Merge pull request #421 from NgoQuocViet2001/ai/vercel-credential-cache

feat(admin): remember Vercel sync credentials
2026-05-07 01:45:27 +08:00 · 2026-05-04 23:11:00 +08:00
parent 269d7cd8f9 76884c0d94
commit 554fae6b3f
18 changed files with 321 additions and 20 deletions
--- a/internal/config/codec.go
+++ b/internal/config/codec.go
@@ -48,6 +48,9 @@ func (c Config) MarshalJSON() ([]byte, error) {
 	if c.ThinkingInjection.Enabled != nil || strings.TrimSpace(c.ThinkingInjection.Prompt) != "" {
 		m["thinking_injection"] = c.ThinkingInjection
 	}
+	if strings.TrimSpace(c.Vercel.Token) != "" || strings.TrimSpace(c.Vercel.ProjectID) != "" || strings.TrimSpace(c.Vercel.TeamID) != "" {
+		m["vercel"] = NormalizeVercelConfig(c.Vercel)
+	}
 	if c.VercelSyncHash != "" {
 		m["_vercel_sync_hash"] = c.VercelSyncHash
 	}
@@ -125,6 +128,10 @@ func (c *Config) UnmarshalJSON(b []byte) error {
 			if err := json.Unmarshal(v, &c.ThinkingInjection); err != nil {
 				return fmt.Errorf("invalid field %q: %w", k, err)
 			}
+		case "vercel":
+			if err := json.Unmarshal(v, &c.Vercel); err != nil {
+				return fmt.Errorf("invalid field %q: %w", k, err)
+			}
 		case "_vercel_sync_hash":
 			if err := json.Unmarshal(v, &c.VercelSyncHash); err != nil {
 				return fmt.Errorf("invalid field %q: %w", k, err)
@@ -164,6 +171,7 @@ func (c Config) Clone() Config {
 			Enabled: cloneBoolPtr(c.ThinkingInjection.Enabled),
 			Prompt:  c.ThinkingInjection.Prompt,
 		},
+		Vercel:           c.Vercel,
 		VercelSyncHash:   c.VercelSyncHash,
 		VercelSyncTime:   c.VercelSyncTime,
 		AdditionalFields: map[string]any{},
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -20,6 +20,7 @@ type Config struct {
 	AutoDelete        AutoDeleteConfig        `json:"auto_delete"`
 	CurrentInputFile  CurrentInputFileConfig  `json:"current_input_file,omitempty"`
 	ThinkingInjection ThinkingInjectionConfig `json:"thinking_injection,omitempty"`
+	Vercel            VercelConfig            `json:"vercel,omitempty"`
 	VercelSyncHash    string                  `json:"_vercel_sync_hash,omitempty"`
 	VercelSyncTime    int64                   `json:"_vercel_sync_time,omitempty"`
 	AdditionalFields  map[string]any          `json:"-"`
@@ -99,6 +100,7 @@ func (c *Config) NormalizeCredentials() {
 		c.Accounts[i].Remark = strings.TrimSpace(c.Accounts[i].Remark)
 	}

+	c.Vercel = NormalizeVercelConfig(c.Vercel)
 	c.normalizeModelAliases()
 }

@@ -175,3 +177,24 @@ type ThinkingInjectionConfig struct {
 	Enabled *bool  `json:"enabled,omitempty"`
 	Prompt  string `json:"prompt,omitempty"`
 }
+
+type VercelConfig struct {
+	Token     string `json:"token,omitempty"`
+	ProjectID string `json:"project_id,omitempty"`
+	TeamID    string `json:"team_id,omitempty"`
+}
+
+func NormalizeVercelConfig(v VercelConfig) VercelConfig {
+	return VercelConfig{
+		Token:     strings.TrimSpace(v.Token),
+		ProjectID: strings.TrimSpace(v.ProjectID),
+		TeamID:    strings.TrimSpace(v.TeamID),
+	}
+}
+
+func (c *Config) ClearVercelCredentials() {
+	if c == nil {
+		return
+	}
+	c.Vercel = VercelConfig{}
+}
--- a/internal/config/config_edge_test.go
+++ b/internal/config/config_edge_test.go
@@ -173,6 +173,11 @@ func TestConfigJSONRoundtrip(t *testing.T) {
 		Runtime: RuntimeConfig{
 			TokenRefreshIntervalHours: 12,
 		},
+		Vercel: VercelConfig{
+			Token:     " vercel-token ",
+			ProjectID: " prj_123 ",
+			TeamID:    " team_123 ",
+		},
 		VercelSyncHash: "hash123",
 		VercelSyncTime: 1234567890,
 		AdditionalFields: map[string]any{
@@ -205,6 +210,9 @@ func TestConfigJSONRoundtrip(t *testing.T) {
 	if decoded.AutoDelete.Mode != "single" {
 		t.Fatalf("unexpected auto delete mode: %#v", decoded.AutoDelete.Mode)
 	}
+	if decoded.Vercel.Token != "vercel-token" || decoded.Vercel.ProjectID != "prj_123" || decoded.Vercel.TeamID != "team_123" {
+		t.Fatalf("unexpected vercel config: %#v", decoded.Vercel)
+	}
 	if decoded.VercelSyncHash != "hash123" {
 		t.Fatalf("unexpected vercel sync hash: %q", decoded.VercelSyncHash)
 	}
--- a/internal/httpapi/admin/auth/deps.go
+++ b/internal/httpapi/admin/auth/deps.go
@@ -15,5 +15,6 @@ type Handler struct {

 var writeJSON = adminshared.WriteJSON
 var intFrom = adminshared.IntFrom
+var maskSecretPreview = adminshared.MaskSecretPreview

 func nilIfEmpty(s string) any { return adminshared.NilIfEmpty(s) }
--- a/internal/httpapi/admin/auth/handler_auth.go
+++ b/internal/httpapi/admin/auth/handler_auth.go
@@ -61,9 +61,34 @@ func (h *Handler) verify(w http.ResponseWriter, r *http.Request) {
 }

 func (h *Handler) getVercelConfig(w http.ResponseWriter, _ *http.Request) {
+	saved := h.Store.Snapshot().Vercel
+	token, tokenSource := firstConfiguredValue(
+		[2]string{"env", os.Getenv("VERCEL_TOKEN")},
+		[2]string{"config", saved.Token},
+	)
+	projectID, _ := firstConfiguredValue(
+		[2]string{"env", os.Getenv("VERCEL_PROJECT_ID")},
+		[2]string{"config", saved.ProjectID},
+	)
+	teamID, _ := firstConfiguredValue(
+		[2]string{"env", os.Getenv("VERCEL_TEAM_ID")},
+		[2]string{"config", saved.TeamID},
+	)
 	writeJSON(w, http.StatusOK, map[string]any{
-		"has_token":  strings.TrimSpace(os.Getenv("VERCEL_TOKEN")) != "",
-		"project_id": strings.TrimSpace(os.Getenv("VERCEL_PROJECT_ID")),
-		"team_id":    nilIfEmpty(strings.TrimSpace(os.Getenv("VERCEL_TEAM_ID"))),
+		"has_token":     token != "",
+		"token_preview": maskSecretPreview(token),
+		"token_source":  nilIfEmpty(tokenSource),
+		"project_id":    projectID,
+		"team_id":       nilIfEmpty(teamID),
 	})
 }
+
+func firstConfiguredValue(values ...[2]string) (string, string) {
+	for _, pair := range values {
+		value := strings.TrimSpace(pair[1])
+		if value != "" {
+			return value, strings.TrimSpace(pair[0])
+		}
+	}
+	return "", ""
+}
--- a/internal/httpapi/admin/auth/handler_auth_test.go
+++ b/internal/httpapi/admin/auth/handler_auth_test.go
@@ -0,0 +1,38 @@
+package auth
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"ds2api/internal/config"
+)
+
+func TestGetVercelConfigFallsBackToSavedConfig(t *testing.T) {
+	t.Setenv("DS2API_CONFIG_JSON", `{"keys":["k1"],"vercel":{"token":"saved-token","project_id":"saved-project","team_id":"saved-team"}}`)
+	t.Setenv("VERCEL_TOKEN", "")
+	t.Setenv("VERCEL_PROJECT_ID", "")
+	t.Setenv("VERCEL_TEAM_ID", "")
+	h := &Handler{Store: config.LoadStore()}
+
+	rec := httptest.NewRecorder()
+	h.getVercelConfig(rec, httptest.NewRequest(http.MethodGet, "/admin/vercel/config", nil))
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", rec.Code, rec.Body.String())
+	}
+	var payload map[string]any
+	if err := json.Unmarshal(rec.Body.Bytes(), &payload); err != nil {
+		t.Fatalf("decode response: %v", err)
+	}
+	if payload["has_token"] != true {
+		t.Fatalf("expected saved token to be detected: %#v", payload)
+	}
+	if payload["token_source"] != "config" || payload["project_id"] != "saved-project" || payload["team_id"] != "saved-team" {
+		t.Fatalf("unexpected preconfig payload: %#v", payload)
+	}
+	if payload["token_preview"] == "saved-token" {
+		t.Fatal("token preview leaked the full token")
+	}
+}
--- a/internal/httpapi/admin/configmgmt/handler_config_import.go
+++ b/internal/httpapi/admin/configmgmt/handler_config_import.go
@@ -94,6 +94,10 @@ func (h *Handler) configImport(w http.ResponseWriter, r *http.Request) {
 			if strings.TrimSpace(incoming.Embeddings.Provider) != "" {
 				next.Embeddings.Provider = incoming.Embeddings.Provider
 			}
+			incomingVercel := config.NormalizeVercelConfig(incoming.Vercel)
+			if strings.TrimSpace(incomingVercel.Token) != "" || strings.TrimSpace(incomingVercel.ProjectID) != "" || strings.TrimSpace(incomingVercel.TeamID) != "" {
+				next.Vercel = incomingVercel
+			}
 			if strings.TrimSpace(incoming.Admin.PasswordHash) != "" {
 				next.Admin.PasswordHash = incoming.Admin.PasswordHash
 			}
--- a/internal/httpapi/admin/configmgmt/handler_config_read.go
+++ b/internal/httpapi/admin/configmgmt/handler_config_read.go
@@ -19,6 +19,12 @@ func (h *Handler) getConfig(w http.ResponseWriter, _ *http.Request) {
 		"env_writeback_enabled": h.Store.IsEnvWritebackEnabled(),
 		"config_path":           h.Store.ConfigPath(),
 		"model_aliases":         snap.ModelAliases,
+		"vercel": map[string]any{
+			"has_token":     strings.TrimSpace(snap.Vercel.Token) != "",
+			"token_preview": maskSecretPreview(snap.Vercel.Token),
+			"project_id":    snap.Vercel.ProjectID,
+			"team_id":       snap.Vercel.TeamID,
+		},
 	}
 	accounts := make([]map[string]any, 0, len(snap.Accounts))
 	for _, acc := range snap.Accounts {
--- a/internal/httpapi/admin/shared/helpers.go
+++ b/internal/httpapi/admin/shared/helpers.go
@@ -78,6 +78,7 @@ func ComputeSyncHash(store ConfigStore) string {
 	}
 	snap := store.Snapshot().Clone()
 	snap.ClearAccountTokens()
+	snap.ClearVercelCredentials()
 	snap.VercelSyncHash = ""
 	snap.VercelSyncTime = 0
 	b, _ := json.Marshal(snap)
@@ -93,6 +94,7 @@ func SyncHashForJSON(s string) string {
 	cfg.VercelSyncHash = ""
 	cfg.VercelSyncTime = 0
 	cfg.ClearAccountTokens()
+	cfg.ClearVercelCredentials()
 	b, err := json.Marshal(cfg)
 	if err != nil {
 		return ""
--- a/internal/httpapi/admin/vercel/handler_vercel.go
+++ b/internal/httpapi/admin/vercel/handler_vercel.go
@@ -23,7 +23,7 @@ func (h *Handler) syncVercel(w http.ResponseWriter, r *http.Request) {
 		writeJSON(w, http.StatusBadRequest, map[string]any{"detail": "invalid json"})
 		return
 	}
-	opts, err := parseVercelSyncOptions(req)
+	opts, err := parseVercelSyncOptions(req, h.Store.Snapshot().Vercel)
 	if err != nil {
 		writeJSON(w, http.StatusBadRequest, map[string]any{"detail": err.Error()})
 		return
@@ -50,6 +50,12 @@ func (h *Handler) syncVercel(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	savedCreds := h.saveVercelProjectCredentials(r.Context(), client, opts, params, headers, envs)
+	credentialsWarning := ""
+	if saved, err := h.saveLocalVercelCredentials(opts); err == nil && saved {
+		savedCreds = append(savedCreds, "config.vercel")
+	} else if err != nil {
+		credentialsWarning = "保存 Vercel 凭据到本地配置失败: " + err.Error()
+	}
 	manual, deployURL := triggerVercelDeployment(r.Context(), client, opts.ProjectID, params, headers)
 	_ = h.Store.SetVercelSync(syncHashForJSON(cfgJSON), time.Now().Unix())
 	result := map[string]any{"success": true, "validated_accounts": validated}
@@ -66,6 +72,9 @@ func (h *Handler) syncVercel(w http.ResponseWriter, r *http.Request) {
 	if len(savedCreds) > 0 {
 		result["saved_credentials"] = savedCreds
 	}
+	if credentialsWarning != "" {
+		result["credentials_warning"] = credentialsWarning
+	}
 	writeJSON(w, http.StatusOK, result)
 }

@@ -78,7 +87,7 @@ type vercelSyncOptions struct {
 	UsePreconfig bool
 }

-func parseVercelSyncOptions(req map[string]any) (vercelSyncOptions, error) {
+func parseVercelSyncOptions(req map[string]any, saved config.VercelConfig) (vercelSyncOptions, error) {
 	vercelToken, _ := req["vercel_token"].(string)
 	projectID, _ := req["project_id"].(string)
 	teamID, _ := req["team_id"].(string)
@@ -92,13 +101,13 @@ func parseVercelSyncOptions(req map[string]any) (vercelSyncOptions, error) {
 	}
 	usePreconfig := vercelToken == "__USE_PRECONFIG__" || strings.TrimSpace(vercelToken) == ""
 	if usePreconfig {
-		vercelToken = strings.TrimSpace(os.Getenv("VERCEL_TOKEN"))
+		vercelToken = firstNonEmpty(os.Getenv("VERCEL_TOKEN"), saved.Token)
 	}
 	if strings.TrimSpace(projectID) == "" {
-		projectID = strings.TrimSpace(os.Getenv("VERCEL_PROJECT_ID"))
+		projectID = firstNonEmpty(os.Getenv("VERCEL_PROJECT_ID"), saved.ProjectID)
 	}
 	if strings.TrimSpace(teamID) == "" {
-		teamID = strings.TrimSpace(os.Getenv("VERCEL_TEAM_ID"))
+		teamID = firstNonEmpty(os.Getenv("VERCEL_TEAM_ID"), saved.TeamID)
 	}
 	vercelToken = strings.TrimSpace(vercelToken)
 	projectID = strings.TrimSpace(projectID)
@@ -116,6 +125,15 @@ func parseVercelSyncOptions(req map[string]any) (vercelSyncOptions, error) {
 	}, nil
 }

+func firstNonEmpty(values ...string) string {
+	for _, value := range values {
+		if trimmed := strings.TrimSpace(value); trimmed != "" {
+			return trimmed
+		}
+	}
+	return ""
+}
+
 func buildVercelParams(teamID string) url.Values {
 	params := url.Values{}
 	if strings.TrimSpace(teamID) != "" {
@@ -178,6 +196,25 @@ func (h *Handler) saveVercelProjectCredentials(ctx context.Context, client *http
 	return saved
 }

+func (h *Handler) saveLocalVercelCredentials(opts vercelSyncOptions) (bool, error) {
+	if !opts.SaveCreds {
+		return false, nil
+	}
+	err := h.Store.Update(func(c *config.Config) error {
+		token := opts.VercelToken
+		if opts.UsePreconfig {
+			token = c.Vercel.Token
+		}
+		c.Vercel = config.NormalizeVercelConfig(config.VercelConfig{
+			Token:     token,
+			ProjectID: opts.ProjectID,
+			TeamID:    opts.TeamID,
+		})
+		return nil
+	})
+	return err == nil, err
+}
+
 func triggerVercelDeployment(ctx context.Context, client *http.Client, projectID string, params url.Values, headers map[string]string) (bool, string) {
 	projectResp, status, _ := vercelRequest(ctx, client, http.MethodGet, "https://api.vercel.com/v9/projects/"+projectID, params, headers, nil)
 	if status != http.StatusOK {
@@ -243,7 +280,7 @@ func (h *Handler) vercelStatus(w http.ResponseWriter, r *http.Request) {
 func (h *Handler) exportSyncConfig(req map[string]any) (string, string, error) {
 	override, ok := req["config_override"]
 	if !ok || override == nil {
-		return h.Store.ExportJSONAndBase64()
+		return encodeVercelSyncConfig(h.Store.Snapshot())
 	}
 	raw, err := json.Marshal(override)
 	if err != nil {
@@ -253,8 +290,13 @@ func (h *Handler) exportSyncConfig(req map[string]any) (string, string, error) {
 	if err := json.Unmarshal(raw, &cfg); err != nil {
 		return "", "", err
 	}
+	return encodeVercelSyncConfig(cfg)
+}
+
+func encodeVercelSyncConfig(cfg config.Config) (string, string, error) {
 	cfg.DropInvalidAccounts()
 	cfg.ClearAccountTokens()
+	cfg.ClearVercelCredentials()
 	cfg.VercelSyncHash = ""
 	cfg.VercelSyncTime = 0
 	b, err := json.Marshal(cfg)
@@ -272,6 +314,7 @@ func syncHashForJSON(s string) string {
 	cfg.VercelSyncHash = ""
 	cfg.VercelSyncTime = 0
 	cfg.ClearAccountTokens()
+	cfg.ClearVercelCredentials()
 	b, err := json.Marshal(cfg)
 	if err != nil {
 		return ""
--- a/internal/httpapi/admin/vercel/handler_vercel_test.go
+++ b/internal/httpapi/admin/vercel/handler_vercel_test.go
@@ -0,0 +1,100 @@
+package vercel
+
+import (
+	"encoding/json"
+	"strings"
+	"testing"
+
+	"ds2api/internal/config"
+)
+
+func TestParseVercelSyncOptionsFallsBackToSavedConfig(t *testing.T) {
+	t.Setenv("VERCEL_TOKEN", "")
+	t.Setenv("VERCEL_PROJECT_ID", "")
+	t.Setenv("VERCEL_TEAM_ID", "")
+
+	opts, err := parseVercelSyncOptions(map[string]any{
+		"vercel_token": "__USE_PRECONFIG__",
+	}, config.VercelConfig{
+		Token:     " saved-token ",
+		ProjectID: " saved-project ",
+		TeamID:    " saved-team ",
+	})
+	if err != nil {
+		t.Fatalf("parse options error: %v", err)
+	}
+	if opts.VercelToken != "saved-token" || opts.ProjectID != "saved-project" || opts.TeamID != "saved-team" {
+		t.Fatalf("unexpected options: %#v", opts)
+	}
+	if !opts.UsePreconfig {
+		t.Fatal("expected preconfig mode")
+	}
+}
+
+func TestSaveLocalVercelCredentialsStoresExplicitInput(t *testing.T) {
+	t.Setenv("DS2API_CONFIG_JSON", `{"keys":["k1"]}`)
+	store := config.LoadStore()
+	h := &Handler{Store: store}
+
+	saved, err := h.saveLocalVercelCredentials(vercelSyncOptions{
+		VercelToken: " token ",
+		ProjectID:   " project ",
+		TeamID:      " team ",
+		SaveCreds:   true,
+	})
+	if err != nil {
+		t.Fatalf("save local credentials error: %v", err)
+	}
+	if !saved {
+		t.Fatal("expected credentials to be saved")
+	}
+	got := store.Snapshot().Vercel
+	if got.Token != "token" || got.ProjectID != "project" || got.TeamID != "team" {
+		t.Fatalf("unexpected saved credentials: %#v", got)
+	}
+}
+
+func TestSaveLocalVercelCredentialsPreservesPreconfiguredTokenAndUpdatesProject(t *testing.T) {
+	t.Setenv("DS2API_CONFIG_JSON", `{"keys":["k1"],"vercel":{"token":"saved-token","project_id":"old-project","team_id":"old-team"}}`)
+	store := config.LoadStore()
+	h := &Handler{Store: store}
+
+	saved, err := h.saveLocalVercelCredentials(vercelSyncOptions{
+		VercelToken:  "resolved-token",
+		ProjectID:    "new-project",
+		TeamID:       "new-team",
+		SaveCreds:    true,
+		UsePreconfig: true,
+	})
+	if err != nil {
+		t.Fatalf("save local credentials error: %v", err)
+	}
+	if !saved {
+		t.Fatal("expected project/team updates to be saved")
+	}
+	got := store.Snapshot().Vercel
+	if got.Token != "saved-token" || got.ProjectID != "new-project" || got.TeamID != "new-team" {
+		t.Fatalf("unexpected saved credentials: %#v", got)
+	}
+}
+
+func TestExportSyncConfigStripsSavedVercelCredentials(t *testing.T) {
+	t.Setenv("DS2API_CONFIG_JSON", `{"keys":["k1"],"vercel":{"token":"secret-token","project_id":"project","team_id":"team"}}`)
+	store := config.LoadStore()
+	h := &Handler{Store: store}
+
+	jsonStr, _, err := h.exportSyncConfig(map[string]any{})
+	if err != nil {
+		t.Fatalf("export sync config error: %v", err)
+	}
+	if strings.Contains(jsonStr, "secret-token") || strings.Contains(jsonStr, `"vercel"`) {
+		t.Fatalf("expected sync export to strip Vercel credentials, got %s", jsonStr)
+	}
+	var exported config.Config
+	if err := json.Unmarshal([]byte(jsonStr), &exported); err != nil {
+		t.Fatalf("exported config is invalid JSON: %v", err)
+	}
+	if len(exported.Keys) != 1 || exported.Keys[0] != "k1" {
+		t.Fatalf("unexpected exported config: %#v", exported)
+	}
+}