feat(auth): 支持通过令牌hash值直接认证，令牌列表添加复制按钮

认证中间件(RequireAPIAuth)新增双路径验证：先尝试直接匹配hash值，
再尝试SHA256匹配明文。列表API返回完整hash，前端负责脱敏显示并
提供复制按钮，用户可将hash用作API凭证在多设备间复用。

Closes #14

Author: caidaoli

internal/app/admin_auth_tokens.go

@@ -31,10 +31,6 @@ func (s *Server) HandleListAuthTokens(c *gin.Context) {
 		return
 	}
 
-	// 脱敏处理（仅显示前4后4字符）
-	for _, t := range tokens {
-		t.Token = model.MaskToken(t.Token)
-	}
 	if tokens == nil {
 		tokens = make([]*model.AuthToken, 0)
 	}
@@ -270,8 +266,6 @@ func (s *Server) HandleUpdateAuthToken(c *gin.Context) {
 		log.Print("[WARN]  热更新失败: " + err.Error())
 	}
 
-	// 返回脱敏后的令牌信息
-	token.Token = model.MaskToken(token.Token)
 	RespondJSON(c, http.StatusOK, token)
 }
 

internal/app/auth_middleware_test.go

@@ -282,6 +282,68 @@ func TestRequireTokenAuth_NoBearerPrefix(t *testing.T) {
 	}
 }
 
+func TestRequireAPIAuth_HashDirectMatch(t *testing.T) {
+	t.Parallel()
+	svc := newTestAuthService(t)
+	injectAPIToken(svc, "plaintext-token", 0, 10)
+
+	// 计算hash，用hash值作为Bearer token发送
+	hash := model.HashToken("plaintext-token")
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+	req.Header.Set("Authorization", "Bearer "+hash)
+
+	w := runMiddleware(t, svc.RequireAPIAuth(), req)
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+
+	// 验证 context 中的 token_hash 和 token_id
+	var resp map[string]any
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("unmarshal response: %v", err)
+	}
+	if got, ok := resp["token_hash"].(string); !ok || got != hash {
+		t.Fatalf("expected token_hash=%s, got=%v", hash, resp["token_hash"])
+	}
+	if got, ok := resp["token_id"].(float64); !ok || int64(got) != 10 {
+		t.Fatalf("expected token_id=10, got=%v", resp["token_id"])
+	}
+}
+
+func TestRequireAPIAuth_HashExpired(t *testing.T) {
+	t.Parallel()
+	svc := newTestAuthService(t)
+	expiredAt := time.Now().Add(-time.Hour).UnixMilli()
+	injectAPIToken(svc, "expired-plain", expiredAt, 20)
+
+	// 用hash值作为Bearer token发送
+	hash := model.HashToken("expired-plain")
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+	req.Header.Set("Authorization", "Bearer "+hash)
+
+	w := runMiddleware(t, svc.RequireAPIAuth(), req)
+	if w.Code != http.StatusUnauthorized {
+		t.Fatalf("expected 401, got %d: %s", w.Code, w.Body.String())
+	}
+
+	// 验证响应包含 "token expired"
+	var resp map[string]string
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("unmarshal response: %v", err)
+	}
+	if resp["error"] != "token expired" {
+		t.Fatalf("expected 'token expired' error, got: %s", resp["error"])
+	}
+
+	// 验证懒惰删除：hash应已从内存中移除
+	svc.authTokensMux.RLock()
+	_, stillExists := svc.authTokens[hash]
+	svc.authTokensMux.RUnlock()
+	if stillExists {
+		t.Fatal("expected expired token to be lazily deleted from memory")
+	}
+}
+
 // TestRequireAPIAuth_TokenPriority 验证 token 提取优先级（Bearer > X-API-Key > x-goog-api-key > query）
 func TestRequireAPIAuth_TokenPriority(t *testing.T) {
 	t.Parallel()

internal/app/auth_service.go

@@ -316,11 +316,16 @@ func (s *AuthService) RequireAPIAuth() gin.HandlerFunc {
 			return
 		}
 
-		// 计算令牌哈希并验证
-		tokenHash := model.HashToken(token)
-
+		// 双路径验证：先尝试直接匹配（客户端发送的是hash值），再尝试SHA256匹配（客户端发送的是明文）
 		s.authTokensMux.RLock()
-		expiresAt, exists := s.authTokens[tokenHash]
+		var tokenHash string
+		expiresAt, exists := s.authTokens[token]
+		if exists {
+			tokenHash = token
+		} else {
+			tokenHash = model.HashToken(token)
+			expiresAt, exists = s.authTokens[tokenHash]
+		}
 		tokenID, hasTokenID := s.authTokenIDs[tokenHash]
 		s.authTokensMux.RUnlock()
 

web/assets/js/tokens.js

@@ -89,6 +89,13 @@
       container.addEventListener('click', (e) => {
         const target = e.target;
 
+        // 处理复制令牌按钮
+        if (target.classList.contains('btn-copy-token')) {
+          const tokenHash = target.dataset.token;
+          if (tokenHash) copyTokenToClipboard(tokenHash);
+          return;
+        }
+
         // 处理编辑按钮
         if (target.classList.contains('btn-edit')) {
           const row = target.closest('tr');
@@ -154,7 +161,7 @@
             <th style="text-align: center;">${t('tokens.table.streamAvg')}</th>
             <th style="text-align: center;">${t('tokens.table.nonStreamAvg')}</th>
             <th>${t('tokens.table.lastUsed')}</th>
-            <th style="width: 200px;">${t('tokens.table.actions')}</th>
+            <th style="width: 260px;">${t('tokens.table.actions')}</th>
           </tr>
         </thead>
       `;
@@ -217,10 +224,15 @@
       const nonStreamAvgHtml = buildResponseTimeHtml(token.non_stream_avg_rt, token.non_stream_count);
 
       // 使用模板引擎渲染
+      const maskedToken = token.token.length > 8
+        ? token.token.substring(0, 4) + '****' + token.token.slice(-4)
+        : token.token;
+
       return TemplateEngine.render('tpl-token-row', {
         id: token.id,
         description: token.description,
         token: token.token,
+        maskedToken: maskedToken,
         statusClass: status.class,
         createdAt: createdAt,
         createdLabel: t('tokens.createdSuffix'),
@@ -425,11 +437,15 @@
       const streamAvgHtml = buildResponseTimeHtml(token.stream_avg_ttfb, token.stream_count);
       const nonStreamAvgHtml = buildResponseTimeHtml(token.non_stream_avg_rt, token.non_stream_count);
 
+      const maskedToken = token.token.length > 8
+        ? token.token.substring(0, 4) + '****' + token.token.slice(-4)
+        : token.token;
+
       return `
         <tr data-token-id="${token.id}">
           <td style="font-weight: 500;">${escapeHtml(token.description)}</td>
           <td>
-            <div><span class="token-display token-display-${status.class}">${escapeHtml(token.token)}</span></div>
+            <div><span class="token-display token-display-${status.class}">${escapeHtml(maskedToken)}</span></div>
             <div style="font-size: 12px; color: var(--neutral-500); margin-top: 4px;">${createdAt}${t('tokens.createdSuffix')} · ${expiresAt}</div>
           </td>
           <td style="text-align: center;">${callsHtml}</td>
@@ -440,7 +456,8 @@
           <td style="text-align: center;">${streamAvgHtml}</td>
           <td style="text-align: center;">${nonStreamAvgHtml}</td>
           <td style="color: var(--neutral-600);">${lastUsed}</td>
-          <td>
+          <td style="white-space: nowrap;">
+            <button class="btn-copy-token btn btn-secondary" style="padding: 4px 12px; font-size: 13px; margin-right: 4px;" data-token="${escapeHtml(token.token)}">${t('common.copy')}</button>
             <button class="btn btn-secondary btn-edit" style="padding: 4px 12px; font-size: 13px; margin-right: 4px;">${t('common.edit')}</button>
             <button class="btn btn-danger btn-delete" style="padding: 4px 12px; font-size: 13px;">${t('common.delete')}</button>
           </td>
@@ -520,10 +537,27 @@
       const textarea = document.getElementById('newTokenValue');
       textarea.select();
       document.execCommand('copy');
-      
+
       window.showNotification(t('tokens.msg.copySuccess'), 'success');
     }
 
+    function copyTokenToClipboard(hash) {
+      navigator.clipboard.writeText(hash).then(() => {
+        window.showNotification(t('tokens.msg.copySuccess'), 'success');
+      }).catch(() => {
+        // fallback
+        const textarea = document.createElement('textarea');
+        textarea.value = hash;
+        textarea.style.position = 'fixed';
+        textarea.style.opacity = '0';
+        document.body.appendChild(textarea);
+        textarea.select();
+        document.execCommand('copy');
+        document.body.removeChild(textarea);
+        window.showNotification(t('tokens.msg.copySuccess'), 'success');
+      });
+    }
+
     function closeTokenResultModal() {
       document.getElementById('tokenResultModal').style.display = 'none';
       document.getElementById('newTokenValue').value = '';

web/tokens.html

@@ -317,7 +317,7 @@ <h2 style="margin: 0; font-size: 18px;" data-i18n="tokens.importModelTitle">手
     <tr data-token-id="{{id}}">
       <td style="font-weight: 500;">{{description}}</td>
       <td>
-        <div><span class="token-display token-display-{{statusClass}}">{{token}}</span></div>
+        <div><span class="token-display token-display-{{statusClass}}">{{maskedToken}}</span></div>
         <div style="font-size: 12px; color: var(--neutral-500); margin-top: 4px;">{{createdAt}}{{createdLabel}} · {{expiresAt}}</div>
       </td>
       <td style="text-align: center;">{{{callsHtml}}}</td>
@@ -328,7 +328,8 @@ <h2 style="margin: 0; font-size: 18px;" data-i18n="tokens.importModelTitle">手
       <td style="text-align: center;">{{{streamAvgHtml}}}</td>
       <td style="text-align: center;">{{{nonStreamAvgHtml}}}</td>
       <td style="color: var(--neutral-600);">{{lastUsed}}</td>
-      <td>
+      <td style="white-space: nowrap;">
+        <button class="btn-copy-token btn btn-secondary" style="padding: 4px 12px; font-size: 13px; margin-right: 4px;" data-token="{{token}}" data-i18n="common.copy">复制</button>
         <button class="btn btn-secondary btn-edit" style="padding: 4px 12px; font-size: 13px; margin-right: 4px;" data-i18n="common.edit">编辑</button>
         <button class="btn btn-danger btn-delete" style="padding: 4px 12px; font-size: 13px;" data-i18n="common.delete">删除</button>
       </td>