Problem
The Cloud Page inline viewer endpoint requires bearer-token authentication. Native <video>, <audio>, <img>, and embedded PDF elements cannot attach an arbitrary Authorization header, so the frontend cannot use the endpoint directly while preserving native media streaming and byte-range seeking.
Proposed solution
Add an authenticated same-origin frontend route or proxy that:
- authenticates the current Vault Web user using the existing frontend/session flow
- forwards requests to
GET /api/files/view with the backend bearer token
- preserves
Range, conditional request, and relevant response headers
- streams the response without buffering the whole file
- never accepts or exposes paths outside the authenticated user's root
Acceptance criteria
Related to Vault-Web/cloud-page#98 and Vault-Web/cloud-page#102.
Problem
The Cloud Page inline viewer endpoint requires bearer-token authentication. Native
<video>,<audio>,<img>, and embedded PDF elements cannot attach an arbitraryAuthorizationheader, so the frontend cannot use the endpoint directly while preserving native media streaming and byte-range seeking.Proposed solution
Add an authenticated same-origin frontend route or proxy that:
GET /api/files/viewwith the backend bearer tokenRange, conditional request, and relevant response headersAcceptance criteria
206 Partial Contentresponses are preserved.Content-Type,Content-Disposition,ETag,Last-Modified,Content-Range, andAccept-Rangesare forwarded where applicable.Related to Vault-Web/cloud-page#98 and Vault-Web/cloud-page#102.