npm - @chenpu17/cc-gw - Versions diffs - 0.3.7 → 0.3.8 - Mend

@chenpu17/cc-gw 0.3.7 → 0.3.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (30) hide show

package/src/server/dist/index.js CHANGED Viewed

@@ -75,6 +75,33 @@ function sanitizeModelRoutes(input) {
   }
   return sanitized;
 }
+function sanitizeWebAuth(input) {
+  if (!input || typeof input !== "object") {
+    return {
+      enabled: false
+    };
+  }
+  const source = input;
+  const config = {
+    enabled: Boolean(source.enabled)
+  };
+  const usernameRaw = source.username;
+  if (typeof usernameRaw === "string") {
+    const trimmed = usernameRaw.trim();
+    if (trimmed) {
+      config.username = trimmed;
+    }
+  }
+  const hashRaw = source.passwordHash;
+  if (typeof hashRaw === "string" && hashRaw.trim().length > 0) {
+    config.passwordHash = hashRaw.trim();
+  }
+  const saltRaw = source.passwordSalt;
+  if (typeof saltRaw === "string" && saltRaw.trim().length > 0) {
+    config.passwordSalt = saltRaw.trim();
+  }
+  return config;
+}
 function resolveEndpointRouting(source, fallback) {
   const defaultsRaw = typeof source === "object" && source !== null ? source.defaults : void 0;
   const routesRaw = typeof source === "object" && source !== null ? source.modelRoutes : void 0;
@@ -125,6 +152,9 @@ function parseConfig(raw) {
   if (typeof data.responseLogging !== "boolean") {
     data.responseLogging = data.requestLogging !== false;
   }
+  if (typeof data.bodyLimit !== "number" || !Number.isFinite(data.bodyLimit) || data.bodyLimit <= 0) {
+    data.bodyLimit = 10 * 1024 * 1024;
+  }
   const endpointRouting = {};
   const sourceRouting = data.endpointRouting && typeof data.endpointRouting === "object" ? data.endpointRouting : {};
   const fallbackAnthropic = {
@@ -187,6 +217,10 @@ function parseConfig(raw) {
     }
   }
   data.routingPresets = routingPresets;
+  const webAuth = sanitizeWebAuth(data.webAuth);
+  if (webAuth) {
+    data.webAuth = webAuth;
+  }
   return data;
 }
 function loadConfig() {
@@ -571,86 +605,6 @@ function buildProviderBody(payload, options = {}) {
   }
   return body;
 }
-function buildAnthropicContentFromText(text) {
-  if (!text || text.length === 0) {
-    return [];
-  }
-  return [
-    {
-      type: "text",
-      text
-    }
-  ];
-}
-function buildAnthropicBody(payload, options = {}) {
-  const messages = [];
-  for (const message of payload.messages) {
-    const blocks = [];
-    if (message.text) {
-      blocks.push(...buildAnthropicContentFromText(message.text));
-    }
-    if (message.role === "user" && message.toolResults?.length) {
-      for (const result of message.toolResults) {
-        const content = typeof result.content === "string" ? [{ type: "text", text: result.content }] : [{ type: "text", text: JSON.stringify(result.content ?? "") }];
-        blocks.push({
-          type: "tool_result",
-          tool_use_id: result.id,
-          content,
-          cache_control: result.cacheControl
-        });
-      }
-    }
-    if (message.role === "assistant" && message.toolCalls?.length) {
-      for (const call of message.toolCalls) {
-        blocks.push({
-          type: "tool_use",
-          id: call.id,
-          name: call.name,
-          input: call.arguments ?? {},
-          cache_control: call.cacheControl
-        });
-      }
-    }
-    if (message.role === "assistant" || message.role === "user") {
-      if (blocks.length === 0) {
-        blocks.push({ type: "text", text: "" });
-      }
-      messages.push({
-        role: message.role,
-        content: blocks
-      });
-    }
-  }
-  const body = {
-    system: payload.system ?? void 0,
-    messages
-  };
-  if (options.maxTokens) {
-    body.max_tokens = options.maxTokens;
-  }
-  if (typeof options.temperature === "number") {
-    body.temperature = options.temperature;
-  }
-  if (payload.original && typeof payload.original === "object") {
-    const original = payload.original;
-    if (original.metadata && typeof original.metadata === "object") {
-      body.metadata = original.metadata;
-    }
-  }
-  const tools = options.overrideTools ?? payload.tools;
-  if (tools && tools.length > 0) {
-    body.tools = tools.map((tool) => ({
-      type: "tool",
-      name: tool.name,
-      description: tool.description,
-      input_schema: tool.input_schema ?? tool.parameters ?? {}
-    }));
-  }
-  if (options.toolChoice) {
-    body.tool_choice = options.toolChoice;
-  }
-  return body;
-}
 // providers/openai.ts
 import { fetch } from "undici";
@@ -2216,21 +2170,39 @@ async function registerMessagesRoute(app) {
             if (trimmed.startsWith("event:")) {
               currentEvent = trimmed.slice(6).trim();
             } else if (trimmed.startsWith("data:")) {
-              if (currentEvent === "message_delta" || currentEvent === "message_stop") {
+              if (currentEvent === "message_delta" || currentEvent === "message_stop" || currentEvent === "content_block_delta") {
                 try {
-                  const data = JSON.parse(trimmed.slice(5).trim());
-                  if (data?.usage) {
-                    usagePrompt2 = data.usage.input_tokens ?? usagePrompt2;
-                    usageCompletion2 = data.usage.output_tokens ?? usageCompletion2;
-                    const maybeCached = resolveCachedTokens(data.usage);
+                  const payload2 = JSON.parse(trimmed.slice(5).trim());
+                  if (payload2?.usage) {
+                    usagePrompt2 = payload2.usage.input_tokens ?? usagePrompt2;
+                    usageCompletion2 = payload2.usage.output_tokens ?? usageCompletion2;
+                    const maybeCached = resolveCachedTokens(payload2.usage);
                     if (maybeCached !== null) {
                       usageCached2 = maybeCached;
                     }
-                    lastUsagePayload = data.usage;
+                    lastUsagePayload = payload2.usage;
                   }
-                  const deltaText = data?.delta?.text;
-                  if (typeof deltaText === "string") {
-                    if (!firstTokenAt2 && deltaText.length > 0) {
+                  let deltaText = null;
+                  if (currentEvent === "content_block_delta") {
+                    const delta = payload2?.delta;
+                    if (delta && typeof delta === "object") {
+                      const maybeText = delta.text;
+                      if (typeof maybeText === "string") {
+                        deltaText = maybeText;
+                      } else if (Array.isArray(maybeText)) {
+                        deltaText = maybeText.filter((item) => typeof item === "string").join("");
+                      }
+                    }
+                  } else {
+                    const maybeText = payload2?.delta?.text;
+                    if (typeof maybeText === "string") {
+                      deltaText = maybeText;
+                    } else if (Array.isArray(maybeText)) {
+                      deltaText = maybeText.filter((item) => typeof item === "string").join("");
+                    }
+                  }
+                  if (deltaText && deltaText.length > 0) {
+                    if (!firstTokenAt2) {
                       firstTokenAt2 = Date.now();
                     }
                     accumulatedContent2 += deltaText;
@@ -3452,6 +3424,126 @@ async function getApiKeyUsageMetrics(days = 7, limit = 10, endpoint) {
   }));
 }
+// security/webAuth.ts
+import { randomBytes as randomBytes3, scryptSync, timingSafeEqual } from "crypto";
+var SESSION_COOKIE_NAME = "ccgw_session";
+var SESSION_TTL_MS = 1e3 * 60 * 60 * 12;
+var sessions = /* @__PURE__ */ new Map();
+function derive(password, salt) {
+  return scryptSync(password, salt, 64);
+}
+function createPasswordRecord(password) {
+  const salt = randomBytes3(16).toString("hex");
+  const hash = derive(password, salt).toString("base64");
+  return {
+    passwordHash: hash,
+    passwordSalt: salt
+  };
+}
+function verifyPassword(password, record) {
+  if (!record?.passwordHash || !record?.passwordSalt)
+    return false;
+  try {
+    const expected = Buffer.from(record.passwordHash, "base64");
+    const actual = derive(password, record.passwordSalt);
+    if (expected.length !== actual.length)
+      return false;
+    return timingSafeEqual(expected, actual);
+  } catch {
+    return false;
+  }
+}
+function purgeExpiredSessions() {
+  const now = Date.now();
+  for (const [token, session] of sessions.entries()) {
+    if (session.expiresAt <= now) {
+      sessions.delete(token);
+    }
+  }
+}
+function buildCookieString(token, ttlMs) {
+  const expires = new Date(Date.now() + ttlMs);
+  const parts = [
+    `${SESSION_COOKIE_NAME}=${token}`,
+    "Path=/",
+    "HttpOnly",
+    "SameSite=Strict",
+    `Max-Age=${Math.floor(ttlMs / 1e3)}`,
+    `Expires=${expires.toUTCString()}`
+  ];
+  return parts.join("; ");
+}
+function parseCookie(header) {
+  if (!header)
+    return {};
+  const entries = header.split(";").map((part) => part.trim());
+  const result = {};
+  for (const entry of entries) {
+    const [key, ...rest] = entry.split("=");
+    if (!key)
+      continue;
+    result[key] = rest.join("=");
+  }
+  return result;
+}
+function getSessionByToken(token) {
+  if (!token)
+    return null;
+  purgeExpiredSessions();
+  const session = sessions.get(token);
+  if (!session)
+    return null;
+  if (session.expiresAt <= Date.now()) {
+    sessions.delete(token);
+    return null;
+  }
+  session.expiresAt = Date.now() + SESSION_TTL_MS;
+  sessions.set(token, session);
+  return session;
+}
+function readSession(request) {
+  const cookieHeader = request.headers.cookie;
+  const cookies = parseCookie(typeof cookieHeader === "string" ? cookieHeader : void 0);
+  const token = cookies[SESSION_COOKIE_NAME] ?? null;
+  return getSessionByToken(token);
+}
+function issueSession(username) {
+  purgeExpiredSessions();
+  const token = randomBytes3(32).toString("base64url");
+  const record = {
+    token,
+    username,
+    expiresAt: Date.now() + SESSION_TTL_MS
+  };
+  sessions.set(token, record);
+  return record;
+}
+function setSessionCookie(reply, token) {
+  reply.header("Set-Cookie", buildCookieString(token, SESSION_TTL_MS));
+}
+function clearSessionCookie(reply) {
+  reply.header("Set-Cookie", `${SESSION_COOKIE_NAME}=; Path=/; HttpOnly; SameSite=Strict; Max-Age=0; Expires=${(/* @__PURE__ */ new Date(0)).toUTCString()}`);
+}
+function revokeSession(token) {
+  if (!token)
+    return;
+  sessions.delete(token);
+}
+function revokeAllSessions() {
+  sessions.clear();
+}
+function getSessionToken(request) {
+  const cookieHeader = request.headers.cookie;
+  const cookies = parseCookie(typeof cookieHeader === "string" ? cookieHeader : void 0);
+  return cookies[SESSION_COOKIE_NAME] ?? null;
+}
+function sanitizeUsername(username) {
+  if (typeof username !== "string")
+    return void 0;
+  const trimmed = username.trim();
+  return trimmed || void 0;
+}
 // routes/admin.ts
 async function registerAdminRoutes(app) {
   try {
@@ -3485,15 +3577,96 @@ async function registerAdminRoutes(app) {
     return config.providers;
   });
   app.get("/api/config", async () => {
-    return getConfig();
+    const config = getConfig();
+    if (config.webAuth) {
+      const { passwordHash, passwordSalt, ...rest } = config.webAuth;
+      return {
+        ...config,
+        webAuth: rest
+      };
+    }
+    return config;
   });
   app.get("/api/config/info", async () => {
     const config = getConfig();
+    const sanitizedWebAuth = config.webAuth ? (() => {
+      const { passwordHash, passwordSalt, ...rest } = config.webAuth;
+      return rest;
+    })() : void 0;
     return {
-      config,
+      config: sanitizedWebAuth ? { ...config, webAuth: sanitizedWebAuth } : config,
       path: CONFIG_PATH
     };
   });
+  app.get("/api/auth/web", async () => {
+    const config = getConfig();
+    const auth = config.webAuth ?? { enabled: false };
+    return {
+      enabled: Boolean(auth.enabled),
+      username: auth.username ?? "",
+      hasPassword: Boolean(auth.passwordHash && auth.passwordSalt)
+    };
+  });
+  app.post("/api/auth/web", async (request, reply) => {
+    const body = request.body;
+    if (!body || typeof body.enabled !== "boolean") {
+      reply.code(400);
+      return { error: "Invalid payload" };
+    }
+    const current = getConfig();
+    const currentAuth = current.webAuth ?? { enabled: false };
+    const nextAuth = { ...currentAuth };
+    const normalizedUsername = sanitizeUsername(body.username);
+    const rawPassword = typeof body.password === "string" ? body.password : void 0;
+    const enforcingPassword = Boolean(rawPassword && rawPassword.length > 0);
+    if (enforcingPassword && rawPassword.length < 6) {
+      reply.code(400);
+      return { error: "Password must be at least 6 characters" };
+    }
+    const willEnable = body.enabled;
+    if (willEnable) {
+      if (!normalizedUsername) {
+        reply.code(400);
+        return { error: "Username is required when enabling authentication" };
+      }
+      nextAuth.enabled = true;
+      nextAuth.username = normalizedUsername;
+      const usernameChanged = normalizedUsername !== (currentAuth.username ?? void 0);
+      if (enforcingPassword) {
+        const record = createPasswordRecord(rawPassword);
+        nextAuth.passwordHash = record.passwordHash;
+        nextAuth.passwordSalt = record.passwordSalt;
+      } else if (!currentAuth.passwordHash || !currentAuth.passwordSalt || usernameChanged) {
+        reply.code(400);
+        return { error: "Password must be provided when enabling authentication" };
+      }
+    } else {
+      nextAuth.enabled = false;
+      nextAuth.username = normalizedUsername ?? currentAuth.username ?? void 0;
+      if (enforcingPassword) {
+        const record = createPasswordRecord(rawPassword);
+        nextAuth.passwordHash = record.passwordHash;
+        nextAuth.passwordSalt = record.passwordSalt;
+      }
+    }
+    const nextConfig = {
+      ...current,
+      webAuth: nextAuth
+    };
+    updateConfig(nextConfig);
+    const updated = getConfig();
+    if (!willEnable || enforcingPassword || (normalizedUsername ?? "") !== (currentAuth.username ?? "")) {
+      revokeAllSessions();
+    }
+    return {
+      success: true,
+      auth: {
+        enabled: Boolean(updated.webAuth?.enabled),
+        username: updated.webAuth?.username ?? "",
+        hasPassword: Boolean(updated.webAuth?.passwordHash && updated.webAuth?.passwordSalt)
+      }
+    };
+  });
   app.put("/api/config", async (request, reply) => {
     const body = request.body;
     if (!body || typeof body.port !== "number") {
@@ -3666,6 +3839,48 @@ async function registerAdminRoutes(app) {
         statusText: "No model configured for provider"
       };
     }
+    const rawBody = request.body;
+    const maskSensitiveHeaders = (headers) => {
+      if (!headers)
+        return null;
+      const masked = {};
+      for (const [key, value] of Object.entries(headers)) {
+        const lower = key.toLowerCase();
+        if (lower.includes("authorization") || lower.includes("api-key")) {
+          masked[key] = "<redacted>";
+        } else {
+          masked[key] = value;
+        }
+      }
+      return masked;
+    };
+    const providedHeaders = (() => {
+      if (!rawBody || typeof rawBody !== "object")
+        return null;
+      const candidate = rawBody.headers;
+      if (!candidate || typeof candidate !== "object")
+        return null;
+      const normalized = {};
+      for (const [key, value] of Object.entries(candidate)) {
+        if (typeof value !== "string")
+          continue;
+        const trimmedKey = key.trim();
+        if (!trimmedKey)
+          continue;
+        normalized[trimmedKey.toLowerCase()] = value;
+      }
+      return Object.keys(normalized).length > 0 ? normalized : null;
+    })();
+    const providedQuery = (() => {
+      if (!rawBody || typeof rawBody !== "object")
+        return null;
+      const raw = rawBody.query;
+      if (typeof raw === "string") {
+        const trimmed = raw.trim();
+        return trimmed.length > 0 ? trimmed : null;
+      }
+      return null;
+    })();
     const testPayload = normalizeClaudePayload({
       model: targetModel,
       stream: false,
@@ -3680,15 +3895,23 @@ async function registerAdminRoutes(app) {
             }
           ]
         }
-      ],
-      system: "You are a connection diagnostic assistant."
+      ]
     });
-    const providerBody = provider.type === "anthropic" ? buildAnthropicBody(testPayload, {
-      maxTokens: 256,
+    const providerBody = provider.type === "anthropic" ? {
+      model: targetModel,
+      stream: false,
+      max_tokens: 256,
       temperature: 0,
-      toolChoice: void 0,
-      overrideTools: void 0
-    }) : buildProviderBody(testPayload, {
+      messages: [
+        {
+          role: "user",
+          content: [
+            { type: "text", text: "You are a connection diagnostic assistant." },
+            { type: "text", text: "\u4F60\u597D\uFF0C\u8FD9\u662F\u4E00\u6B21\u8FDE\u63A5\u6D4B\u8BD5\u3002\u8BF7\u7B80\u77ED\u56DE\u5E94\u4EE5\u786E\u8BA4\u670D\u52A1\u53EF\u7528\u3002" }
+          ]
+        }
+      ]
+    } : buildProviderBody(testPayload, {
       maxTokens: 256,
       temperature: 0,
       toolChoice: void 0,
@@ -3699,15 +3922,38 @@ async function registerAdminRoutes(app) {
       const upstream = await connector.send({
         model: targetModel,
         body: providerBody,
-        stream: false
+        stream: false,
+        headers: providedHeaders ?? void 0,
+        query: providedQuery ?? void 0
       });
       const duration = Date.now() - startedAt;
       if (upstream.status >= 400) {
         const errorText = upstream.body ? await new Response(upstream.body).text() : "";
+        const credentialRestricted = errorText.includes("only authorized for use with Claude Code");
+        let requestBodyPreview;
+        try {
+          requestBodyPreview = JSON.stringify(providerBody).slice(0, 1e3);
+        } catch {
+          requestBodyPreview = "[unserializable body]";
+        }
+        request.log.warn(
+          {
+            event: "provider.test.failure",
+            provider: provider.id,
+            status: upstream.status,
+            statusText: errorText || "Upstream error",
+            headers: maskSensitiveHeaders(providedHeaders),
+            query: providedQuery ?? null,
+            durationMs: duration,
+            model: targetModel,
+            requestBody: requestBodyPreview
+          },
+          "provider test request failed"
+        );
         return {
           ok: false,
           status: upstream.status,
-          statusText: errorText || "Upstream error",
+          statusText: credentialRestricted ? "\u6D4B\u8BD5\u8BF7\u6C42\u88AB\u62D2\u7EDD\uFF1A\u8BE5\u51ED\u8BC1\u4EC5\u6388\u6743\u5728 Claude Code \u5185\u4F7F\u7528\u3002\u8BF7\u76F4\u63A5\u5728 IDE \u4E2D\u53D1\u8D77\u4E00\u6B21\u5BF9\u8BDD\u786E\u8BA4\u771F\u5B9E\u8FDE\u901A\u6027\u3002" : errorText || "Upstream error",
           durationMs: duration
         };
       }
@@ -3717,6 +3963,19 @@ async function registerAdminRoutes(app) {
         parsed = raw ? JSON.parse(raw) : null;
       } catch {
         const fallbackSample = raw?.trim() ?? "";
+        request.log.warn(
+          {
+            event: "provider.test.invalid_json",
+            provider: provider.id,
+            status: upstream.status,
+            headers: maskSensitiveHeaders(providedHeaders),
+            query: providedQuery ?? null,
+            durationMs: duration,
+            model: targetModel,
+            sample: fallbackSample ? fallbackSample.slice(0, 500) : ""
+          },
+          "provider test response not valid JSON"
+        );
         if (provider.type && provider.type !== "anthropic") {
           return {
             ok: fallbackSample.length > 0,
@@ -3941,6 +4200,64 @@ async function registerAdminRoutes(app) {
 }
 var isEndpoint = (value) => value === "anthropic" || value === "openai";
+// routes/auth.ts
+async function registerAuthRoutes(app) {
+  app.get("/auth/session", async (request) => {
+    const config = getConfig();
+    const webAuth = config.webAuth;
+    if (!webAuth?.enabled) {
+      return {
+        authEnabled: false,
+        authenticated: true
+      };
+    }
+    const session = readSession(request);
+    if (!session) {
+      return {
+        authEnabled: true,
+        authenticated: false
+      };
+    }
+    return {
+      authEnabled: true,
+      authenticated: true,
+      username: session.username
+    };
+  });
+  app.post("/auth/login", async (request, reply) => {
+    const config = getConfig();
+    const webAuth = config.webAuth;
+    if (!webAuth?.enabled) {
+      return {
+        success: true,
+        authEnabled: false
+      };
+    }
+    const body = request.body;
+    const username = sanitizeUsername(body?.username);
+    const password = typeof body?.password === "string" ? body.password : void 0;
+    if (!username || !password) {
+      reply.code(400);
+      return { error: "Missing username or password" };
+    }
+    if (!webAuth.username || username !== webAuth.username || !verifyPassword(password, webAuth)) {
+      reply.code(401);
+      return { error: "Invalid credentials" };
+    }
+    const session = issueSession(username);
+    setSessionCookie(reply, session.token);
+    return { success: true };
+  });
+  app.post("/auth/logout", async (request, reply) => {
+    const token = getSessionToken(request);
+    if (token) {
+      revokeSession(token);
+    }
+    clearSessionCookie(reply);
+    return { success: true };
+  });
+}
 // tasks/maintenance.ts
 var DAY_MS = 24 * 60 * 60 * 1e3;
 var timersStarted = false;
@@ -3995,11 +4312,37 @@ async function createServer() {
   const config = cachedConfig2 ?? loadConfig();
   const requestLogEnabled = config.requestLogging !== false;
   const responseLogEnabled = config.responseLogging !== false;
+  const bodyLimit = typeof config.bodyLimit === "number" && Number.isFinite(config.bodyLimit) && config.bodyLimit > 0 ? config.bodyLimit : 10 * 1024 * 1024;
   const app = Fastify({
     logger: {
       level: config.logLevel ?? "info"
     },
-    disableRequestLogging: true
+    disableRequestLogging: true,
+    bodyLimit
+  });
+  app.addHook("onRequest", async (request, reply) => {
+    const authConfig = (cachedConfig2 ?? getConfig()).webAuth;
+    if (!authConfig?.enabled) {
+      return;
+    }
+    const rawUrl = request.raw?.url ?? request.url ?? "";
+    if (!rawUrl)
+      return;
+    if (rawUrl.startsWith("/auth/") || rawUrl.startsWith("/anthropic") || rawUrl.startsWith("/openai") || rawUrl.startsWith("/assets/") || rawUrl.startsWith("/favicon.ico") || rawUrl === "/" || rawUrl.startsWith("/ui") || rawUrl.startsWith("/health")) {
+      return;
+    }
+    if (request.method === "OPTIONS") {
+      return;
+    }
+    if (rawUrl.startsWith("/api/")) {
+      const session = readSession(request);
+      if (session) {
+        return;
+      }
+      reply.code(401);
+      reply.header("Cache-Control", "no-store");
+      await reply.send({ error: "Authentication required" });
+    }
   });
   if (requestLogEnabled) {
     app.addHook("onRequest", (request, _reply, done) => {
@@ -4079,6 +4422,7 @@ async function createServer() {
   } else {
     app.log.warn("\u672A\u627E\u5230 Web UI \u6784\u5EFA\u4EA7\u7269\uFF0C/ui \u76EE\u5F55\u5C06\u4E0D\u53EF\u7528\u3002");
   }
+  await registerAuthRoutes(app);
   await registerMessagesRoute(app);
   await registerOpenAiRoutes(app);
   await registerAdminRoutes(app);