feat: Enhance security and fix bugs in authentication

- Update the minimum access token length from 16 to 32 - Prevent spam by introducing policies and detecting user agents - Add an authorization header to the login response - Use base64 to decode the session secret and generate a random one if not set
2025-11-10 02:23:43 +08:00 · 2024-03-05 13:07:07 +00:00
parent bcd5cf3d5f
commit ba9b258a4b
4 changed files with 37 additions and 6 deletions
--- a/common/config/config.go
+++ b/common/config/config.go
@@ -1,15 +1,29 @@
 package config

 import (
-	"github.com/songquanpeng/one-api/common/helper"
+	"crypto/rand"
+	"encoding/base64"
+	"fmt"
 	"os"
 	"strconv"
 	"sync"
 	"time"

-	"github.com/google/uuid"
+	"github.com/songquanpeng/one-api/common/helper"
 )

+func init() {
+	if SessionSecret == "" {
+		fmt.Println("SESSION_SECRET not set, using random secret")
+		key := make([]byte, 32)
+		if _, err := rand.Read(key); err != nil {
+			panic(fmt.Sprintf("failed to generate random secret: %v", err))
+		}
+
+		SessionSecret = base64.StdEncoding.EncodeToString(key)
+	}
+}
+
 var SystemName = "One API"
 var ServerAddress = "http://localhost:3000"
 var Footer = ""
@@ -22,7 +36,7 @@ var DisplayTokenStatEnabled = true

 // Any options with "Secret", "Token" in its key won't be return by GetOptions

-var SessionSecret = uuid.New().String()
+var SessionSecret = os.Getenv("SESSION_SECRET")

 var OptionMap map[string]string
 var OptionMapRWMutex sync.RWMutex