@protontech/drive-sdk 0.14.3 → 0.14.5

package/src/internal/nodes/cryptoService.test.ts

@@ -86,6 +86,10 @@ describe('nodesCryptoService', () => {
         };
         // @ts-expect-error No need to implement all methods for mocking
         sharesService = {
+            getRootIDs: jest.fn(async () => ({
+                volumeId: 'volumeId',
+                rootNodeId: 'rootNodeId',
+            })),
             getMyFilesShareMemberEmailKey: jest.fn(async () => ({
                 email: 'email',
                 addressKey: 'key' as unknown as PrivateKey,
@@ -94,7 +98,7 @@ describe('nodesCryptoService', () => {
         };
 
         const nodesCryptoReporter = new NodesCryptoReporter(telemetry, sharesService);
-        cryptoService = new NodesCryptoService(telemetry, driveCrypto, account, nodesCryptoReporter);
+        cryptoService = new NodesCryptoService(telemetry, driveCrypto, account, sharesService, nodesCryptoReporter);
     });
 
     const parentKey = 'parentKey' as unknown as PrivateKey;
@@ -579,6 +583,7 @@ describe('nodesCryptoService', () => {
         const encryptedNode = {
             uid: 'volumeId~nodeId',
             parentUid: 'volumeId~parentId',
+            creationTime: new Date('2026-01-01'),
             encryptedCrypto: {
                 signatureEmail: 'signatureEmail',
                 nameSignatureEmail: 'nameSignatureEmail',
@@ -786,7 +791,13 @@ describe('nodesCryptoService', () => {
                         }) as any,
                 );
 
-                const result = await cryptoService.decryptNode(encryptedNode, parentKey);
+                const result = await cryptoService.decryptNode(
+                    {
+                        ...encryptedNode,
+                        creationTime: new Date('2026-01-01'),
+                    },
+                    parentKey,
+                );
                 verifyResult(result, {
                     keyAuthor: {
                         ok: false,
@@ -796,12 +807,50 @@ describe('nodesCryptoService', () => {
                         },
                     },
                 });
+                expect(account.getOwnAddresses).not.toHaveBeenCalled();
                 verifyLogEventVerificationError({
                     field: 'nodeContentKey',
                     error: 'verification error',
                 });
             });
 
+            it('on content key packet with skipped fallback verification for non-own volume', async () => {
+                driveCrypto.decryptAndVerifySessionKey = jest.fn(
+                    async () =>
+                        Promise.resolve({
+                            sessionKey: 'contentKeyPacketSessionKey',
+                            verified: VERIFICATION_STATUS.SIGNED_AND_INVALID,
+                            verificationErrors: [new Error('verification error')],
+                        }) as any,
+                );
+
+                const result = await cryptoService.decryptNode(
+                    {
+                        ...encryptedNode,
+                        uid: 'otherVolumeId~nodeId',
+                        creationTime: new Date('2022-01-01'),
+                    },
+                    parentKey,
+                );
+
+                verifyResult(result, {
+                    keyAuthor: {
+                        ok: false,
+                        error: {
+                            claimedAuthor: 'signatureEmail',
+                            error: 'Signature verification for content key failed: verification error',
+                        },
+                    },
+                });
+                expect(account.getOwnAddresses).not.toHaveBeenCalled();
+                verifyLogEventVerificationError({
+                    field: 'nodeContentKey',
+                    error: 'verification error',
+                    uid: 'otherVolumeId~nodeId',
+                    fromBefore2024: true,
+                });
+            });
+
             it('on content key packet with successful fallback verification', async () => {
                 driveCrypto.decryptAndVerifySessionKey = jest
                     .fn()
@@ -829,6 +878,7 @@ describe('nodesCryptoService', () => {
                     parentKey,
                 );
                 verifyResult(result);
+                expect(account.getOwnAddresses).toHaveBeenCalled();
                 expect(driveCrypto.decryptAndVerifySessionKey).toHaveBeenCalledTimes(2);
                 expect(driveCrypto.decryptAndVerifySessionKey).toHaveBeenCalledWith(
                     'base64ContentKeyPacket',

package/src/internal/nodes/cryptoService.ts

@@ -33,7 +33,9 @@ import {
     DecryptedUnparsedRevision,
     NodeSigningKeys,
     EncryptedNodeFileCrypto,
+    SharesService,
 } from './interface';
+import { splitNodeUid } from '../uids';
 
 export interface NodesCryptoReporter {
     handleClaimedAuthor(
@@ -76,6 +78,7 @@ export class NodesCryptoService {
         telemetry: ProtonDriveTelemetry,
         protected driveCrypto: DriveCrypto,
         private account: ProtonDriveAccount,
+        private sharesService: Pick<SharesService, 'getRootIDs'>,
         private reporter: NodesCryptoReporter,
     ) {
         this.logger = telemetry.getLogger('nodes-crypto');
@@ -538,6 +541,15 @@ export class NodesCryptoService {
             return result;
         }
 
+        const { volumeId: ownVolumeId } = await this.sharesService.getRootIDs();
+        const { volumeId: nodesVolumeId } = splitNodeUid(node.uid);
+
+        // If the node is not in the own volume, skip the fallback verification,
+        // because it is not possible to load all owners' address keys.
+        if (ownVolumeId !== nodesVolumeId) {
+            return result;
+        }
+
         const allAddresses = await this.account.getOwnAddresses();
         const allKeys = allAddresses.flatMap((address) => address.keys.map(({ key }) => key));
 
@@ -745,7 +757,10 @@ export class NodesCryptoService {
         };
     }
 
-    async generateNameHashes(parentHashKey: Uint8Array<ArrayBuffer>, names: string[]): Promise<{ name: string; hash: string }[]> {
+    async generateNameHashes(
+        parentHashKey: Uint8Array<ArrayBuffer>,
+        names: string[],
+    ): Promise<{ name: string; hash: string }[]> {
         return Promise.all(
             names.map(async (name) => ({
                 name,

package/src/internal/nodes/index.ts

@@ -43,7 +43,7 @@ export function initNodesModule(
     const cache = new NodesCache(telemetry.getLogger('nodes-cache'), driveEntitiesCache);
     const cryptoCache = new NodesCryptoCache(telemetry.getLogger('nodes-cache'), driveCryptoCache);
     const cryptoReporter = new NodesCryptoReporter(telemetry, sharesService);
-    const cryptoService = new NodesCryptoService(telemetry, driveCrypto, account, cryptoReporter);
+    const cryptoService = new NodesCryptoService(telemetry, driveCrypto, account, sharesService, cryptoReporter);
     const nodesAccess = new NodesAccess(telemetry, api, cache, cryptoCache, cryptoService, sharesService);
     const nodesEventHandler = new NodesEventsHandler(telemetry.getLogger('nodes-events'), cache);
     const nodesManagement = new NodesManagement(api, cryptoCache, cryptoService, nodesAccess);

package/src/internal/nodes/nodesManagement.test.ts

@@ -4,9 +4,9 @@ import { NodesCryptoService } from './cryptoService';
 import { NodesAccess } from './nodesAccess';
 import { DecryptedNode } from './interface';
 import { NodesManagement } from './nodesManagement';
-import { NodeResult } from '../../interface';
+import { NodeResult, NodeResultWithError } from '../../interface';
 import { NodeOutOfSyncError } from './errors';
-import { ValidationError } from '../../errors';
+import { NodeWithSameNameExistsValidationError, ValidationError } from '../../errors';
 
 describe('NodesManagement', () => {
     let apiService: NodeAPIService;
@@ -263,6 +263,42 @@ describe('NodesManagement', () => {
         );
     });
 
+    it('moveNodes yields NodeWithSameNameExistsValidationError in case of duplicate node name', async () => {
+        const encryptedCrypto = {
+            encryptedName: 'movedArmoredNodeName',
+            hash: 'movedHash',
+            armoredNodePassphrase: 'movedArmoredNodePassphrase',
+            armoredNodePassphraseSignature: 'movedArmoredNodePassphraseSignature',
+            signatureEmail: 'movedSignatureEmail',
+            nameSignatureEmail: 'movedNameSignatureEmail',
+        };
+        cryptoService.encryptNodeWithNewParent = jest.fn().mockResolvedValue(encryptedCrypto);
+        const error = new NodeWithSameNameExistsValidationError('Node with same name exists', 2500, 'existingNodeUid');
+        apiService.moveNode = jest.fn().mockRejectedValue(error);
+
+        const results: NodeResultWithError[] = [];
+        for await (const result of management.moveNodes(['nodeUid'], 'newParentNodeUid')) {
+            results.push(result);
+        }
+
+        expect(results).toHaveLength(1);
+        expect(results[0]).toEqual({ uid: 'nodeUid', ok: false, error });
+        expect(results[0].ok === false && results[0].error).toBeInstanceOf(NodeWithSameNameExistsValidationError);
+    });
+
+    it('moveNodes yields NodeResultWithError with Error on failure', async () => {
+        const error = new Error('move failed');
+        cryptoService.encryptNodeWithNewParent = jest.fn().mockRejectedValue(error);
+
+        const results: NodeResultWithError[] = [];
+        for await (const result of management.moveNodes(['nodeUid'], 'newParentNodeUid')) {
+            results.push(result);
+        }
+
+        expect(results).toHaveLength(1);
+        expect(results[0]).toEqual({ uid: 'nodeUid', ok: false, error });
+    });
+
     it('copyNode manages copy and updates cache', async () => {
         const encryptedCrypto = {
             encryptedName: 'copiedArmoredNodeName',

package/src/internal/nodes/nodesManagement.ts

@@ -1,6 +1,14 @@
 import { c } from 'ttag';
 
-import { MemberRole, NodeType, NodeResult, NodeResultWithNewUid, resultOk, InvalidNameError } from '../../interface';
+import {
+    MemberRole,
+    NodeType,
+    NodeResult,
+    NodeResultWithNewUid,
+    resultOk,
+    InvalidNameError,
+    NodeResultWithError,
+} from '../../interface';
 import { AbortError, ValidationError } from '../../errors';
 import { createErrorFromUnknown, getErrorMessage } from '../errors';
 import { splitNodeUid } from '../uids';
@@ -107,7 +115,11 @@ export abstract class NodesManagementBase<
     }
 
     // Improvement requested: move nodes in parallel
-    async *moveNodes(nodeUids: string[], newParentNodeUid: string, signal?: AbortSignal): AsyncGenerator<NodeResult> {
+    async *moveNodes(
+        nodeUids: string[],
+        newParentNodeUid: string,
+        signal?: AbortSignal,
+    ): AsyncGenerator<NodeResultWithError> {
         for (const nodeUid of nodeUids) {
             if (signal?.aborted) {
                 throw new AbortError(c('Error').t`Move operation aborted`);
@@ -122,7 +134,7 @@ export abstract class NodesManagementBase<
                 yield {
                     uid: nodeUid,
                     ok: false,
-                    error: getErrorMessage(error),
+                    error: error instanceof Error ? error : new Error(getErrorMessage(error), { cause: error }),
                 };
             }
         }

package/src/internal/photos/index.ts

@@ -123,7 +123,7 @@ export function initPhotosNodesModule(
     const cache = new PhotosNodesCache(telemetry.getLogger('nodes-cache'), driveEntitiesCache);
     const cryptoCache = new NodesCryptoCache(telemetry.getLogger('nodes-cache'), driveCryptoCache);
     const cryptoReporter = new NodesCryptoReporter(telemetry, sharesService);
-    const cryptoService = new NodesCryptoService(telemetry, driveCrypto, account, cryptoReporter);
+    const cryptoService = new NodesCryptoService(telemetry, driveCrypto, account, sharesService, cryptoReporter);
     const nodesAccess = new PhotosNodesAccess(telemetry, api, cache, cryptoCache, cryptoService, sharesService);
     const nodesEventHandler = new NodesEventsHandler(telemetry.getLogger('nodes-events'), cache);
     const nodesManagement = new PhotosNodesManagement(api, cryptoCache, cryptoService, nodesAccess);

package/src/internal/sharing/apiService.ts

@@ -433,6 +433,7 @@ export class SharingAPIService {
         shareId: string,
         invitation: EncryptedInvitationRequest,
         emailDetails: { message?: string; nodeName?: string } = {},
+        externalInvitationId: string | null = null,
     ): Promise<EncryptedInvitation> {
         const response = await this.apiService.post<PostInviteProtonUserRequest, PostInviteProtonUserResponse>(
             `drive/v2/shares/${shareId}/invitations`,
@@ -443,7 +444,7 @@ export class SharingAPIService {
                     Permissions: memberRoleToPermission(invitation.role),
                     KeyPacket: invitation.base64KeyPacket,
                     KeyPacketSignature: invitation.base64KeyPacketSignature,
-                    ExternalInvitationID: null,
+                    ExternalInvitationID: externalInvitationId,
                 },
                 EmailDetails: {
                     Message: emailDetails.message,

package/src/internal/sharing/cryptoService.ts

@@ -182,11 +182,12 @@ export class SharingCryptoService {
         shareSessionKey: SessionKey,
         inviterKey: PrivateKey,
         inviteeEmail: string,
+        forceRefreshKeys?: boolean,
     ): Promise<{
         base64KeyPacket: string;
         base64KeyPacketSignature: string;
     }> {
-        const inviteePublicKeys = await this.account.getPublicKeys(inviteeEmail);
+        const inviteePublicKeys = await this.account.getPublicKeys(inviteeEmail, forceRefreshKeys);
         const result = await this.driveCrypto.encryptInvitation(shareSessionKey, inviteePublicKeys[0], inviterKey);
         return result;
     }

package/src/internal/sharing/sharingManagement.test.ts

@@ -106,6 +106,7 @@ describe('SharingManagement', () => {
                 creatorEmail: 'address@example.com',
                 passphraseSessionKey: 'sharePassphraseSessionKey',
             }),
+            getRootIDs: jest.fn().mockResolvedValue({ volumeId: 'volumeId' }),
         };
         // @ts-expect-error No need to implement all methods for mocking
         nodesService = {
@@ -146,7 +147,7 @@ describe('SharingManagement', () => {
             const invitation = { uid: 'invitaiton', addedByEmail: 'email' };
             apiService.getShareInvitations = jest.fn().mockResolvedValue([invitation]);
 
-            const sharingInfo = await sharingManagement.getSharingInfo('nodeUid');
+            const sharingInfo = await sharingManagement.getSharingInfo('volumeId~nodeUid');
 
             expect(sharingInfo).toEqual({
                 protonInvitations: [invitation],
@@ -161,7 +162,7 @@ describe('SharingManagement', () => {
             const externalInvitation = { uid: 'external-invitation', addedByEmail: 'email' };
             apiService.getShareExternalInvitations = jest.fn().mockResolvedValue([externalInvitation]);
 
-            const sharingInfo = await sharingManagement.getSharingInfo('nodeUid');
+            const sharingInfo = await sharingManagement.getSharingInfo('volumeId~nodeUid');
 
             expect(sharingInfo).toEqual({
                 protonInvitations: [],
@@ -176,7 +177,7 @@ describe('SharingManagement', () => {
             const member = { uid: 'member', addedByEmail: 'email' };
             apiService.getShareMembers = jest.fn().mockResolvedValue([member]);
 
-            const sharingInfo = await sharingManagement.getSharingInfo('nodeUid');
+            const sharingInfo = await sharingManagement.getSharingInfo('volumeId~nodeUid');
 
             expect(sharingInfo).toEqual({
                 protonInvitations: [],
@@ -193,7 +194,7 @@ describe('SharingManagement', () => {
             };
             apiService.getPublicLink = jest.fn().mockResolvedValue(publicLink);
 
-            const sharingInfo = await sharingManagement.getSharingInfo('nodeUid');
+            const sharingInfo = await sharingManagement.getSharingInfo('volumeId~nodeUid');
 
             expect(sharingInfo).toEqual({
                 protonInvitations: [],
@@ -203,6 +204,19 @@ describe('SharingManagement', () => {
             });
             expect(cryptoService.decryptPublicLink).toHaveBeenCalledWith(publicLink);
         });
+
+        it('should NOT return public link when volume ID does not match', async () => {
+            apiService.getPublicLink = jest.fn().mockResolvedValue(null);
+            const sharingInfo = await sharingManagement.getSharingInfo('zolumeId~nodeUid');
+            expect(sharingInfo).toEqual({
+                protonInvitations: [],
+                nonProtonInvitations: [],
+                members: [],
+                publicLink: undefined,
+            });
+            expect(apiService.getPublicLink).not.toHaveBeenCalled();
+            expect(cryptoService.decryptPublicLink).not.toHaveBeenCalled();
+        });
     });
 
     describe('shareNode with share creation', () => {
@@ -889,6 +903,19 @@ describe('SharingManagement', () => {
                 expect(apiService.createStandardShare).not.toHaveBeenCalled();
                 expect(apiService.createPublicLink).not.toHaveBeenCalled();
             });
+
+            it('should not allow creating public link for volume not owned by user', async () => {
+                sharesService.getRootIDs = jest.fn().mockResolvedValue({ volumeId: 'differentVolumeId' });
+                await expect(
+                    sharingManagement.shareNode(nodeUid, {
+                        publicLink: {
+                            role: MemberRole.Viewer,
+                        },
+                    }),
+                ).rejects.toThrow('Cannot create public link for volume not owned by the user');
+
+                expect(apiService.createPublicLink).not.toHaveBeenCalled();
+            });
         });
     });
 
@@ -1111,4 +1138,77 @@ describe('SharingManagement', () => {
             expect(apiService.resendExternalInvitationEmail).not.toHaveBeenCalled();
         });
     });
+
+    describe('convertNonProtonInvitation', () => {
+        const nodeUid = 'volumeId~nodeId';
+        const externalInvitationId = 'inv123';
+        const externalInvitationUid = `${DEFAULT_SHARE_ID}~${externalInvitationId}`;
+        const externalInvitation: NonProtonInvitation = {
+            uid: externalInvitationUid,
+            inviteeEmail: 'external@example.com',
+            addedByEmail: resultOk('inviter@example.com'),
+            role: MemberRole.Viewer,
+            invitationTime: new Date(),
+            state: NonProtonInvitationState.Pending,
+        };
+
+        beforeEach(() => {
+            nodesService.getNode = jest.fn().mockResolvedValue({
+                nodeUid,
+                shareId: DEFAULT_SHARE_ID,
+                directRole: MemberRole.Admin,
+                name: { ok: true, value: 'name' },
+            });
+            apiService.getShareExternalInvitations = jest.fn().mockResolvedValue([externalInvitation]);
+        });
+
+        it('should throw if caller is not admin', async () => {
+            nodesService.getNode = jest.fn().mockResolvedValue({
+                nodeUid,
+                shareId: DEFAULT_SHARE_ID,
+                directRole: MemberRole.Viewer,
+                name: { ok: true, value: 'name' },
+            });
+
+            await expect(
+                sharingManagement.convertNonProtonInvitation(nodeUid, externalInvitationUid),
+            ).rejects.toThrow(ValidationError);
+        });
+
+        it('should throw if no sharing info found', async () => {
+            nodesService.getNode = jest.fn().mockResolvedValue({
+                nodeUid,
+                shareId: undefined,
+                directRole: MemberRole.Admin,
+                name: { ok: true, value: 'name' },
+            });
+
+            await expect(
+                sharingManagement.convertNonProtonInvitation(nodeUid, externalInvitationUid),
+            ).rejects.toThrow(ValidationError);
+        });
+
+        it('should throw if external invitation ID is not found', async () => {
+            await expect(
+                sharingManagement.convertNonProtonInvitation(nodeUid, 'unknownShareId~unknownInvId'),
+            ).rejects.toThrow(ValidationError);
+        });
+
+        it('should invite proton user with force-refreshed keys and the external invitation ID', async () => {
+            await sharingManagement.convertNonProtonInvitation(nodeUid, externalInvitationUid);
+
+            expect(cryptoService.encryptInvitation).toHaveBeenCalledWith(
+                expect.anything(),
+                expect.anything(),
+                externalInvitation.inviteeEmail,
+                true,
+            );
+            expect(apiService.inviteProtonUser).toHaveBeenCalledWith(
+                DEFAULT_SHARE_ID,
+                expect.objectContaining({ inviteeEmail: externalInvitation.inviteeEmail, role: externalInvitation.role }),
+                {},
+                externalInvitationId,
+            );
+        });
+    });
 });

package/src/internal/sharing/sharingManagement.ts

@@ -16,7 +16,7 @@ import {
     SharePublicLinkSettingsObject,
 } from '../../interface';
 import { ErrorCode } from '../apiService';
-import { splitNodeUid } from '../uids';
+import { splitNodeUid, splitInvitationUid } from '../uids';
 import { getErrorMessage } from '../errors';
 import { SharingAPIService } from './apiService';
 import { PUBLIC_LINK_GENERATED_PASSWORD_LENGTH, SharingCryptoService } from './cryptoService';
@@ -77,11 +77,13 @@ export class SharingManagement {
             return;
         }
 
+        const { volumeId } = splitNodeUid(nodeUid);
+
         const [protonInvitations, nonProtonInvitations, members, publicLink, share] = await Promise.all([
             Array.fromAsync(this.iterateShareInvitations(node.shareId)),
             Array.fromAsync(this.iterateShareExternalInvitations(node.shareId)),
             Array.fromAsync(this.iterateShareMembers(node.shareId)),
-            this.getPublicLink(node.shareId),
+            this.getPublicLink(node.shareId, volumeId),
             this.sharesService.loadEncryptedShare(node.shareId),
         ]);
 
@@ -115,11 +117,18 @@ export class SharingManagement {
         }
     }
 
-    private async getPublicLink(shareId: string): Promise<PublicLinkWithCreatorEmail | undefined> {
+    private async getPublicLink(shareId: string, volumeId: string): Promise<PublicLinkWithCreatorEmail | undefined> {
+        const rootIds = await this.sharesService.getRootIDs();
+        // Public links are encrypted by address key, thus it can work only for the owner for now.
+        if (volumeId !== rootIds.volumeId) {
+            return;
+        }
+
         const encryptedPublicLink = await this.apiService.getPublicLink(shareId);
         if (!encryptedPublicLink) {
             return;
         }
+
         return this.cryptoService.decryptPublicLink(encryptedPublicLink);
     }
 
@@ -587,8 +596,52 @@ export class SharingManagement {
         await this.apiService.deleteExternalInvitation(invitationUid);
     }
 
-    private async convertExternalInvitationsToInternal(): Promise<void> {
-        // FIXME
+    async convertNonProtonInvitation(nodeUid: string, nonProtonInvitationUid: string): Promise<ProtonInvitation> {
+        const { invitationId: externalInvitationId } = splitInvitationUid(nonProtonInvitationUid);
+
+        const node = await this.nodesService.getNode(nodeUid);
+        if (node.directRole !== MemberRole.Admin) {
+            throw new ValidationError(c('Error').t`Only admins can convert non-Proton invitations`);
+        }
+
+        const [currentSharing, inviter] = await Promise.all([
+            this.getInternalSharingInfo(nodeUid),
+            this.nodesService.getRootNodeEmailKey(nodeUid),
+        ]);
+        if (!currentSharing) {
+            throw new ValidationError(c('Error').t`The node is not shared anymore`);
+        }
+
+        const externalInvitation = currentSharing.nonProtonInvitations.find(
+            (invitation) => invitation.uid === nonProtonInvitationUid,
+        );
+        if (!externalInvitation) {
+            throw new ValidationError(c('Error').t`Invitation not found`);
+        }
+        this.logger.info(
+            `Converting non-Proton invitation for ${externalInvitation.inviteeEmail} to internal for node ${nodeUid}`,
+        );
+        const invitationCrypto = await this.cryptoService.encryptInvitation(
+            currentSharing.share.passphraseSessionKey,
+            inviter.addressKey,
+            externalInvitation.inviteeEmail,
+            true, // Force refresh keys: the invitee just created a Proton account, so we have "absent" keys in cache
+        );
+        const encryptedInvitation = await this.apiService.inviteProtonUser(
+            currentSharing.share.shareId,
+            {
+                addedByEmail: inviter.email,
+                inviteeEmail: externalInvitation.inviteeEmail,
+                role: externalInvitation.role,
+                ...invitationCrypto,
+            },
+            {},
+            externalInvitationId,
+        );
+        return {
+            ...encryptedInvitation,
+            addedByEmail: resultOk(encryptedInvitation.addedByEmail),
+        };
     }
 
     private async removeMember(memberUid: string): Promise<void> {
@@ -604,6 +657,11 @@ export class SharingManagement {
         share: Share,
         options: SharePublicLinkSettingsObject,
     ): Promise<PublicLinkWithCreatorEmail> {
+        const rootIds = await this.sharesService.getRootIDs();
+        if (share.volumeId !== rootIds.volumeId) {
+            throw new ValidationError(c('Error').t`Cannot create public link for volume not owned by the user`);
+        }
+
         const generatedPassword = await this.cryptoService.generatePublicLinkPassword();
         const password = options.customPassword ? `${generatedPassword}${options.customPassword}` : generatedPassword;
 
@@ -638,6 +696,11 @@ export class SharingManagement {
         publicLink: PublicLinkWithCreatorEmail,
         options: SharePublicLinkSettingsObject,
     ): Promise<PublicLinkWithCreatorEmail> {
+        const rootIds = await this.sharesService.getRootIDs();
+        if (share.volumeId !== rootIds.volumeId) {
+            throw new ValidationError(c('Error').t`Cannot update public link for volume not owned by the user`);
+        }
+
         const generatedPassword = publicLink.url.split('#')[1];
         // Legacy public links didn't have generated password or had various lengths.
         if (!generatedPassword || generatedPassword.length !== PUBLIC_LINK_GENERATED_PASSWORD_LENGTH) {

package/src/internal/sharingPublic/index.ts

@@ -100,7 +100,13 @@ export function initSharingPublicNodesModule(
     const cache = new NodesCache(telemetry.getLogger('nodes-cache'), driveEntitiesCache);
     const cryptoCache = new NodesCryptoCache(telemetry.getLogger('nodes-cache'), driveCryptoCache);
     const cryptoReporter = new SharingPublicCryptoReporter(telemetry);
-    const cryptoService = new SharingPublicNodesCryptoService(telemetry, driveCrypto, account, cryptoReporter);
+    const cryptoService = new SharingPublicNodesCryptoService(
+        telemetry,
+        driveCrypto,
+        account,
+        sharesService,
+        cryptoReporter,
+    );
     const nodesAccess = new SharingPublicNodesAccess(
         telemetry,
         api,

package/src/protonDriveClient.ts

@@ -8,11 +8,13 @@ import {
     MaybeNode,
     MaybeMissingNode,
     NodeResult,
+    NodeResultWithError,
     NodeResultWithNewUid,
     Revision,
     RevisionOrUid,
     ShareNodeSettings,
     UnshareNodeSettings,
+    ProtonInvitation,
     ProtonInvitationOrUid,
     NonProtonInvitationOrUid,
     ProtonInvitationWithNode,
@@ -420,7 +422,7 @@ export class ProtonDriveClient {
         nodeUids: NodeOrUid[],
         newParentNodeUid: NodeOrUid,
         signal?: AbortSignal,
-    ): AsyncGenerator<NodeResult> {
+    ): AsyncGenerator<NodeResultWithError> {
         this.logger.info(`Moving ${nodeUids.length} nodes to ${getUid(newParentNodeUid)}`);
         yield* this.nodes.management.moveNodes(getUids(nodeUids), getUid(newParentNodeUid), signal);
     }
@@ -749,6 +751,22 @@ export class ProtonDriveClient {
         return this.sharing.management.unshareNode(getUid(nodeUid), settings);
     }
 
+    /**
+     * Convert a non-Proton invitation to an internal invitation.
+     * This is called automatically in the background when the SDK receives
+     * a metadata update event, but can also be triggered manually.
+     *
+     * @param nodeUid - Node entity or its UID string.
+     * @param invitationOrUid - Non-Proton invitation entity or its UID string.
+     */
+    async convertNonProtonInvitation(
+        nodeUid: NodeOrUid,
+        invitationOrUid: NonProtonInvitationOrUid,
+    ): Promise<ProtonInvitation> {
+        this.logger.info(`Converting non-Proton invitation ${getUid(invitationOrUid)} for node ${getUid(nodeUid)}`);
+        return this.sharing.management.convertNonProtonInvitation(getUid(nodeUid), getUid(invitationOrUid));
+    }
+
     /**
      * Resend the invitation email to shared node.
      *

package/src/protonDrivePhotosClient.ts

@@ -13,6 +13,7 @@ import {
     ShareNodeSettings,
     ShareResult,
     UnshareNodeSettings,
+    ProtonInvitation,
     ProtonInvitationOrUid,
     NonProtonInvitationOrUid,
     ProtonInvitationWithNode,
@@ -408,6 +409,22 @@ export class ProtonDrivePhotosClient {
         return this.sharing.management.unshareNode(getUid(nodeUid), settings);
     }
 
+    /**
+     * Convert a non-Proton invitation to an internal invitation.
+     * This is called automatically in the background when the SDK receives
+     * a metadata update event, but can also be triggered manually.
+     *
+     * @param nodeUid - Node entity or its UID string.
+     * @param invitationOrUid - Non-Proton invitation entity or its UID string.
+     */
+    async convertNonProtonInvitation(
+        nodeUid: NodeOrUid,
+        invitationOrUid: NonProtonInvitationOrUid,
+    ): Promise<ProtonInvitation> {
+        this.logger.info(`Converting non-Proton invitation ${getUid(invitationOrUid)} for node ${getUid(nodeUid)}`);
+        return this.sharing.management.convertNonProtonInvitation(getUid(nodeUid), getUid(invitationOrUid));
+    }
+
     /**
      * Resend the invitation email to shared node.
      *