refactor(auth): replace cookie with localStorage for token storage

Author: 夏一飞

app/api/v1/models/route.ts

@@ -71,7 +71,7 @@ export async function GET() {
         return {
           id: item.id,
           name: item.name,
-          imageUrl: item.info?.meta?.profile_image_url || "/openwebui.png",
+          imageUrl: item.info?.meta?.profile_image_url || "/static/favicon.png",
           input_price: priceInfo.input_price,
           output_price: priceInfo.output_price,
         };

app/components/Header.tsx

@@ -40,7 +40,7 @@ export default function Header() {
   };
 
   useEffect(() => {
-    const token = getAccessToken();
+    const token = localStorage.getItem("access_token");
     setAccessToken(token);
 
     if (!token) {
@@ -73,10 +73,6 @@ export default function Header() {
   };
 
   const handleLogout = () => {
-    document.cookie =
-      "access_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT";
-    document.cookie =
-      "auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT";
     localStorage.removeItem("access_token");
     window.location.href = "/token";
   };

app/token/page.tsx

@@ -12,7 +12,6 @@ export default function TokenPage() {
   const [showToken, setShowToken] = useState(false);
 
   const handleSubmit = async (e: React.FormEvent) => {
-    // 阻止表单默认提交行为
     e.preventDefault();
 
     if (!token.trim()) {
@@ -22,8 +21,8 @@ export default function TokenPage() {
 
     setLoading(true);
     try {
-      // 将令牌存储在 cookie 中
-      document.cookie = `access_token=${token}; path=/`;
+      // 将令牌存储在 localStorage 中而不是 cookie
+      localStorage.setItem("access_token", token);
 
       // 尝试访问 API 验证令牌
       const res = await fetch("/api/config", {
@@ -34,20 +33,17 @@ export default function TokenPage() {
 
       if (res.ok) {
         message.success("令牌验证成功");
-        // 等待消息显示完成后再跳转
         setTimeout(() => {
           window.location.href = "/";
         }, 500);
       } else {
         message.error("无效的访问令牌");
-        document.cookie =
-          "access_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT";
+        localStorage.removeItem("access_token");
       }
     } catch (error) {
       console.error("验证失败:", error);
       message.error("验证失败");
-      document.cookie =
-        "access_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT";
+      localStorage.removeItem("access_token");
     } finally {
       setLoading(false);
     }

middleware.ts

@@ -5,7 +5,6 @@ const API_KEY = process.env.API_KEY;
 const ACCESS_TOKEN = process.env.ACCESS_TOKEN;
 
 export async function middleware(request: NextRequest) {
-  // console.log("中间件处理路径:", request.nextUrl.pathname);
   const { pathname } = request.nextUrl;
 
   // 只验证 inlet/outlet/test API 请求
@@ -28,7 +27,6 @@ export async function middleware(request: NextRequest) {
       return NextResponse.json({ error: "无效的API密钥" }, { status: 401 });
     }
 
-    // API 密钥验证通过后直接返回
     return NextResponse.next();
   } else if (!pathname.startsWith("/api/")) {
     // 页面访问验证
@@ -37,22 +35,27 @@ export async function middleware(request: NextRequest) {
       return NextResponse.json({ error: "服务器配置错误" }, { status: 500 });
     }
 
-    const token = request.cookies.get("access_token")?.value;
-
     // 如果是令牌验证页面，直接允许访问
     if (pathname === "/token") {
       return NextResponse.next();
     }
 
-    if (!token || token !== ACCESS_TOKEN) {
-      console.log("访问令牌无效,重定向到令牌验证页");
-      return NextResponse.redirect(new URL("/token", request.url));
-    }
+    // 添加 no-store 和 no-cache 头，防止 Cloudflare 缓存
+    const response = NextResponse.next();
+    response.headers.set(
+      "Cache-Control",
+      "no-store, no-cache, must-revalidate, proxy-revalidate"
+    );
+    response.headers.set("Pragma", "no-cache");
+    response.headers.set("Expires", "0");
+
+    return response;
   }
 
   return NextResponse.next();
 }
 
+// 配置中间件匹配的路由
 export const config = {
-  matcher: ["/((?!api/auth|_next/static|_next/image|favicon.ico).*)"],
+  matcher: ["/((?!_next/static|_next/image|favicon.ico).*)"],
 };