fix(gemini): skip token cache when expires_at is within refresh window

When a Gemini OAuth account receives a 401, ratelimit_service sets expires_at=now() to force a refresh. Previously GetAccessToken would return the stale cached token before checking expires_at, causing repeated 401s until the cache TTL expired. Fix: check needsRefresh before attempting cache lookup.
fix: use Gitea API for version check instead of GitHub
2026-06-09 01:00:11 +08:00 · 2026-06-06 04:29:48 +08:00 · 2026-06-06 04:07:07 +08:00 · 2026-06-06 03:43:13 +08:00 · 2026-06-04 00:53:13 +08:00 · 2026-06-04 00:49:41 +08:00
10 changed files with 273 additions and 16 deletions
@@ -0,0 +1,96 @@
+name: Release Image
+
+on:
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Tag to release, for example v0.1.140'
+        required: true
+        type: string
+
+jobs:
+  image:
+    runs-on: linux_amd64
+    env:
+      GITEA_BASE_URL: http://git.jianshixingqiu.com
+      GITEA_API_URL: http://git.jianshixingqiu.com/api/v1
+      GITEA_OWNER: kgod
+      GITEA_REPO: sub2api
+      IMAGE_NAME: git.jianshixingqiu.com/kgod/sub2api
+    steps:
+      - name: Checkout
+        env:
+          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+        run: |
+          set -eu
+          rm -rf .git
+          git init
+          git remote add origin "http://kgod:${RELEASE_TOKEN}@git.jianshixingqiu.com/kgod/sub2api.git"
+          if [ -n "${{ inputs.tag }}" ] && [ "${GITHUB_EVENT_NAME:-}" != "workflow_dispatch" ]; then
+            git fetch --depth 1 origin "refs/tags/${{ inputs.tag }}"
+          else
+            git fetch --depth 1 origin "$GITHUB_REF"
+          fi
+          git checkout --force FETCH_HEAD
+
+      - name: Prepare metadata
+        run: |
+          set -eu
+          if [ -n "${{ inputs.tag }}" ]; then
+            TAG="${{ inputs.tag }}"
+          else
+            TAG="${GITHUB_REF_NAME:-${GITHUB_REF##*/}}"
+          fi
+          VERSION="${TAG#v}"
+          COMMIT="$(git rev-parse --short=12 HEAD)"
+          BUILD_DATE="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
+
+          echo "TAG=${TAG}" >> "$GITHUB_ENV"
+          echo "VERSION=${VERSION}" >> "$GITHUB_ENV"
+          echo "COMMIT=${COMMIT}" >> "$GITHUB_ENV"
+          echo "BUILD_DATE=${BUILD_DATE}" >> "$GITHUB_ENV"
+
+      - name: Login to Gitea Container Registry
+        env:
+          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+        run: |
+          set -eu
+          echo "$RELEASE_TOKEN" | docker login git.jianshixingqiu.com -u kgod --password-stdin
+
+      - name: Build image
+        run: |
+          set -eu
+          docker build \
+            -f Dockerfile.gitea \
+            --build-arg VERSION="$VERSION" \
+            --build-arg COMMIT="$COMMIT" \
+            --build-arg BUILD_DATE="$BUILD_DATE" \
+            --label "org.opencontainers.image.version=$VERSION" \
+            --label "org.opencontainers.image.revision=$COMMIT" \
+            --label "org.opencontainers.image.source=$GITEA_BASE_URL/$GITEA_OWNER/$GITEA_REPO" \
+            -t "$IMAGE_NAME:$VERSION" \
+            -t "$IMAGE_NAME:latest" \
+            .
+
+      - name: Push image
+        run: |
+          set -eu
+          docker push "$IMAGE_NAME:$VERSION"
+          docker push "$IMAGE_NAME:latest"
+
+      - name: Create Gitea release
+        env:
+          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+        run: |
+          set -eu
+          BODY="Docker image: ${IMAGE_NAME}:${VERSION}"
+          PAYLOAD=$(printf '{"tag_name":"%s","target_commitish":"%s","name":"Sub2API %s","body":"%s","draft":false,"prerelease":false}' "$TAG" "$(git rev-parse HEAD)" "$VERSION" "$BODY")
+          curl -fsS \
+            -X POST \
+            -H "Authorization: token ${RELEASE_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d "$PAYLOAD" \
+            "$GITEA_API_URL/repos/$GITEA_OWNER/$GITEA_REPO/releases" || true
@@ -0,0 +1,89 @@
+# syntax=docker/dockerfile:1
+
+ARG NODE_IMAGE=node:20-alpine
+ARG GO_IMAGE=golang:1.26.3-alpine
+ARG ALPINE_IMAGE=alpine:3.21
+ARG POSTGRES_IMAGE=postgres:18-alpine
+
+FROM ${NODE_IMAGE} AS frontend
+WORKDIR /src
+
+RUN corepack enable && corepack prepare pnpm@9.15.9 --activate
+
+COPY frontend/package.json frontend/pnpm-lock.yaml ./frontend/
+WORKDIR /src/frontend
+RUN pnpm install --frozen-lockfile
+
+WORKDIR /src
+COPY frontend ./frontend
+COPY backend/internal/web ./backend/internal/web
+RUN cd frontend && pnpm run build
+
+FROM ${GO_IMAGE} AS backend-builder
+RUN sed -i 's#https://dl-cdn.alpinelinux.org/alpine#https://mirrors.tencent.com/alpine#g' /etc/apk/repositories && \
+    apk add --no-cache ca-certificates git
+ENV GOPROXY=https://goproxy.cn,direct
+WORKDIR /src
+
+COPY backend/go.mod backend/go.sum ./backend/
+RUN cd backend && go mod download
+
+COPY backend ./backend
+COPY --from=frontend /src/backend/internal/web/dist ./backend/internal/web/dist
+
+ARG VERSION=0.0.0-dev
+ARG COMMIT=unknown
+ARG BUILD_DATE=unknown
+
+RUN cd backend && \
+    CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \
+      -tags=embed \
+      -ldflags="-s -w -X main.Version=${VERSION} -X main.Commit=${COMMIT} -X main.Date=${BUILD_DATE} -X main.BuildType=release" \
+      -o /out/sub2api \
+      ./cmd/server
+
+FROM ${POSTGRES_IMAGE} AS pg-client
+
+FROM ${ALPINE_IMAGE}
+
+LABEL maintainer="Wei-Shaw <github.com/Wei-Shaw>"
+LABEL description="Sub2API - AI API Gateway Platform"
+LABEL org.opencontainers.image.source="http://git.jianshixingqiu.com/kgod/sub2api"
+
+RUN sed -i 's#https://dl-cdn.alpinelinux.org/alpine#https://mirrors.tencent.com/alpine#g' /etc/apk/repositories && \
+    apk add --no-cache \
+    ca-certificates \
+    tzdata \
+    curl \
+    su-exec \
+    libpq \
+    zstd-libs \
+    lz4-libs \
+    krb5-libs \
+    libldap \
+    libedit \
+    && rm -rf /var/cache/apk/*
+
+COPY --from=pg-client /usr/local/bin/pg_dump /usr/local/bin/pg_dump
+COPY --from=pg-client /usr/local/bin/psql /usr/local/bin/psql
+COPY --from=pg-client /usr/local/lib/libpq.so.5* /usr/local/lib/
+
+RUN addgroup -g 1000 sub2api && \
+    adduser -u 1000 -G sub2api -s /bin/sh -D sub2api
+
+WORKDIR /app
+
+COPY --from=backend-builder /out/sub2api /app/sub2api
+COPY deploy/docker-entrypoint.sh /app/docker-entrypoint.sh
+
+RUN mkdir -p /app/data && \
+    chown -R sub2api:sub2api /app && \
+    chmod +x /app/docker-entrypoint.sh
+
+EXPOSE 8080
+
+HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
+    CMD curl -f http://localhost:${SERVER_PORT:-8080}/health || exit 1
+
+ENTRYPOINT ["/app/docker-entrypoint.sh"]
+CMD ["/app/sub2api"]
@@ -148,9 +148,9 @@ type GeminiTierQuotaConfig struct {
 }

 type UpdateConfig struct {
-	// GitHubRepo 用于在线更新的 GitHub 仓库，格式 owner/repo
+	// GitHubRepo 是历史配置字段名，用于在线更新的代码仓库，格式 owner/repo。
 	GitHubRepo string `mapstructure:"github_repo"`
-	// ProxyURL 用于访问 GitHub 的代理地址
+	// ProxyURL 用于访问代码仓库的代理地址
 	// 支持 http/https/socks5/socks5h 协议
 	// 例如: "http://127.0.0.1:7890", "socks5://127.0.0.1:1080"
 	ProxyURL string `mapstructure:"proxy_url"`
@@ -564,7 +564,7 @@ type CSPConfig struct {
 type ProxyFallbackConfig struct {
 	// AllowDirectOnError 当辅助服务的代理初始化失败时是否允许回退直连。
 	// 仅影响以下非 AI 账号连接的辅助服务：
-	//   - GitHub Release 更新检查
+	//   - Gitea Release 更新检查
 	//   - 定价数据拉取
 	// 不影响 AI 账号网关连接（Claude/OpenAI/Gemini/Antigravity），
 	// 这些关键路径的代理失败始终返回错误，不会回退直连。
@@ -1614,8 +1614,8 @@ func setDefaults() {
 	viper.SetDefault("pricing.hash_check_interval_minutes", 10)

 	// Update
-	viper.SetDefault("update.github_repo", "man209111-cpu/sub2api")
-	viper.SetDefault("update.proxy_url", "socks5://admin%40sub2api.local:m729066849@172.16.32.16:3389")
+	viper.SetDefault("update.github_repo", "kgod/sub2api")
+	viper.SetDefault("update.proxy_url", "")

 	// Timezone (default to Asia/Shanghai for Chinese users)
 	viper.SetDefault("timezone", "Asia/Shanghai")
@@ -200,13 +200,15 @@ func (h *AuthHandler) SendVerifyCode(c *gin.Context) {
 		return
 	}

+	clientIP := ip.GetClientIP(c)
+
 	// Turnstile 验证
-	if err := h.authService.VerifyTurnstile(c.Request.Context(), req.TurnstileToken, ip.GetClientIP(c)); err != nil {
+	if err := h.authService.VerifyTurnstile(c.Request.Context(), req.TurnstileToken, clientIP); err != nil {
 		response.ErrorFrom(c, err)
 		return
 	}

-	result, err := h.authService.SendVerifyCodeAsync(c.Request.Context(), req.Email)
+	result, err := h.authService.SendVerifyCodeAsync(c.Request.Context(), req.Email, clientIP)
 	if err != nil {
 		response.ErrorFrom(c, err)
 		return
@@ -76,13 +76,14 @@ func (c *githubReleaseClientError) FetchChecksumFile(ctx context.Context, url st
 }

 func (c *githubReleaseClient) FetchLatestRelease(ctx context.Context, repo string) (*service.GitHubRelease, error) {
-	url := fmt.Sprintf("https://api.github.com/repos/%s/releases/latest", repo)
+	// 使用 Gitea API（兼容 GitHub Release API 格式）
+	url := fmt.Sprintf("http://git.jianshixingqiu.com/api/v1/repos/%s/releases/latest", repo)

 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
 	if err != nil {
 		return nil, err
 	}
-	req.Header.Set("Accept", "application/vnd.github.v3+json")
+	req.Header.Set("Accept", "application/json")
 	req.Header.Set("User-Agent", "Sub2API-Updater")

 	resp, err := c.httpClient.Do(req)
@@ -92,7 +93,7 @@ func (c *githubReleaseClient) FetchLatestRelease(ctx context.Context, repo strin
 	defer func() { _ = resp.Body.Close() }()

 	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("GitHub API returned %d", resp.StatusCode)
+		return nil, fmt.Errorf("Gitea API returned %d", resp.StatusCode)
 	}

 	var release service.GitHubRelease
@@ -1113,3 +1113,26 @@ func (r *userRepository) DisableTotp(ctx context.Context, userID int64) error {
 	}
 	return nil
 }
+
+// CountByRegistrationIP 统计指定 IP 注册的用户数量
+func (r *userRepository) CountByRegistrationIP(ctx context.Context, ip string) (int, error) {
+	if strings.TrimSpace(ip) == "" {
+		return 0, nil
+	}
+	rows, err := r.sql.QueryContext(ctx,
+		`SELECT COUNT(*) FROM users WHERE register_ip_address = $1 AND deleted_at IS NULL`,
+		ip,
+	)
+	if err != nil {
+		return 0, err
+	}
+	defer rows.Close()
+
+	var count int
+	if rows.Next() {
+		if err := rows.Scan(&count); err != nil {
+			return 0, err
+		}
+	}
+	return count, nil
+}
@@ -311,8 +311,9 @@ func (s *AuthService) SendVerifyCode(ctx context.Context, email string) error {
 }

 // SendVerifyCodeAsync 异步发送邮箱验证码并返回倒计时
-func (s *AuthService) SendVerifyCodeAsync(ctx context.Context, email string) (*SendVerifyCodeResult, error) {
-	logger.LegacyPrintf("service.auth", "[Auth] SendVerifyCodeAsync called for email: %s", email)
+// clientIP 用于检查同一 IP 注册账号数量限制
+func (s *AuthService) SendVerifyCodeAsync(ctx context.Context, email string, clientIP string) (*SendVerifyCodeResult, error) {
+	logger.LegacyPrintf("service.auth", "[Auth] SendVerifyCodeAsync called for email: %s, ip: %s", email, clientIP)

 	// 检查是否开放注册（默认关闭）
 	if s.settingService == nil || !s.settingService.IsRegistrationEnabled(ctx) {
@@ -338,6 +339,28 @@ func (s *AuthService) SendVerifyCodeAsync(ctx context.Context, email string) (*S
 		return nil, ErrEmailExists
 	}

+	// 检查 Gmail 别名邮箱（含 + 或本地部分含 . 的），静默假装发送成功
+	if isGmailAliasEmail(email) {
+		logger.LegacyPrintf("service.auth", "[Auth] Gmail alias email detected: %s, returning fake success", email)
+		return &SendVerifyCodeResult{
+			Countdown: 60,
+		}, nil
+	}
+
+	// 检查同一 IP 注册账号数量（>=2 则静默假装发送成功，不实际发送）
+	if clientIP != "" {
+		ipRegCount, err := s.userRepo.CountByRegistrationIP(ctx, clientIP)
+		if err != nil {
+			logger.LegacyPrintf("service.auth", "[Auth] Failed to count users by registration IP: %v", err)
+			// 查询失败不阻塞，继续正常流程
+		} else if ipRegCount >= 2 {
+			logger.LegacyPrintf("service.auth", "[Auth] IP %s already registered %d accounts, returning fake success", clientIP, ipRegCount)
+			return &SendVerifyCodeResult{
+				Countdown: 60,
+			}, nil
+		}
+	}
+
 	// 检查邮件队列服务是否配置
 	if s.emailQueueService == nil {
 		logger.LegacyPrintf("service.auth", "%s", "[Auth] Email queue service not configured")
@@ -1092,6 +1115,22 @@ func isReservedEmail(email string) bool {
 		strings.HasSuffix(normalized, WeChatConnectSyntheticEmailDomain)
 }

+// isGmailAliasEmail 检测 Gmail 别名邮箱
+// Gmail 支持两种别名方式：
+// 1. 加号别名：user+anything@gmail.com -> user@gmail.com
+// 2. 点号忽略：u.s.e.r@gmail.com -> user@gmail.com
+// 为防止滥用注册，检测到这类邮箱时返回 true
+func isGmailAliasEmail(email string) bool {
+	normalized := strings.ToLower(strings.TrimSpace(email))
+	if !strings.HasSuffix(normalized, "@gmail.com") {
+		return false
+	}
+	// 提取本地部分（@前面的部分）
+	localPart := strings.TrimSuffix(normalized, "@gmail.com")
+	// 检查是否包含 + 或 .
+	return strings.Contains(localPart, "+") || strings.Contains(localPart, ".")
+}
+
 // GenerateToken 生成JWT access token
 // 使用新的access_token_expire_minutes配置项（如果配置了），否则回退到expire_hour
 func (s *AuthService) GenerateToken(user *User) (string, error) {
@@ -231,6 +231,10 @@ func (r *contentModerationTestUserRepo) DisableTotp(ctx context.Context, userID
 	panic("unexpected DisableTotp call")
 }

+func (r *contentModerationTestUserRepo) CountByRegistrationIP(ctx context.Context, ip string) (int, error) {
+	return 0, nil
+}
+
 type contentModerationTestAuthCacheInvalidator struct {
 	userIDs []int64
 }
@@ -62,16 +62,16 @@ func (p *GeminiTokenProvider) GetAccessToken(ctx context.Context, account *Accou

 	cacheKey := GeminiTokenCacheKey(account)

-	// 1) Try cache first.
-	if p.tokenCache != nil {
+	// 1) Try cache first — skip if token is already expired or within refresh skew.
+	expiresAt := account.GetCredentialAsTime("expires_at")
+	needsRefresh := expiresAt == nil || time.Until(*expiresAt) <= geminiTokenRefreshSkew
+	if !needsRefresh && p.tokenCache != nil {
 		if token, err := p.tokenCache.GetAccessToken(ctx, cacheKey); err == nil && strings.TrimSpace(token) != "" {
 			return token, nil
 		}
 	}

 	// 2) Refresh if needed (pre-expiry skew).
-	expiresAt := account.GetCredentialAsTime("expires_at")
-	needsRefresh := expiresAt == nil || time.Until(*expiresAt) <= geminiTokenRefreshSkew

 	if needsRefresh && p.refreshAPI != nil && p.executor != nil {
 		result, err := p.refreshAPI.RefreshIfNeeded(ctx, account, p.executor, geminiTokenRefreshSkew)
@@ -111,6 +111,9 @@ type UserRepository interface {
 	UpdateTotpSecret(ctx context.Context, userID int64, encryptedSecret *string) error
 	EnableTotp(ctx context.Context, userID int64) error
 	DisableTotp(ctx context.Context, userID int64) error
+
+	// CountByRegistrationIP 统计指定 IP 注册的用户数量
+	CountByRegistrationIP(ctx context.Context, ip string) (int, error)
 }

 type UserAuthIdentityRecord struct {
Author	SHA1	Message	Date
kone	0984773711	fix(gemini): skip token cache when expires_at is within refresh window When a Gemini OAuth account receives a 401, ratelimit_service sets expires_at=now() to force a refresh. Previously GetAccessToken would return the stale cached token before checking expires_at, causing repeated 401s until the cache TTL expired. Fix: check needsRefresh before attempting cache lookup.	2026-06-09 01:00:11 +08:00
kone	4eb9877082	fix: use Gitea API for version check instead of GitHub	2026-06-06 04:29:48 +08:00
kone	88ccd0ecbb	feat: add registration abuse prevention - Silently block verification code for IPs with 2+ registered accounts - Silently block Gmail alias emails (containing + or . in local part) - Add CountByRegistrationIP to UserRepository interface - Pass client IP to SendVerifyCodeAsync for abuse detection Both checks return fake success to prevent enumeration attacks.	2026-06-06 04:07:07 +08:00
kone	ba5a09862f	fix: remove hardcoded default update proxy URL The default socks5 proxy (172.16.32.16:3389) was unreachable for most deployments, causing version check to timeout after 30 seconds. Setting the default to empty string allows direct connection to the Gitea API, which is the expected behavior for most users. Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>	2026-06-06 03:43:13 +08:00
kone	a1b75400a6	ci: use go module proxy for gitea build	2026-06-04 00:53:13 +08:00
kone	711aab05e4	ci: use alpine mirror for gitea image build	2026-06-04 00:49:41 +08:00
kone	7fb962474b	ci: pin pnpm for gitea image build	2026-06-04 00:39:07 +08:00
kone	b1d837d800	ci: support manual gitea image release dispatch	2026-06-04 00:36:44 +08:00
kone	dbf3278ba3	ci: add gitea image release workflow	2026-06-04 00:25:46 +08:00