Herrtian opened a new pull request, #1521:
URL: https://github.com/apache/answer/pull/1521
## Summary
Closes #1508
When `LoginRequired=true` (private mode), the `EjectUserBySiteInfo`
middleware only checked for session-based authentication (cookies). Requests
with valid API keys in the `Authorization` header were rejected with 401
Unauthorized.
## Change
**File:** `internal/base/middleware/auth.go` — `EjectUserBySiteInfo()`
When no user session is found in the context, the middleware now falls back
to API key validation via `authService.AuthAPIKey()` before rejecting the
request. This reuses the same validation logic already used by the
`AuthAPIKey()` middleware for MCP routes.
```go
// Before: immediately reject if no user session
if userInfo == nil {
	// 401 Unauthorized
}

// After: try API key before rejecting
if userInfo == nil {
	token := ExtractToken(ctx)
	if len(token) > 0 {
		pass, _ := am.authService.AuthAPIKey(ctx, ctx.Request.Method == "GET", token)
		if pass {
			ctx.Next()
			return
		}
	}
	// 401 Unauthorized
}
```
## Test plan
- [x] `go build ./...` compiles successfully
- [x] Read-only API key + GET request in private mode → allowed
- [x] Write-scope API key + POST request in private mode → allowed
- [x] Read-only API key + POST request in private mode → rejected (scope check)
- [x] No token in private mode → rejected (existing behavior unchanged)
- [x] Session-based auth in private mode → works as before
- [x] Public mode (LoginRequired=false) → no change in behavior
🤖 Generated with [Claude Code](https://claude.com/claude-code)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]