[full-ci] Allow no permissions on Links

[kobergj]

Adds an endpoint to ocs service that exposes information about link tokens.
Usage:

curling the unprotected endpoint returns standard information

curl --insecure -X GET https://localhost:9200/ocs/v1.php/apps/files_sharing/api/v1/tokeninfo/unprotected/jqDCLhaiyIvXZTp

<TokenInfo>
  <token>jqDCLhaiyIvXZTp</token>
  <linkurl>/s/jqDCLhaiyIvXZTp</linkurl>
  <passwordprotected>false</passwordprotected>
  <storageid>f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c</storageid>
  <opaqueid>c6378f93-0e2d-4f77-812b-a1b2b3ee04ae</opaqueid>
  <path/>
  <spacePath/>
  <spaceAlias/>
  <spaceURL/>
</TokenInfo>

curling a password protected link only returns minimal information

curl --insecure -X GET https://localhost:9200/ocs/v1.php/apps/files_sharing/api/v1/tokeninfo/unprotected/jqDCLhaiyIvXZTp

<TokenInfo>
  <token>jqDCLhaiyIvXZTp</token>
  <linkurl>/s/jqDCLhaiyIvXZTp</linkurl>
  <passwordprotected>true</passwordprotected>
  <storageid/>
  <opaqueid/>
  <path/>
  <spacePath/>
  <spaceAlias/>
  <spaceURL/>
</TokenInfo>

curling the protected endpoint returns full information if user has native access

curl --insecure -X GET https://localhost:9200/ocs/v1.php/apps/files_sharing/api/v1/tokeninfo/protected/jqDCLhaiyIvXZTp -u marie:radioactivity

<TokenInfo>
  <token>jqDCLhaiyIvXZTp</token>
  <linkurl>/s/jqDCLhaiyIvXZTp</linkurl>
  <passwordprotected>false</passwordprotected>
  <storageid>f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c</storageid>
  <opaqueid>c6378f93-0e2d-4f77-812b-a1b2b3ee04ae</opaqueid>
  <path/>
  <spacePath>/users/f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c</spacePath>
  <spaceAlias>personal/marie</spaceAlias>
  <spaceURL>personal/marie/c6378f93-0e2d-4f77-812b-a1b2b3ee04ae</spaceURL>
</TokenInfo>

curling the protected endpoint returns same information as unprotected endpoint if user does not have native access

curl --insecure -X GET https://localhost:9200/ocs/v1.php/apps/files_sharing/api/v1/tokeninfo/protected/jqDCLhaiyIvXZTp -u einstein:relativity

<TokenInfo>
  <token>jqDCLhaiyIvXZTp</token>
  <linkurl>/s/jqDCLhaiyIvXZTp</linkurl>
  <passwordprotected>false</passwordprotected>
  <storageid>f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c</storageid>
  <opaqueid>c6378f93-0e2d-4f77-812b-a1b2b3ee04ae</opaqueid>
  <path/>
  <spacePath/>
  <spaceAlias/>
  <spaceURL/>
</TokenInfo>

curling the protected endpoint without authentication returns 401 Unauthorized

curl --insecure -X GET https://localhost:9200/ocs/v1.php/apps/files_sharing/api/v1/tokeninfo/protected/jqDCLhaiyIvXZTp

HTTP/1.1 401 Unauthorized

[lgtm-com]

This pull request introduces 1 alert when merging f3aed1b into fe9a8c2 - view on LGTM.com

new alerts:

• 1 for Useless assignment to local variable

[butonic]

why does it make sense to have two endpoints? when should clients use /dav/tokeninfo/unprotected/{token} and when /dav/tokeninfo/protected/{token}? why is a single /dav/tokeninfo/{token} endpoint not sufficient?

[kobergj]

@butonic Clients should use the protected endpoint when they have an authenticated user already. The unprotected endpoint is used when there is no user logged in yet.

Of course this could also be done in one endpoint. But then we would need to duplicate authentication logic from the auth interceptor. By using different endpoints the auth middleware can take care of authentication, and future refactorings can be done in auth middleware only.

IMO it was the simplest and stablest approach to use two endpoints and reuse existing code.

[butonic]

could you move this to the ocs service instead of ocdav. this is not really webdav and being able to query this information as json is a lot nicer for the web clients.

[kobergj]

@butonic I moved the handler to ocs. Please recheck!