hfs 0.26.7 → 0.26.9

package/frontend/assets/{sha512.bb881250.js → sha512.6af42937.js}

@@ -1,4 +1,4 @@
-import{c as SF}from"./index.1151988f.js";function OF(sF,hF){for(var eF=0;eF<hF.length;eF++){const tF=hF[eF];if(typeof tF!="string"&&!Array.isArray(tF)){for(const w in tF)if(w!=="default"&&!(w in sF)){const lF=Object.getOwnPropertyDescriptor(tF,w);lF&&Object.defineProperty(sF,w,lF.get?lF:{enumerable:!0,get:()=>tF[w]})}}}return Object.freeze(Object.defineProperty(sF,Symbol.toStringTag,{value:"Module"}))}var yF={exports:{}};/*
+import{c as SF}from"./index.27a78796.js";function OF(sF,hF){for(var eF=0;eF<hF.length;eF++){const tF=hF[eF];if(typeof tF!="string"&&!Array.isArray(tF)){for(const w in tF)if(w!=="default"&&!(w in sF)){const lF=Object.getOwnPropertyDescriptor(tF,w);lF&&Object.defineProperty(sF,w,lF.get?lF:{enumerable:!0,get:()=>tF[w]})}}}return Object.freeze(Object.defineProperty(sF,Symbol.toStringTag,{value:"Module"}))}var yF={exports:{}};/*
  * [js-sha512]{@link https://github.com/emn178/js-sha512}
  *
  * @version 0.8.0

package/frontend/index.html

@@ -6,7 +6,7 @@
     <link href="fontello.css" rel="stylesheet" />
     <script>SESSION = _HFS_SESSION_</script>
     <title>File Server</title>
-    <script type="module" crossorigin src="/assets/index.1151988f.js"></script>
+    <script type="module" crossorigin src="/assets/index.27a78796.js"></script>
     <link rel="stylesheet" href="/assets/index.93366732.css">
   </head>
   <body>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hfs",
-  "version": "0.26.7",
+  "version": "0.26.9",
   "description": "HTTP File Server",
   "keywords": [
     "file server",
@@ -24,6 +24,7 @@
     "build-shared": "npm run build --workspace=shared",
     "build-form": "npm run build --workspace=mui-grid-form",
     "server-for-test": "node dist/src --cwd . --config tests",
+    "server-for-test-dev": "cross-env DEV=1 nodemon --ignore tests/ --watch src -e ts,tsx --exec ts-node src -- --cwd . --config tests",
     "test": "mocha -r ts-node/register 'tests/**/*.ts'",
     "pub": "cd dist && npm publish",
     "dist": "npm run build-all && npm run dist-bin",

package/plugins/vhosting/plugin.js

@@ -21,7 +21,7 @@ exports.init = api => ({
     middleware(ctx) {
         let toModify = ctx
         if (ctx.path.startsWith(api.const.SPECIAL_URI)) { // special uris should be excluded...
-            toModify = ctx.request.query
+            toModify = ctx.params
             if (toModify.path === undefined) // ...unless they carry a path in the query. In that case we'll work that.
                 return
         }

package/src/api.accounts.js

@@ -37,14 +37,14 @@ const apis = {
             changes.admin = undefined;
         else if (admin !== undefined && typeof admin !== 'boolean')
             return new apiMiddleware_1.ApiError(400, "invalid admin");
-        return (0, perm_1.setAccount)(username, changes) ? {} : new apiMiddleware_1.ApiError(400);
+        const acc = (0, perm_1.setAccount)(username, changes);
+        return acc ? lodash_1.default.pick(acc, 'username') : new apiMiddleware_1.ApiError(400);
     },
     add_account({ username, ...rest }) {
         if ((0, perm_1.getAccount)(username))
             return new apiMiddleware_1.ApiError(const_1.FORBIDDEN);
-        if (!(0, perm_1.addAccount)(username, rest))
-            return new apiMiddleware_1.ApiError(400);
-        return {};
+        const acc = (0, perm_1.addAccount)(username, rest);
+        return acc ? lodash_1.default.pick(acc, 'username') : new apiMiddleware_1.ApiError(400);
     },
     del_account({ username }) {
         return (0, perm_1.delAccount)(username) ? {} : new apiMiddleware_1.ApiError(400);

package/src/api.auth.js

@@ -23,7 +23,7 @@ async function loggedIn(ctx, username) {
         ctx.cookies.set('csrf', '');
         return;
     }
-    s.username = username;
+    s.username = (0, perm_1.normalizeUsername)(username);
     await (0, middlewares_1.prepareState)(ctx, async () => { }); // updating the state is necessary to send complete session data so that frontend shows admin button
     delete s.login;
     ctx.cookies.set('csrf', (0, misc_1.randomId)(), { signed: false, httpOnly: false });
@@ -34,7 +34,6 @@ function makeExp() {
 const login = async ({ username, password }, ctx) => {
     if (!username || !password) // some validation
         return new apiMiddleware_1.ApiError(400);
-    username = username.toLocaleLowerCase(); // normalize username, to be case-insensitive
     const acc = (0, perm_1.getAccount)(username);
     if (!acc)
         return new apiMiddleware_1.ApiError(const_1.UNAUTHORIZED);
@@ -51,7 +50,6 @@ exports.login = login;
 const loginSrp1 = async ({ username }, ctx) => {
     if (!username)
         return new apiMiddleware_1.ApiError(400);
-    username = username.toLocaleLowerCase();
     const account = (0, perm_1.getAccount)(username);
     if (!ctx.session)
         return new apiMiddleware_1.ApiError(500);
@@ -107,7 +105,7 @@ exports.loginSrp2 = loginSrp2;
 const logout = async ({}, ctx) => {
     if (!ctx.session)
         return new apiMiddleware_1.ApiError(500);
-    loggedIn(ctx, false);
+    await loggedIn(ctx, false);
     // 401 is a convenient code for OK: the browser clears a possible http authentication (hopefully), and Admin automatically triggers login dialog
     return new apiMiddleware_1.ApiError(401);
 };

package/src/apiMiddleware.js

@@ -20,8 +20,7 @@ class ApiError extends Error {
 exports.ApiError = ApiError;
 function apiMiddleware(apis) {
     return async (ctx) => {
-        const params = ctx.method === 'POST' ? await getJsonFromReq(ctx.req)
-            : (0, misc_1.objSameKeys)(ctx.request.query, x => Array.isArray(x) ? x : (0, misc_1.tryJson)(x));
+        const { params } = ctx;
         console.debug('API', ctx.method, ctx.path, { ...params });
         if (!apis.hasOwnProperty(ctx.path)) {
             ctx.body = 'invalid api';
@@ -55,21 +54,6 @@ exports.apiMiddleware = apiMiddleware;
 function isAsyncGenerator(x) {
     return typeof (x === null || x === void 0 ? void 0 : x.next) === 'function';
 }
-async function getJsonFromReq(req) {
-    return new Promise((resolve, reject) => {
-        let data = '';
-        req.on('data', chunk => data += chunk);
-        req.on('error', reject);
-        req.on('end', () => {
-            try {
-                resolve(data && JSON.parse(data));
-            }
-            catch (e) {
-                reject(e);
-            }
-        });
-    });
-}
 class SendListReadable extends stream_1.Readable {
     constructor({ addAtStart, doAtStart, bufferTime } = {}) {
         super({ objectMode: true, read() { } });

package/src/index.js

@@ -33,6 +33,7 @@ exports.app.use(middlewares_1.someSecurity)
     .use((0, log_1.log)())
     .use(throttler_1.throttler)
     .use(middlewares_1.gzipper)
+    .use(middlewares_1.paramsDecoder)
     .use((0, plugins_1.pluginsMiddleware)())
     .use((0, koa_mount_1.default)(const_1.API_URI, (0, apiMiddleware_1.apiMiddleware)({ ...frontEndApis_1.frontEndApis, ...adminApis_1.adminApis })))
     .use(middlewares_1.serveGuiAndSharedFiles)

package/src/middlewares.js

@@ -4,7 +4,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.prepareState = exports.getProxyDetected = exports.someSecurity = exports.serveGuiAndSharedFiles = exports.sessions = exports.headRequests = exports.gzipper = void 0;
+exports.paramsDecoder = exports.prepareState = exports.getProxyDetected = exports.someSecurity = exports.serveGuiAndSharedFiles = exports.sessions = exports.headRequests = exports.gzipper = void 0;
 const koa_compress_1 = __importDefault(require("koa-compress"));
 const koa_session_1 = __importDefault(require("koa-session"));
 const const_1 = require("./const");
@@ -82,7 +82,7 @@ const serveGuiAndSharedFiles = async (ctx, next) => {
             return;
         const browserDetected = ctx.get('Upgrade-Insecure-Requests') || ctx.get('Sec-Fetch-Mode'); // ugh, heuristics
         if (!browserDetected) // we don't want to trigger basic authentication on browsers, it's meant for download managers only
-            ctx.set('WWW-Authenticate', 'Basic'); // we support basic authentication
+            return ctx.set('WWW-Authenticate', 'Basic'); // we support basic authentication
         ctx.state.serveApp = true;
         return serveFrontendFiles(ctx, next);
     }
@@ -126,9 +126,9 @@ function getProxyDetected() {
 }
 exports.getProxyDetected = getProxyDetected;
 const prepareState = async (ctx, next) => {
-    var _a;
+    var _a, _b;
     // calculate these once and for all
-    ctx.state.account = (_a = await getHttpAccount(ctx)) !== null && _a !== void 0 ? _a : (0, perm_1.getAccount)((0, perm_1.getCurrentUsername)(ctx));
+    ctx.state.account = (_a = await getHttpAccount(ctx)) !== null && _a !== void 0 ? _a : (0, perm_1.getAccount)((_b = ctx.session) === null || _b === void 0 ? void 0 : _b.username, false);
     const conn = ctx.state.connection = (0, connections_1.socket2connection)(ctx.socket);
     await next();
     if (conn)
@@ -142,7 +142,6 @@ async function getHttpAccount(ctx) {
         return account;
 }
 async function srpCheck(username, password) {
-    username = username.toLocaleLowerCase();
     const account = (0, perm_1.getAccount)(username);
     if (!(account === null || account === void 0 ? void 0 : account.srp) || !password)
         return false;
@@ -152,3 +151,25 @@ async function srpCheck(username, password) {
     const clientRes2 = await clientRes1.step2(BigInt(salt), BigInt(pubKey));
     return await step1.step2(clientRes2.A, clientRes2.M1).then(() => true, () => false);
 }
+// unify get/post parameters, with JSON decoding to not be limited to strings
+const paramsDecoder = async (ctx, next) => {
+    ctx.params = ctx.method === 'POST' ? (0, misc_1.tryJson)(await getReqData(ctx.req))
+        : (0, misc_1.objSameKeys)(ctx.query, x => Array.isArray(x) ? x : (0, misc_1.tryJson)(x));
+    await next();
+};
+exports.paramsDecoder = paramsDecoder;
+async function getReqData(req) {
+    return new Promise((resolve, reject) => {
+        let data = '';
+        req.on('data', chunk => data += chunk);
+        req.on('error', reject);
+        req.on('end', () => {
+            try {
+                resolve(data);
+            }
+            catch (e) {
+                reject(e);
+            }
+        });
+    });
+}

package/src/perm.js

@@ -4,7 +4,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.anyAccountCanLoginAdmin = exports.accountCanLoginAdmin = exports.accountCanLogin = exports.accountHasPassword = exports.getFromAccount = exports.delAccount = exports.setAccount = exports.addAccount = exports.renameAccount = exports.updateAccount = exports.allowClearTextLogin = exports.saveSrpInfo = exports.getAccount = exports.getCurrentUsernameExpanded = exports.getCurrentUsername = exports.getAccounts = void 0;
+exports.anyAccountCanLoginAdmin = exports.accountCanLoginAdmin = exports.accountCanLogin = exports.accountHasPassword = exports.getFromAccount = exports.delAccount = exports.setAccount = exports.addAccount = exports.renameAccount = exports.normalizeUsername = exports.updateAccount = exports.allowClearTextLogin = exports.saveSrpInfo = exports.getAccount = exports.getCurrentUsernameExpanded = exports.getCurrentUsername = exports.getAccounts = void 0;
 const lodash_1 = __importDefault(require("lodash"));
 const crypt_1 = require("./crypt");
 const misc_1 = require("./misc");
@@ -17,8 +17,8 @@ function getAccounts() {
 }
 exports.getAccounts = getAccounts;
 function getCurrentUsername(ctx) {
-    var _a, _b;
-    return ((_a = ctx.state.account) === null || _a === void 0 ? void 0 : _a.username) || ((_b = ctx.session) === null || _b === void 0 ? void 0 : _b.username) || '';
+    var _a;
+    return ((_a = ctx.state.account) === null || _a === void 0 ? void 0 : _a.username) || '';
 }
 exports.getCurrentUsername = getCurrentUsername;
 // provides the username and all other usernames it inherits based on the 'belongs' attribute. Useful to check permissions
@@ -35,7 +35,9 @@ function getCurrentUsernameExpanded(ctx) {
     return ret;
 }
 exports.getCurrentUsernameExpanded = getCurrentUsernameExpanded;
-function getAccount(username) {
+function getAccount(username, normalize = true) {
+    if (normalize)
+        username = normalizeUsername(username);
     return username ? accounts[username] : undefined;
 }
 exports.getAccount = getAccount;
@@ -77,15 +79,16 @@ accountsConfig.sub(async (v) => {
         const norm = normalizeUsername(k);
         if (!rec) // an empty object in yaml is stored as null
             rec = accounts[norm] = { username: norm };
-        else
-            (0, misc_1.objRenameKey)(accounts, k, norm);
+        else if ((0, misc_1.objRenameKey)(accounts, k, norm))
+            saveAccountsAsap();
         (0, misc_1.setHidden)(rec, { username: norm });
-        await updateAccount(rec);
+        await updateAccount(rec); // work password fields
     }));
 });
 function normalizeUsername(username) {
     return username.toLocaleLowerCase();
 }
+exports.normalizeUsername = normalizeUsername;
 function renameAccount(from, to) {
     from = normalizeUsername(from);
     to = normalizeUsername(to);
@@ -112,9 +115,11 @@ exports.renameAccount = renameAccount;
 // we consider all the following fields, when falsy, as equivalent to be missing. If this changes in the future, please adjust addAccount and setAccount
 const assignableProps = ['redirect', 'ignore_limits', 'belongs', 'admin'];
 function addAccount(username, props) {
-    if (!username || accounts[username])
+    username = normalizeUsername(username);
+    if (!username || getAccount(username, false))
         return;
-    const copy = (0, misc_1.setHidden)(lodash_1.default.pickBy(lodash_1.default.pick(props, assignableProps), Boolean), { username }); // have the field in the object but hidden so that stringification won't include it
+    const filteredProps = lodash_1.default.pickBy(lodash_1.default.pick(props, assignableProps), Boolean);
+    const copy = (0, misc_1.setHidden)(filteredProps, { username }); // have the field in the object but hidden so that stringification won't include it
     accountsConfig.set(accounts => Object.assign(accounts, { [username]: copy }));
     saveAccountsAsap().then();
     return copy;
@@ -132,13 +137,13 @@ function setAccount(username, changes) {
     if (changes.username)
         renameAccount(username, changes.username);
     saveAccountsAsap().then();
-    return true;
+    return acc;
 }
 exports.setAccount = setAccount;
 function delAccount(username) {
     if (!getAccount(username))
         return false;
-    accountsConfig.set(accounts => Object.assign(accounts, { [username]: undefined }));
+    accountsConfig.set(accounts => Object.assign(accounts, { [normalizeUsername(username)]: undefined }));
     saveAccountsAsap().then();
     return true;
 }

package/src/serveFile.js

@@ -89,15 +89,16 @@ function getRange(ctx, totalSize) {
         return ctx.throw(400, 'bad range');
     const max = totalSize - 1;
     const start = bytes[0] ? Number(bytes[0]) : Math.max(0, totalSize - Number(bytes[1])); // a negative start is relative to the end
-    const end = bytes[0] ? Number(bytes[1] || max) : max; // NaN in case we are asked for last N bytes without knowing max
-    if (isNaN(end) || end > max || start > max) {
+    const end = bytes[0] ? Number(bytes[1] || max) : max;
+    // we don't support last-bytes without knowing max
+    if (isNaN(end) && isNaN(max) || end > max || start > max) {
         ctx.status = 416;
         ctx.set('Content-Range', `bytes ${totalSize}`);
         ctx.body = 'Requested Range Not Satisfiable';
         return;
     }
     ctx.status = 206;
-    ctx.set('Content-Range', `bytes ${start}-${end}/${isNaN(totalSize) ? '*' : totalSize}`);
+    ctx.set('Content-Range', `bytes ${start}-${isNaN(end) ? '' : end}/${isNaN(totalSize) ? '*' : totalSize}`);
     ctx.response.length = end - start + 1;
     return { start, end };
 }

package/src/vfs.js

@@ -38,11 +38,14 @@ function inheritFromParent(parent, child) {
 }
 async function urlToNode(url, ctx, parent = exports.vfs) {
     var _a;
-    let i = url.indexOf('/', 1);
-    const name = decodeURIComponent(url.slice(url[0] === '/' ? 1 : 0, i < 0 ? undefined : i));
+    let initialSlashes = 0;
+    while (url[initialSlashes] === '/')
+        initialSlashes++;
+    let nextSlash = url.indexOf('/', initialSlashes);
+    const name = decodeURIComponent(url.slice(initialSlashes, nextSlash < 0 ? undefined : nextSlash));
     if (!name)
         return parent;
-    const rest = i < 0 ? '' : url.slice(i + 1, url.endsWith('/') ? -1 : undefined);
+    const rest = nextSlash < 0 ? '' : url.slice(nextSlash + 1, url.endsWith('/') ? -1 : undefined);
     if ((0, misc_1.dirTraversal)(name) || /[\/]/.test(name)) {
         if (ctx)
             ctx.status = 418;

package/src/zip.js

@@ -57,8 +57,11 @@ async function zipStreamFromFolder(node, ctx) {
     });
     const zip = new QuickZipStream_1.QuickZipStream(mappedWalker);
     const time = 1000 * zipSeconds.get();
-    ctx.response.length = await zip.calculateSize(time);
-    const range = (0, serveFile_1.getRange)(ctx, ctx.response.length);
+    const size = await zip.calculateSize(time);
+    ctx.response.length = size;
+    const range = (0, serveFile_1.getRange)(ctx, size); // keep var size as ctx.response.length won't preserve a NaN
+    if (ctx.status >= 400)
+        return;
     if (range)
         zip.applyRange(range.start, range.end);
     ctx.body = zip;