Add API key authentication for proxy endpoints.

Support multiple API keys from config, env, and CLI, enforce auth on non-public endpoints, and pass keys through remote deploy verification. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-08 13:08:27 +08:00
parent c1a0fe2949
commit 450faefaf9
8 changed files with 229 additions and 2 deletions
--- a/internal/service/service.go
+++ b/internal/service/service.go
@@ -53,6 +53,7 @@ type Config struct {
 	ShellType                  string
 	SessionMode                SessionMode
 	Timeout                    time.Duration
+	APIKeys                    []string
 	RemoteFallbackEnabled      bool
 	RemoteFallbackModels       []string
 	LingmaBootstrapEnabled     bool
@@ -185,6 +186,7 @@ func New(cfg Config) *Service {
 		cfg.Mode = "agent"
 	}
 	cfg.Model = strings.TrimSpace(cfg.Model)
+	cfg.APIKeys = cleanStringSlice(cfg.APIKeys)
 	if strings.TrimSpace(cfg.ShellType) == "" {
 		cfg.ShellType = lingmaipc.DefaultShellType()
 	}
@@ -247,6 +249,26 @@ func (s *Service) DefaultModel() string {
 	return strings.TrimSpace(s.cfg.Model)
 }

+func (s *Service) APIKeys() []string {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	return append([]string(nil), s.cfg.APIKeys...)
+}
+
+func cleanStringSlice(values []string) []string {
+	out := make([]string, 0, len(values))
+	seen := map[string]bool{}
+	for _, value := range values {
+		item := strings.TrimSpace(value)
+		if item == "" || seen[item] {
+			continue
+		}
+		seen[item] = true
+		out = append(out, item)
+	}
+	return out
+}
+
 func (s *Service) PrepareRuntime() error {
 	s.mu.Lock()
 	cfg := s.cfg