SECURITY: Fix potential password bypass vulnerability by:
Frontend changes:
- Add password_hash field to Share interface
- Only show direct download button for single files without password protection
- Update hasDownloadLink() to check both file type and password status
Backend changes:
- Remove token-based authentication bypass for password-protected shares
- Enforce password authentication for all protected shares, even with valid tokens
- Add security comments explaining the rationale
This ensures that password-protected shares cannot be accessed via direct
download links, closing the security vulnerability while preserving the
convenience of direct downloads for public shares.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add back the missing direct download link button that was removed.
This button allows users to copy a direct download URL for shared files,
which is different from the share page URL.
Changes:
- Add direct download link button with content_paste_go icon
- Import pub API for download URL generation
- Add hasDownloadLink() method to check if file can be directly downloaded
- Add buildDownloadLink() method to generate direct download URLs
- Only show button for single file selections (not directories)
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
91% of minimum 50% translated source file: 'frontend/src/i18n/en.json'
on 'sk'.
Sync of partially translated files:
untranslated content is included with an empty translation
or source language content depending on file format
99% of minimum 50% translated source file: 'frontend/src/i18n/en.json'
on 'zh_TW'.
Sync of partially translated files:
untranslated content is included with an empty translation
or source language content depending on file format
macOS saves the download URL in the metadata of the downloaded file.
This means that the downloaded file contains a metadata item with the JWT
token of the user. If the user were to share this file with someone else,
they would have access to their account using the JWT in the metadata
during the validity of the JWT.
The JWT has been removed from the URLs. Since the user is logged in, there
is an authentication cookie set. A JWT in the URL is not necessary.
