From 0c737964b7901c31380f2c6f5b631676fff8ad56 Mon Sep 17 00:00:00 2001
From: Br1an67 <932039080@qq.com>
Date: Mon, 2 Mar 2026 01:34:28 +0800
Subject: [PATCH] fix: require api_token for /token endpoint when configured

Add api_token field to security config and TokenRequest. When security.api_token is set in config.yml, the /token endpoint validates the provided api_token before issuing a JWT. Existing deployments without api_token configured are unaffected (backward compatible).

Closes #1627
---
 deploy/docker/auth.py    | 3 ++-
 deploy/docker/config.yml | 1 +
 deploy/docker/server.py  | 3 +++
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/deploy/docker/auth.py b/deploy/docker/auth.py
index 6fcef3399..ebc4eea1f 100644
--- a/deploy/docker/auth.py
+++ b/deploy/docker/auth.py
@@ -70,4 +70,5 @@ def jwt_required(credentials: HTTPAuthorizationCredentials = Depends(security))
 class TokenRequest(BaseModel):
-    email: EmailStr
\ No newline at end of file
+    email: EmailStr
+    api_token: Optional[str] = None
\ No newline at end of file
diff --git a/deploy/docker/config.yml b/deploy/docker/config.yml
index db3193a69..8175c2e1e 100644
--- a/deploy/docker/config.yml
+++ b/deploy/docker/config.yml
@@ -44,6 +44,7 @@ rate_limiting:
 security:
   enabled: false
   jwt_enabled: false
+  api_token: "" # When set, /token endpoint requires this secret to issue JWTs
   https_redirect: false
   trusted_hosts: ["*"]
   headers:
diff --git a/deploy/docker/server.py b/deploy/docker/server.py
index 7ae1adb8b..3c9c05f3e 100644
--- a/deploy/docker/server.py
+++ b/deploy/docker/server.py
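Review bot: The new `api_token: Optional[str] = None` field in `TokenRequest` depends on `Optional` being in scope in auth.py, and this hunk adds no `from typing import Optional`; if the module does not already import it, the class body raises NameError at import time and the service fails to start, so please confirm the import exists (the file head is outside this hunk). Since the field carries a shared secret, consider declaring it as `api_token: Optional[SecretStr] = None` (pydantic's `SecretStr`) so the value is masked in `repr(req)`, validation error payloads and any request logging, and read it with `.get_secret_value()` at the comparison site. The `\ No newline at end of file` marker also survives on the new side; ending the file with a newline would keep linters and future diffs quiet.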
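Review bot: `api_token` is a bearer-equivalent shared secret, and placing its key in the committed `deploy/docker/config.yml` invites operators to edit the tracked file and commit a real value; the new comment should steer them away from that, e.g. `api_token: "" # When set, /token requires this secret to issue JWTs. Supply it via an env var or mounted secret; never commit a real value.`. If the config loader supports environment substitution (not visible in this diff), naming the variable next to this key would make the safe path the obvious one. Note also that the empty default leaves `/token` unauthenticated, which matches the stated backward compatibility but deserves a callout here, since `enabled: false` and `jwt_enabled: false` in the same block make it easy to assume the endpoint is already gated.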
@@ -303,6 +303,9 @@ def _safe_eval_config(expr: str) -> dict:
 # ──────────────────────── Endpoints ──────────────────────────
 @app.post("/token")
 async def get_token(req: TokenRequest):
+    expected_token = config.get("security", {}).get("api_token", "")
+    if expected_token and req.api_token != expected_token:
+        raise HTTPException(401, "Invalid or missing api_token")
     if not verify_email_domain(req.email):
         raise HTTPException(400, "Invalid email domain")
     token = create_access_token({"sub": req.email})
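Review bot: The added check compares the shared secret with `!=`, which short-circuits at the first differing byte and lets a remote caller recover the token character by character from response timing; use a constant-time comparison instead: `if expected_token and not secrets.compare_digest((req.api_token or "").encode(), expected_token.encode()):`, with `import secrets` added at the top of server.py. Encoding to bytes matters because `compare_digest` raises TypeError on non-ASCII `str`, and `or ""` covers the `None` default on `TokenRequest.api_token`. Since `expected_token` comes straight from the YAML loader, a value like `api_token: 12345` would arrive as an int and break the comparison, so coercing with `str(...)` or validating the type at config load is worth considering (the loader is not visible here). This endpoint is the natural brute-force target for the secret, so confirm that the `rate_limiting` section in config.yml actually applies to `/token`; that wiring is outside this diff. `get_token`'s body continues past the end of this hunk.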