feat(auth): introduce auth.providers for flexible authentication configuration

- Replaced legacy `api-keys` field with `auth.providers` in configuration, supporting multiple authentication providers including `config-api-key`. - Added synchronization to maintain compatibility with legacy `api-keys`. - Updated core components like request handling and middleware to use the new provider system. - Enhanced management API endpoints for seamless integration with `auth.providers`.
2026-02-03 13:00:52 +08:00 · 2025-09-22 17:36:31 +08:00
parent c28a5d24f8
commit 4008be19f4
14 changed files with 587 additions and 90 deletions
--- a/sdk/cliproxy/builder.go
+++ b/sdk/cliproxy/builder.go
@@ -5,6 +5,7 @@ import (

 	"github.com/router-for-me/CLIProxyAPI/v6/internal/api"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	sdkaccess "github.com/router-for-me/CLIProxyAPI/v6/sdk/access"
 	sdkAuth "github.com/router-for-me/CLIProxyAPI/v6/sdk/auth"
 	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 )
@@ -18,6 +19,7 @@ type Builder struct {
 	watcherFactory WatcherFactory
 	hooks          Hooks
 	authManager    *sdkAuth.Manager
+	accessManager  *sdkaccess.Manager
 	coreManager    *coreauth.Manager
 	serverOptions  []api.ServerOption
 }
@@ -75,6 +77,12 @@ func (b *Builder) WithAuthManager(mgr *sdkAuth.Manager) *Builder {
 	return b
 }

+// WithRequestAccessManager overrides the request authentication manager.
+func (b *Builder) WithRequestAccessManager(mgr *sdkaccess.Manager) *Builder {
+	b.accessManager = mgr
+	return b
+}
+
 // WithCoreAuthManager overrides the runtime auth manager responsible for request execution.
 func (b *Builder) WithCoreAuthManager(mgr *coreauth.Manager) *Builder {
 	b.coreManager = mgr
@@ -116,6 +124,16 @@ func (b *Builder) Build() (*Service, error) {
 		authManager = newDefaultAuthManager()
 	}

+	accessManager := b.accessManager
+	if accessManager == nil {
+		accessManager = sdkaccess.NewManager()
+	}
+	providers, err := sdkaccess.BuildProviders(b.cfg)
+	if err != nil {
+		return nil, err
+	}
+	accessManager.SetProviders(providers)
+
 	coreManager := b.coreManager
 	if coreManager == nil {
 		coreManager = coreauth.NewManager(coreauth.NewFileStore(b.cfg.AuthDir), nil, nil)
@@ -131,6 +149,7 @@ func (b *Builder) Build() (*Service, error) {
 		watcherFactory: watcherFactory,
 		hooks:          b.hooks,
 		authManager:    authManager,
+		accessManager:  accessManager,
 		coreManager:    coreManager,
 		serverOptions:  append([]api.ServerOption(nil), b.serverOptions...),
 	}
--- a/sdk/cliproxy/service.go
+++ b/sdk/cliproxy/service.go
@@ -16,6 +16,8 @@ import (
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/registry"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/runtime/executor"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
+	sdkaccess "github.com/router-for-me/CLIProxyAPI/v6/sdk/access"
+	_ "github.com/router-for-me/CLIProxyAPI/v6/sdk/access/providers/configapikey"
 	sdkAuth "github.com/router-for-me/CLIProxyAPI/v6/sdk/auth"
 	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 	log "github.com/sirupsen/logrus"
@@ -40,8 +42,9 @@ type Service struct {
 	watcherCancel context.CancelFunc

 	// legacy client caches removed
-	authManager *sdkAuth.Manager
-	coreManager *coreauth.Manager
+	authManager   *sdkAuth.Manager
+	accessManager *sdkaccess.Manager
+	coreManager   *coreauth.Manager

 	shutdownOnce sync.Once
 }
@@ -56,6 +59,18 @@ func newDefaultAuthManager() *sdkAuth.Manager {
 	)
 }

+func (s *Service) refreshAccessProviders(cfg *config.Config) {
+	if s == nil || s.accessManager == nil || cfg == nil {
+		return
+	}
+	providers, err := sdkaccess.BuildProviders(cfg)
+	if err != nil {
+		log.Errorf("failed to rebuild request auth providers: %v", err)
+		return
+	}
+	s.accessManager.SetProviders(providers)
+}
+
 // Run starts the service and blocks until the context is cancelled or the server stops.
 func (s *Service) Run(ctx context.Context) error {
 	if s == nil {
@@ -102,7 +117,8 @@ func (s *Service) Run(ctx context.Context) error {
 	// legacy clients removed; no caches to refresh

 	// handlers no longer depend on legacy clients; pass nil slice initially
-	s.server = api.NewServer(s.cfg, s.coreManager, s.configPath, s.serverOptions...)
+	s.refreshAccessProviders(s.cfg)
+	s.server = api.NewServer(s.cfg, s.coreManager, s.accessManager, s.configPath, s.serverOptions...)

 	if s.authManager == nil {
 		s.authManager = newDefaultAuthManager()
@@ -139,6 +155,7 @@ func (s *Service) Run(ctx context.Context) error {
 		// Pull the latest auth snapshot and sync
 		auths := watcherWrapper.SnapshotAuths()
 		s.syncCoreAuthFromAuths(ctx, auths)
+		s.refreshAccessProviders(newCfg)
 		if s.server != nil {
 			s.server.UpdateClients(newCfg)
 		}