Enhance JWT token retrieval in viewer and auth middleware for improved security and flexibility

2026-01-11 04:34:14 +01:00
parent f0d6d0b8e1
commit a3a9360110
2 changed files with 14 additions and 8 deletions
--- a/go_cloud/internal/http/routes.go
+++ b/go_cloud/internal/http/routes.go
@@ -430,14 +430,13 @@ func viewerHandler(w http.ResponseWriter, r *http.Request, db *database.DB, audi
 	if host == "" {
 		host = "go.b0esche.cloud"
 	}
-	downloadPath := fmt.Sprintf("%s://%s/orgs/%s/files/download?path=%s", scheme, host, orgID.String(), url.QueryEscape(file.Path))
+	// Get JWT token from context (used for header or query fallback)
+	token, _ := middleware.GetToken(r.Context())
+	downloadPath := fmt.Sprintf("%s://%s/orgs/%s/files/download?path=%s&token=%s", scheme, host, orgID.String(), url.QueryEscape(file.Path), url.QueryEscape(token))

 	// Determine if it's a PDF based on file extension
 	isPdf := strings.HasSuffix(strings.ToLower(file.Name), ".pdf")

-	// Get JWT token from context
-	token, _ := middleware.GetToken(r.Context())
-
 	session := struct {
 		ViewUrl      string `json:"viewUrl"`
 		Token        string `json:"token"`
--- a/go_cloud/internal/middleware/middleware.go
+++ b/go_cloud/internal/middleware/middleware.go
@@ -96,12 +96,19 @@ func Auth(jwtManager *jwt.Manager, db *database.DB) func(http.Handler) http.Hand
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			authHeader := r.Header.Get("Authorization")
-			if !strings.HasPrefix(authHeader, "Bearer ") {
-				http.Error(w, "Unauthorized", http.StatusUnauthorized)
-				return
+			var tokenString string
+			if strings.HasPrefix(authHeader, "Bearer ") {
+				tokenString = strings.TrimPrefix(authHeader, "Bearer ")
+			} else {
+				// Fallback to query parameter token (for viewers that cannot set headers)
+				qToken := r.URL.Query().Get("token")
+				if qToken == "" {
+					http.Error(w, "Unauthorized", http.StatusUnauthorized)
+					return
+				}
+				tokenString = qToken
 			}

-			tokenString := strings.TrimPrefix(authHeader, "Bearer ")
 			claims, session, err := jwtManager.ValidateWithSession(r.Context(), tokenString, db)
 			if err != nil {
 				http.Error(w, "Unauthorized", http.StatusUnauthorized)