xiaozhi-esp32-server-java
by joey-zhou
Overview
Java backend for ESP32 smart hardware devices, providing a management platform with AI agent capabilities for intelligent device control and interactive voice features.
Installation
docker-compose up -d
Environment Variables
- SPRING_DATASOURCE_URL
- SPRING_DATASOURCE_USERNAME
- SPRING_DATASOURCE_PASSWORD
- SPRING_DATA_REDIS_HOST
- SPRING_DATA_REDIS_PORT
- SPRING_DATA_REDIS_PASSWORD
- WECHAT_APPID
- WECHAT_SECRET
- SMS_ALIYUN_ACCESS_KEY_ID
- SMS_ALIYUN_ACCESS_KEY_SECRET
- SMS_ALIYUN_SIGN_NAME
- SMS_ALIYUN_TEMPLATE_CODE
- EMAIL_SMTP_USERNAME
- EMAIL_SMTP_PASSWORD
- XIAOZHI_UPLOAD_PATH
- XIAOZHI_COMMUNICATION_PROTOCOL
- XIAOZHI_SERVER_DOMAIN
- CHECK_INACTIVE_SESSION
- INACTIVE_TIMEOUT_SECONDS
- TTS_TIMEOUT_MS
- TTS_MAX_RETRY_COUNT
- TTS_RETRY_DELAY_MS
- TTS_MAX_CONCURRENT_PER_SESSION
- VAD_PREBUFFER_MS
- VAD_TAIL_KEEP_MS
- VAD_AUDIO_ENHANCEMENT_ENABLED
- VAD_MODEL_PATH
- XIAOZHI_MCP_DEVICE_MAX_TOOLS_COUNT
- COS_SECRETID
- COS_SECRETKEY
- COS_BUCKETNAME
- COS_REGION
Security Notes
CRITICAL VULNERABILITIES DETECTED:
1. **Unauthenticated Virtual Device Creation/Access via `user_chat_` deviceId:** The `MessageHandler.handleUnboundDevice` function attempts to automatically bind new WebSocket connections if their `device-id` starts with `user_chat_` followed by a user ID (e.g., `user_chat_1`). If a virtual device for that specific `device-id` does not exist in the database, the system will *create* one and associate it with the extracted `userId`. This allows any malicious actor to create or take over a virtual device linked to any existing user account (including administrator accounts, e.g., `userId=1`) simply by spoofing the `device-id` in the connection request. This is a critical authentication bypass that grants unauthorized access to user-specific virtual devices and potentially associated functionalities.
2. **Weak Device Authentication on WebSocket:** The `WebSocketHandler.afterConnectionEstablished` method has commented-out code for token-based authentication. In its current active state, device authentication relies solely on the `device-id` header or URI parameter. This `device-id` is easily spoofed, enabling unauthorized physical devices to impersonate legitimate ones and gain control over their associated roles and functionalities.
3. **Storage of Sensitive API Keys in Database:** API keys and secrets for numerous external LLM, STT, and TTS services (e.g., OpenAI, Aliyun, Coze, Dify) are stored directly in plaintext or weakly encrypted format within the `sys_config` database table. While common, this practice makes the entire system highly vulnerable to database breaches. A compromise of the database would immediately expose all integrated service credentials, posing a significant security risk.
Similar Servers
xiaozhi-esp32-server
Provides a robust backend service for the Xiaozhi ESP32 intelligent terminal hardware, enabling AI assistant functionalities such as voice recognition, natural language processing, knowledge base integration, voice cloning, and device control through MQTT, Websocket, and MCP protocols.
solon-ai
A framework for building AI agents and applications that communicate via the Model Context Protocol (MCP) to interact with diverse AI services, tools, and resources.
ha-mcp
A Model Context Protocol server that provides complete control over Home Assistant through REST API and WebSocket integration with a wide array of enhanced tools.
IntelliConnect
An intelligent IoT platform leveraging AI agents, large language models, and various IoT protocols for smart device management and voice-controlled applications.