chatgpt2api / services /auth_service.py
tx1538's picture
Upload 179 files
9d7ddb9 verified
Raw
History Blame
9.92 kB
from __future__ import annotations
import hashlib
import hmac
import secrets
import uuid
from datetime import datetime, timezone
from threading import Lock
from typing import Literal
from services.config import config
from services.storage.base import StorageBackend
AuthRole = Literal["admin", "user"]
def _now_iso() -> str:
return datetime.now(timezone.utc).isoformat()
def _hash_key(value: str) -> str:
return hashlib.sha256(value.encode("utf-8")).hexdigest()
class AuthService:
def __init__(self, storage: StorageBackend):
self.storage = storage
self._lock = Lock()
self._items = self._load()
self._last_used_flush_at: dict[str, datetime] = {}
@staticmethod
def _clean(value: object) -> str:
return str(value or "").strip()
@staticmethod
def _default_name(role: object) -> str:
return "管理员密钥" if str(role or "").strip().lower() == "admin" else "普通用户"
def _normalize_item(self, raw: object) -> dict[str, object] | None:
if not isinstance(raw, dict):
return None
role = self._clean(raw.get("role")).lower()
if role not in {"admin", "user"}:
return None
key_hash = self._clean(raw.get("key_hash"))
if not key_hash:
return None
item_id = self._clean(raw.get("id")) or uuid.uuid4().hex[:12]
name = self._clean(raw.get("name")) or self._default_name(role)
created_at = self._clean(raw.get("created_at")) or _now_iso()
last_used_at = self._clean(raw.get("last_used_at")) or None
return {
"id": item_id,
"name": name,
"role": role,
"key_hash": key_hash,
"enabled": bool(raw.get("enabled", True)),
"created_at": created_at,
"last_used_at": last_used_at,
}
def _load(self) -> list[dict[str, object]]:
try:
items = self.storage.load_auth_keys()
except Exception:
return []
if not isinstance(items, list):
return []
return [normalized for item in items if (normalized := self._normalize_item(item)) is not None]
def _save(self) -> None:
self.storage.save_auth_keys(self._items)
def _reload_locked(self) -> None:
self._items = self._load()
@staticmethod
def _public_item(item: dict[str, object]) -> dict[str, object]:
return {
"id": item.get("id"),
"name": item.get("name"),
"role": item.get("role"),
"enabled": bool(item.get("enabled", True)),
"created_at": item.get("created_at"),
"last_used_at": item.get("last_used_at"),
}
def list_keys(self, role: AuthRole | None = None) -> list[dict[str, object]]:
with self._lock:
self._reload_locked()
items = [item for item in self._items if role is None or item.get("role") == role]
return [self._public_item(item) for item in items]
def _has_key_hash_locked(self, key_hash: str, *, exclude_id: str = "") -> bool:
for item in self._items:
item_id = self._clean(item.get("id"))
if exclude_id and item_id == exclude_id:
continue
stored_hash = self._clean(item.get("key_hash"))
if stored_hash and hmac.compare_digest(stored_hash, key_hash):
return True
return False
def _build_key_hash_locked(self, raw_key: str, *, exclude_id: str = "") -> str:
candidate = self._clean(raw_key)
if not candidate:
raise ValueError("请输入新的专用密钥")
admin_key = self._clean(config.auth_key)
if admin_key and hmac.compare_digest(candidate, admin_key):
raise ValueError("这个密钥和管理员密钥冲突了,请换一个新的密钥")
key_hash = _hash_key(candidate)
if self._has_key_hash_locked(key_hash, exclude_id=exclude_id):
raise ValueError("这个专用密钥已经存在,请换一个新的密钥")
return key_hash
def _has_name_locked(self, name: str, *, role: AuthRole | None = None, exclude_id: str = "") -> bool:
candidate = self._clean(name)
if not candidate:
return False
for item in self._items:
item_id = self._clean(item.get("id"))
if exclude_id and item_id == exclude_id:
continue
if role is not None and item.get("role") != role:
continue
if self._clean(item.get("name")) == candidate:
return True
return False
def _build_default_name_locked(self, role: AuthRole, *, exclude_id: str = "") -> str:
base_name = self._default_name(role)
if not self._has_name_locked(base_name, role=role, exclude_id=exclude_id):
return base_name
suffix = 2
while True:
candidate = f"{base_name} {suffix}"
if not self._has_name_locked(candidate, role=role, exclude_id=exclude_id):
return candidate
suffix += 1
def _build_name_locked(self, name: str, *, role: AuthRole, exclude_id: str = "") -> str:
candidate = self._clean(name)
if not candidate:
return self._build_default_name_locked(role, exclude_id=exclude_id)
if self._has_name_locked(candidate, role=role, exclude_id=exclude_id):
raise ValueError("这个名称已经在使用中了,换一个更容易区分的名称吧")
return candidate
def create_key(self, *, role: AuthRole, name: str = "") -> tuple[dict[str, object], str]:
with self._lock:
self._reload_locked()
normalized_name = self._build_name_locked(name, role=role)
while True:
raw_key = f"sk-{secrets.token_urlsafe(24)}"
try:
key_hash = self._build_key_hash_locked(raw_key)
break
except ValueError:
continue
item = {
"id": uuid.uuid4().hex[:12],
"name": normalized_name,
"role": role,
"key_hash": key_hash,
"enabled": True,
"created_at": _now_iso(),
"last_used_at": None,
}
self._items.append(item)
self._save()
return self._public_item(item), raw_key
def update_key(
self,
key_id: str,
updates: dict[str, object],
*,
role: AuthRole | None = None,
) -> dict[str, object] | None:
normalized_id = self._clean(key_id)
if not normalized_id:
return None
with self._lock:
self._reload_locked()
for index, item in enumerate(self._items):
if item.get("id") != normalized_id:
continue
if role is not None and item.get("role") != role:
return None
next_item = dict(item)
next_role = "admin" if str(next_item.get("role") or "").strip().lower() == "admin" else "user"
if "name" in updates and updates.get("name") is not None:
next_item["name"] = self._build_name_locked(
str(updates.get("name") or ""),
role=next_role,
exclude_id=normalized_id,
)
if "enabled" in updates and updates.get("enabled") is not None:
next_item["enabled"] = bool(updates.get("enabled"))
if "key" in updates and updates.get("key") is not None:
next_item["key_hash"] = self._build_key_hash_locked(str(updates.get("key") or ""), exclude_id=normalized_id)
self._items[index] = next_item
self._save()
return self._public_item(next_item)
return None
def delete_key(self, key_id: str, *, role: AuthRole | None = None) -> bool:
normalized_id = self._clean(key_id)
if not normalized_id:
return False
with self._lock:
self._reload_locked()
before = len(self._items)
self._items = [
item
for item in self._items
if not (item.get("id") == normalized_id and (role is None or item.get("role") == role))
]
if len(self._items) == before:
return False
self._save()
return True
def authenticate(self, raw_key: str) -> dict[str, object] | None:
candidate = self._clean(raw_key)
if not candidate:
return None
candidate_hash = _hash_key(candidate)
with self._lock:
for index, item in enumerate(self._items):
if not bool(item.get("enabled", True)):
continue
stored_hash = self._clean(item.get("key_hash"))
if not stored_hash or not hmac.compare_digest(stored_hash, candidate_hash):
continue
next_item = dict(item)
now = datetime.now(timezone.utc)
next_item["last_used_at"] = now.isoformat()
self._items[index] = next_item
item_id = self._clean(next_item.get("id"))
last_flush_at = self._last_used_flush_at.get(item_id)
if last_flush_at is None or (now - last_flush_at).total_seconds() >= 60:
try:
self._save()
self._last_used_flush_at[item_id] = now
except Exception:
pass
return self._public_item(next_item)
return None
auth_service = AuthService(config.get_storage_backend())