itsscb/filebrowser
1
0
Fork 0
mirror of https://github.com/filebrowser/filebrowser.git synced 2025-06-22 09:13:00 +00:00
Code Issues Packages Projects Releases 1 Wiki Activity

fix: remove auth query parameter from download and preview links

Browse Source 
macOS saves the download URL in the metadata of the downloaded file.
This means that the downloaded file contains a metadata item with the JWT
token of the user. If the user were to share this file with someone else,
they would have access to their account using the JWT in the metadata
during the validity of the JWT.

The JWT has been removed from the URLs. Since the user is logged in, there
is an authentication cookie set. A JWT in the URL is not necessary.
This commit is contained in:
Henrique Dias 2025-06-21 09:02:30 +02:00
parent 8a14018861
commit cbb712484d
5 changed files with 5 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
frontend/src/api/files.ts
View File

@ -75,11 +75,6 @@ export function download(format: any, ...files: string[]) {
url += `algo=${format}&`; url += `algo=${format}&`;
} }
const authStore = useAuthStore();
if (authStore.jwt) {
url += `auth=${authStore.jwt}&`;
}
window.open(url); window.open(url);
} }

2
frontend/src/api/pub.ts
View File

@ -71,5 +71,5 @@ export function getDownloadURL(res: Resource, inline = false) {
...(res.token && { token: res.token }), ...(res.token && { token: res.token }),
}; };
return createURL("api/public/dl/" + res.hash + res.path, params, false); return createURL("api/public/dl/" + res.hash + res.path, params);
} }

2
frontend/src/api/share.ts
View File

@ -41,5 +41,5 @@ export async function create(
} }
export function getShareURL(share: Share) { export function getShareURL(share: Share) {
return createURL("share/" + share.hash, {}, false); return createURL("share/" + share.hash, {});
} }

14
frontend/src/api/utils.ts
View File

@ -76,23 +76,13 @@ export function removePrefix(url: string): string {
return url; return url;
} }
export function createURL(endpoint: string, params = {}, auth = true): string { export function createURL(endpoint: string, searchParams = {}): string {
const authStore = useAuthStore();
let prefix = baseURL; let prefix = baseURL;
if (!prefix.endsWith("/")) { if (!prefix.endsWith("/")) {
prefix = prefix + "/"; prefix = prefix + "/";
} }
const url = new URL(prefix + encodePath(endpoint), origin); const url = new URL(prefix + encodePath(endpoint), origin);
url.search = new URLSearchParams(searchParams).toString();
const searchParams: SearchParams = {
...(auth && { auth: authStore.jwt }),
...params,
};
for (const key in searchParams) {
url.searchParams.set(key, searchParams[key]);
}
return url.toString(); return url.toString();
} }

2
frontend/src/views/files/Preview.vue
View File

@ -262,7 +262,7 @@ const raw = computed(() => {
} }
if (isEpub.value) { if (isEpub.value) {
return createURL("api/raw" + fileStore.req?.path, {}, false); return createURL("api/raw" + fileStore.req?.path, {});
} }
return downloadUrl.value; return downloadUrl.value;