pre-signed download urls for password protected public links

David Christofas · David Christofas · commit 9fc9ea88f8ba · 2021-02-03T16:23:22.000+01:00
To support clients which don't use cookies I implemented pre-signed urls
for password protected public links. The share password is used as the
signing key and the signed url is then added to the propfind response in
the field `downloadURL` which was added before but never used. This
change allows owncloud Web to implement a more efficient download
mechanism for password protected link shares.
diff --git a/apps/dav/lib/Files/PublicFiles/PublicFilesPlugin.php b/apps/dav/lib/Files/PublicFiles/PublicFilesPlugin.php
@@ -148,6 +148,25 @@ public function propFind(PropFind $propFind, INode $node) {
 				return $node->getNode()->getSize();
 			});
 		}
+		$server = $this->server;
+		$propFind->handle(FilesPlugin::DOWNLOADURL_PROPERTYNAME, static function () use ($node, $server) {
+			$path = $server->getBaseUri() . $server->getRequestUri();
+			$nodeName = $node->getName();
+			if (\substr($path, -\strlen($nodeName)) !== $nodeName) {
+				$path .= '/' . $nodeName;
+			}
+
+			$share = $node->getShare();
+			if ($share->getPassword() === null) {
+				return $path;
+			}
+
+			$validUntil = new \DateTime();
+			$validUntil->add(new \DateInterval("PT1H")); // valid for 1 hour
+			$key = \hash_hkdf('sha256', $share->getPassword());
+			$s = new PublicShareSignature($share->getToken(), $node->getName(), $validUntil, $key);
+			return  $path . '?signature=' . $s->get() . '&expires=' . \urlencode($validUntil->format(\DateTime::ATOM));
+		});
 	}
 
 	/**
diff --git a/apps/dav/lib/Files/PublicFiles/PublicShareSignature.php b/apps/dav/lib/Files/PublicFiles/PublicShareSignature.php
@@ -0,0 +1,45 @@
+<?php
+/**
+ * @author David Christofas <dchristofas@owncloud.com>
+ *
+ * @copyright Copyright (c) 2021, ownCloud GmbH
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OCA\DAV\Files\PublicFiles;
+
+class PublicShareSignature {
+	private $token;
+	private $fileName;
+	private $validUntil;
+	private $signingKey;
+
+	public function __construct(String $token, String $fileName, \DateTime $validUntil, String $signingKey) {
+		$this->token = $token;
+		$this->fileName = $fileName;
+		$this->validUntil = $validUntil->format(\DateTime::ATOM);
+		$this->signingKey = $signingKey;
+	}
+
+	public function get() {
+		return \hash_hmac('sha512/256', \implode('|', [$this->token, $this->fileName, $this->validUntil]), $this->signingKey, false);
+	}
+
+	public function verify($signature) {
+		$sig = $this->get();
+		return $sig === $signature;
+	}
+}
diff --git a/apps/dav/lib/Files/PublicFiles/PublicSharingAuth.php b/apps/dav/lib/Files/PublicFiles/PublicSharingAuth.php
@@ -101,6 +101,24 @@ public function check(RequestInterface $request, ResponseInterface $response) {
 			return [true, 'principals/system/public'];
 		}
 
+		// Clients which don't use cookie based session authentication and want
+		// to use anchor tags `<a href...` to download password protected files
+		// can't add the basic authentication header.
+		// They can use pre-signed urls instead.
+		$query = $request->getQueryParameters();
+		if (isset($query['signature'], $query['expires'])) {
+			$sig = $query['signature'];
+			$validUntil = \DateTime::createFromFormat(\DateTime::ATOM, $query['expires']);
+			$now = new \DateTime();
+			if ($now < $validUntil) {
+				$key = \hash_hkdf('sha256', $this->share->getPassword());
+				$s = new PublicShareSignature($this->share->getToken(), $this->share->getNode()->getName(), $validUntil, $key);
+				if ($s->verify($sig)) {
+					return [true, 'principals/system/public'];
+				}
+			}
+		}
+
 		try {
 			return parent::check($request, $response);
 		} catch (LoginException $e) {
diff --git a/apps/dav/tests/unit/Files/PublicFiles/PublicShareSignatureTest.php b/apps/dav/tests/unit/Files/PublicFiles/PublicShareSignatureTest.php
@@ -0,0 +1,41 @@
+<?php
+/**
+ * @author David Christofas <dchristofas@owncloud.com>
+ *
+ * @copyright Copyright (c) 2021, ownCloud GmbH
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OCA\DAV\Tests\Unit\Files\PublicFiles;
+
+use OCA\DAV\Files\PublicFiles\PublicShareSignature;
+use Test\TestCase;
+
+class PublicShareSignatureTest extends TestCase {
+	public function testGet() {
+		$s = new PublicShareSignature('someToken', 'someFileName', new \DateTime(), 'somekey');
+		$hash = $s->get();
+		self::assertIsString($hash);
+		self::assertEquals(64, \strlen($hash));
+	}
+
+	public function testVerify() {
+		$expectedHash = 'd67966402971bd3eb18aea62faf122a30e2dd5c9101aa9e106a56574cc535c6c';
+		$date = \DateTime::createFromFormat(\DateTime::ATOM, '2009-01-03T18:15:05Z');
+		$s = new PublicShareSignature('someToken', 'someFileName', $date, 'somekey');
+		self::assertEquals($expectedHash, $s->get());
+	}
+}
diff --git a/changelog/unreleased/38376 b/changelog/unreleased/38376
@@ -0,0 +1,5 @@
+Enhancement: Implement pre-signed download urls for public links
+
+Added pre-signed download urls for password protected public links to support clients which don't use cookies.
+
+https://github.com/owncloud/core/pull/38376
