feat: Security hardening, mobile responsiveness, and deployment improvements

- Account lockout (5 failed logins → 30min lock) with Prisma migration
- Rate limiting on auth endpoints (register, login, forgot/reset/change password)
- POST /auth/logout endpoint to invalidate refresh tokens
- Password strength validation (uppercase + lowercase + digit) on all DTOs and frontend forms
- Auth audit logging (login success/failure, password change, account deletion, logout)
- DOMPurify XSS sanitization for HTML imports, markdown rendering, and template preview
- Input length validation (@maxlength) on document titles, space names, search queries, etc.
- Mobile responsive fixes: AI panels, version history, permission dialog, notification dropdown, editor toolbar
- Table horizontal scroll for members and AI subscriptions pages
- Graceful shutdown with app.enableShutdownHooks()
- Production Nginx config (nginx/nginx.conf + proxy.conf) with API/WebSocket/static proxy
- Updated deployment docs in DEVELOPMENT.md and .env.example

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Jason-chen-coder

DEVELOPMENT.md

@@ -723,6 +723,52 @@ pnpm exec prisma migrate dev
 
 ---
 
+## 🌐 生产部署（Nginx 反向代理）
+
+项目包含 `nginx/` 目录下的生产 Nginx 配置：
+
+```bash
+# 目录结构
+nginx/
+├── nginx.conf    # 主配置（HTTP/HTTPS server 块）
+└── proxy.conf    # 代理规则（API/WebSocket/前端/静态资源）
+```
+
+### 使用方式
+
+1. 将 `nginx/` 目录挂载到 Nginx 容器：
+
+```yaml
+# docker-compose.prod.yml 中添加 nginx 服务
+nginx:
+  image: nginx:alpine
+  ports:
+    - "80:80"
+    - "443:443"
+  volumes:
+    - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+    - ./nginx/proxy.conf:/etc/nginx/conf.d/proxy.conf:ro
+    # SSL 证书（生产环境）
+    # - ./ssl:/etc/nginx/ssl:ro
+  depends_on:
+    - api
+    - web
+```
+
+2. HTTPS 配置：编辑 `nginx/nginx.conf`，取消注释 HTTPS server 块，填写域名和证书路径。
+
+3. 数据库备份：
+
+```bash
+# 备份
+docker exec docStudio-postgres pg_dump -U postgres docStudio_dev > backup.sql
+
+# 恢复
+docker exec -i docStudio-postgres psql -U postgres docStudio_dev < backup.sql
+```
+
+---
+
 ## 🆘 获取帮助
 
 - **Prisma 文档**：https://www.prisma.io/docs

apps/api/.env.example

@@ -11,12 +11,14 @@ API_URL=http://localhost:3001
 FRONTEND_URL=http://localhost:3000
 
 # ── JWT ───────────────────────────────────────────────────────
+# 生产环境务必使用随机长密钥：openssl rand -base64 64
 JWT_SECRET=your-super-secret-jwt-key-change-in-production
 JWT_EXPIRES_IN=7d
 
 # ── 超级管理员（首次启动自动创建）────────────────────────────
+# 生产环境务必修改默认密码（需含大写+小写+数字）
 SUPER_ADMIN_EMAIL=admin@doc-studio.com
-SUPER_ADMIN_PASSWORD=admin
+SUPER_ADMIN_PASSWORD=Admin123
 
 # ── Redis ─────────────────────────────────────────────────────
 REDIS_HOST=localhost

apps/api/prisma/migrations/20260330154155_add_login_security_fields/migration.sql

@@ -0,0 +1,20 @@
+-- AlterEnum
+-- This migration adds more than one value to an enum.
+-- With PostgreSQL versions 11 and earlier, this is not possible
+-- in a single migration. This can be worked around by creating
+-- multiple migrations, each migration adding only one value to
+-- the enum.
+
+
+ALTER TYPE "ActivityAction" ADD VALUE 'LOGIN_SUCCESS';
+ALTER TYPE "ActivityAction" ADD VALUE 'LOGIN_FAILED';
+ALTER TYPE "ActivityAction" ADD VALUE 'PASSWORD_CHANGED';
+ALTER TYPE "ActivityAction" ADD VALUE 'ACCOUNT_DELETED';
+ALTER TYPE "ActivityAction" ADD VALUE 'LOGOUT';
+
+-- AlterEnum
+ALTER TYPE "EntityType" ADD VALUE 'USER';
+
+-- AlterTable
+ALTER TABLE "users" ADD COLUMN     "failedLoginAttempts" INTEGER NOT NULL DEFAULT 0,
+ADD COLUMN     "lockedUntil" TIMESTAMP(3);

apps/api/prisma/schema.prisma

@@ -35,6 +35,10 @@ model User {
   // 新用户引导
   onboardingCompleted Boolean @default(false)
 
+  // 登录安全
+  failedLoginAttempts Int       @default(0)
+  lockedUntil         DateTime?
+
   // JWT Refresh Token
   refreshToken String?
 
@@ -241,6 +245,11 @@ enum ActivityAction {
   LEAVE
   INVITE
   ROLE_CHANGE
+  LOGIN_SUCCESS
+  LOGIN_FAILED
+  PASSWORD_CHANGED
+  ACCOUNT_DELETED
+  LOGOUT
 }
 
 // 实体类型枚举
@@ -250,6 +259,7 @@ enum EntityType {
   SNAPSHOT
   SHARE_LINK
   MEMBER
+  USER
 }
 
 // ==================== 最近访问模型（独立优化表） ====================

apps/api/src/auth/auth.controller.ts

@@ -17,6 +17,7 @@ import {
   ApiBearerAuth,
   ApiExcludeEndpoint,
 } from '@nestjs/swagger';
+import { Throttle } from '@nestjs/throttler';
 // Fastify types imported as values (not 'import type') for decorator metadata
 import { AuthService } from './auth.service';
 import { RegisterDto } from './dto/register.dto';
@@ -37,6 +38,7 @@ export class AuthController {
   constructor(private authService: AuthService) {}
 
   @Post('register')
+  @Throttle({ default: { limit: 5, ttl: 3600000 } }) // 5 次/小时
   @ApiOperation({ summary: '用户注册', description: '创建新用户账号' })
   @ApiResponse({
     status: 201,
@@ -50,6 +52,7 @@ export class AuthController {
   }
 
   @Post('login')
+  @Throttle({ default: { limit: 10, ttl: 900000 } }) // 10 次/15分钟
   @HttpCode(HttpStatus.OK)
   @ApiOperation({ summary: '用户登录', description: '使用邮箱和密码登录' })
   @ApiResponse({
@@ -77,6 +80,7 @@ export class AuthController {
   }
 
   @Post('change-password')
+  @Throttle({ default: { limit: 5, ttl: 3600000 } }) // 5 次/小时
   @UseGuards(JwtAuthGuard)
   @ApiBearerAuth('JWT-auth')
   @ApiOperation({ summary: '修改密码', description: '需要 JWT 认证' })
@@ -113,6 +117,7 @@ export class AuthController {
   // ==================== 密码重置 ====================
 
   @Post('forgot-password')
+  @Throttle({ default: { limit: 3, ttl: 3600000 } }) // 3 次/小时
   @HttpCode(HttpStatus.OK)
   @ApiOperation({ summary: '忘记密码', description: '发送密码重置邮件' })
   @ApiResponse({ status: 200, description: '如果邮箱存在将发送重置邮件' })
@@ -121,6 +126,7 @@ export class AuthController {
   }
 
   @Post('reset-password')
+  @Throttle({ default: { limit: 5, ttl: 3600000 } }) // 5 次/小时
   @HttpCode(HttpStatus.OK)
   @ApiOperation({ summary: '重置密码', description: '使用重置令牌设置新密码' })
   @ApiResponse({ status: 200, description: '密码重置成功' })
@@ -145,6 +151,18 @@ export class AuthController {
     return this.authService.deleteAccount(user.id, dto.password ?? '');
   }
 
+  // ==================== 登出 ====================
+
+  @Post('logout')
+  @UseGuards(JwtAuthGuard)
+  @ApiBearerAuth('JWT-auth')
+  @HttpCode(HttpStatus.OK)
+  @ApiOperation({ summary: '退出登录', description: '清除 refresh token 使其失效' })
+  @ApiResponse({ status: 200, description: '已退出登录' })
+  async logout(@CurrentUser() user: UserResponseDto) {
+    return this.authService.logout(user.id);
+  }
+
   // ==================== Refresh Token ====================
 
   @Post('refresh')

apps/api/src/auth/auth.service.ts

@@ -2,6 +2,7 @@ import {
   Injectable,
   UnauthorizedException,
   BadRequestException,
+  Logger,
 } from '@nestjs/common';
 import { JwtService } from '@nestjs/jwt';
 import { UsersService } from '../users/users.service';
@@ -11,17 +12,26 @@ import { ChangePasswordDto } from './dto/change-password.dto';
 import { PrismaService } from '../prisma/prisma.service';
 import { EmailService } from '../email/email.service';
 import { OnboardingService } from '../onboarding/onboarding.service';
+import { ActivityService } from '../activity/activity.service';
 import { randomBytes } from 'crypto';
 import * as bcrypt from 'bcryptjs';
 
+/** 登录失败锁定阈值 */
+const MAX_FAILED_ATTEMPTS = 5;
+/** 锁定时长（毫秒）— 30 分钟 */
+const LOCK_DURATION_MS = 30 * 60 * 1000;
+
 @Injectable()
 export class AuthService {
+  private readonly logger = new Logger(AuthService.name);
+
   constructor(
     private usersService: UsersService,
     private jwtService: JwtService,
     private prisma: PrismaService,
     private emailService: EmailService,
     private onboardingService: OnboardingService,
+    private activityService: ActivityService,
   ) {}
 
   private async generateTokens(userId: string, email: string) {
@@ -76,19 +86,72 @@ export class AuthService {
       throw new UnauthorizedException('邮箱或密码错误');
     }
 
+    // 检查账号是否被锁定
+    if (user.lockedUntil && user.lockedUntil > new Date()) {
+      const remainingMin = Math.ceil(
+        (user.lockedUntil.getTime() - Date.now()) / 60000,
+      );
+      this.activityService.log({
+        userId: user.id,
+        action: 'LOGIN_FAILED',
+        entityType: 'USER',
+        entityId: user.id,
+        metadata: { reason: 'account_locked' },
+      });
+      throw new UnauthorizedException(
+        `账号已锁定，请 ${remainingMin} 分钟后重试`,
+      );
+    }
+
     // 验证密码
     const isPasswordValid = await this.usersService.validatePassword(
       password,
       user.password,
     );
 
     if (!isPasswordValid) {
+      // 递增失败次数，达到阈值则锁定
+      const attempts = (user.failedLoginAttempts ?? 0) + 1;
+      const lockData: { failedLoginAttempts: number; lockedUntil?: Date } = {
+        failedLoginAttempts: attempts,
+      };
+      if (attempts >= MAX_FAILED_ATTEMPTS) {
+        lockData.lockedUntil = new Date(Date.now() + LOCK_DURATION_MS);
+      }
+      await this.prisma.user.update({
+        where: { id: user.id },
+        data: lockData,
+      });
+
+      this.activityService.log({
+        userId: user.id,
+        action: 'LOGIN_FAILED',
+        entityType: 'USER',
+        entityId: user.id,
+        metadata: { attempts },
+      });
+
       throw new UnauthorizedException('邮箱或密码错误');
     }
 
+    // 登录成功 — 重置失败计数
+    if (user.failedLoginAttempts > 0 || user.lockedUntil) {
+      await this.prisma.user.update({
+        where: { id: user.id },
+        data: { failedLoginAttempts: 0, lockedUntil: null },
+      });
+    }
+
     // 生成 token 对
     const tokens = await this.generateTokens(user.id, user.email);
 
+    this.activityService.log({
+      userId: user.id,
+      action: 'LOGIN_SUCCESS',
+      entityType: 'USER',
+      entityId: user.id,
+    });
+
     // 返回用户信息（不包含密码）
     const { password: _, ...userWithoutPassword } = user;
 
@@ -127,6 +190,13 @@ export class AuthService {
     // 更新密码
     await this.usersService.updatePassword(userId, newPassword);
 
+    this.activityService.log({
+      userId,
+      action: 'PASSWORD_CHANGED',
+      entityType: 'USER',
+      entityId: userId,
+    });
+
     return { message: '密码修改成功' };
   }
 
@@ -315,12 +385,37 @@ export class AuthService {
       }
     }
 
+    this.activityService.log({
+      userId,
+      action: 'ACCOUNT_DELETED',
+      entityType: 'USER',
+      entityId: userId,
+    });
+
     // 级联删除所有用户数据（Prisma onDelete: Cascade 会处理大部分关联）
     await this.prisma.user.delete({ where: { id: userId } });
 
     return { message: '账号已永久删除' };
   }
 
+  // ==================== 登出 ====================
+
+  async logout(userId: string) {
+    await this.prisma.user.update({
+      where: { id: userId },
+      data: { refreshToken: null },
+    });
+
+    this.activityService.log({
+      userId,
+      action: 'LOGOUT',
+      entityType: 'USER',
+      entityId: userId,
+    });
+
+    return { message: '已退出登录' };
+  }
+
   async resetPassword(token: string, newPassword: string) {
     const user = await this.prisma.user.findUnique({
       where: { resetToken: token },

apps/api/src/auth/dto/change-password.dto.ts

@@ -1,4 +1,4 @@
-import { IsNotEmpty, IsString, MinLength } from 'class-validator';
+import { IsNotEmpty, IsString, Matches, MinLength } from 'class-validator';
 import { ApiProperty } from '@nestjs/swagger';
 
 export class ChangePasswordDto {
@@ -11,12 +11,15 @@ export class ChangePasswordDto {
   currentPassword: string;
 
   @ApiProperty({
-    description: '新密码（至少8个字符）',
-    example: 'newPassword123',
+    description: '新密码（至少8位，需包含大写字母、小写字母和数字）',
+    example: 'NewPass123',
     minLength: 8,
   })
   @IsString({ message: '密码必须是字符串' })
   @MinLength(8, { message: '新密码长度至少为 8 个字符' })
+  @Matches(/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).+$/, {
+    message: '密码需包含至少一个大写字母、一个小写字母和一个数字',
+  })
   @IsNotEmpty({ message: '新密码不能为空' })
   newPassword: string;
 }

apps/api/src/auth/dto/register.dto.ts

@@ -1,4 +1,4 @@
-import { IsEmail, IsNotEmpty, IsString, MinLength } from 'class-validator';
+import { IsEmail, IsNotEmpty, IsString, Matches, MaxLength, MinLength } from 'class-validator';
 import { ApiProperty } from '@nestjs/swagger';
 
 export class RegisterDto {
@@ -16,15 +16,19 @@ export class RegisterDto {
   })
   @IsString({ message: '名称必须是字符串' })
   @IsNotEmpty({ message: '名称不能为空' })
+  @MaxLength(50, { message: '名称不能超过 50 个字符' })
   name: string;
 
   @ApiProperty({
-    description: '用户密码（至少8个字符）',
-    example: 'password123',
+    description: '密码（至少8位，需包含大写字母、小写字母和数字）',
+    example: 'MyPass123',
     minLength: 8,
   })
   @IsString({ message: '密码必须是字符串' })
   @MinLength(8, { message: '密码长度至少为 8 个字符' })
+  @Matches(/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).+$/, {
+    message: '密码需包含至少一个大写字母、一个小写字母和一个数字',
+  })
   @IsNotEmpty({ message: '密码不能为空' })
   password: string;
 }