From 22dcde4bf392156d5f2bd48657a406b9ecea8cc2 Mon Sep 17 00:00:00 2001
From: xia-chu <771730766@qq.com>
Date: Thu, 19 Mar 2026 19:32:58 +0800
Subject: [PATCH] =?UTF-8?q?=E6=94=AF=E6=8C=81=E5=90=8C=E6=97=B6cookie?=
 =?UTF-8?q?=E7=99=BB=E9=99=86=E4=B8=8Esecret=E7=A1=AC=E7=BC=96=E7=A0=81?=
 =?UTF-8?q?=E9=89=B4=E6=9D=83=E4=B8=A4=E7=A7=8D=E6=96=B9=E5=BC=8F?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 conf/config.ini      |  6 ------
 server/WebApi.cpp    | 25 ++++++++++++++++---------
 server/WebApi.h      |  1 -
 server/pyinvoker.cpp |  7 ++-----
 4 files changed, 18 insertions(+), 21 deletions(-)

diff --git a/conf/config.ini b/conf/config.ini
index d6770fa5..9be5e411 100644
--- a/conf/config.ini
+++ b/conf/config.ini
@@ -34,12 +34,6 @@ defaultSnap=./www/logo.png
 # Root directories accessible via the `downloadFile` API. Separate multiple directories with semicolons (;).
 downloadRoot=./www
-# 是否采用传统secret硬编码鉴权模式,默认开启,开启后每次http接口请求都需要传递secret
-# 关闭传统鉴权模式后,需要先调用/index/api/login接口登录,成功后将设置cookie,在cookie有效期内访问所有接口都将放行。
-# Whether to enable the legacy secret-based authentication mode (enabled by default). When enabled, every API request requires the secret.
-# When disabled, users must first call `/index/api/login`. Upon success, a cookie auth token is set, allowing unrestricted access to all APIs while the cookie remains valid.
-legacyAuth=1
 [ffmpeg]
 # FFmpeg可执行程序路径,支持相对路径/绝对路径
 # Path to the FFmpeg executable. Both relative and absolute paths are supported.
diff --git a/server/WebApi.cpp b/server/WebApi.cpp
index 2b1cc2f3..148f4500 100755
--- a/server/WebApi.cpp
+++ b/server/WebApi.cpp
@@ -86,7 +86,6 @@ const string kSecret = API_FIELD"secret";
 const string kSnapRoot = API_FIELD"snapRoot";
 const string kDefaultSnap = API_FIELD"defaultSnap";
 const string kDownloadRoot = API_FIELD"downloadRoot";
-const string kLegacyAuth = API_FIELD"legacyAuth";
 static onceToken token([]() {
     mINI::Instance()[kApiDebug] = "1";
@@ -94,7 +93,6 @@ static onceToken token([]() {
     mINI::Instance()[kSnapRoot] = "./www/snap/";
     mINI::Instance()[kDefaultSnap] = "./www/logo.png";
     mINI::Instance()[kDownloadRoot] = "./www";
-    mINI::Instance()[kLegacyAuth] = 1;
 });
 }//namespace API
@@ -736,19 +734,14 @@ static constexpr size_t kLoginedCookieLifeSeconds = 24 * 3600;
 template
 void check_secret(toolkit::SockInfo &sender, mediakit::HttpSession::KeyValue &headerOut, const HttpAllArgs &allArgs, Json::Value &val) {
-    GET_CONFIG(bool, legacy_auth , API::kLegacyAuth);
     GET_CONFIG(std::string, api_secret, API::kSecret);
     auto ip = sender.get_peer_ip();
     if (!HttpFileManager::isIPAllowed(ip)) {
         throw AuthException("Your ip is not allowed to access the service.");
     }
-    if (legacy_auth) {
-        CHECK_ARGS("secret");
-        if (api_secret != allArgs["secret"]) {
-            throw AuthException("Incorrect secret");
-        }
-    } else {
+
+    try {
         auto logined_cookie = HttpCookieManager::Instance().getCookie(kLoginedCookieName, allArgs.getParser().getHeader());
         if (!logined_cookie) {
             auto unlogin_cookie = HttpCookieManager::Instance().getCookie(kUnLoginCookieName, allArgs.getParser().getHeader());
@@ -759,6 +752,20 @@ void check_secret(toolkit::SockInfo &sender, mediakit::HttpSession::KeyValue &he
             val["cookie"] = unlogin_cookie->getCookie();
             throw AuthException("Please login first", headerOut, val);
         }
+        // 优先cookie登陆鉴权
+    } catch (...) {
+        try {
+            // cookie登陆鉴权失败了再比对secret
+            CHECK_ARGS("secret");
+            if (api_secret != allArgs["secret"]) {
+                throw AuthException("Incorrect secret");
+            }
+            return;
+        } catch (...) {
+            // 未提供secret或secret不匹配,这个异常隐藏
+        }
+        // secret鉴权模式失败,抛出要求cookie登录的异常
+        throw;
+    }
 }
diff --git a/server/WebApi.h b/server/WebApi.h
index b950f588..8883d918 100755
--- a/server/WebApi.h
+++ b/server/WebApi.h
@@ -55,7 +55,6 @@ typedef enum {
 } ApiErr;
 extern const std::string kSecret;
-extern const std::string kLegacyAuth;
 extern const std::string kApiDebug;
 } // namespace API
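Review bot: Dropping `legacy_auth` removes the only way an operator had to refuse the static secret — a deployment that set `legacyAuth=0` to force interactive login (the option this patch deletes from config.ini) will after upgrading accept `secret=` on every request again, and nothing in the hunk or the config documents that the two modes are now unconditionally OR-ed. Whether an empty `secret` in config can serve as an off switch depends on what CHECK_ARGS does with an empty value, which is not visible here; if it accepts one, an empty `api_secret` would match a client-sent empty `secret=`, so guarding the fallback with `if (!api_secret.empty())` before the comparison is worth considering either way. At minimum state the policy above the new `try`: `// Auth policy: a valid login cookie OR the configured api secret is sufficient; the cookie is tried first.` check_secret's body continues into the next hunk.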
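Review bot: The inner `catch (...)` in the secret fallback erases the reason the secret was rejected, so a wrong `secret=` and a request with no secret both come back as `Please login first` with a fresh unlogin cookie; unless AuthException is logged somewhere outside this hunk, secret-guessing attempts leave no trace for an operator. Log the mismatch before discarding it, and narrow both handlers from `...` to the types the cookie lookup and CHECK_ARGS actually throw (AuthException plus whatever CHECK_ARGS raises for a missing field), so an allocation or parser failure in the cookie path is not silently reinterpreted as "not logged in" and retried as a secret check. The bare `throw;` after the inner handler rethrows the outer (cookie) exception — correct C++, since the inner handler has already completed, but subtle enough to deserve `// inner handler has exited, so this rethrows the outer "Please login first" AuthException`. `api_secret != allArgs["secret"]` is also a plain std::string comparison that stops at the first differing byte; a length-safe constant-time compare is the usual choice for a bearer secret, though that line predates this patch. The function starts in the previous hunk.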
diff --git a/server/pyinvoker.cpp b/server/pyinvoker.cpp
index 935903a0..cab96903 100644
--- a/server/pyinvoker.cpp
+++ b/server/pyinvoker.cpp
@@ -157,11 +157,8 @@ void handle_http_request(const py::object &check_route, const py::object &submit
     try {
         auto args = getAllArgs(parser);
         auto allArgs = ArgsMap(parser, args);
-        GET_CONFIG(bool, legacy_auth , API::kLegacyAuth);
-        if (!legacy_auth) {
-            // 非传统secret鉴权模式,Python接口强制要求登录鉴权
-            CHECK_SECRET();
-        }
+        // Python接口要求登录鉴权
+        CHECK_SECRET();
     } catch (std::exception &ex) {
         auto ex1 = dynamic_cast(&ex);
         if (ex1) {
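Review bot: The new comment `// Python接口要求登录鉴权` says Python routes require login, but CHECK_SECRET as changed in WebApi.cpp in this same patch also passes on a matching `secret=` argument, so the comment describes only half of the policy; replace it with `// Python routes use the same check as the C++ API: a valid login cookie or the configured secret.` Under the old code this check was skipped entirely when legacy_auth was on, so it is worth confirming that Python handlers which validated the secret themselves do not now reject or double-check it, and that none of them relied on the skip. handle_http_request starts before the hunk and continues past it.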