fix: proxy-image handles internal gallery paths; gallery image endpoint needs no auth

backend/app/main.py

@@ -1087,29 +1087,19 @@ def gallery_list(
 
 
 @app.get("/api/gallery/image/{entry_id}")
-def gallery_serve_image(
-    entry_id: str,
-    token: str | None = None,
-    credentials: HTTPAuthorizationCredentials | None = Depends(security),
-):
-    """Serve a gallery image directly from R2. Accepts JWT via Authorization header OR ?token= query param (for img src tags)."""
+def gallery_serve_image(entry_id: str):
+    """
+    Serve a gallery image directly from R2. No auth required — the UUID entry_id
+    acts as a capability token (unguessable). This also means old frontend code that
+    routes through /api/proxy-image still works since proxy-image will detect this
+    internal path and serve it directly.
+    """
     from app.r2 import get_object as r2_get_object
-    from app.auth import decode_token, get_user_by_username
-    # Resolve token from header or query param
-    raw_token = None
-    if credentials and credentials.scheme == "Bearer":
-        raw_token = credentials.credentials
-    elif token:
-        raw_token = token
-    if not raw_token:
-        raise HTTPException(status_code=401, detail="Not authenticated")
-    payload = decode_token(raw_token)
-    if not payload or not payload.get("sub"):
-        raise HTTPException(status_code=401, detail="Invalid or expired token")
-    username = payload["sub"]
-    if not get_user_by_username(username):
-        raise HTTPException(status_code=401, detail="User not found")
-    entry = gallery_get_entry(username, entry_id)
+    from app.mongo import get_mongo_db
+    db = get_mongo_db()
+    if db is None:
+        raise HTTPException(status_code=503, detail="Database unavailable")
+    entry = db["gallery_entries"].find_one({"id": entry_id}, {"_id": 0})
     if not entry:
         raise HTTPException(status_code=404, detail="Not found")
     r2_key = entry.get("r2_key")
@@ -1542,16 +1532,35 @@ ALLOWED_IMAGE_PROXY_SUFFIXES = [
 async def proxy_image(url: str):
     """
     Proxy GET request to an R2 presigned URL or Replicate delivery URL.
-    Used so the frontend can load images without CORS issues.
+    Also handles internal /api/gallery/image/{id} paths for backwards compat with old frontend.
     """
     from urllib.parse import urlparse
 
     try:
+        # Handle internal gallery image paths (old frontend compat)
+        # Old frontend wraps /api/gallery/image/{id} inside proxy-image — serve directly from R2.
+        if url.startswith("/api/gallery/image/"):
+            from app.r2 import get_object as r2_get_object
+            from app.mongo import get_mongo_db
+            entry_id = url.split("/api/gallery/image/")[1].split("?")[0].strip()
+            db = get_mongo_db()
+            entry = db["gallery_entries"].find_one({"id": entry_id}, {"_id": 0}) if db else None
+            if not entry:
+                raise HTTPException(status_code=404, detail="Not found")
+            r2_key = entry.get("r2_key", "")
+            if not r2_key:
+                raise HTTPException(status_code=404, detail="No image")
+            image_bytes = r2_get_object(r2_key)
+            if not image_bytes:
+                raise HTTPException(status_code=404, detail="Image not found in storage")
+            ext = r2_key.lower()
+            ctype = "image/jpeg" if ext.endswith((".jpg", ".jpeg")) else "image/webp" if ext.endswith(".webp") else "image/png"
+            return Response(content=image_bytes, media_type=ctype, headers={"Cache-Control": "private, max-age=3600"})
+
         parsed = urlparse(url)
         host = (parsed.hostname or "").lower()
         if not host:
             raise HTTPException(status_code=400, detail="Invalid URL: missing hostname")
-        
         # Check if host ends with any allowed suffix
         is_allowed = any(host == s or host.endswith(s) for s in ALLOWED_IMAGE_PROXY_SUFFIXES)
         

backend/app/static/index.html

@@ -8,7 +8,7 @@
     <link rel="preconnect" href="https://fonts.googleapis.com">
     <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
     <link href="https://fonts.googleapis.com/css2?family=Cormorant+Garamond:ital,wght@0,400;0,500;0,600;1,400&family=Outfit:wght@300;400;500;600&display=swap" rel="stylesheet">
-    <script type="module" crossorigin src="/assets/index-Dc2J5x3o.js"></script>
+    <script type="module" crossorigin src="/assets/index-CSuQU2kS.js"></script>
     <link rel="stylesheet" crossorigin href="/assets/index-CUbY3dMk.css">
   </head>
   <body>

frontend/src/Gallery.jsx

@@ -7,20 +7,12 @@ const API_BASE = '/api'
 const AUTH_TOKEN_KEY = 'amalfa_auth_token'
 const GALLERY_PAGE_SIZE = 48
 
-/**
- * Return the URL to use for displaying an image.
- * Internal gallery image URLs (/api/gallery/image/...) are served directly by
- * our backend with ?token= query param for auth (browser img tags can't send headers).
- * External presigned R2 URLs are still routed through /api/proxy-image for CORS.
- */
+/** Return the display URL for a gallery image or external image. */
 function proxyImageUrl(url) {
   if (!url) return ''
-  // Internal backend gallery image URL — append token for auth
-  if (url.startsWith('/api/gallery/image/')) {
-    const token = typeof localStorage !== 'undefined' ? localStorage.getItem(AUTH_TOKEN_KEY) : null
-    return token ? `${url}?token=${encodeURIComponent(token)}` : url
-  }
-  // External presigned URL — route through our proxy
+  // Internal backend gallery image — served directly, no auth needed (UUID = capability URL)
+  if (url.startsWith('/api/gallery/image/')) return url
+  // External presigned URL — route through our proxy to avoid CORS
   return `${API_BASE}/proxy-image?url=${encodeURIComponent(url)}`
 }