From 62c48ccf33fb0c47093a277c0a79c61ac86e188c Mon Sep 17 00:00:00 2001
From: Alex Kriuchykhin <oleksii@scinote.net>
Date: Mon, 7 Jul 2025 14:15:22 +0200
Subject: [PATCH] Fix WOPI proof verification [SCI-12096] (#8637)

---
 app/models/asset.rb                          |  1 +
 app/models/concerns/versioned_attachments.rb | 15 ++++++++-------
 app/utilities/wopi_util.rb                   |  8 ++++----
 config/initializers/active_storage.rb        | 14 --------------
 4 files changed, 13 insertions(+), 25 deletions(-)

diff --git a/app/models/asset.rb b/app/models/asset.rb
index 071cb90e2..3f221346a 100644
--- a/app/models/asset.rb
+++ b/app/models/asset.rb
@@ -358,6 +358,7 @@ class Asset < ApplicationRecord
   end
 
   def put_wopi_contents(new_file)
+    new_file.rewind
     if file_size.zero? && version.zero?
       # wopi client  puts initial blanc file therefore skipping version creation
       file.attach(io: new_file, filename: file_name)
diff --git a/app/models/concerns/versioned_attachments.rb b/app/models/concerns/versioned_attachments.rb
index 519fa59c1..9563e272e 100644
--- a/app/models/concerns/versioned_attachments.rb
+++ b/app/models/concerns/versioned_attachments.rb
@@ -10,19 +10,20 @@ module VersionedAttachments
 
       define_method :"attach_#{name}_version" do |*args, **options|
         ActiveRecord::Base.transaction(requires_new: true) do
-          __send__(:"previous_#{name.to_s.pluralize}").attach([__send__(name).blob.signed_id]) if __send__(name).attached?
+          __send__(:"previous_#{name.to_s.pluralize}").attach(__send__(name).blob) if __send__(name).attached?
           __send__(name).attach(*args, **options)
 
           new_blob = __send__(name).blob
-          new_blob.metadata['created_by_id'] ||= last_modified_by_id
+          metadata = new_blob.metadata
+          metadata['created_by_id'] ||= last_modified_by_id
 
           # set version of current latest file if previous versions exist
-          new_blob.save! and next unless __send__(:"previous_#{name.to_s.pluralize}").any?
+          if __send__(:"previous_#{name.to_s.pluralize}").any?
+            new_version = (__send__(:"previous_#{name.to_s.pluralize}").last.blob.metadata['version'] || 1) + 1
+            metadata['version'] = new_version
+          end
 
-          new_version =
-            (__send__(:"previous_#{name.to_s.pluralize}").last.blob.metadata['version'] || 1) + 1
-          new_blob.metadata['version'] = new_version
-          new_blob.save!
+          new_blob.persisted? ? new_blob.update_column(:metadata, metadata) : new_blob.metadata = metadata
         end
       end
 
diff --git a/app/utilities/wopi_util.rb b/app/utilities/wopi_util.rb
index 4d3e756ba..0832ffdad 100644
--- a/app/utilities/wopi_util.rb
+++ b/app/utilities/wopi_util.rb
@@ -30,10 +30,10 @@ module WopiUtil
   # with this discovery public key (two key possible old/new)
   def wopi_verify_proof(token, timestamp, signed_proof, signed_proof_old, url)
     discovery = current_wopi_discovery
-    token_length = [token.length].pack('>N').bytes
-    timestamp_bytes = [timestamp.to_i].pack('>Q').bytes.reverse
-    timestamp_length = [timestamp_bytes.length].pack('>N').bytes
-    url_length = [url.length].pack('>N').bytes
+    token_length = [token.length].pack('N').bytes
+    timestamp_bytes = [timestamp.to_i].pack('Q').bytes.reverse
+    timestamp_length = [timestamp_bytes.length].pack('N').bytes
+    url_length = [url.length].pack('N').bytes
 
     expected_proof = token_length + token.bytes +
                      url_length + url.upcase.bytes +
diff --git a/config/initializers/active_storage.rb b/config/initializers/active_storage.rb
index 58a3386e3..35ccc7f34 100644
--- a/config/initializers/active_storage.rb
+++ b/config/initializers/active_storage.rb
@@ -3,7 +3,6 @@
 require 'active_storage/previewer/libreoffice_previewer'
 require 'active_storage/analyzer/image_analyzer/custom_image_magick'
 require 'active_storage/analyzer/text_extraction_analyzer'
-require 'active_storage/downloader'
 
 # Enable PDF previews for files
 Rails.application.config.x.enable_pdf_previews = ENV['ACTIVESTORAGE_ENABLE_PDF_PREVIEWS'] == 'true'
@@ -18,16 +17,3 @@ Rails.application.config.active_storage.variable_content_types << 'image/svg+xml
 
 Rails.application.config.active_storage.variant_processor = :vips if ENV['ACTIVESTORAGE_ENABLE_VIPS'] == 'true'
 
-ActiveStorage::Downloader.class_eval do
-  def open(key, checksum: nil, verify: true, name: 'ActiveStorage-', tmpdir: nil)
-    open_tempfile(name, tmpdir) do |file|
-      download key, file
-      if checksum == 'dummy' || checksum.nil?
-        ActiveStorage::Blob.find_by(key: key).update(checksum: Digest::MD5.file(file).base64digest)
-      else
-        verify_integrity_of(file, checksum: checksum) if verify
-      end
-      yield file
-    end
-  end
-end