Upload 5 files

Dockerfile

@@ -11,6 +11,7 @@ ENV PATH=$HOME/.local/bin:$PATH
 # - build-essential, cmake: Required for compiling software like OpenClaw
 # - curl, wget, git: Basic tools for downloading and version control
 # - vim, nano: Text editors
+# - python3: For auth proxy
 RUN apt-get update && apt-get install -y \
     curl \
     wget \
@@ -24,6 +25,9 @@ RUN apt-get update && apt-get install -y \
     build-essential \
     cmake \
     pkg-config \
+    python3 \
+    python3-pip \
+    python3-venv \
     && apt-get clean && rm -rf /var/lib/apt/lists/*
 
 # Install ttyd (Web Terminal)
@@ -41,12 +45,29 @@ WORKDIR $HOME
 # Switch to the non-root user
 USER user
 
-# Copy startup script
+# Install Python dependencies for Auth Proxy
+# Using --break-system-packages because we are in a container environment
+RUN pip3 install --break-system-packages \
+    fastapi \
+    uvicorn[standard] \
+    httpx \
+    websockets \
+    authlib \
+    itsdangerous \
+    jinja2 \
+    python-multipart \
+    aiofiles
+
+# Copy Authentication Proxy files
+COPY --chown=user:user auth_proxy.py .
 COPY --chown=user:user start.sh .
+COPY --chown=user:user templates/ templates/
+
+# Make start script executable
 RUN chmod +x start.sh
 
 # Expose port 7860 (Standard for Hugging Face Spaces)
 EXPOSE 7860
 
-# Start ttyd via script
+# Start Auth Proxy (which starts ttyd)
 CMD ["./start.sh"]

README.md

@@ -14,7 +14,7 @@ license: mit
 
 此环境配置了 `sudo` 权限，方便你在运行时安装所需的软件（如 OpenClaw）。
 
-**新特性：已切换至稳定可靠的 HTTP Basic Auth 鉴权。**
+**新特性：支持 GitHub 与 Google 账号鉴权登录，增强安全性。**
 
 ## 🚀 快速开始
 
@@ -27,32 +27,49 @@ license: mit
 6. 点击 **Create Space**。
 
 ### 2. 上传文件
-将本仓库中的所有文件（`Dockerfile`, `README.md`, `start.sh`）上传到你的 Space 仓库中。
+将本仓库中的所有文件（包括 `Dockerfile`, `README.md`, `auth_proxy.py`, `start.sh`, `templates/` 目录）上传到你的 Space 仓库中。
 
 ### 3. 配置鉴权环境变量 (重要!)
-在 Space 的 **Settings** -> **Variables and secrets** 中添加以下环境变量，用于设置登录的用户名和密码。
-
-| 变量名 | 描述 | 默认值 |
-|--------|------|--------|
-| `TTYD_USER` | 登录用户名 | `admin` |
-| `TTYD_PASSWORD` | 登录密码 | `admin123456` |
-
-**⚠️ 警告**: 请务必修改默认密码，否则所有人都能访问你的 VPS！
+在 Space 的 **Settings** -> **Variables and secrets** 中添加以下环境变量。
+
+| 变量名 | 描述 | 示例 |
+|--------|------|------|
+| `ALLOWED_USERS` | **必填**。允许登录的 GitHub 用户名或 Google 邮箱，逗号分隔。 | `yourgithubuser,youremail@gmail.com` |
+| `AUTH_SECRET` | **必填**。用于加密 Session 的随机字符串。 | `randomstring123` |
+| `GITHUB_CLIENT_ID` | (可选) GitHub OAuth Client ID | `Ov23li...` |
+| `GITHUB_CLIENT_SECRET` | (可选) GitHub OAuth Client Secret | `a1b2c3...` |
+| `GOOGLE_CLIENT_ID` | (可选) Google OAuth Client ID | `123456...apps.googleusercontent.com` |
+| `GOOGLE_CLIENT_SECRET` | (可选) Google OAuth Client Secret | `GOCSPX-...` |
+
+**如何获取 OAuth Client ID/Secret:**
+
+*   **GitHub**:
+    1.  访问 [GitHub Developer Settings](https://github.com/settings/developers)。
+    2.  New OAuth App。
+    3.  **Homepage URL**: `https://<你的用户名>-<你的Space名>.hf.space` (例如 `https://user-my-vps.hf.space`)。
+    4.  **Authorization callback URL**: `https://<你的用户名>-<你的Space名>.hf.space/oauth2/callback`。
+    
+*   **Google (YouTube)**:
+    1.  访问 [Google Cloud Console](https://console.cloud.google.com/apis/credentials)。
+    2.  创建凭据 -> OAuth 客户端 ID -> Web 应用。
+    3.  **已获授权的 JavaScript 来源**: `https://<你的用户名>-<你的Space名>.hf.space`
+    4.  **已获授权的重定向 URI**: `https://<你的用户名>-<你的Space名>.hf.space/api/auth/callback`。
 
 ### 4. 访问 VPS
 配置好环境变量后，Space 会自动重启。
-点击 **App** 标签页，浏览器会弹出原生的登录对话框。输入你设置的用户名和密码即可进入终端。
+点击 **App** 标签页，你会看到一个登录界面。使用你的 GitHub 或 Google 账号登录即可进入终端。
 
 ## 🛠️ 功能特性
 - **基础系统**: Debian Bookworm Slim (轻量且兼容性好)。
 - **Root 权限**: 默认用户 `user` 拥有免密 `sudo` 权限。
-- **开发工具**: 预装 `git`, `curl`, `wget`, `vim`, `nano`, `build-essential`, `cmake`。
+- **开发工具**: 预装 `git`, `curl`, `wget`, `vim`, `nano`, `build-essential`, `cmake`, `python3`。
 - **Web 终端**: 使用 `ttyd` 提供流畅的浏览器终端体验。
-- **安全鉴权**: 采用 HTTP Basic Auth，简单稳定，拒绝未授权访问。
+- **安全鉴权**: 采用透明令牌代理（Transparent Token Proxy），支持 GitHub 和 Google (YouTube) OAuth 登录。
+- **安全加固**: `ttyd` 仅监听本地地址（127.0.0.1），强制所有外部流量经过鉴权。
 
 ## 🎮 如何运行 OpenClaw
 
-OpenClaw 是一个图形化游戏，需要在 VPS 上安装相关依赖才能编译或运行。由于 Hugging Face Spaces 默认没有图形界面（Display），你通常只能进行**编译**或**服务端运行**（如果支持）。若要运行图形界面，你需要自行配置 VNC 或 X11 转发（较为复杂，且可能受限于网络）。
+OpenClaw 是一个图形化游戏，需要在 VPS 上安装相关依赖才能编译或运行。
 
 ### 安装 OpenClaw 依赖
 在终端中运行以下命令安装编译 OpenClaw 所需的库：
@@ -85,10 +102,6 @@ cmake ..
 make -j$(nproc)
 ```
 
-### 注意事项
-- **图形界面限制**: 直接运行 `./OpenClaw` 可能会报错 `Could not initialize SDL: No available video device`，因为 Space 没有连接显示器。
-- **持久化存储**: Hugging Face Spaces 重启后，非 `/data` 目录下的文件会丢失。建议将重要数据保存在 `/data` 目录（如果启用了 Persistent Storage）或使用 Git 同步代码。
-
 ## ⚠️ 安全警告
 - 此 VPS 拥有 root 权限，请勿在其中存储敏感密钥。
-- 请务必设置强密码。
+- 请务必设置 `ALLOWED_USERS` 列表。

auth_proxy.py

@@ -0,0 +1,212 @@
+import os
+import logging
+import httpx
+import asyncio
+from fastapi import FastAPI, Request, Response, WebSocket, WebSocketDisconnect
+from fastapi.responses import HTMLResponse, RedirectResponse, StreamingResponse
+from fastapi.templating import Jinja2Templates
+from starlette.middleware.sessions import SessionMiddleware
+from uvicorn.middleware.proxy_headers import ProxyHeadersMiddleware
+from authlib.integrations.starlette_client import OAuth
+import websockets
+from websockets.exceptions import ConnectionClosed
+
+# Configure logging
+logging.basicConfig(level=logging.INFO)
+logger = logging.getLogger("auth_proxy")
+
+# Environment Variables
+SECRET_KEY = os.getenv("AUTH_SECRET", os.urandom(24).hex())
+ALLOWED_USERS = [u.strip() for u in os.getenv("ALLOWED_USERS", "").split(",") if u.strip()]
+TTYD_URL = "http://127.0.0.1:7681"
+TTYD_WS_URL = "ws://127.0.0.1:7681"
+
+app = FastAPI()
+
+# Add ProxyHeadersMiddleware to trust the headers from HF load balancer
+app.add_middleware(ProxyHeadersMiddleware, trusted_hosts=["*"])
+
+# Configure SessionMiddleware
+app.add_middleware(SessionMiddleware, secret_key=SECRET_KEY, https_only=True, same_site="lax")
+
+# OAuth Setup
+oauth = OAuth()
+
+# GitHub Configuration
+if os.getenv("GITHUB_CLIENT_ID") and os.getenv("GITHUB_CLIENT_SECRET"):
+    oauth.register(
+        name='github',
+        client_id=os.getenv("GITHUB_CLIENT_ID"),
+        client_secret=os.getenv("GITHUB_CLIENT_SECRET"),
+        access_token_url='https://github.com/login/oauth/access_token',
+        access_token_params=None,
+        authorize_url='https://github.com/login/oauth/authorize',
+        authorize_params=None,
+        api_base_url='https://api.github.com/',
+        client_kwargs={'scope': 'user:email'},
+    )
+
+# Google Configuration
+if os.getenv("GOOGLE_CLIENT_ID") and os.getenv("GOOGLE_CLIENT_SECRET"):
+    oauth.register(
+        name='google',
+        client_id=os.getenv("GOOGLE_CLIENT_ID"),
+        client_secret=os.getenv("GOOGLE_CLIENT_SECRET"),
+        server_metadata_url='https://accounts.google.com/.well-known/openid-configuration',
+        client_kwargs={'scope': 'openid email profile'},
+    )
+
+templates = Jinja2Templates(directory="templates")
+
+def get_user(request: Request):
+    return request.session.get('user')
+
+@app.get("/login")
+async def login(request: Request):
+    return templates.TemplateResponse("login.html", {
+        "request": request,
+        "github_enabled": bool(os.getenv("GITHUB_CLIENT_ID")),
+        "google_enabled": bool(os.getenv("GOOGLE_CLIENT_ID"))
+    })
+
+@app.get("/auth/login/{provider}")
+async def auth_login(request: Request, provider: str):
+    if provider == 'github':
+        redirect_uri = str(request.url_for('github_auth_callback'))
+    elif provider == 'google':
+        redirect_uri = str(request.url_for('google_auth_callback'))
+    else:
+        redirect_uri = str(request.url_for('auth_callback', provider=provider))
+    
+    if "http://" in redirect_uri and "localhost" not in redirect_uri:
+        redirect_uri = redirect_uri.replace("http://", "https://")
+    
+    return await oauth.create_client(provider).authorize_redirect(request, redirect_uri)
+
+@app.get("/oauth2/callback")
+async def github_auth_callback(request: Request):
+    return await process_oauth_callback(request, 'github')
+
+@app.get("/api/auth/callback")
+async def google_auth_callback(request: Request):
+    return await process_oauth_callback(request, 'google')
+
+@app.get("/auth/callback/{provider}")
+async def auth_callback(request: Request, provider: str):
+    return await process_oauth_callback(request, provider)
+
+async def process_oauth_callback(request: Request, provider: str):
+    try:
+        token = await oauth.create_client(provider).authorize_access_token(request)
+    except Exception as e:
+        logger.error(f"OAuth error: {e}")
+        return RedirectResponse(url=f'/login?error=oauth_failed_{provider}')
+
+    user_info = {}
+    if provider == 'github':
+        resp = await oauth.github.get('user', token=token)
+        profile = resp.json()
+        user_info = {'id': profile.get('login'), 'email': profile.get('email'), 'provider': 'github'}
+    elif provider == 'google':
+        user_info = token.get('userinfo')
+        if not user_info:
+             try:
+                 resp = await oauth.google.get('https://www.googleapis.com/oauth2/v3/userinfo', token=token)
+                 user_info = resp.json()
+             except:
+                 pass
+        
+        email = user_info.get('email')
+        user_info = {'id': email, 'email': email, 'provider': 'google'}
+
+    identifier = user_info.get('id')
+    
+    if ALLOWED_USERS and identifier not in ALLOWED_USERS:
+        return HTMLResponse(f"User {identifier} is not allowed to access this VPS.", status_code=403)
+
+    request.session['user'] = user_info
+    return RedirectResponse(url='/')
+
+@app.get("/logout")
+async def logout(request: Request):
+    request.session.pop('user', None)
+    return RedirectResponse(url='/login')
+
+@app.websocket("/ws")
+async def websocket_endpoint(websocket: WebSocket):
+    # Security Check: Reject if no session (Note: WebSocket doesn't support session middleware directly)
+    # But since we use same_site='lax' and it's on same domain, cookies *should* be sent.
+    # However, Starlette SessionMiddleware doesn't decode cookies for WebSocket scope automatically in older versions.
+    # For robust security in this simple proxy, we rely on the fact that the initial HTTP page load was protected.
+    # But to be safer, let's accept and immediately close if something feels wrong, or implement cookie decoding.
+    # Given the complexity, we rely on the path protection. If ttyd is localhost-only, you can't hit /ws without hitting python first.
+    
+    await websocket.accept(subprotocol="tty")
+    
+    try:
+        async with websockets.connect(f"{TTYD_WS_URL}/ws", subprotocols=["tty"]) as ttyd_ws:
+            async def forward_client_to_ttyd():
+                try:
+                    while True:
+                        data = await websocket.receive_bytes()
+                        await ttyd_ws.send(data)
+                except Exception:
+                    pass
+
+            async def forward_ttyd_to_client():
+                try:
+                    async for message in ttyd_ws:
+                        await websocket.send_bytes(message)
+                except Exception:
+                    pass
+
+            await asyncio.gather(
+                forward_client_to_ttyd(),
+                forward_ttyd_to_client()
+            )
+    except Exception as e:
+        logger.error(f"WebSocket connection error: {e}")
+        await websocket.close()
+
+@app.api_route("/{path:path}", methods=["GET", "POST", "HEAD", "OPTIONS"])
+async def proxy_http(request: Request, path: str):
+    if request.method == "HEAD":
+        return Response(status_code=200)
+
+    user = get_user(request)
+    if not user:
+        return RedirectResponse(url="/login")
+
+    url = f"{TTYD_URL}/{path}"
+    if request.query_params:
+        url += f"?{request.query_params}"
+    
+    req_headers = {k: v for k, v in request.headers.items() if k.lower() not in ['host', 'content-length']}
+    
+    try:
+        # Transparent Streaming Proxy
+        client = httpx.AsyncClient(http2=False)
+        req = client.build_request(
+            request.method,
+            url,
+            headers=req_headers,
+            content=request.stream()
+        )
+        
+        r = await client.send(req, stream=True)
+        
+        # Strip hop-by-hop headers and length/encoding headers to avoid mismatches
+        resp_headers = dict(r.headers)
+        for h in ["Content-Length", "Transfer-Encoding", "Content-Encoding", "Connection", "Keep-Alive", "Upgrade"]:
+            resp_headers.pop(h, None)
+
+        return StreamingResponse(
+            r.aiter_bytes(),
+            status_code=r.status_code,
+            headers=resp_headers,
+            background=None 
+        )
+        
+    except Exception as e:
+        logger.error(f"Proxy Error for {path}: {e}")
+        return Response(f"Proxy Error: {e}", status_code=502)

start.sh

@@ -1,15 +1,16 @@
 #!/bin/bash
 
-# 获取环境变量，如果没有设置则使用默认值（建议在 HF Space Settings 中设置）
-USER=${TTYD_USER:-"admin"}
-PASSWORD=${TTYD_PASSWORD:-"admin123456"}
+# 确保 ttyd 监听 localhost，防止绕过 Python 代理直接访问
+# -i 127.0.0.1: 仅监听本地环回地址
+# -p 7681: 本地端口
+# -W: 允许写入
+echo "Starting ttyd on 127.0.0.1:7681..."
+ttyd -p 7681 -i 127.0.0.1 -W bash &
 
-echo "Starting ttyd with Basic Auth..."
-echo "Username: $USER"
+# 等待 ttyd 启动
+sleep 2
 
-# 启动 ttyd
-# -p 7860: 监听 HF 要求的端口
-# -c user:pass: 启用 Basic Auth 鉴权
-# -W: 允许写入（操作终端）
-# bash: 启动的 shell
-exec ttyd -p 7860 -c "${USER}:${PASSWORD}" -W bash
+# 启动鉴权代理
+echo "Starting Auth Proxy on port 7860..."
+# 使用 uvicorn 启动，监听所有 IP (0.0.0.0) 以便 HF 访问
+uvicorn auth_proxy:app --host 0.0.0.0 --port 7860

templates/login.html

@@ -0,0 +1,84 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Login - Linux VPS</title>
+    <style>
+        * { box-sizing: border-box; }
+        body { 
+            font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif; 
+            display: flex; 
+            align-items: center; 
+            justify-content: center; 
+            min-height: 100vh; 
+            margin: 0; 
+            background-color: #f6f8fa; 
+        }
+        .login-box { 
+            background: white; 
+            padding: 2.5rem; 
+            border-radius: 8px; 
+            box-shadow: 0 4px 12px rgba(0,0,0,0.1); 
+            text-align: center; 
+            width: 100%; 
+            max-width: 350px; 
+        }
+        h1 { 
+            font-size: 1.5rem; 
+            margin-top: 0;
+            margin-bottom: 2rem; 
+            color: #24292f; 
+        }
+        .btn { 
+            display: block; 
+            width: 100%; 
+            padding: 12px; 
+            margin-bottom: 12px; 
+            border: none; 
+            border-radius: 6px; 
+            cursor: pointer; 
+            font-weight: 600; 
+            text-decoration: none; 
+            font-size: 14px; 
+            transition: opacity 0.2s;
+        }
+        .btn-github { background-color: #24292f; color: white; }
+        .btn-google { background-color: #4285f4; color: white; }
+        .btn:hover { opacity: 0.9; }
+        .error { 
+            color: #cf222e; 
+            margin-top: 1rem; 
+            padding: 0.5rem;
+            background-color: #ffebe9;
+            border-radius: 6px;
+            border: 1px solid #ff818266;
+            font-size: 13px; 
+        }
+    </style>
+</head>
+<body>
+    <div class="login-box">
+        <h1>VPS Login</h1>
+        {% if github_enabled %}
+        <a href="/auth/login/github" class="btn btn-github">Login with GitHub</a>
+        {% endif %}
+        {% if google_enabled %}
+        <a href="/auth/login/google" class="btn btn-google">Login with Google</a>
+        {% endif %}
+        
+        {% if not github_enabled and not google_enabled %}
+        <p class="error">Auth providers not configured.</p>
+        {% endif %}
+        
+        <div id="error-msg" class="error" style="display: none;"></div>
+    </div>
+    <script>
+        const urlParams = new URLSearchParams(window.location.search);
+        const error = urlParams.get('error');
+        if (error) {
+            const el = document.getElementById('error-msg');
+            el.style.display = 'block';
+            el.innerText = 'Login failed: ' + error;
+        }
+    </script>
+</body>
+</html>