H1K0
d357ae3156
The file viewer's preview is now a real link (target=_blank) to the original, instead of fetching it into a blob. A navigation can't send the auth header, so the access token rides in the query — the auth middleware accepts ?access_token= as a fallback, but only for GET, so a crafted link can't drive a mutation. GetContent gains an ?inline=1 toggle (Content-Disposition: inline) so the tab views the original instead of downloading it; download stays the default. Documented in openapi.yaml; TestMediaQueryTokenAuth covers GET-with-query-token (200), missing token (401) and query-token rejected on a non-GET (401). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>