fix(proxy): 模型列表端点不再被 openai_chat_compatible 能力误拦#202
Merged
Conversation
GET /v1/models 是发现类端点,原先被硬编码判定为 openai_chat_compatible 能力,并在授权拦截之后才执行本地模型列表处理。导致仅绑定 Codex 形态上游 (openai_responses / codex_cli_responses)的密钥即便能正常调用模型,也会 在列模型时收到 403 NO_AUTHORIZED_UPSTREAMS,形成“能用却列不出”的矛盾。 将本地模型列表短路逻辑前移到能力授权拦截之前,并按密钥实际授权的全部 active 上游(不限能力)过滤可见模型。只要密钥配置了 allowed_models 且至少 有一个授权 active 上游,即本地返回模型列表,与具体路由能力解耦。 补充回归测试:密钥仅绑定不支持 openai_chat_compatible 的上游时,GET /v1/models 返回 200 本地列表而非 403。
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #202 +/- ##
==========================================
- Coverage 74.45% 74.44% -0.01%
==========================================
Files 160 160
Lines 11626 11626
Branches 3982 3982
==========================================
- Hits 8656 8655 -1
Misses 1731 1731
- Partials 1239 1240 +1
🚀 New features to boost your workflow:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
修复一个生产环境暴露的矛盾:仅绑定 Codex 形态上游(
openai_responses/codex_cli_responses)的密钥能够正常调用模型,但调用GET /v1/models列模型时却返回403 NO_AUTHORIZED_UPSTREAMS。根因是模型列表这个发现类端点被硬编码判定为openai_chat_compatible能力,并且本地模型列表处理逻辑被放在了能力授权拦截之后,导致非 chat 能力的密钥永远走不到本应为它服务的本地返回逻辑。Related Issue
无关联 issue,源自生产日志排查(请求
request_id=6614756f,路径models,capabilityCandidatesCount:1/authorizedCapabilityCandidatesCount:0)。Type of Change
Changes
将
src/app/api/proxy/v1/[...path]/route.ts中的「本地模型列表」短路逻辑从能力授权拦截之后前移到之前,并把可见模型的过滤基准从「openai_chat_compatible授权候选」改为「密钥实际授权的全部 active 上游(不限能力)」。行为约定保持收敛:仅当密钥配置了
allowed_models且至少存在一个授权的 active 上游时,才本地返回模型列表;若密钥没有任何授权 active 上游,则继续走原有拦截返回 403,原「无授权上游」语义不变。未配置allowed_models的密钥仍按原逻辑转发上游,不受影响。Test Plan
pnpm test:run tests/unit/api/proxy/route.test.ts(74 passed / 1 skipped),含新增回归用例「密钥仅绑定不支持openai_chat_compatible的上游时,GET /v1/models返回 200 本地列表而非 403」pnpm exec tsc --noEmitChecklist
Additional Notes
并存的次要观察(本 PR 未一并处理,避免扩大改动范围):
NO_AUTHORIZED_UPSTREAMS拦截分支(route.ts 内)只打log.warn后直接return,未调用logRequest落库,因此这类 403 不会出现在管理后台请求日志里,仅存在于容器 stdout。与之相邻的NO_UPSTREAMS_CONFIGURED分支却会落库。这是一处可观测性上的落库不一致,可在后续单独评估是否补齐。