From 47bc8ba96684354ff808056bdf97ebd55be7bdd5 Mon Sep 17 00:00:00 2001
From: kevin <kevin@yuno.malio.fr>
Date: Thu, 12 Mar 2026 08:37:53 +0100
Subject: [PATCH 1/3] fix : securite middle  et execfile

---
 components/BackupList.vue        | 10 +++++++---
 components/BackupRun.vue         |  9 +++++++--
 components/MessageDiscord.vue    |  6 +++++-
 components/Speedtest.vue         |  8 ++++++--
 components/StatusSite.vue        |  6 +++++-
 nuxt.config.ts                   |  2 ++
 pages/backup.vue                 | 30 +++++++++++++-----------------
 pages/index.vue                  |  6 +++++-
 server/api/backup-script.post.ts |  9 +++++----
 server/api/disk.get.ts           |  9 +++++----
 server/config/backup-script.json | 20 ++++++++++++++++----
 server/config/disk-commands.json | 13 ++++++++++---
 server/middleware/auth.ts        | 30 ++++++++++++++++++++++++++++++
 13 files changed, 116 insertions(+), 42 deletions(-)
 create mode 100644 server/middleware/auth.ts

diff --git a/components/BackupList.vue b/components/BackupList.vue
index 9dcad3b..1aa8a38 100644
--- a/components/BackupList.vue
+++ b/components/BackupList.vue
@@ -55,6 +55,7 @@
 import {Icon as IconifyIcon} from "@iconify/vue"
 import CircleSkeleton from "~/components/skeleton/CircleSkeleton.vue"
 import TextSkeleton from "~/components/skeleton/TextSkeleton.vue"
+import { downloadApiFile, useApiAuthHeader } from "~/composables/useApiAuth"
 
 const props = defineProps<{
   folder: string | null
@@ -62,15 +63,16 @@ const props = defineProps<{
 
 const backups = ref<string[]>([])
 const loading = ref(false)
+const apiAuthHeader = useApiAuthHeader()
 const title = computed(() => {
   if (!props.folder) return "Fichiers"
   return `Backup — ${props.folder.toUpperCase()}`
 })
 
-const downloadBackup = (file: string) => {
+const downloadBackup = async (file: string) => {
   if (!props.folder) return
   const url = `/api/download?folder=${encodeURIComponent(props.folder)}&file=${encodeURIComponent(file)}`
-  window.location.href = url
+  await downloadApiFile(url, file)
 }
 
 watch(() => props.folder, async (folder) => {
@@ -82,7 +84,9 @@ watch(() => props.folder, async (folder) => {
 
   loading.value = true
   try {
-    const data = await $fetch<string[]>(`/api/backups?folder=${encodeURIComponent(folder)}`)
+    const data = await $fetch<string[]>(`/api/backups?folder=${encodeURIComponent(folder)}`, {
+      headers: apiAuthHeader
+    })
     backups.value = data
   } catch (error) {
     console.error("Erreur récupération backups:", error)
diff --git a/components/BackupRun.vue b/components/BackupRun.vue
index cae972c..36b9db2 100644
--- a/components/BackupRun.vue
+++ b/components/BackupRun.vue
@@ -79,6 +79,7 @@
 <script setup lang="ts">
 import { computed, onMounted, ref } from "vue"
 import { Icon as IconifyIcon } from "@iconify/vue"
+import { useApiAuthHeader } from "~/composables/useApiAuth"
 
 type BackupScript = {
   key: string
@@ -118,6 +119,7 @@ const scripts = ref<BackupScript[]>([])
 const output = ref<string>("")
 const message = ref<string>("")
 const isError = ref(false)
+const apiAuthHeader = useApiAuthHeader()
 
 const statusClass = computed(() => (isError.value ? "status-error" : "status-success"))
 
@@ -134,7 +136,9 @@ const loadScripts = async () => {
     downloadFolders: []
   })
   try {
-    const data = await $fetch<BackupScriptListResponse>("/api/backup-script")
+    const data = await $fetch<BackupScriptListResponse>("/api/backup-script", {
+      headers: apiAuthHeader
+    })
     scripts.value = data.scripts
   } catch (error) {
     scripts.value = []
@@ -162,7 +166,8 @@ const runScript = async (key: string) => {
   try {
     const data = await $fetch<BackupScriptRunResponse>("/api/backup-script", {
       method: "POST",
-      body: { key }
+      body: { key },
+      headers: apiAuthHeader
     })
     message.value = `${data.label} execute avec succes`
     output.value = data.output || "Aucune sortie retournee."
diff --git a/components/MessageDiscord.vue b/components/MessageDiscord.vue
index 6c82c53..6b61904 100644
--- a/components/MessageDiscord.vue
+++ b/components/MessageDiscord.vue
@@ -1,6 +1,10 @@
 <script setup>
 import {Icon as IconifyIcon} from "@iconify/vue"
-const { data: messages } = await useFetch('/api/discord/messages')
+import { useApiAuthHeader } from "~/composables/useApiAuth"
+
+const { data: messages } = await useFetch('/api/discord/messages', {
+  headers: useApiAuthHeader()
+})
 </script>
 
 <template>
diff --git a/components/Speedtest.vue b/components/Speedtest.vue
index 582e20e..09872e5 100644
--- a/components/Speedtest.vue
+++ b/components/Speedtest.vue
@@ -42,11 +42,13 @@
 <script setup lang="ts">
 import {computed, ref} from "vue"
 import {Icon as IconifyIcon} from "@iconify/vue"
+import { useApiAuthHeader, withApiAuth } from "~/composables/useApiAuth"
 
 const ping = ref<number | null>(null)
 const download = ref<number | null>(null)
 const upload = ref<number | null>(null)
 const isTesting = ref(false)
+const apiAuthHeader = useApiAuthHeader()
 
 const metrics = computed(() => [
   { label: "Download", icon: "mdi:arrow-down-bold", value: download.value, unit: "Mbps" },
@@ -56,7 +58,9 @@ const metrics = computed(() => [
 
 async function testDownload() {
   const start = performance.now()
-  const res = await fetch('/api/download')
+  const res = await fetch('/api/download', {
+    headers: apiAuthHeader
+  })
   const blob = await res.blob()
   const end = performance.now()
   const size = blob.size
@@ -68,7 +72,7 @@ async function testUpload() {
   const size = 5 * 1024 * 1024
   const data = new Uint8Array(size)
   const start = performance.now()
-  await fetch('/api/upload', { method: 'POST', body: data })
+  await fetch('/api/upload', withApiAuth({ method: 'POST', body: data }))
   const end = performance.now()
   const seconds = (end - start) / 1000
   upload.value = Math.round((size * 8) / seconds / 1000000)
diff --git a/components/StatusSite.vue b/components/StatusSite.vue
index 507a585..8300daa 100644
--- a/components/StatusSite.vue
+++ b/components/StatusSite.vue
@@ -43,6 +43,7 @@
 import CircleSkeleton from "~/components/skeleton/CircleSkeleton.vue"
 import TextSkeleton from "~/components/skeleton/TextSkeleton.vue"
 import {onBeforeUnmount, onMounted, ref} from "vue"
+import { useApiAuthHeader } from "~/composables/useApiAuth"
 
 interface StatusRow {
   label: string
@@ -71,6 +72,7 @@ const props = withDefaults(
 const rows = ref<StatusRow[]>([])
 const loading = ref(true)
 const initialized = ref(false)
+const apiAuthHeader = useApiAuthHeader()
 let timer: ReturnType<typeof setInterval> | null = null
 
 const statusLabel = (status: number) => {
@@ -84,7 +86,9 @@ const checkStatus = async () => {
     loading.value = true
   }
   try {
-    const data = await $fetch<StatusResponse>(props.endpoint)
+    const data = await $fetch<StatusResponse>(props.endpoint, {
+      headers: apiAuthHeader
+    })
     rows.value = data.results
   } catch (error) {
     rows.value = [
diff --git a/nuxt.config.ts b/nuxt.config.ts
index ffc3361..0145bef 100644
--- a/nuxt.config.ts
+++ b/nuxt.config.ts
@@ -35,7 +35,9 @@ export default defineNuxtConfig({
     }
   },
   runtimeConfig: {
+    apiSecretKey: process.env.API_SECRET_KEY,
     public: {
+      apiSecretKey: process.env.API_SECRET_KEY || "",
       appVersion: getRepoVersion()
     }
   },
diff --git a/pages/backup.vue b/pages/backup.vue
index 1124c75..4c33a8a 100644
--- a/pages/backup.vue
+++ b/pages/backup.vue
@@ -96,6 +96,7 @@
 <script setup lang="ts">
 import { ref } from "vue"
 import BackupRun from "~/components/BackupRun.vue"
+import { downloadApiFile, useApiAuthHeader } from "~/composables/useApiAuth"
 
 definePageMeta({ layout: false })
 
@@ -117,35 +118,30 @@ const emptyScriptResult = (): ScriptResult => ({
 
 const selectedBackup = ref<string | null>(null)
 const scriptResult = ref<ScriptResult>(emptyScriptResult())
+const apiAuthHeader = useApiAuthHeader()
 
 const fetchLatestBackup = async (folder: string) => {
-  const files = await $fetch<string[]>(`/api/backups?folder=${encodeURIComponent(folder)}`)
+  const files = await $fetch<string[]>(`/api/backups?folder=${encodeURIComponent(folder)}`, {
+    headers: apiAuthHeader
+  })
   return files[0] || null
 }
 
-const triggerDownload = (folder: string, file: string) => {
-  const link = document.createElement("a")
-  link.href = `/api/download?folder=${encodeURIComponent(folder)}&file=${encodeURIComponent(file)}`
-  link.style.display = "none"
-  document.body.appendChild(link)
-  link.click()
-  link.remove()
+const triggerDownload = async (folder: string, file: string) => {
+  const url = `/api/download?folder=${encodeURIComponent(folder)}&file=${encodeURIComponent(file)}`
+  await downloadApiFile(url, file)
 }
 
-const triggerBatchDownload = (folders: string[]) => {
-  const link = document.createElement("a")
-  link.href = `/api/download-latest?folders=${encodeURIComponent(folders.join(","))}`
-  link.style.display = "none"
-  document.body.appendChild(link)
-  link.click()
-  link.remove()
+const triggerBatchDownload = async (folders: string[]) => {
+  const url = `/api/download-latest?folders=${encodeURIComponent(folders.join(","))}`
+  await downloadApiFile(url, "backup-latest.tar.gz")
 }
 
 const downloadLatestBackup = async (folder: string) => {
   const latestFile = await fetchLatestBackup(folder)
 
   if (latestFile) {
-    triggerDownload(folder, latestFile)
+    await triggerDownload(folder, latestFile)
   }
 }
 
@@ -157,7 +153,7 @@ const handleScriptResult = async (payload: ScriptResult) => {
   }
 
   if (payload.downloadFolders.length > 1) {
-    triggerBatchDownload(payload.downloadFolders)
+    await triggerBatchDownload(payload.downloadFolders)
     return
   }
 
diff --git a/pages/index.vue b/pages/index.vue
index 7d3d125..1f6a1ff 100644
--- a/pages/index.vue
+++ b/pages/index.vue
@@ -49,6 +49,7 @@
 <script setup lang="ts">
 definePageMeta({layout: false})
 import {computed, onMounted, ref} from "vue"
+import { useApiAuthHeader } from "~/composables/useApiAuth"
 
 type DiskSourceResult = {
   key: string
@@ -77,6 +78,7 @@ type DiagramItem = {
 const selectedBackup = ref<string | null>(null)
 const rawResults = ref<DiskSourceResult[]>([])
 const loading = ref(false)
+const apiAuthHeader = useApiAuthHeader()
 const chartRadius = 52
 const chartCircumference = 2 * Math.PI * chartRadius
 
@@ -151,7 +153,9 @@ const runScript = async () => {
   rawResults.value = []
 
   try {
-    const output = await $fetch<DiskApiResponse>("/api/disk")
+    const output = await $fetch<DiskApiResponse>("/api/disk", {
+      headers: apiAuthHeader
+    })
     rawResults.value = output.results
   } catch (error) {
     const message = `Erreur: ${error instanceof Error ? error.message : String(error)}`
diff --git a/server/api/backup-script.post.ts b/server/api/backup-script.post.ts
index 487d786..a9eb7b1 100644
--- a/server/api/backup-script.post.ts
+++ b/server/api/backup-script.post.ts
@@ -1,4 +1,4 @@
-import { exec } from "node:child_process"
+import { execFile } from "node:child_process"
 import scripts from "../config/backup-script.json"
 
 type BackupScript = {
@@ -6,11 +6,12 @@ type BackupScript = {
   label: string
   downloadFolders?: string[]
   command: string
+  args?: string[]
 }
 
-function runCommand(command: string): Promise<string> {
+function runCommand(command: string, args: string[] = []): Promise<string> {
   return new Promise((resolve, reject) => {
-    exec(command, { timeout: 10 * 60 * 1000 }, (error, stdout, stderr) => {
+    execFile(command, args, { timeout: 10 * 60 * 1000 }, (error, stdout, stderr) => {
       if (error) {
         reject(stderr || error.message)
         return
@@ -40,7 +41,7 @@ export default defineEventHandler(async (event) => {
   }
 
   try {
-    const output = await runCommand(script.command)
+    const output = await runCommand(script.command, script.args || [])
     return {
       ok: true,
       key: script.key,
diff --git a/server/api/disk.get.ts b/server/api/disk.get.ts
index da537a9..0c59016 100644
--- a/server/api/disk.get.ts
+++ b/server/api/disk.get.ts
@@ -1,10 +1,11 @@
-import { exec } from "child_process"
+import { execFile } from "child_process"
 import diskSources from "../config/disk-commands.json"
 
 type DiskSource = {
   key: string
   label: string
   command: string
+  args?: string[]
 }
 
 function getCommand(source: DiskSource) {
@@ -15,9 +16,9 @@ function getCommand(source: DiskSource) {
   return process.env[envKey] || (legacyEnvKey ? process.env[legacyEnvKey] : undefined) || source.command
 }
 
-function runCommand(command: string): Promise<string> {
+function runCommand(command: string, args: string[] = []): Promise<string> {
   return new Promise((resolve, reject) => {
-    exec(command, (error, stdout, stderr) => {
+    execFile(command, args, (error, stdout, stderr) => {
       if (error) {
         reject(stderr || error.message)
         return
@@ -31,7 +32,7 @@ export default defineEventHandler(async () => {
   const results = await Promise.all(
     (diskSources as DiskSource[]).map(async (source) => {
       try {
-        const output = await runCommand(getCommand(source))
+        const output = await runCommand(source.command, source.args || [])
         return {
           key: source.key,
           label: source.label,
diff --git a/server/config/backup-script.json b/server/config/backup-script.json
index 00b6829..6d6a054 100644
--- a/server/config/backup-script.json
+++ b/server/config/backup-script.json
@@ -4,19 +4,31 @@
     "label": "Backup BDD recette",
     "icon": "mdi:database-export",
     "downloadFolders": ["ferme", "inventory", "sirh", "user"],
-    "command": "ssh ferme 'cd /home/malio/Malio-ops/RecetteScripts && bash backup-bdd-recette.sh && exit'"
+    "command": "ssh",
+    "args": [
+      "ferme",
+      "cd /home/malio/Malio-ops/RecetteScripts && bash backup-bdd-recette.sh"
+    ]
   },
   {
     "key": "check-statut-recette",
     "label": "Check statut recette",
     "icon": "mdi:server-network",
-    "command": "ssh ferme 'cd /home/malio/Malio-ops/RecetteScripts && bash check-statut-recette.sh && exit'"
+    "command": "ssh",
+    "args": [
+      "ferme",
+      "cd /home/malio/Malio-ops/RecetteScripts && bash check-statut-recette.sh"
+    ]
   },
   {
     "key": "backup-vaultwarden",
     "label": "Backup vaultwarden",
     "icon": "mdi:data",
     "downloadFolders": ["bitwarden"],
-    "command": "ssh bitwarden 'cd /home/matt/vaultwarden/Malio-ops/BackupVaultWarden && bash backup-vaultwarden.sh && exit'"
+    "command": "ssh",
+    "args": [
+      "bitwarden",
+      "cd /home/matt/vaultwarden/Malio-ops/BackupVaultWarden && bash backup-vaultwarden.sh"
+    ]
   }
-]
+]
\ No newline at end of file
diff --git a/server/config/disk-commands.json b/server/config/disk-commands.json
index 17e5c31..3c2e664 100644
--- a/server/config/disk-commands.json
+++ b/server/config/disk-commands.json
@@ -2,11 +2,18 @@
   {
     "key": "remote",
     "label": "Serveur distant",
-    "command": "ssh malio-b 'cd /home/malio-b/Malio-ops/CheckStorage && bash check-storage.sh && exit'"
+    "command": "ssh",
+    "args": [
+      "malio-b",
+      "cd /home/malio-b/Malio-ops/CheckStorage && bash check-storage.sh"
+    ]
   },
   {
     "key": "local",
     "label": "Machine locale",
-    "command": "bash /home/kevin/check_storage.sh"
+    "command": "bash",
+    "args": [
+      "/home/kevin/check_storage.sh"
+    ]
   }
-]
+]
\ No newline at end of file
diff --git a/server/middleware/auth.ts b/server/middleware/auth.ts
new file mode 100644
index 0000000..707f959
--- /dev/null
+++ b/server/middleware/auth.ts
@@ -0,0 +1,30 @@
+export default defineEventHandler((event) => {
+  const path = event.path || event.node.req.url || ""
+
+  // Le middleware ne s'applique qu'aux routes API, sauf l'endpoint de ping
+  // qui reste public pour les tests de connectivite.
+  if (!path.startsWith("/api/") || path === "/api/ping") {
+    return
+  }
+
+  const runtimeConfig = useRuntimeConfig(event)
+  const authorization = getHeader(event, "authorization")
+  const expectedToken = runtimeConfig.apiSecretKey
+
+  // Si aucun secret n'est configure cote serveur, on refuse la requete.
+  if (!expectedToken) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Unauthorized"
+    })
+  }
+
+  // Le header doit correspondre exactement au format attendu :
+  // Authorization: Bearer <token>
+  if (authorization !== `Bearer ${expectedToken}`) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Unauthorized"
+    })
+  }
+})
-- 
2.39.5


From b3fc6f77b16bdc5b7a0e93b4c0f150c010765961 Mon Sep 17 00:00:00 2001
From: kevin <kevin@yuno.malio.fr>
Date: Thu, 12 Mar 2026 08:58:58 +0100
Subject: [PATCH 2/3] fix : securite regex et message erreur et endpoint

---
 components/BackupList.vue          | 29 +++++++++-
 components/BackupRun.vue           |  4 +-
 components/MessageDiscord.vue      | 20 +++++--
 components/Speedtest.vue           | 33 +++++++++++-
 composables/useApiAuth.ts          | 86 ++++++++++++++++++++++++++++++
 nuxt.config.ts                     |  2 +-
 pages/index.vue                    |  3 +-
 server/api/backup-script.post.ts   |  4 +-
 server/api/backups.get.ts          |  4 +-
 server/api/discord/messages.get.ts | 32 ++++++++---
 server/api/disk.get.ts             |  3 +-
 server/api/download.get.ts         |  2 +-
 12 files changed, 198 insertions(+), 24 deletions(-)
 create mode 100644 composables/useApiAuth.ts

diff --git a/components/BackupList.vue b/components/BackupList.vue
index 1aa8a38..cca8806 100644
--- a/components/BackupList.vue
+++ b/components/BackupList.vue
@@ -22,6 +22,13 @@
       </div>
     </div>
 
+    <div v-else-if="errorMessage" class="empty-state error-state">
+      <IconifyIcon icon="mdi:alert-circle-outline" class="text-3xl text-m-error/70" />
+      <p class="mt-2 font-mono text-xs text-m-error/80">
+        {{ errorMessage }}
+      </p>
+    </div>
+
     <div v-else-if="backups.length === 0" class="empty-state">
       <IconifyIcon icon="mdi:file-hidden" class="text-3xl text-m-muted/40" />
       <p class="mt-2 font-mono text-xs text-m-muted/50">
@@ -63,6 +70,7 @@ const props = defineProps<{
 
 const backups = ref<string[]>([])
 const loading = ref(false)
+const errorMessage = ref("")
 const apiAuthHeader = useApiAuthHeader()
 const title = computed(() => {
   if (!props.folder) return "Fichiers"
@@ -72,25 +80,36 @@ const title = computed(() => {
 const downloadBackup = async (file: string) => {
   if (!props.folder) return
   const url = `/api/download?folder=${encodeURIComponent(props.folder)}&file=${encodeURIComponent(file)}`
-  await downloadApiFile(url, file)
+  errorMessage.value = ""
+
+  try {
+    await downloadApiFile(url, file)
+  } catch (error) {
+    console.error("Erreur telechargement backup:", error)
+    errorMessage.value = "Erreur lors de l'opération"
+  }
 }
 
 watch(() => props.folder, async (folder) => {
   if (!folder) {
     loading.value = false
     backups.value = []
+    errorMessage.value = ""
     return
   }
 
   loading.value = true
+  errorMessage.value = ""
   try {
     const data = await $fetch<string[]>(`/api/backups?folder=${encodeURIComponent(folder)}`, {
-      headers: apiAuthHeader
+      headers: apiAuthHeader,
+      server: false
     })
     backups.value = data
   } catch (error) {
     console.error("Erreur récupération backups:", error)
     backups.value = []
+    errorMessage.value = "Erreur lors de l'opération"
   } finally {
     loading.value = false
   }
@@ -124,6 +143,12 @@ watch(() => props.folder, async (folder) => {
   padding: 2.5rem 1rem;
 }
 
+.error-state {
+  border-radius: 8px;
+  border: 1px solid rgb(var(--m-error) / 0.12);
+  background: rgb(var(--m-error) / 0.06);
+}
+
 .file-list {
   display: flex;
   flex-direction: column;
diff --git a/components/BackupRun.vue b/components/BackupRun.vue
index 36b9db2..7ea5d5f 100644
--- a/components/BackupRun.vue
+++ b/components/BackupRun.vue
@@ -143,7 +143,7 @@ const loadScripts = async () => {
   } catch (error) {
     scripts.value = []
     isError.value = true
-    message.value = `Erreur chargement scripts: ${error instanceof Error ? error.message : String(error)}`
+    message.value = "Erreur lors de l'opération"
     emit("result", {
       key: null,
       label: "",
@@ -180,7 +180,7 @@ const runScript = async (key: string) => {
     })
   } catch (error: any) {
     isError.value = true
-    message.value = error?.data?.statusMessage || "Erreur execution script"
+    message.value = error?.data?.statusMessage || "Erreur lors de l'opération"
     output.value = ""
     emit("result", {
       key,
diff --git a/components/MessageDiscord.vue b/components/MessageDiscord.vue
index 6b61904..9b35026 100644
--- a/components/MessageDiscord.vue
+++ b/components/MessageDiscord.vue
@@ -2,8 +2,9 @@
 import {Icon as IconifyIcon} from "@iconify/vue"
 import { useApiAuthHeader } from "~/composables/useApiAuth"
 
-const { data: messages } = await useFetch('/api/discord/messages', {
-  headers: useApiAuthHeader()
+const { data: messages, error } = await useFetch('/api/discord/messages', {
+  headers: useApiAuthHeader(),
+  server: false
 })
 </script>
 
@@ -17,7 +18,14 @@ const { data: messages } = await useFetch('/api/discord/messages', {
       <span class="font-mono text-[10px] text-m-muted tracking-widest uppercase">Messages</span>
     </div>
 
-    <div v-if="!messages || messages.length === 0" class="empty-state">
+    <div v-if="error" class="empty-state error-state">
+      <IconifyIcon icon="mdi:alert-circle-outline" class="text-3xl text-m-error/70" />
+      <p class="mt-2 font-mono text-xs text-m-error/80">
+        Erreur lors de l'opération
+      </p>
+    </div>
+
+    <div v-else-if="!messages || messages.length === 0" class="empty-state">
       <IconifyIcon icon="mdi:chat-outline" class="text-3xl text-m-muted/40" />
       <p class="mt-2 font-mono text-xs text-m-muted/50">
         Aucun message
@@ -78,6 +86,12 @@ const { data: messages } = await useFetch('/api/discord/messages', {
   padding: 2rem 1rem;
 }
 
+.error-state {
+  border-radius: 8px;
+  border: 1px solid rgb(var(--m-error) / 0.12);
+  background: rgb(var(--m-error) / 0.06);
+}
+
 .message-list {
   display: flex;
   flex-direction: column;
diff --git a/components/Speedtest.vue b/components/Speedtest.vue
index 09872e5..cad8942 100644
--- a/components/Speedtest.vue
+++ b/components/Speedtest.vue
@@ -36,6 +36,10 @@
         </div>
       </div>
     </div>
+
+    <p v-if="errorMessage" class="error-text" role="status" aria-live="polite">
+      {{ errorMessage }}
+    </p>
   </div>
 </template>
 
@@ -48,6 +52,7 @@ const ping = ref<number | null>(null)
 const download = ref<number | null>(null)
 const upload = ref<number | null>(null)
 const isTesting = ref(false)
+const errorMessage = ref("")
 const apiAuthHeader = useApiAuthHeader()
 
 const metrics = computed(() => [
@@ -61,6 +66,9 @@ async function testDownload() {
   const res = await fetch('/api/download', {
     headers: apiAuthHeader
   })
+  if (!res.ok) {
+    throw new Error(`HTTP ${res.status}`)
+  }
   const blob = await res.blob()
   const end = performance.now()
   const size = blob.size
@@ -72,7 +80,10 @@ async function testUpload() {
   const size = 5 * 1024 * 1024
   const data = new Uint8Array(size)
   const start = performance.now()
-  await fetch('/api/upload', withApiAuth({ method: 'POST', body: data }))
+  const response = await fetch('/api/upload', withApiAuth({ method: 'POST', body: data }))
+  if (!response.ok) {
+    throw new Error(`HTTP ${response.status}`)
+  }
   const end = performance.now()
   const seconds = (end - start) / 1000
   upload.value = Math.round((size * 8) / seconds / 1000000)
@@ -80,7 +91,10 @@ async function testUpload() {
 
 async function testPing() {
   const start = performance.now()
-  await fetch('/api/ping')
+  const response = await fetch('/api/ping')
+  if (!response.ok) {
+    throw new Error(`HTTP ${response.status}`)
+  }
   const end = performance.now()
   ping.value = Math.round(end - start)
 }
@@ -90,11 +104,15 @@ async function runTests() {
   download.value = null
   upload.value = null
   ping.value = null
+  errorMessage.value = ""
 
   try {
     await testDownload()
     await testUpload()
     await testPing()
+  } catch (error) {
+    console.error("Erreur speedtest:", error)
+    errorMessage.value = "Erreur lors de l'opération"
   } finally {
     isTesting.value = false
   }
@@ -193,4 +211,15 @@ async function runTests() {
   letter-spacing: 0.1em;
   color: rgb(var(--m-muted));
 }
+
+.error-text {
+  margin-top: 0.75rem;
+  border-radius: 8px;
+  border: 1px solid rgb(var(--m-error) / 0.12);
+  background: rgb(var(--m-error) / 0.06);
+  padding: 0.75rem 0.875rem;
+  font-family: var(--font-mono);
+  font-size: 0.75rem;
+  color: rgb(var(--m-error));
+}
 </style>
diff --git a/composables/useApiAuth.ts b/composables/useApiAuth.ts
new file mode 100644
index 0000000..18b3210
--- /dev/null
+++ b/composables/useApiAuth.ts
@@ -0,0 +1,86 @@
+function toHeadersObject(headers?: HeadersInit): Record<string, string> {
+  if (!headers) {
+    return {}
+  }
+
+  if (headers instanceof Headers) {
+    return Object.fromEntries(headers.entries())
+  }
+
+  if (Array.isArray(headers)) {
+    return Object.fromEntries(headers)
+  }
+
+  return { ...headers }
+}
+
+function getDownloadFileName(contentDisposition: string | null, fallback: string) {
+  if (!contentDisposition) {
+    return fallback
+  }
+
+  const utf8Match = contentDisposition.match(/filename\*=UTF-8''([^;]+)/i)
+  if (utf8Match?.[1]) {
+    return decodeURIComponent(utf8Match[1])
+  }
+
+  const asciiMatch = contentDisposition.match(/filename="([^"]+)"/i)
+  if (asciiMatch?.[1]) {
+    return asciiMatch[1]
+  }
+
+  return fallback
+}
+
+export function useApiAuthHeader() {
+  const runtimeConfig = useRuntimeConfig()
+  const token = runtimeConfig.public.apiSecretKey
+
+  if (!token) {
+    return {}
+  }
+
+  // Tous les appels frontend vers /api/* reutilisent ce header commun.
+  return {
+    Authorization: `Bearer ${token}`
+  }
+}
+
+export async function downloadApiFile(url: string, fileNameFallback: string) {
+  // Les telechargements passent aussi par fetch pour pouvoir envoyer
+  // le header Authorization, contrairement a un simple <a href>.
+  const response = await fetch(url, {
+    headers: useApiAuthHeader()
+  })
+
+  if (!response.ok) {
+    throw new Error(`HTTP ${response.status}`)
+  }
+
+  const blob = await response.blob()
+  const objectUrl = URL.createObjectURL(blob)
+  const fileName = getDownloadFileName(
+    response.headers.get("content-disposition"),
+    fileNameFallback
+  )
+  const link = document.createElement("a")
+
+  link.href = objectUrl
+  link.download = fileName
+  link.style.display = "none"
+  document.body.appendChild(link)
+  link.click()
+  link.remove()
+  URL.revokeObjectURL(objectUrl)
+}
+
+export function withApiAuth(init: RequestInit = {}) {
+  // Fusionne le header d'auth avec d'eventuels headers deja fournis.
+  return {
+    ...init,
+    headers: {
+      ...useApiAuthHeader(),
+      ...toHeadersObject(init.headers)
+    }
+  }
+}
diff --git a/nuxt.config.ts b/nuxt.config.ts
index 0145bef..897c822 100644
--- a/nuxt.config.ts
+++ b/nuxt.config.ts
@@ -26,7 +26,7 @@ export default defineNuxtConfig({
     head: {
       link: [
         { rel: "preconnect", href: "https://fonts.googleapis.com" },
-        { rel: "preconnect", href: "https://fonts.gstatic.com", crossorigin: "" },
+        { rel: "preconnect", href: "https://fonts.gstatic.com ", crossorigin: "" },
         {
           rel: "stylesheet",
           href: "https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;500;600;700&family=Outfit:wght@300;400;500;600;700;800;900&display=swap"
diff --git a/pages/index.vue b/pages/index.vue
index 1f6a1ff..ac25caf 100644
--- a/pages/index.vue
+++ b/pages/index.vue
@@ -158,13 +158,12 @@ const runScript = async () => {
     })
     rawResults.value = output.results
   } catch (error) {
-    const message = `Erreur: ${error instanceof Error ? error.message : String(error)}`
     rawResults.value = [
       {
         key: "error",
         label: "Source indisponible",
         ok: false,
-        output: message
+        output: "Erreur lors de l'opération"
       }
     ]
   } finally {
diff --git a/server/api/backup-script.post.ts b/server/api/backup-script.post.ts
index a9eb7b1..a018c74 100644
--- a/server/api/backup-script.post.ts
+++ b/server/api/backup-script.post.ts
@@ -50,9 +50,11 @@ export default defineEventHandler(async (event) => {
       output: output.trim()
     }
   } catch (error) {
+    console.error("Erreur execution script:", error)
+
     throw createError({
       statusCode: 500,
-      statusMessage: `Erreur execution script: ${String(error)}`
+      statusMessage: "Erreur lors de l'opération"
     })
   }
 })
diff --git a/server/api/backups.get.ts b/server/api/backups.get.ts
index f81ecb9..ee2582c 100644
--- a/server/api/backups.get.ts
+++ b/server/api/backups.get.ts
@@ -31,9 +31,11 @@ function isMissingPathError(error: unknown): boolean {
 }
 
 function toServerError(error: unknown) {
+  console.error("Erreur backups:", error)
+
   return createError({
     statusCode: 500,
-    statusMessage: `Erreur SSH backups: ${String(error)}`
+    statusMessage: "Erreur lors de l'opération"
   })
 }
 
diff --git a/server/api/discord/messages.get.ts b/server/api/discord/messages.get.ts
index c004834..4e67f88 100644
--- a/server/api/discord/messages.get.ts
+++ b/server/api/discord/messages.get.ts
@@ -1,15 +1,31 @@
 export default defineEventHandler(async () => {
-    const token = process.env.DISCORD_BOT_TOKEN
-    const channel = process.env.DISCORD_CHANNEL_ID
+  const token = process.env.DISCORD_BOT_TOKEN
+  const channel = process.env.DISCORD_CHANNEL_ID
 
+  if (!token || !channel) {
+    throw createError({
+      statusCode: 503,
+      statusMessage: "Service indisponible"
+    })
+  }
+
+  try {
     const messages = await $fetch(
-        `https://discord.com/api/v10/channels/${channel}/messages?limit=20`,
-        {
-            headers: {
-                Authorization: `Bot ${token}`
-            }
+      `https://discord.com/api/v10/channels/${channel}/messages?limit=20`,
+      {
+        headers: {
+          Authorization: `Bot ${token}`
         }
+      }
     )
 
     return messages
-})
\ No newline at end of file
+  } catch (error) {
+    console.error("Erreur Discord messages:", error)
+
+    throw createError({
+      statusCode: 500,
+      statusMessage: "Erreur lors de l'opération"
+    })
+  }
+})
diff --git a/server/api/disk.get.ts b/server/api/disk.get.ts
index 0c59016..b469220 100644
--- a/server/api/disk.get.ts
+++ b/server/api/disk.get.ts
@@ -40,11 +40,12 @@ export default defineEventHandler(async () => {
           output
         }
       } catch (error) {
+        console.error(`Erreur disk source ${source.key}:`, error)
         return {
           key: source.key,
           label: source.label,
           ok: false,
-          output: `Erreur: ${String(error)}`
+          output: "Erreur lors de l'opération"
         }
       }
     })
diff --git a/server/api/download.get.ts b/server/api/download.get.ts
index f317d59..7ca0ebd 100644
--- a/server/api/download.get.ts
+++ b/server/api/download.get.ts
@@ -7,7 +7,7 @@ const REMOTE_ROOT = process.env.BACKUPS_REMOTE_ROOT || "/home/malio-b/backups"
 const FOLDER_MAP = folderMap as Record<string, string>
 
 const isSafeFolder = (value: string) => /^[a-zA-Z0-9._-]+$/.test(value)
-const isSafeFile = (value: string) => /^[^/\\]+$/.test(value)
+const isSafeFile = (value: string) => /^[a-zA-Z0-9._-]+$/.test(value)
 const shellQuote = (value: string) => `'${value.replace(/'/g, `'\\''`)}'`
 
 function runSsh(command: string): Promise<string> {
-- 
2.39.5


From 00dc2daa3d62c6eeaf8f530362bbc70b89e418eb Mon Sep 17 00:00:00 2001
From: kevin <kevin@yuno.malio.fr>
Date: Fri, 13 Mar 2026 09:47:09 +0100
Subject: [PATCH 3/3] fix : correctif mr

---
 components/BackupList.vue        |  8 ++-----
 components/BackupRun.vue         | 12 ++++------
 components/MessageDiscord.vue    |  4 ++--
 components/Speedtest.vue         |  9 +++----
 components/StatusSite.vue        |  7 ++----
 composables/useApiAuth.ts        | 41 ++++++++++++--------------------
 nuxt.config.ts                   |  1 -
 pages/backup.vue                 |  7 ++----
 pages/index.vue                  |  7 ++----
 server/middleware/auth-cookie.ts | 25 +++++++++++++++++++
 server/middleware/auth.ts        |  7 +++---
 11 files changed, 61 insertions(+), 67 deletions(-)
 create mode 100644 server/middleware/auth-cookie.ts

diff --git a/components/BackupList.vue b/components/BackupList.vue
index cca8806..63a63ea 100644
--- a/components/BackupList.vue
+++ b/components/BackupList.vue
@@ -62,7 +62,7 @@
 import {Icon as IconifyIcon} from "@iconify/vue"
 import CircleSkeleton from "~/components/skeleton/CircleSkeleton.vue"
 import TextSkeleton from "~/components/skeleton/TextSkeleton.vue"
-import { downloadApiFile, useApiAuthHeader } from "~/composables/useApiAuth"
+import { apiFetch, downloadApiFile } from "~/composables/useApiAuth"
 
 const props = defineProps<{
   folder: string | null
@@ -71,7 +71,6 @@ const props = defineProps<{
 const backups = ref<string[]>([])
 const loading = ref(false)
 const errorMessage = ref("")
-const apiAuthHeader = useApiAuthHeader()
 const title = computed(() => {
   if (!props.folder) return "Fichiers"
   return `Backup — ${props.folder.toUpperCase()}`
@@ -101,10 +100,7 @@ watch(() => props.folder, async (folder) => {
   loading.value = true
   errorMessage.value = ""
   try {
-    const data = await $fetch<string[]>(`/api/backups?folder=${encodeURIComponent(folder)}`, {
-      headers: apiAuthHeader,
-      server: false
-    })
+    const data = await apiFetch<string[]>(`/api/backups?folder=${encodeURIComponent(folder)}`)
     backups.value = data
   } catch (error) {
     console.error("Erreur récupération backups:", error)
diff --git a/components/BackupRun.vue b/components/BackupRun.vue
index 7ea5d5f..77e3c6f 100644
--- a/components/BackupRun.vue
+++ b/components/BackupRun.vue
@@ -79,7 +79,7 @@
 <script setup lang="ts">
 import { computed, onMounted, ref } from "vue"
 import { Icon as IconifyIcon } from "@iconify/vue"
-import { useApiAuthHeader } from "~/composables/useApiAuth"
+import { apiFetch } from "~/composables/useApiAuth"
 
 type BackupScript = {
   key: string
@@ -119,7 +119,6 @@ const scripts = ref<BackupScript[]>([])
 const output = ref<string>("")
 const message = ref<string>("")
 const isError = ref(false)
-const apiAuthHeader = useApiAuthHeader()
 
 const statusClass = computed(() => (isError.value ? "status-error" : "status-success"))
 
@@ -136,9 +135,7 @@ const loadScripts = async () => {
     downloadFolders: []
   })
   try {
-    const data = await $fetch<BackupScriptListResponse>("/api/backup-script", {
-      headers: apiAuthHeader
-    })
+    const data = await apiFetch<BackupScriptListResponse>("/api/backup-script")
     scripts.value = data.scripts
   } catch (error) {
     scripts.value = []
@@ -164,10 +161,9 @@ const runScript = async (key: string) => {
   isError.value = false
 
   try {
-    const data = await $fetch<BackupScriptRunResponse>("/api/backup-script", {
+    const data = await apiFetch<BackupScriptRunResponse>("/api/backup-script", {
       method: "POST",
-      body: { key },
-      headers: apiAuthHeader
+      body: { key }
     })
     message.value = `${data.label} execute avec succes`
     output.value = data.output || "Aucune sortie retournee."
diff --git a/components/MessageDiscord.vue b/components/MessageDiscord.vue
index 9b35026..7f17a83 100644
--- a/components/MessageDiscord.vue
+++ b/components/MessageDiscord.vue
@@ -1,9 +1,9 @@
 <script setup>
 import {Icon as IconifyIcon} from "@iconify/vue"
-import { useApiAuthHeader } from "~/composables/useApiAuth"
+import { apiFetch } from "~/composables/useApiAuth"
 
 const { data: messages, error } = await useFetch('/api/discord/messages', {
-  headers: useApiAuthHeader(),
+  $fetch: apiFetch,
   server: false
 })
 </script>
diff --git a/components/Speedtest.vue b/components/Speedtest.vue
index cad8942..9c16fbf 100644
--- a/components/Speedtest.vue
+++ b/components/Speedtest.vue
@@ -46,14 +46,13 @@
 <script setup lang="ts">
 import {computed, ref} from "vue"
 import {Icon as IconifyIcon} from "@iconify/vue"
-import { useApiAuthHeader, withApiAuth } from "~/composables/useApiAuth"
+import { apiRequest } from "~/composables/useApiAuth"
 
 const ping = ref<number | null>(null)
 const download = ref<number | null>(null)
 const upload = ref<number | null>(null)
 const isTesting = ref(false)
 const errorMessage = ref("")
-const apiAuthHeader = useApiAuthHeader()
 
 const metrics = computed(() => [
   { label: "Download", icon: "mdi:arrow-down-bold", value: download.value, unit: "Mbps" },
@@ -63,9 +62,7 @@ const metrics = computed(() => [
 
 async function testDownload() {
   const start = performance.now()
-  const res = await fetch('/api/download', {
-    headers: apiAuthHeader
-  })
+  const res = await apiRequest('/api/download')
   if (!res.ok) {
     throw new Error(`HTTP ${res.status}`)
   }
@@ -80,7 +77,7 @@ async function testUpload() {
   const size = 5 * 1024 * 1024
   const data = new Uint8Array(size)
   const start = performance.now()
-  const response = await fetch('/api/upload', withApiAuth({ method: 'POST', body: data }))
+  const response = await apiRequest('/api/upload', { method: 'POST', body: data })
   if (!response.ok) {
     throw new Error(`HTTP ${response.status}`)
   }
diff --git a/components/StatusSite.vue b/components/StatusSite.vue
index 8300daa..61ec956 100644
--- a/components/StatusSite.vue
+++ b/components/StatusSite.vue
@@ -43,7 +43,7 @@
 import CircleSkeleton from "~/components/skeleton/CircleSkeleton.vue"
 import TextSkeleton from "~/components/skeleton/TextSkeleton.vue"
 import {onBeforeUnmount, onMounted, ref} from "vue"
-import { useApiAuthHeader } from "~/composables/useApiAuth"
+import { apiFetch } from "~/composables/useApiAuth"
 
 interface StatusRow {
   label: string
@@ -72,7 +72,6 @@ const props = withDefaults(
 const rows = ref<StatusRow[]>([])
 const loading = ref(true)
 const initialized = ref(false)
-const apiAuthHeader = useApiAuthHeader()
 let timer: ReturnType<typeof setInterval> | null = null
 
 const statusLabel = (status: number) => {
@@ -86,9 +85,7 @@ const checkStatus = async () => {
     loading.value = true
   }
   try {
-    const data = await $fetch<StatusResponse>(props.endpoint, {
-      headers: apiAuthHeader
-    })
+    const data = await apiFetch<StatusResponse>(props.endpoint)
     rows.value = data.results
   } catch (error) {
     rows.value = [
diff --git a/composables/useApiAuth.ts b/composables/useApiAuth.ts
index 18b3210..5954b34 100644
--- a/composables/useApiAuth.ts
+++ b/composables/useApiAuth.ts
@@ -32,26 +32,26 @@ function getDownloadFileName(contentDisposition: string | null, fallback: string
   return fallback
 }
 
-export function useApiAuthHeader() {
-  const runtimeConfig = useRuntimeConfig()
-  const token = runtimeConfig.public.apiSecretKey
-
-  if (!token) {
-    return {}
-  }
-
-  // Tous les appels frontend vers /api/* reutilisent ce header commun.
+export function withApiAuth(init: RequestInit = {}) {
+  // Les appels frontend reutilisent les cookies httpOnly poses cote serveur.
   return {
-    Authorization: `Bearer ${token}`
+    ...init,
+    headers: {
+      ...toHeadersObject(init.headers)
+    }
   }
 }
 
+export const apiFetch = $fetch.create({})
+
+export function apiRequest(input: RequestInfo | URL, init: RequestInit = {}) {
+  return fetch(input, withApiAuth(init))
+}
+
 export async function downloadApiFile(url: string, fileNameFallback: string) {
-  // Les telechargements passent aussi par fetch pour pouvoir envoyer
-  // le header Authorization, contrairement a un simple <a href>.
-  const response = await fetch(url, {
-    headers: useApiAuthHeader()
-  })
+  // Les telechargements passent aussi par fetch pour pouvoir recuperer
+  // le contenu et le nom de fichier renvoye par l'API.
+  const response = await apiRequest(url)
 
   if (!response.ok) {
     throw new Error(`HTTP ${response.status}`)
@@ -73,14 +73,3 @@ export async function downloadApiFile(url: string, fileNameFallback: string) {
   link.remove()
   URL.revokeObjectURL(objectUrl)
 }
-
-export function withApiAuth(init: RequestInit = {}) {
-  // Fusionne le header d'auth avec d'eventuels headers deja fournis.
-  return {
-    ...init,
-    headers: {
-      ...useApiAuthHeader(),
-      ...toHeadersObject(init.headers)
-    }
-  }
-}
diff --git a/nuxt.config.ts b/nuxt.config.ts
index 897c822..d3ca763 100644
--- a/nuxt.config.ts
+++ b/nuxt.config.ts
@@ -37,7 +37,6 @@ export default defineNuxtConfig({
   runtimeConfig: {
     apiSecretKey: process.env.API_SECRET_KEY,
     public: {
-      apiSecretKey: process.env.API_SECRET_KEY || "",
       appVersion: getRepoVersion()
     }
   },
diff --git a/pages/backup.vue b/pages/backup.vue
index 4c33a8a..3efef01 100644
--- a/pages/backup.vue
+++ b/pages/backup.vue
@@ -96,7 +96,7 @@
 <script setup lang="ts">
 import { ref } from "vue"
 import BackupRun from "~/components/BackupRun.vue"
-import { downloadApiFile, useApiAuthHeader } from "~/composables/useApiAuth"
+import { apiFetch, downloadApiFile } from "~/composables/useApiAuth"
 
 definePageMeta({ layout: false })
 
@@ -118,12 +118,9 @@ const emptyScriptResult = (): ScriptResult => ({
 
 const selectedBackup = ref<string | null>(null)
 const scriptResult = ref<ScriptResult>(emptyScriptResult())
-const apiAuthHeader = useApiAuthHeader()
 
 const fetchLatestBackup = async (folder: string) => {
-  const files = await $fetch<string[]>(`/api/backups?folder=${encodeURIComponent(folder)}`, {
-    headers: apiAuthHeader
-  })
+  const files = await apiFetch<string[]>(`/api/backups?folder=${encodeURIComponent(folder)}`)
   return files[0] || null
 }
 
diff --git a/pages/index.vue b/pages/index.vue
index ac25caf..0f23312 100644
--- a/pages/index.vue
+++ b/pages/index.vue
@@ -49,7 +49,7 @@
 <script setup lang="ts">
 definePageMeta({layout: false})
 import {computed, onMounted, ref} from "vue"
-import { useApiAuthHeader } from "~/composables/useApiAuth"
+import { apiFetch } from "~/composables/useApiAuth"
 
 type DiskSourceResult = {
   key: string
@@ -78,7 +78,6 @@ type DiagramItem = {
 const selectedBackup = ref<string | null>(null)
 const rawResults = ref<DiskSourceResult[]>([])
 const loading = ref(false)
-const apiAuthHeader = useApiAuthHeader()
 const chartRadius = 52
 const chartCircumference = 2 * Math.PI * chartRadius
 
@@ -153,9 +152,7 @@ const runScript = async () => {
   rawResults.value = []
 
   try {
-    const output = await $fetch<DiskApiResponse>("/api/disk", {
-      headers: apiAuthHeader
-    })
+    const output = await apiFetch<DiskApiResponse>("/api/disk")
     rawResults.value = output.results
   } catch (error) {
     rawResults.value = [
diff --git a/server/middleware/auth-cookie.ts b/server/middleware/auth-cookie.ts
new file mode 100644
index 0000000..0464896
--- /dev/null
+++ b/server/middleware/auth-cookie.ts
@@ -0,0 +1,25 @@
+export default defineEventHandler((event) => {
+  const path = event.path || event.node.req.url || ""
+
+  if (path.startsWith("/api/")) {
+    return
+  }
+
+  const runtimeConfig = useRuntimeConfig(event)
+  const expectedToken = runtimeConfig.apiSecretKey
+
+  if (!expectedToken) {
+    return
+  }
+
+  if (getCookie(event, "api_auth_token") === expectedToken) {
+    return
+  }
+
+  setCookie(event, "api_auth_token", expectedToken, {
+    httpOnly: true,
+    sameSite: "lax",
+    secure: process.env.NODE_ENV === "production",
+    path: "/"
+  })
+})
diff --git a/server/middleware/auth.ts b/server/middleware/auth.ts
index 707f959..e1e5919 100644
--- a/server/middleware/auth.ts
+++ b/server/middleware/auth.ts
@@ -9,6 +9,7 @@ export default defineEventHandler((event) => {
 
   const runtimeConfig = useRuntimeConfig(event)
   const authorization = getHeader(event, "authorization")
+  const cookieToken = getCookie(event, "api_auth_token")
   const expectedToken = runtimeConfig.apiSecretKey
 
   // Si aucun secret n'est configure cote serveur, on refuse la requete.
@@ -19,9 +20,9 @@ export default defineEventHandler((event) => {
     })
   }
 
-  // Le header doit correspondre exactement au format attendu :
-  // Authorization: Bearer <token>
-  if (authorization !== `Bearer ${expectedToken}`) {
+  // Le secret peut venir soit d'un header serveur explicite,
+  // soit du cookie httpOnly pose pour l'application web.
+  if (authorization !== `Bearer ${expectedToken}` && cookieToken !== expectedToken) {
     throw createError({
       statusCode: 401,
       statusMessage: "Unauthorized"
-- 
2.39.5