feat: secure proof-of-payment download routes with shareId validation

Changes: - Update download links in UI to use shareId instead of locationID - Add shareId validation to per-bill proof download route - Add shareId validation to combined proof download route - Validate TTL before allowing downloads - Extract locationId from shareId using extractShareId helper Security: - Download routes now validate checksum and TTL - Prevents unauthorized access to proof-of-payment files - Returns 404 for invalid/expired share links 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-08 01:01:38 +01:00
parent 669fb08582
commit f19e1bc023
5 changed files with 63 additions and 16 deletions
--- a/app/[locale]/share/proof-of-payment/per-bill/[id]/route.tsx
+++ b/app/[locale]/share/proof-of-payment/per-bill/[id]/route.tsx
@@ -1,12 +1,28 @@
 import { getDbClient } from '@/app/lib/dbClient';
 import { BillingLocation } from '@/app/lib/db-types';
 import { notFound } from 'next/navigation';
+import { extractShareId, validateShareChecksum } from '@/app/lib/shareChecksum';

-export async function GET(_request: Request, { params:{ id } }: { params: { id:string } }) {
-    // Parse locationID-billID format
-    const [locationID, billID] = id.split('-');
+export async function GET(_request: Request, { params: { id } }: { params: { id: string } }) {
+    // Parse shareId-billID format
+    // shareId = 40 chars (locationId 24 + checksum 16)
+    const shareId = id.substring(0, 40);
+    const billID = id.substring(41); // Skip the '-' separator

-    if (!locationID || !billID) {
+    if (!shareId || !billID) {
+        notFound();
+    }
+
+    // Validate shareId and extract locationId
+    const extracted = extractShareId(shareId);
+    if (!extracted) {
+        notFound();
+    }
+
+    const { locationId: locationID, checksum } = extracted;
+
+    // Validate checksum
+    if (!validateShareChecksum(locationID, checksum)) {
        notFound();
    }

@@ -14,13 +30,19 @@ export async function GET(_request: Request, { params:{ id } }: { params: { id:s
    const location = await dbClient.collection<BillingLocation>("lokacije")
        .findOne({ _id: locationID }, {
            projection: {
-                // Don't load bill attachments, only proof of payment
+                // Don't load bill attachments, only proof of payment and shareTTL
                "bills._id": 1,
                "bills.proofOfPayment": 1,
+                "shareTTL": 1,
            }
        });

-    if(!location) {
+    if (!location) {
+        notFound();
+    }
+
+    // Check if sharing is active and not expired
+    if (!location.shareTTL || new Date() > location.shareTTL) {
        notFound();
    }