From 5020e58b7ea3225ec98502d545e262e2b7b6a04f Mon Sep 17 00:00:00 2001 From: Huarch Date: Sun, 7 Jun 2026 17:15:40 +0800 Subject: [PATCH] feat(auth): validate agent requests --- src/auth/agentAuth.ts | 60 +++++++++++++++++++++++++++++++++++++++++++ src/config.ts | 2 ++ src/server.ts | 2 ++ 3 files changed, 64 insertions(+) create mode 100644 src/auth/agentAuth.ts diff --git a/src/auth/agentAuth.ts b/src/auth/agentAuth.ts new file mode 100644 index 0000000..43821a0 --- /dev/null +++ b/src/auth/agentAuth.ts @@ -0,0 +1,60 @@ +import type { NextFunction, Request, Response } from "express"; + +import { config } from "../config.js"; +import { logger } from "../logger.js"; + +export const extractBearerToken = (authorization?: string) => { + const value = authorization?.trim(); + if (!value) { + return ""; + } + return value.replace(/^Bearer\s+/i, "").trim(); +}; + +// Agent API 复用 TJWater 后端的登录态:每个请求都向 /auth/me 校验 Bearer token, +// 成功后才允许进入会话路由,避免 Agent 服务维护第二套用户体系。 +export const requireAgentAuth = async ( + req: Request, + res: Response, + next: NextFunction, +) => { + const token = extractBearerToken(req.header("authorization")); + if (!token) { + res.status(401).json({ message: "authorization token is required" }); + return; + } + + const controller = new AbortController(); + const timer = setTimeout(() => controller.abort(), config.AGENT_AUTH_TIMEOUT_MS); + + try { + const response = await fetch(new URL("/api/v1/auth/me", config.TJWATER_API_BASE_URL), { + method: "GET", + headers: { + Accept: "application/json", + Authorization: `Bearer ${token}`, + }, + signal: controller.signal, + }); + + if (response.ok) { + next(); + return; + } + + const detail = await response.text(); + res.status(response.status === 403 ? 403 : 401).json({ + message: response.status === 403 ? "forbidden" : "unauthorized", + detail: detail || undefined, + }); + } catch (error) { + const detail = error instanceof Error ? error.message : String(error); + logger.warn({ err: error }, "agent auth validation failed"); + res.status(503).json({ + message: "authentication service unavailable", + detail, + }); + } finally { + clearTimeout(timer); + } +}; diff --git a/src/config.ts b/src/config.ts index d91fa91..f5c860b 100644 --- a/src/config.ts +++ b/src/config.ts @@ -33,6 +33,8 @@ const envSchema = z .default("./logs/llm-request-audit.log"), // 内部工具桥调用本服务时使用的鉴权 token;未显式配置时启动阶段会自动生成。 AGENT_INTERNAL_TOKEN: optionalString(), + // Agent 前置认证调用后端 /api/v1/auth/me 的超时时间(毫秒)。 + AGENT_AUTH_TIMEOUT_MS: z.coerce.number().int().positive().default(5000), // opencode 运行模式:embedded 会启动本地 CLI 子进程;client 只连接现有 server。 OPENCODE_MODE: z.enum(["embedded", "client"]).default("embedded"), // embedded opencode server 的监听地址。 diff --git a/src/server.ts b/src/server.ts index f67696e..bf1b6a0 100644 --- a/src/server.ts +++ b/src/server.ts @@ -3,6 +3,7 @@ import { spawn } from "node:child_process"; import cors from "cors"; import express from "express"; +import { requireAgentAuth } from "./auth/agentAuth.js"; import { SessionTranscriptStore } from "./sessions/transcriptStore.js"; import { ChatSessionBridge } from "./chat/sessionBridge.js"; import { config } from "./config.js"; @@ -252,6 +253,7 @@ app.post("/internal/tools/session-search", async (req, res) => { app.use( "/api/v1/agent/chat", + requireAgentAuth, buildChatRouter( sessionBridge, opencodeRuntime,