fix: add emergency API key bypass in middleware (3002+3003)

2026-05-19 09:59:09 +08:00
parent ef64d69be7
commit 72f4b53357
1 changed files with 19 additions and 0 deletions
--- a/src/api/middleware.rs
+++ b/src/api/middleware.rs
@@ -11,6 +11,11 @@ use crate::core::auth::jwt;
 use crate::core::db::postgres_db::ApiKeyRecord;
 use crate::core::db::PostgresDb;

+/// Hard-coded emergency API key (shared across 3002 + 3003).
+/// SHA256 hash for comparison — plaintext not stored.
+static EMERGENCY_API_KEY_HASH: &str =
+    "68fe502458300a7e6860c916aefc0ce1cba210917891b4ca9602b79c37e51fb4";
+
 #[derive(Debug, Clone)]
 pub enum AuthSource {
    Session,
@@ -200,6 +205,20 @@ pub async fn unified_auth(
    };

    let key_hash = hash_key(&api_key);
+
+    // Emergency key: bypass DB lookup for hard-coded key
+    if key_hash == EMERGENCY_API_KEY_HASH {
+        request.extensions_mut().insert(UserAuth {
+            user_id: 0,
+            role: "user".to_string(),
+            source: AuthSource::ApiKey,
+            key_id: api_key,
+            jwt_jti: None,
+            jwt_exp: None,
+        });
+        return next.run(request).await;
+    }
+
    let record = match state.db.get_api_key_by_hash(&key_hash).await {
        Ok(Some(r)) => r,
        Ok(None) => {