Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

enable signature auth in public share auth middleware #2831

Merged
merged 1 commit into from
Dec 10, 2021
Merged

enable signature auth in public share auth middleware #2831

merged 1 commit into from
Dec 10, 2021

Conversation

C0rby
Copy link
Contributor

@C0rby C0rby commented Nov 30, 2021

Description

Added signature authentication to the public share auth middleware.

Motivation and Context

To support archive downloads in password protected public links we need some way to authenticate the requests.
We can't provide the password via the Authorization header because the download is triggered via browser mechanisms like <a href= and not via fetch or XmlHttpRequests.
Here the public share signature comes into play. To support archive downloads you can take the signature and expiration parameters from a files downloadURL and append them to the archive download url.

This could look like this:

curl -k 'https://localhost:9200/archiver?public-token=urxyrXobvuXYaFi&id=ZTFhNzNlZGUtNTQ5Yi00MjI2LWFiZGYtNDBlNjljYTgyMzBkOnVyeHlyWG9idnVYWWFGaS9hZGM1Nzc3MS0wNTI2LTQxYzgtYTk3Yy0wNDk5NWZjY2FkMzE=&id=ZTFhNzNlZGUtNTQ5Yi00MjI2LWFiZGYtNDBlNjljYTgyMzBkOnVyeHlyWG9idnVYWWFGaS82ZThiMmQ2NC03ZDAxLTRiMjctOTFkOC0yZjZlNTdmZThjZTk=&signature=eec4738af66435fd2075e0eb5542aa22e5630fb4733c76cf63ece90eac9887ee&expiration=2021-11-30T15:59:20%2b01:00' -o download.tar

There are some drawbacks though, like if there are no files, only folders, in the current PROPFIND response then you don't have access to the signature and expiration. One way to solve that could be to add one or two new attributes to the PROPFIND root where we would add the signature and expiration. This way these values would always be present and accessible. Though this would divert from the behavior in ownCloud 10.

/cc @fschade

How Has This Been Tested?

  • locally via curl

Screenshots (if appropriate):

Types of changes

  • New feature (non-breaking change which adds functionality)

Checklist:

  • Code changes

@C0rby C0rby self-assigned this Nov 30, 2021
@C0rby C0rby mentioned this pull request Dec 1, 2021
Merged
@C0rby C0rby force-pushed the public-link-signature-auth branch from bec1a7c to a85644c Compare December 9, 2021 18:10
@C0rby C0rby marked this pull request as ready for review December 9, 2021 18:12
@sonarqubecloud
Copy link

sonarqubecloud bot commented Dec 9, 2021

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 1 Code Smell

0.0% 0.0% Coverage
0.0% 0.0% Duplication

@C0rby C0rby merged commit eb4e2d8 into master Dec 10, 2021
@delete-merged-branch delete-merged-branch bot deleted the public-link-signature-auth branch December 10, 2021 08:33
@micbar micbar mentioned this pull request Feb 16, 2022
Closed
22 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@refs refs refs approved these changes

Assignees

@C0rby C0rby

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@C0rby @refs