fix(cursor): prevent session key collision across users

Include client API key in session key derivation to prevent different
users sharing the same proxy from accidentally resuming each other's
H2 streams when they send identical first messages with the same model.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
黄姜恒
2026-03-25 17:19:11 +08:00
parent 8afef43887
commit c8e79c3787


@@ -295,7 +295,7 @@ func (e *CursorExecutor) ExecuteStream(ctx context.Context, auth *cliproxyauth.A
log.Debugf("cursor: parsed request: model=%s userText=%d chars, turns=%d, tools=%d, toolResults=%d",
parsed.Model, len(parsed.UserText), len(parsed.Turns), len(parsed.Tools), len(parsed.ToolResults))
sessionKey := deriveSessionKey(parsed.Model, parsed.Messages)
sessionKey := deriveSessionKey(apiKeyFromContext(ctx), parsed.Model, parsed.Messages)
needsTranslate := from.String() != "" && from.String() != "openai"
// Check if we can resume an existing session with tool results
@@ -1089,7 +1089,7 @@ func newH2Client() *http.Client {
}
}
func deriveSessionKey(model string, messages []gjson.Result) string {
func deriveSessionKey(clientKey string, model string, messages []gjson.Result) string {
var firstUserContent string
for _, msg := range messages {
if msg.Get("role").String() == "user" {
@@ -1097,9 +1097,10 @@ func deriveSessionKey(model string, messages []gjson.Result) string {
break
}
}
input := model + ":" + firstUserContent
if len(input) > 200 {
input = input[:200]
// Include client API key to prevent session collisions across users
input := clientKey + ":" + model + ":" + firstUserContent
if len(input) > 300 {
input = input[:300]
}
h := sha256.Sum256([]byte(input))
return hex.EncodeToString(h[:])[:16]
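Review bot: In deriveSessionKey the 300-byte cut is applied after `clientKey` has been prepended, so a longer key leaves fewer bytes of model and first-message content in the hash input, and a key of 300 bytes or more would leave only its own prefix. SHA-256 takes input of any length, so I would keep the length cap on the content part only (`input := model + ":" + firstUserContent`) and mix the key in afterwards with a separator that cannot occur in it, `h := sha256.Sum256([]byte(clientKey + "\x00" + input))`. It is also worth confirming what `apiKeyFromContext` (not visible on this page) returns when the request carries no key: if that is an empty string, those callers still share one key space and can still resume each other's streams. Part of the loop body of deriveSessionKey lies between the hunks and is not shown.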