Skip to content

Add authenticated same-origin proxy for workspace file previews #281

Description

@arnabnandy7

Problem

The Cloud Page inline viewer endpoint requires bearer-token authentication. Native <video>, <audio>, <img>, and embedded PDF elements cannot attach an arbitrary Authorization header, so the frontend cannot use the endpoint directly while preserving native media streaming and byte-range seeking.

Proposed solution

Add an authenticated same-origin frontend route or proxy that:

  • authenticates the current Vault Web user using the existing frontend/session flow
  • forwards requests to GET /api/files/view with the backend bearer token
  • preserves Range, conditional request, and relevant response headers
  • streams the response without buffering the whole file
  • never accepts or exposes paths outside the authenticated user's root

Acceptance criteria

  • Images, audio, video, and PDFs can use a same-origin URL from native browser elements.
  • Byte-range requests and 206 Partial Content responses are preserved.
  • Content-Type, Content-Disposition, ETag, Last-Modified, Content-Range, and Accept-Ranges are forwarded where applicable.
  • Authentication tokens are not placed in query strings or exposed to the browser media URL.
  • Unauthorized and out-of-root requests fail without exposing file contents.

Related to Vault-Web/cloud-page#98 and Vault-Web/cloud-page#102.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions