proxy: Fix archiver for public links

Allows /archiver to be used the "public-token" auth middleware. The archiver is a bit of a special case, because it can be uses in several ways: using 'normal' authentication (basic, oidc), using signed-urls or using sharetokens. As only the "sharetoken" part is handled by the "PublicShareAuth" middleware, we needed to special-case it a bit.
2026-02-18 15:13:32 -05:00 · 2022-09-05 16:53:00 +02:00
parent 30f4d788f3
commit ab0c82311a
2 changed files with 41 additions and 1 deletions
--- a/services/proxy/pkg/middleware/public_share_auth.go
+++ b/services/proxy/pkg/middleware/public_share_auth.go
@@ -25,9 +25,22 @@ type PublicShareAuthenticator struct {
 	RevaGatewayClient gateway.GatewayAPIClient
 }

+// The archiver is able to create archives from public shares in which case it needs to use the
+// PublicShareAuthenticator. It might however also be called using "normal" authentication or
+// using signed url, which are handled by other middleware. For this reason we can't just
+// handle `/archiver` with the `isPublicPath()` check.
+func isPublicShareArchive(r *http.Request) bool {
+	if strings.HasPrefix(r.URL.Path, "/archiver") {
+		if r.URL.Query().Get(headerShareToken) != "" || r.Header.Get(headerShareToken) != "" {
+			return true
+		}
+	}
+	return false
+}
+
 // Authenticate implements the authenticator interface to authenticate requests via public share auth.
 func (a PublicShareAuthenticator) Authenticate(r *http.Request) (*http.Request, bool) {
-	if !isPublicPath(r.URL.Path) {
+	if !isPublicPath(r.URL.Path) && !isPublicShareArchive(r) {
 		return nil, false
 	}

--- a/services/proxy/pkg/middleware/public_share_auth_test.go
+++ b/services/proxy/pkg/middleware/public_share_auth_test.go
@@ -28,6 +28,10 @@ var _ = Describe("Authenticating requests", Label("PublicShareAuthenticator"), f
 						return "exampletoken", rpcv1beta1.Code_CODE_OK
 					}

+					if clientID == "sharetoken" && clientSecret == "password|" {
+						return "otherexampletoken", rpcv1beta1.Code_CODE_OK
+					}
+
 					return "", rpcv1beta1.Code_CODE_NOT_FOUND
 				},
 			},
@@ -62,6 +66,29 @@ var _ = Describe("Authenticating requests", Label("PublicShareAuthenticator"), f
 			})
 		})
 	})
+	When("the reguest is for the archiver", func() {
+		Context("using a public-token", func() {
+			It("should successfully authenticate", func() {
+				req := httptest.NewRequest(http.MethodGet, "http://example.com/archiver?public-token=sharetoken", http.NoBody)
+				req2, valid := authenticator.Authenticate(req)
+
+				Expect(valid).To(Equal(true))
+				Expect(req2).ToNot(BeNil())
+
+				h := req2.Header
+				Expect(h.Get(_headerRevaAccessToken)).To(Equal("otherexampletoken"))
+			})
+		})
+		Context("not using a public-token", func() {
+			It("should fail to authenticate", func() {
+				req := httptest.NewRequest(http.MethodGet, "http://example.com/archiver", http.NoBody)
+				req2, valid := authenticator.Authenticate(req)
+
+				Expect(valid).To(Equal(false))
+				Expect(req2).To(BeNil())
+			})
+		})
+	})
 })

 type mockGatewayClient struct {