Merge branch 'main' into dev

Merge pull request #41 from kaixxx/main
Codex CLI - setting 'store = false' to prevent the request being rejected by OpenAI
2026-02-10 00:10:51 +08:00 · 2025-09-12 13:12:02 +08:00 · 2025-09-12 13:10:22 +08:00 · 2025-09-12 01:16:54 +02:00 · 2025-09-12 01:12:51 +02:00 · 2025-09-12 00:59:49 +02:00
3 changed files with 65 additions and 9 deletions
--- a/README.md
+++ b/README.md
@@ -47,9 +47,16 @@ The first Chinese provider has now been added: [Qwen Code](https://github.com/Qw
   ```

 2. Build the application:
+   
+   Linux, macOS:
   ```bash
   go build -o cli-proxy-api ./cmd/server
   ```
+   Windows: 
+   ```bash
+   go build -o cli-proxy-api.exe ./cmd/server
+   ```
+

 ## Usage

--- a/internal/api/handlers/management/handler.go
+++ b/internal/api/handlers/management/handler.go
@@ -7,22 +7,31 @@ import (
 	"net/http"
 	"strings"
 	"sync"
+	"time"

 	"github.com/gin-gonic/gin"
 	"github.com/luispater/CLIProxyAPI/internal/config"
 	"golang.org/x/crypto/bcrypt"
 )

+type attemptInfo struct {
+	count        int
+	blockedUntil time.Time
+}
+
 // Handler aggregates config reference, persistence path and helpers.
 type Handler struct {
 	cfg            *config.Config
 	configFilePath string
 	mu             sync.Mutex
+
+	attemptsMu     sync.Mutex
+	failedAttempts map[string]*attemptInfo // keyed by client IP
 }

 // NewHandler creates a new management handler instance.
 func NewHandler(cfg *config.Config, configFilePath string) *Handler {
-	return &Handler{cfg: cfg, configFilePath: configFilePath}
+	return &Handler{cfg: cfg, configFilePath: configFilePath, failedAttempts: make(map[string]*attemptInfo)}
 }

 // SetConfig updates the in-memory config reference when the server hot-reloads.
@@ -32,11 +41,32 @@ func (h *Handler) SetConfig(cfg *config.Config) { h.cfg = cfg }
 // All requests (local and remote) require a valid management key.
 // Additionally, remote access requires allow-remote-management=true.
 func (h *Handler) Middleware() gin.HandlerFunc {
+	const maxFailures = 5
+	const banDuration = 30 * time.Minute
+
 	return func(c *gin.Context) {
 		clientIP := c.ClientIP()

-		// Remote access control: when not loopback, must be enabled
+		// For remote IPs, enforce allow-remote-management and ban checks
 		if !(clientIP == "127.0.0.1" || clientIP == "::1") {
+			// Check if IP is currently blocked
+			h.attemptsMu.Lock()
+			ai := h.failedAttempts[clientIP]
+			if ai != nil {
+				if !ai.blockedUntil.IsZero() {
+					if time.Now().Before(ai.blockedUntil) {
+						remaining := time.Until(ai.blockedUntil).Round(time.Second)
+						h.attemptsMu.Unlock()
+						c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": fmt.Sprintf("IP banned due to too many failed attempts. Try again in %s", remaining)})
+						return
+					}
+					// Ban expired, reset state
+					ai.blockedUntil = time.Time{}
+					ai.count = 0
+				}
+			}
+			h.attemptsMu.Unlock()
+
 			allowRemote := h.cfg.RemoteManagement.AllowRemote
 			if !allowRemote {
 				allowRemote = true
@@ -67,15 +97,41 @@ func (h *Handler) Middleware() gin.HandlerFunc {
 		}

 		if !(clientIP == "127.0.0.1" || clientIP == "::1") {
+			// For remote IPs, enforce key and track failures
+			fail := func() {
+				h.attemptsMu.Lock()
+				ai := h.failedAttempts[clientIP]
+				if ai == nil {
+					ai = &attemptInfo{}
+					h.failedAttempts[clientIP] = ai
+				}
+				ai.count++
+				if ai.count >= maxFailures {
+					ai.blockedUntil = time.Now().Add(banDuration)
+					ai.count = 0
+				}
+				h.attemptsMu.Unlock()
+			}
+
 			if provided == "" {
+				fail()
 				c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "missing management key"})
 				return
 			}

 			if err := bcrypt.CompareHashAndPassword([]byte(secret), []byte(provided)); err != nil {
+				fail()
 				c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "invalid management key"})
 				return
 			}
+
+			// Success: reset failed count for this IP
+			h.attemptsMu.Lock()
+			if ai := h.failedAttempts[clientIP]; ai != nil {
+				ai.count = 0
+				ai.blockedUntil = time.Time{}
+			}
+			h.attemptsMu.Unlock()
 		}

 		c.Next()
--- a/internal/translator/codex/openai/chat-completions/codex_openai_request.go
+++ b/internal/translator/codex/openai/chat-completions/codex_openai_request.go
@@ -259,9 +259,6 @@ func ConvertOpenAIRequestToCodex(modelName string, inputRawJSON []byte, stream b
 				out, _ = sjson.Set(out, "text.verbosity", v.Value())
 			}
 		}
-
-		// The examples include store: true when response_format is provided
-		store = true
 	} else if text.Exists() {
 		// If only text.verbosity present (no response_format), map verbosity
 		if v := text.Get("verbosity"); v.Exists() {
@@ -306,10 +303,6 @@ func ConvertOpenAIRequestToCodex(modelName string, inputRawJSON []byte, stream b
 				out, _ = sjson.SetRaw(out, "tools.-1", item)
 			}
 		}
-		// The examples include store: true when tools and formatting are used; be conservative
-		if rf.Exists() {
-			store = true
-		}
 	}

 	out, _ = sjson.Set(out, "store", store)
Author	SHA1	Message	Date
Luis Pater	e0d13148ef	Merge branch 'main' into dev	2025-09-12 13:12:02 +08:00
Luis Pater	bd68472d3c	Merge pull request #41 from kaixxx/main Codex CLI - setting 'store = false' to prevent the request being rejected by OpenAI	2025-09-12 13:10:22 +08:00
kaixxx	b3c534bae5	Build instructions reformatting	2025-09-12 01:16:54 +02:00
kaixxx	b7d6ae1b48	Windows build instructions	2025-09-12 01:12:51 +02:00
kaixxx	aacfcae382	Codex CLI - setting 'store = false' store = true leads to: BadRequestError("Error code: 400 - {'detail': 'Store must be set to false'}")	2025-09-12 00:59:49 +02:00
Luis Pater	1c92034191	Implement IP-based rate limiting and ban mechanism for management API - Introduced a new `attemptInfo` structure to track failed login attempts per IP. - Added logic to temporarily ban IPs exceeding the allowed number of failures. - Enhanced middleware to reset failed attempt counters on successful authentication. - Updated `Handler` to include a `failedAttempts` map with thread-safe access.	2025-09-12 03:00:37 +08:00