- Add public share check endpoint: GET /v1/marketplace/shareinfo/public/check/{allocation}
- Add public share recipients endpoint: GET /v1/marketplace/shareinfo/public/recipients/{allocation}
- Add public share recipient removal endpoint: DELETE /v1/marketplace/shareinfo/public/recipient/{allocation}
- Add public share revoke endpoint: DELETE /v1/marketplace/shareinfo/public/{allocation}
Security & Features:
- Owner-scoped recipient queries (prevents cross-owner data access)
- Allocation ownership verification for all operations
- Support for both private and public share types
- Auth ticket validation and signature verification
- Comprehensive error handling and validation
- Rate limiting and connection management
Database Operations:
- CheckPublicShareExists: Verify public share existence
- GetPublicShareRecipients: Get all recipients (owner-scoped)
- RemovePublicShareRecipient: Remove specific recipient
- RevokePublicShare: Remove all recipients for a file
API Endpoints:
- GET /v1/marketplace/shareinfo/public/check/{allocation} - Check existence
- GET /v1/marketplace/shareinfo/public/recipients/{allocation} - List recipients
- DELETE /v1/marketplace/shareinfo/public/recipient/{allocation} - Remove recipient
- DELETE /v1/marketplace/shareinfo/public/{allocation} - Revoke share
Security Fix: Added owner_id filtering to prevent cross-owner data access
…ic/recipient/ (handler.go)
…ublic share handlers
B-C1 — DeletePublicShareInfo revokes private shares
Add `AND client_id = ''` to the WHERE clause so revoking a public share
does not also revoke private (targeted) shares on the same file path.
Public shares are identified by client_id = '', set by the owner inside
their cryptographically signed auth ticket.
B-C2 — GORM zero-value silently drops revoked = false from WHERE
GORM v2 ignores zero-value struct fields in Where(&ShareInfo{}). Since
bool false is Go's zero value, the revoked = false predicate was omitted
from the generated SQL, causing already-revoked rows to be re-matched.
Replace struct-based WHERE conditions with explicit string predicates and
use map[string]interface{} for Updates across DeleteShareInfo,
RemovePublicShareRecipient, and DeletePublicShareInfo.
B-H1 — Ownership check ordered after file-path DB lookup
GetLimitedRefFieldsByLookupHash was called before the clientID ownership
assertion in all five share handlers, leaking whether a file path exists
to non-owners via different error messages. Move the ownership check to
immediately after signature verification in RevokeShare, RevokePublicShare,
RemovePublicShareRecipient, CheckPublicShareExists, and GetPublicShareRecipients.
B-H2 — CheckPublicShareExists counts private shares
Missing client_id = '' filter caused the function to return true whenever
any share (public or private) existed for the path, producing false
positives for owners who had only shared a file privately.
B-H3 — GetPublicShareRecipients returns private recipients and key material
Missing client_id = '' filter allowed private recipients to appear in the
public listing. Additionally, the implicit SELECT * returned re_encryption_key
and client_encryption_public_key — sensitive proxy re-encryption key
material — over a public-facing endpoint. Add the client_id filter and
restrict the SELECT to non-sensitive identity and timing columns only.
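The B-C1 and B-C2 fixes above both come down to which predicates actually reach the database. The following added example (not the blobber project's own code) reproduces GORM v2's documented rule for struct conditions in a small reflection-based builder, `StructWhere`, so you can see `revoked = false` and `client_id = ''` vanish from a struct-based WHERE, and contrasts it with the explicit string predicate the commit switches to. `ShareInfo`, the `col` tags and the sample values are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"reflect"
	"strings"
)

// ShareInfo is a constructed stand-in for the columns named in the commit
// text; it is not the blobber project's own model.
type ShareInfo struct {
	OwnerID      string `col:"owner_id"`
	ClientID     string `col:"client_id"`
	FilePathHash string `col:"file_path_hash"`
	Revoked      bool   `col:"revoked"`
}

// StructWhere simulates GORM v2's rule for struct conditions (it does not
// call GORM): fields holding their zero value ("" or false) are skipped, so
// Where(&ShareInfo{...}) never emits "revoked = false" or "client_id = ''".
// Values are rendered with Go quoting for display only.
func StructWhere(cond *ShareInfo) string {
	v := reflect.ValueOf(cond).Elem()
	var preds []string
	for i := 0; i < v.NumField(); i++ {
		if v.Field(i).IsZero() {
			continue // predicate silently dropped
		}
		col := v.Type().Field(i).Tag.Get("col")
		preds = append(preds, fmt.Sprintf("%s = %#v", col, v.Field(i).Interface()))
	}
	return strings.Join(preds, " AND ")
}

// ExplicitWhere is the corrected form: a string predicate with bound
// arguments, so the zero-value filters always reach the database and the
// caller-supplied values are never interpolated into the SQL text.
func ExplicitWhere(ownerID, filePathHash string) (string, []interface{}) {
	return "owner_id = ? AND file_path_hash = ? AND client_id = '' AND revoked = false",
		[]interface{}{ownerID, filePathHash}
}

func main() {
	// The struct form loses both filters; the explicit form keeps them.
	fmt.Println(StructWhere(&ShareInfo{OwnerID: "owner1", FilePathHash: "abc123"}))
	fmt.Println(ExplicitWhere("owner1", "abc123"))
}
```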
…revocation
- Add share_type to ShareInfo (reference/shareinfo.go):
  - Constants ShareTypePrivate, ShareTypePublic.
  - ShareInfo.ShareType field; default "private" when empty.
  - GetShareInfoByType(ownerID, filePathHash, shareType) for type-scoped lookups.
  - GetAnyActiveShare(ownerID, filePathHash) for download/auth (any type).
  - AddShareInfo / DeleteShareInfo use share_type; DeleteShareInfo filters by owner, client, file_path_hash, share_type.
  - CheckPublicShareExists, GetPublicShareRecipients, RemovePublicShareRecipient, RevokePublicShare scoped by share_type where applicable.
- Migration (goose/migrations/1742500000_share_type.sql):
  - Add column share_type VARCHAR(16) NOT NULL DEFAULT 'private' to marketplace_share_info.
  - Indexes: (owner_id, file_path_hash, share_type), (client_id, file_path_hash, share_type).
- Handlers (handler/handler.go):
  - InsertShare: read share_type from form; upsert by (owner, client, file_path_hash, share_type).
  - RevokeShare: pass ShareTypePrivate for private revoke.
  - Public share endpoints (RevokePublicShare, RemovePublicShareRecipient, CheckPublicShareExists, GetPublicShareRecipients) use ShareTypePublic and owner scoping.
- Download/auth (authticket.go, object_operation_handler.go, storage_handler.go):
  - Use GetAnyActiveShare so either a public or private share allows access; no special client_id semantics.
Aligns blobber with 0box per-recipient model and enables revoking only public or only private when the same user has both.
Changes
Added public share with revoking feature
Fixes
Tests
Tasks to complete before merging PR:
Associated PRs (Link as appropriate):