提升安全与流畅度

Dockerfile

@@ -1,10 +1,20 @@
-FROM python:3.9
+# 🚀 P2优化：使用轻量级基镜像，从 900MB 降到 ~150MB
+FROM python:3.9-slim
 
+# 设置工作目录
 WORKDIR /code
 
+# 安装系统依赖 (psycopg2 需要)
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    libpq-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+# 先复制依赖文件，利用 Docker 缓存层
 COPY ./requirements.txt /code/requirements.txt
 RUN pip install --no-cache-dir --upgrade -r /code/requirements.txt
 
+# 复制应用代码
 COPY . .
 
+# 启动命令
 CMD ["uvicorn", "app:app", "--host", "0.0.0.0", "--port", "7860"]

app.py

@@ -10,11 +10,24 @@ import urllib.parse
 import urllib.request
 import urllib.error
 import os
-import mimetypes 
+import mimetypes
+import logging
+import time
 import 数据库连接 as db
 import asyncio
 
 
+# ==========================================
+# 📝 P2优化：日志配置
+# ==========================================
+logging.basicConfig(
+    level=logging.INFO,
+    format='%(asctime)s | %(levelname)s | %(name)s | %(message)s',
+    datefmt='%Y-%m-%d %H:%M:%S'
+)
+logger = logging.getLogger("ComfyUI-Ranking")
+
+
 from 云端_定时版本检测引擎 import daily_version_check_task
 
 # ==========================================
@@ -39,24 +52,134 @@ from router_proxy import router as proxy_router       # 🔗 代理下载
 from database_sql import init_sql_db, get_db
 from models_sql import Ownership
 
+# 🚀 P2优化：速率限制 (防止暴力攻击)
+from slowapi import Limiter, _rate_limit_exceeded_handler
+from slowapi.util import get_remote_address
+from slowapi.errors import RateLimitExceeded
+from fastapi.exceptions import RequestValidationError
+from starlette.exceptions import HTTPException as StarletteHTTPException
+import traceback
+
+limiter = Limiter(key_func=get_remote_address)
 app = FastAPI(title="ComfyUI Ranking Community API")
+app.state.limiter = limiter
+app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)
+
 
+# ==========================================
+# 🛡️ 稳定性优化：全局异常处理器
+# ==========================================
+# 作用：捕获所有未处理异常，防止单个请求崩溃整个服务
+
+@app.exception_handler(StarletteHTTPException)
+async def http_exception_handler(request, exc):
+    """HTTP 异常处理，返回友好错误信息"""
+    logger.warning(f"HTTP {exc.status_code} | {request.url.path} | {exc.detail}")
+    return JSONResponse(
+        status_code=exc.status_code,
+        content={"status": "error", "detail": str(exc.detail)}
+    )
+
+@app.exception_handler(RequestValidationError)
+async def validation_exception_handler(request, exc):
+    """请求参数校验失败处理"""
+    logger.warning(f"Validation Error | {request.url.path} | {exc.errors()}")
+    return JSONResponse(
+        status_code=422,
+        content={"status": "error", "detail": "请求参数格式错误", "errors": exc.errors()}
+    )
+
+@app.exception_handler(Exception)
+async def global_exception_handler(request, exc):
+    """全局异常处理，捕获所有未预期异常"""
+    error_id = f"ERR_{int(time.time())}_{id(exc) % 10000}"
+    logger.error(f"Unhandled Exception [{error_id}] | {request.url.path} | {type(exc).__name__}: {exc}")
+    logger.error(traceback.format_exc())
+    return JSONResponse(
+        status_code=500,
+        content={
+            "status": "error", 
+            "detail": "服务器内部错误，请稍后重试",
+            "error_id": error_id  # 方便排查
+        }
+    )
+
+
+# ==========================================
+# ❤️ 健康检查接口 (增强版)
+# ==========================================
 @app.get("/")
 def health_check():
     return {"status": "ok", "message": "ComfyUI Ranking API is running perfectly!"}
 
+@app.get("/health")
+def detailed_health_check():
+    """详细健康检查，含依赖状态"""
+    health_status = {
+        "status": "ok",
+        "components": {}
+    }
+    
+    # 检查 SQL 数据库
+    try:
+        from database_sql import check_db_connection
+        if check_db_connection():
+            health_status["components"]["sql_database"] = "ok"
+        else:
+            health_status["components"]["sql_database"] = "error: connection failed"
+            health_status["status"] = "degraded"
+    except Exception as e:
+        health_status["components"]["sql_database"] = f"error: {str(e)}"
+        health_status["status"] = "degraded"
+    
+    # 检查 JSON 文件访问
+    try:
+        import 数据库连接 as json_db
+        json_db.load_data("users.json", default_data={})
+        health_status["components"]["json_storage"] = "ok"
+    except Exception as e:
+        health_status["components"]["json_storage"] = f"error: {str(e)}"
+        health_status["status"] = "degraded"
+    
+    return health_status
+
 # ==========================================
 # 🚀 应用启动事件
 # ==========================================
-# 作用：初始化数据库 + 启动定时版本检测后台任务
+# 作用：初始化数据库 + 启动定时版本检测后台任务 + 预热检查
 @app.on_event("startup")
 async def on_startup():
-    # 初始化 SQL 数据库
-    init_sql_db()
-    print("关系型数据库加载完毕，金融表同步完成。")
+    logger.info("🚀 ComfyUI-Ranking API 启动中...")
+    
+    # ========== 预热检查：SQL 数据库 ==========
+    try:
+        init_sql_db()
+        logger.info("✅ SQL 数据库初始化完成")
+    except Exception as e:
+        logger.error(f"❌ SQL 数据库初始化失败: {e}")
+        # 不抛出异常，允许降级运行
+    
+    # ========== 预热检查：JSON 数据库 ==========
+    try:
+        db.load_data("users.json", default_data={})
+        db.load_data("items.json", default_data=[])
+        logger.info("✅ JSON 数据库访问正常")
+    except Exception as e:
+        logger.warning(f"⚠️ JSON 数据库访问异常: {e}")
     
-    # 🚀 启动定时版本探测挂载后台任务
+    # ========== 启动后台任务 ==========
     asyncio.create_task(daily_version_check_task())
+    logger.info("✅ 定时版本检测任务已挂载")
+    
+    logger.info("🎉 ComfyUI-Ranking API 启动完成!")
+
+
+@app.on_event("shutdown")
+async def on_shutdown():
+    """优雅关闭，清理资源"""
+    logger.info("🛑 ComfyUI-Ranking API 正在关闭...")
+    # 这里可以添加其他清理逻辑（如关闭连接池等）
+    logger.info("✅ 关闭完成")
 
 app.add_middleware(
     CORSMiddleware,

database_sql.py

@@ -1,25 +1,117 @@
 # database_sql.py
+# ==========================================
+# 🛡️ 稳定性优化：SQL 数据库连接模块
+# ==========================================
 import os
-from sqlalchemy import create_engine
+import time
+import logging
+from functools import wraps
+from sqlalchemy import create_engine, text
 from sqlalchemy.orm import sessionmaker
+from sqlalchemy.pool import QueuePool, NullPool
+from sqlalchemy.exc import OperationalError, InterfaceError, DBAPIError
 from models_sql import Base
 
+logger = logging.getLogger("ComfyUI-Ranking.Database")
+
 # 核心：优先读取环境变量中的 PostgreSQL 数据库连接
 SQLALCHEMY_DATABASE_URL = os.environ.get("DATABASE_URL", "sqlite:////tmp/comfy_financial.db")
 
-# 兼容性处理：只有在使用降级的 SQLite 时，才需要 check_same_thread=False
-connect_args = {"check_same_thread": False} if "sqlite" in SQLALCHEMY_DATABASE_URL else {}
+# 🚀 P1性能优化：根据数据库类型配置连接池
+if "sqlite" in SQLALCHEMY_DATABASE_URL:
+    # SQLite：使用空连接池，单线程模式
+    connect_args = {"check_same_thread": False}
+    engine = create_engine(
+        SQLALCHEMY_DATABASE_URL, 
+        connect_args=connect_args,
+        poolclass=NullPool  # SQLite 不需要连接池
+    )
+else:
+    # PostgreSQL/MySQL：配置连接池参数
+    engine = create_engine(
+        SQLALCHEMY_DATABASE_URL,
+        poolclass=QueuePool,
+        pool_size=5,           # 核心连接数
+        max_overflow=10,       # 超出 pool_size 后可创建的最大连接数
+        pool_timeout=30,       # 获取连接超时(秒)
+        pool_recycle=1800,     # 连接回收时间(30分钟)，防止数据库断开
+        pool_pre_ping=True     # 使用前检测连接有效性
+    )
 
-engine = create_engine(SQLALCHEMY_DATABASE_URL, connect_args=connect_args)
 SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
 
+
+# ==========================================
+# 🛡️ 稳定性优化：数据库操作重试装饰器
+# ==========================================
+def db_retry(max_retries: int = 3, delay: float = 0.5):
+    """
+    数据库操作重试装饰器
+    
+    用法：
+        @db_retry(max_retries=3)
+        def my_db_function(db):
+            ...
+    """
+    def decorator(func):
+        @wraps(func)
+        def wrapper(*args, **kwargs):
+            last_error = None
+            for attempt in range(max_retries):
+                try:
+                    return func(*args, **kwargs)
+                except (OperationalError, InterfaceError, DBAPIError) as e:
+                    last_error = e
+                    if attempt < max_retries - 1:
+                        wait_time = delay * (2 ** attempt)  # 指数退避
+                        logger.warning(f"DB 操作失败 (第{attempt+1}次):{e}, {wait_time}秒后重试")
+                        time.sleep(wait_time)
+                    else:
+                        logger.error(f"DB 操作失败 (重试{max_retries}次后放弃): {e}")
+            raise last_error
+        return wrapper
+    return decorator
+
+
 def init_sql_db():
-    # 启动时自动检查并在云端（或本地）建立缺失的表
-    Base.metadata.create_all(bind=engine)
+    """初始化数据库，包含重试机制"""
+    for attempt in range(3):
+        try:
+            Base.metadata.create_all(bind=engine)
+            logger.info("数据库初始化成功")
+            return
+        except Exception as e:
+            if attempt < 2:
+                logger.warning(f"数据库初始化失败 (第{attempt+1}次): {e}")
+                time.sleep(2 ** attempt)
+            else:
+                logger.error(f"数据库初始化失败 (已重试3次): {e}")
+                raise
+
 
 def get_db():
+    """获取数据库会话，带连接有效性检测"""
     db = SessionLocal()
     try:
         yield db
+    except (OperationalError, InterfaceError) as e:
+        logger.error(f"数据库连接错误: {e}")
+        db.rollback()
+        raise
     finally:
-        db.close()
+        db.close()
+
+
+def check_db_connection() -> bool:
+    """
+    检查数据库连接是否正常
+    用于健康检查接口
+    """
+    try:
+        db = SessionLocal()
+        db.execute(text("SELECT 1"))
+        db.close()
+        return True
+    except Exception as e:
+        logger.error(f"数据库连接检查失败: {e}")
+        return False

requirements.txt

@@ -1,12 +1,15 @@
-fastapi
-uvicorn
-pydantic
-huggingface_hub
-datasets
-python-multipart
+# 🔒 P0安全修复：依赖版本锁定，防止供应链攻击和不兼容更新
+fastapi==0.104.1
+uvicorn==0.24.0
+pydantic==2.5.2
+huggingface_hub==0.19.4
+datasets==2.15.0
+python-multipart==0.0.6
 alibabacloud_dysmsapi20170525==2.0.24
-sqlalchemy
-psycopg2-binary
-httpx
-python-alipay-sdk
-aiofiles
+sqlalchemy==2.0.23
+psycopg2-binary==2.9.9
+httpx==0.25.2
+python-alipay-sdk==3.1.0
+aiofiles==23.2.1
+# 🚀 P2优化：速率限制
+slowapi==0.1.9

router_items.py

@@ -1,5 +1,5 @@
 # router_items.py
-from fastapi import APIRouter, HTTPException
+from fastapi import APIRouter, HTTPException, Depends
 import time
 import uuid
 import datetime
@@ -9,6 +9,7 @@ import urllib.error
 import json
 import 数据库连接 as db
 from models import ItemCreate, ItemUpdate
+from 安全认证 import require_auth
 
 router = APIRouter()
 
@@ -56,15 +57,29 @@ async def get_items(type: str = "tool", sort: str = "time", limit: int = 50): #
 
 @router.get("/api/creators")
 async def get_creators(sort: str = "downloads", limit: int = 20):
+    """
+    获取创作者列表
+    🚀 P1性能优化：预构建 author->items 索引，避免 N+1 查询
+    """
     users_db = db.load_data("users.json", default_data={})
     items_db = db.load_data("items.json", default_data=[])
     comments_db = db.load_data("comments.json", default_data={})
     
+    # 🚀 P1性能优化：预构建 author->items 索引，复杂度从 O(n*m) 降到 O(n+m)
+    author_items_index = {}
+    for item in items_db:
+        author = item.get("author")
+        if author:
+            if author not in author_items_index:
+                author_items_index[author] = []
+            author_items_index[author].append(item)
+    
     creators = []
     months = get_last_6_months()
     
     for account, u in users_db.items():
-        u_items = [i for i in items_db if i.get("author") == account]
+        # 🚀 P1性能优化：直接从索引获取，而非遍历全表
+        u_items = author_items_index.get(account, [])
         
         trend_tools = {m: 0 for m in months}
         trend_apps = {m: 0 for m in months}
@@ -126,7 +141,11 @@ async def create_item(item: ItemCreate):
     return {"status": "success", "data": new_item}
 
 @router.put("/api/items/{item_id}")
-async def update_item(item_id: str, update_data: ItemUpdate, author: str):
+async def update_item(item_id: str, update_data: ItemUpdate, current_user: str = Depends(require_auth)):
+    """
+    更新内容接口
+    🔒 P0安全修复：使用 JWT Token 验证用户身份，而非前端传入的 author 参数
+    """
     if update_data.price is not None:
         update_data.price = int(update_data.price)
         if update_data.price < 0:
@@ -135,7 +154,9 @@ async def update_item(item_id: str, update_data: ItemUpdate, author: str):
     items_db = db.load_data("items.json", default_data=[])
     for item in items_db:
         if item["id"] == item_id:
-            if item.get("author") != author: raise HTTPException(status_code=403, detail="无权修改他人发布的内容")
+            # 🔒 P0安全修复：使用 JWT 解析出的真实用户账号进行校验
+            if item.get("author") != current_user: 
+                raise HTTPException(status_code=403, detail="无权修改他人发布的内容")
             
             if update_data.title is not None: item["title"] = update_data.title
             if update_data.shortDesc is not None: item["shortDesc"] = update_data.shortDesc

router_messages.py

@@ -12,6 +12,20 @@ from 安全认证 import require_auth
 
 router = APIRouter()
 
+# ==========================================
+# 🔒 P0安全修复：管理员账号从环境变量读取
+# ==========================================
+# 支持多管理员，逗号分隔，如：ADMIN_ACCOUNTS=admin1,admin2,admin3
+ADMIN_ACCOUNTS = set(
+    acc.strip() 
+    for acc in os.environ.get("ADMIN_ACCOUNTS", "").split(",") 
+    if acc.strip()
+)
+
+def is_admin(account: str) -> bool:
+    """检查账号是否为管理员"""
+    return account in ADMIN_ACCOUNTS
+
 # ==========================================
 # 新增：系统公告请求体模型
 # ==========================================
@@ -24,8 +38,8 @@ class SystemAnnouncement(BaseModel):
 # ==========================================
 @router.post("/api/system/announcement")
 async def publish_announcement(ann: SystemAnnouncement, current_user: str = Depends(require_auth)):
-    # ✅ 安全检查：使用 JWT Token 解析出的真实用户账号，而不是请求体中的字段
-    if current_user != "123456":
+    # 🔒 P0安全修复：使用环境变量配置的管理员列表
+    if not is_admin(current_user):
         raise HTTPException(status_code=403, detail="无权发布系统公告，仅管理员可操作")
     
     announcements_db = db.load_data("announcements.json", default_data=[])
@@ -33,7 +47,7 @@ async def publish_announcement(ann: SystemAnnouncement, current_user: str = Depe
     new_ann = {
         "id": f"sys_{int(time.time())}_{uuid.uuid4().hex[:6]}",
         "type": "system",
-        "from_user": "123456",
+        "from_user": current_user,  # 使用真实的管理员账号
         "from_name": "官方团队",
         "from_avatar": "https://via.placeholder.com/150/FF9800/FFFFFF?text=Sys",
         "content": ann.content,
@@ -52,23 +66,37 @@ class AdminScriptRequest(BaseModel):
     admin_account: str
     script_name: str
 
+# 🔒 P0安全修复：脚本白名单（仅允许执行指定的脚本）
+# 警告：添加新脚本前请确保其安全性
+ALLOWED_SCRIPTS = {
+    "密码迁移.py",      # 用户密码哈希化迁移
+    "测试脚本.py",      # 接口测试工具
+}
+
 @router.post("/api/admin/run-script")
 async def run_admin_script(req: AdminScriptRequest, current_user: str = Depends(require_auth)):
     """
     管理员专属：执行指定的 Python 脚本
-    ✅ 安全改造：使用 JWT Token 验证真实登录用户
+    🔒 P0安全修复：白名单 + 路径穿越防护
     """
-    # ✅ 安全检查：使用 JWT Token 解析出的真实用户账号
-    if current_user != "123456":
+    # 🔒 P0安全修复：使用环境变量配置的管理员列表
+    if not is_admin(current_user):
         raise HTTPException(status_code=403, detail="无权执行此操作，仅管理员可操作")
     
     script_name = req.script_name.strip()
     if not script_name:
         raise HTTPException(status_code=400, detail="脚本名称不能为空")
     
-    # 安全检查：仅允许执行 .py 文件
-    if not script_name.endswith(".py"):
-        raise HTTPException(status_code=400, detail="仅支持执行 .py 文件")
+    # 🔒 P0安全修复：路径穿越攻击防护
+    if ".." in script_name or "/" in script_name or "\\" in script_name:
+        raise HTTPException(status_code=400, detail="🚨 安全拦截：脚本名称包含非法字符")
+    
+    # 🔒 P0安全修复：白名单检查
+    if script_name not in ALLOWED_SCRIPTS:
+        raise HTTPException(
+            status_code=403, 
+            detail=f"🚨 安全拦截：脚本 [{script_name}] 不在白名单中。允许的脚本: {list(ALLOWED_SCRIPTS)}"
+        )
     
     # 获取当前工作目录
     current_dir = os.path.dirname(os.path.abspath(__file__))
@@ -78,7 +106,7 @@ async def run_admin_script(req: AdminScriptRequest, current_user: str = Depends(
     if not os.path.exists(script_path):
         return {
             "status": "error",
-            "output": f"❌ 脚本文件不存在: {script_name}\n\n当前目录: {current_dir}\n\n可用脚本: {[f for f in os.listdir(current_dir) if f.endswith('.py')]}"
+            "output": f"❌ 脚本文件不存在: {script_name}\n\n白名单脚本: {list(ALLOWED_SCRIPTS)}"
         }
     
     try:

router_users_auth.py

@@ -17,11 +17,16 @@ import random
 import json
 import 数据库连接 as db
 from models import UserRegister, UserLogin, SendCodeRequest
-from verify_code_engine import VERIFY_CODES, send_email_code, send_sms_code
+from verify_code_engine import VERIFY_CODES, send_email_code, send_sms_code, cleanup_expired_codes
 
 # 🔒 P0安全增强：导入密码哈希和 JWT 工具
 from 安全认证 import hash_password, verify_password, create_token
 
+# 🚀 P2优化：速率限制
+from slowapi import Limiter
+from slowapi.util import get_remote_address
+limiter = Limiter(key_func=get_remote_address)
+
 # 创建子路由实例
 router = APIRouter()
 
@@ -33,7 +38,8 @@ router = APIRouter()
 # 关联：verify_code_engine.py 的 send_email_code / send_sms_code
 # 前端调用：注册表单组件.js、重置密码表单组件.js
 @router.post("/api/users/send-code")
-async def send_verify_code(req: SendCodeRequest, bg_tasks: BackgroundTasks):
+@limiter.limit("5/minute")  # 🚀 P2优化：每分钟最多5次
+async def send_verify_code(request: Request, req: SendCodeRequest, bg_tasks: BackgroundTasks):
     """
     发送验证码接口（异步版本）
     
@@ -62,6 +68,9 @@ async def send_verify_code(req: SendCodeRequest, bg_tasks: BackgroundTasks):
     # 生成6位随机验证码
     code = str(random.randint(100000, 999999))
     
+    # 🚀 P1性能优化：每次写入前触发清理过期验证码
+    cleanup_expired_codes()
+    
     # 构建缓存键（联系方式_动作类型）
     cache_key = f"{req.contact}_{req.action_type}"
     
@@ -209,7 +218,8 @@ async def register_user(user: UserRegister):
 #   - 数据库连接.py (读取 users.json 校验密码)
 #   - 前端 登录表单组件.js
 @router.post("/api/users/login")
-async def login_user(user: UserLogin):
+@limiter.limit("10/minute")  # 🚀 P2优化：每分钟最多10次登录尝试
+async def login_user(request: Request, user: UserLogin):
     """
     用户登录接口
     

router_wallet.py

@@ -17,11 +17,15 @@ import uuid
 import hashlib
 import os
 import datetime
+import logging
 from database_sql import get_db
 from models_sql import Wallet, Transaction, Ownership
 from models import RechargeRequest, WithdrawRequest, PurchaseRequest, TipRequest
 import 数据库连接 as json_db
 
+# 📝 P2优化：审计日志
+logger = logging.getLogger("ComfyUI-Ranking.Wallet")
+
 # 🔐 导入验证码缓存 (提现时需要验证)
 from verify_code_engine import VERIFY_CODES
 
@@ -180,6 +184,9 @@ async def purchase_item(req: PurchaseRequest, db: Session = Depends(get_db)):
     db.add(new_tx)
     db.commit()
     
+    # 📝 P2优化：购买审计日志
+    logger.info(f"PURCHASE | buyer={req.account} | seller={seller_account} | item={req.item_id} | amount={price} | tx={tx_id}")
+    
     return {"status": "success", "already_owned": False}
 
 @router.post("/api/wallet/tip")
@@ -224,6 +231,9 @@ async def tip_user(req: TipRequest, db: Session = Depends(get_db)):
     db.add(tx_target)
     db.commit()
     
+    # 📝 P2优化：打赏审计日志
+    logger.info(f"TIP | from={req.sender_account} | to={req.target_account} | amount={req.amount} | item={req.item_id or 'N/A'} | anon={req.is_anonymous}")
+    
     # 🚀 核心新增：记录打赏榜单和月度收益趋势 (写入 JSON 以供高频读取)
     users_db = json_db.load_data("users.json", default_data={})
     items_db = json_db.load_data("items.json", default_data=[])
@@ -267,7 +277,9 @@ async def tip_user(req: TipRequest, db: Session = Depends(get_db)):
 async def withdraw(req: WithdrawRequest, db: Session = Depends(get_db)):
     key = f"{req.account}_withdraw"
     code_data = VERIFY_CODES.get(key)
-    if not code_data or code_data["code"] != req.code or time.time() > code_data["expires"]:
+    # 🔒 P0安全修复：统一使用 expires_at 字段，兼容旧版 expires
+    expire_time = code_data.get("expires_at", code_data.get("expires", 0)) if code_data else 0
+    if not code_data or code_data["code"] != req.code or time.time() > expire_time:
         raise HTTPException(status_code=400, detail="验证码无效或已过期")
         
     wallet = db.query(Wallet).filter(Wallet.account == req.account).with_for_update().first()
@@ -327,6 +339,9 @@ async def withdraw(req: WithdrawRequest, db: Session = Depends(get_db)):
     
     db.commit()
     
+    # 📝 P2优化：提现审计日志
+    logger.info(f"WITHDRAW | account={req.account} | amount={actual_withdraw} | fee={fee_amount} | net={net_amount} | tx={tx_id}")
+    
     del VERIFY_CODES[key]
     return {
         "status": "success",

verify_code_engine.py

@@ -10,6 +10,7 @@
 
 import os
 import json
+import time
 import urllib.request
 import urllib.parse
 import base64
@@ -22,6 +23,37 @@ import base64
 # 注意：服务重启后缓存会清空，生产环境建议改用 Redis
 VERIFY_CODES = {}
 
+# 🚀 P1性能优化：记录上次清理时间，避免频繁清理
+_last_cleanup_time = 0
+_CLEANUP_INTERVAL = 300  # 5分钟清理一次
+
+
+def cleanup_expired_codes():
+    """
+    🚀 P1性能优化：清理过期验证码，防止内存泄漏
+    """
+    global _last_cleanup_time
+    now = time.time()
+    
+    # 限制清理频率，避免每次请求都清理
+    if now - _last_cleanup_time < _CLEANUP_INTERVAL:
+        return
+    
+    _last_cleanup_time = now
+    
+    # 收集过期的键
+    expired_keys = [
+        key for key, data in VERIFY_CODES.items()
+        if now > data.get("expires_at", data.get("expires", 0))
+    ]
+    
+    # 删除过期验证码
+    for key in expired_keys:
+        del VERIFY_CODES[key]
+    
+    if expired_keys:
+        print(f"🧹 已清理 {len(expired_keys)} 个过期验证码，当前缓存: {len(VERIFY_CODES)} 条")
+
 
 def send_email_code(to_email: str, code: str, action: str):
     """

云端_定时版本检测引擎.py

@@ -2,10 +2,16 @@
 import asyncio
 import datetime
 import httpx
+import logging
 import 数据库连接 as db
 
+logger = logging.getLogger("ComfyUI-Ranking.VersionCheck")
+
 async def fetch_latest_github_hash(repo_url, token):
-    """请求 GitHub API 获取最新版的 Commit Hash"""
+    """
+    请求 GitHub API 获取最新版的 Commit Hash
+    🛡️ 稳定性优化：超时保护 + 异常捕获 + 重试机制
+    """
     try:
         parts = repo_url.rstrip("/").split("/")
         if len(parts) < 2: return None
@@ -15,15 +21,27 @@ async def fetch_latest_github_hash(repo_url, token):
         headers = {"Accept": "application/vnd.github.v3+json", "User-Agent": "ComfyUI-Hub"}
         if token:
             headers["Authorization"] = f"token {token}"
-            
-        async with httpx.AsyncClient(follow_redirects=True) as client:
-            resp = await client.get(api_url, headers=headers, timeout=15.0)
-            if resp.status_code == 200:
-                data = resp.json()
-                if isinstance(data, list) and len(data) > 0:
-                    return data[0]["sha"]  # 返回最新的 Commit Hash
+        
+        # 🛡️ 稳定性优化：超时 + 重试
+        async with httpx.AsyncClient(follow_redirects=True, timeout=httpx.Timeout(15.0, connect=5.0)) as client:
+            for attempt in range(3):  # 最多重试 3 次
+                try:
+                    resp = await client.get(api_url, headers=headers)
+                    if resp.status_code == 200:
+                        data = resp.json()
+                        if isinstance(data, list) and len(data) > 0:
+                            return data[0]["sha"]  # 返回最新的 Commit Hash
+                    elif resp.status_code == 403:  # Rate limit
+                        logger.warning(f"GitHub API 速率限制: {repo_url}")
+                        return None
+                    break
+                except (httpx.TimeoutException, httpx.ConnectError) as e:
+                    if attempt < 2:
+                        await asyncio.sleep(2 ** attempt)  # 指数退避
+                        continue
+                    logger.warning(f"版本检测超时 {repo_url}: {e}")
     except Exception as e:
-        print(f"检测版本失败 {repo_url}: {e}")
+        logger.error(f"检测版本失败 {repo_url}: {e}")
     return None
 
 async def daily_version_check_task():