fix(security): add authenticateAdmin middleware to concurrency routes

fix(security): add authenticateAdmin middleware to concurrency routes

All concurrency management endpoints were missing authentication,
allowing unauthenticated access to view and clear concurrency data.
QTom
2025-12-10 13:59:25 +08:00
committed by GitHub
parent cb94a4260e
commit e3ca555df7


@@ -7,12 +7,13 @@ const express = require('express')
const router = express.Router() const router = express.Router()
const redis = require('../../models/redis') const redis = require('../../models/redis')
const logger = require('../../utils/logger') const logger = require('../../utils/logger')
const { authenticateAdmin } = require('../../middleware/auth')
/** /**
* GET /admin/concurrency * GET /admin/concurrency
* 获取所有并发状态 * 获取所有并发状态
*/ */
router.get('/concurrency', async (req, res) => { router.get('/concurrency', authenticateAdmin, async (req, res) => {
try { try {
const status = await redis.getAllConcurrencyStatus() const status = await redis.getAllConcurrencyStatus()
@@ -42,7 +43,7 @@ router.get('/concurrency', async (req, res) => {
* GET /admin/concurrency/:apiKeyId * GET /admin/concurrency/:apiKeyId
* 获取特定 API Key 的并发状态详情 * 获取特定 API Key 的并发状态详情
*/ */
router.get('/concurrency/:apiKeyId', async (req, res) => { router.get('/concurrency/:apiKeyId', authenticateAdmin, async (req, res) => {
try { try {
const { apiKeyId } = req.params const { apiKeyId } = req.params
const status = await redis.getConcurrencyStatus(apiKeyId) const status = await redis.getConcurrencyStatus(apiKeyId)
@@ -65,7 +66,7 @@ router.get('/concurrency/:apiKeyId', async (req, res) => {
* DELETE /admin/concurrency/:apiKeyId * DELETE /admin/concurrency/:apiKeyId
* 强制清理特定 API Key 的并发计数 * 强制清理特定 API Key 的并发计数
*/ */
router.delete('/concurrency/:apiKeyId', async (req, res) => { router.delete('/concurrency/:apiKeyId', authenticateAdmin, async (req, res) => {
try { try {
const { apiKeyId } = req.params const { apiKeyId } = req.params
const result = await redis.forceClearConcurrency(apiKeyId) const result = await redis.forceClearConcurrency(apiKeyId)
@@ -93,7 +94,7 @@ router.delete('/concurrency/:apiKeyId', async (req, res) => {
* DELETE /admin/concurrency * DELETE /admin/concurrency
* 强制清理所有并发计数 * 强制清理所有并发计数
*/ */
router.delete('/concurrency', async (req, res) => { router.delete('/concurrency', authenticateAdmin, async (req, res) => {
try { try {
const result = await redis.forceClearAllConcurrency() const result = await redis.forceClearAllConcurrency()
@@ -118,7 +119,7 @@ router.delete('/concurrency', async (req, res) => {
* POST /admin/concurrency/cleanup * POST /admin/concurrency/cleanup
* 清理过期的并发条目(不影响活跃请求) * 清理过期的并发条目(不影响活跃请求)
*/ */
router.post('/concurrency/cleanup', async (req, res) => { router.post('/concurrency/cleanup', authenticateAdmin, async (req, res) => {
try { try {
const { apiKeyId } = req.body const { apiKeyId } = req.body
const result = await redis.cleanupExpiredConcurrency(apiKeyId || null) const result = await redis.cleanupExpiredConcurrency(apiKeyId || null)
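Review bot: Wiring `authenticateAdmin` into each of the five route registrations leaves the same gap open for the next handler someone adds to this router; registering it once on the router, `router.use(authenticateAdmin)` directly after `const router = express.Router()` in the first hunk, would cover every route in the file, including any outside these hunks that this page does not show. The per-route arguments could then be dropped, or kept as explicit documentation of the requirement on each handler. The two forced-clear handlers (`DELETE /concurrency/:apiKeyId` and `DELETE /concurrency`) are destructive, so it is worth confirming they record the acting admin through the already-imported `logger`; their bodies continue outside the hunks, so that cannot be checked here.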