2025-12-18 13:50:39 +08:00
|
|
|
|
package middleware
|
|
|
|
|
|
|
|
|
|
|
|
import (
|
2026-01-09 23:01:42 +08:00
|
|
|
|
"context"
|
2025-12-18 13:50:39 +08:00
|
|
|
|
"errors"
|
|
|
|
|
|
"strings"
|
|
|
|
|
|
|
2025-12-29 03:17:25 +08:00
|
|
|
|
"github.com/Wei-Shaw/sub2api/internal/config"
|
2026-01-09 23:01:42 +08:00
|
|
|
|
"github.com/Wei-Shaw/sub2api/internal/pkg/ctxkey"
|
2026-01-09 21:59:32 +08:00
|
|
|
|
"github.com/Wei-Shaw/sub2api/internal/pkg/ip"
|
2025-12-26 10:42:08 +08:00
|
|
|
|
"github.com/Wei-Shaw/sub2api/internal/service"
|
|
|
|
|
|
|
2025-12-18 13:50:39 +08:00
|
|
|
|
"github.com/gin-gonic/gin"
|
|
|
|
|
|
)
|
|
|
|
|
|
|
2026-01-04 19:27:53 +08:00
|
|
|
|
// NewAPIKeyAuthMiddleware 创建 API Key 认证中间件
|
|
|
|
|
|
func NewAPIKeyAuthMiddleware(apiKeyService *service.APIKeyService, subscriptionService *service.SubscriptionService, cfg *config.Config) APIKeyAuthMiddleware {
|
|
|
|
|
|
return APIKeyAuthMiddleware(apiKeyAuthWithSubscription(apiKeyService, subscriptionService, cfg))
|
2025-12-18 13:50:39 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2025-12-26 10:42:08 +08:00
|
|
|
|
// apiKeyAuthWithSubscription API Key认证中间件(支持订阅验证)
|
2026-03-03 20:58:00 +08:00
|
|
|
|
//
|
|
|
|
|
|
// 中间件职责分为两层:
|
|
|
|
|
|
// - 鉴权(Authentication):验证 Key 有效性、用户状态、IP 限制 —— 始终执行
|
|
|
|
|
|
// - 计费执行(Billing Enforcement):过期/配额/订阅/余额检查 —— skipBilling 时整块跳过
|
|
|
|
|
|
//
|
|
|
|
|
|
// /v1/usage 端点只需鉴权,不需要计费执行(允许过期/配额耗尽的 Key 查询自身用量)。
|
2026-01-04 19:27:53 +08:00
|
|
|
|
func apiKeyAuthWithSubscription(apiKeyService *service.APIKeyService, subscriptionService *service.SubscriptionService, cfg *config.Config) gin.HandlerFunc {
|
2025-12-18 13:50:39 +08:00
|
|
|
|
return func(c *gin.Context) {
|
2026-03-03 20:58:00 +08:00
|
|
|
|
// ── 1. 提取 API Key ──────────────────────────────────────────
|
|
|
|
|
|
|
2026-01-02 17:40:57 +08:00
|
|
|
|
queryKey := strings.TrimSpace(c.Query("key"))
|
|
|
|
|
|
queryApiKey := strings.TrimSpace(c.Query("api_key"))
|
|
|
|
|
|
if queryKey != "" || queryApiKey != "" {
|
|
|
|
|
|
AbortWithError(c, 400, "api_key_in_query_deprecated", "API key in query parameter is deprecated. Please use Authorization header instead.")
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-12-18 13:50:39 +08:00
|
|
|
|
// 尝试从Authorization header中提取API key (Bearer scheme)
|
|
|
|
|
|
authHeader := c.GetHeader("Authorization")
|
|
|
|
|
|
var apiKeyString string
|
|
|
|
|
|
|
|
|
|
|
|
if authHeader != "" {
|
|
|
|
|
|
// 验证Bearer scheme
|
|
|
|
|
|
parts := strings.SplitN(authHeader, " ", 2)
|
2026-02-10 00:37:47 +08:00
|
|
|
|
if len(parts) == 2 && strings.EqualFold(parts[0], "Bearer") {
|
|
|
|
|
|
apiKeyString = strings.TrimSpace(parts[1])
|
2025-12-18 13:50:39 +08:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 如果Authorization header中没有,尝试从x-api-key header中提取
|
|
|
|
|
|
if apiKeyString == "" {
|
|
|
|
|
|
apiKeyString = c.GetHeader("x-api-key")
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-12-25 21:24:28 -08:00
|
|
|
|
// 如果x-api-key header中没有,尝试从x-goog-api-key header中提取(Gemini CLI兼容)
|
2025-12-18 13:50:39 +08:00
|
|
|
|
if apiKeyString == "" {
|
2025-12-25 21:24:28 -08:00
|
|
|
|
apiKeyString = c.GetHeader("x-goog-api-key")
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 如果所有header都没有API key
|
|
|
|
|
|
if apiKeyString == "" {
|
2026-01-02 17:40:57 +08:00
|
|
|
|
AbortWithError(c, 401, "API_KEY_REQUIRED", "API key is required in Authorization header (Bearer scheme), x-api-key header, or x-goog-api-key header")
|
2025-12-18 13:50:39 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-03 20:58:00 +08:00
|
|
|
|
// ── 2. 验证 Key 存在 ─────────────────────────────────────────
|
|
|
|
|
|
|
2025-12-26 10:42:08 +08:00
|
|
|
|
apiKey, err := apiKeyService.GetByKey(c.Request.Context(), apiKeyString)
|
2025-12-18 13:50:39 +08:00
|
|
|
|
if err != nil {
|
2026-01-04 19:27:53 +08:00
|
|
|
|
if errors.Is(err, service.ErrAPIKeyNotFound) {
|
2025-12-18 13:50:39 +08:00
|
|
|
|
AbortWithError(c, 401, "INVALID_API_KEY", "Invalid API key")
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
AbortWithError(c, 500, "INTERNAL_ERROR", "Failed to validate API key")
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-03 20:58:00 +08:00
|
|
|
|
// ── 3. 基础鉴权(始终执行) ─────────────────────────────────
|
2026-02-03 19:01:49 +08:00
|
|
|
|
|
2026-03-03 20:58:00 +08:00
|
|
|
|
// disabled / 未知状态 → 无条件拦截(expired 和 quota_exhausted 留给计费阶段)
|
|
|
|
|
|
if !apiKey.IsActive() &&
|
|
|
|
|
|
apiKey.Status != service.StatusAPIKeyExpired &&
|
|
|
|
|
|
apiKey.Status != service.StatusAPIKeyQuotaExhausted {
|
|
|
|
|
|
AbortWithError(c, 401, "API_KEY_DISABLED", "API key is disabled")
|
2025-12-18 13:50:39 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-01-09 21:59:32 +08:00
|
|
|
|
// 检查 IP 限制(白名单/黑名单)
|
|
|
|
|
|
// 注意:错误信息故意模糊,避免暴露具体的 IP 限制机制
|
|
|
|
|
|
if len(apiKey.IPWhitelist) > 0 || len(apiKey.IPBlacklist) > 0 {
|
2026-02-14 11:23:10 +08:00
|
|
|
|
clientIP := ip.GetTrustedClientIP(c)
|
2026-02-28 15:01:20 +08:00
|
|
|
|
allowed, _ := ip.CheckIPRestrictionWithCompiledRules(clientIP, apiKey.CompiledIPWhitelist, apiKey.CompiledIPBlacklist)
|
2026-01-09 21:59:32 +08:00
|
|
|
|
if !allowed {
|
|
|
|
|
|
AbortWithError(c, 403, "ACCESS_DENIED", "Access denied")
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-12-18 13:50:39 +08:00
|
|
|
|
// 检查关联的用户
|
|
|
|
|
|
if apiKey.User == nil {
|
|
|
|
|
|
AbortWithError(c, 401, "USER_NOT_FOUND", "User associated with API key not found")
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 检查用户状态
|
|
|
|
|
|
if !apiKey.User.IsActive() {
|
|
|
|
|
|
AbortWithError(c, 401, "USER_INACTIVE", "User account is not active")
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-03 20:58:00 +08:00
|
|
|
|
// ── 4. SimpleMode → early return ─────────────────────────────
|
|
|
|
|
|
|
2025-12-29 03:17:25 +08:00
|
|
|
|
if cfg.RunMode == config.RunModeSimple {
|
2026-01-04 19:27:53 +08:00
|
|
|
|
c.Set(string(ContextKeyAPIKey), apiKey)
|
2025-12-29 03:17:25 +08:00
|
|
|
|
c.Set(string(ContextKeyUser), AuthSubject{
|
|
|
|
|
|
UserID: apiKey.User.ID,
|
|
|
|
|
|
Concurrency: apiKey.User.Concurrency,
|
|
|
|
|
|
})
|
|
|
|
|
|
c.Set(string(ContextKeyUserRole), apiKey.User.Role)
|
2026-01-09 23:01:42 +08:00
|
|
|
|
setGroupContext(c, apiKey.Group)
|
2026-02-22 22:07:17 +08:00
|
|
|
|
_ = apiKeyService.TouchLastUsed(c.Request.Context(), apiKey.ID)
|
2025-12-29 03:17:25 +08:00
|
|
|
|
c.Next()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-03 20:58:00 +08:00
|
|
|
|
// ── 5. 加载订阅(订阅模式时始终加载) ───────────────────────
|
|
|
|
|
|
|
|
|
|
|
|
// skipBilling: /v1/usage 只需鉴权,跳过所有计费执行
|
|
|
|
|
|
skipBilling := c.Request.URL.Path == "/v1/usage"
|
|
|
|
|
|
|
|
|
|
|
|
var subscription *service.UserSubscription
|
2025-12-18 13:50:39 +08:00
|
|
|
|
isSubscriptionType := apiKey.Group != nil && apiKey.Group.IsSubscriptionType()
|
|
|
|
|
|
|
|
|
|
|
|
if isSubscriptionType && subscriptionService != nil {
|
2026-03-03 20:58:00 +08:00
|
|
|
|
sub, subErr := subscriptionService.GetActiveSubscription(
|
2025-12-18 13:50:39 +08:00
|
|
|
|
c.Request.Context(),
|
|
|
|
|
|
apiKey.User.ID,
|
|
|
|
|
|
apiKey.Group.ID,
|
|
|
|
|
|
)
|
2026-03-03 20:58:00 +08:00
|
|
|
|
if subErr != nil {
|
|
|
|
|
|
if !skipBilling {
|
|
|
|
|
|
AbortWithError(c, 403, "SUBSCRIPTION_NOT_FOUND", "No active subscription found for this group")
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
// skipBilling: 订阅不存在也放行,handler 会返回可用的数据
|
|
|
|
|
|
} else {
|
|
|
|
|
|
subscription = sub
|
2025-12-18 13:50:39 +08:00
|
|
|
|
}
|
2026-03-03 20:58:00 +08:00
|
|
|
|
}
|
2025-12-18 13:50:39 +08:00
|
|
|
|
|
2026-03-03 20:58:00 +08:00
|
|
|
|
// ── 6. 计费执行(skipBilling 时整块跳过) ────────────────────
|
|
|
|
|
|
|
|
|
|
|
|
if !skipBilling {
|
|
|
|
|
|
// Key 状态检查
|
|
|
|
|
|
switch apiKey.Status {
|
|
|
|
|
|
case service.StatusAPIKeyQuotaExhausted:
|
|
|
|
|
|
AbortWithError(c, 429, "API_KEY_QUOTA_EXHAUSTED", "API key 额度已用完")
|
|
|
|
|
|
return
|
|
|
|
|
|
case service.StatusAPIKeyExpired:
|
|
|
|
|
|
AbortWithError(c, 403, "API_KEY_EXPIRED", "API key 已过期")
|
2025-12-18 13:50:39 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-03 20:58:00 +08:00
|
|
|
|
// 运行时过期/配额检查(即使状态是 active,也要检查时间和用量)
|
|
|
|
|
|
if apiKey.IsExpired() {
|
|
|
|
|
|
AbortWithError(c, 403, "API_KEY_EXPIRED", "API key 已过期")
|
|
|
|
|
|
return
|
2026-02-07 14:43:12 +08:00
|
|
|
|
}
|
2026-03-03 20:58:00 +08:00
|
|
|
|
if apiKey.IsQuotaExhausted() {
|
|
|
|
|
|
AbortWithError(c, 429, "API_KEY_QUOTA_EXHAUSTED", "API key 额度已用完")
|
2025-12-18 13:50:39 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
2026-03-03 20:58:00 +08:00
|
|
|
|
|
|
|
|
|
|
// 订阅模式:验证订阅限额
|
|
|
|
|
|
if subscription != nil {
|
|
|
|
|
|
needsMaintenance, validateErr := subscriptionService.ValidateAndCheckLimits(subscription, apiKey.Group)
|
|
|
|
|
|
if validateErr != nil {
|
|
|
|
|
|
code := "SUBSCRIPTION_INVALID"
|
|
|
|
|
|
status := 403
|
|
|
|
|
|
if errors.Is(validateErr, service.ErrDailyLimitExceeded) ||
|
|
|
|
|
|
errors.Is(validateErr, service.ErrWeeklyLimitExceeded) ||
|
|
|
|
|
|
errors.Is(validateErr, service.ErrMonthlyLimitExceeded) {
|
|
|
|
|
|
code = "USAGE_LIMIT_EXCEEDED"
|
|
|
|
|
|
status = 429
|
|
|
|
|
|
}
|
|
|
|
|
|
AbortWithError(c, status, code, validateErr.Error())
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 窗口维护异步化(不阻塞请求)
|
|
|
|
|
|
if needsMaintenance {
|
|
|
|
|
|
maintenanceCopy := *subscription
|
|
|
|
|
|
subscriptionService.DoWindowMaintenance(&maintenanceCopy)
|
|
|
|
|
|
}
|
|
|
|
|
|
} else {
|
|
|
|
|
|
// 非订阅模式 或 订阅模式但 subscriptionService 未注入:回退到余额检查
|
|
|
|
|
|
if apiKey.User.Balance <= 0 {
|
|
|
|
|
|
AbortWithError(c, 403, "INSUFFICIENT_BALANCE", "Insufficient account balance")
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2025-12-18 13:50:39 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-03 20:58:00 +08:00
|
|
|
|
// ── 7. 设置上下文 → Next ─────────────────────────────────────
|
|
|
|
|
|
|
|
|
|
|
|
if subscription != nil {
|
|
|
|
|
|
c.Set(string(ContextKeySubscription), subscription)
|
|
|
|
|
|
}
|
2026-01-04 19:27:53 +08:00
|
|
|
|
c.Set(string(ContextKeyAPIKey), apiKey)
|
2025-12-26 15:40:24 +08:00
|
|
|
|
c.Set(string(ContextKeyUser), AuthSubject{
|
|
|
|
|
|
UserID: apiKey.User.ID,
|
|
|
|
|
|
Concurrency: apiKey.User.Concurrency,
|
|
|
|
|
|
})
|
|
|
|
|
|
c.Set(string(ContextKeyUserRole), apiKey.User.Role)
|
2026-01-09 23:01:42 +08:00
|
|
|
|
setGroupContext(c, apiKey.Group)
|
2026-02-22 22:07:17 +08:00
|
|
|
|
_ = apiKeyService.TouchLastUsed(c.Request.Context(), apiKey.ID)
|
2025-12-18 13:50:39 +08:00
|
|
|
|
|
|
|
|
|
|
c.Next()
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-01-04 19:27:53 +08:00
|
|
|
|
// GetAPIKeyFromContext 从上下文中获取API key
|
|
|
|
|
|
func GetAPIKeyFromContext(c *gin.Context) (*service.APIKey, bool) {
|
|
|
|
|
|
value, exists := c.Get(string(ContextKeyAPIKey))
|
2025-12-18 13:50:39 +08:00
|
|
|
|
if !exists {
|
|
|
|
|
|
return nil, false
|
|
|
|
|
|
}
|
2026-01-04 19:27:53 +08:00
|
|
|
|
apiKey, ok := value.(*service.APIKey)
|
2025-12-18 13:50:39 +08:00
|
|
|
|
return apiKey, ok
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// GetSubscriptionFromContext 从上下文中获取订阅信息
|
2025-12-26 15:40:24 +08:00
|
|
|
|
func GetSubscriptionFromContext(c *gin.Context) (*service.UserSubscription, bool) {
|
2025-12-18 13:50:39 +08:00
|
|
|
|
value, exists := c.Get(string(ContextKeySubscription))
|
|
|
|
|
|
if !exists {
|
|
|
|
|
|
return nil, false
|
|
|
|
|
|
}
|
2025-12-26 15:40:24 +08:00
|
|
|
|
subscription, ok := value.(*service.UserSubscription)
|
2025-12-18 13:50:39 +08:00
|
|
|
|
return subscription, ok
|
|
|
|
|
|
}
|
2026-01-09 23:01:42 +08:00
|
|
|
|
|
|
|
|
|
|
func setGroupContext(c *gin.Context, group *service.Group) {
|
2026-01-10 07:56:50 +08:00
|
|
|
|
if !service.IsGroupContextValid(group) {
|
2026-01-09 23:01:42 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
2026-01-10 08:40:27 +08:00
|
|
|
|
if existing, ok := c.Request.Context().Value(ctxkey.Group).(*service.Group); ok && existing != nil && existing.ID == group.ID && service.IsGroupContextValid(existing) {
|
2026-01-09 23:01:42 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
ctx := context.WithValue(c.Request.Context(), ctxkey.Group, group)
|
|
|
|
|
|
c.Request = c.Request.WithContext(ctx)
|
|
|
|
|
|
}
|
