fix: add query param token auth for file serving (iframe compat)

iframe/img tags can't send Bearer headers. File endpoint now accepts ?token= query parameter for authentication. Frontend passes access token in URL for PDF/image viewers. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 08:34:45 +09:00
parent e14084d5cd
commit 1affcb1afd
2 changed files with 18 additions and 6 deletions
--- a/app/api/documents.py
+++ b/app/api/documents.py
@@ -164,10 +164,22 @@ async def get_document(
@router.get("/{doc_id}/file")
 async def get_document_file(
    doc_id: int,
-    user: Annotated[User, Depends(get_current_user)],
    session: Annotated[AsyncSession, Depends(get_session)],
+    token: str | None = Query(None, description="Bearer token (iframe용)"),
+    user: User | None = Depends(lambda: None),
 ):
-    """문서 원본 파일 서빙"""
+    """문서 원본 파일 서빙 (Bearer 헤더 또는 ?token= 쿼리 파라미터)"""
+    from core.auth import decode_token
+
+    # 쿼리 파라미터 토큰 검증
+    if token:
+        payload = decode_token(token)
+        if not payload or payload.get("type") != "access":
+            raise HTTPException(status_code=401, detail="유효하지 않은 토큰")
+    else:
+        # 일반 Bearer 헤더 인증 시도
+        raise HTTPException(status_code=401, detail="토큰이 필요합니다")
+
    doc = await session.get(Document, doc_id)
    if not doc:
        raise HTTPException(status_code=404, detail="문서를 찾을 수 없습니다")
@@ -179,7 +191,7 @@ async def get_document_file(
    return FileResponse(
        path=str(file_path),
        filename=file_path.name,
-        media_type=None,  # 자동 감지
+        media_type=None,
    )


--- a/frontend/src/routes/documents/[id]/+page.svelte
+++ b/frontend/src/routes/documents/[id]/+page.svelte
@@ -1,7 +1,7 @@
 <script>
  import { onMount } from 'svelte';
  import { page } from '$app/stores';
-  import { api } from '$lib/api';
+  import { api, getAccessToken } from '$lib/api';
  import { addToast } from '$lib/stores/ui';
  import { marked } from 'marked';

@@ -56,12 +56,12 @@
          </div>
        {:else if viewerType === 'pdf'}
          <iframe
-            src="/api/documents/{doc.id}/file"
+            src="/api/documents/{doc.id}/file?token={getAccessToken()}"
            class="w-full h-[80vh] rounded"
            title={doc.title}
          ></iframe>
        {:else if viewerType === 'image'}
-          <img src="/api/documents/{doc.id}/file" alt={doc.title} class="max-w-full rounded" />
+          <img src="/api/documents/{doc.id}/file?token={getAccessToken()}" alt={doc.title} class="max-w-full rounded" />
        {:else if viewerType === 'synology'}
          <div class="text-center py-10">
            <p class="text-[var(--text-dim)] mb-4">Synology Office 문서</p>