Direct links to files do not count towards download count #1799

Open
PL-Peter opened this issue Jan 16, 2024 · 3 comments

@PL-Peter

🐛 Bug Report

When a file is uploaded to PasswordPusher, there are 2 URLs per file.

  1. The "secret" URL which is to be passed to the receiver of the file.
    The secret URL is constructed like "https://[server]/f/[Token]"

  2. The "real" URL or direct link to the file
    The real URL looks like "https://[server]/rails/active_storage/blobs/redirect/[long random string]/[real file name]"
    This URL can be copied from the link presented under "Attached Files".

When the receiver of the file passes on the "real URL", an unlimited amount of downloads can be made.
No restrictions seem to be active for those links.

🔬 How To Reproduce

  1. Upload a file to PasswordPusher
  2. Open the secret Link in another browser or incognito window and copy the "real link"
  3. Open as many additional tabs/windows as you like and download the file

Environment

Where are you running/using Password Pusher?

  • [X] Docker Image
    • [X] pwpush

If applicable, what version of Password Pusher?
1.36.5

📈 Expected behavior

"Real" URL should either be counting towards view count/download count/age restrictions or not be directly reachable.


Hello @PL-Peter, thanks for contributing to the Password Pusher community! We will respond as soon as possible.

@pglombardo
Owner

Hi @PL-Peter - you are correct and I'm not sure how to fix this yet.

  1. File downloads should be added to the Audit Log
  2. Should we add a max download setting that would apply per-file? e.g. 10 views on the push, but max 10 downloads of each file? I'm not sure yet.

Let me know what you think.

@PL-Peter
Author

Hi @pglombardo,

What made me wonder was when I pushed some files with only a single view each, that was used by the preview to extract the direct DL URL and the direct download still worked afterwards on the already expired item.

I guess it depends heavily on the use case what the solution should look like.
I'm currently testing single file pushes over the API. In my case download==view.
In my script I'm extracting the direct download URL from the preview page - currently it's not available via API call, as far as I know.

With multiple file pushes it gets a little difficult.
Maybe an elegant (?) solution would be to ZIP pushes with multiple files in an archive to get a single file to download.
At least this is how web based file managers usually solve the "how to download multiple files" problem.
This would also reduce possible download situations to a single case and solve the views/downloads counter problem.
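
A minimal model of the behavior asked for under "Expected behavior", combined with the two ideas from the owner's reply (audit-logged downloads and a per-file download cap), added here as an example that is not part of the thread or of Password Pusher's code. It is plain Ruby rather than Rails/Active Storage, and `Push`, `view!`, `download` and `max_downloads` are hypothetical names.

```ruby
# Added illustration only: a plain-Ruby model, not Password Pusher or Active Storage code.
# Push, view!, download and max_downloads are hypothetical names.
class Push
  Denied = Class.new(StandardError)
  attr_reader :audit_log

  def initialize(files:, max_views:, max_downloads:, expires_at:)
    @files = files                 # { "file name" => contents }
    @max_views = max_views
    @max_downloads = max_downloads # per-file cap, as floated in the thread
    @expires_at = expires_at
    @views = 0
    @downloads = Hash.new(0)
    @audit_log = []
  end

  # Viewing the secret URL lists the files and consumes one view.
  def view!(now)
    raise Denied, "push expired" if now >= @expires_at || @views >= @max_views
    @views += 1
    log(now, "view", nil)
    @files.keys
  end

  # Every file request goes through the push, so the age limit and the
  # per-file cap are enforced and audited even for a copied link.
  def download(name, now)
    reason = deny_reason(name, now)
    if reason
      log(now, "download_denied:#{reason}", name)
      raise Denied, reason
    end
    @downloads[name] += 1
    log(now, "download", name)
    @files.fetch(name)
  end

  private

  def deny_reason(name, now)
    return "unknown file" unless @files.key?(name)
    return "push expired" if now >= @expires_at
    return "download limit reached" if @downloads[name] >= @max_downloads
    nil
  end

  def log(now, event, file)
    @audit_log << { at: now, event: event, file: file }
  end
end
```

The point of the model is that the file bytes are only reachable through a check that knows the push's state, which is the property the direct blob link lacks in the report.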
