security: move onmyoji_gacha BOT_TOKEN to env var (was hardcoded plaintext)

danding_bot/plugins/onmyoji_gacha/api_utils.py

@@ -31,10 +31,11 @@ def mask_username(username: str) -> str:
 # 获取配置
 config = Config()
 
-# API 端点配置
+# API endpoint from config
-DD_API_HOST = "https://api.danding.vip/DD/"  # 蛋定服务器连接地址
+DD_API_HOST = config.DD_API_HOST
-BOT_TOKEN = "3340e353a49447f1be640543cbdcd937"  # 对接服务器的Token
+# Secrets from config (sourced from environment variables)
-BOT_USER_ID = "1424473282"  # 机器人用户ID
+BOT_TOKEN = config.BOT_TOKEN
+BOT_USER_ID = config.BOT_USER_ID
 
 async def query_qq_binding(qq: str) -> Tuple[bool, Optional[str], Optional[str]]:
     """

danding_bot/plugins/onmyoji_gacha/config.py

@@ -111,5 +111,11 @@ class Config(BaseSettings):
     WEB_ADMIN_TOKEN: str = os.getenv("WEB_ADMIN_TOKEN", "onmyoji_admin_token_2024")
     WEB_ADMIN_PORT: int = int(os.getenv("WEB_ADMIN_PORT", "8080"))
 
+    # 蛋定服务器对接配置
+    DD_API_HOST: str = "https://api.danding.vip/DD/"
+    BOT_TOKEN: str = os.getenv("ONMYOJI_BOT_TOKEN", os.getenv("BOT_TOKEN", ""))  # 必须设置
+    BOT_USER_ID: str = "1424473282"
+
+
     # 时区
     TIMEZONE: str = "Asia/Shanghai"