conf/config.ini

@@ -34,6 +34,12 @@ defaultSnap=./www/logo.png
 # Root directories accessible via the `downloadFile` API. Separate multiple directories with semicolons (;).
 downloadRoot=./www
 
+# 是否采用传统secret硬编码鉴权模式，默认开启，开启后每次http接口请求都需要传递secret
+# 关闭传统鉴权模式后，需要先调用/index/api/login接口登录，成功后将设置cookie，在cookie有效期内访问所有接口都将放行。
+# Whether to enable the legacy secret-based authentication mode (enabled by default). When enabled, every API request requires the secret.
+# When disabled, users must first call `/index/api/login`. Upon success, a cookie auth token is set, allowing unrestricted access to all APIs while the cookie remains valid.
+legacyAuth=1
+
 [ffmpeg]
 # FFmpeg可执行程序路径,支持相对路径/绝对路径
 # Path to the FFmpeg executable. Both relative and absolute paths are supported.

server/WebApi.cpp

@@ -86,6 +86,7 @@ const string kSecret = API_FIELD"secret";
 const string kSnapRoot = API_FIELD"snapRoot";
 const string kDefaultSnap = API_FIELD"defaultSnap";
 const string kDownloadRoot = API_FIELD"downloadRoot";
+const string kLegacyAuth = API_FIELD"legacyAuth";
 
 static onceToken token([]() {
     mINI::Instance()[kApiDebug] = "1";
@@ -93,6 +94,7 @@ static onceToken token([]() {
     mINI::Instance()[kSnapRoot] = "./www/snap/";
     mINI::Instance()[kDefaultSnap] = "./www/logo.png";
     mINI::Instance()[kDownloadRoot] = "./www";
+    mINI::Instance()[kLegacyAuth] = 1;
 });
 }//namespace API
 
@@ -734,14 +736,19 @@ static constexpr size_t kLoginedCookieLifeSeconds = 24 * 3600;
 
 template <typename T>
 void check_secret(toolkit::SockInfo &sender, mediakit::HttpSession::KeyValue &headerOut, const HttpAllArgs<T> &allArgs, Json::Value &val) {
+    GET_CONFIG(bool, legacy_auth , API::kLegacyAuth);
     GET_CONFIG(std::string, api_secret, API::kSecret);
 
     auto ip = sender.get_peer_ip();
     if (!HttpFileManager::isIPAllowed(ip)) {
         throw AuthException("Your ip is not allowed to access the service.");
     }
-
+    if (legacy_auth) {
-    try {
+        CHECK_ARGS("secret");
+        if (api_secret != allArgs["secret"]) {
+            throw AuthException("Incorrect secret");
+        }
+    } else {
         auto logined_cookie = HttpCookieManager::Instance().getCookie(kLoginedCookieName, allArgs.getParser().getHeader());
         if (!logined_cookie) {
             auto unlogin_cookie = HttpCookieManager::Instance().getCookie(kUnLoginCookieName, allArgs.getParser().getHeader());
@@ -752,20 +759,6 @@ void check_secret(toolkit::SockInfo &sender, mediakit::HttpSession::KeyValue &he
             val["cookie"] = unlogin_cookie->getCookie();
             throw AuthException("Please login first", headerOut, val);
         }
-        // 优先cookie登陆鉴权
-    } catch (...) {
-        try {
-            // cookie登陆鉴权失败了再比对secret
-            CHECK_ARGS("secret");
-            if (api_secret != allArgs["secret"]) {
-                throw AuthException("Incorrect secret");
-            }
-            return;
-        } catch (...) {
-            // 未提供secret或secret不匹配，这个异常隐藏
-        }
-        // secret鉴权模式失败，抛出要求cookie登录的异常
-        throw;
     }
 }
 

server/WebApi.h

@@ -55,6 +55,7 @@ typedef enum {
 } ApiErr;
 
 extern const std::string kSecret;
+extern const std::string kLegacyAuth;
 extern const std::string kApiDebug;
 } // namespace API
 

server/pyinvoker.cpp

@@ -157,8 +157,11 @@ void handle_http_request(const py::object &check_route, const py::object &submit
     try {
         auto args = getAllArgs(parser);
         auto allArgs = ArgsMap(parser, args);
-        // Python接口要求登录鉴权
+        GET_CONFIG(bool, legacy_auth , API::kLegacyAuth);
-        CHECK_SECRET();
+        if (!legacy_auth) {
+            // 非传统secret鉴权模式，Python接口强制要求登录鉴权
+            CHECK_SECRET();
+        }
     } catch (std::exception &ex) {
         auto ex1 = dynamic_cast<ApiRetException *>(&ex);
         if (ex1) {
@@ -546,7 +549,7 @@ bool set_python_path() {
         PrintI("PYTHONPATH is already set to: %s", env_var);
         return false;
     }
-    auto default_path = exeDir() + "/python:" + exeDir() + "/pymkui/backend";
+    auto default_path = exeDir() + "/python";
     // 1 表示覆盖已存在的值
     if (!set_env("PYTHONPATH", default_path.data())) {
         PrintW("Failed to set PYTHONPATH");