1️⃣⬇️🔗 One-time download links #6841

Closed
5 tasks done
Tracked by #54
jospoortvliet opened this issue Oct 16, 2017 · 29 comments

@jospoortvliet
Member

jospoortvliet commented Oct 16, 2017

Sometimes you want to offer a download to a recipient, but have it work only once. An expiration date then doesn't do the trick.

Why would you want this?

  • Let the recipient download the file/folder but remove the share after they got it. Expiration date only works if you know when they will get the file. This way you don't have to clean up the share link.
  • Make sure the recipient and ONLY the recipient can download: sent link, check if person downloaded, link has disappeared already. Safe!
@rullzer
Member

rullzer commented Oct 16, 2017

First of all.

It is not so simple. Because a link is accessed via WebDAV as well. So just opening the link is already the first access. Then downloading it is the second access. Or if they navigate in the structure it is all access. Or what happens when they have a client that previews the page or something? It is all access.

> Make sure the recipient and ONLY the recipient can download: sent link, check if person downloaded, link has disappeared already. Safe!

This is really a bogus argument. Because there are only 2 scenarios here:

  1. The recipient shared the link with somebody. Which means they intend to have the file. If the download link would only work once they would just share it via other means.
  2. You are afraid somebody guesses your share token. However, I would say if somebody has the time to guess a few septillion share tokens they can also just guess your password.

@supremesyntax

Thought about that some time ago...

You are running into several problems here:

  1. Check if the user downloading the file is really the user you sent the link to.
    This would need some kind of authentication (e.g. pgp key validation)

  2. You need to be sure the whole file got downloaded and no error occurred on the client side, or the user gets locked out and you would have to re-submit the link. (Timeout, poor connection, browser crash)
    Dunno if this would be possible with javascript to look at every aspect of file transfer
    I remember mega(dot)nz does some kind of browser file caching, maybe hashing is possible to verify file integrity there

@LawnSounds

Have a look at how Firefox Send works maybe? Open source. Would be great to see this feature!

@jospoortvliet
Member Author

Well, the use case I think is clear: you create a public link and want it to go away once the recipient has downloaded the file, without having to go and check up with that person.

Some thoughts:

  • We show an Activities thing when a file is downloaded. This doesn't trigger on preview generation does it? Perhaps the same thing that triggers the Activity can trigger the removal of the shared link.
  • a grace period makes sense in case a download went wrong. So once download is initiated, give it 10 minutes at least (and until the next Cron run, hehe).

I personally frequently share files by public link for a one-time use case: a screenshot you want to show and other stuff. Automatic cleanup of those links would be nice...
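The semantics discussed so far (listing and preview requests must not consume the link, only a download does, and a grace window allows a retry) can be modelled as follows. This is an added example, not part of any comment in this thread and not Nextcloud code; the class and method names, the `kind` values and the in-memory store are assumptions, and the 600-second default is the 10-minute window suggested above.

```python
import secrets
import threading


class OneTimeLinks:
    """Toy in-memory model of download-limited share links (hypothetical names)."""

    def __init__(self, grace=600):  # 600 s = the 10-minute retry window proposed above
        self.grace = grace
        self._lock = threading.Lock()
        self._links = {}  # token -> {"path", "remaining", "expires_at", "served"}

    def create(self, path, limit=1):
        token = secrets.token_urlsafe(32)  # unguessable share token
        with self._lock:
            self._links[token] = {"path": path, "remaining": limit,
                                  "expires_at": None, "served": 0}
        return token

    def served(self, token):
        """How many times the file was sent; None once the link is gone."""
        with self._lock:
            link = self._links.get(token)
            return None if link is None else link["served"]

    def access(self, token, kind, now):
        """kind: 'listing', 'preview' or 'download'. Returns 'ok', 'serve' or 'gone'."""
        with self._lock:  # check and decrement under one lock: racing requests cannot both win
            link = self._links.get(token)
            if link is None:
                return "gone"
            if link["expires_at"] is not None and now >= link["expires_at"]:
                del self._links[token]  # lazy cleanup instead of waiting for a cron run
                return "gone"
            if kind != "download":
                return "ok"  # opening the page or generating a preview never consumes the link
            if link["remaining"] > 0:
                link["remaining"] -= 1
                if link["remaining"] == 0:
                    # Last allowed download started: keep the link only for retries.
                    link["expires_at"] = now + self.grace
            link["served"] += 1  # counted when the server starts sending, not on client receipt
            return "serve"
```

The grace window is a trade-off: anyone holding the token can still fetch the file until it closes, so a `served()` count above the limit is worth surfacing to the share owner.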

@MorrisJobke MorrisJobke changed the title Feature request: offer one-time download links Offer one-time download links Jan 26, 2018
@MorrisJobke MorrisJobke changed the title Offer one-time download links One-time download links Jan 26, 2018
@nextcloud-bot nextcloud-bot added the stale Ticket or PR with no recent activity label Jun 20, 2018
@skjnldsv skjnldsv added the 1. to develop Accepted and waiting to be taken care of label Jun 12, 2019
@ghost ghost removed the stale Ticket or PR with no recent activity label Jun 12, 2019
@jpfleury

Someone mentioned Firefox Send as offering one-time download links. There are also some other open source projects to look at with this feature. Examples:

@grumpybozo

This feature and the simpler feature requested in #17934 would be useful and I'd like to see them both. Currently it is not even clear when expiration actually happens, i.e. is it 00:00 UTC? 00:00 in the user's local time zone when setting the expiration? Some other arbitrary time?

My context for this is that we use shared links to communicate initial passwords to users. We'd like these to die when they are no longer needed but no sooner. That is obviously not determinable programmatically, so at least knowing precisely when a link expires (with a fixed time or after a certain number of accesses or something more complex but deterministic) would help.

@armijnhemel

I would be interested in such functionality. For me it would be enough to drop the guarantee that the client has actually received the data: as soon as the server has sent the data, it should be considered to have been downloaded and the data should be removed after 1 or N downloads. If the client didn't get it: tough luck, wait for a complaint and resend. I think that this would make it less difficult to implement.

@mrizvic

mrizvic commented May 10, 2020

I vote for that feature too.
In mission impossible style it would be like: this nextcloud share will self destruct after one download :)

@Eviepayne

Just adding my two cents to this. I think this feature is severely needed.
Currently running a nextcloud for my team to quickly send files around while send.firefox.com is down and this would solve my issue now.

@Woefdram

Agree, this is a very useful feature, to say the least.

@IIPoliII

IIPoliII commented Jul 29, 2020

Same here, would be interested.

@RealKelsar

Would be nice to share Passwords and Certificates

@sirKitKat

Maybe an expiration period after the first download? A default of 24 hours seems reasonable, I think, to cover errors during download and give the users some time to retry.

@johnstoneinoue

I also agree, this feature is very useful.

@matthewmummert5

matthewmummert5 commented Mar 20, 2023

I'm not trying to beat a dead horse, but I think about this suggested feature every year, once per year: U.S. Tax season.

Tax documents have serious identity theft risk for Americans due to the fact that America's financial system lets you impersonate anyone if you have their social security number. I'd like to share my tax documents with my tax accountant with a share link over email, and have that link clean itself up after they download it. Currently, I rely on them writing to me to tell me that they've downloaded it, and me having to manually disable it.

This feature would give me a little more peace of mind.

@Moini

Moini commented Aug 7, 2023

Same, this would be super useful for sharing sensitive documents without having to also share a password by the same route.

@szaimen
Contributor

szaimen commented Aug 15, 2023

We have had this app available for a while: https://apps.nextcloud.com/apps/files_downloadlimit if you just put in 1 allowed download, you basically achieve the functionality that was requested here?

@szaimen
Contributor

szaimen commented Aug 15, 2023

However we should decide if we want to ship the app and/or merge it into core so that it is easier to discover...

@Moini

Moini commented Aug 15, 2023

@szaimen I've seen that app, however, as for many useful apps, it said it wasn't available for my version when I looked (now it is, and I'll install it).

And to find it... well, it cannot be found from the search field, nor is there a separate app search - and apps also aren't strictly ordered by alphabet. You need to know the category to find something... UX is making it so difficult...

@wickning1

The app @szaimen pointed out looks good, but I am going to add to the argument for it becoming a core feature.

The problem it solves is this: someone has asked you to email a sensitive document. Example: an apartment rental application. Email is not always encrypted in transit, and you or the recipient could be compromised and have your inbox/sentbox exposed. This feature limits the damage.

Limiting the download window to the absolute minimum amount of time is key. It’s still possible that an attacker might access the link before the recipient. This is the worst case, but because of this feature, the recipient can infer that their denial means there was a compromise and the sender can be notified. That’s a further win for this feature that an expiration date cannot provide.

@sunjam

sunjam commented Jan 17, 2024

@szaimen What would you consider a strong reason to not make it core?

@matthewmummert5

It's a new year, which means U.S. tax season is coming up again. I'd like to be able to email my tax documents to my tax accountant using this feature. For the exact reasons that @wickning1 pointed out, it would be much safer than an email attachment.

@Moini

Moini commented Jan 18, 2024

@matthewmummert5 For that specific purpose, I'd probably share a password by phone or letter and use password protection. I do agree that a one-time / limited times download would be very useful for less sensitive data.

@szaimen
Contributor

szaimen commented Jan 22, 2024

@jancborchardt since you have put this on the Design Phase list, why not simply integrate https://github.com/nextcloud/files_downloadlimit into core then? Not sure what we need to design then here?

@szaimen szaimen self-assigned this Jan 22, 2024
@jancborchardt
Member

> @jancborchardt since you have put this on the Design Phase list, why not simply integrate https://github.com/nextcloud/files_downloadlimit into core then? Not sure what we need to design then here?

@sorbaugh @AndyScherzinger Do you already have an idea regarding that? Would indeed make sense to just integrate that.
(We did discuss this issue in Files planning, it's just not on the board yet, right? :)

@AndyScherzinger
Member

> We did discuss this issue in Files planning, it's just not on the board yet, right?

Yes, right, added this issue now.

And I would agree with @szaimen that download_limit would work for this, while I can't say if we need some kind of UI improvements for a "one-time download" scenario when creating shares or if you would consider it "fine as is" (fancy for "good enough") and we integrate it, while the cheapest solution would just be to bundle the app. Alternatively we can of course also think about integrating it into the core code base.

@AndyScherzinger AndyScherzinger changed the title One-time download links 1️⃣⬇️🔗 One-time download links Jan 22, 2024
@szaimen
Contributor

szaimen commented Feb 2, 2024

So I had a look at this again and my recommendation would be to bundle the files_downloadlimit app with server.


After that is done, the UX could be improved by moving the setting to the advanced sharing settings for link shares, since the current placement is suboptimal:

[Two screenshots, captioned "Remove it from here" and "Move it here"]

As a second follow-up, it would be great to add an admin setting so that the admin can set a default to 1 for example.

@sorbaugh
Contributor

Edited original comment to split this issue into individual subtasks.

@szaimen
Contributor

szaimen commented Mar 8, 2024

🎉🎉🎉🎉🎉
