Implement proper auth, add Dockerfile, allow prioritizing accounts and log request IP #23
Xh4H wants to merge 11 commits into snipeship:main
### Dashboard Authentication

The web dashboard (`/dashboard`) requires authentication:

Why enforce auth? I'm running it in a private network & I'd expect lots would also - requiring auth might be a PITA.
I think the best way to go would be:
- Optional auth (toggle through config/env with a boolean `AUTH_REQUIRED`)
- Ability to create API keys for the `/v1/messages` endpoint
  - Track the usage of each key
  - Helps track usage across multiple machines
- Also - for sure, if you're going to run it in public, I would suggest putting it behind an API key

Thoughts?

Auth is enforced to access dashboard and endpoints, although using it through Claude Code is still available with no authentication.
I would be fine with a toggle for an optional auth for those who are using ccflare for themselves, but I'd be happy if auth was set by default, as this tool has certain important capabilities which should be somewhat protected.
In my case, we are running a PoC in my company, and we have it currently over my fork, and having auth is a must have!
About the messages endpoint, I am not very familiar with it, although by looking at the docs, it makes sense to be able to create API keys, and be able to track their usage.
Happy to discuss further!

I am against forcing auth, strongly. Optional is fine. I run tailscale, I would never expose this and don't need auth. I imagine my config is like the majority.

Thanks for the suggestions, folks. I've made the auth disabled by default, switchable with an environment variable.
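
The design the thread converged on (auth off by default, switched on by an environment variable, per-key usage tracking for `/v1/messages`, request IP recorded) can be sketched as below. This is an added example, not code from this PR or from ccflare: `AUTH_REQUIRED` is the name suggested in the review, while the `x-api-key` header, the `<id>.<secret>` key format, the in-memory key table and the fail-closed handling of unrecognised toggle values are assumptions.

```javascript
// Added example (not ccflare code). Names other than AUTH_REQUIRED are assumptions.

// Unset means auth is off (the default agreed in the thread). A value that is
// set but not a recognised "off" spelling enables auth, so a typo such as
// "ture" fails closed instead of silently leaving the proxy open.
function authRequired(env) {
  const raw = env.AUTH_REQUIRED;
  if (raw === undefined || raw === "") return false;
  const v = String(raw).trim().toLowerCase();
  return !["0", "false", "no", "off"].includes(v);
}

// Compare two strings without an early exit on the first differing character.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  }
  return diff === 0;
}

// keys: Map of key id -> { secret, uses, lastIp } (hypothetical shape; a real
// store would keep only a hash of each secret). Clients send "<id>.<secret>".
function authorize(req, env, keys) {
  if (!authRequired(env)) return { ok: true, keyId: null };
  const presented = req.headers["x-api-key"] || "";
  const dot = presented.indexOf(".");
  const id = dot > 0 ? presented.slice(0, dot) : "";
  const record = keys.get(id);
  // Run the comparison even for unknown ids so both failures take one path.
  const expected = record ? record.secret : "\u0000";
  const match = constantTimeEqual(presented.slice(dot + 1), expected);
  if (!record || !match) return { ok: false, status: 401, keyId: null };
  record.uses += 1;        // per-key usage tracking
  record.lastIp = req.ip;  // request IP, as logged by this PR
  return { ok: true, keyId: id };
}
```
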
…ip#23)

* feat: remove 5h session tracking for non-Anthropic providers

This PR removes the 5-hour session tracking for non-Anthropic providers while maintaining the correct behavior for Anthropic providers. This addresses the requirement to allow pay-as-you-go providers (API-key-based, OpenAI-compatible, etc.) to operate without unnecessary session windows.

### Changes
- Update SessionStrategy to only apply fixed duration for providers that require session tracking (currently only Anthropic)
- Create provider-specific session tracking configuration
- Add requiresSessionDurationTracking function for extensibility
- Update constants to be more specific to Anthropic usage
- Update documentation to reflect provider-specific behavior
- Maintain all Anthropic-specific functionality (usage window alignment, auto-fallback, etc.)
- Prepare system for future providers with usage windows

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

* refactor: improve code quality and type safety
- Use Object.hasOwn() for safer property checking in requiresSessionDurationTracking
- Extract session checking logic into a private hasActiveSession helper method
- Improve type safety with explicit boolean casting
- Clarify comment for SESSION_DURATION_DEFAULT constant to indicate it's only used by Anthropic providers

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

* fix: address code quality issues and session behavior
- Clarify SESSION_DURATION_DEFAULT constant comment to indicate it's for backward compatibility only
- Remove conflicting 'as const' assertion from PROVIDER_SESSION_TRACKING_CONFIG to fix type safety
- Fix session continuity issue for non-Anthropic providers: they no longer have persistent sessions since they are pay-as-you-go and don't benefit from session stickiness, allowing proper load distribution based on priority and availability

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

* improve: enhance code quality and maintainability
- Improve hasActiveSession method with early returns for better readability
- Add deprecation notice for SESSION_DURATION_DEFAULT constant
- Add documentation note about provider configuration completeness
- Refine session logic to be more explicit about provider-specific behavior

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

* fix: address high-priority race condition and add improvements
- Fix potential race condition in tests by comparing timestamps against original values instead of 0
- Simplify provider checking logic with more explicit conditional structure
- Add test for unknown providers to verify graceful handling
- Improve JSDoc documentation for provider configuration with usage context
- Enhance test coverage for edge cases

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

* improve: add logging, documentation, and type safety enhancements
- Add debug logging for session tracking decisions to help with debugging
- Add JSDoc comments to hasActiveSession method for better code documentation
- Fix variable name shadowing in documentation (requiresSessionTracking -> needsSessionTracking)
- Improve PROVIDER_SESSION_TRACKING_CONFIG type safety with 'satisfies' assertion
- Update documentation to reflect improved code examples

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

* improve: address code quality and performance concerns
- Replace magic number with explicit calculation for ANTHROPIC_SESSION_DURATION_FALLBACK
- Enhance deprecation notice for SESSION_DURATION_DEFAULT with more detailed information
- Address logging verbosity by moving debug logs to strategic locations to avoid per-account logging
- Maintain debug insights while reducing log noise in high-volume scenarios

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

* improve: add provider validation and clarify fallback behavior
- Add validation for provider names in requiresSessionDurationTracking to catch typos early
- Add explanatory comment about fallback behavior in config handler to clarify why ANTHROPIC_SESSION_DURATION_FALLBACK is used
- The validation will warn about unknown providers while defaulting to no session tracking

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

* Updated workflow scripts.

* feat: separate anthropic oauth and console api accounts with distinct session behavior
- Add new 'claude-console-api' provider for Anthropic console accounts
- Update session management to treat OAuth vs Console accounts differently
- OAuth accounts: rate limit window tracking only (no fixed duration)
- Console API accounts: no session tracking (pay-as-you-go)
- Add database migration to update existing console accounts
- Update account creation flows to use correct providers
- Add tests for new provider behavior

* refactor: consolidate duplicate provider checks into utility functions
- Create provider-utils.ts with consolidated provider-specific logic
- Replace duplicate provider checks in web UI components with utility functions
- Improve maintainability by centralizing provider behavior logic
- Maintain all existing functionality while reducing code duplication

* refactor: improve type safety and logging in requiresSessionDurationTracking
- Replace unsafe 'as any' cast with type-safe validation
- Use Object.values().some() for proper provider validation
- Enhance warning message with security context
- Add comprehensive JSDoc with security through default denial explanation
- Maintain security by defaulting unknown providers to false

* refactor: add type guard for provider validation
- Add isKnownProvider type guard function for cleaner provider validation
- Replace manual validation with the type guard in requiresSessionDurationTracking
- Improve type safety and code readability
- Follow TypeScript best practices for type guards

* feat: add missing providers and improve type safety
- Add missing MINIMAX and ANTHROPIC_COMPATIBLE providers to constants
- Update ACCOUNT_MODES to include new providers
- Update getProviderFromMode to handle new modes
- Update provider configuration sets (OAUTH, USAGE_TRACKING, API_KEY)
- Update session tracking config for new providers
- Add type guard usage to all provider validation functions
- Add default endpoint for minimax provider
- Fix type safety in isKnownProvider function
- Consolidate duplicate provider checks into utility functions

* docs: update documentation and centralize provider configuration
- Create dedicated provider-config.ts module for provider configuration
- Move PROVIDER_SESSION_TRACKING_CONFIG to centralized module
- Update README.md to reflect new provider types and Claude account separation
- Add documentation for Claude OAuth vs Claude Console API account differences
- Update account mode documentation to include new providers
- Maintain type safety while avoiding circular dependencies

* feat: enhance provider configuration with detailed interface and centralized management
- Create detailed ProviderConfig interface with multiple features (requiresSessionTracking, supportsUsageTracking, supportsOAuth, defaultEndpoint)
- Centralize provider configuration in provider-config.ts module
- Update load-balancer strategies to use PROVIDER_NAMES constants instead of hardcoded strings
- Update dashboard-web provider-utils to use centralized configuration
- Update documentation in README.md and CLAUDE.md to reflect new provider behaviors
- Enhance type safety and avoid circular dependencies in configuration modules
- Update migration logic to properly handle Claude OAuth vs Claude Console API accounts

* fix: resolve circular dependency in provider configuration
- Fix circular dependency between constants.ts and provider-config.ts
- Move PROVIDER_NAMES and related definitions to provider-config.ts to avoid circular imports
- Update constants.ts to import and re-export from provider-config.ts
- Enhance migration robustness with database transactions for atomicity
- Separate file system operations from database operations in migrations
- Prevent multiple backups per migration run
- Maintain all existing functionality while fixing initialization issues

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

* docs: add migration guide and enhance documentation
- Add comprehensive v2 to v3 migration guide
- Add migration notes to load-balancing documentation
- Enhance JSDoc for hasActiveSession method with detailed explanation
- Update documentation index to include migration guide
- Include inline-worker.ts changes

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

---------
Co-authored-by: Claude <noreply@anthropic.com>

In this PR you will find multiple additions: