Feat/session token account (#155)

* feat: add session token account import

* feat: use uTLS Chrome fingerprint for session token refresh

* fix: remove session token from refresh token form

---------

Co-authored-by: KYX <kyxjames23@gmail.com>

Author: abwuge

admin/handler.go

@@ -1102,10 +1102,26 @@ func (h *Handler) getAccountUsageWindows(ctx context.Context) (map[int64]*databa
 type addAccountReq struct {
 	Name         string `json:"name"`
 	RefreshToken string `json:"refresh_token"`
+	SessionToken string `json:"session_token"`
 	ProxyURL     string `json:"proxy_url"`
 }
 
-// AddAccount 添加新账号（支持批量：refresh_token 按行分割）
+func splitAccountCredentialLines(raw string, sanitize bool) []string {
+	lines := strings.Split(raw, "\n")
+	tokens := make([]string, 0, len(lines))
+	for _, line := range lines {
+		token := strings.TrimSpace(line)
+		if sanitize {
+			token = strings.TrimSpace(security.SanitizeInput(token))
+		}
+		if token != "" {
+			tokens = append(tokens, token)
+		}
+	}
+	return tokens
+}
+
+// AddAccount 添加新账号（支持批量：refresh_token/session_token 按行分割）
 func (h *Handler) AddAccount(c *gin.Context) {
 	var req addAccountReq
 	if err := c.ShouldBindJSON(&req); err != nil {
@@ -1117,8 +1133,8 @@ func (h *Handler) AddAccount(c *gin.Context) {
 	req.Name = security.SanitizeInput(req.Name)
 	req.ProxyURL = security.SanitizeInput(req.ProxyURL)
 
-	if req.RefreshToken == "" {
-		writeError(c, http.StatusBadRequest, "refresh_token 是必填字段")
+	if strings.TrimSpace(req.RefreshToken) == "" && strings.TrimSpace(req.SessionToken) == "" {
+		writeError(c, http.StatusBadRequest, "refresh_token 或 session_token 是必填字段")
 		return
 	}
 
@@ -1140,23 +1156,40 @@ func (h *Handler) AddAccount(c *gin.Context) {
 		return
 	}
 
-	// 按行分割，支持批量添加
-	lines := strings.Split(req.RefreshToken, "\n")
-	var tokens []string
-	for _, line := range lines {
-		t := strings.TrimSpace(security.SanitizeInput(line))
-		if t != "" {
-			tokens = append(tokens, t)
+	// 按行分割，支持批量添加。refresh_token 与 session_token 同时填写时，
+	// session_token 可填写一行应用到所有 RT，也可与 RT 行数一一对应。
+	refreshTokens := splitAccountCredentialLines(req.RefreshToken, true)
+	sessionTokens := splitAccountCredentialLines(req.SessionToken, true)
+	total := len(refreshTokens)
+	if total == 0 {
+		total = len(sessionTokens)
+	}
+	if len(refreshTokens) > 0 && len(sessionTokens) > 1 && len(sessionTokens) != len(refreshTokens) {
+		writeError(c, http.StatusBadRequest, "session_token 行数需为 1 或与 refresh_token 行数一致")
+		return
+	}
+
+	var seeds []tokenCredentialSeed
+	for i := 0; i < total; i++ {
+		seed := tokenCredentialSeed{}
+		if len(refreshTokens) > 0 {
+			seed.refreshToken = refreshTokens[i]
+		}
+		if len(sessionTokens) == 1 {
+			seed.sessionToken = sessionTokens[0]
+		} else if len(sessionTokens) > 1 {
+			seed.sessionToken = sessionTokens[i]
 		}
+		seeds = append(seeds, seed)
 	}
 
-	if len(tokens) == 0 {
-		writeError(c, http.StatusBadRequest, "未找到有效的 Refresh Token")
+	if len(seeds) == 0 {
+		writeError(c, http.StatusBadRequest, "未找到有效的 Refresh Token 或 Session Token")
 		return
 	}
 
 	// 限制批量添加数量
-	if len(tokens) > 100 {
+	if len(seeds) > 100 {
 		writeError(c, http.StatusBadRequest, "单次最多添加100个账号")
 		return
 	}
@@ -1167,15 +1200,15 @@ func (h *Handler) AddAccount(c *gin.Context) {
 	successCount := 0
 	failCount := 0
 
-	for i, rt := range tokens {
+	for i, seed := range seeds {
 		name := req.Name
 		if name == "" {
 			name = fmt.Sprintf("account-%d", i+1)
-		} else if len(tokens) > 1 {
+		} else if len(seeds) > 1 {
 			name = fmt.Sprintf("%s-%d", req.Name, i+1)
 		}
 
-		id, err := h.db.InsertAccount(ctx, name, rt, req.ProxyURL)
+		id, err := h.db.InsertAccountWithCredentials(ctx, name, tokenCredentialMap(seed), req.ProxyURL)
 		if err != nil {
 			log.Printf("批量添加账号 %d 失败: %v", i+1, err)
 			failCount++
@@ -1186,11 +1219,7 @@ func (h *Handler) AddAccount(c *gin.Context) {
 		h.db.InsertAccountEventAsync(id, "added", "manual")
 
 		// 热加载：直接加入内存池
-		newAcc := &auth.Account{
-			DBID:         id,
-			RefreshToken: rt,
-			ProxyURL:     req.ProxyURL,
-		}
+		newAcc := accountFromCredentialSeed(id, req.ProxyURL, seed)
 		h.store.AddAccount(newAcc)
 
 		if !h.store.GetLazyMode() {

auth/token.go

@@ -205,7 +205,11 @@ func RefreshWithSessionToken(ctx context.Context, sessionToken string, proxyURL
 		return nil, nil, fmt.Errorf("创建 session 请求失败: %w", err)
 	}
 	req.Header.Set("Accept", "application/json")
-	req.Header.Set("User-Agent", "CodexProxy/1.9")
+	req.Header.Set("User-Agent", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36")
+	req.Header.Set("Accept-Language", "en-US,en;q=0.9")
+	req.Header.Set("Sec-Fetch-Dest", "empty")
+	req.Header.Set("Sec-Fetch-Mode", "cors")
+	req.Header.Set("Sec-Fetch-Site", "same-origin")
 	req.AddCookie(&http.Cookie{Name: "__Secure-next-auth.session-token", Value: sessionToken})
 	if ResinRequestDecorator != nil && accountID != "" {
 		req.Header.Set("X-Resin-Account", accountID)
@@ -215,7 +219,7 @@ func RefreshWithSessionToken(ctx context.Context, sessionToken string, proxyURL
 	if ResinRequestDecorator != nil && accountID != "" {
 		client = &http.Client{Timeout: 30 * time.Second}
 	} else {
-		client = buildHTTPClient(proxyURL)
+		client = buildUTLSHTTPClient(proxyURL)
 	}
 	resp, err := client.Do(req)
 	if err != nil {