feat: 添加Hugging Face部署支持和管理员认证系统

- 添加远程SQL数据库支持（PostgreSQL/MySQL/SQLite）
- 实现管理员密码认证和会话管理系统
- 创建Dockerfile用于Hugging Face Space部署
- 添加数据库抽象层，支持环境变量配置
- 为敏感管理员操作添加认证保护
- 更新README.md包含HF Space配置
- 添加.env.example环境变量示例文件

.env.example

@@ -0,0 +1,53 @@
+# KiroProxy 环境变量配置示例
+# 复制此文件为 .env 并根据需要修改配置
+
+# ==================== 数据库配置 ====================
+# 数据库连接URL（可选）
+# 如果不设置，将使用文件系统存储（默认：~/.kiro-proxy/）
+
+# PostgreSQL 示例
+# DATABASE_URL=postgresql://username:password@hostname:5432/database_name
+
+# MySQL 示例
+# DATABASE_URL=mysql://username:password@hostname:3306/database_name
+
+# SQLite 示例（本地文件）
+# DATABASE_URL=sqlite:///path/to/database.db
+
+# ==================== 管理员认证配置 ====================
+# 管理员面板密码（强烈推荐设置）
+# 如果不设置，系统将自动生成随机密码并在启动时显示
+ADMIN_PASSWORD=your_secure_admin_password_here
+
+# ==================== 服务器配置 ====================
+# 服务器端口（默认：8080）
+PORT=7860
+
+# 服务器主机地址（默认：0.0.0.0）
+HOST=0.0.0.0
+
+# ==================== Kiro API 配置 ====================
+# Kiro API 端点（通常不需要修改）
+# KIRO_API_URL=https://q.us-east-1.amazonaws.com/generateAssistantResponse
+# MODELS_URL=https://q.us-east-1.amazonaws.com/ListAvailableModels
+
+# ==================== 高级配置 ====================
+# 配额冷却时间（秒，默认：300）
+# QUOTA_COOLDOWN_SECONDS=300
+
+# 数据目录（默认：~/.kiro-proxy）
+# DATA_DIR=/app/data
+
+# 日志级别（DEBUG, INFO, WARNING, ERROR）
+# LOG_LEVEL=INFO
+
+# ==================== Hugging Face Space 专用配置 ====================
+# 在 Hugging Face Space 中，以下环境变量会自动设置：
+# SPACE_ID - Space 的唯一标识符
+# SPACE_AUTHOR_NAME - Space 作者名称
+# SPACE_REPO_NAME - Space 仓库名称
+
+# 建议在 Hugging Face Space 设置中配置：
+# 1. DATABASE_URL - 连接到远程数据库（如 PostgreSQL）
+# 2. ADMIN_PASSWORD - 设置管理员密码
+# 3. 其他自定义配置根据需要添加

Dockerfile

@@ -0,0 +1,43 @@
+# Hugging Face Docker部署配置
+FROM python:3.11-slim
+
+# 设置工作目录
+WORKDIR /app
+
+# 设置环境变量
+ENV PYTHONPATH=/app
+ENV PYTHONUNBUFFERED=1
+ENV PYTHONDONTWRITEBYTECODE=1
+
+# 安装系统依赖
+RUN apt-get update && apt-get install -y \
+    gcc \
+    g++ \
+    curl \
+    && rm -rf /var/lib/apt/lists/*
+
+# 复制requirements文件
+COPY requirements.txt .
+
+# 安装Python依赖
+RUN pip install --no-cache-dir -r requirements.txt
+
+# 复制项目文件
+COPY KiroProxy/ ./KiroProxy/
+COPY run.py .
+
+# 创建数据目录
+RUN mkdir -p /app/data
+
+# 设置权限
+RUN chmod +x run.py
+
+# 暴露端口
+EXPOSE 7860
+
+# 健康检查
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+    CMD curl -f http://localhost:7860/api/status || exit 1
+
+# 启动命令
+CMD ["python", "run.py", "7860"]

KiroProxy/kiro_proxy/core/admin_auth.py

@@ -0,0 +1,191 @@
+"""管理员认证系统"""
+import os
+import secrets
+import hashlib
+import hmac
+import time
+import logging
+from typing import Optional, Dict, Any
+from datetime import datetime, timedelta
+from .persistence import save_admin_config, load_admin_config
+
+logger = logging.getLogger(__name__)
+
+class AdminAuth:
+    """管理员认证管理器"""
+
+    def __init__(self):
+        self.secret_key = self._get_or_create_secret_key()
+        self.session_timeout = 24 * 60 * 60  # 24小时
+        self._sessions: Dict[str, Dict[str, Any]] = {}
+
+    def _get_or_create_secret_key(self) -> str:
+        """获取或创建密钥"""
+        admin_config = load_admin_config()
+        secret_key = admin_config.get("secret_key")
+
+        if not secret_key:
+            secret_key = secrets.token_urlsafe(32)
+            admin_config["secret_key"] = secret_key
+            save_admin_config(admin_config)
+            logger.info("生成新的管理员密钥")
+
+        return secret_key
+
+    def get_admin_password(self) -> str:
+        """获取管理员密码"""
+        # 1. 优先使用环境变量
+        env_password = os.getenv("ADMIN_PASSWORD")
+        if env_password:
+            logger.info("使用环境变量中的管理员密码")
+            return env_password
+
+        # 2. 从配置文件获取
+        admin_config = load_admin_config()
+        stored_password = admin_config.get("password")
+
+        if stored_password:
+            logger.info("使用配置文件中的管理员密码")
+            return stored_password
+
+        # 3. 生成随机密码
+        random_password = secrets.token_urlsafe(12)
+        admin_config["password"] = random_password
+        save_admin_config(admin_config)
+
+        logger.warning("=" * 60)
+        logger.warning("🔐 管理员密码已自动生成")
+        logger.warning(f"密码: {random_password}")
+        logger.warning("请妥善保存此密码，或设置环境变量 ADMIN_PASSWORD")
+        logger.warning("=" * 60)
+
+        return random_password
+
+    def hash_password(self, password: str) -> str:
+        """哈希密码"""
+        salt = secrets.token_bytes(32)
+        pwdhash = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, 100000)
+        return salt.hex() + pwdhash.hex()
+
+    def verify_password(self, password: str, hashed: str) -> bool:
+        """验证密码"""
+        try:
+            salt = bytes.fromhex(hashed[:64])
+            stored_hash = bytes.fromhex(hashed[64:])
+            pwdhash = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, 100000)
+            return hmac.compare_digest(stored_hash, pwdhash)
+        except Exception:
+            return False
+
+    def authenticate(self, password: str) -> bool:
+        """验证管理员密码"""
+        admin_password = self.get_admin_password()
+        return hmac.compare_digest(password, admin_password)
+
+    def create_session(self, user_id: str = "admin") -> str:
+        """创建会话"""
+        session_id = secrets.token_urlsafe(32)
+        expires_at = time.time() + self.session_timeout
+
+        self._sessions[session_id] = {
+            "user_id": user_id,
+            "created_at": time.time(),
+            "expires_at": expires_at,
+            "last_activity": time.time()
+        }
+
+        # 清理过期会话
+        self._cleanup_expired_sessions()
+
+        logger.info(f"创建管理员会话: {session_id[:8]}...")
+        return session_id
+
+    def validate_session(self, session_id: str) -> bool:
+        """验证会话"""
+        if not session_id or session_id not in self._sessions:
+            return False
+
+        session = self._sessions[session_id]
+        current_time = time.time()
+
+        # 检查是否过期
+        if current_time > session["expires_at"]:
+            del self._sessions[session_id]
+            return False
+
+        # 更新最后活动时间
+        session["last_activity"] = current_time
+        return True
+
+    def revoke_session(self, session_id: str) -> bool:
+        """撤销会话"""
+        if session_id in self._sessions:
+            del self._sessions[session_id]
+            logger.info(f"撤销管理员会话: {session_id[:8]}...")
+            return True
+        return False
+
+    def get_session_info(self, session_id: str) -> Optional[Dict[str, Any]]:
+        """获取会话信息"""
+        if session_id in self._sessions:
+            session = self._sessions[session_id].copy()
+            session["created_at"] = datetime.fromtimestamp(session["created_at"]).isoformat()
+            session["expires_at"] = datetime.fromtimestamp(session["expires_at"]).isoformat()
+            session["last_activity"] = datetime.fromtimestamp(session["last_activity"]).isoformat()
+            return session
+        return None
+
+    def _cleanup_expired_sessions(self):
+        """清理过期会话"""
+        current_time = time.time()
+        expired_sessions = [
+            sid for sid, session in self._sessions.items()
+            if current_time > session["expires_at"]
+        ]
+
+        for sid in expired_sessions:
+            del self._sessions[sid]
+
+        if expired_sessions:
+            logger.info(f"清理了 {len(expired_sessions)} 个过期会话")
+
+    def get_active_sessions(self) -> Dict[str, Dict[str, Any]]:
+        """获取所有活跃会话"""
+        self._cleanup_expired_sessions()
+        return {
+            sid: self.get_session_info(sid)
+            for sid in self._sessions.keys()
+        }
+
+
+# 全局认证实例
+_auth_instance: Optional[AdminAuth] = None
+
+def get_admin_auth() -> AdminAuth:
+    """获取管理员认证实例（单例模式）"""
+    global _auth_instance
+    if _auth_instance is None:
+        _auth_instance = AdminAuth()
+    return _auth_instance
+
+
+# 便捷函数
+def authenticate_admin(password: str) -> bool:
+    """验证管理员密码"""
+    return get_admin_auth().authenticate(password)
+
+def create_admin_session() -> str:
+    """创建管理员会话"""
+    return get_admin_auth().create_session()
+
+def validate_admin_session(session_id: str) -> bool:
+    """验证管理员会话"""
+    return get_admin_auth().validate_session(session_id)
+
+def revoke_admin_session(session_id: str) -> bool:
+    """撤销管理员会话"""
+    return get_admin_auth().revoke_session(session_id)
+
+def get_admin_password() -> str:
+    """获取管理员密码"""
+    return get_admin_auth().get_admin_password()

KiroProxy/kiro_proxy/core/auth_middleware.py

@@ -0,0 +1,118 @@
+"""管理员认证中间件和装饰器"""
+from functools import wraps
+from typing import Optional
+from fastapi import HTTPException, Request, Depends
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
+from .admin_auth import get_admin_auth, validate_admin_session
+
+security = HTTPBearer(auto_error=False)
+
+class AdminAuthMiddleware:
+    """管理员认证中间件"""
+
+    def __init__(self):
+        self.auth = get_admin_auth()
+
+    def get_session_from_request(self, request: Request) -> Optional[str]:
+        """从请求中提取会话ID"""
+        # 1. 从Authorization头获取
+        auth_header = request.headers.get("Authorization")
+        if auth_header and auth_header.startswith("Bearer "):
+            return auth_header[7:]
+
+        # 2. 从Cookie获取
+        session_id = request.cookies.get("admin_session")
+        if session_id:
+            return session_id
+
+        # 3. 从查询参数获取（用于WebSocket等场景）
+        session_id = request.query_params.get("session")
+        if session_id:
+            return session_id
+
+        return None
+
+    async def authenticate_request(self, request: Request) -> bool:
+        """验证请求是否已认证"""
+        session_id = self.get_session_from_request(request)
+        if not session_id:
+            return False
+
+        return validate_admin_session(session_id)
+
+
+# 全局中间件实例
+_middleware_instance: Optional[AdminAuthMiddleware] = None
+
+def get_auth_middleware() -> AdminAuthMiddleware:
+    """获取认证中间件实例"""
+    global _middleware_instance
+    if _middleware_instance is None:
+        _middleware_instance = AdminAuthMiddleware()
+    return _middleware_instance
+
+
+# FastAPI依赖项
+async def require_admin_auth(
+    request: Request,
+    credentials: Optional[HTTPAuthorizationCredentials] = Depends(security)
+) -> str:
+    """要求管理员认证的依赖项"""
+    middleware = get_auth_middleware()
+
+    # 检查认证
+    if not await middleware.authenticate_request(request):
+        raise HTTPException(
+            status_code=401,
+            detail="需要管理员认证",
+            headers={"WWW-Authenticate": "Bearer"}
+        )
+
+    # 返回会话ID
+    session_id = middleware.get_session_from_request(request)
+    return session_id
+
+
+async def optional_admin_auth(
+    request: Request,
+    credentials: Optional[HTTPAuthorizationCredentials] = Depends(security)
+) -> Optional[str]:
+    """可选的管理员认证依赖项"""
+    middleware = get_auth_middleware()
+
+    if await middleware.authenticate_request(request):
+        return middleware.get_session_from_request(request)
+
+    return None
+
+
+# 装饰器版本（用于非FastAPI函数）
+def require_admin_session(func):
+    """要求管理员会话的装饰器"""
+    @wraps(func)
+    async def wrapper(*args, **kwargs):
+        # 查找Request参数
+        request = None
+        for arg in args:
+            if isinstance(arg, Request):
+                request = arg
+                break
+
+        if not request:
+            # 从kwargs查找
+            request = kwargs.get('request')
+
+        if not request:
+            raise HTTPException(status_code=500, detail="无法获取请求对象")
+
+        middleware = get_auth_middleware()
+        if not await middleware.authenticate_request(request):
+            raise HTTPException(
+                status_code=401,
+                detail="需要管理员认证",
+                headers={"WWW-Authenticate": "Bearer"}
+            )
+
+        return await func(*args, **kwargs)
+
+    return wrapper

KiroProxy/kiro_proxy/core/database.py

@@ -0,0 +1,397 @@
+"""数据库抽象层 - 支持文件系统和远程SQL数据库"""
+import os
+import json
+import asyncio
+from abc import ABC, abstractmethod
+from typing import List, Dict, Any, Optional
+from pathlib import Path
+import logging
+
+logger = logging.getLogger(__name__)
+
+class DatabaseInterface(ABC):
+    """数据库接口抽象类"""
+
+    @abstractmethod
+    async def save_accounts(self, accounts: List[Dict[str, Any]]) -> bool:
+        """保存账号配置"""
+        pass
+
+    @abstractmethod
+    async def load_accounts(self) -> List[Dict[str, Any]]:
+        """加载账号配置"""
+        pass
+
+    @abstractmethod
+    async def save_config(self, config: Dict[str, Any]) -> bool:
+        """保存完整配置"""
+        pass
+
+    @abstractmethod
+    async def load_config(self) -> Dict[str, Any]:
+        """加载完整配置"""
+        pass
+
+    @abstractmethod
+    async def save_admin_config(self, admin_config: Dict[str, Any]) -> bool:
+        """保存管理员配置"""
+        pass
+
+    @abstractmethod
+    async def load_admin_config(self) -> Dict[str, Any]:
+        """加载管理员配置"""
+        pass
+
+    @abstractmethod
+    async def initialize(self) -> bool:
+        """初始化数据库"""
+        pass
+
+
+class FileSystemDatabase(DatabaseInterface):
+    """文件系统数据库实现（原有逻辑）"""
+
+    def __init__(self, data_dir: Path):
+        self.data_dir = data_dir
+        self.config_file = data_dir / "config.json"
+        self.admin_config_file = data_dir / "admin.json"
+
+    def _ensure_dir(self):
+        """确保目录存在"""
+        self.data_dir.mkdir(parents=True, exist_ok=True)
+
+    async def initialize(self) -> bool:
+        """初始化文件系统"""
+        try:
+            self._ensure_dir()
+            return True
+        except Exception as e:
+            logger.error(f"文件系统初始化失败: {e}")
+            return False
+
+    async def save_accounts(self, accounts: List[Dict[str, Any]]) -> bool:
+        """保存账号配置"""
+        try:
+            self._ensure_dir()
+            config = await self.load_config()
+            config["accounts"] = accounts
+            return await self.save_config(config)
+        except Exception as e:
+            logger.error(f"保存账号配置失败: {e}")
+            return False
+
+    async def load_accounts(self) -> List[Dict[str, Any]]:
+        """加载账号配置"""
+        config = await self.load_config()
+        return config.get("accounts", [])
+
+    async def save_config(self, config: Dict[str, Any]) -> bool:
+        """保存完整配置"""
+        try:
+            self._ensure_dir()
+            with open(self.config_file, "w", encoding="utf-8") as f:
+                json.dump(config, f, indent=2, ensure_ascii=False)
+            return True
+        except Exception as e:
+            logger.error(f"保存配置失败: {e}")
+            return False
+
+    async def load_config(self) -> Dict[str, Any]:
+        """加载完整配置"""
+        try:
+            if self.config_file.exists():
+                with open(self.config_file, "r", encoding="utf-8") as f:
+                    return json.load(f)
+        except Exception as e:
+            logger.error(f"加载配置失败: {e}")
+        return {}
+
+    async def save_admin_config(self, admin_config: Dict[str, Any]) -> bool:
+        """保存管理员配置"""
+        try:
+            self._ensure_dir()
+            with open(self.admin_config_file, "w", encoding="utf-8") as f:
+                json.dump(admin_config, f, indent=2, ensure_ascii=False)
+            return True
+        except Exception as e:
+            logger.error(f"保存管理员配置失败: {e}")
+            return False
+
+    async def load_admin_config(self) -> Dict[str, Any]:
+        """加载管理员配置"""
+        try:
+            if self.admin_config_file.exists():
+                with open(self.admin_config_file, "r", encoding="utf-8") as f:
+                    return json.load(f)
+        except Exception as e:
+            logger.error(f"加载管理员配置失败: {e}")
+        return {}
+
+
+class SQLDatabase(DatabaseInterface):
+    """SQL数据库实现"""
+
+    def __init__(self, database_url: str):
+        self.database_url = database_url
+        self.pool = None
+        self._db_type = self._detect_db_type(database_url)
+
+    def _detect_db_type(self, url: str) -> str:
+        """检测数据库类型"""
+        if url.startswith("postgresql://") or url.startswith("postgres://"):
+            return "postgresql"
+        elif url.startswith("mysql://") or url.startswith("mysql+"):
+            return "mysql"
+        elif url.startswith("sqlite://"):
+            return "sqlite"
+        else:
+            return "unknown"
+
+    async def initialize(self) -> bool:
+        """初始化SQL数据库连接和表结构"""
+        try:
+            if self._db_type == "postgresql":
+                await self._init_postgresql()
+            elif self._db_type == "mysql":
+                await self._init_mysql()
+            elif self._db_type == "sqlite":
+                await self._init_sqlite()
+            else:
+                logger.error(f"不支持的数据库类型: {self._db_type}")
+                return False
+
+            await self._create_tables()
+            return True
+        except Exception as e:
+            logger.error(f"SQL数据库初始化失败: {e}")
+            return False
+
+    async def _init_postgresql(self):
+        """初始化PostgreSQL连接"""
+        try:
+            import asyncpg
+            self.pool = await asyncpg.create_pool(self.database_url)
+        except ImportError:
+            raise ImportError("请安装 asyncpg: pip install asyncpg")
+
+    async def _init_mysql(self):
+        """初始化MySQL连接"""
+        try:
+            import aiomysql
+            # 解析连接URL
+            from urllib.parse import urlparse
+            parsed = urlparse(self.database_url)
+            self.pool = await aiomysql.create_pool(
+                host=parsed.hostname,
+                port=parsed.port or 3306,
+                user=parsed.username,
+                password=parsed.password,
+                db=parsed.path.lstrip('/'),
+                charset='utf8mb4'
+            )
+        except ImportError:
+            raise ImportError("请安装 aiomysql: pip install aiomysql")
+
+    async def _init_sqlite(self):
+        """初始化SQLite连接"""
+        try:
+            import aiosqlite
+            db_path = self.database_url.replace("sqlite://", "")
+            self.db_path = db_path
+        except ImportError:
+            raise ImportError("请安装 aiosqlite: pip install aiosqlite")
+
+    async def _create_tables(self):
+        """创建数据表"""
+        if self._db_type == "postgresql":
+            await self._create_tables_postgresql()
+        elif self._db_type == "mysql":
+            await self._create_tables_mysql()
+        elif self._db_type == "sqlite":
+            await self._create_tables_sqlite()
+
+    async def _create_tables_postgresql(self):
+        """创建PostgreSQL表"""
+        async with self.pool.acquire() as conn:
+            await conn.execute("""
+                CREATE TABLE IF NOT EXISTS kiro_config (
+                    id SERIAL PRIMARY KEY,
+                    key VARCHAR(255) UNIQUE NOT NULL,
+                    value JSONB NOT NULL,
+                    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+                    updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+                )
+            """)
+
+            await conn.execute("""
+                CREATE TABLE IF NOT EXISTS kiro_admin (
+                    id SERIAL PRIMARY KEY,
+                    key VARCHAR(255) UNIQUE NOT NULL,
+                    value JSONB NOT NULL,
+                    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+                    updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+                )
+            """)
+
+    async def _create_tables_mysql(self):
+        """创建MySQL表"""
+        async with self.pool.acquire() as conn:
+            async with conn.cursor() as cursor:
+                await cursor.execute("""
+                    CREATE TABLE IF NOT EXISTS kiro_config (
+                        id INT AUTO_INCREMENT PRIMARY KEY,
+                        `key` VARCHAR(255) UNIQUE NOT NULL,
+                        value JSON NOT NULL,
+                        created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+                        updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP
+                    ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4
+                """)
+
+                await cursor.execute("""
+                    CREATE TABLE IF NOT EXISTS kiro_admin (
+                        id INT AUTO_INCREMENT PRIMARY KEY,
+                        `key` VARCHAR(255) UNIQUE NOT NULL,
+                        value JSON NOT NULL,
+                        created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+                        updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP
+                    ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4
+                """)
+
+    async def _create_tables_sqlite(self):
+        """创建SQLite表"""
+        import aiosqlite
+        async with aiosqlite.connect(self.db_path) as db:
+            await db.execute("""
+                CREATE TABLE IF NOT EXISTS kiro_config (
+                    id INTEGER PRIMARY KEY AUTOINCREMENT,
+                    key TEXT UNIQUE NOT NULL,
+                    value TEXT NOT NULL,
+                    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+                    updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+                )
+            """)
+
+            await db.execute("""
+                CREATE TABLE IF NOT EXISTS kiro_admin (
+                    id INTEGER PRIMARY KEY AUTOINCREMENT,
+                    key TEXT UNIQUE NOT NULL,
+                    value TEXT NOT NULL,
+                    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+                    updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+                )
+            """)
+            await db.commit()
+
+    async def _get_config_value(self, table: str, key: str) -> Optional[Dict[str, Any]]:
+        """从指定表获取配置值"""
+        try:
+            if self._db_type == "postgresql":
+                async with self.pool.acquire() as conn:
+                    row = await conn.fetchrow(f"SELECT value FROM {table} WHERE key = $1", key)
+                    return row['value'] if row else None
+
+            elif self._db_type == "mysql":
+                async with self.pool.acquire() as conn:
+                    async with conn.cursor() as cursor:
+                        await cursor.execute(f"SELECT value FROM {table} WHERE `key` = %s", (key,))
+                        row = await cursor.fetchone()
+                        return json.loads(row[0]) if row else None
+
+            elif self._db_type == "sqlite":
+                import aiosqlite
+                async with aiosqlite.connect(self.db_path) as db:
+                    cursor = await db.execute(f"SELECT value FROM {table} WHERE key = ?", (key,))
+                    row = await cursor.fetchone()
+                    return json.loads(row[0]) if row else None
+
+        except Exception as e:
+            logger.error(f"获取配置失败 {table}.{key}: {e}")
+            return None
+
+    async def _set_config_value(self, table: str, key: str, value: Dict[str, Any]) -> bool:
+        """设置配置值到指定表"""
+        try:
+            if self._db_type == "postgresql":
+                async with self.pool.acquire() as conn:
+                    await conn.execute(f"""
+                        INSERT INTO {table} (key, value) VALUES ($1, $2)
+                        ON CONFLICT (key) DO UPDATE SET value = $2, updated_at = CURRENT_TIMESTAMP
+                    """, key, json.dumps(value))
+
+            elif self._db_type == "mysql":
+                async with self.pool.acquire() as conn:
+                    async with conn.cursor() as cursor:
+                        await cursor.execute(f"""
+                            INSERT INTO {table} (`key`, value) VALUES (%s, %s)
+                            ON DUPLICATE KEY UPDATE value = %s, updated_at = CURRENT_TIMESTAMP
+                        """, (key, json.dumps(value), json.dumps(value)))
+                        await conn.commit()
+
+            elif self._db_type == "sqlite":
+                import aiosqlite
+                async with aiosqlite.connect(self.db_path) as db:
+                    await db.execute(f"""
+                        INSERT OR REPLACE INTO {table} (key, value, updated_at)
+                        VALUES (?, ?, CURRENT_TIMESTAMP)
+                    """, (key, json.dumps(value)))
+                    await db.commit()
+
+            return True
+        except Exception as e:
+            logger.error(f"设置配置失败 {table}.{key}: {e}")
+            return False
+
+    async def save_accounts(self, accounts: List[Dict[str, Any]]) -> bool:
+        """保存账号配置"""
+        config = await self.load_config()
+        config["accounts"] = accounts
+        return await self.save_config(config)
+
+    async def load_accounts(self) -> List[Dict[str, Any]]:
+        """加载账号配置"""
+        config = await self.load_config()
+        return config.get("accounts", [])
+
+    async def save_config(self, config: Dict[str, Any]) -> bool:
+        """保存完整配置"""
+        return await self._set_config_value("kiro_config", "main", config)
+
+    async def load_config(self) -> Dict[str, Any]:
+        """加载完整配置"""
+        config = await self._get_config_value("kiro_config", "main")
+        return config or {}
+
+    async def save_admin_config(self, admin_config: Dict[str, Any]) -> bool:
+        """保存管理员配置"""
+        return await self._set_config_value("kiro_admin", "main", admin_config)
+
+    async def load_admin_config(self) -> Dict[str, Any]:
+        """加载管理员配置"""
+        config = await self._get_config_value("kiro_admin", "main")
+        return config or {}
+
+
+# 数据库工厂
+def create_database() -> DatabaseInterface:
+    """根据环境变量创建数据库实例"""
+    database_url = os.getenv("DATABASE_URL")
+
+    if database_url:
+        logger.info(f"使用远程数据库: {database_url.split('@')[0]}@***")
+        return SQLDatabase(database_url)
+    else:
+        from ..config import DATA_DIR
+        logger.info(f"使用文件系统数据库: {DATA_DIR}")
+        return FileSystemDatabase(DATA_DIR)
+
+
+# 全局数据库实例
+_db_instance: Optional[DatabaseInterface] = None
+
+async def get_database() -> DatabaseInterface:
+    """获取数据库实例（单例模式）"""
+    global _db_instance
+    if _db_instance is None:
+        _db_instance = create_database()
+        await _db_instance.initialize()
+    return _db_instance

KiroProxy/kiro_proxy/core/persistence.py

@@ -1,69 +1,98 @@
-"""配置持久化"""
-import json
-from pathlib import Path
+"""配置持久化 - 支持文件系统和远程数据库"""
+import asyncio
 from typing import List, Dict, Any
+from .database import get_database
 
-# 统一使用 config.py 中的 DATA_DIR
-from ..config import DATA_DIR
+# 向后兼容的同步接口
+def save_accounts(accounts: List[Dict[str, Any]]) -> bool:
+    """保存账号配置（同步接口）"""
+    return asyncio.run(_save_accounts_async(accounts))
 
-# 配置文件路径
-CONFIG_DIR = DATA_DIR
-CONFIG_FILE = CONFIG_DIR / "config.json"
+def load_accounts() -> List[Dict[str, Any]]:
+    """加载账号配置（同步接口）"""
+    return asyncio.run(_load_accounts_async())
 
+def save_config(config: Dict[str, Any]) -> bool:
+    """保存完整配置（同步接口）"""
+    return asyncio.run(_save_config_async(config))
 
-def ensure_config_dir():
-    """确保配置目录存在"""
-    CONFIG_DIR.mkdir(parents=True, exist_ok=True)
+def load_config() -> Dict[str, Any]:
+    """加载完整配置（同步接口）"""
+    return asyncio.run(_load_config_async())
 
+def export_config() -> Dict[str, Any]:
+    """导出配置（用于备份）"""
+    return load_config()
 
-def save_accounts(accounts: List[Dict[str, Any]]) -> bool:
-    """保存账号配置"""
+def import_config(config: Dict[str, Any]) -> bool:
+    """导入配置（用于恢复）"""
+    return save_config(config)
+
+# 异步接口
+async def _save_accounts_async(accounts: List[Dict[str, Any]]) -> bool:
+    """保存账号配置（异步）"""
     try:
-        ensure_config_dir()
-        config = load_config()
-        config["accounts"] = accounts
-        with open(CONFIG_FILE, "w", encoding="utf-8") as f:
-            json.dump(config, f, indent=2, ensure_ascii=False)
-        return True
+        db = await get_database()
+        return await db.save_accounts(accounts)
     except Exception as e:
-        print(f"[Persistence] 保存配置失败: {e}")
+        print(f"[Persistence] 保存账号配置失败: {e}")
         return False
 
+async def _load_accounts_async() -> List[Dict[str, Any]]:
+    """加载账号配置（异步）"""
+    try:
+        db = await get_database()
+        return await db.load_accounts()
+    except Exception as e:
+        print(f"[Persistence] 加载账号配置失败: {e}")
+        return []
 
-def load_accounts() -> List[Dict[str, Any]]:
-    """加载账号配置"""
-    config = load_config()
-    return config.get("accounts", [])
-
+async def _save_config_async(config: Dict[str, Any]) -> bool:
+    """保存完整配置（异步）"""
+    try:
+        db = await get_database()
+        return await db.save_config(config)
+    except Exception as e:
+        print(f"[Persistence] 保存配置失败: {e}")
+        return False
 
-def load_config() -> Dict[str, Any]:
-    """加载完整配置"""
+async def _load_config_async() -> Dict[str, Any]:
+    """加载完整配置（异步）"""
     try:
-        if CONFIG_FILE.exists():
-            with open(CONFIG_FILE, "r", encoding="utf-8") as f:
-                return json.load(f)
+        db = await get_database()
+        return await db.load_config()
     except Exception as e:
         print(f"[Persistence] 加载配置失败: {e}")
-    return {}
+        return {}
 
-
-def save_config(config: Dict[str, Any]) -> bool:
-    """保存完整配置"""
+# 新增：管理员配置接口
+async def save_admin_config_async(admin_config: Dict[str, Any]) -> bool:
+    """保存管理员配置（异步）"""
     try:
-        ensure_config_dir()
-        with open(CONFIG_FILE, "w", encoding="utf-8") as f:
-            json.dump(config, f, indent=2, ensure_ascii=False)
-        return True
+        db = await get_database()
+        return await db.save_admin_config(admin_config)
     except Exception as e:
-        print(f"[Persistence] 保存配置失败: {e}")
+        print(f"[Persistence] 保存管理员配置失败: {e}")
         return False
 
+async def load_admin_config_async() -> Dict[str, Any]:
+    """加载管理员配置（异步）"""
+    try:
+        db = await get_database()
+        return await db.load_admin_config()
+    except Exception as e:
+        print(f"[Persistence] 加载管理员配置失败: {e}")
+        return {}
 
-def export_config() -> Dict[str, Any]:
-    """导出配置（用于备份）"""
-    return load_config()
+def save_admin_config(admin_config: Dict[str, Any]) -> bool:
+    """保存管理员配置（同步接口）"""
+    return asyncio.run(save_admin_config_async(admin_config))
 
+def load_admin_config() -> Dict[str, Any]:
+    """加载管理员配置（同步接口）"""
+    return asyncio.run(load_admin_config_async())
 
-def import_config(config: Dict[str, Any]) -> bool:
-    """导入配置（用于恢复）"""
-    return save_config(config)
+# 向后兼容：保留原有函数名
+def ensure_config_dir():
+    """确保配置目录存在（向后兼容，现在由数据库层处理）"""
+    pass

KiroProxy/kiro_proxy/routers/admin.py

@@ -1,12 +1,126 @@
-from fastapi import APIRouter, Request, HTTPException
+from fastapi import APIRouter, Request, HTTPException, Depends, Response
+from fastapi.responses import JSONResponse
 
 from ..core import get_history_config, get_rate_limiter, update_history_config
+from ..core.auth_middleware import require_admin_auth, optional_admin_auth
+from ..core.admin_auth import get_admin_auth, authenticate_admin, create_admin_session, revoke_admin_session
 from ..handlers import admin as admin_handler
 from ..resources import get_resource_path
 
 router = APIRouter(prefix="/api")
 
 
+# ==================== 认证相关端点 ====================
+
+@router.post("/auth/login")
+async def api_admin_login(request: Request, response: Response):
+    """管理员登录"""
+    try:
+        data = await request.json()
+        password = data.get("password")
+
+        if not password:
+            raise HTTPException(status_code=400, detail="密码不能为空")
+
+        if not authenticate_admin(password):
+            raise HTTPException(status_code=401, detail="密码错误")
+
+        # 创建会话
+        session_id = create_admin_session()
+
+        # 设置Cookie（可选，主要用Bearer Token）
+        response.set_cookie(
+            key="admin_session",
+            value=session_id,
+            max_age=24 * 60 * 60,  # 24小时
+            httponly=True,
+            secure=False,  # 在生产环境中应该设为True
+            samesite="lax"
+        )
+
+        return {
+            "success": True,
+            "session_id": session_id,
+            "message": "登录成功"
+        }
+
+    except HTTPException:
+        raise
+    except Exception as e:
+        raise HTTPException(status_code=500, detail=f"登录失败: {str(e)}")
+
+
+@router.post("/auth/logout")
+async def api_admin_logout(
+    response: Response,
+    session_id: str = Depends(require_admin_auth)
+):
+    """管理员登出"""
+    try:
+        # 撤销会话
+        revoke_admin_session(session_id)
+
+        # 清除Cookie
+        response.delete_cookie(key="admin_session")
+
+        return {
+            "success": True,
+            "message": "登出成功"
+        }
+
+    except Exception as e:
+        raise HTTPException(status_code=500, detail=f"登出失败: {str(e)}")
+
+
+@router.get("/auth/session")
+async def api_admin_session_info(session_id: str = Depends(require_admin_auth)):
+    """获取当前会话信息"""
+    try:
+        auth = get_admin_auth()
+        session_info = auth.get_session_info(session_id)
+
+        if not session_info:
+            raise HTTPException(status_code=401, detail="会话无效")
+
+        return {
+            "success": True,
+            "session": session_info
+        }
+
+    except HTTPException:
+        raise
+    except Exception as e:
+        raise HTTPException(status_code=500, detail=f"获取会话信息失败: {str(e)}")
+
+
+@router.get("/auth/sessions")
+async def api_admin_sessions(session_id: str = Depends(require_admin_auth)):
+    """获取所有活跃会话"""
+    try:
+        auth = get_admin_auth()
+        sessions = auth.get_active_sessions()
+
+        return {
+            "success": True,
+            "sessions": sessions
+        }
+
+    except Exception as e:
+        raise HTTPException(status_code=500, detail=f"获取会话列表失败: {str(e)}")
+
+
+@router.post("/auth/check")
+async def api_admin_auth_check(session_id: str = Depends(optional_admin_auth)):
+    """检查认证状态"""
+    return {
+        "authenticated": session_id is not None,
+        "session_id": session_id
+    }
+
+
+# ==================== 公开API（无需认证） ====================
+
+
 @router.get("/status")
 async def api_status():
     return await admin_handler.get_status()
@@ -27,28 +141,30 @@ async def api_logs(limit: int = 100):
     return await admin_handler.get_logs(limit)
 
 
+# ==================== 需要认证的管理员API ====================
+
 @router.get("/accounts/export")
-async def api_export_accounts():
+async def api_export_accounts(session_id: str = Depends(require_admin_auth)):
     return await admin_handler.export_accounts()
 
 
 @router.post("/accounts/import")
-async def api_import_accounts(request: Request):
+async def api_import_accounts(request: Request, session_id: str = Depends(require_admin_auth)):
     return await admin_handler.import_accounts(request)
 
 
 @router.post("/accounts/manual")
-async def api_add_manual_token(request: Request):
+async def api_add_manual_token(request: Request, session_id: str = Depends(require_admin_auth)):
     return await admin_handler.add_manual_token(request)
 
 
 @router.post("/accounts/batch")
-async def api_batch_import_accounts(request: Request):
+async def api_batch_import_accounts(request: Request, session_id: str = Depends(require_admin_auth)):
     return await admin_handler.batch_import_accounts(request)
 
 
 @router.post("/accounts/refresh-all")
-async def api_refresh_all():
+async def api_refresh_all(session_id: str = Depends(require_admin_auth)):
     return await admin_handler.refresh_all_tokens()
 
 
@@ -63,7 +179,7 @@ async def api_accounts_summary():
 
 
 @router.post("/accounts/refresh-all-quotas")
-async def api_refresh_all_quotas():
+async def api_refresh_all_quotas(session_id: str = Depends(require_admin_auth)):
     return await admin_handler.refresh_all_quotas()
 
 
@@ -73,7 +189,7 @@ async def api_refresh_progress():
 
 
 @router.post("/refresh/all")
-async def api_refresh_all_with_progress():
+async def api_refresh_all_with_progress(session_id: str = Depends(require_admin_auth)):
     return await admin_handler.refresh_all_with_progress()
 
 
@@ -83,7 +199,7 @@ async def api_get_refresh_config():
 
 
 @router.put("/refresh/config")
-async def api_update_refresh_config(request: Request):
+async def api_update_refresh_config(request: Request, session_id: str = Depends(require_admin_auth)):
     return await admin_handler.update_refresh_config(request)
 
 
@@ -98,22 +214,22 @@ async def api_accounts():
 
 
 @router.post("/accounts")
-async def api_add_account(request: Request):
+async def api_add_account(request: Request, session_id: str = Depends(require_admin_auth)):
     return await admin_handler.add_account(request)
 
 
 @router.delete("/accounts/{account_id}")
-async def api_delete_account(account_id: str):
+async def api_delete_account(account_id: str, session_id: str = Depends(require_admin_auth)):
     return await admin_handler.delete_account(account_id)
 
 
 @router.put("/accounts/{account_id}")
-async def api_update_account(account_id: str, request: Request):
+async def api_update_account(account_id: str, request: Request, session_id: str = Depends(require_admin_auth)):
     return await admin_handler.update_account(account_id, request)
 
 
 @router.post("/accounts/{account_id}/toggle")
-async def api_toggle_account(account_id: str):
+async def api_toggle_account(account_id: str, session_id: str = Depends(require_admin_auth)):
     return await admin_handler.toggle_account(account_id)
 
 

KiroProxy/requirements.txt

@@ -6,3 +6,8 @@ pytest>=7.0.0
 hypothesis>=6.0.0
 tiktoken>=0.5.0
 cbor2>=5.4.0
+
+# 数据库驱动（可选，根据DATABASE_URL自动选择）
+asyncpg>=0.28.0  # PostgreSQL
+aiomysql>=0.2.0  # MySQL
+aiosqlite>=0.19.0  # SQLite

README.md

@@ -0,0 +1,116 @@
+---
+title: KiroProxy
+emoji: 🚀
+colorFrom: blue
+colorTo: purple
+sdk: docker
+pinned: false
+license: mit
+short_description: Kiro IDE API 反向代理服务器 - 支持多账号管理和多协议转换
+app_port: 7860
+---
+
+# KiroProxy
+
+🚀 **Kiro IDE API 反向代理服务器** - 支持多账号管理和多协议转换
+
+## 功能特性
+
+- **多协议支持** - 兼容 OpenAI、Anthropic、Gemini 三种 API 协议
+- **多账号轮询** - 支持随机、轮询、会话粘性等选择策略
+- **自动 Token 管理** - 后台自动刷新即将过期的 Token
+- **配额管理** - 智能配额调度和超限冷却
+- **Web UI** - 内置管理界面，支持账号管理、监控、日志
+- **数据库支持** - 支持文件系统和远程SQL数据库存储
+- **管理员认证** - 安全的密码认证和会话管理系统
+
+## 快速开始
+
+### 本地运行
+
+```bash
+# 克隆项目
+git clone <repository-url>
+cd KiroProxy
+
+# 安装依赖
+pip install -r requirements.txt
+
+# 启动服务
+python run.py 8080
+```
+
+### Docker 部署
+
+```bash
+# 构建镜像
+docker build -t kiroproxy .
+
+# 运行容器
+docker run -p 7860:7860 \
+  -e ADMIN_PASSWORD=your_password \
+  -e DATABASE_URL=postgresql://user:pass@host:5432/db \
+  kiroproxy
+```
+
+### Hugging Face Space 部署
+
+1. Fork 此项目到你的 Hugging Face Space
+2. 在 Space 设置中配置环境变量：
+   - `ADMIN_PASSWORD`: 管理员密码
+   - `DATABASE_URL`: 远程数据库连接（可选）
+3. Space 将自动构建和部署
+
+## 环境变量配置
+
+参考 `.env.example` 文件了解所有可用的环境变量配置选项。
+
+### 核心配置
+
+- `ADMIN_PASSWORD`: 管理员面板密码（强烈推荐设置）
+- `DATABASE_URL`: 数据库连接URL（可选，支持PostgreSQL/MySQL/SQLite）
+- `PORT`: 服务器端口（默认：8080，Hugging Face Space使用7860）
+
+## 管理员面板
+
+访问 `http://localhost:8080` 进入管理界面。
+
+首次启动时：
+- 如果设置了 `ADMIN_PASSWORD` 环境变量，使用该密码登录
+- 如果未设置，系统会自动生成随机密码并在启动日志中显示
+
+## 数据存储
+
+### 文件系统存储（默认）
+- 配置存储在 `~/.kiro-proxy/` 目录
+- 适合本地开发和小规模部署
+
+### 远程数据库存储
+- 支持 PostgreSQL、MySQL、SQLite
+- 适合生产环境和多实例部署
+- 通过 `DATABASE_URL` 环境变量配置
+
+## API 协议支持
+
+### OpenAI 兼容
+```
+POST /v1/chat/completions
+```
+
+### Anthropic 兼容
+```
+POST /v1/messages
+```
+
+### Gemini 兼容
+```
+POST /v1beta/models/{model}:generateContent
+```
+
+## 许可证
+
+MIT License
+
+## 贡献
+
+欢迎提交 Issue 和 Pull Request！

README_HF.md

@@ -0,0 +1,9 @@
+title: KiroProxy
+emoji: 🚀
+colorFrom: blue
+colorTo: purple
+sdk: docker
+pinned: false
+license: mit
+short_description: Kiro IDE API 反向代理服务器 - 支持多账号管理和多协议转换
+app_port: 7860

requirements.txt

@@ -0,0 +1,13 @@
+fastapi>=0.100.0
+uvicorn>=0.23.0
+httpx>=0.24.0
+requests>=2.31.0
+pytest>=7.0.0
+hypothesis>=6.0.0
+tiktoken>=0.5.0
+cbor2>=5.4.0
+
+# 数据库驱动（可选，根据DATABASE_URL自动选择）
+asyncpg>=0.28.0  # PostgreSQL
+aiomysql>=0.2.0  # MySQL
+aiosqlite>=0.19.0  # SQLite