fix: support API key authentication in private mode

tengtian · claude · tengtian · commit 5c3e926df1c4 · 2026-04-15T19:45:16.000+02:00
When LoginRequired=true, EjectUserBySiteInfo middleware only checked for
session-based authentication. API key requests were rejected with 401
even when using a valid key.

Now the middleware falls back to API key validation when no user session
is found, allowing programmatic access to private instances.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/internal/base/middleware/auth.go b/internal/base/middleware/auth.go
@@ -92,6 +92,15 @@ func (am *AuthUserMiddleware) EjectUserBySiteInfo() gin.HandlerFunc {
 		// If site in private mode, user must login.
 		userInfo := GetUserInfoFromContext(ctx)
 		if userInfo == nil {
+			// Also check for valid API key authentication.
+			token := ExtractToken(ctx)
+			if len(token) > 0 {
+				pass, _ := am.authService.AuthAPIKey(ctx, ctx.Request.Method == "GET", token)
+				if pass {
+					ctx.Next()
+					return
+				}
+			}
 			handler.HandleResponse(ctx, errors.Unauthorized(reason.UnauthorizedError), nil)
 			ctx.Abort()
 			return
