fix: integrate API key authentication into existing services and routes

LinkinStars · dashuai · commit 90022ce039b2 · 2026-01-29T16:50:25.000+08:00
diff --git a/cmd/wire_gen.go b/cmd/wire_gen.go
diff --git a/internal/base/middleware/api_key_auth.go b/internal/base/middleware/api_key_auth.go
@@ -0,0 +1,51 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package middleware
+
+import (
+	"github.com/apache/answer/internal/base/handler"
+	"github.com/apache/answer/internal/base/reason"
+	"github.com/gin-gonic/gin"
+	"github.com/segmentfault/pacman/errors"
+)
+
+// AuthAPIKey middleware to authenticate API key
+func (am *AuthUserMiddleware) AuthAPIKey() gin.HandlerFunc {
+	return func(ctx *gin.Context) {
+		token := ExtractToken(ctx)
+		if len(token) == 0 {
+			handler.HandleResponse(ctx, errors.Unauthorized(reason.UnauthorizedError), nil)
+			ctx.Abort()
+			return
+		}
+		pass, err := am.authService.AuthAPIKey(ctx, ctx.Request.Method == "GET", token)
+		if err != nil {
+			handler.HandleResponse(ctx, errors.Unauthorized(reason.UnauthorizedError), nil)
+			ctx.Abort()
+			return
+		}
+		if !pass {
+			handler.HandleResponse(ctx, errors.Unauthorized(reason.UnauthorizedError), nil)
+			ctx.Abort()
+			return
+		}
+		ctx.Next()
+	}
+}
diff --git a/internal/base/server/http.go b/internal/base/server/http.go
@@ -113,5 +113,10 @@ func NewHTTPServer(debug bool,
 		agent.RegisterAuthAdminRouter(adminauthV1)
 		return nil
 	})
+
+	// mcp
+	mcpAPIGroup := r.Group(uiConf.APIBaseURL + "/answer/api/v1")
+	mcpAPIGroup.Use(authUserMiddleware.AuthMcpEnable(), authUserMiddleware.AuthAPIKey())
+	answerRouter.RegisterMCPRouter(mcpAPIGroup)
 	return r
 }
diff --git a/internal/cli/reset_password.go b/internal/cli/reset_password.go
@@ -32,6 +32,7 @@ import (
 	"github.com/apache/answer/internal/base/conf"
 	"github.com/apache/answer/internal/base/data"
 	"github.com/apache/answer/internal/base/path"
+	"github.com/apache/answer/internal/repo/api_key"
 	"github.com/apache/answer/internal/repo/auth"
 	"github.com/apache/answer/internal/repo/user"
 	authService "github.com/apache/answer/internal/service/auth"
@@ -95,7 +96,8 @@ func ResetPassword(ctx context.Context, dataDirPath string, opts *ResetPasswordO
 
 	userRepo := user.NewUserRepo(dataData)
 	authRepo := auth.NewAuthRepo(dataData)
-	authSvc := authService.NewAuthService(authRepo)
+	apiKeyRepo := api_key.NewAPIKeyRepo(dataData)
+	authSvc := authService.NewAuthService(authRepo, apiKeyRepo)
 
 	email := strings.TrimSpace(opts.Email)
 	if email == "" {
diff --git a/internal/migrations/init.go b/internal/migrations/init.go
@@ -87,6 +87,8 @@ func (m *Mentor) InitDB() error {
 	m.do("init site info security", m.initSiteInfoSecurityConfig)
 	m.do("init default content", m.initDefaultContent)
 	m.do("init default badges", m.initDefaultBadges)
+	m.do("init default ai config", m.initSiteInfoAI)
+	m.do("init default MCP config", m.initSiteInfoMCP)
 	return m.err
 }
 
@@ -606,3 +608,29 @@ func (m *Mentor) initDefaultBadges() {
 		}
 	}
 }
+
+func (m *Mentor) initSiteInfoAI() {
+	content := &schema.SiteAIReq{
+		PromptConfig: &schema.AIPromptConfig{
+			ZhCN: constant.DefaultAIPromptConfigZhCN,
+			EnUS: constant.DefaultAIPromptConfigEnUS,
+		},
+	}
+	writeDataBytes, _ := json.Marshal(content)
+	_, m.err = m.engine.Context(m.ctx).Insert(&entity.SiteInfo{
+		Type:    constant.SiteTypeAI,
+		Content: string(writeDataBytes),
+		Status:  1,
+	})
+}
+func (m *Mentor) initSiteInfoMCP() {
+	content := &schema.SiteMCPReq{
+		Enabled: true,
+	}
+	writeDataBytes, _ := json.Marshal(content)
+	_, m.err = m.engine.Context(m.ctx).Insert(&entity.SiteInfo{
+		Type:    constant.SiteTypeMCP,
+		Content: string(writeDataBytes),
+		Status:  1,
+	})
+}
diff --git a/internal/migrations/init_data.go b/internal/migrations/init_data.go
@@ -76,6 +76,9 @@ var (
 		&entity.BadgeAward{},
 		&entity.FileRecord{},
 		&entity.PluginKVStorage{},
+		&entity.APIKey{},
+		&entity.AIConversation{},
+		&entity.AIConversationRecord{},
 	}
 
 	roles = []*entity.Role{
diff --git a/internal/router/answer_api_router.go b/internal/router/answer_api_router.go
@@ -61,6 +61,7 @@ type AnswerAPIRouter struct {
 	aiController                  *controller.AIController
 	aiConversationController      *controller.AIConversationController
 	aiConversationAdminController *controller_admin.AIConversationAdminController
+	mcpController                 *controller.MCPController
 }
 
 func NewAnswerAPIRouter(
@@ -98,6 +99,7 @@ func NewAnswerAPIRouter(
 	aiController *controller.AIController,
 	aiConversationController *controller.AIConversationController,
 	aiConversationAdminController *controller_admin.AIConversationAdminController,
+	mcpController *controller.MCPController,
 ) *AnswerAPIRouter {
 	return &AnswerAPIRouter{
 		langController:                langController,
@@ -134,6 +136,7 @@ func NewAnswerAPIRouter(
 		aiController:                  aiController,
 		aiConversationController:      aiConversationController,
 		aiConversationAdminController: aiConversationAdminController,
+		mcpController:                 mcpController,
 	}
 }
 
diff --git a/internal/router/mcp_router.go b/internal/router/mcp_router.go
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package router
+
+import (
+	"github.com/apache/answer/internal/schema/mcp_tools"
+	"github.com/gin-gonic/gin"
+	"github.com/mark3labs/mcp-go/server"
+)
+
+func (a *AnswerAPIRouter) RegisterMCPRouter(r *gin.RouterGroup) {
+	s := server.NewMCPServer("Answer Enterprise MCP Server", "1.0.0")
+
+	s.AddTool(mcp_tools.NewQuestionsTool(), a.mcpController.MCPQuestionsHandler())
+	s.AddTool(mcp_tools.NewAnswersTool(), a.mcpController.MCPAnswersHandler())
+	s.AddTool(mcp_tools.NewCommentsTool(), a.mcpController.MCPCommentsHandler())
+	s.AddTool(mcp_tools.NewTagsTool(), a.mcpController.MCPTagsHandler())
+	s.AddTool(mcp_tools.NewTagDetailTool(), a.mcpController.MCPTagDetailsHandler())
+	s.AddTool(mcp_tools.NewUserTool(), a.mcpController.MCPUserDetailsHandler())
+
+	sseServer := server.NewSSEServer(s,
+		server.WithSSEEndpoint("/answer/api/v1/mcp/see"),
+		server.WithMessageEndpoint("/answer/api/v1/mcp/message"),
+	)
+	r.GET("/mcp/sse", gin.WrapH(sseServer.SSEHandler()))
+	r.POST("/mcp/message", gin.WrapH(sseServer.MessageHandler()))
+}
diff --git a/internal/service/auth/auth.go b/internal/service/auth/auth.go
@@ -23,8 +23,10 @@ import (
 	"context"
 
 	"github.com/apache/answer/internal/entity"
+	"github.com/apache/answer/internal/service/apikey"
 	"github.com/apache/answer/pkg/token"
 	"github.com/apache/answer/plugin"
+	"github.com/segmentfault/pacman/log"
 )
 
 // AuthRepo auth repository
@@ -46,13 +48,15 @@ type AuthRepo interface {
 
 // AuthService kit service
 type AuthService struct {
-	authRepo AuthRepo
+	authRepo   AuthRepo
+	apiKeyRepo apikey.APIKeyRepo
 }
 
 // NewAuthService email service
-func NewAuthService(authRepo AuthRepo) *AuthService {
+func NewAuthService(authRepo AuthRepo, apiKeyRepo apikey.APIKeyRepo) *AuthService {
 	return &AuthService{
-		authRepo: authRepo,
+		authRepo:   authRepo,
+		apiKeyRepo: apiKeyRepo,
 	}
 }
 
@@ -152,3 +156,19 @@ func (as *AuthService) SetAdminUserCacheInfo(ctx context.Context, accessToken st
 func (as *AuthService) RemoveAdminUserCacheInfo(ctx context.Context, accessToken string) (err error) {
 	return as.authRepo.RemoveAdminUserCacheInfo(ctx, accessToken)
 }
+func (as *AuthService) AuthAPIKey(ctx context.Context, read bool, apiKey string) (pass bool, err error) {
+	apiKeyInfo, exist, err := as.apiKeyRepo.GetAPIKey(ctx, apiKey)
+	if err != nil {
+		return false, err
+	}
+	if !exist {
+		return false, nil
+	}
+	// If the request is not read-only, check if the API key has write permissions
+	if !read && apiKeyInfo.Scope == "read-only" {
+		log.Warnf("API key %s does not have write permissions", apiKeyInfo.AccessKey)
+		return false, nil
+	}
+	log.Infof("API key %s is valid, scope: %s", apiKeyInfo.AccessKey, apiKeyInfo.Scope)
+	return true, nil
+}

Original file line number	Diff line number	Diff line change
`@@ -76,6 +76,9 @@ var (`
`76`	`76`	`&entity.BadgeAward{},`
`77`	`77`	`&entity.FileRecord{},`
`78`	`78`	`&entity.PluginKVStorage{},`
	`79`	`+ &entity.APIKey{},`
	`80`	`+ &entity.AIConversation{},`
	`81`	`+ &entity.AIConversationRecord{},`
`79`	`82`	`}`
`80`	`83`
`81`	`84`	`roles = []*entity.Role{`