@protontech/drive-sdk 0.9.7 → 0.9.8

package/src/internal/photos/albumsCrypto.test.ts

@@ -0,0 +1,181 @@
+import { DriveCrypto, PrivateKey, SessionKey } from '../../crypto';
+import { NodeSigningKeys } from '../nodes/interface';
+import { AlbumsCryptoService } from './albumsCrypto';
+
+describe('AlbumsCryptoService', () => {
+    let driveCrypto: DriveCrypto;
+    let albumsCryptoService: AlbumsCryptoService;
+
+    beforeEach(() => {
+        jest.clearAllMocks();
+
+        // @ts-expect-error No need to implement all methods for mocking
+        driveCrypto = {};
+
+        albumsCryptoService = new AlbumsCryptoService(driveCrypto);
+    });
+
+    describe('createAlbum', () => {
+        let parentKeys: any;
+
+        beforeEach(() => {
+            parentKeys = {
+                key: 'parentKey' as any,
+                hashKey: new Uint8Array([1, 2, 3]),
+            };
+            driveCrypto.generateKey = jest.fn().mockResolvedValue({
+                encrypted: {
+                    armoredKey: 'encryptedNodeKey',
+                    armoredPassphrase: 'encryptedPassphrase',
+                    armoredPassphraseSignature: 'passphraseSignature',
+                },
+                decrypted: {
+                    key: 'nodeKey' as any,
+                    passphrase: 'nodePassphrase',
+                    passphraseSessionKey: 'passphraseSessionKey' as any,
+                },
+            });
+            driveCrypto.encryptNodeName = jest.fn().mockResolvedValue({
+                armoredNodeName: 'encryptedNodeName',
+            });
+            driveCrypto.generateLookupHash = jest.fn().mockResolvedValue('lookupHash');
+            driveCrypto.generateHashKey = jest.fn().mockResolvedValue({
+                armoredHashKey: 'encryptedHashKey',
+                hashKey: new Uint8Array([4, 5, 6]),
+            });
+        });
+
+        it('should encrypt new album with user address key', async () => {
+            const signingKeys: NodeSigningKeys = {
+                type: 'userAddress',
+                email: 'test@example.com',
+                addressId: 'addressId',
+                key: 'addressKey' as any,
+            };
+
+            const result = await albumsCryptoService.createAlbum(parentKeys, signingKeys, 'My Album');
+
+            expect(result).toEqual({
+                encryptedCrypto: {
+                    encryptedName: 'encryptedNodeName',
+                    hash: 'lookupHash',
+                    armoredKey: 'encryptedNodeKey',
+                    armoredNodePassphrase: 'encryptedPassphrase',
+                    armoredNodePassphraseSignature: 'passphraseSignature',
+                    signatureEmail: 'test@example.com',
+                    armoredHashKey: 'encryptedHashKey',
+                },
+                keys: {
+                    passphrase: 'nodePassphrase',
+                    key: 'nodeKey',
+                    passphraseSessionKey: 'passphraseSessionKey',
+                    hashKey: new Uint8Array([4, 5, 6]),
+                },
+            });
+
+            expect(driveCrypto.generateKey).toHaveBeenCalledWith([parentKeys.key], signingKeys.key);
+            expect(driveCrypto.encryptNodeName).toHaveBeenCalledWith(
+                'My Album',
+                undefined,
+                parentKeys.key,
+                signingKeys.key,
+            );
+            expect(driveCrypto.generateLookupHash).toHaveBeenCalledWith('My Album', parentKeys.hashKey);
+            expect(driveCrypto.generateHashKey).toHaveBeenCalledWith('nodeKey');
+        });
+
+        it('should throw error when creating album by anonymous user', async () => {
+            const signingKeys: NodeSigningKeys = {
+                type: 'nodeKey',
+                nodeKey: 'nodeSigningKey' as any,
+                parentNodeKey: 'parentNodeKey' as any,
+            };
+
+            await expect(albumsCryptoService.createAlbum(parentKeys, signingKeys, 'My Album')).rejects.toThrow(
+                'Creating album by anonymous user is not supported',
+            );
+        });
+    });
+
+    describe('renameAlbum', () => {
+        let parentKeys: any;
+        let nodeNameSessionKey: SessionKey;
+
+        beforeEach(() => {
+            parentKeys = {
+                key: 'parentKey' as any,
+                hashKey: new Uint8Array([1, 2, 3]),
+            };
+            nodeNameSessionKey = 'nameSessionKey' as any;
+            driveCrypto.decryptSessionKey = jest.fn().mockResolvedValue(nodeNameSessionKey);
+            driveCrypto.encryptNodeName = jest.fn().mockResolvedValue({
+                armoredNodeName: 'encryptedNewNodeName',
+            });
+            driveCrypto.generateLookupHash = jest.fn().mockResolvedValue('newHash');
+        });
+
+        it('should encrypt new album name with user address key', async () => {
+            const signingKeys: NodeSigningKeys = {
+                type: 'userAddress',
+                email: 'test@example.com',
+                addressId: 'addressId',
+                key: 'addressKey' as any,
+            };
+
+            const result = await albumsCryptoService.renameAlbum(
+                parentKeys,
+                'oldEncryptedName',
+                signingKeys,
+                'Renamed Album',
+            );
+
+            expect(result).toEqual({
+                signatureEmail: 'test@example.com',
+                armoredNodeName: 'encryptedNewNodeName',
+                hash: 'newHash',
+            });
+
+            expect(driveCrypto.decryptSessionKey).toHaveBeenCalledWith('oldEncryptedName', parentKeys.key);
+            expect(driveCrypto.encryptNodeName).toHaveBeenCalledWith(
+                'Renamed Album',
+                nodeNameSessionKey,
+                parentKeys.key,
+                signingKeys.key,
+            );
+            expect(driveCrypto.generateLookupHash).toHaveBeenCalledWith('Renamed Album', parentKeys.hashKey);
+        });
+
+        it('should throw error when renaming album by anonymous user', async () => {
+            const signingKeys: NodeSigningKeys = {
+                type: 'nodeKey',
+                nodeKey: 'nodeSigningKey' as any,
+                parentNodeKey: 'parentNodeKey' as any,
+            };
+
+            await expect(
+                albumsCryptoService.renameAlbum(parentKeys, 'oldEncryptedName', signingKeys, 'Renamed Album'),
+            ).rejects.toThrow('Renaming album by anonymous user is not supported');
+        });
+
+        it('should throw error when parent hash key is not available', async () => {
+            const parentKeysWithoutHashKey = {
+                key: 'parentKey' as any,
+            };
+            const signingKeys: NodeSigningKeys = {
+                type: 'userAddress',
+                email: 'test@example.com',
+                addressId: 'addressId',
+                key: 'addressKey' as any,
+            };
+
+            await expect(
+                albumsCryptoService.renameAlbum(
+                    parentKeysWithoutHashKey,
+                    'oldEncryptedName',
+                    signingKeys,
+                    'Renamed Album',
+                ),
+            ).rejects.toThrow('Cannot rename album: parent folder hash key not available');
+        });
+    });
+});

package/src/internal/photos/albumsCrypto.ts

@@ -0,0 +1,100 @@
+import { DriveCrypto, PrivateKey } from '../../crypto';
+import { DecryptedNodeKeys, NodeSigningKeys } from '../nodes/interface';
+
+/**
+ * Provides crypto operations for albums.
+ *
+ * Albums are special folders in the photos volume. This service reuses
+ * the drive crypto module for key and name encryption operations.
+ */
+export class AlbumsCryptoService {
+    constructor(private driveCrypto: DriveCrypto) {
+        this.driveCrypto = driveCrypto;
+    }
+
+    async createAlbum(
+        parentKeys: { key: PrivateKey; hashKey: Uint8Array },
+        signingKeys: NodeSigningKeys,
+        name: string,
+    ): Promise<{
+        encryptedCrypto: {
+            encryptedName: string;
+            hash: string;
+            armoredKey: string;
+            armoredNodePassphrase: string;
+            armoredNodePassphraseSignature: string;
+            signatureEmail: string;
+            armoredHashKey: string;
+        };
+        keys: DecryptedNodeKeys;
+    }> {
+        if (signingKeys.type !== 'userAddress') {
+            throw new Error('Creating album by anonymous user is not supported');
+        }
+        const email = signingKeys.email;
+        const nameAndPassphraseSigningKey = signingKeys.key;
+
+        const [nodeKeys, { armoredNodeName }, hash] = await Promise.all([
+            this.driveCrypto.generateKey([parentKeys.key], nameAndPassphraseSigningKey),
+            this.driveCrypto.encryptNodeName(name, undefined, parentKeys.key, nameAndPassphraseSigningKey),
+            this.driveCrypto.generateLookupHash(name, parentKeys.hashKey),
+        ]);
+
+        const { armoredHashKey, hashKey } = await this.driveCrypto.generateHashKey(nodeKeys.decrypted.key);
+
+        return {
+            encryptedCrypto: {
+                encryptedName: armoredNodeName,
+                hash,
+                armoredKey: nodeKeys.encrypted.armoredKey,
+                armoredNodePassphrase: nodeKeys.encrypted.armoredPassphrase,
+                armoredNodePassphraseSignature: nodeKeys.encrypted.armoredPassphraseSignature,
+                signatureEmail: email,
+                armoredHashKey,
+            },
+            keys: {
+                passphrase: nodeKeys.decrypted.passphrase,
+                key: nodeKeys.decrypted.key,
+                passphraseSessionKey: nodeKeys.decrypted.passphraseSessionKey,
+                hashKey,
+            },
+        };
+    }
+
+    async renameAlbum(
+        parentKeys: { key: PrivateKey; hashKey?: Uint8Array },
+        encryptedName: string,
+        signingKeys: NodeSigningKeys,
+        newName: string,
+    ): Promise<{
+        signatureEmail: string;
+        armoredNodeName: string;
+        hash: string;
+    }> {
+        if (!parentKeys.hashKey) {
+            throw new Error('Cannot rename album: parent folder hash key not available');
+        }
+        if (signingKeys.type !== 'userAddress') {
+            throw new Error('Renaming album by anonymous user is not supported');
+        }
+        const email = signingKeys.email;
+        const nameSigningKey = signingKeys.key;
+
+        const nodeNameSessionKey = await this.driveCrypto.decryptSessionKey(encryptedName, parentKeys.key);
+
+        const { armoredNodeName } = await this.driveCrypto.encryptNodeName(
+            newName,
+            nodeNameSessionKey,
+            parentKeys.key,
+            nameSigningKey,
+        );
+
+        const hash = await this.driveCrypto.generateLookupHash(newName, parentKeys.hashKey);
+
+        return {
+            signatureEmail: email,
+            armoredNodeName,
+            hash,
+        };
+    }
+}

package/src/internal/photos/apiService.ts

@@ -1,6 +1,9 @@
-import { DriveAPIService, drivePaths } from '../apiService';
+import { c } from 'ttag';
+
+import { ValidationError } from '../../errors';
+import { APICodeError, DriveAPIService, drivePaths } from '../apiService';
 import { EncryptedRootShare, EncryptedShareCrypto, ShareType } from '../shares/interface';
-import { makeNodeUid } from '../uids';
+import { makeNodeUid, splitNodeUid } from '../uids';
 
 type GetPhotoShareResponse =
     drivePaths['/drive/v2/shares/photos']['get']['responses']['200']['content']['application/json'];
@@ -18,6 +21,18 @@ type GetTimelineResponse =
 type GetAlbumsResponse =
     drivePaths['/drive/photos/volumes/{volumeID}/albums']['get']['responses']['200']['content']['application/json'];
 
+type PostCreateAlbumRequest = Extract<
+    drivePaths['/drive/photos/volumes/{volumeID}/albums']['post']['requestBody'],
+    { content: object }
+>['content']['application/json'];
+type PostCreateAlbumResponse =
+    drivePaths['/drive/photos/volumes/{volumeID}/albums']['post']['responses']['200']['content']['application/json'];
+
+type PutUpdateAlbumRequest = Extract<
+    drivePaths['/drive/photos/volumes/{volumeID}/albums/{linkID}']['put']['requestBody'],
+    { content: object }
+>['content']['application/json'];
+
 type PostPhotoDuplicateRequest = Extract<
     drivePaths['/drive/volumes/{volumeID}/photos/duplicates']['post']['requestBody'],
     { content: object }
@@ -25,6 +40,8 @@ type PostPhotoDuplicateRequest = Extract<
 type PostPhotoDuplicateResponse =
     drivePaths['/drive/volumes/{volumeID}/photos/duplicates']['post']['responses']['200']['content']['application/json'];
 
+const ALBUM_CONTAINS_PHOTOS_NOT_IN_TIMELINE_ERROR_CODE = 200302;
+
 /**
  * Provides API communication for fetching and manipulating photos and albums
  * metadata.
@@ -188,4 +205,79 @@ export class PhotosAPIService {
             };
         }).filter((duplicate) => duplicate !== undefined);
     }
+
+    async createAlbum(
+        parentNodeUid: string,
+        album: {
+            encryptedName: string;
+            hash: string;
+            armoredKey: string;
+            armoredNodePassphrase: string;
+            armoredNodePassphraseSignature: string;
+            signatureEmail: string;
+            armoredHashKey: string;
+        },
+    ): Promise<string> {
+        const { volumeId } = splitNodeUid(parentNodeUid);
+        const response = await this.apiService.post<PostCreateAlbumRequest, PostCreateAlbumResponse>(
+            `drive/photos/volumes/${volumeId}/albums`,
+            {
+                Locked: false,
+                Link: {
+                    Name: album.encryptedName,
+                    Hash: album.hash,
+                    NodeKey: album.armoredKey,
+                    NodePassphrase: album.armoredNodePassphrase,
+                    NodePassphraseSignature: album.armoredNodePassphraseSignature,
+                    SignatureEmail: album.signatureEmail,
+                    NodeHashKey: album.armoredHashKey,
+                    XAttr: null,
+                },
+            },
+        );
+
+        return makeNodeUid(volumeId, response.Album.Link.LinkID);
+    }
+
+    async updateAlbum(
+        albumNodeUid: string,
+        coverPhotoNodeUid?: string,
+        updatedName?: {
+            encryptedName: string;
+            hash: string;
+            originalHash: string;
+            nameSignatureEmail: string;
+        },
+    ): Promise<void> {
+        const { volumeId, nodeId: linkId } = splitNodeUid(albumNodeUid);
+        const coverLinkId = coverPhotoNodeUid ? splitNodeUid(coverPhotoNodeUid).nodeId : undefined;
+        await this.apiService.put<PutUpdateAlbumRequest, void>(
+            `drive/photos/volumes/${volumeId}/albums/${linkId}`,
+            {
+                CoverLinkID: coverLinkId,
+                Link: updatedName
+                    ? {
+                          Name: updatedName.encryptedName,
+                          Hash: updatedName.hash,
+                          OriginalHash: updatedName.originalHash,
+                          NameSignatureEmail: updatedName.nameSignatureEmail,
+                      }
+                    : null,
+            },
+        );
+    }
+
+    async deleteAlbum(albumNodeUid: string, options: { force?: boolean } = {}): Promise<void> {
+        const { volumeId, nodeId: linkId } = splitNodeUid(albumNodeUid);
+        try {
+            await this.apiService.delete(
+                `drive/photos/volumes/${volumeId}/albums/${linkId}?DeleteAlbumPhotos=${options.force ? 1 : 0}`,
+            );
+        } catch (error) {
+            if (error instanceof APICodeError && error.code === ALBUM_CONTAINS_PHOTOS_NOT_IN_TIMELINE_ERROR_CODE) {
+                throw new ValidationError(c('Error').t`Album contains photos not in timeline`);
+            }
+            throw error;
+        }
+    }
 }

package/src/internal/photos/index.ts

@@ -1,4 +1,3 @@
-import { DriveAPIService } from '../apiService';
 import { DriveCrypto } from '../../crypto';
 import {
     ProtonDriveAccount,
@@ -6,9 +5,12 @@ import {
     ProtonDriveEntitiesCache,
     ProtonDriveTelemetry,
 } from '../../interface';
+import { DriveAPIService } from '../apiService';
 import { NodesCryptoService } from '../nodes/cryptoService';
 import { NodesCryptoReporter } from '../nodes/cryptoReporter';
 import { NodesCryptoCache } from '../nodes/cryptoCache';
+import { NodesEventsHandler } from '../nodes/events';
+import { NodesRevisons } from '../nodes/nodesRevisions';
 import { ShareTargetType } from '../shares';
 import { SharesCache } from '../shares/cache';
 import { SharesCryptoCache } from '../shares/cryptoCache';
@@ -17,6 +19,7 @@ import { NodesService as UploadNodesService } from '../upload/interface';
 import { UploadTelemetry } from '../upload/telemetry';
 import { UploadQueue } from '../upload/queue';
 import { Albums } from './albums';
+import { AlbumsCryptoService } from './albumsCrypto';
 import { PhotosAPIService } from './apiService';
 import { SharesService } from './interface';
 import { PhotosNodesAPIService, PhotosNodesAccess, PhotosNodesCache, PhotosNodesManagement } from './nodes';
@@ -29,8 +32,6 @@ import {
     PhotoUploadManager,
     PhotoUploadMetadata,
 } from './upload';
-import { NodesRevisons } from '../nodes/nodesRevisions';
-import { NodesEventsHandler } from '../nodes/events';
 
 export type { DecryptedPhotoNode } from './interface';
 
@@ -51,6 +52,7 @@ export function initPhotosModule(
     nodesService: PhotosNodesAccess,
 ) {
     const api = new PhotosAPIService(apiService);
+    const albumsCryptoService = new AlbumsCryptoService(driveCrypto);
     const timeline = new PhotosTimeline(
         telemetry.getLogger('photos-timeline'),
         api,
@@ -58,7 +60,7 @@ export function initPhotosModule(
         photoShares,
         nodesService,
     );
-    const albums = new Albums(api, photoShares, nodesService);
+    const albums = new Albums(api, albumsCryptoService, photoShares, nodesService);
 
     return {
         timeline,

package/src/internal/photos/upload.ts

@@ -109,13 +109,14 @@ export class PhotoStreamUploader extends StreamUploader {
     }
 
     async commitFile(thumbnails: Thumbnail[]) {
-        this.verifyIntegrity(thumbnails);
+        const digests = this.digests.digests();
+        this.verifyIntegrity(thumbnails, digests);
 
         const extendedAttributes = {
             modificationTime: this.metadata.modificationTime,
             size: this.metadata.expectedSize,
             blockSizes: this.uploadedBlockSizes,
-            digests: this.digests.digests(),
+            digests,
         };
 
         await this.photoUploadManager.commitDraftPhoto(this.revisionDraft, this.manifest, extendedAttributes, this.photoMetadata);

package/src/internal/upload/streamUploader.test.ts

@@ -564,6 +564,44 @@ describe('StreamUploader', () => {
 
                 await verifyFailure('Some file bytes failed to upload', 10 * 1024 * 1024 + 1024);
             });
+
+            it('should succeed with matching expectedSha1', async () => {
+                metadata.expectedSha1 = '8c206a1a87599f532ce68675536f0b1546900d7a';
+
+                uploader = new StreamUploader(
+                    telemetry,
+                    apiService,
+                    cryptoService,
+                    uploadManager,
+                    blockVerifier,
+                    revisionDraft,
+                    metadata,
+                    onFinish,
+                    controller,
+                    abortController,
+                );
+
+                await verifySuccess();
+            });
+
+            it('should throw an error if SHA1 does not match', async () => {
+                metadata.expectedSha1 = 'wrong_sha1_hash_that_will_not_match';
+
+                uploader = new StreamUploader(
+                    telemetry,
+                    apiService,
+                    cryptoService,
+                    uploadManager,
+                    blockVerifier,
+                    revisionDraft,
+                    metadata,
+                    onFinish,
+                    controller,
+                    abortController,
+                );
+
+                await verifyFailure('File hash does not match expected hash', 10 * 1024 * 1024 + 1024);
+            });
         });
     });
 

package/src/internal/upload/streamUploader.ts

@@ -219,13 +219,14 @@ export class StreamUploader {
     }
 
     protected async commitFile(thumbnails: Thumbnail[]) {
-        this.verifyIntegrity(thumbnails);
+        const digests = this.digests.digests();
+        this.verifyIntegrity(thumbnails, digests);
 
         const extendedAttributes = {
             modificationTime: this.metadata.modificationTime,
             size: this.metadata.expectedSize,
             blockSizes: this.uploadedBlockSizes,
-            digests: this.digests.digests(),
+            digests,
         };
         await this.uploadManager.commitDraft(
             this.revisionDraft,
@@ -607,7 +608,7 @@ export class StreamUploader {
         }
     }
 
-    protected verifyIntegrity(thumbnails: Thumbnail[]) {
+    protected verifyIntegrity(thumbnails: Thumbnail[], digests: { sha1: string }) {
         const expectedBlockCount =
             Math.ceil(this.metadata.expectedSize / FILE_CHUNK_SIZE) + (thumbnails ? thumbnails?.length : 0);
         if (this.uploadedBlockCount !== expectedBlockCount) {
@@ -622,6 +623,12 @@ export class StreamUploader {
                 expectedFileSize: this.metadata.expectedSize,
             });
         }
+        if (this.metadata.expectedSha1 && digests.sha1 !== this.metadata.expectedSha1) {
+            throw new IntegrityError(c('Error').t`File hash does not match expected hash`, {
+                uploadedSha1: digests.sha1,
+                expectedSha1: this.metadata.expectedSha1,
+            });
+        }
     }
 
     /**

package/src/protonDrivePhotosClient.ts

@@ -117,7 +117,13 @@ export class ProtonDrivePhotosClient {
             this.photoShares,
             fullConfig.clientUid,
         );
-        this.photos = initPhotosModule(telemetry, apiService, cryptoModule, this.photoShares, this.nodes.access);
+        this.photos = initPhotosModule(
+            telemetry,
+            apiService,
+            cryptoModule,
+            this.photoShares,
+            this.nodes.access,
+        );
         this.sharing = initSharingModule(
             telemetry,
             apiService,
@@ -507,6 +513,63 @@ export class ProtonDrivePhotosClient {
         return this.photos.timeline.findPhotoDuplicates(name, generateSha1, signal);
     }
 
+    /**
+     * Creates a new album with the given name.
+     *
+     * @param name - The name for the new album.
+     * @returns The created album node.
+     */
+    async createAlbum(name: string): Promise<MaybePhotoNode> {
+        this.logger.info('Creating album');
+        return convertInternalPhotoNodePromise(this.photos.albums.createAlbum(name));
+    }
+
+    /**
+     * Updates an existing album.
+     *
+     * Updates can include a new name and/or a cover photo.
+     *
+     * @param nodeUid - The UID of the album to edit.
+     * @param updates - The updates to apply.
+     * @returns The updated album node.
+     */
+    async updateAlbum(
+        nodeUid: NodeOrUid,
+        updates: {
+            name?: string;
+            coverPhotoNodeUid?: NodeOrUid;
+        },
+    ): Promise<MaybePhotoNode> {
+        this.logger.info(`Updating album ${getUid(nodeUid)}`);
+        const coverPhotoNodeUid = updates.coverPhotoNodeUid ? getUid(updates.coverPhotoNodeUid) : undefined;
+        return convertInternalPhotoNodePromise(
+            this.photos.albums.updateAlbum(getUid(nodeUid), {
+                name: updates.name,
+                coverPhotoNodeUid,
+            }),
+        );
+    }
+
+    /**
+     * Deletes an album.
+     *
+     * Photos in the timeline will not be deleted. If the album has photos
+     * that are not in the timeline (uploaded by another user), the method
+     * will throw an error. The photos must be moved to the timeline, or
+     * the album must be deleted with `force` option that deletes the photos
+     * not in the timeline as well.
+     *
+     * This operation is irreversible. Both the album and the photos will be
+     * permanently deleted, skipping the trash.
+     *
+     * @param nodeUid - The UID of the album to delete.
+     * @param force - Whether to force the deletion.
+     */
+    async deleteAlbum(nodeUid: NodeOrUid, options: { force?: boolean } = {}): Promise<void> {
+        this.logger.info(`Deleting album ${getUid(nodeUid)}`);
+        await this.photos.albums.deleteAlbum(getUid(nodeUid), options);
+    }
+
     /**
      * Iterates the albums.
      *

package/src/protonDrivePublicLinkClient.ts

@@ -70,6 +70,12 @@ export class ProtonDrivePublicLinkClient {
          * This is used by Docs app to encrypt and decrypt document updates.
          */
         getDocsKey: (nodeUid: NodeOrUid) => Promise<SessionKey>;
+        /**
+         * Experimental feature to get the passphrase for a node.
+         *
+         * This is used by public link page to report abuse.
+         */
+        getNodePassphrase: (nodeUid: NodeOrUid) => Promise<string>;
         /**
          * Experimental feature to check if hashes match the malware database.
          */
@@ -175,6 +181,14 @@ export class ProtonDrivePublicLinkClient {
                 }
                 return keys.contentKeyPacketSessionKey;
             },
+            getNodePassphrase: async (nodeUid: NodeOrUid) => {
+                this.logger.debug(`Getting node passphrase for ${getUid(nodeUid)}`);
+                const keys = await this.sharingPublic.nodes.access.getNodeKeys(getUid(nodeUid));
+                if (!keys.passphrase) {
+                    throw new Error('Node does not have a passphrase');
+                }
+                return keys.passphrase
+            },
             scanHashes: async (hashes: string[]): Promise<NodesSecurityScanResult> => {
                 this.logger.debug(`Scanning ${hashes.length} hashes`);
                 return this.sharingPublic.nodes.security.scanHashes(hashes);