From 587954b1640a14a0166caf12ec346261de5e3137 Mon Sep 17 00:00:00 2001
From: Nils Pukropp <nils@narl.io>
Date: Wed, 25 Mar 2026 14:50:15 +0100
Subject: [PATCH] fixed file upload?

---
 frontend/astro.config.mjs           |  3 +++
 frontend/src/pages/api/[...path].ts | 22 +++++++++++++---------
 2 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/frontend/astro.config.mjs b/frontend/astro.config.mjs
index 941943b..e29dbaa 100644
--- a/frontend/astro.config.mjs
+++ b/frontend/astro.config.mjs
@@ -8,6 +8,9 @@ import node from '@astrojs/node';
 // https://astro.build/config
 export default defineConfig({
   output: 'server',
+  security: {
+    checkOrigin: false
+  },
   image: {
     service: { entrypoint: 'astro/assets/services/noop' }
   },
diff --git a/frontend/src/pages/api/[...path].ts b/frontend/src/pages/api/[...path].ts
index 00d53fd..357c9aa 100644
--- a/frontend/src/pages/api/[...path].ts
+++ b/frontend/src/pages/api/[...path].ts
@@ -14,9 +14,7 @@ export const ALL: APIRoute = async ({ request, params }) => {
   url.search = requestUrl.search;
 
   const headers = new Headers();
-  // We must NOT forward 'host' (causes backend to reject if it doesn't match)
-  // We must NOT forward 'connection'
-  // We should let fetch recalculate 'content-length'
+  // Filter headers to avoid conflicts.
   const forbiddenHeaders = ['host', 'connection', 'content-length', 'transfer-encoding', 'origin', 'referer'];
   
   request.headers.forEach((value, key) => {
@@ -35,13 +33,19 @@ export const ALL: APIRoute = async ({ request, params }) => {
       headers: headers,
     };
 
-    // Only attach body for methods that allow it
+    // Safely handle body for mutating requests
     if (request.method !== 'GET' && request.method !== 'HEAD') {
-        // Pass the raw stream directly. This is crucial for multipart/form-data.
-        fetchOptions.body = request.body;
-        // Required by Node.js fetch when body is a ReadableStream
-        // @ts-ignore
-        fetchOptions.duplex = 'half';
+        // Clone the request to safely access the body stream
+        const reqClone = request.clone();
+        
+        // For DELETE requests, check if a body actually exists before attaching it
+        // Some fetch implementations fail if a body is provided for DELETE
+        if (request.method !== 'DELETE' || reqClone.body) {
+             fetchOptions.body = reqClone.body;
+             // Required by Node.js fetch when body is a ReadableStream
+             // @ts-ignore
+             fetchOptions.duplex = 'half';
+        }
     }
 
     const response = await fetch(url.toString(), fetchOptions);