fix webui auth for assets via referer token fallback

2026-04-13 18:07:36 +08:00 · 2026-02-25 13:29:00 +00:00
parent 94325de477
commit 523ee4bbf4
1 changed files with 9 additions and 0 deletions
--- a/pkg/nodes/registry_server.go
+++ b/pkg/nodes/registry_server.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/url"
 	"os"
 	"path/filepath"
 	"strings"
@@ -385,6 +386,14 @@ func (s *RegistryServer) checkAuth(r *http.Request) bool {
 	if c, err := r.Cookie("clawgo_webui_token"); err == nil && strings.TrimSpace(c.Value) == s.token {
 		return true
 	}
+	// Browser asset fallback: allow token propagated via Referer query.
+	if ref := strings.TrimSpace(r.Referer()); ref != "" {
+		if u, err := url.Parse(ref); err == nil {
+			if strings.TrimSpace(u.Query().Get("token")) == s.token {
+				return true
+			}
+		}
+	}
 	return false
 }