feat: Kiro API Proxy - OpenAI/Anthropic compatible API service

- Multi-account pool with round-robin load balancing - Auto token refresh for IAM IdC and Social auth - Streaming support (SSE) - Web admin panel with account management - Docker support with GitHub Actions CI/CD - Machine ID management per account - Usage tracking (requests, tokens, credits)
2026-02-04 00:37:05 +08:00
commit c5e6d42163
18 changed files with 5218 additions and 0 deletions
--- a/auth/oidc.go
+++ b/auth/oidc.go
@@ -0,0 +1,102 @@
+package auth
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"kiro-api-proxy/config"
+	"net/http"
+	"time"
+)
+
+// RefreshToken 刷新 access token
+func RefreshToken(account *config.Account) (string, string, int64, error) {
+	if account.AuthMethod == "social" {
+		return refreshSocialToken(account.RefreshToken)
+	}
+	return refreshOIDCToken(account.RefreshToken, account.ClientID, account.ClientSecret, account.Region)
+}
+
+// refreshOIDCToken IdC/Builder ID token 刷新
+func refreshOIDCToken(refreshToken, clientID, clientSecret, region string) (string, string, int64, error) {
+	if region == "" {
+		region = "us-east-1"
+	}
+
+	url := fmt.Sprintf("https://oidc.%s.amazonaws.com/token", region)
+
+	payload := map[string]string{
+		"clientId":     clientID,
+		"clientSecret": clientSecret,
+		"refreshToken": refreshToken,
+		"grantType":    "refresh_token",
+	}
+
+	body, _ := json.Marshal(payload)
+	req, _ := http.NewRequest("POST", url, bytes.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+
+	client := &http.Client{Timeout: 30 * time.Second}
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", "", 0, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != 200 {
+		respBody, _ := io.ReadAll(resp.Body)
+		return "", "", 0, fmt.Errorf("refresh failed: %d %s", resp.StatusCode, string(respBody))
+	}
+
+	var result struct {
+		AccessToken  string `json:"accessToken"`
+		RefreshToken string `json:"refreshToken"`
+		ExpiresIn    int    `json:"expiresIn"`
+	}
+
+	if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
+		return "", "", 0, err
+	}
+
+	expiresAt := time.Now().Unix() + int64(result.ExpiresIn)
+	return result.AccessToken, result.RefreshToken, expiresAt, nil
+}
+
+// refreshSocialToken Social (GitHub/Google) token 刷新
+func refreshSocialToken(refreshToken string) (string, string, int64, error) {
+	url := "https://prod.us-east-1.auth.desktop.kiro.dev/refreshToken"
+
+	payload := map[string]string{
+		"refreshToken": refreshToken,
+	}
+
+	body, _ := json.Marshal(payload)
+	req, _ := http.NewRequest("POST", url, bytes.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+
+	client := &http.Client{Timeout: 30 * time.Second}
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", "", 0, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != 200 {
+		respBody, _ := io.ReadAll(resp.Body)
+		return "", "", 0, fmt.Errorf("refresh failed: %d %s", resp.StatusCode, string(respBody))
+	}
+
+	var result struct {
+		AccessToken  string `json:"accessToken"`
+		RefreshToken string `json:"refreshToken"`
+		ExpiresIn    int    `json:"expiresIn"`
+	}
+
+	if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
+		return "", "", 0, err
+	}
+
+	expiresAt := time.Now().Unix() + int64(result.ExpiresIn)
+	return result.AccessToken, result.RefreshToken, expiresAt, nil
+}