From b649a800ef2d2696eb10187d8e3b3d9143af76de Mon Sep 17 00:00:00 2001
From: Keita Watanabe <keitaw09@gmail.com>
Date: Thu, 2 Apr 2026 23:36:56 +0000
Subject: [PATCH 1/3] fix: route dataset file browser and preview through
 service to support private buckets (#793)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The UI's fetchManifest and file preview proxy performed unsigned fetch()
against S3 HTTPS URLs, which fails with 403 on private buckets.

Added two service-side proxy endpoints:
- GET /{bucket}/dataset/{name}/manifest — reads manifest JSON from storage
  using bucket credentials (supports S3, GCS, Azure, Swift, TOS)
- GET /{bucket}/dataset/{name}/file-content — streams individual file
  content with storage_path validation against dataset container

Updated UI to call these endpoints through the existing /api catch-all
proxy instead of direct unsigned fetch. Removed unused fetchManifest
server action files.
---
 src/service/core/data/data_service.py         | 60 ++++++++++++
 src/ui/next.config.ts                         |  3 -
 .../dataset/file/route.impl.production.ts     | 95 +++++++++++++------
 .../components/dataset-detail-content.tsx     | 16 +++-
 .../detail/components/file-preview-panel.tsx  | 67 +++++++++----
 src/ui/src/lib/api/adapter/datasets-hooks.ts  |  7 +-
 src/ui/src/lib/api/adapter/datasets.ts        | 22 ++++-
 .../api/server/dataset-actions.production.ts  | 31 ------
 src/ui/src/lib/api/server/dataset-actions.ts  | 59 ------------
 src/ui/src/mocks/handlers.ts                  | 41 ++++++--
 10 files changed, 246 insertions(+), 155 deletions(-)
 delete mode 100644 src/ui/src/lib/api/server/dataset-actions.production.ts
 delete mode 100644 src/ui/src/lib/api/server/dataset-actions.ts

diff --git a/src/service/core/data/data_service.py b/src/service/core/data/data_service.py
index 8f68b3577..3a3fe8d35 100755
--- a/src/service/core/data/data_service.py
+++ b/src/service/core/data/data_service.py
@@ -19,6 +19,7 @@
 import base64
 import datetime
 import json
+import mimetypes
 import shlex
 from typing import Any, Dict, List, Sequence
 import uuid
@@ -988,6 +989,65 @@ def get_info(
                                     versions=rows)
 
 
+@router.get('/{bucket}/dataset/{name}/manifest')
+def get_manifest(
+    bucket: objects.DatasetPattern,
+    name: objects.DatasetPattern,
+    version: str = fastapi.Query(...),
+) -> List:
+    """ This api returns the manifest for a dataset version. """
+    postgres = connectors.PostgresConnector.get_instance()
+    dataset_info = get_dataset(postgres, bucket=bucket, name=name)
+
+    fetch_command = '''
+        SELECT location FROM dataset_version
+        WHERE dataset_id = %s AND version_id = %s AND status = %s;
+    '''
+    rows = postgres.execute_fetch_command(
+        fetch_command, (dataset_info.id, version, objects.DatasetStatus.READY.name))
+    if not rows:
+        raise osmo_errors.OSMODatabaseError(
+            f'Version {version} not found for dataset {name} in bucket {bucket}.')
+
+    bucket_config = postgres.get_dataset_configs().get_bucket_config(bucket)
+    client = storage.Client.create(
+        storage_uri=rows[0].location,
+        data_credential=bucket_config.default_credential,
+    )
+    manifest_content = client.get_object_stream(as_io=True).read()
+    return json.loads(manifest_content)
+
+
+@router.get('/{bucket}/dataset/{name}/file-content')
+def get_file_content(
+    bucket: objects.DatasetPattern,
+    name: objects.DatasetPattern,
+    storage_path: str = fastapi.Query(...),
+) -> fastapi.responses.StreamingResponse:
+    """ This api streams file content from storage for the dataset file preview. """
+    postgres = connectors.PostgresConnector.get_instance()
+    dataset_info = get_dataset(postgres, bucket=bucket, name=name)
+
+    # Validate that the storage path belongs to this dataset's storage prefix
+    requested_backend = storage.construct_storage_backend(storage_path)
+    dataset_backend = storage.construct_storage_backend(dataset_info.hash_location)
+    if requested_backend.container != dataset_backend.container:
+        raise osmo_errors.OSMOUserError(
+            'Storage path does not belong to this dataset.')
+
+    bucket_config = postgres.get_dataset_configs().get_bucket_config(bucket)
+    client = storage.Client.create(
+        storage_uri=storage_path,
+        data_credential=bucket_config.default_credential,
+    )
+
+    content_type = mimetypes.guess_type(storage_path)[0] or 'application/octet-stream'
+    return fastapi.responses.StreamingResponse(
+        client.get_object_stream(),
+        media_type=content_type,
+    )
+
+
 @router.get('/list_dataset')
 def list_dataset_from_bucket(name: objects.DatasetPattern | None = None,
                              user: List[str] | None = fastapi.Query(default = None),
diff --git a/src/ui/next.config.ts b/src/ui/next.config.ts
index d65685c4e..32732d8d5 100644
--- a/src/ui/next.config.ts
+++ b/src/ui/next.config.ts
@@ -198,9 +198,6 @@ const nextConfig: NextConfig = {
             // This allows Turbopack aliasing to work (aliases work for imports, not file discovery)
             "@/app/api/[...path]/route.impl": "@/app/api/[...path]/route.impl.production",
 
-            // Dataset manifest server action - alias to production version (zero mock code)
-            "@/lib/api/server/dataset-actions": "@/lib/api/server/dataset-actions.production",
-
             // Dataset file proxy route - alias to production version (zero mock code)
             "@/app/proxy/dataset/file/route.impl":
               "@/app/proxy/dataset/file/route.impl.production",
diff --git a/src/ui/src/app/proxy/dataset/file/route.impl.production.ts b/src/ui/src/app/proxy/dataset/file/route.impl.production.ts
index 17c7ef928..2c5e3c0f5 100644
--- a/src/ui/src/app/proxy/dataset/file/route.impl.production.ts
+++ b/src/ui/src/app/proxy/dataset/file/route.impl.production.ts
@@ -18,55 +18,96 @@
  * Dataset File Proxy — Production Implementation
  *
  * Server-side proxy for fetching dataset files from storage URLs.
- * Routes requests through the server to avoid CSP restrictions.
  *
- * GET /proxy/dataset/file?url={encodedFileUrl}  → streams file content
- * HEAD /proxy/dataset/file?url={encodedFileUrl} → returns headers only
+ * When bucket/name/storagePath params are present, routes through the backend
+ * service's file-content endpoint (handles private buckets with credentials).
+ * Falls back to direct fetch for legacy callers that only provide a url param.
+ *
+ * GET /proxy/dataset/file?bucket=...&name=...&storagePath=...  → service proxy
+ * GET /proxy/dataset/file?url={encodedFileUrl}                 → direct fetch (legacy)
+ * HEAD variants of the above                                   → headers only
  */
 
+import type { NextRequest } from "next/server";
+import { getServerApiBaseUrl } from "@/lib/api/server/config";
+import { forwardAuthHeaders } from "@/lib/api/server/proxy-headers";
+
 const FORWARDED_HEADERS = ["content-type", "content-length", "last-modified", "etag", "cache-control"] as const;
 
-function parseAndValidateUrl(request: Request): { url: string } | Response {
+function forwardResponseHeaders(upstream: Response): Headers {
+  const headers = new Headers();
+  for (const header of FORWARDED_HEADERS) {
+    const value = upstream.headers.get(header);
+    if (value) headers.set(header, value);
+  }
+  return headers;
+}
+
+interface ServiceParams {
+  bucket: string;
+  name: string;
+  storagePath: string;
+}
+
+interface LegacyParams {
+  url: string;
+}
+
+function parseParams(request: Request): ServiceParams | LegacyParams | Response {
   const { searchParams } = new URL(request.url);
-  const url = searchParams.get("url");
 
-  if (!url) {
-    return Response.json({ error: "url parameter is required" }, { status: 400 });
+  const bucket = searchParams.get("bucket");
+  const name = searchParams.get("name");
+  const storagePath = searchParams.get("storagePath");
+
+  if (bucket && name && storagePath) {
+    return { bucket, name, storagePath };
   }
 
+  // Legacy fallback: direct URL fetch (works for public buckets only)
+  const url = searchParams.get("url");
+  if (!url) {
+    return Response.json({ error: "bucket/name/storagePath or url parameter is required" }, { status: 400 });
+  }
   if (!url.startsWith("http://") && !url.startsWith("https://")) {
     return Response.json({ error: "Only http/https URLs are supported" }, { status: 400 });
   }
-
   return { url };
 }
 
-export async function GET(request: Request) {
-  const result = parseAndValidateUrl(request);
-  if (result instanceof Response) return result;
-
-  const upstream = await fetch(result.url);
+function isServiceParams(params: ServiceParams | LegacyParams): params is ServiceParams {
+  return "storagePath" in params;
+}
 
-  const headers = new Headers();
-  for (const header of FORWARDED_HEADERS) {
-    const value = upstream.headers.get(header);
-    if (value) headers.set(header, value);
+async function fetchUpstream(
+  request: NextRequest,
+  params: ServiceParams | LegacyParams,
+  method: string,
+): Promise<Response> {
+  if (isServiceParams(params)) {
+    const backendUrl = getServerApiBaseUrl();
+    const query = new URLSearchParams({ storage_path: params.storagePath });
+    const serviceUrl = `${backendUrl}/api/bucket/${encodeURIComponent(params.bucket)}/dataset/${encodeURIComponent(params.name)}/file-content?${query}`;
+    const headers = forwardAuthHeaders(request);
+    return fetch(serviceUrl, { method, headers });
   }
-
-  return new Response(upstream.body, { status: upstream.status, headers });
+  return fetch(params.url, { method });
 }
 
-export async function HEAD(request: Request) {
-  const result = parseAndValidateUrl(request);
+export async function GET(request: NextRequest) {
+  const result = parseParams(request);
   if (result instanceof Response) return result;
 
-  const upstream = await fetch(result.url, { method: "HEAD" });
+  const upstream = await fetchUpstream(request, result, "GET");
+  const headers = forwardResponseHeaders(upstream);
+  return new Response(upstream.body, { status: upstream.status, headers });
+}
 
-  const headers = new Headers();
-  for (const header of FORWARDED_HEADERS) {
-    const value = upstream.headers.get(header);
-    if (value) headers.set(header, value);
-  }
+export async function HEAD(request: NextRequest) {
+  const result = parseParams(request);
+  if (result instanceof Response) return result;
 
+  const upstream = await fetchUpstream(request, result, "HEAD");
+  const headers = forwardResponseHeaders(upstream);
   return new Response(null, { status: upstream.status, headers });
 }
diff --git a/src/ui/src/features/datasets/detail/components/dataset-detail-content.tsx b/src/ui/src/features/datasets/detail/components/dataset-detail-content.tsx
index 2e3c5e741..c05137402 100644
--- a/src/ui/src/features/datasets/detail/components/dataset-detail-content.tsx
+++ b/src/ui/src/features/datasets/detail/components/dataset-detail-content.tsx
@@ -176,6 +176,8 @@ export function DatasetDetailContent({ bucket, name }: Props) {
   const {
     versions,
     location,
+    resolvedName,
+    resolvedVersion,
     files: virtualFiles,
     memberSubPath,
     segmentLabels,
@@ -184,6 +186,8 @@ export function DatasetDetailContent({ bucket, name }: Props) {
       return {
         versions: [],
         location: null as string | null,
+        resolvedName: name,
+        resolvedVersion: "",
         files: null as DatasetFile[] | null,
         memberSubPath: "",
         segmentLabels: {} as Record<string, string>,
@@ -197,6 +201,8 @@ export function DatasetDetailContent({ bucket, name }: Props) {
       return {
         versions: detail.versions,
         location: currentVersionData?.location ?? null,
+        resolvedName: name,
+        resolvedVersion: currentVersionData?.version ?? "",
         files: null,
         memberSubPath: path,
         segmentLabels: {},
@@ -221,6 +227,8 @@ export function DatasetDetailContent({ bucket, name }: Props) {
       return {
         versions: [],
         location: null,
+        resolvedName: name,
+        resolvedVersion: "",
         files: memberEntries,
         memberSubPath: "",
         segmentLabels: labels,
@@ -234,11 +242,13 @@ export function DatasetDetailContent({ bucket, name }: Props) {
     return {
       versions: [],
       location: member?.location ?? null,
+      resolvedName: member?.name ?? name,
+      resolvedVersion: member?.version ?? "",
       files: null,
       memberSubPath: subPath,
       segmentLabels: labels,
     };
-  }, [detail, version, path]);
+  }, [detail, version, path, name]);
 
   // ==========================================================================
   // File listing — fetch manifest for selected version/member
@@ -249,7 +259,7 @@ export function DatasetDetailContent({ bucket, name }: Props) {
     isLoading: isFilesLoading,
     error: filesError,
     refetch: refetchFiles,
-  } = useDatasetFiles(location);
+  } = useDatasetFiles(bucket, resolvedName, resolvedVersion, location);
 
   // Normal (unfiltered) directory listing — used for FilterBar suggestions and as base view
   const normalFiles = useMemo(
@@ -573,6 +583,8 @@ export function DatasetDetailContent({ bucket, name }: Props) {
                       <FilePreviewPanel
                         file={panelFileData}
                         path={fileDirPath}
+                        bucket={bucket}
+                        datasetName={resolvedName}
                         onClose={handleClosePanel}
                       />
                     )}
diff --git a/src/ui/src/features/datasets/detail/components/file-preview-panel.tsx b/src/ui/src/features/datasets/detail/components/file-preview-panel.tsx
index 9274ecdef..90dd58e8e 100644
--- a/src/ui/src/features/datasets/detail/components/file-preview-panel.tsx
+++ b/src/ui/src/features/datasets/detail/components/file-preview-panel.tsx
@@ -24,7 +24,7 @@
  * - image/* → <img> via proxy
  * - video/* → <video controls> via proxy
  * - other  → "preview unavailable" message
- * - 401/403 → lock icon + "bucket must be public" error
+ * - 401/403 → lock icon + "access denied" error
  * - 404    → "file not found" error
  * - No URL → metadata-only view
  */
@@ -62,6 +62,10 @@ interface FilePreviewPanelProps {
   file: DatasetFile;
   /** Current directory path (empty = root) */
   path: string;
+  /** Dataset bucket name — required for service-proxied file access */
+  bucket: string;
+  /** Dataset name — required for service-proxied file access */
+  datasetName: string;
   onClose: () => void;
 }
 
@@ -74,12 +78,21 @@ interface HeadResult {
 // HEAD preflight fetch
 // =============================================================================
 
-function toProxyUrl(url: string): string {
-  return getBasePathUrl(`/proxy/dataset/file?url=${encodeURIComponent(url)}`);
+function toProxyUrl(bucket: string, datasetName: string, file: { url?: string; storagePath?: string }): string {
+  if (file.storagePath) {
+    const params = new URLSearchParams({ bucket, name: datasetName, storagePath: file.storagePath });
+    return getBasePathUrl(`/proxy/dataset/file?${params}`);
+  }
+  // Legacy fallback for public buckets without storagePath
+  return getBasePathUrl(`/proxy/dataset/file?url=${encodeURIComponent(file.url ?? "")}`);
 }
 
-async function fetchHeadResult(url: string): Promise<HeadResult> {
-  const response = await fetch(toProxyUrl(url), { method: "HEAD" });
+async function fetchHeadResult(
+  bucket: string,
+  datasetName: string,
+  file: { url?: string; storagePath?: string },
+): Promise<HeadResult> {
+  const response = await fetch(toProxyUrl(bucket, datasetName, file), { method: "HEAD" });
   const contentType = response.headers.get("Content-Type") ?? "";
   return { status: response.status, contentType };
 }
@@ -207,9 +220,15 @@ function TextPreview({ url, contentType, fileName }: { url: string; contentType:
   );
 }
 
-function PreviewContent({ url, contentType, fileName }: { url: string; contentType: string; fileName: string }) {
-  const proxyUrl = toProxyUrl(url);
-
+function PreviewContent({
+  proxyUrl,
+  contentType,
+  fileName,
+}: {
+  proxyUrl: string;
+  contentType: string;
+  fileName: string;
+}) {
   if (isImageType(contentType, fileName)) {
     return (
       <div className="flex flex-1 items-center justify-center overflow-auto p-4">
@@ -279,22 +298,22 @@ type PreviewState =
   | { kind: "error"; retry: () => void }
   | { kind: "denied" }
   | { kind: "not-found" }
-  | { kind: "ready"; url: string; contentType: string };
+  | { kind: "ready"; proxyUrl: string; contentType: string };
 
 function resolvePreviewState(
-  url: string | undefined,
+  proxyUrl: string | undefined,
   isLoading: boolean,
   error: unknown,
   head: HeadResult | undefined,
   retry: () => void,
 ): PreviewState {
-  if (!url) return { kind: "no-url" };
+  if (!proxyUrl) return { kind: "no-url" };
   if (isLoading) return { kind: "loading" };
   if (error) return { kind: "error", retry };
   if (!head) return { kind: "loading" };
   if (head.status === 401 || head.status === 403) return { kind: "denied" };
   if (head.status === 404) return { kind: "not-found" };
-  if (head.status === 200) return { kind: "ready", url, contentType: head.contentType };
+  if (head.status === 200) return { kind: "ready", proxyUrl, contentType: head.contentType };
   // Unexpected status (e.g. 500) — treat as retriable error
   return { kind: "error", retry };
 }
@@ -303,24 +322,32 @@ function resolvePreviewState(
 // Main component
 // =============================================================================
 
-export const FilePreviewPanel = memo(function FilePreviewPanel({ file, path, onClose }: FilePreviewPanelProps) {
+export const FilePreviewPanel = memo(function FilePreviewPanel({
+  file,
+  path,
+  bucket,
+  datasetName,
+  onClose,
+}: FilePreviewPanelProps) {
   const relativePath = file.relativePath ?? (path ? `${path}/${file.name}` : file.name);
+  const hasPreviewSource = !!(file.storagePath || file.url);
+  const proxyUrl = hasPreviewSource ? toProxyUrl(bucket, datasetName, file) : undefined;
 
-  // HEAD preflight — only when we have a URL to check
+  // HEAD preflight — only when we have a source to check
   const {
     data: head,
     isLoading: headLoading,
     error: headError,
     refetch,
   } = useQuery({
-    queryKey: ["file-preview-head", file.url],
-    queryFn: () => fetchHeadResult(file.url!),
-    enabled: !!file.url,
+    queryKey: ["file-preview-head", proxyUrl],
+    queryFn: () => fetchHeadResult(bucket, datasetName, file),
+    enabled: hasPreviewSource,
     staleTime: Infinity,
     retry: false,
   });
 
-  const previewState = resolvePreviewState(file.url, headLoading, headError, head, () => void refetch());
+  const previewState = resolvePreviewState(proxyUrl, headLoading, headError, head, () => void refetch());
 
   return (
     <div className="flex h-full flex-col overflow-hidden">
@@ -366,13 +393,13 @@ export const FilePreviewPanel = memo(function FilePreviewPanel({ file, path, onC
         {previewState.kind === "denied" && (
           <PreviewError
             icon="lock"
-            message="The bucket must be public to preview files. Contact your administrator to enable public access."
+            message="Access denied. The storage bucket may require credentials or the file may not be accessible."
           />
         )}
         {previewState.kind === "not-found" && <PreviewError message="File not found at this path." />}
         {previewState.kind === "ready" && (
           <PreviewContent
-            url={previewState.url}
+            proxyUrl={previewState.proxyUrl}
             contentType={previewState.contentType}
             fileName={file.name}
           />
diff --git a/src/ui/src/lib/api/adapter/datasets-hooks.ts b/src/ui/src/lib/api/adapter/datasets-hooks.ts
index 137eff487..775484986 100644
--- a/src/ui/src/lib/api/adapter/datasets-hooks.ts
+++ b/src/ui/src/lib/api/adapter/datasets-hooks.ts
@@ -105,12 +105,15 @@ export function useDatasetLatest(bucket: string, name: string, options?: { enabl
  * @param options - Query options
  */
 export function useDatasetFiles(
+  bucket: string,
+  name: string,
+  version: string,
   location: string | null,
   options?: { enabled?: boolean },
 ): ReturnType<typeof useQuery<ProcessedManifest>> {
   return useQuery<ProcessedManifest>({
-    queryKey: buildDatasetFilesQueryKey(location),
-    queryFn: () => fetchDatasetFiles(location),
+    queryKey: buildDatasetFilesQueryKey(bucket, name, version),
+    queryFn: () => fetchDatasetFiles(bucket, name, version, location),
     enabled: (options?.enabled ?? true) && !!location,
     staleTime: 60_000, // 1 minute
   });
diff --git a/src/ui/src/lib/api/adapter/datasets.ts b/src/ui/src/lib/api/adapter/datasets.ts
index a2bfd154d..051d785ed 100644
--- a/src/ui/src/lib/api/adapter/datasets.ts
+++ b/src/ui/src/lib/api/adapter/datasets.ts
@@ -487,10 +487,22 @@ export async function fetchDatasetDetailLatest(bucket: string, name: string): Pr
  *
  * @param location - The version's location URL (DatasetVersion.location)
  */
-export async function fetchDatasetFiles(location: string | null): Promise<ProcessedManifest> {
+export async function fetchDatasetFiles(
+  bucket: string,
+  name: string,
+  version: string,
+  location: string | null,
+): Promise<ProcessedManifest> {
   if (!location) return { byPath: [], byFilename: [], fileTypes: [] };
-  const { fetchManifest } = await import("@/lib/api/server/dataset-actions");
-  const items = (await fetchManifest(location)) as RawFileItem[];
+
+  const params = new URLSearchParams({ version });
+  const response = await fetch(
+    `/api/bucket/${encodeURIComponent(bucket)}/dataset/${encodeURIComponent(name)}/manifest?${params}`,
+  );
+  if (!response.ok) {
+    throw new Error(`Failed to fetch manifest: ${response.status}`);
+  }
+  const items = (await response.json()) as RawFileItem[];
 
   // Sort by full relative_path — enables binary-search directory listing
   const byPath = [...items].sort((a, b) => a.relative_path.localeCompare(b.relative_path));
@@ -640,8 +652,8 @@ export function buildDatasetLatestQueryKey(bucket: string, name: string): readon
  * Build query key for the dataset version's full file manifest.
  * Keyed by location URL only — path filtering is done client-side via buildDirectoryListing.
  */
-export function buildDatasetFilesQueryKey(location: string | null): readonly unknown[] {
-  return ["datasets", "files", location] as const;
+export function buildDatasetFilesQueryKey(bucket: string, name: string, version: string): readonly unknown[] {
+  return ["datasets", "files", bucket, name, version] as const;
 }
 
 /**
diff --git a/src/ui/src/lib/api/server/dataset-actions.production.ts b/src/ui/src/lib/api/server/dataset-actions.production.ts
deleted file mode 100644
index 2faf26641..000000000
--- a/src/ui/src/lib/api/server/dataset-actions.production.ts
+++ /dev/null
@@ -1,31 +0,0 @@
-// SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION. All rights reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-// SPDX-License-Identifier: Apache-2.0
-
-"use server";
-
-export async function fetchManifest(url: string): Promise<unknown[]> {
-  if (!url.startsWith("http://") && !url.startsWith("https://")) {
-    throw new Error("Invalid URL: must start with http:// or https://");
-  }
-
-  const response = await fetch(url);
-
-  if (!response.ok) {
-    throw new Error(`Failed to fetch manifest: ${response.status}`);
-  }
-
-  return (await response.json()) as unknown[];
-}
diff --git a/src/ui/src/lib/api/server/dataset-actions.ts b/src/ui/src/lib/api/server/dataset-actions.ts
deleted file mode 100644
index a0b2ed199..000000000
--- a/src/ui/src/lib/api/server/dataset-actions.ts
+++ /dev/null
@@ -1,59 +0,0 @@
-// SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION. All rights reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-// SPDX-License-Identifier: Apache-2.0
-
-"use server";
-
-import http from "node:http";
-import { fetchManifest as prodFetchManifest } from "@/lib/api/server/dataset-actions.production";
-
-/**
- * In mock mode, routes through Node.js http.request to localhost:9999
- * where MSW intercepts it. MSW intercepts http.request but NOT Next.js's
- * undici-based fetch, so we must use the Node.js HTTP client.
- */
-function mockFetchManifest(url: string): Promise<unknown[]> {
-  const params = new URLSearchParams({ url });
-  const path = `/api/datasets/location-files?${params.toString()}`;
-
-  return new Promise((resolve, reject) => {
-    const request = http.request({ hostname: "localhost", port: 9999, path, method: "GET" }, (response) => {
-      const chunks: Buffer[] = [];
-      response.on("data", (chunk: Buffer) => chunks.push(chunk));
-      response.on("end", () => {
-        const body = Buffer.concat(chunks).toString("utf-8");
-        if ((response.statusCode ?? 0) >= 400) {
-          reject(new Error(`Mock request failed: ${response.statusCode ?? "unknown"}`));
-          return;
-        }
-        try {
-          resolve(JSON.parse(body) as unknown[]);
-        } catch {
-          reject(new Error("Mock request returned invalid JSON"));
-        }
-      });
-      response.on("error", reject);
-    });
-    request.on("error", reject);
-    request.end();
-  });
-}
-
-export async function fetchManifest(url: string): Promise<unknown[]> {
-  if (process.env.NEXT_PUBLIC_MOCK_API === "true") {
-    return mockFetchManifest(url);
-  }
-  return prodFetchManifest(url);
-}
diff --git a/src/ui/src/mocks/handlers.ts b/src/ui/src/mocks/handlers.ts
index 7c26a16e9..fbc52ed55 100644
--- a/src/ui/src/mocks/handlers.ts
+++ b/src/ui/src/mocks/handlers.ts
@@ -1281,25 +1281,54 @@ export const handlers = [
     return HttpResponse.json(items);
   }),
 
+  // Dataset manifest via service endpoint — returns a flat file manifest for a dataset version.
+  // Used by the file browser to list files without requiring direct S3 access.
+  http.get("*/api/bucket/:bucket/dataset/:name/manifest", async ({ request, params }) => {
+    await delay(MOCK_DELAY);
+
+    const url = new URL(request.url);
+    const version = url.searchParams.get("version") ?? "1";
+    const datasetName = Array.isArray(params.name) ? params.name[0] : params.name;
+    const bucketName = Array.isArray(params.bucket) ? params.bucket[0] : params.bucket;
+
+    const locationUrl = `s3://${bucketName}/datasets/${datasetName}/v${version}/`;
+    const items = datasetGenerator.generateFlatManifest(datasetName ?? "", bucketName ?? "", locationUrl);
+    return HttpResponse.json(items);
+  }),
+
   // HEAD + GET /proxy/dataset/file — preflight + content for file preview panel.
   // Uses http.all because http.head() does not reliably intercept http.request with method HEAD
   // when routed through the mock port-9999 tunnel.
-  // Returns 401 for datasets that simulate a private bucket, 200/content otherwise.
+  // Supports both new service-proxied params (bucket/name/storagePath) and legacy (url).
   http.all("*/proxy/dataset/file", async ({ request }) => {
     await delay(MOCK_DELAY);
 
     const url = new URL(request.url);
-    const fileUrl = url.searchParams.get("url") ?? "";
 
-    // Extract dataset name from url param: /api/bucket/{bucket}/dataset/{name}/preview
-    const nameMatch = fileUrl.match(/\/dataset\/([^/?]+)\/preview/);
-    const datasetName = nameMatch?.[1] ?? "";
+    // New service-proxied path: bucket/name/storagePath params
+    const storagePath = url.searchParams.get("storagePath");
+    const paramName = url.searchParams.get("name") ?? "";
+
+    let datasetName: string;
+    let filePath: string;
+
+    if (storagePath) {
+      datasetName = paramName;
+      // Extract file path from storage_path like s3://bucket/datasets/name/v1/train/img.jpg
+      const lastSlashBeforeFile = storagePath.lastIndexOf("/");
+      filePath = lastSlashBeforeFile >= 0 ? storagePath.slice(storagePath.indexOf("/", 5) + 1) : storagePath;
+    } else {
+      // Legacy: extract from url param
+      const fileUrl = url.searchParams.get("url") ?? "";
+      const nameMatch = fileUrl.match(/\/dataset\/([^/?]+)\/preview/);
+      datasetName = nameMatch?.[1] ?? "";
+      filePath = new URL(fileUrl, "http://localhost").searchParams.get("path") ?? "";
+    }
 
     if (datasetGenerator.isPrivateDataset(datasetName)) {
       return new HttpResponse(null, { status: 401 });
     }
 
-    const filePath = new URL(fileUrl, "http://localhost").searchParams.get("path") ?? "";
     const ext = filePath.split(".").pop()?.toLowerCase() ?? "";
 
     const contentTypeMap: Record<string, string> = {

From 854d770ad11630ec86da9528edc8943df33d6534 Mon Sep 17 00:00:00 2001
From: Keita Watanabe <keitaw09@gmail.com>
Date: Fri, 3 Apr 2026 00:06:50 +0000
Subject: [PATCH 2/3] fix: support HEAD method on file-content endpoint for
 preview preflight

The file preview panel sends a HEAD request before GET to check
content-type and access. FastAPI's @router.get does not handle HEAD,
returning 405 Method Not Allowed. Changed to @router.api_route with
both GET and HEAD methods.
---
 src/service/core/data/data_service.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/service/core/data/data_service.py b/src/service/core/data/data_service.py
index 3a3fe8d35..9c2a8564a 100755
--- a/src/service/core/data/data_service.py
+++ b/src/service/core/data/data_service.py
@@ -1018,7 +1018,7 @@ def get_manifest(
     return json.loads(manifest_content)
 
 
-@router.get('/{bucket}/dataset/{name}/file-content')
+@router.api_route('/{bucket}/dataset/{name}/file-content', methods=['GET', 'HEAD'])
 def get_file_content(
     bucket: objects.DatasetPattern,
     name: objects.DatasetPattern,

From 2b0c69606e2ab78b63efe19d217ca1c0ab3cd8df Mon Sep 17 00:00:00 2001
From: Keita Watanabe <keitaw09@gmail.com>
Date: Fri, 3 Apr 2026 00:17:33 +0000
Subject: [PATCH 3/3] fix: use server action for manifest fetch to avoid SSR
 auth failure

fetchDatasetFiles used a relative fetch('/api/bucket/...') which fails
during SSR because the request goes through the proxy without browser
auth cookies, resulting in 403 from the API gateway.

Re-introduced the server action pattern: fetchManifest now calls the
backend service directly using getServerApiBaseUrl() (internal URL),
bypassing the auth gateway. Works for both SSR and client hydration.
---
 src/ui/src/lib/api/adapter/datasets.ts        | 10 +----
 .../api/server/dataset-actions.production.ts  | 41 +++++++++++++++++++
 2 files changed, 43 insertions(+), 8 deletions(-)
 create mode 100644 src/ui/src/lib/api/server/dataset-actions.production.ts

diff --git a/src/ui/src/lib/api/adapter/datasets.ts b/src/ui/src/lib/api/adapter/datasets.ts
index 051d785ed..1c6e5644b 100644
--- a/src/ui/src/lib/api/adapter/datasets.ts
+++ b/src/ui/src/lib/api/adapter/datasets.ts
@@ -495,14 +495,8 @@ export async function fetchDatasetFiles(
 ): Promise<ProcessedManifest> {
   if (!location) return { byPath: [], byFilename: [], fileTypes: [] };
 
-  const params = new URLSearchParams({ version });
-  const response = await fetch(
-    `/api/bucket/${encodeURIComponent(bucket)}/dataset/${encodeURIComponent(name)}/manifest?${params}`,
-  );
-  if (!response.ok) {
-    throw new Error(`Failed to fetch manifest: ${response.status}`);
-  }
-  const items = (await response.json()) as RawFileItem[];
+  const { fetchManifest } = await import("@/lib/api/server/dataset-actions.production");
+  const items = (await fetchManifest(bucket, name, version)) as RawFileItem[];
 
   // Sort by full relative_path — enables binary-search directory listing
   const byPath = [...items].sort((a, b) => a.relative_path.localeCompare(b.relative_path));
diff --git a/src/ui/src/lib/api/server/dataset-actions.production.ts b/src/ui/src/lib/api/server/dataset-actions.production.ts
new file mode 100644
index 000000000..d91c50f03
--- /dev/null
+++ b/src/ui/src/lib/api/server/dataset-actions.production.ts
@@ -0,0 +1,41 @@
+// SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+"use server";
+
+import { getServerApiBaseUrl } from "@/lib/api/server/config";
+
+/**
+ * Fetch a dataset manifest through the backend service.
+ *
+ * Runs server-side (via "use server") so it can call the backend directly
+ * using the internal service URL, bypassing the API gateway auth layer.
+ * This is necessary because this function is called during both SSR and
+ * client hydration — during SSR there are no browser auth cookies.
+ */
+export async function fetchManifest(bucket: string, name: string, version: string): Promise<unknown[]> {
+  const baseUrl = getServerApiBaseUrl();
+  const params = new URLSearchParams({ version });
+  const url = `${baseUrl}/api/bucket/${encodeURIComponent(bucket)}/dataset/${encodeURIComponent(name)}/manifest?${params}`;
+
+  const response = await fetch(url);
+
+  if (!response.ok) {
+    throw new Error(`Failed to fetch manifest: ${response.status}`);
+  }
+
+  return (await response.json()) as unknown[];
+}