feat: add API key authentication for /v1/* endpoints

2026-01-13 16:46:31 +08:00
parent d1be2e2c1d
commit 6172f5ef10
4 changed files with 37 additions and 0 deletions
--- a/src/config.js
+++ b/src/config.js
@@ -5,6 +5,7 @@ import { logger } from './utils/logger.js';

 // Default config
 const DEFAULT_CONFIG = {
+    apiKey: '',
    webuiPassword: '',
    debug: false,
    logLevel: 'info',
@@ -54,6 +55,7 @@ function loadConfig() {
        }

        // Environment overrides
+        if (process.env.API_KEY) config.apiKey = process.env.API_KEY;
        if (process.env.WEBUI_PASSWORD) config.webuiPassword = process.env.WEBUI_PASSWORD;
        if (process.env.DEBUG === 'true') config.debug = true;

--- a/src/server.js
+++ b/src/server.js
@@ -65,6 +65,37 @@ async function ensureInitialized() {
 app.use(cors());
 app.use(express.json({ limit: REQUEST_BODY_LIMIT }));

+// API Key authentication middleware for /v1/* endpoints
+app.use('/v1', (req, res, next) => {
+    // Skip validation if apiKey is not configured
+    if (!config.apiKey) {
+        return next();
+    }
+
+    const authHeader = req.headers['authorization'];
+    const xApiKey = req.headers['x-api-key'];
+
+    let providedKey = '';
+    if (authHeader && authHeader.startsWith('Bearer ')) {
+        providedKey = authHeader.substring(7);
+    } else if (xApiKey) {
+        providedKey = xApiKey;
+    }
+
+    if (!providedKey || providedKey !== config.apiKey) {
+        logger.warn(`[API] Unauthorized request from ${req.ip}, invalid API key`);
+        return res.status(401).json({
+            type: 'error',
+            error: {
+                type: 'authentication_error',
+                message: 'Invalid or missing API key'
+            }
+        });
+    }
+
+    next();
+});
+
 // Setup usage statistics middleware
 usageStats.setupMiddleware(app);