Auth: Remove redundant preview/download token wiring for JWT #5230

Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-12-12 00:34:13 +01:00 · 2025-10-29 15:21:49 +01:00
parent 6e43f14476
commit 630506e021
3 changed files with 14 additions and 33 deletions
--- a/internal/api/api_auth_jwt.go
+++ b/internal/api/api_auth_jwt.go
@@ -112,18 +112,6 @@ func authAnyJWT(c *gin.Context, clientIP, authToken string, resource acl.Resourc
 		IssuedAt:  issuedAt,
 		NotBefore: notBefore,
 		ExpiresAt: expiresAt,
-		PreviewToken: func() string {
-			if tokenScopes.Contains(acl.ResourceFiles.String()) {
-				return conf.PreviewToken()
-			}
-			return ""
-		}(),
-		DownloadToken: func() string {
-			if tokenScopes.Contains(acl.ResourceFiles.String()) {
-				return conf.DownloadToken()
-			}
-			return ""
-		}(),
 	})
 }

--- a/internal/api/api_auth_jwt_test.go
+++ b/internal/api/api_auth_jwt_test.go
@@ -86,8 +86,11 @@ func TestAuthAnyJWT(t *testing.T) {
 		session := authAnyJWT(c, "192.0.2.50", token, acl.ResourceFiles, acl.Permissions{acl.AccessLibrary})
 		require.NotNil(t, session)
 		assert.Equal(t, http.StatusOK, session.HttpStatus())
-		assert.Equal(t, fx.preview, session.PreviewToken)
-		assert.Equal(t, fx.download, session.DownloadToken)
+		assert.Empty(t, session.PreviewToken)
+		assert.Empty(t, session.DownloadToken)
+		cfg := fx.nodeConf.ClientSession(session)
+		assert.Equal(t, fx.preview, cfg.PreviewToken)
+		assert.Equal(t, fx.download, cfg.DownloadToken)
 		assert.True(t, session.SessExpires > session.CreatedAt.Unix())
 		assert.True(t, session.LastActive >= session.CreatedAt.Unix())
 	})
--- a/internal/entity/auth_session_jwt.go
+++ b/internal/entity/auth_session_jwt.go
@@ -22,8 +22,6 @@ type JWT struct {
 	IssuedAt  *time.Time
 	NotBefore *time.Time
 	ExpiresAt *time.Time
-	PreviewToken  string
-	DownloadToken string
 }

 // NewSessionFromJWT constructs an in-memory session based on verified
@@ -60,14 +58,6 @@ func NewSessionFromJWT(c *gin.Context, jwt *JWT) *Session {
 	sess.SetClientIP(header.ClientIP(c))
 	sess.SetUserAgent(header.ClientUserAgent(c))

-	// Set media preview and download tokens, if specified.
-	if jwt.PreviewToken != "" {
-		sess.PreviewToken = jwt.PreviewToken
-	}
-	if jwt.DownloadToken != "" {
-		sess.DownloadToken = jwt.DownloadToken
-	}
-
 	// Derive timestamps from JWT claims when available.
 	now := time.Now().UTC()
 	issuedAt := now