fix(openai): 修复 codex_cli_only 误拦截并补充 codex 家族识别

- 为 codex_cli_only 增加 originator 判定通道，避免仅依赖 User-Agent 误拦截 - 扩展官方客户端家族标识，补充 codex_chatgpt_desktop 等常见前缀 - 新增并更新单元测试与网关透传回归测试，覆盖 UA 与 originator 组合场景 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-21 12:06:24 +08:00
parent 03f69dd394
commit f323174d07
5 changed files with 116 additions and 29 deletions
--- a/backend/internal/service/openai_client_restriction_detector.go
+++ b/backend/internal/service/openai_client_restriction_detector.go
@@ -11,6 +11,8 @@ const (
 	CodexClientRestrictionReasonDisabled = "codex_cli_only_disabled"
 	// CodexClientRestrictionReasonMatchedUA 表示请求命中官方客户端 UA 白名单。
 	CodexClientRestrictionReasonMatchedUA = "official_client_user_agent_matched"
+	// CodexClientRestrictionReasonMatchedOriginator 表示请求命中官方客户端 originator 白名单。
+	CodexClientRestrictionReasonMatchedOriginator = "official_client_originator_matched"
 	// CodexClientRestrictionReasonNotMatchedUA 表示请求未命中官方客户端 UA 白名单。
 	CodexClientRestrictionReasonNotMatchedUA = "official_client_user_agent_not_matched"
 	// CodexClientRestrictionReasonForceCodexCLI 表示通过 ForceCodexCLI 配置兜底放行。
@@ -56,8 +58,10 @@ func (d *OpenAICodexClientRestrictionDetector) Detect(c *gin.Context, account *A
 	}

 	userAgent := ""
+	originator := ""
 	if c != nil {
 		userAgent = c.GetHeader("User-Agent")
+		originator = c.GetHeader("originator")
 	}
 	if openai.IsCodexOfficialClientRequest(userAgent) {
 		return CodexClientRestrictionDetectionResult{
@@ -66,6 +70,13 @@ func (d *OpenAICodexClientRestrictionDetector) Detect(c *gin.Context, account *A
 			Reason:  CodexClientRestrictionReasonMatchedUA,
 		}
 	}
+	if openai.IsCodexOfficialClientOriginator(originator) {
+		return CodexClientRestrictionDetectionResult{
+			Enabled: true,
+			Matched: true,
+			Reason:  CodexClientRestrictionReasonMatchedOriginator,
+		}
+	}

 	return CodexClientRestrictionDetectionResult{
 		Enabled: true,
--- a/backend/internal/service/openai_client_restriction_detector_test.go
+++ b/backend/internal/service/openai_client_restriction_detector_test.go
@@ -10,13 +10,16 @@ import (
 	"github.com/stretchr/testify/require"
 )

-func newCodexDetectorTestContext(ua string) *gin.Context {
+func newCodexDetectorTestContext(ua string, originator string) *gin.Context {
 	rec := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(rec)
 	c.Request = httptest.NewRequest(http.MethodPost, "/v1/responses", nil)
 	if ua != "" {
 		c.Request.Header.Set("User-Agent", ua)
 	}
+	if originator != "" {
+		c.Request.Header.Set("originator", originator)
+	}
 	return c
 }

@@ -27,7 +30,7 @@ func TestOpenAICodexClientRestrictionDetector_Detect(t *testing.T) {
 		detector := NewOpenAICodexClientRestrictionDetector(nil)
 		account := &Account{Platform: PlatformOpenAI, Type: AccountTypeOAuth, Extra: map[string]any{}}

-		result := detector.Detect(newCodexDetectorTestContext("curl/8.0"), account)
+		result := detector.Detect(newCodexDetectorTestContext("curl/8.0", ""), account)
 		require.False(t, result.Enabled)
 		require.False(t, result.Matched)
 		require.Equal(t, CodexClientRestrictionReasonDisabled, result.Reason)
@@ -41,7 +44,7 @@ func TestOpenAICodexClientRestrictionDetector_Detect(t *testing.T) {
 			Extra:    map[string]any{"codex_cli_only": true},
 		}

-		result := detector.Detect(newCodexDetectorTestContext("codex_cli_rs/0.99.0"), account)
+		result := detector.Detect(newCodexDetectorTestContext("codex_cli_rs/0.99.0", ""), account)
 		require.True(t, result.Enabled)
 		require.True(t, result.Matched)
 		require.Equal(t, CodexClientRestrictionReasonMatchedUA, result.Reason)
@@ -55,7 +58,7 @@ func TestOpenAICodexClientRestrictionDetector_Detect(t *testing.T) {
 			Extra:    map[string]any{"codex_cli_only": true},
 		}

-		result := detector.Detect(newCodexDetectorTestContext("codex_vscode/1.0.0"), account)
+		result := detector.Detect(newCodexDetectorTestContext("codex_vscode/1.0.0", ""), account)
 		require.True(t, result.Enabled)
 		require.True(t, result.Matched)
 		require.Equal(t, CodexClientRestrictionReasonMatchedUA, result.Reason)
@@ -69,12 +72,26 @@ func TestOpenAICodexClientRestrictionDetector_Detect(t *testing.T) {
 			Extra:    map[string]any{"codex_cli_only": true},
 		}

-		result := detector.Detect(newCodexDetectorTestContext("codex_app/2.1.0"), account)
+		result := detector.Detect(newCodexDetectorTestContext("codex_app/2.1.0", ""), account)
 		require.True(t, result.Enabled)
 		require.True(t, result.Matched)
 		require.Equal(t, CodexClientRestrictionReasonMatchedUA, result.Reason)
 	})

+	t.Run("开启后 originator 命中", func(t *testing.T) {
+		detector := NewOpenAICodexClientRestrictionDetector(nil)
+		account := &Account{
+			Platform: PlatformOpenAI,
+			Type:     AccountTypeOAuth,
+			Extra:    map[string]any{"codex_cli_only": true},
+		}
+
+		result := detector.Detect(newCodexDetectorTestContext("curl/8.0", "codex_chatgpt_desktop"), account)
+		require.True(t, result.Enabled)
+		require.True(t, result.Matched)
+		require.Equal(t, CodexClientRestrictionReasonMatchedOriginator, result.Reason)
+	})
+
 	t.Run("开启后非官方客户端拒绝", func(t *testing.T) {
 		detector := NewOpenAICodexClientRestrictionDetector(nil)
 		account := &Account{
@@ -83,7 +100,7 @@ func TestOpenAICodexClientRestrictionDetector_Detect(t *testing.T) {
 			Extra:    map[string]any{"codex_cli_only": true},
 		}

-		result := detector.Detect(newCodexDetectorTestContext("curl/8.0"), account)
+		result := detector.Detect(newCodexDetectorTestContext("curl/8.0", "my_client"), account)
 		require.True(t, result.Enabled)
 		require.False(t, result.Matched)
 		require.Equal(t, CodexClientRestrictionReasonNotMatchedUA, result.Reason)
@@ -99,7 +116,7 @@ func TestOpenAICodexClientRestrictionDetector_Detect(t *testing.T) {
 			Extra:    map[string]any{"codex_cli_only": true},
 		}

-		result := detector.Detect(newCodexDetectorTestContext("curl/8.0"), account)
+		result := detector.Detect(newCodexDetectorTestContext("curl/8.0", "my_client"), account)
 		require.True(t, result.Enabled)
 		require.True(t, result.Matched)
 		require.Equal(t, CodexClientRestrictionReasonForceCodexCLI, result.Reason)
--- a/backend/internal/service/openai_oauth_passthrough_test.go
+++ b/backend/internal/service/openai_oauth_passthrough_test.go
@@ -555,12 +555,14 @@ func TestOpenAIGatewayService_CodexCLIOnly_AllowOfficialClientFamilies(t *testin
 	gin.SetMode(gin.TestMode)

 	tests := []struct {
-		name string
-		ua   string
+		name       string
+		ua         string
+		originator string
 	}{
-		{name: "codex_cli_rs", ua: "codex_cli_rs/0.99.0"},
-		{name: "codex_vscode", ua: "codex_vscode/1.0.0"},
-		{name: "codex_app", ua: "codex_app/2.1.0"},
+		{name: "codex_cli_rs", ua: "codex_cli_rs/0.99.0", originator: ""},
+		{name: "codex_vscode", ua: "codex_vscode/1.0.0", originator: ""},
+		{name: "codex_app", ua: "codex_app/2.1.0", originator: ""},
+		{name: "originator_codex_chatgpt_desktop", ua: "curl/8.0", originator: "codex_chatgpt_desktop"},
 	}

 	for _, tt := range tests {
@@ -569,6 +571,9 @@ func TestOpenAIGatewayService_CodexCLIOnly_AllowOfficialClientFamilies(t *testin
 			c, _ := gin.CreateTestContext(rec)
 			c.Request = httptest.NewRequest(http.MethodPost, "/v1/responses", bytes.NewReader(nil))
 			c.Request.Header.Set("User-Agent", tt.ua)
+			if tt.originator != "" {
+				c.Request.Header.Set("originator", tt.originator)
+			}

 			inputBody := []byte(`{"model":"gpt-5.2","stream":false,"store":true,"input":[{"type":"text","text":"hi"}]}`)