[Security] Sharing links lack expiration — permanently valid shared notes can't be revoked

[anshul23102]

Executive Summary

When users share notes via link, those links never expire. Even if the user regrets sharing or deletes the note, the link remains valid and accessible forever.

Proposed Solution

const ShareLinkSchema = new Schema({
  noteId: String,
  userId: String,  // note owner
  token: String,   // unique share token
  createdAt: Date,
  expiresAt: Date,
  accessCount: Number,
  maxAccess: Number,  // null = unlimited
  isRevoked: Boolean,
});

// Create share link
app.post('/api/notes/:id/share', authenticateUser, async (req, res) => {
  const note = await Note.findOne({ _id: req.params.id, userId: req.user.id });
  if (!note) return res.status(404).json({ error: 'Note not found' });
  
  const token = crypto.randomBytes(32).toString('hex');
  const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000);  // 7 days default
  
  const shareLink = await ShareLink.create({
    noteId: note._id,
    userId: req.user.id,
    token,
    createdAt: new Date(),
    expiresAt,
    accessCount: 0,
    maxAccess: req.body.maxAccess || null,
    isRevoked: false,
  });
  
  res.json({ 
    shareUrl: `${process.env.APP_URL}/share/${token}`,
    expiresAt,
    maxAccess: shareLink.maxAccess,
  });
});

// Access shared note
app.get('/api/share/:token', async (req, res) => {
  const shareLink = await ShareLink.findOne({ token: req.params.token });
  
  if (!shareLink) return res.status(404).json({ error: 'Link not found' });
  if (shareLink.isRevoked) return res.status(403).json({ error: 'Link revoked' });
  if (new Date() > shareLink.expiresAt) return res.status(403).json({ error: 'Link expired' });
  if (shareLink.maxAccess && shareLink.accessCount >= shareLink.maxAccess) {
    return res.status(403).json({ error: 'Max access limit reached' });
  }
  
  const note = await Note.findById(shareLink.noteId);
  shareLink.accessCount += 1;
  await shareLink.save();
  
  res.json({ note });
});

// Revoke share link
app.delete('/api/share/:token', authenticateUser, async (req, res) => {
  const shareLink = await ShareLink.findOne({ token: req.params.token });
  
  if (!shareLink || shareLink.userId !== req.user.id) {
    return res.status(403).json({ error: 'Unauthorized' });
  }
  
  shareLink.isRevoked = true;
  await shareLink.save();
  
  res.json({ message: 'Share link revoked' });
});

Checklist

• I have searched existing issues and confirmed this is not a duplicate
• I have read the CONTRIBUTING.md guidelines
• I have provided clear steps to reproduce the issue
• I have described expected vs. actual behavior clearly
• This issue title is clear and specific
• This repository has been verified as NSOC on https://www.nsoc.in/projects

@HarshYadav152 Could you please /assign this issue to me? I would like to implement expiring and revocable share links under NSOC '26.

/assign

[HarshYadav152]

@anshul23102 Check again
When user make note private again share url will also be invalid
and same for when user delete note
Both works fine

[anshul23102]

Hi @HarshYadav152 👋

I am the author of this issue and would like to work on the fix. This contribution is being made under NSoC 2026 (Nexus Spring of Code).

I have reviewed the issue and am ready to implement the solution. Could you please assign this to me?

Thank you!

[anshul23102]

You are right, @HarshYadav152, and thank you for checking. I traced the flow in the code and confirmed your point:

• Making a note private again (PUT /api/notes/share/[id]) sets isPublic = false and shareEncryptedContent = null, after which GET /api/public/notes/[id] returns 403 "Note is private".
• Deleting the note makes the same public route return 404.

So manual revocation does work, and my original "can't be revoked" wording was inaccurate. Apologies for the imprecise framing.

The one gap that remains is time-based expiration. Today a share link stays valid indefinitely until the owner manually toggles privacy or deletes the note; the Notes schema has no shareExpiresAt / TTL field, so there is no way to say "this link should stop working after N days." That is a common need for sharing something temporarily without having to remember to revoke it later.

Given your feedback, I would suggest narrowing this issue to its accurate scope: add an optional expiration date to share links (owner sets an expiry; the public route treats an expired link the same as a private one). If you feel that is out of scope for now, I am equally happy to close this. Either way, please let me know your preference and I will follow it.

[anshul23102]

Hi @HarshYadav152,

I've identified this security concern regarding unencrypted sharing links. This is part of my NSoC'26 contributions.

I'd like to be assigned to this issue so I can implement a solution with link expiration and access controls. Could a maintainer please assign this to me? Thank you!

[VinayKumar42]

@anshul23102
Please finish your current issue before taking on a new one. New issues will be assigned only after the previous one has been completed.