Drop /signing-key endpoint

[butonic]

The ocs/v1.php/user/signing-key endpoint is no longer used by ocis web. We should kill the endpoint in ocis and oc10.

For public password protected links the web ui now uses the oc:downloadurl property from the propfind, so there is no longer any need for the ocis signing key.

The OC10 classic ui uses a cookie to access thumbnails.

[kulmann]

Unfortunately it is used quite heavily in ownCloud Web:

• avatars
• file downloads in authenticated context

See https://github.com/owncloud/web/search?q=signUrl for reference

The API endpoint is used in the sdk in context of the signUrl method of the owncloud-sdk

My personal wish would be that everything we do with signed urls would be solved server side. Happy to remove client side url signing again as soon as we switched over. Would need oc10 core changes as well though, so this would not be a fast win.

[butonic]

ok so we should always provide a signed url in the oc:downloadURL property. For ocis we do this https://github.com/cs3org/reva/blob/master/internal/http/services/owncloud/ocdav/propfind.go#L691-L700 And verify it https://github.com/cs3org/reva/blob/ef2574b11e7aac1b5442a27490e11e3a4eead5ab/internal/http/services/owncloud/ocdav/dav.go#L179-L187

@C0rby might want to change aspects of the implementation.

Could we leave oc10 compatability to the sdk? Then we don't need touch oc10 ... and web could remain blissfully ignorant ;-)

[wkloucek]

Seems like we could drop the whole ocs oCIS service (not to be confused with the REVA ocs service running in the oCIS frontend service) as soon as we droped the signing-key endpoint.

See code:

https://github.com/owncloud/ocis/blob/9a2cd49dcafacdc54489199a255784d248509b3c/services/proxy/pkg/config/defaults/defaultconfig.go#L148-L150

https://github.com/owncloud/ocis/issues/3913#issuecomment-1918983902 proposes some ways that could be gone to leverage the graph api for obtaining pre signed URLs