From 1f3b70ba747be1ee3ad5ee463588efb92ada97f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leon=20B=C3=B6sche?= <leonboesche1999@gmail.com>
Date: Sun, 25 Jan 2026 02:47:39 +0100
Subject: [PATCH] Fix shared audio/video viewer: add CORS and Content-Type
 headers to public endpoints

---
 go_cloud/internal/http/routes.go | 35 ++++++++++++++++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)

diff --git a/go_cloud/internal/http/routes.go b/go_cloud/internal/http/routes.go
index 67c7145..0a2c53b 100644
--- a/go_cloud/internal/http/routes.go
+++ b/go_cloud/internal/http/routes.go
@@ -2962,6 +2962,11 @@ func publicFileShareHandler(w http.ResponseWriter, r *http.Request, db *database
 	viewerSession.Capabilities.IsPdf = isPdf
 	viewerSession.Capabilities.MimeType = mimeType
 
+	// Add CORS headers for public access
+	w.Header().Set("Access-Control-Allow-Origin", "*")
+	w.Header().Set("Access-Control-Allow-Methods", "GET, HEAD, OPTIONS")
+	w.Header().Set("Access-Control-Allow-Headers", "Range")
+
 	w.Header().Set("Content-Type", "application/json")
 	json.NewEncoder(w).Encode(viewerSession)
 }
@@ -3032,6 +3037,9 @@ func publicFileDownloadHandler(w http.ResponseWriter, r *http.Request, db *datab
 		return
 	}
 
+	// Determine MIME type
+	mimeType := getMimeType(file.Name)
+
 	// Get WebDAV client for the file's owner
 	client, err := getUserWebDAVClient(r.Context(), db, *file.UserID, cfg.NextcloudURL, cfg.NextcloudUser, cfg.NextcloudPass)
 	if err != nil {
@@ -3049,11 +3057,21 @@ func publicFileDownloadHandler(w http.ResponseWriter, r *http.Request, db *datab
 	}
 	defer resp.Body.Close()
 
-	// Copy headers
+	// Add CORS headers for public access
+	w.Header().Set("Access-Control-Allow-Origin", "*")
+	w.Header().Set("Access-Control-Allow-Methods", "GET, HEAD, OPTIONS")
+	w.Header().Set("Access-Control-Allow-Headers", "Range")
+
+	// Copy headers from Nextcloud response
 	for k, v := range resp.Header {
 		w.Header()[k] = v
 	}
 
+	// Ensure Content-Type is set
+	if w.Header().Get("Content-Type") == "" {
+		w.Header().Set("Content-Type", mimeType)
+	}
+
 	// Ensure download behavior
 	w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=\"%s\"", file.Name))
 
@@ -3127,6 +3145,9 @@ func publicFileViewHandler(w http.ResponseWriter, r *http.Request, db *database.
 		return
 	}
 
+	// Determine MIME type
+	mimeType := getMimeType(file.Name)
+
 	// Get WebDAV client for the file's owner
 	client, err := getUserWebDAVClient(r.Context(), db, *file.UserID, cfg.NextcloudURL, cfg.NextcloudUser, cfg.NextcloudPass)
 	if err != nil {
@@ -3144,11 +3165,21 @@ func publicFileViewHandler(w http.ResponseWriter, r *http.Request, db *database.
 	}
 	defer resp.Body.Close()
 
-	// Copy headers
+	// Add CORS headers for public access
+	w.Header().Set("Access-Control-Allow-Origin", "*")
+	w.Header().Set("Access-Control-Allow-Methods", "GET, HEAD, OPTIONS")
+	w.Header().Set("Access-Control-Allow-Headers", "Range")
+
+	// Copy headers from Nextcloud response
 	for k, v := range resp.Header {
 		w.Header()[k] = v
 	}
 
+	// Ensure Content-Type is set
+	if w.Header().Get("Content-Type") == "" {
+		w.Header().Set("Content-Type", mimeType)
+	}
+
 	// Ensure inline viewing behavior (no Content-Disposition attachment)
 	w.Header().Del("Content-Disposition")
 	w.Header().Set("Content-Disposition", fmt.Sprintf("inline; filename=\"%s\"", file.Name))