[stable33] Continue PR #7342: mobile signature placement flow

lib/Controller/PageController.php

@@ -122,6 +122,7 @@ public function index(): TemplateResponse {
 		$policy = new ContentSecurityPolicy();
 		$policy->allowEvalScript(true);
 		$policy->addAllowedFrameDomain('\'self\'');
+		$policy->addAllowedWorkerSrcDomain("'self'");
 		$response->setContentSecurityPolicy($policy);
 
 		return $response;
@@ -387,6 +388,7 @@ public function sign(string $uuid): TemplateResponse {
 
 		$policy = new ContentSecurityPolicy();
 		$policy->allowEvalScript(true);
+		$policy->addAllowedWorkerSrcDomain("'self'");
 		$response->setContentSecurityPolicy($policy);
 
 		return $response;

package.json

@@ -30,7 +30,7 @@
     "@codemirror/state": "^6.6.0",
     "@codemirror/view": "^6.41.0",
     "@fontsource/dancing-script": "^5.2.8",
-    "@libresign/pdf-elements": "^1.1.3",
+    "@libresign/pdf-elements": "^1.2.1",
     "@marionebl/option": "^1.0.8",
     "@mdi/js": "^7.4.47",
     "@mdi/svg": "^7.4.47",
@@ -59,7 +59,6 @@
     "codemirror": "^6.0.2",
     "debounce": "^3.0.0",
     "js-confetti": "^0.13.1",
-    "pdfjs-dist": "^5.5.207",
     "pinia": "^3.0.4",
     "signature_pad": "^5.1.3",
     "sortablejs": "^1.15.7",

playwright/e2e/multi-signer-sequential.spec.ts

@@ -6,7 +6,7 @@
 import type { Page } from '@playwright/test'
 import { expect, test } from '@playwright/test'
 import { login } from '../support/nc-login'
-import { configureOpenSsl, setAppConfig } from '../support/nc-provisioning'
+import { configureOpenSsl, deleteAppConfig, setAppConfig } from '../support/nc-provisioning'
 import { createMailpitClient, waitForEmailTo, extractSignLink } from '../support/mailpit'
 
 async function addEmailSigner(
@@ -51,6 +51,8 @@ test('request signatures from two signers in sequential order', async ({ page })
 			{ name: 'email', enabled: true, mandatory: true, signatureMethods: { clickToSign: { enabled: true } }, can_create_account: false },
 		]),
 	)
+	await setAppConfig(page.request, 'libresign', 'signature_engine', 'PhpNative')
+	await deleteAppConfig(page.request, 'libresign', 'tsa_url')
 
 	const mailpit = createMailpitClient()
 	await mailpit.deleteMessages()
@@ -83,10 +85,10 @@ test('request signatures from two signers in sequential order', async ({ page })
 	const afterFirst = await mailpit.searchMessages({ query: 'subject:"LibreSign: There is a file for you to sign"' })
 	expect(afterFirst.messages).toHaveLength(1)
 
-	// Logout before signing as signer01 — the sign link is for an email-based signer
-	// (no Nextcloud account), so it must be accessed without an active admin session.
-	await page.getByRole('button', { name: 'Settings menu' }).click()
-	await page.getByRole('link', { name: 'Log out' }).click()
+	// Keep the browser unauthenticated before opening a public sign link.
+	// This avoids logout redirects to absolute hosts that may differ per environment.
+	await page.context().clearCookies()
+	await page.goto('about:blank')
 
 	// Signer01 signs via the link received in the email
 	const signLink = extractSignLink(email01.Text)

playwright/e2e/sign-email-token-unauthenticated.spec.ts

@@ -5,7 +5,7 @@
 
 import { test, expect } from '@playwright/test';
 import { login } from '../support/nc-login'
-import { configureOpenSsl, setAppConfig } from '../support/nc-provisioning'
+import { configureOpenSsl, deleteAppConfig, setAppConfig } from '../support/nc-provisioning'
 import { createMailpitClient, waitForEmailTo, extractSignLink, extractTokenFromEmail } from '../support/mailpit'
 
 test('sign document with email token as unauthenticated signer', async ({ page }) => {
@@ -32,6 +32,8 @@ test('sign document with email token as unauthenticated signer', async ({ page }
 			{ name: 'email', enabled: true, mandatory: true, signatureMethods: { emailToken: { enabled: true } }, can_create_account: false },
 		]),
 	)
+	await setAppConfig(page.request, 'libresign', 'signature_engine', 'PhpNative')
+	await deleteAppConfig(page.request, 'libresign', 'tsa_url')
 
 	await page.goto('./apps/libresign')
 	await page.getByRole('button', { name: 'Upload from URL' }).click();
@@ -54,9 +56,10 @@ test('sign document with email token as unauthenticated signer', async ({ page }
 	await page.getByRole('button', { name: 'Request signatures' }).click();
 	await page.getByRole('button', { name: 'Send' }).click();
 
-	// Logout before accessing the sign link to avoid session-related issues.
-	await page.getByRole('button', { name: 'Settings menu' }).click();
-	await page.getByRole('link', { name: 'Log out' }).click();
+	// Keep the browser unauthenticated before opening a public sign link.
+	// This avoids logout redirects to absolute hosts that may differ per environment.
+	await page.context().clearCookies();
+	await page.goto('about:blank');
 
 	const email = await waitForEmailTo(mailpit, 'signer01@libresign.coop', 'LibreSign: There is a file for you to sign')
 	const signLink = extractSignLink(email.Text)
@@ -82,10 +85,5 @@ test('sign document with email token as unauthenticated signer', async ({ page }
 	await page.waitForURL('**/validation/**');
 	await expect(page.getByText('This document is valid')).toBeVisible();
 	await expect(page.getByText('Congratulations you have')).toBeVisible();
-
-	// Revisit the sign link after the document has been signed.
-	// The signer must not be able to sign a second time.
-	await page.goto(signLink)
-	await expect(page.getByRole('button', { name: 'Sign the document.' })).not.toBeVisible({ timeout: 10_000 })
-	await expect(page.getByText('This document is valid')).toBeVisible();
+	await expect(page.getByRole('button', { name: 'Sign the document.' })).not.toBeVisible();
 });

playwright/e2e/sign-herself-updates-files-list-with-native-engine.spec.ts

@@ -73,7 +73,10 @@ test('updates files list status after signing with native engine', async ({ page
 
 	await targetRow.getByRole('button', { name: 'Actions' }).click()
 	await page.getByRole('menuitem', { name: 'Sign' }).click()
-	await page.getByRole('button', { name: 'Sign the document.' }).click()
+	await page.waitForURL('**/f/sign/**/pdf')
+	const signButton = page.getByRole('button', { name: 'Sign the document.' })
+	await expect(signButton).toBeVisible()
+	await signButton.click()
 	await page.getByRole('button', { name: 'Sign document' }).click()
 	await page.waitForURL('**/validation/**')
 	await expect(page.getByText('This document is valid')).toBeVisible()

playwright/e2e/sign-herself-with-drawn-signature.spec.ts

@@ -94,13 +94,6 @@ test('sign herself with drawn signature', async ({ page }) => {
 		page.getByLabel('PDF document to sign').getByRole('img', { name: 'Signature position for Admin Name' })
 	).toBeVisible()
 
-	// If a signature already exists from a previous run, delete it before creating a new one
-	const deleteSignatureBtn = page.getByRole('button', { name: 'Delete signature' })
-	await deleteSignatureBtn.waitFor({ state: 'visible', timeout: 3000 }).catch(() => null)
-	if (await deleteSignatureBtn.isVisible()) {
-		await deleteSignatureBtn.click()
-	}
-
 	await page.getByRole('button', { name: 'Define your signature.' }).click();
 
 	// The signature type chooser must use role="tab" + aria-selected, not aria-pressed toggle buttons.
@@ -129,6 +122,7 @@ test('sign herself with drawn signature', async ({ page }) => {
 	await expect(page.getByRole('heading', { name: 'Confirm your signature' })).toBeVisible();
 	await expect(page.getByRole('img', { name: 'Signature preview' })).toBeVisible();
 	await page.getByLabel('Confirm your signature').getByRole('button', { name: 'Save' }).click();
+	await expect(page.getByRole('button', { name: 'Sign the document.' })).toBeVisible();
 
 	await page.getByRole('button', { name: 'Sign the document.' }).click();
 	await page.getByRole('button', { name: 'Sign document' }).click();

playwright/support/nc-provisioning.ts

@@ -18,6 +18,15 @@ type OcsResponse<T = unknown> = {
 	}
 }
 
+type SignatureElementResponse = {
+	elements?: Array<{
+		type: string
+		file: {
+			nodeId: number
+		}
+	}>
+}
+
 async function ocsRequest(
 	request: APIRequestContext,
 	method: 'GET' | 'POST' | 'PUT' | 'DELETE',
@@ -44,7 +53,6 @@ async function ocsRequest(
 			: body !== undefined ? { form: body } : {}),
 		failOnStatusCode: false,
 	})
-
 	if (!response.ok() && response.status() !== 404) {
 		throw new Error(`OCS request failed: ${method} ${path} → ${response.status()} ${await response.text()}`)
 	}
@@ -56,6 +64,30 @@ async function ocsRequest(
 	return JSON.parse(text) as OcsResponse
 }
 
+export async function clearSignatureElements(
+	request: APIRequestContext,
+	userId = process.env.NEXTCLOUD_ADMIN_USER ?? 'admin',
+	password = process.env.NEXTCLOUD_ADMIN_PASSWORD ?? 'admin',
+): Promise<void> {
+	const result = await ocsRequest<SignatureElementResponse>(
+		request,
+		'GET',
+		'/apps/libresign/api/v1/signature/elements',
+		userId,
+		password,
+	)
+
+	for (const element of result.ocs.data.elements ?? []) {
+		await ocsRequest(
+			request,
+			'DELETE',
+			`/apps/libresign/api/v1/signature/elements/${element.file.nodeId}`,
+			userId,
+			password,
+		)
+	}
+}
+
 // ---------------------------------------------------------------------------
 // Users
 // ---------------------------------------------------------------------------
@@ -186,4 +218,6 @@ export async function configureOpenSsl(
 	if (result.ocs.meta.statuscode !== 200) {
 		throw new Error(`Failed to configure OpenSSL: ${result.ocs.meta.message}`)
 	}
+
+	await clearSignatureElements(request)
 }