diff --git a/backend/src/tools/dateien/public-share-public.js b/backend/src/tools/dateien/public-share-public.js index 529edca..aab71a4 100644 --- a/backend/src/tools/dateien/public-share-public.js +++ b/backend/src/tools/dateien/public-share-public.js @@ -41,6 +41,16 @@ router.get('/:token', (req, res) => { }); }); +// POST /:token/verify – nur Passwort prüfen, kein Download +router.post('/:token/verify', async (req, res) => { + const s = getShare(req.params.token); + if (!s) return res.status(404).json({ error: 'Nicht gefunden' }); + if (isExpired(s)) return res.status(410).json({ error: 'Link abgelaufen' }); + const ok = await bcrypt.compare(req.body?.password || '', s.password_hash); + if (!ok) return res.status(403).json({ error: 'Falsches Passwort' }); + res.json({ ok: true, file_name: s.file_name, file_size: s.file_size, mime_type: s.mime_type, is_folder: !!s.folder_id }); +}); + // POST /:token/download – Datei herunterladen router.post('/:token/download', async (req, res) => { const s = getShare(req.params.token); diff --git a/frontend/src/App.jsx b/frontend/src/App.jsx index 8a5ae85..e35cd85 100644 --- a/frontend/src/App.jsx +++ b/frontend/src/App.jsx @@ -2951,23 +2951,13 @@ function PublicFileShare({ token }) { setFiles(d.files || []); setPhase('ready'); } else { - // Datei: erst PW testen via Download (streams bei Erfolg) - const res = await fetch(BASE + '/download', { + // Datei: nur PW prüfen via /verify (kein Download) + const res = await fetch(BASE + '/verify', { method:'POST', headers:{'Content-Type':'application/json'}, body: JSON.stringify({ password: pw }), }); - if (!res.ok) { - const d = await res.json().catch(() => ({})); - setErrMsg(d.error || 'Falsches Passwort'); - return; - } - // Korrekt → Download starten + Phase wechseln - const blob = await res.blob(); - const objUrl = URL.createObjectURL(blob); - const a = document.createElement('a'); - a.href = objUrl; a.download = info.file_name || 'download'; - document.body.appendChild(a); a.click(); document.body.removeChild(a); - setTimeout(() => URL.revokeObjectURL(objUrl), 5000); + const d = await res.json().catch(() => ({})); + if (!res.ok) { setErrMsg(d.error || 'Falsches Passwort'); return; } setPassword(pw); setPhase('ready'); }