From 5cc46b3e9bb252c0d58f97fefa9b6910bff35a31 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=B0=8F=E7=B3=AF=20=F0=9F=90=B1?= <xiaonuo@openclaw.ai>
Date: Mon, 13 Apr 2026 17:14:45 +0800
Subject: [PATCH] fix(engine): return 204 for /favicon.ico instead of 401

Browser requests to /favicon.ico were hitting the auth middleware.
Added explicit route + auth bypass.
---
 packages/engine/src/index.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/packages/engine/src/index.ts b/packages/engine/src/index.ts
index 18895f0..fca7371 100644
--- a/packages/engine/src/index.ts
+++ b/packages/engine/src/index.ts
@@ -117,6 +117,10 @@ app.use('*', async (c, next) => {
 // UI (no auth, served before auth middleware)
 // ============================================
 
+app.get('/favicon.ico', (c) => {
+  return new Response(null, { status: 204 })
+})
+
 app.get('/ui', (c) => {
   return c.html(UI_HTML)
 })
@@ -143,7 +147,7 @@ app.get('/schema', async (c) => {
 
 // Auth middleware for all routes except health, schema, ui, and POST /events (which has its own dual auth)
 app.use('*', async (c, next) => {
-  if (c.req.path === '/health' || c.req.path === '/schema' || c.req.path.startsWith('/ui')) return next()
+  if (c.req.path === '/health' || c.req.path === '/schema' || c.req.path === '/favicon.ico' || c.req.path.startsWith('/ui')) return next()
   if (c.req.method === 'POST' && c.req.path === '/events') return next()
   return bearerAuth(c.env.API_TOKEN)(c, next)
 })