feat: Add @microsoft.graph.downloadUrl annotation and /content endpoi…#38
feat: Add @microsoft.graph.downloadUrl annotation and /content endpoi…#38
Conversation
dschmidt
requested review from
butonic,
dragotin,
fschade,
kulmann,
micbar and
rhafer
as code owners
There was a problem hiding this comment.
Pull request overview
This PR updates the Libre Graph OpenAPI spec to support generating short-lived, pre-authenticated download URLs for driveItem content—mirroring Microsoft Graph’s @microsoft.graph.downloadUrl annotation and /content redirect pattern.
Changes:
- Adds optional
@microsoft.graph.downloadUrlinstance annotation to thedriveItemschema (opt-in via$select). - Introduces a new
driveItemSelect$selectparameter component to request the annotation. - Adds
GET /v1beta1/drives/{drive-id}/items/{item-id}/contentreturning302with aLocationheader, and wires$selectintoGetDriveItem.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
butonic
left a comment
butonic
left a comment
There was a problem hiding this comment.
I prefer the @microsoft.graph.downloadUrl as we can implement it cleanly. I like this!
|
Ok, who merges it when? For some reason I seem to be allowed to merge, but I'm not sure whether one approving review is enough and/or who should click merge. |
Adds an optional, `$select`-gated instance annotation on `driveItem` that carries the list of libre.graph actions the caller is allowed to perform on the item. Mirrors the annotation of the same name on the `/permissions` endpoint so clients (e.g. a sharing dialog in a search/listing UI) can get the effective-actions view inline without a separate round-trip per item. - Adds `@libre.graph.permissions.actions.allowedValues` to the `driveItem` schema, marked read-only and documented as only populated when requested. - Adds a reusable `driveItemSelect` component parameter with a narrow enum, following the same pattern as PR #38 (feat/download-url). When both land, the enum values merge. - Wires the new parameter to `GetDriveItem`. Rationale discussed in #34.
Problem
The libre-graph-api spec currently provides no way to create signed links for a
driveItem. Clients that need file content and can't send auth headers for the download have to leave Graph and fall back to:PROPFINDwith theoc:downloadURLproperty, or/ocs/v1.php/cloud/user/signing-key, which is [planned for removal in opencloud](Deprecate and remove/cloud/user/signing-keyendpoint opencloud#1197)This forces every Graph-consuming client that ever needs to generate a signed url for a file to switch protocol to WebDAV.
Proposal
Mirror the Microsoft Graph API's two-pronged approach:
@microsoft.graph.downloadUrlinstance annotation ondriveItem, opt-in via$select, for clients that want to obtain the URL without following a redirect (useful for prefetching, scheduling, or inspecting the URL).GET /v1beta1/drives/{drive-id}/items/{item-id}/contentreturning302 Foundredirecting to the same pre-authenticated URL, for clients that just want to download and are happy to follow redirects.Both mechanisms return the same short-lived URL. The annotation is opt-in because computing the URL requires a signing operation; clients shouldn't pay that cost when they only wanted metadata.
We can use the regular dav endpoint as content for downloadUrl and as redirect target for /content.
What's in this PR
Three additions to
api/openapi-spec/v1.0.yaml:Schema: Adds
@microsoft.graph.downloadUrlas an optionalstringproperty on thedriveItemschema, alongside the existing@client.synchronizeand@UI.Hiddenannotations.Parameter component: Adds a new
driveItemSelectcomponent (following thedrivesSelect/permissionsSelectpattern) with anenumlisting@microsoft.graph.downloadUrl.Endpoints:
$selectto the existingGetDriveItemoperation.GetDriveItemContentoperation at/v1beta1/drives/{drive-id}/items/{item-id}/contentreturning302.Design decisions (happy to revisit)
Name:
@microsoft.graph.downloadUrl, matching MS Graph exactly. Alternative would be@libre.graph.downloadUrl, which would be more consistent with existing project-specific annotations like@libre.graph.hasTrashedItemsand@libre.graph.quickLink. I went with the MS-compatible name. Happy to switch to@libre.graph.downloadUrlif you take a different stance on this.Opt-in via
$select: Mirrors the WebDAVPROPFINDpattern, whereoc:downloadURLis only returned when explicitly requested. Signing is cheap but non-zero, and the resulting URL is short-lived garbage if unused.302 redirect on
/content: Matches MS Graph. We can just use the existing endpoint in WebDAV.Open questions for the implementation side (not in this PR)
These are for the corresponding opencloud implementation, but worth flagging here since they affect the contract:
TTL. WebDAV
PROPFIND'sdownloadURLhardcodes 30 minutes in Reva ([propfind.go:1770](https://github.com/opencloud-eu/reva/blob/main/internal/http/services/owncloud/ocdav/propfind/propfind.go#L1770)). MS Graph documents its equivalent as "a few minutes to 1 hour". The implementation should probably share a constant (or config) across both code paths for predictable behavior.Public shares. WebDAV's
downloadURLhas a separate signing path for public-share contexts (PublicShare.Signature).I'm willing to take care of the implementation.