Merge pull request #13033 from owncloud/chore/backport-archiver-fix

LukasHirt · web-flow · commit c17d5896b092 · 2025-08-27T10:23:16.000+02:00
chore: [OCISDEV-147] backport sign public link archiver download URL
diff --git a/changelog/unreleased/bugfix-sign-public-link-archiver-download-url.md b/changelog/unreleased/bugfix-sign-public-link-archiver-download-url.md
@@ -0,0 +1,7 @@
+Bugfix: Sign public link archiver download URL
+
+We've started signing the archiver download URL in public link context in case the link is password protected.
+This allows users to download large archives without memory limits imposed by browsers.
+
+https://github.com/owncloud/web/pull/12943
+https://github.com/owncloud/web/issues/12811
diff --git a/packages/web-app-files/src/helpers/user/avatarUrl.ts b/packages/web-app-files/src/helpers/user/avatarUrl.ts
@@ -23,7 +23,7 @@ export const avatarUrl = async (options: AvatarUrlOptions, cached = false): Prom
     throw new Error(statusText)
   }
 
-  return options.clientService.ocs.signUrl(url, options.username)
+  return options.clientService.ocs.signUrl({ url, username: options.username })
 }
 
 const cacheFactory = async (options: AvatarUrlOptions): Promise<string> => {
diff --git a/packages/web-app-files/tests/unit/helpers/user/avatarUrl.spec.ts b/packages/web-app-files/tests/unit/helpers/user/avatarUrl.spec.ts
@@ -29,8 +29,8 @@ describe('avatarUrl', () => {
     defaultOptions.clientService.httpAuthenticated.head.mockResolvedValue({
       status: 200
     } as AxiosResponse)
-    defaultOptions.clientService.ocs.signUrl.mockImplementation((url) => {
-      return Promise.resolve(`${url}?signed=true`)
+    defaultOptions.clientService.ocs.signUrl.mockImplementation((payload) => {
+      return Promise.resolve(`${payload.url}?signed=true`)
     })
     const avatarUrlPromise = avatarUrl(defaultOptions)
     await expect(avatarUrlPromise).resolves.toBe(`${buildUrl(defaultOptions)}?signed=true`)
@@ -40,7 +40,9 @@ describe('avatarUrl', () => {
     defaultOptions.clientService.httpAuthenticated.head.mockResolvedValue({
       status: 200
     } as AxiosResponse)
-    defaultOptions.clientService.ocs.signUrl.mockImplementation((url) => Promise.resolve(url))
+    defaultOptions.clientService.ocs.signUrl.mockImplementation((payload) =>
+      Promise.resolve(payload.url)
+    )
 
     const avatarUrlPromiseUncached = avatarUrl(defaultOptions, true)
     await expect(avatarUrlPromiseUncached).resolves.toBe(buildUrl(defaultOptions))
diff --git a/packages/web-client/src/ocs/index.ts b/packages/web-client/src/ocs/index.ts
@@ -1,12 +1,12 @@
 import { Capabilities, GetCapabilitiesFactory } from './capabilities'
 import { AxiosInstance } from 'axios'
-import { UrlSign } from './urlSign'
+import { SignUrlPayload, UrlSign } from './urlSign'
 
 export * from './capabilities'
 
 export interface OCS {
   getCapabilities: () => Promise<Capabilities>
-  signUrl: (url: string, username: string) => Promise<string>
+  signUrl: (payload: SignUrlPayload) => Promise<string>
 }
 
 export const ocs = (baseURI: string, axiosClient: AxiosInstance): OCS => {
@@ -22,8 +22,8 @@ export const ocs = (baseURI: string, axiosClient: AxiosInstance): OCS => {
     getCapabilities: () => {
       return capabilitiesFactory.getCapabilities()
     },
-    signUrl: (url: string, username: string) => {
-      return urlSign.signUrl(url, username)
+    signUrl: (payload: SignUrlPayload) => {
+      return urlSign.signUrl(payload)
     }
   }
 }
diff --git a/packages/web-client/src/ocs/urlSign.ts b/packages/web-client/src/ocs/urlSign.ts
@@ -8,6 +8,13 @@ export interface UrlSignOptions {
   baseURI: string
 }
 
+export type SignUrlPayload = {
+  url: string
+  username: string
+  publicToken?: string
+  publicLinkPassword?: string
+}
+
 export class UrlSign {
   private axiosClient: AxiosInstance
   private baseURI: string
@@ -24,30 +31,42 @@ export class UrlSign {
     this.baseURI = baseURI
   }
 
-  public async signUrl(url: string, username: string) {
+  public async signUrl({ url, username, publicToken, publicLinkPassword }: SignUrlPayload) {
     const signedUrl = new URL(url)
     signedUrl.searchParams.set('OC-Credential', username)
     signedUrl.searchParams.set('OC-Date', new Date().toISOString())
     signedUrl.searchParams.set('OC-Expires', this.TTL.toString())
     signedUrl.searchParams.set('OC-Verb', 'GET')
 
-    const hashedKey = await this.createHashedKey(signedUrl.toString())
+    const hashedKey = await this.createHashedKey(
+      signedUrl.toString(),
+      publicToken,
+      publicLinkPassword
+    )
 
     signedUrl.searchParams.set('OC-Algo', `PBKDF2/${this.ITERATION_COUNT}-SHA512`)
     signedUrl.searchParams.set('OC-Signature', hashedKey)
 
     return signedUrl.toString()
   }
 
-  private async getSignKey() {
+  private async getSignKey(publicToken?: string, publicLinkPassword?: string) {
     if (this.signingKey) {
       return this.signingKey
     }
 
     const data = await this.axiosClient.get(
       urlJoin(this.baseURI, 'ocs/v1.php/cloud/user/signing-key'),
       {
-        headers: { 'Content-Type': 'application/x-www-form-urlencoded' }
+        params: {
+          ...(publicToken && { 'public-token': publicToken })
+        },
+        headers: {
+          'Content-Type': 'application/x-www-form-urlencoded',
+          ...(publicLinkPassword && {
+            Authorization: `Basic ${Buffer.from(['public', publicLinkPassword].join(':')).toString('base64')}`
+          })
+        }
       }
     )
 
@@ -56,8 +75,8 @@ export class UrlSign {
     return this.signingKey
   }
 
-  private async createHashedKey(url: string) {
-    const signignKey = await this.getSignKey()
+  private async createHashedKey(url: string, publicToken?: string, publicLinkPassword?: string) {
+    const signignKey = await this.getSignKey(publicToken, publicLinkPassword)
     const hashedKey = pbkdf2Sync(
       url,
       signignKey,
diff --git a/packages/web-client/src/webdav/getFileUrl.ts b/packages/web-client/src/webdav/getFileUrl.ts
@@ -48,7 +48,7 @@ export const GetFileUrlFactory = (
         // sign url
         if (isUrlSigningEnabled && username) {
           const ocsClient = ocs(baseUrl, axiosClient)
-          downloadURL = await ocsClient.signUrl(downloadURL, username)
+          downloadURL = await ocsClient.signUrl({ url: downloadURL, username })
         } else {
           signed = false
         }
diff --git a/packages/web-pkg/src/composables/actions/files/useFileActionsDownloadArchive.ts b/packages/web-pkg/src/composables/actions/files/useFileActionsDownloadArchive.ts
@@ -42,13 +42,15 @@ export const useFileActionsDownloadArchive = () => {
           dir: path.dirname(first<Resource>(resources).path) || '/',
           files: resources.map((resource) => resource.name)
         }
+
     return archiverService
       .triggerDownload({
         ...fileOptions,
         ...(space &&
           isPublicSpaceResource(space) && {
             publicToken: space.id as string,
-            publicLinkPassword: authStore.publicLinkPassword
+            publicLinkPassword: authStore.publicLinkPassword,
+            publicLinkShareOwner: space.publicLinkShareOwner
           })
       })
       .catch((e) => {
diff --git a/packages/web-pkg/src/services/archiver.ts b/packages/web-pkg/src/services/archiver.ts
@@ -1,13 +1,10 @@
 import { RuntimeError } from '../errors'
-import { HttpError } from '@ownclouders/web-client'
 import { ClientService } from '../services'
 import { urlJoin } from '@ownclouders/web-client'
-import { triggerDownloadWithFilename } from '../helpers/download'
 
 import { Ref, ref, computed, unref } from 'vue'
 import { ArchiverCapability } from '@ownclouders/web-client/ocs'
 import { UserStore } from '../composables'
-import { AxiosResponseHeaders, RawAxiosResponseHeaders } from 'axios'
 
 interface TriggerDownloadOptions {
   dir?: string
@@ -16,6 +13,7 @@ interface TriggerDownloadOptions {
   downloadSecret?: string
   publicToken?: string
   publicLinkPassword?: string
+  publicLinkShareOwner?: string
 }
 
 function sortArchivers(a: ArchiverCapability, b: ArchiverCapability): number {
@@ -85,42 +83,23 @@ export class ArchiverService {
       throw new RuntimeError('download url could not be built')
     }
 
-    if (options.publicToken && options.publicLinkPassword) {
-      try {
-        const response = await this.clientService.httpUnAuthenticated.get<Blob>(downloadUrl, {
-          headers: {
-            ...(!!options.publicLinkPassword && {
-              Authorization:
-                'Basic ' +
-                Buffer.from(['public', options.publicLinkPassword].join(':')).toString('base64')
-            })
-          },
-          responseType: 'blob'
-        })
-
-        const objectUrl = URL.createObjectURL(response.data)
-        const fileName = this.getFileNameFromResponseHeaders(response.headers)
-        triggerDownloadWithFilename(objectUrl, fileName)
-        return downloadUrl
-      } catch (e) {
-        throw new HttpError('archive could not be fetched', e.response)
-      }
-    }
-
-    const url = options.publicToken
-      ? downloadUrl
-      : await this.clientService.ocs.signUrl(
-          downloadUrl,
-          this.userStore.user?.onPremisesSamAccountName
-        )
+    const url =
+      options.publicToken && !options.publicLinkPassword
+        ? downloadUrl
+        : await this.clientService.ocs.signUrl({
+            url: downloadUrl,
+            username: options.publicLinkShareOwner || this.userStore.user?.onPremisesSamAccountName,
+            publicToken: options.publicToken,
+            publicLinkPassword: options.publicLinkPassword
+          })
 
     window.open(url, '_blank')
     return downloadUrl
   }
 
   private buildDownloadUrl(options: TriggerDownloadOptions): string {
     const queryParams = []
-    if (options.publicToken) {
+    if (options.publicToken && !options.publicLinkPassword) {
       queryParams.push(`public-token=${options.publicToken}`)
     }
 
@@ -138,9 +117,4 @@ export class ArchiverService {
     }
     return urlJoin(this.serverUrl, capability.archiver_url)
   }
-
-  private getFileNameFromResponseHeaders(headers: RawAxiosResponseHeaders | AxiosResponseHeaders) {
-    const fileName = headers['content-disposition']?.split('"')[1]
-    return decodeURI(fileName)
-  }
 }
diff --git a/packages/web-pkg/src/services/client/client.ts b/packages/web-pkg/src/services/client/client.ts
@@ -168,7 +168,8 @@ export class ClientService {
     return {
       'Accept-Language': this.currentLanguage,
       'X-Request-ID': uuidV4(),
-      ...(useAuth && { Authorization: 'Bearer ' + this.authStore.accessToken })
+      ...(useAuth &&
+        this.authStore.accessToken && { Authorization: 'Bearer ' + this.authStore.accessToken })
     }
   }
 
diff --git a/packages/web-pkg/tests/unit/services/archiver.spec.ts b/packages/web-pkg/tests/unit/services/archiver.spec.ts
@@ -7,6 +7,7 @@ import { AxiosResponse } from 'axios'
 import { ArchiverCapability } from '@ownclouders/web-client/ocs'
 import { createTestingPinia } from '@ownclouders/web-test-helpers'
 import { useUserStore } from '../../../src/composables/piniaStores'
+import { User } from '@ownclouders/web-client/graph/generated'
 
 const serverUrl = 'https://demo.owncloud.com'
 const getArchiverServiceInstance = (capabilities: Ref<ArchiverCapability[]>) => {
@@ -18,7 +19,7 @@ const getArchiverServiceInstance = (capabilities: Ref<ArchiverCapability[]>) =>
     data: new ArrayBuffer(8),
     headers: { 'content-disposition': 'filename="download.tar"' }
   } as unknown as AxiosResponse)
-  clientServiceMock.ocs.signUrl.mockImplementation((url) => Promise.resolve(url))
+  clientServiceMock.ocs.signUrl.mockImplementation((payload) => Promise.resolve(payload.url))
 
   Object.defineProperty(window, 'open', {
     value: vi.fn(),
@@ -109,4 +110,44 @@ describe('archiver', () => {
     const downloadUrl = await archiverService.triggerDownload({ fileIds: ['any'] })
     expect(downloadUrl.startsWith(archiverUrl + '/v2')).toBeTruthy()
   })
+
+  it('should sign the download url if a public token is not provided', async () => {
+    const archiverService = getArchiverServiceInstance(capabilities)
+
+    const user = mock<User>({ onPremisesSamAccountName: 'private-owner' })
+    archiverService.userStore.user = user
+
+    const fileId = 'asdf'
+    await archiverService.triggerDownload({ fileIds: [fileId] })
+    expect(archiverService.clientService.ocs.signUrl).toHaveBeenCalledWith({
+      url: archiverUrl + '?id=' + fileId,
+      username: 'private-owner',
+      publicToken: undefined,
+      publicLinkPassword: undefined
+    })
+  })
+
+  it('should sign the download url if a public token is provided with a password', async () => {
+    const archiverService = getArchiverServiceInstance(capabilities)
+    const fileId = 'asdf'
+    await archiverService.triggerDownload({
+      fileIds: [fileId],
+      publicToken: 'token',
+      publicLinkPassword: 'password',
+      publicLinkShareOwner: 'owner'
+    })
+    expect(archiverService.clientService.ocs.signUrl).toHaveBeenCalledWith({
+      url: archiverUrl + '?id=' + fileId,
+      username: 'owner',
+      publicToken: 'token',
+      publicLinkPassword: 'password'
+    })
+  })
+
+  it('should not sign the download url if a public token is provided without a password', async () => {
+    const archiverService = getArchiverServiceInstance(capabilities)
+    const fileId = 'asdf'
+    await archiverService.triggerDownload({ fileIds: [fileId], publicToken: 'token' })
+    expect(archiverService.clientService.ocs.signUrl).not.toHaveBeenCalled()
+  })
 })
diff --git a/packages/web-runtime/src/index.ts b/packages/web-runtime/src/index.ts
@@ -33,12 +33,13 @@ import {
 import { applicationStore } from './container/store'
 import {
   buildPublicSpaceResource,
+  DavHttpError,
   isPersonalSpaceResource,
   isPublicSpaceResource,
   PublicSpaceResource
 } from '@ownclouders/web-client'
 import { loadCustomTranslations } from './helpers/customTranslations'
-import { createApp, watch } from 'vue'
+import { createApp, onWatcherCleanup, watch } from 'vue'
 import PortalVue, { createWormhole } from 'portal-vue'
 import { createPinia } from 'pinia'
 import Avatar from './components/Avatar.vue'
@@ -247,7 +248,7 @@ export const bootstrapApp = async (configurationPath: string, appsReadyCallback:
   )
   watch(
     () => authStore.publicLinkContextReady,
-    (publicLinkContextReady) => {
+    async (publicLinkContextReady) => {
       if (!publicLinkContextReady) {
         return
       }
@@ -265,7 +266,46 @@ export const bootstrapApp = async (configurationPath: string, appsReadyCallback:
       })
 
       spacesStore.addSpaces([space])
-      spacesStore.setSpacesInitialized(true)
+
+      const controller = new AbortController()
+
+      onWatcherCleanup(() => {
+        controller.abort()
+      })
+
+      try {
+        const loadedSpace = await clientService.webdav.getFileInfo(
+          space,
+          {},
+          { signal: controller.signal }
+        )
+
+        for (const key in loadedSpace) {
+          if (loadedSpace[key] !== undefined) {
+            space[key] = loadedSpace[key]
+          }
+        }
+
+        spacesStore.upsertSpace(space)
+      } catch (error) {
+        const err = error as DavHttpError
+
+        if (err.statusCode === 401) {
+          return
+        }
+
+        if (err.statusCode === 404) {
+          throw new Error(
+            app.config.globalProperties.$gettext(
+              'The resource could not be located, it may not exist anymore.'
+            )
+          )
+        }
+
+        throw err
+      } finally {
+        spacesStore.setSpacesInitialized(true)
+      }
     },
     {
       immediate: true

Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,7 @@ export const avatarUrl = async (options: AvatarUrlOptions, cached = false): Prom`
`23`	`23`	`throw new Error(statusText)`
`24`	`24`	`}`
`25`	`25`
`26`		`- return options.clientService.ocs.signUrl(url, options.username)`
	`26`	`+ return options.clientService.ocs.signUrl({ url, username: options.username })`
`27`	`27`	`}`
`28`	`28`
`29`	`29`	`const cacheFactory = async (options: AvatarUrlOptions): Promise<string> => {`
Original file line number	Diff line number	Diff line change
`@@ -1,12 +1,12 @@`
`1`	`1`	`import { Capabilities, GetCapabilitiesFactory } from './capabilities'`
`2`	`2`	`import { AxiosInstance } from 'axios'`
`3`		`-import { UrlSign } from './urlSign'`
	`3`	`+import { SignUrlPayload, UrlSign } from './urlSign'`
`4`	`4`
`5`	`5`	`export * from './capabilities'`
`6`	`6`
`7`	`7`	`export interface OCS {`
`8`	`8`	`getCapabilities: () => Promise<Capabilities>`
`9`		`- signUrl: (url: string, username: string) => Promise<string>`
	`9`	`+ signUrl: (payload: SignUrlPayload) => Promise<string>`
`10`	`10`	`}`
`11`	`11`
`12`	`12`	`export const ocs = (baseURI: string, axiosClient: AxiosInstance): OCS => {`
`@@ -22,8 +22,8 @@ export const ocs = (baseURI: string, axiosClient: AxiosInstance): OCS => {`
`22`	`22`	`getCapabilities: () => {`
`23`	`23`	`return capabilitiesFactory.getCapabilities()`
`24`	`24`	`},`
`25`		`- signUrl: (url: string, username: string) => {`
`26`		`- return urlSign.signUrl(url, username)`
	`25`	`+ signUrl: (payload: SignUrlPayload) => {`
	`26`	`+ return urlSign.signUrl(payload)`
`27`	`27`	`}`
`28`	`28`	`}`
`29`	`29`	`}`
Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,7 @@ export const GetFileUrlFactory = (`
`48`	`48`	`// sign url`
`49`	`49`	`if (isUrlSigningEnabled && username) {`
`50`	`50`	`const ocsClient = ocs(baseUrl, axiosClient)`
`51`		`- downloadURL = await ocsClient.signUrl(downloadURL, username)`
	`51`	`+ downloadURL = await ocsClient.signUrl({ url: downloadURL, username })`
`52`	`52`	`} else {`
`53`	`53`	`signed = false`
`54`	`54`	`}`
Original file line number	Diff line number	Diff line change
`@@ -168,7 +168,8 @@ export class ClientService {`
`168`	`168`	`return {`
`169`	`169`	`'Accept-Language': this.currentLanguage,`
`170`	`170`	`'X-Request-ID': uuidV4(),`
`171`		`- ...(useAuth && { Authorization: 'Bearer ' + this.authStore.accessToken })`
	`171`	`+ ...(useAuth &&`
	`172`	`+ this.authStore.accessToken && { Authorization: 'Bearer ' + this.authStore.accessToken })`
`172`	`173`	`}`
`173`	`174`	`}`
`174`	`175`