/
share_by_link.go
72 lines (64 loc) · 2.33 KB
/
share_by_link.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
package auth
import (
"encoding/base64"
"errors"
"net/http"
"github.com/cozy/cozy-stack/model/permission"
"github.com/cozy/cozy-stack/model/session"
build "github.com/cozy/cozy-stack/pkg/config"
"github.com/cozy/cozy-stack/pkg/couchdb"
"github.com/cozy/cozy-stack/pkg/crypto"
"github.com/cozy/cozy-stack/web/middlewares"
"github.com/labstack/echo/v4"
)
// checkPasswordForShareByLink checks the password for a share by link
// protected by password, and creates a cookie if the password is correct.
func checkPasswordForShareByLink(c echo.Context) error {
res := c.Response()
origin := c.Request().Header.Get(echo.HeaderOrigin)
res.Header().Set(echo.HeaderAccessControlAllowOrigin, origin)
res.Header().Set(echo.HeaderAccessControlAllowCredentials, "true")
res.Header().Add(echo.HeaderVary, echo.HeaderOrigin)
inst := middlewares.GetInstance(c)
permID := c.FormValue("perm_id")
perm, err := permission.GetByID(inst, permID)
if err != nil {
if couchdb.IsNotFoundError(err) || errors.Is(err, permission.ErrExpiredToken) {
return c.JSON(http.StatusNotFound, echo.Map{"error": err.Error()})
}
return c.JSON(http.StatusInternalServerError, echo.Map{"error": err.Error()})
}
hash64, _ := perm.Password.(string)
if len(hash64) == 0 {
return c.JSON(http.StatusOK, echo.Map{"password": "none"})
}
hash, err := base64.StdEncoding.DecodeString(hash64)
if err != nil {
return c.JSON(http.StatusInternalServerError, echo.Map{"error": err.Error()})
}
password := []byte(c.FormValue("password"))
_, err = crypto.CompareHashAndPassphrase(hash, password)
if err != nil {
msg := inst.Translate("Share by link Password Invalid")
return c.JSON(http.StatusForbidden, echo.Map{"error": msg})
}
// Put a cookie so that later requests can use the sharecode
cookieName := "pass" + permID
cfg := crypto.MACConfig{Name: cookieName, MaxLen: 256}
encoded, err := crypto.EncodeAuthMessage(cfg, inst.SessionSecret(), []byte(permID), nil)
if err != nil {
return c.JSON(http.StatusInternalServerError, echo.Map{"error": err.Error()})
}
cookie := &http.Cookie{
Name: cookieName,
Value: string(encoded),
MaxAge: 0,
Path: "/",
Domain: session.CookieDomain(inst),
Secure: !build.IsDevRelease(),
HttpOnly: true,
SameSite: http.SameSiteLaxMode,
}
c.SetCookie(cookie)
return c.JSON(http.StatusOK, echo.Map{"password": "ok"})
}