From 8f2c9992451167bb18cb45ab479525a86e7f9497 Mon Sep 17 00:00:00 2001
From: Markov <markov@uix.su>
Date: Wed, 25 Feb 2026 11:16:10 +0100
Subject: [PATCH] =?UTF-8?q?fix:=20auth=20on=20uploads=20(401=E2=86=92login?=
 =?UTF-8?q?=20redirect),=20token=20in=20download=20URLs?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/lib/api.ts | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/lib/api.ts b/src/lib/api.ts
index a384f58..ed66c26 100644
--- a/src/lib/api.ts
+++ b/src/lib/api.ts
@@ -333,6 +333,11 @@ export async function uploadProjectFile(slug: string, file: File, description?:
     headers: token ? { Authorization: `Bearer ${token}` } : {},
     body: formData,
   });
+  if (res.status === 401) {
+    localStorage.removeItem("tb_token");
+    window.location.href = "/login";
+    throw new Error("Unauthorized");
+  }
   if (!res.ok) {
     const err = await res.json().catch(() => ({ error: res.statusText }));
     throw new Error(err.error || `HTTP ${res.status}`);
@@ -341,7 +346,9 @@ export async function uploadProjectFile(slug: string, file: File, description?:
 }
 
 export function getProjectFileUrl(slug: string, fileId: string): string {
-  return `${API_BASE}/api/v1/projects/${slug}/files/${fileId}/download`;
+  const token = getToken();
+  const qs = token ? `?token=${encodeURIComponent(token)}` : "";
+  return `${API_BASE}/api/v1/projects/${slug}/files/${fileId}/download${qs}`;
 }
 
 export async function updateProjectFile(slug: string, fileId: string, data: { description?: string }): Promise<ProjectFile> {
@@ -372,6 +379,11 @@ export async function uploadFile(file: File): Promise<UploadedFile> {
     headers: token ? { Authorization: `Bearer ${token}` } : {},
     body: formData,
   });
+  if (res.status === 401) {
+    localStorage.removeItem("tb_token");
+    window.location.href = "/login";
+    throw new Error("Unauthorized");
+  }
   if (!res.ok) {
     const err = await res.json().catch(() => ({ error: res.statusText }));
     throw new Error(err.error || `HTTP ${res.status}`);
@@ -380,7 +392,9 @@ export async function uploadFile(file: File): Promise<UploadedFile> {
 }
 
 export function getAttachmentUrl(attachmentId: string): string {
-  return `${API_BASE}/api/v1/attachments/${attachmentId}/download`;
+  const token = getToken();
+  const qs = token ? `?token=${encodeURIComponent(token)}` : "";
+  return `${API_BASE}/api/v1/attachments/${attachmentId}/download${qs}`;
 }
 
 // --- Project Members ---