✨ feat: LobeChat OpenAPI

[MarioJames]

💻 变更类型 | Change Type

• ✨ feat
• 🐛 fix
• ♻️ refactor
• 💄 style
• 👷 build
• ⚡️ perf
• 📝 docs
• 🔨 chore

🔀 变更说明 | Description of Change

新增 OpenAPI v1 版本接口

架构设计

在 LobeChat 中继承轻量化框架 Hono
通过在 api/v1 下创建拦截式路由实现请求的接收，目录结构如下

|── v1
│   |── [[...route]] // 拦截路由，将请求拦截后转发到 _hono 的总入口
│  |── _hono // hono 应用
│   |── app.ts // 总入口
│   |── common // 公共库，存放一些基类
│   |── constant // 常量
│   |── controllers // controller
│   |── helpers // 工具函数
│   |── middleware // 中间件，登录态、rbac 权限管理等
│   |── routes // 路由注册
│   |── services // service
│   |── types // 类型定义

如何新增一个模块

1. 在 routes 目录下新增一个路由文件，在 routes/index.ts 中注册该路由文件
2. 在 controllers 下新增一个控制器文件，继承 common/base.controller.ts，提供了基础的数据库实例注入、请求参数转换、操作请求响应等能力
3. 在 services 下新增相应的服务文件，继承 common/base.service.ts，提供了统一的日志、rbac 细粒度权限管理、各种类型的抛错等能力

如何调用

可以通过 Postman/Apifox 等工具通过调用 /api/v1/ 相关接口实现调用

开发自测

为了方便在本地测试接口，提供了新的环境变量： MOCK_DEV_USER_ID

1. 在 .env 文件中配置 MOCK_DEV_USER_ID 为特定的用户
2. 请求时携带特定的请求头 lobe-auth-dev-backend-api: 1

middleware/auth 中间件会自动放行，并将 userId 放到相应的上下文中

鉴权逻辑

目前仅支持通过 OIDC JWT Token 的鉴权方式，用户可以将第三方客户端接入 LobeChat 提供的标准化 OIDC Provider
通过获取到授权方的 IdToken 信息，在调用接口时，通过 Authorization: Bearer {id_token} 的方式传递
中间件会对请求合法性进行校验 通过后会将对应的用户信息注入到请求上下文中

📝 补充信息 | Additional Information

在接口中因为涉及到一些联表查询，因此在 src/database/schemas/relations.ts 中添加了所需的关联关系维护

Summary by Sourcery

Add OpenAPI v1 endpoints using Hono to expose a fully featured backend API with authentication and RBAC, extend database schema, and enhance file, session, agent, user, message, topic, model, chat, and search services

New Features:

• Introduce Hono-based /api/v1 routes for versioned HTTP API
• Implement file management endpoints (upload, batch upload, public upload, parse, pre­signed URLs, listing, deletion)
• Add full CRUD support for sessions, agents, users, topics, messages, translations, models, and chat operations
• Enable OIDC JWT authentication with mock dev mode and RBAC enforcement
• Expose model and provider configuration, search, and AI chat translation services

Enhancements:

• Extend database schemas with new relations for users, messages (translation/tts/files), agents, sessions, AI providers and models
• Add skipAgentCreation flag in SessionModel to control agent creation
• Add S3.getPublicUrl method for generating public file URLs
• Refine placeholder parser formatting and ensure local temp directories exist

Build:

• Add dependencies: hono, @hono/zod-validator, Google AI SDKs

Documentation:

• Provide OpenAPI.md documentation for v1 API architecture and usage

[vercel]

Someone is attempting to deploy a commit to the LobeHub OSS Team on Vercel.

A member of the Team first needs to authorize it.

[sourcery-ai]

Reviewer's Guide

This PR introduces a full OpenAPI v1 interface built on Hono.js under api/v1, expands database relations, refactors session creation logic, and adds a comprehensive file‐upload/S3 service, alongside parser and minor formatting fixes.

ER diagram for expanded database relations (messages, users, sessions, files, AI infra)

erDiagram
  USERS ||--o{ SESSIONS : "has"
  USERS ||--o{ AI_PROVIDERS : "has"
  USERS ||--o{ AI_MODELS : "has"
  SESSIONS ||--o{ MESSAGES : "has"
  SESSIONS ||--o{ FILES_TO_SESSIONS : "has"
  SESSIONS }o--|| SESSION_GROUPS : "belongs to"
  SESSIONS }o--|| USERS : "belongs to"
  MESSAGES ||--o{ MESSAGES_FILES : "has"
  MESSAGES }o--|| SESSIONS : "belongs to"
  MESSAGES }o--|| USERS : "belongs to"
  MESSAGES }o--|| THREADS : "belongs to"
  MESSAGES }o--|| MESSAGE_TRANSLATES : "has translation"
  MESSAGES }o--|| MESSAGE_TTS : "has tts"
  MESSAGES_FILES }o--|| FILES : "file"
  MESSAGES_FILES }o--|| MESSAGES : "message"
  AI_PROVIDERS ||--o{ AI_MODELS : "has"
  AI_PROVIDERS }o--|| USERS : "belongs to"
  AI_MODELS }o--|| AI_PROVIDERS : "provider"
  AI_MODELS }o--|| USERS : "belongs to"
  FILES_TO_SESSIONS }o--|| FILES : "file"
  FILES_TO_SESSIONS }o--|| SESSIONS : "session"
  MESSAGE_TRANSLATES }o--|| MESSAGES : "message"
  MESSAGE_TTS }o--|| MESSAGES : "message"

Loading

Class diagram for new and updated backend service classes (AgentService, SessionService, FileUploadService)

classDiagram
  class BaseService {
    <<abstract>>
    +db: LobeChatDatabase
    +userId: string
    +resolveQueryPermission()
    +createAuthError()
    +createAuthorizationError()
    +log()
  }
  class AgentService {
    +getAllAgents()
    +createAgent()
    +updateAgent()
    +deleteAgent()
    +getAgentById()
    +getAgentBySessionId()
    +migrateAgentSessions()
    +createSessionForAgent()
    +getAgentSessions()
    +linkAgentSession()
    +unlinkAgentSession()
    +batchLinkAgentSessions()
    +batchDeleteAgents()
    +batchUpdateAgents()
  }
  class SessionService {
    +getSessions()
    +getGroupedSessions()
    +getSessionsGroupedByAgent()
    +getSessionCountGroupedByAgent()
    +getSessionById()
    +getSessionConfig()
    +createSession()
    +updateSession()
    +deleteSession()
    +cloneSession()
    +searchSessions()
    +batchGetSessions()
    +batchUpdateSessions()
  }
  class FileUploadService {
    +uploadFile()
    +uploadFiles()
    +createPreSignedUrl()
    +getFileList()
    +getFileDetail()
    +getFileUrl()
    +uploadPublicFile()
    +getPermanentFileUrl()
    +parseFile()
    +deleteFile()
    +getFileAndParse()
    +uploadAndParseFile()
    +createFileSessionRelation()
    +batchGetFiles()
  }
  AgentService --|> BaseService
  SessionService --|> BaseService
  FileUploadService --|> BaseService

Loading

Class diagram for updated message types (MessageItem, MessageTranslateItem)

classDiagram
  class MessageItem {
    +createdAt: Date
    +error: any | null
    +favorite: boolean | null
    +files: string[] | null
    +id: string
    +metadata?: MessageMetadata | null
    +model: string | null
    ...
  }
  class MessageTranslateItem {
    ...
  }

Loading

File-Level Changes

Change	Details	Files
Add Hono-based API v1 layer with routes, controllers, services, middleware and OpenAPI doc	New api/v1/_hono folder containing base controller/service, typed routes, CRUD controllers and services for files, sessions, agents, users, messages, topics, models, RBAC Middleware for OIDC auth and permission checks using a unified BaseController Routes registered via Hono with zod validation and RBAC scopes OpenAPI.md overview documentation Package.json updated with Hono and related dependencies	src/app/(backend)/api/v1/_hono/**/* .claude/OpenAPI.md package.json
Expand and adjust database schema relations	Add new one/many relations for messagesFiles, messageTranslates, messageTTS, sessions→user Restore and restructure messagesFilesRelations and add usersRelations Define AI infrastructure relations for aiProviders and aiModels Add new type exports for MessageItem and MessageTranslateItem	src/database/schemas/relations.ts src/database/schemas/message.ts
Refactor session creation to support skipAgentCreation	Introduce skipAgentCreation flag in SessionModel.create signature Wrap agent insertion logic under skip check and conditionally create agentsToSessions link Simplify update method removal of userId filter Clean up map return in queryWithGroups	src/database/models/session.ts
Implement file upload and S3 service enhancements	Add getPublicUrl method in S3 module to support public-read buckets and custom domains Create FileUploadService with upload, batch upload, presigned URLs, public upload, parsing, deletion Wire up file controller and routes with multipart/form-data handling	src/server/modules/S3/index.ts src/app/(backend)/api/v1/_hono/services/file.service.ts src/app/(backend)/api/v1/_hono/controllers/file.controller.ts src/app/(backend)/api/v1/_hono/routes/files.route.ts
Refactor and format placeholder parser utilities	Reorder and restore uuid import Adjust comment block indent and remove unused code Apply consistent arrow‐function spacing and trailing commas in parsePlaceholderVariables and related maps	src/utils/client/parserPlaceholder.ts

Possibly linked issues

• build(deps-dev): bump @types/node from 18.16.13 to 20.2.1 #1: The PR introduces a new API and RBAC system, which directly addresses how user authentication and authorization (including userId handling) are managed in the backend, potentially resolving or being impacted by the AuthObject TypeError.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[gru-agent]

There is too much information in the pull request to test.

[lobehubbot]

👍 @MarioJames

Thank you for raising your pull request and contributing to our Community
Please make sure you have followed our contributing guidelines. We will review it as soon as possible.
If you encounter any problems, please feel free to connect with us.
非常感谢您提出拉取请求并为我们的社区做出贡献，请确保您已经遵循了我们的贡献指南，我们会尽快审查它。
如果您遇到任何问题，请随时与我们联系。

[sourcery-ai]

Hey @MarioJames - I've reviewed your changes and found some issues that need to be addressed.

Blocking issues:

• SQL injection risk in LIKE clause for keyword search. (link)

Prompt for AI Agents

Please address the comments from this code review:
## Individual Comments

### Comment 1
<location> `src/database/schemas/relations.ts:114` </location>
<code_context>
     references: [threads.id],
   }),
+
+  translation: one(messageTranslates, {
+    fields: [messages.id],
+    references: [messageTranslates.id],
+  }),
+
+  tts: one(messageTTS, {
</code_context>

<issue_to_address>
The translation and tts relations use messages.id as the foreign key, which may not match the referenced table's primary key.

Verify that messageTranslates.id and messageTTS.id are meant to match messages.id. If they have independent primary keys, this setup could cause incorrect joins and break referential integrity.
</issue_to_address>

### Comment 2
<location> `src/database/schemas/relations.ts:292` </location>
<code_context>
+  }),
+}));
+
+export const aiModelsRelations = relations(aiModels, ({ one }) => ({
+  provider: one(aiProviders, {
+    fields: [aiModels.providerId, aiModels.userId],
+    references: [aiProviders.id, aiProviders.userId],
+  }),
+  user: one(users, {
+    fields: [aiModels.userId],
+    references: [users.id],
+  }),
+}));
 // Generation 相关关系定义
 export const generationTopicsRelations = relations(generationTopics, ({ one, many }) => ({
</code_context>

<issue_to_address>
aiModelsRelations references both providerId and userId for the provider relation, which may not match the referenced table's primary key.

Please verify that aiProviders has a composite primary key (id, userId) to match this relation. Otherwise, this setup may cause join issues.
</issue_to_address>

### Comment 3
<location> `src/database/models/document.ts:55` </location>
<code_context>
       .where(and(eq(documents.id, id), eq(documents.userId, this.userId)));
   };
+
+  findByFileId = async (fileId: string) => {
+    return this.db.query.documents.findFirst({
+      where: and(eq(documents.fileId, fileId), eq(documents.userId, this.userId)),
+    });
+  };
 }
</code_context>

<issue_to_address>
findByFileId method assumes that fileId is unique per user, which may not be enforced at the database level.

If fileId is not unique per user, this method may return an unintended document. Please ensure uniqueness or document the intended behavior.
</issue_to_address>

<suggested_fix>
<<<<<<< SEARCH
  findByFileId = async (fileId: string) => {
    return this.db.query.documents.findFirst({
      where: and(eq(documents.fileId, fileId), eq(documents.userId, this.userId)),
    });
  };
=======
  /**
   * Finds a document by fileId for the current user.
   * 
   * Note: This method assumes that fileId is unique per user.
   * If multiple documents exist with the same fileId for a user,
   * this will return the first match found. Ensure uniqueness at the
   * database level or handle accordingly.
   */
  findByFileId = async (fileId: string) => {
    return this.db.query.documents.findFirst({
      where: and(eq(documents.fileId, fileId), eq(documents.userId, this.userId)),
    });
  };
>>>>>>> REPLACE

</suggested_fix>

### Comment 4
<location> `src/app/(backend)/api/v1/_hono/services/topic.service.ts:47` </location>
<code_context>
+        whereConditions.push(eq(topics.userId, permissionResult.condition.userId));
+      }
+
+      // 如果有关键词，添加标题的模糊搜索条件
+      if (keyword) {
+        whereConditions.push(sql`${topics.title} LIKE ${`%${keyword}%`}`);
</code_context>

<issue_to_address>
SQL injection risk in LIKE clause for keyword search.

Use parameterized queries or ORM ilike/like functions to prevent SQL injection when handling user input in SQL statements.
</issue_to_address>

### Comment 5
<location> `src/app/(backend)/api/v1/_hono/controllers/session.controller.ts:141` </location>
<code_context>
+      const { id: sessionId } = this.getParams<{ id: string }>(c);
+      const body = await this.getBody<Omit<UpdateSessionRequest, 'id'>>(c);
+
+      console.log('body', body);
+
+      const request: UpdateSessionRequest = {
</code_context>

<issue_to_address>
Remove console.log statement from production code.

Console.log statements can clutter production logs and potentially expose sensitive information. Please remove or use a proper logging mechanism if necessary.
</issue_to_address>

<suggested_fix>
<<<<<<< SEARCH
      console.log('body', body);

      const request: UpdateSessionRequest = {
=======
      const request: UpdateSessionRequest = {
>>>>>>> REPLACE

</suggested_fix>

### Comment 6
<location> `src/app/(backend)/api/v1/_hono/helpers/file.ts:23` </location>
<code_context>
+
+  return {
+    ...file,
+    url: `${publicDomain}/${file.url}`,
+  };
+}
</code_context>

<issue_to_address>
Adding a slash between publicDomain and file.url may result in double slashes if publicDomain ends with a slash.

Normalize slashes to prevent double slashes in the URL when concatenating publicDomain and file.url.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[arvinxx]

revert

[arvinxx]

revert

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 79.79%. Comparing base (6c01f21) to head (20203a9).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8642      +/-   ##
==========================================
+ Coverage   79.75%   79.79%   +0.04%     
==========================================
  Files         822      255     -567     
  Lines       53140    15178   -37962     
  Branches     7118     2895    -4223     
==========================================
- Hits        42381    12112   -30269     
+ Misses      10759     3066    -7693     

Flag	Coverage Δ
app	?
database	?
packages/agent-runtime	62.53% <ø> (ø)
packages/context-engine	62.29% <ø> (ø)
packages/electron-server-ipc	93.76% <ø> (ø)
packages/file-loaders	88.00% <ø> (ø)
packages/model-bank	100.00% <ø> (ø)
packages/model-runtime	76.90% <ø> (ø)
packages/prompts	100.00% <ø> (ø)
packages/utils	94.81% <ø> (ø)
packages/web-crawler	97.07% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
Store	∅ <ø> (∅)
Services	∅ <ø> (∅)
Server	∅ <ø> (∅)
Libs	∅ <ø> (∅)
Utils	93.47% <ø> (+18.47%)	⬆️

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.