Upload app.py

app.py

@@ -56,11 +56,16 @@ app.add_middleware(
 
 # 允許的來源網址清單
 ALLOWED_ORIGINS = [
-    "https://n-m2azgihk7rtcqqaxywntv75at3thf3bgps4xdlq-0lu-script.googleusercontent.com",
     "https://www.dfes.ntpc.edu.tw",
     "https://demo.dfes.ntpc.edu.tw"
 ]
 
+# 允許的 GAS 專案 ID 清單（支援多個專案）
+ALLOWED_GAS_PROJECT_IDS = [
+    "m2azgihk7rtcqqaxywntv75at3thf3bgps4xdlq",  # 您的 GAS 專案 ID
+    # 可以在這裡添加更多 GAS 專案 ID
+]
+
 # 如果希望允許所有 GAS，取消下面兩行的註解
 # "https://script.google.com",  # 所有 Google Apps Script
 
@@ -96,12 +101,20 @@ def _is_origin_allowed(request: Request) -> bool:
             if origin.startswith(allowed_origin):
                 print(f"✅ Origin 匹配: {origin} 匹配 {allowed_origin}")
                 return True
+        
+        # 檢查 GAS 專案 ID
+        if _is_gas_project_allowed(origin):
+            return True
     
     if referer:
         for allowed_origin in ALLOWED_ORIGINS:
             if referer.startswith(allowed_origin):
                 print(f"✅ Referer 匹配: {referer} 匹配 {allowed_origin}")
                 return True
+        
+        # 檢查 GAS 專案 ID
+        if _is_gas_project_allowed(referer):
+            return True
     
     # 允許來自 Hugging Face Spaces 的直接調用
     if "huggingface" in user_agent.lower():
@@ -111,6 +124,40 @@ def _is_origin_allowed(request: Request) -> bool:
     print(f"❌ 請求被拒絕 - Origin: {origin}, Referer: {referer}")
     return False
 
+def _is_gas_project_allowed(url: str) -> bool:
+    """檢查是否為允許的 GAS 專案"""
+    if not url:
+        return False
+    
+    # 檢查是否為 GAS 網址格式
+    if not url.startswith("https://n-") or not url.endswith("-script.googleusercontent.com"):
+        return False
+    
+    # 提取專案 ID
+    # 網址格式: https://n-{專案ID}-{使用者ID}lu-script.googleusercontent.com
+    try:
+        # 移除前綴和後綴
+        project_part = url.replace("https://n-", "").replace("-script.googleusercontent.com", "")
+        
+        # 找到最後一個 "-" 的位置，前面就是專案 ID
+        last_dash_index = project_part.rfind("-")
+        if last_dash_index == -1:
+            return False
+        
+        project_id = project_part[:last_dash_index]
+        
+        # 檢查專案 ID 是否在允許清單中
+        if project_id in ALLOWED_GAS_PROJECT_IDS:
+            print(f"✅ GAS 專案匹配: {project_id} 在允許清單中")
+            return True
+        else:
+            print(f"❌ GAS 專案不匹配: {project_id} 不在允許清單中")
+            return False
+            
+    except Exception as e:
+        print(f"⚠️ 解析 GAS 網址時發生錯誤: {e}")
+        return False
+
 @app.get("/")
 async def root():
     """根路徑，返回 API 信息"""
@@ -138,23 +185,36 @@ async def get_allowed_origins():
     """獲取允許的來源列表（僅供管理員查看）"""
     return {
         "allowed_origins": ALLOWED_ORIGINS,
-        "count": len(ALLOWED_ORIGINS),
-        "description": "允許的來源網址清單，支援擴充匹配"
+        "allowed_gas_project_ids": ALLOWED_GAS_PROJECT_IDS,
+        "count": len(ALLOWED_ORIGINS) + len(ALLOWED_GAS_PROJECT_IDS),
+        "description": "允許的來源網址清單，支援擴充匹配。GAS 專案 ID 會自動匹配所有使用者的網址變體。"
     }
 
 @app.get("/debug-request")
 async def debug_request(request: Request):
     """調試端點：顯示請求的詳細信息"""
     headers = dict(request.headers)
+    origin = headers.get("origin")
+    referer = headers.get("referer")
+    
+    # 檢查 GAS 專案
+    gas_project_info = {}
+    if origin:
+        gas_project_info["origin"] = _extract_gas_project_id(origin)
+    if referer:
+        gas_project_info["referer"] = _extract_gas_project_id(referer)
+    
     return {
         "method": request.method,
         "url": str(request.url),
         "headers": headers,
-        "origin": headers.get("origin"),
-        "referer": headers.get("referer"),
+        "origin": origin,
+        "referer": referer,
         "user_agent": headers.get("user-agent"),
         "is_allowed": _is_origin_allowed(request),
         "client_ip": request.client.host if request.client else "unknown",
+        "gas_project_info": gas_project_info,
+        "allowed_gas_project_ids": ALLOWED_GAS_PROJECT_IDS,
         "request_info": {
             "has_origin": bool(headers.get("origin")),
             "has_referer": bool(headers.get("referer")),
@@ -163,6 +223,33 @@ async def debug_request(request: Request):
         }
     }
 
+def _extract_gas_project_id(url: str) -> dict:
+    """提取 GAS 專案 ID 信息"""
+    if not url:
+        return {"is_gas": False}
+    
+    if not url.startswith("https://n-") or not url.endswith("-script.googleusercontent.com"):
+        return {"is_gas": False}
+    
+    try:
+        project_part = url.replace("https://n-", "").replace("-script.googleusercontent.com", "")
+        last_dash_index = project_part.rfind("-")
+        
+        if last_dash_index == -1:
+            return {"is_gas": True, "project_id": None, "user_id": None, "error": "無法解析專案 ID"}
+        
+        project_id = project_part[:last_dash_index]
+        user_id = project_part[last_dash_index + 1:]
+        
+        return {
+            "is_gas": True,
+            "project_id": project_id,
+            "user_id": user_id,
+            "is_allowed": project_id in ALLOWED_GAS_PROJECT_IDS
+        }
+    except Exception as e:
+        return {"is_gas": True, "error": str(e)}
+
 
 @app.get("/voices")
 async def get_voices():