feat: Add API key authentication system for external service access (#1757)

* Initial plan * feat: Add API key authentication system backend Co-authored-by: RockChinQ <45992437+RockChinQ@users.noreply.github.com> * feat: Add API key management UI in frontend sidebar Co-authored-by: RockChinQ <45992437+RockChinQ@users.noreply.github.com> * fix: Correct import paths in API controller groups Co-authored-by: RockChinQ <45992437+RockChinQ@users.noreply.github.com> * fix: Address code review feedback - add i18n and validation Co-authored-by: RockChinQ <45992437+RockChinQ@users.noreply.github.com> * refactor: Enable API key auth on existing endpoints instead of creating separate service API - Added USER_TOKEN_OR_API_KEY auth type that accepts both authentication methods - Removed separate /api/service/v1/models endpoints - Updated existing endpoints (models, bots, pipelines) to accept API keys - External services can now use API keys to access all existing LangBot APIs - Updated documentation to reflect unified API approach Co-authored-by: RockChinQ <45992437+RockChinQ@users.noreply.github.com> * docs: Add OpenAPI specification for API key authenticated endpoints Co-authored-by: RockChinQ <45992437+RockChinQ@users.noreply.github.com> * chore: rename openapi spec * perf: ui and i18n * fix: ui bug * chore: tidy docs * chore: fix linter errors --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: RockChinQ <45992437+RockChinQ@users.noreply.github.com> Co-authored-by: Junyan Qin <rockchinq@gmail.com>
2026-06-05 05:16:03 +00:00 · 2025-11-07 14:08:11 +08:00
parent af82227dff
commit a076ce5756
18 changed files with 2899 additions and 13 deletions
--- a/pkg/api/http/controller/groups/apikeys.py
+++ b/pkg/api/http/controller/groups/apikeys.py
@@ -0,0 +1,43 @@
+import quart
+
+from .. import group
+
+
+@group.group_class('apikeys', '/api/v1/apikeys')
+class ApiKeysRouterGroup(group.RouterGroup):
+    async def initialize(self) -> None:
+        @self.route('', methods=['GET', 'POST'])
+        async def _() -> str:
+            if quart.request.method == 'GET':
+                keys = await self.ap.apikey_service.get_api_keys()
+                return self.success(data={'keys': keys})
+            elif quart.request.method == 'POST':
+                json_data = await quart.request.json
+                name = json_data.get('name', '')
+                description = json_data.get('description', '')
+
+                if not name:
+                    return self.http_status(400, -1, 'Name is required')
+
+                key = await self.ap.apikey_service.create_api_key(name, description)
+                return self.success(data={'key': key})
+
+        @self.route('/<int:key_id>', methods=['GET', 'PUT', 'DELETE'])
+        async def _(key_id: int) -> str:
+            if quart.request.method == 'GET':
+                key = await self.ap.apikey_service.get_api_key(key_id)
+                if key is None:
+                    return self.http_status(404, -1, 'API key not found')
+                return self.success(data={'key': key})
+
+            elif quart.request.method == 'PUT':
+                json_data = await quart.request.json
+                name = json_data.get('name')
+                description = json_data.get('description')
+
+                await self.ap.apikey_service.update_api_key(key_id, name, description)
+                return self.success()
+
+            elif quart.request.method == 'DELETE':
+                await self.ap.apikey_service.delete_api_key(key_id)
+                return self.success()
--- a/pkg/api/http/controller/groups/pipelines/pipelines.py
+++ b/pkg/api/http/controller/groups/pipelines/pipelines.py
@@ -8,7 +8,7 @@ from ... import group
@group.group_class('pipelines', '/api/v1/pipelines')
 class PipelinesRouterGroup(group.RouterGroup):
    async def initialize(self) -> None:
-        @self.route('', methods=['GET', 'POST'])
+        @self.route('', methods=['GET', 'POST'], auth_type=group.AuthType.USER_TOKEN_OR_API_KEY)
        async def _() -> str:
            if quart.request.method == 'GET':
                sort_by = quart.request.args.get('sort_by', 'created_at')
@@ -23,11 +23,11 @@ class PipelinesRouterGroup(group.RouterGroup):

                return self.success(data={'uuid': pipeline_uuid})

-        @self.route('/_/metadata', methods=['GET'])
+        @self.route('/_/metadata', methods=['GET'], auth_type=group.AuthType.USER_TOKEN_OR_API_KEY)
        async def _() -> str:
            return self.success(data={'configs': await self.ap.pipeline_service.get_pipeline_metadata()})

-        @self.route('/<pipeline_uuid>', methods=['GET', 'PUT', 'DELETE'])
+        @self.route('/<pipeline_uuid>', methods=['GET', 'PUT', 'DELETE'], auth_type=group.AuthType.USER_TOKEN_OR_API_KEY)
        async def _(pipeline_uuid: str) -> str:
            if quart.request.method == 'GET':
                pipeline = await self.ap.pipeline_service.get_pipeline(pipeline_uuid)
@@ -47,7 +47,7 @@ class PipelinesRouterGroup(group.RouterGroup):

                return self.success()

-        @self.route('/<pipeline_uuid>/extensions', methods=['GET', 'PUT'])
+        @self.route('/<pipeline_uuid>/extensions', methods=['GET', 'PUT'], auth_type=group.AuthType.USER_TOKEN_OR_API_KEY)
        async def _(pipeline_uuid: str) -> str:
            if quart.request.method == 'GET':
                # Get current extensions and available plugins
--- a/pkg/api/http/controller/groups/platform/bots.py
+++ b/pkg/api/http/controller/groups/platform/bots.py
@@ -6,7 +6,7 @@ from ... import group
@group.group_class('bots', '/api/v1/platform/bots')
 class BotsRouterGroup(group.RouterGroup):
    async def initialize(self) -> None:
-        @self.route('', methods=['GET', 'POST'])
+        @self.route('', methods=['GET', 'POST'], auth_type=group.AuthType.USER_TOKEN_OR_API_KEY)
        async def _() -> str:
            if quart.request.method == 'GET':
                return self.success(data={'bots': await self.ap.bot_service.get_bots()})
@@ -15,7 +15,7 @@ class BotsRouterGroup(group.RouterGroup):
                bot_uuid = await self.ap.bot_service.create_bot(json_data)
                return self.success(data={'uuid': bot_uuid})

-        @self.route('/<bot_uuid>', methods=['GET', 'PUT', 'DELETE'])
+        @self.route('/<bot_uuid>', methods=['GET', 'PUT', 'DELETE'], auth_type=group.AuthType.USER_TOKEN_OR_API_KEY)
        async def _(bot_uuid: str) -> str:
            if quart.request.method == 'GET':
                bot = await self.ap.bot_service.get_bot(bot_uuid)
@@ -30,7 +30,7 @@ class BotsRouterGroup(group.RouterGroup):
                await self.ap.bot_service.delete_bot(bot_uuid)
                return self.success()

-        @self.route('/<bot_uuid>/logs', methods=['POST'])
+        @self.route('/<bot_uuid>/logs', methods=['POST'], auth_type=group.AuthType.USER_TOKEN_OR_API_KEY)
        async def _(bot_uuid: str) -> str:
            json_data = await quart.request.json
            from_index = json_data.get('from_index', -1)
--- a/pkg/api/http/controller/groups/provider/models.py
+++ b/pkg/api/http/controller/groups/provider/models.py
@@ -6,7 +6,7 @@ from ... import group
@group.group_class('models/llm', '/api/v1/provider/models/llm')
 class LLMModelsRouterGroup(group.RouterGroup):
    async def initialize(self) -> None:
-        @self.route('', methods=['GET', 'POST'])
+        @self.route('', methods=['GET', 'POST'], auth_type=group.AuthType.USER_TOKEN_OR_API_KEY)
        async def _() -> str:
            if quart.request.method == 'GET':
                return self.success(data={'models': await self.ap.llm_model_service.get_llm_models()})
@@ -17,7 +17,7 @@ class LLMModelsRouterGroup(group.RouterGroup):

                return self.success(data={'uuid': model_uuid})

-        @self.route('/<model_uuid>', methods=['GET', 'PUT', 'DELETE'])
+        @self.route('/<model_uuid>', methods=['GET', 'PUT', 'DELETE'], auth_type=group.AuthType.USER_TOKEN_OR_API_KEY)
        async def _(model_uuid: str) -> str:
            if quart.request.method == 'GET':
                model = await self.ap.llm_model_service.get_llm_model(model_uuid)
@@ -37,7 +37,7 @@ class LLMModelsRouterGroup(group.RouterGroup):

                return self.success()

-        @self.route('/<model_uuid>/test', methods=['POST'])
+        @self.route('/<model_uuid>/test', methods=['POST'], auth_type=group.AuthType.USER_TOKEN_OR_API_KEY)
        async def _(model_uuid: str) -> str:
            json_data = await quart.request.json

@@ -49,7 +49,7 @@ class LLMModelsRouterGroup(group.RouterGroup):
@group.group_class('models/embedding', '/api/v1/provider/models/embedding')
 class EmbeddingModelsRouterGroup(group.RouterGroup):
    async def initialize(self) -> None:
-        @self.route('', methods=['GET', 'POST'])
+        @self.route('', methods=['GET', 'POST'], auth_type=group.AuthType.USER_TOKEN_OR_API_KEY)
        async def _() -> str:
            if quart.request.method == 'GET':
                return self.success(data={'models': await self.ap.embedding_models_service.get_embedding_models()})
@@ -60,7 +60,7 @@ class EmbeddingModelsRouterGroup(group.RouterGroup):

                return self.success(data={'uuid': model_uuid})

-        @self.route('/<model_uuid>', methods=['GET', 'PUT', 'DELETE'])
+        @self.route('/<model_uuid>', methods=['GET', 'PUT', 'DELETE'], auth_type=group.AuthType.USER_TOKEN_OR_API_KEY)
        async def _(model_uuid: str) -> str:
            if quart.request.method == 'GET':
                model = await self.ap.embedding_models_service.get_embedding_model(model_uuid)
@@ -80,7 +80,7 @@ class EmbeddingModelsRouterGroup(group.RouterGroup):

                return self.success()

-        @self.route('/<model_uuid>/test', methods=['POST'])
+        @self.route('/<model_uuid>/test', methods=['POST'], auth_type=group.AuthType.USER_TOKEN_OR_API_KEY)
        async def _(model_uuid: str) -> str:
            json_data = await quart.request.json