From 8b993abc37171aec9565c76eb5c578582f21f997 Mon Sep 17 00:00:00 2001 From: markov Date: Wed, 25 Feb 2026 11:16:10 +0100 Subject: [PATCH] fix: support ?token= query param for auth (downloads from browser) --- src/tracker/api/attachments.py | 1 + src/tracker/api/project_files.py | 1 + src/tracker/app.py | 4 ++++ 3 files changed, 6 insertions(+) diff --git a/src/tracker/api/attachments.py b/src/tracker/api/attachments.py index f66e03b..d9fad5c 100644 --- a/src/tracker/api/attachments.py +++ b/src/tracker/api/attachments.py @@ -62,6 +62,7 @@ async def upload_file( @router.get("/attachments/{attachment_id}/download") async def download_attachment( attachment_id: str, + token: str | None = None, db: AsyncSession = Depends(get_db), ): """Download an attachment by ID.""" diff --git a/src/tracker/api/project_files.py b/src/tracker/api/project_files.py index 085a1ae..4dacd4d 100644 --- a/src/tracker/api/project_files.py +++ b/src/tracker/api/project_files.py @@ -196,6 +196,7 @@ async def get_project_file( async def download_project_file( slug: str, file_id: str, + token: Optional[str] = Query(None), db: AsyncSession = Depends(get_db), ): """Download project file.""" diff --git a/src/tracker/app.py b/src/tracker/app.py index 0f09feb..1d588d1 100644 --- a/src/tracker/app.py +++ b/src/tracker/app.py @@ -104,8 +104,12 @@ async def auth_middleware(request: Request, call_next): pass elif path.startswith("/api/"): auth_header = request.headers.get("authorization", "") + token = None if auth_header.startswith("Bearer "): token = auth_header[7:] + elif request.query_params.get("token"): + token = request.query_params["token"] + if token: # Check agent token async with async_session() as db: result = await db.execute(select(Member).where(Member.token == token))