fix: support CloudFront-compatible dashboard auth

CloudFront strips cookies by default, causing dashboard auth to fail.
Added support for Authorization header and query parameter auth as
alternatives. Login now redirects with ?token= for CDN compatibility.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: chrisbbreuer

packages/registry/src/e2e.test.ts

@@ -274,7 +274,7 @@ describe('e2e: binary proxy + analytics + dashboard', () => {
       expect(html).toContain('Sign In')
     })
 
-    it('POST /dashboard/login with valid token sets cookie and redirects', async () => {
+    it('POST /dashboard/login with valid token sets cookie and redirects with token param', async () => {
       const formData = new FormData()
       formData.set('token', TEST_TOKEN)
 
@@ -284,14 +284,28 @@ describe('e2e: binary proxy + analytics + dashboard', () => {
         redirect: 'manual',
       })
       expect(res.status).toBe(302)
-      expect(res.headers.get('location')).toBe('/dashboard')
+      expect(res.headers.get('location')).toContain('/dashboard?token=')
 
       const cookie = res.headers.get('set-cookie')
       expect(cookie).toContain('pantry_token=')
       expect(cookie).toContain('HttpOnly')
       expect(cookie).toContain('SameSite=Strict')
     })
 
+    it('supports auth via query parameter (CloudFront compatible)', async () => {
+      const res = await fetch(`${baseUrl}/dashboard?token=${TEST_TOKEN}`)
+      expect(res.status).toBe(200)
+      expect(res.headers.get('content-type')).toBe('text/html')
+    })
+
+    it('supports auth via Authorization header', async () => {
+      const res = await fetch(`${baseUrl}/dashboard`, {
+        headers: { 'Authorization': `Bearer ${TEST_TOKEN}` },
+      })
+      expect(res.status).toBe(200)
+      expect(res.headers.get('content-type')).toBe('text/html')
+    })
+
     it('POST /dashboard/login with invalid token shows error', async () => {
       const formData = new FormData()
       formData.set('token', 'wrong-token')

packages/registry/src/server.ts

@@ -1012,10 +1012,23 @@ async function handleBinaryProxy(
  */
 const DASHBOARD_TOKEN = process.env.PANTRY_REGISTRY_TOKEN || process.env.PANTRY_TOKEN || 'ABCD1234'
 
-function getDashboardAuth(req: Request): boolean {
+function getDashboardAuth(req: Request, url?: URL): boolean {
+  // Check cookie first (direct access / cookie-forwarding CDN)
   const cookieHeader = req.headers.get('cookie') || ''
-  const match = cookieHeader.match(/pantry_token=([^;]+)/)
-  return match ? match[1] === DASHBOARD_TOKEN : false
+  const cookieMatch = cookieHeader.match(/pantry_token=([^;]+)/)
+  if (cookieMatch && cookieMatch[1] === DASHBOARD_TOKEN) return true
+
+  // Check Authorization header (CloudFront forwards this)
+  const authHeader = req.headers.get('authorization') || ''
+  if (authHeader.startsWith('Bearer ') && authHeader.slice(7) === DASHBOARD_TOKEN) return true
+
+  // Check query parameter (CloudFront forwards query strings)
+  if (url) {
+    const tokenParam = url.searchParams.get('token')
+    if (tokenParam === DASHBOARD_TOKEN) return true
+  }
+
+  return false
 }
 
 async function handleDashboard(
@@ -1053,7 +1066,7 @@ async function handleDashboard(
           status: 302,
           headers: {
             ...noCacheHeaders,
-            'Location': '/dashboard',
+            'Location': `/dashboard?token=${encodeURIComponent(token)}`,
             'Set-Cookie': `pantry_token=${token}; Path=/dashboard; HttpOnly; SameSite=Strict; Max-Age=86400`,
           },
         })
@@ -1066,7 +1079,7 @@ async function handleDashboard(
   }
 
   // Auth gate for all other dashboard routes
-  if (!getDashboardAuth(req)) {
+  if (!getDashboardAuth(req, url)) {
     return new Response(null, {
       status: 302,
       headers: { ...noCacheHeaders, 'Location': '/dashboard/login' },