Skip to content

feat(sign): add eu-dss sign and verify file actions#3943

Merged
Crash-- merged 2 commits into
masterfrom
feat/sign
Jun 22, 2026
Merged

feat(sign): add eu-dss sign and verify file actions#3943
Crash-- merged 2 commits into
masterfrom
feat/sign

Conversation

@Crash--

@Crash-- Crash-- commented Jun 21, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Add "Sign" and "Verify signature" actions to the file "..." menu, gated behind the drive.sign.enabled flag.
  • Build an eudss:// deeplink with a short-lived public download link as doc_url and a cozy-stack write callback carrying a short-ttl permission token.
  • Restrict the actions to a single non-folder file with write access.
  • Route the callback through /sharings/drives/<driveId>/files when the document belongs to a shared drive.

Summary by CodeRabbit

New Features

  • Digital signature signing: Added a new “Sign” action for EU DSS–based signing (shown when signing is enabled, one file is selected, and the context is writable/non-public).
  • Digital signature verification: Added a new “Verify signature” action for EU DSS–based verification with the same visibility rules.
  • EU DSS deeplinks: Signing and verification now redirect to the appropriate EU DSS flow from the drive folder action menu.
  • UI + i18n: Added localized labels for both actions in supported languages.
  • Tests: Added coverage to validate deeplink construction and callback behavior.

@coderabbitai

coderabbitai Bot commented Jun 21, 2026

Copy link
Copy Markdown

Review Change Stack

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2fb7cced-0a9e-4669-87ad-3c7717529a7f

📥 Commits

Reviewing files that changed from the base of the PR and between 83ab0b9 and 0e3b6d7.

📒 Files selected for processing (9)
  • src/lib/flags.js
  • src/locales/en.json
  • src/locales/fr.json
  • src/modules/actions/helpers/euDss.js
  • src/modules/actions/helpers/euDss.spec.js
  • src/modules/actions/index.js
  • src/modules/actions/signWithEuDss.jsx
  • src/modules/actions/verifyWithEuDss.jsx
  • src/modules/views/Drive/DriveFolderView.jsx

Walkthrough

The pull request adds two new drive actions—sign and verify—using the EU DSS (European Digital Signature Service) protocol. A new helper module (euDss.js) exports constants for the eudss:// URL scheme and operations, and implements buildEuDssDeeplink, which fetches a file's public download URL, creates a short-lived (10-minute) sharing link for a POST callback, constructs the callback URL with an operation-dependent filename (.asice or -verification.xml), and returns a fully-parameterized deep link. Two new action factory modules (signWithEuDss.jsx, verifyWithEuDss.jsx) use this helper, gated by the new drive.sign.enabled feature flag, write access, and single-file selection. Both are wired into DriveFolderView via makeActions. Localization strings are added in English and French.

Suggested labels

e2e

Suggested reviewers

  • JF-Cozy
  • rezk2ll
  • doubleface
  • lethemanh
  • codescene-delta-analysis
  • zatteo
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'feat(sign): add eu-dss sign and verify file actions' accurately describes the main change: adding EU-DSS sign and verify actions to the file menu.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/sign

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

codescene-delta-analysis[bot]

This comment was marked as outdated.

@bundlemon

bundlemon Bot commented Jun 21, 2026

Copy link
Copy Markdown

BundleMon

Files updated (1)
Status Path Size Limits
static/js/main.(hash).js
48.79KB (+553B +1.12%) -
Unchanged files (19)
Status Path Size Limits
static/js/cozy.(hash).js
928.16KB -
static/resource/(hash).js
336.09KB -
services/qualificationMigration.js
283.39KB -
services/dacc.js
263.13KB -
static/js/lib-react.(hash).js
43.88KB -
static/css/cozy.(hash).css
30.13KB -
static/js/lib-polyfill.(hash).js
22.77KB -
static/js/lib-router.(hash).js
21.86KB -
static/js/public.(hash).js
19.77KB -
static/css/main.(hash).css
13.57KB -
static/js/intents.(hash).js
8.96KB -
static/js/(chunkId).(hash).js
8.6KB -
static/js/async/(chunkId).(hash).js
7.5KB -
manifest.webapp
3.09KB -
static/css/public.(hash).css
2.34KB -
index.html
772B -
public/index.html
705B -
intents/index.html
643B -
assets/manifest.json
185B -

Total files change +555B +0.03%

Groups updated (1)
Status Path Size Limits
**/*.js
5.98MB (+620B +0.01%) -
Unchanged groups (2)
Status Path Size Limits
**/*.{png,svg,ico}
2.16MB -
**/*.css
77.42KB -

Final result: ✅

View report in BundleMon website ➡️


Current branch size history | Target branch size history

Comment thread src/lib/flags.js
flag('drive.pdf-editor.enabled')
flag('sharing.auto-open-settings.enabled')
flag('sharing.generate-link-button.enabled')
flag('drive.sign.enabled')

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

to be removed. I think this file doesn't work well ATM.

Comment on lines +129 to +130
signWithEuDss,
verifyWithEuDss,

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll not do a refactoring right now. But this file needs a cleanup for sure!

@Crash-- Crash-- marked this pull request as ready for review June 22, 2026 06:28

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/modules/actions/helpers/euDss.js`:
- Around line 37-63: The function containing the return statement at line 37
allows null to be returned when the shortcode is missing, which then gets passed
to buildCallbackUrl and serialized as token=null in the URL parameters, creating
an invalid deeplink. Instead of returning null in the shortcode extraction
logic, throw an error to fail immediately when the callback token cannot be
created. This ensures the null value never reaches buildCallbackUrl and allows
proper error handling in buildEuDssDeeplink.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 79a73f98-e765-48a2-9480-097260907627

📥 Commits

Reviewing files that changed from the base of the PR and between bb252b9 and 83ab0b9.

📒 Files selected for processing (9)
  • src/lib/flags.js
  • src/locales/en.json
  • src/locales/fr.json
  • src/modules/actions/helpers/euDss.js
  • src/modules/actions/helpers/euDss.spec.js
  • src/modules/actions/index.js
  • src/modules/actions/signWithEuDss.jsx
  • src/modules/actions/verifyWithEuDss.jsx
  • src/modules/views/Drive/DriveFolderView.jsx

Comment on lines +37 to +63
return permission.attributes?.shortcodes?.code ?? null
}

// Files inside a shared drive live behind the /sharings/drives/<driveId>
// proxy, so writing the result back must target that route instead of the
// member's own VFS (which does not hold the document).
const getFilesApiPrefix = file =>
file.driveId ? `/sharings/drives/${file.driveId}/files` : '/files'

// cozy-stack only authenticates via the Authorization header, never a query
// param. The token is passed in the URL by convention: the eu-dss desktop app
// reads it and replays it as a Bearer header on its POST to the callback.
const buildCallbackUrl = (client, file, operation, token) => {
const stackUri = client.getStackClient().uri
const params = new URLSearchParams({
Type: 'file',
Name: getCallbackFileName(file, operation),
token
})
return `${stackUri}${getFilesApiPrefix(file)}/${file.dir_id}?${params}`
}

export const buildEuDssDeeplink = async (client, file, operation) => {
const docUrl = await fetchPublicDownloadUrl(client, file)
const token = await fetchCallbackToken(client, file)
const callbackUrl = buildCallbackUrl(client, file, operation, token)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fail fast when callback token creation does not return a shortcode.

Line 37 can return null, and then Line 54 serializes it as token=null, producing a deeplink that will fail later during the EU-DSS callback. Throwing here gives a deterministic failure path and lets the action fallback alert handle it cleanly.

Suggested fix
 const fetchCallbackToken = async (client, file) => {
   const { data: permission } = await client
     .collection(DOCTYPE_PERMISSIONS)
     .createSharingLink(
       { _id: file.dir_id, _type: DOCTYPE_FILES },
       { verbs: ['POST'], ttl: CALLBACK_PERMISSION_TTL }
     )
-  return permission.attributes?.shortcodes?.code ?? null
+  const code = permission.attributes?.shortcodes?.code
+  if (!code) {
+    throw new Error('Unable to create EU-DSS callback token')
+  }
+  return code
 }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/modules/actions/helpers/euDss.js` around lines 37 - 63, The function
containing the return statement at line 37 allows null to be returned when the
shortcode is missing, which then gets passed to buildCallbackUrl and serialized
as token=null in the URL parameters, creating an invalid deeplink. Instead of
returning null in the shortcode extraction logic, throw an error to fail
immediately when the callback token cannot be created. This ensures the null
value never reaches buildCallbackUrl and allows proper error handling in
buildEuDssDeeplink.

Crash-- added 2 commits June 22, 2026 09:54
Add "Sign" and "Verify signature" entries to the file "..." menu,
gated behind the drive.sign.enabled flag. Each builds an eudss://
deeplink with a short-lived public download link as doc_url and a
cozy-stack write callback carrying a short-ttl permission token, then
hands off to the EU-DSS desktop app.
A shared drive document is not in the member's own VFS, so the write
callback must target /sharings/drives/<driveId>/files instead of /files.

@codescene-delta-analysis codescene-delta-analysis Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gates Failed
Prevent hotspot decline (1 hotspot with Complex Method)

Our agent can fix these. Install it.

Gates Passed
2 Quality Gates Passed

Reason for failure
Prevent hotspot decline Violations Code Health Impact
DriveFolderView.jsx 1 rule in this hotspot 9.08 → 9.07 Suppress

See analysis details in CodeScene

Quality Gate Profile: The Bare Minimum
Install CodeScene MCP: safeguard and uplift AI-generated code. Catch issues early with our IDE extension and CLI tool.

@Crash-- Crash-- merged commit d2e35aa into master Jun 22, 2026
5 of 7 checks passed
@Crash-- Crash-- deleted the feat/sign branch June 22, 2026 08:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants