2023-04-22 12:39:27 +00:00
|
|
|
|
package middleware
|
|
|
|
|
|
|
|
|
|
|
|
import (
|
2024-04-03 18:08:18 +00:00
|
|
|
|
"fmt"
|
2023-04-22 12:39:27 +00:00
|
|
|
|
"github.com/gin-contrib/sessions"
|
|
|
|
|
|
"github.com/gin-gonic/gin"
|
2024-03-10 07:56:19 +00:00
|
|
|
|
"github.com/songquanpeng/one-api/common/blacklist"
|
2024-04-05 02:09:16 +00:00
|
|
|
|
"github.com/songquanpeng/one-api/common/network"
|
2024-01-28 11:38:58 +00:00
|
|
|
|
"github.com/songquanpeng/one-api/model"
|
2023-04-22 12:39:27 +00:00
|
|
|
|
"net/http"
|
2023-04-23 10:24:11 +00:00
|
|
|
|
"strings"
|
2023-04-22 12:39:27 +00:00
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
func authHelper(c *gin.Context, minRole int) {
|
|
|
|
|
|
session := sessions.Default(c)
|
|
|
|
|
|
username := session.Get("username")
|
|
|
|
|
|
role := session.Get("role")
|
|
|
|
|
|
id := session.Get("id")
|
|
|
|
|
|
status := session.Get("status")
|
|
|
|
|
|
if username == nil {
|
2023-04-26 12:54:39 +00:00
|
|
|
|
// Check access token
|
|
|
|
|
|
accessToken := c.Request.Header.Get("Authorization")
|
|
|
|
|
|
if accessToken == "" {
|
|
|
|
|
|
c.JSON(http.StatusUnauthorized, gin.H{
|
|
|
|
|
|
"success": false,
|
|
|
|
|
|
"message": "无权进行此操作,未登录且未提供 access token",
|
|
|
|
|
|
})
|
|
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
user := model.ValidateAccessToken(accessToken)
|
|
|
|
|
|
if user != nil && user.Username != "" {
|
|
|
|
|
|
// Token is valid
|
|
|
|
|
|
username = user.Username
|
|
|
|
|
|
role = user.Role
|
|
|
|
|
|
id = user.Id
|
|
|
|
|
|
status = user.Status
|
|
|
|
|
|
} else {
|
|
|
|
|
|
c.JSON(http.StatusOK, gin.H{
|
|
|
|
|
|
"success": false,
|
|
|
|
|
|
"message": "无权进行此操作,access token 无效",
|
|
|
|
|
|
})
|
|
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
2023-04-22 12:39:27 +00:00
|
|
|
|
}
|
2024-04-05 18:03:59 +00:00
|
|
|
|
if status.(int) == model.UserStatusDisabled || blacklist.IsUserBanned(id.(int)) {
|
2023-04-22 12:39:27 +00:00
|
|
|
|
c.JSON(http.StatusOK, gin.H{
|
|
|
|
|
|
"success": false,
|
|
|
|
|
|
"message": "用户已被封禁",
|
|
|
|
|
|
})
|
2024-03-10 07:56:19 +00:00
|
|
|
|
session := sessions.Default(c)
|
|
|
|
|
|
session.Clear()
|
|
|
|
|
|
_ = session.Save()
|
2023-04-22 12:39:27 +00:00
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
if role.(int) < minRole {
|
|
|
|
|
|
c.JSON(http.StatusOK, gin.H{
|
|
|
|
|
|
"success": false,
|
|
|
|
|
|
"message": "无权进行此操作,权限不足",
|
|
|
|
|
|
})
|
|
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
c.Set("username", username)
|
|
|
|
|
|
c.Set("role", role)
|
|
|
|
|
|
c.Set("id", id)
|
|
|
|
|
|
c.Next()
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func UserAuth() func(c *gin.Context) {
|
|
|
|
|
|
return func(c *gin.Context) {
|
2024-04-05 18:03:59 +00:00
|
|
|
|
authHelper(c, model.RoleCommonUser)
|
2023-04-22 12:39:27 +00:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func AdminAuth() func(c *gin.Context) {
|
|
|
|
|
|
return func(c *gin.Context) {
|
2024-04-05 18:03:59 +00:00
|
|
|
|
authHelper(c, model.RoleAdminUser)
|
2023-04-22 12:39:27 +00:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func RootAuth() func(c *gin.Context) {
|
|
|
|
|
|
return func(c *gin.Context) {
|
2024-04-05 18:03:59 +00:00
|
|
|
|
authHelper(c, model.RoleRootUser)
|
2023-04-22 12:39:27 +00:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2023-04-23 10:24:11 +00:00
|
|
|
|
func TokenAuth() func(c *gin.Context) {
|
2023-04-22 12:39:27 +00:00
|
|
|
|
return func(c *gin.Context) {
|
2024-04-05 02:09:16 +00:00
|
|
|
|
ctx := c.Request.Context()
|
2023-04-23 10:24:11 +00:00
|
|
|
|
key := c.Request.Header.Get("Authorization")
|
2023-05-17 09:03:36 +00:00
|
|
|
|
key = strings.TrimPrefix(key, "Bearer ")
|
|
|
|
|
|
key = strings.TrimPrefix(key, "sk-")
|
2023-04-23 10:24:11 +00:00
|
|
|
|
parts := strings.Split(key, "-")
|
|
|
|
|
|
key = parts[0]
|
|
|
|
|
|
token, err := model.ValidateUserToken(key)
|
|
|
|
|
|
if err != nil {
|
2023-09-17 07:39:46 +00:00
|
|
|
|
abortWithMessage(c, http.StatusUnauthorized, err.Error())
|
2023-04-22 12:39:27 +00:00
|
|
|
|
return
|
|
|
|
|
|
}
|
2024-04-05 02:09:16 +00:00
|
|
|
|
if token.Subnet != nil && *token.Subnet != "" {
|
2024-04-05 09:25:28 +00:00
|
|
|
|
if !network.IsIpInSubnets(ctx, c.ClientIP(), *token.Subnet) {
|
2024-04-05 02:09:16 +00:00
|
|
|
|
abortWithMessage(c, http.StatusForbidden, fmt.Sprintf("该令牌只能在指定网段使用:%s,当前 ip:%s", *token.Subnet, c.ClientIP()))
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2023-09-29 03:38:27 +00:00
|
|
|
|
userEnabled, err := model.CacheIsUserEnabled(token.UserId)
|
2023-09-03 13:31:58 +00:00
|
|
|
|
if err != nil {
|
2023-09-17 07:39:46 +00:00
|
|
|
|
abortWithMessage(c, http.StatusInternalServerError, err.Error())
|
2023-09-03 13:31:58 +00:00
|
|
|
|
return
|
|
|
|
|
|
}
|
2024-03-10 07:56:19 +00:00
|
|
|
|
if !userEnabled || blacklist.IsUserBanned(token.UserId) {
|
2023-09-17 07:39:46 +00:00
|
|
|
|
abortWithMessage(c, http.StatusForbidden, "用户已被封禁")
|
2023-04-27 07:05:33 +00:00
|
|
|
|
return
|
|
|
|
|
|
}
|
2024-04-03 18:08:18 +00:00
|
|
|
|
requestModel, err := getRequestModel(c)
|
2024-04-05 04:50:31 +00:00
|
|
|
|
if err != nil && !strings.HasPrefix(c.Request.URL.Path, "/v1/models") {
|
2024-04-03 18:08:18 +00:00
|
|
|
|
abortWithMessage(c, http.StatusBadRequest, err.Error())
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
c.Set("request_model", requestModel)
|
|
|
|
|
|
if token.Models != nil && *token.Models != "" {
|
2024-04-03 18:44:59 +00:00
|
|
|
|
c.Set("available_models", *token.Models)
|
|
|
|
|
|
if requestModel != "" && !isModelInList(requestModel, *token.Models) {
|
2024-04-03 18:08:18 +00:00
|
|
|
|
abortWithMessage(c, http.StatusForbidden, fmt.Sprintf("该令牌无权使用模型:%s", requestModel))
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2023-04-23 10:24:11 +00:00
|
|
|
|
c.Set("id", token.UserId)
|
2023-04-26 02:45:34 +00:00
|
|
|
|
c.Set("token_id", token.Id)
|
2023-06-17 06:56:03 +00:00
|
|
|
|
c.Set("token_name", token.Name)
|
2023-04-23 10:24:11 +00:00
|
|
|
|
if len(parts) > 1 {
|
2023-04-26 06:49:27 +00:00
|
|
|
|
if model.IsAdmin(token.UserId) {
|
2024-02-25 11:01:49 +00:00
|
|
|
|
c.Set("specific_channel_id", parts[1])
|
2023-04-26 06:49:27 +00:00
|
|
|
|
} else {
|
2023-09-17 07:39:46 +00:00
|
|
|
|
abortWithMessage(c, http.StatusForbidden, "普通用户不支持指定渠道")
|
2023-04-26 06:49:27 +00:00
|
|
|
|
return
|
|
|
|
|
|
}
|
2023-04-22 12:39:27 +00:00
|
|
|
|
}
|
|
|
|
|
|
c.Next()
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
