[Go] Fix beta auth for /documents/images/:image_id and /documents/:id/preview and /thumbnails (#16453)

internal/handler/auth.go

@@ -49,17 +49,16 @@ func NewAuthHandler() *AuthHandler {
 	}
 }
 
-// BetaAuthMiddleware resolves a `beta` API token from the Authorization
-// header and sets the user on the gin.Context, mirroring Python's
-// @login_required(auth_types=AUTH_BETA) used by /chatbots and
-// /agentbots route groups.
+// BetaAuthMiddleware resolves a user token, API token, or `beta` API token
+// from the Authorization header and sets the user on the gin.Context.
 //
-// A beta token can also be a regular user JWT — in that case we
-// delegate to the existing AuthMiddleware logic. Order of precedence:
+// A beta token can also be a regular user JWT or API token. Order of
+// precedence:
 //
 //  1. JWT (regular session) → existing UserService.GetUserByToken
-//  2. Beta API token          → GetUserByBetaAPIToken
-//  3. Fall through            → 401
+//  2. API token              → GetUserByAPIToken
+//  3. Beta API token         → GetUserByBetaAPIToken
+//  4. Fall through           → 401
 //
 // IMPORTANT: the regular-user branch is NOT gated on a "Bearer "
 // prefix. UserService.GetUserByToken accepts the raw Authorization
@@ -82,6 +81,12 @@ func (h *AuthHandler) BetaAuthMiddleware() gin.HandlerFunc {
 			c.Next()
 			return
 		}
+		if u, code, err := h.userService.GetUserByAPIToken(auth); err == nil && code == common.CodeSuccess {
+			c.Set("user", u)
+			c.Set("auth_via_api_token", true)
+			c.Next()
+			return
+		}
 		// Fall back to beta API token (public bot access).
 		if u, code, err := h.userService.GetUserByBetaAPIToken(auth); err == nil && code == common.CodeSuccess {
 			c.Set("user", u)

internal/router/router.go

@@ -172,9 +172,6 @@ func (r *Router) Setup(engine *gin.Engine) {
 		// Register
 		apiNoAuth.POST("/users", r.userHandler.Register)
 
-		// Document images are embedded directly in pages and match Python's public route.
-		apiNoAuth.GET("/documents/images/:image_id", r.documentHandler.GetDocumentImage)
-
 		// Google redirects here after Gmail / Google Drive web OAuth completes.
 		apiNoAuth.GET("/connectors/gmail/oauth/web/callback", r.connectorHandler.GmailWebOAuthCallback)
 		apiNoAuth.GET("/connectors/google-drive/oauth/web/callback", r.connectorHandler.GoogleDriveWebOAuthCallback)
@@ -204,6 +201,9 @@ func (r *Router) Setup(engine *gin.Engine) {
 			agentbotGroup := apiBetaAuth.Group("/agentbots")
 			RegisterAgentbotRoutes(agentbotGroup, r.botHandler)
 		}
+		apiBetaAuth.GET("/documents/images/:image_id", r.documentHandler.GetDocumentImage)
+		apiBetaAuth.GET("/documents/:id/preview", r.documentHandler.GetDocumentPreview)
+		apiBetaAuth.GET("/thumbnails", r.documentHandler.GetThumbnail)
 	}
 
 	// Protected routes
@@ -263,7 +263,6 @@ func (r *Router) Setup(engine *gin.Engine) {
 				documents.POST("/upload", r.documentHandler.UploadInfo)
 				documents.GET("", r.documentHandler.ListDocuments)
 				documents.GET("/artifact/:filename", r.documentHandler.GetDocumentArtifact)
-				documents.GET("/:id/preview", r.documentHandler.GetDocumentPreview)
 				documents.GET("/:id", r.documentHandler.GetDocumentByID)
 				documents.PUT("/:id", r.documentHandler.UpdateDocument)
 				documents.DELETE("/:id", r.documentHandler.DeleteDocument)
@@ -664,8 +663,6 @@ func (r *Router) Setup(engine *gin.Engine) {
 			doc.POST("/delete_meta", r.documentHandler.DeleteMeta) // Internal API only for GO
 		}
 
-		v1.GET("/thumbnails", r.documentHandler.GetThumbnail)
-
 		// Chunk routes
 		chunk := v1.Group("/chunk")
 		{