refactor(config, auth): remove allow-localhost-unauthenticated support and related handlers

- Eliminated `allow-localhost-unauthenticated` configuration field and its usage. - Removed associated management API handlers and middleware logic. - Simplified authentication middleware by deprecating localhost-specific checks.
2026-02-02 04:20:50 +08:00 · 2025-09-25 09:00:38 +08:00
parent ac93641946
commit 688547b063
4 changed files with 3 additions and 32 deletions
--- a/internal/api/handlers/management/config_basic.go
+++ b/internal/api/handlers/management/config_basic.go
@@ -26,14 +26,6 @@ func (h *Handler) PutRequestRetry(c *gin.Context) {
 	h.updateIntField(c, func(v int) { h.cfg.RequestRetry = v })
 }

-// Allow localhost unauthenticated
-func (h *Handler) GetAllowLocalhost(c *gin.Context) {
-	c.JSON(200, gin.H{"allow-localhost-unauthenticated": h.cfg.AllowLocalhostUnauthenticated})
-}
-func (h *Handler) PutAllowLocalhost(c *gin.Context) {
-	h.updateBoolField(c, func(v bool) { h.cfg.AllowLocalhostUnauthenticated = v })
-}
-
 // Proxy URL
 func (h *Handler) GetProxyURL(c *gin.Context) { c.JSON(200, gin.H{"proxy-url": h.cfg.ProxyURL}) }
 func (h *Handler) PutProxyURL(c *gin.Context) {
--- a/internal/api/server.go
+++ b/internal/api/server.go
@@ -188,11 +188,9 @@ func (s *Server) setupRoutes() {
 	claudeCodeHandlers := claude.NewClaudeCodeAPIHandler(s.handlers)
 	openaiResponsesHandlers := openai.NewOpenAIResponsesAPIHandler(s.handlers)

-	cfgSupplier := func() *config.Config { return s.cfg }
-
 	// OpenAI compatible API routes
 	v1 := s.engine.Group("/v1")
-	v1.Use(AuthMiddleware(cfgSupplier, s.accessManager))
+	v1.Use(AuthMiddleware(s.accessManager))
 	{
 		v1.GET("/models", s.unifiedModelsHandler(openaiHandlers, claudeCodeHandlers))
 		v1.POST("/chat/completions", openaiHandlers.ChatCompletions)
@@ -204,7 +202,7 @@ func (s *Server) setupRoutes() {

 	// Gemini compatible API routes
 	v1beta := s.engine.Group("/v1beta")
-	v1beta.Use(AuthMiddleware(cfgSupplier, s.accessManager))
+	v1beta.Use(AuthMiddleware(s.accessManager))
 	{
 		v1beta.GET("/models", geminiHandlers.GeminiModels)
 		v1beta.POST("/models/:action", geminiHandlers.GeminiHandler)
@@ -309,10 +307,6 @@ func (s *Server) setupRoutes() {
 			mgmt.PUT("/request-retry", s.mgmt.PutRequestRetry)
 			mgmt.PATCH("/request-retry", s.mgmt.PutRequestRetry)

-			mgmt.GET("/allow-localhost-unauthenticated", s.mgmt.GetAllowLocalhost)
-			mgmt.PUT("/allow-localhost-unauthenticated", s.mgmt.PutAllowLocalhost)
-			mgmt.PATCH("/allow-localhost-unauthenticated", s.mgmt.PutAllowLocalhost)
-
 			mgmt.GET("/claude-api-key", s.mgmt.GetClaudeKeys)
 			mgmt.PUT("/claude-api-key", s.mgmt.PutClaudeKeys)
 			mgmt.PATCH("/claude-api-key", s.mgmt.PatchClaudeKey)
@@ -487,17 +481,8 @@ func (s *Server) UpdateClients(cfg *config.Config) {
 // AuthMiddleware returns a Gin middleware handler that authenticates requests
 // using the configured authentication providers. When no providers are available,
 // it allows all requests (legacy behaviour).
-func AuthMiddleware(cfgFn func() *config.Config, manager *sdkaccess.Manager) gin.HandlerFunc {
+func AuthMiddleware(manager *sdkaccess.Manager) gin.HandlerFunc {
 	return func(c *gin.Context) {
-		cfg := cfgFn()
-		if cfg != nil && cfg.AllowLocalhostUnauthenticated {
-			ip := c.ClientIP()
-			if ip == "127.0.0.1" || ip == "::1" || strings.HasPrefix(c.Request.RemoteAddr, "127.0.0.1:") || strings.HasPrefix(c.Request.RemoteAddr, "[::1]:") {
-				c.Next()
-				return
-			}
-		}
-
 		if manager == nil {
 			c.Next()
 			return
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -53,9 +53,6 @@ type Config struct {
 	// OpenAICompatibility defines OpenAI API compatibility configurations for external providers.
 	OpenAICompatibility []OpenAICompatibility `yaml:"openai-compatibility" json:"openai-compatibility"`

-	// AllowLocalhostUnauthenticated allows unauthenticated requests from localhost.
-	AllowLocalhostUnauthenticated bool `yaml:"allow-localhost-unauthenticated" json:"allow-localhost-unauthenticated"`
-
 	// RemoteManagement nests management-related options under 'remote-management'.
 	RemoteManagement RemoteManagement `yaml:"remote-management" json:"-"`

--- a/internal/watcher/watcher.go
+++ b/internal/watcher/watcher.go
@@ -474,9 +474,6 @@ func (w *Watcher) reloadConfig() bool {
 		if len(oldConfig.CodexKey) != len(newConfig.CodexKey) {
 			log.Debugf("  codex-api-key count: %d -> %d", len(oldConfig.CodexKey), len(newConfig.CodexKey))
 		}
-		if oldConfig.AllowLocalhostUnauthenticated != newConfig.AllowLocalhostUnauthenticated {
-			log.Debugf("  allow-localhost-unauthenticated: %t -> %t", oldConfig.AllowLocalhostUnauthenticated, newConfig.AllowLocalhostUnauthenticated)
-		}
 		if oldConfig.RemoteManagement.AllowRemote != newConfig.RemoteManagement.AllowRemote {
 			log.Debugf("  remote-management.allow-remote: %t -> %t", oldConfig.RemoteManagement.AllowRemote, newConfig.RemoteManagement.AllowRemote)
 		}