Fix subfolder sharing with directory scope enforcement

Fixes issue #1068 — subfolders inaccessible when browsing a shared folder link.

Root causes fixed:
- SearchManager: recursiveDir flag adds path LIKE clause so subdirectory
  media and directory listings are visible under a share root
- SessionManager: passes recursiveDir=true to both projection query builders
- GalleryRouter + AuthenticationMWs: LimitedGuest role now reaches the
  directory listing route; authoriseSharingDirectory enforces that the
  requested path is the share root or a descendant — unrelated paths get 401
- SharingMWs + SharingDTO: /share/<key>/key endpoint returns passwordProtected
  flag so the frontend can decide whether to show a password prompt
- navigation.service / error.interceptor / authentication.service: fixed
  blank-screen deadlock and 401 redirect loop on password-protected shares
- gallery.component: directory shares navigate to gallery/<dir> view so
  subfolder cards are clickable, not to the flat search results view
- navigator: breadcrumb links enabled for paths at or below the share root;
  routes observable now uses combineLatest so breadcrumbs recompute when
  share metadata arrives (fixes stale-null race on cached content loads)
- share.service: removed debug console.log

Security:
- authoriseSharingDirectory fails closed — unrecognised AND query shapes
  return 401 rather than silently granting access
- normalizeDirPath canonicalises '.' (Utils.concatUrls root form), '/' and ''
  to the same empty string so root-directory shares are not falsely rejected
- Non-directory shares (date/person) permitted at the route level; content
  scope is enforced by the DB-layer projectionQuery

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: alexkoon

src/backend/middlewares/SharingMWs.ts

@@ -47,9 +47,11 @@ export class SharingMWs {
         return next();
       }
       const sharingKey = req.params[QueryParams.gallery.sharingKey_params];
-
-      req.resultPipe =
-        {sharingKey: (await ObjectManagers.getInstance().SharingManager.findOne(sharingKey)).sharingKey} as SharingDTOKey;
+      const sharing = await ObjectManagers.getInstance().SharingManager.findOne(sharingKey);
+      req.resultPipe = {
+        sharingKey: sharing.sharingKey,
+        passwordProtected: !!(sharing.password || Config.Sharing.passwordRequired),
+      } as SharingDTOKey;
       return next();
     } catch (err) {
       return next(

src/backend/middlewares/user/AuthenticationMWs.ts

@@ -9,6 +9,7 @@ import {QueryParams} from '../../../common/QueryParams';
 import * as path from 'path';
 import {Logger} from '../../Logger';
 import {ContextUser} from '../../model/SessionContext';
+import {ANDSearchQuery, SearchQueryDTO, SearchQueryTypes, TextSearch, TextSearchQueryMatchTypes} from '../../../common/entities/SearchQueryDTO';
 
 const LOG_TAG = 'AuthenticationMWs';
 
@@ -298,6 +299,71 @@ export class AuthenticationMWs {
     return next();
   }
 
+  /**
+   * Canonical form for directory path comparison:
+   * - backslashes → forward slashes
+   * - trailing slashes stripped
+   * - '.' → '' (Utils.concatUrls returns '.' for the gallery root; normalise to empty string)
+   */
+  private static normalizeDirPath(p: string): string {
+    const fwd = p.replace(/\\/g, '/');
+    let end = fwd.length;
+    while (end > 0 && fwd[end - 1] === '/') end--;
+    const s = fwd.slice(0, end);
+    return s === '.' ? '' : s;
+  }
+
+  /**
+   * Middleware: allows LimitedGuest (sharing) users through only when the requested
+   * directory is the share root or a descendant of it. All other roles pass unconditionally.
+   */
+  public static authoriseSharingDirectory(req: Request, res: Response, next: NextFunction): void {
+    if (req.session?.context?.user?.role !== UserRoles.LimitedGuest) {
+      return next();
+    }
+    const allowQuery = req.session.context.user.allowQuery;
+    if (!allowQuery) {
+      return next();
+    }
+    const requestedDir = AuthenticationMWs.normalizeDirPath(req.params['directory'] || '');
+    if (AuthenticationMWs.isDirInShareScope(requestedDir, allowQuery)) {
+      return next();
+    }
+    res.status(401);
+    return next(new ErrorDTO(ErrorCodes.NOT_AUTHORISED));
+  }
+
+  /**
+   * Returns true when `dir` is within the directory scope of a share's allowQuery.
+   *
+   * - Exact-match directory share: dir must equal or be a descendant of the share root.
+   * - AND query: the top-level list must contain an exact-match directory clause; if none
+   *   is found the function fails closed (false) rather than granting access silently.
+   * - Non-directory shares (date, person, etc.): any directory is permitted here because
+   *   the DB-layer projectionQuery already restricts which media rows are returned.
+   */
+  private static isDirInShareScope(dir: string, query: SearchQueryDTO): boolean {
+    if (
+      query.type === SearchQueryTypes.directory &&
+      (query as TextSearch).matchType === TextSearchQueryMatchTypes.exact_match
+    ) {
+      const shareRoot = AuthenticationMWs.normalizeDirPath((query as TextSearch).value);
+      // Empty shareRoot means the gallery root — every directory is in scope.
+      if (shareRoot === '') return true;
+      return dir === shareRoot || dir.startsWith(shareRoot + '/');
+    }
+    if (query.type === SearchQueryTypes.AND) {
+      const dirClause = (query as ANDSearchQuery).list.find(
+        q => q.type === SearchQueryTypes.directory &&
+             (q as TextSearch).matchType === TextSearchQueryMatchTypes.exact_match
+      );
+      // Fail closed: an AND query with no recognisable directory clause is not granted access.
+      return dirClause ? AuthenticationMWs.isDirInShareScope(dir, dirClause) : false;
+    }
+    // Non-directory shares: projectionQuery enforces content scope at the DB layer.
+    return true;
+  }
+
   private static async getSharingUser(req: Request): Promise<ContextUser> {
     if (
       Config.Sharing.enabled === true &&

src/backend/model/database/SearchManager.ts

@@ -481,15 +481,16 @@ export class SearchManager {
 
   public async prepareAndBuildWhereQuery(
     queryIN: SearchQueryDTO, directoryOnly = false,
-    aliases: { [key: string]: string } = {}): Promise<Brackets> {
+    aliases: { [key: string]: string } = {},
+    recursiveDir = false): Promise<Brackets> {
     let query = await this.prepareQuery(queryIN);
     if (directoryOnly) {
       query = this.filterDirectoryQuery(query);
       if (query === null) {
         return null;
       }
     }
-    return this.buildWhereQuery(query, directoryOnly, aliases);
+    return this.buildWhereQuery(query, directoryOnly, aliases, recursiveDir);
   }
 
   public async prepareQuery(queryIN: SearchQueryDTO): Promise<SearchQueryDTO> {
@@ -509,22 +510,23 @@ export class SearchManager {
   public buildWhereQuery(
     query: SearchQueryDTO,
     directoryOnly = false,
-    aliases: { [key: string]: string } = {}
+    aliases: { [key: string]: string } = {},
+    recursiveDir = false
   ): Brackets {
     const queryId = (query as SearchQueryDTOWithID).queryId;
     switch (query.type) {
       case SearchQueryTypes.AND:
         return new Brackets((q): unknown => {
           (query as ANDSearchQuery).list.forEach((sq) => {
-              q.andWhere(this.buildWhereQuery(sq, directoryOnly));
+              q.andWhere(this.buildWhereQuery(sq, directoryOnly, aliases, recursiveDir));
             }
           );
           return q;
         });
       case SearchQueryTypes.OR:
         return new Brackets((q): unknown => {
           (query as ANDSearchQuery).list.forEach((sq) => {
-              q.orWhere(this.buildWhereQuery(sq, directoryOnly));
+              q.orWhere(this.buildWhereQuery(sq, directoryOnly, aliases, recursiveDir));
             }
           );
           return q;
@@ -968,6 +970,19 @@ export class SearchManager {
             return dq;
           })
         );
+        // For sharing projection queries, also match subdirectories recursively
+        if (
+          recursiveDir &&
+          query.type === SearchQueryTypes.directory &&
+          (query as TextSearch).matchType === TextSearchQueryMatchTypes.exact_match
+        ) {
+          const normalizedDirPath = dirPathStr.endsWith('/') ? dirPathStr : dirPathStr + '/';
+          textParam['subDirPath' + queryId] = normalizedDirPath + '%';
+          q[whereFN](
+            `${alias}.path ${LIKE} :subDirPath${queryId} COLLATE ` + SQL_COLLATE,
+            textParam
+          );
+        }
       }
 
       if (

src/backend/model/database/SessionManager.ts

@@ -41,10 +41,10 @@ export class SessionManager {
 
     if (finalQuery) {
       // Build the Brackets-based query
-      context.projectionQuery = await ObjectManagers.getInstance().SearchManager.prepareAndBuildWhereQuery(finalQuery);
+      context.projectionQuery = await ObjectManagers.getInstance().SearchManager.prepareAndBuildWhereQuery(finalQuery, false, {}, true);
       context.hasDirectoryProjection = ObjectManagers.getInstance().SearchManager.hasDirectoryQuery(finalQuery);
       if (context.hasDirectoryProjection) {
-        context.projectionQueryForSubDir = await ObjectManagers.getInstance().SearchManager.prepareAndBuildWhereQuery(finalQuery, true, {directory: 'directories'});
+        context.projectionQueryForSubDir = await ObjectManagers.getInstance().SearchManager.prepareAndBuildWhereQuery(finalQuery, true, {directory: 'directories'}, true);
       }
       context.user.projectionKey = this.createProjectionKey(finalQuery);
       if (SearchQueryUtils.isQueryEmpty(finalQuery)) {

src/backend/routes/GalleryRouter.ts

@@ -35,8 +35,9 @@ export class GalleryRouter {
       [Config.Server.apiPath + '/gallery/content/:directory(*)', Config.Server.apiPath + '/gallery/', Config.Server.apiPath + '/gallery//'],
       // common part
       AuthenticationMWs.authenticate,
-      AuthenticationMWs.authorise(UserRoles.Guest), //sharing user can only go through search. They can't just wander through the whole gallery
+      AuthenticationMWs.authorise(UserRoles.LimitedGuest),
       AuthenticationMWs.normalizePathParam('directory'),
+      AuthenticationMWs.authoriseSharingDirectory, // LimitedGuest: scope-checks the requested directory against the share root
       VersionMWs.injectGalleryVersion,
 
       // specific part
@@ -51,7 +52,7 @@ export class GalleryRouter {
   protected static addDirectoryZip(app: Express): void {
     app.get(
       [Config.Server.apiPath + '/gallery/zip/:searchQueryDTO(*)'],
-      // common part
+      // LimitedGuest allowed; content is scoped to the share by the session projectionQuery
       AuthenticationMWs.authenticate,
       AuthenticationMWs.authorise(UserRoles.LimitedGuest),
 
@@ -162,7 +163,7 @@ export class GalleryRouter {
   protected static addRandom(app: Express): void {
     app.get(
       [Config.Server.apiPath + '/gallery/random/:searchQueryDTO'],
-      // common part
+      // LimitedGuest allowed; content is scoped to the share by the session projectionQuery
       AuthenticationMWs.authenticate,
       AuthenticationMWs.authorise(UserRoles.LimitedGuest),
       VersionMWs.injectGalleryVersion,
@@ -256,7 +257,7 @@ export class GalleryRouter {
   protected static addSearch(app: Express): void {
     app.get(
       Config.Server.apiPath + '/search/:searchQueryDTO(*)',
-      // common part
+      // LimitedGuest allowed; content is scoped to the share by the session projectionQuery
       AuthenticationMWs.authenticate,
       AuthenticationMWs.authorise(UserRoles.LimitedGuest),
       VersionMWs.injectGalleryVersion,
@@ -274,7 +275,7 @@ export class GalleryRouter {
   protected static addAutoComplete(app: Express): void {
     app.get(
       Config.Server.apiPath + '/autocomplete/:value(*)',
-      // common part
+      // LimitedGuest allowed; content is scoped to the share by the session projectionQuery
       AuthenticationMWs.authenticate,
       AuthenticationMWs.authorise(UserRoles.LimitedGuest),
       VersionMWs.injectGalleryVersion,

src/backend/routes/SharingRouter.ts

@@ -41,7 +41,7 @@ export class SharingRouter {
       // its a public path
       SharingMWs.getSharingKey,
       ServerTimingMWs.addServerTiming,
-      RenderingMWs.renderSharing
+      RenderingMWs.renderResult
     );
   }
 

src/common/entities/SharingDTO.ts

@@ -3,6 +3,7 @@ import {SearchQueryDTO} from './SearchQueryDTO';
 
 export interface SharingDTOKey {
   sharingKey: string;
+  passwordProtected?: boolean;
 }
 
 export interface BaseSharingDTO extends SharingDTOKey {

src/frontend/app/model/navigation.service.ts

@@ -4,8 +4,6 @@ import {IsActiveMatchOptions, Router} from '@angular/router';
 import {ShareService} from '../ui/gallery/share.service';
 import {Config} from '../../../common/config/public/Config';
 import {NavigationLinkTypes} from '../../../common/config/public/ClientConfig';
-import {firstValueFrom} from 'rxjs';
-
 @Injectable()
 export class NavigationService {
   constructor(private router: Router, private shareService: ShareService) {
@@ -31,7 +29,8 @@ export class NavigationService {
   public async toLogin(): Promise<boolean> {
     await this.shareService.wait();
     if (this.shareService.isSharing()) {
-      if ((await firstValueFrom(this.shareService.currentSharing)).passwordProtected === true) {
+      // sharingPasswordProtected is set synchronously from the /key endpoint before ReadyPR resolves
+      if (this.shareService.sharingPasswordProtected === true) {
         return this.router.navigate(['shareLogin'], {
           queryParams: {sk: this.shareService.getSharingKey()},
         });

src/frontend/app/model/network/authentication.service.ts

@@ -19,6 +19,7 @@ declare module ServerInject {
 @Injectable({providedIn: 'root'})
 export class AuthenticationService {
   public readonly user: BehaviorSubject<UserDTO>;
+  private sessionUserPromise: Promise<void> | null = null;
 
   constructor(
     private userService: UserService,
@@ -39,7 +40,8 @@ export class AuthenticationService {
       ) {
         this.user.next(ServerInject.user);
       }
-      this.getSessionUser().catch(console.error);
+      this.sessionUserPromise = this.getSessionUser();
+      this.sessionUserPromise.catch(console.error);
     } else {
       if (Config.Users.authenticationRequired === false) {
         this.user.next({
@@ -99,14 +101,19 @@ export class AuthenticationService {
   public async logout(): Promise<void> {
     await this.userService.logout();
     this.user.next(null);
-    // even on logout try to get sharing user if it's a sharing
+    // Restore a non-password-protected sharing session after logout.
+    // Skip for password-protected shares — getSessionUser always returns 401 until re-auth.
     await this.shareService.wait();
-    if(this.shareService.isSharing()){
+    if (this.shareService.isSharing() && this.shareService.sharingPasswordProtected !== true) {
       await this.getSessionUser();
     }
   }
 
-  private async getSessionUser(): Promise<void> {
+  public waitForSessionUser(): Promise<void> {
+    return this.sessionUserPromise ?? Promise.resolve();
+  }
+
+  public async getSessionUser(): Promise<void> {
     try {
       this.user.next(await this.userService.getSessionUser());
     } catch (error) {

src/frontend/app/model/network/helper/auth.guard.ts

@@ -2,23 +2,37 @@ import {Injectable} from '@angular/core';
 import {ActivatedRouteSnapshot, CanActivate, RouterStateSnapshot} from '@angular/router';
 import {AuthenticationService} from '../authentication.service';
 import {NavigationService} from '../../navigation.service';
+import {ShareService} from '../../../ui/gallery/share.service';
 
 @Injectable({providedIn: 'root'})
-export class AuthGuard implements CanActivate{
+export class AuthGuard implements CanActivate {
   constructor(
-      private authenticationService: AuthenticationService,
-      private navigationService: NavigationService
+    private authenticationService: AuthenticationService,
+    private navigationService: NavigationService,
+    private shareService: ShareService,
   ) {
   }
 
-  canActivate(
-      route: ActivatedRouteSnapshot,
-      state: RouterStateSnapshot
-  ): boolean {
-    if (this.authenticationService.isAuthenticated() === true) {
+  async canActivate(
+    route: ActivatedRouteSnapshot,
+    state: RouterStateSnapshot
+  ): Promise<boolean> {
+    // Wait for session cookie restoration (async HTTP call started in constructor)
+    await this.authenticationService.waitForSessionUser();
+
+    if (this.authenticationService.isAuthenticated()) {
       return true;
     }
 
+    // For no-password shares, try backend auto-authentication via the sharing key
+    await this.shareService.wait();
+    if (this.shareService.isSharing() && this.shareService.sharingPasswordProtected === false) {
+      await this.authenticationService.getSessionUser();
+      if (this.authenticationService.isAuthenticated()) {
+        return true;
+      }
+    }
+
     this.navigationService.toLogin().catch(console.error);
     return false;
   }