Signed files become public through their UID #686

Closed
gvansanden opened this issue Feb 25, 2022 · 6 comments

@gvansanden

gvansanden commented Feb 25, 2022

I'm testing with LibreSign, but I've found that a signed document is visible without logging in through its UUID under
https:///index.php/apps/libresign/pdf/
That is the case even if the person signing it was an internal user. Is that not a security issue?

Libresign 2.4.5 on Ubuntu 20.04, Nextcloud 23.

@vitormattos
Member

All signed documents have public links to make it possible to validate the document using the UUID of the files.

A good scenario to explain this is when the QR code with the validation URL is put in the footer of the page. When the document is printed, it will be possible to read the QR code to validate the printed document.

Maybe a good new feature would be to let the admins enable or disable the public access to validate the document.

@gvansanden
Author

@vitormattos I think that making them public by default is a huge issue. Most things that need a signature are to some degree confidential (contracts, purchase orders, ...)
I didn't expect that because in the scope of a signature request, the signer has to create an account.

@tasagore

tasagore commented May 2, 2022

> @vitormattos I think that making them public by default is a huge issue. Most things that need a signature are to some degree confidential (contracts, purchase orders, ...)
> I didn't expect that because in the scope of a signature request, the signer has to create an account.

Not a huge issue, since most public documents should be able to be validated online with just the CSV.

Think of a printed contract that should be validated for a third party; it does not make sense to create accounts for that.

Maybe 2FA should be fine at this point. For example, if the document is signed by xxx@company.com, when someone asks for a validation the app can send a PIN to xxx@company.com to accept the validation. If xxx@company.com is a disabled user, then the request could be redirected to admins, etc. But documents with more than one signature would be problematic.

@gvansanden
Author

@tasagore It depends on the use case. If you are using it to sign contracts between two entities, then the content of those contracts will be confidential and having the docs readable to the entire world is huge. I think having them public serves fewer use cases than having them private...

@vitormattos
Member

@gvansanden this could be an app config to define whether it will only be possible to request signatures from internal or federated users, or whether it will be possible to request signatures from public users.

The point of @tasagore could also be an app config to define whether you want to create an account or not. This will have an impact at the beginning of the sign flow, because it will be necessary to request all the data needed to generate the signature without creating the user account.

We are currently in need of funding to keep development going and implement any new features or changes in the project.
For now we have a Patreon https://patreon.com/libresign to receive funding from minor supporters but, if you want to start long-term support and get priority in solving issues and implementing new features, you can send an email to contact [ at ] librecode [ dot] coop

@tasagore

tasagore commented May 3, 2022

> @tasagore It depends on the use case. If you are using it to sign contracts between two entities, then the content of those contracts will be confidential and having the docs readable to the entire world is huge. I think having them public serves fewer use cases than having them private...

I understand; that scenario is for fully private use. In that case there could be two easy mods (just an idea):

  1. Assign a security setting so the system would be private (only users can validate/download PDFs with the UUID) or public (current behavior)

  2. Set up a password for the document (same as when you share a document with a link from NC). This could be set when the signature is requested.

The best... both. I guess it would be a better integration with how NC works. I'm involved in too many projects now, but if I get some free time I can try to help with the development of something like that.
