Add token with short expiration time to send url

2025-09-12 03:25:58 +03:00 · 2021-06-25 20:33:51 +02:00
parent f44b2611e6
commit 2cd17fe7af
3 changed files with 52 additions and 43 deletions
--- a/src/api/core/sends.rs
+++ b/src/api/core/sends.rs
@@ -2,7 +2,7 @@ use std::{io::Read, path::Path};

 use chrono::{DateTime, Duration, Utc};
 use multipart::server::{save::SavedData, Multipart, SaveResult};
-use rocket::{http::ContentType, Data};
+use rocket::{http::ContentType, response::NamedFile, Data};
 use rocket_contrib::json::Json;
 use serde_json::Value;

@@ -16,7 +16,16 @@ use crate::{
 const SEND_INACCESSIBLE_MSG: &str = "Send does not exist or is no longer available";

 pub fn routes() -> Vec<rocket::Route> {
-    routes![post_send, post_send_file, post_access, post_access_file, put_send, delete_send, put_remove_password]
+    routes![
+        post_send,
+        post_send_file,
+        post_access,
+        post_access_file,
+        put_send,
+        delete_send,
+        put_remove_password,
+        download_send
+    ]
 }

 pub fn purge_sends(pool: DbPool) {
@@ -316,13 +325,25 @@ fn post_access_file(

    send.save(&conn)?;

+    let token_claims = crate::auth::generate_send_claims(&send_id, &file_id);
+    let token = crate::auth::encode_jwt(&token_claims);
    Ok(Json(json!({
        "Object": "send-fileDownload",
        "Id": file_id,
-        "Url": format!("{}/sends/{}/{}", &host.host, send_id, file_id)
+        "Url": format!("{}/api/sends/{}/{}?t={}", &host.host, send_id, file_id, token)
    })))
 }

+#[get("/sends/<send_id>/<file_id>?<t>")]
+fn download_send(send_id: String, file_id: String, t: String) -> Option<NamedFile> {
+    if let Ok(claims) = crate::auth::decode_send(&t) {
+        if claims.sub == format!("{}/{}", send_id, file_id) {
+            return NamedFile::open(Path::new(&CONFIG.sends_folder()).join(send_id).join(file_id)).ok();
+        }
+    }
+    None
+}
+
 #[put("/sends/<id>", data = "<data>")]
 fn put_send(id: String, data: JsonUpcase<SendData>, headers: Headers, conn: DbConn, nt: Notify) -> JsonResult {
    enforce_disable_send_policy(&headers, &conn)?;
--- a/src/api/web.rs
+++ b/src/api/web.rs
@@ -10,7 +10,7 @@ pub fn routes() -> Vec<Route> {
    // If addding more routes here, consider also adding them to
    // crate::utils::LOGGED_ROUTES to make sure they appear in the log
    if CONFIG.web_vault_enabled() {
-        routes![web_index, app_id, web_files, attachments, sends, alive, static_files]
+        routes![web_index, app_id, web_files, attachments, alive, static_files]
    } else {
        routes![attachments, alive, static_files]
    }
@@ -60,11 +60,6 @@ fn attachments(uuid: String, file_id: String) -> Option<NamedFile> {
    NamedFile::open(Path::new(&CONFIG.attachments_folder()).join(uuid).join(file_id)).ok()
 }

-#[get("/sends/<send_id>/<file_id>")]
-fn sends(send_id: String, file_id: String) -> Option<NamedFile> {
-    NamedFile::open(Path::new(&CONFIG.sends_folder()).join(send_id).join(file_id)).ok()
-}
-
 #[get("/alive")]
 fn alive() -> Json<String> {
    use crate::util::format_date;