fix: [OCISDEV-147] sign public link archiver download URL

Start signing the archiver download URL in public link context in case
the link is password protected. This allows users to download
large archives without memory limits imposed by browsers.

Author: LukasHirt

changelog/unreleased/bugfix-sign-public-link-archiver-download-url.md

@@ -0,0 +1,7 @@
+Bugfix: Sign public link archiver download URL
+
+We've started signing the archiver download URL in public link context in case the link is password protected.
+This allows users to download large archives without memory limits imposed by browsers.
+
+https://github.com/owncloud/web/pull/12943
+https://github.com/owncloud/web/issues/12811

packages/web-app-files/src/helpers/user/avatarUrl.ts

@@ -23,7 +23,7 @@ export const avatarUrl = async (options: AvatarUrlOptions, cached = false): Prom
     throw new Error(statusText)
   }
 
-  return options.clientService.ocs.signUrl(url, options.username)
+  return options.clientService.ocs.signUrl({ url, username: options.username })
 }
 
 const cacheFactory = async (options: AvatarUrlOptions): Promise<string> => {

packages/web-app-files/tests/unit/helpers/user/avatarUrl.spec.ts

@@ -29,8 +29,8 @@ describe('avatarUrl', () => {
     defaultOptions.clientService.httpAuthenticated.head.mockResolvedValue({
       status: 200
     } as AxiosResponse)
-    defaultOptions.clientService.ocs.signUrl.mockImplementation((url) => {
-      return Promise.resolve(`${url}?signed=true`)
+    defaultOptions.clientService.ocs.signUrl.mockImplementation((payload) => {
+      return Promise.resolve(`${payload.url}?signed=true`)
     })
     const avatarUrlPromise = avatarUrl(defaultOptions)
     await expect(avatarUrlPromise).resolves.toBe(`${buildUrl(defaultOptions)}?signed=true`)
@@ -40,7 +40,9 @@ describe('avatarUrl', () => {
     defaultOptions.clientService.httpAuthenticated.head.mockResolvedValue({
       status: 200
     } as AxiosResponse)
-    defaultOptions.clientService.ocs.signUrl.mockImplementation((url) => Promise.resolve(url))
+    defaultOptions.clientService.ocs.signUrl.mockImplementation((payload) =>
+      Promise.resolve(payload.url)
+    )
 
     const avatarUrlPromiseUncached = avatarUrl(defaultOptions, true)
     await expect(avatarUrlPromiseUncached).resolves.toBe(buildUrl(defaultOptions))

packages/web-client/src/ocs/index.ts

@@ -1,12 +1,12 @@
 import { Capabilities, GetCapabilitiesFactory } from './capabilities'
 import { AxiosInstance } from 'axios'
-import { UrlSign } from './urlSign'
+import { SignUrlPayload, UrlSign } from './urlSign'
 
 export * from './capabilities'
 
 export interface OCS {
   getCapabilities: () => Promise<Capabilities>
-  signUrl: (url: string, username: string) => Promise<string>
+  signUrl: (payload: SignUrlPayload) => Promise<string>
 }
 
 export const ocs = (baseURI: string, axiosClient: AxiosInstance): OCS => {
@@ -22,8 +22,8 @@ export const ocs = (baseURI: string, axiosClient: AxiosInstance): OCS => {
     getCapabilities: () => {
       return capabilitiesFactory.getCapabilities()
     },
-    signUrl: (url: string, username: string) => {
-      return urlSign.signUrl(url, username)
+    signUrl: (payload: SignUrlPayload) => {
+      return urlSign.signUrl(payload)
     }
   }
 }

packages/web-client/src/ocs/urlSign.ts

@@ -8,6 +8,13 @@ export interface UrlSignOptions {
   baseURI: string
 }
 
+export type SignUrlPayload = {
+  url: string
+  username: string
+  publicToken?: string
+  publicLinkPassword?: string
+}
+
 export class UrlSign {
   private axiosClient: AxiosInstance
   private baseURI: string
@@ -24,30 +31,42 @@ export class UrlSign {
     this.baseURI = baseURI
   }
 
-  public async signUrl(url: string, username: string) {
+  public async signUrl({ url, username, publicToken, publicLinkPassword }: SignUrlPayload) {
     const signedUrl = new URL(url)
     signedUrl.searchParams.set('OC-Credential', username)
     signedUrl.searchParams.set('OC-Date', new Date().toISOString())
     signedUrl.searchParams.set('OC-Expires', this.TTL.toString())
     signedUrl.searchParams.set('OC-Verb', 'GET')
 
-    const hashedKey = await this.createHashedKey(signedUrl.toString())
+    const hashedKey = await this.createHashedKey(
+      signedUrl.toString(),
+      publicToken,
+      publicLinkPassword
+    )
 
     signedUrl.searchParams.set('OC-Algo', `PBKDF2/${this.ITERATION_COUNT}-SHA512`)
     signedUrl.searchParams.set('OC-Signature', hashedKey)
 
     return signedUrl.toString()
   }
 
-  private async getSignKey() {
+  private async getSignKey(publicToken?: string, publicLinkPassword?: string) {
     if (this.signingKey) {
       return this.signingKey
     }
 
     const data = await this.axiosClient.get(
       urlJoin(this.baseURI, 'ocs/v1.php/cloud/user/signing-key'),
       {
-        headers: { 'Content-Type': 'application/x-www-form-urlencoded' }
+        params: {
+          ...(publicToken && { 'public-token': publicToken })
+        },
+        headers: {
+          'Content-Type': 'application/x-www-form-urlencoded',
+          ...(publicLinkPassword && {
+            Authorization: `Basic ${Buffer.from(['public', publicLinkPassword].join(':')).toString('base64')}`
+          })
+        }
       }
     )
 
@@ -56,8 +75,8 @@ export class UrlSign {
     return this.signingKey
   }
 
-  private async createHashedKey(url: string) {
-    const signignKey = await this.getSignKey()
+  private async createHashedKey(url: string, publicToken?: string, publicLinkPassword?: string) {
+    const signignKey = await this.getSignKey(publicToken, publicLinkPassword)
     const hashedKey = pbkdf2Sync(
       url,
       signignKey,

packages/web-client/src/webdav/getFileUrl.ts

@@ -48,7 +48,7 @@ export const GetFileUrlFactory = (
         // sign url
         if (isUrlSigningEnabled && username) {
           const ocsClient = ocs(baseUrl, axiosClient)
-          downloadURL = await ocsClient.signUrl(downloadURL, username)
+          downloadURL = await ocsClient.signUrl({ url: downloadURL, username })
         } else {
           signed = false
         }

packages/web-pkg/src/composables/actions/files/useFileActionsDownloadArchive.ts

@@ -42,13 +42,15 @@ export const useFileActionsDownloadArchive = () => {
           dir: path.dirname(first<Resource>(resources).path) || '/',
           files: resources.map((resource) => resource.name)
         }
+
     return archiverService
       .triggerDownload({
         ...fileOptions,
         ...(space &&
           isPublicSpaceResource(space) && {
             publicToken: space.id as string,
-            publicLinkPassword: authStore.publicLinkPassword
+            publicLinkPassword: authStore.publicLinkPassword,
+            publicLinkShareOwner: space.publicLinkShareOwner
           })
       })
       .catch((e) => {

packages/web-pkg/src/services/archiver.ts

@@ -1,13 +1,10 @@
 import { RuntimeError } from '../errors'
-import { HttpError } from '@ownclouders/web-client'
 import { ClientService } from '../services'
 import { urlJoin } from '@ownclouders/web-client'
-import { triggerDownloadWithFilename } from '../helpers/download'
 
 import { Ref, ref, computed, unref } from 'vue'
 import { ArchiverCapability } from '@ownclouders/web-client/ocs'
 import { UserStore } from '../composables'
-import { AxiosResponseHeaders, RawAxiosResponseHeaders } from 'axios'
 
 interface TriggerDownloadOptions {
   dir?: string
@@ -16,6 +13,7 @@ interface TriggerDownloadOptions {
   downloadSecret?: string
   publicToken?: string
   publicLinkPassword?: string
+  publicLinkShareOwner?: string
 }
 
 function sortArchivers(a: ArchiverCapability, b: ArchiverCapability): number {
@@ -85,42 +83,23 @@ export class ArchiverService {
       throw new RuntimeError('download url could not be built')
     }
 
-    if (options.publicToken && options.publicLinkPassword) {
-      try {
-        const response = await this.clientService.httpUnAuthenticated.get<Blob>(downloadUrl, {
-          headers: {
-            ...(!!options.publicLinkPassword && {
-              Authorization:
-                'Basic ' +
-                Buffer.from(['public', options.publicLinkPassword].join(':')).toString('base64')
-            })
-          },
-          responseType: 'blob'
-        })
-
-        const objectUrl = URL.createObjectURL(response.data)
-        const fileName = this.getFileNameFromResponseHeaders(response.headers)
-        triggerDownloadWithFilename(objectUrl, fileName)
-        return downloadUrl
-      } catch (e) {
-        throw new HttpError('archive could not be fetched', e.response)
-      }
-    }
-
-    const url = options.publicToken
-      ? downloadUrl
-      : await this.clientService.ocs.signUrl(
-          downloadUrl,
-          this.userStore.user?.onPremisesSamAccountName
-        )
+    const url =
+      options.publicToken && !options.publicLinkPassword
+        ? downloadUrl
+        : await this.clientService.ocs.signUrl({
+            url: downloadUrl,
+            username: options.publicLinkShareOwner || this.userStore.user?.onPremisesSamAccountName,
+            publicToken: options.publicToken,
+            publicLinkPassword: options.publicLinkPassword
+          })
 
     window.open(url, '_blank')
     return downloadUrl
   }
 
   private buildDownloadUrl(options: TriggerDownloadOptions): string {
     const queryParams = []
-    if (options.publicToken) {
+    if (options.publicToken && !options.publicLinkPassword) {
       queryParams.push(`public-token=${options.publicToken}`)
     }
 
@@ -138,9 +117,4 @@ export class ArchiverService {
     }
     return urlJoin(this.serverUrl, capability.archiver_url)
   }
-
-  private getFileNameFromResponseHeaders(headers: RawAxiosResponseHeaders | AxiosResponseHeaders) {
-    const fileName = headers['content-disposition']?.split('"')[1]
-    return decodeURI(fileName)
-  }
 }

packages/web-pkg/src/services/client/client.ts

@@ -168,7 +168,8 @@ export class ClientService {
     return {
       'Accept-Language': this.currentLanguage,
       'X-Request-ID': uuidV4(),
-      ...(useAuth && { Authorization: 'Bearer ' + this.authStore.accessToken })
+      ...(useAuth &&
+        this.authStore.accessToken && { Authorization: 'Bearer ' + this.authStore.accessToken })
     }
   }
 

packages/web-pkg/tests/unit/services/archiver.spec.ts

@@ -7,6 +7,7 @@ import { AxiosResponse } from 'axios'
 import { ArchiverCapability } from '@ownclouders/web-client/ocs'
 import { createTestingPinia } from '@ownclouders/web-test-helpers'
 import { useUserStore } from '../../../src/composables/piniaStores'
+import { User } from '@ownclouders/web-client/graph/generated'
 
 const serverUrl = 'https://demo.owncloud.com'
 const getArchiverServiceInstance = (capabilities: Ref<ArchiverCapability[]>) => {
@@ -18,7 +19,7 @@ const getArchiverServiceInstance = (capabilities: Ref<ArchiverCapability[]>) =>
     data: new ArrayBuffer(8),
     headers: { 'content-disposition': 'filename="download.tar"' }
   } as unknown as AxiosResponse)
-  clientServiceMock.ocs.signUrl.mockImplementation((url) => Promise.resolve(url))
+  clientServiceMock.ocs.signUrl.mockImplementation((payload) => Promise.resolve(payload.url))
 
   Object.defineProperty(window, 'open', {
     value: vi.fn(),
@@ -109,4 +110,44 @@ describe('archiver', () => {
     const downloadUrl = await archiverService.triggerDownload({ fileIds: ['any'] })
     expect(downloadUrl.startsWith(archiverUrl + '/v2')).toBeTruthy()
   })
+
+  it('should sign the download url if a public token is not provided', async () => {
+    const archiverService = getArchiverServiceInstance(capabilities)
+
+    const user = mock<User>({ onPremisesSamAccountName: 'private-owner' })
+    archiverService.userStore.user = user
+
+    const fileId = 'asdf'
+    await archiverService.triggerDownload({ fileIds: [fileId] })
+    expect(archiverService.clientService.ocs.signUrl).toHaveBeenCalledWith({
+      url: archiverUrl + '?id=' + fileId,
+      username: 'private-owner',
+      publicToken: undefined,
+      publicLinkPassword: undefined
+    })
+  })
+
+  it('should sign the download url if a public token is provided with a password', async () => {
+    const archiverService = getArchiverServiceInstance(capabilities)
+    const fileId = 'asdf'
+    await archiverService.triggerDownload({
+      fileIds: [fileId],
+      publicToken: 'token',
+      publicLinkPassword: 'password',
+      publicLinkShareOwner: 'owner'
+    })
+    expect(archiverService.clientService.ocs.signUrl).toHaveBeenCalledWith({
+      url: archiverUrl + '?id=' + fileId,
+      username: 'owner',
+      publicToken: 'token',
+      publicLinkPassword: 'password'
+    })
+  })
+
+  it('should not sign the download url if a public token is provided without a password', async () => {
+    const archiverService = getArchiverServiceInstance(capabilities)
+    const fileId = 'asdf'
+    await archiverService.triggerDownload({ fileIds: [fileId], publicToken: 'token' })
+    expect(archiverService.clientService.ocs.signUrl).not.toHaveBeenCalled()
+  })
 })