Skip to content

feat: prepare for deprecating client signed urls#448

Draft
rhafer wants to merge 2 commits intoopencloud-eu:mainfrom
rhafer:versions-downloadURL
Draft

feat: prepare for deprecating client signed urls#448
rhafer wants to merge 2 commits intoopencloud-eu:mainfrom
rhafer:versions-downloadURL

Conversation

@rhafer
Copy link

@rhafer rhafer commented Dec 3, 2025
edited
Loading

PROPFIND requests to '/dav/meta/.../v' now also include the 'oc:downloadURL' property in the response, if requested.

Also the archive is able now to produce signed urls for downloading an archive.

Partial: opencloud-eu/opencloud#1197

@rhafer rhafer self-assigned this Dec 3, 2025
@rhafer rhafer force-pushed the versions-downloadURL branch from 0dae00e to cfdb2cb Compare December 4, 2025 11:02
@rhafer
feat: add 'oc:downloadURL' to revision endpoints
e7de9ec 
PROPFIND requests to '/dav/meta/.../v' now also include the
'oc:downloadURL' property in the response, if requested.

Partial: opencloud-eu/opencloud#1197
@rhafer rhafer force-pushed the versions-downloadURL branch from cfdb2cb to c69af3d Compare December 8, 2025 15:47
@rhafer rhafer changed the title feat: add 'oc:downloadURL' to revision endpoints feat: prepare for deprecating client signed urls Dec 8, 2025
@rhafer
Copy link
Author

rhafer commented Dec 8, 2025

@JammingBen This introduces a new endpoint for the archive that will redirect to a server signed urls for generating an archive.

You'd send a request to archiver/v2?id=.... and will get back a 303 with the location header set to the signed URL for downloading the archive:

> curl -ki -u admin:admin 'https://localhost:9200/archiver/v2?id=4697c284-c203-477e-9a7b-0d0986cbc53f%246cbc8cd2-92ad-43b5-986d-f756e8f85bfd%219a33c973-1fb7-4e07-8601-66212980afc0'
HTTP/1.1 303 See Other
Content-Length: 0
Content-Security-Policy: child-src 'self'; connect-src 'self' blob: https://raw.githubusercontent.com/opencloud-eu/awesome-apps/ https://update.opencloud.eu/ https://companion.opencloud.test/ wss://companion.opencloud.test/ https://keycloak.opencloud.test/; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/ https://collabora.opencloud.test/ https://docs.opencloud.eu; img-src 'self' data: blob: https://raw.githubusercontent.com/opencloud-eu/awesome-apps/ https://tile.openstreetmap.org/ https://collabora.opencloud.test/; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline' https://keycloak.opencloud.test/; style-src 'self' 'unsafe-inline'
Content-Type: none
Date: Mon, 08 Dec 2025 15:56:31 GMT
Location: https://localhost:9200/archiver?id=4697c284-c203-477e-9a7b-0d0986cbc53f%246cbc8cd2-92ad-43b5-986d-f756e8f85bfd%219a33c973-1fb7-4e07-8601-66212980afc0&oc-jwt-sig=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0YXJnZXRfdXJsIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6OTIwMC9hcmNoaXZlcj9pZD00Njk3YzI4NC1jMjAzLTQ3N2UtOWE3Yi0wZDA5ODZjYmM1M2YlMjQ2Y2JjOGNkMi05MmFkLTQzYjUtOTg2ZC1mNzU2ZThmODViZmQlMjE5YTMzYzk3My0xZmI3LTRlMDctODYwMS02NjIxMjk4MGFmYzAiLCJpc3MiOiJyZXZhIiwic3ViIjoiODYyY2ZhMDItZTQ2Mi00ZDI5LWJiMTMtMGQ2NWI4ZGY5MTZjIiwiZXhwIjoxNzY1MjExMTkxLCJpYXQiOjE3NjUyMDkzOTF9.VIj1G681zcM1uXUxeANOBilWDLCENwGoBZ6LyVA798w
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=315360000; preload
Vary: Origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Request-Id: 02a384f2f6e2/mTZqGhbPjw-000021
X-Robots-Tag: none
X-Xss-Protection: 1; mode=block

Does that make sense for web? Or would you prefer some different kind of interface here?

@rhafer rhafer force-pushed the versions-downloadURL branch from c69af3d to 08a052b Compare December 8, 2025 15:58
@JammingBen
Copy link

JammingBen commented Dec 9, 2025
edited
Loading

Yup this should be fine! Does it work unauthenticated on public links and with basic auth on password-protected links as well? And how would I concatenate multiple ids?

@rhafer
Copy link
Author

rhafer commented Dec 9, 2025

Yup this should be fine! Does it work unauthenticated on public links and with basic auth on password-protected links as well?

I'd hope so. But I still need to try.

And how would I concatenate multiple ids?

Just like on the old endpoint /archiver/v2?id=1&id=2&id=3

@rhafer
feat: leverage server signed urls for the archiver
ab26470 
This introduces the new `archiver/v2` endpoint that leverages the
recently added url signing mechanism to generated archive download
urls. Request to `archiver/v2?id=...&id=...` will get a 303 Response
with the `Location` Header pointing to the signed url that can be used
for downloading the archive.

Partial: opencloud-eu/opencloud#1197
@rhafer rhafer force-pushed the versions-downloadURL branch from 08a052b to ab26470 Compare December 9, 2025 10:01
@rhafer
Copy link
Author

rhafer commented Dec 9, 2025

Does it work unauthenticated on public links and with basic auth on password-protected links as well?

I can confirm that this works for public links (password protected or not) as well.

@rhafer rhafer requested review from aduffeck and butonic December 9, 2025 10:43
@rhafer rhafer mentioned this pull request Dec 9, 2025
Draft
@rhafer
Copy link
Author

rhafer commented Dec 9, 2025

Argh, I just noticed I introduced a stupid bug that would allow downloading arbitrary files from the creator of a public link. 🤦‍♂️

@rhafer rhafer marked this pull request as draft December 9, 2025 12:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aduffeck aduffeck Awaiting requested review from aduffeck

@butonic butonic Awaiting requested review from butonic

At least 1 approving review is required to merge this pull request.

Assignees

@rhafer rhafer

Labels

Type:Enhancement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rhafer @JammingBen