fix: csrf check failed on public share with password

Signed-off-by: Luka Trovic <luka@nextcloud.com>

core/js/publicshareauth.js

@@ -52,3 +52,18 @@ document.addEventListener('DOMContentLoaded', function() {
  }
 
 });
+
+// Fix error "CSRF check failed"
+document.addEventListener('DOMContentLoaded', function() {
+ var form = document.getElementById('password-input-form');
+ if (form) {
+ form.addEventListener('submit', async function(event) {
+ event.preventDefault();
+ var requestToken = document.getElementById('requesttoken');
+ if (requestToken) {
+ requestToken.value = await OC.fetchRequestToken();
+ }
+ form.submit();
+ });
+ }
+});

core/src/OC/index.js

@@ -70,6 +70,7 @@ import {
 } from './host.js'
 import {
  getToken as getRequestToken,
+ fetchToken as fetchRequestToken,
 } from './requesttoken.js'
 import {
  hideMenus,
@@ -274,6 +275,7 @@ export default {
  redirect,
  reload,
  requestToken: getRequestToken(),
+ fetchRequestToken,
  /**
  * @deprecated 19.0.0 use `linkTo` from https://www.npmjs.com/package/@nextcloud/router
  */

core/src/OC/requesttoken.js

@@ -22,6 +22,8 @@
  */
 
 import { emit } from '@nextcloud/event-bus'
+import { generateUrl } from '@nextcloud/router'
+import $ from 'jquery'
 
 /**
  * @private
@@ -41,6 +43,15 @@ export const manageToken = (global, emit) => {
  token,
  })
  },
+ fetchToken: async () => {
+ const url = generateUrl('/csrftoken')
+ const resp = await $.get(url)
+ token = resp.token
+ emit('csrf-token-update', {
+ token,
+ })
+ return token
+ },
  }
 }
 
@@ -55,3 +66,8 @@ export const getToken = manageFromDocument.getToken
  * @param {string} newToken new token
  */
 export const setToken = manageFromDocument.setToken
+
+/**
+ * @return {Promise<string>}
+ */
+export const fetchToken = manageFromDocument.fetchToken

core/templates/publicshareauth.php

@@ -22,7 +22,7 @@
  <?php endif; ?>
  <p>
  <label for="password" class="infield"><?php p($l->t('Password')); ?></label>
- <input type="hidden" name="requesttoken" value="<?php p($_['requesttoken']) ?>" />
+ <input type="hidden" id="requesttoken" name="requesttoken" value="<?php p($_['requesttoken']) ?>" />
  <input type="password" name="password" id="password"
  placeholder="<?php p($l->t('Password')); ?>" value=""
  autocomplete="new-password" autocapitalize="off" spellcheck="false"
@@ -34,7 +34,7 @@ class="svg icon-confirm input-button-inline" value="" disabled="disabled" />
  </p>
  </fieldset>
  </form>
- 
+
  <!-- email prompt form. It should initially be hidden -->
  <?php if (isset($_['identityOk'])): ?>
  <form method="post" id="email-input-form">
@@ -46,7 +46,7 @@ class="svg icon-confirm input-button-inline" value="" disabled="disabled" />
  <p>
  <input type="email" id="email" name="identityToken" placeholder="<?php p($l->t('Email address')); ?>" />
  <input type="submit" id="password-request" name="passwordRequest" class="svg icon-confirm input-button-inline" value="" disabled="disabled"/>
- <input type="hidden" name="requesttoken" value="<?php p($_['requesttoken']) ?>" />
+ <input type="hidden" id="requesttoken" name="requesttoken" value="<?php p($_['requesttoken']) ?>" />
  <input type="hidden" name="sharingToken" value="<?php p($_['share']->getToken()) ?>" id="sharingToken">
  <input type="hidden" name="sharingType" value="<?php p($_['share']->getShareType()) ?>" id="sharingType">
  </p>
@@ -59,12 +59,12 @@ class="svg icon-confirm input-button-inline" value="" disabled="disabled" />
  <?php endif; ?>
  </fieldset>
  </form>
- 
+
  <!-- request password button -->
  <?php if (!isset($_['identityOk']) && $_['share']->getShareType() === $_['share']::TYPE_EMAIL && !$_['share']->getSendPasswordByTalk()): ?>
  <a id="request-password-button-not-talk"><?php p($l->t('Forgot password?')); ?></a>
  <?php endif; ?>
- 
+
  <!-- back to showShare button -->
  <form method="get">
  <fieldset>