refactor(config, auth): remove allow-localhost-unauthenticated support and related handlers

- Eliminated `allow-localhost-unauthenticated` configuration field and its usage. - Removed associated management API handlers and middleware logic. - Simplified authentication middleware by deprecating localhost-specific checks.
2026-02-18 04:10:51 +08:00 · 2025-09-25 09:00:38 +08:00
parent ac93641946
commit 688547b063
4 changed files with 3 additions and 32 deletions
--- a/internal/api/handlers/management/config_basic.go
+++ b/internal/api/handlers/management/config_basic.go
@@ -26,14 +26,6 @@ func (h *Handler) PutRequestRetry(c *gin.Context) {
 	h.updateIntField(c, func(v int) { h.cfg.RequestRetry = v })
 }

-// Allow localhost unauthenticated
-func (h *Handler) GetAllowLocalhost(c *gin.Context) {
-	c.JSON(200, gin.H{"allow-localhost-unauthenticated": h.cfg.AllowLocalhostUnauthenticated})
-}
-func (h *Handler) PutAllowLocalhost(c *gin.Context) {
-	h.updateBoolField(c, func(v bool) { h.cfg.AllowLocalhostUnauthenticated = v })
-}
-
 // Proxy URL
 func (h *Handler) GetProxyURL(c *gin.Context) { c.JSON(200, gin.H{"proxy-url": h.cfg.ProxyURL}) }
 func (h *Handler) PutProxyURL(c *gin.Context) {
--- a/internal/api/server.go
+++ b/internal/api/server.go
@@ -188,11 +188,9 @@ func (s *Server) setupRoutes() {
 	claudeCodeHandlers := claude.NewClaudeCodeAPIHandler(s.handlers)
 	openaiResponsesHandlers := openai.NewOpenAIResponsesAPIHandler(s.handlers)

-	cfgSupplier := func() *config.Config { return s.cfg }
-
 	// OpenAI compatible API routes
 	v1 := s.engine.Group("/v1")
-	v1.Use(AuthMiddleware(cfgSupplier, s.accessManager))
+	v1.Use(AuthMiddleware(s.accessManager))
 	{
 		v1.GET("/models", s.unifiedModelsHandler(openaiHandlers, claudeCodeHandlers))
 		v1.POST("/chat/completions", openaiHandlers.ChatCompletions)
@@ -204,7 +202,7 @@ func (s *Server) setupRoutes() {

 	// Gemini compatible API routes
 	v1beta := s.engine.Group("/v1beta")
-	v1beta.Use(AuthMiddleware(cfgSupplier, s.accessManager))
+	v1beta.Use(AuthMiddleware(s.accessManager))
 	{
 		v1beta.GET("/models", geminiHandlers.GeminiModels)
 		v1beta.POST("/models/:action", geminiHandlers.GeminiHandler)
@@ -309,10 +307,6 @@ func (s *Server) setupRoutes() {
 			mgmt.PUT("/request-retry", s.mgmt.PutRequestRetry)
 			mgmt.PATCH("/request-retry", s.mgmt.PutRequestRetry)

-			mgmt.GET("/allow-localhost-unauthenticated", s.mgmt.GetAllowLocalhost)
-			mgmt.PUT("/allow-localhost-unauthenticated", s.mgmt.PutAllowLocalhost)
-			mgmt.PATCH("/allow-localhost-unauthenticated", s.mgmt.PutAllowLocalhost)
-
 			mgmt.GET("/claude-api-key", s.mgmt.GetClaudeKeys)
 			mgmt.PUT("/claude-api-key", s.mgmt.PutClaudeKeys)
 			mgmt.PATCH("/claude-api-key", s.mgmt.PatchClaudeKey)
@@ -487,17 +481,8 @@ func (s *Server) UpdateClients(cfg *config.Config) {
 // AuthMiddleware returns a Gin middleware handler that authenticates requests
 // using the configured authentication providers. When no providers are available,
 // it allows all requests (legacy behaviour).
-func AuthMiddleware(cfgFn func() *config.Config, manager *sdkaccess.Manager) gin.HandlerFunc {
+func AuthMiddleware(manager *sdkaccess.Manager) gin.HandlerFunc {
 	return func(c *gin.Context) {
-		cfg := cfgFn()
-		if cfg != nil && cfg.AllowLocalhostUnauthenticated {
-			ip := c.ClientIP()
-			if ip == "127.0.0.1" || ip == "::1" || strings.HasPrefix(c.Request.RemoteAddr, "127.0.0.1:") || strings.HasPrefix(c.Request.RemoteAddr, "[::1]:") {
-				c.Next()
-				return
-			}
-		}
-
 		if manager == nil {
 			c.Next()
 			return