feat: Encryption Configuration Error Detection (#251)

* feat: Decrypt error alert

* feat: Check proxy key

* feat: ENCRYPTION_KEY tip

* feat: Update readme for jp

Author: tbphp

README.md

@@ -1,6 +1,6 @@
 # GPT-Load
 
-English | [中文文档](README_CN.md)
+English | [中文文档](README_CN.md) | [日本語](README_JP.md)
 
 [![Release](https://img.shields.io/github/v/release/tbphp/gpt-load)](https://github.com/tbphp/gpt-load/releases)
 ![Go Version](https://img.shields.io/badge/Go-1.23+-blue.svg)
@@ -341,6 +341,7 @@ make run
 ### Important Notes
 
 ⚠️ **Important Reminders**:
+- **Once ENCRYPTION_KEY is lost, encrypted data CANNOT be recovered!** Please securely backup this key. Consider using a password manager or secure key management system
 - **Service must be stopped** before migration to avoid data inconsistency
 - Strongly recommended to **backup the database** in case migration fails and recovery is needed
 - Keys should use **32 characters or longer random strings** for security

README_CN.md

@@ -1,6 +1,6 @@
 # GPT-Load
 
-[English](README.md) | 中文文档
+[English](README.md) | 中文文档 | [日本語](README_JP.md)
 
 [![Release](https://img.shields.io/github/v/release/tbphp/gpt-load)](https://github.com/tbphp/gpt-load/releases)
 ![Go Version](https://img.shields.io/badge/Go-1.23+-blue.svg)
@@ -341,6 +341,7 @@ make run
 ### 注意事项
 
 ⚠️ **重要提醒**：
+- **ENCRYPTION_KEY 一旦丢失将无法恢复已加密的数据！** 请务必安全备份此密钥，建议使用密码管理器或安全的密钥管理系统保存
 - 迁移前**必须停止服务**，避免数据不一致
 - 强烈建议**备份数据库**，以防迁移失败需要恢复
 - 密钥建议使用 **32 位或更长的随机字符串**，确保安全性

README_JP.md

@@ -3,12 +3,14 @@ package handler
 import (
 	"fmt"
 	"strings"
+	"gpt-load/internal/encryption"
 	app_errors "gpt-load/internal/errors"
 	"gpt-load/internal/models"
 	"gpt-load/internal/response"
 	"time"
 
 	"github.com/gin-gonic/gin"
+	"github.com/sirupsen/logrus"
 )
 
 // Stats Get dashboard statistics
@@ -261,6 +263,38 @@ func (s *Server) getSecurityWarnings() []models.SecurityWarning {
 		warnings = append(warnings, encryptionWarnings...)
 	}
 
+	// 检查系统级代理密钥
+	systemSettings := s.SettingsManager.GetSettings()
+	if systemSettings.ProxyKeys != "" {
+		proxyKeys := strings.Split(systemSettings.ProxyKeys, ",")
+		for i, key := range proxyKeys {
+			key = strings.TrimSpace(key)
+			if key != "" {
+				keyName := fmt.Sprintf("全局代理密钥 #%d", i+1)
+				proxyWarnings := checkPasswordSecurity(key, keyName)
+				warnings = append(warnings, proxyWarnings...)
+			}
+		}
+	}
+	
+	// 检查分组级代理密钥
+	var groups []models.Group
+	if err := s.DB.Where("proxy_keys IS NOT NULL AND proxy_keys != ''").Find(&groups).Error; err == nil {
+		for _, group := range groups {
+			if group.ProxyKeys != "" {
+				proxyKeys := strings.Split(group.ProxyKeys, ",")
+				for i, key := range proxyKeys {
+					key = strings.TrimSpace(key)
+					if key != "" {
+						keyName := fmt.Sprintf("分组 [%s] 的代理密钥 #%d", group.Name, i+1)
+						proxyWarnings := checkPasswordSecurity(key, keyName)
+						warnings = append(warnings, proxyWarnings...)
+					}
+				}
+			}
+		}
+	}
+	
 	return warnings
 }
 
@@ -344,3 +378,92 @@ func hasGoodComplexity(password string) bool {
 
 	return count >= 3
 }
+
+// EncryptionStatus checks if ENCRYPTION_KEY is configured but keys are not encrypted
+func (s *Server) EncryptionStatus(c *gin.Context) {
+	hasMismatch, message, suggestion := s.checkEncryptionMismatch()
+	
+	response.Success(c, gin.H{
+		"has_mismatch": hasMismatch,
+		"message":      message,
+		"suggestion":   suggestion,
+	})
+}
+
+// checkEncryptionMismatch detects encryption configuration mismatches
+func (s *Server) checkEncryptionMismatch() (bool, string, string) {
+	encryptionKey := s.config.GetEncryptionKey()
+	
+	// Sample check API keys
+	var sampleKeys []models.APIKey
+	if err := s.DB.Limit(20).Where("key_hash IS NOT NULL AND key_hash != ''").Find(&sampleKeys).Error; err != nil {
+		logrus.WithError(err).Error("Failed to fetch sample keys for encryption check")
+		return false, "", ""
+	}
+	
+	if len(sampleKeys) == 0 {
+		// No keys in database, no mismatch
+		return false, "", ""
+	}
+	
+	// Check hash consistency with unencrypted data
+	noopService, err := encryption.NewService("")
+	if err != nil {
+		logrus.WithError(err).Error("Failed to create noop encryption service")
+		return false, "", ""
+	}
+	
+	unencryptedHashMatchCount := 0
+	for _, key := range sampleKeys {
+		// For unencrypted data: key_hash should match SHA256(key_value)
+		expectedHash := noopService.Hash(key.KeyValue)
+		if expectedHash == key.KeyHash {
+			unencryptedHashMatchCount++
+		}
+	}
+	
+	unencryptedConsistencyRate := float64(unencryptedHashMatchCount) / float64(len(sampleKeys))
+	
+	// If ENCRYPTION_KEY is configured, also check if current key can decrypt the data
+	var currentKeyHashMatchCount int
+	if encryptionKey != "" {
+		currentService, err := encryption.NewService(encryptionKey)
+		if err == nil {
+			for _, key := range sampleKeys {
+				// Try to decrypt and re-hash to check if current key matches
+				decrypted, err := currentService.Decrypt(key.KeyValue)
+				if err == nil {
+					// Successfully decrypted, check if hash matches
+					expectedHash := currentService.Hash(decrypted)
+					if expectedHash == key.KeyHash {
+						currentKeyHashMatchCount++
+					}
+				}
+			}
+		}
+	}
+	currentKeyConsistencyRate := float64(currentKeyHashMatchCount) / float64(len(sampleKeys))
+	
+	// Scenario A: ENCRYPTION_KEY configured but data not encrypted
+	if encryptionKey != "" && unencryptedConsistencyRate > 0.8 {
+		return true,
+			"检测到您已配置 ENCRYPTION_KEY，但数据库中的密钥尚未加密。这会导致密钥无法正常读取（显示为 failed-to-decrypt）。",
+			"请停止服务，执行密钥迁移命令后重启"
+	}
+	
+	// Scenario B: ENCRYPTION_KEY not configured but data is encrypted
+	if encryptionKey == "" && unencryptedConsistencyRate < 0.2 {
+		return true,
+			"检测到数据库中的密钥已加密，但未配置 ENCRYPTION_KEY。这会导致密钥无法正常读取。",
+			"请配置与加密时相同的 ENCRYPTION_KEY，或执行解密迁移"
+	}
+	
+	// Scenario C: ENCRYPTION_KEY configured but doesn't match encrypted data
+	if encryptionKey != "" && unencryptedConsistencyRate < 0.2 && currentKeyConsistencyRate < 0.2 {
+		return true,
+			"检测到您配置的 ENCRYPTION_KEY 与数据加密时使用的密钥不匹配。这会导致密钥解密失败（显示为 failed-to-decrypt）。",
+			"请使用正确的 ENCRYPTION_KEY，或执行密钥迁移"
+	}
+	
+	return false, "", ""
+}

internal/handler/dashboard_handler.go

@@ -140,6 +140,7 @@ func registerProtectedAPIRoutes(api *gin.RouterGroup, serverHandler *handler.Ser
 	{
 		dashboard.GET("/stats", serverHandler.Stats)
 		dashboard.GET("/chart", serverHandler.Chart)
+		dashboard.GET("/encryption-status", serverHandler.EncryptionStatus)
 	}
 
 	// 日志

internal/router/router.go

@@ -1,12 +1,20 @@
 <script setup lang="ts">
-import { getDashboardStats } from "@/api/dashboard";
 import type { DashboardStatsResponse } from "@/types/models";
 import { NCard, NGrid, NGridItem, NSpace, NTag, NTooltip } from "naive-ui";
-import { onMounted, ref } from "vue";
+import { computed, onMounted, ref } from "vue";
 
-// 统计数据
-const stats = ref<DashboardStatsResponse | null>(null);
-const loading = ref(true);
+// Props
+interface Props {
+  stats: DashboardStatsResponse | null;
+  loading?: boolean;
+}
+
+const props = withDefaults(defineProps<Props>(), {
+  loading: false,
+});
+
+// 使用计算属性代替ref
+const stats = computed(() => props.stats);
 const animatedValues = ref<Record<string, number>>({});
 
 // 格式化数值显示
@@ -26,14 +34,9 @@ const formatTrend = (trend: number): string => {
   return `${sign}${trend.toFixed(1)}%`;
 };
 
-// 获取统计数据
-const fetchStats = async () => {
-  try {
-    loading.value = true;
-    const response = await getDashboardStats();
-    stats.value = response.data;
-
-    // 添加动画效果
+// 监听stats变化并更新动画值
+const updateAnimatedValues = () => {
+  if (stats.value) {
     setTimeout(() => {
       animatedValues.value = {
         key_count:
@@ -44,15 +47,12 @@ const fetchStats = async () => {
         error_rate: (100 - (stats.value?.error_rate?.value ?? 0)) / 100,
       };
     }, 0);
-  } catch (error) {
-    console.error("获取统计数据失败:", error);
-  } finally {
-    loading.value = false;
   }
 };
 
+// 监听stats变化
 onMounted(() => {
-  fetchStats();
+  updateAnimatedValues();
 });
 </script>