fix: support ?token= query param for auth (downloads from browser)

2026-02-25 11:16:10 +01:00 · 2026-02-25 11:16:10 +01:00 · 8b993abc37
commit 8b993abc37
parent d2402dc213
3 changed files with 6 additions and 0 deletions
--- a/src/tracker/api/attachments.py
+++ b/src/tracker/api/attachments.py
@ -62,6 +62,7 @@ async def upload_file(
@router.get("/attachments/{attachment_id}/download")
 async def download_attachment(
    attachment_id: str,
+    token: str | None = None,
    db: AsyncSession = Depends(get_db),
 ):
    """Download an attachment by ID."""
--- a/src/tracker/api/project_files.py
+++ b/src/tracker/api/project_files.py
@ -196,6 +196,7 @@ async def get_project_file(
 async def download_project_file(
    slug: str,
    file_id: str,
+    token: Optional[str] = Query(None),
    db: AsyncSession = Depends(get_db),
 ):
    """Download project file."""
--- a/src/tracker/app.py
+++ b/src/tracker/app.py
@ -104,8 +104,12 @@ async def auth_middleware(request: Request, call_next):
        pass
    elif path.startswith("/api/"):
        auth_header = request.headers.get("authorization", "")
+        token = None
        if auth_header.startswith("Bearer "):
            token = auth_header[7:]
+        elif request.query_params.get("token"):
+            token = request.query_params["token"]
+        if token:
            # Check agent token
            async with async_session() as db:
                result = await db.execute(select(Member).where(Member.token == token))