Merge pull request #145 from router-for-me/path

feat: prefer util.WritablePath() for logs and local storage

cmd/server/main.go

@@ -147,6 +147,7 @@ func main() {
 		}
 		return "", false
 	}
+	writableBase := util.WritablePath()
 	if value, ok := lookupEnv("PGSTORE_DSN", "pgstore_dsn"); ok {
 		usePostgresStore = true
 		pgStoreDSN = value
@@ -158,6 +159,13 @@ func main() {
 		if value, ok := lookupEnv("PGSTORE_LOCAL_PATH", "pgstore_local_path"); ok {
 			pgStoreLocalPath = value
 		}
+		if pgStoreLocalPath == "" {
+			if writableBase != "" {
+				pgStoreLocalPath = writableBase
+			} else {
+				pgStoreLocalPath = wd
+			}
+		}
 		useGitStore = false
 	}
 	if value, ok := lookupEnv("GITSTORE_GIT_URL", "gitstore_git_url"); ok {
@@ -229,11 +237,14 @@ func main() {
 			log.Infof("postgres-backed token store enabled, workspace path: %s", pgStoreInst.WorkDir())
 		}
 	} else if useObjectStore {
-		objectStoreRoot := objectStoreLocalPath
-		if objectStoreRoot == "" {
-			objectStoreRoot = wd
+		if objectStoreLocalPath == "" {
+			if writableBase != "" {
+				objectStoreLocalPath = writableBase
+			} else {
+				objectStoreLocalPath = wd
+			}
 		}
-		objectStoreRoot = filepath.Join(objectStoreRoot, "objectstore")
+		objectStoreRoot := filepath.Join(objectStoreLocalPath, "objectstore")
 		resolvedEndpoint := strings.TrimSpace(objectStoreEndpoint)
 		useSSL := true
 		if strings.Contains(resolvedEndpoint, "://") {
@@ -289,7 +300,11 @@ func main() {
 		}
 	} else if useGitStore {
 		if gitStoreLocalPath == "" {
-			gitStoreLocalPath = wd
+			if writableBase != "" {
+				gitStoreLocalPath = writableBase
+			} else {
+				gitStoreLocalPath = wd
+			}
 		}
 		gitStoreRoot = filepath.Join(gitStoreLocalPath, "gitstore")
 		authDir := filepath.Join(gitStoreRoot, "auths")

internal/api/handlers/management/logs.go

@@ -13,6 +13,7 @@ import (
 	"time"
 
 	"github.com/gin-gonic/gin"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
 )
 
 const (
@@ -145,6 +146,9 @@ func (h *Handler) logDirectory() string {
 	if h.logDir != "" {
 		return h.logDir
 	}
+	if base := util.WritablePath(); base != "" {
+		return filepath.Join(base, "logs")
+	}
 	if h.configFilePath != "" {
 		dir := filepath.Dir(h.configFilePath)
 		if dir != "" && dir != "." {

internal/api/server.go

@@ -52,7 +52,11 @@ type serverOptionConfig struct {
 type ServerOption func(*serverOptionConfig)
 
 func defaultRequestLoggerFactory(cfg *config.Config, configPath string) logging.RequestLogger {
-	return logging.NewFileRequestLogger(cfg.RequestLog, "logs", filepath.Dir(configPath))
+	configDir := filepath.Dir(configPath)
+	if base := util.WritablePath(); base != "" {
+		return logging.NewFileRequestLogger(cfg.RequestLog, filepath.Join(base, "logs"), configDir)
+	}
+	return logging.NewFileRequestLogger(cfg.RequestLog, "logs", configDir)
 }
 
 // WithMiddleware appends additional Gin middleware during server construction.
@@ -233,7 +237,11 @@ func NewServer(cfg *config.Config, authManager *auth.Manager, accessManager *sdk
 	if optionState.localPassword != "" {
 		s.mgmt.SetLocalPassword(optionState.localPassword)
 	}
-	s.mgmt.SetLogDirectory(filepath.Join(s.currentPath, "logs"))
+	logDir := filepath.Join(s.currentPath, "logs")
+	if base := util.WritablePath(); base != "" {
+		logDir = filepath.Join(base, "logs")
+	}
+	s.mgmt.SetLogDirectory(logDir)
 	s.localPassword = optionState.localPassword
 
 	// Setup routes

internal/logging/global_logger.go

@@ -10,6 +10,7 @@ import (
 	"sync"
 
 	"github.com/gin-gonic/gin"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
 	log "github.com/sirupsen/logrus"
 	"gopkg.in/natefinch/lumberjack.v2"
 )
@@ -72,7 +73,10 @@ func ConfigureLogOutput(loggingToFile bool) error {
 	defer writerMu.Unlock()
 
 	if loggingToFile {
-		const logDir = "logs"
+		logDir := "logs"
+		if base := util.WritablePath(); base != "" {
+			logDir = filepath.Join(base, "logs")
+		}
 		if err := os.MkdirAll(logDir, 0o755); err != nil {
 			return fmt.Errorf("logging: failed to create log directory: %w", err)
 		}

internal/logging/request_logger.go

@@ -16,6 +16,7 @@ import (
 	"time"
 
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/interfaces"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
 )
 
 // RequestLogger defines the interface for logging HTTP requests and responses.
@@ -485,7 +486,8 @@ func (l *FileRequestLogger) formatRequestInfo(url, method string, headers map[st
 	content.WriteString("=== HEADERS ===\n")
 	for key, values := range headers {
 		for _, value := range values {
-			content.WriteString(fmt.Sprintf("%s: %s\n", key, value))
+			masked := util.MaskSensitiveHeaderValue(key, value)
+			content.WriteString(fmt.Sprintf("%s: %s\n", key, masked))
 		}
 	}
 	content.WriteString("\n")

internal/managementasset/updater.go

@@ -64,6 +64,10 @@ func StaticDir(configFilePath string) string {
 		return cleaned
 	}
 
+	if writable := util.WritablePath(); writable != "" {
+		return filepath.Join(writable, "static")
+	}
+
 	configFilePath = strings.TrimSpace(configFilePath)
 	if configFilePath == "" {
 		return ""

internal/runtime/executor/iflow_executor.go

@@ -12,6 +12,7 @@ import (
 
 	iflowauth "github.com/router-for-me/CLIProxyAPI/v6/internal/auth/iflow"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
 	cliproxyauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 	cliproxyexecutor "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/executor"
 	sdktranslator "github.com/router-for-me/CLIProxyAPI/v6/sdk/translator"
@@ -214,18 +215,28 @@ func (e *IFlowExecutor) Refresh(ctx context.Context, auth *cliproxyauth.Auth) (*
 	}
 
 	refreshToken := ""
+	oldAccessToken := ""
 	if auth.Metadata != nil {
 		if v, ok := auth.Metadata["refresh_token"].(string); ok {
 			refreshToken = strings.TrimSpace(v)
 		}
+		if v, ok := auth.Metadata["access_token"].(string); ok {
+			oldAccessToken = strings.TrimSpace(v)
+		}
 	}
 	if refreshToken == "" {
 		return auth, nil
 	}
 
+	// Log the old access token (masked) before refresh
+	if oldAccessToken != "" {
+		log.Debugf("iflow executor: refreshing access token, old: %s", util.HideAPIKey(oldAccessToken))
+	}
+
 	svc := iflowauth.NewIFlowAuth(e.cfg)
 	tokenData, err := svc.RefreshTokens(ctx, refreshToken)
 	if err != nil {
+		log.Errorf("iflow executor: token refresh failed: %v", err)
 		return nil, err
 	}
 
@@ -243,6 +254,9 @@ func (e *IFlowExecutor) Refresh(ctx context.Context, auth *cliproxyauth.Auth) (*
 	auth.Metadata["type"] = "iflow"
 	auth.Metadata["last_refresh"] = time.Now().Format(time.RFC3339)
 
+	// Log the new access token (masked) after successful refresh
+	log.Debugf("iflow executor: token refresh successful, new: %s", util.HideAPIKey(tokenData.AccessToken))
+
 	if auth.Attributes == nil {
 		auth.Attributes = make(map[string]string)
 	}

internal/runtime/executor/logging_helpers.go

@@ -275,7 +275,8 @@ func writeHeaders(builder *strings.Builder, headers http.Header) {
 			continue
 		}
 		for _, value := range values {
-			builder.WriteString(fmt.Sprintf("%s: %s\n", key, sanitizeHeaderValue(key, value)))
+			masked := util.MaskSensitiveHeaderValue(key, value)
+			builder.WriteString(fmt.Sprintf("%s: %s\n", key, masked))
 		}
 	}
 }
@@ -319,18 +320,3 @@ func formatAuthInfo(info upstreamRequestLog) string {
 
 	return strings.Join(parts, ", ")
 }
-
-func sanitizeHeaderValue(key, value string) string {
-	trimmedValue := strings.TrimSpace(value)
-	lowerKey := strings.ToLower(strings.TrimSpace(key))
-	switch {
-	case strings.Contains(lowerKey, "authorization"),
-		strings.Contains(lowerKey, "api-key"),
-		strings.Contains(lowerKey, "apikey"),
-		strings.Contains(lowerKey, "token"),
-		strings.Contains(lowerKey, "secret"):
-		return util.HideAPIKey(trimmedValue)
-	default:
-		return trimmedValue
-	}
-}

internal/util/provider.go

@@ -4,6 +4,8 @@
 package util
 
 import (
+	"strings"
+
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/registry"
 )
@@ -141,3 +143,48 @@ func HideAPIKey(apiKey string) string {
 	}
 	return apiKey
 }
+
+// maskAuthorizationHeader masks the Authorization header value while preserving the auth type prefix.
+// Common formats: "Bearer <token>", "Basic <credentials>", "ApiKey <key>", etc.
+// It preserves the prefix (e.g., "Bearer ") and only masks the token/credential part.
+//
+// Parameters:
+//   - value: The Authorization header value
+//
+// Returns:
+//   - string: The masked Authorization value with prefix preserved
+func MaskAuthorizationHeader(value string) string {
+	parts := strings.SplitN(strings.TrimSpace(value), " ", 2)
+	if len(parts) < 2 {
+		return HideAPIKey(value)
+	}
+	return parts[0] + " " + HideAPIKey(parts[1])
+}
+
+// MaskSensitiveHeaderValue masks sensitive header values while preserving expected formats.
+//
+// Behavior by header key (case-insensitive):
+//   - "Authorization": Preserve the auth type prefix (e.g., "Bearer ") and mask only the credential part.
+//   - Headers containing "api-key": Mask the entire value using HideAPIKey.
+//   - Others: Return the original value unchanged.
+//
+// Parameters:
+//   - key:   The HTTP header name to inspect (case-insensitive matching).
+//   - value: The header value to mask when sensitive.
+//
+// Returns:
+//   - string: The masked value according to the header type; unchanged if not sensitive.
+func MaskSensitiveHeaderValue(key, value string) string {
+	lowerKey := strings.ToLower(strings.TrimSpace(key))
+	switch {
+	case lowerKey == "authorization":
+		return MaskAuthorizationHeader(value)
+	case strings.Contains(lowerKey, "api-key"),
+		strings.Contains(lowerKey, "apikey"),
+		strings.Contains(lowerKey, "token"),
+		strings.Contains(lowerKey, "secret"):
+		return HideAPIKey(value)
+	default:
+		return value
+	}
+}

internal/util/util.go

@@ -84,3 +84,17 @@ func CountAuthFiles(authDir string) int {
 	}
 	return count
 }
+
+// WritablePath returns the cleaned WRITABLE_PATH environment variable when it is set.
+// It accepts both uppercase and lowercase variants for compatibility with existing conventions.
+func WritablePath() string {
+	for _, key := range []string{"WRITABLE_PATH", "writable_path"} {
+		if value, ok := os.LookupEnv(key); ok {
+			trimmed := strings.TrimSpace(value)
+			if trimmed != "" {
+				return filepath.Clean(trimmed)
+			}
+		}
+	}
+	return ""
+}

sdk/auth/iflow.go

@@ -26,7 +26,7 @@ func (a *IFlowAuthenticator) Provider() string { return "iflow" }
 
 // RefreshLead indicates how soon before expiry a refresh should be attempted.
 func (a *IFlowAuthenticator) RefreshLead() *time.Duration {
-	d := 3 * time.Hour
+	d := 24 * time.Hour
 	return &d
 }