1

server-rs/crates/api-server/src/auth.rs

@@ -59,7 +59,7 @@ pub async fn require_bearer_auth(
     mut request: Request,
     next: Next,
 ) -> Result<Response, AppError> {
-    if request.uri().path().starts_with("/api/runtime/big-fish/")
+    if allows_internal_forwarded_auth(request.uri().path())
         && let Some(claims) = try_build_internal_forwarded_claims(&state, request.headers())
     {
         request
@@ -187,6 +187,11 @@ fn extract_bearer_token(headers: &HeaderMap) -> Result<String, AppError> {
     Ok(token.to_string())
 }
 
+fn allows_internal_forwarded_auth(path: &str) -> bool {
+    // Node 代理已经完成平台账号 JWT 校验，Rust 运行时只信任这些明确的内部转发路径。
+    path.starts_with("/api/runtime/big-fish/") || path.starts_with("/api/runtime/puzzle/")
+}
+
 fn try_build_internal_forwarded_claims(
     state: &AppState,
     headers: &HeaderMap,
@@ -234,7 +239,7 @@ fn try_build_internal_forwarded_claims(
 mod tests {
     use super::{
         INTERNAL_API_SECRET_HEADER, INTERNAL_AUTH_USER_ID_HEADER, RefreshSessionToken,
-        extract_bearer_token, try_build_internal_forwarded_claims,
+        allows_internal_forwarded_auth, extract_bearer_token, try_build_internal_forwarded_claims,
     };
     use crate::{config::AppConfig, state::AppState};
     use axum::{
@@ -272,6 +277,15 @@ mod tests {
         assert_eq!(token.token(), "refresh-token-01");
     }
 
+    #[test]
+    fn internal_forwarded_auth_allows_node_proxy_runtime_paths() {
+        assert!(allows_internal_forwarded_auth(
+            "/api/runtime/big-fish/sessions"
+        ));
+        assert!(allows_internal_forwarded_auth("/api/runtime/puzzle/works"));
+        assert!(!allows_internal_forwarded_auth("/api/auth/me"));
+    }
+
     #[test]
     fn internal_forwarded_claims_require_matching_secret() {
         let mut config = AppConfig::default();