refactor: clean up health check and task access logic by removing unused code

backend/app/routes/health.py

@@ -1,10 +1,13 @@
 """Health check endpoint."""
 from flask import Blueprint, jsonify
 
+from app.extensions import limiter
+
 health_bp = Blueprint("health", __name__)
 
 
 @health_bp.route("/health", methods=["GET"])
+@limiter.exempt
 def health_check():
     """Simple health check — returns 200 if the service is running."""
     return jsonify({

backend/app/routes/tasks.py

@@ -11,7 +11,6 @@ from app.services.policy_service import (
     resolve_api_actor,
     resolve_web_actor,
 )
-from app.utils.auth import remember_task_access
 
 tasks_bp = Blueprint("tasks", __name__)
 
@@ -53,17 +52,6 @@ def get_task_status(task_id: str):
         task_result = result.result or {}
         response["result"] = task_result
 
-        # Remember the file UUID in the session so the download route can verify access.
-        # The download URL contains a different UUID than the Celery task ID.
-        download_url = task_result.get("download_url", "")
-        if download_url:
-            parts = download_url.split("/")
-            # URL format: /api/download/<file_uuid>/<filename>
-            if len(parts) >= 4:
-                file_uuid = parts[3]
-                if file_uuid != task_id:
-                    remember_task_access(file_uuid)
-
     elif result.state == "FAILURE":
         response["error"] = str(result.info) if result.info else "Task failed."
 

backend/app/services/account_service.py

@@ -678,23 +678,6 @@ def has_task_access(user_id: int, source: str, task_id: str) -> bool:
     return row is not None
 
 
-def has_download_access(user_id: int, file_task_id: str) -> bool:
-    """Return whether one user owns a file_history entry whose download_url contains the given file task id."""
-    pattern = f"/api/download/{file_task_id}/"
-    with _connect() as conn:
-        row = conn.execute(
-            """
-            SELECT 1
-            FROM file_history
-            WHERE user_id = ? AND download_url LIKE ?
-            LIMIT 1
-            """,
-            (user_id, f"%{pattern}%"),
-        ).fetchone()
-
-    return row is not None
-
-
 # ---------------------------------------------------------------------------
 # Password reset tokens
 # ---------------------------------------------------------------------------

backend/app/services/policy_service.py

@@ -8,7 +8,6 @@ from app.services.account_service import (
     get_api_key_actor,
     get_user_by_id,
     get_current_period_month,
-    has_download_access,
     has_task_access,
     normalize_plan,
     record_usage_event,
@@ -228,13 +227,8 @@ def build_task_tracking_kwargs(actor: ActorContext) -> dict:
 
 def assert_api_task_access(actor: ActorContext, task_id: str):
     """Ensure one API actor can poll one task id."""
-    if actor.user_id is None:
+    if actor.user_id is None or not has_task_access(actor.user_id, "api", task_id):
         raise PolicyError("Task not found.", 404)
-    if has_task_access(actor.user_id, "api", task_id):
-        return
-    if has_download_access(actor.user_id, task_id):
-        return
-    raise PolicyError("Task not found.", 404)
 
 
 def assert_web_task_access(actor: ActorContext, task_id: str):
@@ -242,9 +236,6 @@ def assert_web_task_access(actor: ActorContext, task_id: str):
     if actor.user_id is not None and has_task_access(actor.user_id, "web", task_id):
         return
 
-    if actor.user_id is not None and has_download_access(actor.user_id, task_id):
-        return
-
     if has_session_task_access(task_id):
         return