mirror of
https://github.com/router-for-me/CLIProxyAPI.git
synced 2026-02-18 04:10:51 +08:00
refactor(auth): replace FileStore with FileTokenStore for unified token persistence
- Removed `FileStore` in favor of the new `FileTokenStore`. - Centralized auth JSON handling and token operations through `FileTokenStore`. - Updated all components to utilize `FileTokenStore` for consistent storage operations. - Introduced `SetBaseDir` and directory locking mechanisms for flexible configurations. - Enhanced metadata management, including path resolution and deep JSON comparisons.
This commit is contained in:
Luis Pater
@@ -1,256 +0,0 @@
|
||||
package auth
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io/fs"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
)
|
||||
|
||||
// FileStore implements Store backed by JSON files in a directory.
|
||||
type FileStore struct {
|
||||
dir string
|
||||
mu sync.Mutex
|
||||
}
|
||||
|
||||
// NewFileStore builds a file-backed store rooted at dir.
|
||||
func NewFileStore(dir string) *FileStore {
|
||||
return &FileStore{dir: dir}
|
||||
}
|
||||
|
||||
// List enumerates all auth JSON files under the store directory.
|
||||
func (s *FileStore) List(ctx context.Context) ([]*Auth, error) {
|
||||
if s.dir == "" {
|
||||
return nil, fmt.Errorf("auth filestore: directory not configured")
|
||||
}
|
||||
entries := make([]*Auth, 0)
|
||||
err := filepath.WalkDir(s.dir, func(path string, d fs.DirEntry, err error) error {
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if d.IsDir() {
|
||||
return nil
|
||||
}
|
||||
if !strings.HasSuffix(strings.ToLower(d.Name()), ".json") {
|
||||
return nil
|
||||
}
|
||||
auth, err := s.readFile(path)
|
||||
if err != nil {
|
||||
// Record error but keep scanning to surface remaining auths.
|
||||
return nil
|
||||
}
|
||||
if auth != nil {
|
||||
entries = append(entries, auth)
|
||||
}
|
||||
return nil
|
||||
})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return entries, nil
|
||||
}
|
||||
|
||||
// Save writes the auth metadata back to its source file location.
|
||||
func (s *FileStore) Save(ctx context.Context, auth *Auth) error {
|
||||
if auth == nil {
|
||||
return fmt.Errorf("auth filestore: auth is nil")
|
||||
}
|
||||
path := s.resolvePath(auth)
|
||||
if path == "" {
|
||||
return fmt.Errorf("auth filestore: missing file path attribute for %s", auth.ID)
|
||||
}
|
||||
// If the auth has been disabled and the original file was removed, avoid
|
||||
// recreating it on disk. This lets operators delete auth files explicitly.
|
||||
if auth.Disabled {
|
||||
if _, err := os.Stat(path); err != nil {
|
||||
if os.IsNotExist(err) {
|
||||
return nil
|
||||
}
|
||||
}
|
||||
}
|
||||
s.mu.Lock()
|
||||
defer s.mu.Unlock()
|
||||
if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
|
||||
return fmt.Errorf("auth filestore: create dir failed: %w", err)
|
||||
}
|
||||
raw, err := json.Marshal(auth.Metadata)
|
||||
if err != nil {
|
||||
return fmt.Errorf("auth filestore: marshal metadata failed: %w", err)
|
||||
}
|
||||
if existing, errReadFile := os.ReadFile(path); errReadFile == nil {
|
||||
if jsonEqual(existing, raw) {
|
||||
return nil
|
||||
}
|
||||
}
|
||||
tmp := path + ".tmp"
|
||||
if err = os.WriteFile(tmp, raw, 0o600); err != nil {
|
||||
return fmt.Errorf("auth filestore: write temp failed: %w", err)
|
||||
}
|
||||
if err = os.Rename(tmp, path); err != nil {
|
||||
return fmt.Errorf("auth filestore: rename failed: %w", err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func jsonEqual(a, b []byte) bool {
|
||||
var objA any
|
||||
var objB any
|
||||
if err := json.Unmarshal(a, &objA); err != nil {
|
||||
return false
|
||||
}
|
||||
if err := json.Unmarshal(b, &objB); err != nil {
|
||||
return false
|
||||
}
|
||||
return deepEqualJSON(objA, objB)
|
||||
}
|
||||
|
||||
func deepEqualJSON(a, b any) bool {
|
||||
switch valA := a.(type) {
|
||||
case map[string]any:
|
||||
valB, ok := b.(map[string]any)
|
||||
if !ok || len(valA) != len(valB) {
|
||||
return false
|
||||
}
|
||||
for key, subA := range valA {
|
||||
subB, ok1 := valB[key]
|
||||
if !ok1 || !deepEqualJSON(subA, subB) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
return true
|
||||
case []any:
|
||||
sliceB, ok := b.([]any)
|
||||
if !ok || len(valA) != len(sliceB) {
|
||||
return false
|
||||
}
|
||||
for i := range valA {
|
||||
if !deepEqualJSON(valA[i], sliceB[i]) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
return true
|
||||
case float64:
|
||||
valB, ok := b.(float64)
|
||||
if !ok {
|
||||
return false
|
||||
}
|
||||
return valA == valB
|
||||
case string:
|
||||
valB, ok := b.(string)
|
||||
if !ok {
|
||||
return false
|
||||
}
|
||||
return valA == valB
|
||||
case bool:
|
||||
valB, ok := b.(bool)
|
||||
if !ok {
|
||||
return false
|
||||
}
|
||||
return valA == valB
|
||||
case nil:
|
||||
return b == nil
|
||||
default:
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
// Delete removes the auth file.
|
||||
func (s *FileStore) Delete(ctx context.Context, id string) error {
|
||||
if id == "" {
|
||||
return fmt.Errorf("auth filestore: id is empty")
|
||||
}
|
||||
path := filepath.Join(s.dir, id)
|
||||
if strings.ContainsRune(id, os.PathSeparator) {
|
||||
path = id
|
||||
}
|
||||
if err := os.Remove(path); err != nil && !os.IsNotExist(err) {
|
||||
return fmt.Errorf("auth filestore: delete failed: %w", err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (s *FileStore) readFile(path string) (*Auth, error) {
|
||||
data, err := os.ReadFile(path)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("read file: %w", err)
|
||||
}
|
||||
if len(data) == 0 {
|
||||
return nil, nil
|
||||
}
|
||||
metadata := make(map[string]any)
|
||||
if err = json.Unmarshal(data, &metadata); err != nil {
|
||||
return nil, fmt.Errorf("unmarshal auth json: %w", err)
|
||||
}
|
||||
provider, _ := metadata["type"].(string)
|
||||
if provider == "" {
|
||||
provider = "unknown"
|
||||
}
|
||||
info, err := os.Stat(path)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("stat file: %w", err)
|
||||
}
|
||||
id := s.idFor(path)
|
||||
auth := &Auth{
|
||||
ID: id,
|
||||
Provider: provider,
|
||||
Label: s.labelFor(metadata),
|
||||
Status: StatusActive,
|
||||
Attributes: map[string]string{"path": path},
|
||||
Metadata: metadata,
|
||||
CreatedAt: info.ModTime(),
|
||||
UpdatedAt: info.ModTime(),
|
||||
LastRefreshedAt: time.Time{},
|
||||
NextRefreshAfter: time.Time{},
|
||||
}
|
||||
if email, ok := metadata["email"].(string); ok && email != "" {
|
||||
auth.Attributes["email"] = email
|
||||
}
|
||||
return auth, nil
|
||||
}
|
||||
|
||||
func (s *FileStore) idFor(path string) string {
|
||||
rel, err := filepath.Rel(s.dir, path)
|
||||
if err != nil {
|
||||
return path
|
||||
}
|
||||
return rel
|
||||
}
|
||||
|
||||
func (s *FileStore) resolvePath(auth *Auth) string {
|
||||
if auth == nil {
|
||||
return ""
|
||||
}
|
||||
if auth.Attributes != nil {
|
||||
if p := auth.Attributes["path"]; p != "" {
|
||||
return p
|
||||
}
|
||||
}
|
||||
if filepath.IsAbs(auth.ID) {
|
||||
return auth.ID
|
||||
}
|
||||
if auth.ID == "" {
|
||||
return ""
|
||||
}
|
||||
return filepath.Join(s.dir, auth.ID)
|
||||
}
|
||||
|
||||
func (s *FileStore) labelFor(metadata map[string]any) string {
|
||||
if metadata == nil {
|
||||
return ""
|
||||
}
|
||||
if v, ok := metadata["label"].(string); ok && v != "" {
|
||||
return v
|
||||
}
|
||||
if v, ok := metadata["email"].(string); ok && v != "" {
|
||||
return v
|
||||
}
|
||||
if project, ok := metadata["project_id"].(string); ok && project != "" {
|
||||
return project
|
||||
}
|
||||
return ""
|
||||
}
|
||||
@@ -817,7 +817,7 @@ func (m *Manager) persist(ctx context.Context, auth *Auth) error {
|
||||
if auth.Metadata == nil {
|
||||
return nil
|
||||
}
|
||||
return m.store.Save(ctx, auth)
|
||||
return m.store.SaveAuth(ctx, auth)
|
||||
}
|
||||
|
||||
// StartAutoRefresh launches a background loop that evaluates auth freshness
|
||||
|
||||
@@ -6,8 +6,8 @@ import "context"
|
||||
type Store interface {
|
||||
// List returns all auth records stored in the backend.
|
||||
List(ctx context.Context) ([]*Auth, error)
|
||||
// Save persists the provided auth record, replacing any existing one with same ID.
|
||||
Save(ctx context.Context, auth *Auth) error
|
||||
// SaveAuth persists the provided auth record, replacing any existing one with same ID.
|
||||
SaveAuth(ctx context.Context, auth *Auth) error
|
||||
// Delete removes the auth record identified by id.
|
||||
Delete(ctx context.Context, id string) error
|
||||
}
|
||||
|
||||
@@ -4,9 +4,8 @@ import (
|
||||
"encoding/json"
|
||||
"strconv"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
clipauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/auth"
|
||||
)
|
||||
|
||||
// Auth encapsulates the runtime state and metadata associated with a single credential.
|
||||
@@ -172,13 +171,19 @@ func (a *Auth) ExpirationTime() (time.Time, bool) {
|
||||
return time.Time{}, false
|
||||
}
|
||||
|
||||
var defaultAuthenticatorFactories = map[string]func() clipauth.Authenticator{
|
||||
"codex": func() clipauth.Authenticator { return clipauth.NewCodexAuthenticator() },
|
||||
"claude": func() clipauth.Authenticator { return clipauth.NewClaudeAuthenticator() },
|
||||
"qwen": func() clipauth.Authenticator { return clipauth.NewQwenAuthenticator() },
|
||||
"gemini": func() clipauth.Authenticator { return clipauth.NewGeminiAuthenticator() },
|
||||
"gemini-cli": func() clipauth.Authenticator { return clipauth.NewGeminiAuthenticator() },
|
||||
"gemini-web": func() clipauth.Authenticator { return clipauth.NewGeminiWebAuthenticator() },
|
||||
var (
|
||||
refreshLeadMu sync.RWMutex
|
||||
refreshLeadFactories = make(map[string]func() *time.Duration)
|
||||
)
|
||||
|
||||
func RegisterRefreshLeadProvider(provider string, factory func() *time.Duration) {
|
||||
provider = strings.ToLower(strings.TrimSpace(provider))
|
||||
if provider == "" || factory == nil {
|
||||
return
|
||||
}
|
||||
refreshLeadMu.Lock()
|
||||
refreshLeadFactories[provider] = factory
|
||||
refreshLeadMu.Unlock()
|
||||
}
|
||||
|
||||
var expireKeys = [...]string{"expired", "expire", "expires_at", "expiresAt", "expiry", "expires"}
|
||||
@@ -216,7 +221,7 @@ func expirationFromMap(meta map[string]any) (time.Time, bool) {
|
||||
}
|
||||
|
||||
func ProviderRefreshLead(provider string, runtime any) *time.Duration {
|
||||
provider = strings.ToLower(provider)
|
||||
provider = strings.ToLower(strings.TrimSpace(provider))
|
||||
if runtime != nil {
|
||||
if eval, ok := runtime.(interface{ RefreshLead() *time.Duration }); ok {
|
||||
if lead := eval.RefreshLead(); lead != nil && *lead > 0 {
|
||||
@@ -224,12 +229,14 @@ func ProviderRefreshLead(provider string, runtime any) *time.Duration {
|
||||
}
|
||||
}
|
||||
}
|
||||
if factory, ok := defaultAuthenticatorFactories[provider]; ok {
|
||||
if auth := factory(); auth != nil {
|
||||
if lead := auth.RefreshLead(); lead != nil && *lead > 0 {
|
||||
return lead
|
||||
}
|
||||
}
|
||||
refreshLeadMu.RLock()
|
||||
factory := refreshLeadFactories[provider]
|
||||
refreshLeadMu.RUnlock()
|
||||
if factory == nil {
|
||||
return nil
|
||||
}
|
||||
if lead := factory(); lead != nil && *lead > 0 {
|
||||
return lead
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -183,7 +183,15 @@ func (b *Builder) Build() (*Service, error) {
|
||||
|
||||
coreManager := b.coreManager
|
||||
if coreManager == nil {
|
||||
coreManager = coreauth.NewManager(coreauth.NewFileStore(b.cfg.AuthDir), nil, nil)
|
||||
tokenStore := sdkAuth.GetTokenStore()
|
||||
if dirSetter, ok := tokenStore.(interface{ SetBaseDir(string) }); ok && b.cfg != nil {
|
||||
dirSetter.SetBaseDir(b.cfg.AuthDir)
|
||||
}
|
||||
store, ok := tokenStore.(coreauth.Store)
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("cliproxy: token store does not implement coreauth.Store")
|
||||
}
|
||||
coreManager = coreauth.NewManager(store, nil, nil)
|
||||
}
|
||||
// Attach a default RoundTripper provider so providers can opt-in per-auth transports.
|
||||
coreManager.SetRoundTripperProvider(newDefaultRoundTripperProvider())
|
||||
|
||||
Reference in New Issue
Block a user