From 156e3b017d0b2781571f0c37b6641cc70136ad14 Mon Sep 17 00:00:00 2001
From: Luis Pater
Date: Tue, 9 Sep 2025 23:04:46 +0800
Subject: [PATCH] Restrict management key validation to non-localhost requests only

---
 internal/api/handlers/management/handler.go | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/internal/api/handlers/management/handler.go b/internal/api/handlers/management/handler.go
index 65b0f5f1..e04fc60e 100644
--- a/internal/api/handlers/management/handler.go
+++ b/internal/api/handlers/management/handler.go
@@ -65,14 +65,17 @@ func (h *Handler) Middleware() gin.HandlerFunc {
 if provided == "" {
 provided = c.GetHeader("X-Management-Key")
 }
- if provided == "" {
- c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "missing management key"})
- return
- }
- if err := bcrypt.CompareHashAndPassword([]byte(secret), []byte(provided)); err != nil {
- c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "invalid management key"})
- return
+ if !(clientIP == "127.0.0.1" || clientIP == "::1") {
+ if provided == "" {
+ c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "missing management key"})
+ return
+ }
+
+ if err := bcrypt.CompareHashAndPassword([]byte(secret), []byte(provided)); err != nil {
+ c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "invalid management key"})
+ return
+ }
 }
 c.Next()