2026-05-21 09:07:49 +08:00
4 changed files with 22 additions and 19 deletions
--- a/conf/config.ini
+++ b/conf/config.ini
@ -34,6 +34,12 @@ defaultSnap=./www/logo.png
 # Root directories accessible via the `downloadFile` API. Separate multiple directories with semicolons (;).
 downloadRoot=./www

+# 是否采用传统secret硬编码鉴权模式，默认开启，开启后每次http接口请求都需要传递secret
+# 关闭传统鉴权模式后，需要先调用/index/api/login接口登录，成功后将设置cookie，在cookie有效期内访问所有接口都将放行。
+# Whether to enable the legacy secret-based authentication mode (enabled by default). When enabled, every API request requires the secret.
+# When disabled, users must first call `/index/api/login`. Upon success, a cookie auth token is set, allowing unrestricted access to all APIs while the cookie remains valid.
+legacyAuth=1
+
 [ffmpeg]
 # FFmpeg可执行程序路径,支持相对路径/绝对路径
 # Path to the FFmpeg executable. Both relative and absolute paths are supported.
--- a/server/WebApi.cpp
+++ b/server/WebApi.cpp
@ -86,6 +86,7 @@ const string kSecret = API_FIELD"secret";
 const string kSnapRoot = API_FIELD"snapRoot";
 const string kDefaultSnap = API_FIELD"defaultSnap";
 const string kDownloadRoot = API_FIELD"downloadRoot";
+const string kLegacyAuth = API_FIELD"legacyAuth";

 static onceToken token([]() {
    mINI::Instance()[kApiDebug] = "1";
@ -93,6 +94,7 @@ static onceToken token([]() {
    mINI::Instance()[kSnapRoot] = "./www/snap/";
    mINI::Instance()[kDefaultSnap] = "./www/logo.png";
    mINI::Instance()[kDownloadRoot] = "./www";
+    mINI::Instance()[kLegacyAuth] = 1;
 });
 }//namespace API

@ -734,14 +736,19 @@ static constexpr size_t kLoginedCookieLifeSeconds = 24 * 3600;

 template <typename T>
 void check_secret(toolkit::SockInfo &sender, mediakit::HttpSession::KeyValue &headerOut, const HttpAllArgs<T> &allArgs, Json::Value &val) {
+    GET_CONFIG(bool, legacy_auth , API::kLegacyAuth);
    GET_CONFIG(std::string, api_secret, API::kSecret);

    auto ip = sender.get_peer_ip();
    if (!HttpFileManager::isIPAllowed(ip)) {
        throw AuthException("Your ip is not allowed to access the service.");
    }
-
-    try {
+    if (legacy_auth) {
+        CHECK_ARGS("secret");
+        if (api_secret != allArgs["secret"]) {
+            throw AuthException("Incorrect secret");
+        }
+    } else {
        auto logined_cookie = HttpCookieManager::Instance().getCookie(kLoginedCookieName, allArgs.getParser().getHeader());
        if (!logined_cookie) {
            auto unlogin_cookie = HttpCookieManager::Instance().getCookie(kUnLoginCookieName, allArgs.getParser().getHeader());
@ -752,20 +759,6 @@ void check_secret(toolkit::SockInfo &sender, mediakit::HttpSession::KeyValue &he
            val["cookie"] = unlogin_cookie->getCookie();
            throw AuthException("Please login first", headerOut, val);
        }
-        // 优先cookie登陆鉴权
-    } catch (...) {
-        try {
-            // cookie登陆鉴权失败了再比对secret
-            CHECK_ARGS("secret");
-            if (api_secret != allArgs["secret"]) {
-                throw AuthException("Incorrect secret");
-            }
-            return;
-        } catch (...) {
-            // 未提供secret或secret不匹配，这个异常隐藏
-        }
-        // secret鉴权模式失败，抛出要求cookie登录的异常
-        throw;
    }
 }

--- a/server/WebApi.h
+++ b/server/WebApi.h
@ -55,6 +55,7 @@ typedef enum {
 } ApiErr;

 extern const std::string kSecret;
+extern const std::string kLegacyAuth;
 extern const std::string kApiDebug;
 } // namespace API

--- a/server/pyinvoker.cpp
+++ b/server/pyinvoker.cpp
@ -157,8 +157,11 @@ void handle_http_request(const py::object &check_route, const py::object &submit
    try {
        auto args = getAllArgs(parser);
        auto allArgs = ArgsMap(parser, args);
-        // Python接口要求登录鉴权
-        CHECK_SECRET();
+        GET_CONFIG(bool, legacy_auth , API::kLegacyAuth);
+        if (!legacy_auth) {
+            // 非传统secret鉴权模式，Python接口强制要求登录鉴权
+            CHECK_SECRET();
+        }
    } catch (std::exception &ex) {
        auto ex1 = dynamic_cast<ApiRetException *>(&ex);
        if (ex1) {
@ -546,7 +549,7 @@ bool set_python_path() {
        PrintI("PYTHONPATH is already set to: %s", env_var);
        return false;
    }
-    auto default_path = exeDir() + "/python:" + exeDir() + "/pymkui/backend";
+    auto default_path = exeDir() + "/python";
    // 1 表示覆盖已存在的值
    if (!set_env("PYTHONPATH", default_path.data())) {
        PrintW("Failed to set PYTHONPATH");