支持同时cookie登陆与secret硬编码鉴权两种方式

conf/config.ini

@@ -34,12 +34,6 @@ defaultSnap=./www/logo.png
 # Root directories accessible via the `downloadFile` API. Separate multiple directories with semicolons (;).
 downloadRoot=./www
 
-# 是否采用传统secret硬编码鉴权模式，默认开启，开启后每次http接口请求都需要传递secret
-# 关闭传统鉴权模式后，需要先调用/index/api/login接口登录，成功后将设置cookie，在cookie有效期内访问所有接口都将放行。
-# Whether to enable the legacy secret-based authentication mode (enabled by default). When enabled, every API request requires the secret.
-# When disabled, users must first call `/index/api/login`. Upon success, a cookie auth token is set, allowing unrestricted access to all APIs while the cookie remains valid.
-legacyAuth=1
-
 [ffmpeg]
 # FFmpeg可执行程序路径,支持相对路径/绝对路径
 # Path to the FFmpeg executable. Both relative and absolute paths are supported.

server/WebApi.cpp

@@ -86,7 +86,6 @@ const string kSecret = API_FIELD"secret";
 const string kSnapRoot = API_FIELD"snapRoot";
 const string kDefaultSnap = API_FIELD"defaultSnap";
 const string kDownloadRoot = API_FIELD"downloadRoot";
-const string kLegacyAuth = API_FIELD"legacyAuth";
 
 static onceToken token([]() {
     mINI::Instance()[kApiDebug] = "1";
@@ -94,7 +93,6 @@ static onceToken token([]() {
     mINI::Instance()[kSnapRoot] = "./www/snap/";
     mINI::Instance()[kDefaultSnap] = "./www/logo.png";
     mINI::Instance()[kDownloadRoot] = "./www";
-    mINI::Instance()[kLegacyAuth] = 1;
 });
 }//namespace API
 
@@ -736,19 +734,14 @@ static constexpr size_t kLoginedCookieLifeSeconds = 24 * 3600;
 
 template <typename T>
 void check_secret(toolkit::SockInfo &sender, mediakit::HttpSession::KeyValue &headerOut, const HttpAllArgs<T> &allArgs, Json::Value &val) {
-    GET_CONFIG(bool, legacy_auth , API::kLegacyAuth);
     GET_CONFIG(std::string, api_secret, API::kSecret);
 
     auto ip = sender.get_peer_ip();
     if (!HttpFileManager::isIPAllowed(ip)) {
         throw AuthException("Your ip is not allowed to access the service.");
     }
-    if (legacy_auth) {
+
-        CHECK_ARGS("secret");
+    try {
-        if (api_secret != allArgs["secret"]) {
-            throw AuthException("Incorrect secret");
-        }
-    } else {
         auto logined_cookie = HttpCookieManager::Instance().getCookie(kLoginedCookieName, allArgs.getParser().getHeader());
         if (!logined_cookie) {
             auto unlogin_cookie = HttpCookieManager::Instance().getCookie(kUnLoginCookieName, allArgs.getParser().getHeader());
@@ -759,6 +752,20 @@ void check_secret(toolkit::SockInfo &sender, mediakit::HttpSession::KeyValue &he
             val["cookie"] = unlogin_cookie->getCookie();
             throw AuthException("Please login first", headerOut, val);
         }
+        // 优先cookie登陆鉴权
+    } catch (...) {
+        try {
+            // cookie登陆鉴权失败了再比对secret
+            CHECK_ARGS("secret");
+            if (api_secret != allArgs["secret"]) {
+                throw AuthException("Incorrect secret");
+            }
+            return;
+        } catch (...) {
+            // 未提供secret或secret不匹配，这个异常隐藏
+        }
+        // secret鉴权模式失败，抛出要求cookie登录的异常
+        throw;
     }
 }
 

server/WebApi.h

@@ -55,7 +55,6 @@ typedef enum {
 } ApiErr;
 
 extern const std::string kSecret;
-extern const std::string kLegacyAuth;
 extern const std::string kApiDebug;
 } // namespace API
 

server/pyinvoker.cpp

@@ -157,11 +157,8 @@ void handle_http_request(const py::object &check_route, const py::object &submit
     try {
         auto args = getAllArgs(parser);
         auto allArgs = ArgsMap(parser, args);
-        GET_CONFIG(bool, legacy_auth , API::kLegacyAuth);
+        // Python接口要求登录鉴权
-        if (!legacy_auth) {
-            // 非传统secret鉴权模式，Python接口强制要求登录鉴权
         CHECK_SECRET();
-        }
     } catch (std::exception &ex) {
         auto ex1 = dynamic_cast<ApiRetException *>(&ex);
         if (ex1) {