Merge pull request #14 from database-playground/pan93412/dbp-88-任意使用者都能使用-ai

pan93412 · web-flow · commit 1650072ac2db · 2025-10-05T03:25:19.000+08:00
fix(chat): disallow users without "ai" scope to use AI
diff --git a/app/api/chat/route.ts b/app/api/chat/route.ts
@@ -72,7 +72,7 @@ interface ChatRouteRequest {
 }
 
 export async function POST(req: Request) {
-  const authorized = await checkAuthorizedStatus();
+  const authorized = await checkAuthorizedStatus(["*", "ai"]);
   if (!authorized) {
     return new NextResponse("Unauthorized", { status: 401 });
   }
diff --git a/lib/auth.rsc.ts b/lib/auth.rsc.ts
@@ -17,17 +17,26 @@ export async function redirectIfAuthenticated(): Promise<void> {
   redirect("/");
 }
 
-export async function checkAuthorizedStatus(): Promise<boolean> {
+export async function checkAuthorizedStatus(requiredScopes?: string[]): Promise<boolean> {
   const token = await getAuthToken();
   if (!token) {
     return false;
   }
 
-  const loggedIn = await getAuthStatus(token)
-    .then(result => result.loggedIn)
-    .catch(() => false);
+  const authStatus = await getAuthStatus(token);
+
+  if (!authStatus.loggedIn || !authStatus.introspectResult?.active) {
+    return false;
+  }
+
+  // check if the token has the required scope
+  if (requiredScopes) {
+    for (const scope of requiredScopes) {
+      if (authStatus.introspectResult?.scope.includes(scope)) {
+        return true;
+      }
+    }
 
-  if (!loggedIn) {
     return false;
   }
 

Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,7 @@ interface ChatRouteRequest {`
`72`	`72`	`}`
`73`	`73`
`74`	`74`	`export async function POST(req: Request) {`
`75`		`- const authorized = await checkAuthorizedStatus();`
	`75`	`+ const authorized = await checkAuthorizedStatus(["*", "ai"]);`
`76`	`76`	`if (!authorized) {`
`77`	`77`	`return new NextResponse("Unauthorized", { status: 401 });`
`78`	`78`	`}`