Restore token auth for cross-origin access

2026-04-14 22:09:37 +08:00 · 2026-03-16 17:34:09 +08:00
parent 2bef01f820
commit 5a6a455f43
2 changed files with 5 additions and 2 deletions
--- a/pkg/api/server.go
+++ b/pkg/api/server.go
@@ -484,6 +484,9 @@ func (s *Server) checkAuth(r *http.Request) bool {
 	if s.isBearerAuthorized(r) {
 		return true
 	}
+	if r != nil && strings.TrimSpace(r.URL.Query().Get("token")) == strings.TrimSpace(s.token) {
+		return true
+	}
 	if c, err := r.Cookie("clawgo_webui_token"); err == nil && strings.TrimSpace(c.Value) == s.token {
 		return true
 	}
--- a/pkg/api/server_security_test.go
+++ b/pkg/api/server_security_test.go
@@ -31,8 +31,8 @@ func TestCheckAuthAllowsBearerAndCookieOnly(t *testing.T) {
 	}

 	queryReq := httptest.NewRequest(http.MethodGet, "/?token=secret-token", nil)
-	if srv.checkAuth(queryReq) {
-		t.Fatalf("expected query token auth to fail")
+	if !srv.checkAuth(queryReq) {
+		t.Fatalf("expected query token auth to succeed")
 	}

 	refererReq := httptest.NewRequest(http.MethodGet, "/", nil)