Halo Manager
Manage Halo blogs through the official API.
First-Time Setup
When this skill is first used, ask the user for:
1. Blog URL (e.g., https://blog.example.com)
2. Username
3. Password
Then save credentials to ~/halo-manager/config.json:
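```json
{
  "blog_url": "https://blog.example.com",
  "username": "your-username",
  "password": "your-password"
}
```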
Security Note: Never expose credentials in logs, responses, or shared channels.
Authentication
Halo uses RSA-encrypted password + CSRF token + Session cookie.
Login Flow
1. GET /login - Extract CSRF token and RSA public key
2. Encrypt password with RSA public key (JSEncrypt)
3. POST /login with form data (username, encrypted password, CSRF token)
4. Receive SESSION cookie for subsequent requests
Session Management
- Use SESSION cookie for all authenticated requests
- If session expires, re-login automatically
- Store session state in ~/halo-manager/session.json
API Endpoints
Console API Base
```
{blog_url}/apis/api.console.halo.run/v1alpha1/
```
Posts
| Operation | Method | Endpoint |
|---|---|---|
| List posts | GET | /posts |
| Get post | GET | /posts/{name} |
| Create post | POST | /posts |
| Update post | PUT | /posts/{name} |
| Delete post | DELETE | /posts/{name} |
Categories
| Operation | Method | Endpoint |
|---|---|---|
| List categories | GET | /categories |
| Create category | POST | /categories |
| Update category | PUT | /categories/{name} |
| Delete category | DELETE | /categories/{name} |
Tags
| Operation | Method | Endpoint |
|---|---|---|
| List tags | GET | /tags |
| Create tag | POST | /tags |
| Update tag | PUT | /tags/{name} |
| Delete tag | DELETE | /tags/{name} |
Users
| Operation | Method | Endpoint |
|---|---|---|
| List users | GET | /users |
| Get current user | GET | /users/- |
Comments
| Operation | Method | Endpoint |
|---|---|---|
| List comments | GET | /comments |
| Approve comment | PUT | /comments/{name}/approval |
| Delete comment | DELETE | /comments/{name} |
Media
| Operation | Method | Endpoint |
|---|---|---|
| List attachments | GET | /attachments |
| Upload attachment | POST | /attachments |
| Delete attachment | DELETE | /attachments/{name} |
Common Workflows
Create a Post
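1. Login to get session
2. Prepare post data:
```json
{
  "post": {
    "spec": {
      "title": "文章标题",
      "slug": "文章-slug",
      "content": "Markdown 格式的文章内容",
      "rawType": "markdown",
      "categories": ["分类名称"],
      "tags": ["标签1", "标签2"],
      "publish": true
    }
  }
}
```
3. POST to /posts
4. Verify creation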
Upload Media
1. Login to get session
2. Prepare multipart form data
3. POST to /attachments
4. Get attachment URL from response
Error Handling
| Status | Meaning | Action |
|---|---|---|
| 401 | Unauthorized | Re-login |
| 403 | Forbidden | Check permissions |
| 404 | Not found | Verify resource exists |
| 500 | Server error | Retry or report |
Output Format
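```
[Operation name]
Request: {method} {endpoint}
Status: {status_code}
Result: Success/Failure
Details: ...
```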
Security Best Practices
1. Never log credentials - Mask passwords in all outputs
2. Use HTTPS - Always prefer secure connections
3. Session timeout - Re-authenticate when session expires
4. Local storage only - Credentials stay on user's machine
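The setup step stores the password in plain text in ~/halo-manager/config.json, and the practices above ask for HTTPS and masked output. The following Python is an added example, not code from Halo or from this skill: it writes the file with owner-only permissions, rejects a non-HTTPS blog URL, and masks secrets before anything is printed. The function names and the SECRET_KEYS set are assumptions, and the permission check assumes a POSIX filesystem.

```python
import json
import os
import stat
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Assumed names of sensitive fields; extend to match what the skill stores.
SECRET_KEYS = {"password", "session", "cookie", "csrf_token"}


def save_config(path, blog_url, username, password):
    """Write credentials atomically to a file only the owner can read."""
    if urlsplit(blog_url).scheme != "https":
        raise ValueError("blog_url must use https")
    path = Path(path)
    path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    # mkstemp creates the file with mode 0600, so the password is never
    # on disk with wider permissions, even briefly.
    fd, tmp = tempfile.mkstemp(dir=path.parent)
    try:
        with os.fdopen(fd, "w") as f:
            json.dump({"blog_url": blog_url, "username": username,
                       "password": password}, f)
        os.replace(tmp, path)  # atomic rename over any previous config
    except BaseException:
        os.unlink(tmp)
        raise


def load_config(path):
    """Refuse a config file that group or other users can access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} has mode {oct(mode)}, expected 0o600")
    with open(path) as f:
        return json.load(f)


def redact(value):
    """Return a copy that is safe to print: secrets masked at any depth."""
    if isinstance(value, dict):
        return {k: "***" if str(k).lower() in SECRET_KEYS else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value
```

Pass every request or response summary through redact() before it reaches the output format, and treat a PermissionError from load_config() as a reason to fix the file mode rather than to continue.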
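Halo Manager
Manage Halo blogs through the official API.
First-Time Setup
When this skill is first used, ask the user for:
1. Blog URL (e.g., https://blog.example.com)
2. Username
3. Password
Then save credentials to ~/halo-manager/config.json:
```json
{
  "blog_url": "https://blog.example.com",
  "username": "your-username",
  "password": "your-password"
}
```
Security Note: Never expose credentials in logs, responses, or shared channels.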
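Authentication
Halo uses RSA-encrypted password + CSRF token + Session cookie.
Login Flow
1. GET /login - Extract CSRF token and RSA public key
2. Encrypt password with RSA public key (JSEncrypt)
3. POST /login with form data (username, encrypted password, CSRF token)
4. Receive SESSION cookie for subsequent requests
Session Management
- Use SESSION cookie for all authenticated requests
- If session expires, re-login automatically
- Store session state in ~/halo-manager/session.json
API Endpoints
Console API Base
```
{blog_url}/apis/api.console.halo.run/v1alpha1/
```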
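Posts
| Operation | Method | Endpoint |
|---|---|---|
| List posts | GET | /posts |
| Get post | GET | /posts/{name} |
| Create post | POST | /posts |
| Update post | PUT | /posts/{name} |
| Delete post | DELETE | /posts/{name} |
Categories
| Operation | Method | Endpoint |
|---|---|---|
| List categories | GET | /categories |
| Create category | POST | /categories |
| Update category | PUT | /categories/{name} |
| Delete category | DELETE | /categories/{name} |
Tags
| Operation | Method | Endpoint |
|---|---|---|
| List tags | GET | /tags |
| Create tag | POST | /tags |
| Update tag | PUT | /tags/{name} |
| Delete tag | DELETE | /tags/{name} |
Users
| Operation | Method | Endpoint |
|---|---|---|
| List users | GET | /users |
| Get current user | GET | /users/- |
Comments
| Operation | Method | Endpoint |
|---|---|---|
| List comments | GET | /comments |
| Approve comment | PUT | /comments/{name}/approval |
| Delete comment | DELETE | /comments/{name} |
Media
| Operation | Method | Endpoint |
|---|---|---|
| List attachments | GET | /attachments |
| Upload attachment | POST | /attachments |
| Delete attachment | DELETE | /attachments/{name} |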
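Common Workflows
Create a Post
1. Login to get session
2. Prepare post data:
```json
{
  "post": {
    "spec": {
      "title": "文章标题",
      "slug": "文章-slug",
      "content": "Markdown 格式的文章内容",
      "rawType": "markdown",
      "categories": ["分类名称"],
      "tags": ["标签1", "标签2"],
      "publish": true
    }
  }
}
```
3. POST to /posts
4. Verify creation
Upload Media
1. Login to get session
2. Prepare multipart form data
3. POST to /attachments
4. Get attachment URL from response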
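Error Handling
| Status | Meaning | Action |
|---|---|---|
| 401 | Unauthorized | Re-login |
| 403 | Forbidden | Check permissions |
| 404 | Not found | Verify resource exists |
| 500 | Server error | Retry or report |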
Output Format
```
[Operation name]
Request: {method} {endpoint}
Status: {status_code}
Result: Success/Failure
Details: ...
```
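Security Best Practices
1. Never log passwords - Mask passwords in all outputs
2. Use HTTPS - Always prefer secure connections
3. Session timeout - Re-authenticate when session expires
4. Local storage only - Credentials stay on user's machine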