✨ feat(cli): support api key auth in cli#13190
@cy948 is attempting to deploy a commit to the LobeHub OSS Team on Vercel. A member of the Team first needs to authorize it.

@tjx666 @nekomeowww - This PR adds API key auth support for the CLI and updates the server-side tRPC lambda context. Please coordinate on review.
Codecov Report: ❌ Patch coverage is

Coverage diff (canary vs. #13190):

| | canary | #13190 | +/- |
|---|---|---|---|
| Coverage | 72.16% | 74.25% | +2.08% |
| Files | 1471 | 1553 | +82 |
| Lines | 115393 | 127437 | +12044 |
| Branches | 15171 | 14070 | -1101 |
| Hits | 83275 | 94629 | +11354 |
| Misses | 32007 | 32697 | +690 |
| Partials | 111 | 111 | |
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ee4bb72eeb
```ts
if (credentials.tokenType === 'apiKey') {
  return { token: credentials.apiKey, tokenType: 'apiKey', userId: credentials.userId };
```
Prevent API keys from being sent to gateway auth
Returning stored API-key credentials here makes lh connect send a raw API key as the gateway auth token, but the gateway auth path only accepts SERVICE_TOKEN or a JWT (it calls verifyDesktopToken → jwtVerify in apps/device-gateway/src/DeviceGatewayDO.ts and apps/device-gateway/src/auth.ts). In the API-key-login flow this will consistently fail with auth_failed, so users who log in via --api-key cannot actually connect.
```ts
if (credentials.tokenType !== 'jwt') return null;
if (typeof credentials.accessToken !== 'string') return null;
```
Preserve backward compatibility for legacy JWT credentials
This loader now rejects any decrypted credential object that lacks tokenType, but pre-change JWT credentials were persisted without that field. After upgrading, existing encrypted credential files are treated as invalid and all CLI commands behave as logged out until users manually run lh login again. Treating missing tokenType as legacy JWT would avoid this regression.
```ts
}

export async function getAuthInfo(): Promise<AuthInfo> {
  if (process.env[CLI_API_KEY_ENV]) {
```
This check should not happen here; instead, only after `!result`, if an API_KEY is detected, should a reminder be shown. The current implementation blocks some users who log in normally via OIDC.
```ts
}

// Token expired — try refresh
// Token expired, try refresh
```
```ts
import { loadSettings } from '../settings';
import { log } from '../utils/logger';

const CLI_API_KEY_ENV = 'LOBEHUB_CLI_API_KEY';
```
```ts
}

const timeout = Number.parseInt(options.timeout || '10000', 10);
const serverUrl = (settings?.serverUrl || OFFICIAL_SERVER_URL).replace(/\/$/, '');
```
serverUrl should be handled by one shared helper method; right now this same handling logic is repeated in many places, which is not clean.

❤️ Great PR @cy948 ❤️ The growth of the project is inseparable from user feedback and contribution, thanks for your contribution! If you are interested in the lobehub developer community, please join our discord and then dm @arvinxx or @canisminor1990. They will invite you to our private developer channel. We are talking about the lobe-chat development or sharing ai newsletter around the world.
# 🚀 release: 20260326

This release includes **91 commits**. Key updates are below.

- **Agent can now execute background tasks** — Agents can perform long-running operations without blocking your conversation. [#13289](#13289)
- **Better error messages** — Redesigned error UI across chat and image generation with clearer explanations and recovery options. [#13302](#13302)
- **Smoother topic switching** — No more full page reloads when switching topics while an agent is responding. [#13309](#13309)
- **Faster image uploads** — Large images are now automatically compressed to 1920px before upload, reducing wait times. [#13224](#13224)
- **Improved knowledge base** — Documents are now properly parsed before chunking, improving retrieval accuracy. [#13221](#13221)

### Bot Platform

- **WeChat Bot support** — You can now connect LobeChat to WeChat, in addition to Discord. [#13191](#13191)
- **Richer bot responses** — Bots now support custom markdown rendering and context injection. [#13294](#13294)
- **New bot commands** — Added `/new` to start fresh conversations and `/stop` to halt generation. [#13194](#13194)
- **Discord stability fixes** — Fixed thread creation issues and Redis connection drops. [#13228](#13228) [#13205](#13205)

### Models & Providers

- **GLM-5** is now available in the LobeHub model list. [#13189](#13189)
- **Coding Plan providers** — Added support for code planning assistant providers. [#13203](#13203)
- **Tencent Hunyuan 3.0 ImageGen** — New image generation model from Tencent. [#13166](#13166)
- **Gemini content handling** — Better handling when Gemini blocks content due to safety filters. [#13270](#13270)
- **Claude token limits fixed** — Corrected max window tokens for Anthropic Claude models. [#13206](#13206)

### Skills & Tools

- **Auto credential injection** — Skills can now automatically request and use required credentials. [#13124](#13124)
- **Smarter tool permissions** — Built-in tools skip confirmation for safe paths like `/tmp`. [#13232](#13232)
- **Model switcher improvements** — Quick access to provider settings and visual highlight for default model. [#13220](#13220)

### Memory

- **Bulk delete memories** — You can now delete all memory entries at once. [#13161](#13161)
- **Per-agent memory control** — Memory injection now respects individual agent settings. [#13265](#13265)

### Desktop App

- **Gateway connection** — Desktop app can now connect to LobeHub Gateway for enhanced features. [#13234](#13234)
- **Connection status indicator** — See gateway connection status in the titlebar. [#13260](#13260)
- **Settings persistence** — Gateway toggle state now persists across app restarts. [#13300](#13300)

### CLI

- **API key authentication** — CLI now supports API key auth for programmatic access. [#13190](#13190)
- **Shell completion** — Tab completion for bash/zsh/fish shells. [#13164](#13164)
- **Man pages** — Built-in manual pages for CLI commands. [#13200](#13200)

### Security

- **XSS protection** — Sanitized search result image titles to prevent script injection. [#13303](#13303)
- **Workflow hardening** — Fixed potential shell injection in release automation. [#13319](#13319)
- **Dependency update** — Updated nodemailer to address security advisory. [#13326](#13326)

### Bug Fixes

- Fixed skill page not redirecting correctly after import. [#13255](#13255) [#13261](#13261)
- Fixed token counting in group chats. [#13247](#13247)
- Fixed editor not resetting when switching to empty pages. [#13229](#13229)
- Fixed manual tool toggle not working. [#13218](#13218)
- Fixed Search1API response parsing. [#13207](#13207) [#13208](#13208)
- Fixed mobile topic menus rendering issues. [#12477](#12477)
- Fixed history count calculation for accurate context. [#13051](#13051)
- Added missing Turkish translations. [#13196](#13196)

### Credits

Huge thanks to these contributors: @bakiburakogun @hardy-one @Zhouguanyang @sxjeru @hezhijie0327 @arvinxx @cy948 @CanisMinor @Innei @lijian @lobehubbot @neko @rdmclin2 @rivertwilight @tjx666
🔗 Related Issue
close LOBE-6247
🔀 Description of Change
LOBEHUB_CLI_API_KEY, then skip login and only save --server (if provided), for later use by connect.
on tokenType for validation and parsing.
new logic.
use the saved userId; for a JWT, parse it from sub.
old path.
so that lh connect can directly reuse the local API-key login state.
handle the different semantics of API keys differently: a JWT can still attempt a refresh, while an API key can only log in again.
inject the corresponding userId; this also fixes a security issue: after API-key validation fails, there is no longer a fallback to OIDC or session.
cases; compared with canary, no further useless test changes needing removal were found.
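Added example, not lobe-chat's own code, of the two behaviours raised in the Codex note on legacy credentials and in the description above: a loader that treats a decrypted record without `tokenType` as a legacy JWT instead of rejecting it, and a resolver that asks for a refresh on an expired JWT but treats a rejected API key as final, with no fallback to another auth method. The names `loadCredentials`, `resolveAuth`, `jwtSub`, `validateApiKey` and the credential shapes are assumptions.

```typescript
// Added illustration, not lobe-chat's own code; all names and shapes are assumptions.
type Credentials =
  | { tokenType: 'jwt'; accessToken: string; expiresAt: number }
  | { tokenType: 'apiKey'; apiKey: string; userId: string };
type Outcome =
  | { status: 'ok'; userId: string }
  | { status: 'expired'; action: 'refresh' } // JWT: a refresh may still succeed
  | { status: 'invalid'; action: 'login' }; // API key rejected or token unusable: log in again

// Normalise a decrypted credential object. Records persisted before the tokenType
// field existed carry none; treat them as legacy JWT instead of rejecting them,
// so an upgrade does not log every existing user out.
export function loadCredentials(raw: unknown): Credentials | null {
  if (typeof raw !== 'object' || raw === null) return null;
  const c = raw as { tokenType?: string; accessToken?: string; apiKey?: string; userId?: string; expiresAt?: number };
  const tokenType = c.tokenType ?? 'jwt'; // missing field => legacy JWT record
  if (tokenType === 'apiKey') {
    if (typeof c.apiKey !== 'string' || typeof c.userId !== 'string') return null;
    return { tokenType: 'apiKey', apiKey: c.apiKey, userId: c.userId };
  }
  if (tokenType !== 'jwt' || typeof c.accessToken !== 'string') return null;
  return { tokenType: 'jwt', accessToken: c.accessToken, expiresAt: c.expiresAt ?? 0 };
}

// Read the sub claim from a JWT payload (base64url middle segment). This only
// decodes; signature verification stays on the server, not in the CLI.
export function jwtSub(token: string): string | null {
  try {
    const payload = JSON.parse(Buffer.from(token.split('.')[1] ?? '', 'base64url').toString('utf8'));
    return typeof payload.sub === 'string' ? payload.sub : null;
  } catch {
    return null;
  }
}

// Decide what the CLI does with stored credentials. validateApiKey stands in for
// the server-side key check (assumed); a rejected key is final and never falls
// back to another auth method. A JWT is used until expiry, then refreshed; an
// API key has no refresh path, so its only recovery is logging in again.
export function resolveAuth(creds: Credentials, now: number, validateApiKey: (key: string) => string | null): Outcome {
  if (creds.tokenType === 'apiKey') {
    const userId = validateApiKey(creds.apiKey);
    return userId ? { status: 'ok', userId } : { status: 'invalid', action: 'login' };
  }
  if (creds.expiresAt <= now) return { status: 'expired', action: 'refresh' };
  const userId = jwtSub(creds.accessToken);
  return userId ? { status: 'ok', userId } : { status: 'invalid', action: 'login' };
}
```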