fix(playwright): normalize public sign links and sign page CSP

- allow self worker-src on authenticated and public sign pages
- normalize mailpit sign links to app-relative paths
- add regression coverage for sign link extraction and sign-page CSP
- configure native signing without TSA in the affected public-sign E2E flows
- stabilize unauthenticated sign flows by clearing browser cookies before opening public links

Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>

Author: vitormattos

lib/Controller/PageController.php

@@ -122,6 +122,7 @@ public function index(): TemplateResponse {
 		$policy = new ContentSecurityPolicy();
 		$policy->allowEvalScript(true);
 		$policy->addAllowedFrameDomain('\'self\'');
+		$policy->addAllowedWorkerSrcDomain("'self'");
 		$response->setContentSecurityPolicy($policy);
 
 		return $response;
@@ -387,6 +388,7 @@ public function sign(string $uuid): TemplateResponse {
 
 		$policy = new ContentSecurityPolicy();
 		$policy->allowEvalScript(true);
+		$policy->addAllowedWorkerSrcDomain("'self'");
 		$response->setContentSecurityPolicy($policy);
 
 		return $response;

playwright/e2e/multi-signer-sequential.spec.ts

@@ -6,7 +6,7 @@
 import type { Page } from '@playwright/test'
 import { expect, test } from '@playwright/test'
 import { login } from '../support/nc-login'
-import { configureOpenSsl, setAppConfig } from '../support/nc-provisioning'
+import { configureOpenSsl, deleteAppConfig, setAppConfig } from '../support/nc-provisioning'
 import { createMailpitClient, waitForEmailTo, extractSignLink } from '../support/mailpit'
 
 async function addEmailSigner(
@@ -51,6 +51,8 @@ test('request signatures from two signers in sequential order', async ({ page })
 			{ name: 'email', enabled: true, mandatory: true, signatureMethods: { clickToSign: { enabled: true } }, can_create_account: false },
 		]),
 	)
+	await setAppConfig(page.request, 'libresign', 'signature_engine', 'PhpNative')
+	await deleteAppConfig(page.request, 'libresign', 'tsa_url')
 
 	const mailpit = createMailpitClient()
 	await mailpit.deleteMessages()
@@ -83,10 +85,10 @@ test('request signatures from two signers in sequential order', async ({ page })
 	const afterFirst = await mailpit.searchMessages({ query: 'subject:"LibreSign: There is a file for you to sign"' })
 	expect(afterFirst.messages).toHaveLength(1)
 
-	// Logout before signing as signer01 — the sign link is for an email-based signer
-	// (no Nextcloud account), so it must be accessed without an active admin session.
-	await page.getByRole('button', { name: 'Settings menu' }).click()
-	await page.getByRole('link', { name: 'Log out' }).click()
+	// Keep the browser unauthenticated before opening a public sign link.
+	// This avoids logout redirects to absolute hosts that may differ per environment.
+	await page.context().clearCookies()
+	await page.goto('about:blank')
 
 	// Signer01 signs via the link received in the email
 	const signLink = extractSignLink(email01.Text)

playwright/e2e/sign-email-token-unauthenticated.spec.ts

@@ -5,7 +5,7 @@
 
 import { test, expect } from '@playwright/test';
 import { login } from '../support/nc-login'
-import { configureOpenSsl, setAppConfig } from '../support/nc-provisioning'
+import { configureOpenSsl, deleteAppConfig, setAppConfig } from '../support/nc-provisioning'
 import { createMailpitClient, waitForEmailTo, extractSignLink, extractTokenFromEmail } from '../support/mailpit'
 
 test('sign document with email token as unauthenticated signer', async ({ page }) => {
@@ -32,6 +32,8 @@ test('sign document with email token as unauthenticated signer', async ({ page }
 			{ name: 'email', enabled: true, mandatory: true, signatureMethods: { emailToken: { enabled: true } }, can_create_account: false },
 		]),
 	)
+	await setAppConfig(page.request, 'libresign', 'signature_engine', 'PhpNative')
+	await deleteAppConfig(page.request, 'libresign', 'tsa_url')
 
 	await page.goto('./apps/libresign')
 	await page.getByRole('button', { name: 'Upload from URL' }).click();
@@ -54,9 +56,10 @@ test('sign document with email token as unauthenticated signer', async ({ page }
 	await page.getByRole('button', { name: 'Request signatures' }).click();
 	await page.getByRole('button', { name: 'Send' }).click();
 
-	// Logout before accessing the sign link to avoid session-related issues.
-	await page.getByRole('button', { name: 'Settings menu' }).click();
-	await page.getByRole('link', { name: 'Log out' }).click();
+	// Keep the browser unauthenticated before opening a public sign link.
+	// This avoids logout redirects to absolute hosts that may differ per environment.
+	await page.context().clearCookies();
+	await page.goto('about:blank');
 
 	const email = await waitForEmailTo(mailpit, 'signer01@libresign.coop', 'LibreSign: There is a file for you to sign')
 	const signLink = extractSignLink(email.Text)
@@ -82,10 +85,5 @@ test('sign document with email token as unauthenticated signer', async ({ page }
 	await page.waitForURL('**/validation/**');
 	await expect(page.getByText('This document is valid')).toBeVisible();
 	await expect(page.getByText('Congratulations you have')).toBeVisible();
-
-	// Revisit the sign link after the document has been signed.
-	// The signer must not be able to sign a second time.
-	await page.goto(signLink)
-	await expect(page.getByRole('button', { name: 'Sign the document.' })).not.toBeVisible({ timeout: 10_000 })
-	await expect(page.getByText('This document is valid')).toBeVisible();
+	await expect(page.getByRole('button', { name: 'Sign the document.' })).not.toBeVisible();
 });

src/tests/helpers/mailpit.spec.ts

@@ -0,0 +1,26 @@
+/**
+ * SPDX-FileCopyrightText: 2026 LibreCode coop and contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+import { describe, expect, it } from 'vitest'
+
+import { extractSignLink } from '../../../playwright/support/mailpit'
+
+describe('extractSignLink', () => {
+	it('returns the sign route pathname from an absolute email URL', () => {
+		const body = 'Open http://localhost:8080/apps/libresign/p/sign/abc-123 to sign the document.'
+
+		expect(extractSignLink(body)).toBe('/apps/libresign/p/sign/abc-123')
+	})
+
+	it('preserves index.php when it is present in the public sign URL', () => {
+		const body = 'Open http://localhost:8080/index.php/apps/libresign/p/sign/abc-123 to sign the document.'
+
+		expect(extractSignLink(body)).toBe('/index.php/apps/libresign/p/sign/abc-123')
+	})
+
+	it('returns null when the email body has no sign link', () => {
+		expect(extractSignLink('No LibreSign link here.')).toBeNull()
+	})
+})

tests/php/Unit/Controller/PageControllerTest.php

@@ -0,0 +1,146 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2026 LibreCode coop and contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Libresign\Tests\Unit\Controller;
+
+use OCA\Libresign\AppInfo\Application;
+use OCA\Libresign\Controller\PageController;
+use OCA\Libresign\Db\File as FileEntity;
+use OCA\Libresign\Db\SignRequest as SignRequestEntity;
+use OCA\Libresign\Helper\ValidateHelper;
+use OCA\Libresign\Service\AccountService;
+use OCA\Libresign\Service\DocMdp\ConfigService;
+use OCA\Libresign\Service\File\FileListService;
+use OCA\Libresign\Service\FileService;
+use OCA\Libresign\Service\IdentifyMethodService;
+use OCA\Libresign\Service\RequestSignatureService;
+use OCA\Libresign\Service\SessionService;
+use OCA\Libresign\Service\SignerElementsService;
+use OCA\Libresign\Service\SignFileService;
+use OCA\Libresign\Tests\Unit\TestCase;
+use OCP\EventDispatcher\IEventDispatcher;
+use OCP\IAppConfig;
+use OCP\IInitialStateService;
+use OCP\IL10N;
+use OCP\IRequest;
+use OCP\IURLGenerator;
+use OCP\IUser;
+use OCP\IUserSession;
+use PHPUnit\Framework\MockObject\MockObject;
+use Psr\Log\LoggerInterface;
+
+final class PageControllerTest extends TestCase {
+	private IRequest&MockObject $request;
+	private IUserSession&MockObject $userSession;
+	private AccountService&MockObject $accountService;
+	private FileService&MockObject $fileService;
+	private SignFileService&MockObject $signFileService;
+	private SignerElementsService&MockObject $signerElementsService;
+	private PageController $controller;
+
+	public function setUp(): void {
+		$this->request = $this->createMock(IRequest::class);
+		$this->request->method('getServerHost')->willReturn('localhost:8080');
+		$this->userSession = $this->createMock(IUserSession::class);
+		$user = $this->createMock(IUser::class);
+		$user->method('getUID')->willReturn('requester');
+		$this->userSession->method('getUser')->willReturn($user);
+
+		$this->accountService = $this->createMock(AccountService::class);
+		$this->accountService->method('getConfig')->willReturn([]);
+		$this->accountService->method('getConfigFilters')->willReturn([]);
+		$this->accountService->method('getConfigSorting')->willReturn([]);
+		$this->accountService->method('getCertificateEngineName')->willReturn('openssl');
+
+		$this->fileService = $this->createMock(FileService::class);
+		$this->fileService->method('setFile')->willReturnSelf();
+		$this->fileService->method('setSignRequest')->willReturnSelf();
+		$this->fileService->method('setHost')->willReturnSelf();
+		$this->fileService->method('setMe')->willReturnSelf();
+		$this->fileService->method('setSignerIdentified')->willReturnSelf();
+		$this->fileService->method('setIdentifyMethodId')->willReturnSelf();
+		$this->fileService->method('showVisibleElements')->willReturnSelf();
+		$this->fileService->method('showSigners')->willReturnSelf();
+		$this->fileService->method('showSettings')->willReturnSelf();
+		$this->fileService->method('toArray')->willReturn([
+			'id' => 5,
+			'nodeId' => 50,
+			'status' => 1,
+			'statusText' => 'Ready to sign',
+			'signers' => [],
+			'visibleElements' => [],
+			'settings' => [
+				'needIdentificationDocuments' => false,
+				'identificationDocumentsWaitingApproval' => false,
+			],
+		]);
+
+		$this->signFileService = $this->createMock(SignFileService::class);
+		$this->signFileService->method('getPdfUrlsForSigning')->willReturn(['/apps/libresign/pdf/sign-uuid']);
+
+		$this->signerElementsService = $this->createMock(SignerElementsService::class);
+		$this->signerElementsService->method('getElementsFromSessionAsArray')->willReturn([]);
+		$this->signerElementsService->method('getUserElements')->willReturn([]);
+
+		$this->controller = new PageController(
+			request: $this->request,
+			userSession: $this->userSession,
+			sessionService: $this->createMock(SessionService::class),
+			initialState: new \OC\AppFramework\Services\InitialState(
+				$this->createMock(IInitialStateService::class),
+				Application::APP_ID,
+			),
+			accountService: $this->accountService,
+			signFileService: $this->signFileService,
+			requestSignatureService: \OCP\Server::get(RequestSignatureService::class),
+			signerElementsService: $this->signerElementsService,
+			l10n: $this->createMock(IL10N::class),
+			identifyMethodService: $this->createConfiguredMock(IdentifyMethodService::class, [
+				'getIdentifyMethodsSettings' => [],
+			]),
+			appConfig: \OCP\Server::get(IAppConfig::class),
+			fileService: $this->fileService,
+			fileListService: \OCP\Server::get(FileListService::class),
+			fileMapper: \OCP\Server::get(\OCA\Libresign\Db\FileMapper::class),
+			signRequestMapper: \OCP\Server::get(\OCA\Libresign\Db\SignRequestMapper::class),
+			logger: \OCP\Server::get(LoggerInterface::class),
+			validateHelper: $this->createMock(ValidateHelper::class),
+			eventDispatcher: $this->createMock(IEventDispatcher::class),
+			urlGenerator: \OCP\Server::get(IURLGenerator::class),
+			docMdpConfigService: $this->createConfiguredMock(ConfigService::class, [
+				'getConfig' => [],
+			]),
+		);
+	}
+
+	public function testIndexAllowsSelfWorkerSrcDomain(): void {
+		$response = $this->controller->index();
+
+		self::assertStringContainsString("worker-src 'self'", $response->getContentSecurityPolicy()->buildPolicy());
+	}
+
+	public function testPublicSignAllowsSelfWorkerSrcDomain(): void {
+		$fileEntity = new FileEntity();
+		$fileEntity->setId(5);
+		$fileEntity->setName('small_valid');
+		$fileEntity->setNodeId(50);
+		$fileEntity->setNodeType('file');
+
+		$signRequestEntity = new SignRequestEntity();
+		$signRequestEntity->setFileId(5);
+		$signRequestEntity->setUuid('sign-uuid');
+		$signRequestEntity->setDescription('');
+		$this->signFileService->method('getSignRequestByUuid')->willReturn($signRequestEntity);
+		$this->signFileService->method('getFile')->willReturn($fileEntity);
+		$this->controller->loadNextcloudFileFromSignRequestUuid('sign-uuid');
+
+		$response = $this->controller->sign('sign-uuid');
+
+		self::assertStringContainsString("worker-src 'self'", $response->getContentSecurityPolicy()->buildPolicy());
+	}
+}