Compatible for getting auth token from client

[timqi]

💻 变更类型 | Change Type

• feat
• fix
• refactor
• perf
• style
• test
• docs
• ci
• chore
• build

🔀 变更说明 | Description of Change

注意到一些客户端尤其是 anthropic 相关的，使用 x-api-key 头来传递服务的 auth token，所以做此修改用来兼容这一种情况

Summary by CodeRabbit

• New Features

  • Enhanced authorization handling by supporting both Authorization and x-api-key headers for token retrieval.
  • Introduced a new GitHub Actions workflow for automated synchronization of commits and Docker image building.

• Bug Fixes

  • Maintained existing error handling for invalid or missing access codes and API keys.

• Chores

  • Retained logic for injecting system API keys when user API keys are not provided.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
nextchat	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Dec 6, 2024 7:37am

[vercel]

@timqi is attempting to deploy a commit to the NextChat Team on Vercel.

A member of the Team first needs to authorize it.

[coderabbitai]

Warning

Rate limit exceeded

@timqi has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 10 minutes and 52 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 04f0a1f and d826b37.

Walkthrough

The changes in this pull request involve modifications to the auth function in app/api/auth.ts, enhancing the handling of authorization tokens. The function now checks for an Authorization header and, if not present, looks for an x-api-key header, allowing for broader authorization methods. The existing logic for parsing API keys and error handling remains unchanged, ensuring that valid access codes and API keys are still verified against server configurations. The functionality for injecting a system API key when no user API key is provided is also retained. Additionally, a new GitHub Actions workflow has been introduced to automate the synchronization of commits from an upstream repository and the building of a Docker image.

Changes

File	Change Summary
app/api/auth.ts	Modified auth function to check for Authorization header and fallback to x-api-key. Maintained existing logic for parsing API keys and error handling. Retained system API key injection logic.
.github/workflows/timqi.yml	Introduced a new GitHub Actions workflow to automate synchronization of commits from an upstream repository and build a Docker image.

Possibly related PRs

• fix: #5429 Anthropic authentication_error CORS #5435: This PR modifies the request function in app/api/anthropic.ts, which may involve similar authorization mechanisms as the changes made to the auth function in app/api/auth.ts, particularly regarding header management for API requests.

Suggested reviewers

• lloydzhou
• Dogtiti

Poem

In the code where tokens play,
A rabbit hops and finds the way.
With headers checked both near and far,
Authorization shines like a star!
So let us cheer for changes bright,
Expanding access, what a delight! 🐇✨

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (1)

app/api/auth.ts (1)

28-29: Consider documenting supported authentication methods.

The auth function now supports two header variations (Authorization and x-api-key). Consider adding a comment or updating documentation to clarify the supported authentication methods.

Example comment:

+ // Supports both 'Authorization' and 'x-api-key' headers for authentication
+ // Format: Bearer <token> or direct API key
  const authToken =
    req.headers.get("Authorization") ?? req.headers.get("x-api-key") ?? "";

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 83cea3a and 54080c0.

📒 Files selected for processing (1)

• app/api/auth.ts (1 hunks)

🔇 Additional comments (1)

app/api/auth.ts (1)

28-29: LGTM! Verify security policies.

The addition of the x-api-key header fallback is a clean implementation that maintains backward compatibility while supporting clients that use this standard header.

Let's verify if there are any security policies or documentation about authentication methods:

✅ Verification successful

Let's examine the authentication implementation across the codebase to verify security policies and consistency.

---

**The x-api-key header addition is consistent with the codebase's authentication patterns **

The verification confirms that:

• The change aligns with the codebase's authentication patterns, particularly with Anthropic's client implementation which uses x-api-key
• The auth.ts implementation maintains proper security by:
  • Treating both headers equally in the token parsing logic
  • Applying the same validation rules for both headers
  • Preserving all existing security checks (access codes, API key restrictions)
• The change is backward compatible and follows the same security policies as the Authorization header

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for authentication documentation and security policies
echo "Searching for authentication documentation..."
rg -l -g '*.md' -i 'authentication|authorization|security|api.?key'

echo "Searching for other authentication header usages..."
rg -l 'Authorization|x-api-key' --type ts --type js

Length of output: 1119

---

Script:

#!/bin/bash
# Check authentication implementation in key files
echo "Checking auth.ts implementation..."
cat app/api/auth.ts

echo -e "\nChecking anthropic client implementation..."
cat app/client/platforms/anthropic.ts

echo -e "\nChecking common API authentication..."
cat app/api/common.ts

Length of output: 22334

[coderabbitai]

Actionable comments posted: 2

🧹 Outside diff range and nitpick comments (2)

.github/workflows/timqi.yml (2)

3-5: Consider restricting permissions scope

The current workflow has broad write permissions to repository contents. Consider limiting the permissions to only what's needed:

permissions:
-  contents: write
+  contents: write  # Needed for sync
+  packages: write  # Needed for Docker push

---

41-41: Remove trailing whitespace

There are trailing spaces on several lines that should be removed for cleaner YAML formatting.

Also applies to: 48-48, 58-58, 70-70, 73-73

🧰 Tools

🪛 yamllint (1.35.1)

[error] 41-41: trailing spaces

(trailing-spaces)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 54080c0 and 5697a10.

📒 Files selected for processing (1)

• .github/workflows/timqi.yml (1 hunks)

🧰 Additional context used

🪛 actionlint (1.7.4)

.github/workflows/timqi.yml

20-20: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

---

43-43: the runner of "docker/login-action@v2" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

---

51-51: the runner of "docker/metadata-action@v4" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

---

60-60: the runner of "docker/build-push-action@v4" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 yamllint (1.35.1)

.github/workflows/timqi.yml

[error] 1-1: wrong new line character: expected \n

(new-lines)

---

[error] 41-41: trailing spaces

(trailing-spaces)

---

[error] 48-48: trailing spaces

(trailing-spaces)

---

[error] 58-58: trailing spaces

(trailing-spaces)

---

[error] 70-70: trailing spaces

(trailing-spaces)

---

[error] 73-73: trailing spaces

(trailing-spaces)

🔇 Additional comments (3)

.github/workflows/timqi.yml (3)

12-15: LGTM! Fork detection is properly implemented

The job configuration correctly ensures the workflow only runs on forks using the if condition.

---

35-40: Well-documented error handling with bilingual support

The error messaging is clear and helpful, providing both English and Chinese instructions with documentation links.

---

23-34: Verify upstream repository configuration

The sync configuration looks good and uses secure token handling. However, let's verify the upstream repository path.

✅ Verification successful

Upstream repository configuration is valid and accessible

The upstream repository ChatGPTNextWeb/ChatGPT-Next-Web exists, is active (not archived), and its default branch is 'main' which matches the sync configuration.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Verify the upstream repository exists and is accessible
gh repo view ChatGPTNextWeb/ChatGPT-Next-Web --json name,isArchived,defaultBranchRef

Length of output: 168

[coderabbitai]

🛠️ Refactor suggestion

Update checkout action to v4

The actions/checkout action has a newer version available with security improvements and better performance.

- uses: actions/checkout@v3
+ uses: actions/checkout@v4

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Checkout target repo
	uses: actions/checkout@v3
	- name: Checkout target repo
	uses: actions/checkout@v4

🧰 Tools

🪛 actionlint (1.7.4)

20-20: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

[coderabbitai]

⚠️ Potential issue

Several improvements needed for Docker configuration

1. There are commented-out conditions (# if: steps.sync.outputs.has_new_commits == 'true') that should be either removed or uncommented.
2. Using only the latest tag is risky. Consider adding version-based tags.
3. Docker-related actions have newer versions available.

Apply these improvements:

- uses: docker/login-action@v2
+ uses: docker/login-action@v3

- uses: docker/metadata-action@v4
+ uses: docker/metadata-action@v5

- uses: docker/build-push-action@v4
+ uses: docker/build-push-action@v5

  tags: |
    type=raw,value=latest
+   type=sha,prefix={{date 'YYYYMMDD'}}-
+   type=semver,pattern={{version}}

Also, consider uncommenting the sync conditions to avoid unnecessary builds when there are no changes:

+ if: steps.sync.outputs.has_new_commits == 'true'

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Log in to Docker Hub
	uses: docker/login-action@v2
	# if: steps.sync.outputs.has_new_commits == 'true'
	with:
	username: ${{ secrets.DOCKER_USERNAME }}
	password: ${{ secrets.DOCKER_PASSWORD }}
	- name: Extract metadata (tags, labels) for Docker
	id: meta
	uses: docker/metadata-action@v4
	# if: steps.sync.outputs.has_new_commits == 'true'
	with:
	images: timqi/chatgpt-next-web
	tags: |
	type=raw,value=latest
	type=ref,event=tag
	- name: Build and push Docker image
	uses: docker/build-push-action@v4
	# if: steps.sync.outputs.has_new_commits == 'true'
	with:
	context: .
	platforms: linux/amd64
	push: true
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	cache-from: type=gha
	cache-to: type=gha,mode=max
	- name: Log in to Docker Hub
	uses: docker/login-action@v3
	if: steps.sync.outputs.has_new_commits == 'true'
	with:
	username: ${{ secrets.DOCKER_USERNAME }}
	password: ${{ secrets.DOCKER_PASSWORD }}
	- name: Extract metadata (tags, labels) for Docker
	id: meta
	uses: docker/metadata-action@v5
	if: steps.sync.outputs.has_new_commits == 'true'
	with:
	images: timqi/chatgpt-next-web
	tags: |
	type=raw,value=latest
	type=sha,prefix={{date 'YYYYMMDD'}}-
	type=semver,pattern={{version}}
	- name: Build and push Docker image
	uses: docker/build-push-action@v5
	if: steps.sync.outputs.has_new_commits == 'true'
	with:
	context: .
	platforms: linux/amd64
	push: true
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	cache-from: type=gha
	cache-to: type=gha,mode=max

🧰 Tools

🪛 actionlint (1.7.4)

43-43: the runner of "docker/login-action@v2" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

---

51-51: the runner of "docker/metadata-action@v4" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

---

60-60: the runner of "docker/build-push-action@v4" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 yamllint (1.35.1)

[error] 48-48: trailing spaces

(trailing-spaces)

---

[error] 58-58: trailing spaces

(trailing-spaces)

[coderabbitai]

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (3)

.github/workflows/timqi.yml (3)

3-4: Consider using more specific permissions

The current contents: write permission is broader than necessary. Consider limiting it to only the required permissions:

permissions:
-  contents: write
+  contents: read
+  pull-requests: write  # Required for sync action

---

35-40: Enhance error handling with status check

Consider adding a status check to distinguish between workflow file changes and other sync failures:

 - name: Sync check
   if: failure()
   run: |
+    if [[ "${{ steps.sync.outputs.has_workflow_changes }}" == "true" ]]; then
       echo "[Error] 由于上游仓库的 workflow 文件变更，导致 GitHub 自动暂停了本次自动更新，你需要手动 Sync Fork 一次，详细教程请查看：https://github.com/Yidadaa/ChatGPT-Next-Web/blob/main/README_CN.md#%E6%89%93%E5%BC%80%E8%87%AA%E5%8A%A8%E6%9B%B4%E6%96%B0"
       echo "[Error] Due to a change in the workflow file of the upstream repository, GitHub has automatically suspended the scheduled automatic update. You need to manually sync your fork. Please refer to the detailed tutorial for instructions: https://github.com/Yidadaa/ChatGPT-Next-Web#enable-automatic-updates"
+    else
+      echo "[Error] Sync failed for unknown reasons. Please check the action logs for more details."
+    fi
     exit 1

---

72-72: Consider adding multi-platform support

Currently building only for linux/amd64. Consider adding support for more platforms:

-platforms: linux/amd64
+platforms: linux/amd64,linux/arm64,linux/arm/v7

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 5697a10 and 0e0c554.

📒 Files selected for processing (1)

• .github/workflows/timqi.yml (1 hunks)

🧰 Additional context used

🪛 actionlint (1.7.4)

.github/workflows/timqi.yml

12-12: could not parse as YAML: yaml: line 12: did not find expected key

(syntax-check)

🪛 yamllint (1.35.1)

.github/workflows/timqi.yml

[error] 1-1: wrong new line character: expected \n

(new-lines)

---

[error] 41-41: trailing spaces

(trailing-spaces)

---

[warning] 46-46: wrong indentation: expected 6 but found 10

(indentation)

---

[error] 48-48: trailing spaces

(trailing-spaces)

---

[error] 49-49: syntax error: expected , but found ''

(syntax)

---

[error] 58-58: trailing spaces

(trailing-spaces)

---

[error] 78-78: trailing spaces

(trailing-spaces)

---

[error] 81-81: trailing spaces

(trailing-spaces)

🔇 Additional comments (2)

.github/workflows/timqi.yml (2)

19-20: Update checkout action to v4

The actions/checkout action has a newer version available with security improvements and better performance.

- uses: actions/checkout@v3
+ uses: actions/checkout@v4

---

43-43: Update Docker-related actions to latest versions

Several Docker-related actions are using outdated versions.

-uses: docker/login-action@v2
+uses: docker/login-action@v3

-uses: docker/metadata-action@v4
+uses: docker/metadata-action@v5

-uses: docker/setup-qemu-action@v2
+uses: docker/setup-qemu-action@v3

-uses: docker/setup-buildx-action@v2
+uses: docker/setup-buildx-action@v3

-uses: docker/build-push-action@v4
+uses: docker/build-push-action@v5

Also, consider adding version-based tags:

 tags: |
   type=raw,value=latest
+  type=sha,prefix={{date 'YYYYMMDD'}}-
+  type=semver,pattern={{version}}

Also applies to: 51-51, 60-60, 64-64, 68-68

[coderabbitai]

⚠️ Potential issue

Uncomment the sync condition checks

The commented out conditions # if: steps.sync.outputs.has_new_commits == 'true' should be uncommented to avoid unnecessary Docker operations when there are no changes:

-# if: steps.sync.outputs.has_new_commits == 'true'
+if: steps.sync.outputs.has_new_commits == 'true'

Also applies to: 52-52, 61-61, 65-65, 69-69

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (2)

.github/workflows/timqi.yml (2)

14-14: Specify Ubuntu version explicitly

Using ubuntu-latest may lead to unexpected behavior when Ubuntu releases new versions. Consider using a specific version for better stability.

-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04

---

1-79: Fix YAML formatting issues

There are several formatting issues in the file:

1. Incorrect indentation (e.g., line 46)
2. Trailing spaces (lines 41, 48, 58, 76, 79)

Consider using a YAML formatter to automatically fix these issues. For example:

yamlfmt -w .github/workflows/timqi.yml

🧰 Tools

🪛 actionlint (1.7.4)

12-12: could not parse as YAML: yaml: line 12: did not find expected key

(syntax-check)

🪛 yamllint (1.35.1)

[error] 1-1: wrong new line character: expected \n

(new-lines)

---

[error] 41-41: trailing spaces

(trailing-spaces)

---

[warning] 46-46: wrong indentation: expected 6 but found 10

(indentation)

---

[error] 48-48: trailing spaces

(trailing-spaces)

---

[error] 49-49: syntax error: expected , but found ''

(syntax)

---

[error] 58-58: trailing spaces

(trailing-spaces)

---

[error] 76-76: trailing spaces

(trailing-spaces)

---

[error] 79-79: trailing spaces

(trailing-spaces)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 0e0c554 and 04f0a1f.

📒 Files selected for processing (1)

• .github/workflows/timqi.yml (1 hunks)

🧰 Additional context used

🪛 actionlint (1.7.4)

.github/workflows/timqi.yml

12-12: could not parse as YAML: yaml: line 12: did not find expected key

(syntax-check)

🪛 yamllint (1.35.1)

.github/workflows/timqi.yml

[error] 1-1: wrong new line character: expected \n

(new-lines)

---

[error] 41-41: trailing spaces

(trailing-spaces)

---

[warning] 46-46: wrong indentation: expected 6 but found 10

(indentation)

---

[error] 48-48: trailing spaces

(trailing-spaces)

---

[error] 49-49: syntax error: expected , but found ''

(syntax)

---

[error] 58-58: trailing spaces

(trailing-spaces)

---

[error] 76-76: trailing spaces

(trailing-spaces)

---

[error] 79-79: trailing spaces

(trailing-spaces)

🔇 Additional comments (3)

.github/workflows/timqi.yml (3)

1-10: LGTM! Workflow configuration is well-structured.

The workflow configuration includes appropriate triggers (daily schedule and manual) with correct permissions setup.

🧰 Tools

🪛 yamllint (1.35.1)

[error] 1-1: wrong new line character: expected \n

(new-lines)

---

19-20: Update checkout action to v4

The actions/checkout action has a newer version available with security improvements and better performance.

- uses: actions/checkout@v3
+ uses: actions/checkout@v4

---

42-76: 🛠️ Refactor suggestion

Docker configuration needs several improvements

1. Uncomment the sync conditions to avoid unnecessary builds
2. Update Docker actions to latest versions
3. Consider adding more platform support
4. Enhance the tagging strategy

Apply these improvements:

- uses: docker/login-action@v2
+ uses: docker/login-action@v3

- uses: docker/metadata-action@v4
+ uses: docker/metadata-action@v5

- uses: docker/setup-qemu-action@v2
+ uses: docker/setup-qemu-action@v3

- uses: docker/setup-buildx-action@v2
+ uses: docker/setup-buildx-action@v3

- uses: docker/build-push-action@v4
+ uses: docker/build-push-action@v5

# Uncomment sync conditions
-# if: steps.sync.outputs.has_new_commits == 'true'
+if: steps.sync.outputs.has_new_commits == 'true'

# Enhance platform support
-          platforms: linux/amd64
+          platforms: linux/amd64,linux/arm64

# Improve tagging strategy
           tags: |
             type=raw,value=latest
+            type=sha,prefix={{date 'YYYYMMDD'}}-
             type=ref,event=tag
+            type=semver,pattern={{version}}

Likely invalid or redundant comment.

🧰 Tools

🪛 yamllint (1.35.1)

[warning] 46-46: wrong indentation: expected 6 but found 10

(indentation)

---

[error] 48-48: trailing spaces

(trailing-spaces)

---

[error] 49-49: syntax error: expected , but found ''

(syntax)

---

[error] 58-58: trailing spaces

(trailing-spaces)

---

[error] 76-76: trailing spaces

(trailing-spaces)