From c8e79c378732ad7ce4af1337c074bacaf61665cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E9=BB=84=E5=A7=9C=E6=81=92?= Date: Wed, 25 Mar 2026 17:19:11 +0800 Subject: [PATCH] fix(cursor): prevent session key collision across users Include client API key in session key derivation to prevent different users sharing the same proxy from accidentally resuming each other's H2 streams when they send identical first messages with the same model. Co-Authored-By: Claude Opus 4.6 (1M context) --- internal/runtime/executor/cursor_executor.go | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/internal/runtime/executor/cursor_executor.go b/internal/runtime/executor/cursor_executor.go index 3debf73c..699c8d21 100644 --- a/internal/runtime/executor/cursor_executor.go +++ b/internal/runtime/executor/cursor_executor.go @@ -295,7 +295,7 @@ func (e *CursorExecutor) ExecuteStream(ctx context.Context, auth *cliproxyauth.A log.Debugf("cursor: parsed request: model=%s userText=%d chars, turns=%d, tools=%d, toolResults=%d", parsed.Model, len(parsed.UserText), len(parsed.Turns), len(parsed.Tools), len(parsed.ToolResults)) - sessionKey := deriveSessionKey(parsed.Model, parsed.Messages) + sessionKey := deriveSessionKey(apiKeyFromContext(ctx), parsed.Model, parsed.Messages) needsTranslate := from.String() != "" && from.String() != "openai" // Check if we can resume an existing session with tool results @@ -1089,7 +1089,7 @@ func newH2Client() *http.Client { } } -func deriveSessionKey(model string, messages []gjson.Result) string { +func deriveSessionKey(clientKey string, model string, messages []gjson.Result) string { var firstUserContent string for _, msg := range messages { if msg.Get("role").String() == "user" { 
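Review bot: `apiKeyFromContext(ctx)` in the ExecuteStream hunk is not defined in this patch, so its return value for a context with no client key is not visible here. If it returns an empty string, every such request still derives the same key for an identical model and first message, and the cross-user resume this commit is meant to prevent remains for those callers. Consider binding the value first and skipping both session lookup and session storage when it is empty, e.g. `clientKey := apiKeyFromContext(ctx)` followed by a guard on `clientKey == ""` around the resume path. ExecuteStream's body starts and ends outside the hunk, so the resume path itself is not shown.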
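Review bot: deriveSessionKey has no doc comment, and after this signature change `clientKey` is the only input that separates one user's resumable stream from another's. A comment on the function should say so, e.g. `// deriveSessionKey returns the first 16 hex characters (64 bits) of a SHA-256 over the client key, model and first user message; clientKey must be non-empty and unique per client, otherwise sessions are shared across clients.` The function body continues past the end of this hunk.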
@@ -1097,9 +1097,10 @@ func deriveSessionKey(model string, messages []gjson.Result) string {
 break
 }
 }
- input := model + ":" + firstUserContent
- if len(input) > 200 {
- input = input[:200]
+ // Include client API key to prevent session collisions across users
+ input := clientKey + ":" + model + ":" + firstUserContent
+ if len(input) > 300 {
+ input = input[:300]
 }
 h := sha256.Sum256([]byte(input))
 return hex.EncodeToString(h[:])[:16]
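Review bot: The 300-byte cap is applied after `clientKey` is prepended, so the key's length comes out of the budget for the first message. Two different first messages from the same client still collapse to one session key once they share that prefix. The `":"` join is also not an unambiguous encoding; whether a client key or model name can contain `":"` is not visible here, but if either can, distinct (key, model) pairs can produce the same input string. SHA-256 accepts input of any length, so the truncation is not needed for the hash; digesting each field separately before the final hash removes both problems using only the packages this function already calls. The function's opening lines and closing brace are outside the hunk.

```go
	// … unchanged: loop that finds firstUserContent …
	// Digest each field on its own so the fixed-width parts cannot run into
	// each other and no part of the first message is cut off before hashing.
	keyDigest := sha256.Sum256([]byte(clientKey))
	modelDigest := sha256.Sum256([]byte(model))
	contentDigest := sha256.Sum256([]byte(firstUserContent))
	input := append(append(keyDigest[:], modelDigest[:]...), contentDigest[:]...)
	h := sha256.Sum256(input)
	return hex.EncodeToString(h[:])[:16]
```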