From 1bfef200a56ae1470b97576303cd41f57a08e7fd Mon Sep 17 00:00:00 2001
From: martin <74269598+martabal@users.noreply.github.com>
Date: Tue, 30 Jan 2024 22:34:00 +0100
Subject: [PATCH] fix(server): avoid leaking people data on shared links (#6779)

* fix: avoid leaking people data on shared links
* test: add e2e test
---
 server/e2e/api/specs/asset.e2e-spec.ts | 41 ++++++++++++++++++++++++
 server/src/domain/asset/asset.service.ts | 2 +-
 2 files changed, 42 insertions(+), 1 deletion(-)

diff --git a/server/e2e/api/specs/asset.e2e-spec.ts b/server/e2e/api/specs/asset.e2e-spec.ts
index 389d66f3ed..e38f08d0ca 100644
--- a/server/e2e/api/specs/asset.e2e-spec.ts
+++ b/server/e2e/api/specs/asset.e2e-spec.ts
@@ -559,6 +559,47 @@ describe(`${AssetController.name} (e2e)`, () => {
 expect(status).toBe(200);
 expect(body).toMatchObject({ id: asset1.id });
 });
+
+ it('should not send people data for shared links for un-authenticated users', async () => {
+ const personRepository = app.get(IPersonRepository);
+ const person = await personRepository.create({ ownerId: asset1.ownerId, name: 'Test Person' });
+
+ await personRepository.createFaces([
+ {
+ assetId: asset1.id,
+ personId: person.id,
+ embedding: Array.from({ length: 512 }, Math.random),
+ },
+ ]);
+
+ const { status, body } = await request(server)
+ .put(`/asset/${asset1.id}`)
+ .set('Authorization', `Bearer ${user1.accessToken}`)
+ .send({ isFavorite: true });
+ expect(status).toEqual(200);
+ expect(body).toMatchObject({
+ id: asset1.id,
+ isFavorite: true,
+ people: [
+ {
+ birthDate: null,
+ id: expect.any(String),
+ isHidden: false,
+ name: 'Test Person',
+ thumbnailPath: '',
+ },
+ ],
+ });
+
+ const sharedLink = await api.sharedLinkApi.create(server, user1.accessToken, {
+ type: SharedLinkType.INDIVIDUAL,
+ assetIds: [asset1.id],
+ });
+
+ const data = await request(server).get(`/asset/assetById/${asset1.id}?key=${sharedLink.key}`);
+ expect(data.status).toBe(200);
+ expect(data.body).toMatchObject({ people: [] });
+ });
 });

 describe('GET /asset/:id', () => {
diff --git a/server/src/domain/asset/asset.service.ts b/server/src/domain/asset/asset.service.ts
index 4d1abe1872..087a5ebcf2 100644
--- a/server/src/domain/asset/asset.service.ts
+++ b/server/src/domain/asset/asset.service.ts
@@ -321,7 +321,7 @@ export class AssetService {
 delete data.owner;
 }

- if (data.ownerId !== auth.user.id) {
+ if (data.ownerId !== auth.user.id || auth.sharedLink) {
 data.people = [];
 }
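Review bot: The owner-side control in the new test goes through `PUT /asset/:id` while the shared-link assertion uses `GET /asset/assetById/:id`, so the two halves differ in endpoint as well as in credentials, and the PUT also sets `isFavorite: true` on the shared `asset1` fixture. A control that calls the same `assetById` route with the `Authorization` bearer header for `user1` and expects the `Test Person` entry would show that the shared-link key alone empties `people`, without mutating state other tests may read. Only `SharedLinkType.INDIVIDUAL` is exercised; an album-type link case would guard the same redaction if that type reaches this code path. The enclosing `describe` opens above the hunk, so whether this test sits in the matching route group cannot be confirmed from here.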
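Review bot: The new `|| auth.sharedLink` clause has no comment saying why the owner comparison alone is not enough, and the redaction is applied to the already-mapped response in this one method only. The e2e test in this commit suggests a shared-link request is evaluated with the link owner's identity, so `data.ownerId !== auth.user.id` never fires for it. A line such as `// Shared-link callers appear to resolve to the link owner, so check auth.sharedLink explicitly before exposing people.` above the condition would keep a later refactor from dropping the clause. Other methods that return mapped assets to shared-link callers are outside this hunk and should be checked for the same `people` redaction. The enclosing method starts and ends outside the hunk; if the preceding `delete data.owner;` block is already conditioned on the shared link, grouping both redactions there would make the boundary easier to audit.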