feat: 添加 API 文档路由、扩展用户列表字段、修复 CORS 配置

- Dockerfile.app: 添加 /docs、/redoc、/openapi.json 的 nginx 代理规则 - routes.py: 管理员用户列表接口增加 allowed_providers/endpoints/models 字段 - main.py: 修复 CORS_ORIGINS=* 时 credentials 配置冲突问题
2026-01-08 18:52:28 +08:00 · 2026-01-07 17:31:31 +08:00
parent 42dc64246c
commit 00f6fafcfc
3 changed files with 16 additions and 2 deletions
--- a/Dockerfile.app
+++ b/Dockerfile.app
@@ -82,6 +82,15 @@ RUN printf '%s\n' \
 '        try_files $uri $uri/ /index.html;' \
 '    }' \
 '' \
+'    location ~ ^/(docs|redoc|openapi\\.json)$ {' \
+'        proxy_pass http://127.0.0.1:PORT_PLACEHOLDER;' \
+'        proxy_http_version 1.1;' \
+'        proxy_set_header Host $host;' \
+'        proxy_set_header X-Real-IP $real_ip;' \
+'        proxy_set_header X-Forwarded-For $forwarded_for;' \
+'        proxy_set_header X-Forwarded-Proto $scheme;' \
+'    }' \
+'' \
 '    location / {' \
 '        try_files $uri $uri/ @backend;' \
 '    }' \
--- a/src/api/admin/users/routes.py
+++ b/src/api/admin/users/routes.py
@@ -273,6 +273,9 @@ class AdminListUsersAdapter(AdminApiAdapter):
                "email": u.email,
                "username": u.username,
                "role": u.role.value,
+                "allowed_providers": u.allowed_providers,
+                "allowed_endpoints": u.allowed_endpoints,
+                "allowed_models": u.allowed_models,
                "quota_usd": u.quota_usd,
                "used_usd": u.used_usd,
                "total_usd": getattr(u, "total_usd", 0),
--- a/src/main.py
+++ b/src/main.py
@@ -355,15 +355,17 @@ app.add_middleware(PluginMiddleware)
 # 生产环境必须通过 CORS_ORIGINS 环境变量显式指定允许的域名
 # 开发环境默认允许本地前端访问
 if config.cors_origins:
+    # CORS_ORIGINS=* 时自动禁用 credentials（浏览器规范要求）
+    allow_credentials = config.cors_allow_credentials and "*" not in config.cors_origins
    app.add_middleware(
        CORSMiddleware,
        allow_origins=config.cors_origins,  # 使用配置的白名单
-        allow_credentials=config.cors_allow_credentials,
+        allow_credentials=allow_credentials,
        allow_methods=["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"],
        allow_headers=["*"],
        expose_headers=["*"],
    )
-    logger.info(f"CORS已启用,允许的源: {config.cors_origins}")
+    logger.info(f"CORS已启用,允许的源: {config.cors_origins}, credentials: {allow_credentials}")
 else:
    # 没有配置CORS源,不允许跨域
    logger.warning(