From c08ab81334e7508b87dc514efdf4b02fb18f6c55 Mon Sep 17 00:00:00 2001 From: Luka Trovic Date: Wed, 20 Mar 2024 21:08:54 +0100 Subject: [PATCH] fix: csrf check failed on public share with password Signed-off-by: Luka Trovic --- core/js/publicshareauth.js | 15 +++++++++++++++ core/src/OC/index.js | 2 ++ core/src/OC/requesttoken.js | 16 ++++++++++++++++ core/templates/publicshareauth.php | 10 +++++----- 4 files changed, 38 insertions(+), 5 deletions(-) diff --git a/core/js/publicshareauth.js b/core/js/publicshareauth.js index 3d694c7bfd6..c0df3de3d92 100644 --- a/core/js/publicshareauth.js +++ b/core/js/publicshareauth.js @@ -52,3 +52,18 @@ document.addEventListener('DOMContentLoaded', function() { } }); + +// Fix error "CSRF check failed" +document.addEventListener('DOMContentLoaded', function() { + var form = document.getElementById('password-input-form'); + if (form) { + form.addEventListener('submit', async function(event) { + event.preventDefault(); + var requestToken = document.getElementById('requesttoken'); + if (requestToken) { + requestToken.value = await OC.fetchRequestToken(); + } + form.submit(); + }); + } +}); diff --git a/core/src/OC/index.js b/core/src/OC/index.js index 33dd45a17ee..34af0b25522 100644 --- a/core/src/OC/index.js +++ b/core/src/OC/index.js @@ -70,6 +70,7 @@ import { } from './host.js' import { getToken as getRequestToken, + fetchToken as fetchRequestToken, } from './requesttoken.js' import { hideMenus, @@ -274,6 +275,7 @@ export default { redirect, reload, requestToken: getRequestToken(), + fetchRequestToken, /** * @deprecated 19.0.0 use `linkTo` from https://www.npmjs.com/package/@nextcloud/router */ diff --git a/core/src/OC/requesttoken.js b/core/src/OC/requesttoken.js index eba15e88e08..229f8ff0370 100644 --- a/core/src/OC/requesttoken.js +++ b/core/src/OC/requesttoken.js @@ -22,6 +22,8 @@ */ import { emit } from '@nextcloud/event-bus' +import { generateUrl } from '@nextcloud/router' +import $ from 'jquery' /** * @private 
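Review bot: In the new submit handler in core/js/publicshareauth.js, a rejected `OC.fetchRequestToken()` leaves the password form unsubmittable: `event.preventDefault()` has already run, the `await` throws inside the async listener, and `form.submit()` is never reached, so the user sees nothing happen. Wrapping the refresh as `try { requestToken.value = await OC.fetchRequestToken() } catch (e) { console.error('Could not refresh the request token', e) }` lets the submit go ahead with the token already rendered into the page, and the server-side CSRF check still decides the outcome. The handler also has no guard against a second submit while the fetch is pending; disabling the submit control until `form.submit()` runs would avoid duplicate posts. The comment `// Fix error "CSRF check failed"` names only the symptom; a line saying why the token is re-fetched immediately before submission would help the next reader.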
@@ -41,6 +43,15 @@ export const manageToken = (global, emit) => { token, }) }, + fetchToken: async () => { + const url = generateUrl('/csrftoken') + const resp = await $.get(url) + token = resp.token + emit('csrf-token-update', { + token, + }) + return token + }, } } @@ -55,3 +66,8 @@ export const getToken = manageFromDocument.getToken * @param {string} newToken new token */ export const setToken = manageFromDocument.setToken + +/** + * @return {Promise} + */ +export const fetchToken = manageFromDocument.fetchToken diff --git a/core/templates/publicshareauth.php b/core/templates/publicshareauth.php index a48bbbbb7b2..3b7393e0c07 100644 --- a/core/templates/publicshareauth.php +++ b/core/templates/publicshareauth.php @@ -22,7 +22,7 @@
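Review bot: `fetchToken` in core/src/OC/requesttoken.js assigns `resp.token` to the shared `token` without checking it, so a response that is not the expected JSON object (an error or login page served with status 200, for instance) overwrites the current token with `undefined` and broadcasts that value through `csrf-token-update`. A guard before the assignment, such as `if (typeof resp?.token !== 'string' || resp.token === '') { throw new Error('CSRF token missing from response') }`, keeps the previous token in place and lets the caller handle the failure. The assignment plus `emit` also appears to repeat what the setter just above it in the same object does; if so, calling that setter would keep a single code path for token updates. The enclosing `manageToken` body starts outside the hunk, so that last point is inferred from the context lines.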

- + - +

@@ -46,7 +46,7 @@

- +

@@ -59,12 +59,12 @@
- + getShareType() === $_['share']::TYPE_EMAIL && !$_['share']->getSendPasswordByTalk()): ?> t('Forgot password?')); ?> - +