From 0fa6ba954d74ab96eb94725be54a8d9702893f6b Mon Sep 17 00:00:00 2001
From: Marcos
Date: Sun, 22 Mar 2026 00:08:52 -0300
Subject: [PATCH] fix: allow pwd query param on host_file to bypass header auth for img tags

---
 main.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/main.py b/main.py
index 27dd3de..7d4614b 100644
--- a/main.py
+++ b/main.py
@@ -150,12 +150,19 @@ async def get_audio_file(filename: str):
     raise HTTPException(status_code=404, detail="Arquivo de áudio não encontrado.")
 @app.get("/api/host_file")
-async def get_host_file(path: str, is_auth: bool = Depends(verify_password)):
+async def get_host_file(path: str, pwd: str = None, x_web_password: str = Header(None)):
     """Serve arquivos (como imagens) da máquina host para exibir no painel de insights."""
+    # Autenticação dupla: via Header (fetch) ou via Query Parâmetro (tag img)
+    cfg = get_config()
+    saved_pwd = cfg.get("web_password", "@@Gi05Br;;")
+    auth_token = pwd or x_web_password
+    if not auth_token or auth_token != saved_pwd:
+        raise HTTPException(status_code=401, detail="Não autorizado")
+
     host_path = f"/host_root{path}" if not path.startswith("/host_root") else path
     # Previne directory traversal básico garantindo que comece com /host_root
-    if not host_path.startswith("/host_root"):
+    if not host_path.startswith("/host_root") or ".." in host_path:
         raise HTTPException(status_code=400, detail="Caminho inválido.")
     if os.path.isfile(host_path):