Create cleanup_tokens.sh

cleanup_tokens.sh

@@ -0,0 +1,184 @@
+#!/bin/sh
+#
+# cleanup_tokens.sh - Remove invalid/unavailable auth tokens via CLIProxyAPI Management API
+#
+# Runs periodically to clean up expired or failed OAuth tokens from the auth store.
+# Tokens with status != "ready", unavailable=true, or known error statuses will be deleted.
+#
+# Required environment variables:
+#   MANAGEMENT_PASSWORD        - CLIProxyAPI management API password (required)
+#
+# Optional environment variables:
+#   FEISHU_WEBHOOK_URL         - Feishu (Lark) bot webhook URL for notifications
+#                                e.g. https://open.feishu.cn/open-apis/bot/v2/hook/xxxx
+#                                If not set, no notifications will be sent.
+#   CLEANUP_NOTIFY_ON_EMPTY    - Set to "true" to send a notification even when
+#                                no invalid tokens were found (default: false)
+#
+# The service always runs on localhost:7860 in this HuggingFace deployment.
+#
+
+API_BASE="http://localhost:7860/v0/management"
+LOG_PREFIX="[cleanup_tokens] $(date '+%Y-%m-%d %H:%M:%S')"
+TMP_FILE="/tmp/auth_files_$$.json"
+TMP_NAMES="/tmp/auth_names_$$.txt"
+
+cleanup_tmp() {
+    rm -f "$TMP_FILE" "$TMP_NAMES"
+}
+trap cleanup_tmp EXIT
+
+# Send a notification to Feishu webhook
+# Usage: notify_feishu "title" "content"
+notify_feishu() {
+    if [ -z "$FEISHU_WEBHOOK_URL" ]; then
+        return 0
+    fi
+    TITLE="$1"
+    CONTENT="$2"
+    PAYLOAD=$(jq -n \
+        --arg title "$TITLE" \
+        --arg content "$CONTENT" \
+        '{
+            msg_type: "post",
+            content: {
+                post: {
+                    zh_cn: {
+                        title: $title,
+                        content: [[{"tag": "text", "text": $content}]]
+                    }
+                }
+            }
+        }')
+    curl -s -X POST \
+        -H "Content-Type: application/json" \
+        -d "$PAYLOAD" \
+        "$FEISHU_WEBHOOK_URL" > /dev/null 2>&1
+}
+
+if [ -z "$MANAGEMENT_PASSWORD" ]; then
+    echo "${LOG_PREFIX} ERROR: MANAGEMENT_PASSWORD not set, skipping cleanup"
+    exit 1
+fi
+
+echo "${LOG_PREFIX} Starting invalid token cleanup..."
+
+# Fetch all auth files
+HTTP_STATUS=$(curl -s -o "$TMP_FILE" -w "%{http_code}" \
+    -H "Authorization: Bearer ${MANAGEMENT_PASSWORD}" \
+    "${API_BASE}/auth-files" 2>/dev/null)
+
+if [ "$HTTP_STATUS" != "200" ]; then
+    MSG="API returned HTTP ${HTTP_STATUS}. Service may not be ready."
+    echo "${LOG_PREFIX} ERROR: ${MSG}"
+    cat "$TMP_FILE" 2>/dev/null
+    notify_feishu "❌ Token 清理失败" "$(date '+%Y-%m-%d %H:%M:%S')
+错误：${MSG}"
+    exit 1
+fi
+
+if ! jq empty "$TMP_FILE" 2>/dev/null; then
+    echo "${LOG_PREFIX} ERROR: Invalid JSON response from API"
+    notify_feishu "❌ Token 清理失败" "$(date '+%Y-%m-%d %H:%M:%S')
+错误：API 返回了无效的 JSON 响应"
+    exit 1
+fi
+
+TOTAL=$(jq '.files | length' "$TMP_FILE")
+echo "${LOG_PREFIX} Total auth files found: ${TOTAL}"
+
+if [ "$TOTAL" -eq 0 ]; then
+    echo "${LOG_PREFIX} No auth files found, nothing to clean up."
+    exit 0
+fi
+
+# Extract names of tokens to delete:
+# - unavailable=true AND runtime_only=false (can only delete file-based tokens)
+# - OR status is one of: error, expired, invalid, failed, unauthorized, quota_exceeded
+jq -r '
+  .files[] |
+  select(.runtime_only != true) |
+  select(
+    .unavailable == true or
+    (.status != null and (.status == "error" or .status == "expired" or
+     .status == "invalid" or .status == "failed" or
+     .status == "unauthorized" or .status == "quota_exceeded"))
+  ) |
+  .name
+' "$TMP_FILE" > "$TMP_NAMES"
+
+TO_DELETE=$(wc -l < "$TMP_NAMES" | tr -d ' ')
+echo "${LOG_PREFIX} Tokens to delete: ${TO_DELETE}"
+
+if [ "$TO_DELETE" -eq 0 ]; then
+    echo "${LOG_PREFIX} All tokens are healthy, no cleanup needed."
+    if [ "${CLEANUP_NOTIFY_ON_EMPTY}" = "true" ]; then
+        notify_feishu "✅ Token 清理完成" "$(date '+%Y-%m-%d %H:%M:%S')
+共 ${TOTAL} 个 token，全部健康，无需清理。"
+    fi
+    exit 0
+fi
+
+# Build a detail list for the notification
+DETAIL_LIST=""
+while IFS= read -r NAME; do
+    STATUS=$(jq -r --arg n "$NAME" '.files[] | select(.name == $n) | .status // "unknown"' "$TMP_FILE")
+    UNAVAIL=$(jq -r --arg n "$NAME" '.files[] | select(.name == $n) | .unavailable' "$TMP_FILE")
+    echo "${LOG_PREFIX}   - ${NAME} (status=${STATUS}, unavailable=${UNAVAIL})"
+    DETAIL_LIST="${DETAIL_LIST}  • ${NAME} [${STATUS}]
+"
+done < "$TMP_NAMES"
+
+# Delete each invalid token
+DELETED=0
+ERRORS=0
+ERROR_LIST=""
+
+while IFS= read -r NAME; do
+    if [ -z "$NAME" ]; then
+        continue
+    fi
+
+    # URL-encode the name (handles @ and . in email-based filenames)
+    ENCODED_NAME=$(printf '%s' "$NAME" | sed 's/@/%40/g' | sed 's/ /%20/g')
+
+    DEL_STATUS=$(curl -s -o /tmp/del_resp_$$.json -w "%{http_code}" \
+        -X DELETE \
+        -H "Authorization: Bearer ${MANAGEMENT_PASSWORD}" \
+        "${API_BASE}/auth-files?name=${ENCODED_NAME}" 2>/dev/null)
+
+    if [ "$DEL_STATUS" = "200" ]; then
+        echo "${LOG_PREFIX} DELETED: ${NAME}"
+        DELETED=$((DELETED + 1))
+    else
+        DEL_ERR=$(cat /tmp/del_resp_$$.json 2>/dev/null)
+        echo "${LOG_PREFIX} ERROR deleting ${NAME} (HTTP ${DEL_STATUS}): ${DEL_ERR}"
+        ERRORS=$((ERRORS + 1))
+        ERROR_LIST="${ERROR_LIST}  • ${NAME} (HTTP ${DEL_STATUS})
+"
+    fi
+    rm -f /tmp/del_resp_$$.json
+done < "$TMP_NAMES"
+
+echo "${LOG_PREFIX} Cleanup done. Deleted: ${DELETED}, Errors: ${ERRORS}"
+
+# Send Feishu notification with summary
+if [ "$ERRORS" -gt 0 ]; then
+    NOTIFY_TITLE="⚠️ Token 清理完成（有错误）"
+    NOTIFY_BODY="$(date '+%Y-%m-%d %H:%M:%S')
+共 ${TOTAL} 个 token，清理 ${TO_DELETE} 个失效 token。
+
+已删除（${DELETED} 个）：
+${DETAIL_LIST}
+删除失败（${ERRORS} 个）：
+${ERROR_LIST}"
+else
+    NOTIFY_TITLE="🧹 Token 清理完成"
+    NOTIFY_BODY="$(date '+%Y-%m-%d %H:%M:%S')
+共 ${TOTAL} 个 token，成功清理 ${DELETED} 个失效 token。
+
+已删除：
+${DETAIL_LIST}"
+fi
+
+notify_feishu "$NOTIFY_TITLE" "$NOTIFY_BODY"