fix(ui): use fixed-length key masking and fingerprint usage sources

2026-02-19 11:10:49 +08:00 · 2026-01-19 00:41:11 +08:00
parent d79ccc480d
commit d077b5dd26
10 changed files with 283 additions and 62 deletions
--- a/src/utils/format.ts
+++ b/src/utils/format.ts
@@ -7,14 +7,16 @@
 * 隐藏 API Key 中间部分，仅保留前后两位
 */
 export function maskApiKey(key: string): string {
-  if (!key) {
+  const trimmed = String(key || '').trim();
+  if (!trimmed) {
    return '';
  }

-  const visibleChars = 2;
-  const start = key.slice(0, visibleChars);
-  const end = key.slice(-visibleChars);
-  const maskedLength = Math.max(key.length - visibleChars * 2, 1);
+  const MASKED_LENGTH = 10;
+  const visibleChars = trimmed.length < 4 ? 1 : 2;
+  const start = trimmed.slice(0, visibleChars);
+  const end = trimmed.slice(-visibleChars);
+  const maskedLength = Math.max(MASKED_LENGTH - visibleChars * 2, 1);
  const masked = '*'.repeat(maskedLength);

  return `${start}${masked}${end}`;
--- a/src/utils/usage.ts
+++ b/src/utils/usage.ts
@@ -73,6 +73,124 @@ const normalizeAuthIndex = (value: any) => {
  return null;
 };

+const USAGE_SOURCE_PREFIX_KEY = 'k:';
+const USAGE_SOURCE_PREFIX_MASKED = 'm:';
+const USAGE_SOURCE_PREFIX_TEXT = 't:';
+
+const KEY_LIKE_TOKEN_REGEX =
+  /(sk-[A-Za-z0-9-_]{6,}|sk-ant-[A-Za-z0-9-_]{6,}|AIza[0-9A-Za-z-_]{8,}|AI[a-zA-Z0-9_-]{6,}|hf_[A-Za-z0-9]{6,}|pk_[A-Za-z0-9]{6,}|rk_[A-Za-z0-9]{6,})/;
+const MASKED_TOKEN_HINT_REGEX = /^[^\s]{1,24}(\*{2,}|\.{3}|…)[^\s]{1,24}$/;
+
+const keyFingerprintCache = new Map<string, string>();
+
+const fnv1a64Hex = (value: string): string => {
+  const cached = keyFingerprintCache.get(value);
+  if (cached) return cached;
+
+  const FNV_OFFSET_BASIS = 0xcbf29ce484222325n;
+  const FNV_PRIME = 0x100000001b3n;
+
+  let hash = FNV_OFFSET_BASIS;
+  for (let i = 0; i < value.length; i++) {
+    hash ^= BigInt(value.charCodeAt(i));
+    hash = (hash * FNV_PRIME) & 0xffffffffffffffffn;
+  }
+
+  const hex = hash.toString(16).padStart(16, '0');
+  keyFingerprintCache.set(value, hex);
+  return hex;
+};
+
+const looksLikeRawSecret = (text: string): boolean => {
+  if (!text || /\s/.test(text)) return false;
+
+  const lower = text.toLowerCase();
+  if (lower.endsWith('.json')) return false;
+  if (lower.startsWith('http://') || lower.startsWith('https://')) return false;
+  if (/[\\/]/.test(text)) return false;
+
+  if (KEY_LIKE_TOKEN_REGEX.test(text)) return true;
+
+  if (text.length >= 32 && text.length <= 512) {
+    return true;
+  }
+
+  if (text.length >= 16 && text.length < 32 && /^[A-Za-z0-9._=-]+$/.test(text)) {
+    return /[A-Za-z]/.test(text) && /\d/.test(text);
+  }
+
+  return false;
+};
+
+const extractRawSecretFromText = (text: string): string | null => {
+  if (!text) return null;
+  if (looksLikeRawSecret(text)) return text;
+
+  const keyLikeMatch = text.match(KEY_LIKE_TOKEN_REGEX);
+  if (keyLikeMatch?.[0]) return keyLikeMatch[0];
+
+  const queryMatch = text.match(
+    /(?:[?&])(api[-_]?key|key|token|access_token|authorization)=([^&#\s]+)/i
+  );
+  const queryValue = queryMatch?.[2];
+  if (queryValue && looksLikeRawSecret(queryValue)) {
+    return queryValue;
+  }
+
+  const headerMatch = text.match(
+    /(api[-_]?key|key|token|access[-_]?token|authorization)\s*[:=]\s*([A-Za-z0-9._=-]+)/i
+  );
+  const headerValue = headerMatch?.[2];
+  if (headerValue && looksLikeRawSecret(headerValue)) {
+    return headerValue;
+  }
+
+  const bearerMatch = text.match(/\bBearer\s+([A-Za-z0-9._=-]{6,})/i);
+  const bearerValue = bearerMatch?.[1];
+  if (bearerValue && looksLikeRawSecret(bearerValue)) {
+    return bearerValue;
+  }
+
+  return null;
+};
+
+export function normalizeUsageSourceId(
+  value: unknown,
+  masker: (val: string) => string = maskApiKey
+): string {
+  const raw = typeof value === 'string' ? value : value === null || value === undefined ? '' : String(value);
+  const trimmed = raw.trim();
+  if (!trimmed) return '';
+
+  const extracted = extractRawSecretFromText(trimmed);
+  if (extracted) {
+    return `${USAGE_SOURCE_PREFIX_KEY}${fnv1a64Hex(extracted)}`;
+  }
+
+  if (MASKED_TOKEN_HINT_REGEX.test(trimmed)) {
+    return `${USAGE_SOURCE_PREFIX_MASKED}${masker(trimmed)}`;
+  }
+
+  return `${USAGE_SOURCE_PREFIX_TEXT}${trimmed}`;
+}
+
+export function buildCandidateUsageSourceIds(input: { apiKey?: string; prefix?: string }): string[] {
+  const result: string[] = [];
+
+  const prefix = input.prefix?.trim();
+  if (prefix) {
+    result.push(`${USAGE_SOURCE_PREFIX_TEXT}${prefix}`);
+  }
+
+  const apiKey = input.apiKey?.trim();
+  if (apiKey) {
+    result.push(`${USAGE_SOURCE_PREFIX_KEY}${fnv1a64Hex(apiKey)}`);
+    result.push(`${USAGE_SOURCE_PREFIX_MASKED}${maskApiKey(apiKey)}`);
+  }
+
+  return Array.from(new Set(result));
+}
+
 /**
 * 对使用数据中的敏感字段进行遮罩
 */
@@ -200,6 +318,7 @@ export function collectUsageDetails(usageData: any): UsageDetail[] {
        if (detail && detail.timestamp) {
          details.push({
            ...detail,
+            source: normalizeUsageSourceId(detail.source),
            __modelName: modelName
          });
        }
@@ -878,7 +997,7 @@ export function computeKeyStats(usageData: any, masker: (val: string) => string
      const details = modelEntry?.details || [];

      details.forEach((detail: any) => {
-        const source = maskUsageSensitiveValue(detail?.source, masker);
+        const source = normalizeUsageSourceId(detail?.source, masker);
        const authIndexKey = normalizeAuthIndex(detail?.auth_index);
        const isFailed = detail?.failed === true;