From 40fbdb7370e863022f048cc9aa9501e5184d9d92 Mon Sep 17 00:00:00 2001
From: Eduard Wisch <data@data-it-solution.de>
Date: Wed, 8 Apr 2026 23:27:27 +0200
Subject: [PATCH] fix: JWT als Query-Param bei photo.php (Apache filtert Header
 auf prod)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
[deploy]
---
 lib/api.js | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/lib/api.js b/lib/api.js
index bd4cb73..f9909ea 100644
--- a/lib/api.js
+++ b/lib/api.js
@@ -95,12 +95,11 @@
 
         const t = await getToken();
         if (!t) return null;
-        const params = new URLSearchParams({ relpath });
+        // JWT als Query-Param, weil Apache auf prod den Authorization-Header filtert
+        const params = new URLSearchParams({ relpath, jwt: t });
         if (size) params.set('size', size);
 
-        const r = await fetch(API_BASE + '/photo.php?' + params.toString(), {
-            headers: { Authorization: 'Bearer ' + t },
-        });
+        const r = await fetch(API_BASE + '/photo.php?' + params.toString());
         if (!r.ok) {
             const body = await r.text().catch(() => '');
             console.warn('photo.php failed', r.status, relpath, body);