From 6026d3095d1615e3eb4633f9fc04ca4c588a95ad Mon Sep 17 00:00:00 2001
From: tengtian
Date: Wed, 15 Apr 2026 19:45:16 +0200
Subject: [PATCH] fix: support API key authentication in private mode

When LoginRequired=true, EjectUserBySiteInfo middleware only checked for session-based authentication. API key requests were rejected with 401 even when using a valid key. Now the middleware falls back to API key validation when no user session is found, allowing programmatic access to private instances.
---
 internal/base/middleware/auth.go | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/internal/base/middleware/auth.go b/internal/base/middleware/auth.go
index 57bbaae21..ff57ea914 100644
--- a/internal/base/middleware/auth.go
+++ b/internal/base/middleware/auth.go
@@ -92,6 +92,15 @@ func (am *AuthUserMiddleware) EjectUserBySiteInfo() gin.HandlerFunc {
 // If site in private mode, user must login.
 userInfo := GetUserInfoFromContext(ctx)
 if userInfo == nil {
+ // Also check for valid API key authentication.
+ token := ExtractToken(ctx)
+ if len(token) > 0 {
+ pass, _ := am.authService.AuthAPIKey(ctx, ctx.Request.Method == "GET", token)
+ if pass {
+ ctx.Next()
+ return
+ }
+ }
 handler.HandleResponse(ctx, errors.Unauthorized(reason.UnauthorizedError), nil)
 ctx.Abort()
 return
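Review bot: The error from `am.authService.AuthAPIKey` is discarded at `pass, _ := ...`, so a failed key lookup looks the same as a wrong key and neither is recorded. The path still fails closed, because a false `pass` falls through to the existing 401, but on a private instance rejected API keys are exactly the events an operator wants in the logs. I would keep the error, `pass, err := am.authService.AuthAPIKey(ctx, ctx.Request.Method == "GET", token)`, and log it before falling through to the Unauthorized response. When the key does pass, `ctx.Next()` runs with `userInfo` still nil, so it is worth confirming that handlers behind this middleware do not assume a user in context; that cannot be checked from this hunk. The handler closure starts and ends outside the hunk.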