github/claude-relay-service
1
0
Fork 0
mirror of https://github.com/Wei-Shaw/claude-relay-service.git synced 2026-01-23 09:38:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: disable user API keys when user account is disabled

Browse Source 
Security enhancement to prevent disabled users from using API keys:

- Auto-disable all API keys when user is disabled/deleted
- Add user status validation during API key authentication
- Prevent API usage even if key is active but user is disabled
- Add comprehensive logging for security audit trail

This ensures disabled users cannot bypass restrictions through
existing API keys and maintains system security integrity.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Feng Yue
2025-08-14 16:25:42 +08:00
parent 6b4ce99237
commit 94eed70cf2
2 changed files with 33 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
src/services/userService.js
View File

@@ -259,9 +259,18 @@ class UserService {
await redis.set(`${this.userPrefix}${userId}`, JSON.stringify(user))
logger.info(`🔄 Updated user status: ${user.username} -> ${isActive ? 'active' : 'disabled'}`)
// 如果禁用用户,删除所有会话
// 如果禁用用户,删除所有会话并禁用其所有API Keys
if (!isActive) {
await this.invalidateUserSessions(userId)
// Disable all user's API keys when user is disabled
try {
const apiKeyService = require('./apiKeyService')
const result = await apiKeyService.disableUserApiKeys(userId)
logger.info(`🔑 Disabled ${result.count} API keys for disabled user: ${user.username}`)
} catch (error) {
logger.error('❌ Error disabling user API keys during user disable:', error)
}
}
return user
@@ -420,6 +429,15 @@ class UserService {
// 删除所有会话
await this.invalidateUserSessions(userId)
// Disable all user's API keys when user is deleted
try {
const apiKeyService = require('./apiKeyService')
const result = await apiKeyService.disableUserApiKeys(userId)
logger.info(`🔑 Disabled ${result.count} API keys for deleted user: ${user.username}`)
} catch (error) {
logger.error('❌ Error disabling user API keys during user deletion:', error)
}
logger.info(`🗑️ Soft deleted user: ${user.username} (${userId})`)
return user
} catch (error) {