From a3136c523f1c5253cec5d8a16a15c087261382a6 Mon Sep 17 00:00:00 2001
From: Chris Lu <chrislusf@users.noreply.github.com>
Date: Wed, 11 Feb 2026 13:32:56 -0800
Subject: [PATCH] Fix volume.fsck 401 Unauthorized by adding JWT to HTTP delete
 requests (#8306)

* Fix volume.fsck 401 Unauthorized by adding JWT to HTTP delete requests

* Additionally, for performance, consider fetching the jwt.filer_signing.key once before any loops that call httpDelete, rather than inside httpDelete itself, to avoid repeated configuration lookups.
---
 weed/shell/command_volume_fsck.go | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/weed/shell/command_volume_fsck.go b/weed/shell/command_volume_fsck.go
index 17c553141..5bf5ada73 100644
--- a/weed/shell/command_volume_fsck.go
+++ b/weed/shell/command_volume_fsck.go
@@ -25,6 +25,7 @@ import (
 	"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
 	"github.com/seaweedfs/seaweedfs/weed/pb/master_pb"
 	"github.com/seaweedfs/seaweedfs/weed/pb/volume_server_pb"
+	"github.com/seaweedfs/seaweedfs/weed/security"
 	"github.com/seaweedfs/seaweedfs/weed/storage"
 	"github.com/seaweedfs/seaweedfs/weed/storage/needle"
 	"github.com/seaweedfs/seaweedfs/weed/storage/needle_map"
@@ -39,7 +40,8 @@ func init() {
 }
 
 const (
-	readbufferSize = 16
+	readbufferSize                 = 16
+	jwtFilerTokenExpirationSeconds = 300
 )
 
 type commandVolumeFsck struct {
@@ -53,6 +55,7 @@ type commandVolumeFsck struct {
 	forcePurging             *bool
 	findMissingChunksInFiler *bool
 	verifyNeedle             *bool
+	filerSigningKey          string
 }
 
 func (c *commandVolumeFsck) Name() string {
@@ -139,6 +142,8 @@ func (c *commandVolumeFsck) Do(args []string, commandEnv *CommandEnv, writer io.
 	}
 	defer os.RemoveAll(c.tempFolder)
 
+	c.filerSigningKey = util.GetViper().GetString("jwt.filer_signing.key")
+
 	// collect all volume id locations
 	dataNodeVolumeIdToVInfo, err := c.collectVolumeIds()
 	if err != nil {
@@ -556,6 +561,12 @@ func (c *commandVolumeFsck) httpDelete(path util.FullPath) {
 		Host:   c.env.option.FilerAddress.ToHttpAddress(),
 		Path:   string(path),
 	}
+
+	if c.filerSigningKey != "" {
+		encodedJwt := security.GenJwtForFilerServer(security.SigningKey(c.filerSigningKey), jwtFilerTokenExpirationSeconds)
+		req.Header.Set("Authorization", "BEARER "+string(encodedJwt))
+	}
+
 	if *c.verbose {
 		fmt.Fprintf(c.writer, "full HTTP delete request to be sent: %v\n", req)
 	}