filebrowser/http/public.go

package http

import (
	"errors"
	"net/http"
	"path"
	"path/filepath"
	"strings"

	"github.com/spf13/afero"
	"golang.org/x/crypto/bcrypt"

	"github.com/filebrowser/filebrowser/v2/files"
	"github.com/filebrowser/filebrowser/v2/share"
)

var withHashFile = func(fn handleFunc) handleFunc {
	return func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
		id, path := ifPathWithName(r)
		link, err := d.store.Share.GetByHash(id)
		if err != nil {
			return errToStatus(err), err
		}

		status, err := authenticateShareRequest(r, link)
		if status != 0 || err != nil {
			return status, err
		}

		user, err := d.store.Users.Get(d.server.Root, link.UserID)
		if err != nil {
			return errToStatus(err), err
		}

		d.user = user

		file, err := files.NewFileInfo(files.FileOptions{
			Fs:         d.user.Fs,
			Path:       link.Path,
			Modify:     d.user.Perm.Modify,
			Expand:     true,
			ReadHeader: d.server.TypeDetectionByHeader,
			Checker:    d,
			Token:      link.Token,
		})
		if err != nil {
			return errToStatus(err), err
		}

		if file.IsDir {
			// set fs root to the shared folder
			d.user.Fs = afero.NewBasePathFs(d.user.Fs, filepath.Dir(link.Path))

			file, err = files.NewFileInfo(files.FileOptions{
				Fs:      d.user.Fs,
				Path:    path,
				Modify:  d.user.Perm.Modify,
				Expand:  true,
				Checker: d,
				Token:   link.Token,
			})
			if err != nil {
				return errToStatus(err), err
			}
		}

		d.raw = file
		return fn(w, r, d)
	}
}

// ref to https://github.com/filebrowser/filebrowser/pull/727
// `/api/public/dl/MEEuZK-v/file-name.txt` for old browsers to save file with correct name
func ifPathWithName(r *http.Request) (id, filePath string) {
	pathElements := strings.Split(r.URL.Path, "/")
	// prevent maliciously constructed parameters like `/api/public/dl/XZzCDnK2_not_exists_hash_name`
	// len(pathElements) will be 1, and golang will panic `runtime error: index out of range`

	switch len(pathElements) {
	case 1:
		return r.URL.Path, "/"
	default:
		return pathElements[0], path.Join("/", path.Join(pathElements[1:]...))
	}
}

var publicShareHandler = withHashFile(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
	file := d.raw.(*files.FileInfo)

	if file.IsDir {
		file.Listing.Sorting = files.Sorting{By: "name", Asc: false}
		file.Listing.ApplySort()
		return renderJSON(w, r, file)
	}

	return renderJSON(w, r, file)
})

var publicDlHandler = withHashFile(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
	file := d.raw.(*files.FileInfo)
	if !file.IsDir {
		return rawFileHandler(w, r, file)
	}

	return rawDirHandler(w, r, d, file)
})

func authenticateShareRequest(r *http.Request, l *share.Link) (int, error) {
	if l.PasswordHash == "" {
		return 0, nil
	}

	if r.URL.Query().Get("token") == l.Token {
		return 0, nil
	}

	password := r.Header.Get("X-SHARE-PASSWORD")
	if password == "" {
		return http.StatusUnauthorized, nil
	}
	if err := bcrypt.CompareHashAndPassword([]byte(l.PasswordHash), []byte(password)); err != nil {
		if errors.Is(err, bcrypt.ErrMismatchedHashAndPassword) {
			return http.StatusUnauthorized, nil
		}
		return 0, err
	}

	return 0, nil
}
feat: v2 (#599) Read https://github.com/filebrowser/filebrowser/pull/575. Former-commit-id: 7aedcaaf72b863033e3f089d6df308d41a3fd00c [formerly bdbe4d49161b901c4adf9c245895a1be2d62e4a7] [formerly acfc1ec67c423e0b3e065a8c1f8897c5249af65b [formerly d309066def8319e9da89d00ca6463ec4aea62d34]] Former-commit-id: 0c7d925a38a68ccabdf2c4bbd8c302ee89b93509 [formerly a6173925a1382955d93b334ded93f70d6dddd694] Former-commit-id: e032e0804dd051df86f42962de2b39caec5318b7 2019-01-05 22:44:33 +00:00			`package http`

			`import (`
feat: allow to password protect shares (#1252) This changes allows to password protect shares. It works by: * Allowing to optionally pass a password when creating a share * If set, the password + salt that is configured via a new flag will be hashed via bcrypt and the hash stored together with the rest of the share * Additionally, a random 96 byte long token gets generated and stored as part of the share * When the backend retrieves an unauthenticated request for a share that has authentication configured, it will return a http 401 * The frontend detects this and will show a login prompt * The actual download links are protected via an url arg that contains the previously generated token. This allows us to avoid buffering the download in the browser and allows pasting the link without breaking it 2021-03-02 11:00:18 +00:00			`"errors"`
feat: v2 (#599) Read https://github.com/filebrowser/filebrowser/pull/575. Former-commit-id: 7aedcaaf72b863033e3f089d6df308d41a3fd00c [formerly bdbe4d49161b901c4adf9c245895a1be2d62e4a7] [formerly acfc1ec67c423e0b3e065a8c1f8897c5249af65b [formerly d309066def8319e9da89d00ca6463ec4aea62d34]] Former-commit-id: 0c7d925a38a68ccabdf2c4bbd8c302ee89b93509 [formerly a6173925a1382955d93b334ded93f70d6dddd694] Former-commit-id: e032e0804dd051df86f42962de2b39caec5318b7 2019-01-05 22:44:33 +00:00			`"net/http"`
feat: download shared subdirectory (#1184) Co-authored-by: Oleg Lobanov <oleg@lobanov.me> 2020-12-28 16:35:29 +00:00			`"path"`
			`"path/filepath"`
Update download names file for weak clients 2019-05-13 14:30:18 +00:00			`"strings"`
feat: v2 (#599) Read https://github.com/filebrowser/filebrowser/pull/575. Former-commit-id: 7aedcaaf72b863033e3f089d6df308d41a3fd00c [formerly bdbe4d49161b901c4adf9c245895a1be2d62e4a7] [formerly acfc1ec67c423e0b3e065a8c1f8897c5249af65b [formerly d309066def8319e9da89d00ca6463ec4aea62d34]] Former-commit-id: 0c7d925a38a68ccabdf2c4bbd8c302ee89b93509 [formerly a6173925a1382955d93b334ded93f70d6dddd694] Former-commit-id: e032e0804dd051df86f42962de2b39caec5318b7 2019-01-05 22:44:33 +00:00
feat: download shared subdirectory (#1184) Co-authored-by: Oleg Lobanov <oleg@lobanov.me> 2020-12-28 16:35:29 +00:00			`"github.com/spf13/afero"`
feat: allow to password protect shares (#1252) This changes allows to password protect shares. It works by: * Allowing to optionally pass a password when creating a share * If set, the password + salt that is configured via a new flag will be hashed via bcrypt and the hash stored together with the rest of the share * Additionally, a random 96 byte long token gets generated and stored as part of the share * When the backend retrieves an unauthenticated request for a share that has authentication configured, it will return a http 401 * The frontend detects this and will show a login prompt * The actual download links are protected via an url arg that contains the previously generated token. This allows us to avoid buffering the download in the browser and allows pasting the link without breaking it 2021-03-02 11:00:18 +00:00			`"golang.org/x/crypto/bcrypt"`
feat: download shared subdirectory (#1184) Co-authored-by: Oleg Lobanov <oleg@lobanov.me> 2020-12-28 16:35:29 +00:00
feat: v2 (#599) Read https://github.com/filebrowser/filebrowser/pull/575. Former-commit-id: 7aedcaaf72b863033e3f089d6df308d41a3fd00c [formerly bdbe4d49161b901c4adf9c245895a1be2d62e4a7] [formerly acfc1ec67c423e0b3e065a8c1f8897c5249af65b [formerly d309066def8319e9da89d00ca6463ec4aea62d34]] Former-commit-id: 0c7d925a38a68ccabdf2c4bbd8c302ee89b93509 [formerly a6173925a1382955d93b334ded93f70d6dddd694] Former-commit-id: e032e0804dd051df86f42962de2b39caec5318b7 2019-01-05 22:44:33 +00:00			`"github.com/filebrowser/filebrowser/v2/files"`
feat: allow to password protect shares (#1252) This changes allows to password protect shares. It works by: * Allowing to optionally pass a password when creating a share * If set, the password + salt that is configured via a new flag will be hashed via bcrypt and the hash stored together with the rest of the share * Additionally, a random 96 byte long token gets generated and stored as part of the share * When the backend retrieves an unauthenticated request for a share that has authentication configured, it will return a http 401 * The frontend detects this and will show a login prompt * The actual download links are protected via an url arg that contains the previously generated token. This allows us to avoid buffering the download in the browser and allows pasting the link without breaking it 2021-03-02 11:00:18 +00:00			`"github.com/filebrowser/filebrowser/v2/share"`
feat: v2 (#599) Read https://github.com/filebrowser/filebrowser/pull/575. Former-commit-id: 7aedcaaf72b863033e3f089d6df308d41a3fd00c [formerly bdbe4d49161b901c4adf9c245895a1be2d62e4a7] [formerly acfc1ec67c423e0b3e065a8c1f8897c5249af65b [formerly d309066def8319e9da89d00ca6463ec4aea62d34]] Former-commit-id: 0c7d925a38a68ccabdf2c4bbd8c302ee89b93509 [formerly a6173925a1382955d93b334ded93f70d6dddd694] Former-commit-id: e032e0804dd051df86f42962de2b39caec5318b7 2019-01-05 22:44:33 +00:00			`)`

			`var withHashFile = func(fn handleFunc) handleFunc {`
			`return func(w http.ResponseWriter, r http.Request, d data) (int, error) {`
feat: download shared subdirectory (#1184) Co-authored-by: Oleg Lobanov <oleg@lobanov.me> 2020-12-28 16:35:29 +00:00			`id, path := ifPathWithName(r)`
			`link, err := d.store.Share.GetByHash(id)`
feat: v2 (#599) Read https://github.com/filebrowser/filebrowser/pull/575. Former-commit-id: 7aedcaaf72b863033e3f089d6df308d41a3fd00c [formerly bdbe4d49161b901c4adf9c245895a1be2d62e4a7] [formerly acfc1ec67c423e0b3e065a8c1f8897c5249af65b [formerly d309066def8319e9da89d00ca6463ec4aea62d34]] Former-commit-id: 0c7d925a38a68ccabdf2c4bbd8c302ee89b93509 [formerly a6173925a1382955d93b334ded93f70d6dddd694] Former-commit-id: e032e0804dd051df86f42962de2b39caec5318b7 2019-01-05 22:44:33 +00:00			`if err != nil {`
feat: download shared subdirectory (#1184) Co-authored-by: Oleg Lobanov <oleg@lobanov.me> 2020-12-28 16:35:29 +00:00			`return errToStatus(err), err`
feat: v2 (#599) Read https://github.com/filebrowser/filebrowser/pull/575. Former-commit-id: 7aedcaaf72b863033e3f089d6df308d41a3fd00c [formerly bdbe4d49161b901c4adf9c245895a1be2d62e4a7] [formerly acfc1ec67c423e0b3e065a8c1f8897c5249af65b [formerly d309066def8319e9da89d00ca6463ec4aea62d34]] Former-commit-id: 0c7d925a38a68ccabdf2c4bbd8c302ee89b93509 [formerly a6173925a1382955d93b334ded93f70d6dddd694] Former-commit-id: e032e0804dd051df86f42962de2b39caec5318b7 2019-01-05 22:44:33 +00:00			`}`

feat: allow to password protect shares (#1252) This changes allows to password protect shares. It works by: * Allowing to optionally pass a password when creating a share * If set, the password + salt that is configured via a new flag will be hashed via bcrypt and the hash stored together with the rest of the share * Additionally, a random 96 byte long token gets generated and stored as part of the share * When the backend retrieves an unauthenticated request for a share that has authentication configured, it will return a http 401 * The frontend detects this and will show a login prompt * The actual download links are protected via an url arg that contains the previously generated token. This allows us to avoid buffering the download in the browser and allows pasting the link without breaking it 2021-03-02 11:00:18 +00:00			`status, err := authenticateShareRequest(r, link)`
			`if status != 0 \|\| err != nil {`
			`return status, err`
			`}`

feat: make server options a struct (#615) Former-commit-id: a54bc7c8a0fb700d4f90f78c54d6cb028e8acea7 [formerly a0946a1d5b82ce5681684bc0f871bd892c4d6c3f] [formerly 6b23b0abbe5cde6a6348f982975d15a1161359de [formerly 0e7abaa7fb4b293e933d233750cf057c48b298bf]] Former-commit-id: cf9ea1110bcb8b5eb30ecd25db1928659ecea922 [formerly 38cebeff1f9e6b03760f7b277a3941f7bd733fb5] Former-commit-id: db44c1d5ff8fed361849b5bf1fe48e04c75d7ce7 2019-01-08 10:29:09 +00:00			`user, err := d.store.Users.Get(d.server.Root, link.UserID)`
feat: v2 (#599) Read https://github.com/filebrowser/filebrowser/pull/575. Former-commit-id: 7aedcaaf72b863033e3f089d6df308d41a3fd00c [formerly bdbe4d49161b901c4adf9c245895a1be2d62e4a7] [formerly acfc1ec67c423e0b3e065a8c1f8897c5249af65b [formerly d309066def8319e9da89d00ca6463ec4aea62d34]] Former-commit-id: 0c7d925a38a68ccabdf2c4bbd8c302ee89b93509 [formerly a6173925a1382955d93b334ded93f70d6dddd694] Former-commit-id: e032e0804dd051df86f42962de2b39caec5318b7 2019-01-05 22:44:33 +00:00			`if err != nil {`
			`return errToStatus(err), err`
			`}`

			`d.user = user`

			`file, err := files.NewFileInfo(files.FileOptions{`
feat: allow disabling file detections by reading header (#1175) 2021-01-07 10:30:17 +00:00			`Fs: d.user.Fs,`
			`Path: link.Path,`
			`Modify: d.user.Perm.Modify,`
			`Expand: true,`
			`ReadHeader: d.server.TypeDetectionByHeader,`
			`Checker: d,`
feat: allow to password protect shares (#1252) This changes allows to password protect shares. It works by: * Allowing to optionally pass a password when creating a share * If set, the password + salt that is configured via a new flag will be hashed via bcrypt and the hash stored together with the rest of the share * Additionally, a random 96 byte long token gets generated and stored as part of the share * When the backend retrieves an unauthenticated request for a share that has authentication configured, it will return a http 401 * The frontend detects this and will show a login prompt * The actual download links are protected via an url arg that contains the previously generated token. This allows us to avoid buffering the download in the browser and allows pasting the link without breaking it 2021-03-02 11:00:18 +00:00			`Token: link.Token,`
feat: v2 (#599) Read https://github.com/filebrowser/filebrowser/pull/575. Former-commit-id: 7aedcaaf72b863033e3f089d6df308d41a3fd00c [formerly bdbe4d49161b901c4adf9c245895a1be2d62e4a7] [formerly acfc1ec67c423e0b3e065a8c1f8897c5249af65b [formerly d309066def8319e9da89d00ca6463ec4aea62d34]] Former-commit-id: 0c7d925a38a68ccabdf2c4bbd8c302ee89b93509 [formerly a6173925a1382955d93b334ded93f70d6dddd694] Former-commit-id: e032e0804dd051df86f42962de2b39caec5318b7 2019-01-05 22:44:33 +00:00			`})`
			`if err != nil {`
			`return errToStatus(err), err`
			`}`

feat: download shared subdirectory (#1184) Co-authored-by: Oleg Lobanov <oleg@lobanov.me> 2020-12-28 16:35:29 +00:00			`if file.IsDir {`
			`// set fs root to the shared folder`
			`d.user.Fs = afero.NewBasePathFs(d.user.Fs, filepath.Dir(link.Path))`

			`file, err = files.NewFileInfo(files.FileOptions{`
			`Fs: d.user.Fs,`
			`Path: path,`
			`Modify: d.user.Perm.Modify,`
			`Expand: true,`
			`Checker: d,`
feat: allow to password protect shares (#1252) This changes allows to password protect shares. It works by: * Allowing to optionally pass a password when creating a share * If set, the password + salt that is configured via a new flag will be hashed via bcrypt and the hash stored together with the rest of the share * Additionally, a random 96 byte long token gets generated and stored as part of the share * When the backend retrieves an unauthenticated request for a share that has authentication configured, it will return a http 401 * The frontend detects this and will show a login prompt * The actual download links are protected via an url arg that contains the previously generated token. This allows us to avoid buffering the download in the browser and allows pasting the link without breaking it 2021-03-02 11:00:18 +00:00			`Token: link.Token,`
feat: download shared subdirectory (#1184) Co-authored-by: Oleg Lobanov <oleg@lobanov.me> 2020-12-28 16:35:29 +00:00			`})`
			`if err != nil {`
			`return errToStatus(err), err`
			`}`
			`}`

feat: v2 (#599) Read https://github.com/filebrowser/filebrowser/pull/575. Former-commit-id: 7aedcaaf72b863033e3f089d6df308d41a3fd00c [formerly bdbe4d49161b901c4adf9c245895a1be2d62e4a7] [formerly acfc1ec67c423e0b3e065a8c1f8897c5249af65b [formerly d309066def8319e9da89d00ca6463ec4aea62d34]] Former-commit-id: 0c7d925a38a68ccabdf2c4bbd8c302ee89b93509 [formerly a6173925a1382955d93b334ded93f70d6dddd694] Former-commit-id: e032e0804dd051df86f42962de2b39caec5318b7 2019-01-05 22:44:33 +00:00			`d.raw = file`
			`return fn(w, r, d)`
			`}`
			`}`

fix: prevent maliciously constructed parameters like `/api/public/dl/XZzCDnK2_not_exists_hash_name` cause panic (#791) 2019-07-05 11:15:57 +00:00			`// ref to https://github.com/filebrowser/filebrowser/pull/727`
			// `/api/public/dl/MEEuZK-v/file-name.txt` for old browsers to save file with correct name
feat: download shared subdirectory (#1184) Co-authored-by: Oleg Lobanov <oleg@lobanov.me> 2020-12-28 16:35:29 +00:00			`func ifPathWithName(r *http.Request) (id, filePath string) {`
Update download names file for weak clients 2019-05-13 14:30:18 +00:00			`pathElements := strings.Split(r.URL.Path, "/")`
fix: prevent maliciously constructed parameters like `/api/public/dl/XZzCDnK2_not_exists_hash_name` cause panic (#791) 2019-07-05 11:15:57 +00:00			// prevent maliciously constructed parameters like `/api/public/dl/XZzCDnK2_not_exists_hash_name`
			// len(pathElements) will be 1, and golang will panic `runtime error: index out of range`
feat: download shared subdirectory (#1184) Co-authored-by: Oleg Lobanov <oleg@lobanov.me> 2020-12-28 16:35:29 +00:00
			`switch len(pathElements) {`
			`case 1:`
			`return r.URL.Path, "/"`
			`default:`
			`return pathElements[0], path.Join("/", path.Join(pathElements[1:]...))`
fix: prevent maliciously constructed parameters like `/api/public/dl/XZzCDnK2_not_exists_hash_name` cause panic (#791) 2019-07-05 11:15:57 +00:00			`}`
Update download names file for weak clients 2019-05-13 14:30:18 +00:00			`}`

feat: v2 (#599) Read https://github.com/filebrowser/filebrowser/pull/575. Former-commit-id: 7aedcaaf72b863033e3f089d6df308d41a3fd00c [formerly bdbe4d49161b901c4adf9c245895a1be2d62e4a7] [formerly acfc1ec67c423e0b3e065a8c1f8897c5249af65b [formerly d309066def8319e9da89d00ca6463ec4aea62d34]] Former-commit-id: 0c7d925a38a68ccabdf2c4bbd8c302ee89b93509 [formerly a6173925a1382955d93b334ded93f70d6dddd694] Former-commit-id: e032e0804dd051df86f42962de2b39caec5318b7 2019-01-05 22:44:33 +00:00			`var publicShareHandler = withHashFile(func(w http.ResponseWriter, r http.Request, d data) (int, error) {`
feat: shared folder file listing 2020-11-03 19:17:22 +00:00			`file := d.raw.(*files.FileInfo)`

			`if file.IsDir {`
			`file.Listing.Sorting = files.Sorting{By: "name", Asc: false}`
			`file.Listing.ApplySort()`
			`return renderJSON(w, r, file)`
			`}`

			`return renderJSON(w, r, file)`
feat: v2 (#599) Read https://github.com/filebrowser/filebrowser/pull/575. Former-commit-id: 7aedcaaf72b863033e3f089d6df308d41a3fd00c [formerly bdbe4d49161b901c4adf9c245895a1be2d62e4a7] [formerly acfc1ec67c423e0b3e065a8c1f8897c5249af65b [formerly d309066def8319e9da89d00ca6463ec4aea62d34]] Former-commit-id: 0c7d925a38a68ccabdf2c4bbd8c302ee89b93509 [formerly a6173925a1382955d93b334ded93f70d6dddd694] Former-commit-id: e032e0804dd051df86f42962de2b39caec5318b7 2019-01-05 22:44:33 +00:00			`})`

			`var publicDlHandler = withHashFile(func(w http.ResponseWriter, r http.Request, d data) (int, error) {`
			`file := d.raw.(*files.FileInfo)`
			`if !file.IsDir {`
			`return rawFileHandler(w, r, file)`
			`}`

			`return rawDirHandler(w, r, d, file)`
			`})`
feat: allow to password protect shares (#1252) This changes allows to password protect shares. It works by: * Allowing to optionally pass a password when creating a share * If set, the password + salt that is configured via a new flag will be hashed via bcrypt and the hash stored together with the rest of the share * Additionally, a random 96 byte long token gets generated and stored as part of the share * When the backend retrieves an unauthenticated request for a share that has authentication configured, it will return a http 401 * The frontend detects this and will show a login prompt * The actual download links are protected via an url arg that contains the previously generated token. This allows us to avoid buffering the download in the browser and allows pasting the link without breaking it 2021-03-02 11:00:18 +00:00
			`func authenticateShareRequest(r http.Request, l share.Link) (int, error) {`
			`if l.PasswordHash == "" {`
			`return 0, nil`
			`}`

			`if r.URL.Query().Get("token") == l.Token {`
			`return 0, nil`
			`}`

			`password := r.Header.Get("X-SHARE-PASSWORD")`
			`if password == "" {`
			`return http.StatusUnauthorized, nil`
			`}`
			`if err := bcrypt.CompareHashAndPassword([]byte(l.PasswordHash), []byte(password)); err != nil {`
			`if errors.Is(err, bcrypt.ErrMismatchedHashAndPassword) {`
			`return http.StatusUnauthorized, nil`
			`}`
			`return 0, err`
			`}`

			`return 0, nil`
			`}`