fix: /health 端点免鉴权,避免代理探活因 secret 不一致误判为不健康#13
Open
estelledc wants to merge 1 commit into
Open
Conversation
问题:/health 端点要求 path-secret 鉴权。当 config.secret 被清空/轮换后, 现有的监控探活全部 403 → 误判代理不健康 → 状态灯黄灯。 修改: - /health 改为免鉴权(健康检查不含敏感信息,加鉴权反而引入脆弱性) - 同时匹配裸路径和带 secret 前缀的路径,兼容新旧调用方 - 测试从 assert 403 改为 assert 200 Closes SuperJJ007#12
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
解决的问题
Closes #12
问题描述
/health端点要求 path-secret 鉴权。当config.secret被清空或轮换后,所有现有的监控探活(Rust 侧status()命令、面板状态灯)全部返回 403 → 误判代理不健康 → 状态灯黄灯。实际上代理正在正常运行,只是 secret 不一致。修改
/health改为免鉴权。健康检查仅返回{"status":"ok","provider":"deepseek"},不含密钥、令牌或任何敏感信息,加鉴权反而引入脆弱性/health和带 secret 前缀的路径/<secret>/health,兼容新旧调用方test_health_without_secret_forbidden→test_health_without_secret_ok,期望值从 403 改为 200验证
影响范围
/health请求仍正常返回 200/health不含敏感数据,/v1/messages与/v1/models仍受 secret 保护proc::http_health()无需修改(仍可带或不带 secret 调用)