Auth: Remove redundant preview/download token wiring for JWT #5230

Signed-off-by: Michael Mayer <michael@photoprism.app>
2026-01-23 02:24:24 +00:00 · 2025-10-29 15:21:49 +01:00 · 2025-10-29 15:21:49 +01:00 · 630506e021
commit 630506e021
parent 6e43f14476
3 changed files with 14 additions and 33 deletions
--- a/internal/api/api_auth_jwt.go
+++ b/internal/api/api_auth_jwt.go
@ -112,18 +112,6 @@ func authAnyJWT(c *gin.Context, clientIP, authToken string, resource acl.Resourc
 		IssuedAt:  issuedAt,
 		NotBefore: notBefore,
 		ExpiresAt: expiresAt,
-		PreviewToken: func() string {
-			if tokenScopes.Contains(acl.ResourceFiles.String()) {
-				return conf.PreviewToken()
-			}
-			return ""
-		}(),
-		DownloadToken: func() string {
-			if tokenScopes.Contains(acl.ResourceFiles.String()) {
-				return conf.DownloadToken()
-			}
-			return ""
-		}(),
 	})
 }

--- a/internal/api/api_auth_jwt_test.go
+++ b/internal/api/api_auth_jwt_test.go
@ -86,8 +86,11 @@ func TestAuthAnyJWT(t *testing.T) {
 		session := authAnyJWT(c, "192.0.2.50", token, acl.ResourceFiles, acl.Permissions{acl.AccessLibrary})
 		require.NotNil(t, session)
 		assert.Equal(t, http.StatusOK, session.HttpStatus())
-		assert.Equal(t, fx.preview, session.PreviewToken)
-		assert.Equal(t, fx.download, session.DownloadToken)
+		assert.Empty(t, session.PreviewToken)
+		assert.Empty(t, session.DownloadToken)
+		cfg := fx.nodeConf.ClientSession(session)
+		assert.Equal(t, fx.preview, cfg.PreviewToken)
+		assert.Equal(t, fx.download, cfg.DownloadToken)
 		assert.True(t, session.SessExpires > session.CreatedAt.Unix())
 		assert.True(t, session.LastActive >= session.CreatedAt.Unix())
 	})
--- a/internal/entity/auth_session_jwt.go
+++ b/internal/entity/auth_session_jwt.go
@ -13,17 +13,15 @@ import (
 // JWT captures the subset of JWT fields needed to construct
 // an in-memory session for portal-to-node authentication flows.
 type JWT struct {
-	Token         string
-	ID            string
-	Issuer        string
-	Subject       string
-	Scope         string
-	Audience      []string
-	IssuedAt      *time.Time
-	NotBefore     *time.Time
-	ExpiresAt     *time.Time
-	PreviewToken  string
-	DownloadToken string
+	Token     string
+	ID        string
+	Issuer    string
+	Subject   string
+	Scope     string
+	Audience  []string
+	IssuedAt  *time.Time
+	NotBefore *time.Time
+	ExpiresAt *time.Time
 }

 // NewSessionFromJWT constructs an in-memory session based on verified
@ -60,14 +58,6 @@ func NewSessionFromJWT(c *gin.Context, jwt *JWT) *Session {
 	sess.SetClientIP(header.ClientIP(c))
 	sess.SetUserAgent(header.ClientUserAgent(c))

-	// Set media preview and download tokens, if specified.
-	if jwt.PreviewToken != "" {
-		sess.PreviewToken = jwt.PreviewToken
-	}
-	if jwt.DownloadToken != "" {
-		sess.DownloadToken = jwt.DownloadToken
-	}
-
 	// Derive timestamps from JWT claims when available.
 	now := time.Now().UTC()
 	issuedAt := now