fix(provider): 修复 OAuth 流程边界问题

Author: RhoninSeiei

astrbot/core/provider/oauth/openai_oauth.py

@@ -53,16 +53,16 @@ def parse_authorization_input(raw: str) -> tuple[str, str]:
     value = (raw or "").strip()
     if not value:
         raise ValueError("empty input")
-    if "#" in value:
-        code, state = value.split("#", 1)
-        return code.strip(), state.strip()
     if "code=" in value:
         parsed = urlparse(value)
         if parsed.query:
             query = parse_qs(parsed.query)
             return query.get("code", [""])[0].strip(), query.get("state", [""])[0].strip()
         query = parse_qs(value)
         return query.get("code", [""])[0].strip(), query.get("state", [""])[0].strip()
+    if "#" in value:
+        code, state = value.split("#", 1)
+        return code.strip(), state.strip()
     return value, ""
 
 

astrbot/core/provider/sources/openai_oauth_source.py

@@ -35,11 +35,6 @@ def __init__(self, provider_config, provider_settings) -> None:
             patched_config.get("api_base")
             or "https://chatgpt.com/backend-api/codex"
         ).rstrip("/")
-        self.http_client = httpx.AsyncClient(
-            proxy=patched_config.get("proxy") or None,
-            timeout=self.timeout,
-            follow_redirects=True,
-        )
 
     async def get_models(self):
         logger.info(
@@ -69,12 +64,17 @@ async def _request_backend(self, payload: dict[str, Any]) -> dict[str, Any]:
             for key, value in custom_headers.items():
                 headers[str(key)] = str(value)
 
-        response = await self.http_client.post(
-            f"{self.base_url}/responses",
-            headers=headers,
-            json=payload,
-        )
-        raw_text = await response.aread()
+        async with httpx.AsyncClient(
+            proxy=self.provider_config.get("proxy") or None,
+            timeout=self.timeout,
+            follow_redirects=True,
+        ) as client:
+            response = await client.post(
+                f"{self.base_url}/responses",
+                headers=headers,
+                json=payload,
+            )
+            raw_text = await response.aread()
         text = raw_text.decode("utf-8", errors="replace")
         if response.status_code < 200 or response.status_code >= 300:
             raise Exception(self._format_backend_error(response.status_code, text))

astrbot/dashboard/routes/config.py

@@ -2,6 +2,7 @@
 import copy
 import inspect
 import os
+import time
 import traceback
 from pathlib import Path
 from typing import Any
@@ -45,6 +46,7 @@
 )
 
 MAX_FILE_BYTES = 500 * 1024 * 1024
+OPENAI_OAUTH_FLOW_TTL_SECONDS = 10 * 60
 
 
 def try_cast(value: Any, type_: str):
@@ -350,7 +352,7 @@ def __init__(
         self._logo_token_cache = {}  # 缓存logo token，避免重复注册
         self.acm = core_lifecycle.astrbot_config_mgr
         self.ucr = core_lifecycle.umop_config_router
-        self._provider_source_oauth_flows: dict[str, dict[str, str]] = {}
+        self._provider_source_oauth_flows: dict[str, dict[str, Any]] = {}
         self.routes = {
             "/config/abconf/new": ("POST", self.create_abconf),
             "/config/abconf": ("GET", self.get_abconf),
@@ -427,6 +429,25 @@ def _is_openai_oauth_supported_source(self, provider_source: dict) -> bool:
             and provider_source.get("type") == "openai_oauth_chat_completion"
         )
 
+    def _cleanup_expired_provider_source_oauth_flows(self) -> None:
+        now = time.time()
+        expired_source_ids = [
+            source_id
+            for source_id, flow in self._provider_source_oauth_flows.items()
+            if now - float(flow.get("created_at") or 0) > OPENAI_OAUTH_FLOW_TTL_SECONDS
+        ]
+        for source_id in expired_source_ids:
+            self._provider_source_oauth_flows.pop(source_id, None)
+
+    def _create_provider_source_oauth_flow(self) -> dict[str, Any]:
+        flow = create_pkce_flow()
+        flow["created_at"] = time.time()
+        return flow
+
+    def _get_provider_source_oauth_flow(self, source_id: str) -> dict[str, Any] | None:
+        self._cleanup_expired_provider_source_oauth_flows()
+        return self._provider_source_oauth_flows.get(source_id)
+
     async def _reload_provider_source_providers(self, source_id: str) -> list[str]:
         prov_mgr = self.core_lifecycle.provider_manager
         reload_errors = []
@@ -474,7 +495,8 @@ async def start_provider_source_openai_oauth(self):
             _, _, provider_source = self._find_provider_source(source_id)
         if not self._is_openai_oauth_supported_source(provider_source):
             return Response().error("当前 provider source 不支持 OpenAI OAuth").__dict__
-        flow = create_pkce_flow()
+        self._cleanup_expired_provider_source_oauth_flows()
+        flow = self._create_provider_source_oauth_flow()
         self._provider_source_oauth_flows[source_id] = flow
         return Response().ok(
             data={
@@ -489,9 +511,11 @@ async def complete_provider_source_openai_oauth(self):
         auth_input = post_data.get("input") or ""
         if not source_id:
             return Response().error("缺少 source_id").__dict__
-        flow = self._provider_source_oauth_flows.get(source_id)
+        flow = self._get_provider_source_oauth_flow(source_id)
         try:
             _, _, provider_source = self._find_provider_source(source_id)
+            if not self._is_openai_oauth_supported_source(provider_source):
+                return Response().error("当前 provider source 不支持 OpenAI OAuth").__dict__
             token = parse_oauth_credential_json(auth_input)
             if token is None:
                 if not flow: