feat: 添加 API 文档路由、扩展用户列表字段、修复 CORS 配置

- Dockerfile.app: 添加 /docs、/redoc、/openapi.json 的 nginx 代理规则 - routes.py: 管理员用户列表接口增加 allowed_providers/endpoints/models 字段 - main.py: 修复 CORS_ORIGINS=* 时 credentials 配置冲突问题
2026-01-11 03:58:28 +08:00 · 2026-01-07 17:31:31 +08:00
parent 42dc64246c
commit 00f6fafcfc
3 changed files with 16 additions and 2 deletions
--- a/src/api/admin/users/routes.py
+++ b/src/api/admin/users/routes.py
@@ -273,6 +273,9 @@ class AdminListUsersAdapter(AdminApiAdapter):
                "email": u.email,
                "username": u.username,
                "role": u.role.value,
+                "allowed_providers": u.allowed_providers,
+                "allowed_endpoints": u.allowed_endpoints,
+                "allowed_models": u.allowed_models,
                "quota_usd": u.quota_usd,
                "used_usd": u.used_usd,
                "total_usd": getattr(u, "total_usd", 0),
--- a/src/main.py
+++ b/src/main.py
@@ -355,15 +355,17 @@ app.add_middleware(PluginMiddleware)
 # 生产环境必须通过 CORS_ORIGINS 环境变量显式指定允许的域名
 # 开发环境默认允许本地前端访问
 if config.cors_origins:
+    # CORS_ORIGINS=* 时自动禁用 credentials（浏览器规范要求）
+    allow_credentials = config.cors_allow_credentials and "*" not in config.cors_origins
    app.add_middleware(
        CORSMiddleware,
        allow_origins=config.cors_origins,  # 使用配置的白名单
-        allow_credentials=config.cors_allow_credentials,
+        allow_credentials=allow_credentials,
        allow_methods=["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"],
        allow_headers=["*"],
        expose_headers=["*"],
    )
-    logger.info(f"CORS已启用,允许的源: {config.cors_origins}")
+    logger.info(f"CORS已启用,允许的源: {config.cors_origins}, credentials: {allow_credentials}")
 else:
    # 没有配置CORS源,不允许跨域
    logger.warning(