Update app.py

app.py

@@ -10,18 +10,20 @@
   - /v1/reset-run
   - /health
 - 将原来的命令行/TTY 登录改为网页管理页：
-  - /                 管理页（需先通过管理密码）
-  - /admin/gate       管理页登录页
+  - /                 管理页（使用浏览器 Basic Auth 门禁）
   - /admin/login/start
   - /admin/login/status
-  - /admin/logout
 - 适配 Hugging Face Spaces：
   - 读取 PORT 环境变量
   - 凭据优先保存到 /data（若已开通持久化存储）
-  - 可通过 Secrets 传入 API_KEY / ADMIN_PASSWORD / ACCOUNTS_JSON
+  - 可通过 Secrets 传入 API_KEY / ADMIN_PASSWORD / ADMIN_USERNAME / ACCOUNTS_JSON
+- 管理页门禁：
+  - 使用浏览器原生 HTTP Basic Auth
+  - 不使用 cookie，不需要单独登录页
 """
 
 import asyncio
+import base64
 import json
 import os
 import platform
@@ -46,15 +48,12 @@ PORT = int(os.environ.get("PORT", "7860"))
 HOST = os.environ.get("HOST", "0.0.0.0")
 POLL_INTERVAL_S = int(os.environ.get("POLL_INTERVAL_S", "5"))
 TIMEOUT_S = int(os.environ.get("TIMEOUT_S", "300"))
-COOKIE_SECURE = os.environ.get("COOKIE_SECURE", "1") != "0"
 
 # /v1/* 访问鉴权（Bearer）
 PROXY_API_KEY = os.environ.get("API_KEY", "")
-# 管理后台鉴权（网页登录 + Cookie）
+# 管理后台鉴权（浏览器 Basic Auth）
+ADMIN_USERNAME = os.environ.get("ADMIN_USERNAME", "admin")
 ADMIN_PASSWORD = os.environ.get("ADMIN_PASSWORD", "")
-ADMIN_COOKIE_NAME = "freebuff_admin_auth"
-ADMIN_COOKIE_VALUE = "ok"
-ADMIN_COOKIE_MAX_AGE = 86400 * 7
 
 MODEL_TO_AGENT = {
     "minimax/minimax-m2.7": "base2-free",
@@ -547,25 +546,30 @@ async def auth_middleware(request: web.Request, handler):
     return await handler(request)
 
 
-def is_admin_authed(request: web.Request) -> bool:
-    if not ADMIN_PASSWORD:
-        return True
-    return request.cookies.get(ADMIN_COOKIE_NAME) == ADMIN_COOKIE_VALUE
-
 
-def get_supplied_admin_password(request: web.Request) -> str:
-    return request.headers.get("X-Admin-Password") or request.query.get("password") or ""
+def parse_basic_auth(request: web.Request) -> Tuple[Optional[str], Optional[str]]:
+    auth = request.headers.get("Authorization", "")
+    if not auth.startswith("Basic "):
+        return None, None
+    try:
+        decoded = base64.b64decode(auth[6:]).decode("utf-8")
+        username, password = decoded.split(":", 1)
+        return username, password
+    except Exception:
+        return None, None
 
 
 def require_admin(request: web.Request) -> Optional[web.Response]:
     if not ADMIN_PASSWORD:
         return None
-    if is_admin_authed(request):
-        return None
-    supplied = get_supplied_admin_password(request)
-    if supplied == ADMIN_PASSWORD:
+
+    username, password = parse_basic_auth(request)
+    if username == ADMIN_USERNAME and password == ADMIN_PASSWORD:
         return None
-    return web.json_response({"error": {"message": "Admin password required"}}, status=401)
+
+    resp = web.Response(text="Authentication required", status=401)
+    resp.headers["WWW-Authenticate"] = 'Basic realm="Freebuff Admin"'
+    return resp
 
 
 # ============ Responses API 辅助函数 ============
@@ -931,6 +935,9 @@ async def handle_models(request: web.Request) -> web.Response:
 
 
 async def handle_reset_run(request: web.Request) -> web.Response:
+    denied = require_admin(request)
+    if denied:
+        return denied
     run_cache.clear()
     log("Agent Run 缓存已清除")
     return web.json_response({"status": "cleared"})
@@ -971,96 +978,11 @@ async def handle_health(request: web.Request) -> web.Response:
     })
 
 
-async def handle_admin_gate(request: web.Request) -> web.Response:
-    if is_admin_authed(request):
-        raise web.HTTPFound("/")
-
-    html = """<!doctype html>
-<html lang="zh-CN">
-<head>
-  <meta charset="utf-8" />
-  <meta name="viewport" content="width=device-width, initial-scale=1" />
-  <title>Admin Login</title>
-  <style>
-    body { font-family: -apple-system, BlinkMacSystemFont, Segoe UI, sans-serif; margin: 0; background: #0b1020; color: #e8eefc; display:flex; min-height:100vh; align-items:center; justify-content:center; }
-    .card { width: min(460px, 92vw); background: #141b34; border: 1px solid #2a355e; border-radius: 16px; padding: 22px; }
-    input, button { width:100%; box-sizing:border-box; border-radius:12px; border:1px solid #3a4b80; background:#0d1430; color:#fff; padding:12px; margin-top:12px; }
-    button { background:#3451ff; border:none; font-weight:700; cursor:pointer; }
-    .muted { color:#9fb0dd; }
-    .err { color:#ff9c9c; margin-top:10px; }
-    code { background:#091024; padding:2px 6px; border-radius:8px; }
-  </style>
-</head>
-<body>
-  <form class="card" method="post" action="/admin/gate">
-    <h1>管理页登录</h1>
-    <p class="muted">请输入 <code>ADMIN_PASSWORD</code>，验证通过后才会进入管理页面。</p>
-    <input type="password" name="password" placeholder="ADMIN_PASSWORD" autofocus />
-    <button type="submit">进入管理页</button>
-  </form>
-</body>
-</html>"""
-    return web.Response(text=html, content_type="text/html")
-
-
-async def handle_admin_gate_post(request: web.Request) -> web.Response:
-    if not ADMIN_PASSWORD:
-        raise web.HTTPFound("/")
-
-    data = await request.post()
-    supplied = str(data.get("password", ""))
-
-    if supplied != ADMIN_PASSWORD:
-        html = """<!doctype html>
-<html lang="zh-CN">
-<head>
-  <meta charset="utf-8" />
-  <meta name="viewport" content="width=device-width, initial-scale=1" />
-  <title>Admin Login</title>
-  <style>
-    body { font-family: -apple-system, BlinkMacSystemFont, Segoe UI, sans-serif; margin: 0; background: #0b1020; color: #e8eefc; display:flex; min-height:100vh; align-items:center; justify-content:center; }
-    .card { width: min(460px, 92vw); background: #141b34; border: 1px solid #2a355e; border-radius: 16px; padding: 22px; }
-    input, button { width:100%; box-sizing:border-box; border-radius:12px; border:1px solid #3a4b80; background:#0d1430; color:#fff; padding:12px; margin-top:12px; }
-    button { background:#3451ff; border:none; font-weight:700; cursor:pointer; }
-    .muted { color:#9fb0dd; }
-    .err { color:#ff9c9c; margin-top:10px; }
-    code { background:#091024; padding:2px 6px; border-radius:8px; }
-  </style>
-</head>
-<body>
-  <form class="card" method="post" action="/admin/gate">
-    <h1>管理页登录</h1>
-    <p class="muted">请输入 <code>ADMIN_PASSWORD</code>，验证通过后才会进入管理页面。</p>
-    <input type="password" name="password" placeholder="ADMIN_PASSWORD" autofocus />
-    <button type="submit">进入管理页</button>
-    <div class="err">密码错误</div>
-  </form>
-</body>
-</html>"""
-        return web.Response(text=html, content_type="text/html", status=401)
-
-    resp = web.HTTPFound("/")
-    resp.set_cookie(
-        ADMIN_COOKIE_NAME,
-        ADMIN_COOKIE_VALUE,
-        max_age=ADMIN_COOKIE_MAX_AGE,
-        httponly=True,
-        samesite="Lax",
-        secure=COOKIE_SECURE,
-        path="/",
-    )
-    raise resp
-
-
-async def handle_admin_logout(request: web.Request) -> web.Response:
-    resp = web.HTTPFound("/admin/gate")
-    resp.del_cookie(ADMIN_COOKIE_NAME, path="/")
-    raise resp
-
 
 async def handle_root(request: web.Request) -> web.Response:
-    if ADMIN_PASSWORD and not is_admin_authed(request):
-        raise web.HTTPFound("/admin/gate")
+    denied = require_admin(request)
+    if denied:
+        return denied
 
     html = f"""<!doctype html>
 <html lang="zh-CN">
@@ -1073,7 +995,7 @@ async def handle_root(request: web.Request) -> web.Response:
     .wrap {{ max-width: 1100px; margin: 0 auto; padding: 28px; }}
     .card {{ background: #141b34; border: 1px solid #2a355e; border-radius: 16px; padding: 18px; margin-bottom: 18px; }}
     .row {{ display: grid; grid-template-columns: repeat(auto-fit, minmax(240px, 1fr)); gap: 12px; }}
-    input, button, textarea {{ width: 100%; box-sizing: border-box; border-radius: 12px; border: 1px solid #3a4b80; background: #0d1430; color: #fff; padding: 12px; }}
+    button, textarea {{ width: 100%; box-sizing: border-box; border-radius: 12px; border: 1px solid #3a4b80; background: #0d1430; color: #fff; padding: 12px; }}
     button {{ cursor: pointer; background: #3451ff; border: none; font-weight: 700; }}
     button.secondary {{ background: #273053; }}
     a {{ color: #94c7ff; }}
@@ -1086,7 +1008,7 @@ async def handle_root(request: web.Request) -> web.Response:
   <div class="wrap">
     <div class="card">
       <h1>Freebuff OpenAI Proxy · Hugging Face Space</h1>
-      <p class="muted">保留原脚本的 OpenAI 兼容接口、Responses API、账号池轮询、Run 缓存、健康检查与重置能力，并把登录迁移到网页管理页。</p>
+      <p class="muted">当前管理页使用浏览器原生 <code>HTTP Basic Auth</code> 门禁。设置了 <code>ADMIN_PASSWORD</code> 后，访问页面或管理接口时会先弹出浏览器用户名/密码框，不再使用 cookie。</p>
       <div class="row">
         <div>
           <strong>聊天接口</strong>
@@ -1109,9 +1031,9 @@ async def handle_root(request: web.Request) -> web.Response:
         <div><button onclick="startLogin()">1. 发起网页登录</button></div>
         <div><button class="secondary" onclick="checkLogin()">2. 检查登录状态</button></div>
         <div><button class="secondary" onclick="refreshHealth()">刷新状态</button></div>
-        <div><button class="secondary" onclick="logout()">退出管理页</button></div>
       </div>
       <p class="muted">登录后账号会写入凭据文件。若 Space 挂载了持久化存储，会写入 <code>/data/manicode/credentials.json</code>。</p>
+      <p class="muted">管理页账号默认用户名是 <code>{ADMIN_USERNAME}</code>，密码来自 <code>ADMIN_PASSWORD</code>。</p>
       <pre id="loginBox">尚未发起登录。</pre>
     </div>
 
@@ -1126,31 +1048,29 @@ let currentLoginId = localStorage.getItem('loginId') || '';
 const loginBox = document.getElementById('loginBox');
 const healthBox = document.getElementById('healthBox');
 
-function adminHeaders() {{
-  return {{ 'Content-Type': 'application/json' }};
-}}
-
 async function refreshHealth() {{
-  const res = await fetch('/health', {{ credentials: 'same-origin' }});
-  if (res.status === 401) {{
-    window.location.href = '/admin/gate';
-    return;
+  const res = await fetch('/health');
+  const raw = await res.text();
+  try {{
+    const data = JSON.parse(raw);
+    healthBox.textContent = JSON.stringify(data, null, 2);
+  }} catch (e) {{
+    healthBox.textContent = raw;
   }}
-  const data = await res.json();
-  healthBox.textContent = JSON.stringify(data, null, 2);
 }}
 
 async function startLogin() {{
-  const res = await fetch('/admin/login/start', {{ method: 'POST', headers: adminHeaders(), credentials: 'same-origin' }});
-  const data = await res.json();
+  const res = await fetch('/admin/login/start', {{ method: 'POST' }});
+  const raw = await res.text();
+  let data = null;
+  try {{ data = JSON.parse(raw); }} catch (e) {{}}
   if (!res.ok) {{
-    loginBox.textContent = JSON.stringify(data, null, 2);
-    if (res.status === 401) window.location.href = '/admin/gate';
+    loginBox.textContent = data ? JSON.stringify(data, null, 2) : raw;
     return;
   }}
   currentLoginId = data.loginId;
   localStorage.setItem('loginId', currentLoginId);
-  loginBox.innerHTML = `请在新标签页完成授权：\n\n${{JSON.stringify(data, null, 2)}}\n\n打开登录链接：\n${{data.loginUrl}}`;
+  loginBox.textContent = JSON.stringify(data, null, 2) + "\n\n打开登录链接：\n" + data.loginUrl;
   window.open(data.loginUrl, '_blank');
 }}
 
@@ -1160,20 +1080,17 @@ async function checkLogin() {{
     return;
   }}
   const url = '/admin/login/status?loginId=' + encodeURIComponent(currentLoginId);
-  const res = await fetch(url, {{ headers: adminHeaders(), credentials: 'same-origin' }});
-  const data = await res.json();
-  loginBox.textContent = JSON.stringify(data, null, 2);
-  if (res.status === 401) {{
-    window.location.href = '/admin/gate';
-    return;
+  const res = await fetch(url);
+  const raw = await res.text();
+  try {{
+    const data = JSON.parse(raw);
+    loginBox.textContent = JSON.stringify(data, null, 2);
+  }} catch (e) {{
+    loginBox.textContent = raw;
   }}
   await refreshHealth();
 }}
 
-function logout() {{
-  window.location.href = '/admin/logout';
-}}
-
 refreshHealth();
 </script>
 </body>
@@ -1257,9 +1174,6 @@ def create_app() -> web.Application:
     app.on_cleanup.append(on_cleanup)
 
     app.router.add_get("/", handle_root)
-    app.router.add_get("/admin/gate", handle_admin_gate)
-    app.router.add_post("/admin/gate", handle_admin_gate_post)
-    app.router.add_get("/admin/logout", handle_admin_logout)
     app.router.add_get("/health", handle_health)
     app.router.add_post("/v1/chat/completions", handle_chat_completion)
     app.router.add_post("/v1/responses", handle_responses)