New way

2025-08-08 07:28:26 +00:00 · 2024-11-27 10:17:56 +05:30 · 2024-11-27 10:17:56 +05:30 · 9f1e8f9254
commit 9f1e8f9254
parent 74117db8b0
2 changed files with 75 additions and 0 deletions
--- a/web/packages/base/http.ts
+++ b/web/packages/base/http.ts
@ -24,6 +24,47 @@ export const publicRequestHeaders = () => ({
    "X-Client-Package": clientPackageName,
 });

+/**
+ * A set of credentials needed to make public collections related API requests.
+ */
+interface PublicAlbumsCredentials {
+    /**
+     * An access token that does the same job as the "X-Auth-Token" for usual
+     * authenticated API requests, except it will be passed as the
+     * ""X-Auth-Access-Token" header.
+     */
+    accessToken: string;
+    /**
+     * [Note: Password token for public albums requests].
+     *
+     * A password protected access token. This is only needed for albums that
+     * are behind a password. In such cases, the client needs to fetch this
+     * extra token from remote (in exchange for the public album's password),
+     * and then pass it as the "X-Auth-Access-Token-JWT" header in authenticated
+     * public collections related API requests.
+     */
+    accessTokenJWT?: string | undefined;
+}
+
+/**
+ * Return headers that should be passed alongwith public collection related
+ * authenticated `fetch` calls that we make to our API servers.
+ *
+ * -   The auth token.
+ * -   The password protected auth token (if provided).
+ * -   The client package name.
+ */
+export const authenticatedPublicAlbumsRequestHeaders = ({
+    accessToken,
+    accessTokenJWT,
+}: PublicAlbumsCredentials) => ({
+    "X-Auth-Access-Token": accessToken,
+    ...(accessTokenJWT && {
+        "X-Auth-Access-Token-JWT": accessTokenJWT,
+    }),
+    "X-Client-Package": clientPackageName,
+});
+
 /**
 * A custom Error that is thrown if a fetch fails with a non-2xx HTTP status.
 */
--- a/web/packages/new/albums/services/publicCollection.ts
+++ b/web/packages/new/albums/services/publicCollection.ts
@ -0,0 +1,34 @@
+import { authenticatedPublicAlbumsRequestHeaders, ensureOk } from "@/base/http";
+import { apiURL } from "@/base/origins";
+import { z } from "zod";
+
+/**
+ * Verify with remote that the password (hash) entered by the user is the same
+ * as the password that was set by the person who shared the album. If they
+ * match, remote will provide us with another token that can be used to make API
+ * calls for this password protected public album.
+ *
+ * See: [Note: Password token for public albums requests]
+ *
+ * @param passwordHash The hash of the password entered by the user.
+ *
+ * @param token The access token to make API requests for a particular public
+ * album.
+ *
+ * @returns The password token ("accessTokenJWT").
+ */
+export const verifyPublicCollectionPassword = async (
+    passwordHash: string,
+    accessToken: string,
+) => {
+    const res = await fetch(
+        await apiURL("/public-collection/verify-password"),
+        {
+            method: "POST",
+            headers: authenticatedPublicAlbumsRequestHeaders({ accessToken }),
+            body: JSON.stringify({ passHash: passwordHash }),
+        },
+    );
+    ensureOk(res);
+    return z.object({ jwtToken: z.string() }).parse(await res.json()).jwtToken;
+};