feat: secure proof-of-payment download routes with shareId validation

Changes: - Update download links in UI to use shareId instead of locationID - Add shareId validation to per-bill proof download route - Add shareId validation to combined proof download route - Validate TTL before allowing downloads - Extract locationId from shareId using extractShareId helper Security: - Download routes now validate checksum and TTL - Prevents unauthorized access to proof-of-payment files - Returns 404 for invalid/expired share links 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-08 01:01:38 +01:00
parent 669fb08582
commit f19e1bc023
5 changed files with 63 additions and 16 deletions
--- a/app/[locale]/share/proof-of-payment/combined/[id]/route.tsx
+++ b/app/[locale]/share/proof-of-payment/combined/[id]/route.tsx
@@ -1,19 +1,39 @@
 import { getDbClient } from '@/app/lib/dbClient';
 import { BillingLocation } from '@/app/lib/db-types';
 import { notFound } from 'next/navigation';
+import { extractShareId, validateShareChecksum } from '@/app/lib/shareChecksum';

-export async function GET(request: Request, { params:{ id } }: { params: { id:string } }) {
-    const locationID = id;
+export async function GET(request: Request, { params: { id } }: { params: { id: string } }) {
+    const shareId = id;
+
+    // Validate shareId and extract locationId
+    const extracted = extractShareId(shareId);
+    if (!extracted) {
+        notFound();
+    }
+
+    const { locationId: locationID, checksum } = extracted;
+
+    // Validate checksum
+    if (!validateShareChecksum(locationID, checksum)) {
+        notFound();
+    }

    const dbClient = await getDbClient();
    const location = await dbClient.collection<BillingLocation>("lokacije")
        .findOne({ _id: locationID }, {
            projection: {
                utilBillsProofOfPayment: 1,
+                shareTTL: 1,
            }
        });

-    if(!location?.utilBillsProofOfPayment) {
+    if (!location?.utilBillsProofOfPayment) {
+        notFound();
+    }
+
+    // Check if sharing is active and not expired
+    if (!location.shareTTL || new Date() > location.shareTTL) {
        notFound();
    }