Restrict management key validation to non-localhost requests only

Luis Pater
2025-09-09 23:04:46 +08:00
parent d4dc7b0a34
commit 156e3b017d


@@ -65,14 +65,17 @@ func (h *Handler) Middleware() gin.HandlerFunc {
if provided == "" {
provided = c.GetHeader("X-Management-Key")
}
if provided == "" {
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "missing management key"})
return
}
if err := bcrypt.CompareHashAndPassword([]byte(secret), []byte(provided)); err != nil {
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "invalid management key"})
return
if !(clientIP == "127.0.0.1" || clientIP == "::1") {
if provided == "" {
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "missing management key"})
return
}
if err := bcrypt.CompareHashAndPassword([]byte(secret), []byte(provided)); err != nil {
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "invalid management key"})
return
}
}
c.Next()