What steps does it take to reproduce the issue?

This issue can be easily reproduced from the SPA, which uses the bearer token authentication mechanism. Files in a dataset’s draft version are subject to permission checks to ensure that the user attempting to download them has the necessary access rights. The Access API currently relies on the Dataverse session (via the JSESSIONID cookie) to verify user permissions.

We need to decouple the Access API from this responsibility, so that it validates permissions for the authenticated user provided by the API authentication filter—regardless of the authentication mechanism used. In the SPA’s case, this is a bearer token.

At present, there are multiple references to DataverseSession within the Access API. When implementing these changes, it’s important to maintain backward compatibility, since JSF uses these endpoints and relies on the session cookie authentication mechanism.

This is the error we are obtaining from the SPA when attempting to download a file from a draft dataset version:

• When does this issue occur?

Download files from a draft version using the access API

• Which page(s) does it occurs on?

SPA Dataset page

• What happens?

We encounter an API error and files are not downloaded.

• To whom does it occur (all users, curators, superusers)?

SPA and API users

• What did you expect to happen?

Files to be correctly downloaded from draft versions.

Which version of Dataverse are you using?

Latest

Are you thinking about creating a pull request for this issue?
Help is always welcome, is this bug something you or your organization plan to fix?