@lobehub/chat 1.104.5 → 1.105.0

package/src/database/migrations/meta/_journal.json

@@ -203,6 +203,13 @@
       "when": 1752567402506,
       "tag": "0028_oauth_handoffs",
       "breakpoints": true
+    },
+    {
+      "idx": 29,
+      "version": "7",
+      "when": 1753201379817,
+      "tag": "0029_add_apikey_manage",
+      "breakpoints": true
     }
   ],
   "version": "6"

package/src/database/models/apiKey.ts

@@ -0,0 +1,116 @@
+import { and, desc, eq } from 'drizzle-orm/expressions';
+
+import { LobeChatDatabase } from '@/database/type';
+import { generateApiKey, isApiKeyExpired, validateApiKeyFormat } from '@/utils/apiKey';
+
+import { ApiKeyItem, NewApiKeyItem, apiKeys } from '../schemas';
+
+type EncryptAPIKeyVaults = (keyVaults: string) => Promise<string>;
+type DecryptAPIKeyVaults = (keyVaults: string) => Promise<{ plaintext: string }>;
+
+const defaultSerialize = (s: string) => s;
+
+export class ApiKeyModel {
+  private userId: string;
+  private db: LobeChatDatabase;
+
+  constructor(db: LobeChatDatabase, userId: string) {
+    this.userId = userId;
+    this.db = db;
+  }
+
+  create = async (
+    params: Omit<NewApiKeyItem, 'userId' | 'id' | 'key'>,
+    encryptor?: EncryptAPIKeyVaults,
+  ) => {
+    const key = generateApiKey();
+
+    const encrypt = encryptor || defaultSerialize;
+
+    const encryptedKey = await encrypt(key);
+
+    const [result] = await this.db
+      .insert(apiKeys)
+      .values({ ...params, key: encryptedKey, userId: this.userId })
+      .returning();
+
+    return result;
+  };
+
+  delete = async (id: number) => {
+    return this.db.delete(apiKeys).where(and(eq(apiKeys.id, id), eq(apiKeys.userId, this.userId)));
+  };
+
+  deleteAll = async () => {
+    return this.db.delete(apiKeys).where(eq(apiKeys.userId, this.userId));
+  };
+
+  query = async (decryptor?: DecryptAPIKeyVaults) => {
+    const results = await this.db.query.apiKeys.findMany({
+      orderBy: [desc(apiKeys.updatedAt)],
+      where: eq(apiKeys.userId, this.userId),
+    });
+
+    // 如果没有提供解密器，直接返回原始结果
+    if (!decryptor) {
+      return results;
+    }
+
+    // 对每个 API Key 的 key 字段进行解密
+    const decryptedResults = await Promise.all(
+      results.map(async (apiKey) => {
+        const decryptedKey = await decryptor(apiKey.key);
+        return {
+          ...apiKey,
+          key: decryptedKey.plaintext,
+        };
+      }),
+    );
+
+    return decryptedResults;
+  };
+
+  findByKey = async (key: string, encryptor?: EncryptAPIKeyVaults) => {
+    if (!validateApiKeyFormat(key)) {
+      return null;
+    }
+
+    const encrypt = encryptor || defaultSerialize;
+
+    const encryptedKey = await encrypt(key);
+
+    return this.db.query.apiKeys.findFirst({
+      where: eq(apiKeys.key, encryptedKey),
+    });
+  };
+
+  validateKey = async (key: string) => {
+    const apiKey = await this.findByKey(key);
+
+    if (!apiKey) return false;
+    if (!apiKey.enabled) return false;
+    if (isApiKeyExpired(apiKey.expiresAt)) return false;
+
+    return true;
+  };
+
+  update = async (id: number, value: Partial<ApiKeyItem>) => {
+    return this.db
+      .update(apiKeys)
+      .set({ ...value, updatedAt: new Date() })
+      .where(and(eq(apiKeys.id, id), eq(apiKeys.userId, this.userId)));
+  };
+
+  findById = async (id: number) => {
+    return this.db.query.apiKeys.findFirst({
+      where: and(eq(apiKeys.id, id), eq(apiKeys.userId, this.userId)),
+    });
+  };
+
+  updateLastUsed = async (id: number) => {
+    return this.db
+      .update(apiKeys)
+      .set({ lastUsedAt: new Date() })
+      .where(and(eq(apiKeys.id, id), eq(apiKeys.userId, this.userId)));
+  };
+}

package/src/database/schemas/apiKey.ts

@@ -0,0 +1,25 @@
+/* eslint-disable sort-keys-fix/sort-keys-fix  */
+import { boolean, integer, pgTable, text, varchar } from 'drizzle-orm/pg-core';
+import { createInsertSchema } from 'drizzle-zod';
+
+import { timestamps, timestamptz } from './_helpers';
+import { users } from './user';
+
+export const apiKeys = pgTable('api_keys', {
+  id: integer('id').primaryKey().generatedByDefaultAsIdentity(), // auto-increment primary key
+  name: varchar('name', { length: 256 }).notNull(), // name of the API key
+  key: varchar('key', { length: 256 }).notNull().unique(), // API key
+  enabled: boolean('enabled').default(true), // whether the API key is enabled
+  expiresAt: timestamptz('expires_at'), // expires time
+  lastUsedAt: timestamptz('last_used_at'), // last used time
+  userId: text('user_id')
+    .references(() => users.id, { onDelete: 'cascade' })
+    .notNull(), // belongs to user, when user is deleted, the API key will be deleted
+
+  ...timestamps,
+});
+
+export const insertApiKeySchema = createInsertSchema(apiKeys);
+
+export type ApiKeyItem = typeof apiKeys.$inferSelect;
+export type NewApiKeyItem = typeof apiKeys.$inferInsert;

package/src/database/schemas/index.ts

@@ -1,5 +1,6 @@
 export * from './agent';
 export * from './aiInfra';
+export * from './apiKey';
 export * from './asyncTask';
 export * from './document';
 export * from './file';

package/src/database/schemas/rbac.ts

@@ -1,5 +1,14 @@
 /* eslint-disable sort-keys-fix/sort-keys-fix  */
-import { boolean, index, integer, pgTable, primaryKey, text, timestamp } from 'drizzle-orm/pg-core';
+import {
+  boolean,
+  index,
+  integer,
+  jsonb,
+  pgTable,
+  primaryKey,
+  text,
+  timestamp,
+} from 'drizzle-orm/pg-core';
 
 import { timestamps } from './_helpers';
 import { users } from './user';
@@ -12,6 +21,7 @@ export const roles = pgTable('rbac_roles', {
   description: text('description'), // Role description
   isSystem: boolean('is_system').default(false).notNull(), // Whether it's a system role
   isActive: boolean('is_active').default(true).notNull(), // Whether it's active
+  metadata: jsonb('metadata').default({}), // Role metadata
 
   ...timestamps,
 });

package/src/locales/default/auth.ts

@@ -1,4 +1,57 @@
 export default {
+  apikey: {
+    display: {
+      autoGenerated: '自动生成',
+      copy: '复制',
+      copyError: '复制失败',
+      copySuccess: 'API Key 已复制到剪贴板',
+      enterPlaceholder: '请输入',
+      hide: '隐藏',
+      neverExpires: '永不过期',
+      neverUsed: '从未使用',
+      show: '显示',
+    },
+    form: {
+      fields: {
+        expiresAt: {
+          label: '过期时间',
+          placeholder: '永不过期',
+        },
+        name: {
+          label: '名称',
+          placeholder: '请输入 API Key 名称',
+        },
+      },
+      submit: '创建',
+      title: '创建 API Key',
+    },
+    list: {
+      actions: {
+        create: '创建 API Key',
+        delete: '删除',
+        deleteConfirm: {
+          actions: {
+            cancel: '取消',
+            ok: '确认',
+          },
+          content: '确认删除该 API Key 吗？',
+          title: '确认操作',
+        },
+      },
+      columns: {
+        actions: '操作',
+        expiresAt: '过期时间',
+        key: '密钥',
+        lastUsedAt: '最后使用时间',
+        name: '名称',
+        status: '启用状态',
+      },
+      title: 'API Key 列表',
+    },
+    validation: {
+      required: '内容不得为空',
+    },
+  },
   date: {
     prevMonth: '上个月',
     recent30Days: '最近30天',
@@ -90,6 +143,7 @@ export default {
     words: '累计字数',
   },
   tab: {
+    apikey: 'API Key 管理',
     profile: '个人资料',
     security: '安全',
     stats: '数据统计',

package/src/server/routers/lambda/apiKey.ts

@@ -0,0 +1,80 @@
+import { z } from 'zod';
+
+import { ApiKeyModel } from '@/database/models/apiKey';
+import { authedProcedure, router } from '@/libs/trpc/lambda';
+import { serverDatabase } from '@/libs/trpc/lambda/middleware';
+import { KeyVaultsGateKeeper } from '@/server/modules/KeyVaultsEncrypt';
+
+const apiKeyProcedure = authedProcedure.use(serverDatabase).use(async (opts) => {
+  const { ctx } = opts;
+
+  const gateKeeper = await KeyVaultsGateKeeper.initWithEnvKey();
+
+  return opts.next({
+    ctx: {
+      apiKeyModel: new ApiKeyModel(ctx.serverDB, ctx.userId),
+      gateKeeper,
+    },
+  });
+});
+
+export const apiKeyRouter = router({
+  createApiKey: apiKeyProcedure
+    .input(
+      z.object({
+        expiresAt: z.date().optional().nullable(),
+        name: z.string(),
+      }),
+    )
+    .mutation(async ({ input, ctx }) => {
+      return await ctx.apiKeyModel.create(input, ctx.gateKeeper.encrypt);
+    }),
+
+  deleteAllApiKeys: apiKeyProcedure.mutation(async ({ ctx }) => {
+    return ctx.apiKeyModel.deleteAll();
+  }),
+
+  deleteApiKey: apiKeyProcedure
+    .input(z.object({ id: z.number() }))
+    .mutation(async ({ input, ctx }) => {
+      return ctx.apiKeyModel.delete(input.id);
+    }),
+
+  getApiKey: apiKeyProcedure
+    .input(z.object({ apiKey: z.string() }))
+    .query(async ({ input, ctx }) => {
+      return ctx.apiKeyModel.findByKey(input.apiKey, ctx.gateKeeper.encrypt);
+    }),
+
+  getApiKeyById: apiKeyProcedure
+    .input(z.object({ id: z.number() }))
+    .query(async ({ input, ctx }) => {
+      return ctx.apiKeyModel.findById(input.id);
+    }),
+
+  getApiKeys: apiKeyProcedure.query(async ({ ctx }) => {
+    return ctx.apiKeyModel.query(ctx.gateKeeper.decrypt);
+  }),
+
+  updateApiKey: apiKeyProcedure
+    .input(
+      z.object({
+        id: z.number(),
+        value: z.object({
+          description: z.string().optional(),
+          enabled: z.boolean().optional(),
+          expiresAt: z.date().optional().nullable(),
+          name: z.string().optional(),
+        }),
+      }),
+    )
+    .mutation(async ({ input, ctx }) => {
+      return ctx.apiKeyModel.update(input.id, input.value);
+    }),
+
+  validateApiKey: apiKeyProcedure
+    .input(z.object({ key: z.string() }))
+    .query(async ({ input, ctx }) => {
+      return ctx.apiKeyModel.validateKey(input.key);
+    }),
+});

package/src/server/routers/lambda/index.ts

@@ -6,6 +6,7 @@ import { publicProcedure, router } from '@/libs/trpc/lambda';
 import { agentRouter } from './agent';
 import { aiModelRouter } from './aiModel';
 import { aiProviderRouter } from './aiProvider';
+import { apiKeyRouter } from './apiKey';
 import { chunkRouter } from './chunk';
 import { configRouter } from './config';
 import { documentRouter } from './document';
@@ -31,6 +32,7 @@ export const lambdaRouter = router({
   agent: agentRouter,
   aiModel: aiModelRouter,
   aiProvider: aiProviderRouter,
+  apiKey: apiKeyRouter,
   chunk: chunkRouter,
   config: configRouter,
   document: documentRouter,

package/src/store/global/initialState.ts

@@ -40,6 +40,7 @@ export enum SettingsTabs {
 }
 
 export enum ProfileTabs {
+  APIKey = 'apikey',
   Profile = 'profile',
   Security = 'security',
   Stats = 'stats',

package/src/store/serverConfig/selectors.test.ts

@@ -19,6 +19,7 @@ describe('featureFlagsSelectors', () => {
     expect(result).toEqual({
       enableWebrtc: false,
       isAgentEditable: false,
+      showApiKeyManage: false,
       enablePlugins: true,
       showCreateSession: true,
       showChangelog: true,

package/src/types/apiKey.ts

@@ -0,0 +1,12 @@
+export { type ApiKeyItem } from '@/database/schemas/apiKey';
+
+export interface CreateApiKeyParams {
+  expiresAt?: Date | null;
+  name: string;
+}
+
+export interface UpdateApiKeyParams {
+  enabled?: boolean;
+  expiresAt?: Date | null;
+  name?: string;
+}

package/src/utils/apiKey.ts

@@ -0,0 +1,60 @@
+// Global counter for additional uniqueness
+let apiKeyCounter = 0;
+
+/**
+ * Generate API Key
+ * Format: lb-{random}
+ * @returns Generated API Key
+ */
+export function generateApiKey(): string {
+  // Use high-resolution timestamp for better uniqueness
+  const timestamp = performance.now().toString(36).replaceAll('.', '');
+
+  // Generate multiple random components
+  const random1 = Math.random().toString(36).slice(2);
+  const random2 = Math.random().toString(36).slice(2);
+  const random3 = Math.random().toString(36).slice(2);
+
+  // Add a counter-based component for additional uniqueness
+  apiKeyCounter = (apiKeyCounter + 1) % 1_000_000;
+  const counter = apiKeyCounter.toString(36);
+
+  // Combine all components
+  const combined = (timestamp + random1 + random2 + random3 + counter).replaceAll(/[^\da-z]/g, '');
+
+  // Ensure we have enough entropy
+  let randomPart = combined.slice(0, 16);
+
+  // If we don't have enough characters, generate more
+  while (randomPart.length < 16) {
+    const additional = Math.random().toString(36).slice(2);
+    randomPart += additional;
+  }
+
+  // Take exactly 16 characters
+  randomPart = randomPart.slice(0, 16);
+
+  // Combine to form the final API Key
+  return `lb-${randomPart}`;
+}
+
+/**
+ * Check if API Key is expired
+ * @param expiresAt - Expiration time
+ * @returns Whether the key has expired
+ */
+export function isApiKeyExpired(expiresAt: Date | null): boolean {
+  if (!expiresAt) return false;
+  return new Date() > expiresAt;
+}
+
+/**
+ * Validate API Key format
+ * @param key - API Key to validate
+ * @returns Whether the key has a valid format
+ */
+export function validateApiKeyFormat(key: string): boolean {
+  // Check format: lb-{random}
+  const pattern = /^lb-[\da-f]{16}$/;
+  return pattern.test(key);
+}