admin/Hermes-ui
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: auth bypass, SPA serving, and provider improvements (#97)

Browse Source 
* feat(chat): polish syntax highlighting and tool payload rendering (#94)

* [verified] feat(chat): polish syntax highlighting and tool payload rendering

* [verified] fix(chat): tighten large tool payload rendering

* docs: update data volume path in Docker docs

Align documentation with docker-compose.yml change:
hermes-web-ui-data -> hermes-web-ui, /app/dist/data -> /root/.hermes-web-ui

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: bundle server build and restructure service modules

- Add build-server.mjs script for standalone server compilation
- Add logger service with structured output
- Restructure auth, gateway-manager, hermes-cli, hermes services
- Update docker-compose volume mount path
- Update tsconfig and entry point for bundled server

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: separate controllers from routes and centralize route registration

- Extract business logic from route handlers into controllers/
- Add centralized route registry in routes/index.ts with public/auth/protected layers
- Replace global auth whitelist with sequential middleware registration
- Extract shared helpers to services/config-helpers.ts
- Allow custom provider name to be user-editable in ProviderFormModal
- Deduplicate custom providers by poolKey instead of base_url in getAvailable

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: auth bypass via path case, SPA serving, and provider improvements

- Fix auth bypass: path case-insensitive check for /api, /v1, /upload
- Fix SPA returning 401: skip auth for non-API paths (static files)
- Fix profile switch: use local loading state instead of shared store ref
- Auto-append /v1 to base_url when fetching models (frontend + backend)
- Guard .env writing to built-in providers only
- Add builtin field to provider presets, enable base_url input in form
- Print auth token to console on startup (pino only writes to file)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Zhicheng Han <43314240+hanzckernel@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
ekko
2026-04-21 12:35:48 +08:00
committed by GitHub
parent 21296a416b
commit 477af66232
65 changed files with 2743 additions and 2621 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/server/src/routes/hermes/weixin.ts
+4 -133
View File
@@ -1,137 +1,8 @@
import Router from '@koa/router'
import axios from 'axios'
import { readFile, writeFile } from 'fs/promises'
import { chmod } from 'fs/promises'
import { resolve } from 'path'
import { restartGateway } from '../../services/hermes/hermes-cli'
import { getActiveEnvPath } from '../../services/hermes/hermes-profile'
const envPath = () => getActiveEnvPath()
const ILINK_BASE = 'https://ilinkai.weixin.qq.com'
import * as ctrl from '../../controllers/hermes/weixin'
export const weixinRoutes = new Router()
// GET /api/weixin/qrcode — fetch QR code from Tencent iLink API
weixinRoutes.get('/api/hermes/weixin/qrcode', async (ctx) => {
try {
const res = await axios.get(`${ILINK_BASE}/ilink/bot/get_bot_qrcode`, {
params: { bot_type: 3 },
timeout: 15000,
})
const data = res.data
if (!data || !data.qrcode) {
ctx.status = 500
ctx.body = { error: 'Failed to get QR code' }
return
}
ctx.body = {
qrcode: data.qrcode,
qrcode_url: data.qrcode_img_content,
}
} catch (err: any) {
ctx.status = 500
ctx.body = { error: err.message || 'Failed to connect to iLink API' }
}
})
// GET /api/weixin/qrcode/status — poll QR scan status
weixinRoutes.get('/api/hermes/weixin/qrcode/status', async (ctx) => {
const qrcode = ctx.query.qrcode as string
if (!qrcode) {
ctx.status = 400
ctx.body = { error: 'Missing qrcode parameter' }
return
}
try {
const res = await axios.get(`${ILINK_BASE}/ilink/bot/get_qrcode_status`, {
params: { qrcode },
timeout: 35000,
})
const data = res.data
const status = data?.status || 'wait'
ctx.body = { status }
// If confirmed, return credentials so frontend can save them
if (status === 'confirmed') {
ctx.body = {
status: 'confirmed',
account_id: data.ilink_bot_id,
token: data.bot_token,
base_url: data.baseurl,
}
}
} catch (err: any) {
ctx.status = 500
ctx.body = { error: err.message || 'Failed to poll QR status' }
}
})
// POST /api/weixin/save — save weixin credentials to .env
weixinRoutes.post('/api/hermes/weixin/save', async (ctx) => {
const { account_id, token, base_url } = ctx.request.body as {
account_id: string
token: string
base_url?: string
}
if (!account_id || !token) {
ctx.status = 400
ctx.body = { error: 'Missing account_id or token' }
return
}
try {
let raw: string
try {
raw = await readFile(envPath(), 'utf-8')
} catch {
raw = ''
}
const entries: Record<string, string> = {
WEIXIN_ACCOUNT_ID: account_id,
WEIXIN_TOKEN: token,
}
if (base_url) entries.WEIXIN_BASE_URL = base_url
const lines = raw.split('\n')
const existingKeys = new Set<string>()
const result: string[] = []
for (const line of lines) {
const trimmed = line.trim()
if (trimmed.startsWith('#')) {
result.push(line)
continue
}
const eqIdx = trimmed.indexOf('=')
if (eqIdx !== -1) {
const key = trimmed.slice(0, eqIdx).trim()
if (key in entries) {
result.push(`${key}=${entries[key]}`)
existingKeys.add(key)
continue
}
}
result.push(line)
}
for (const [key, val] of Object.entries(entries)) {
if (!existingKeys.has(key)) {
result.push(`${key}=${val}`)
}
}
let output = result.join('\n').replace(/\n{3,}/g, '\n\n').replace(/\n+$/, '') + '\n'
const ep = envPath()
await writeFile(ep, output, 'utf-8')
try { await chmod(ep, 0o600) } catch { /* ignore */ }
await restartGateway()
ctx.body = { success: true }
} catch (err: any) {
ctx.status = 500
ctx.body = { error: err.message }
}
})
weixinRoutes.get('/api/hermes/weixin/qrcode', ctrl.getQrcode)
weixinRoutes.get('/api/hermes/weixin/qrcode/status', ctrl.pollStatus)
weixinRoutes.post('/api/hermes/weixin/save', ctrl.save)