1

2026-04-26 20:50:58 +08:00
parent a3a9bfa194
commit 67161bd6d1
142 changed files with 3349 additions and 10674 deletions
--- a/server-rs/crates/api-server/src/auth.rs
+++ b/server-rs/crates/api-server/src/auth.rs
@@ -189,7 +189,9 @@ fn extract_bearer_token(headers: &HeaderMap) -> Result<String, AppError> {

 fn allows_internal_forwarded_auth(path: &str) -> bool {
    // Node 代理已经完成平台账号 JWT 校验，Rust 运行时只信任这些明确的内部转发路径。
-    path.starts_with("/api/runtime/big-fish/") || path.starts_with("/api/runtime/puzzle/")
+    path.starts_with("/api/runtime/big-fish/")
+        || path.starts_with("/api/runtime/chat/")
+        || path.starts_with("/api/runtime/puzzle/")
 }

 fn try_build_internal_forwarded_claims(
@@ -282,6 +284,9 @@ mod tests {
        assert!(allows_internal_forwarded_auth(
            "/api/runtime/big-fish/sessions"
        ));
+        assert!(allows_internal_forwarded_auth(
+            "/api/runtime/chat/npc/turn/stream"
+        ));
        assert!(allows_internal_forwarded_auth("/api/runtime/puzzle/works"));
        assert!(!allows_internal_forwarded_auth("/api/auth/me"));
    }