fix(browser): send Authorization header in Camofox HTTP calls when CAMOFOX_API_KEY is set

The five HTTP call sites in browser_camofox.py (_ensure_tab, _post,
_get, _get_raw, _delete) did not include Authorization headers, causing
403 Forbidden when the Camofox server has API key auth enabled.

Added _auth_headers() helper and wired it into all five call sites.
The health check endpoint (/health) is left without auth since it is
a connectivity probe, not a browser operation.

Regression test covers: header present when key set, absent when unset,
blank key produces empty headers.

Fixes #20476
This commit is contained in:
刘昊 2026-05-06 09:02:56 +08:00 committed by Teknium
parent 270456308c
commit babd9168ba
2 changed files with 124 additions and 4 deletions

View file

@ -52,6 +52,14 @@ _vnc_url: Optional[str] = None # cached from /health response
_vnc_url_checked = False # only probe once per process
def _auth_headers() -> Dict[str, str]:
"""Return Authorization header when CAMOFOX_API_KEY is set."""
key = os.getenv("CAMOFOX_API_KEY", "").strip()
if key:
return {"Authorization": f"Bearer {key}"}
return {}
def get_camofox_url() -> str:
"""Return the configured Camofox server URL, or empty string."""
return os.getenv("CAMOFOX_URL", "").rstrip("/")
@ -349,6 +357,7 @@ def _ensure_tab(task_id: Optional[str], url: str = "about:blank") -> Dict[str, A
"url": url,
},
timeout=_DEFAULT_TIMEOUT,
headers=_auth_headers(),
)
resp.raise_for_status()
data = resp.json()
@ -387,7 +396,7 @@ def camofox_soft_cleanup(task_id: Optional[str] = None) -> bool:
def _post(path: str, body: dict, timeout: int = _DEFAULT_TIMEOUT) -> dict:
"""POST JSON to camofox and return parsed response."""
url = f"{get_camofox_url()}{path}"
resp = requests.post(url, json=body, timeout=timeout)
resp = requests.post(url, json=body, timeout=timeout, headers=_auth_headers())
resp.raise_for_status()
return resp.json()
@ -395,7 +404,7 @@ def _post(path: str, body: dict, timeout: int = _DEFAULT_TIMEOUT) -> dict:
def _get(path: str, params: dict = None, timeout: int = _DEFAULT_TIMEOUT) -> dict:
"""GET from camofox and return parsed response."""
url = f"{get_camofox_url()}{path}"
resp = requests.get(url, params=params, timeout=timeout)
resp = requests.get(url, params=params, timeout=timeout, headers=_auth_headers())
resp.raise_for_status()
return resp.json()
@ -403,7 +412,7 @@ def _get(path: str, params: dict = None, timeout: int = _DEFAULT_TIMEOUT) -> dic
def _get_raw(path: str, params: dict = None, timeout: int = _DEFAULT_TIMEOUT) -> requests.Response:
"""GET from camofox and return raw response (for binary data)."""
url = f"{get_camofox_url()}{path}"
resp = requests.get(url, params=params, timeout=timeout)
resp = requests.get(url, params=params, timeout=timeout, headers=_auth_headers())
resp.raise_for_status()
return resp
@ -411,7 +420,7 @@ def _get_raw(path: str, params: dict = None, timeout: int = _DEFAULT_TIMEOUT) ->
def _delete(path: str, body: dict = None, timeout: int = _DEFAULT_TIMEOUT) -> dict:
"""DELETE to camofox and return parsed response."""
url = f"{get_camofox_url()}{path}"
resp = requests.delete(url, json=body, timeout=timeout)
resp = requests.delete(url, json=body, timeout=timeout, headers=_auth_headers())
resp.raise_for_status()
return resp.json()