Canvas image GET returns 401 in proxy mode (X-Hero-User parsed as u64, not external_id) #28

Closed
opened 2026-04-27 16:48:38 +00:00 by sameh-farouk · 0 comments
Member

Symptom

Every canvas image upload in proxy mode renders as a broken placeholder. DevTools shows:

GET http://localhost:9997/hero_collab/ui/api/attachment/{id} 401 (Unauthorized)

Affects every proxy-mode user including the image's own uploader.

Root cause

attachment_http.rs::get_bytes parsed X-Hero-User as u64. In proxy mode the header is external_id/email (a string), so parse fails → caller_id=None → check_attachment_access hits the proxy-mode fail-closed branch → 401.

The JSON-RPC dispatcher (main.rs::handle_rpc) does the right thing (cache → external_id → email/alias). The HTTP attachment route never got the same treatment.

Surfaced in

#10 dogfooding thread (https://forge.ourworld.tf/lhumina_code/hero_collab/issues/10) while testing canvas content with a freshly-created canvas + image upload as viewer_test@example.com.

Fix in

PR linked below.
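
Added example, not code from hero_collab: the u64-only header parse described under "Root cause" next to a resolver that follows the cache → external_id → email/alias order, both fed into a fail-closed access check. The Directory type, the function names, the id 7, the "ext-42" value and the 403 branch are assumptions made for illustration.

```rust
use std::collections::HashMap;

// Hypothetical stand-in for the user store; names and ids are constructed.
pub struct Directory {
    pub cache: HashMap<String, u64>, // header value -> internal id
    pub by_external_id: HashMap<String, u64>,
    pub by_email_or_alias: HashMap<String, u64>,
}

// Behaviour the issue describes for the attachment route: numeric parse only.
pub fn caller_from_u64(header: Option<&str>) -> Option<u64> {
    header?.trim().parse::<u64>().ok()
}

// Order the issue attributes to the JSON-RPC dispatcher:
// cache -> external_id -> email/alias. The header is never parsed as an internal id.
pub fn resolve_caller(dir: &mut Directory, header: Option<&str>) -> Option<u64> {
    let key = header?.trim();
    if let Some(&id) = dir.cache.get(key) {
        return Some(id);
    }
    let id = dir.by_external_id.get(key)
        .or_else(|| dir.by_email_or_alias.get(key))
        .copied()?; // unknown identity stays None so the check fails closed
    dir.cache.insert(key.to_string(), id);
    Some(id)
}

// Proxy-mode access check: no resolved caller means 401 (403 for a known
// but unauthorized caller is an assumption of this example).
pub fn attachment_status(caller: Option<u64>, allowed: &[u64]) -> u16 {
    match caller {
        None => 401,
        Some(id) if allowed.contains(&id) => 200,
        Some(_) => 403,
    }
}

pub fn constructed_directory() -> Directory {
    let mut d = Directory { cache: HashMap::new(), by_external_id: HashMap::new(), by_email_or_alias: HashMap::new() };
    d.by_external_id.insert("ext-42".into(), 7);
    d.by_email_or_alias.insert("viewer_test@example.com".into(), 7);
    d
}

fn main() {
    let mut dir = constructed_directory();
    let header = Some("viewer_test@example.com");
    println!("u64 parse: {}", attachment_status(caller_from_u64(header), &[7]));
    println!("resolver:  {}", attachment_status(resolve_caller(&mut dir, header), &[7]));
}
```

Sharing one resolver between the JSON-RPC and HTTP routes keeps the two paths from drifting apart again, and a regression test that sends a string X-Hero-User to the attachment route would catch a recurrence.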


Reference
lhumina_code/hero_collab#28