fix: return 404 for invalid shared link pages (#19493)

2025-07-09 03:04:16 -04:00 · 2025-06-24 11:37:14 -04:00 · 2025-06-24 11:37:14 -04:00 · 88b8afb8d6
commit 88b8afb8d6
parent 2e13543d5d
2 changed files with 22 additions and 24 deletions
--- a/e2e/src/api/specs/shared-link.e2e-spec.ts
+++ b/e2e/src/api/specs/shared-link.e2e-spec.ts
@ -119,6 +119,16 @@ describe('/shared-links', () => {
      expect(resp.header['content-type']).toContain('text/html');
      expect(resp.text).toContain(`<meta property="og:image" content="https://my.immich.app`);
    });
+
+    it('should return 404 for an invalid shared link', async () => {
+      const resp = await request(shareUrl).get(`/invalid-key`);
+      expect(resp.status).toBe(404);
+      expect(resp.header['content-type']).toContain('text/html');
+      expect(resp.text).not.toContain(`og:type`);
+      expect(resp.text).not.toContain(`og:title`);
+      expect(resp.text).not.toContain(`og:description`);
+      expect(resp.text).not.toContain(`og:image`);
+    });
  });

  describe('GET /shared-links', () => {
--- a/server/src/services/api.service.ts
+++ b/server/src/services/api.service.ts
@ -78,36 +78,24 @@ export class ApiService {
        return next();
      }

-      const targets = [
-        {
-          regex: /^\/share\/(.+)$/,
-          onMatch: async (matches: RegExpMatchArray) => {
-            const key = matches[1];
-            const auth = await this.authService.validateSharedLink(key);
-            return this.sharedLinkService.getMetadataTags(auth);
-          },
-        },
-      ];
-
+      let status = 200;
      let html = index;

+      const shareMatches = request.url.match(/^\/share\/(.+)$/);
+      if (shareMatches) {
        try {
-        for (const { regex, onMatch } of targets) {
-          const matches = request.url.match(regex);
-          if (matches) {
-            const meta = await onMatch(matches);
+          const key = shareMatches[1];
+          const auth = await this.authService.validateSharedLink(key);
+          const meta = await this.sharedLinkService.getMetadataTags(auth);
          if (meta) {
            html = render(index, meta);
          }
-
-            break;
-          }
-        }
        } catch {
-        // nothing to do here
+          status = 404;
+        }
      }

-      res.type('text/html').header('Cache-Control', 'no-store').send(html);
+      res.status(status).type('text/html').header('Cache-Control', 'no-store').send(html);
    };
  }
 }