/**
* SPDX-License-Identifier: LicenseRef-GPL-3.0-or-later-WITH-js-exceptions
*
* Copyright 2022 Jacob K
* Copyright 2022 Wojtek Kosior <koszko@koszko.org>
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* As additional permission under GNU GPL version 3 section 7, you
* may distribute forms of that code without the copy of the GNU
* GPL normally required by section 4, provided you include this
* license notice and, in case of non-source distribution, a URL
* through which recipients can access the Corresponding Source.
* If you modify file(s) with this exception, you may extend this
* exception to your version of the file(s), but you are not
* obligated to do so. If you do not wish to do so, delete this
* exception statement from your version.
*
* As a special exception to the GPL, any HTML file which merely
* makes function calls to this code, and for that purpose
* includes it by reference shall be deemed a separate work for
* copyright law purposes. If you modify this code, you may extend
* this exception to your version of the code, but you are not
* obligated to do so. If you do not wish to do so, delete this
* exception statement from your version.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* I, Wojtek Kosior, thereby promise not to sue for violation of this file's
* license. Although I request that you do not make use of this code in a
* proprietary program, I am not going to enforce this in court.
*/
/*
* Use with https://***.app.box.com/s/*
* '***' instead of '*' for the first section because otherwise plain app.box.com
* URLs won't work.
*/
// TODO: find a public folder link (the private links I have seem to work)
// TODO: find a (preferably public) link with a folder inside a folder, as these may need to be handled differently
/* Extract data from a script that sets multiple variables. */ // from here: https://api-demo.hachette-hydrilla.org/content/sgoogle_sheets_download/google_sheets_download.js
let prefetchedData = null; // This variable isn't actually used.
for (const script of document.scripts) {
const match = /Box.prefetchedData = ({([^;]|[^}];)+})/.exec(script.textContent); // looks for "Box.prefetchedData = " in the script files and then grabs the json text after that.
if (!match)
continue;
prefetchedData = JSON.parse(match[1]);
}
let config = null;
for (const script of document.scripts) {
const match = /Box.config = ({([^;]|[^}];)+})/.exec(script.textContent); // looks for "Box.config = " in the script files and then grabs the json text after that.
if (!match)
continue;
config = JSON.parse(match[1]);
}
let postStreamData = null;
for (const script of document.scripts) {
const match = /Box.postStreamData = ({([^;]|[^}];)+})/.exec(script.textContent); // looks for "Box.postStreamData = " in the script files and then grabs the json text after that.
if (!match)
continue;
postStreamData = JSON.parse(match[1]);
}
// get domain from URL
const domain = document.location.href.split("/")[2];
/* Replace current page contents. */
const replacement_html = `\
<!DOCTYPE html>
<html>
<head>
<style>
button, .button {
border-radius: 10px;
padding: 20px;
color: #333;
background-color:
lightgreen;
text-decoration: none;
display: inline-block;
}
button:hover, .button:hover {
box-shadow: -4px 8px 8px #888;
}
.hide {
display: none;
}
#download_button .unofficial, #download_button .red_note {
display: none;
}
#download_button.unofficial .unofficial {
display: inline;
}
#download_button.unofficial .red_note {
display: block;
}
.red_note {
font-size: 75%;
color: #c55;
font-style: italic;
text-align: center;
}
</style>
</head>
<body>
<h1 id="loading" class="hide">loading...</h1>
<h1 id="error" class="hide">error occured :(</h1>
<h1 id="title" class="hide"></h1>
<div id="single_file_section" class="hide">
<a id="download_button" class="button">
<span class="unofficial">unofficial</span> download
<aside class="red_note">(officially disallowed)</aside>
</a>
<aside></aside>
<h2>File info</h2>
<div id="file_info"></div>
</div>
</body>
</html>
`;
/*
* We could instead use document.write(), but browser's debugging tools would
* not see the new page contents.
*/
const parser = new DOMParser();
const alt_doc = parser.parseFromString(replacement_html, "text/html");
document.documentElement.replaceWith(alt_doc.documentElement);
const nodes = {};
document.querySelectorAll('[id]').forEach(node => nodes[node.id] = node);
function show_error() {
nodes.loading.classList.add("hide");
nodes.error.classList.remove("hide");
}
function show_title(text) {
nodes.title.innerText = text;
nodes.loading.classList.add("hide");
nodes.title.classList.remove("hide");
}
async function hack_file() {
nodes.loading.classList.remove("hide");
const tokens_url = "/app-api/enduserapp/elements/tokens";
const file_nr = postStreamData["/app-api/enduserapp/shared-item"].itemID;
const file_id = `file_${file_nr}`;
const shared_name = postStreamData["/app-api/enduserapp/shared-item"].sharedName;
/*
* We need to perform a POST to obtain a token that will be used later to
* authenticate against Box's API endpoint.
*/
const tokens_response = await fetch(tokens_url, {
method: "POST",
headers: {
"Accept": "application/json",
"Content-Type": "application/json",
"Request-Token": config.requestToken,
"X-Box-Client-Name": "enduserapp",
"X-Box-Client-Version": "20.712.2",
"X-Box-EndUser-API": `sharedName=${shared_name}`,
"X-Request-Token": config.requestToken
},
body: JSON.stringify({"fileIDs": [file_id]})
});
console.log("tokens_response", tokens_response);
const access_token = (await tokens_response.json())[file_id].read;
console.log("access_token", access_token);
const fields = [
"permissions", "shared_link", "sha1", "file_version", "name", "size",
"extension", "representations", "watermark_info",
"authenticated_download_url", "is_download_available",
"content_created_at", "content_modified_at", "created_at", "created_by",
"modified_at", "modified_by", "owned_by", "description",
"metadata.global.boxSkillsCards", "expires_at", "version_limit",
"version_number", "is_externally_owned", "restored_from",
"uploader_display_name"
];
const file_info_url =
`https://api.box.com/2.0/files/${file_nr}?fields=${fields.join()}`;
/*
* We need to perform a GET to obtain file metadata. The fields we curently
* make use of are "authenticated_download_url" and "file_version", but in
* the request we also include names of other fields that the original Box
* client would include. The metadata is then dumped as JSON on the page, so
* the user, if curious, can look at it.
*/
const file_info_response = await fetch(file_info_url, {
headers: {
"Accept": "application/json",
"Authorization": `Bearer ${access_token}`,
"BoxApi": `shared_link=${document.URL}`,
"X-Box-Client-Name": "ContentPreview",
"X-Rep-Hints": "[3d][pdf][text][mp3][json][jpg?dimensions=1024x1024&paged=false][jpg?dimensions=2048x2048,png?dimensions=2048x2048][dash,mp4][filmstrip]"
},
});
console.log("file_info_response", file_info_response);
const file_info = await file_info_response.json();
console.log("file_info", file_info);
const params = new URLSearchParams();
params.set("preview", true);
params.set("version", file_info.file_version.id);
params.set("access_token", access_token);
params.set("shared_link", document.URL);
params.set("box_client_name", "box-content-preview");
params.set("box_client_version", "2.82.0");
params.set("encoding", "gzip");
/* We use file metadata from earlier requests to construct the link. */
const download_url =
`${file_info.authenticated_download_url}?${params.toString()}`;
console.log("download_url", download_url);
show_title(file_info.name);
nodes.download_button.href = download_url;
if (!file_info.permissions.can_download)
nodes.download_button.classList.add("unofficial");
nodes.file_info.innerText = JSON.stringify(file_info);
nodes.single_file_section.classList.remove("hide");
}
if (postStreamData["/app-api/enduserapp/shared-item"].itemType == "file") {
/*
* We call hack_file and in case it asynchronously throws an exception, we
* make an error message appear.
*/
hack_file().then(() => {}, show_error);
} else if (postStreamData["/app-api/enduserapp/shared-item"].itemType == "folder") {
show_title(postStreamData["/app-api/enduserapp/shared-folder"].currentFolderName);
// TODO: implement a download folder button (included in proprietary app)
/*
The original download folder button sends a GET request that gets 2 URLs
in the response. 1 of those URLs downloads the file, and a POST request
is sent after (or maybe while in some cases?) a file is downloaded, to
let the server know how much is downloaded.
*/
// for each item in the folder, show a button with a link to download it
postStreamData["/app-api/enduserapp/shared-folder"].items.forEach(function(item) {
console.log("item", item);
const file_direct_url = "https://"+domain+"/index.php?rm=box_download_shared_file&shared_name="+postStreamData["/app-api/enduserapp/shared-item"].sharedName+"&file_id="+item.typedID;
const folderButton = nodes.download_button.cloneNode(false);
folderButton.removeAttribute("id");
if (item.type == "file") {
folderButton.href = file_direct_url;
folderButton.innerText = item.name; // show the name of the file
} else if (item.type == "folder") {
folderButton.innerText = "[folders inside folders not yet supported]";
} else {
folderButton.innerText = "[this item type is not supported]";
}
document.body.appendChild(folderButton);
});
} else {
console.log('expected "folder" or "file" as the item type (postStreamData["/app-api/enduserapp/shared-item"].itemType) but got ' + postStreamData["/app-api/enduserapp/shared-item"].itemType + ' instead; this item type is not implemented');
show_error();
}
