From d589957cf15ddfbaaa6ea5429c4d16b728477271 Mon Sep 17 00:00:00 2001
From: Adam Ladachowski
Date: Sun, 15 Feb 2026 23:35:11 +0100
Subject: [PATCH] Allow static assets without auth for ComfyUI proxy

modulepreload links use crossorigin attribute which doesn't send cookies, so static assets (JS, CSS, fonts, images, JSON) are now allowed without session authentication.

Co-Authored-By: Claude Opus 4.5
---
 tensors/server/comfyui_routes.py | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/tensors/server/comfyui_routes.py b/tensors/server/comfyui_routes.py
index bf4f121..2cfb127 100644
--- a/tensors/server/comfyui_routes.py
+++ b/tensors/server/comfyui_routes.py
@@ -237,11 +237,21 @@ async def logout() -> Response:
 return response


-def _check_auth(comfy_session: str | None) -> None:
- """Check if user is authenticated, raise 401 if not."""
+def _check_auth(comfy_session: str | None, path: str = "") -> None:
+ """Check if user is authenticated, raise redirect if not.
+
+ Static assets (JS, CSS, fonts, images) are allowed without auth
+ because modulepreload/crossorigin requests don't send cookies.
+ """
 if not COMFYUI_USER:
 # Auth not configured, allow access
 return
+
+ # Allow static assets without auth (modulepreload doesn't send cookies)
+ static_extensions = {".js", ".css", ".woff", ".woff2", ".ttf", ".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico", ".json"}
+ if any(path.lower().endswith(ext) for ext in static_extensions):
+ return
+
 if not _verify_session_token(comfy_session):
 raise HTTPException(
 status_code=status.HTTP_307_TEMPORARY_REDIRECT,
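Review bot: The new static-asset exemption in `_check_auth` is keyed only on the suffix of the client-supplied `path`, so any proxied ComfyUI route whose path ends in one of these extensions skips the session check, and because the call in `proxy_comfyui` (second hunk) passes no method, that holds for POST, PUT, DELETE and PATCH as well as GET. `.json` is the broadest entry, since data and API-style resources are often named that way, and the docstring itself lists only JS, CSS, fonts and images. I would pass `request.method` through and narrow the test to something like `if method in ("GET", "HEAD") and path.lower().endswith(STATIC_EXTENSIONS): return`, with `.json` dropped from the tuple and, ideally, a prefix allowlist of the directories the frontend bundle is actually served from. It is also worth confirming why the cookie is absent on these requests: for same-origin loads a bare `crossorigin` attribute normally still sends cookies, so the cause may be the cookie's Path or SameSite settings rather than the attribute. The end of `_check_auth` (the rest of the `HTTPException` call) lies outside the hunk.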
@@ -252,7 +262,7 @@ def _check_auth(comfy_session: str | None) -> None:
 @router.api_route("/comfy/{path:path}", methods=["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS", "HEAD"])
 async def proxy_comfyui(request: Request, path: str, comfy_session: str | None = Cookie(default=None)) -> Response:
 """Proxy all HTTP requests to ComfyUI."""
- _check_auth(comfy_session)
+ _check_auth(comfy_session, path)

 # Build target URL
 target_url = f"{COMFYUI_URL}/{path}"