fix: robust CI auto-import script, fix admin auth token verification

- Replace fragile inline bash with register/auto_import.py module
- Fix _verify_admin: accept both raw password and hashed token as Bearer
- Previous bug: login returns SHA256 hash but Bearer check only matched raw password

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.github/workflows/register-outlook.yml

@@ -71,61 +71,4 @@ jobs:
         env:
           OUTLOOK2API_URL: ${{ secrets.OUTLOOK2API_URL }}
           ADMIN_PASSWORD: ${{ secrets.ADMIN_PASSWORD }}
-        run: |
-          if [ -z "$OUTLOOK2API_URL" ] || [ -z "$ADMIN_PASSWORD" ]; then
-            echo "Skipping auto-import (OUTLOOK2API_URL or ADMIN_PASSWORD not set)"
-            exit 0
-          fi
-          # Login and get token
-          TOKEN=$(curl -sf -X POST "$OUTLOOK2API_URL/admin/api/login" \
-            -H 'Content-Type: application/json' \
-            -d "{\"password\": \"$ADMIN_PASSWORD\"}" | python3 -c "import sys,json;print(json.load(sys.stdin)['token'])" 2>/dev/null)
-          if [ -z "$TOKEN" ]; then
-            echo "Admin login failed, skipping import"
-            exit 0
-          fi
-          # Collect accounts from staging files
-          ACCOUNTS="[]"
-          if [ -d "output/.staging_outlook" ]; then
-            ACCOUNTS=$(python3 -c "
-          import os, json, glob
-          accs = []
-          for f in glob.glob('output/.staging_outlook/outlook_*.json'):
-              try:
-                  d = json.load(open(f))
-                  if d.get('email') and d.get('password'):
-                      accs.append(d['email'] + ':' + d['password'])
-              except: pass
-          print(json.dumps(accs))
-          ")
-          fi
-          # Also try the zip file
-          for z in output/*Outlook.zip; do
-            [ -f "$z" ] || continue
-            python3 -c "
-          import zipfile, json, sys
-          with zipfile.ZipFile('$z') as zf:
-              for name in zf.namelist():
-                  if name.endswith('.txt'):
-                      content = zf.read(name).decode('utf-8', errors='replace')
-                      existing = json.loads(sys.argv[1]) if sys.argv[1] != '[]' else []
-                      for line in content.strip().splitlines():
-                          line = line.strip()
-                          if ':' in line and line not in existing:
-                              existing.append(line)
-                      print(json.dumps(existing))
-                      sys.exit(0)
-          print(sys.argv[1])
-          " "$ACCOUNTS" > /tmp/accs.json && ACCOUNTS=$(cat /tmp/accs.json)
-          done
-          COUNT=$(echo "$ACCOUNTS" | python3 -c "import sys,json;print(len(json.load(sys.stdin)))")
-          if [ "$COUNT" = "0" ]; then
-            echo "No accounts to import"
-            exit 0
-          fi
-          echo "Importing $COUNT accounts..."
-          RESULT=$(curl -sf -X POST "$OUTLOOK2API_URL/admin/api/accounts/bulk" \
-            -H "Authorization: Bearer $TOKEN" \
-            -H 'Content-Type: application/json' \
-            -d "{\"accounts\": $ACCOUNTS, \"source\": \"ci\"}")
-          echo "Import result: $RESULT"
+        run: python -m register.auto_import

outlook2api/admin_routes.py

@@ -21,14 +21,17 @@ def _verify_admin(request: Request) -> None:
     """Check admin password from cookie or Authorization header."""
     cfg = get_config()
     expected = cfg["admin_password"]
+    expected_hash = hashlib.sha256(expected.encode()).hexdigest()
     # Cookie auth
     token = request.cookies.get("admin_token", "")
-    if token and token == hashlib.sha256(expected.encode()).hexdigest():
+    if token and token == expected_hash:
         return
-    # Header auth
+    # Header auth: accept both raw password and hashed token
     auth = request.headers.get("Authorization", "")
-    if auth.startswith("Bearer ") and auth[7:].strip() == expected:
-        return
+    if auth.startswith("Bearer "):
+        bearer = auth[7:].strip()
+        if bearer == expected or bearer == expected_hash:
+            return
     raise HTTPException(status_code=401, detail="Unauthorized")
 
 

register/auto_import.py

@@ -0,0 +1,104 @@
+#!/usr/bin/env python3
+"""Auto-import registered accounts to the admin panel.
+
+Reads accounts from output/*Outlook.zip or output/.staging_outlook/*.json
+and POSTs them to the admin bulk import endpoint.
+
+Usage:
+    python -m register.auto_import
+
+Environment variables:
+    OUTLOOK2API_URL  - Admin panel URL (e.g. https://ohmyapi-outlook2api.hf.space)
+    ADMIN_PASSWORD   - Admin panel password
+"""
+import glob
+import json
+import os
+import sys
+import zipfile
+
+import requests
+
+
+def collect_accounts() -> list[str]:
+    """Collect email:password lines from zip files and staging dir."""
+    accounts = []
+    seen = set()
+
+    # From zip files
+    for zpath in sorted(glob.glob("output/*Outlook.zip")):
+        try:
+            with zipfile.ZipFile(zpath) as zf:
+                for name in zf.namelist():
+                    if name.endswith(".txt"):
+                        content = zf.read(name).decode("utf-8", errors="replace")
+                        for line in content.strip().splitlines():
+                            line = line.strip()
+                            if ":" in line and line not in seen:
+                                seen.add(line)
+                                accounts.append(line)
+        except Exception as e:
+            print(f"[Import] Error reading {zpath}: {e}")
+
+    # From staging dir
+    for fpath in sorted(glob.glob("output/.staging_outlook/outlook_*.json")):
+        try:
+            with open(fpath) as f:
+                d = json.load(f)
+            email = d.get("email", "").strip()
+            password = d.get("password", "").strip()
+            if email and password:
+                line = f"{email}:{password}"
+                if line not in seen:
+                    seen.add(line)
+                    accounts.append(line)
+        except Exception:
+            pass
+
+    return accounts
+
+
+def main():
+    url = os.environ.get("OUTLOOK2API_URL", "").rstrip("/")
+    password = os.environ.get("ADMIN_PASSWORD", "")
+
+    if not url or not password:
+        print("[Import] Skipping: OUTLOOK2API_URL or ADMIN_PASSWORD not set")
+        return
+
+    # Login
+    try:
+        r = requests.post(f"{url}/admin/api/login",
+                          json={"password": password}, timeout=15)
+        r.raise_for_status()
+        token = r.json()["token"]
+        print(f"[Import] Logged in to {url}")
+    except Exception as e:
+        print(f"[Import] Login failed: {e}")
+        return
+
+    # Collect accounts
+    accounts = collect_accounts()
+    if not accounts:
+        print("[Import] No accounts to import")
+        return
+
+    print(f"[Import] Found {len(accounts)} accounts")
+
+    # Bulk import
+    try:
+        r = requests.post(
+            f"{url}/admin/api/accounts/bulk",
+            headers={"Authorization": f"Bearer {token}"},
+            json={"accounts": accounts, "source": "ci"},
+            timeout=30,
+        )
+        r.raise_for_status()
+        result = r.json()
+        print(f"[Import] Result: imported={result.get('imported')}, skipped={result.get('skipped')}")
+    except Exception as e:
+        print(f"[Import] Bulk import failed: {e}")
+
+
+if __name__ == "__main__":
+    main()