diff --git a/server/cmd/server/router.go b/server/cmd/server/router.go index 406860bf1..d2674d634 100644 --- a/server/cmd/server/router.go +++ b/server/cmd/server/router.go @@ -449,42 +449,11 @@ func NewRouterWithOptions(pool *pgxpool.Pool, hub *realtime.Hub, bus *events.Bus realtime.HandleWebSocket(hub, mc, pr, slugResolver, w, r) }) - // Local file serving (when using local storage). - // - // The disclosure (security-findings-2026-06-02) explicitly flagged this - // route as a layer in the SVG-XSS chain: it was unauthenticated, served - // directory listings, and lacked nosniff/CSP. The primary fix (PR #3023) - // broke the inline-render step by forcing Content-Disposition: attachment - // for non-media types, but the layered defenses here stay open until we - // add them. - // - // Auth dispatch is two-track: - // - Signed-query (?exp=&sig=): the route bypasses middleware.Auth and - // ServeLocalUpload validates the HMAC signature itself. This is the - // path used by token-auth clients (Desktop, legacy-token Web, - // mobile) for inline /