mirror of
https://github.com/KohakuBlueleaf/KohakuHub.git
synced 2026-07-16 10:42:49 -05:00
The safetensors / parquet / indexed-tar / tar-thumbnail readers all hit `/resolve/...` directly with `fetch()` and pinned `credentials: "omit"`, which dropped the SPA session cookie. On a private repo the backend's HF-compat anti-enumeration path then returned 404 even though the user was logged in — visible in production where the click-through download worked but the inline preview's Range probe 404'd. Switch every range-read entry point to `credentials: "same-origin"`: cookies travel on the same-origin /resolve/ hop and are dropped automatically on the cross-origin redirect to S3/MinIO, so presigned URLs answered with `Access-Control-Allow-Origin: *` still work. New regression test pins the contract on every entry point and includes an explicit "404 if credentials would be omitted" case so a future regression toward `omit` re-trips the test. Demo seed adds two owner-only repos (`mai_lin/private-range-preview-bench` and `mai_lin/private-vision-checkpoint`) so the parquet / indexed-tar / safetensors preview paths can be exercised against a private repo locally. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>