fix: share auth for download url endpoint (#254)

Co-authored-by: Daniel Luiz Alves <daniel.xcoders@gmail.com>
2025-10-23 06:11:58 +00:00 · 2025-09-10 07:40:17 -04:00
parent b078e94189
commit 3117904009
10 changed files with 145 additions and 23 deletions
--- a/apps/server/src/modules/file/controller.ts
+++ b/apps/server/src/modules/file/controller.ts
@@ -1,3 +1,4 @@
+import bcrypt from "bcryptjs";
 import { FastifyReply, FastifyRequest } from "fastify";

 import { env } from "../../env";
@@ -183,6 +184,7 @@ export class FileController {
        objectName: string;
      };
      const objectName = decodeURIComponent(encodedObjectName);
+      const { password } = request.query as { password?: string };

      if (!objectName) {
        return reply.status(400).send({ error: "The 'objectName' parameter is required." });
@@ -193,6 +195,51 @@ export class FileController {
      if (!fileRecord) {
        return reply.status(404).send({ error: "File not found." });
      }
+
+      let hasAccess = false;
+
+      console.log("Requested file with password " + password);
+
+      const shares = await prisma.share.findMany({
+        where: {
+          files: {
+            some: {
+              id: fileRecord.id,
+            },
+          },
+        },
+        include: {
+          security: true,
+        },
+      });
+
+      for (const share of shares) {
+        if (!share.security.password) {
+          hasAccess = true;
+          break;
+        } else if (password) {
+          const isPasswordValid = await bcrypt.compare(password, share.security.password);
+          if (isPasswordValid) {
+            hasAccess = true;
+            break;
+          }
+        }
+      }
+
+      if (!hasAccess) {
+        try {
+          await request.jwtVerify();
+          const userId = (request as any).user?.userId;
+          if (userId && fileRecord.userId === userId) {
+            hasAccess = true;
+          }
+        } catch (err) {}
+      }
+
+      if (!hasAccess) {
+        return reply.status(401).send({ error: "Unauthorized access to file." });
+      }
+
      const fileName = fileRecord.name;
      const expires = parseInt(env.PRESIGNED_URL_EXPIRATION);
      const url = await this.fileService.getPresignedGetUrl(objectName, expires, fileName);
--- a/apps/server/src/modules/file/routes.ts
+++ b/apps/server/src/modules/file/routes.ts
@@ -108,7 +108,6 @@ export async function fileRoutes(app: FastifyInstance) {
  app.get(
    "/files/:objectName/download",
    {
-      preValidation,
      schema: {
        tags: ["File"],
        operationId: "getDownloadUrl",
@@ -117,6 +116,9 @@ export async function fileRoutes(app: FastifyInstance) {
        params: z.object({
          objectName: z.string().min(1, "The objectName is required"),
        }),
+        querystring: z.object({
+          password: z.string().optional().describe("Share password if required"),
+        }),
        response: {
          200: z.object({
            url: z.string().describe("The download URL"),
--- a/apps/web/src/app/(shares)/s/[alias]/components/files-table.tsx
+++ b/apps/web/src/app/(shares)/s/[alias]/components/files-table.tsx
@@ -30,6 +30,7 @@ interface ShareFilesTableProps {
  onDownloadFolder?: (folderId: string, folderName: string) => Promise<void>;
  onNavigateToFolder?: (folderId: string) => void;
  enableNavigation?: boolean;
+  sharePassword?: string;
 }

 export function ShareFilesTable({
@@ -39,6 +40,7 @@ export function ShareFilesTable({
  onDownloadFolder,
  onNavigateToFolder,
  enableNavigation = false,
+  sharePassword,
 }: ShareFilesTableProps) {
  const t = useTranslations();
  const [isPreviewOpen, setIsPreviewOpen] = useState(false);
@@ -213,7 +215,14 @@ export function ShareFilesTable({
        </Table>
      </div>

-      {selectedFile && <FilePreviewModal isOpen={isPreviewOpen} onClose={handleClosePreview} file={selectedFile} />}
+      {selectedFile && (
+        <FilePreviewModal
+          isOpen={isPreviewOpen}
+          onClose={handleClosePreview}
+          file={selectedFile}
+          sharePassword={sharePassword}
+        />
+      )}
    </div>
  );
 }
--- a/apps/web/src/app/(shares)/s/[alias]/components/share-details.tsx
+++ b/apps/web/src/app/(shares)/s/[alias]/components/share-details.tsx
@@ -46,7 +46,7 @@ interface Folder {
  };
 }

-interface ShareDetailsPropsExtended extends Omit<ShareDetailsProps, "onBulkDownload" | "password"> {
+interface ShareDetailsPropsExtended extends Omit<ShareDetailsProps, "onBulkDownload"> {
  onBulkDownload?: () => Promise<void>;
  onSelectedItemsBulkDownload?: (files: File[], folders: Folder[]) => Promise<void>;
  folders: Folder[];
@@ -60,6 +60,7 @@ interface ShareDetailsPropsExtended extends Omit<ShareDetailsProps, "onBulkDownl

 export function ShareDetails({
  share,
+  password,
  onDownload,
  onBulkDownload,
  onSelectedItemsBulkDownload,
@@ -186,6 +187,7 @@ export function ShareDetails({
            setSelectedFile(null);
          }}
          file={selectedFile}
+          sharePassword={password}
        />
      )}
    </>
--- a/apps/web/src/app/(shares)/s/[alias]/hooks/use-public-share.ts
+++ b/apps/web/src/app/(shares)/s/[alias]/hooks/use-public-share.ts
@@ -232,6 +232,7 @@ export function usePublicShare() {
      await downloadShareFolderWithQueue(folderId, folderName, share.files || [], share.folders || [], {
        silent: true,
        showToasts: false,
+        sharePassword: password,
      });
    } catch (error) {
      console.error("Error downloading folder:", error);
@@ -253,6 +254,7 @@ export function usePublicShare() {
          downloadFileWithQueue(objectName, fileName, {
            silent: true,
            showToasts: false,
+            sharePassword: password,
          }),
          {
            loading: t("share.messages.downloadStarted"),
@@ -320,9 +322,15 @@ export function usePublicShare() {
      }

      toast.promise(
-        bulkDownloadShareWithQueue(allItems, share.files || [], share.folders || [], zipName, undefined, true).then(
-          () => {}
-        ),
+        bulkDownloadShareWithQueue(
+          allItems,
+          share.files || [],
+          share.folders || [],
+          zipName,
+          undefined,
+          true,
+          password
+        ).then(() => {}),
        {
          loading: t("shareManager.creatingZip"),
          success: t("shareManager.zipDownloadSuccess"),
@@ -387,9 +395,15 @@ export function usePublicShare() {
      const zipName = `${share.name || t("shareManager.defaultShareName")}-selected.zip`;

      toast.promise(
-        bulkDownloadShareWithQueue(allItems, share.files || [], share.folders || [], zipName, undefined, false).then(
-          () => {}
-        ),
+        bulkDownloadShareWithQueue(
+          allItems,
+          share.files || [],
+          share.folders || [],
+          zipName,
+          undefined,
+          false,
+          password
+        ).then(() => {}),
        {
          loading: t("shareManager.creatingZip"),
          success: t("shareManager.zipDownloadSuccess"),
--- a/apps/web/src/app/(shares)/s/[alias]/page.tsx
+++ b/apps/web/src/app/(shares)/s/[alias]/page.tsx
@@ -43,6 +43,7 @@ export default function PublicSharePage() {
          {share && (
            <ShareDetails
              share={share}
+              password={password}
              onDownload={handleDownload}
              onBulkDownload={handleBulkDownload}
              onSelectedItemsBulkDownload={handleSelectedItemsBulkDownload}
--- a/apps/web/src/app/api/(proxy)/files/download/[...objectPath]/route.ts
+++ b/apps/web/src/app/api/(proxy)/files/download/[...objectPath]/route.ts
@@ -8,7 +8,9 @@ export async function GET(req: NextRequest, { params }: { params: Promise<{ obje
  const { objectPath } = await params;
  const cookieHeader = req.headers.get("cookie");
  const objectName = objectPath.join("/");
-  const url = `${API_BASE_URL}/files/${encodeURIComponent(objectName)}/download`;
+  const searchParams = req.nextUrl.searchParams;
+  const queryString = searchParams.toString();
+  const url = `${API_BASE_URL}/files/${encodeURIComponent(objectName)}/download${queryString ? `?${queryString}` : ""}`;

  const apiRes = await fetch(url, {
    method: "GET",
--- a/apps/web/src/components/modals/file-preview-modal.tsx
+++ b/apps/web/src/components/modals/file-preview-modal.tsx
@@ -20,11 +20,18 @@ interface FilePreviewModalProps {
    description?: string;
  };
  isReverseShare?: boolean;
+  sharePassword?: string;
 }

-export function FilePreviewModal({ isOpen, onClose, file, isReverseShare = false }: FilePreviewModalProps) {
+export function FilePreviewModal({
+  isOpen,
+  onClose,
+  file,
+  isReverseShare = false,
+  sharePassword,
+}: FilePreviewModalProps) {
  const t = useTranslations();
-  const previewState = useFilePreview({ file, isOpen, isReverseShare });
+  const previewState = useFilePreview({ file, isOpen, isReverseShare, sharePassword });

  return (
    <Dialog open={isOpen} onOpenChange={onClose}>
--- a/apps/web/src/hooks/use-file-preview.ts
+++ b/apps/web/src/hooks/use-file-preview.ts
@@ -27,9 +27,10 @@ interface UseFilePreviewProps {
  };
  isOpen: boolean;
  isReverseShare?: boolean;
+  sharePassword?: string;
 }

-export function useFilePreview({ file, isOpen, isReverseShare = false }: UseFilePreviewProps) {
+export function useFilePreview({ file, isOpen, isReverseShare = false, sharePassword }: UseFilePreviewProps) {
  const t = useTranslations();
  const [state, setState] = useState<FilePreviewState>({
    previewUrl: null,
@@ -181,7 +182,17 @@ export function useFilePreview({ file, isOpen, isReverseShare = false }: UseFile
        url = response.data.url;
      } else {
        const encodedObjectName = encodeURIComponent(file.objectName);
-        const response = await getDownloadUrl(encodedObjectName);
+        const params: Record<string, string> = {};
+        if (sharePassword) params.password = sharePassword;
+
+        const response = await getDownloadUrl(
+          encodedObjectName,
+          Object.keys(params).length > 0
+            ? {
+                params: { ...params },
+              }
+            : undefined
+        );
        url = response.data.url;
      }

@@ -218,6 +229,7 @@ export function useFilePreview({ file, isOpen, isReverseShare = false }: UseFile
    file.id,
    file.objectName,
    fileType,
+    sharePassword,
    loadVideoPreview,
    loadAudioPreview,
    loadPdfPreview,
@@ -236,13 +248,14 @@ export function useFilePreview({ file, isOpen, isReverseShare = false }: UseFile
        });
      } else {
        await downloadFileWithQueue(file.objectName, file.name, {
+          sharePassword,
          onFail: () => toast.error(t("filePreview.downloadError")),
        });
      }
    } catch (error) {
      console.error("Download error:", error);
    }
-  }, [isReverseShare, file.id, file.objectName, file.name, t]);
+  }, [isReverseShare, file.id, file.objectName, file.name, sharePassword, t]);

  useEffect(() => {
    const fileKey = isReverseShare ? file.id : file.objectName;
--- a/apps/web/src/utils/download-queue-utils.ts
+++ b/apps/web/src/utils/download-queue-utils.ts
@@ -7,6 +7,7 @@ interface DownloadWithQueueOptions {
  useQueue?: boolean;
  silent?: boolean;
  showToasts?: boolean;
+  sharePassword?: string;
  onStart?: (downloadId: string) => void;
  onComplete?: (downloadId: string) => void;
  onFail?: (downloadId: string, error: string) => void;
@@ -89,7 +90,7 @@ export async function downloadFileWithQueue(
  fileName: string,
  options: DownloadWithQueueOptions = {}
 ): Promise<void> {
-  const { useQueue = true, silent = false, showToasts = true } = options;
+  const { useQueue = true, silent = false, showToasts = true, sharePassword } = options;
  const downloadId = `${Date.now()}-${Math.random().toString(36).substring(2, 11)}`;

  try {
@@ -98,7 +99,18 @@ export async function downloadFileWithQueue(
    }

    const encodedObjectName = encodeURIComponent(objectName);
-    const response = await getDownloadUrl(encodedObjectName);
+
+    const params: Record<string, string> = {};
+    if (sharePassword) params.password = sharePassword;
+
+    const response = await getDownloadUrl(
+      encodedObjectName,
+      Object.keys(params).length > 0
+        ? {
+            params: { ...params },
+          }
+        : undefined
+    );

    if (response.status === 202 && useQueue) {
      if (!silent && showToasts) {
@@ -181,7 +193,8 @@ export async function downloadFileAsBlobWithQueue(
  objectName: string,
  fileName: string,
  isReverseShare: boolean = false,
-  fileId?: string
+  fileId?: string,
+  sharePassword?: string
 ): Promise<Blob> {
  try {
    let downloadUrl: string;
@@ -196,7 +209,18 @@ export async function downloadFileAsBlobWithQueue(
      }
    } else {
      const encodedObjectName = encodeURIComponent(objectName);
-      const response = await getDownloadUrl(encodedObjectName);
+
+      const params: Record<string, string> = {};
+      if (sharePassword) params.password = sharePassword;
+
+      const response = await getDownloadUrl(
+        encodedObjectName,
+        Object.keys(params).length > 0
+          ? {
+              params: { ...params },
+            }
+          : undefined
+      );

      if (response.status === 202) {
        downloadUrl = await waitForDownloadReady(objectName, fileName);
@@ -345,7 +369,7 @@ export async function downloadShareFolderWithQueue(
  shareFolders: any[],
  options: DownloadWithQueueOptions = {}
 ): Promise<void> {
-  const { silent = false, showToasts = true } = options;
+  const { silent = false, showToasts = true, sharePassword } = options;
  const downloadId = `share-folder-${Date.now()}-${Math.random().toString(36).substring(2, 11)}`;

  try {
@@ -373,7 +397,7 @@ export async function downloadShareFolderWithQueue(

    for (const file of folderFiles) {
      try {
-        const blob = await downloadFileAsBlobWithQueue(file.objectName, file.name);
+        const blob = await downloadFileAsBlobWithQueue(file.objectName, file.name, false, undefined, sharePassword);
        zip.file(file.zipPath, blob);
      } catch (error) {
        console.error(`Error downloading file ${file.name}:`, error);
@@ -515,7 +539,8 @@ export async function bulkDownloadShareWithQueue(
  shareFolders: any[],
  zipName: string,
  onProgress?: (current: number, total: number) => void,
-  wrapInFolder?: boolean
+  wrapInFolder?: boolean,
+  sharePassword?: string
 ): Promise<void> {
  try {
    const JSZip = (await import("jszip")).default;
@@ -562,7 +587,7 @@ export async function bulkDownloadShareWithQueue(
    for (let i = 0; i < allFilesToDownload.length; i++) {
      const file = allFilesToDownload[i];
      try {
-        const blob = await downloadFileAsBlobWithQueue(file.objectName, file.name);
+        const blob = await downloadFileAsBlobWithQueue(file.objectName, file.name, false, undefined, sharePassword);
        zip.file(file.zipPath, blob);
        onProgress?.(i + 1, allFilesToDownload.length);
      } catch (error) {