From 3446aec6a2635f0984313a00132c44199293c640 Mon Sep 17 00:00:00 2001
From: InfinityPacer <160988576+InfinityPacer@users.noreply.github.com>
Date: Thu, 12 Sep 2024 02:36:34 +0800
Subject: [PATCH] feat(plugin): add API_TOKEN validation for plugin API registration
---
 app/api/endpoints/plugin.py | 6 +++++-
 app/core/plugin.py | 3 ++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/app/api/endpoints/plugin.py b/app/api/endpoints/plugin.py
index 52077d14..e79c3452 100644
--- a/app/api/endpoints/plugin.py
+++ b/app/api/endpoints/plugin.py
@@ -4,7 +4,7 @@ from fastapi import APIRouter, Depends, Header
 from app import schemas
 from app.core.plugin import PluginManager
-from app.core.security import verify_token
+from app.core.security import verify_token, verify_apitoken
 from app.db.systemconfig_oper import SystemConfigOper
 from app.db.user_oper import get_current_active_superuser
 from app.helper.plugin import PluginHelper
@@ -23,6 +23,10 @@ def register_plugin_api(plugin_id: str = None):
 if r.path == api.get("path"):
 router.routes.remove(r)
 break
+ # 检查是否允许匿名访问,如果不允许匿名访问,则添加 API_TOKEN 验证
+ allow_anonymous = api.pop("allow_anonymous", False)
+ if not allow_anonymous:
+ api.setdefault("dependencies", []).append(Depends(verify_apitoken))
 router.add_api_route(**api)
diff --git a/app/core/plugin.py b/app/core/plugin.py
index 3cf9eb13..6b977774 100644
--- a/app/core/plugin.py
+++ b/app/core/plugin.py
@@ -426,7 +426,8 @@ class PluginManager(metaclass=Singleton):
 "endpoint": self.xxx,
 "methods": ["GET", "POST"],
 "summary": "API名称",
- "description": "API说明"
+ "description": "API说明",
+ "allow_anonymous": false
 }]
 """
 ret_apis = []
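Review bot: The opt-out test `if not allow_anonymous:` in register_plugin_api accepts any truthy value, so a plugin that supplies the string `"false"` or `1` gets its route registered without `verify_apitoken`; a strict comparison, `if allow_anonymous is not True:`, keeps the default fail-closed. The `pop` and `setdefault(...).append(...)` calls also mutate the dict the plugin returned, so if a plugin hands back the same object on a later registration (not visible here) the flag has already been removed and the dependency list gains a duplicate entry. Working on a copy first, `api = {**api, "dependencies": [*(api.get("dependencies") or [])]}`, avoids both and also tolerates a `None` or tuple value. The enclosing loop and the start of the function are outside the hunk.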
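Review bot: The docstring example in app/core/plugin.py writes `"allow_anonymous": false`, which is not a Python literal and invites plugin authors to pass a string, and it does not say what happens when the key is omitted. Since this sample is the contract plugin authors copy from, I would write `"allow_anonymous": False  # optional, default False; True registers the route without API_TOKEN verification`. The method this docstring belongs to starts outside the hunk.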