From 17635df68798d82744148271f87f0714155bb026 Mon Sep 17 00:00:00 2001
From: Hitenjain14
Date: Sun, 3 Nov 2024 23:27:47 +0530
Subject: [PATCH 1/3] use prefix for directory
---
 .../go/0chain.net/blobbercore/handler/authticket.go | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/code/go/0chain.net/blobbercore/handler/authticket.go b/code/go/0chain.net/blobbercore/handler/authticket.go
index c96abc0ba..b53282605 100644
--- a/code/go/0chain.net/blobbercore/handler/authticket.go
+++ b/code/go/0chain.net/blobbercore/handler/authticket.go
@@ -3,8 +3,7 @@ package handler
 import (
 "context"
 "encoding/json"
- "fmt"
- "regexp"
+ "strings"
 "github.com/0chain/blobber/code/go/0chain.net/blobbercore/allocation"
 "github.com/0chain/blobber/code/go/0chain.net/blobbercore/readmarker"
@@ -28,14 +27,18 @@ func verifyAuthTicket(ctx context.Context, authTokenString string, allocationObj
 }
 if refRequested.LookupHash != authToken.FilePathHash {
- authTokenRef, err := reference.GetLimitedRefFieldsByLookupHashWith(ctx, authToken.AllocationID, authToken.FilePathHash, []string{"id", "path"})
+ authTokenRef, err := reference.GetLimitedRefFieldsByLookupHashWith(ctx, authToken.AllocationID, authToken.FilePathHash, []string{"id", "path", "type"})
 if err != nil {
 return nil, err
 }
-
- if matched, _ := regexp.MatchString(fmt.Sprintf("^%v", authTokenRef.Path), refRequested.Path); !matched {
+ if authTokenRef.Type == reference.FILE {
+ return nil, common.NewError("invalid_parameters", "Auth ticket is not valid for the resource being requested")
+ }
+ prefixPath := authTokenRef.Path + "/"
+ if !strings.HasPrefix(refRequested.Path, prefixPath) {
 return nil, common.NewError("invalid_parameters", "Auth ticket is not valid for the resource being requested")
 }
+
 }
 if verifyShare {
 shareInfo, err := reference.GetShareInfo(ctx, authToken.ClientID, authToken.FilePathHash)
From f3d6beb0e03d78f2c5c8036f7c6637867cef0f36 Mon Sep 17 00:00:00 2001
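Review bot: In PATCH 1/3, an empty `authTokenRef.Path` turns `prefixPath` into `"/"`, so the added `strings.HasPrefix` test accepts every absolute path and the ticket would cover the whole allocation. Whether `GetLimitedRefFieldsByLookupHashWith` can hand back a ref with an empty path is not visible in this hunk, so the check should fail closed before the prefix is built: `if authTokenRef.Path == "" { return nil, common.NewError("invalid_parameters", "Auth ticket is not valid for the resource being requested") }`. The form this check takes in PATCH 3/3 has the same gap. verifyAuthTicket begins and ends outside the hunk.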
From: Hitenjain14
Date: Mon, 4 Nov 2024 00:14:24 +0530
Subject: [PATCH 2/3] only check path
---
 code/go/0chain.net/blobbercore/handler/authticket.go | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/code/go/0chain.net/blobbercore/handler/authticket.go b/code/go/0chain.net/blobbercore/handler/authticket.go
index b53282605..b40e719ac 100644
--- a/code/go/0chain.net/blobbercore/handler/authticket.go
+++ b/code/go/0chain.net/blobbercore/handler/authticket.go
@@ -27,13 +27,10 @@ func verifyAuthTicket(ctx context.Context, authTokenString string, allocationObj
 }
 if refRequested.LookupHash != authToken.FilePathHash {
- authTokenRef, err := reference.GetLimitedRefFieldsByLookupHashWith(ctx, authToken.AllocationID, authToken.FilePathHash, []string{"id", "path", "type"})
+ authTokenRef, err := reference.GetLimitedRefFieldsByLookupHashWith(ctx, authToken.AllocationID, authToken.FilePathHash, []string{"id", "path"})
 if err != nil {
 return nil, err
 }
- if authTokenRef.Type == reference.FILE {
- return nil, common.NewError("invalid_parameters", "Auth ticket is not valid for the resource being requested")
- }
 prefixPath := authTokenRef.Path + "/"
 if !strings.HasPrefix(refRequested.Path, prefixPath) {
 return nil, common.NewError("invalid_parameters", "Auth ticket is not valid for the resource being requested")
From 2a1158081d8ec9e245b39d2ae573e3ecc0910de4 Mon Sep 17 00:00:00 2001
From: Hitenjain14
Date: Mon, 4 Nov 2024 00:53:14 +0530
Subject: [PATCH 3/3] fix ut
---
 code/go/0chain.net/blobbercore/handler/authticket.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/code/go/0chain.net/blobbercore/handler/authticket.go b/code/go/0chain.net/blobbercore/handler/authticket.go
index b40e719ac..d4ede2a8b 100644
--- a/code/go/0chain.net/blobbercore/handler/authticket.go
+++ b/code/go/0chain.net/blobbercore/handler/authticket.go
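Review bot: In PATCH 2/3, removing the `authTokenRef.Type == reference.FILE` rejection leaves the string prefix as the only thing that keeps a ticket issued for a file from being treated as a directory ticket. That holds only while a file path can never have children; if the ticketed file is deleted and a directory is later created at the same path, the lookup by `authToken.FilePathHash` would presumably resolve to the new directory and the old ticket would start covering its contents. If the type check was dropped only to get a unit test through, consider keeping `"type"` in the field list and rejecting refs that are not directories, or add a comment such as `// a file path has no children, so the "/"-terminated prefix can only match under a directory` that states the invariant relied on. verifyAuthTicket begins and ends outside the hunk.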
@@ -31,7 +31,10 @@ func verifyAuthTicket(ctx context.Context, authTokenString string, allocationObj
 if err != nil {
 return nil, err
 }
- prefixPath := authTokenRef.Path + "/"
+ prefixPath := authTokenRef.Path
+ if prefixPath != "/" {
+ prefixPath += "/"
+ }
 if !strings.HasPrefix(refRequested.Path, prefixPath) {
 return nil, common.NewError("invalid_parameters", "Auth ticket is not valid for the resource being requested")
 }
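Review bot: The added `if prefixPath != "/"` branch in PATCH 3/3 carries no comment, although it is the case that lets one ticket cover the whole allocation and the trailing slash is what stops a ticket for `/a/b` from authorizing `/a/bc`. A comment above it such as `// compare on a path-segment boundary; the root "/" already ends on one, and "//" would match nothing` would record both reasons. The test is a literal string prefix, so it also assumes `authTokenRef.Path` and `refRequested.Path` are stored in canonical form (no `..` segments, no doubled or trailing slashes); where those values are produced is outside this hunk and is worth confirming. verifyAuthTicket begins and ends outside the hunk.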