Description
Name and Version
version: 4154 (55ed008)
built with cc (GCC) 14.2.1 20240910 for x86_64-pc-linux-gnu
Which operating systems do you know to be affected?
Linux
Which llama.cpp modules do you know to be affected?
llama-server
Steps to Reproduce
llama-server -m FNAME --path PATH --api-key-file FNAME
Put a file with a custom name like "test1.html" into PATH.
Open test1.html in a browser, get response 401.
First Bad Commit
Relevant log output
Unauthorized: Invalid API Key
request: GET /test1.html 127.0.0.1 401
Problem description
llama-server supports only bearer token authorization. Browsers have no way to supply it during navigation and fetching of referenced resources like images. This makes the --path option mostly useless when it is in unnecessary conflict with the options --api-key and --api-key-file.
Embedded static files are accessible without authorization. Custom static files were also accessible before #9776.
Workaround
To solve this problem for myself, I replaced the authorization requirement logic with a simpler one: GET requests don't require authorization. Besides static files, this gives public access to the following endpoints:
- /health
- /metrics
- /props (read-only)
- /models
- /v1/models
- /lora-adapters (only list)
- /slots (read-only)
In my usage, none of these create a concern. In particular, "/slots" is disabled.
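
A narrower alternative to the GET-wide exemption described in the workaround, as an added example that is not code from the issue author or from llama.cpp: only a GET that resolves to an existing regular file inside the static root skips the token check, so API routes from the list above stay protected. The function names, the temporary directory and the sample paths are assumptions made for illustration.

```cpp
#include <filesystem>
#include <fstream>
#include <iostream>
#include <string>
namespace fs = std::filesystem;

// The workaround from the issue: every GET request skips the token check.
bool public_under_get_rule(const std::string & method) { return method == "GET"; }

// Hypothetical narrower rule (not llama-server code): a request is public only
// if it is a GET whose path resolves to an existing regular file inside
// static_root. url_path is assumed to have its query string already removed.
bool is_public_request(const std::string & method, const std::string & url_path,
                       const fs::path & static_root) {
    if (method != "GET" || url_path.size() < 2 || url_path[0] != '/') return false;
    std::error_code ec;
    const fs::path root = fs::weakly_canonical(static_root, ec);
    if (ec) return false;
    // Resolve "..", "." and symlinks before comparing against the root.
    const fs::path target = fs::weakly_canonical(root / url_path.substr(1), ec);
    if (ec) return false;
    const fs::path rel = target.lexically_relative(root);
    if (rel.empty() || rel.begin()->string() == "..") return false;  // escaped the root
    return fs::is_regular_file(target, ec) && !ec;
}

// Constructed sample: a temporary static root holding one custom page.
fs::path make_sample_root() {
    const fs::path root = fs::temp_directory_path() / "static_root_demo";
    fs::create_directories(root);
    std::ofstream(root / "test1.html") << "<html>hello</html>";
    return root;
}

int main() {
    const fs::path root = make_sample_root();
    const char * paths[] = {"/test1.html", "/slots", "/metrics", "/../outside.txt"};
    for (const char * p : paths) {
        std::cout << "GET " << p
                  << "  get-rule public=" << public_under_get_rule("GET")
                  << "  static-only public=" << is_public_request("GET", p, root) << "\n";
    }
    return 0;
}
```

Build with a C++17 compiler; the check assumes no file in the static root shares a name with an API route.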