From 688547b0635a379edc94232fedfd7e0d4ad7e477 Mon Sep 17 00:00:00 2001
From: Luis Pater
Date: Thu, 25 Sep 2025 09:00:38 +0800
Subject: [PATCH] refactor(config, auth): remove `allow-localhost-unauthenticated` support and related handlers

- Eliminated `allow-localhost-unauthenticated` configuration field and its usage.
- Removed associated management API handlers and middleware logic.
- Simplified authentication middleware by deprecating localhost-specific checks.
---
 .../api/handlers/management/config_basic.go | 8 -------
 internal/api/server.go | 21 +++---------------
 internal/config/config.go | 3 ---
 internal/watcher/watcher.go | 3 ---
 4 files changed, 3 insertions(+), 32 deletions(-)

diff --git a/internal/api/handlers/management/config_basic.go b/internal/api/handlers/management/config_basic.go
index 57af692c..a89996c9 100644
--- a/internal/api/handlers/management/config_basic.go
+++ b/internal/api/handlers/management/config_basic.go
@@ -26,14 +26,6 @@ func (h *Handler) PutRequestRetry(c *gin.Context) {
 h.updateIntField(c, func(v int) { h.cfg.RequestRetry = v })
 }

-// Allow localhost unauthenticated
-func (h *Handler) GetAllowLocalhost(c *gin.Context) {
- c.JSON(200, gin.H{"allow-localhost-unauthenticated": h.cfg.AllowLocalhostUnauthenticated})
-}
-func (h *Handler) PutAllowLocalhost(c *gin.Context) {
- h.updateBoolField(c, func(v bool) { h.cfg.AllowLocalhostUnauthenticated = v })
-}
-
 // Proxy URL
 func (h *Handler) GetProxyURL(c *gin.Context) { c.JSON(200, gin.H{"proxy-url": h.cfg.ProxyURL}) }
 func (h *Handler) PutProxyURL(c *gin.Context) {
diff --git a/internal/api/server.go b/internal/api/server.go
index ac57c424..e01fb385 100644
--- a/internal/api/server.go
+++ b/internal/api/server.go
@@ -188,11 +188,9 @@ func (s *Server) setupRoutes() {
 claudeCodeHandlers := claude.NewClaudeCodeAPIHandler(s.handlers)
 openaiResponsesHandlers := openai.NewOpenAIResponsesAPIHandler(s.handlers)

- cfgSupplier := func() *config.Config { return s.cfg }
-
 // OpenAI compatible API routes
 v1 := s.engine.Group("/v1")
- v1.Use(AuthMiddleware(cfgSupplier, s.accessManager))
+ v1.Use(AuthMiddleware(s.accessManager))
 {
 v1.GET("/models", s.unifiedModelsHandler(openaiHandlers, claudeCodeHandlers))
 v1.POST("/chat/completions", openaiHandlers.ChatCompletions)
@@ -204,7 +202,7 @@ func (s *Server) setupRoutes() {

 // Gemini compatible API routes
 v1beta := s.engine.Group("/v1beta")
- v1beta.Use(AuthMiddleware(cfgSupplier, s.accessManager))
+ v1beta.Use(AuthMiddleware(s.accessManager))
 {
 v1beta.GET("/models", geminiHandlers.GeminiModels)
 v1beta.POST("/models/:action", geminiHandlers.GeminiHandler)
@@ -309,10 +307,6 @@ func (s *Server) setupRoutes() {
 mgmt.PUT("/request-retry", s.mgmt.PutRequestRetry)
 mgmt.PATCH("/request-retry", s.mgmt.PutRequestRetry)

- mgmt.GET("/allow-localhost-unauthenticated", s.mgmt.GetAllowLocalhost)
- mgmt.PUT("/allow-localhost-unauthenticated", s.mgmt.PutAllowLocalhost)
- mgmt.PATCH("/allow-localhost-unauthenticated", s.mgmt.PutAllowLocalhost)
-
 mgmt.GET("/claude-api-key", s.mgmt.GetClaudeKeys)
 mgmt.PUT("/claude-api-key", s.mgmt.PutClaudeKeys)
 mgmt.PATCH("/claude-api-key", s.mgmt.PatchClaudeKey)
@@ -487,17 +481,8 @@ func (s *Server) UpdateClients(cfg *config.Config) {
 // AuthMiddleware returns a Gin middleware handler that authenticates requests
 // using the configured authentication providers. When no providers are available,
 // it allows all requests (legacy behaviour).
-func AuthMiddleware(cfgFn func() *config.Config, manager *sdkaccess.Manager) gin.HandlerFunc {
+func AuthMiddleware(manager *sdkaccess.Manager) gin.HandlerFunc {
 return func(c *gin.Context) {
- cfg := cfgFn()
- if cfg != nil && cfg.AllowLocalhostUnauthenticated {
- ip := c.ClientIP()
- if ip == "127.0.0.1" || ip == "::1" || strings.HasPrefix(c.Request.RemoteAddr, "127.0.0.1:") || strings.HasPrefix(c.Request.RemoteAddr, "[::1]:") {
- c.Next()
- return
- }
- }
-
 if manager == nil {
 c.Next()
 return
diff --git a/internal/config/config.go b/internal/config/config.go
index 982d0288..7b09fe6d 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -53,9 +53,6 @@ type Config struct {
 // OpenAICompatibility defines OpenAI API compatibility configurations for external providers.
 OpenAICompatibility []OpenAICompatibility `yaml:"openai-compatibility" json:"openai-compatibility"`

- // AllowLocalhostUnauthenticated allows unauthenticated requests from localhost.
- AllowLocalhostUnauthenticated bool `yaml:"allow-localhost-unauthenticated" json:"allow-localhost-unauthenticated"`
-
 // RemoteManagement nests management-related options under 'remote-management'.
 RemoteManagement RemoteManagement `yaml:"remote-management" json:"-"`

diff --git a/internal/watcher/watcher.go b/internal/watcher/watcher.go
index fdc9dab8..5a82849e 100644
--- a/internal/watcher/watcher.go
+++ b/internal/watcher/watcher.go
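Review bot: In `AuthMiddleware` (internal/api/server.go, hunk `@@ -487,17 +481,8 @@`), the `if manager == nil` branch kept as context still calls `c.Next()` and passes every request through unauthenticated; with the localhost switch removed it is the only bypass visible in this hunk for the `/v1` and `/v1beta` groups. The doc comment labels this legacy behaviour, but nothing shown here logs or otherwise signals it, so a server whose access manager was never constructed would be indistinguishable from an authenticated one. Consider failing closed in that branch, e.g. `c.AbortWithStatus(http.StatusUnauthorized)` in place of `c.Next()`, or at minimum emitting a warning once when the middleware is built with a nil manager. The function body continues past the end of the hunk, so how a non-nil manager with no providers is handled cannot be judged from here.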
@@ -474,9 +474,6 @@ func (w *Watcher) reloadConfig() bool {
 if len(oldConfig.CodexKey) != len(newConfig.CodexKey) {
 log.Debugf(" codex-api-key count: %d -> %d", len(oldConfig.CodexKey), len(newConfig.CodexKey))
 }
- if oldConfig.AllowLocalhostUnauthenticated != newConfig.AllowLocalhostUnauthenticated {
- log.Debugf(" allow-localhost-unauthenticated: %t -> %t", oldConfig.AllowLocalhostUnauthenticated, newConfig.AllowLocalhostUnauthenticated)
- }
 if oldConfig.RemoteManagement.AllowRemote != newConfig.RemoteManagement.AllowRemote {
 log.Debugf(" remote-management.allow-remote: %t -> %t", oldConfig.RemoteManagement.AllowRemote, newConfig.RemoteManagement.AllowRemote)
 }