[OCISDEV-617] Public Link Multi-file Download (Archiver) fails with 401 for Project Spaces

[smallkai]

Describe the bug

When attempting to download multiple files (which triggers the Archiver/ZIP download) via a Public Link shared from a Project Space, the request fails with 401 Unauthorized. Single-file downloads from the same link work correctly. Public links shared from Personal folders (User-owned) allow multi-file downloads without issue.

Steps to reproduce

1. Create a "Project Space" (Type 8).
2. Create a Public Link for a folder within this Space (allow download).
3. Open the Public Link in an incognito browser window.
4. Select multiple files.
5. Click "Download" (to trigger the ZIP generation).
6. Result: The browser receives a 401 Unauthorized response. The ZIP download fails.

Expected behavior

The Archiver service should correctly validate the signed URL for Space-owned resources and serve the ZIP file, just as it does for Personal resources.

Actual behavior

The request to /archiver returns 401. Server logs indicate a "User not found" error during the signed_url authentication phase.

Setup

Started via Docker Compose with OIDC (Keycloak).

Details

services:
  ocis:
    image: owncloud/ocis:7.3.1
    environment:
      OCIS_URL: https://ocis.example.com
      PROXY_AUTOPROVISION_ACCOUNTS: "true"
      PROXY_USER_OIDC_CLAIM: "preferred_username"
      PROXY_USER_CS3_CLAIM: "username"
      OCIS_JWT_SECRET: "..."

Additional context

Environment:

OCIS Version: 7.3.1 (Compiled: 2025-11-25)
OS: Linux
Log Analysis & Hypothesis: We compared logs between a successful Personal download and a failed Space download.

Failed Request (Space Public Link): The signed_url authenticator attempts to resolve the user associated with the claim (likely sub). It extracts the Space ID (Resource Owner) and attempts to look it up in the User Provider. Since the ID belongs to a Space (Type 8), not a User (Type 1), the lookup fails (Could not get user by claim).

{"level":"debug","service":"proxy","authenticator":"signed_url","message":"rewrite hook found"}
{"level":"error","service":"proxy","error":"user not found","message":"Could not get user by claim"}
{"level":"info","service":"proxy","status":401,"path":"/archiver"}
Successful Request (Personal Public Link): For personal folders, the Resource Owner is a User. The lookup succeeds, and authentication passes.

The issue appears to be that the Archiver service incorrectly assumes the resource owner in the signed token is always a User, causing failure for Space-owned resources.

[kobergj]

@smallkai thanks, seems I can reproduce this. Can you confirm this is only happening when using a password on the link? I think archiver doesn't play well with password-protected links. Needs investigation.

[smallkai]

Hi @kobergj , thanks for the update. I've just confirmed that the issue is indeed related to the password protection. After removing the password from the link, everything works as expected. Let me know if you need any more logs for the investigation!

[jvillafanez]

I think we'll need to discuss how to solve this...

It seems web is using a signed URL for the download, which contains the authentication. However, the signed URL should be used for impersonation (I think), so it requires a valid existing user.
The problem is that web is using "public" as user, but such user doesn't exists in the system.

I'm not sure how many of the following solutions are really viable:

• Change the authentication in web to use the public share authentication (same as when it list the share contents). I assume this isn't possible since the download might take a long time. Not sure if the validity of the public share authentication has a short time span which might cause problems with the download and that's why we opted for the signed URL option.
• Check for public share authentication inside the signed URL one if the target user is "public". It might work, but I don't think it makes sense. Maintenance might be a problem. In addition, we might either hide a valid user called "public", or this fix might stop working if there is a user called "public" (depending on when we "redirect" the authentication).
• Create a fake user / account that can be fetched when asking for "public". This might cause problems since oCIS won't likely know if the account is real or not.

Is it possible for web to generate a signed URL based on the user who created the share link, or the user who copies the link in oCIS? That might work, although we might expose the account to the outside.

[kobergj]

@jvillafanez in the basic auth header you mean? Isn't that used to signal the password for the public link? Are you sure this is used as the username in the backend?

[jvillafanez]

{"level":"error","service":"proxy","error":"user not found","authenticator":"signed_url","path":"/archiver","time":"2026-01-30T12:21:49Z","line":"/home/juan/src/ocis/ocis/services/proxy/pkg/middleware/signed_url_auth.go:229","message":"Could not get user by claim"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"719d7948407f/Ay4RYLtB3z-002133","traceid":"b33a468ddbb8baa8d3989393de5f6c0f","remote-addr":"10.0.2.28","method":"GET","status":401,"path":"/archiver","duration":4.685268,"bytes":0,"time":"2026-01-30T12:21:49Z","line":"/home/juan/src/ocis/ocis/services/proxy/pkg/middleware/accesslog.go:34","message":"access-log"}

There is an OC-Credential=public in the URL, as shown in the image, and the error coming from the logs points to the signed_url_auth file. The user provider, whatever it is, fails to find that "public" user.

From what I understand, web is using a signed URL to download the archive (https://github.com/owncloud/web/blob/0ac444b5642ba004ae9e05439eebe56a8f29e730/packages/web-pkg/src/services/archiver.ts#L86-L96) which doesn't contain basic auth. This works fine if the user exists.

I'm not sure if web (or any other client) should be able to generate a signed URL with a user that doesn't exists. Either we have a missing check in the signed URL generation in order to prevent this situation from happening, or we have a missing check to allow this "public" user go through the signed URL authentication.

[2403905]

I will add the context of why the UI switched to use the signing-key for a public link with passwords:

Downloading large archives in public links with passwords fails because Web fetches the file into memory which hits browser/device constrains. The download works fine in public links without passwords because the resource is publicly accessible and in authenticated user context where we can safely generate a pre-signed URL. For public links with passwords, we will either need to provide a new/updated endpoint to allow unauthenticated users in this context to get signing key to pre-sign URLs for downloads or figure out a new approach to downloading resources. Maybe streaming?

#11576

The signing-key endpoint returns the owner userId for the personal space. It works, but looks wrong in a public link context.
For the project space, the endpoint returns the spaceId instead of the userId

We should change or have another signing-key endpoint for signing the public links

[2403905]

I discovered that the download works if I use the signature from the PROPFIND
https://localhost:9200/archiver?public-token=FCVVQpllIorMVND&id=<id>&id=<id>&signature=<signature>&expiration=<date>

[2403905]

The signature & expiration we can get from the PROPFIND oc:downloadURL. The problem is the PROPFIND doesn't have downloadURL for the folders.

[2403905]

UPD. The steps to fix.
#12017

1. Remove the signing-key endpoint call.
2. Add the <oc:signature-auth/> to the propfind request to get the signature and expiration
3. Build a link for download, follow the patternhttps://localhost:9200/archiver?public-token=FCVVQpllIorMVND&id=<id>&id=<id>&signature=<signature>&expiration=<date>