From a85644cddd6c7428ecebe0636e53170b736bab99 Mon Sep 17 00:00:00 2001
From: David Christofas
Date: Tue, 30 Nov 2021 16:46:29 +0100
Subject: [PATCH] enable signature auth in public share auth middleware

---
 .../unreleased/public-link-signature-auth.md | 5 +++++
 proxy/pkg/middleware/public_share_auth.go | 22 ++++++++++++++-----
 2 files changed, 22 insertions(+), 5 deletions(-)
 create mode 100644 changelog/unreleased/public-link-signature-auth.md

diff --git a/changelog/unreleased/public-link-signature-auth.md b/changelog/unreleased/public-link-signature-auth.md
new file mode 100644
index 00000000000..fc50ca8657c
--- /dev/null
+++ b/changelog/unreleased/public-link-signature-auth.md
@@ -0,0 +1,5 @@
+Enhancement: Support signature auth in the public share auth middleware
+
+Enabled public share requests to be authenticated using the public share signature.
+
+https://github.com/owncloud/ocis/pull/2831
diff --git a/proxy/pkg/middleware/public_share_auth.go b/proxy/pkg/middleware/public_share_auth.go
index 62e8d4206de..9b3ddcd5ffd 100644
--- a/proxy/pkg/middleware/public_share_auth.go
+++ b/proxy/pkg/middleware/public_share_auth.go
@@ -2,6 +2,7 @@ package middleware
 
 import (
 "net/http"
+ "strings"
 
 gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
 )
@@ -32,12 +33,23 @@ func PublicShareAuth(opts ...Option) func(next http.Handler) http.Handler {
 return
 }
 
- // We can ignore the username since it is always set to "public" in public shares.
- _, password, ok := r.BasicAuth()
+ var sharePassword string
+ if signature := r.URL.Query().Get("signature"); signature != "" {
+ expiration := r.URL.Query().Get("expiration")
+ if expiration == "" {
+ logger.Warn().Str("signature", signature).Msg("cannot do signature auth without the expiration")
+ next.ServeHTTP(w, r)
+ return
+ }
+ sharePassword = strings.Join([]string{"signature", signature, expiration}, "|")
+ } else {
+ // We can ignore the username since it is always set to "public" in public shares.
+ _, password, ok := r.BasicAuth()
 
- sharePassword := basicAuthPasswordPrefix
- if ok {
- sharePassword += password
+ sharePassword = basicAuthPasswordPrefix
+ if ok {
+ sharePassword += password
+ }
 }
 
 authResp, err := options.RevaGatewayClient.Authenticate(r.Context(), &gateway.AuthenticateRequest{
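Review bot: The warning in the missing-expiration branch writes the raw `signature` query value into the log through `.Str("signature", signature)`; that value is the credential for the public share, so it should stay out of log output. Logging only the condition is enough, e.g. `logger.Warn().Msg("cannot do signature auth without the expiration")`. Separately, `signature` and `expiration` are joined with `|` without any validation, so if the gateway side splits the secret on that delimiter (not visible in this hunk) a value containing `|` could shift fields. Rejecting such values before the `strings.Join` would be a cheap guard. The body of PublicShareAuth starts and ends outside the hunk.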