GET /object: allow no-auth access

norrisng-bc · norrisng-bc · commit 63a8aafee129 · 2025-07-18T13:38:03.000-07:00
When no-auth, forbid search params beyond the bare minimum (limit/order/page/sort is still allowed though) and redact potentially sensitive response fields (createdBy, updatedBy, lastSyncedDate)
diff --git a/app/src/controllers/object.js b/app/src/controllers/object.js
@@ -3,6 +3,7 @@ const cors = require('cors');
 const { v4: uuidv4, NIL: SYSTEM_USER } = require('uuid');
 
 const {
+  AuthType,
   DEFAULTCORS,
   DownloadMode,
   MAXCOPYOBJECTLENGTH,
@@ -26,7 +27,8 @@ const {
   mixedQueryToArray,
   toLowerKeys,
   getBucket,
-  renameObjectProperty
+  renameObjectProperty,
+  hasOnlyPermittedKeys
 } = require('../components/utils');
 const utils = require('../db/models/utils');
 
@@ -1057,10 +1059,30 @@ const controller = {
       };
       // if scoping to current user permissions on objects
       if (getConfigBoolean('server.privacyMask')) {
+
+        if (req.currentUser.authType === AuthType.NONE) {
+          const permittedPublicSearchParams = ['bucketId', 'objectId', 'public', 'page', 'limit', 'sort'];
+
+          if (!hasOnlyPermittedKeys(req.query, permittedPublicSearchParams) || !params.public) {
+            throw new Problem(403, {
+              detail: 'User lacks permission to complete this action',
+              instance: req.originalUrl
+            });
+          }
+        }
         params.userId = await userService.getCurrentUserId(getCurrentIdentity(req.currentUser, SYSTEM_USER));
       }
+
       const response = await objectService.searchObjects(params);
-      res.setHeader('X-Total-Rows', response.total).status(200).json(response.data);
+      const redactedFields = ['createdBy', 'updatedBy', 'lastSyncedDate'];
+
+      if (req.currentUser.authType === AuthType.NONE) {
+        const redactedResponseData = response.data.map(object => utils.redactSecrets(object, redactedFields));
+        res.setHeader('X-Total-Rows', response.total).status(200).json(redactedResponseData);
+      }
+      else {
+        res.setHeader('X-Total-Rows', response.total).status(200).json(response.data);
+      }
     } catch (error) {
       next(error);
     }
diff --git a/app/src/routes/v1/object.js b/app/src/routes/v1/object.js
@@ -28,7 +28,6 @@ router.put('/',
 
 /** Search for objects */
 router.get('/',
-  requireSomeAuth,
   objectValidator.searchObjects,
   checkS3BasicAccess,
   (req, res, next) => {
