From 2326658518f397237b2fef3a3fad9a9b17134c00 Mon Sep 17 00:00:00 2001
From: gilesb
Date: Sat, 10 Jan 2026 00:27:05 +0000
Subject: [PATCH] Fix storage test and delete endpoints to support cookie auth

Both /storage/{id}/test and DELETE /storage/{id} were using Bearer token auth only. Now they also check cookie auth for browser sessions.

Co-Authored-By: Claude Opus 4.5
---
server.py | 28 ++++++++++++++++++++++++----
1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/server.py b/server.py
index 3e7f86c..bdb9faa 100644
--- a/server.py
+++ b/server.py
@@ -3261,28 +3261,48 @@ async def update_storage(storage_id: int, req: UpdateStorageRequest, user: User @app.delete("/storage/{storage_id}") -async def remove_storage(storage_id: int, user: User = Depends(get_required_user)): +async def remove_storage(storage_id: int, request: Request, user: User = Depends(get_optional_user)): """Remove a storage provider.""" + # Support both Bearer token and cookie auth + username = user.username if user else get_user_from_cookie(request) + if not username: + raise HTTPException(401, "Not authenticated") + storage = await db.get_storage_by_id(storage_id) if not storage: raise HTTPException(404, "Storage provider not found") - if storage["username"] != user.username: + if storage["username"] != username: raise HTTPException(403, "Not authorized") success = await db.remove_user_storage(storage_id) if not success: raise HTTPException(500, "Failed to remove storage provider") + # Return empty string for HTMX to remove the element + if wants_html(request): + return HTMLResponse("") + return {"message": "Storage provider removed"} @app.post("/storage/{storage_id}/test") -async def test_storage(storage_id: int, request: Request, user: User = Depends(get_required_user)): +async def test_storage(storage_id: int, request: Request, user: User = Depends(get_optional_user)): """Test storage provider connectivity.""" + # Support both Bearer token and cookie auth + username = user.username if user else get_user_from_cookie(request) + if not username: + if wants_html(request): + return HTMLResponse('Not authenticated', status_code=401) + raise HTTPException(401, "Not authenticated") + storage = await db.get_storage_by_id(storage_id) if not storage: + if wants_html(request): + return HTMLResponse('Storage not found', status_code=404) raise HTTPException(404, "Storage provider not found") - if storage["username"] != user.username: + if storage["username"] != username: + if wants_html(request): + return HTMLResponse('Not authorized', 
status_code=403) raise HTTPException(403, "Not authorized") config = storage["config"] if isinstance(storage["config"], dict) else json.loads(storage["config"])
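Review bot: Accepting the session cookie on `DELETE /storage/{storage_id}` and `POST /storage/{storage_id}/test` makes both state-changing routes callable with a credential the browser attaches automatically, and nothing in either handler checks a CSRF token or the `Origin` header before `db.remove_user_storage(storage_id)` or the connectivity test runs. Whether the cookie is issued with `SameSite` is not visible in this hunk, so confirm that before relying on it; if it is not, add the origin or token check on the cookie branch only, since Bearer callers do not need it. The fallback `username = user.username if user else get_user_from_cookie(request)` and its 401 handling are also duplicated in both handlers, and `remove_storage` raises plain `HTTPException` where `test_storage` returns an `HTMLResponse` for HTMX callers. Moving the lookup into a single dependency would keep the 401 behaviour and any CSRF check in one place. The body of `test_storage` continues past the end of the hunk.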