package middleware import ( "fmt" "net/http" "strings" "github.com/gin-contrib/sessions" "github.com/gin-gonic/gin" "github.com/songquanpeng/one-api/common/blacklist" "github.com/songquanpeng/one-api/common/ctxkey" "github.com/songquanpeng/one-api/common/logger" "github.com/songquanpeng/one-api/common/network" "github.com/songquanpeng/one-api/model" ) func authHelper(c *gin.Context, minRole int) { session := sessions.Default(c) username := session.Get("username") role := session.Get("role") id := session.Get("id") status := session.Get("status") if username == nil { logger.SysLog("no user session found, try to use access token") // Check access token accessToken := c.Request.Header.Get("Authorization") if accessToken == "" { c.JSON(http.StatusUnauthorized, gin.H{ "success": false, "message": "No permission to perform this operation, not logged in and no access token provided", }) c.Abort() return } user := model.ValidateAccessToken(accessToken) if user != nil && user.Username != "" { // Token is valid username = user.Username role = user.Role id = user.Id status = user.Status } else { c.JSON(http.StatusOK, gin.H{ "success": false, "message": "No permission to perform this operation, access token is invalid", }) c.Abort() return } } if status.(int) == model.UserStatusDisabled || blacklist.IsUserBanned(id.(int)) { c.JSON(http.StatusOK, gin.H{ "success": false, "message": "User has been banned", }) session := sessions.Default(c) session.Clear() _ = session.Save() c.Abort() return } if role.(int) < minRole { c.JSON(http.StatusOK, gin.H{ "success": false, "message": "No permission to perform this operation, insufficient permissions", }) c.Abort() return } c.Set("username", username) c.Set("role", role) c.Set("id", id) c.Next() } func UserAuth() func(c *gin.Context) { return func(c *gin.Context) { authHelper(c, model.RoleCommonUser) } } func AdminAuth() func(c *gin.Context) { return func(c *gin.Context) { authHelper(c, model.RoleAdminUser) } } func RootAuth() func(c *gin.Context) { return func(c *gin.Context) { authHelper(c, model.RoleRootUser) } } func TokenAuth() func(c *gin.Context) { return func(c *gin.Context) { ctx := c.Request.Context() key := c.Request.Header.Get("Authorization") key = strings.TrimPrefix(key, "Bearer ") key = strings.TrimPrefix(strings.TrimPrefix(key, "sk-"), "laisky-") parts := strings.Split(key, "-") key = parts[0] token, err := model.ValidateUserToken(key) if err != nil { abortWithMessage(c, http.StatusUnauthorized, err.Error()) return } if token.Subnet != nil && *token.Subnet != "" { if !network.IsIpInSubnets(ctx, c.ClientIP(), *token.Subnet) { abortWithMessage(c, http.StatusForbidden, fmt.Sprintf("该API Keys只能在指定网段使用:%s,当前 ip:%s", *token.Subnet, c.ClientIP())) return } } userEnabled, err := model.CacheIsUserEnabled(token.UserId) if err != nil { abortWithMessage(c, http.StatusInternalServerError, err.Error()) return } if !userEnabled || blacklist.IsUserBanned(token.UserId) { abortWithMessage(c, http.StatusForbidden, "User has been banned") return } requestModel, err := getRequestModel(c) if err != nil && shouldCheckModel(c) { abortWithMessage(c, http.StatusBadRequest, err.Error()) return } c.Set(ctxkey.RequestModel, requestModel) if token.Models != nil && *token.Models != "" { c.Set(ctxkey.AvailableModels, *token.Models) if requestModel != "" && !isModelInList(requestModel, *token.Models) { abortWithMessage(c, http.StatusForbidden, fmt.Sprintf("该API KeysNone权使用Model:%s", requestModel)) return } } c.Set(ctxkey.Id, token.UserId) c.Set(ctxkey.TokenId, token.Id) c.Set(ctxkey.TokenName, token.Name) c.Set(ctxkey.TokenQuota, token.RemainQuota) c.Set(ctxkey.TokenQuotaUnlimited, token.UnlimitedQuota) if len(parts) > 1 { if model.IsAdmin(token.UserId) { c.Set(ctxkey.SpecificChannelId, parts[1]) } else { abortWithMessage(c, http.StatusForbidden, "Ordinary users do not support specifying channels") return } } // set channel id for proxy relay if channelId := c.Param("channelid"); channelId != "" { c.Set(ctxkey.SpecificChannelId, channelId) } c.Next() } } func shouldCheckModel(c *gin.Context) bool { if strings.HasPrefix(c.Request.URL.Path, "/v1/completions") { return true } if strings.HasPrefix(c.Request.URL.Path, "/v1/chat/completions") { return true } if strings.HasPrefix(c.Request.URL.Path, "/v1/images") { return true } if strings.HasPrefix(c.Request.URL.Path, "/v1/audio") { return true } return false }