From 34dff7e36962fbad6e6fcc7ee2315e23d438e40e Mon Sep 17 00:00:00 2001
From: Glary-Bot <glary-bot@users.noreply.github.com>
Date: Tue, 12 May 2026 05:09:45 +0000
Subject: [PATCH] fix(remote): scope auth header attachment to comfyApi client
 only

Only fetch and attach the platform auth header when descriptor.client === 'comfyApi'. The RemoteRequestClient union currently only contains 'comfyApi', but this guard prevents future additions from accidentally leaking platform credentials to external/non-platform routes.
---
 src/platform/remote/composables/useRemoteOptions.ts | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/platform/remote/composables/useRemoteOptions.ts b/src/platform/remote/composables/useRemoteOptions.ts
index a4c28a96c9..98ab5ed92a 100644
--- a/src/platform/remote/composables/useRemoteOptions.ts
+++ b/src/platform/remote/composables/useRemoteOptions.ts
@@ -30,9 +30,12 @@ async function executeRemoteRequest(
   descriptor: RemoteRequestDescriptor,
   signal: AbortSignal
 ): Promise<unknown> {
-  const authStore = useAuthStore()
-  const authHeader = await authStore.getAuthHeader()
-  const headers = authHeader ? { ...authHeader } : undefined
+  let headers: Record<string, string> | undefined
+  if (descriptor.client === 'comfyApi') {
+    const authStore = useAuthStore()
+    const authHeader = await authStore.getAuthHeader()
+    headers = authHeader ? { ...authHeader } : undefined
+  }
   const url = resolveUrl(descriptor, getComfyApiBaseUrl())
   const response = await axios.get(url, {
     params: descriptor.params,