feat: Enhance security and fix bugs in authentication

- Update the minimum access token length from 16 to 32 - Prevent spam by introducing policies and detecting user agents - Add an authorization header to the login response - Use base64 to decode the session secret and generate a random one if not set
2025-11-08 01:33:43 +08:00 · 2024-03-05 13:07:07 +00:00
parent bcd5cf3d5f
commit ba9b258a4b
4 changed files with 37 additions and 6 deletions
--- a/middleware/auth.go
+++ b/middleware/auth.go
@@ -1,12 +1,14 @@
 package middleware

 import (
+	"net/http"
+	"strings"
+
 	"github.com/gin-contrib/sessions"
 	"github.com/gin-gonic/gin"
 	"github.com/songquanpeng/one-api/common"
+	"github.com/songquanpeng/one-api/common/logger"
 	"github.com/songquanpeng/one-api/model"
-	"net/http"
-	"strings"
 )

 func authHelper(c *gin.Context, minRole int) {
@@ -16,6 +18,7 @@ func authHelper(c *gin.Context, minRole int) {
 	id := session.Get("id")
 	status := session.Get("status")
 	if username == nil {
+		logger.SysLog("no user session found, try to use access token")
 		// Check access token
 		accessToken := c.Request.Header.Get("Authorization")
 		if accessToken == "" {
@@ -26,6 +29,7 @@ func authHelper(c *gin.Context, minRole int) {
 			c.Abort()
 			return
 		}
+
 		user := model.ValidateAccessToken(accessToken)
 		if user != nil && user.Username != "" {
 			// Token is valid
@@ -42,6 +46,7 @@ func authHelper(c *gin.Context, minRole int) {
 			return
 		}
 	}
+
 	if status.(int) == common.UserStatusDisabled {
 		c.JSON(http.StatusOK, gin.H{
 			"success": false,