vic/filebrozer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: remove auth query parameter from download and preview links

Browse Source 
macOS saves the download URL in the metadata of the downloaded file.
This means that the downloaded file contains a metadata item with the JWT
token of the user. If the user were to share this file with someone else,
they would have access to their account using the JWT in the metadata
during the validity of the JWT.

The JWT has been removed from the URLs. Since the user is logged in, there
is an authentication cookie set. A JWT in the URL is not necessary.
This commit is contained in:
Henrique Dias
2025-06-21 09:02:30 +02:00
parent 8a14018861
commit cbb712484d
5 changed files with 5 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
frontend/src/api/utils.ts
View File

@@ -76,23 +76,13 @@ export function removePrefix(url: string): string {
return url;
}
export function createURL(endpoint: string, params = {}, auth = true): string {
const authStore = useAuthStore();
export function createURL(endpoint: string, searchParams = {}): string {
let prefix = baseURL;
if (!prefix.endsWith("/")) {
prefix = prefix + "/";
}
const url = new URL(prefix + encodePath(endpoint), origin);
const searchParams: SearchParams = {
...(auth && { auth: authStore.jwt }),
...params,
};
for (const key in searchParams) {
url.searchParams.set(key, searchParams[key]);
}
url.search = new URLSearchParams(searchParams).toString();
return url.toString();
}