From b15724f021648ba8107e2a00f5dccc48bda3630e Mon Sep 17 00:00:00 2001
From: Sean Morley
Date: Tue, 17 Mar 2026 09:22:45 -0400
Subject: [PATCH] fix: enhance authentication fallback for protected media access
---
 backend/server/main/views.py | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/backend/server/main/views.py b/backend/server/main/views.py
index 3393e137..2cbb4841 100644
--- a/backend/server/main/views.py
+++ b/backend/server/main/views.py
@@ -19,7 +19,20 @@ def serve_protected_media(request, path):
 if any([path.startswith(protected_path) for protected_path in protected_paths]):
 image_id = path.split('/')[1]
 user = request.user
- media_type = path.split('/')[0] + '/'
+
+ # Session auth won't populate request.user for API key requests, so
+ # attempt API key authentication as a fallback.
+ if not user.is_authenticated:
+ from users.authentication import APIKeyAuthentication
+ from rest_framework.exceptions import AuthenticationFailed
+ try:
+ result = APIKeyAuthentication().authenticate(request)
+ if result is not None:
+ user, _ = result
+ except AuthenticationFailed:
+ return HttpResponseForbidden()
+
+ media_type = path.split('/')[0] + '/'
 if checkFilePermission(image_id, user, media_type):
 if settings.DEBUG:
 # In debug mode, serve the file directly
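Review bot: Key checks made through the media URL are likely to sit outside any DRF throttling, because the fallback calls `APIKeyAuthentication().authenticate(request)` by hand in what looks like a plain Django view (it reads `request.user` and returns `HttpResponseForbidden`). The `except AuthenticationFailed` branch also returns 403 without recording anything, so repeated rejected keys against this endpoint leave nothing for detection to work with. I would log the rejection there, e.g. `logger.warning("protected media: API key rejected for %r", path)` (adding a module-level logger if views.py has none), and put this route behind the same rate limit as the API. It is also worth confirming that the authenticator itself rejects inactive users and revoked keys, since `checkFilePermission` receives whatever user it returns. `serve_protected_media` starts above this hunk and continues past it.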