Lars/mitai-jinkendo
1
0
Fork 0
Code Issues 23 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

fix: photos now display in History with token auth
All checks were successful
Deploy Development / deploy (push) Successful in 54s
Details
Build Test / lint-backend (push) Successful in 0s
Details
Build Test / build-frontend (push) Successful in 13s
Details

Browse Source 
Problem: Photo endpoint requires auth header, but <img src> can't send headers.

Solution:
- Backend: Added require_auth_flexible() that accepts token via header OR query param
- Backend: Photo endpoint uses flexible auth
- Frontend: photoUrl() now appends ?token=xxx to URL

Photos in History/Verlauf now display correctly.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Lars 2026-03-18 22:48:40 +01:00
parent b6f8b11685
commit e10e9d7eb9
2 changed files with 17 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
backend/main.py
View File

@ -149,6 +149,12 @@ def require_auth(x_auth_token: Optional[str]=Header(default=None)):
if not session: raise HTTPException(401, "Nicht eingeloggt")
return session
def require_auth_flexible(x_auth_token: Optional[str]=Header(default=None), token: Optional[str]=Query(default=None)):
"""Auth via header OR query parameter (for <img> tags)."""
session = get_session(x_auth_token or token)
if not session: raise HTTPException(401, "Nicht eingeloggt")
return session
def require_admin(x_auth_token: Optional[str]=Header(default=None)):
session = get_session(x_auth_token)
if not session: raise HTTPException(401, "Nicht eingeloggt")
@ -500,13 +506,17 @@ async def upload_photo(file: UploadFile=File(...), date: str="",
return {"id":fid,"date":date}
@app.get("/api/photos/{fid}")
def get_photo(fid: str, session: dict=Depends(require_auth)):
def get_photo(fid: str, session: dict=Depends(require_auth_flexible)):
"""Get photo by ID. Auth via header or query param (for <img> tags)."""
with get_db() as conn:
cur = get_cursor(conn)
cur.execute("SELECT path FROM photos WHERE id=%s", (fid,))
row = cur.fetchone()
if not row: raise HTTPException(404)
return FileResponse(row['path'])
if not row: raise HTTPException(404, "Photo not found")
photo_path = Path(PHOTOS_DIR) / row['path']
if not photo_path.exists():
raise HTTPException(404, "Photo file not found")
return FileResponse(photo_path)
@app.get("/api/photos")
def list_photos(x_profile_id: Optional[str]=Header(default=None), session: dict=Depends(require_auth)):

5
frontend/src/utils/api.js
View File

@ -68,7 +68,10 @@ export const api = {
return fetch(`${BASE}/photos`,{method:'POST',body:fd,headers:hdrs()}).then(r=>r.json())
},
listPhotos: () => req('/photos'),
photoUrl: (pid) => `${BASE}/photos/${pid}`,
photoUrl: (pid) => {
const token = getToken()
return `${BASE}/photos/${pid}${token ? `?token=${token}` : ''}`
},
// Nutrition
importCsv: async(file)=>{