for /setup/**.
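One way to implement the two checks raised above, as an added example rather than the project's own code. The class name SetupRequestGuard, the method isSaveAllowed and the header-map abstraction are assumptions: the request is modelled as a remote address plus a header map so the class runs without a servlet container; in SetupConfigController the same values come from HttpServletRequest.getRemoteAddr() and getHeader(). Proxy headers are treated as proof that the loopback peer is a proxy, not the operator's browser, and the POST path additionally requires a loopback Origin (falling back to Referer), which a cross-site page cannot forge even when CORS is wide open.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.List;
import java.util.Map;

/** Added example, not the project's code: stricter gating for /setup/config. */
public final class SetupRequestGuard {

    /** Any of these headers means a reverse proxy, not the browser, is the TCP peer. */
    private static final List<String> PROXY_HEADERS = List.of(
            "Forwarded", "X-Forwarded-For", "X-Forwarded-Host",
            "X-Forwarded-Proto", "X-Real-IP");

    private final boolean allowRemote; // mirrors setup.allow-remote

    public SetupRequestGuard(boolean allowRemote) {
        this.allowRemote = allowRemote;
    }

    /** GET/POST gate: loopback peer only, and only if no proxy header is present. */
    public boolean isRequestAllowed(String remoteAddr, Map<String, String> headers) {
        if (allowRemote) {
            return true;
        }
        for (String name : PROXY_HEADERS) {
            if (header(headers, name) != null) {
                return false; // fail closed: 127.0.0.1 here is the proxy, not the operator
            }
        }
        return isLoopback(remoteAddr);
    }

    /** Extra gate for the state-changing POST: Origin (or Referer) must itself be loopback. */
    public boolean isSaveAllowed(String remoteAddr, Map<String, String> headers) {
        if (!isRequestAllowed(remoteAddr, headers)) {
            return false;
        }
        if (allowRemote) {
            return true; // operator explicitly opted in to remote access
        }
        String origin = header(headers, "Origin");
        if (origin == null) {
            origin = header(headers, "Referer");
        }
        if (origin == null) {
            return false; // browsers send Origin on POST; a bare client must send it too
        }
        try {
            String host = URI.create(origin).getHost();
            return host != null && ("localhost".equalsIgnoreCase(host) || isLoopback(host));
        } catch (IllegalArgumentException malformed) {
            return false; // e.g. Origin: null or garbage
        }
    }

    /** Case-insensitive header lookup, since header names are case-insensitive. */
    private static String header(Map<String, String> headers, String name) {
        for (Map.Entry<String, String> e : headers.entrySet()) {
            if (e.getKey().equalsIgnoreCase(name)) {
                return e.getValue();
            }
        }
        return null;
    }

    /** True for 127.0.0.0/8, ::1 and ::ffff:127.x.x.x. Only IP literals are accepted, so no DNS lookup happens. */
    static boolean isLoopback(String addr) {
        if (addr == null) {
            return false;
        }
        String literal = addr.startsWith("[") && addr.endsWith("]")
                ? addr.substring(1, addr.length() - 1) : addr;
        if (!literal.matches("[0-9A-Fa-f.:]+")) {
            return false; // hostnames would trigger DNS in getByName; remoteAddr is always a literal
        }
        try {
            return InetAddress.getByName(literal).isLoopbackAddress();
        } catch (UnknownHostException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        SetupRequestGuard guard = new SetupRequestGuard(false);
        // Constructed requests: direct local browser, proxied external client, cross-site POST.
        System.out.println(guard.isRequestAllowed("127.0.0.1", Map.of()));                                  // true
        System.out.println(guard.isRequestAllowed("127.0.0.1", Map.of("X-Forwarded-For", "203.0.113.5"))); // false
        System.out.println(guard.isSaveAllowed("::1", Map.of("Origin", "https://evil.example")));           // false
        System.out.println(guard.isSaveAllowed("::1", Map.of("Origin", "http://localhost:8080")));          // true
    }
}
```

Rejecting proxied requests outright is the conservative choice: the alternative, trusting X-Forwarded-For, reintroduces a spoofable header as the trust anchor. A one-time token printed to the startup log, as the review comment also suggests, would be an independent second check on top of the Origin test.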
```java
private boolean isValidYaml(String content)
{
    try
    {
        SAFE_YAML.load(content);
        return true;
    }
    catch (YAMLException ex)
    {
        log.warn("YAML format validation failed", ex);
        return false;
    }
```

The YAML validation here uses SAFE_YAML.load(content): it only parses the first document (content after --- may go unvalidated), and LoaderOptions sets no limits such as codePointLimit / maxAliasesForCollections, so once remote access is enabled a crafted oversized or alias-heavy input could make parsing slow or blow up memory. Suggest iterating over loadAll to validate every document, and configuring reasonable limits on LoaderOptions.
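A validator that applies both suggestions, as an added example and not the project's SAFE_YAML. It assumes SnakeYAML 1.33 or 2.x, where SafeConstructor takes a LoaderOptions and setCodePointLimit/setNestingDepthLimit exist; the class name YamlConfigValidator and the specific limit values are assumptions, and the sample documents in main are constructed for the demonstration. The key points are that loadAll is lazy, so every document must actually be iterated, and that the size, alias and nesting limits turn pathological input into a YAMLException instead of a CPU/memory spike.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/** Added example, not the project's code: bounded, multi-document YAML validation. */
public final class YamlConfigValidator {

    private final Yaml yaml;

    public YamlConfigValidator(int maxCodePoints) {
        LoaderOptions opts = new LoaderOptions();
        opts.setCodePointLimit(maxCodePoints);   // hard cap on input size (library default is 3 MiB)
        opts.setMaxAliasesForCollections(20);    // defuses "billion laughs" alias expansion
        opts.setNestingDepthLimit(20);           // a config file never needs 20 levels of nesting
        opts.setAllowDuplicateKeys(false);       // a duplicated key is a typo; fail instead of silently overriding
        this.yaml = new Yaml(new SafeConstructor(opts)); // SafeConstructor: no arbitrary-class tags
    }

    /** Returns true only if every '---'-separated document parses within the configured limits. */
    public boolean isValidYaml(String content) {
        try {
            // loadAll is lazy: documents after the first are only parsed when iterated.
            for (Object document : yaml.loadAll(content)) {
                // nothing to do with the value; iterating is what triggers parsing
            }
            return true;
        } catch (YAMLException ex) {
            return false;
        }
    }

    public static void main(String[] args) {
        YamlConfigValidator validator = new YamlConfigValidator(64 * 1024);

        // Constructed sample 1: second document is broken; load() would have accepted this.
        String brokenSecondDoc = "spring:\n  datasource:\n    url: jdbc:mysql://localhost:3306/app\n"
                + "---\nbroken: [unclosed";
        // Constructed sample 2: exponential alias expansion.
        String billionLaughs = "a: &a [x, x, x, x, x, x, x, x, x, x]\n"
                + "b: &b [*a, *a, *a, *a, *a, *a, *a, *a, *a, *a]\n"
                + "c: &c [*b, *b, *b, *b, *b, *b, *b, *b, *b, *b]\n"
                + "d: &d [*c, *c, *c, *c, *c, *c, *c, *c, *c, *c]\n";
        // Constructed sample 3: well-formed but over the size cap.
        String oversized = "padding: " + "v".repeat(64 * 1024 + 1) + "\n";
        // Constructed sample 4: the ordinary case.
        String fine = "server:\n  port: 8080\n---\nspring:\n  redis:\n    host: 127.0.0.1\n";

        System.out.println(validator.isValidYaml(brokenSecondDoc)); // false
        System.out.println(validator.isValidYaml(billionLaughs));   // false
        System.out.println(validator.isValidYaml(oversized));       // false
        System.out.println(validator.isValidYaml(fine));            // true
    }
}
```

Validating the text is only half the job: the saved file is later read by Spring Boot with its own parser, so the limit on what the wizard accepts should not be looser than what the application itself tolerates at startup.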
Having to edit the external configuration files by hand at startup (MySQL/Redis and so on) is not very user-friendly. This change provides a visual configuration entry point during early startup, simplifying first-time deployment configuration.

- /setup/config reads/saves the external configuration and only allows access from the local machine (setup.allow-remote=true optionally opens it up)
- setup.html provides visual editing of application.yml / application-druid.yml

Screenshot
Warning

Firewall rules blocked me from connecting to one or more addresses. I tried to connect to the following addresses, but was blocked by firewall rules: mybatis.org (dns block)