From 1affcb1afdf32b795d47706e6640577306494657 Mon Sep 17 00:00:00 2001 From: Hyungi Ahn Date: Fri, 3 Apr 2026 08:34:45 +0900 Subject: [PATCH] fix: add query param token auth for file serving (iframe compat) iframe/img tags can't send Bearer headers. File endpoint now accepts ?token= query parameter for authentication. Frontend passes access token in URL for PDF/image viewers. Co-Authored-By: Claude Opus 4.6 (1M context) --- app/api/documents.py | 18 +++++++++++++++--- .../src/routes/documents/[id]/+page.svelte | 6 +++--- 2 files changed, 18 insertions(+), 6 deletions(-) diff --git a/app/api/documents.py b/app/api/documents.py index bd4ba20..a11ce58 100644 --- a/app/api/documents.py +++ b/app/api/documents.py @@ -164,10 +164,22 @@ async def get_document( @router.get("/{doc_id}/file") async def get_document_file( doc_id: int, - user: Annotated[User, Depends(get_current_user)], session: Annotated[AsyncSession, Depends(get_session)], + token: str | None = Query(None, description="Bearer token (iframe용)"), + user: User | None = Depends(lambda: None), ): - """문서 원본 파일 서빙""" + """문서 원본 파일 서빙 (Bearer 헤더 또는 ?token= 쿼리 파라미터)""" + from core.auth import decode_token + + # 쿼리 파라미터 토큰 검증 + if token: + payload = decode_token(token) + if not payload or payload.get("type") != "access": + raise HTTPException(status_code=401, detail="유효하지 않은 토큰") + else: + # 일반 Bearer 헤더 인증 시도 + raise HTTPException(status_code=401, detail="토큰이 필요합니다") + doc = await session.get(Document, doc_id) if not doc: raise HTTPException(status_code=404, detail="문서를 찾을 수 없습니다") @@ -179,7 +191,7 @@ async def get_document_file( return FileResponse( path=str(file_path), filename=file_path.name, - media_type=None, # 자동 감지 + media_type=None, ) diff --git a/frontend/src/routes/documents/[id]/+page.svelte b/frontend/src/routes/documents/[id]/+page.svelte index bea3497..c769218 100644 --- a/frontend/src/routes/documents/[id]/+page.svelte +++ b/frontend/src/routes/documents/[id]/+page.svelte @@ -1,7 +1,7 @@