From cbb712484d3bdabc033acaf3b696ef4f5865813d Mon Sep 17 00:00:00 2001
From: Henrique Dias
Date: Sat, 21 Jun 2025 09:02:30 +0200
Subject: [PATCH] fix: remove auth query parameter from download and preview links

macOS saves the download URL in the metadata of the downloaded file. This means that the downloaded file contains a metadata item with the JWT token of the user. If the user were to share this file with someone else, they would have access to their account using the JWT in the metadata during the validity of the JWT. The JWT has been removed from the URLs. Since the user is logged in, there is an authentication cookie set. A JWT in the URL is not necessary.
---
 frontend/src/api/files.ts            |  5 -----
 frontend/src/api/pub.ts              |  2 +-
 frontend/src/api/share.ts            |  2 +-
 frontend/src/api/utils.ts            | 14 ++------------
 frontend/src/views/files/Preview.vue |  2 +-
 5 files changed, 5 insertions(+), 20 deletions(-)

diff --git a/frontend/src/api/files.ts b/frontend/src/api/files.ts
index 928f5282..0d6a09b7 100644
--- a/frontend/src/api/files.ts
+++ b/frontend/src/api/files.ts
@@ -75,11 +75,6 @@ export function download(format: any, ...files: string[]) {
     url += `algo=${format}&`;
   }
-  const authStore = useAuthStore();
-  if (authStore.jwt) {
-    url += `auth=${authStore.jwt}&`;
-  }
-
   window.open(url);
 }
diff --git a/frontend/src/api/pub.ts b/frontend/src/api/pub.ts
index 4328f64c..964cb030 100644
--- a/frontend/src/api/pub.ts
+++ b/frontend/src/api/pub.ts
@@ -71,5 +71,5 @@ export function getDownloadURL(res: Resource, inline = false) {
     ...(res.token && { token: res.token }),
   };
-  return createURL("api/public/dl/" + res.hash + res.path, params, false);
+  return createURL("api/public/dl/" + res.hash + res.path, params);
 }
diff --git a/frontend/src/api/share.ts b/frontend/src/api/share.ts
index 3748da4e..af8a4ee3 100644
--- a/frontend/src/api/share.ts
+++ b/frontend/src/api/share.ts
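Review bot: The `params` passed on the new `createURL` line still carries `res.token` from the `...(res.token && { token: res.token })` line above it, so a file downloaded from a protected public share still gets a credential written into the same macOS download metadata the commit message describes; that token is scoped to one share rather than to the account, and a public link has no session cookie to fall back on, so keeping it in the query string is presumably unavoidable, but the trade-off deserves a comment next to the call such as `// the share token stays in the query string: public links have no auth cookie to rely on`. The `getDownloadURL` body that builds `params` starts outside the hunk.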
@@ -41,5 +41,5 @@ export async function create(
 }
 export function getShareURL(share: Share) {
-  return createURL("share/" + share.hash, {}, false);
+  return createURL("share/" + share.hash, {});
 }
diff --git a/frontend/src/api/utils.ts b/frontend/src/api/utils.ts
index 7008e28a..a5a64fa1 100644
--- a/frontend/src/api/utils.ts
+++ b/frontend/src/api/utils.ts
@@ -76,23 +76,13 @@ export function removePrefix(url: string): string {
   return url;
 }
-export function createURL(endpoint: string, params = {}, auth = true): string {
-  const authStore = useAuthStore();
-
+export function createURL(endpoint: string, searchParams = {}): string {
   let prefix = baseURL;
   if (!prefix.endsWith("/")) {
     prefix = prefix + "/";
   }
   const url = new URL(prefix + encodePath(endpoint), origin);
-
-  const searchParams: SearchParams = {
-    ...(auth && { auth: authStore.jwt }),
-    ...params,
-  };
-
-  for (const key in searchParams) {
-    url.searchParams.set(key, searchParams[key]);
-  }
+  url.search = new URLSearchParams(searchParams).toString();
   return url.toString();
 }
diff --git a/frontend/src/views/files/Preview.vue b/frontend/src/views/files/Preview.vue
index 934fd238..7170e3da 100644
--- a/frontend/src/views/files/Preview.vue
+++ b/frontend/src/views/files/Preview.vue
@@ -262,7 +262,7 @@ const raw = computed(() => {
   }
   if (isEpub.value) {
-    return createURL("api/raw" + fileStore.req?.path, {}, false);
+    return createURL("api/raw" + fileStore.req?.path, {});
   }
   return downloadUrl.value;
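Review bot: The new `searchParams = {}` parameter in utils.ts is inferred as the type `{}`, which accepts any non-nullish value, so a caller can hand over non-string values and `URLSearchParams` will serialise them as text (an `undefined` becomes the literal query value `undefined`); declaring the shape the constructor actually takes, `export function createURL(endpoint: string, searchParams: Record<string, string> = {}): string {`, makes the contract explicit and lets the compiler check the `params` objects built in pub.ts. With `auth` and the `SearchParams` object gone, the `useAuthStore` and `SearchParams` imports at the top of utils.ts look unused unless something else in the file still references them, which is outside the hunk. Assigning `url.search` also replaces any query already present in the URL built from `endpoint`, unlike the old per-key `set` loop; that is fine provided `encodePath` never emits a bare `?`, which this hunk does not show. A short doc comment on `createURL` stating that authentication is expected to come from the session cookie rather than a query parameter would tell the next reader why no credential is added here.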
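Review bot: On the new Preview.vue line, `"api/raw" + fileStore.req?.path` yields the literal path `api/rawundefined` when `req` is undefined, because optional chaining short-circuits only the property access, not the string concatenation that follows it. If an earlier branch of `raw` already guarantees `req` is set this is moot, otherwise guarding the branch, for example `if (isEpub.value && fileStore.req) {`, keeps the URL well-formed instead of requesting a non-existent path. The `raw` computed starts and ends outside the hunk, so that earlier guard cannot be confirmed from here.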