@lobehub/lobehub 2.0.0-next.195 → 2.0.0-next.196

package/CHANGELOG.md

@@ -2,6 +2,31 @@
 
 # Changelog
 
+## [Version 2.0.0-next.196](https://github.com/lobehub/lobe-chat/compare/v2.0.0-next.195...v2.0.0-next.196)
+
+<sup>Released on **2026-01-03**</sup>
+
+#### ♻ Code Refactoring
+
+- **misc**: Refactor to remove access code.
+
+<br/>
+
+<details>
+<summary><kbd>Improvements and Fixes</kbd></summary>
+
+#### Code refactoring
+
+- **misc**: Refactor to remove access code, closes [#11120](https://github.com/lobehub/lobe-chat/issues/11120) ([0e9f98c](https://github.com/lobehub/lobe-chat/commit/0e9f98c))
+
+</details>
+
+<div align="right">
+
+[![](https://img.shields.io/badge/-BACK_TO_TOP-151515?style=flat-square)](#readme-top)
+
+</div>
+
 ## [Version 2.0.0-next.195](https://github.com/lobehub/lobe-chat/compare/v2.0.0-next.194...v2.0.0-next.195)
 
 <sup>Released on **2026-01-03**</sup>

package/changelog/v1.json

@@ -1,4 +1,13 @@
 [
+  {
+    "children": {
+      "improvements": [
+        "Refactor to remove access code."
+      ]
+    },
+    "date": "2026-01-03",
+    "version": "2.0.0-next.196"
+  },
   {
     "children": {
       "fixes": [

package/locales/ar/setting.json

@@ -384,9 +384,6 @@
   "settingOpening.openingQuestions.title": "الأسئلة الافتتاحية",
   "settingOpening.title": "إعدادات البداية",
   "settingPlugin.title": "قائمة المهارات",
-  "settingSystem.accessCode.desc": "تم تفعيل الوصول المشفر من قبل المسؤول",
-  "settingSystem.accessCode.placeholder": "أدخل كلمة مرور الوصول",
-  "settingSystem.accessCode.title": "كلمة مرور الوصول",
   "settingSystem.oauth.info.desc": "تم تسجيل الدخول",
   "settingSystem.oauth.info.title": "معلومات الحساب",
   "settingSystem.oauth.signin.action": "تسجيل الدخول",

package/locales/bg-BG/setting.json

@@ -384,9 +384,6 @@
   "settingOpening.openingQuestions.title": "Начални въпроси",
   "settingOpening.title": "Настройки за начало",
   "settingPlugin.title": "Списък с умения",
-  "settingSystem.accessCode.desc": "Достъпът с шифроване е активиран от администратора",
-  "settingSystem.accessCode.placeholder": "Въведете парола за достъп",
-  "settingSystem.accessCode.title": "Парола за достъп",
   "settingSystem.oauth.info.desc": "Вход изпълнен",
   "settingSystem.oauth.info.title": "Информация за акаунта",
   "settingSystem.oauth.signin.action": "Вход",

package/locales/de-DE/setting.json

@@ -384,9 +384,6 @@
   "settingOpening.openingQuestions.title": "Einstiegsfragen",
   "settingOpening.title": "Begrüßungseinstellungen",
   "settingPlugin.title": "Fähigkeitenliste",
-  "settingSystem.accessCode.desc": "Zugriff mit Verschlüsselung ist vom Administrator aktiviert",
-  "settingSystem.accessCode.placeholder": "Zugangspasswort eingeben",
-  "settingSystem.accessCode.title": "Zugangspasswort",
   "settingSystem.oauth.info.desc": "Angemeldet",
   "settingSystem.oauth.info.title": "Kontoinformationen",
   "settingSystem.oauth.signin.action": "Anmelden",

package/locales/en-US/setting.json

@@ -384,9 +384,6 @@
   "settingOpening.openingQuestions.title": "Opening Questions",
   "settingOpening.title": "Opening Settings",
   "settingPlugin.title": "Skill List",
-  "settingSystem.accessCode.desc": "Encryption access is enabled by the administrator",
-  "settingSystem.accessCode.placeholder": "Enter access password",
-  "settingSystem.accessCode.title": "Access Password",
   "settingSystem.oauth.info.desc": "Logged in",
   "settingSystem.oauth.info.title": "Account Information",
   "settingSystem.oauth.signin.action": "Sign In",

package/locales/es-ES/setting.json

@@ -384,9 +384,6 @@
   "settingOpening.openingQuestions.title": "Preguntas de Apertura",
   "settingOpening.title": "Configuración de Apertura",
   "settingPlugin.title": "Lista de Habilidades",
-  "settingSystem.accessCode.desc": "El administrador ha habilitado el acceso cifrado",
-  "settingSystem.accessCode.placeholder": "Introduce la contraseña de acceso",
-  "settingSystem.accessCode.title": "Contraseña de Acceso",
   "settingSystem.oauth.info.desc": "Sesión iniciada",
   "settingSystem.oauth.info.title": "Información de la Cuenta",
   "settingSystem.oauth.signin.action": "Iniciar Sesión",

package/locales/fa-IR/setting.json

@@ -384,9 +384,6 @@
   "settingOpening.openingQuestions.title": "سؤالات آغازین",
   "settingOpening.title": "تنظیمات آغازین",
   "settingPlugin.title": "فهرست مهارت‌ها",
-  "settingSystem.accessCode.desc": "دسترسی رمزگذاری‌شده توسط مدیر فعال شده است",
-  "settingSystem.accessCode.placeholder": "رمز عبور دسترسی را وارد کنید",
-  "settingSystem.accessCode.title": "رمز عبور دسترسی",
   "settingSystem.oauth.info.desc": "وارد شده‌اید",
   "settingSystem.oauth.info.title": "اطلاعات حساب",
   "settingSystem.oauth.signin.action": "ورود",

package/locales/fr-FR/setting.json

@@ -384,9 +384,6 @@
   "settingOpening.openingQuestions.title": "Questions d’accueil",
   "settingOpening.title": "Paramètres d’accueil",
   "settingPlugin.title": "Liste des compétences",
-  "settingSystem.accessCode.desc": "L’accès chiffré est activé par l’administrateur",
-  "settingSystem.accessCode.placeholder": "Saisir le mot de passe d’accès",
-  "settingSystem.accessCode.title": "Mot de passe d’accès",
   "settingSystem.oauth.info.desc": "Connecté",
   "settingSystem.oauth.info.title": "Informations du compte",
   "settingSystem.oauth.signin.action": "Se connecter",

package/locales/it-IT/setting.json

@@ -384,9 +384,6 @@
   "settingOpening.openingQuestions.title": "Domande di Apertura",
   "settingOpening.title": "Impostazioni di Apertura",
   "settingPlugin.title": "Elenco Competenze",
-  "settingSystem.accessCode.desc": "L'accesso crittografato è abilitato dall'amministratore",
-  "settingSystem.accessCode.placeholder": "Inserisci la password di accesso",
-  "settingSystem.accessCode.title": "Password di Accesso",
   "settingSystem.oauth.info.desc": "Accesso effettuato",
   "settingSystem.oauth.info.title": "Informazioni Account",
   "settingSystem.oauth.signin.action": "Accedi",

package/locales/ja-JP/setting.json

@@ -384,9 +384,6 @@
   "settingOpening.openingQuestions.title": "オープニング質問",
   "settingOpening.title": "オープニング設定",
   "settingPlugin.title": "スキルリスト",
-  "settingSystem.accessCode.desc": "管理者が暗号化アクセスを有効にしています",
-  "settingSystem.accessCode.placeholder": "アクセスコードを入力してください",
-  "settingSystem.accessCode.title": "アクセスコード",
   "settingSystem.oauth.info.desc": "ログイン済み",
   "settingSystem.oauth.info.title": "アカウント情報",
   "settingSystem.oauth.signin.action": "ログイン",

package/locales/ko-KR/setting.json

@@ -384,9 +384,6 @@
   "settingOpening.openingQuestions.title": "오프닝 질문",
   "settingOpening.title": "오프닝 설정",
   "settingPlugin.title": "기능 목록",
-  "settingSystem.accessCode.desc": "관리자가 암호화된 액세스를 활성화했습니다",
-  "settingSystem.accessCode.placeholder": "액세스 암호를 입력하세요",
-  "settingSystem.accessCode.title": "액세스 암호",
   "settingSystem.oauth.info.desc": "로그인됨",
   "settingSystem.oauth.info.title": "계정 정보",
   "settingSystem.oauth.signin.action": "로그인",

package/locales/nl-NL/setting.json

@@ -384,9 +384,6 @@
   "settingOpening.openingQuestions.title": "Openingsvragen",
   "settingOpening.title": "Openingsinstellingen",
   "settingPlugin.title": "Vaardighedenlijst",
-  "settingSystem.accessCode.desc": "Versleutelde toegang is ingeschakeld door de beheerder",
-  "settingSystem.accessCode.placeholder": "Voer toegangswachtwoord in",
-  "settingSystem.accessCode.title": "Toegangswachtwoord",
   "settingSystem.oauth.info.desc": "Ingelogd",
   "settingSystem.oauth.info.title": "Accountinformatie",
   "settingSystem.oauth.signin.action": "Inloggen",

package/locales/pl-PL/setting.json

@@ -384,9 +384,6 @@
   "settingOpening.openingQuestions.title": "Pytania wprowadzające",
   "settingOpening.title": "Ustawienia powitania",
   "settingPlugin.title": "Lista umiejętności",
-  "settingSystem.accessCode.desc": "Dostęp szyfrowany został włączony przez administratora",
-  "settingSystem.accessCode.placeholder": "Wprowadź hasło dostępu",
-  "settingSystem.accessCode.title": "Hasło dostępu",
   "settingSystem.oauth.info.desc": "Zalogowano",
   "settingSystem.oauth.info.title": "Informacje o koncie",
   "settingSystem.oauth.signin.action": "Zaloguj się",

package/locales/pt-BR/setting.json

@@ -384,9 +384,6 @@
   "settingOpening.openingQuestions.title": "Perguntas de Abertura",
   "settingOpening.title": "Configurações de Abertura",
   "settingPlugin.title": "Lista de Habilidades",
-  "settingSystem.accessCode.desc": "O acesso criptografado foi ativado pelo administrador",
-  "settingSystem.accessCode.placeholder": "Digite a senha de acesso",
-  "settingSystem.accessCode.title": "Senha de Acesso",
   "settingSystem.oauth.info.desc": "Conectado",
   "settingSystem.oauth.info.title": "Informações da Conta",
   "settingSystem.oauth.signin.action": "Entrar",

package/locales/ru-RU/setting.json

@@ -384,9 +384,6 @@
   "settingOpening.openingQuestions.title": "Вводные вопросы",
   "settingOpening.title": "Настройки приветствия",
   "settingPlugin.title": "Список навыков",
-  "settingSystem.accessCode.desc": "Доступ по паролю включён администратором",
-  "settingSystem.accessCode.placeholder": "Введите пароль доступа",
-  "settingSystem.accessCode.title": "Пароль доступа",
   "settingSystem.oauth.info.desc": "Вы вошли в систему",
   "settingSystem.oauth.info.title": "Информация об аккаунте",
   "settingSystem.oauth.signin.action": "Войти",

package/locales/tr-TR/setting.json

@@ -384,9 +384,6 @@
   "settingOpening.openingQuestions.title": "Açılış Soruları",
   "settingOpening.title": "Açılış Ayarları",
   "settingPlugin.title": "Yetenek Listesi",
-  "settingSystem.accessCode.desc": "Şifreli erişim, yönetici tarafından etkinleştirilmiştir",
-  "settingSystem.accessCode.placeholder": "Erişim şifresini girin",
-  "settingSystem.accessCode.title": "Erişim Şifresi",
   "settingSystem.oauth.info.desc": "Giriş yapıldı",
   "settingSystem.oauth.info.title": "Hesap Bilgileri",
   "settingSystem.oauth.signin.action": "Giriş Yap",

package/locales/vi-VN/setting.json

@@ -384,9 +384,6 @@
   "settingOpening.openingQuestions.title": "Câu Hỏi Mở Đầu",
   "settingOpening.title": "Cài Đặt Mở Đầu",
   "settingPlugin.title": "Danh Sách Kỹ Năng",
-  "settingSystem.accessCode.desc": "Mã truy cập được mã hóa do quản trị viên bật",
-  "settingSystem.accessCode.placeholder": "Nhập mật khẩu truy cập",
-  "settingSystem.accessCode.title": "Mật Khẩu Truy Cập",
   "settingSystem.oauth.info.desc": "Đã đăng nhập",
   "settingSystem.oauth.info.title": "Thông Tin Tài Khoản",
   "settingSystem.oauth.signin.action": "Đăng Nhập",

package/locales/zh-CN/setting.json

@@ -384,9 +384,6 @@
   "settingOpening.openingQuestions.title": "开场问题",
   "settingOpening.title": "开场设置",
   "settingPlugin.title": "技能列表",
-  "settingSystem.accessCode.desc": "管理员已开启加密访问",
-  "settingSystem.accessCode.placeholder": "请输入访问密码",
-  "settingSystem.accessCode.title": "访问密码",
   "settingSystem.oauth.info.desc": "已登录",
   "settingSystem.oauth.info.title": "账户信息",
   "settingSystem.oauth.signin.action": "登录",

package/locales/zh-TW/setting.json

@@ -384,9 +384,6 @@
   "settingOpening.openingQuestions.title": "開場問題",
   "settingOpening.title": "開場設定",
   "settingPlugin.title": "插件列表",
-  "settingSystem.accessCode.desc": "管理員已開啟加密訪問",
-  "settingSystem.accessCode.placeholder": "請輸入訪問密碼",
-  "settingSystem.accessCode.title": "訪問密碼",
   "settingSystem.oauth.info.desc": "已登錄",
   "settingSystem.oauth.info.title": "帳戶資訊",
   "settingSystem.oauth.signin.action": "登錄",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lobehub/lobehub",
-  "version": "2.0.0-next.195",
+  "version": "2.0.0-next.196",
   "description": "LobeHub - an open-source,comprehensive AI Agent framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Supports one-click free deployment of your private ChatGPT/LLM web application.",
   "keywords": [
     "framework",

package/packages/const/src/fetch.ts

@@ -6,8 +6,6 @@ export const USE_AZURE_OPENAI = 'X-use-azure-openai';
 
 export const AZURE_OPENAI_API_VERSION = 'X-azure-openai-api-version';
 
-export const LOBE_CHAT_ACCESS_CODE = 'X-lobe-chat-access-code';
-
 export const OAUTH_AUTHORIZED = 'X-oauth-authorized';
 
 /**
@@ -16,7 +14,6 @@ export const OAUTH_AUTHORIZED = 'X-oauth-authorized';
 export const getOpenAIAuthFromRequest = (req: Request) => {
   const apiKey = req.headers.get(OPENAI_API_KEY_HEADER_KEY);
   const endpoint = req.headers.get(OPENAI_END_POINT);
-  const accessCode = req.headers.get(LOBE_CHAT_ACCESS_CODE);
   const useAzureStr = req.headers.get(USE_AZURE_OPENAI);
   const apiVersion = req.headers.get(AZURE_OPENAI_API_VERSION);
   const oauthAuthorizedStr = req.headers.get(OAUTH_AUTHORIZED);
@@ -25,5 +22,5 @@ export const getOpenAIAuthFromRequest = (req: Request) => {
   const oauthAuthorized = !!oauthAuthorizedStr;
   const useAzure = !!useAzureStr;
 
-  return { accessCode, apiKey, apiVersion, endpoint, oauthAuthorized, useAzure, userId };
+  return { apiKey, apiVersion, endpoint, oauthAuthorized, useAzure, userId };
 };

package/packages/types/src/auth.ts

@@ -1,9 +1,5 @@
 /* eslint-disable typescript-sort-keys/interface */
 export interface ClientSecretPayload {
-  /**
-   * password
-   */
-  accessCode?: string;
   /**
    * Represents the user's API key
    *

package/packages/utils/src/server/xor.test.ts

@@ -7,7 +7,6 @@ describe('getXorPayload', () => {
   it('should correctly decode XOR obfuscated payload with user data', () => {
     const originalPayload = {
       userId: '001362c3-48c5-4635-bd3b-837bfff58fc0',
-      accessCode: 'test-access-code',
       apiKey: 'test-api-key',
       baseURL: 'https://api.example.com',
     };
@@ -86,7 +85,7 @@ describe('getXorPayload', () => {
   it('should handle payload with undefined values', () => {
     const originalPayload = {
       userId: 'test-user',
-      accessCode: undefined,
+      baseURL: undefined,
       apiKey: 'test-key',
     };
 

package/src/app/(backend)/_deprecated/createBizOpenAI/auth.test.ts

@@ -1,53 +1,19 @@
 // @vitest-environment node
 import { checkAuth } from './auth';
 
-describe('ACCESS_CODE', () => {
-  let auth = false;
-
-  beforeEach(() => {
-    auth = false;
-    process.env.ACCESS_CODE = undefined;
-    // Reset environment variables before each test case
-    vi.restoreAllMocks();
-  });
-
-  it('set multiple access codes', () => {
-    process.env.ACCESS_CODE = ',code1,code2,code3';
-    ({ auth } = checkAuth({ accessCode: 'code1' }));
-    expect(auth).toBe(true);
-    ({ auth } = checkAuth({ accessCode: 'code2' }));
-    expect(auth).toBe(true);
-    ({ auth } = checkAuth({ accessCode: 'code1,code2' }));
-    expect(auth).toBe(false);
-  });
-
-  it('set individual access code', () => {
-    process.env.ACCESS_CODE = 'code1';
-    ({ auth } = checkAuth({ accessCode: 'code1' }));
+describe('checkAuth', () => {
+  it('should pass with oauth authorized', () => {
+    const { auth } = checkAuth({ oauthAuthorized: true });
     expect(auth).toBe(true);
-    ({ auth } = checkAuth({ accessCode: 'code2' }));
-    expect(auth).toBe(false);
   });
 
-  it('no access code', () => {
-    delete process.env.ACCESS_CODE;
-    ({ auth } = checkAuth({ accessCode: 'code1' }));
-    expect(auth).toBe(true);
-    ({ auth } = checkAuth({}));
+  it('should pass with api key', () => {
+    const { auth } = checkAuth({ apiKey: 'test-api-key' });
     expect(auth).toBe(true);
   });
 
-  it('empty access code', () => {
-    process.env.ACCESS_CODE = '';
-    ({ auth } = checkAuth({ accessCode: 'code1' }));
-    expect(auth).toBe(true);
-    ({ auth } = checkAuth({}));
-    expect(auth).toBe(true);
-
-    process.env.ACCESS_CODE = ',,';
-    ({ auth } = checkAuth({ accessCode: 'code1' }));
-    expect(auth).toBe(true);
-    ({ auth } = checkAuth({}));
+  it('should pass with no params', () => {
+    const { auth } = checkAuth({});
     expect(auth).toBe(true);
   });
 });

package/src/app/(backend)/_deprecated/createBizOpenAI/auth.ts

@@ -1,32 +1,18 @@
-import { ChatErrorType } from '@lobechat/types';
-
-import { getAppConfig } from '@/envs/app';
-
 interface AuthConfig {
-  accessCode?: string | null;
   apiKey?: string | null;
   oauthAuthorized?: boolean;
 }
 
-export const checkAuth = ({ apiKey, accessCode, oauthAuthorized }: AuthConfig) => {
+export const checkAuth = ({ apiKey, oauthAuthorized }: AuthConfig) => {
   // If authorized by oauth
   if (oauthAuthorized) {
     return { auth: true };
   }
 
-  const { ACCESS_CODES } = getAppConfig();
-
   // if apiKey exist
   if (apiKey) {
     return { auth: true };
   }
 
-  // if accessCode doesn't exist
-  if (!ACCESS_CODES.length) return { auth: true };
-
-  if (!accessCode || !ACCESS_CODES.includes(accessCode)) {
-    return { auth: false, error: ChatErrorType.InvalidAccessCode };
-  }
-
   return { auth: true };
 };

package/src/app/(backend)/_deprecated/createBizOpenAI/index.ts

@@ -1,10 +1,9 @@
-import { ChatErrorType, type ErrorType } from '@lobechat/types';
+import { ChatErrorType } from '@lobechat/types';
 import type OpenAI from 'openai';
 
 import { getOpenAIAuthFromRequest } from '@/const/fetch';
 import { createErrorResponse } from '@/utils/errorResponse';
 
-import { checkAuth } from './auth';
 import { createOpenai } from './createOpenai';
 
 /**
@@ -13,13 +12,7 @@ import { createOpenai } from './createOpenai';
  * if auth not pass ,just return error response
  */
 export const createBizOpenAI = (req: Request): Response | OpenAI => {
-  const { apiKey, accessCode, endpoint, oauthAuthorized } = getOpenAIAuthFromRequest(req);
-
-  const result = checkAuth({ accessCode, apiKey, oauthAuthorized });
-
-  if (!result.auth) {
-    return createErrorResponse(result.error as ErrorType);
-  }
+  const { apiKey, endpoint } = getOpenAIAuthFromRequest(req);
 
   let openai: OpenAI;
 

package/src/app/(backend)/middleware/auth/index.ts

@@ -92,7 +92,6 @@ export const checkAuth =
 
       if (!isUseOidcAuth)
         checkAuthMethod({
-          accessCode: jwtPayload.accessCode,
           apiKey: jwtPayload.apiKey,
           betterAuthAuthorized,
           clerkAuth,

package/src/app/(backend)/middleware/auth/utils.test.ts

@@ -1,8 +1,6 @@
 import { type AuthObject } from '@clerk/backend';
 import { beforeEach, describe, expect, it, vi } from 'vitest';
 
-import { getAppConfig } from '@/envs/app';
-
 import { checkAuthMethod } from './utils';
 
 let enableClerkMock = false;
@@ -26,15 +24,9 @@ vi.mock('@/const/auth', async (importOriginal) => {
   };
 });
 
-vi.mock('@/envs/app', () => ({
-  getAppConfig: vi.fn(),
-}));
-
 describe('checkAuthMethod', () => {
   beforeEach(() => {
-    vi.mocked(getAppConfig).mockReturnValue({
-      ACCESS_CODES: ['validAccessCode'],
-    } as any);
+    vi.clearAllMocks();
   });
 
   it('should pass with valid Clerk auth', () => {
@@ -91,39 +83,7 @@ describe('checkAuthMethod', () => {
     ).not.toThrow();
   });
 
-  it('should pass with no access code required', () => {
-    vi.mocked(getAppConfig).mockReturnValueOnce({
-      ACCESS_CODES: [],
-    } as any);
-
+  it('should pass with no auth params', () => {
     expect(() => checkAuthMethod({})).not.toThrow();
   });
-
-  it('should pass with valid access code', () => {
-    expect(() =>
-      checkAuthMethod({
-        accessCode: 'validAccessCode',
-      }),
-    ).not.toThrow();
-  });
-
-  it('should throw error with invalid access code', () => {
-    try {
-      checkAuthMethod({
-        accessCode: 'invalidAccessCode',
-      });
-    } catch (e) {
-      expect(e).toEqual({
-        errorType: 'InvalidAccessCode',
-      });
-    }
-
-    try {
-      checkAuthMethod({});
-    } catch (e) {
-      expect(e).toEqual({
-        errorType: 'InvalidAccessCode',
-      });
-    }
-  });
 });

package/src/app/(backend)/middleware/auth/utils.ts

@@ -3,28 +3,25 @@ import { AgentRuntimeError } from '@lobechat/model-runtime';
 import { ChatErrorType } from '@lobechat/types';
 
 import { enableBetterAuth, enableClerk, enableNextAuth } from '@/const/auth';
-import { getAppConfig } from '@/envs/app';
 
 interface CheckAuthParams {
-  accessCode?: string;
   apiKey?: string;
   betterAuthAuthorized?: boolean;
   clerkAuth?: AuthObject;
   nextAuthAuthorized?: boolean;
 }
 /**
- * Check if the provided access code is valid, a user API key should be used or the OAuth 2 header is provided.
+ * Check if authentication is valid based on various auth methods.
  *
  * @param {CheckAuthParams} params - Authentication parameters extracted from headers.
- * @param {string} [params.accessCode] - The access code to check.
  * @param {string} [params.apiKey] - The user API key.
  * @param {boolean} [params.betterAuthAuthorized] - Whether the Better Auth session exists.
  * @param {AuthObject} [params.clerkAuth] - Clerk authentication payload from middleware.
  * @param {boolean} [params.nextAuthAuthorized] - Whether the OAuth 2 header is provided.
- * @throws {AgentRuntimeError} If the access code is invalid and no user API key is provided.
+ * @throws {AgentRuntimeError} If authentication fails.
  */
 export const checkAuthMethod = (params: CheckAuthParams) => {
-  const { apiKey, betterAuthAuthorized, nextAuthAuthorized, accessCode, clerkAuth } = params;
+  const { apiKey, betterAuthAuthorized, nextAuthAuthorized, clerkAuth } = params;
   // clerk auth handler
   if (enableClerk) {
     // if there is no userId, means the use is not login, just throw error
@@ -42,15 +39,4 @@ export const checkAuthMethod = (params: CheckAuthParams) => {
 
   // if apiKey exist
   if (apiKey) return;
-
-  const { ACCESS_CODES } = getAppConfig();
-
-  // if accessCode doesn't exist
-  if (!ACCESS_CODES.length) return;
-
-  if (!accessCode || !ACCESS_CODES.includes(accessCode)) {
-    // Avoid logging user-provided credentials (access code) for security reasons
-    console.warn('Invalid access code provided');
-    throw AgentRuntimeError.createError(ChatErrorType.InvalidAccessCode);
-  }
 };

package/src/app/(backend)/webapi/chat/[provider]/route.test.ts

@@ -62,7 +62,6 @@ describe('POST handler', () => {
 
       // 设置 getJWTPayload 和 initModelRuntimeWithUserPayload 的模拟返回值
       vi.mocked(getXorPayload).mockReturnValueOnce({
-        accessCode: 'test-access-code',
         apiKey: 'test-api-key',
         azureApiVersion: 'v1',
       });
@@ -105,7 +104,6 @@ describe('POST handler', () => {
       mockState.enableClerk = true;
 
       vi.mocked(getXorPayload).mockReturnValueOnce({
-        accessCode: 'test-access-code',
         apiKey: 'test-api-key',
         azureApiVersion: 'v1',
       });
@@ -133,7 +131,6 @@ describe('POST handler', () => {
       await POST(request, { params: mockParams });
 
       expect(checkAuthMethod).toBeCalledWith({
-        accessCode: 'test-access-code',
         apiKey: 'test-api-key',
         betterAuthAuthorized: false,
         clerkAuth: {},
@@ -163,7 +160,6 @@ describe('POST handler', () => {
   describe('chat', () => {
     it('should correctly handle chat completion with valid payload', async () => {
       vi.mocked(getXorPayload).mockReturnValueOnce({
-        accessCode: 'test-access-code',
         apiKey: 'test-api-key',
         azureApiVersion: 'v1',
         userId: 'abc',
@@ -193,7 +189,6 @@ describe('POST handler', () => {
     it('should return an error response when chat completion fails', async () => {
       // 设置 getJWTPayload 和 initAgentRuntimeWithUserPayload 的模拟返回值
       vi.mocked(getXorPayload).mockReturnValueOnce({
-        accessCode: 'test-access-code',
         apiKey: 'test-api-key',
         azureApiVersion: 'v1',
       });

package/src/app/(backend)/webapi/models/[provider]/route.test.ts

@@ -41,7 +41,6 @@ describe('GET handler', () => {
       const mockParams = Promise.resolve({ provider: 'google' });
 
       vi.mocked(getXorPayload).mockReturnValueOnce({
-        accessCode: 'test-access-code',
         apiKey: 'test-api-key',
       });
 
@@ -73,7 +72,6 @@ describe('GET handler', () => {
       const mockParams = Promise.resolve({ provider: 'google' });
 
       vi.mocked(getXorPayload).mockReturnValueOnce({
-        accessCode: 'test-access-code',
         apiKey: 'test-api-key',
       });
 
@@ -103,7 +101,6 @@ describe('GET handler', () => {
       const mockParams = Promise.resolve({ provider: 'google' });
 
       vi.mocked(getXorPayload).mockReturnValueOnce({
-        accessCode: 'test-access-code',
         apiKey: 'test-api-key',
       });
 
@@ -128,7 +125,6 @@ describe('GET handler', () => {
       const mockParams = Promise.resolve({ provider: 'google' });
 
       vi.mocked(getXorPayload).mockReturnValueOnce({
-        accessCode: 'test-access-code',
         apiKey: 'test-api-key',
       });
 
@@ -145,7 +141,6 @@ describe('GET handler', () => {
       const mockParams = Promise.resolve({ provider: 'openai' });
 
       vi.mocked(getXorPayload).mockReturnValueOnce({
-        accessCode: 'test-access-code',
         apiKey: 'test-api-key',
       });
 
@@ -165,7 +160,6 @@ describe('GET handler', () => {
       const mockParams = Promise.resolve({ provider: 'openai' });
 
       vi.mocked(getXorPayload).mockReturnValueOnce({
-        accessCode: 'test-access-code',
         apiKey: 'test-api-key',
       });
 

package/src/app/(backend)/webapi/plugin/gateway/route.ts

@@ -1,36 +1,15 @@
 import { AgentRuntimeError } from '@lobechat/model-runtime';
-import { ChatErrorType, type ErrorType, TraceNameMap } from '@lobechat/types';
-import { getXorPayload } from '@lobechat/utils/server';
+import { ChatErrorType, TraceNameMap } from '@lobechat/types';
 import type { PluginRequestPayload } from '@lobehub/chat-plugin-sdk';
 import { createGatewayOnEdgeRuntime } from '@lobehub/chat-plugins-gateway';
 
-import { LOBE_CHAT_AUTH_HEADER, OAUTH_AUTHORIZED, enableNextAuth } from '@/const/auth';
+import { LOBE_CHAT_AUTH_HEADER } from '@/const/auth';
 import { LOBE_CHAT_TRACE_ID } from '@/const/trace';
 import { getAppConfig } from '@/envs/app';
 import { TraceClient } from '@/libs/traces';
 import { parserPluginSettings } from '@/server/services/pluginGateway/settings';
-import { createErrorResponse } from '@/utils/errorResponse';
 import { getTracePayload } from '@/utils/trace';
 
-const checkAuth = (accessCode: string | null, oauthAuthorized: boolean | null) => {
-  const { ACCESS_CODES, PLUGIN_SETTINGS } = getAppConfig();
-
-  // if there is no plugin settings, just skip the auth
-  if (!PLUGIN_SETTINGS) return { auth: true };
-
-  // If authorized by oauth
-  if (oauthAuthorized && enableNextAuth) return { auth: true };
-
-  // if accessCode doesn't exist
-  if (!ACCESS_CODES.length) return { auth: true };
-
-  if (!accessCode || !ACCESS_CODES.includes(accessCode)) {
-    return { auth: false, error: ChatErrorType.InvalidAccessCode };
-  }
-
-  return { auth: true };
-};
-
 const { PLUGINS_INDEX_URL: pluginsIndexUrl, PLUGIN_SETTINGS } = getAppConfig();
 
 const defaultPluginSettings = parserPluginSettings(PLUGIN_SETTINGS);
@@ -42,15 +21,6 @@ export const POST = async (req: Request) => {
   const authorization = req.headers.get(LOBE_CHAT_AUTH_HEADER);
   if (!authorization) throw AgentRuntimeError.createError(ChatErrorType.Unauthorized);
 
-  const oauthAuthorized = !!req.headers.get(OAUTH_AUTHORIZED);
-  const payload = getXorPayload(authorization);
-
-  const result = checkAuth(payload.accessCode!, oauthAuthorized);
-
-  if (!result.auth) {
-    return createErrorResponse(result.error as ErrorType);
-  }
-
   // TODO: need to be replace by better telemetry system
   // add trace
   const tracePayload = getTracePayload(req);

package/src/app/[variants]/(main)/settings/common/features/Common/Common.tsx

@@ -1,6 +1,6 @@
 'use client';
 
-import { Form, type FormGroupItemType, Icon, ImageSelect, InputPassword } from '@lobehub/ui';
+import { Form, type FormGroupItemType, Icon, ImageSelect } from '@lobehub/ui';
 import { Select, Skeleton } from '@lobehub/ui';
 import { Segmented, Switch } from 'antd';
 import isEqual from 'fast-deep-equal';
@@ -14,8 +14,6 @@ import { isDesktop } from '@/const/version';
 import { localeOptions } from '@/locales/resources';
 import { useGlobalStore } from '@/store/global';
 import { systemStatusSelectors } from '@/store/global/selectors';
-import { useServerConfigStore } from '@/store/serverConfig';
-import { serverConfigSelectors } from '@/store/serverConfig/selectors';
 import { useUserStore } from '@/store/user';
 import { settingsSelectors } from '@/store/user/selectors';
 import { type LocaleMode } from '@/types/locale';
@@ -23,7 +21,6 @@ import { type LocaleMode } from '@/types/locale';
 const Common = memo(() => {
   const { t } = useTranslation('setting');
 
-  const showAccessCodeConfig = useServerConfigStore(serverConfigSelectors.enabledAccessCode);
   const general = useUserStore((s) => settingsSelectors.currentSettings(s).general, isEqual);
   const themeMode = useGlobalStore(systemStatusSelectors.themeMode);
   const language = useGlobalStore(systemStatusSelectors.language);
@@ -137,18 +134,6 @@ const Common = memo(() => {
         name: 'contextMenuMode',
       },
 
-      {
-        children: (
-          <InputPassword
-            autoComplete={'new-password'}
-            placeholder={t('settingSystem.accessCode.placeholder')}
-          />
-        ),
-        desc: t('settingSystem.accessCode.desc'),
-        hidden: !showAccessCodeConfig,
-        label: t('settingSystem.accessCode.title'),
-        name: 'password',
-      },
       {
         children: (
           <Select

package/src/locales/default/setting.ts

@@ -442,9 +442,6 @@ export default {
   'settingOpening.openingQuestions.title': 'Opening Questions',
   'settingOpening.title': 'Opening Settings',
   'settingPlugin.title': 'Skill List',
-  'settingSystem.accessCode.desc': 'Encryption access is enabled by the administrator',
-  'settingSystem.accessCode.placeholder': 'Enter access password',
-  'settingSystem.accessCode.title': 'Access Password',
   'settingSystem.oauth.info.desc': 'Logged in',
   'settingSystem.oauth.info.title': 'Account Information',
   'settingSystem.oauth.signin.action': 'Sign In',