From baa503ea2447b6757de3532a8c9d2e76151ed279 Mon Sep 17 00:00:00 2001
From: Darren Reid <github@reidmail.org>
Date: Thu, 21 Nov 2024 16:48:06 +1100
Subject: [PATCH] Make opt in to only restrict API calls for prompt and apis
 using RESTRICT_APIS_ONLY. Only restricting queuing/prompting a job

---
 comfy/ai-agent-extension/main.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/comfy/ai-agent-extension/main.py b/comfy/ai-agent-extension/main.py
index 01edc2b..e6b05eb 100644
--- a/comfy/ai-agent-extension/main.py
+++ b/comfy/ai-agent-extension/main.py
@@ -102,9 +102,6 @@ async def engines_list(request):
 async def simple_api_key_auth(request, handler):
     # Allow paths that aren't /prompt or don't start with /api
     path = request.path
-    restrict_apis_only = os.getenv('RESTRICT_APIS_ONLY', 'false').lower() == 'true'
-    if path != '/prompt' and not path.startswith('/api/prompt') and restrict_apis_only:
-        return await handler(request)
 
     auth_token = os.getenv('AGENT_PASSWORD')
     is_authorized = False
@@ -121,6 +118,11 @@ async def simple_api_key_auth(request, handler):
         if request.query['apiKey'] == auth_token:
             is_authorized = True
 
+
+    restrict_apis_only = os.getenv('RESTRICT_APIS_ONLY', 'false').lower() == 'true'
+    if path != '/prompt' and not path.startswith('/api/prompt') and restrict_apis_only and is_authorized is False:
+        is_authorized = True
+
     # Return error if neither authentication method succeeded
     if not is_authorized:
         return web.json_response({