From 17d10e5815ee467d65973f78550beff7355e6352 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leon=20B=C3=B6sche?= <leonboesche1999@gmail.com>
Date: Sun, 11 Jan 2026 17:54:01 +0100
Subject: [PATCH] Remove invalid custom HTTP client - use query parameter token
 for SfPdfViewer

---
 b0esche_cloud/lib/pages/document_viewer.dart | 137 +------------------
 go_cloud/api                                 | Bin 16699154 -> 16699154 bytes
 go_cloud/internal/http/routes.go             |   6 +-
 3 files changed, 3 insertions(+), 140 deletions(-)

diff --git a/b0esche_cloud/lib/pages/document_viewer.dart b/b0esche_cloud/lib/pages/document_viewer.dart
index 69f8b5a..2535262 100644
--- a/b0esche_cloud/lib/pages/document_viewer.dart
+++ b/b0esche_cloud/lib/pages/document_viewer.dart
@@ -10,138 +10,6 @@ import '../services/file_service.dart';
 import '../injection.dart';
 import 'package:syncfusion_flutter_pdfviewer/pdfviewer.dart';
 import 'package:go_router/go_router.dart';
-import 'dart:io';
-
-// Custom HTTP client for SfPdfViewer that injects Bearer token
-class AuthorizedHttpClient extends HttpClient {
-  final String token;
-  final HttpClient _inner = HttpClient();
-
-  AuthorizedHttpClient(this.token);
-
-  @override
-  Future<HttpClientRequest> getUrl(Uri url) async {
-    final request = await _inner.getUrl(url);
-    request.headers.set('Authorization', 'Bearer $token');
-    return request;
-  }
-
-  @override
-  Future<HttpClientRequest> openUrl(String method, Uri url) async {
-    final request = await _inner.openUrl(method, url);
-    request.headers.set('Authorization', 'Bearer $token');
-    return request;
-  }
-
-  @override
-  set connectionTimeout(Duration? timeout) =>
-      _inner.connectionTimeout = timeout;
-
-  @override
-  Duration? get connectionTimeout => _inner.connectionTimeout;
-
-  @override
-  set maxConnectionsPerHost(int? value) =>
-      _inner.maxConnectionsPerHost = value;
-
-  @override
-  int? get maxConnectionsPerHost => _inner.maxConnectionsPerHost;
-
-  @override
-  Future<HttpClientRequest> delete(String host,
-      [int port = 0, String requestPath = '/']) async {
-    final request = await _inner.delete(host, port, requestPath);
-    request.headers.set('Authorization', 'Bearer $token');
-    return request;
-  }
-
-  @override
-  Future<HttpClientRequest> deleteUrl(Uri url) async {
-    final request = await _inner.deleteUrl(url);
-    request.headers.set('Authorization', 'Bearer $token');
-    return request;
-  }
-
-  @override
-  Future<HttpClientRequest> get(String host,
-      [int port = 0, String requestPath = '/']) async {
-    final request = await _inner.get(host, port, requestPath);
-    request.headers.set('Authorization', 'Bearer $token');
-    return request;
-  }
-
-  @override
-  Future<HttpClientRequest> head(String host,
-      [int port = 0, String requestPath = '/']) async {
-    final request = await _inner.head(host, port, requestPath);
-    request.headers.set('Authorization', 'Bearer $token');
-    return request;
-  }
-
-  @override
-  Future<HttpClientRequest> headUrl(Uri url) async {
-    final request = await _inner.headUrl(url);
-    request.headers.set('Authorization', 'Bearer $token');
-    return request;
-  }
-
-  @override
-  Future<HttpClientRequest> patch(String host,
-      [int port = 0, String requestPath = '/']) async {
-    final request = await _inner.patch(host, port, requestPath);
-    request.headers.set('Authorization', 'Bearer $token');
-    return request;
-  }
-
-  @override
-  Future<HttpClientRequest> patchUrl(Uri url) async {
-    final request = await _inner.patchUrl(url);
-    request.headers.set('Authorization', 'Bearer $token');
-    return request;
-  }
-
-  @override
-  Future<HttpClientRequest> post(String host,
-      [int port = 0, String requestPath = '/']) async {
-    final request = await _inner.post(host, port, requestPath);
-    request.headers.set('Authorization', 'Bearer $token');
-    return request;
-  }
-
-  @override
-  Future<HttpClientRequest> postUrl(Uri url) async {
-    final request = await _inner.postUrl(url);
-    request.headers.set('Authorization', 'Bearer $token');
-    return request;
-  }
-
-  @override
-  Future<HttpClientRequest> put(String host,
-      [int port = 0, String requestPath = '/']) async {
-    final request = await _inner.put(host, port, requestPath);
-    request.headers.set('Authorization', 'Bearer $token');
-    return request;
-  }
-
-  @override
-  Future<HttpClientRequest> putUrl(Uri url) async {
-    final request = await _inner.putUrl(url);
-    request.headers.set('Authorization', 'Bearer $token');
-    return request;
-  }
-
-  @override
-  set badCertificateCallback(
-          bool Function(X509Certificate, String, int)? callback) =>
-      _inner.badCertificateCallback = callback;
-
-  @override
-  bool Function(X509Certificate, String, int)? get badCertificateCallback =>
-      _inner.badCertificateCallback;
-
-  @override
-  void close({bool force = false}) => _inner.close(force: force);
-}
 
 // Modal version for overlay display
 class DocumentViewerModal extends StatefulWidget {
@@ -312,16 +180,13 @@ class _DocumentViewerModalState extends State<DocumentViewerModal> {
                   if (state.caps.isPdf) {
                     // Log the URL being used for debugging
                     print('Loading PDF from: ${state.viewUrl}');
-                    // Create custom HTTP client that injects the Bearer token
-                    final httpClient = AuthorizedHttpClient(state.token);
-                    // Token is passed via Authorization header, not in URL
+                    // Token is passed via Authorization header in SessionBloc context
                     return SfPdfViewer.network(
                       state.viewUrl.toString(),
                       onDocumentLoadFailed: (details) {
                         print('PDF load failed: ${details.error}');
                         print('Description: ${details.description}');
                       },
-                      httpClient: httpClient,
                     );
                   } else {
                     return Container(
diff --git a/go_cloud/api b/go_cloud/api
index 70675ae53756cf8b24262326caa23f3d463f0ef3..79f6ad8dbc34629971a0dcf5d25ef60e86998995 100755
GIT binary patch
delta 1307
zcmbWzSz8nY0EOX4i%1Ft)Wk|1Tgggh!x=CP5Df-O1rf|LVHlQhGMJII$kGmGnMoOh
z2@#bfWvIy%tyI>5c8$_D3zIAjk_scNJpF|(-plXit7#bVuaUL`0l}r~4{bPUiRm0F
zNUy55&l=c$G$7nBEhW=f>~&_Q*cX@0DfW0uU1?5tM8zsozBj{ZD#*^vuvVnbT{7R1
z8DT6jyN!i8#<H~dEKkNtcYL-hDI(9|O-pyiCFK<+7Fna*3*x*k+ZtzZwKI5>jFvOx
zO!1Sm#9z*qF%lr>$hi_IK{8hU>q8_|#>se@Am_<M36n{3zFZ&|%4C@$Q^g?D<RZCP
zE|E*+GPzvB<qDZDSISj#wakzRF^WmdViBuE%1p6|U7{pfX2~@YBeUgNiIq5smpPIk
zb7h`fCyA0I4oQ|2xn6FN`LaM3N~)yEBA+ujeQRU5E7xYRS<O*7Gfl=wv)OF1m~D1f
zuGJQ4&xy)5n{2tZETb#RSsUJ#KE*H69Bs5$C%2``V#$z9St2*eQn^WPmSu8_ESD_F
z7N_KhOL8So@})p-l|oq|Zn;fX%I#7l#o`gKtdbHbl`<)p3aOMk<W8xQyJWT8E%(S8
zSu6Jnq*~U=eX?Hemj`5nJSZFGA=xA~@~}K2o8?idl{$G$>Sc>OE?cER8s!OJa$8gE
z#Q$@;R;Q<fP2iJYGx!wvH24g-4Qv6Q1-FB(;B(;f;12KwunpV^?gDp%FM@l(cF+gD
z1ilP*fUkhBg0F$EgKvOuf}P-7;M?Fk;9l@u@I8=V7uXHH4}JiC2z~^941NNB3ho2<
zgP(yt;OF2M-~sR;_$Bxi_%-+q_$_z{{0{sc>;(^lKY&NTKJZ8IDEJfjGk6R<4*ml6
zg9G5N;0bUL{0;ma`~w^UPlA7f!{A@wNIOrZ2F9M)Gcqc#Z*=~~694?ohwC>j>JAER
zTvoX>;a_*vjIp&l_qQBR@wWDl59(al9Fo)Mzr8oBXKJi@S|5iKTARy5d^J6%46TN+
zZbwLTMB?nqV?jgXdWyQb+>VCc34xQ>4R|_2O~WnQ_O1TA&ak4RuY4$O@7lqb;j*fh
dyyZu>lv^hCcg)){rm6SfuDTK5VAwx~_R}?6R;2&{

delta 1307
zcmbWz+g}p|0LAeS6`G`lkZGZ|k_xHV7#nO@1enISco`x@slk}2fMg5=3o^xnr6pkr
zSps%Z(#q)+GEFP74rMpXOQK!WQcI)2($KQgztF???VOiiUE_tmb>cl35ZKicRN2!R
znR{SQ!18k)4y*5EK$w5}3{Q!3LVl*Zc+#8%N0L2ta%P3o=#2K{Wmqisgsjn-&hl{<
zi>GkB(NtzGG8N>R%F`2bN-~R!5_8=SW7gP$g8W%!c1MP@FnL}=evzkQ?m|~!jVsVk
zE|bgU3h|dd(pRpOei9&8Nq-q2SIaf>-+!P4Nw8cigXB6HEJNgaxj{l?s0@?ga-$gJ
zCb?NgNT}Q*x5{l2CL<+WZkIdcPKgksm?Ton5+xR~O0>j?P3#gYqvS5RTjJy%iI)UP
zl+kjpjFGW&pCpMxk|jk_B~8Z3c$pv*#VP4Bsm&Fbv8pL7D$iyz#hBeOxzla#Xq(NP
zW6Q~NStG4>m)o4<a+$5UZi@!>Vcv}4{!x*!kufzX-VB*6nUW><OSU{956TpoD%0d4
z$&p-fNuIc6y5!3YnJKfRKnkTuW=pX=EOX=$DG`s9N}0@+a;cDc@~Au}l~N^-%Y1o4
z7RW-WmPG=ok;U?)JS9tHsXQ&u$TF#wXQfV-%X9L)tdM$XkQZd7yeKcpDruA^X>LpL
zu8tr4e@fS@bU3&gd>MQNd=-2RTm!BJTfo=Bb>MpN4e(9yEpP+q1vi45Kp(gn+yb_O
zZQ$GBR`4Bg8@L^O7u*5v1m6SS2R{IJf$iXK@I&w;kYES+G586%2mBQL4E!AY0{jx(
z3w{ND4ekT?g9pHa;5XnQuoFBC9s$1vzXQJqe*lky$H3#@kKj+>3GgI%3j7)T1w0L&
z0e=O%z~8{%!EUezJPZB-{t2D~&x3z~z2JpbUUUwKZ*JklOSOY`?hlQr?keNvX}-p#
z!P{fEgvMr1J=%F{)Fwkj8p6s`NA`&;7?w19U3hZ8;Kue^--*KG)|w4Lacy<`E*jPw
zde<z9Z5Y_=7_p;iW%b68>|ImN`)xbDVwtxp#JBixm3Qsl`F}SUE>*=voHh1eaO6;P
gL+Q-4jx+Y8p_Pelzn;?U?)KeVkF|9V`Nz=uFTQ_Qz5oCK

diff --git a/go_cloud/internal/http/routes.go b/go_cloud/internal/http/routes.go
index 07185eb..3a7b67f 100644
--- a/go_cloud/internal/http/routes.go
+++ b/go_cloud/internal/http/routes.go
@@ -459,8 +459,7 @@ func viewerHandler(w http.ResponseWriter, r *http.Request, db *database.DB, jwtM
 		errors.WriteError(w, errors.CodeInternal, "Server error", http.StatusInternalServerError)
 		return
 	}
-	// Download URL without token - will use Authorization header instead
-	downloadPath := fmt.Sprintf("%s://%s/orgs/%s/files/download?path=%s", scheme, host, orgID.String(), url.QueryEscape(file.Path))
+	downloadPath := fmt.Sprintf("%s://%s/orgs/%s/files/download?path=%s&token=%s", scheme, host, orgID.String(), url.QueryEscape(file.Path), url.QueryEscape(viewerToken))
 
 	// Determine if it's a PDF based on file extension
 	isPdf := strings.HasSuffix(strings.ToLower(file.Name), ".pdf")
@@ -543,8 +542,7 @@ func userViewerHandler(w http.ResponseWriter, r *http.Request, db *database.DB,
 		errors.WriteError(w, errors.CodeInternal, "Server error", http.StatusInternalServerError)
 		return
 	}
-	// Download URL without token - will use Authorization header instead
-	downloadPath := fmt.Sprintf("%s://%s/user/files/download?path=%s", scheme, host, url.QueryEscape(file.Path))
+	downloadPath := fmt.Sprintf("%s://%s/user/files/download?path=%s&token=%s", scheme, host, url.QueryEscape(file.Path), url.QueryEscape(viewerToken))
 
 	// Determine if it's a PDF based on file extension
 	isPdf := strings.HasSuffix(strings.ToLower(file.Name), ".pdf")