feat(server): Add api key handler

2026-06-20 13:00:39 +00:00 · 2026-04-22 20:50:17 +08:00
parent 7d7562d191
commit 31ffd98166
4 changed files with 176 additions and 0 deletions
@@ -24,6 +24,9 @@
    // Default PBKDF2 iterations for account creation/prelogin fallback.
    // 账户创建与预登录回退使用的默认 PBKDF2 迭代次数。
    defaultKdfIterations: 600000,
    // clientSecret length
    // clientSecret 长度
    clientSecretLength: 30,
  },
  rateLimit: {
    // Max failed login attempts before temporary lock.
@@ -209,6 +209,7 @@ export async function handleRegister(request: Request, env: Env): Promise<Respon
    verifyDevices: true,
    totpSecret: null,
    totpRecoveryCode: null,
    apiKey: null,
    createdAt: now,
    updatedAt: now,
  };
@@ -751,3 +752,64 @@ export async function handleVerifyPassword(request: Request, env: Env, userId: s
  return new Response(null, { status: 200 });
 }
 // POST /api/accounts/api-key
 export async function handleGetApiKey(request: Request, env: Env, userId: string): Promise<Response>{
  return apiKey(request, env, userId, false);
 }
 // POST /api/accounts/rotate-api-key
 export async function handleRotateApiKey(request: Request, env: Env, userId: string): Promise<Response> {
  return apiKey(request, env, userId, true);
 }
 async function apiKey(request: Request, env: Env, userId: string,rotate: boolean): Promise<Response> {
  const storage = new StorageService(env.DB);
  const auth = new AuthService(env);
  const user = await storage.getUserById(userId);
  if (!user) return errorResponse('User not found', 404);
  let body: Record<string, string | undefined>;
  try {
    const contentType = request.headers.get('content-type') || '';
    if (contentType.includes('application/x-www-form-urlencoded')) {
      const formData = await request.formData();
      body = Object.fromEntries(formData.entries()) as Record<string, string>;
    } else {
      body = await request.json();
    }
  } catch {
    return errorResponse('Invalid JSON', 400);
  }
  const currentHash = String(body.masterPasswordHash || body.master_password_hash || body.password || '').trim();
  if (!currentHash) return errorResponse('masterPasswordHash is required', 400);
  const valid = await auth.verifyPassword(currentHash, user.masterPasswordHash, user.email);
  if (!valid) return errorResponse('Invalid password', 400);
  if (rotate || user.apiKey === null) {
    // Upstream apikeys are 30-character random alphanumeric strings
    user.apiKey = randomStringAlphanum(LIMITS.auth.clientSecretLength);
    user.updatedAt = new Date().toISOString();
    await storage.saveUser(user);
  }
  return  jsonResponse({
    apiKey: user.apiKey,
    revisionDate: user.updatedAt, 
    object: 'apiKey',
  }); 
 }
 // Generate a random alphanumeric string of the given length using crypto.getRandomValues.
 function randomStringAlphanum(length: number): string {
  const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
  const array = new Uint8Array(length);
  crypto.getRandomValues(array);
  let result = "";
  for (let i = 0; i < length; i++) {
    result += chars[array[i] % chars.length];
  }
  return result;
 }
@@ -361,6 +361,94 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
      ? withWebRefreshCookie(request, baseResponse, refreshToken)
      : baseResponse;
  } else if (grantType === 'client_credentials') {
    // Login with client credentials
    const clientId = body.client_id;
    const clientSecret = body.client_secret;
    const scope = body.scope;
    const deviceInfo = readAuthRequestDeviceInfo(body, request);
    const loginIdentifier = `${clientIdentifier}:${clientId}`;
    const parmValid = checkClientCredentialsParam(clientId, clientSecret, scope);
    if (!parmValid) {
      return identityErrorResponse('Parameter error', 'invalid_request', 400);
    }
    // Check login lockout before user lookup to reduce user-enumeration signal
    const loginCheck = await rateLimit.checkLoginAttempt(loginIdentifier);
    if (!loginCheck.allowed) {
      return identityErrorResponse(
        `Too many failed login attempts. Try again in ${Math.ceil(loginCheck.retryAfterSeconds! / 60)} minutes.`,
        'TooManyRequests',
        429
      );
    }
    const uid = clientId.slice(5);
    const user = await storage.getUserById(uid);
    if (!user) {
      await rateLimit.recordFailedLogin(loginIdentifier);
      return identityErrorResponse('ClientId or clientSecret is incorrect. Try again', 'invalid_grant', 400);
    }
    if (user.status !== 'active') {
      await rateLimit.recordFailedLogin(loginIdentifier);
      return identityErrorResponse('Account is disabled', 'invalid_grant', 400);
    }
     // Persist device only after successful password + (optional) 2FA verification.
    const deviceSession =
      deviceInfo.deviceIdentifier
        ? { identifier: deviceInfo.deviceIdentifier, sessionStamp: generateUUID() }
        : null;
    if (deviceSession) {
      await storage.upsertDevice(
        user.id,
        deviceSession.identifier,
        deviceInfo.deviceName,
        deviceInfo.deviceType,
        deviceSession.sessionStamp
      );
    }
    // Successful login - clear failed attempts
    await rateLimit.clearLoginAttempts(loginIdentifier);
    const accessToken = await auth.generateAccessToken(user, deviceSession);
    const refreshToken = await auth.generateRefreshToken(user.id, deviceSession);
    const accountKeys = buildAccountKeys(user);
    const userDecryptionOptions = buildUserDecryptionOptions(user);
    const response: TokenResponse = {
      access_token: accessToken,
      expires_in: LIMITS.auth.accessTokenTtlSeconds,
      token_type: 'Bearer',
      ...(shouldUseWebSession(request) ? { web_session: true } : { refresh_token: refreshToken } ),
      Key: user.key,
      PrivateKey: user.privateKey,
      AccountKeys: accountKeys,
      accountKeys: accountKeys,
      Kdf: user.kdfType,
      KdfIterations: user.kdfIterations,
      KdfMemory: user.kdfMemory,
      KdfParallelism: user.kdfParallelism,
      ForcePasswordReset: false,
      ResetMasterPassword: false,
      MasterPasswordPolicy: {
        Object: 'masterPasswordPolicy',
      },
      ApiUseKeyConnector: false,
      scope: 'api offline_access',
      unofficialServer: true,
      UserDecryptionOptions: userDecryptionOptions,
      userDecryptionOptions: userDecryptionOptions,
    };
    const baseResponse = jsonResponse(response);
    return shouldUseWebSession(request)
      ? withWebRefreshCookie(request, baseResponse, refreshToken)
      : baseResponse;
  } else if (grantType === 'send_access') {
    const sendAccessLimit = await rateLimit.consumeBudget(`${clientIdentifier}:public`, LIMITS.rateLimit.publicRequestsPerMinute);
    if (!sendAccessLimit.allowed) {
@@ -553,3 +641,16 @@ export async function handleRevocation(request: Request, env: Env): Promise<Resp
    ? withWebRefreshCookie(request, baseResponse, null)
    : baseResponse;
 }
 export function checkClientCredentialsParam(clientId: string, clientSecret: string, scope: string): boolean {
  if (scope !== "api") {
    return false;
  }
  if (!clientId.startsWith("user.")) {
    return false;
  }
  if (!clientSecret) {
    return false;
  }
  return true;
 }
@@ -11,6 +11,8 @@ import {
  handleGetTotpStatus,
  handleSetTotpStatus,
  handleGetTotpRecoveryCode,
  handleGetApiKey,
  handleRotateApiKey,
 } from './handlers/accounts';
 import {
  handleGetCiphers,
@@ -119,6 +121,14 @@ export async function handleAuthenticatedRoute(
    return handleSetVerifyDevices(request, env, userId);
  }
  if (path === '/api/accounts/api_key' && method === 'POST') {
    return handleGetApiKey(request, env, userId);
  }
  if (path === '/api/accounts/rotate_api_key' && method === 'POST') {
    return handleRotateApiKey(request, env, userId);
  }
  if (path === '/api/sync' && method === 'GET') {
    return handleSync(request, env, userId);
  }