diff --git a/CODEOWNERS b/CODEOWNERS
index 830c037728..4c9822be14 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -11,5 +11,7 @@ pkg/storage/fs/owncloudsql            @cs3org/owncloud-team
 pkg/storage/fs/owncloud               @cs3org/owncloud-team
 pkg/storage/fs/ocis                   @cs3org/owncloud-team
 pkg/storage/utils/decomposedfs        @cs3org/owncloud-team
+pkg/storage/utils/eosfs               @labkode @ishank011 @glpatcern
 pkg/user/manager/owncloudsql          @cs3org/owncloud-team
+pkg/eosclient                         @labkode @ishank011 @glpatcern
 pkg/app                               @labkode @ishank011 @wkloucek @glpatcern
diff --git a/changelog/unreleased/fix-share-recyclebin.md b/changelog/unreleased/fix-share-recyclebin.md
new file mode 100644
index 0000000000..fb0b500138
--- /dev/null
+++ b/changelog/unreleased/fix-share-recyclebin.md
@@ -0,0 +1,3 @@
+Bugfix: Remove share refs from trashbin
+
+https://github.com/cs3org/reva/pull/2298
\ No newline at end of file
diff --git a/changelog/unreleased/public-link-propfind.md b/changelog/unreleased/public-link-propfind.md
new file mode 100644
index 0000000000..d2809bbdb0
--- /dev/null
+++ b/changelog/unreleased/public-link-propfind.md
@@ -0,0 +1,6 @@
+Enhancement: Add new attributes to public link propfinds
+
+Added a new property "oc:signature-auth" to public link propfinds.
+This is a necessary change to be able to support archive downloads in password protected public links.
+
+https://github.com/cs3org/reva/pull/2315
diff --git a/internal/http/services/owncloud/ocdav/propfind.go b/internal/http/services/owncloud/ocdav/propfind.go
index e1c43146b6..320049dfe1 100644
--- a/internal/http/services/owncloud/ocdav/propfind.go
+++ b/internal/http/services/owncloud/ocdav/propfind.go
@@ -847,6 +847,24 @@ func (s *svc) mdToPropResponse(ctx context.Context, pf *propfindXML, md *provide
 					} else {
 						propstatNotFound.Prop = append(propstatNotFound.Prop, s.newProp("oc:"+pf.Prop[i].Local, ""))
 					}
+				case "signature-auth":
+					if isPublic {
+						// We only want to add the attribute to the root of the propfind.
+						if strings.HasSuffix(md.Path, ls.Token) && ls.Signature != nil {
+							expiration := time.Unix(int64(ls.Signature.SignatureExpiration.Seconds), int64(ls.Signature.SignatureExpiration.Nanos))
+							var sb strings.Builder
+							sb.WriteString("<oc:signature>")
+							sb.WriteString(ls.Signature.Signature)
+							sb.WriteString("</oc:signature>")
+							sb.WriteString("<oc:expiration>")
+							sb.WriteString(expiration.Format(time.RFC3339))
+							sb.WriteString("</oc:expiration>")
+
+							propstatOK.Prop = append(propstatOK.Prop, s.newPropRaw("oc:signature-auth", sb.String()))
+						} else {
+							propstatNotFound.Prop = append(propstatNotFound.Prop, s.newProp("oc:signature-auth", ""))
+						}
+					}
 				case "privatelink": // phoenix only
 					// <oc:privatelink>https://phoenix.owncloud.com/f/9</oc:privatelink>
 					fallthrough
diff --git a/internal/http/services/owncloud/ocdav/publicfile.go b/internal/http/services/owncloud/ocdav/publicfile.go
index b369f6650b..ed75e31672 100644
--- a/internal/http/services/owncloud/ocdav/publicfile.go
+++ b/internal/http/services/owncloud/ocdav/publicfile.go
@@ -181,9 +181,6 @@ func (s *svc) handlePropfindOnToken(w http.ResponseWriter, r *http.Request, ns s
 		w.WriteHeader(http.StatusNotFound)
 		return
 	}
-	// adjust path
-	tokenStatInfo.Path = path.Join("/", tokenStatInfo.Path, path.Base(pathRes.Path))
-
 	infos := s.getPublicFileInfos(onContainer, depth == "0", tokenStatInfo)
 
 	propRes, err := s.multistatusResponse(ctx, &pf, infos, ns, nil)
diff --git a/pkg/eosclient/eosbinary/eosbinary.go b/pkg/eosclient/eosbinary/eosbinary.go
index 6773513962..b9c1f6a5a4 100644
--- a/pkg/eosclient/eosbinary/eosbinary.go
+++ b/pkg/eosclient/eosbinary/eosbinary.go
@@ -632,8 +632,12 @@ func (c *Client) CreateDir(ctx context.Context, auth eosclient.Authorization, pa
 }
 
 // Remove removes the resource at the given path
-func (c *Client) Remove(ctx context.Context, auth eosclient.Authorization, path string) error {
-	args := []string{"rm", "-r", path}
+func (c *Client) Remove(ctx context.Context, auth eosclient.Authorization, path string, noRecycle bool) error {
+	args := []string{"rm", "-r"}
+	if noRecycle {
+		args = append(args, "--no-recycle-bin") // do not put the file in the recycle bin
+	}
+	args = append(args, path)
 	_, _, err := c.executeEOS(ctx, args, auth)
 	return err
 }
diff --git a/pkg/eosclient/eosclient.go b/pkg/eosclient/eosclient.go
index 30aed21697..c4e47e7b23 100644
--- a/pkg/eosclient/eosclient.go
+++ b/pkg/eosclient/eosclient.go
@@ -44,7 +44,7 @@ type EOSClient interface {
 	Chown(ctx context.Context, auth, chownauth Authorization, path string) error
 	Chmod(ctx context.Context, auth Authorization, mode, path string) error
 	CreateDir(ctx context.Context, auth Authorization, path string) error
-	Remove(ctx context.Context, auth Authorization, path string) error
+	Remove(ctx context.Context, auth Authorization, path string, noRecycle bool) error
 	Rename(ctx context.Context, auth Authorization, oldPath, newPath string) error
 	List(ctx context.Context, auth Authorization, path string) ([]*FileInfo, error)
 	Read(ctx context.Context, auth Authorization, path string) (io.ReadCloser, error)
diff --git a/pkg/eosclient/eosgrpc/eosgrpc.go b/pkg/eosclient/eosgrpc/eosgrpc.go
index 5e4df305d0..ea906c9de5 100644
--- a/pkg/eosclient/eosgrpc/eosgrpc.go
+++ b/pkg/eosclient/eosgrpc/eosgrpc.go
@@ -981,7 +981,7 @@ func (c *Client) CreateDir(ctx context.Context, auth eosclient.Authorization, pa
 
 }
 
-func (c *Client) rm(ctx context.Context, auth eosclient.Authorization, path string) error {
+func (c *Client) rm(ctx context.Context, auth eosclient.Authorization, path string, noRecycle bool) error {
 	log := appctx.GetLogger(ctx)
 	log.Info().Str("func", "rm").Str("uid,gid", auth.Role.UID+","+auth.Role.GID).Str("path", path).Msg("")
 
@@ -995,6 +995,7 @@ func (c *Client) rm(ctx context.Context, auth eosclient.Authorization, path stri
 
 	msg.Id = new(erpc.MDId)
 	msg.Id.Path = []byte(path)
+	msg.Norecycle = noRecycle
 
 	rq.Command = &erpc.NSRequest_Unlink{Unlink: msg}
 
@@ -1016,7 +1017,7 @@ func (c *Client) rm(ctx context.Context, auth eosclient.Authorization, path stri
 
 }
 
-func (c *Client) rmdir(ctx context.Context, auth eosclient.Authorization, path string) error {
+func (c *Client) rmdir(ctx context.Context, auth eosclient.Authorization, path string, noRecycle bool) error {
 	log := appctx.GetLogger(ctx)
 	log.Info().Str("func", "rmdir").Str("uid,gid", auth.Role.UID+","+auth.Role.GID).Str("path", path).Msg("")
 
@@ -1031,7 +1032,7 @@ func (c *Client) rmdir(ctx context.Context, auth eosclient.Authorization, path s
 	msg.Id = new(erpc.MDId)
 	msg.Id.Path = []byte(path)
 	msg.Recursive = true
-	msg.Norecycle = false
+	msg.Norecycle = noRecycle
 
 	rq.Command = &erpc.NSRequest_Rm{Rm: msg}
 
@@ -1053,7 +1054,7 @@ func (c *Client) rmdir(ctx context.Context, auth eosclient.Authorization, path s
 }
 
 // Remove removes the resource at the given path
-func (c *Client) Remove(ctx context.Context, auth eosclient.Authorization, path string) error {
+func (c *Client) Remove(ctx context.Context, auth eosclient.Authorization, path string, noRecycle bool) error {
 	log := appctx.GetLogger(ctx)
 	log.Info().Str("func", "Remove").Str("uid,gid", auth.Role.UID+","+auth.Role.GID).Str("path", path).Msg("")
 
@@ -1064,10 +1065,10 @@ func (c *Client) Remove(ctx context.Context, auth eosclient.Authorization, path
 	}
 
 	if nfo.IsDir {
-		return c.rmdir(ctx, auth, path)
+		return c.rmdir(ctx, auth, path, noRecycle)
 	}
 
-	return c.rm(ctx, auth, path)
+	return c.rm(ctx, auth, path, noRecycle)
 }
 
 // Rename renames the resource referenced by oldPath to newPath
diff --git a/pkg/storage/utils/eosfs/eosfs.go b/pkg/storage/utils/eosfs/eosfs.go
index 08fe448cfc..a02d83621f 100644
--- a/pkg/storage/utils/eosfs/eosfs.go
+++ b/pkg/storage/utils/eosfs/eosfs.go
@@ -1283,7 +1283,7 @@ func (fs *eosfs) Delete(ctx context.Context, ref *provider.Reference) error {
 		return err
 	}
 
-	return fs.c.Remove(ctx, auth, fn)
+	return fs.c.Remove(ctx, auth, fn, false)
 }
 
 func (fs *eosfs) deleteShadow(ctx context.Context, p string) error {
@@ -1292,19 +1292,17 @@ func (fs *eosfs) deleteShadow(ctx context.Context, p string) error {
 	}
 
 	if fs.isShareFolderChild(ctx, p) {
-		u, err := getUser(ctx)
-		if err != nil {
-			return errors.Wrap(err, "eosfs: no user in ctx")
-		}
-
 		fn := fs.wrapShadow(ctx, p)
 
-		auth, err := fs.getUserAuth(ctx, u, "")
+		// in order to remove the folder or the file without
+		// moving it to the recycle bin, we should take
+		// the privileges of the root
+		auth, err := fs.getRootAuth(ctx)
 		if err != nil {
 			return err
 		}
 
-		return fs.c.Remove(ctx, auth, fn)
+		return fs.c.Remove(ctx, auth, fn, true)
 	}
 
 	return errors.New("eosfs: shadow delete of share folder that is neither root nor child. path=" + p)