fix(attachments): download via authenticated signed URL (framework #2970)#2538
Merged
Conversation
…framework #2970) The framework now requires an authenticated session to download an attachments-scope file — the stable /storage/files/:fileId endpoint returns 401/403 for them. RecordAttachmentsPanel's download control no longer uses a bare <a href> (which can't carry the console's Bearer token): it fetches a short-lived signed URL from /storage/files/:fileId/url with createAuthenticatedFetch, then opens it. 403 ATTACHMENT_DOWNLOAD_DENIED / 401 AUTH_REQUIRED map to friendly copy instead of a broken link. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_0187NT3Qer9oep5dCRb9b8Lt
|
The latest updates on your projects. Learn more about Vercel for GitHub. |
Contributor
✅ Console Performance Budget
📦 Bundle Size Report
Size Limits
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Companion to framework #2984 (issue objectstack-ai/framework#2970, item 2).
The framework now requires an authenticated session to download an attachments-scope file — the stable
GET /storage/files/:fileIdendpoint returns401 AUTH_REQUIRED/403 ATTACHMENT_DOWNLOAD_DENIEDfor them (parent-derived access). A bare<a href>can't carry the console's Bearer token, soRecordAttachmentsPanel's download control changes:createAuthenticatedFetchGETs/storage/files/:fileId/url(Bearer token), receives a short-lived signed URL, andwindow.opens it. The signed URL itself needs no credentials.403 ATTACHMENT_DOWNLOAD_DENIED→ "You don't have access to download this attachment.";401 AUTH_REQUIRED→ "Please sign in to download this attachment." — instead of a broken link / raw error.Non-attachments files (avatars, field images, org logos) are unaffected: the framework leaves their stable capability URL anonymous (they're embedded in
<img src>), soImageField/avatar rendering is untouched.Verification
RecordAttachmentsPanel.test.tsx(6 ✓): the download button fetches/files/:id/urlwith auth and opens the signed URL;403/401map to friendly copy and open no tab.app-shellsweep: 1346 ✓.Merge order
Framework #2984 first (server gate before the panel adapts).
🤖 Generated with Claude Code
Generated by Claude Code