github-actions[bot]
c97bfb6478
chore: sync VERSION file with release v1.1.266 [skip ci]
v1.1.266
2026-01-24 12:22:09 +00:00
Wesley Liddick
efda870e96
Merge pull request #923 from DaydreamCoding/feature/fix_api_auth
...
fix(auth): fix client restriction bypass vulnerability, add path whitelist check
2026-01-24 20:21:52 +08:00
Wesley Liddick
1ae310f2a1
Merge pull request #920 from arksou/main [skip ci]
...
fix: quota-exceeded handling optimization
2026-01-24 20:21:34 +08:00
QTom
6dc85b39c9
refactor(validators): eliminate duplicate code, use a mapping table and reuse functions
...
Refactor after code review:
- isPathAllowedForClient reuses getClientDefinitionById to avoid duplicate lookups
- validateRequest uses getClientDefinitionById instead of an inline lookup
- Use the VALIDATOR_MAP mapping table instead of a switch statement
- getSupportedClients now derives its list from the mapping table instead of hardcoding it
- Import the CLIENT_IDS enum for better type safety
These changes improve maintainability: adding a new client only requires updating the mapping table.
2026-01-24 17:45:13 +08:00
QTom
6c4670213e
fix(auth): fix client restriction bypass vulnerability, add path whitelist check
...
When an API Key has client restrictions enabled (e.g. only Claude Code is allowed), an attacker can bypass
the validation via OpenAI-compatible endpoints such as /api/v1/chat/completions. The cause is that
ClaudeCodeValidator only checks the User-Agent for non-messages paths.
Fix:
- Define a whitelist of allowed paths for each client type
- Perform the path check before client validation
- If the path is not in the whitelist, reject immediately without further validation
Files changed:
- src/validators/clientDefinitions.js: add the allowedPathPrefixes configuration
- src/validators/clientValidator.js: add a path whitelist pre-check
Route protection under the Claude Code restriction:
- Allowed: /api/v1/messages, /claude/v1/messages and other native endpoints
- Denied: /api/v1/chat/completions, /openai/claude/v1/chat/completions, etc.
- The same applies to the other client types (Gemini CLI, Codex CLI, Droid CLI)
Related issue: the /api/v1/chat/completions endpoint remained usable after the Claude Code restriction
was enabled; analyze the root cause in depth and provide a fix #security #client-restriction
2026-01-24 17:37:42 +08:00
gaozitian
d16b75293d
fix: optimize Claude Console quota exceeded status display
...
- Keep account status as 'active' when quota exceeded (not 'quota_exceeded')
- Keep isActive as true, only use quotaStoppedAt to mark quota exceeded
- Show green status in UI for quota exceeded accounts (normal state)
- Show 'insufficient balance' (余额不足) as the unschedulable reason instead of 'paused' (已暂停)
- Simplify resetDailyUsage() to only check quotaStoppedAt field
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-24 12:06:09 +08:00
github-actions[bot]
2ac31a5706
chore: sync VERSION file with release v1.1.265 [skip ci]
v1.1.265
2026-01-23 11:16:24 +00:00
Wesley Liddick
a3a922ac09
Merge pull request #919 from arksou/hotfix/claude-console-quota-exceeded-recovery
...
fix: optimize Claude Console quota-exceeded status, support proactive automatic recovery
2026-01-23 19:16:10 +08:00
Wesley Liddick
0073d40299
Merge pull request #916 from enzyme2013/fix/allow-new-session-after-clear [skip ci]
...
fix: allow new session binding after /clear command
2026-01-23 19:15:59 +08:00
jett.gao
d812af9159
fix: optimize Claude Console quota-exceeded status, support proactive automatic recovery
...
- Add a quota-exceeded recovery check to rateLimitCleanupService (every 5 minutes)
- Scheduler pre-checks quota-exceeded accounts and recovers them automatically once the reset time is reached
- Frontend shows "insufficient balance" (余额不足) instead of the default "scheduling manually stopped" (手动停止调度)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-23 18:19:34 +08:00
github-actions[bot]
4ed5cc631a
chore: sync VERSION file with release v1.1.264 [skip ci]
v1.1.264
2026-01-23 02:41:20 +00:00
Wesley Liddick
4019b043ec
Merge pull request #918 from Chapoly1305/fix/crypto-import
...
fix: add missing crypto module import in geminiAccountService
2026-01-23 10:41:04 +08:00
Junming Chen
9d70110139
fix: add missing crypto module import in geminiAccountService
2026-01-22 21:32:49 -05:00
github-actions[bot]
2180c42b84
chore: sync VERSION file with release v1.1.263 [skip ci]
v1.1.263
2026-01-22 13:57:22 +00:00
Wesley Liddick
0883bb6b39
Merge pull request #859 from SunSeekerX/feat/optimize
...
feat: large-scale performance optimization - Redis pipeline batch operations, index system, connection pool optimization
2026-01-22 21:57:07 +08:00
enzyme2013
16e2bcfedb
fix: allow new session binding after /clear command
...
- Remove the isOldSession check; trust the client's session ID as the identifier of a new session
- Change the sessionBindingTtlDays default from 30 days to 1 day to avoid Redis memory accumulation
- Add monitoring logs for new session bindings (including sessionId, message count, accountId, etc.)
- Fully support legitimate new-session scenarios such as Claude Code /clear
- Update the default value in the frontend UI accordingly
Background:
After the user runs /clear in Claude Code, a new session ID is generated, but the old logic inspected the
request content, judged it an "old session", and returned a "local session has been polluted" error.
Fix:
Adopt option 2 (relax new-session detection) plus TTL optimization: trust the client's session ID,
no longer check whether the request content "looks like an old session", and let the 1-day TTL clean up expired bindings automatically.
Scope:
- src/routes/api.js (both the streaming and non-streaming paths)
- src/services/claudeRelayConfigService.js
- web/admin-spa/src/views/SettingsView.vue
2026-01-22 17:31:11 +08:00
SunSeekerX
ea6d1f1b36
1
2026-01-22 17:07:52 +08:00
SunSeekerX
4367fa47da
1
2026-01-22 17:02:00 +08:00
root
55c876fad5
fix: unify weekly cost key to usage:opus:*
...
- redis.getWeeklyOpusCost: read only usage:opus:weekly:* (remove claude fallback)
- weeklyClaudeCostInitService: write to usage:opus:weekly:* instead of claude
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 16:09:01 +08:00
root
f9df276d0c
merge: resolve conflicts from main branch
...
- auth.js: keep 402 status code with Opus message
- redis.js: keep dual-cost tracking (rated/real) with opus key prefix, add setWeeklyOpusCost method
- apiKeyService.js: keep both imports, serviceRates handling, and 5-param recordOpusCost
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 15:27:52 +08:00
github-actions[bot]
9ebef1b116
chore: sync VERSION file with release v1.1.262 [skip ci]
v1.1.262
2026-01-22 07:18:31 +00:00
Wesley Liddick
35f755246e
Merge pull request #914 from sczheng189/main
...
mod: change the Opus weekly limit to a weekly limit for all Claude models
2026-01-22 15:18:16 +08:00
root
83cbaf7c3e
fix: resolve all ESLint errors
...
- droidRelayService: add missing keyId variable declaration
- quotaCardService: use object destructuring for actualDeducted
- apiKeyService: remove unused variables and duplicate requires
- redis: remove shadowed logger/config requires
- unifiedGeminiScheduler: rename isActive param to avoid shadow
- commonHelper: add comments to empty catch blocks
- testPayloadHelper: prefix unused model param with underscore
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 15:14:22 +08:00
github-actions[bot]
338d44faee
chore: sync VERSION file with release v1.1.261 [skip ci]
v1.1.261
2026-01-22 07:08:02 +00:00
shaw
968398ffa5
fix: API Key permissions multi-select save and display issue
...
- Fix updateApiKey to use JSON.stringify for permissions field
- Add comma-separated string handling in normalizePermissions
- Add frontend parsing for comma-separated permissions format
Fixes issue where selecting multiple permissions (e.g. Claude + OpenAI)
would be saved as "claude,openai" instead of '["claude","openai"]'
2026-01-22 15:07:19 +08:00
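A normalizer for the permissions field described in the commit above, as an added example that is not the project's own code: it accepts a real array, the JSON-encoded array the fix now writes, and the legacy comma-separated string that earlier saves produced, and always hands back a de-duplicated array of known names. The permission names, the `all` wildcard and the function names are assumptions for illustration.

```javascript
// Added example (not the project's code). The permission names below are
// assumed for illustration.
const KNOWN_PERMISSIONS = ['claude', 'openai', 'gemini', 'droid', 'all'];

// Accepts: an array, a JSON-encoded array string ('["claude","openai"]'),
// a legacy comma-separated string ('claude,openai'), a single name, or
// null/undefined. Unknown names are dropped rather than trusted, and a
// malformed value yields no permissions, never a wildcard.
function normalizePermissions(raw) {
  let list;
  if (raw == null || raw === '') {
    list = [];
  } else if (Array.isArray(raw)) {
    list = raw;
  } else if (typeof raw === 'string') {
    const s = raw.trim();
    if (s.startsWith('[')) {
      try {
        const parsed = JSON.parse(s);
        list = Array.isArray(parsed) ? parsed : [];
      } catch {
        list = []; // malformed JSON: fail closed
      }
    } else {
      list = s.split(','); // legacy "claude,openai" format
    }
  } else {
    list = [];
  }
  const out = [];
  for (const item of list) {
    if (typeof item !== 'string') continue;
    const name = item.trim().toLowerCase();
    if (KNOWN_PERMISSIONS.includes(name) && !out.includes(name)) out.push(name);
  }
  return out;
}

// Write side: always persist a JSON array so future reads never depend on
// the legacy comma-separated branch.
function serializePermissions(raw) {
  return JSON.stringify(normalizePermissions(raw));
}

module.exports = { normalizePermissions, serializePermissions };
```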
shaw
645ab43675
chore: sync latest Claude Code system prompt definitions
...
Add claudeOtherSystemPrompt5 for CLI billing header detection
2026-01-22 15:07:10 +08:00
root
24f825f60d
style: format all files with prettier
...
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 15:05:58 +08:00
root
ac7d28f9ce
style: format quotaCardService.js with prettier
...
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 15:04:55 +08:00
sczheng
1027a2e3e2
mod: change the Opus weekly limit to a weekly limit for all Claude models
2026-01-22 15:04:34 +08:00
SunSeekerX
cb935ea0f0
1
2026-01-22 14:56:09 +08:00
SunSeekerX
73a241df1a
Merge branch 'main' into feat/optimize
2026-01-21 11:56:02 +08:00
SunSeekerX
029bdf3719
1
2026-01-21 11:55:28 +08:00
github-actions[bot]
0f5321b0ef
chore: sync VERSION file with release v1.1.260 [skip ci]
v1.1.260
2026-01-21 02:19:34 +00:00
shaw
c7d7bf47d6
fix: update Claude account OAuth link generation rules
2026-01-21 10:06:24 +08:00
Wesley Liddick
ebc30b6026
Merge pull request #906 from 0xRichardH/fix-bedrock-sse-stream-event [skip ci]
...
Fix bedrock sse stream event
2026-01-21 09:38:19 +08:00
Wesley Liddick
d5a7af2d7d
Merge pull request #903 from RedwindA/main [skip ci]
...
feat(droid): add prompt_cache_retention and safety_identifier to fiel…
2026-01-21 09:37:19 +08:00
SunSeekerX
76ecbe18a5
1
2026-01-19 20:24:47 +08:00
Richard Hao
81a3e26e27
fix: correct Bedrock SSE stream event format to match Claude API spec
...
- message_start: nest fields inside 'message' object with type: 'message'
- content_block_delta: add type field to data
- message_delta: add type field to data
- message_stop: remove usage field, just return type
- Extract usage from message_delta instead of message_stop
2026-01-18 11:38:38 +08:00
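The event shape the commit above corrects, as an added example that is not the project's own code: builders that emit Claude Messages API SSE events in the documented form (fields nested under `message` with `type: "message"` on `message_start`, a `type` on every `data` object, usage carried by `message_delta`, and `message_stop` carrying nothing but `type`), plus a parser that consumes such a stream and takes its token accounting from `message_delta`. The Bedrock-side input is not modeled; ids, model name and token counts are constructed sample values.

```javascript
// Added example (not the project's code). Sample ids, model and token
// counts are constructed for illustration.
function sse(type, data) {
  return `event: ${type}\ndata: ${JSON.stringify({ type, ...data })}\n\n`;
}

function messageStart({ id, model, inputTokens }) {
  // All message fields sit inside "message", which carries type: "message".
  return sse('message_start', {
    message: {
      id, type: 'message', role: 'assistant', content: [], model,
      stop_reason: null, stop_sequence: null,
      usage: { input_tokens: inputTokens, output_tokens: 1 },
    },
  });
}
function contentBlockStart(index) {
  return sse('content_block_start', { index, content_block: { type: 'text', text: '' } });
}
function contentBlockDelta(index, text) {
  return sse('content_block_delta', { index, delta: { type: 'text_delta', text } });
}
function contentBlockStop(index) {
  return sse('content_block_stop', { index });
}
function messageDelta({ stopReason, outputTokens }) {
  // Final usage is reported here, not on message_stop.
  return sse('message_delta', {
    delta: { stop_reason: stopReason, stop_sequence: null },
    usage: { output_tokens: outputTokens },
  });
}
function messageStop() {
  return sse('message_stop', {});
}

// Parse an SSE body and extract what a relay needs for accounting. Throws
// if data.type disagrees with the event name or if message_stop carries
// anything besides "type".
function parseClaudeStream(body) {
  const result = { id: null, model: null, text: '', inputTokens: 0, outputTokens: 0, stopReason: null, events: [] };
  for (const chunk of body.split('\n\n')) {
    if (!chunk.trim()) continue;
    let event = null;
    const dataLines = [];
    for (const line of chunk.split('\n')) {
      if (line.startsWith('event:')) event = line.slice(6).trim();
      else if (line.startsWith('data:')) dataLines.push(line.slice(5).trim());
    }
    const data = JSON.parse(dataLines.join('\n'));
    if (data.type !== event) throw new Error(`event ${event} does not match data.type ${data.type}`);
    result.events.push(event);
    switch (event) {
      case 'message_start':
        result.id = data.message.id;
        result.model = data.message.model;
        result.inputTokens = data.message.usage.input_tokens;
        break;
      case 'content_block_delta':
        if (data.delta.type === 'text_delta') result.text += data.delta.text;
        break;
      case 'message_delta':
        result.stopReason = data.delta.stop_reason;
        result.outputTokens = data.usage.output_tokens;
        break;
      case 'message_stop':
        if (Object.keys(data).length !== 1) throw new Error('message_stop must carry only "type"');
        break;
      default:
        break;
    }
  }
  return result;
}

// A complete constructed stream for a two-chunk text reply.
function sampleStream() {
  return messageStart({ id: 'msg_example01', model: 'claude-sample', inputTokens: 12 })
    + contentBlockStart(0)
    + contentBlockDelta(0, 'Hello')
    + contentBlockDelta(0, ', world')
    + contentBlockStop(0)
    + messageDelta({ stopReason: 'end_turn', outputTokens: 4 })
    + messageStop();
}

module.exports = { sse, messageStart, messageDelta, messageStop, parseClaudeStream, sampleStream };
```

Running the parser over a stream that still puts `usage` on `message_stop` makes it throw, which is the quickest way to catch a regression of the format fix in a test.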
Richard Hao
64db4a270d
fix: handle bedrock content block start/stop events
2026-01-18 10:58:11 +08:00
RedwindA
ca027ecb90
feat(droid): add prompt_cache_retention and safety_identifier to fieldsToRemove
2026-01-16 04:22:05 +08:00
github-actions[bot]
21e6944abb
chore: sync VERSION file with release v1.1.259 [skip ci]
v1.1.259
2026-01-15 03:07:53 +00:00
Wesley Liddick
4ea3d4830f
Merge pull request #858 from zengqinglei/feature/gemini-retrieve-user-quota
...
feat: add Gemini retrieveUserQuota API support
2026-01-15 11:07:41 +08:00
github-actions[bot]
3000632d4e
chore: sync VERSION file with release v1.1.258 [skip ci]
v1.1.258
2026-01-15 01:25:03 +00:00
Wesley Liddick
9e3a4cf45a
Merge pull request #899 from UncleJ-h/fix/remove-unused-heapdump
...
fix: remove unused heapdump dependency
2026-01-15 09:24:51 +08:00
UncleJ-h
eb992697b6
fix: remove unused heapdump dependency
...
The heapdump package was added in v1.1.257 but is not actually used anywhere in the codebase.
This causes build failures on platforms without Python (e.g., Zeabur) because heapdump requires node-gyp compilation.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-14 16:43:45 +08:00
github-actions[bot]
35ab34d687
chore: sync VERSION file with release v1.1.257 [skip ci]
v1.1.257
2026-01-14 07:41:16 +00:00
Wesley Liddick
bc4b050c69
Merge pull request #895 from wayfind/fix/memory-simple
...
fix(memory): reduce memory retention in request handling
2026-01-14 15:40:59 +08:00
root
189d53d793
style: fix ESLint prefer-const and formatting
...
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-12 10:46:08 +00:00
root
b148537428
style: fix prettier formatting
...
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-12 10:42:39 +00:00
root
9d1a451027
fix(memory): comprehensive req closure capture fixes
...
Additional fixes for memory leaks:
- Bedrock stream: extract _apiKeyIdBedrock, _rateLimitInfoBedrock, _requestBodyBedrock
- Non-stream requests: extract variables at block start
- Non-stream service calls: use extracted variables
- Non-stream usage recording: use extracted variables
All async callbacks now use local variables instead of req.* references,
preventing the entire request object (including large req.body with images)
from being retained by closures.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-12 10:29:29 +00:00