SECURITY: Fix potential password bypass vulnerability by:

Frontend changes:
- Add password_hash field to Share interface
- Only show direct download button for single files without password protection
- Update hasDownloadLink() to check both file type and password status

Backend changes:
- Remove token-based authentication bypass for password-protected shares
- Enforce password authentication for all protected shares, even with valid tokens
- Add security comments explaining the rationale

This ensures that password-protected shares cannot be accessed via direct
download links, closing the security vulnerability while preserving the
convenience of direct downloads for public shares.

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

Add back the missing direct download link button that was removed.

This button allows users to copy a direct download URL for shared files,
which is different from the share page URL.

Changes:
- Add direct download link button with content_paste_go icon
- Import pub API for download URL generation
- Add hasDownloadLink() method to check if file can be directly downloaded
- Add buildDownloadLink() method to generate direct download URLs
- Only show button for single file selections (not directories)

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

This change allows shares to be password protected. It works by:

* Allowing a password to be optionally passed when creating a share
* If set, the password + salt that is configured via a new flag will be
  hashed via bcrypt and the hash stored together with the rest of the
  share
* Additionally, a random 96-byte-long token gets generated and stored
  as part of the share
* When the backend receives an unauthenticated request for a share that
  has authentication configured, it will return an HTTP 401
* The frontend detects this and will show a login prompt
* The actual download links are protected via a URL arg that contains
  the previously generated token. This allows us to avoid buffering the
  download in the browser and allows pasting the link without breaking
  it
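
The access decision these commit messages describe, sketched as an added example that is not part of the commits or the project's code: it contrasts the token-only path with the enforced password check. `Share`, `hashPassword`, `authorize`, `tokenBypass` and the way the password reaches the backend are assumptions, and SHA-256 stands in for bcrypt only so the block runs on the standard library.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Share models a stored share. Field names are assumptions for this example.
type Share struct {
	PasswordHash []byte // empty for a public share
	Token        string // random token generated when the share is created
}

// hashPassword stands in for the bcrypt hash of password + salt so the example
// needs only the standard library. SHA-256 is not suitable for real password storage.
func hashPassword(password, salt string) []byte {
	sum := sha256.Sum256([]byte(password + salt))
	return sum[:]
}

// authorize returns the HTTP status for a download request against a share.
// tokenBypass=true models the older behaviour, where a valid token in the URL
// was enough; false models the fix, where a protected share always needs the password.
func authorize(s Share, salt, password, token string, tokenBypass bool) int {
	if len(s.PasswordHash) == 0 {
		return 200 // public share: direct download links keep working
	}
	tokenOK := token != "" && subtle.ConstantTimeCompare([]byte(token), []byte(s.Token)) == 1
	if tokenBypass && tokenOK {
		return 200
	}
	if subtle.ConstantTimeCompare(hashPassword(password, salt), s.PasswordHash) == 1 {
		return 200
	}
	return 401 // the frontend reacts to this by showing the password prompt
}

func main() {
	salt := "constructed-salt" // all sample values here are constructed
	protected := Share{PasswordHash: hashPassword("constructed-pw", salt), Token: "constructed-token"}
	fmt.Println("token only, bypass on: ", authorize(protected, salt, "", "constructed-token", true))
	fmt.Println("token only, bypass off:", authorize(protected, salt, "", "constructed-token", false))
	fmt.Println("password, bypass off:  ", authorize(protected, salt, "constructed-pw", "", false))
	fmt.Println("public share:          ", authorize(Share{}, salt, "", "", false))
}
```
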