2026-04-18 09:54:12 +02:00
3 changed files with 19 additions and 5 deletions
--- a/backend/auth.py
+++ b/backend/auth.py
@ -76,22 +76,30 @@ def require_auth(x_auth_token: Optional[str] = Header(default=None)):
    return session


-def require_auth_flexible(x_auth_token: Optional[str] = Header(default=None), auth_token: Optional[str] = Query(default=None, alias="token")):
+def require_auth_flexible(x_auth_token: Optional[str] = Header(default=None), ssetoken: Optional[str] = Query(default=None)):
    """
    FastAPI dependency - auth via header OR query parameter.

-    Used for endpoints accessed by <img> tags that can't send headers.
-    Query parameter is 'token' (via alias) to avoid conflicts with endpoint parameters.
+    Used for endpoints accessed by <img> tags and SSE connections that can't send headers.
+    Query parameter is 'ssetoken' to avoid conflicts with endpoint 'token' parameters.

    Usage:
        @app.get("/api/photos/{id}")
        def get_photo(id: str, session: dict = Depends(require_auth_flexible)):
            ...

+    Call with: ?ssetoken=XXX or Header: X-Auth-Token: XXX
+
    Raises:
        HTTPException 401 if not authenticated
    """
-    session = get_session(x_auth_token or auth_token)
+    import logging
+    logger = logging.getLogger("uvicorn.error")
+    logger.info(f"[AUTH_FLEX] header={x_auth_token!r}, query={ssetoken!r}")
+
+    session = get_session(x_auth_token or ssetoken)
+    logger.info(f"[AUTH_FLEX] session={session!r}")
+
    if not session:
        raise HTTPException(401, "Nicht eingeloggt")
    return session
--- a/backend/routers/prompts.py
+++ b/backend/routers/prompts.py
@ -32,6 +32,11 @@ OPENROUTER_MODEL = os.getenv("OPENROUTER_MODEL", "anthropic/claude-sonnet-4")

 router = APIRouter(prefix="/api/prompts", tags=["prompts"])

+@router.get("/test-ssetoken")
+def test_ssetoken_auth(session: dict = Depends(require_auth_flexible)):
+    """Test endpoint for SSE token auth debugging"""
+    return {"status": "ok", "profile_id": session['profile_id']}
+
 # Metadaten-Schlüssel in workflow aggregate_results (nicht als „einziger“ Nutzer-Output)
 _WORKFLOW_AGG_META_KEYS = frozenset({
    "combined_analysis",
--- a/frontend/src/utils/api.js
+++ b/frontend/src/utils/api.js
@ -484,8 +484,9 @@ export const api = {

    // TODO: Security improvement - use session cookie instead of token in URL
    // For now, send token as query param since EventSource doesn't support custom headers
+    // Using 'ssetoken' to avoid conflicts with endpoint 'token' parameters
    const token = getToken()
-    if (token) params.append('token', token)
+    if (token) params.append('ssetoken', token)

    if (modules) {
      Object.entries(modules).forEach(([k, v]) => params.append(`modules[${k}]`, v))