Use environment variables for secret keys in dev and backend

Set fixed secret keys for JWT and WebUI in development environment via environment variables. Updated backend to use NAPCAT_WEBUI_SECRET_KEY and NAPCAT_WEBUI_JWT_SECRET_KEY from environment if available, improving configurability and security.

packages/napcat-develop/loadNapCat.cjs

@@ -74,7 +74,9 @@ async function copyAll () {
   process.env.NAPCAT_QQ_VERSION_CONFIG_PATH = path.join(TARGET_DIR, 'config.json');
   process.env.NAPCAT_DISABLE_PIPE = '1';
   process.env.NAPCAT_WORKDIR = TARGET_DIR;
-
+  // 开发环境使用固定密钥
+  process.env.NAPCAT_WEBUI_JWT_SECRET_KEY = 'napcat_dev_secret_key';
+  process.env.NAPCAT_WEBUI_SECRET_KEY = 'napcat';
   console.log('Loading NapCat module...');
   await import(pathToFileURL(NAPCAT_MJS_PATH).href);
 }

packages/napcat-webui-backend/index.ts

@@ -92,7 +92,7 @@ export async function InitWebUi (logger: LogWrapper, pathWrapper: NapCatPathWrap
 
   // 检查并更新默认密码 - 最高优先级
   if (config.token === 'napcat' || !config.token) {
-    const randomToken = getRandomToken(8);
+    const randomToken = process.env['NAPCAT_WEBUI_SECRET_KEY'] || getRandomToken(8);
     await WebUiConfig.UpdateWebUIConfig({ token: randomToken });
     logger.log('[NapCat] [WebUi] 检测到默认密码，已自动更新为安全密码');
 

packages/napcat-webui-backend/src/helper/SignToken.ts

@@ -2,7 +2,7 @@ import crypto from 'crypto';
 import store from 'napcat-common/src/store';
 import type { WebUiCredentialJson, WebUiCredentialInnerJson } from '@/napcat-webui-backend/src/types';
 export class AuthHelper {
-  private static readonly secretKey = Math.random().toString(36).slice(2);
+  private static readonly secretKey = process.env['NAPCAT_WEBUI_JWT_SECRET_KEY'] || Math.random().toString(36).slice(2);
 
   /**
      * 签名凭证方法。