fix: add query param token auth for file serving (iframe compat)

iframe/img tags can't send Bearer headers. File endpoint now accepts ?token= query parameter for authentication. Frontend passes access token in URL for PDF/image viewers. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 08:34:45 +09:00
parent e14084d5cd
commit 1affcb1afd
2 changed files with 18 additions and 6 deletions
--- a/app/api/documents.py
+++ b/app/api/documents.py
@@ -164,10 +164,22 @@ async def get_document(
@router.get("/{doc_id}/file")
 async def get_document_file(
    doc_id: int,
-    user: Annotated[User, Depends(get_current_user)],
    session: Annotated[AsyncSession, Depends(get_session)],
+    token: str | None = Query(None, description="Bearer token (iframe용)"),
+    user: User | None = Depends(lambda: None),
 ):
-    """문서 원본 파일 서빙"""
+    """문서 원본 파일 서빙 (Bearer 헤더 또는 ?token= 쿼리 파라미터)"""
+    from core.auth import decode_token
+
+    # 쿼리 파라미터 토큰 검증
+    if token:
+        payload = decode_token(token)
+        if not payload or payload.get("type") != "access":
+            raise HTTPException(status_code=401, detail="유효하지 않은 토큰")
+    else:
+        # 일반 Bearer 헤더 인증 시도
+        raise HTTPException(status_code=401, detail="토큰이 필요합니다")
+
    doc = await session.get(Document, doc_id)
    if not doc:
        raise HTTPException(status_code=404, detail="문서를 찾을 수 없습니다")
@@ -179,7 +191,7 @@ async def get_document_file(
    return FileResponse(
        path=str(file_path),
        filename=file_path.name,
-        media_type=None,  # 자동 감지
+        media_type=None,
    )