Update: 2026-05-07 03:50:16

app/modules_app/invoices/file.php

@@ -19,15 +19,14 @@ function outputErrorImage($message) {
     exit;
 }
 
-// Extract token from header OR query string
-$headers = getallheaders();
-$authHeader = $headers['Authorization'] ?? $headers['authorization'] ?? '';
-$token = '';
-
-if (preg_match('/Bearer\s(\S+)/', $authHeader, $matches)) {
-    $token = $matches[1];
-} elseif (isset($_GET['token'])) {
-    $token = $_GET['token'];
+// Extract token from header OR query string using helper
+$token = input('token');
+if (!$token) {
+    $headers = getallheaders();
+    $authHeader = $headers['Authorization'] ?? $headers['authorization'] ?? '';
+    if (preg_match('/Bearer\s(\S+)/', $authHeader, $matches)) {
+        $token = $matches[1];
+    }
 }
 
 if (!$token) outputErrorImage('Forbidden: No token');

app/modules_app/invoices/view.php

@@ -91,8 +91,13 @@ try {
         $invoice['jofotara'] = null;
     }
 
-    // 5. Build the secure file URL using the invoice ID (file.php fetches path from DB)
-    $invoice['file_url'] = '/index.php?route=v1/invoices/file&id=' . urlencode($id);
+    // 5. Build the secure file URL with token (for Image.network compatibility)
+    $authHeader = getallheaders()['Authorization'] ?? getallheaders()['authorization'] ?? '';
+    $token = '';
+    if (preg_match('/Bearer\s(\S+)/', $authHeader, $matches)) {
+        $token = $matches[1];
+    }
+    $invoice['file_url'] = '/index.php?route=v1/invoices/file&id=' . urlencode($id) . '&token=' . $token;
 
     // 6. Include local QR code from invoices table if available
     // (This is used as a fallback in shell.php if jofotara object is missing)