Browse Source
Fix some issues/comments
Signed-off-by: BlackDex <black.dex@gmail.com>
pull/6485/head
BlackDex
1 week ago
No known key found for this signature in database
GPG Key ID: 58C80A2AA6C765E1
3 changed files with
25 additions and
4 deletions
-
src/api/core/sends.rs
-
src/db/models/attachment.rs
-
src/sso.rs
|
|
|
@ -568,7 +568,7 @@ async fn post_access_file( |
|
|
|
async fn download_url(host: &Host, send_id: &SendId, file_id: &SendFileId) -> Result<String, crate::Error> { |
|
|
|
let operator = CONFIG.opendal_operator_for_path_type(&PathType::Sends)?; |
|
|
|
|
|
|
|
if operator.info().scheme() == String::from(opendal::Scheme::Fs) { |
|
|
|
if operator.info().scheme() == <&'static str>::from(opendal::Scheme::Fs) { |
|
|
|
let token_claims = crate::auth::generate_send_claims(send_id, file_id); |
|
|
|
let token = crate::auth::encode_jwt(&token_claims); |
|
|
|
|
|
|
|
|
|
|
|
@ -46,7 +46,7 @@ impl Attachment { |
|
|
|
pub async fn get_url(&self, host: &str) -> Result<String, crate::Error> { |
|
|
|
let operator = CONFIG.opendal_operator_for_path_type(&PathType::Attachments)?; |
|
|
|
|
|
|
|
if operator.info().scheme() == String::from(opendal::Scheme::Fs) { |
|
|
|
if operator.info().scheme() == <&'static str>::from(opendal::Scheme::Fs) { |
|
|
|
let token = encode_jwt(&generate_file_download_claims(self.cipher_uuid.clone(), self.id.clone())); |
|
|
|
Ok(format!("{host}/attachments/{}/{}?token={token}", self.cipher_uuid, self.id)) |
|
|
|
} else { |
|
|
|
|
|
|
|
@ -132,6 +132,12 @@ struct BasicTokenClaims { |
|
|
|
exp: i64, |
|
|
|
} |
|
|
|
|
|
|
|
#[derive(Deserialize)] |
|
|
|
struct BasicTokenClaimsValidation { |
|
|
|
exp: u64, |
|
|
|
iss: String, |
|
|
|
} |
|
|
|
|
|
|
|
impl BasicTokenClaims { |
|
|
|
fn nbf(&self) -> i64 { |
|
|
|
self.nbf.or(self.iat).unwrap_or_else(|| Utc::now().timestamp()) |
|
|
|
@ -139,8 +145,23 @@ impl BasicTokenClaims { |
|
|
|
} |
|
|
|
|
|
|
|
fn decode_token_claims(token_name: &str, token: &str) -> ApiResult<BasicTokenClaims> { |
|
|
|
match jsonwebtoken::dangerous::insecure_decode(token) { |
|
|
|
Ok(btc) => Ok(btc.claims), |
|
|
|
// We need to manually validate this token, since `insecure_decode` does not do this
|
|
|
|
match jsonwebtoken::dangerous::insecure_decode::<BasicTokenClaimsValidation>(token) { |
|
|
|
Ok(btcv) => { |
|
|
|
let now = jsonwebtoken::get_current_timestamp(); |
|
|
|
let validate_claim = btcv.claims; |
|
|
|
// Validate the exp in the claim with a leeway of 60 seconds, same as jsonwebtoken does
|
|
|
|
if validate_claim.exp < now - 60 { |
|
|
|
err_silent!(format!("Expired Signature for base token claim from {token_name}")) |
|
|
|
} |
|
|
|
if validate_claim.iss.ne(&CONFIG.sso_authority()) { |
|
|
|
err_silent!(format!("Invalid Issuer for base token claim from {token_name}")) |
|
|
|
} |
|
|
|
|
|
|
|
// All is validated and ok, lets decode again using the wanted struct
|
|
|
|
let btc = jsonwebtoken::dangerous::insecure_decode::<BasicTokenClaims>(token).unwrap(); |
|
|
|
Ok(btc.claims) |
|
|
|
} |
|
|
|
Err(err) => err_silent!(format!("Failed to decode basic token claims from {token_name}: {err}")), |
|
|
|
} |
|
|
|
} |
|
|
|
|
