diff --git a/internal/handler/auth.go b/internal/handler/auth.go
index 895e76f4eb..c116df41ac 100644
--- a/internal/handler/auth.go
+++ b/internal/handler/auth.go
@@ -49,17 +49,16 @@ func NewAuthHandler() *AuthHandler {
 }
 }
 
-// BetaAuthMiddleware resolves a `beta` API token from the Authorization
-// header and sets the user on the gin.Context, mirroring Python's
-// @login_required(auth_types=AUTH_BETA) used by /chatbots and
-// /agentbots route groups.
+// BetaAuthMiddleware resolves a user token, API token, or `beta` API token
+// from the Authorization header and sets the user on the gin.Context.
 //
-// A beta token can also be a regular user JWT — in that case we
-// delegate to the existing AuthMiddleware logic. Order of precedence:
+// A beta token can also be a regular user JWT or API token. Order of
+// precedence:
 //
 // 1. JWT (regular session) → existing UserService.GetUserByToken
-// 2. Beta API token → GetUserByBetaAPIToken
-// 3. Fall through → 401
+// 2. API token → GetUserByAPIToken
+// 3. Beta API token → GetUserByBetaAPIToken
+// 4. Fall through → 401
 //
 // IMPORTANT: the regular-user branch is NOT gated on a "Bearer "
 // prefix. UserService.GetUserByToken accepts the raw Authorization
@@ -82,6 +81,12 @@ func (h *AuthHandler) BetaAuthMiddleware() gin.HandlerFunc {
 c.Next()
 return
 }
+if u, code, err := h.userService.GetUserByAPIToken(auth); err == nil && code == common.CodeSuccess {
+c.Set("user", u)
+c.Set("auth_via_api_token", true)
+c.Next()
+return
+}
 // Fall back to beta API token (public bot access).
 if u, code, err := h.userService.GetUserByBetaAPIToken(auth); err == nil && code == common.CodeSuccess {
 c.Set("user", u)
diff --git a/internal/router/router.go b/internal/router/router.go
index 90eadf6c82..9a51844936 100644
--- a/internal/router/router.go
+++ b/internal/router/router.go
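Review bot: The rewritten second paragraph, `A beta token can also be a regular user JWT or API token`, is misleading: a beta token is not a JWT, it is the Authorization header that may carry any of the three. Suggest `// The Authorization header may carry a regular user JWT, an API token, or a beta API token; they are tried in this order:` so the precedence list below reads as what it is. Since the middleware is no longer beta-only, the doc should also say which route groups rely on it, so that a reader checking an exposure knows a regular API token is now accepted wherever this middleware is mounted. The comment block continues past the hunk.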
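Review bot: The new `GetUserByAPIToken` branch discards `err` and treats any non-success (including a backend or store failure) exactly like "not an API token", so a transient lookup error silently falls through to the beta-token path instead of failing the request; if `UserService` distinguishes not-found from other failures, only not-found should fall through, e.g. `if err != nil && !isNotFound(err) { c.AbortWithStatus(http.StatusUnauthorized); return }` before the beta fallback. The branch also sets `c.Set("auth_via_api_token", true)` while the beta branch below sets only `"user"` in the visible lines, so a handler cannot tell a public-bot caller from the owner unless the cut-off lines set a flag of their own; a single key such as `c.Set("auth_via", "api_token")` / `"beta_token"` would make that check uniform. As the doc notes, all three lookups receive the same raw header value, so a beta token always costs two failed lookups first. The enclosing `BetaAuthMiddleware` body starts and ends outside the hunk.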
@@ -172,9 +172,6 @@ func (r *Router) Setup(engine *gin.Engine) {
 // Register
 apiNoAuth.POST("/users", r.userHandler.Register)
 
-// Document images are embedded directly in pages and match Python's public route.
-apiNoAuth.GET("/documents/images/:image_id", r.documentHandler.GetDocumentImage)
-
 // Google redirects here after Gmail / Google Drive web OAuth completes.
 apiNoAuth.GET("/connectors/gmail/oauth/web/callback", r.connectorHandler.GmailWebOAuthCallback)
 apiNoAuth.GET("/connectors/google-drive/oauth/web/callback", r.connectorHandler.GoogleDriveWebOAuthCallback)
@@ -204,6 +201,9 @@ func (r *Router) Setup(engine *gin.Engine) {
 agentbotGroup := apiBetaAuth.Group("/agentbots")
 RegisterAgentbotRoutes(agentbotGroup, r.botHandler)
 }
+apiBetaAuth.GET("/documents/images/:image_id", r.documentHandler.GetDocumentImage)
+apiBetaAuth.GET("/documents/:id/preview", r.documentHandler.GetDocumentPreview)
+apiBetaAuth.GET("/thumbnails", r.documentHandler.GetThumbnail)
 }
 
 // Protected routes
@@ -263,7 +263,6 @@ func (r *Router) Setup(engine *gin.Engine) {
 documents.POST("/upload", r.documentHandler.UploadInfo)
 documents.GET("", r.documentHandler.ListDocuments)
 documents.GET("/artifact/:filename", r.documentHandler.GetDocumentArtifact)
-documents.GET("/:id/preview", r.documentHandler.GetDocumentPreview)
 documents.GET("/:id", r.documentHandler.GetDocumentByID)
 documents.PUT("/:id", r.documentHandler.UpdateDocument)
 documents.DELETE("/:id", r.documentHandler.DeleteDocument)
@@ -664,8 +663,6 @@ func (r *Router) Setup(engine *gin.Engine) {
 doc.POST("/delete_meta", r.documentHandler.DeleteMeta) // Internal API only for GO
 }
 
-v1.GET("/thumbnails", r.documentHandler.GetThumbnail)
-
 // Chunk routes
 chunk := v1.Group("/chunk")
 {
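Review bot: Moving `/documents/:id/preview` and `/thumbnails` out of the regular-auth groups into `apiBetaAuth` widens who can reach them: with the auth.go change in this commit a beta (public bot) token now resolves to a user on the context for these handlers, so `GetDocumentPreview` and `GetThumbnail` must scope the lookup to the documents that bot is allowed to expose rather than to everything the resolved user owns, and nothing in this hunk shows that check — please confirm it exists in the handlers, which are not visible here. Taking `/documents/images/:image_id` off `apiNoAuth` is a hardening, but the removed comment said the images are embedded directly in pages, so those embeds now need to carry the token. A route comment would make the contract explicit, e.g. `// Readable with a user JWT, API token, or a bot's beta token; handlers must scope by bot, not by owner.` The enclosing `Setup` continues outside the hunk.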