feat: prepare for deprecating client signed urls

[rhafer]

PROPFIND requests to '/dav/meta/.../v' now also include the 'oc:downloadURL' property in the response, if requested.

Also the archive is able now to produce signed urls for downloading an archive.

Partial: opencloud-eu/opencloud#1197

[rhafer]

@JammingBen This introduces a new endpoint for the archive that will redirect to a server signed urls for generating an archive.

You'd send a request to archiver/v2?id=.... and will get back a 303 with the location header set to the signed URL for downloading the archive:

> curl -ki -u admin:admin 'https://localhost:9200/archiver/v2?id=4697c284-c203-477e-9a7b-0d0986cbc53f%246cbc8cd2-92ad-43b5-986d-f756e8f85bfd%219a33c973-1fb7-4e07-8601-66212980afc0'
HTTP/1.1 303 See Other
Content-Length: 0
Content-Security-Policy: child-src 'self'; connect-src 'self' blob: https://raw.githubusercontent.com/opencloud-eu/awesome-apps/ https://update.opencloud.eu/ https://companion.opencloud.test/ wss://companion.opencloud.test/ https://keycloak.opencloud.test/; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/ https://collabora.opencloud.test/ https://docs.opencloud.eu; img-src 'self' data: blob: https://raw.githubusercontent.com/opencloud-eu/awesome-apps/ https://tile.openstreetmap.org/ https://collabora.opencloud.test/; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline' https://keycloak.opencloud.test/; style-src 'self' 'unsafe-inline'
Content-Type: none
Date: Mon, 08 Dec 2025 15:56:31 GMT
Location: https://localhost:9200/archiver?id=4697c284-c203-477e-9a7b-0d0986cbc53f%246cbc8cd2-92ad-43b5-986d-f756e8f85bfd%219a33c973-1fb7-4e07-8601-66212980afc0&oc-jwt-sig=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0YXJnZXRfdXJsIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6OTIwMC9hcmNoaXZlcj9pZD00Njk3YzI4NC1jMjAzLTQ3N2UtOWE3Yi0wZDA5ODZjYmM1M2YlMjQ2Y2JjOGNkMi05MmFkLTQzYjUtOTg2ZC1mNzU2ZThmODViZmQlMjE5YTMzYzk3My0xZmI3LTRlMDctODYwMS02NjIxMjk4MGFmYzAiLCJpc3MiOiJyZXZhIiwic3ViIjoiODYyY2ZhMDItZTQ2Mi00ZDI5LWJiMTMtMGQ2NWI4ZGY5MTZjIiwiZXhwIjoxNzY1MjExMTkxLCJpYXQiOjE3NjUyMDkzOTF9.VIj1G681zcM1uXUxeANOBilWDLCENwGoBZ6LyVA798w
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=315360000; preload
Vary: Origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Request-Id: 02a384f2f6e2/mTZqGhbPjw-000021
X-Robots-Tag: none
X-Xss-Protection: 1; mode=block

Does that make sense for web? Or would you prefer some different kind of interface here?

[JammingBen]

Yup this should be fine! Does it work unauthenticated on public links and with basic auth on password-protected links as well? And how would I concatenate multiple ids?

[rhafer]

Yup this should be fine! Does it work unauthenticated on public links and with basic auth on password-protected links as well?

I'd hope so. But I still need to try.

And how would I concatenate multiple ids?

Just like on the old endpoint /archiver/v2?id=1&id=2&id=3

[rhafer]

Does it work unauthenticated on public links and with basic auth on password-protected links as well?

I can confirm that this works for public links (password protected or not) as well.

[rhafer]

Argh, I just noticed I introduced a stupid bug that would allow downloading arbitrary files from the creator of a public link. 🤦‍♂️