App-Dev: how to implement token in app

[Rello]

Hello NC masters,

I am working on a new app. this is providing a public page. A token will be used to "hide" the content to be shown. I investigated existing apps...

I found $this->shareManager->newShare(); (used in file_sharing ShareAPIController).
This is using IManager to create a token and store it in oc_share table.
This standard API seems pretty usable!

BUT: IManager only knows 2 types "file" and "folder", so I am not sure if this is the correct way to misuse this for an own app, where the share is not linked to files.

The alternative would be to implement an own token-api-logic in my app and store it in an app-specific _share table, but I like the standard API approach

Any advice?
thank you and keep up NC!

[Rello]

@nickvergessen are you a good partner for this request?

[Rello]

• My current PoC is working via a @Public section in the PageController. there I would need to implement a token logic I guess
• @juliushaertl implemented the sharing via his own board_acl
• calendar has some storage which I could not find
• NC docu mentions to go via PublicShareController https://docs.nextcloud.com/server/17/developer_manual/app/publicpage.html

as sharing is the core part, a more flexible oc_share approach would sound good to me to reuse all logic including automatic expiration & co

[Rello]

nextcloud/deck#14

[Rello]

@rullzer
I think you are the master of AuthPublicShareController.php
thank you

[rullzer]

Implement your own logic. We used to have it all in one place but this became full of hacks.

[nickvergessen]

Yeah, talk also has the logic in it's own place. Just much simpler and easier to adjust in case it's needed

[Rello]

Hello,
Do you mean to ge-do the AuthPublic with all the automated session/logonscreen/expiration again in every app? Quite some effort and security risk I think.

I think more flexibility in the oc_share table for not only the 2 types would be a good start

[nickvergessen]

I think more flexibility in the oc_share table for not only the 2 types would be a good start

We really had exactly that in the past. But it is just not suitable, which is why when the calendar/contacts backend was redone, it was moved to it's own table.

A "logonscreen" is as easy as:
https://github.com/nextcloud/spreed/blob/master/lib/Controller/PageController.php#L229-L245

When oc_share contains shares from all the apps, we can not clean it up easily anymore. permissions might or might not work in the same way they do for file, *_id files being integers might be the next problem etc. The list is just too long and you would have to put a lot of effort in the sharing thing additionally causing lots of compatibility issues with the existing users of the API.

[rullzer]

@Rello note that you can use the AuthPublicShareController etc just fine. It is an abstraction and you can hook in your own logic.

This means you then just have to verify token (and password) if needed.

[Rello]

Hello @nickvergessen
thank you for the hint with spreed. I hacked my own version here which works

BUT: for some reason the session-part is the only that that is not working. the password seems not to be stored in the session. Do I need to initialise the session usage somewhere?

thank you

[nickvergessen]

You need to add the @UseSession annotation to the doc block. Otherwise the session is closed already and can only be read not written

[Rello]

sweet. thank you so much.

one more - could not find it in Talk:
the route has a definition for GET
['name' => 'page#indexPublic', 'url' => '/p/{token}', 'verb' => 'GET'],

But the authentication.php password form triggers a POST to the same page and the route can only have one entry.

Talk has the same setup, but I could not figure out how you got it working because it also only offers

'routes' => [
		[
			'name' => 'Page#index',
			'url' => '/',
			'verb' => 'GET',
		],
	],

[nickvergessen]

Talk is hardcoded in the server, to allow us to use short links without apps/spreed inside:

server/core/routes.php

Lines 96 to 97 in 9237350

	['name' => 'pagecontroller#showCall', 'url' => '/call/{token}', 'verb' => 'GET', 'app' => 'spreed'],
	['name' => 'pagecontroller#authenticatePassword', 'url' => '/call/{token}', 'verb' => 'POST', 'app' => 'spreed'],

So yeah, just define a POST route too and it should work

[nickvergessen]

do you use unique method names? That is important I think.
Otherwise maybe you can point to your code so I can look into it a bit better?

[Rello]

It took me 1 night to understand your answer;-)
I will test tonight. Your reference helped

[Rello]

Thank you @nickvergessen for helping out. Everything is working now

[JenHa]

Hi,
I got a similar problem. How did you define your route?
In the AuthPublicShareController the route is build within the method getRoute() and returns somethink like mynamespace.AuthSecretShareController.method, but the route couldn't be found. And I don't know how to define it, so it could be found.
Thanks in advance.

[Rello]

hello,

check here if it helps:

https://github.com/Rello/analytics/blob/master/appinfo/routes.php#L16-L17
https://github.com/Rello/analytics/blob/master/lib/Controller/PageController.php#L101