feat: use query param for download tokens

jeanvier · jeanvier · commit a44899270df1 · 2026-02-03T09:35:27.000+01:00
diff --git a/README.md b/README.md
@@ -421,13 +421,13 @@ Response: { "token": "<jwt_token>" }
 **Download file (forces download):**
 
 ```
-GET /attachment/download/file/{token}
+GET /attachment/download/file?token={token}
 ```
 
 **Stream file inline (for video/PDF preview):**
 
 ```
-GET /attachment/download/stream/{token}
+GET /attachment/download/stream?token={token}
 ```
 
 **Get ZIP token for multiple files:**
diff --git a/config/routes.php b/config/routes.php
@@ -30,9 +30,9 @@
         'Trois/Attachment',
         ['path' => '/attachment'],
         function (RouteBuilder $builder): void {
-            // Download routes - must be before setExtensions to avoid JWT token parsing issues
-            $builder->connect('/download/file/{token}', ['controller' => 'Download', 'action' => 'file'], ['pass' => ['token']]);
-            $builder->connect('/download/stream/{token}', ['controller' => 'Download', 'action' => 'stream'], ['pass' => ['token']]);
+            // Download routes - token passed as query param to avoid JWT parsing issues
+            $builder->connect('/download/file', ['controller' => 'Download', 'action' => 'file']);
+            $builder->connect('/download/stream', ['controller' => 'Download', 'action' => 'stream']);
             $builder->connect('/download/get-file-token', ['controller' => 'Download', 'action' => 'getFileToken']);
             $builder->connect('/download/get-zip-token', ['controller' => 'Download', 'action' => 'getZipToken']);
             $builder->connect('/download/files', ['controller' => 'Download', 'action' => 'files']);
diff --git a/resources/assets/components/Attachment.vue b/resources/assets/components/Attachment.vue
@@ -237,7 +237,7 @@ export default
         client.post(this.settings.url + 'attachment/download/get-file-token', { file: attachment.id })
         .then((response) => {
           const token = response.data.token
-          return client.get(this.settings.url + 'attachment/download/file/' + token, {responseType: 'arraybuffer'})
+          return client.get(this.settings.url + 'attachment/download/file?token=' + token, {responseType: 'arraybuffer'})
         })
         .then(async (response) => {
           await this.forceFileDownload(response, attachment)
diff --git a/resources/assets/components/Preview.vue b/resources/assets/components/Preview.vue
@@ -129,10 +129,10 @@ export default {
       // Check if profile uses secure download
       if (profile && profile.secureDownload) {
         // Token-based secure download
-        client.post(this.settings.url + 'attachment/download/get-file-token.json', { file: attachment.id })
+        client.post(this.settings.url + 'attachment/download/get-file-token', { file: attachment.id })
         .then((response) => {
           const token = response.data.token
-          return client.get(this.settings.url + 'attachment/download/file/' + token, {responseType: 'arraybuffer'})
+          return client.get(this.settings.url + 'attachment/download/file?token=' + token, {responseType: 'arraybuffer'})
         })
         .then((response) => {
           this.forceFileDownload(response, attachment)
@@ -160,7 +160,7 @@ export default {
 
       // Fetch token for video/PDF preview
       if (attachment.type === 'video' || attachment.subtype === 'pdf') {
-        client.post(this.settings.url + 'attachment/download/get-file-token.json', { file: attachment.id })
+        client.post(this.settings.url + 'attachment/download/get-file-token', { file: attachment.id })
         .then((response) => {
           this.$set(this.previewTokens, attachment.id, response.data.token)
         })
@@ -171,7 +171,7 @@ export default {
       const profile = this.$store.get(this.aid + '/settings.profiles.' + attachment.profile)
 
       if (profile && profile.secureDownload && this.previewTokens[attachment.id]) {
-        return this.settings.url + 'attachment/download/stream/' + this.previewTokens[attachment.id]
+        return this.settings.url + 'attachment/download/stream?token=' + this.previewTokens[attachment.id]
       }
       return attachment.url
     },
diff --git a/src/Controller/DownloadController.php b/src/Controller/DownloadController.php
@@ -44,8 +44,10 @@ public function getFileToken()
     $this->viewBuilder()->setOption('serialize', ['token']);
   }
   // (new Token)->encode(['file' => $attachment->id])
-  public function file($token)
+  public function file()
   {
+    $token = $this->getRequest()->getQuery('token');
+    if (empty($token)) throw new BadRequestException('Token required');
     // get Attachment
     $attachment = $this->fetchTable('Trois/Attachment.Attachments')->find()
     ->where(['id' => (new Token)->decode($token)->file])
@@ -61,8 +63,10 @@ public function file($token)
    * Stream file inline for preview (videos, PDFs)
    * Unlike file() which forces download, this renders inline in browser
    */
-  public function stream($token)
+  public function stream()
   {
+    $token = $this->getRequest()->getQuery('token');
+    if (empty($token)) throw new BadRequestException('Token required');
     // get Attachment
     $attachment = $this->fetchTable('Trois/Attachment.Attachments')->find()
     ->where(['id' => (new Token)->decode($token)->file])
