signed url download (#2402)

* signed url download

* exclude download path

* direct state store

Author: breardon2011

taco/internal/api/routes.go

@@ -274,14 +274,14 @@ func RegisterRoutes(e *echo.Echo, deps Dependencies) {
 	tfeGroup.POST("/workspaces/:workspace_id/actions/force-unlock", tfeHandler.ForceUnlockWorkspace)
 	tfeGroup.GET("/workspaces/:workspace_id/current-state-version", tfeHandler.GetCurrentStateVersion)
 	tfeGroup.POST("/workspaces/:workspace_id/state-versions", tfeHandler.CreateStateVersion)
-	tfeGroup.GET("/state-versions/:id/download", tfeHandler.DownloadStateVersion)
 	tfeGroup.GET("/state-versions/:id", tfeHandler.ShowStateVersion)
 
-	// Upload endpoints exempt from auth middleware (Terraform doesn't send auth headers)
-	// Security: These validate lock ownership and have RBAC checks in handlers
-	// Upload URLs can only be obtained from authenticated CreateStateVersion calls
+	// Upload/Download endpoints use signed URLs instead of auth middleware
+	// Reason: Terraform 1.5.x doesn't send Authorization headers for downloads
+	// Security: URLs are signed with expiration and can only be obtained from authenticated calls
 	tfeSignedUrlsGroup := e.Group("/tfe/api/v2")
 	tfeSignedUrlsGroup.Use(middleware.VerifySignedURL)
+	tfeSignedUrlsGroup.GET("/state-versions/:id/download", tfeHandler.DownloadStateVersion)
 	tfeSignedUrlsGroup.PUT("/state-versions/:id/upload", tfeHandler.UploadStateVersion)
 	tfeSignedUrlsGroup.PUT("/state-versions/:id/json-upload", tfeHandler.UploadJSONStateOutputs)
 

taco/internal/tfe/workspaces.go

@@ -864,7 +864,11 @@ func (h *TfeHandler) GetCurrentStateVersion(c echo.Context) error {
 	stateVersionID := generateStateVersionID(stateID, stateMeta.Updated.Unix())
 
 	baseURL := getBaseURL(c)
-	downloadURL := fmt.Sprintf("%s/tfe/api/v2/state-versions/%s/download", baseURL, stateVersionID)
+	// Sign the download URL for Terraform 1.5.x compatibility (doesn't send auth headers)
+	downloadURL, err := auth.SignURL(baseURL, fmt.Sprintf("/tfe/api/v2/state-versions/%s/download", stateVersionID), time.Now().Add(10*time.Minute))
+	if err != nil {
+		return c.JSON(500, map[string]string{"error": "Failed to sign download URL"})
+	}
 
 	// Return current state version info
 	return c.JSON(200, map[string]interface{}{
@@ -1174,7 +1178,7 @@ func (h *TfeHandler) DownloadStateVersion(c echo.Context) error {
 	unitUUID := extractUnitUUID(stateID)
 
 	// Download the state data
-	stateData, err := h.stateStore.Download(c.Request().Context(), unitUUID)
+	stateData, err := h.directStateStore.Download(c.Request().Context(), unitUUID)
 	if err != nil {
 		if err == storage.ErrNotFound {
 			return c.JSON(404, map[string]string{"error": "State version not found"})
@@ -1359,7 +1363,11 @@ func (h *TfeHandler) ShowStateVersion(c echo.Context) error {
 	}
 
 	baseURL := getBaseURL(c)
-	downloadURL := fmt.Sprintf("%s/tfe/api/v2/state-versions/%s/download", baseURL, id)
+	// Sign the download URL for Terraform 1.5.x compatibility
+	downloadURL, err := auth.SignURL(baseURL, fmt.Sprintf("/tfe/api/v2/state-versions/%s/download", id), time.Now().Add(10*time.Minute))
+	if err != nil {
+		return c.JSON(500, map[string]string{"error": "Failed to sign download URL"})
+	}
 
 	resp := map[string]interface{}{
 		"data": map[string]interface{}{

ui/src/routes/tfe/$.tsx

@@ -17,8 +17,12 @@ async function handler({ request }) {
     /^\/tfe\/api\/v2\/state-versions\/[^\/]+\/upload$/.test(url.pathname) ||
     /^\/tfe\/api\/v2\/state-versions\/[^\/]+\/json-upload$/.test(url.pathname);
 
+  const isDownloadPath =
+    /^\/tfe\/api\/v2\/state-versions\/[^\/]+\/download$/.test(url.pathname);
+  
+
   // OAuth and upload paths: forward directly to public statesman endpoints
-  if (isOAuthPath || isUploadPath) {
+  if (isOAuthPath || isUploadPath || isDownloadPath) {
     const outgoingHeaders = new Headers(request.headers);
     const originalHost = outgoingHeaders.get('host') ?? '';
     if (originalHost) outgoingHeaders.set('x-forwarded-host', originalHost);