From a3a93601105e97f8f0ede0e486be5c3e5bc8f03b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leon=20B=C3=B6sche?=
Date: Sun, 11 Jan 2026 04:34:14 +0100
Subject: [PATCH] Enhance JWT token retrieval in viewer and auth middleware for improved security and flexibility

---
 go_cloud/internal/http/routes.go | 7 +++----
 go_cloud/internal/middleware/middleware.go | 15 +++++++++++----
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/go_cloud/internal/http/routes.go b/go_cloud/internal/http/routes.go
index 3208ee4..9a5527b 100644
--- a/go_cloud/internal/http/routes.go
+++ b/go_cloud/internal/http/routes.go
@@ -430,14 +430,13 @@ func viewerHandler(w http.ResponseWriter, r *http.Request, db *database.DB, audi
 	if host == "" {
 		host = "go.b0esche.cloud"
 	}
-	downloadPath := fmt.Sprintf("%s://%s/orgs/%s/files/download?path=%s", scheme, host, orgID.String(), url.QueryEscape(file.Path))
+	// Get JWT token from context (used for header or query fallback)
+	token, _ := middleware.GetToken(r.Context())
+	downloadPath := fmt.Sprintf("%s://%s/orgs/%s/files/download?path=%s&token=%s", scheme, host, orgID.String(), url.QueryEscape(file.Path), url.QueryEscape(token))
 
 	// Determine if it's a PDF based on file extension
 	isPdf := strings.HasSuffix(strings.ToLower(file.Name), ".pdf")
 
-	// Get JWT token from context
-	token, _ := middleware.GetToken(r.Context())
-
 	session := struct {
 		ViewUrl string `json:"viewUrl"`
 		Token string `json:"token"`
diff --git a/go_cloud/internal/middleware/middleware.go b/go_cloud/internal/middleware/middleware.go
index 6fe8a05..e6e29e4 100644
--- a/go_cloud/internal/middleware/middleware.go
+++ b/go_cloud/internal/middleware/middleware.go
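Review bot: The rewritten `downloadPath` line places the caller's JWT in the URL query string (`&token=`), which exposes the credential to everything that records URLs: server and reverse-proxy access logs, browser history, and the `Referer` header the viewer sends when it fetches the file. Because `middleware.GetToken` appears to return the same session token that `Auth` validates (the middleware.go hunk below adds the matching `?token=` fallback), a leaked URL is as good as the session for as long as the token lives. Prefer a short-lived, download-scoped token minted for this one path over the session JWT, make sure the access-log layer redacts the `token` parameter, and set `Referrer-Policy: no-referrer` on the viewer response to limit the Referer leak. The discarded second return of `GetToken` also deserves a one-line why-comment, e.g. `// ok ignored: an empty token only yields a URL the Auth middleware rejects with 401`. `viewerHandler` begins before and continues past this hunk.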
@@ -96,12 +96,19 @@ func Auth(jwtManager *jwt.Manager, db *database.DB) func(http.Handler) http.Hand
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			authHeader := r.Header.Get("Authorization")
-			if !strings.HasPrefix(authHeader, "Bearer ") {
-				http.Error(w, "Unauthorized", http.StatusUnauthorized)
-				return
+			var tokenString string
+			if strings.HasPrefix(authHeader, "Bearer ") {
+				tokenString = strings.TrimPrefix(authHeader, "Bearer ")
+			} else {
+				// Fallback to query parameter token (for viewers that cannot set headers)
+				qToken := r.URL.Query().Get("token")
+				if qToken == "" {
+					http.Error(w, "Unauthorized", http.StatusUnauthorized)
+					return
+				}
+				tokenString = qToken
 			}
 
-			tokenString := strings.TrimPrefix(authHeader, "Bearer ")
 			claims, session, err := jwtManager.ValidateWithSession(r.Context(), tokenString, db)
 			if err != nil {
 				http.Error(w, "Unauthorized", http.StatusUnauthorized)
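Review bot: The new `else` branch accepts `?token=` as a bearer credential on every route wrapped by `Auth`, not just the viewer download endpoint the comment has in mind, so any authenticated request can now be replayed from a URL captured in access logs, proxy logs or browser history. Consider gating the fallback on the specific download path (or on a distinct short-lived token type that `ValidateWithSession` can tell apart from a session JWT) and setting `Cache-Control: no-store` on responses authenticated this way. The branch also falls through to the query parameter when an `Authorization` header is present but not `Bearer`-prefixed; rejecting a malformed header outright, as the removed code did, avoids silently ignoring it. As a style point, Go 1.20's `if t, ok := strings.CutPrefix(authHeader, "Bearer "); ok { tokenString = t }` expresses the header case without the separate prefix check and trim. The handler closure continues past this hunk.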