From 94563d622c59aba3b5279c5d057c109cd618eb0d Mon Sep 17 00:00:00 2001 From: HEUDavid Date: Tue, 10 Feb 2026 07:26:08 +0800 Subject: [PATCH 1/9] feat/auth-hook: add post auth hook --- .../api/handlers/management/auth_files.go | 37 +++++++++++++++++++ internal/api/handlers/management/handler.go | 6 +++ internal/api/server.go | 11 ++++++ internal/auth/gemini/gemini_token.go | 29 ++++++++++++++- sdk/auth/filestore.go | 8 ++++ sdk/cliproxy/auth/types.go | 13 +++++++ sdk/cliproxy/builder.go | 10 +++++ 7 files changed, 113 insertions(+), 1 deletion(-) diff --git a/internal/api/handlers/management/auth_files.go b/internal/api/handlers/management/auth_files.go index e2ff23f1..fd45ae19 100644 --- a/internal/api/handlers/management/auth_files.go +++ b/internal/api/handlers/management/auth_files.go @@ -864,11 +864,17 @@ func (h *Handler) saveTokenRecord(ctx context.Context, record *coreauth.Auth) (s if store == nil { return "", fmt.Errorf("token store unavailable") } + if h.postAuthHook != nil { + if err := h.postAuthHook(ctx, record); err != nil { + return "", fmt.Errorf("post-auth hook failed: %w", err) + } + } return store.Save(ctx, record) } func (h *Handler) RequestAnthropicToken(c *gin.Context) { ctx := context.Background() + ctx = PopulateAuthContext(ctx, c) fmt.Println("Initializing Claude authentication...") @@ -1013,6 +1019,7 @@ func (h *Handler) RequestAnthropicToken(c *gin.Context) { func (h *Handler) RequestGeminiCLIToken(c *gin.Context) { ctx := context.Background() + ctx = PopulateAuthContext(ctx, c) proxyHTTPClient := util.SetProxy(&h.cfg.SDKConfig, &http.Client{}) ctx = context.WithValue(ctx, oauth2.HTTPClient, proxyHTTPClient) @@ -1247,6 +1254,7 @@ func (h *Handler) RequestGeminiCLIToken(c *gin.Context) { func (h *Handler) RequestCodexToken(c *gin.Context) { ctx := context.Background() + ctx = PopulateAuthContext(ctx, c) fmt.Println("Initializing Codex authentication...") 
@@ -1392,6 +1400,7 @@ func (h *Handler) RequestCodexToken(c *gin.Context) { func (h *Handler) RequestAntigravityToken(c *gin.Context) { ctx := context.Background() + ctx = PopulateAuthContext(ctx, c) fmt.Println("Initializing Antigravity authentication...") @@ -1556,6 +1565,7 @@ func (h *Handler) RequestAntigravityToken(c *gin.Context) { func (h *Handler) RequestQwenToken(c *gin.Context) { ctx := context.Background() + ctx = PopulateAuthContext(ctx, c) fmt.Println("Initializing Qwen authentication...") @@ -1611,6 +1621,7 @@ func (h *Handler) RequestQwenToken(c *gin.Context) { func (h *Handler) RequestKimiToken(c *gin.Context) { ctx := context.Background() + ctx = PopulateAuthContext(ctx, c) fmt.Println("Initializing Kimi authentication...") @@ -1687,6 +1698,7 @@ func (h *Handler) RequestKimiToken(c *gin.Context) { func (h *Handler) RequestIFlowToken(c *gin.Context) { ctx := context.Background() + ctx = PopulateAuthContext(ctx, c) fmt.Println("Initializing iFlow authentication...") @@ -2266,3 +2278,28 @@ func (h *Handler) GetAuthStatus(c *gin.Context) { } c.JSON(http.StatusOK, gin.H{"status": "wait"}) } + +// PopulateAuthContext extracts request info and adds it to the context +func PopulateAuthContext(ctx context.Context, c *gin.Context) context.Context { + info := &coreauth.RequestInfo{ + Query: make(map[string]string), + Headers: make(map[string]string), + } + + // Capture all query parameters + for k, v := range c.Request.URL.Query() { + if len(v) > 0 { + info.Query[k] = v[0] + } + } + + // Capture specific headers relevant for logging/auditing + headers := []string{"User-Agent", "X-Forwarded-For", "X-Real-IP", "Referer"} + for _, h := range headers { + if val := c.GetHeader(h); val != "" { + info.Headers[h] = val + } + } + + return context.WithValue(ctx, "request_info", info) +} diff --git a/internal/api/handlers/management/handler.go b/internal/api/handlers/management/handler.go index 613c9841..45786b9d 100644 --- a/internal/api/handlers/management/handler.go 
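Review bot: The header list in `PopulateAuthContext` is described as relevant for logging/auditing, but `X-Forwarded-For` and `X-Real-IP` are whatever the client sent unless a trusted reverse proxy overwrites them, so a hook cannot rely on them to identify the caller. I would say so in the doc comment, for example `// Header values are copied as received and are not authenticated; X-Forwarded-For and X-Real-IP are only meaningful behind a proxy that sets them.` The same comment could state that `Query` keeps only the first value of each parameter.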
+++ b/internal/api/handlers/management/handler.go @@ -47,6 +47,7 @@ type Handler struct { allowRemoteOverride bool envSecret string logDir string + postAuthHook coreauth.PostAuthHook } // NewHandler creates a new management handler instance. @@ -128,6 +129,11 @@ func (h *Handler) SetLogDirectory(dir string) { h.logDir = dir } +// SetPostAuthHook registers a hook to be called after auth record creation but before persistence. +func (h *Handler) SetPostAuthHook(hook coreauth.PostAuthHook) { + h.postAuthHook = hook +} + // Middleware enforces access control for management endpoints. // All requests (local and remote) require a valid management key. // Additionally, remote access requires allow-remote-management=true. diff --git a/internal/api/server.go b/internal/api/server.go index 4cbcbba2..52e7dd29 100644 --- a/internal/api/server.go +++ b/internal/api/server.go @@ -51,6 +51,7 @@ type serverOptionConfig struct { keepAliveEnabled bool keepAliveTimeout time.Duration keepAliveOnTimeout func() + postAuthHook auth.PostAuthHook } // ServerOption customises HTTP server construction. @@ -111,6 +112,13 @@ func WithRequestLoggerFactory(factory func(*config.Config, string) logging.Reque } } +// WithPostAuthHook registers a hook to be called after auth record creation. +func WithPostAuthHook(hook auth.PostAuthHook) ServerOption { + return func(cfg *serverOptionConfig) { + cfg.postAuthHook = hook + } +} + // Server represents the main API server. // It encapsulates the Gin engine, HTTP server, handlers, and configuration. type Server struct { @@ -262,6 +270,9 @@ func NewServer(cfg *config.Config, authManager *auth.Manager, accessManager *sdk } logDir := logging.ResolveLogDirectory(cfg) s.mgmt.SetLogDirectory(logDir) + if optionState.postAuthHook != nil { + s.mgmt.SetPostAuthHook(optionState.postAuthHook) + } s.localPassword = optionState.localPassword // Setup routes 
diff --git a/internal/auth/gemini/gemini_token.go b/internal/auth/gemini/gemini_token.go index 0ec7da17..24828076 100644 --- a/internal/auth/gemini/gemini_token.go +++ b/internal/auth/gemini/gemini_token.go @@ -35,11 +35,21 @@ type GeminiTokenStorage struct { // Type indicates the authentication provider type, always "gemini" for this storage. Type string `json:"type"` + + // Metadata holds arbitrary key-value pairs injected via hooks. + // It is not exported to JSON directly to allow flattening during serialization. + Metadata map[string]any `json:"-"` +} + +// SetMetadata allows external callers to inject metadata into the storage before saving. +func (ts *GeminiTokenStorage) SetMetadata(meta map[string]any) { + ts.Metadata = meta } // SaveTokenToFile serializes the Gemini token storage to a JSON file. // This method creates the necessary directory structure and writes the token // data in JSON format to the specified file path for persistent storage. +// It merges any injected metadata into the top-level JSON object. // // Parameters: // - authFilePath: The full path where the token file should be saved @@ -63,7 +73,24 @@ func (ts *GeminiTokenStorage) SaveTokenToFile(authFilePath string) error { } }() - if err = json.NewEncoder(f).Encode(ts); err != nil { + // Convert struct to map for merging + data := make(map[string]any) + temp, errJson := json.Marshal(ts) + if errJson != nil { + return fmt.Errorf("failed to marshal struct: %w", errJson) + } + if errUnmarshal := json.Unmarshal(temp, &data); errUnmarshal != nil { + return fmt.Errorf("failed to unmarshal struct map: %w", errUnmarshal) + } + + // Merge extra metadata + if ts.Metadata != nil { + for k, v := range ts.Metadata { + data[k] = v + } + } + + if err = json.NewEncoder(f).Encode(data); err != nil { return fmt.Errorf("failed to write token to file: %w", err) } return nil diff --git a/sdk/auth/filestore.go b/sdk/auth/filestore.go index 0bb7ff7d..a68d3cd2 100644 --- a/sdk/auth/filestore.go 
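Review bot: The merge loop in `SaveTokenToFile` lets any metadata key replace a field of the serialized token, because `data[k] = v` runs after the struct has been flattened into `data`. The metadata is supplied by a post-auth hook, possibly derived from request data, so a key that collides with one of the struct's JSON names (`type`, for instance) silently changes the stored credential. If overriding is not intended, keep the struct's value with `if _, exists := data[k]; !exists { data[k] = v }`, or reject colliding keys with an error. The same loop is added to the Claude, Codex, iFlow, Kimi and Qwen storages in the next patch and later moves into `misc.MergeMetadata`.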
+++ b/sdk/auth/filestore.go @@ -62,8 +62,16 @@ func (s *FileTokenStore) Save(ctx context.Context, auth *cliproxyauth.Auth) (str return "", fmt.Errorf("auth filestore: create dir failed: %w", err) } + // metadataSetter is a private interface for TokenStorage implementations that support metadata injection. + type metadataSetter interface { + SetMetadata(map[string]any) + } + switch { case auth.Storage != nil: + if setter, ok := auth.Storage.(metadataSetter); ok { + setter.SetMetadata(auth.Metadata) + } if err = auth.Storage.SaveTokenToFile(path); err != nil { return "", err } diff --git a/sdk/cliproxy/auth/types.go b/sdk/cliproxy/auth/types.go index b2bbe0a2..e1ba6bb5 100644 --- a/sdk/cliproxy/auth/types.go +++ b/sdk/cliproxy/auth/types.go @@ -1,6 +1,7 @@ package auth import ( + "context" "crypto/sha256" "encoding/hex" "encoding/json" @@ -12,6 +13,18 @@ import ( baseauth "github.com/router-for-me/CLIProxyAPI/v6/internal/auth" ) +// PostAuthHook defines a function that is called after an Auth record is created +// but before it is persisted to storage. This allows for modification of the +// Auth record (e.g., injecting metadata) based on external context. +type PostAuthHook func(context.Context, *Auth) error + +// RequestInfo holds information extracted from the HTTP request. +// It is injected into the context passed to PostAuthHook. +type RequestInfo struct { + Query map[string]string + Headers map[string]string +} + // Auth encapsulates the runtime state and metadata associated with a single credential. type Auth struct { // ID uniquely identifies the auth record across restarts. diff --git a/sdk/cliproxy/builder.go b/sdk/cliproxy/builder.go index 60ca07f5..0e6d1421 100644 --- a/sdk/cliproxy/builder.go +++ b/sdk/cliproxy/builder.go 
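Review bot: `setter.SetMetadata(auth.Metadata)` in `Save` hands the storage the whole `Auth.Metadata` map, not only the entries a hook added, and the setters shown in this series keep that map by reference (`ts.Metadata = meta`). Every key in it is then written to the top level of the token file on each save, and a later change to `auth.Metadata` is visible through the storage as well. If only hook-supplied keys should be persisted, that needs to be stated and enforced here; at minimum the setter implementations should copy the map before storing it. `Save` continues outside the hunk, so what the other `switch` branches do with `Metadata` is not visible.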
@@ -153,6 +153,16 @@ func (b *Builder) WithLocalManagementPassword(password string) *Builder { return b } +// WithPostAuthHook registers a hook to be called after an Auth record is created +// but before it is persisted to storage. +func (b *Builder) WithPostAuthHook(hook coreauth.PostAuthHook) *Builder { + if hook == nil { + return b + } + b.serverOptions = append(b.serverOptions, api.WithPostAuthHook(hook)) + return b +} + // Build validates inputs, applies defaults, and returns a ready-to-run service. func (b *Builder) Build() (*Service, error) { if b.cfg == nil { From 48e957ddff9bb7e25f02c298014968e0e2854f3a Mon Sep 17 00:00:00 2001 From: HEUDavid Date: Tue, 10 Feb 2026 07:40:25 +0800 Subject: [PATCH 2/9] feat/auth-hook: add post auth hook --- internal/auth/claude/token.go | 29 ++++++++++++++++++++++++++++- internal/auth/codex/token.go | 30 ++++++++++++++++++++++++++++-- internal/auth/iflow/iflow_token.go | 28 +++++++++++++++++++++++++++- internal/auth/kimi/token.go | 28 +++++++++++++++++++++++++++- internal/auth/qwen/qwen_token.go | 29 ++++++++++++++++++++++++++++- 5 files changed, 138 insertions(+), 6 deletions(-) diff --git a/internal/auth/claude/token.go b/internal/auth/claude/token.go index cda10d58..c36f8e76 100644 --- a/internal/auth/claude/token.go +++ b/internal/auth/claude/token.go 
@@ -36,11 +36,21 @@ type ClaudeTokenStorage struct { // Expire is the timestamp when the current access token expires. Expire string `json:"expired"` + + // Metadata holds arbitrary key-value pairs injected via hooks. + // It is not exported to JSON directly to allow flattening during serialization. + Metadata map[string]any `json:"-"` +} + +// SetMetadata allows external callers to inject metadata into the storage before saving. +func (ts *ClaudeTokenStorage) SetMetadata(meta map[string]any) { + ts.Metadata = meta } // SaveTokenToFile serializes the Claude token storage to a JSON file. // This method creates the necessary directory structure and writes the token // data in JSON format to the specified file path for persistent storage. +// It merges any injected metadata into the top-level JSON object. // // Parameters: // - authFilePath: The full path where the token file should be saved @@ -65,8 +75,25 @@ func (ts *ClaudeTokenStorage) SaveTokenToFile(authFilePath string) error { _ = f.Close() }() + // Convert struct to map for merging + data := make(map[string]any) + temp, errJson := json.Marshal(ts) + if errJson != nil { + return fmt.Errorf("failed to marshal struct: %w", errJson) + } + if errUnmarshal := json.Unmarshal(temp, &data); errUnmarshal != nil { + return fmt.Errorf("failed to unmarshal struct map: %w", errUnmarshal) + } + + // Merge extra metadata + if ts.Metadata != nil { + for k, v := range ts.Metadata { + data[k] = v + } + } + // Encode and write the token data as JSON - if err = json.NewEncoder(f).Encode(ts); err != nil { + if err = json.NewEncoder(f).Encode(data); err != nil { return fmt.Errorf("failed to write token to file: %w", err) } return nil diff --git a/internal/auth/codex/token.go b/internal/auth/codex/token.go index e93fc417..1ea84f3a 100644 --- a/internal/auth/codex/token.go +++ b/internal/auth/codex/token.go 
@@ -32,11 +32,21 @@ type CodexTokenStorage struct { Type string `json:"type"` // Expire is the timestamp when the current access token expires. Expire string `json:"expired"` + + // Metadata holds arbitrary key-value pairs injected via hooks. + // It is not exported to JSON directly to allow flattening during serialization. + Metadata map[string]any `json:"-"` +} + +// SetMetadata allows external callers to inject metadata into the storage before saving. +func (ts *CodexTokenStorage) SetMetadata(meta map[string]any) { + ts.Metadata = meta } // SaveTokenToFile serializes the Codex token storage to a JSON file. // This method creates the necessary directory structure and writes the token // data in JSON format to the specified file path for persistent storage. +// It merges any injected metadata into the top-level JSON object. // // Parameters: // - authFilePath: The full path where the token file should be saved @@ -58,9 +68,25 @@ func (ts *CodexTokenStorage) SaveTokenToFile(authFilePath string) error { _ = f.Close() }() - if err = json.NewEncoder(f).Encode(ts); err != nil { + // Convert struct to map for merging + data := make(map[string]any) + temp, errJson := json.Marshal(ts) + if errJson != nil { + return fmt.Errorf("failed to marshal struct: %w", errJson) + } + if errUnmarshal := json.Unmarshal(temp, &data); errUnmarshal != nil { + return fmt.Errorf("failed to unmarshal struct map: %w", errUnmarshal) + } + + // Merge extra metadata + if ts.Metadata != nil { + for k, v := range ts.Metadata { + data[k] = v + } + } + + if err = json.NewEncoder(f).Encode(data); err != nil { return fmt.Errorf("failed to write token to file: %w", err) } return nil - } diff --git a/internal/auth/iflow/iflow_token.go b/internal/auth/iflow/iflow_token.go index 6d2beb39..13eb7de1 100644 --- a/internal/auth/iflow/iflow_token.go +++ b/internal/auth/iflow/iflow_token.go 
@@ -21,6 +21,15 @@ type IFlowTokenStorage struct { Scope string `json:"scope"` Cookie string `json:"cookie"` Type string `json:"type"` + + // Metadata holds arbitrary key-value pairs injected via hooks. + // It is not exported to JSON directly to allow flattening during serialization. + Metadata map[string]any `json:"-"` +} + +// SetMetadata allows external callers to inject metadata into the storage before saving. +func (ts *IFlowTokenStorage) SetMetadata(meta map[string]any) { + ts.Metadata = meta } // SaveTokenToFile serialises the token storage to disk. @@ -37,7 +46,24 @@ func (ts *IFlowTokenStorage) SaveTokenToFile(authFilePath string) error { } defer func() { _ = f.Close() }() - if err = json.NewEncoder(f).Encode(ts); err != nil { + // Convert struct to map for merging + data := make(map[string]any) + temp, errJson := json.Marshal(ts) + if errJson != nil { + return fmt.Errorf("failed to marshal struct: %w", errJson) + } + if errUnmarshal := json.Unmarshal(temp, &data); errUnmarshal != nil { + return fmt.Errorf("failed to unmarshal struct map: %w", errUnmarshal) + } + + // Merge extra metadata + if ts.Metadata != nil { + for k, v := range ts.Metadata { + data[k] = v + } + } + + if err = json.NewEncoder(f).Encode(data); err != nil { return fmt.Errorf("iflow token: encode token failed: %w", err) } return nil diff --git a/internal/auth/kimi/token.go b/internal/auth/kimi/token.go index d4d06b64..15171d93 100644 --- a/internal/auth/kimi/token.go +++ b/internal/auth/kimi/token.go 
@@ -29,6 +29,15 @@ type KimiTokenStorage struct { Expired string `json:"expired,omitempty"` // Type indicates the authentication provider type, always "kimi" for this storage. Type string `json:"type"` + + // Metadata holds arbitrary key-value pairs injected via hooks. + // It is not exported to JSON directly to allow flattening during serialization. + Metadata map[string]any `json:"-"` +} + +// SetMetadata allows external callers to inject metadata into the storage before saving. +func (ts *KimiTokenStorage) SetMetadata(meta map[string]any) { + ts.Metadata = meta } // KimiTokenData holds the raw OAuth token response from Kimi. @@ -86,9 +95,26 @@ func (ts *KimiTokenStorage) SaveTokenToFile(authFilePath string) error { _ = f.Close() }() + // Convert struct to map for merging + data := make(map[string]any) + temp, errJson := json.Marshal(ts) + if errJson != nil { + return fmt.Errorf("failed to marshal struct: %w", errJson) + } + if errUnmarshal := json.Unmarshal(temp, &data); errUnmarshal != nil { + return fmt.Errorf("failed to unmarshal struct map: %w", errUnmarshal) + } + + // Merge extra metadata + if ts.Metadata != nil { + for k, v := range ts.Metadata { + data[k] = v + } + } + encoder := json.NewEncoder(f) encoder.SetIndent("", " ") - if err = encoder.Encode(ts); err != nil { + if err = encoder.Encode(data); err != nil { return fmt.Errorf("failed to write token to file: %w", err) } return nil diff --git a/internal/auth/qwen/qwen_token.go b/internal/auth/qwen/qwen_token.go index 4a2b3a2d..8037bdb7 100644 --- a/internal/auth/qwen/qwen_token.go +++ b/internal/auth/qwen/qwen_token.go 
@@ -30,11 +30,21 @@ type QwenTokenStorage struct { Type string `json:"type"` // Expire is the timestamp when the current access token expires. Expire string `json:"expired"` + + // Metadata holds arbitrary key-value pairs injected via hooks. + // It is not exported to JSON directly to allow flattening during serialization. + Metadata map[string]any `json:"-"` +} + +// SetMetadata allows external callers to inject metadata into the storage before saving. +func (ts *QwenTokenStorage) SetMetadata(meta map[string]any) { + ts.Metadata = meta } // SaveTokenToFile serializes the Qwen token storage to a JSON file. // This method creates the necessary directory structure and writes the token // data in JSON format to the specified file path for persistent storage. +// It merges any injected metadata into the top-level JSON object. // // Parameters: // - authFilePath: The full path where the token file should be saved @@ -56,7 +66,24 @@ func (ts *QwenTokenStorage) SaveTokenToFile(authFilePath string) error { _ = f.Close() }() - if err = json.NewEncoder(f).Encode(ts); err != nil { + // Convert struct to map for merging + data := make(map[string]any) + temp, errJson := json.Marshal(ts) + if errJson != nil { + return fmt.Errorf("failed to marshal struct: %w", errJson) + } + if errUnmarshal := json.Unmarshal(temp, &data); errUnmarshal != nil { + return fmt.Errorf("failed to unmarshal struct map: %w", errUnmarshal) + } + + // Merge extra metadata + if ts.Metadata != nil { + for k, v := range ts.Metadata { + data[k] = v + } + } + + if err = json.NewEncoder(f).Encode(data); err != nil { return fmt.Errorf("failed to write token to file: %w", err) } return nil From d536110404ed16b2e48fda02b8dc5c02386b80de Mon Sep 17 00:00:00 2001 
From: HEUDavid Date: Tue, 10 Feb 2026 08:35:36 +0800 Subject: [PATCH 3/9] feat/auth-hook: add post auth hook --- internal/auth/claude/token.go | 19 +++--------- internal/auth/codex/token.go | 19 +++--------- internal/auth/gemini/gemini_token.go | 45 ++++++++++++---------------- internal/auth/iflow/iflow_token.go | 19 +++--------- internal/auth/kimi/token.go | 19 +++--------- internal/auth/qwen/qwen_token.go | 19 +++--------- internal/misc/credentials.go | 35 ++++++++++++++++++++++ 7 files changed, 74 insertions(+), 101 deletions(-) diff --git a/internal/auth/claude/token.go b/internal/auth/claude/token.go index c36f8e76..6ebb0f2f 100644 --- a/internal/auth/claude/token.go +++ b/internal/auth/claude/token.go @@ -75,21 +75,10 @@ func (ts *ClaudeTokenStorage) SaveTokenToFile(authFilePath string) error { _ = f.Close() }() - // Convert struct to map for merging - data := make(map[string]any) - temp, errJson := json.Marshal(ts) - if errJson != nil { - return fmt.Errorf("failed to marshal struct: %w", errJson) - } - if errUnmarshal := json.Unmarshal(temp, &data); errUnmarshal != nil { - return fmt.Errorf("failed to unmarshal struct map: %w", errUnmarshal) - } - - // Merge extra metadata - if ts.Metadata != nil { - for k, v := range ts.Metadata { - data[k] = v - } + // Merge metadata using helper + data, errMerge := misc.MergeMetadata(ts, ts.Metadata) + if errMerge != nil { + return fmt.Errorf("failed to merge metadata: %w", errMerge) } // Encode and write the token data as JSON diff --git a/internal/auth/codex/token.go b/internal/auth/codex/token.go index 1ea84f3a..a3252d1b 100644 --- a/internal/auth/codex/token.go +++ b/internal/auth/codex/token.go 
@@ -68,21 +68,10 @@ func (ts *CodexTokenStorage) SaveTokenToFile(authFilePath string) error { _ = f.Close() }() - // Convert struct to map for merging - data := make(map[string]any) - temp, errJson := json.Marshal(ts) - if errJson != nil { - return fmt.Errorf("failed to marshal struct: %w", errJson) - } - if errUnmarshal := json.Unmarshal(temp, &data); errUnmarshal != nil { - return fmt.Errorf("failed to unmarshal struct map: %w", errUnmarshal) - } - - // Merge extra metadata - if ts.Metadata != nil { - for k, v := range ts.Metadata { - data[k] = v - } + // Merge metadata using helper + data, errMerge := misc.MergeMetadata(ts, ts.Metadata) + if errMerge != nil { + return fmt.Errorf("failed to merge metadata: %w", errMerge) } if err = json.NewEncoder(f).Encode(data); err != nil { diff --git a/internal/auth/gemini/gemini_token.go b/internal/auth/gemini/gemini_token.go index 24828076..f84564e2 100644 --- a/internal/auth/gemini/gemini_token.go +++ b/internal/auth/gemini/gemini_token.go @@ -11,7 +11,6 @@ import ( "strings" "github.com/router-for-me/CLIProxyAPI/v6/internal/misc" - log "github.com/sirupsen/logrus" ) // GeminiTokenStorage stores OAuth2 token information for Google Gemini API authentication. 
@@ -58,41 +57,35 @@ func (ts *GeminiTokenStorage) SetMetadata(meta map[string]any) { // - error: An error if the operation fails, nil otherwise func (ts *GeminiTokenStorage) SaveTokenToFile(authFilePath string) error { misc.LogSavingCredentials(authFilePath) - ts.Type = "gemini" - if err := os.MkdirAll(filepath.Dir(authFilePath), 0700); err != nil { - return fmt.Errorf("failed to create directory: %v", err) + ts.Type = "gemini" // Ensure type is set before merging/saving + + // Merge metadata using helper + data, errMerge := misc.MergeMetadata(ts, ts.Metadata) + if errMerge != nil { + return fmt.Errorf("failed to merge metadata: %w", errMerge) } + // Create parent directory + if err := os.MkdirAll(filepath.Dir(authFilePath), os.ModePerm); err != nil { + return fmt.Errorf("failed to create directory: %w", err) + } + + // Create file f, err := os.Create(authFilePath) if err != nil { - return fmt.Errorf("failed to create token file: %w", err) + return fmt.Errorf("failed to create file: %w", err) } defer func() { - if errClose := f.Close(); errClose != nil { - log.Errorf("failed to close file: %v", errClose) - } + _ = f.Close() }() - // Convert struct to map for merging - data := make(map[string]any) - temp, errJson := json.Marshal(ts) - if errJson != nil { - return fmt.Errorf("failed to marshal struct: %w", errJson) - } - if errUnmarshal := json.Unmarshal(temp, &data); errUnmarshal != nil { - return fmt.Errorf("failed to unmarshal struct map: %w", errUnmarshal) + // Write to file + enc := json.NewEncoder(f) + enc.SetIndent("", " ") + if err := enc.Encode(data); err != nil { + return fmt.Errorf("failed to encode token to file: %w", err) } - // Merge extra metadata - if ts.Metadata != nil { - for k, v := range ts.Metadata { - data[k] = v - } - } - - if err = json.NewEncoder(f).Encode(data); err != nil { - return fmt.Errorf("failed to write token to file: %w", err) - } return nil } 
diff --git a/internal/auth/iflow/iflow_token.go b/internal/auth/iflow/iflow_token.go index 13eb7de1..a515c926 100644 --- a/internal/auth/iflow/iflow_token.go +++ b/internal/auth/iflow/iflow_token.go @@ -46,21 +46,10 @@ func (ts *IFlowTokenStorage) SaveTokenToFile(authFilePath string) error { } defer func() { _ = f.Close() }() - // Convert struct to map for merging - data := make(map[string]any) - temp, errJson := json.Marshal(ts) - if errJson != nil { - return fmt.Errorf("failed to marshal struct: %w", errJson) - } - if errUnmarshal := json.Unmarshal(temp, &data); errUnmarshal != nil { - return fmt.Errorf("failed to unmarshal struct map: %w", errUnmarshal) - } - - // Merge extra metadata - if ts.Metadata != nil { - for k, v := range ts.Metadata { - data[k] = v - } + // Merge metadata using helper + data, errMerge := misc.MergeMetadata(ts, ts.Metadata) + if errMerge != nil { + return fmt.Errorf("failed to merge metadata: %w", errMerge) } if err = json.NewEncoder(f).Encode(data); err != nil { diff --git a/internal/auth/kimi/token.go b/internal/auth/kimi/token.go index 15171d93..7320d760 100644 --- a/internal/auth/kimi/token.go +++ b/internal/auth/kimi/token.go @@ -95,21 +95,10 @@ func (ts *KimiTokenStorage) SaveTokenToFile(authFilePath string) error { _ = f.Close() }() - // Convert struct to map for merging - data := make(map[string]any) - temp, errJson := json.Marshal(ts) - if errJson != nil { - return fmt.Errorf("failed to marshal struct: %w", errJson) - } - if errUnmarshal := json.Unmarshal(temp, &data); errUnmarshal != nil { - return fmt.Errorf("failed to unmarshal struct map: %w", errUnmarshal) - } - - // Merge extra metadata - if ts.Metadata != nil { - for k, v := range ts.Metadata { - data[k] = v - } + // Merge metadata using helper + data, errMerge := misc.MergeMetadata(ts, ts.Metadata) + if errMerge != nil { + return fmt.Errorf("failed to merge metadata: %w", errMerge) } encoder := json.NewEncoder(f) 
diff --git a/internal/auth/qwen/qwen_token.go b/internal/auth/qwen/qwen_token.go index 8037bdb7..276c8b40 100644 --- a/internal/auth/qwen/qwen_token.go +++ b/internal/auth/qwen/qwen_token.go @@ -66,21 +66,10 @@ func (ts *QwenTokenStorage) SaveTokenToFile(authFilePath string) error { _ = f.Close() }() - // Convert struct to map for merging - data := make(map[string]any) - temp, errJson := json.Marshal(ts) - if errJson != nil { - return fmt.Errorf("failed to marshal struct: %w", errJson) - } - if errUnmarshal := json.Unmarshal(temp, &data); errUnmarshal != nil { - return fmt.Errorf("failed to unmarshal struct map: %w", errUnmarshal) - } - - // Merge extra metadata - if ts.Metadata != nil { - for k, v := range ts.Metadata { - data[k] = v - } + // Merge metadata using helper + data, errMerge := misc.MergeMetadata(ts, ts.Metadata) + if errMerge != nil { + return fmt.Errorf("failed to merge metadata: %w", errMerge) } if err = json.NewEncoder(f).Encode(data); err != nil { diff --git a/internal/misc/credentials.go b/internal/misc/credentials.go index b03cd788..6b4f9ced 100644 --- a/internal/misc/credentials.go +++ b/internal/misc/credentials.go @@ -1,6 +1,7 @@ package misc import ( + "encoding/json" "fmt" "path/filepath" "strings" 
@@ -24,3 +25,37 @@ func LogSavingCredentials(path string) { func LogCredentialSeparator() { log.Debug(credentialSeparator) } + +// MergeMetadata serializes the source struct into a map and merges the provided metadata into it. +func MergeMetadata(source any, metadata map[string]any) (map[string]any, error) { + var data map[string]any + + // Fast path: if source is already a map, just copy it to avoid mutation of original + if srcMap, ok := source.(map[string]any); ok { + data = make(map[string]any, len(srcMap)+len(metadata)) + for k, v := range srcMap { + data[k] = v + } + } else { + // Slow path: marshal to JSON and back to map to respect JSON tags + temp, err := json.Marshal(source) + if err != nil { + return nil, fmt.Errorf("failed to marshal source: %w", err) + } + if err := json.Unmarshal(temp, &data); err != nil { + return nil, fmt.Errorf("failed to unmarshal to map: %w", err) + } + } + + // Merge extra metadata + if metadata != nil { + if data == nil { + data = make(map[string]any) + } + for k, v := range metadata { + data[k] = v + } + } + + return data, nil +} From 8a565dcad82a6b6c8e5db914925116cb68e809eb Mon Sep 17 00:00:00 2001 From: HEUDavid Date: Tue, 10 Feb 2026 08:53:23 +0800 Subject: [PATCH 4/9] feat/auth-hook: add post auth hook --- internal/auth/codex/token.go | 1 + internal/auth/gemini/gemini_token.go | 17 +++++++---------- 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/internal/auth/codex/token.go b/internal/auth/codex/token.go index a3252d1b..7f032071 100644 --- a/internal/auth/codex/token.go +++ b/internal/auth/codex/token.go @@ -78,4 +78,5 @@ func (ts *CodexTokenStorage) SaveTokenToFile(authFilePath string) error { return fmt.Errorf("failed to write token to file: %w", err) } return nil + } diff --git a/internal/auth/gemini/gemini_token.go b/internal/auth/gemini/gemini_token.go index f84564e2..c8413d57 100644 --- a/internal/auth/gemini/gemini_token.go +++ b/internal/auth/gemini/gemini_token.go 
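Review bot: `MergeMetadata` decodes the marshalled source with `json.Unmarshal(temp, &data)`, which turns every JSON number into a `float64`; an integer field above 2^53 would be written back to the credential file with a different value. Decoding with `dec := json.NewDecoder(bytes.NewReader(temp)); dec.UseNumber()` followed by `dec.Decode(&data)` keeps numbers as written (it needs the `bytes` import). The fast path for `map[string]any` is a shallow copy, which is worth stating in the doc comment since nested maps stay shared with the caller.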
@@ -11,6 +11,7 @@ import ( "strings" "github.com/router-for-me/CLIProxyAPI/v6/internal/misc" + log "github.com/sirupsen/logrus" ) // GeminiTokenStorage stores OAuth2 token information for Google Gemini API authentication. @@ -57,35 +58,31 @@ func (ts *GeminiTokenStorage) SetMetadata(meta map[string]any) { // - error: An error if the operation fails, nil otherwise func (ts *GeminiTokenStorage) SaveTokenToFile(authFilePath string) error { misc.LogSavingCredentials(authFilePath) - ts.Type = "gemini" // Ensure type is set before merging/saving - + ts.Type = "gemini" // Merge metadata using helper data, errMerge := misc.MergeMetadata(ts, ts.Metadata) if errMerge != nil { return fmt.Errorf("failed to merge metadata: %w", errMerge) } - - // Create parent directory if err := os.MkdirAll(filepath.Dir(authFilePath), os.ModePerm); err != nil { - return fmt.Errorf("failed to create directory: %w", err) + return fmt.Errorf("failed to create directory: %v", err) } - // Create file f, err := os.Create(authFilePath) if err != nil { - return fmt.Errorf("failed to create file: %w", err) + return fmt.Errorf("failed to create token file: %w", err) } defer func() { - _ = f.Close() + if errClose := f.Close(); errClose != nil { + log.Errorf("failed to close file: %v", errClose) + } }() - // Write to file enc := json.NewEncoder(f) enc.SetIndent("", " ") if err := enc.Encode(data); err != nil { return fmt.Errorf("failed to encode token to file: %w", err) } - return nil } From cce13e6ad23e0e3c9b1aa27cd205c880045eed47 Mon Sep 17 00:00:00 2001 From: HEUDavid Date: Tue, 10 Feb 2026 08:55:35 +0800 Subject: [PATCH 5/9] feat/auth-hook: add post auth hook --- internal/auth/gemini/gemini_token.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/auth/gemini/gemini_token.go b/internal/auth/gemini/gemini_token.go index c8413d57..a462e95a 100644 --- a/internal/auth/gemini/gemini_token.go +++ b/internal/auth/gemini/gemini_token.go 
@@ -81,7 +81,7 @@ func (ts *GeminiTokenStorage) SaveTokenToFile(authFilePath string) error { enc := json.NewEncoder(f) enc.SetIndent("", " ") if err := enc.Encode(data); err != nil { - return fmt.Errorf("failed to encode token to file: %w", err) + return fmt.Errorf("failed to write token to file: %w", err) } return nil } From 269972440a12e1d000a06063f0bd1d04727891bd Mon Sep 17 00:00:00 2001 From: HEUDavid Date: Tue, 10 Feb 2026 08:56:26 +0800 Subject: [PATCH 6/9] feat/auth-hook: add post auth hook --- internal/auth/gemini/gemini_token.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/auth/gemini/gemini_token.go b/internal/auth/gemini/gemini_token.go index a462e95a..6848b708 100644 --- a/internal/auth/gemini/gemini_token.go +++ b/internal/auth/gemini/gemini_token.go @@ -64,7 +64,7 @@ func (ts *GeminiTokenStorage) SaveTokenToFile(authFilePath string) error { if errMerge != nil { return fmt.Errorf("failed to merge metadata: %w", errMerge) } - if err := os.MkdirAll(filepath.Dir(authFilePath), os.ModePerm); err != nil { + if err := os.MkdirAll(filepath.Dir(authFilePath), 0700); err != nil { return fmt.Errorf("failed to create directory: %v", err) } From 6a9e3a6b84e057866fa0f387678c08470e0feb80 Mon Sep 17 00:00:00 2001 From: HEUDavid Date: Tue, 10 Feb 2026 09:24:59 +0800 Subject: [PATCH 7/9] feat/auth-hook: add post auth hook --- internal/api/handlers/management/auth_files.go | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/internal/api/handlers/management/auth_files.go b/internal/api/handlers/management/auth_files.go index fd45ae19..38004794 100644 --- a/internal/api/handlers/management/auth_files.go +++ b/internal/api/handlers/management/auth_files.go 
@@ -2293,11 +2293,10 @@ func PopulateAuthContext(ctx context.Context, c *gin.Context) context.Context { } } - // Capture specific headers relevant for logging/auditing - headers := []string{"User-Agent", "X-Forwarded-For", "X-Real-IP", "Referer"} - for _, h := range headers { - if val := c.GetHeader(h); val != "" { - info.Headers[h] = val + // Capture all headers + for k, v := range c.Request.Header { + if len(v) > 0 { + info.Headers[k] = v[0] } } From 3caadac0033a5f869ce5554d7d4b5ef5a7b359ee Mon Sep 17 00:00:00 2001 From: HEUDavid Date: Tue, 10 Feb 2026 22:11:41 +0800 Subject: [PATCH 8/9] feat/auth-hook: add post auth hook [CR] --- internal/api/handlers/management/auth_files.go | 10 +++++----- sdk/cliproxy/auth/types.go | 15 +++++++++++++++ 2 files changed, 20 insertions(+), 5 deletions(-) diff --git a/internal/api/handlers/management/auth_files.go b/internal/api/handlers/management/auth_files.go index 38004794..5d4e98ec 100644 --- a/internal/api/handlers/management/auth_files.go +++ b/internal/api/handlers/management/auth_files.go @@ -2286,19 +2286,19 @@ func PopulateAuthContext(ctx context.Context, c *gin.Context) context.Context { Headers: make(map[string]string), } - // Capture all query parameters + // Capture all query parameters, joining multiple values with a comma. for k, v := range c.Request.URL.Query() { if len(v) > 0 { - info.Query[k] = v[0] + info.Query[k] = strings.Join(v, ",") } } - // Capture all headers + // Capture all headers, joining multiple values with a comma. for k, v := range c.Request.Header { if len(v) > 0 { - info.Headers[k] = v[0] + info.Headers[k] = strings.Join(v, ",") } } - return context.WithValue(ctx, "request_info", info) + return coreauth.WithRequestInfo(ctx, info) } diff --git a/sdk/cliproxy/auth/types.go b/sdk/cliproxy/auth/types.go index e1ba6bb5..29b4a560 100644 --- a/sdk/cliproxy/auth/types.go +++ b/sdk/cliproxy/auth/types.go 
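Review bot: Replacing the four-name allow-list with a loop over `c.Request.Header` copies every request header into `RequestInfo`, including `Authorization`, `Cookie` and whatever header carries the management credential, and hands them to the post-auth hook. A hook that logs or forwards the struct for auditing would then write those secrets out. Either keep the allow-list or skip sensitive names in the loop, e.g. `if k == "Authorization" || k == "Cookie" { continue }`, and state in the comment which headers are withheld. The later hunks in this series that switch to `strings.Join` and then to `Headers: c.Request.Header` keep the same full capture. `PopulateAuthContext` begins above this hunk.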
@@ -25,6 +25,21 @@ type RequestInfo struct { Headers map[string]string } +type requestInfoKey struct{} + +// WithRequestInfo returns a new context with the given RequestInfo attached. +func WithRequestInfo(ctx context.Context, info *RequestInfo) context.Context { + return context.WithValue(ctx, requestInfoKey{}, info) +} + +// GetRequestInfo retrieves the RequestInfo from the context, if present. +func GetRequestInfo(ctx context.Context) *RequestInfo { + if val, ok := ctx.Value(requestInfoKey{}).(*RequestInfo); ok { + return val + } + return nil +} + // Auth encapsulates the runtime state and metadata associated with a single credential. type Auth struct { // ID uniquely identifies the auth record across restarts. From 65debb874f4c149a00f64fa54747e2b34d5965cd Mon Sep 17 00:00:00 2001 From: HEUDavid Date: Thu, 12 Feb 2026 06:44:07 +0800 Subject: [PATCH 9/9] feat/auth-hook: refactor RequstInfo to preserve original HTTP semantics --- .../api/handlers/management/auth_files.go | 19 ++----------------- sdk/cliproxy/auth/types.go | 6 ++++-- 2 files changed, 6 insertions(+), 19 deletions(-) diff --git a/internal/api/handlers/management/auth_files.go b/internal/api/handlers/management/auth_files.go index 5d4e98ec..39c04fff 100644 --- a/internal/api/handlers/management/auth_files.go +++ b/internal/api/handlers/management/auth_files.go 
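Review bot: The doc comments on `WithRequestInfo` and `GetRequestInfo` omit two things a hook author needs to know. `GetRequestInfo` returns nil when nothing was attached, and `WithRequestInfo` stores the pointer it is given rather than a copy, so every holder of the context sees the same `RequestInfo`. I would write `// GetRequestInfo returns the RequestInfo attached by WithRequestInfo, or nil if none is present.` and add `// The info pointer is stored as-is; callers must not modify it afterwards.` to `WithRequestInfo`. `requestInfoKey` could also carry a one-line comment saying it is the unexported context key type.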
@@ -2282,23 +2282,8 @@ func (h *Handler) GetAuthStatus(c *gin.Context) { // PopulateAuthContext extracts request info and adds it to the context func PopulateAuthContext(ctx context.Context, c *gin.Context) context.Context { info := &coreauth.RequestInfo{ - Query: make(map[string]string), - Headers: make(map[string]string), + Query: c.Request.URL.Query(), + Headers: c.Request.Header, } - - // Capture all query parameters, joining multiple values with a comma. - for k, v := range c.Request.URL.Query() { - if len(v) > 0 { - info.Query[k] = strings.Join(v, ",") - } - } - - // Capture all headers, joining multiple values with a comma. - for k, v := range c.Request.Header { - if len(v) > 0 { - info.Headers[k] = strings.Join(v, ",") - } - } - return coreauth.WithRequestInfo(ctx, info) } diff --git a/sdk/cliproxy/auth/types.go b/sdk/cliproxy/auth/types.go index 29b4a560..1c98d411 100644 --- a/sdk/cliproxy/auth/types.go +++ b/sdk/cliproxy/auth/types.go @@ -5,6 +5,8 @@ import ( "crypto/sha256" "encoding/hex" "encoding/json" + "net/http" + "net/url" "strconv" "strings" "sync" @@ -21,8 +23,8 @@ type PostAuthHook func(context.Context, *Auth) error // RequestInfo holds information extracted from the HTTP request. // It is injected into the context passed to PostAuthHook. type RequestInfo struct { - Query map[string]string - Headers map[string]string + Query url.Values + Headers http.Header } type requestInfoKey struct{}
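Review bot: `Headers: c.Request.Header` stores the request's own header map in `RequestInfo` rather than a copy, so the post-auth hook and the HTTP handler now share one mutable map. The callers build the context from `context.Background()`, which suggests the hook may run after the handler has returned, though that is not visible in this hunk. `Headers: c.Request.Header.Clone(),` gives the hook its own snapshot. `c.Request.URL.Query()` already returns a freshly parsed map, so `Query` needs no change.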