Shareable links still valid after expiration or deletion #33

Closed
opened 2025-11-13 11:48:07 -06:00 by GiteaMirror · 3 comments

Originally created by @cusergit on GitHub (Jan 23, 2025).

Hello,
I created a "Shareable link" for one of my resources (1 hour expiration).
The link is visible under "Manage Share Links" with creation and expiration times.
The link works well; I can access the resource with no problem.
After some time (1 hour, I guess) the link was deleted as expected...

but it is still valid; I mean I can still access my resource from any machine/browser.

The same occurs if the link is "deleted" before expiration: the resource can still be accessed from any machine/browser.

_Expiration time is how long the link will be usable and provide access to the resource.
After this time, the link will no longer work, and users who used this link will lose access to the resource._

Thanks


@miloschwartz commented on GitHub (Jan 23, 2025):

I am trying to reproduce this but so far I am unable to, and the links do expire, but I will keep trying with different values.

Also wanted to ask:

Are you accessing the share link from a browser that is already logged in with SSO? Does this still occur if you access the resource via the share link from an incognito window that has never been logged in before?

I am asking because the share link does not override the other auth methods if they were previously used. You must also have at least one auth method enabled on the resource for the share link to provide temporary access, as otherwise, the resource is accessible to everyone anyway.


@cusergit commented on GitHub (Jan 24, 2025):

Hello, thanks for your reply.

Yes, I have tried from different machines and browsers without previous login to Pangolin or the resource itself, and it still occurs.

No, I don't have any authentication method (not even "Use Platform SSO"), so I guess that's the cause.

I am aware of the warning in the documentation:
_It is not recommended to expose a resource without some form of authentication.
Only do this if you need to for the functionality of the resource or you trust the built-in auth_

but don't you think it is a valid use case?

  • no authentication at all if I use my defined access URL (only known by me), i.e. myresource.mydomain.com.
  • but still possible to allow others temporary access using the shareable link, i.e. pangolin.mydomain/x?token=xxxxxx

Many thanks for your time.
Regards


@cusergit commented on GitHub (Jan 24, 2025):

Sorry, I realized that's nonsense.
When using the share link, a redirect will be made and my resource URL will be perfectly visible.
Thanks

Reference: github-starred/pangolin#33
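
A minimal model of the access decision described in this thread, added here as an illustration and not Pangolin's own code: the `Resource`, `ShareLink` and `decide` names, the `has_session` flag, the `"sso"` label and the sample token are all assumptions. It shows why an expired or deleted link appears to keep working when the resource has no auth method enabled, and that the link is only checked once something gates the resource.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ShareLink:
    expires_at: datetime
    deleted: bool = False


@dataclass
class Resource:
    auth_methods: set = field(default_factory=set)  # empty set = no auth enabled
    links: dict = field(default_factory=dict)       # token -> ShareLink


def decide(res: Resource, now: datetime, token: Optional[str] = None,
           has_session: bool = False) -> tuple:
    """Return (allowed, reason) for one request; hypothetical model."""
    # With no auth method enabled nothing gates the resource, so the
    # token is never consulted and its expiry or deletion has no effect.
    if not res.auth_methods:
        return True, "public: no auth method enabled"
    # A login established earlier is honoured independently of the link.
    if has_session:
        return True, "existing session"
    link = res.links.get(token) if token else None
    if link is None or link.deleted:
        return False, "unknown or deleted link"
    if now >= link.expires_at:
        return False, "link expired"
    return True, "valid share link"


def scenarios() -> dict:
    """Constructed data: a 1-hour link, checked while fresh and 2 hours later."""
    t0 = datetime(2025, 1, 23, 12, 0, tzinfo=timezone.utc)
    late = t0 + timedelta(hours=2)
    live = {"tok-sample": ShareLink(t0 + timedelta(hours=1))}
    gone = {"tok-sample": ShareLink(t0 + timedelta(hours=1), deleted=True)}
    return {
        "public_expired": decide(Resource(set(), live), late, "tok-sample"),
        "public_deleted": decide(Resource(set(), gone), t0, "tok-sample"),
        "gated_fresh": decide(Resource({"sso"}, live), t0, "tok-sample"),
        "gated_expired": decide(Resource({"sso"}, live), late, "tok-sample"),
        "gated_deleted": decide(Resource({"sso"}, gone), t0, "tok-sample"),
        "gated_session": decide(Resource({"sso"}, live), late, "tok-sample", True),
    }
```

When testing link expiry against a real deployment, the `public_*` rows are the ones to rule out first: confirm the resource has at least one auth method enabled and test from a browser profile with no prior login.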