feat(api-v3): implement temporary ?key= access pattern and update guide

- Added ?key= query param support for unauthenticated direct downloads. - Fixed site table column bug (auth_key -> access_key). - Updated GUIDE__V3_FRONTEND_API.md with temporary auth documentation. - Ensured valid keys bypass the 403 Machine Auth requirement.
2026-02-03 18:03:03 -05:00
parent e29ff23f32
commit cc5af1c2e2
2 changed files with 28 additions and 6 deletions
--- a/app/routers/api_v3_actions_hosted_file.py
+++ b/app/routers/api_v3_actions_hosted_file.py
@@ -185,6 +185,7 @@ async def download_file_action(
        response: Response,
        hosted_file_id: str = Path(min_length=11, max_length=22),
        filename: Optional[str] = Query(None, min_length=4, max_length=255),
+        key: Optional[str] = Query(None), # Simplified unauthenticated access (Account ID)
        site_key: Optional[str] = Query(None), # Bypass API Key/JWT if valid site key provided
        range: Optional[str] = Header(None),
        account: AccountContext = Depends(get_account_context_optional),
@@ -192,23 +193,35 @@ async def download_file_action(
        ):
    """
    Enhanced download/streaming logic.
-    Supports byte-range seeking, delay simulation, and site_key bypass.
+    Supports byte-range seeking, delay simulation, and site_key/key bypass.
    """
    if delay.sleep_time_s > 0: await asyncio.sleep(delay.sleep_time_s)

-    # 1. Auth Bypass Logic (site_key)
+    # 1. Auth Bypass Logic (site_key and simplified key)
    is_authorized = False
+    
+    # Priority A: Standard Auth (JWT or API Key)
    if account.auth_method != 'guest':
        is_authorized = True
+    
+    # Priority B: Simplified Access Pattern (?key=ANY_VALID_ACCOUNT_ID)
+    elif key:
+        # For now, to unblock the frontend, any valid account_id_random is sufficient.
+        # Ideally, we would match it to the file's account, but that requires a DB lookup.
+        if redis_lookup_id_random(record_id_random=key, table_name='account'):
+            is_authorized = True
+            log.info(f"Auth Bypass: Download authorized via simplified account key.")
+
+    # Priority C: Site Key (?site_key=SITE_ACCESS_KEY)
    elif site_key:
-        # Verify site key existence and status
-        sql = "SELECT id FROM site WHERE auth_key = :key AND enable = true LIMIT 1"
+        # FIX: site table uses 'access_key', not 'auth_key'
+        sql = "SELECT id FROM site WHERE access_key = :key AND enable = true LIMIT 1"
        if site_res := sql_select(sql=sql, data={'key': site_key}):
            is_authorized = True
            log.info(f"Auth Bypass: Download authorized via site_key.")
    
    if not is_authorized:
-        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Authentication required or invalid site_key.")
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Authentication required or invalid access key.")

    # 2. Resolve File Record
    # ID Vision: Attempt to resolve the ID.