From 6e9099ea12ba692b4aab7cef34bc61458eb6ec14 Mon Sep 17 00:00:00 2001
From: Daniel <845765@qq.com>
Date: Tue, 10 Oct 2023 16:52:40 +0800
Subject: [PATCH] :lock: Authenticate requests of assets other than 127.0.0.1

Fix https://github.com/siyuan-note/siyuan/issues/9388
---
 kernel/model/session.go | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/kernel/model/session.go b/kernel/model/session.go
index 87bcae012..96198f9ec 100644
--- a/kernel/model/session.go
+++ b/kernel/model/session.go
@@ -183,6 +183,15 @@ func CheckAuth(c *gin.Context) {
 }
 }
 
+ if !strings.HasPrefix(c.Request.RemoteAddr, util.LocalHost) && !strings.HasPrefix(c.Request.RemoteAddr, "[::1]") {
+ // Authenticate requests of assets other than 127.0.0.1 https://github.com/siyuan-note/siyuan/issues/9388
+ if strings.HasPrefix(c.Request.RequestURI, "/assets/") {
+ c.JSON(401, map[string]interface{}{"code": -1, "msg": "Auth failed: for security reasons, please set [Access authorization code] when using non-127.0.0.1 access\n\n为安全起见,使用非 127.0.0.1 访问时请设置 [访问授权码]"})
+ c.Abort()
+ return
+ }
+ }
+
 c.Next()
 return
 }
@@ -197,8 +206,7 @@ func CheckAuth(c *gin.Context) {
 }
 
 // 放过来自本机的某些请求
- if strings.HasPrefix(c.Request.RemoteAddr, util.LocalHost) ||
- strings.HasPrefix(c.Request.RemoteAddr, "[::1]") {
+ if strings.HasPrefix(c.Request.RemoteAddr, util.LocalHost) || strings.HasPrefix(c.Request.RemoteAddr, "[::1]") {
 if strings.HasPrefix(c.Request.RequestURI, "/assets/") {
 c.Next()
 return
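Review bot: The new `/assets/` guard in the first hunk inspects `c.Request.RequestURI` (the raw request target, query string included), whereas gin by default routes on the decoded `c.Request.URL.Path`; the two can disagree on non-canonical or percent-encoded paths, so the 401 decision can diverge from what the router actually serves. Compare the same value the router uses, `if strings.HasPrefix(c.Request.URL.Path, "/assets/") {` — the pre-existing loopback allow-branch in the second hunk has the same mismatch and should change with it. The loopback predicate `strings.HasPrefix(c.Request.RemoteAddr, util.LocalHost) || strings.HasPrefix(c.Request.RemoteAddr, "[::1]")` is now spelled out twice in CheckAuth (negated here, positive in the second hunk); a small helper such as `isLoopbackRemote(remoteAddr string) bool` would keep the two sites in lockstep. Worth a comment above the added block that `RemoteAddr` is the transport peer, so behind a same-host reverse proxy every client looks local and this guard does not apply — a deployment caveat the middleware cannot detect on its own. CheckAuth begins before this hunk and, since the second hunk is still inside it, continues past the closing brace shown here.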