mirror of
https://github.com/screentinker/screentinker.git
synced 2026-06-15 02:33:15 -06:00
After uploading, content thumbnails were blank until the item was added to a playlist/widget. The public /api/content/:id/thumbnail (and /file) endpoints are reference-gated (an anonymous player with a UUID must not pull arbitrary tenants' media), and a plain <img> can't send a Bearer token - so a just-uploaded item 403'd.

- Backend: add an authenticated bypass - a logged-in user who can access the content's workspace (verified from the Bearer token) may view its file/thumbnail even when unreferenced. Anonymous players still hit the reference gate.
- Frontend: the content library lazy-fetches thumbnails/previews WITH the token and swaps in an object URL (IntersectionObserver keeps it under the rate limit; the URL is revoked after load).

Verified: unreferenced thumbnail now 200 with a bearer token, still 403 anonymous.

| Name |
|---|
| .. |
| config |
| db |
| lib |
| middleware |
| player |
| routes |
| services |
| test |
| ws |
| .gitignore |
| config.js |
| package-lock.json |
| package.json |
| server.js |