
Deprecate and remove `/cloud/user/signing-key` endpoint

Open rhafer opened this issue 5 months ago • 5 comments

With https://github.com/opencloud-eu/opencloud/pull/1191 we're getting one step closer to being able to remove the need for client-side created signed URLs.

Problem

  • The signing-key endpoint is the last remaining endpoint offered by the ocs service in OpenCloud (not to be confused with the ocs service in reva). Removing it would mean we could delete the whole service.
  • The concept of client-side signed URLs has a few drawbacks:
    • The secret used for signing the URL leaks from the server
    • The client is able to generate any signed URL it likes
    • The client is in control of the lifetime of the signature
    • Per-user secrets need to be managed and stored on the server side

Solution

Switch all remaining cases where signed urls are needed to be able to download things to use server generated signed urls. Currently client signed urls are used by web at least in these cases:

  • Downloading files using the Download button in the web ui. This could be solved by just using the oc:downloadURL property added by #1191
  • Downloading a directory using the archiver
  • Downloading versions of files https://github.com/opencloud-eu/opencloud/issues/1197#issuecomment-3497043968
  • ???

The other clients (desktop, ios, android) don't seem to be using the signing-key anywhere.

rhafer avatar Jul 09 '25 10:07 rhafer
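A sketch of the server-generated signed URL approach proposed in the issue above, written as an added example; it is not code from OpenCloud or from the issue author. The function names, the `user`/`exp`/`sig` query parameters, the `maxTTL` policy, the key and the sample path are all assumptions chosen for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"strconv"
	"time"
)

// maxTTL is an assumed server policy: the lifetime is fixed here, not chosen by the client.
const maxTTL = 10 * time.Minute

// mac binds the signature to one path, one user and one expiry (length-prefixed, so fields cannot blur).
func mac(key []byte, path, user string, exp int64) []byte {
	h := hmac.New(sha256.New, key)
	fmt.Fprintf(h, "%d:%s|%d:%s|%d", len(path), path, len(user), user, exp)
	return h.Sum(nil)
}

// SignDownloadURL runs on the server after it has authorized user for path; the key never leaves the server.
func SignDownloadURL(key []byte, path, user string, now time.Time) string {
	exp := now.Add(maxTTL).Unix()
	q := url.Values{"user": {user}, "exp": {strconv.FormatInt(exp, 10)}}
	q.Set("sig", hex.EncodeToString(mac(key, path, user, exp)))
	return (&url.URL{Path: path, RawQuery: q.Encode()}).String()
}

// VerifyDownloadURL rejects expired links and any change to path, user or expiry.
func VerifyDownloadURL(key []byte, raw string, now time.Time) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	q := u.Query()
	exp, err := strconv.ParseInt(q.Get("exp"), 10, 64)
	if err != nil || now.Unix() > exp {
		return "", fmt.Errorf("expired or malformed expiry")
	}
	sig, err := hex.DecodeString(q.Get("sig"))
	if err != nil || !hmac.Equal(sig, mac(key, u.Path, q.Get("user"), exp)) { // constant-time compare
		return "", fmt.Errorf("bad signature")
	}
	return q.Get("user"), nil
}

// Constructed key and path, for demonstration only.
func main() { fmt.Println(SignDownloadURL([]byte("constructed-demo-key"), "/files/report.pdf", "alice", time.Now())) }
```

Because signing happens only on the server, a single service-wide key can replace the per-user secrets the issue lists as a drawback.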

@kulmann @AlexAndBear file downloads and the archiver are the only place I could find where the signing-key endpoint is still used. Do you know of any other?

For the archiver I guess we'd need to enhance the archiver service itself to be able to return a server signed url for downloading the archive.

rhafer avatar Jul 09 '25 10:07 rhafer

> @kulmann @AlexAndBear file downloads and the archiver are the only place I could find where the signing-key endpoint is still used. Do you know of any other?
>
> For the archiver I guess we'd need to enhance the archiver service itself to be able to return a server signed url for downloading the archive.

The new avatar URLs are also client side signed urls 🙈 @AlexAndBear could we use blobs with data urls here and download the avatars with authenticated requests?

kulmann avatar Jul 09 '25 11:07 kulmann

The avatar urls are returned via graph endpoint (and stored as blobs) I don't think they don't have anything to do with this.

AlexAndBear avatar Jul 09 '25 12:07 AlexAndBear

I think the avatar stuff in web that still references the signing-key endpoint is something historic. The requests go to /dav/avatars/. We don't have anything like that in the OpenCloud server.

rhafer avatar Jul 09 '25 14:07 rhafer

We also need to think about version downloads. Currently, the web client manually constructs the version URL (https://github.com/opencloud-eu/web/blob/v4.2.0/packages/web-client/src/webdav/getFileUrl.ts#L42) and then signs it. It would be nice if the server would also respond with a download URL when requesting versions via a PROPFIND on /dev/meta/... (given the downloadURL prop is being requested, of course).

JammingBen avatar Nov 06 '25 12:11 JammingBen