From 991dd1436f1c76b91e63d838f987c86cd85f8eea Mon Sep 17 00:00:00 2001 From: shaw Date: Thu, 25 Sep 2025 17:23:05 +0800 Subject: [PATCH] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8Dapikey=E7=9A=84?= =?UTF-8?q?=E6=9C=8D=E5=8A=A1=E6=9D=83=E9=99=90=E5=A4=B1=E6=95=88=E9=97=AE?= =?UTF-8?q?=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/routes/api.js | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/routes/api.js b/src/routes/api.js index 7a73bf94..8d91c791 100644 --- a/src/routes/api.js +++ b/src/routes/api.js @@ -20,6 +20,20 @@ async function handleMessagesRequest(req, res) { try { const startTime = Date.now() + // Claude 服务权限校验,阻止未授权的 Key + if ( + req.apiKey.permissions && + req.apiKey.permissions !== 'all' && + req.apiKey.permissions !== 'claude' + ) { + return res.status(403).json({ + error: { + type: 'permission_error', + message: '此 API Key 无权访问 Claude 服务' + } + }) + } + // 严格的输入验证 if (!req.body || typeof req.body !== 'object') { return res.status(400).json({ @@ -988,3 +1002,4 @@ router.post('/v1/messages/count_tokens', authenticateApiKey, async (req, res) => }) module.exports = router +module.exports.handleMessagesRequest = handleMessagesRequest
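Review bot: The new guard at the top of `handleMessagesRequest` fails open: because of the leading `req.apiKey.permissions &&`, a key whose `permissions` is missing, `null` or an empty string skips the 403 and is treated like `'all'`. If that is the intended default for older keys, say so above the `if`, e.g. `// Keys without a permissions value are treated as unrestricted (legacy default)`; if it is not, deny unless the value is explicitly allowed: `const perms = req.apiKey.permissions` followed by `if (perms !== 'all' && perms !== 'claude') {`. The rule also lives inside this one handler, so other Claude-facing routes need their own copy; the `count_tokens` route named in the next hunk's header has an inline handler whose body is not shown, so its coverage cannot be confirmed from here. A small middleware mounted after `authenticateApiKey` would keep the check in one place. The function body continues outside the hunk.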
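Review bot: Exporting `handleMessagesRequest` as a property of the router lets other modules mount the handler, and the handler now reads `req.apiKey.permissions` without checking that `req.apiKey` exists. Any route that reuses it has to run `authenticateApiKey` first, otherwise the permission check throws instead of returning 403 (what the surrounding `try` does with that error is not visible here). A comment on the export would record the contract: `// Callers must mount authenticateApiKey before this handler; it relies on req.apiKey being set`.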