Restrict management key validation to non-localhost requests only

2026-02-03 04:50:52 +08:00 · 2025-09-09 23:04:46 +08:00
parent d4dc7b0a34
commit 156e3b017d
1 changed files with 10 additions and 7 deletions
--- a/internal/api/handlers/management/handler.go
+++ b/internal/api/handlers/management/handler.go
@@ -65,14 +65,17 @@ func (h *Handler) Middleware() gin.HandlerFunc {
 		if provided == "" {
 			provided = c.GetHeader("X-Management-Key")
 		}
 		if provided == "" {
 			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "missing management key"})
 			return
 		}
-		if err := bcrypt.CompareHashAndPassword([]byte(secret), []byte(provided)); err != nil {
+		if !(clientIP == "127.0.0.1" || clientIP == "::1") {
-			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "invalid management key"})
+			if provided == "" {
-			return
+				c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "missing management key"})
 				return
 			}
 			if err := bcrypt.CompareHashAndPassword([]byte(secret), []byte(provided)); err != nil {
 				c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "invalid management key"})
 				return
 			}
 		}
 		c.Next()