From 0e7dcc0ea19cd1e08a72ff8d9c74a954ee824c99 Mon Sep 17 00:00:00 2001
From: Daniel <845765@qq.com>
Date: Sun, 17 Sep 2023 20:45:21 +0800
Subject: [PATCH] :art: Authenticate requests with the Origin header other than 127.0.0.1 https://github.com/siyuan-note/siyuan/issues/9180
---
 kernel/model/session.go | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/kernel/model/session.go b/kernel/model/session.go
index 089d89b32..04dbd9ccc 100644
--- a/kernel/model/session.go
+++ b/kernel/model/session.go
@@ -165,12 +165,21 @@ func CheckAuth(c *gin.Context) {
 u, parseErr := url.Parse(origin)
 if nil != parseErr {
 logging.LogWarnf("parse origin [%s] failed: %s", origin, parseErr)
- } else {
- if !strings.HasPrefix(u.Host, util.LocalHost) && !strings.HasPrefix(u.Host, "[::1]") {
- c.JSON(401, map[string]interface{}{"code": -1, "msg": "Auth failed"})
- c.Abort()
- return
- }
+ c.JSON(401, map[string]interface{}{"code": -1, "msg": "Auth failed"})
+ c.Abort()
+ return
+
+ }
+
+ if "chrome-extension" == strings.ToLower(u.Scheme) {
+ c.Next()
+ return
+ }
+
+ if !strings.HasPrefix(u.Host, util.LocalHost) && !strings.HasPrefix(u.Host, "[::1]") {
+ c.JSON(401, map[string]interface{}{"code": -1, "msg": "Auth failed"})
+ c.Abort()
+ return
 }
 }
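Review bot: The loopback test kept on the new side, `strings.HasPrefix(u.Host, util.LocalHost)`, is a prefix match on host-plus-port, so an Origin whose hostname merely begins with the same characters as the loopback address is also accepted. Comparing the parsed hostname exactly closes that gap, e.g. `if h := u.Hostname(); h != util.LocalHost && h != "::1" {`, assuming util.LocalHost is the bare address (its value is not shown in the hunk); Hostname() drops both the port and the IPv6 brackets. Separately, the new `chrome-extension` branch accepts every extension origin and calls `c.Next()` before the host check is reached, so it should either also match `u.Host` against the expected extension ID(s) or carry a comment explaining why any installed extension is trusted. CheckAuth begins and ends outside the hunk, so the checks that run before and after this block are not visible here.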