fix(dav): multiple fixes in usage of webdav library

1. Refresh token on update 2. Fix some very weird imports 3. Patch fetch instead of request to prevent accessing impl details Signed-off-by: Varun Patil <varunpatil@ucla.edu>
6 months ago · b03fd6e363
parent dfd42307f0
commit b03fd6e363
34 changed files with 157 additions and 103 deletions
--- a/apps/comments/src/services/DavClient.js
+++ b/apps/comments/src/services/DavClient.js
@ -22,16 +22,23 @@

 import { createClient } from 'webdav'
 import { getRootPath } from '../utils/davUtils.js'
-import { getRequestToken } from '@nextcloud/auth'
+import { getRequestToken, onRequestTokenUpdate } from '@nextcloud/auth'

 // init webdav client
-const client = createClient(getRootPath(), {
-	headers: {
-		// Add this so the server knows it is an request from the browser
-		'X-Requested-With': 'XMLHttpRequest',
-		// Inject user auth
-		requesttoken: getRequestToken() ?? '',
-	},
-})
+const client = createClient(getRootPath())
+
+// set CSRF token header
+const setHeaders = (token) => {
+  client.setHeaders({
+    // Add this so the server knows it is an request from the browser
+    'X-Requested-With': 'XMLHttpRequest',
+    // Inject user auth
+    requesttoken: token ?? '',
+  })
+}
+
+// refresh headers when request token changes
+onRequestTokenUpdate(setHeaders)
+setHeaders(getRequestToken())

 export default client
--- a/apps/comments/src/services/GetComments.ts
+++ b/apps/comments/src/services/GetComments.ts
@ -23,8 +23,8 @@
 import { parseXML, type DAVResult, type FileStat, type ResponseDataDetailed } from 'webdav'

 // https://github.com/perry-mitchell/webdav-client/issues/339
-import { processResponsePayload } from '../../../../node_modules/webdav/dist/node/response.js'
-import { prepareFileFromProps } from '../../../../node_modules/webdav/dist/node/tools/dav.js'
+import { processResponsePayload } from 'webdav/dist/node/response.js'
+import { prepareFileFromProps } from 'webdav/dist/node/tools/dav.js'
 import client from './DavClient.js'

 export const DEFAULT_LIMIT = 20
@ -77,10 +77,8 @@ const getDirectoryFiles = function(
 	// Map all items to a consistent output structure (results)
 	return responseItems.map(item => {
 		// Each item should contain a stat object
-		const {
-			propstat: { prop: props },
-		} = item
+		const props = item.propstat!.prop!;

-		return prepareFileFromProps(props, props.id.toString(), isDetailed)
+		return prepareFileFromProps(props, props.id!.toString(), isDetailed)
 	})
 }
--- a/apps/dav/src/dav/client.js
+++ b/apps/dav/src/dav/client.js
@ -19,21 +19,29 @@
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */

-import * as webdav from 'webdav'
-import axios from '@nextcloud/axios'
+import { createClient } from 'webdav'
 import memoize from 'lodash/fp/memoize.js'
 import { generateRemoteUrl } from '@nextcloud/router'
-import { getCurrentUser } from '@nextcloud/auth'
+import { getCurrentUser, getRequestToken, onRequestTokenUpdate } from '@nextcloud/auth'

 export const getClient = memoize((service) => {
-	// Add this so the server knows it is an request from the browser
-	axios.defaults.headers['X-Requested-With'] = 'XMLHttpRequest'
+	// init webdav client
+	const remote = generateRemoteUrl(`dav/${service}/${getCurrentUser().uid}`)
+	const client = createClient(remote)

-	// force our axios
-	const patcher = webdav.getPatcher()
-	patcher.patch('request', axios)
+	// set CSRF token header
+	const setHeaders = (token) => {
+		client.setHeaders({
+			// Add this so the server knows it is an request from the browser
+			'X-Requested-With': 'XMLHttpRequest',
+			// Inject user auth
+			requesttoken: token ?? '',
+		})
+	}

-	return webdav.createClient(
-		generateRemoteUrl(`dav/${service}/${getCurrentUser().uid}`)
-	)
+	// refresh headers when request token changes
+	onRequestTokenUpdate(setHeaders)
+	setHeaders(getRequestToken())
+
+	return client;
 })
--- a/apps/files/src/services/WebdavClient.ts
+++ b/apps/files/src/services/WebdavClient.ts
@ -19,22 +19,30 @@
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 *
 */
-import type { RequestOptions, Response } from 'webdav'

 import { createClient, getPatcher } from 'webdav'
 import { generateRemoteUrl } from '@nextcloud/router'
-import { getCurrentUser, getRequestToken } from '@nextcloud/auth'
-import { request } from 'webdav/dist/node/request.js'
+import { getCurrentUser, getRequestToken, onRequestTokenUpdate } from '@nextcloud/auth'

 export const rootPath = `/files/${getCurrentUser()?.uid}`
 export const defaultRootUrl = generateRemoteUrl('dav' + rootPath)

 export const getClient = (rootUrl = defaultRootUrl) => {
-	const client = createClient(rootUrl, {
-		headers: {
-			requesttoken: getRequestToken() || '',
-		},
-	})
+	const client = createClient(rootUrl)
+
+	// set CSRF token header
+	const setHeaders = (token: string | null) => {
+		client?.setHeaders({
+			// Add this so the server knows it is an request from the browser
+			'X-Requested-With': 'XMLHttpRequest',
+			// Inject user auth
+			requesttoken: token ?? '',
+		});
+	}
+
+	// refresh headers when request token changes
+	onRequestTokenUpdate(setHeaders)
+	setHeaders(getRequestToken())

 	/**
 	 * Allow to override the METHOD to support dav REPORT
@ -45,12 +53,14 @@ export const getClient = (rootUrl = defaultRootUrl) => {
 	// eslint-disable-next-line @typescript-eslint/ban-ts-comment
 	// @ts-ignore
 	// https://github.com/perry-mitchell/hot-patcher/issues/6
-	patcher.patch('request', (options: RequestOptions): Promise<Response> => {
-		if (options.headers?.method) {
-			options.method = options.headers.method
-			delete options.headers.method
+	patcher.patch('fetch', (url: string, options: RequestInit): Promise<Response> => {
+		const headers = options.headers as Record<string, string>
+		if (headers?.method) {
+			options.method = headers.method
+			delete headers.method
 		}
-		return request(options)
+		return fetch(url, options)
 	})
-	return client
+
+	return client;
 }
--- a/apps/files_trashbin/src/services/client.ts
+++ b/apps/files_trashbin/src/services/client.ts
@ -19,15 +19,28 @@
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 *
 */
+
 import { createClient } from 'webdav'
 import { generateRemoteUrl } from '@nextcloud/router'
-import { getCurrentUser, getRequestToken } from '@nextcloud/auth'
+import { getCurrentUser, getRequestToken, onRequestTokenUpdate } from '@nextcloud/auth'

+// init webdav client
 export const rootPath = `/trashbin/${getCurrentUser()?.uid}/trash`
 export const rootUrl = generateRemoteUrl('dav' + rootPath)
-const client = createClient(rootUrl, {
-	headers: {
-		requesttoken: getRequestToken(),
-	},
-})
+const client = createClient(rootUrl)
+
+// set CSRF token header
+const setHeaders = (token: string | null) => {
+  client.setHeaders({
+    // Add this so the server knows it is an request from the browser
+    'X-Requested-With': 'XMLHttpRequest',
+    // Inject user auth
+    requesttoken: token ?? '',
+  })
+}
+
+// refresh headers when request token changes
+onRequestTokenUpdate(setHeaders)
+setHeaders(getRequestToken())
+
 export default client
--- a/apps/files_versions/src/utils/davClient.js
+++ b/apps/files_versions/src/utils/davClient.js
@ -21,17 +21,25 @@

 import { createClient } from 'webdav'
 import { generateRemoteUrl } from '@nextcloud/router'
-import { getRequestToken } from '@nextcloud/auth'
+import { getRequestToken, onRequestTokenUpdate } from '@nextcloud/auth'

+// init webdav client
 const rootPath = 'dav'
-
-// init webdav client on default dav endpoint
 const remote = generateRemoteUrl(rootPath)
-export default createClient(remote, {
-	headers: {
-		// Add this so the server knows it is an request from the browser
-		'X-Requested-With': 'XMLHttpRequest',
-		// Inject user auth
-		requesttoken: getRequestToken() ?? '',
-	},
-})
+const client = createClient(remote)
+
+// set CSRF token header
+const setHeaders = (token) => {
+  client.setHeaders({
+    // Add this so the server knows it is an request from the browser
+    'X-Requested-With': 'XMLHttpRequest',
+    // Inject user auth
+    requesttoken: token ?? '',
+  })
+}
+
+// refresh headers when request token changes
+onRequestTokenUpdate(setHeaders)
+setHeaders(getRequestToken())
+
+export default client
--- a/apps/systemtags/src/services/davClient.ts
+++ b/apps/systemtags/src/services/davClient.ts
@ -22,12 +22,22 @@

 import { createClient } from 'webdav'
 import { generateRemoteUrl } from '@nextcloud/router'
-import { getRequestToken } from '@nextcloud/auth'
+import { getRequestToken, onRequestTokenUpdate } from '@nextcloud/auth'

+// init webdav client
 const rootUrl = generateRemoteUrl('dav')
+export const davClient = createClient(rootUrl)

-export const davClient = createClient(rootUrl, {
-	headers: {
-		requesttoken: getRequestToken() ?? '',
-	},
-})
+// set CSRF token header
+const setHeaders = (token: string | null) => {
+  davClient.setHeaders({
+    // Add this so the server knows it is an request from the browser
+    'X-Requested-With': 'XMLHttpRequest',
+    // Inject user auth
+    requesttoken: token ?? '',
+  })
+}
+
+// refresh headers when request token changes
+onRequestTokenUpdate(setHeaders)
+setHeaders(getRequestToken())
--- a/dist/comments-comments-app.js
+++ b/dist/comments-comments-app.js
--- a/dist/comments-comments-app.js.map
+++ b/dist/comments-comments-app.js.map
--- a/dist/comments-comments-tab.js
+++ b/dist/comments-comments-tab.js
--- a/dist/comments-comments-tab.js.map
+++ b/dist/comments-comments-tab.js.map
--- a/dist/core-common.js
+++ b/dist/core-common.js
--- a/dist/core-common.js.LICENSE.txt
+++ b/dist/core-common.js.LICENSE.txt
@ -70,12 +70,8 @@

 /*! @license DOMPurify 3.0.9 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.0.9/LICENSE */

-/*! https://mths.be/punycode v1.4.1 by @mathias */
-
 /*! ieee754. BSD-3-Clause License. Feross Aboukhadijeh <https://feross.org/opensource> */

-/*! safe-buffer. MIT License. Feross Aboukhadijeh <https://feross.org/opensource> */
-
 /**
 * @copyright 2021 Christoph Wurst <christoph@winzerhof-wurst.at>
 *
--- a/dist/core-common.js.map
+++ b/dist/core-common.js.map
--- a/dist/dav-settings-personal-availability.js
+++ b/dist/dav-settings-personal-availability.js
--- a/dist/dav-settings-personal-availability.js.map
+++ b/dist/dav-settings-personal-availability.js.map
--- a/dist/files-init.js
+++ b/dist/files-init.js
--- a/dist/files-init.js.map
+++ b/dist/files-init.js.map
--- a/dist/files-main.js
+++ b/dist/files-main.js
--- a/dist/files-main.js.LICENSE.txt
+++ b/dist/files-main.js.LICENSE.txt
@ -12,6 +12,8 @@

 /*! http://mths.be/fromcodepoint v0.1.0 by @mathias */

+/*! safe-buffer. MIT License. Feross Aboukhadijeh <https://feross.org/opensource> */
+
 /**
 * @copyright 2019 Christoph Wurst <christoph@winzerhof-wurst.at>
 *
--- a/dist/files-main.js.map
+++ b/dist/files-main.js.map
--- a/dist/files-sidebar.js
+++ b/dist/files-sidebar.js
--- a/dist/files-sidebar.js.map
+++ b/dist/files-sidebar.js.map
--- a/dist/files_trashbin-main.js
+++ b/dist/files_trashbin-main.js
--- a/dist/files_trashbin-main.js.map
+++ b/dist/files_trashbin-main.js.map
--- a/dist/files_versions-files_versions.js
+++ b/dist/files_versions-files_versions.js
--- a/dist/files_versions-files_versions.js.map
+++ b/dist/files_versions-files_versions.js.map
--- a/dist/systemtags-admin.js
+++ b/dist/systemtags-admin.js
--- a/dist/systemtags-admin.js.map
+++ b/dist/systemtags-admin.js.map
--- a/dist/systemtags-init.js
+++ b/dist/systemtags-init.js
--- a/dist/systemtags-init.js.map
+++ b/dist/systemtags-init.js.map
--- a/dist/theming-personal-theming.js
+++ b/dist/theming-personal-theming.js
--- a/dist/theming-personal-theming.js.LICENSE.txt
+++ b/dist/theming-personal-theming.js.LICENSE.txt
@ -1,3 +1,5 @@
+/*! https://mths.be/punycode v1.4.1 by @mathias */
+
 /**
 * @copyright Copyright (c) 2018 John Molakvoæ <skjnldsv@protonmail.com>
 *
--- a/dist/theming-personal-theming.js.map
+++ b/dist/theming-personal-theming.js.map