fix: csrf check failed on public share with password

Signed-off-by: Luka Trovic <luka@nextcloud.com>
2026-05-28 04:32:30 -04:00 · 2024-03-20 21:08:54 +01:00 · 2024-03-20 21:08:54 +01:00 · c08ab81334
commit c08ab81334
parent a40838b61c
4 changed files with 38 additions and 5 deletions
--- a/core/js/publicshareauth.js
+++ b/core/js/publicshareauth.js
@ -52,3 +52,18 @@ document.addEventListener('DOMContentLoaded', function() {
 	}

 });
+
+// Fix error "CSRF check failed"
+document.addEventListener('DOMContentLoaded', function() {
+	var form = document.getElementById('password-input-form');
+	if (form) {
+		form.addEventListener('submit', async function(event) {
+			event.preventDefault();
+			var requestToken = document.getElementById('requesttoken');
+			if (requestToken) {
+				requestToken.value = await OC.fetchRequestToken();
+			}
+			form.submit();
+		});
+	}
+});
--- a/core/src/OC/index.js
+++ b/core/src/OC/index.js
@ -70,6 +70,7 @@ import {
 } from './host.js'
 import {
 	getToken as getRequestToken,
+	fetchToken as fetchRequestToken,
 } from './requesttoken.js'
 import {
 	hideMenus,
@ -274,6 +275,7 @@ export default {
 	redirect,
 	reload,
 	requestToken: getRequestToken(),
+	fetchRequestToken,
 	/**
 	 * @deprecated 19.0.0 use `linkTo` from https://www.npmjs.com/package/@nextcloud/router
 	 */
--- a/core/src/OC/requesttoken.js
+++ b/core/src/OC/requesttoken.js
@ -22,6 +22,8 @@
 */

 import { emit } from '@nextcloud/event-bus'
+import { generateUrl } from '@nextcloud/router'
+import $ from 'jquery'

 /**
 * @private
@ -41,6 +43,15 @@ export const manageToken = (global, emit) => {
 				token,
 			})
 		},
+		fetchToken: async () => {
+			const url = generateUrl('/csrftoken')
+			const resp = await $.get(url)
+			token = resp.token
+			emit('csrf-token-update', {
+				token,
+			})
+			return token
+		},
 	}
 }

@ -55,3 +66,8 @@ export const getToken = manageFromDocument.getToken
 * @param {string} newToken new token
 */
 export const setToken = manageFromDocument.setToken
+
+/**
+ * @return {Promise<string>}
+ */
+export const fetchToken = manageFromDocument.fetchToken
--- a/core/templates/publicshareauth.php
+++ b/core/templates/publicshareauth.php
@ -22,7 +22,7 @@
 			<?php endif; ?>
 			<p>
 				<label for="password" class="infield"><?php p($l->t('Password')); ?></label>
-				<input type="hidden" name="requesttoken" value="<?php p($_['requesttoken']) ?>" />
+				<input type="hidden" id="requesttoken" name="requesttoken" value="<?php p($_['requesttoken']) ?>" />
 				<input type="password" name="password" id="password"
 					placeholder="<?php p($l->t('Password')); ?>" value=""
 					autocomplete="new-password" autocapitalize="off" spellcheck="false"
@ -34,7 +34,7 @@
 			</p>
 		</fieldset>
 	</form>
-	
+
 	<!-- email prompt form. It should initially be hidden -->
 	<?php if (isset($_['identityOk'])): ?>
 		<form method="post" id="email-input-form">
@ -46,7 +46,7 @@
 			 <p>
 				<input type="email" id="email" name="identityToken" placeholder="<?php p($l->t('Email address')); ?>" />
 				<input type="submit" id="password-request" name="passwordRequest" class="svg icon-confirm input-button-inline" value="" disabled="disabled"/>
-				<input type="hidden" name="requesttoken" value="<?php p($_['requesttoken']) ?>" />
+				<input type="hidden" id="requesttoken" name="requesttoken" value="<?php p($_['requesttoken']) ?>" />
 				<input type="hidden" name="sharingToken" value="<?php p($_['share']->getToken()) ?>" id="sharingToken">
 				<input type="hidden" name="sharingType" value="<?php p($_['share']->getShareType()) ?>" id="sharingType">
 			</p>
@ -59,12 +59,12 @@
 			<?php endif; ?>
 		</fieldset>
 	</form>
-	
+
 	<!-- request password button -->
 	<?php if (!isset($_['identityOk']) && $_['share']->getShareType() === $_['share']::TYPE_EMAIL && !$_['share']->getSendPasswordByTalk()): ?>
 		<a id="request-password-button-not-talk"><?php p($l->t('Forgot password?')); ?></a>
 	<?php endif; ?>
-	
+
 	<!-- back to showShare button -->
 	<form method="get">
 		<fieldset>