Fix nullable org_id handling in public share handlers

This commit is contained in:
Leon Bösche
2026-01-24 22:56:10 +01:00
parent cca21c09d5
commit 421e95d83b
2 changed files with 31 additions and 21 deletions

Binary file not shown.


@@ -2819,7 +2819,7 @@ func createFileShareLinkHandler(w http.ResponseWriter, r *http.Request, db *data
return
}
link, err := db.CreateFileShareLink(r.Context(), token, fileUUID, orgID, userID)
link, err := db.CreateFileShareLink(r.Context(), token, fileUUID, &orgID, userID)
if err != nil {
errors.LogError(r, err, "Failed to create share link")
errors.WriteError(w, errors.CodeInternal, "Server error", http.StatusInternalServerError)
@@ -2911,7 +2911,11 @@ func publicFileShareHandler(w http.ResponseWriter, r *http.Request, db *database
}
// Generate a short-lived token for download (1 hour)
viewerToken, err := jwtManager.GenerateWithDuration("", []string{link.OrgID.String()}, "", time.Hour)
var orgIDs []string
if link.OrgID != nil {
orgIDs = []string{link.OrgID.String()}
}
viewerToken, err := jwtManager.GenerateWithDuration("", orgIDs, "", time.Hour)
if err != nil {
errors.LogError(r, err, "Failed to generate viewer token")
errors.WriteError(w, errors.CodeInternal, "Server error", http.StatusInternalServerError)
@@ -2974,24 +2978,6 @@ func publicFileDownloadHandler(w http.ResponseWriter, r *http.Request, db *datab
return
}
// Verify viewer token (contains org ID)
claims, err := jwtManager.Validate(viewerToken)
if err != nil {
errors.LogError(r, err, "Invalid viewer token")
errors.WriteError(w, errors.CodeUnauthenticated, "Invalid token", http.StatusUnauthorized)
return
}
if len(claims.OrgIDs) == 0 {
errors.WriteError(w, errors.CodeUnauthenticated, "Invalid token", http.StatusUnauthorized)
return
}
orgID, err := uuid.Parse(claims.OrgIDs[0])
if err != nil {
errors.WriteError(w, errors.CodeUnauthenticated, "Invalid token", http.StatusUnauthorized)
return
}
link, err := db.GetFileShareLinkByToken(r.Context(), token)
if err != nil {
if err == sql.ErrNoRows {
@@ -3003,11 +2989,35 @@ func publicFileDownloadHandler(w http.ResponseWriter, r *http.Request, db *datab
return
}
if link.OrgID != orgID {
// Verify viewer token (contains org ID for org files, empty for personal)
claims, err := jwtManager.Validate(viewerToken)
if err != nil {
errors.LogError(r, err, "Invalid viewer token")
errors.WriteError(w, errors.CodeUnauthenticated, "Invalid token", http.StatusUnauthorized)
return
}
if link.OrgID == nil {
if len(claims.OrgIDs) != 0 {
errors.WriteError(w, errors.CodeUnauthenticated, "Invalid token", http.StatusUnauthorized)
return
}
} else {
if len(claims.OrgIDs) == 0 {
errors.WriteError(w, errors.CodeUnauthenticated, "Invalid token", http.StatusUnauthorized)
return
}
orgID, err := uuid.Parse(claims.OrgIDs[0])
if err != nil {
errors.WriteError(w, errors.CodeUnauthenticated, "Invalid token", http.StatusUnauthorized)
return
}
if *link.OrgID != orgID {
errors.WriteError(w, errors.CodeUnauthenticated, "Invalid token", http.StatusUnauthorized)
return
}
}
// Get file metadata
file, err := db.GetFileByID(r.Context(), link.FileID)
if err != nil {
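Review bot: In the new `link.OrgID == nil` branch (the `if len(claims.OrgIDs) != 0` check), a personal-file download is authorized by any viewer token that validates and carries no org IDs, and publicFileShareHandler mints that token with an empty subject and a nil org list (`GenerateWithDuration("", orgIDs, "", time.Hour)`), so unless Validate binds it in a way not visible here, a viewer token issued for one personal share link is accepted for every other personal share link. The org branch has the same shape (any token for the same org passes), but that predates this commit; the personal branch widens it to all non-org shares. Consider binding the viewer token to the link at issue time — e.g. pass the share link's file ID or token through the first argument of GenerateWithDuration, currently `""` — and compare that claim against `link.FileID` in publicFileDownloadHandler in both branches, so the org check becomes an additional constraint rather than the only one. Minor: `orgID, err := uuid.Parse(...)` inside the `else` block shadows the outer `err` from `claims, err :=`; harmless here since nothing reads the outer `err` afterwards, but go vet's shadow check will flag it. publicFileDownloadHandler continues past the end of this hunk.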