Allow anonymous token creation (#422)

steunix · web-flow · commit 21686e4e44b4 · 2025-10-14T11:45:46.000+02:00
Fixes #421
diff --git a/api/v1/routes/onetimetokens.mjs b/api/v1/routes/onetimetokens.mjs
@@ -7,15 +7,11 @@
  */
 
 import { Router } from 'express'
-import * as auth from '../../../lib/auth.mjs'
 
 import * as oneTimeTokensController from '../controllers/onetimetokens.mjs'
 
 const router = Router({ mergeParams: true })
 
-// Validation middleware
-router.use(/\/$/, auth.validateJWT)
-
 router.post('/', oneTimeTokensController.create)
 
 router.get('/:id', oneTimeTokensController.get)
diff --git a/docs/apidoc/paths/onetimetokens.yaml b/docs/apidoc/paths/onetimetokens.yaml
@@ -6,8 +6,7 @@ get:
   description: |
     Get one time token content, encrypted with the key provided in the request. The token is then deleted and will not be accessible anymore.
     The response will contain the initialization vector and the base64-encoded encrypted data in the form "iv:data". The key used for encryption is provided in the request.
-  security:
-    - bearerAuth: []
+    You don't need to be authenticated to use this endpoint, but the token will be retreived only if you're the correct audience.
   parameters:
     - $ref: '..\parameters\onetimetokens.yaml#/token'
     - $ref: '..\parameters\onetimetokens.yaml#/key'
@@ -26,14 +25,12 @@ post:
     - One time tokens
   operationId: "createOneTimeToken"
   summary: Create a one time token
-  description: Create a one time token
+  description: Create a one time token; you don't need to be authenticated to use it.
   requestBody:
     content:
       application/json:
         schema:
           $ref: '..\requestbodies\onetimetokens.yaml#/oneTimeTokenCreateBody'
-  security:
-    - bearerAuth: []
   responses:
     "201":
       $ref: '..\responsebodies\default.yaml#/created'
diff --git a/docs/index.md b/docs/index.md
@@ -120,12 +120,17 @@ While groups can be nested to form a tree, there is no membership inheritance: i
 
 ### One time secrets
 
-OTS are an easy way to share a secret with someone: you provide the data to share and you will receive back a unique token: accessing the token through the API, you will have access to the the decrypted data, **but only once**: once "consumed", the token will be deleted.
+OTS are an easy way to share a secret with someone: you provide the data to share and you will receive back a unique token: accessing the token through the API, you will have access to the the decrypted data, **but only once**: once "consumed", the token will be deleted. You can choose the audience of the OTS:
+- anyone (logged in or not)
+- anyone logged in (requires authentication for reading the token)
+- a specific user (both creator and reader must be authenticated)
 
 This is similar to various public services you can find online.
 
 You can share both random text, or an entire item.
 
+Note that both creation and consumption of OTS don't require any authentication.
+
 ### API keys
 
 API keys can be created to easier credential handling in case of automated clients. An API key is bound to a user, whose authentication method must be 'apikey': this way you can easily manage permissions as you would do for a regular
