Clarify Collabora proxy token handling for iframe cross-origin requests

2026-01-12 16:08:35 +01:00
parent 2ded9b00f9
commit 350eb27e30
3 changed files with 97 additions and 42 deletions
--- a/go_cloud/internal/http/wopi_handlers.go
+++ b/go_cloud/internal/http/wopi_handlers.go
@@ -603,3 +603,65 @@ func wopiSessionHandler(w http.ResponseWriter, r *http.Request, db *database.DB,

 	fmt.Printf("[WOPI-REQUEST] Session created: file=%s user=%s\n", fileID, userID.String())
 }
+// CollaboraProxyHandler serves an HTML page that POSTs WOPISrc to Collabora
+// This avoids CORS issues by having the POST originate from our domain
+func collaboraProxyHandler(w http.ResponseWriter, r *http.Request, db *database.DB, jwtManager *jwt.Manager, collaboraURL string) {
+	fileID := r.PathValue("fileId")
+	if fileID == "" {
+		errors.WriteError(w, errors.CodeInvalidArgument, "Missing fileId", http.StatusBadRequest)
+		return
+	}
+
+	// Get user from context (from auth middleware)
+	userIDStr, ok := middleware.GetUserID(r.Context())
+	if !ok {
+		errors.WriteError(w, errors.CodeUnauthenticated, "Not authenticated", http.StatusUnauthorized)
+		return
+	}
+
+	userID, err := uuid.Parse(userIDStr)
+	if err != nil {
+		errors.WriteError(w, errors.CodeInvalidArgument, "Invalid user ID", http.StatusBadRequest)
+		return
+	}
+
+	// Create WOPI session
+	wopiSrc, accessToken, err := createWOPISession(r.Context(), db, jwtManager, userID, fileID)
+	if err != nil {
+		fmt.Printf("[WOPI-ERROR] Failed to create session: %v\n", err)
+		errors.WriteError(w, errors.CodeInternal, "Failed to create WOPI session", http.StatusInternalServerError)
+		return
+	}
+
+	// Return HTML page with auto-submitting form
+	htmlContent := fmt.Sprintf(`<!DOCTYPE html>
+<html>
+<head>
+  <title>Loading Document...</title>
+  <style>
+    body { margin: 0; padding: 0; background: #f5f5f5; }
+    .container { display: flex; justify-content: center; align-items: center; height: 100vh; }
+    .message { font-family: sans-serif; color: #666; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="message">Loading document in Collabora Online...</div>
+  </div>
+  <form method="POST" action="%s/loleaflet/dist/loleaflet.html" id="collaboraForm" style="display: none;">
+    <input type="hidden" name="WOPISrc" value="%s">
+  </form>
+  <script>
+    // Submit the form immediately to Collabora
+    document.getElementById('collaboraForm').submit();
+  </script>
+</body>
+</html>`, collaboraURL, wopiSrc)
+
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	w.Header().Set("X-Frame-Options", "SAMEORIGIN")
+	w.WriteHeader(http.StatusOK)
+	w.Write([]byte(htmlContent))
+
+	fmt.Printf("[COLLABORA-PROXY] Served HTML form: file=%s user=%s\n", fileID, userID.String())
+}