user only for api:

app/api/api.go

@@ -451,7 +451,6 @@ func (a *api) start() error {
 		iam.AddPolicy("$anon", "$none", "api:/api", "GET|HEAD|OPTIONS")
 		iam.AddPolicy("$anon", "$none", "api:/api/v3/widget/process/**", "GET|HEAD|OPTIONS")
 
-		iam.AddPolicy("$localhost", "$none", "fs:/**", "GET|HEAD|OPTIONS")
 		iam.AddPolicy("$localhost", "$none", "api:/api", "GET|HEAD|OPTIONS")
 		iam.AddPolicy("$localhost", "$none", "api:/api/v3/widget/process/**", "GET|HEAD|OPTIONS")
 
@@ -469,7 +468,6 @@ func (a *api) start() error {
 
 		if !cfg.Storage.Memory.Auth.Enable {
 			iam.AddPolicy("$anon", "$none", "fs:/memfs/**", "ANY")
-			iam.AddPolicy("$localhost", "$none", "fs:/memfs/**", "ANY")
 		}
 
 		if cfg.RTMP.Enable && len(cfg.RTMP.Token) == 0 {

http/middleware/iam/iam.go

@@ -111,6 +111,7 @@ func NewWithConfig(config Config) echo.MiddlewareFunc {
 			var identity iam.IdentityVerifier = nil
 			var err error
 
+			username := "$anon"
 			resource := c.Request().URL.Path
 			var domain string
 
@@ -152,6 +153,11 @@ func NewWithConfig(config Config) echo.MiddlewareFunc {
 					}
 				}
 
+				ip := c.RealIP()
+				if ip == "127.0.0.1" || ip == "::1" {
+					username = "$localhost"
+				}
+
 				domain = c.QueryParam("group")
 				resource = "api:" + resource
 			} else {
@@ -164,14 +170,7 @@ func NewWithConfig(config Config) echo.MiddlewareFunc {
 				resource = "fs:" + resource
 			}
 
-			username := "$anon"
-			if identity == nil {
-				ip := c.RealIP()
-
-				if ip == "127.0.0.1" || ip == "::1" {
-					username = "$localhost"
-				}
-			} else {
+			if identity != nil {
 				username = identity.Name()
 			}