Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replacement for TokenInfo Endpoint #8858

Open
14 tasks
micbar opened this issue Apr 15, 2024 · 6 comments
Open
14 tasks

Replacement for TokenInfo Endpoint #8858

micbar opened this issue Apr 15, 2024 · 6 comments
Assignees
@2403905
Labels
Type:Story User Story

Comments

@micbar
Copy link
Contributor

micbar commented Apr 15, 2024
edited by rhafer

Description

Apart from just re-implementing the tokeninfo logic for sharing-ng, we could try to find a cleaner way to get the same functionality. After some some discussion we came up with this, which should not need a tokeninfo endpoint at all and could purely work with webdav. It is still somewhat rough and we would have to prove that it does actually work:

The client should basically always sent a PROPFIND to /dav/public-files/{sharetoken}

  • authenticated clients accessing an internal link are redirected to the "real" resource (`/dav/spaces/{target-resource-id}
  • authenticated clients accessing a pubic link (password protected or not) for a resource they already have access to are also redirected to the "real" resource. (and always need to supply the password) (this is case is handled by the client, no server redirect involved here)
  • unauthenticated clients accessing an internal link get a 401 returned with WWW-Authenticate set to Bearer (so that the client knows that it need to get a token via the IDP login page.
  • unauthenticated clients accessing a password protected link get a 401 returned with WWW-Authenticate set to Basic to indicate the requirement for needing the link's password.

This would however require some changes our ocdav service (it does not handled the above request on the publicstorageids yet) and AFAICS also in the way we handle authentication for ocdav. So it requires some more research.

User Stories

  • As a client, i want to understand the context of my link (internal, public, password-protected) to give my users the best User Experience

Value

UX

Acceptance Criteria

  • The requirements from above are fulfillable with WebDAV

Definition of ready

  • Everybody needs to understand the value written in the user story
  • Acceptance criteria have to be defined
  • All dependencies of the user story need to be identified
  • Feature should be seen from an end user perspective
  • Story has to be estimated
  • Story points need to be less than 20

Definition of done

  • Functional requirements
    • Functionality described in the user story works
    • Acceptance criteria are fulfilled
  • Quality
    • Code review happened
    • CI is green (that includes new and existing automated tests)
    • Critical code received unit tests by the developer
  • Non-functional requirements
    • No sonar cloud issues
  • Configuration changes
    • The next branch of the ocis charts is compatible
@micbar micbar added the Type:Story User Story label Apr 15, 2024
@micbar micbar mentioned this issue Apr 15, 2024
Closed
This was referenced Apr 15, 2024
Open
Open
@rhafer
Copy link
Contributor

rhafer commented Apr 17, 2024

I've adjusted the initial description a bit. In the discussion in #8617 we agreed on the initial WebDAV endpoint for public links being /dav/public-files/{sharetoken} to avoid more usage of hardcoded server uuid's. (See #8617 (comment))

This was referenced Apr 23, 2024
Merged
Open
@2403905
Copy link
Contributor

2403905 commented Apr 23, 2024
edited

@micbar @rhafer @kobergj Please have a look at the POC.
It still needs to change the response format for the internal link PROPFIND request.

<d:multistatus xmlns:s="http://sabredav.org/ns" xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns">
    <d:response>
        <d:href>/remote.php/dav/public-files/spaces/storage-users-1$some-admin-user-id-0000-000000000000%21b0985455-4a74-4a90-98b0-e8e153e45f51/</d:href>
        <d:propstat>
            <d:prop>
                <oc:permissions>S</oc:permissions>
                <oc:favorite>0</oc:favorite>
                <oc:fileid>storage-users-1$some-admin-user-id-0000-000000000000!b0985455-4a74-4a90-98b0-e8e153e45f51</oc:fileid>
                <oc:file-parent>storage-users-1$some-admin-user-id-0000-000000000000!some-admin-user-id-0000-000000000000</oc:file-parent>
                <oc:name>f2</oc:name>
                <oc:share-types>
                    <oc:share-type>0</oc:share-type>
                </oc:share-types>
                <oc:privatelink>https://localhost:9200/f/storage-users-1$some-admin-user-id-0000-000000000000%21b0985455-4a74-4a90-98b0-e8e153e45f51</oc:privatelink>
                <oc:size>0</oc:size>
                <d:getlastmodified>Mon, 22 Apr 2024 16:26:09 GMT</d:getlastmodified>
                <d:getetag>"0b708c66b247127357ecefdd6aadecf0"</d:getetag>
                <d:resourcetype>
                    <d:collection/>
                </d:resourcetype>
                <oc:tags></oc:tags>
            </d:prop>
            <d:status>HTTP/1.1 200 OK</d:status>
        </d:propstat>
        <d:propstat>
            <d:prop>
                <oc:owner-id></oc:owner-id>
                <oc:owner-display-name></oc:owner-display-name>
                <oc:shareroot></oc:shareroot>
                <d:getcontentlength></d:getcontentlength>
                <d:getcontenttype></d:getcontenttype>
                <oc:downloadURL></oc:downloadURL>
            </d:prop>
            <d:status>HTTP/1.1 404 Not Found</d:status>
        </d:propstat>
    </d:response>
    <d:response>
        <d:href>/remote.php/dav/public-files/spaces/storage-users-1$some-admin-user-id-0000-000000000000%21b0985455-4a74-4a90-98b0-e8e153e45f51/f2fl1.txt/</d:href>
        <d:propstat>
            <d:prop>
                <oc:permissions></oc:permissions>
                <oc:favorite>0</oc:favorite>
                <oc:fileid>storage-users-1$some-admin-user-id-0000-000000000000!6e14bcfc-a997-410a-889c-fbb7ab52dd97</oc:fileid>
                <oc:file-parent>storage-users-1$some-admin-user-id-0000-000000000000!b0985455-4a74-4a90-98b0-e8e153e45f51</oc:file-parent>
                <oc:name>f2fl1.txt</oc:name>
                <oc:privatelink>https://localhost:9200/f/storage-users-1$some-admin-user-id-0000-000000000000%216e14bcfc-a997-410a-889c-fbb7ab52dd97</oc:privatelink>
                <oc:size>0</oc:size>
                <d:getlastmodified>Mon, 22 Apr 2024 16:26:09 GMT</d:getlastmodified>
                <d:getetag>"3c9d1b04a808215002b85c56c81d5356"</d:getetag>
                <d:resourcetype>
                    <d:collection/>
                </d:resourcetype>
                <oc:tags></oc:tags>
            </d:prop>
            <d:status>HTTP/1.1 200 OK</d:status>
        </d:propstat>
        <d:propstat>
            <d:prop>
                <oc:owner-id></oc:owner-id>
                <oc:owner-display-name></oc:owner-display-name>
                <oc:shareroot></oc:shareroot>
                <oc:share-types></oc:share-types>
                <d:getcontentlength></d:getcontentlength>
                <d:getcontenttype></d:getcontenttype>
                <oc:downloadURL></oc:downloadURL>
            </d:prop>
            <d:status>HTTP/1.1 404 Not Found</d:status>
        </d:propstat>
    </d:response>
</d:multistatus>

Against the public link response:

<d:multistatus xmlns:s="http://sabredav.org/ns" xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns">
    <d:response>
        <d:href>/remote.php/dav/public-files/csgVsREiAOeCxAa/</d:href>
        <d:propstat>
            <d:prop>
                <oc:permissions>Z</oc:permissions>
                <oc:fileid>storage-users-1$some-admin-user-id-0000-000000000000!ad0788f4-abbc-4adb-9de3-c3729e26ea3a</oc:fileid>
                <oc:file-parent>storage-users-1$some-admin-user-id-0000-000000000000!some-admin-user-id-0000-000000000000</oc:file-parent>
                <oc:name>csgVsREiAOeCxAa</oc:name>
                <oc:owner-id>admin</oc:owner-id>
                <oc:owner-display-name>Admin</oc:owner-display-name>
                <oc:privatelink>https://localhost:9200/f/storage-users-1$some-admin-user-id-0000-000000000000%21ad0788f4-abbc-4adb-9de3-c3729e26ea3a</oc:privatelink>
                <d:getlastmodified>Wed, 17 Apr 2024 10:32:32 GMT</d:getlastmodified>
                <d:getetag>"9139088991bbebbd3e762394a48a0b3c"</d:getetag>
                <d:resourcetype>
                    <d:collection/>
                </d:resourcetype>
                <oc:tags></oc:tags>
            </d:prop>
            <d:status>HTTP/1.1 200 OK</d:status>
        </d:propstat>
        <d:propstat>
            <d:prop>
                <oc:favorite></oc:favorite>
                <oc:shareroot></oc:shareroot>
                <oc:share-types></oc:share-types>
                <d:getcontentlength></d:getcontentlength>
                <oc:size></oc:size>
                <d:getcontenttype></d:getcontenttype>
                <oc:downloadURL></oc:downloadURL>
            </d:prop>
            <d:status>HTTP/1.1 404 Not Found</d:status>
        </d:propstat>
    </d:response>
</d:multistatus>

@rhafer
Copy link
Contributor

rhafer commented Apr 29, 2024

It still needs to change the response format for the internal link PROPFIND request.

I think the intention for internal links was to have the /dav/public-files/ endpoint reply with a HTTP redirect (Status code 301 or 302) pointing the client to the correct location at /dav/files/<resourceid>.

@2403905
Copy link
Contributor

2403905 commented May 2, 2024

It still needs to change the response format for the internal link PROPFIND request.

I think the intention for internal links was to have the /dav/public-files/ endpoint reply with a HTTP redirect (Status code 301 or 302) pointing the client to the correct location at /dav/files/<resourceid>.

Do you mean the redirect to the /dav/spaces/<resourceid> ?

JammingBen added a commit to owncloud/web that referenced this issue May 2, 2024
@JammingBen
refactor: remove tokeninfo endpoint usage
993cf84 
Removes the tokeninfo endpoint usage and uses the webdav response instead to retrieve all necessary information to resolve a public/internal link.

The biggest change here is that we don't get the file id anymore when resolving an internal link. To solve this we need to login the user first and then redirect to the link resolving page again (only this time with an authenticated context, hence the new route `/i/...`). After that last redirect the authenticated user can now fetch all necessary information for resolving.

See owncloud/ocis#8858 for more detail.
@JammingBen JammingBen mentioned this issue May 2, 2024
Draft
7 tasks
@2403905
Copy link
Contributor

2403905 commented May 2, 2024

@micbar @rhafer Based on @JammingBen suggestion I removed the WWW-Authenticate Basic header in case when unauthenticated clients accessing a password protected link.

@micbar
Copy link
Contributor Author

micbar commented May 2, 2024

Ok, fine for me.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@2403905 2403905

Labels
Type:Story User Story
Projects
Infinite Scale Team Board
Status: In progress
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rhafer @micbar @2403905