Files
KohakuHub/scripts/dev
narugo1992 283e38751d fix(ui/range-reads): forward same-origin session on /resolve/ Range probes
The safetensors / parquet / indexed-tar / tar-thumbnail readers all hit
`/resolve/...` directly with `fetch()` and pinned `credentials: "omit"`,
which dropped the SPA session cookie. On a private repo the backend's
HF-compat anti-enumeration path then returned 404 even though the user
was logged in — visible in production where the click-through download
worked but the inline preview's Range probe 404'd. Switch every
range-read entry point to `credentials: "same-origin"`: cookies travel
on the same-origin /resolve/ hop and are dropped automatically on the
cross-origin redirect to S3/MinIO, so presigned URLs answered with
`Access-Control-Allow-Origin: *` still work.

New regression test pins the contract on every entry point and
includes an explicit "404 if credentials would be omitted" case so a
future regression toward `omit` re-trips the test. Demo seed adds two
owner-only repos (`mai_lin/private-range-preview-bench` and
`mai_lin/private-vision-checkpoint`) so the parquet / indexed-tar /
safetensors preview paths can be exercised against a private repo
locally.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 23:10:50 +08:00
..