Merge pull request #693 from Calcium-Ion/refactor-auth

refactor: access_token auth
Adjust streaming timeout for OpenAI models in OaiStreamHandler
2026-04-15 17:07:27 +00:00 · 2025-01-06 17:55:20 +08:00 · 2025-01-06 17:52:33 +08:00 · 2025-01-06 16:37:21 +08:00 · 2025-01-06 15:20:38 +08:00 · 2025-01-05 22:13:04 +08:00
11 changed files with 113 additions and 42 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -3,4 +3,5 @@
 *.md
 .vscode
 .gitignore
-Makefile
+Makefile
+docs
--- a/.github/workflows/linux-release.yml
+++ b/.github/workflows/linux-release.yml
@@ -38,7 +38,7 @@ jobs:
      - name: Build Backend (arm64)
        run: |
          sudo apt-get update
-          sudo apt-get install gcc-aarch64-linux-gnu
+          DEBIAN_FRONTEND=noninteractive sudo apt-get install -y gcc-aarch64-linux-gnu
          CC=aarch64-linux-gnu-gcc CGO_ENABLED=1 GOOS=linux GOARCH=arm64 go build -ldflags "-s -w -X 'one-api/common.Version=$(git describe --tags)' -extldflags '-static'" -o one-api-arm64

      - name: Release
--- a/6
+++ b/6
@@ -1,11 +1,11 @@
-FROM node:16 as builder
+FROM oven/bun:latest as builder

 WORKDIR /build
 COPY web/package.json .
-RUN npm install
+RUN bun install
 COPY ./web .
 COPY ./VERSION .
-RUN DISABLE_ESLINT_PLUGIN='true' VITE_REACT_APP_VERSION=$(cat VERSION) npm run build
+RUN DISABLE_ESLINT_PLUGIN='true' VITE_REACT_APP_VERSION=$(cat VERSION) bun run build

 FROM golang AS builder2

--- a/controller/channel.go
+++ b/controller/channel.go
@@ -274,6 +274,17 @@ func AddChannel(c *gin.Context) {
 		}
 		localChannel := channel
 		localChannel.Key = key
+		// Validate the length of the model name
+		models := strings.Split(localChannel.Models, ",")
+		for _, model := range models {
+			if len(model) > 255 {
+				c.JSON(http.StatusOK, gin.H{
+					"success": false,
+					"message": fmt.Sprintf("模型名称过长: %s", model),
+				})
+				return
+			}
+		}
 		channels = append(channels, localChannel)
 	}
 	err = model.BatchInsertChannels(channels)
--- a/docs/api/api_auth.md
+++ b/docs/api/api_auth.md
@@ -0,0 +1,53 @@
+# API 鉴权文档
+
+## 认证方式
+
+### Access Token
+
+对于需要鉴权的 API 接口，必须同时提供以下两个请求头来进行 Access Token 认证：
+
+1. **请求头中的 `Authorization` 字段**
+
+    将 Access Token 放置于 HTTP 请求头部的 `Authorization` 字段中，格式如下：
+
+    ```
+    Authorization: <your_access_token>
+    ```
+
+    其中 `<your_access_token>` 需要替换为实际的 Access Token 值。
+
+2. **请求头中的 `New-Api-User` 字段**
+
+    将用户 ID 放置于 HTTP 请求头部的 `New-Api-User` 字段中，格式如下：
+
+    ```
+    New-Api-User: <your_user_id>
+    ```
+
+    其中 `<your_user_id>` 需要替换为实际的用户 ID。
+
+**注意：**
+
+*   **必须同时提供 `Authorization` 和 `New-Api-User` 两个请求头才能通过鉴权。**
+*   如果只提供其中一个请求头，或者两个请求头都未提供，则会返回 `401 Unauthorized` 错误。
+*   如果 `Authorization` 中的 Access Token 无效，则会返回 `401 Unauthorized` 错误，并提示“无权进行此操作，access token 无效”。
+*   如果 `New-Api-User` 中的用户 ID 与 Access Token 不匹配，则会返回 `401 Unauthorized` 错误，并提示“无权进行此操作，与登录用户不匹配，请重新登录”。
+*   如果没有提供 `New-Api-User` 请求头，则会返回 `401 Unauthorized` 错误，并提示“无权进行此操作，未提供 New-Api-User”。
+*   如果 `New-Api-User` 请求头格式错误，则会返回 `401 Unauthorized` 错误，并提示“无权进行此操作，New-Api-User 格式错误”。
+*   如果用户已被禁用，则会返回 `403 Forbidden` 错误，并提示“用户已被封禁”。
+*   如果用户权限不足，则会返回 `403 Forbidden` 错误，并提示“无权进行此操作，权限不足”。
+*   如果用户信息无效，则会返回 `403 Forbidden` 错误，并提示“无权进行此操作，用户信息无效”。
+
+## Curl 示例
+
+假设您的 Access Token 为 `access_token`，用户 ID 为 `123`，要访问的 API 接口为 `/api/user/self`，则可以使用以下 curl 命令：
+
+```bash
+curl -X GET \
+  -H "Authorization: access_token" \
+  -H "New-Api-User: 123" \
+  https://your-domain.com/api/user/self
+```
+
+请将 `access_token`、`123` 和 `https://your-domain.com` 替换为实际的值。
+
--- a/docs/api/user.md
+++ b/docs/api/user.md
--- a/middleware/auth.go
+++ b/middleware/auth.go
@@ -64,35 +64,33 @@ func authHelper(c *gin.Context, minRole int) {
 			return
 		}
 	}
-	if !useAccessToken {
-		// get header New-Api-User
-		apiUserIdStr := c.Request.Header.Get("New-Api-User")
-		if apiUserIdStr == "" {
-			c.JSON(http.StatusUnauthorized, gin.H{
-				"success": false,
-				"message": "无权进行此操作，请刷新页面或清空缓存后重试",
-			})
-			c.Abort()
-			return
-		}
-		apiUserId, err := strconv.Atoi(apiUserIdStr)
-		if err != nil {
-			c.JSON(http.StatusUnauthorized, gin.H{
-				"success": false,
-				"message": "无权进行此操作，登录信息无效，请重新登录",
-			})
-			c.Abort()
-			return
+	// get header New-Api-User
+	apiUserIdStr := c.Request.Header.Get("New-Api-User")
+	if apiUserIdStr == "" {
+		c.JSON(http.StatusUnauthorized, gin.H{
+			"success": false,
+			"message": "无权进行此操作，未提供 New-Api-User",
+		})
+		c.Abort()
+		return
+	}
+	apiUserId, err := strconv.Atoi(apiUserIdStr)
+	if err != nil {
+		c.JSON(http.StatusUnauthorized, gin.H{
+			"success": false,
+			"message": "无权进行此操作，New-Api-User 格式错误",
+		})
+		c.Abort()
+		return

-		}
-		if id != apiUserId {
-			c.JSON(http.StatusUnauthorized, gin.H{
-				"success": false,
-				"message": "无权进行此操作，与登录用户不匹配，请重新登录",
-			})
-			c.Abort()
-			return
-		}
+	}
+	if id != apiUserId {
+		c.JSON(http.StatusUnauthorized, gin.H{
+			"success": false,
+			"message": "无权进行此操作，New-Api-User 与登录用户不匹配",
+		})
+		c.Abort()
+		return
 	}
 	if status.(int) == common.UserStatusDisabled {
 		c.JSON(http.StatusOK, gin.H{
--- a/model/ability.go
+++ b/model/ability.go
@@ -12,7 +12,7 @@ import (

 type Ability struct {
 	Group     string  `json:"group" gorm:"type:varchar(64);primaryKey;autoIncrement:false"`
-	Model     string  `json:"model" gorm:"type:varchar(64);primaryKey;autoIncrement:false"`
+	Model     string  `json:"model" gorm:"type:varchar(255);primaryKey;autoIncrement:false"`
 	ChannelId int     `json:"channel_id" gorm:"primaryKey;autoIncrement:false;index"`
 	Enabled   bool    `json:"enabled"`
 	Priority  *int64  `json:"priority" gorm:"bigint;default:0;index"`
@@ -278,7 +278,6 @@ func FixAbility() (int, error) {
 		return 0, err
 	}
 	var channels []Channel
-
 	if len(abilityChannelIds) == 0 {
 		err = DB.Find(&channels).Error
 	} else {
--- a/model/user.go
+++ b/model/user.go
@@ -134,18 +134,23 @@ func SearchUsers(keyword string, group string, startIdx int, num int) ([]*User,
 	// 构建基础查询
 	query := tx.Unscoped().Model(&User{})

+	// 构建搜索条件
+	likeCondition := "username LIKE ? OR email LIKE ? OR display_name LIKE ?"
+
 	// 尝试将关键字转换为整数ID
 	keywordInt, err := strconv.Atoi(keyword)
 	if err == nil {
-		// 如果转换成功，按照ID和可选的组别搜索用户
+		// 如果是数字，同时搜索ID和其他字段
+		likeCondition = "id = ? OR " + likeCondition
 		if group != "" {
-			query = query.Where("id = ? AND "+groupCol+" = ?", keywordInt, group)
+			query = query.Where("("+likeCondition+") AND "+groupCol+" = ?",
+				keywordInt, "%"+keyword+"%", "%"+keyword+"%", "%"+keyword+"%", group)
 		} else {
-			query = query.Where("id = ?", keywordInt)
+			query = query.Where(likeCondition,
+				keywordInt, "%"+keyword+"%", "%"+keyword+"%", "%"+keyword+"%")
 		}
 	} else {
-		// 如果不是ID搜索，则使用模糊匹配
-		likeCondition := "username LIKE ? OR email LIKE ? OR display_name LIKE ?"
+		// 非数字关键字，只搜索字符串字段
 		if group != "" {
 			query = query.Where("("+likeCondition+") AND "+groupCol+" = ?",
 				"%"+keyword+"%", "%"+keyword+"%", "%"+keyword+"%", group)
--- a/relay/channel/openai/relay-openai.go
+++ b/relay/channel/openai/relay-openai.go
@@ -65,8 +65,12 @@ func OaiStreamHandler(c *gin.Context, resp *http.Response, info *relaycommon.Rel
 	scanner.Split(bufio.ScanLines)

 	service.SetEventStreamHeaders(c)
-
-	ticker := time.NewTicker(time.Duration(constant.StreamingTimeout) * time.Second)
+	streamingTimeout := time.Duration(constant.StreamingTimeout) * time.Second
+	if strings.HasPrefix(info.UpstreamModelName, "o1") || strings.HasPrefix(info.UpstreamModelName, "o3") {
+		// twice timeout for o1 model
+		streamingTimeout *= 2
+	}
+	ticker := time.NewTicker(streamingTimeout)
 	defer ticker.Stop()

 	stopChan := make(chan bool)
--- a/web/bun.lockb
+++ b/web/bun.lockb
Author	SHA1	Message	Date
Calcium-Ion	b85a07e57c	Merge pull request #693 from Calcium-Ion/refactor-auth refactor: access_token auth	2025-01-06 17:55:20 +08:00
1808837298@qq.com	8518ca65e2	Adjust streaming timeout for OpenAI models in OaiStreamHandler - Implemented conditional logic to double the streaming timeout for models starting with "o1" or "o3". - Improved handling of streaming timeout configuration to enhance performance based on model type.	2025-01-06 17:52:33 +08:00
1808837298@qq.com	cd192e2779	Update Dockerfile to use Bun for package management and build process - Changed base image from Node.js to Bun for improved performance. - Replaced npm install with bun install for dependency management. - Updated build command to use Bun for building the application. - Added new bun.lockb file to track Bun dependencies.	2025-01-06 16:37:21 +08:00
1808837298@qq.com	80fcd4e964	Enhance user search functionality to support ID and keyword searches. Updated query conditions to allow searching by user ID alongside username, email, and display name. Improved handling of numeric and string keywords in search queries.	2025-01-06 15:20:38 +08:00
Calcium-Ion	3f8c12c14e	Merge pull request #692 from Calcium-Ion/fix-channel-model-length Fix channel model length issue	2025-01-05 22:13:04 +08:00
1808837298@qq.com	08a89a50d7	revert cache.go	2025-01-05 22:12:39 +08:00
1808837298@qq.com	006bc37231	refactor: access_token auth	2025-01-05 22:08:23 +08:00
Calcium-Ion	4cf9d0787e	Fix model name length validation limit	2025-01-05 22:02:46 +08:00
Calcium-Ion	4fa7fefe61		2025-01-05 22:01:36 +08:00
Calcium-Ion	239bc46965	Fix channel model length issue Fixes #691 --- For more details, open the [Copilot Workspace session](https://copilot-workspace.githubnext.com/Calcium-Ion/new-api/issues/691?shareId=XXXX-XXXX-XXXX-XXXX).	2025-01-05 21:55:25 +08:00
1808837298@qq.com	055a238ef2	fix: update linux-release workflow to install gcc-aarch64-linux-gnu non-interactively	2025-01-05 17:59:29 +08:00