hfs 0.26.9 → 0.27.2

package/src/apiMiddleware.js

@@ -1,5 +1,5 @@
 "use strict";
-// This file is part of HFS - Copyright 2021-2022, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
+// This file is part of HFS - Copyright 2021-2023, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
@@ -24,11 +24,11 @@ function apiMiddleware(apis) {
         console.debug('API', ctx.method, ctx.path, { ...params });
         if (!apis.hasOwnProperty(ctx.path)) {
             ctx.body = 'invalid api';
-            return ctx.status = 404;
+            return ctx.status = const_1.HTTP_NOT_FOUND;
         }
         const csrf = ctx.cookies.get('csrf');
         // we don't rely on SameSite cookie option because it's https-only
-        let res = csrf && csrf !== params.csrf ? new ApiError(const_1.UNAUTHORIZED, 'csrf')
+        let res = csrf && csrf !== params.csrf ? new ApiError(const_1.HTTP_UNAUTHORIZED, 'csrf')
             : await apis[ctx.path](params || {}, ctx);
         if (isAsyncGenerator(res))
             res = (0, misc_1.asyncGeneratorToReadable)(res);
@@ -45,7 +45,7 @@ function apiMiddleware(apis) {
         }
         if (res instanceof Error) { // generic exception
             ctx.body = String(res);
-            return ctx.status = 400;
+            return ctx.status = const_1.HTTP_BAD_REQUEST;
         }
         ctx.body = res;
     };
@@ -95,6 +95,9 @@ class SendListReadable extends stream_1.Readable {
     custom(data) {
         this._push(data);
     }
+    props(props) {
+        this._push({ props });
+    }
     error(msg, close = false) {
         this._push({ error: msg });
         this.lastError = msg;

package/src/block.js

@@ -1,4 +1,5 @@
 "use strict";
+// This file is part of HFS - Copyright 2021-2023, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };

package/src/commands.js

@@ -1,4 +1,5 @@
 "use strict";
+// This file is part of HFS - Copyright 2021-2023, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };

package/src/config.js

@@ -1,5 +1,5 @@
 "use strict";
-// This file is part of HFS - Copyright 2021-2022, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
+// This file is part of HFS - Copyright 2021-2023, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };

package/src/connections.js

@@ -1,5 +1,5 @@
 "use strict";
-// This file is part of HFS - Copyright 2021-2022, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
+// This file is part of HFS - Copyright 2021-2023, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };

package/src/const.js

@@ -1,5 +1,5 @@
 "use strict";
-// This file is part of HFS - Copyright 2021-2022, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
+// This file is part of HFS - Copyright 2021-2023, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
     var desc = Object.getOwnPropertyDescriptor(m, k);
@@ -27,7 +27,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.APP_PATH = exports.IS_WINDOWS = exports.UNAUTHORIZED = exports.FORBIDDEN = exports.NO_CONTENT = exports.METHOD_NOT_ALLOWED = exports.PLUGINS_PUB_URI = exports.API_URI = exports.ADMIN_URI = exports.FRONTEND_URI = exports.SPECIAL_URI = exports.COMPATIBLE_API_VERSION = exports.API_VERSION = exports.SESSION_DURATION = exports.DAY = exports.VERSION = exports.BUILD_TIMESTAMP = exports.HFS_STARTED = exports.ORIGINAL_CWD = exports.DEV = exports.argv = void 0;
+exports.APP_PATH = exports.IS_WINDOWS = exports.HTTP_SERVER_ERROR = exports.HTTP_FOOL = exports.HTTP_RANGE_NOT_SATISFIABLE = exports.HTTP_CONFLICT = exports.HTTP_NOT_ACCEPTABLE = exports.HTTP_METHOD_NOT_ALLOWED = exports.HTTP_NOT_FOUND = exports.HTTP_FORBIDDEN = exports.HTTP_UNAUTHORIZED = exports.HTTP_BAD_REQUEST = exports.HTTP_NOT_MODIFIED = exports.HTTP_TEMPORARY_REDIRECT = exports.HTTP_PARTIAL_CONTENT = exports.HTTP_NO_CONTENT = exports.HTTP_OK = exports.PLUGINS_PUB_URI = exports.API_URI = exports.ADMIN_URI = exports.FRONTEND_URI = exports.SPECIAL_URI = exports.COMPATIBLE_API_VERSION = exports.API_VERSION = exports.SESSION_DURATION = exports.DAY = exports.VERSION = exports.BUILD_TIMESTAMP = exports.HFS_STARTED = exports.ORIGINAL_CWD = exports.DEV = exports.argv = void 0;
 const minimist_1 = __importDefault(require("minimist"));
 const fs = __importStar(require("fs"));
 const os_1 = require("os");
@@ -50,10 +50,21 @@ exports.FRONTEND_URI = exports.SPECIAL_URI + 'frontend/';
 exports.ADMIN_URI = exports.SPECIAL_URI + 'admin/';
 exports.API_URI = exports.SPECIAL_URI + 'api/';
 exports.PLUGINS_PUB_URI = exports.SPECIAL_URI + 'plugins/';
-exports.METHOD_NOT_ALLOWED = 405;
-exports.NO_CONTENT = 204;
-exports.FORBIDDEN = 403;
-exports.UNAUTHORIZED = 401;
+exports.HTTP_OK = 200;
+exports.HTTP_NO_CONTENT = 204;
+exports.HTTP_PARTIAL_CONTENT = 206;
+exports.HTTP_TEMPORARY_REDIRECT = 302;
+exports.HTTP_NOT_MODIFIED = 304;
+exports.HTTP_BAD_REQUEST = 400;
+exports.HTTP_UNAUTHORIZED = 401;
+exports.HTTP_FORBIDDEN = 403;
+exports.HTTP_NOT_FOUND = 404;
+exports.HTTP_METHOD_NOT_ALLOWED = 405;
+exports.HTTP_NOT_ACCEPTABLE = 406;
+exports.HTTP_CONFLICT = 409;
+exports.HTTP_RANGE_NOT_SATISFIABLE = 416;
+exports.HTTP_FOOL = 418;
+exports.HTTP_SERVER_ERROR = 500;
 exports.IS_WINDOWS = process.platform === 'win32';
 const IS_BINARY = !(0, path_1.basename)(process.argv0).includes('node'); // this won't be node if pkg was used
 exports.APP_PATH = (0, path_1.dirname)(IS_BINARY ? process.argv0 : __dirname);
@@ -62,7 +73,7 @@ if (exports.DEV)
     console.clear();
 else
     console.debug = () => { };
-console.log(`HFS ~ HTTP File Server - Copyright 2021-2022, Massimo Melina <a@rejetto.com>`);
+console.log(`HFS ~ HTTP File Server - Copyright 2021-2023, Massimo Melina <a@rejetto.com>`);
 console.log(`License https://www.gnu.org/licenses/gpl-3.0.txt`);
 console.log('started', exports.HFS_STARTED.toLocaleString(), exports.DEV);
 console.log('version', exports.VERSION || '-');

package/src/crypt.js

@@ -1,5 +1,5 @@
 "use strict";
-// This file is part of HFS - Copyright 2021-2022, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
+// This file is part of HFS - Copyright 2021-2023, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };

package/src/debounceAsync.js

@@ -1,4 +1,5 @@
 "use strict";
+// This file is part of HFS - Copyright 2021-2023, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
 Object.defineProperty(exports, "__esModule", { value: true });
 // like lodash.debounce, but also avoids async invocations to overlap
 function debounceAsync(callback, wait = 100, { leading = false, maxWait = Infinity } = {}) {

package/src/events.js

@@ -1,5 +1,5 @@
 "use strict";
-// This file is part of HFS - Copyright 2021-2022, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
+// This file is part of HFS - Copyright 2021-2023, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };

package/src/frontEndApis.js

@@ -1,5 +1,5 @@
 "use strict";
-// This file is part of HFS - Copyright 2021-2022, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
+// This file is part of HFS - Copyright 2021-2023, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
     var desc = Object.getOwnPropertyDescriptor(m, k);

package/src/github.js

@@ -1,4 +1,5 @@
 "use strict";
+// This file is part of HFS - Copyright 2021-2023, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
@@ -9,6 +10,7 @@ const misc_1 = require("./misc");
 const plugins_1 = require("./plugins");
 const apiMiddleware_1 = require("./apiMiddleware");
 const lodash_1 = __importDefault(require("lodash"));
+const const_1 = require("./const");
 const DIST_ROOT = 'dist/';
 const downloading = {};
 function downloadProgress(id, status) {
@@ -20,7 +22,7 @@ function downloadProgress(id, status) {
 }
 async function downloadPlugin(repo, branch = '', overwrite) {
     if (downloading[repo])
-        return new apiMiddleware_1.ApiError(409, "already downloading");
+        return new apiMiddleware_1.ApiError(const_1.HTTP_CONFLICT, "already downloading");
     downloadProgress(repo, true);
     const rec = await getRepoInfo(repo);
     if (!branch)

package/src/index.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 "use strict";
-// This file is part of HFS - Copyright 2021-2022, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
+// This file is part of HFS - Copyright 2021-2023, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
@@ -42,7 +42,8 @@ function errorHandler(err) {
     const { code } = err;
     if (const_1.DEV && code === 'ENOENT' && err.path.endsWith('sockjs-node'))
         return; // spam out dev stuff
-    if (code === 'ECANCELED' || code === 'ECONNRESET' || code === 'ECONNABORTED' || code === 'EPIPE')
+    if (code === 'ECANCELED' || code === 'ECONNRESET' || code === 'ECONNABORTED' || code === 'EPIPE'
+        || code === 'HPE_INVALID_EOF_STATE')
         return; // someone interrupted, don't care
     console.error('server error', err);
 }

package/src/listen.js

@@ -1,5 +1,5 @@
 "use strict";
-// This file is part of HFS - Copyright 2021-2022, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
+// This file is part of HFS - Copyright 2021-2023, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
     var desc = Object.getOwnPropertyDescriptor(m, k);

package/src/log.js

@@ -1,5 +1,5 @@
 "use strict";
-// This file is part of HFS - Copyright 2021-2022, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
+// This file is part of HFS - Copyright 2021-2023, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
     var desc = Object.getOwnPropertyDescriptor(m, k);
@@ -35,7 +35,7 @@ const promises_1 = require("fs/promises");
 const const_1 = require("./const");
 const events_1 = __importDefault(require("./events"));
 const lodash_1 = __importDefault(require("lodash"));
-const path_1 = require("path");
+const util_files_1 = require("./util-files");
 const perm_1 = require("./perm");
 class Logger {
     constructor(name) {
@@ -54,8 +54,8 @@ class Logger {
             this.last = stats.mtime || stats.ctime;
         }
         catch (_b) {
-            await (0, promises_1.mkdir)((0, path_1.dirname)(path), { recursive: true })
-                .catch(() => console.log("cannot create folder for", path));
+            if (await (0, util_files_1.prepareFolder)(path) === false)
+                console.log("cannot create folder for", path);
         }
         this.reopen();
     }

package/src/middlewares.js

@@ -1,5 +1,5 @@
 "use strict";
-// This file is part of HFS - Copyright 2021-2022, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
+// This file is part of HFS - Copyright 2021-2023, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
@@ -22,6 +22,9 @@ const connections_1 = require("./connections");
 const basic_auth_1 = __importDefault(require("basic-auth"));
 const tssrp6a_1 = require("tssrp6a");
 const api_auth_1 = require("./api.auth");
+const path_1 = require("path");
+const fs_1 = require("fs");
+const promises_1 = require("stream/promises");
 exports.gzipper = (0, koa_compress_1.default)({
     threshold: 2048,
     gzip: { flush: require('zlib').constants.Z_SYNC_FLUSH },
@@ -66,9 +69,17 @@ const serveGuiAndSharedFiles = async (ctx, next) => {
         return ctx.redirect(const_1.ADMIN_URI);
     if (path.startsWith(const_1.ADMIN_URI))
         return serveAdminPrefixed(ctx, next);
+    if (ctx.method === 'PUT') { // curl -T file url/
+        const decPath = decodeURI(path);
+        let rest = (0, path_1.basename)(decPath);
+        const folder = await (0, vfs_1.urlToNode)((0, path_1.dirname)(decPath), ctx, vfs_1.vfs, v => rest = v + '/' + rest);
+        if (!folder)
+            return ctx.status = const_1.HTTP_NOT_FOUND;
+        return await receiveUpload(folder, rest, ctx.req, ctx);
+    }
     const node = await (0, vfs_1.urlToNode)(path, ctx);
     if (!node)
-        return ctx.status = 404;
+        return ctx.status = const_1.HTTP_NOT_FOUND;
     const canRead = (0, vfs_1.hasPermission)(node, 'can_read', ctx);
     const isFolder = await (0, vfs_1.nodeIsDirectory)(node);
     if (isFolder && !path.endsWith('/'))
@@ -78,7 +89,7 @@ const serveGuiAndSharedFiles = async (ctx, next) => {
             : next();
     if (!canRead) {
         ctx.status = (0, vfs_1.cantReadStatusCode)(node);
-        if (ctx.status === const_1.FORBIDDEN)
+        if (ctx.status === const_1.HTTP_FORBIDDEN)
             return;
         const browserDetected = ctx.get('Upgrade-Insecure-Requests') || ctx.get('Sec-Fetch-Mode'); // ugh, heuristics
         if (!browserDetected) // we don't want to trigger basic authentication on browsers, it's meant for download managers only
@@ -99,6 +110,15 @@ const serveGuiAndSharedFiles = async (ctx, next) => {
     return serveFrontendFiles(ctx, next);
 };
 exports.serveGuiAndSharedFiles = serveGuiAndSharedFiles;
+async function receiveUpload(base, path, stream, ctx) {
+    if (!base.source || !(0, vfs_1.hasPermission)(base, 'can_upload', ctx))
+        return ctx.status = base.can_upload === false ? const_1.HTTP_FORBIDDEN : const_1.HTTP_UNAUTHORIZED;
+    path = (0, path_1.join)(base.source, path);
+    await (0, misc_1.prepareFolder)(path);
+    const dest = (0, fs_1.createWriteStream)(path);
+    await (0, promises_1.pipeline)(stream, dest);
+    ctx.body = '{}';
+}
 let proxyDetected = false;
 const someSecurity = async (ctx, next) => {
     ctx.request.ip = (0, connections_1.normalizeIp)(ctx.ip);
@@ -108,14 +128,14 @@ const someSecurity = async (ctx, next) => {
         if (const_1.DEV && proxy && [process.env.FRONTEND_PROXY, process.env.ADMIN_PROXY].includes(ctx.get('X-Forwarded-port')))
             proxy = '';
         if ((0, misc_1.dirTraversal)(decodeURI(ctx.path)))
-            return ctx.status = 418;
+            return ctx.status = const_1.HTTP_FOOL;
         if ((0, block_1.applyBlock)(ctx.socket, ctx.ip))
             return;
         proxyDetected || (proxyDetected = proxy > '');
         ctx.state.proxiedFor = proxy;
     }
     catch (_a) {
-        return ctx.status = 418;
+        return ctx.status = const_1.HTTP_FOOL;
     }
     return next();
 };
@@ -153,17 +173,17 @@ async function srpCheck(username, password) {
 }
 // unify get/post parameters, with JSON decoding to not be limited to strings
 const paramsDecoder = async (ctx, next) => {
-    ctx.params = ctx.method === 'POST' ? (0, misc_1.tryJson)(await getReqData(ctx.req))
+    ctx.params = ctx.method === 'POST' ? (0, misc_1.tryJson)(await stream2string(ctx.req))
         : (0, misc_1.objSameKeys)(ctx.query, x => Array.isArray(x) ? x : (0, misc_1.tryJson)(x));
     await next();
 };
 exports.paramsDecoder = paramsDecoder;
-async function getReqData(req) {
+async function stream2string(stream) {
     return new Promise((resolve, reject) => {
         let data = '';
-        req.on('data', chunk => data += chunk);
-        req.on('error', reject);
-        req.on('end', () => {
+        stream.on('data', chunk => data += chunk);
+        stream.on('error', reject);
+        stream.on('end', () => {
             try {
                 resolve(data);
             }

package/src/misc.js

@@ -1,5 +1,5 @@
 "use strict";
-// This file is part of HFS - Copyright 2021-2022, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
+// This file is part of HFS - Copyright 2021-2023, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
     var desc = Object.getOwnPropertyDescriptor(m, k);

package/src/perm.js

@@ -1,10 +1,10 @@
 "use strict";
-// This file is part of HFS - Copyright 2021-2022, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
+// This file is part of HFS - Copyright 2021-2023, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.anyAccountCanLoginAdmin = exports.accountCanLoginAdmin = exports.accountCanLogin = exports.accountHasPassword = exports.getFromAccount = exports.delAccount = exports.setAccount = exports.addAccount = exports.renameAccount = exports.normalizeUsername = exports.updateAccount = exports.allowClearTextLogin = exports.saveSrpInfo = exports.getAccount = exports.getCurrentUsernameExpanded = exports.getCurrentUsername = exports.getAccounts = void 0;
+exports.anyAccountCanLoginAdmin = exports.accountCanLoginAdmin = exports.accountCanLogin = exports.accountHasPassword = exports.getFromAccount = exports.delAccount = exports.setAccount = exports.addAccount = exports.renameAccount = exports.normalizeUsername = exports.accountsConfig = exports.updateAccount = exports.allowClearTextLogin = exports.saveSrpInfo = exports.getAccount = exports.getCurrentUsernameExpanded = exports.getCurrentUsername = void 0;
 const lodash_1 = __importDefault(require("lodash"));
 const crypt_1 = require("./crypt");
 const misc_1 = require("./misc");
@@ -12,10 +12,6 @@ const config_1 = require("./config");
 const tssrp6a_1 = require("tssrp6a");
 const events_1 = __importDefault(require("./events"));
 let accounts = {};
-function getAccounts() {
-    return accounts;
-}
-exports.getAccounts = getAccounts;
 function getCurrentUsername(ctx) {
     var _a;
     return ((_a = ctx.state.account) === null || _a === void 0 ? void 0 : _a.username) || '';
@@ -63,27 +59,34 @@ async function updateAccount(account, changer) {
         console.log('please reset password for account', username);
         process.exit(1);
     }
-    if (account.belongs)
-        account.belongs = (0, misc_1.wantArray)(account.belongs).filter(b => b in accounts // at this stage the group record may still be null if specified later in the file
-            || console.error(`account ${username} belongs to non-existing ${b}`));
+    if (account.belongs) {
+        account.belongs = (0, misc_1.wantArray)(account.belongs);
+        lodash_1.default.remove(account.belongs, b => {
+            if (b in accounts)
+                return;
+            console.error(`account ${username} belongs to non-existing ${b}`);
+            return true;
+        });
+    }
     if (was !== JSON.stringify(account))
         saveAccountsAsap();
 }
 exports.updateAccount = updateAccount;
-const saveAccountsAsap = config_1.saveConfigAsap;
-const accountsConfig = (0, config_1.defineConfig)('accounts', {});
-accountsConfig.sub(async (v) => {
-    // we should validate content here
-    accounts = v; // keep local reference
-    await Promise.all(lodash_1.default.map(accounts, async (rec, k) => {
+const saveAccountsAsap = () => { (0, config_1.saveConfigAsap)().then(); };
+exports.accountsConfig = (0, config_1.defineConfig)('accounts', {});
+exports.accountsConfig.sub(obj => {
+    // consider some validation here
+    lodash_1.default.each(accounts = obj, (rec, k) => {
         const norm = normalizeUsername(k);
-        if (!rec) // an empty object in yaml is stored as null
-            rec = accounts[norm] = { username: norm };
-        else if ((0, misc_1.objRenameKey)(accounts, k, norm))
-            saveAccountsAsap();
-        (0, misc_1.setHidden)(rec, { username: norm });
-        await updateAccount(rec); // work password fields
-    }));
+        if ((rec === null || rec === void 0 ? void 0 : rec.username) !== norm) {
+            if (!rec) // an empty object in yaml is parsed as null
+                rec = obj[norm] = { username: norm };
+            else if ((0, misc_1.objRenameKey)(obj, k, norm))
+                saveAccountsAsap();
+            (0, misc_1.setHidden)(rec, { username: norm });
+        }
+        updateAccount(rec).then(); // work password fields
+    });
 });
 function normalizeUsername(username) {
     return username.toLocaleLowerCase();
@@ -120,8 +123,7 @@ function addAccount(username, props) {
         return;
     const filteredProps = lodash_1.default.pickBy(lodash_1.default.pick(props, assignableProps), Boolean);
     const copy = (0, misc_1.setHidden)(filteredProps, { username }); // have the field in the object but hidden so that stringification won't include it
-    accountsConfig.set(accounts => Object.assign(accounts, { [username]: copy }));
-    saveAccountsAsap().then();
+    exports.accountsConfig.set(accounts => Object.assign(accounts, { [username]: copy }));
     return copy;
 }
 exports.addAccount = addAccount;
@@ -136,15 +138,15 @@ function setAccount(username, changes) {
     Object.assign(acc, rest);
     if (changes.username)
         renameAccount(username, changes.username);
-    saveAccountsAsap().then();
+    saveAccountsAsap();
     return acc;
 }
 exports.setAccount = setAccount;
 function delAccount(username) {
     if (!getAccount(username))
         return false;
-    accountsConfig.set(accounts => Object.assign(accounts, { [normalizeUsername(username)]: undefined }));
-    saveAccountsAsap().then();
+    exports.accountsConfig.set(accounts => Object.assign(accounts, { [normalizeUsername(username)]: undefined }));
+    saveAccountsAsap();
     return true;
 }
 exports.delAccount = delAccount;
@@ -172,10 +174,10 @@ function accountCanLogin(account) {
 }
 exports.accountCanLogin = accountCanLogin;
 function accountCanLoginAdmin(account) {
-    return accountCanLogin(account) && getFromAccount(account, a => a.admin);
+    return accountCanLogin(account) && Boolean(getFromAccount(account, a => a.admin));
 }
 exports.accountCanLoginAdmin = accountCanLoginAdmin;
 function anyAccountCanLoginAdmin() {
-    return Object.values(accounts).find(accountCanLoginAdmin);
+    return Boolean(lodash_1.default.find(exports.accountsConfig.get(), accountCanLoginAdmin));
 }
 exports.anyAccountCanLoginAdmin = anyAccountCanLoginAdmin;

package/src/plugins.js

@@ -1,5 +1,5 @@
 "use strict";
-// This file is part of HFS - Copyright 2021-2022, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
+// This file is part of HFS - Copyright 2021-2023, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
     var desc = Object.getOwnPropertyDescriptor(m, k);

package/src/serveFile.js

@@ -1,5 +1,5 @@
 "use strict";
-// This file is part of HFS - Copyright 2021-2022, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
+// This file is part of HFS - Copyright 2021-2023, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
@@ -27,7 +27,7 @@ function serveFileNode(node) {
             const ref = (_a = /\/\/([^:/]+)/.exec(ctx.get('referer'))) === null || _a === void 0 ? void 0 : _a[1]; // extract host from url
             if (ref && ref !== host() // automatic accept if referer is basically the hosting domain
                 && !(0, micromatch_1.isMatch)(ref, allowed))
-                return ctx.status = const_1.FORBIDDEN;
+                return ctx.status = const_1.HTTP_FORBIDDEN;
             function host() {
                 const s = ctx.get('host');
                 return s[0] === '[' ? s.slice(1, s.indexOf(']')) : s === null || s === void 0 ? void 0 : s.split(':')[0];
@@ -50,26 +50,26 @@ function serveFile(source, mime, content) {
         if (mime)
             ctx.type = mime;
         if (ctx.method === 'OPTIONS') {
-            ctx.status = const_1.NO_CONTENT;
+            ctx.status = const_1.HTTP_NO_CONTENT;
             ctx.set({ Allow: 'OPTIONS, GET, HEAD' });
             return;
         }
         if (ctx.method !== 'GET')
-            return ctx.status = const_1.METHOD_NOT_ALLOWED;
+            return ctx.status = const_1.HTTP_METHOD_NOT_ALLOWED;
         try {
             const stats = await (0, util_1.promisify)(fs_1.stat)(source); // using fs's function instead of fs/promises, because only the former is supported by pkg
             ctx.set('Last-Modified', stats.mtime.toUTCString());
             ctx.fileSource = source;
-            ctx.status = 200;
+            ctx.status = const_1.HTTP_OK;
             if (ctx.fresh)
-                return ctx.status = 304;
+                return ctx.status = const_1.HTTP_NOT_MODIFIED;
             if (content !== undefined)
                 return ctx.body = content;
             const range = getRange(ctx, stats.size);
             ctx.body = (0, fs_1.createReadStream)(source, range);
         }
         catch (_a) {
-            return ctx.status = 404;
+            return ctx.status = const_1.HTTP_NOT_FOUND;
         }
     };
 }
@@ -83,21 +83,21 @@ function getRange(ctx, totalSize) {
     }
     const ranges = range.split('=')[1];
     if (ranges.includes(','))
-        return ctx.throw(400, 'multi-range not supported');
+        return ctx.throw(const_1.HTTP_BAD_REQUEST, 'multi-range not supported');
     let bytes = ranges === null || ranges === void 0 ? void 0 : ranges.split('-');
     if (!(bytes === null || bytes === void 0 ? void 0 : bytes.length))
-        return ctx.throw(400, 'bad range');
+        return ctx.throw(const_1.HTTP_BAD_REQUEST, 'bad range');
     const max = totalSize - 1;
     const start = bytes[0] ? Number(bytes[0]) : Math.max(0, totalSize - Number(bytes[1])); // a negative start is relative to the end
     const end = bytes[0] ? Number(bytes[1] || max) : max;
     // we don't support last-bytes without knowing max
     if (isNaN(end) && isNaN(max) || end > max || start > max) {
-        ctx.status = 416;
+        ctx.status = const_1.HTTP_RANGE_NOT_SATISFIABLE;
         ctx.set('Content-Range', `bytes ${totalSize}`);
         ctx.body = 'Requested Range Not Satisfiable';
         return;
     }
-    ctx.status = 206;
+    ctx.status = const_1.HTTP_PARTIAL_CONTENT;
     ctx.set('Content-Range', `bytes ${start}-${isNaN(end) ? '' : end}/${isNaN(totalSize) ? '*' : totalSize}`);
     ctx.response.length = end - start + 1;
     return { start, end };

package/src/serveGuiFiles.js

@@ -1,5 +1,5 @@
 "use strict";
-// This file is part of HFS - Copyright 2021-2022, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
+// This file is part of HFS - Copyright 2021-2023, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
     var desc = Object.getOwnPropertyDescriptor(m, k);
@@ -43,12 +43,12 @@ function serveStatic(uri) {
     const cache = {};
     return async (ctx, next) => {
         if (ctx.method === 'OPTIONS') {
-            ctx.status = const_1.NO_CONTENT;
+            ctx.status = const_1.HTTP_NO_CONTENT;
             ctx.set({ Allow: 'OPTIONS, GET' });
             return;
         }
         if (ctx.method !== 'GET')
-            return ctx.status = const_1.METHOD_NOT_ALLOWED;
+            return ctx.status = const_1.HTTP_METHOD_NOT_ALLOWED;
         const serveApp = shouldServeApp(ctx);
         const fullPath = (0, path_1.join)(__dirname, '..', DEV_STATIC, folder, serveApp ? '/index.html' : ctx.path);
         const content = await (0, misc_1.getOrSet)(cache, ctx.path, async () => {
@@ -57,7 +57,7 @@ function serveStatic(uri) {
                 : adjustBundlerLinks(ctx.path, uri, data);
         });
         if (content === null)
-            return ctx.status = 404;
+            return ctx.status = const_1.HTTP_NOT_FOUND;
         if (!serveApp)
             return (0, serveFile_1.serveFile)(fullPath, 'auto', content)(ctx, next);
         // we don't cache the index as it's small and may prevent plugins change to apply

package/src/sse.js

@@ -1,7 +1,8 @@
 "use strict";
-// This file is part of HFS - Copyright 2021-2022, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
+// This file is part of HFS - Copyright 2021-2023, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
 Object.defineProperty(exports, "__esModule", { value: true });
 const stream_1 = require("stream");
+const const_1 = require("./const");
 function createSSE(ctx) {
     const { socket } = ctx.req;
     socket.setTimeout(0);
@@ -13,7 +14,7 @@ function createSSE(ctx) {
         'Connection': 'keep-alive',
         'X-Accel-Buffering': 'no', // avoid buffering when reverse-proxied through nginx
     });
-    ctx.status = 200;
+    ctx.status = const_1.HTTP_OK;
     return ctx.body = new stream_1.Transform({
         objectMode: true,
         transform(chunk, encoding, cb) {

package/src/throttler.js

@@ -1,5 +1,5 @@
 "use strict";
-// This file is part of HFS - Copyright 2021-2022, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
+// This file is part of HFS - Copyright 2021-2023, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };

package/src/update.js

@@ -1,4 +1,5 @@
 "use strict";
+// This file is part of HFS - Copyright 2021-2023, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.update = exports.getUpdate = void 0;
 const github_1 = require("./github");