Thumbnail (and other) API Endpoints Do Not Respect Bearer Token

Open timbueno opened this issue 1 month ago • 2 comments

What happened?
Media endpoints (like /api/v1/media/book/{bookId}/thumbnail) require a token query or they do not work.

How can we see it happen?
Steps to reproduce the issue:

  1. Request a thumbnail from the above URL, include your JWT headers like all other requests.
  2. See request failure (403)

What did you expect to happen?
Access to the resource.

Screenshots or Error Messages

Image

About your setup:

  • Booklore version (e.g., v1.10.0)

Anything else we should know?

  • Appending ?token={auth.token} to the endpoint allows me to gain access to the resource.
  • This requires odd workarounds for the standard API pattern. Especially if the token expires.

timbueno avatar Nov 20 '25 20:11 timbueno

Thanks for reporting this. This is actually a known limitation. For image and media endpoints, the UI cannot reliably pass the bearer token in the headers when the browser is fetching the file directly. Because of that, these endpoints currently require the token to be appended as a query parameter.

I agree this isn’t ideal, and it does lead to workarounds like the one you mentioned, especially with token expiration. I’m looking into improving this flow so media endpoints can follow the same auth pattern as the rest of the API.

acx10 avatar Nov 24 '25 14:11 acx10

Understood! I'll keep an eye on the issue.

As far as I can tell this limitation isn't documented anywhere, correct? Would be nice for it to show up in the swagger docs or something.

I had to run a proxy on another app to intercept the requests to figure it out. Did I just take the hard way and it's shown somewhere?

timbueno avatar Nov 24 '25 14:11 timbueno
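
The query-parameter workaround and the token-expiry problem discussed in this thread, sketched as an added example (not BookLore's code and not posted by either commenter). Only the endpoint path and the `token` parameter come from the issue; the function names, the `auth` object with its `refresh()` callback, and the base URL are assumptions.

```javascript
// Added example. Helper names are hypothetical; only the endpoint path and the
// `token` query parameter come from the issue.

// Read `exp` (seconds since epoch) from a JWT payload. No signature check:
// the client only needs to know when to refresh, the server validates.
function jwtExpiry(token) {
  try {
    const b64 = token.split(".")[1].replace(/-/g, "+").replace(/_/g, "/");
    const exp = JSON.parse(atob(b64)).exp;
    return typeof exp === "number" ? exp : null;
  } catch {
    return null; // not a JWT, or unreadable payload
  }
}

function expiresWithin(token, nowSec, skewSec = 30) {
  const exp = jwtExpiry(token);
  return exp !== null && exp - nowSec <= skewSec;
}

// Build the URL immediately before use: it embeds the token, so a stored
// copy goes stale when the token expires.
function thumbnailUrl(baseUrl, bookId, token) {
  const url = new URL(`/api/v1/media/book/${encodeURIComponent(bookId)}/thumbnail`, baseUrl);
  url.searchParams.set("token", token);
  return url.toString();
}

// auth: { token, refresh() } where refresh() resolves to a new token (assumed
// to be supplied by the calling app). fetchImpl is injectable for testing.
async function fetchThumbnail(baseUrl, bookId, auth, fetchImpl = fetch, nowSec = Date.now() / 1000) {
  if (expiresWithin(auth.token, nowSec)) auth.token = await auth.refresh();
  let res = await fetchImpl(thumbnailUrl(baseUrl, bookId, auth.token));
  if (res.status === 403) {
    // Token rejected (e.g. expired or revoked server-side): refresh once, retry once.
    auth.token = await auth.refresh();
    res = await fetchImpl(thumbnailUrl(baseUrl, bookId, auth.token));
  }
  return res;
}
```
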