Encrypt file paths in API URLs using Fernet tokens
Raw filesystem paths were exposed in browser URLs, dev tools, and proxy logs. Now all file-serving endpoints accept an opaque encrypted token (t= param) derived from the session secret via HKDF, with a 4-hour TTL.

Backend:
- Add core/path_tokens.py with Fernet encrypt/decrypt (HKDF from .session_secret)
- Add file_token to all list/gallery/feed/search responses across 7 routers
- Accept optional t= param on all file-serving endpoints (backward compatible)

Frontend:
- Update 4 URL helpers in api.ts to prefer token when available
- Add 4 new helpers for paid-content/embedded-metadata URLs
- Update all 14 page/component files to pass file_token to URL builders
- Add file_token to all relevant TypeScript interfaces

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
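The scheme the commit message describes (a Fernet key derived from the session secret with HKDF, tokens rejected after 4 hours), sketched as an added example; this is not the project's `core/path_tokens.py`. The explicit `fernet` and `now` arguments, the `decode_path` name, the HKDF `info` label and the sample secret and path are assumptions made so the example runs on its own.

```python
import base64
import time
from typing import Optional

from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

TOKEN_TTL_SECONDS = 4 * 60 * 60  # the 4-hour TTL named in the commit message


def derive_fernet(session_secret: bytes) -> Fernet:
    """Derive a dedicated Fernet key from the session secret via HKDF-SHA256."""
    key = HKDF(
        algorithm=hashes.SHA256(),
        length=32,               # Fernet expects 32 bytes of key material
        salt=None,
        info=b"path-token-v1",   # assumed label: keeps this key separate from other uses
    ).derive(session_secret)
    return Fernet(base64.urlsafe_b64encode(key))


def encode_path(fernet: Fernet, path: str, now: Optional[int] = None) -> str:
    """Return a URL-safe token that hides the path; the issue time is embedded."""
    issued = int(time.time()) if now is None else now
    return fernet.encrypt_at_time(path.encode("utf-8"), issued).decode("ascii")


def decode_path(fernet: Fernet, token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the path, or None if the token is expired, tampered or foreign."""
    current = int(time.time()) if now is None else now
    try:
        raw = fernet.decrypt_at_time(
            token.encode("utf-8"), ttl=TOKEN_TTL_SECONDS, current_time=current
        )
    except InvalidToken:
        # Covers bad base64, a failed HMAC check and an exceeded TTL alike,
        # so the caller cannot tell which check rejected the token.
        return None
    return raw.decode("utf-8")


# Constructed sample values, not taken from the project.
SAMPLE_FERNET = derive_fernet(b"constructed-session-secret")
SAMPLE_ISSUED_AT = 1_700_000_000
SAMPLE_TOKEN = encode_path(SAMPLE_FERNET, "/srv/media/a/b.jpg", now=SAMPLE_ISSUED_AT)
```

A Fernet token carries its issue timestamp in cleartext and is authenticated as well as encrypted, so a server using this shape should treat `None` from `decode_path` as a plain "not found" rather than echoing the reason.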
@@ -18,6 +18,7 @@ from slowapi import Limiter
|
||||
from slowapi.util import get_remote_address
|
||||
|
||||
from ..core.dependencies import get_current_user, get_app_state, require_admin
|
||||
from ..core.path_tokens import encode_path
|
||||
from ..core.exceptions import (
|
||||
handle_exceptions,
|
||||
DatabaseError,
|
||||
@@ -654,6 +655,7 @@ async def advanced_search_downloads(
|
||||
"content_type": row[3],
|
||||
"filename": row[4],
|
||||
"file_path": row[5],
|
||||
"file_token": encode_path(row[5]) if row[5] else None,
|
||||
"file_size": row[6],
|
||||
"download_date": row[7],
|
||||
"post_date": row[8],
|
||||
|
||||
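Review bot: `"file_path": row[5]` is still returned directly above the new `"file_token"` line in the `advanced_search_downloads` result dict, so the raw filesystem path stays in every search response body and remains visible in dev tools. If the frontend now builds its URLs from `file_token`, drop `file_path` from this payload or reduce it to a display-safe value such as the existing `filename`, and plan removal of the path-accepting fallback that the commit message calls backward compatible. Also note that `encode_path(row[5])` runs once per row and the message gives the token a 4-hour TTL, so a result page left open longer than that will hold links that no longer resolve; the client needs a way to refetch.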