Prepare for send direct upload (#1174)

* Add sendId to path Event Grid returns the blob path, which will be used to grab a Send and verify file size * Re-validate access upon file download Increment access count only when file is downloaded. File name and size are leaked, but this is a good first step toward solving the access-download race
2025-07-01 16:12:49 -05:00 · 2021-03-01 15:01:04 -06:00
parent 13f12aaf58
commit 8d5fc21b51
7 changed files with 119 additions and 34 deletions
--- a/src/Api/Controllers/SendsController.cs
+++ b/src/Api/Controllers/SendsController.cs
@ -61,7 +61,8 @@ namespace Bit.Api.Controllers
            }

            var sendResponse = new SendAccessResponseModel(send, _globalSettings);
-            if (send.UserId.HasValue) {
+            if (send.UserId.HasValue)
+            {
                var creator = await _userService.GetUserByIdAsync(send.UserId.Value);
                sendResponse.CreatorIdentifier = creator.Email;
            }
@ -69,14 +70,40 @@ namespace Bit.Api.Controllers
        }

        [AllowAnonymous]
-        [HttpGet("access/file/{id}")]
-        public async Task<SendFileDownloadDataResponseModel> GetSendFileDownloadData(string id)
+        [HttpPost("{encodedSendId}/access/file/{fileId}")]
+        public async Task<IActionResult> GetSendFileDownloadData(string encodedSendId,
+            string fileId, [FromBody] SendAccessRequestModel model)
        {
-            return new SendFileDownloadDataResponseModel()
+            var sendId = new Guid(CoreHelpers.Base64UrlDecode(encodedSendId));
+            var send = await _sendRepository.GetByIdAsync(sendId);
+
+            if (send == null)
            {
-                Id = id,
-                Url = await _sendFileStorageService.GetSendFileDownloadUrlAsync(id),
-            };
+                throw new BadRequestException("Could not locate send");
+            }
+
+            var (url, passwordRequired, passwordInvalid) = await _sendService.GetSendFileDownloadUrlAsync(send, fileId,
+                model.Password);
+
+            if (passwordRequired)
+            {
+                return new UnauthorizedResult();
+            }
+            if (passwordInvalid)
+            {
+                await Task.Delay(2000);
+                throw new BadRequestException("Invalid password.");
+            }
+            if (send == null)
+            {
+                throw new NotFoundException();
+            }
+
+            return new ObjectResult(new SendFileDownloadDataResponseModel()
+            {
+                Id = fileId,
+                Url = url,
+            });
        }

        [HttpGet("{id}")]