From 26c1676cddb10019d69e19833901f3b9147b024f Mon Sep 17 00:00:00 2001
From: Maurice
Date: Mon, 30 Mar 2026 20:56:56 +0200
Subject: [PATCH] =?UTF-8?q?revert:=20remove=20auth=20from=20file=20uploads?= =?UTF-8?q?=20=E2=80=94=20breaks=20img/pdf=20rendering=20in=20browser?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 server/src/index.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/server/src/index.ts b/server/src/index.ts
index 5dc9f9d..4cdbe4e 100644
--- a/server/src/index.ts
+++ b/server/src/index.ts
@@ -113,10 +113,10 @@ import { authenticate } from './middleware/auth';
 app.use('/uploads/avatars', express.static(path.join(__dirname, '../uploads/avatars')));
 app.use('/uploads/covers', express.static(path.join(__dirname, '../uploads/covers')));
-// Files and photos require authentication (covers and avatars are public — served statically above)
-app.get('/uploads/:type/:filename', authenticate, (req: Request, res: Response) => {
+// Serve uploaded files (UUIDs are unguessable, path traversal protected)
+app.get('/uploads/:type/:filename', (req: Request, res: Response) => {
 const { type, filename } = req.params;
- const allowedTypes = ['files', 'photos'];
+ const allowedTypes = ['covers', 'files', 'photos'];
 if (!allowedTypes.includes(type)) return res.status(404).send('Not found');
 // Prevent path traversal
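Review bot: Dropping `authenticate` from `app.get('/uploads/:type/:filename', ...)` leaves the random filename as the only access control on `files` and `photos`, and such URLs end up in server logs, Referer headers, browser history and shared links, and cannot be revoked once a user loses access. The rendering breakage is presumably because browser-initiated image/PDF requests cannot carry an Authorization header; a narrower fix is to keep the middleware on the route and let it also accept the session cookie or a short-lived signed token in the query string, instead of removing the check. Adding `'covers'` to `allowedTypes` looks redundant, since `/uploads/covers` is already handled by `express.static` just above and this entry only matters for requests that fall through it. If the route does stay public, the comment should say so plainly, e.g. `// PUBLIC: no auth; anyone holding the URL can read files/photos; names must come from a CSPRNG`, and the handler body, which continues past this hunk, should be checked for `X-Content-Type-Options: nosniff` on user-supplied content.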