fix content access for credentials protected notes; add new attributes for hide parts of share template

Author: x1arch

apps/server/src/share/content_renderer.ts

@@ -38,6 +38,13 @@ interface Subroot {
     branch?: SBranch | BBranch
 }
 
+function addContentAccessQuery(note: any, secondEl?:boolean) {
+    if ((note as SNote).contentAccessor && (note as SNote).contentAccessor?.type === "query") {
+        return secondEl ? `&cat=${note.contentAccessor.getToken()}` : `?cat=${note.contentAccessor.getToken()}`;
+    }
+    return ""
+}
+
 export function getSharedSubTreeRoot(note: SNote | BNote | undefined, parentId: string | undefined = undefined): Subroot {
     if (!note || note.noteId === shareRoot.SHARE_ROOT_NOTE_ID) {
         // share root itself is not shared
@@ -109,19 +116,19 @@ export function renderNoteContent(note: SNote) {
         cssToLoad.push(`../assets/scripts.css`);
     }
     for (const cssRelation of note.getRelations("shareCss")) {
-        cssToLoad.push(`../api/notes/${cssRelation.value}/download`);
+        cssToLoad.push(`../api/notes/${cssRelation.value}/download${addContentAccessQuery(note)}`);
     }
 
     // Determine JS to load.
     const jsToLoad: string[] = [
         "../assets/scripts.js"
     ];
     for (const jsRelation of note.getRelations("shareJs")) {
-        jsToLoad.push(`../api/notes/${jsRelation.value}/download`);
+        jsToLoad.push(`../api/notes/${jsRelation.value}/download${addContentAccessQuery(note)}`);
     }
 
     const customLogoId = note.getRelation("shareLogo")?.value;
-    const logoUrl = customLogoId ? `../api/images/${customLogoId}/image.png` : `../../${assetUrlFragment}/images/icon-color.svg`;
+    const logoUrl = customLogoId ? `../api/images/${customLogoId}/image.png${addContentAccessQuery(note)}` : `../../${assetUrlFragment}/images/icon-color.svg`;
 
     return renderNoteContentInternal(note, {
         subRoot,
@@ -131,7 +138,7 @@ export function renderNoteContent(note: SNote) {
         logoUrl,
         ancestors,
         isStatic: false,
-        faviconUrl: note.hasRelation("shareFavicon") ? `../api/notes/${note.getRelationValue("shareFavicon")}/download` : `../../favicon.ico`
+        faviconUrl: note.hasRelation("shareFavicon") ? `../api/notes/${note.getRelationValue("shareFavicon")}/download${addContentAccessQuery(note)}` : `../../favicon.ico`
     });
 }
 
@@ -156,6 +163,7 @@ function renderNoteContentInternal(note: SNote | BNote, renderArgs: RenderArgs)
         isEmpty,
         assetPath: shareAdjustedAssetPath,
         assetUrlFragment,
+        addContentAccessQuery: (second: boolean | undefined) => addContentAccessQuery(note, second),
         showLoginInShareTheme,
         t,
         isDev,
@@ -319,7 +327,7 @@ function renderText(result: Result, note: SNote | BNote) {
             }
 
             if (href?.startsWith("#")) {
-                handleAttachmentLink(linkEl, href, getNote, getAttachment);
+                handleAttachmentLink(linkEl, href, getNote, getAttachment, note);
             }
         }
 
@@ -343,15 +351,15 @@ function renderText(result: Result, note: SNote | BNote) {
     }
 }
 
-function handleAttachmentLink(linkEl: HTMLElement, href: string, getNote: (id: string) => SNote | BNote | null, getAttachment: (id: string) => BAttachment | SAttachment | null) {
+function handleAttachmentLink(linkEl: HTMLElement, href: string, getNote: (id: string) => SNote | BNote | null, getAttachment: (id: string) => BAttachment | SAttachment | null, note: SNote | BNote) {
     const linkRegExp = /attachmentId=([a-zA-Z0-9_]+)/g;
     let attachmentMatch;
     if ((attachmentMatch = linkRegExp.exec(href))) {
         const attachmentId = attachmentMatch[1];
         const attachment = getAttachment(attachmentId);
 
         if (attachment) {
-            linkEl.setAttribute("href", `../api/attachments/${attachmentId}/download`);
+            linkEl.setAttribute("href", `../api/attachments/${attachmentId}/download${addContentAccessQuery(note)}`);
             linkEl.classList.add(`attachment-link`);
             linkEl.classList.add(`role-${attachment.role}`);
             linkEl.childNodes.length = 0;
@@ -402,7 +410,7 @@ function renderMermaid(result: Result, note: SNote | BNote) {
     }
 
     result.content = `
-<img src="../api/images/${note.noteId}/${note.encodedTitle}?${note.utcDateModified}">
+<img src="../api/images/${note.noteId}/${note.encodedTitle}?${note.utcDateModified}${addContentAccessQuery(note, true)}">
 <hr>
 <details>
     <summary>Chart source</summary>
@@ -411,14 +419,14 @@ function renderMermaid(result: Result, note: SNote | BNote) {
 }
 
 function renderImage(result: Result, note: SNote | BNote) {
-    result.content = `<img src="../api/images/${note.noteId}/${note.encodedTitle}?${note.utcDateModified}">`;
+    result.content = `<img src="../api/images/${note.noteId}/${note.encodedTitle}?${note.utcDateModified}${addContentAccessQuery(note, true)}">`;
 }
 
 function renderFile(note: SNote | BNote, result: Result) {
     if (note.mime === "application/pdf") {
-        result.content = `<iframe class="pdf-view" src="../api/notes/${note.noteId}/view"></iframe>`;
+        result.content = `<iframe class="pdf-view" src="../api/notes/${note.noteId}/view${addContentAccessQuery(note)}"></iframe>`;
     } else {
-        result.content = `<button type="button" onclick="location.href='../api/notes/${note.noteId}/download'">Download file</button>`;
+        result.content = `<button type="button" onclick="location.href='../api/notes/${note.noteId}/download${addContentAccessQuery(note)}'">Download file</button>`;
     }
 }
 

apps/server/src/share/routes.ts

@@ -60,6 +60,17 @@ function checkNoteAccess(noteId: string, req: Request, res: Response) {
     const header = req.header("Authorization");
 
     if (!header?.startsWith("Basic ")) {
+        if (req.path.startsWith("/share/api") && note.contentAccessor) {
+            const contentAccessToken = "" + (note.contentAccessor.type === "cookie" ? req.cookies["trilium.cat"]  || "" : note.contentAccessor.type === "query" ? req.query['cat'] || "" : "")
+            if (contentAccessToken){
+                if (note.contentAccessor.isTokenValid(contentAccessToken)){
+                    return note
+                }
+                res.status(401).send("Access is expired. Return back and update the page.");
+
+                return false;
+            }
+        }
         return false;
     }
 
@@ -143,6 +154,10 @@ function register(router: Router) {
             return;
         }
 
+        if (note.contentAccessor && note.contentAccessor.type === "cookie") {
+            res.cookie('trilium.cat', note.contentAccessor.getToken(), { maxAge: note.contentAccessor.getTokenExpiration() * 1000, httpOnly: true })
+        }
+
         res.send(renderNoteContent(note));
     }
 
@@ -170,6 +185,7 @@ function register(router: Router) {
         const note = shaca.aliasToNote[shareId] || shaca.notes[shareId];
         if (note){
             note.parentId = parentShareId
+            note.initContentAccessor()
         }
 
         renderNote(note, req, res);
@@ -184,7 +200,6 @@ function register(router: Router) {
         const parent = getSharedSubTreeRoot(note)
 
         res.redirect(`${parent?.note?.noteId}/${shareId}`)
-        // renderNote(note, req, res);
     });
 
     router.get("/share/api/notes/:noteId", (req, res) => {

apps/server/src/share/shaca/entities/content_accessor.ts

@@ -0,0 +1,81 @@
+import crypto from "crypto";
+import SNote from "./snote";
+import utils from "../../../services/utils";
+
+export const DefultAccessTimeoutSec = 10 * 60; // 10 minutes
+
+
+export class ContentAccessor {
+    note: SNote;
+    token: string;
+    timestamp: number;
+    type: string;
+    timeout: number;
+    key: NonSharedBuffer;
+    iv: NonSharedBuffer;
+
+    constructor(note: SNote) {
+        this.note = note;
+        this.key = crypto.randomBytes(32);
+        this.iv = crypto.randomBytes(16);
+        this.token = "";
+        this.timestamp = 0;
+        this.timeout = Number(this.note.getAttributeValue("label", "shareAccessTokenTimeout") || DefultAccessTimeoutSec)
+
+        switch (this.note.getAttributeValue("label", "shareContentAccess")) {
+            case "basic": this.type = "basic"; break
+            case "query": this.type = "query"; break
+            default: this.type = "cookie"; break
+        };
+
+    }
+
+    __encrypt(text: string) {
+        const cipher = crypto.createCipheriv('aes-256-cbc', this.key, this.iv);
+        let encrypted = cipher.update(text);
+        encrypted = Buffer.concat([encrypted, cipher.final()]);
+        return encrypted.toString('hex');
+    }
+
+    __decrypt(encryptedText: string) {
+        try {
+            const decipher = crypto.createDecipheriv('aes-256-cbc', this.key, this.iv);
+            let decrypted = decipher.update(Buffer.from(encryptedText, 'hex'));
+            decrypted = Buffer.concat([decrypted, decipher.final()]);
+            return decrypted.toString();
+        } catch {
+            return ""
+        }
+    }
+
+    __compare(originalText: string, encryptedText: string) {
+        return originalText === this.__decrypt(encryptedText)
+    }
+
+    update() {
+        if (new Date().getTime() < this.timestamp + this.getTimeout() * 1000) return
+        this.token = utils.randomString(36);
+        this.timestamp = new Date().getTime();
+    }
+
+    isTokenValid(encToken: string) {
+        return this.__compare(this.token, encToken) && new Date().getTime() < this.timestamp + this.getTimeout() * 1000;
+    }
+
+    getToken() {
+        return this.__encrypt(this.token);
+    }
+
+    getTokenExpiration() {
+        return (this.timestamp + (this.timeout * 1000) - new Date().getTime()) /1000;
+    }
+    
+    getTimeout() {
+        return this.timeout;
+    }
+
+    getContentAccessType() {
+       return this.type;
+    }
+
+}

apps/server/src/share/shaca/entities/snote.ts

@@ -10,6 +10,7 @@ import type SAttribute from "./sattribute.js";
 import type SBranch from "./sbranch.js";
 import type { SNoteRow } from "./rows.js";
 import { NOTE_TYPE_ICONS } from "../../../becca/entities/bnote.js";
+import { ContentAccessor } from "./content_accessor.js";
 
 const LABEL = "label";
 const RELATION = "relation";
@@ -34,6 +35,7 @@ class SNote extends AbstractShacaEntity {
     private __inheritableAttributeCache: SAttribute[] | null;
     targetRelations: SAttribute[];
     attachments: SAttachment[];
+    contentAccessor: ContentAccessor | undefined;
 
     constructor([noteId, title, type, mime, blobId, utcDateModified, isProtected]: SNoteRow) {
         super();
@@ -61,6 +63,15 @@ class SNote extends AbstractShacaEntity {
         this.shaca.notes[this.noteId] = this;
     }
 
+    initContentAccessor(){
+        if (!this.contentAccessor && this.getCredentials().length > 0) {
+            this.contentAccessor = new ContentAccessor(this);
+        }
+        if (this.contentAccessor) {
+            this.contentAccessor.update()
+        }
+    }
+
     getParentId() {
         return this.parentId;
     }

docs/User Guide/User Guide/Advanced Usage/Sharing.md

@@ -131,7 +131,7 @@ To do so, create a shared text note and apply the `shareIndex` label. When viewe
 
 ## Attribute reference
 
-<table class="ck-table-resized"><colgroup><col style="width:18.38%;"><col style="width:81.62%;"></colgroup><thead><tr><th>Attribute</th><th>Description</th></tr></thead><tbody><tr><td><code>#shareHiddenFromTree</code></td><td>this note is hidden from left navigation tree, but still accessible with its URL</td></tr><tr><td><code>#shareExclude</code></td><td>this note will be excluded from share, not accessible via direct URL (implemented to hide scripts from share)</td></tr><tr><td><code>#shareExternalLink</code></td><td>note will act as a link to an external website in the share tree</td></tr><tr><td><code>#shareAlias</code></td><td>define an alias using which the note will be available under <code>https://your_trilium_host/share/[your_alias]</code></td></tr><tr><td><code>#shareOmitDefaultCss</code></td><td>default share page CSS will be omitted. Use when you make extensive styling changes.</td></tr><tr><td><code>#shareRoot</code></td><td>marks note which is served on /share root.</td></tr><tr><td><code>#shareDescription</code></td><td>define text to be added to the HTML meta tag for description</td></tr><tr><td><code>#shareRaw</code></td><td>Note will be served in its raw format, without HTML wrapper. See also&nbsp;<a class="reference-link" href="Sharing/Serving%20directly%20the%20content%20o.md">Serving directly the content of a note</a>&nbsp;for an alternative method without setting an attribute.</td></tr><tr><td><code>#shareDisallowRobotIndexing</code></td><td><p>Indicates to web crawlers that the page should not be indexed of this note by:</p><ul><li data-list-item-id="e6baa9f60bf59d085fd31aa2cce07a0e7">Setting the <code>X-Robots-Tag: noindex</code> HTTP header.</li><li data-list-item-id="ec0d067db136ef9794e4f1033405880b7">Setting the <code>noindex, follow</code> meta tag.</li></ul></td></tr><tr><td><code>#shareCredentials</code></td><td>require credentials to access this shared note. Value is expected to be in format <code>username:password</code>. Don't forget to make this inheritable to apply to child-notes/images.</td></tr><tr><td><code>#shareIndex</code></td><td>Note with this label will list all roots of shared notes.</td></tr><tr><td><code>#shareHtmlLocation</code></td><td>defines where custom HTML injected via <code>~shareHtml</code> relation should be placed. Applied to the HTML snippet note itself. Format: <code>location:position</code> where location is <code>head</code>, <code>body</code>, or <code>content</code> and position is <code>start</code> or <code>end</code>. Defaults to <code>content:end</code>.</td></tr></tbody></table>
+<table class="ck-table-resized"><colgroup><col style="width:18.38%;"><col style="width:81.62%;"></colgroup><thead><tr><th>Attribute</th><th>Description</th></tr></thead><tbody><tr><td><code>#shareHiddenFromTree</code></td><td>this note is hidden from left navigation tree, but still accessible with its URL</td></tr><tr><td><code>#shareTemplateNoPrevNext</code></td><td>hide bottom page navigation prev and next page.</td></tr><tr><td><code>#shareTemplateNoLeftPanel</code></td><td>hide left panel fully.</td></tr><tr><td><code>#shareExclude</code></td><td>this note will be excluded from share, not accessible via direct URL (implemented to hide scripts from share)</td></tr><tr><td><code>#shareContentAccess</code></td><td>method for attachments authorization in case when note protected with login and password (#shareCredentials). Could be cookie (the cookie will provided when page loads) / query (every url will be updated with token) / basic (only basic header authorization)). By default for browser used cookie.</td></tr><tr><td><code>#shareAccessTokenTimeout</code></td><td>token expiration timeout in seconds, by default 10 minutes. While token not expired user couls download attachment, after that he will get message `Access is expired. Return back and update the page.`</td></tr><tr><td><code>#shareExternalLink</code></td><td>note will act as a link to an external website in the share tree</td></tr><tr><td><code>#shareAlias</code></td><td>define an alias using which the note will be available under <code>https://your_trilium_host/share/[your_alias]</code></td></tr><tr><td><code>#shareOmitDefaultCss</code></td><td>default share page CSS will be omitted. Use when you make extensive styling changes.</td></tr><tr><td><code>#shareRoot</code></td><td>marks note which is served on /share root.</td></tr><tr><td><code>#shareDescription</code></td><td>define text to be added to the HTML meta tag for description</td></tr><tr><td><code>#shareRaw</code></td><td>Note will be served in its raw format, without HTML wrapper. See also&nbsp;<a class="reference-link" href="Sharing/Serving%20directly%20the%20content%20o.md">Serving directly the content of a note</a>&nbsp;for an alternative method without setting an attribute.</td></tr><tr><td><code>#shareDisallowRobotIndexing</code></td><td><p>Indicates to web crawlers that the page should not be indexed of this note by:</p><ul><li data-list-item-id="e6baa9f60bf59d085fd31aa2cce07a0e7">Setting the <code>X-Robots-Tag: noindex</code> HTTP header.</li><li data-list-item-id="ec0d067db136ef9794e4f1033405880b7">Setting the <code>noindex, follow</code> meta tag.</li></ul></td></tr><tr><td><code>#shareCredentials</code></td><td>require credentials to access this shared note. Value is expected to be in format <code>username:password</code>. Don't forget to make this inheritable to apply to child-notes/images.</td></tr><tr><td><code>#shareIndex</code></td><td>Note with this label will list all roots of shared notes.</td></tr><tr><td><code>#shareHtmlLocation</code></td><td>defines where custom HTML injected via <code>~shareHtml</code> relation should be placed. Applied to the HTML snippet note itself. Format: <code>location:position</code> where location is <code>head</code>, <code>body</code>, or <code>content</code> and position is <code>start</code> or <code>end</code>. Defaults to <code>content:end</code>.</td></tr></tbody></table>
 
 ### Customizing logo