Hydrilla

/**

 * SPDX-License-Identifier: LicenseRef-GPL-3.0-or-later-WITH-js-exceptions

 *

 * Copyright 2022 Jacob K

 * Copyright 2022 Wojtek Kosior <koszko@koszko.org>

 *

 * This program is free software: you can redistribute it and/or modify

 * it under the terms of the GNU General Public License as published by

 * the Free Software Foundation, either version 3 of the License, or

 * (at your option) any later version.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * As additional permission under GNU GPL version 3 section 7, you

 * may distribute forms of that code without the copy of the GNU

 * GPL normally required by section 4, provided you include this

 * license notice and, in case of non-source distribution, a URL

 * through which recipients can access the Corresponding Source.

 * If you modify file(s) with this exception, you may extend this

 * exception to your version of the file(s), but you are not

 * obligated to do so. If you do not wish to do so, delete this

 * exception statement from your version.

 *

 * As a special exception to the GPL, any HTML file which merely

 * makes function calls to this code, and for that purpose

 * includes it by reference shall be deemed a separate work for

 * copyright law purposes. If you modify this code, you may extend

 * this exception to your version of the code, but you are not

 * obligated to do so. If you do not wish to do so, delete this

 * exception statement from your version.

 *

 * You should have received a copy of the GNU General Public License

 * along with this program.  If not, see <https://www.gnu.org/licenses/>.

 *

 * I, Wojtek Kosior, thereby promise not to sue for violation of this file's

 * license. Although I request that you do not make use of this code in a

 * proprietary program, I am not going to enforce this in court.

 */

/*

 * Use with https://***.app.box.com/s/*

 * '***' instead of '*' for the first section because otherwise plain app.box.com

 * URLs won't work.

 */

// TODO: find a public folder link (the private links I have seem to work)

// TODO: find a (preferably public) link with a folder inside a folder, as these may need to be handled differently

/* Extract data from a script that sets multiple variables. */ // from here: https://api-demo.hachette-hydrilla.org/content/sgoogle_sheets_download/google_sheets_download.js

let prefetchedData = null; // This variable isn't actually used.

for (const script of document.scripts) {

    const match = /Box.prefetchedData = ({([^;]|[^}];)+})/.exec(script.textContent); // looks for "Box.prefetchedData = " in the script files and then grabs the json text after that.

    if (!match)

	continue;

    prefetchedData = JSON.parse(match[1]);

}

let config = null;

for (const script of document.scripts) {

    const match = /Box.config = ({([^;]|[^}];)+})/.exec(script.textContent); // looks for "Box.config = " in the script files and then grabs the json text after that.

    if (!match)

	continue;

    config = JSON.parse(match[1]);

}

let postStreamData = null;

for (const script of document.scripts) {

    const match = /Box.postStreamData = ({([^;]|[^}];)+})/.exec(script.textContent); // looks for "Box.postStreamData = " in the script files and then grabs the json text after that.

    if (!match)

	continue;

    postStreamData = JSON.parse(match[1]);

}

// get domain from URL

const domain = document.location.href.split("/")[2];

/* Replace current page contents. */

const replacement_html = `\

<!DOCTYPE html>

<html>

  <head>

    <style>

      button, .button {

          border-radius: 10px;

          padding: 20px;

          color: #333;

          background-color:

          lightgreen;

          text-decoration: none;

          display: inline-block;

      }

      button:hover, .button:hover {

          box-shadow: -4px 8px 8px #888;

      }

      .hide {

          display: none;

      }

      #download_button .unofficial, #download_button .red_note {

          display: none;

      }

      #download_button.unofficial .unofficial {

          display: inline;

      }

      #download_button.unofficial .red_note {

          display: block;

      }

      .red_note {

          font-size: 75%;

          color: #c55;

          font-style: italic;

          text-align: center;

      }

    </style>

  </head>

  <body>

    <h1 id="loading" class="hide">loading...</h1>

    <h1 id="error" class="hide">error occured :(</h1>

    <h1 id="title" class="hide"></h1>

    <div id="single_file_section" class="hide">

      <a id="download_button" class="button">

        <span class="unofficial">unofficial</span> download

        <aside class="red_note">(officially disallowed)</aside>

      </a>

      <aside></aside>

      <h2>File info</h2>

      <div id="file_info"></div>

    </div>

  </body>

</html>

`;

/*

 * We could instead use document.write(), but browser's debugging tools would

 * not see the new page contents.

 */

const parser = new DOMParser();

const alt_doc = parser.parseFromString(replacement_html, "text/html");

document.documentElement.replaceWith(alt_doc.documentElement);

const nodes = {};

document.querySelectorAll('[id]').forEach(node => nodes[node.id] = node);

function show_error() {

    nodes.loading.classList.add("hide");

    nodes.error.classList.remove("hide");

}

function show_title(text) {

    nodes.title.innerText = text;

    nodes.loading.classList.add("hide");

    nodes.title.classList.remove("hide");

}

async function hack_file() {

    nodes.loading.classList.remove("hide");

    const tokens_url = "/app-api/enduserapp/elements/tokens";

    const file_nr = postStreamData["/app-api/enduserapp/shared-item"].itemID;

    const file_id = `file_${file_nr}`;

    const shared_name = postStreamData["/app-api/enduserapp/shared-item"].sharedName;

    /*

     * We need to perform a POST to obtain a token that will be used later to

     * authenticate against Box's API endpoint.

     */

    const tokens_response = await fetch(tokens_url, {

	method: "POST",

	headers: {

	    "Accept":               "application/json",

	    "Content-Type":         "application/json",

	    "Request-Token":        config.requestToken,

	    "X-Box-Client-Name":    "enduserapp",

	    "X-Box-Client-Version": "20.712.2",

	    "X-Box-EndUser-API":    `sharedName=${shared_name}`,

	    "X-Request-Token":      config.requestToken

	},

	body: JSON.stringify({"fileIDs": [file_id]})

    });

    console.log("tokens_response", tokens_response);

    const access_token = (await tokens_response.json())[file_id].read;

    console.log("access_token", access_token);

    const fields = [

	"permissions", "shared_link", "sha1", "file_version", "name", "size",

	"extension", "representations", "watermark_info",

	"authenticated_download_url", "is_download_available",

	"content_created_at", "content_modified_at", "created_at", "created_by",

	"modified_at", "modified_by", "owned_by", "description",

	"metadata.global.boxSkillsCards", "expires_at", "version_limit",

	"version_number", "is_externally_owned", "restored_from",

	"uploader_display_name"

    ];

    const file_info_url =

	  `https://api.box.com/2.0/files/${file_nr}?fields=${fields.join()}`;

    /*

     * We need to perform a GET to obtain file metadata. The fields we curently

     * make use of are "authenticated_download_url" and "file_version", but in

     * the request we also include names of other fields that the original Box

     * client would include. The metadata is then dumped as JSON on the page, so

     * the user, if curious, can look at it.

     */

    const file_info_response = await fetch(file_info_url, {

	headers: {

	    "Accept":            "application/json",

	    "Authorization":     `Bearer ${access_token}`,

	    "BoxApi":            `shared_link=${document.URL}`,

	    "X-Box-Client-Name": "ContentPreview",

	    "X-Rep-Hints":       "[3d][pdf][text][mp3][json][jpg?dimensions=1024x1024&paged=false][jpg?dimensions=2048x2048,png?dimensions=2048x2048][dash,mp4][filmstrip]"

	},

    });

    console.log("file_info_response", file_info_response);

    const file_info = await file_info_response.json();

    console.log("file_info", file_info);

    const params = new URLSearchParams();

    params.set("preview",            true);

    params.set("version",            file_info.file_version.id);

    params.set("access_token",       access_token);

    params.set("shared_link",        document.URL);

    params.set("box_client_name",    "box-content-preview");

    params.set("box_client_version", "2.82.0");

    params.set("encoding",           "gzip");

    /* We use file metadata from earlier requests to construct the link. */

    const download_url =

	  `${file_info.authenticated_download_url}?${params.toString()}`;

    console.log("download_url", download_url);

    show_title(file_info.name);

    nodes.download_button.href = download_url;

    if (!file_info.permissions.can_download)

	nodes.download_button.classList.add("unofficial");

    nodes.file_info.innerText =  JSON.stringify(file_info);

    nodes.single_file_section.classList.remove("hide");

}

if (postStreamData["/app-api/enduserapp/shared-item"].itemType == "file") {

    /*

     * We call hack_file and in case it asynchronously throws an exception, we

     * make an error message appear.

     */

    hack_file().then(() => {}, show_error);

} else if (postStreamData["/app-api/enduserapp/shared-item"].itemType == "folder") {

    show_title(postStreamData["/app-api/enduserapp/shared-folder"].currentFolderName);

    // TODO: implement a download folder button (included in proprietary app)

    /*

      The original download folder button sends a GET request that gets 2 URLs

      in the response. 1 of those URLs downloads the file, and a POST request

      is sent after (or maybe while in some cases?) a file is downloaded, to

      let the server know how much is downloaded.

    */

    // for each item in the folder, show a button with a link to download it

    postStreamData["/app-api/enduserapp/shared-folder"].items.forEach(function(item) {

	console.log("item", item);

	const file_direct_url = "https://"+domain+"/index.php?rm=box_download_shared_file&shared_name="+postStreamData["/app-api/enduserapp/shared-item"].sharedName+"&file_id="+item.typedID;

	const folderButton = nodes.download_button.cloneNode(false);

	folderButton.removeAttribute("id");

	if (item.type == "file") {

	    folderButton.href = file_direct_url;

	    folderButton.innerText = item.name; // show the name of the file

	} else if (item.type == "folder") {

	    folderButton.innerText = "[folders inside folders not yet supported]";

	} else {

	    folderButton.innerText = "[this item type is not supported]";

	}

	document.body.appendChild(folderButton);

    });

} else {

	console.log('expected "folder" or "file" as the item type (postStreamData["/app-api/enduserapp/shared-item"].itemType) but got ' + postStreamData["/app-api/enduserapp/shared-item"].itemType + ' instead; this item type is not implemented');

	show_error();

}