accessor fix; typo fix;

Author: x1arch

apps/server/src/share/content_renderer.ts

@@ -40,8 +40,8 @@ interface Subroot {
 
 type GetNoteFunction = (id: string) => SNote | BNote | null;
 
-function addContentAccessQuery(note: any, secondEl?:boolean) {
-    if ((note as SNote).contentAccessor && (note as SNote).contentAccessor?.type === "query") {
+function addContentAccessQuery(note: SNote | BNote, secondEl?:boolean) {
+    if (!(note instanceof BNote) && note.contentAccessor && note.contentAccessor?.type === "query") {
         return secondEl ? `&cat=${note.contentAccessor.getToken()}` : `?cat=${note.contentAccessor.getToken()}`;
     }
     return ""
@@ -447,7 +447,7 @@ function renderMermaid(result: Result, note: SNote | BNote) {
 }
 
 function renderImage(result: Result, note: SNote | BNote) {
-    result.content = `<img src="../api/images/${note.noteId}/${note.encodedTitle}?${note.utcDateModified}${addContentAccessQuery(note, true)}">`;
+    result.content = `<img src="api/images/${note.noteId}/${note.encodedTitle}?${note.utcDateModified}${addContentAccessQuery(note, true)}">`;
 }
 
 function renderFile(note: SNote | BNote, result: Result) {

apps/server/src/share/routes.ts

@@ -61,7 +61,10 @@ function checkNoteAccess(noteId: string, req: Request, res: Response) {
 
     if (!header?.startsWith("Basic ")) {
         if (req.path.startsWith("/share/api") && note.contentAccessor) {
-            const contentAccessToken = "" + (note.contentAccessor.type === "cookie" ? req.cookies["trilium.cat"]  || "" : note.contentAccessor.type === "query" ? req.query['cat'] || "" : "")
+            let contentAccessToken = "" 
+            if (note.contentAccessor.type === "cookie") contentAccessToken += req.cookies["trilium.cat"] || ""
+            else if (note.contentAccessor.type === "query") contentAccessToken += req.query['cat'] || ""
+
             if (contentAccessToken){
                 if (note.contentAccessor.isTokenValid(contentAccessToken)){
                     return note

apps/server/src/share/shaca/entities/content_accessor.ts

@@ -2,25 +2,22 @@ import crypto from "crypto";
 import SNote from "./snote";
 import utils from "../../../services/utils";
 
-export const DefultAccessTimeoutSec = 10 * 60; // 10 minutes
-
+const DefaultAccessTimeoutSec = 10 * 60; // 10 minutes
 
 export class ContentAccessor {
     note: SNote;
     token: string;
     timestamp: number;
     type: string;
     timeout: number;
-    key: NonSharedBuffer;
-    iv: NonSharedBuffer;
+    key: Buffer;
 
     constructor(note: SNote) {
         this.note = note;
         this.key = crypto.randomBytes(32);
-        this.iv = crypto.randomBytes(16);
         this.token = "";
         this.timestamp = 0;
-        this.timeout = Number(this.note.getAttributeValue("label", "shareAccessTokenTimeout") || DefultAccessTimeoutSec)
+        this.timeout = Number(this.note.getAttributeValue("label", "shareAccessTokenTimeout") || DefaultAccessTimeoutSec)
 
         switch (this.note.getAttributeValue("label", "shareContentAccess")) {
             case "basic": this.type = "basic"; break
@@ -31,18 +28,20 @@ export class ContentAccessor {
     }
 
     __encrypt(text: string) {
-        const cipher = crypto.createCipheriv('aes-256-cbc', this.key, this.iv);
-        let encrypted = cipher.update(text);
-        encrypted = Buffer.concat([encrypted, cipher.final()]);
-        return encrypted.toString('hex');
+        const iv = crypto.randomBytes(16); 
+        const cipher = crypto.createCipheriv('aes-256-cbc', this.key, iv);
+        let encrypted = cipher.update(text, 'utf8', 'hex');
+        encrypted += cipher.final('hex');
+        return iv.toString('hex') + encrypted; 
     }
 
     __decrypt(encryptedText: string) {
         try {
-            const decipher = crypto.createDecipheriv('aes-256-cbc', this.key, this.iv);
-            let decrypted = decipher.update(Buffer.from(encryptedText, 'hex'));
-            decrypted = Buffer.concat([decrypted, decipher.final()]);
-            return decrypted.toString();
+            const iv = Buffer.from(encryptedText.slice(0, 32), 'hex');
+            const decipher = crypto.createDecipheriv('aes-256-cbc', this.key, iv);
+            let decrypted = decipher.update(encryptedText.slice(32), 'hex', 'utf8');
+            decrypted += decipher.final('utf8');
+            return decrypted;
         } catch {
             return ""
         }
@@ -55,6 +54,7 @@ export class ContentAccessor {
     update() {
         if (new Date().getTime() < this.timestamp + this.getTimeout() * 1000) return
         this.token = utils.randomString(36);
+        this.key = crypto.randomBytes(32);
         this.timestamp = new Date().getTime();
     }
 

docs/User Guide/User Guide/Advanced Usage/Sharing.md

@@ -131,7 +131,7 @@ To do so, create a shared text note and apply the `shareIndex` label. When viewe
 
 ## Attribute reference
 
-<table class="ck-table-resized"><colgroup><col style="width:18.38%;"><col style="width:81.62%;"></colgroup><thead><tr><th>Attribute</th><th>Description</th></tr></thead><tbody><tr><td><code>#shareHiddenFromTree</code></td><td>this note is hidden from left navigation tree, but still accessible with its URL</td></tr><tr><td><code>#shareTemplateNoPrevNext</code></td><td>hide bottom page navigation prev and next page.</td></tr><tr><td><code>#shareTemplateNoLeftPanel</code></td><td>hide left panel fully.</td></tr><tr><td><code>#shareExclude</code></td><td>this note will be excluded from share, not accessible via direct URL (implemented to hide scripts from share)</td></tr><tr><td><code>#shareContentAccess</code></td><td>method for attachments authorization in case when note protected with login and password (#shareCredentials). Could be cookie (the cookie will provided when page loads) / query (every url will be updated with token) / basic (only basic header authorization)). By default for browser used cookie.</td></tr><tr><td><code>#shareAccessTokenTimeout</code></td><td>token expiration timeout in seconds, by default 10 minutes. While token not expired user couls download attachment, after that he will get message `Access is expired. Return back and update the page.`</td></tr><tr><td><code>#shareExternalLink</code></td><td>note will act as a link to an external website in the share tree</td></tr><tr><td><code>#shareAlias</code></td><td>define an alias using which the note will be available under <code>https://your_trilium_host/share/[your_alias]</code></td></tr><tr><td><code>#shareOmitDefaultCss</code></td><td>default share page CSS will be omitted. Use when you make extensive styling changes.</td></tr><tr><td><code>#shareRoot</code></td><td>marks note which is served on /share root.</td></tr><tr><td><code>#shareDescription</code></td><td>define text to be added to the HTML meta tag for description</td></tr><tr><td><code>#shareRaw</code></td><td>Note will be served in its raw format, without HTML wrapper. See also&nbsp;<a class="reference-link" href="Sharing/Serving%20directly%20the%20content%20o.md">Serving directly the content of a note</a>&nbsp;for an alternative method without setting an attribute.</td></tr><tr><td><code>#shareDisallowRobotIndexing</code></td><td><p>Indicates to web crawlers that the page should not be indexed of this note by:</p><ul><li data-list-item-id="e6baa9f60bf59d085fd31aa2cce07a0e7">Setting the <code>X-Robots-Tag: noindex</code> HTTP header.</li><li data-list-item-id="ec0d067db136ef9794e4f1033405880b7">Setting the <code>noindex, follow</code> meta tag.</li></ul></td></tr><tr><td><code>#shareCredentials</code></td><td>require credentials to access this shared note. Value is expected to be in format <code>username:password</code>. Don't forget to make this inheritable to apply to child-notes/images.</td></tr><tr><td><code>#shareIndex</code></td><td>Note with this label will list all roots of shared notes.</td></tr><tr><td><code>#shareHtmlLocation</code></td><td>defines where custom HTML injected via <code>~shareHtml</code> relation should be placed. Applied to the HTML snippet note itself. Format: <code>location:position</code> where location is <code>head</code>, <code>body</code>, or <code>content</code> and position is <code>start</code> or <code>end</code>. Defaults to <code>content:end</code>.</td></tr></tbody></table>
+<table class="ck-table-resized"><colgroup><col style="width:18.38%;"><col style="width:81.62%;"></colgroup><thead><tr><th>Attribute</th><th>Description</th></tr></thead><tbody><tr><td><code>#shareHiddenFromTree</code></td><td>this note is hidden from left navigation tree, but still accessible with its URL</td></tr><tr><td><code>#shareTemplateNoPrevNext</code></td><td>hide bottom page navigation prev and next page.</td></tr><tr><td><code>#shareTemplateNoLeftPanel</code></td><td>hide left panel fully.</td></tr><tr><td><code>#shareExclude</code></td><td>this note will be excluded from share, not accessible via direct URL (implemented to hide scripts from share)</td></tr><tr><td><code>#shareContentAccess</code></td><td>method for attachments authorization in case when note protected with login and password (#shareCredentials). Could be cookie (the cookie will be provided when page loads) / query (every url will be updated with token) / basic (only basic header authorization)). By default for browser used cookie.</td></tr><tr><td><code>#shareAccessTokenTimeout</code></td><td>token expiration timeout in seconds, by default 10 minutes. While token not expired user could download attachment, after that he will get message `Access is expired. Return back and update the page.`</td></tr><tr><td><code>#shareExternalLink</code></td><td>note will act as a link to an external website in the share tree</td></tr><tr><td><code>#shareAlias</code></td><td>define an alias using which the note will be available under <code>https://your_trilium_host/share/[your_alias]</code></td></tr><tr><td><code>#shareOmitDefaultCss</code></td><td>default share page CSS will be omitted. Use when you make extensive styling changes.</td></tr><tr><td><code>#shareRoot</code></td><td>marks note which is served on /share root.</td></tr><tr><td><code>#shareDescription</code></td><td>define text to be added to the HTML meta tag for description</td></tr><tr><td><code>#shareRaw</code></td><td>Note will be served in its raw format, without HTML wrapper. See also&nbsp;<a class="reference-link" href="Sharing/Serving%20directly%20the%20content%20o.md">Serving directly the content of a note</a>&nbsp;for an alternative method without setting an attribute.</td></tr><tr><td><code>#shareDisallowRobotIndexing</code></td><td><p>Indicates to web crawlers that the page should not be indexed of this note by:</p><ul><li data-list-item-id="e6baa9f60bf59d085fd31aa2cce07a0e7">Setting the <code>X-Robots-Tag: noindex</code> HTTP header.</li><li data-list-item-id="ec0d067db136ef9794e4f1033405880b7">Setting the <code>noindex, follow</code> meta tag.</li></ul></td></tr><tr><td><code>#shareCredentials</code></td><td>require credentials to access this shared note. Value is expected to be in format <code>username:password</code>. Don't forget to make this inheritable to apply to child-notes/images.</td></tr><tr><td><code>#shareIndex</code></td><td>Note with this label will list all roots of shared notes.</td></tr><tr><td><code>#shareHtmlLocation</code></td><td>defines where custom HTML injected via <code>~shareHtml</code> relation should be placed. Applied to the HTML snippet note itself. Format: <code>location:position</code> where location is <code>head</code>, <code>body</code>, or <code>content</code> and position is <code>start</code> or <code>end</code>. Defaults to <code>content:end</code>.</td></tr></tbody></table>
 
 ### Customizing logo