Unauthorized: Invalid API Key
request: GET /test1.html 127.0.0.1 401
Problem description
llama-server supports only bearer token authorization. Browsers have no way to supply it during navigation and fetching of referenced resources like images. This makes the --path option mostly useless when it is in unnecessary conflict with the options --api-key and --api-key-file.
Embedded static files are accessible without authorization. Custom static files were also accessible before #9776.
Workaround
To solve this problem for myself, I replaced the authorization requirement logic with a simpler one: GET requests don't require authorization. Besides static files, this gives public access to the following endpoints:
/health
/metrics
/props (read-only)
/models
/v1/models
/lora-adapters (only list)
/slots (read-only)
In my usage, none of these create a concern. In particular, "/slots" is disabled.
Name and Version
version: 4154 (55ed008)
built with cc (GCC) 14.2.1 20240910 for x86_64-pc-linux-gnu
Which operating systems do you know to be affected?
Linux
Which llama.cpp modules do you know to be affected?
llama-server
Steps to Reproduce
llama-server -m FNAME --path PATH --api-key-file FNAME
Put a file with a custom name like "test1.html" into PATH.
Open test1.html in a browser, get response 401.
First Bad Commit
458367a
Relevant log output
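The two behaviours described in this issue, as an added stand-alone model that is not llama.cpp code and not the reporter's patch: a bearer-only key check versus the "GET is public" workaround. The `Policy`, `Request`, `authorize` and `public_get_paths` names and the sample key are hypothetical, and the model covers only requests that reach the key check (it does not model the exemption for embedded static files).

```cpp
// Added illustration, not llama.cpp code; every name here is hypothetical.
#include <iostream>
#include <string>
#include <vector>

enum class Policy { BearerRequired, GetIsPublic };
struct Request {
    std::string method;         // "GET", "POST", ...
    std::string path;           // e.g. "/test1.html"
    std::string authorization;  // raw Authorization header, empty if absent
};

// Compare without an early exit so timing does not leak the matching prefix.
static bool equal_constant_time(const std::string &a, const std::string &b) {
    unsigned char diff = a.size() == b.size() ? 0 : 1;
    for (std::size_t i = 0; i < a.size() && i < b.size(); ++i) diff |= static_cast<unsigned char>(a[i] ^ b[i]);
    return diff == 0;
}

static bool has_valid_bearer(const Request &req, const std::vector<std::string> &keys) {
    const std::string prefix = "Bearer ";
    if (req.authorization.compare(0, prefix.size(), prefix) != 0) return false;
    const std::string token = req.authorization.substr(prefix.size());
    bool ok = false;
    for (const auto &k : keys) ok |= equal_constant_time(token, k);
    return ok;
}

// Status the key check would produce: 200 = passed on, 401 = rejected.
int authorize(Policy policy, const Request &req, const std::vector<std::string> &keys) {
    if (keys.empty()) return 200;  // assumption: no key configured, check is off
    if (policy == Policy::GetIsPublic && req.method == "GET") return 200;
    return has_valid_bearer(req, keys) ? 200 : 401;
}

// GET paths reachable with no Authorization header under the given policy.
std::vector<std::string> public_get_paths(Policy policy, const std::vector<std::string> &paths,
                                          const std::vector<std::string> &keys) {
    std::vector<std::string> out;
    for (const auto &p : paths)
        if (authorize(policy, Request{"GET", p, ""}, keys) == 200) out.push_back(p);
    return out;
}

int main() {
    const std::vector<std::string> keys = {"constructed-key"};  // constructed sample
    for (const auto &p : public_get_paths(Policy::GetIsPublic, {"/test1.html", "/metrics", "/props"}, keys))
        std::cout << "public without key: " << p << "\n";
}
```

Running `public_get_paths` over a deployment's own GET routes gives the list of endpoints that the method-based rule would leave reachable without a key.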