diff --git a/src/controllers/CardController.ts b/src/controllers/CardController.ts
index 1ebcd6f..7a513d7 100644
--- a/src/controllers/CardController.ts
+++ b/src/controllers/CardController.ts
@@ -1,10 +1,11 @@
 import BaseController from "../common/base.controller";
-import {router} from "../decorators/router";
+import {role, router} from "../decorators/router";
 import {CardGroup} from "../models/CardGroup";
 import {ZError} from "../common/ZError";
 import {Card} from "../models/subdoc/Card";
 import {MoneyTypeConst} from "../constants/MoneyTypeConst";
 import {BaseConst} from "../constants/BaseConst";
+import {User} from "../models/User";
 
 export default class CardController extends BaseController {
     @router('post /api/:accountid/card_group/:heroid')
@@ -23,6 +24,28 @@ export default class CardController extends BaseController {
         return result;
     }
 
+    @role('svr')
+    @router('get /api/:accountid/group_info/:heroid/:gid')
+    async cardGroupInfo(req: any) {
+        let {accountid, heroid, gid} = req.params;
+        let record;
+        if (gid) {
+            record = await CardGroup.findById(gid);
+        }
+        if (!record) {
+            if (!heroid || !accountid) {
+                throw new ZError(101, 'not enough params');
+            }
+            heroid = parseInt(heroid);
+            record = await CardGroup.findOne({accountid, heroid, deleted: false, isdefault: true});
+        }
+        if (!record) {
+            throw new ZError(103, 'no card group found');
+        }
+        return record.toJson();
+    }
+
+
     @router('post /api/:accountid/card_group/save/:gid')
     async saveCardGroup(req: any) {
         let {accountid, gid, heroid, selected, cards} = req.params;
diff --git a/src/plugins/apiauth.ts b/src/plugins/apiauth.ts
index 79fc9fc..6eac69f 100644
--- a/src/plugins/apiauth.ts
+++ b/src/plugins/apiauth.ts
@@ -28,6 +28,10 @@ const apiAuthPlugin: FastifyPluginAsync = async function(
     fastify.decorate("apiAuth", async function(request: FastifyRequest, reply: FastifyReply) {
         if (!request.roles || request.roles.indexOf('anon') == -1) {
             try {
+                if (request.roles.indexOf('svr') >= 0) {
+                    // TODO: check svr
+                    return;
+                }
                 // @ts-ignore
                 let { accountid, sessionid } = request.params;
                 //TODO: 增加sessionid的校验