diff --git a/kernel/model/session.go b/kernel/model/session.go
index e2011d77c..fc8e8c64a 100644
--- a/kernel/model/session.go
+++ b/kernel/model/session.go
@@ -182,6 +182,45 @@ func CheckAuth(c *gin.Context) {
 return
 }
+ // 通过 API token (header: Authorization)
+ if authHeader := c.GetHeader("Authorization"); "" != authHeader {
+ var token string
+ if strings.HasPrefix(authHeader, "Token ") {
+ token = strings.TrimPrefix(authHeader, "Token ")
+ } else if strings.HasPrefix(authHeader, "token ") {
+ token = strings.TrimPrefix(authHeader, "token ")
+ } else if strings.HasPrefix(authHeader, "Bearer ") {
+ token = strings.TrimPrefix(authHeader, "Bearer ")
+ } else if strings.HasPrefix(authHeader, "bearer ") {
+ token = strings.TrimPrefix(authHeader, "bearer ")
+ }
+
+ if "" != token {
+ if Conf.Api.Token == token {
+ c.Set(RoleContextKey, RoleAdministrator)
+ c.Next()
+ return
+ }
+
+ c.JSON(http.StatusUnauthorized, map[string]interface{}{"code": -1, "msg": "Auth failed [header: Authorization]"})
+ c.Abort()
+ return
+ }
+ }
+
+ // 通过 API token (query-params: token)
+ if token := c.Query("token"); "" != token {
+ if Conf.Api.Token == token {
+ c.Set(RoleContextKey, RoleAdministrator)
+ c.Next()
+ return
+ }
+
+ c.JSON(http.StatusUnauthorized, map[string]interface{}{"code": -1, "msg": "Auth failed [query: token]"})
+ c.Abort()
+ return
+ }
+
 //logging.LogInfof("check auth for [%s]", c.Request.RequestURI)
 localhost := util.IsLocalHost(c.Request.RemoteAddr)
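Review bot: Both `Conf.Api.Token == token` comparisons in this hunk (header branch and query branch) are plain string equality, which short-circuits on the first differing byte and so leaks how much of the secret matched through response timing; since these checks now run before the localhost and session checks, they are reachable by any caller that presents a token. Use a constant-time compare in both places, `if subtle.ConstantTimeCompare([]byte(Conf.Api.Token), []byte(token)) == 1 {`, adding `crypto/subtle` to the file's imports. The four `strings.HasPrefix`/`TrimPrefix` branches for the scheme could also collapse to one `strings.Cut(authHeader, " ")` followed by `strings.EqualFold(scheme, "Token") || strings.EqualFold(scheme, "Bearer")`, which matches the same inputs with less duplication. CheckAuth begins and ends outside this hunk, so the surrounding control flow is not visible here.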
@@ -267,45 +306,6 @@ func CheckAuth(c *gin.Context) {
 }
 }
- // 通过 API token (header: Authorization)
- if authHeader := c.GetHeader("Authorization"); "" != authHeader {
- var token string
- if strings.HasPrefix(authHeader, "Token ") {
- token = strings.TrimPrefix(authHeader, "Token ")
- } else if strings.HasPrefix(authHeader, "token ") {
- token = strings.TrimPrefix(authHeader, "token ")
- } else if strings.HasPrefix(authHeader, "Bearer ") {
- token = strings.TrimPrefix(authHeader, "Bearer ")
- } else if strings.HasPrefix(authHeader, "bearer ") {
- token = strings.TrimPrefix(authHeader, "bearer ")
- }
-
- if "" != token {
- if Conf.Api.Token == token {
- c.Set(RoleContextKey, RoleAdministrator)
- c.Next()
- return
- }
-
- c.JSON(http.StatusUnauthorized, map[string]interface{}{"code": -1, "msg": "Auth failed [header: Authorization]"})
- c.Abort()
- return
- }
- }
-
- // 通过 API token (query-params: token)
- if token := c.Query("token"); "" != token {
- if Conf.Api.Token == token {
- c.Set(RoleContextKey, RoleAdministrator)
- c.Next()
- return
- }
-
- c.JSON(http.StatusUnauthorized, map[string]interface{}{"code": -1, "msg": "Auth failed [query: token]"})
- c.Abort()
- return
- }
-
 // WebDAV BasicAuth Authenticate
 if strings.HasPrefix(c.Request.RequestURI, "/webdav") ||
 strings.HasPrefix(c.Request.RequestURI, "/caldav") ||