refactor(share): remove GALLERY_SECRET, use plaintext + SHA-256 integrity for .infiplot files

The encrypted .infiplot format (AES-256-GCM via GALLERY_SECRET) provided no
meaningful security — the payload is AI-generated story content with no
credentials or PII, and the project is open source. Replace with plaintext +
SHA-256 integrity check (format v2). Story share is now always enabled without
requiring a server secret.

- galleryCrypto.ts: AES-256-GCM → plaintext + SHA-256 hash; remove secret param
- 4 API routes: remove GALLERY_SECRET guard and 503 fallback
- story-unpack: forward specific error messages (v1 compat, hash mismatch)
- gallery/page.tsx: remove stale AES-GCM comment
- AGENTS.md: document gallery-pack/gallery-unpack routes
- .env.example, wrangler.jsonc: remove GALLERY_SECRET references

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
yuanzonghao
2026-06-18 21:41:56 +08:00
parent 03dccd7c74
commit 64cf9c330d
9 changed files with 48 additions and 143 deletions
+4 -10
@@ -155,16 +155,10 @@ NEXT_PUBLIC_UMAMI_WEBSITE_ID=
# Blank → track on all hosts. e.g. infiplot.com,www.infiplot.com
NEXT_PUBLIC_UMAMI_DOMAINS=
# ---- 7. Gallery share files (optional — leave blank to disable) ----
# Server-side secret used to AES-256-GCM encrypt a played session into a
# binary `.infiplot` share file the player can send to a friend. Friends drop
# the file into /gallery; the server decrypts and renders the same interactive
# replay. GCM's built-in auth tag also gives tamper-detection for free.
# Blank → "导出分享文件" is hidden, only the same-browser localStorage flow
# remains. Set to any high-entropy string ≥ 32 chars (e.g. `openssl rand -hex 32`).
# WARNING: rotating this secret invalidates every share file ever issued
# (decryption will fail with "文件校验失败"). Only change when you're OK with that.
GALLERY_SECRET=
# ---- 7. Gallery share files ----
# Story share (`.infiplot` files) is always enabled — no secret needed.
# Files use SHA-256 integrity checks instead of encryption because the
# payload is AI-generated story content, not sensitive data.
# ---- 8. Auth · Supabase (optional — leave blank to disable) -------
# Sign up at https://supabase.com, create a project, copy the URL and
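Review bot: the new line `# Files use SHA-256 integrity checks instead of encryption because the` overstates what an unkeyed hash provides: anyone who can edit a `.infiplot` file can simply recompute the SHA-256 over the modified payload, so the check catches accidental corruption only, not deliberate modification, unlike the AES-GCM auth tag the removed comment credited with "tamper-detection for free". Suggest wording it as "a SHA-256 checksum (detects corruption, not tampering)" and, since the removed comment describes the server rendering the dropped file as an interactive replay, adding a sentence that unpacked story content is now treated as untrusted input on the server side.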