Summary:
Make the “View sources” action work for shared chats as well as private chats.
Why:
SharedChatPage reuses the same getMessageSources(messageId) call as the private chat page, but the backend route GET /message/sources/:messageId is protected by verifyStrictJWT. A public viewer can see the conversation history, yet the source panel stays empty or fails when they click “View sources”, which removes one of the main trust features of the app.
Files to change:
backend/controllers/chatMessage.controller.js
backend/routers/chatMessage.route.js
src/pages/SharedChatPage.tsx
src/lib/api.ts
Acceptance criteria:
- Shared chat viewers can fetch the sources for a message without signing in.
- Private chats still do not leak sources to unrelated users.
- The shared chat UI shows the same source cards/links as the private chat UI.
Implementation notes:
- Add a share-token-aware source path, or extend the controller to accept a public/shared context.
- Keep the response shape identical so the frontend can reuse the same rendering path.
Summary:
Make the “View sources” action work for shared chats as well as private chats.
Why:
SharedChatPagereuses the samegetMessageSources(messageId)call as the private chat page, but the backend routeGET /message/sources/:messageIdis protected byverifyStrictJWT. A public viewer can see the conversation history, yet the source panel stays empty or fails when they click “View sources”, which removes one of the main trust features of the app.Files to change:
backend/controllers/chatMessage.controller.jsbackend/routers/chatMessage.route.jssrc/pages/SharedChatPage.tsxsrc/lib/api.tsAcceptance criteria:
Implementation notes: