chore: sync VERSION file with release v1.1.241 [skip ci]

2026-01-24 06:45:59 +00:00 · 2025-12-25 06:23:55 +00:00
8 changed files with 40 additions and 103 deletions
--- a/README.md
+++ b/README.md
@@ -1,10 +1,5 @@
 # Claude Relay Service

-> [!CAUTION]
-> **安全更新通知**：v1.1.248 及以下版本存在严重的管理员认证绕过漏洞，攻击者可未授权访问管理面板。
->
-> **请立即更新到 v1.1.249+ 版本**，或迁移到新一代项目 **[CRS 2.0 (sub2api)](https://github.com/Wei-Shaw/sub2api)**
-
 <div align="center">

 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
--- a/README_EN.md
+++ b/README_EN.md
@@ -1,10 +1,5 @@
 # Claude Relay Service

-> [!CAUTION]
-> **Security Update**: v1.1.248 and below contain a critical admin authentication bypass vulnerability allowing unauthorized access to the admin panel.
->
-> **Please update to v1.1.249+ immediately**, or migrate to the next-generation project **[CRS 2.0 (sub2api)](https://github.com/Wei-Shaw/sub2api)**
-
 <div align="center">

 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,21 +0,0 @@
-# Security Policy
-
-## Supported Versions
-
-Use this section to tell people about which versions of your project are
-currently being supported with security updates.
-
-| Version | Supported          |
-| ------- | ------------------ |
-| 5.1.x   | :white_check_mark: |
-| 5.0.x   | :x:                |
-| 4.0.x   | :white_check_mark: |
-| < 4.0   | :x:                |
-
-## Reporting a Vulnerability
-
-Use this section to tell people how to report a vulnerability.
-
-Tell them where to go, how often they can expect to get an update on a
-reported vulnerability, what to expect if the vulnerability is accepted or
-declined, etc.
--- a/2
+++ b/2
@@ -1 +1 @@
-1.1.252
+1.1.241
--- a/src/middleware/auth.js
+++ b/src/middleware/auth.js
@@ -1434,6 +1434,7 @@ const authenticateAdmin = async (req, res, next) => {

    // 设置管理员信息（只包含必要信息）
    req.admin = {
+      id: adminSession.adminId || 'admin',
      username: adminSession.username,
      sessionId: token,
      loginTime: adminSession.loginTime
@@ -1566,15 +1567,8 @@ const authenticateUserOrAdmin = async (req, res, next) => {
      try {
        const adminSession = await redis.getSession(adminToken)
        if (adminSession && Object.keys(adminSession).length > 0) {
-          // 🔒 安全修复：验证会话必须字段（与 authenticateAdmin 保持一致）
-          if (!adminSession.username || !adminSession.loginTime) {
-            logger.security(
-              `🔒 Corrupted admin session in authenticateUserOrAdmin from ${req.ip || 'unknown'} - missing required fields (username: ${!!adminSession.username}, loginTime: ${!!adminSession.loginTime})`
-            )
-            await redis.deleteSession(adminToken) // 清理无效/伪造的会话
-            // 不返回 401，继续尝试用户认证
-          } else {
          req.admin = {
+            id: adminSession.adminId || 'admin',
            username: adminSession.username,
            sessionId: adminToken,
            loginTime: adminSession.loginTime
@@ -1585,7 +1579,6 @@ const authenticateUserOrAdmin = async (req, res, next) => {
          logger.security(`🔐 Admin authenticated: ${adminSession.username} in ${authDuration}ms`)
          return next()
        }
-        }
      } catch (error) {
        logger.debug('Admin authentication failed, trying user authentication:', error.message)
      }
--- a/src/routes/api.js
+++ b/src/routes/api.js
@@ -179,18 +179,18 @@ async function handleMessagesRequest(req, res) {
    const isStream = req.body.stream === true

    // 临时修复新版本客户端，删除context_management字段，避免报错
-    if (req.body.context_management) {
-      delete req.body.context_management
-    }
+    // if (req.body.context_management) {
+    //   delete req.body.context_management
+    // }

    // 遍历tools数组，删除input_examples字段
-    if (req.body.tools && Array.isArray(req.body.tools)) {
-      req.body.tools.forEach((tool) => {
-        if (tool && typeof tool === 'object' && tool.input_examples) {
-          delete tool.input_examples
-        }
-      })
-    }
+    // if (req.body.tools && Array.isArray(req.body.tools)) {
+    //   req.body.tools.forEach((tool) => {
+    //     if (tool && typeof tool === 'object' && tool.input_examples) {
+    //       delete tool.input_examples
+    //     }
+    //   })
+    // }

    logger.api(
      `🚀 Processing ${isStream ? 'stream' : 'non-stream'} request for key: ${req.apiKey.name}`
--- a/src/routes/openaiClaudeRoutes.js
+++ b/src/routes/openaiClaudeRoutes.js
@@ -402,19 +402,8 @@ async function handleChatCompletion(req, res, apiKeyData) {
    const duration = Date.now() - startTime
    logger.info(`✅ OpenAI-Claude request completed in ${duration}ms`)
  } catch (error) {
-    // 客户端主动断开连接是正常情况，使用 INFO 级别
-    if (error.message === 'Client disconnected') {
-      logger.info('🔌 OpenAI-Claude stream ended: Client disconnected')
-    } else {
    logger.error('❌ OpenAI-Claude request error:', error)
-    }

-    // 检查响应是否已发送（流式响应场景），避免 ERR_HTTP_HEADERS_SENT
-    if (!res.headersSent) {
-      // 客户端断开使用 499 状态码 (Client Closed Request)
-      if (error.message === 'Client disconnected') {
-        res.status(499).end()
-      } else {
    const status = error.status || 500
    res.status(status).json({
      error: {
@@ -423,8 +412,6 @@ async function handleChatCompletion(req, res, apiKeyData) {
        code: 'internal_error'
      }
    })
-      }
-    }
  } finally {
    // 清理资源
    if (abortController) {
--- a/src/routes/openaiGeminiRoutes.js
+++ b/src/routes/openaiGeminiRoutes.js
@@ -604,12 +604,7 @@ router.post('/v1/chat/completions', authenticateApiKey, async (req, res) => {
    const duration = Date.now() - startTime
    logger.info(`OpenAI-Gemini request completed in ${duration}ms`)
  } catch (error) {
-    // 客户端主动断开连接是正常情况，使用 INFO 级别
-    if (error.message === 'Client disconnected') {
-      logger.info('🔌 OpenAI-Gemini stream ended: Client disconnected')
-    } else {
    logger.error('OpenAI-Gemini request error:', error)
-    }

    // 处理速率限制
    if (error.status === 429) {
@@ -618,12 +613,6 @@ router.post('/v1/chat/completions', authenticateApiKey, async (req, res) => {
      }
    }

-    // 检查响应是否已发送（流式响应场景），避免 ERR_HTTP_HEADERS_SENT
-    if (!res.headersSent) {
-      // 客户端断开使用 499 状态码 (Client Closed Request)
-      if (error.message === 'Client disconnected') {
-        res.status(499).end()
-      } else {
    // 返回 OpenAI 格式的错误响应
    const status = error.status || 500
    const errorResponse = {
@@ -633,9 +622,8 @@ router.post('/v1/chat/completions', authenticateApiKey, async (req, res) => {
        code: 'internal_error'
      }
    }
+
    res.status(status).json(errorResponse)
-      }
-    }
  } finally {
    // 清理资源
    if (abortController) {
@@ -1 +1 @@
 .1.252
 .1.241