hfs 0.27.2 → 0.29.0

package/frontend/assets/index-cbcc6ac5.css

@@ -0,0 +1 @@
+@charset "UTF-8";:root{--bg: #fff;--text: #555;--faint-contrast: #0002;--mild-contrast: #0005;--good-contrast: #000a;--button-bg: #68a;--button-text: #fff;--focus-color: #468}:root .theme-dark{--bg: #000;--text: #999;--faint-contrast: #fff2;--mild-contrast: #fff5;--good-contrast: #fffa;--button-bg: #345;--button-text: #999}:root .theme-dark body{color-scheme:dark}:root .theme-dark a{color:#8ac}:root .theme-dark .dialog-closer{background:#633}:root .theme-dark .dialog-icon{color:#ccc}:root .theme-dark .dialog-icon .icon{color:#aaa;margin-left:-1px;font-size:95%}:root .theme-dark .dialog-backdrop{background:rgba(51,51,51,.7333333333)}:root .theme-dark .error-msg{color:#b88;background-color:#623}body{background:var(--bg);margin:0;font-family:-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Cantarell,Fira Sans,Droid Sans,Helvetica Neue,sans-serif;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}body,button,select,input{font-size:12pt}#root{max-width:50em;margin:auto;min-height:100vh;display:flex;flex-direction:column}body,input{color:var(--text)}code{font-family:source-code-pro,Menlo,Monaco,Consolas,Courier New,monospace}input,select{padding:.3em .4em;border-radius:.5em;background:var(--bg);border-color:var(--mild-contrast);color:var(--good-contrast);max-width:100%;box-sizing:border-box}input[type=checkbox]{margin:0 1.3em 0 .8em;transform:scale(1.7);accent-color:var(--button-bg)}.hidden{display:none!important}.icon{font-size:1.2em}.icon.mirror:before{transform:scaleX(-1)}a{text-decoration:none;color:#57a}button{background-color:var(--button-bg);color:var(--button-text);padding:.5em 1em;border:transparent;text-decoration:none;border-radius:.3em;vertical-align:middle;cursor:pointer}button.toggled{opacity:.6}button:focus-visible,.breadcrumb:focus-visible{outline:3px solid var(--focus-color)}input:focus-visible,select:focus-visible,ul a:focus-visible{border-radius:.3em;border-color:transparent;outline:2px solid var(--focus-color)}.error-msg{background-color:#faa;color:#833;padding:.5em 1em}header{position:sticky;top:0;background:var(--bg);padding:.2em;z-index:1}.ani-working{animation:1s blink infinite}@keyframes blink{0%{opacity:1}50%{opacity:.2}}@keyframes spin{to{transform:rotate(360deg)}}@keyframes fade-in{0%{opacity:0}to{opacity:1}}.spinner,.icon.spinner:before{animation:1.5s spin infinite linear}.icon.emoji.spinner{display:inline-block}.breadcrumb{padding:.1em .6em .2em;line-height:1.8em;border-radius:.7em;background-color:var(--button-bg);color:var(--button-text);border-top:1px solid #666;margin-right:-.1em}.breadcrumb:nth-child(-n+3) .icon{padding:0 .2em}#folder-stats{font-size:90%;margin:.4em 0 0 .5em;float:right}#folder-stats .icon{margin-right:.3em}header input{width:100%;margin:.2em auto;box-sizing:border-box}#filter-bar{display:flex;gap:.3em;margin:.5em 0}#filter-bar input{flex:1}#filter-bar button{padding:0 .5em}ul.dir{flex:1;padding:0;margin:0;clear:both}ul.dir li{display:block;list-style-type:none;margin-bottom:.3em;padding:.3em;border-top:1px solid var(--button-bg)}ul.dir li a{word-break:break-word;padding-right:.3em}ul.dir li a .icon{margin-right:.3em}ul.dir li a.container-folder:hover{text-decoration:underline}ul.dir li .entry-props{float:right;font-size:90%;margin-left:12px;margin-top:.2em}ul.dir li .entry-props .icon{margin:0 .3em}ul.dir li .entry-props .entry-size{display:inline-block}#menu-panel{margin-bottom:.2em}#menu-bar{display:flex;justify-content:space-evenly;flex-wrap:wrap}#menu-bar>*{flex:auto;margin:.1em}#menu-bar button{padding-left:0;padding-right:0}#menu-bar>a>button{width:100%}#searched{margin:.2em}#user-panel{display:flex;flex-direction:column;gap:1em}#user-panel a>button{width:100%}button label{cursor:inherit;margin-left:.5em}.dialog-backdrop.working{font-size:5em;animation:1s fade-in}.dialog-content{padding:.2em}.dialog{--color: var(--button-bg)}#paging{display:flex;position:sticky;bottom:0;background:var(--bg);gap:.5em;overflow-x:auto}#paging>button{flex:1;background:var(--button-bg);text-align:center}.upload-progress:before{content:" \2013  "}.upload-progress{min-width:4em;display:inline-block;margin-left:.5em}.upload-list td:nth-child(1){width:0}.upload-list td:nth-child(2){text-align:right;width:0;white-space:nowrap;padding-left:.5em}.upload-list td:nth-child(3){padding:.2em .5em;word-break:break-word}*{scrollbar-width:thin;scrollbar-color:var(--button-bg) var(--faint-contrast)}*::-webkit-scrollbar{width:12px}*::-webkit-scrollbar-track{background:var(--faint-contrast)}*::-webkit-scrollbar-thumb{background-color:var(--button-bg);border-radius:20px;border:1px solid var(--faint-contrast)}@media (max-width: 42em){body,button,select{font-size:14pt}#menu-bar button label{display:none}#filter-bar{margin:.2em 0}#filter-bar label{display:none}#filter-bar button{width:17.6vw;height:2.3em}.breadcrumb{word-break:break-all}.breadcrumb .icon{font-size:24px}}.dialog-backdrop{position:fixed;inset:0;background:#888a;display:flex;justify-content:center;align-items:center;z-index:1000}.dialog{background:#fff;background:var(--bg);padding:max(.5em,1vw);border-radius:1em;position:relative;margin:0 3vw;overflow:hidden;max-height:calc(100vh - 2em)}.dialog-icon{color:#fff;background-color:var(--color);position:absolute;top:0;width:1.8em;height:1.7em;text-align:center;border-radius:.8em 0}.dialog-title{margin-top:-.4em;font-size:110%}.dialog-icon~.dialog-title{text-align:center}.dialog-closer{border-radius:0 .8em;right:0;padding:0;background-color:#c99}.dialog-icon~.dialog-content{margin-top:2em}.dialog-type{left:0;top:0;overflow:hidden;line-height:1.7em}.dialog-content{overflow:auto;max-height:calc(100vh - 4.5em)}.dialog-content p{white-space:pre-wrap;margin:.5em 0}.dialog-confirm .dialog-content button{margin-top:1em}.dialog-alert-info{--color: #282 }.dialog-alert-warning{--color: #c91 }.dialog-alert-error{--color: #822}@media (max-width: 50em){.dialog-closer{font-size:120%}.dialog-icon~.dialog-content{margin-top:2em}}

package/{admin/assets/sha512-738f0943.js → frontend/assets/sha512-2c2fa926.js}

@@ -1,4 +1,4 @@
-import{c as SF}from"./index-509bb1d6.js";function OF(iF,hF){for(var eF=0;eF<hF.length;eF++){const tF=hF[eF];if(typeof tF!="string"&&!Array.isArray(tF)){for(const w in tF)if(w!=="default"&&!(w in iF)){const lF=Object.getOwnPropertyDescriptor(tF,w);lF&&Object.defineProperty(iF,w,lF.get?lF:{enumerable:!0,get:()=>tF[w]})}}}return Object.freeze(Object.defineProperty(iF,Symbol.toStringTag,{value:"Module"}))}var EF={},UF={get exports(){return EF},set exports(iF){EF=iF}};/*
+import{c as SF}from"./index-72e96bb2.js";function OF(iF,hF){for(var eF=0;eF<hF.length;eF++){const tF=hF[eF];if(typeof tF!="string"&&!Array.isArray(tF)){for(const w in tF)if(w!=="default"&&!(w in iF)){const lF=Object.getOwnPropertyDescriptor(tF,w);lF&&Object.defineProperty(iF,w,lF.get?lF:{enumerable:!0,get:()=>tF[w]})}}}return Object.freeze(Object.defineProperty(iF,Symbol.toStringTag,{value:"Module"}))}var EF={},UF={get exports(){return EF},set exports(iF){EF=iF}};/*
  * [js-sha512]{@link https://github.com/emn178/js-sha512}
  *
  * @version 0.8.0

package/frontend/index.html

@@ -6,8 +6,8 @@
     <link href="/fontello.css" rel="stylesheet" />
     <script>SESSION = _HFS_SESSION_</script>
     <title>File Server</title>
-    <script type="module" crossorigin src="/assets/index-aea7654e.js"></script>
-    <link rel="stylesheet" href="/assets/index-6e178dfd.css">
+    <script type="module" crossorigin src="/assets/index-72e96bb2.js"></script>
+    <link rel="stylesheet" href="/assets/index-cbcc6ac5.css">
   </head>
   <body>
     <div hidden>_HFS_PLUGINS_</div>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hfs",
-  "version": "0.27.2",
+  "version": "0.29.0",
   "description": "HTTP File Server",
   "keywords": [
     "file server",
@@ -64,6 +64,7 @@
     "cidr-tools": "^4.3.0",
     "fast-glob": "^3.2.7",
     "find-process": "^1.4.7",
+    "formidable": "^2.1.1",
     "koa": "^2.13.4",
     "koa-compress": "^5.1.0",
     "koa-mount": "^4.0.0",
@@ -73,12 +74,13 @@
     "minimist": "^1.2.6",
     "open": "^8.4.0",
     "tssrp6a": "^3.0.0",
-    "yaml": "^2.0.0-10",
-    "unzip-stream": "^0.3.1"
+    "unzip-stream": "^0.3.1",
+    "yaml": "^2.0.0-10"
   },
   "devDependencies": {
     "@types/archiver": "^5.1.1",
     "@types/basic-auth": "^1.1.3",
+    "@types/formidable": "^2.0.5",
     "@types/koa": "^2.13.4",
     "@types/koa__router": "^8.0.11",
     "@types/koa-compress": "^4.0.3",
@@ -90,16 +92,16 @@
     "@types/minimist": "^1.2.2",
     "@types/mocha": "^9.0.0",
     "@types/node": "^16.11.12",
+    "@types/tough-cookie": "^4.0.2",
     "@types/unzipper": "^0.10.5",
     "axios": "^0.24.0",
     "axios-cookiejar-support": "^4.0.1",
-    "tough-cookie": "^4.0.0",
-    "@types/tough-cookie": "^4.0.2",
     "koa-better-http-proxy": "^0.2.9",
     "mocha": "^9.1.3",
     "nm-prune": "^5.0.0",
     "nodemon": "^2.0.15",
     "pkg": "^5.7.0",
+    "tough-cookie": "^4.0.0",
     "ts-node": "^10.4.0"
   }
 }

package/plugins/vhosting/plugin.js

@@ -24,7 +24,7 @@ exports.init = api => {
             let toModify = ctx
             if (ctx.path.startsWith(api.const.SPECIAL_URI)) { // special uris should be excluded...
                 toModify = ctx.params
-                if (toModify.path === undefined) // ...unless they carry a path in the query. In that case we'll work that.
+                if (toModify?.path === undefined) // ...unless they carry a path in the query. In that case we'll work that.
                     return
             }
             const hosts = api.getConfig('hosts')

package/src/QuickZipStream.js

@@ -1,28 +1,5 @@
 "use strict";
 // This file is part of HFS - Copyright 2021-2023, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
@@ -35,7 +12,7 @@ const assert_1 = __importDefault(require("assert"));
 const ZIP64_SIZE_LIMIT = 0xffffffff;
 const ZIP64_NUMBER_LIMIT = 0xffff;
 let crc32function;
-Promise.resolve().then(() => __importStar(require('@node-rs/crc32'))).then(lib => crc32function = lib.crc32, () => {
+import('@node-rs/crc32').then(lib => crc32function = lib.crc32, () => {
     console.log('using generic lib for crc32');
     crc32function = buffer_crc32_1.unsigned;
 });

package/src/adminApis.js

@@ -149,11 +149,9 @@ exports.adminApis = {
         }
     },
 };
-for (const k in exports.adminApis) {
-    const was = exports.adminApis[k];
+for (const [k, was] of Object.entries(exports.adminApis))
     exports.adminApis[k] = (params, ctx) => ctxAdminAccess(ctx) ? was(params, ctx)
-        : new apiMiddleware_1.ApiError(const_1.HTTP_UNAUTHORIZED);
-}
+        : new apiMiddleware_1.ApiError(const_1.HTTP_UNAUTHORIZED, { any: (0, perm_1.anyAccountCanLoginAdmin)() });
 exports.localhostAdmin = (0, config_1.defineConfig)('localhost_admin', true);
 function ctxAdminAccess(ctx) {
     return !ctx.state.proxiedFor // we consider localhost_admin only if no proxy is detected

package/src/api.accounts.js

@@ -42,7 +42,7 @@ const apis = {
     },
     add_account({ username, ...rest }) {
         if ((0, perm_1.getAccount)(username))
-            return new apiMiddleware_1.ApiError(const_1.HTTP_FORBIDDEN);
+            return new apiMiddleware_1.ApiError(const_1.HTTP_CONFLICT);
         const acc = (0, perm_1.addAccount)(username, rest);
         return acc ? lodash_1.default.pick(acc, 'username') : new apiMiddleware_1.ApiError(const_1.HTTP_BAD_REQUEST);
     },

package/src/api.auth.js

@@ -72,6 +72,8 @@ async function srpStep1(account) {
     if (!account.srp)
         throw const_1.HTTP_NOT_ACCEPTABLE;
     const [salt, verifier] = account.srp.split('|');
+    if (!salt || !verifier)
+        throw Error("malformed account");
     const srpSession = new tssrp6a_1.SRPServerSession(srp6aNimbusRoutines);
     const step1 = await srpSession.step1(account.username, BigInt(salt), BigInt(verifier));
     return { step1, salt, pubKey: String(step1.B) }; // cast to string cause bigint can't be jsonized
@@ -85,6 +87,8 @@ const loginSrp2 = async ({ pubKey, proof }, ctx) => {
         return new apiMiddleware_1.ApiError(const_1.HTTP_CONFLICT);
     const { username, sid } = ctx.session.login;
     const step1 = ongoingLogins[sid];
+    if (!step1)
+        return new apiMiddleware_1.ApiError(const_1.HTTP_NOT_FOUND);
     try {
         const M2 = await step1.step2(BigInt(pubKey), BigInt(proof));
         await loggedIn(ctx, username);

package/src/api.vfs.js

@@ -10,10 +10,9 @@ const promises_1 = require("fs/promises");
 const apiMiddleware_1 = require("./apiMiddleware");
 const path_1 = require("path");
 const misc_1 = require("./misc");
-const child_process_1 = require("child_process");
-const util_1 = require("util");
 const const_1 = require("./const");
 const micromatch_1 = require("micromatch");
+const util_os_1 = require("./util-os");
 // to manipulate the tree we need the original node
 async function urlToNodeOriginal(uri) {
     const n = await (0, vfs_1.urlToNode)(uri);
@@ -68,7 +67,7 @@ const apis = {
         if (!n)
             return new apiMiddleware_1.ApiError(const_1.HTTP_NOT_FOUND, 'invalid under');
         if (n.isTemp || !await (0, vfs_1.nodeIsDirectory)(n))
-            return new apiMiddleware_1.ApiError(const_1.HTTP_FORBIDDEN, 'invalid under');
+            return new apiMiddleware_1.ApiError(const_1.HTTP_NOT_ACCEPTABLE, 'invalid under');
         if ((0, misc_1.isWindowsDrive)(source))
             source += '\\'; // slash must be included, otherwise it will refer to the cwd of that drive
         const a = n.children || (n.children = []);
@@ -91,7 +90,7 @@ const apis = {
                 const parent = (0, path_1.dirname)(uri);
                 const parentNode = await urlToNodeOriginal(parent);
                 if (!parentNode)
-                    return const_1.HTTP_FORBIDDEN;
+                    return const_1.HTTP_NOT_ACCEPTABLE;
                 const { children } = parentNode;
                 if (!children) // shouldn't happen
                     return const_1.HTTP_SERVER_ERROR;
@@ -115,7 +114,7 @@ const apis = {
     async *ls({ path, files = true, fileMask }, ctx) {
         if (!path && const_1.IS_WINDOWS) {
             try {
-                for (const n of await getDrives())
+                for (const n of await (0, util_os_1.getDrives)())
                     yield { add: { n, k: 'd' } };
             }
             catch (error) {
@@ -161,7 +160,3 @@ function pickProps(o, keys) {
                 ret[k] = o[k] === null || o[k] === '' ? undefined : o[k];
     return ret;
 }
-async function getDrives() {
-    const { stdout } = await (0, util_1.promisify)(child_process_1.exec)('wmic logicaldisk get name');
-    return stdout.split('\n').slice(1).map(x => x.trim()).filter(Boolean);
-}

package/src/apiMiddleware.js

@@ -13,7 +13,7 @@ const const_1 = require("./const");
 const lodash_1 = __importDefault(require("lodash"));
 class ApiError extends Error {
     constructor(status, message) {
-        super(typeof message === 'string' ? message : message === null || message === void 0 ? void 0 : message.message);
+        super(typeof message === 'string' ? message : message && message instanceof Error ? message.message : JSON.stringify(message));
         this.status = status;
     }
 }
@@ -22,21 +22,25 @@ function apiMiddleware(apis) {
     return async (ctx) => {
         const { params } = ctx;
         console.debug('API', ctx.method, ctx.path, { ...params });
-        if (!apis.hasOwnProperty(ctx.path)) {
+        const apiFun = apis.hasOwnProperty(ctx.path) && apis[ctx.path];
+        if (!apiFun) {
             ctx.body = 'invalid api';
             return ctx.status = const_1.HTTP_NOT_FOUND;
         }
+        ctx.params = ctx.method === 'POST' ? (0, misc_1.tryJson)(await (0, misc_1.stream2string)(ctx.req))
+            : (0, misc_1.objSameKeys)(ctx.query, x => Array.isArray(x) ? x : (0, misc_1.tryJson)(x));
+        console.debug('API', ctx.method, ctx.path, { ...ctx.params });
         const csrf = ctx.cookies.get('csrf');
         // we don't rely on SameSite cookie option because it's https-only
-        let res = csrf && csrf !== params.csrf ? new ApiError(const_1.HTTP_UNAUTHORIZED, 'csrf')
-            : await apis[ctx.path](params || {}, ctx);
+        let res = csrf && csrf !== ctx.params.csrf ? new ApiError(const_1.HTTP_UNAUTHORIZED, 'csrf')
+            : await apiFun(ctx.params || {}, ctx);
         if (isAsyncGenerator(res))
             res = (0, misc_1.asyncGeneratorToReadable)(res);
         if (res instanceof stream_1.Readable) { // Readable, we'll go SSE-mode
             res.pipe((0, sse_1.default)(ctx));
-            const stillRes = res; // satisfy ts
+            const resAsReadable = res; // satisfy ts
             ctx.req.on('close', () => // by closing the generated stream, creator of the stream will know the request is over without having to access anything else
-             stillRes.destroy());
+             resAsReadable.destroy());
             return;
         }
         if (res instanceof ApiError) {

package/src/config.js

@@ -147,7 +147,8 @@ function setConfig1(k, newV, saveChanges = true) {
     var _a;
     if (lodash_1.default.isPlainObject(newV))
         newV = lodash_1.default.pickBy(newV, x => x !== undefined);
-    if ((0, misc_1.same)(newV, (_a = configProps[k]) === null || _a === void 0 ? void 0 : _a.defaultValue))
+    const def = (_a = configProps[k]) === null || _a === void 0 ? void 0 : _a.defaultValue;
+    if ((0, misc_1.same)(newV !== null && newV !== void 0 ? newV : null, def !== null && def !== void 0 ? def : null))
         newV = undefined;
     if (started && (0, misc_1.same)(newV, state[k]))
         return; // no change

package/src/const.js

@@ -27,7 +27,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.APP_PATH = exports.IS_WINDOWS = exports.HTTP_SERVER_ERROR = exports.HTTP_FOOL = exports.HTTP_RANGE_NOT_SATISFIABLE = exports.HTTP_CONFLICT = exports.HTTP_NOT_ACCEPTABLE = exports.HTTP_METHOD_NOT_ALLOWED = exports.HTTP_NOT_FOUND = exports.HTTP_FORBIDDEN = exports.HTTP_UNAUTHORIZED = exports.HTTP_BAD_REQUEST = exports.HTTP_NOT_MODIFIED = exports.HTTP_TEMPORARY_REDIRECT = exports.HTTP_PARTIAL_CONTENT = exports.HTTP_NO_CONTENT = exports.HTTP_OK = exports.PLUGINS_PUB_URI = exports.API_URI = exports.ADMIN_URI = exports.FRONTEND_URI = exports.SPECIAL_URI = exports.COMPATIBLE_API_VERSION = exports.API_VERSION = exports.SESSION_DURATION = exports.DAY = exports.VERSION = exports.BUILD_TIMESTAMP = exports.HFS_STARTED = exports.ORIGINAL_CWD = exports.DEV = exports.argv = void 0;
+exports.APP_PATH = exports.IS_WINDOWS = exports.HTTP_SERVER_ERROR = exports.HTTP_FOOL = exports.HTTP_RANGE_NOT_SATISFIABLE = exports.HTTP_PAYLOAD_TOO_LARGE = exports.HTTP_CONFLICT = exports.HTTP_NOT_ACCEPTABLE = exports.HTTP_METHOD_NOT_ALLOWED = exports.HTTP_NOT_FOUND = exports.HTTP_FORBIDDEN = exports.HTTP_UNAUTHORIZED = exports.HTTP_BAD_REQUEST = exports.HTTP_NOT_MODIFIED = exports.HTTP_TEMPORARY_REDIRECT = exports.HTTP_PARTIAL_CONTENT = exports.HTTP_NO_CONTENT = exports.HTTP_OK = exports.PLUGINS_PUB_URI = exports.API_URI = exports.ADMIN_URI = exports.FRONTEND_URI = exports.SPECIAL_URI = exports.COMPATIBLE_API_VERSION = exports.API_VERSION = exports.SESSION_DURATION = exports.DAY = exports.VERSION = exports.BUILD_TIMESTAMP = exports.HFS_STARTED = exports.ORIGINAL_CWD = exports.DEV = exports.argv = void 0;
 const minimist_1 = __importDefault(require("minimist"));
 const fs = __importStar(require("fs"));
 const os_1 = require("os");
@@ -62,6 +62,7 @@ exports.HTTP_NOT_FOUND = 404;
 exports.HTTP_METHOD_NOT_ALLOWED = 405;
 exports.HTTP_NOT_ACCEPTABLE = 406;
 exports.HTTP_CONFLICT = 409;
+exports.HTTP_PAYLOAD_TOO_LARGE = 413;
 exports.HTTP_RANGE_NOT_SATISFIABLE = 416;
 exports.HTTP_FOOL = 418;
 exports.HTTP_SERVER_ERROR = 500;

package/src/frontEndApis.js

@@ -23,16 +23,37 @@ var __importStar = (this && this.__importStar) || function (mod) {
     __setModuleDefault(result, mod);
     return result;
 };
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.frontEndApis = void 0;
+exports.notifyClient = exports.frontEndApis = void 0;
+const apiMiddleware_1 = require("./apiMiddleware");
 const api_file_list_1 = require("./api.file_list");
 const api_auth = __importStar(require("./api.auth"));
 const config_1 = require("./config");
+const events_1 = __importDefault(require("./events"));
 const customHeader = (0, config_1.defineConfig)('custom_header');
 exports.frontEndApis = {
     file_list: api_file_list_1.file_list,
     ...api_auth,
     config() {
         return Object.fromEntries([customHeader].map(x => [x.key(), x.get()]));
+    },
+    get_notifications({ channel }, ctx) {
+        const list = new apiMiddleware_1.SendListReadable();
+        list.ready(); // on chrome109 EventSource doesn't emit 'open' until something is sent
+        return list.events(ctx, {
+            [NOTIFICATION_PREFIX + channel](name, data) {
+                list.custom({ name, data });
+            }
+        });
     }
 };
+function notifyClient(ctx, name, data) {
+    const { notificationChannel } = ctx.query;
+    if (notificationChannel)
+        events_1.default.emit(NOTIFICATION_PREFIX + notificationChannel, name, data);
+}
+exports.notifyClient = notifyClient;
+const NOTIFICATION_PREFIX = 'notificationChannel:';

package/src/github.js

@@ -28,6 +28,8 @@ async function downloadPlugin(repo, branch = '', overwrite) {
     if (!branch)
         branch = rec.default_branch;
     const short = repo.split('/')[1]; // second part, repo without the owner
+    if (!short)
+        return new apiMiddleware_1.ApiError(const_1.HTTP_BAD_REQUEST, "bad repo");
     const folder2repo = getFolder2repo();
     const folder = overwrite ? lodash_1.default.findKey(folder2repo, x => x === repo) // use existing folder
         : short in folder2repo ? repo.replace('/', '-') // longer form only if another plugin is using short form

package/src/index.js

@@ -23,6 +23,7 @@ const config_1 = require("./config");
 const assert_1 = require("assert");
 const lodash_1 = __importDefault(require("lodash"));
 const misc_1 = require("./misc");
+//import body from 'koa-better-body'
 (0, assert_1.ok)(lodash_1.default.intersection(Object.keys(frontEndApis_1.frontEndApis), Object.keys(adminApis_1.adminApis)).length === 0); // they share same endpoints
 const keys = ((_a = process.env.COOKIE_SIGN_KEYS) === null || _a === void 0 ? void 0 : _a.split(',')) || [(0, misc_1.randomId)(30)];
 exports.app = new koa_1.default({ keys });
@@ -33,9 +34,9 @@ exports.app.use(middlewares_1.someSecurity)
     .use((0, log_1.log)())
     .use(throttler_1.throttler)
     .use(middlewares_1.gzipper)
-    .use(middlewares_1.paramsDecoder)
     .use((0, plugins_1.pluginsMiddleware)())
     .use((0, koa_mount_1.default)(const_1.API_URI, (0, apiMiddleware_1.apiMiddleware)({ ...frontEndApis_1.frontEndApis, ...adminApis_1.adminApis })))
+    //.use(body({ multipart: false }))
     .use(middlewares_1.serveGuiAndSharedFiles)
     .on('error', errorHandler);
 function errorHandler(err) {

package/src/listen.js

@@ -132,6 +132,8 @@ function startServer(srv, { port, host }) {
         try {
             if (port < 0 || !host && !await testIpV4()) // !host means ipV4+6, and if v4 port alone is busy we won't be notified of the failure, so we'll first test it on its own
                 return resolve(0);
+            // from a few tests, this seems enough to support the expect-100 http/1.1 mechanism, at least with curl -T, not used by chrome|firefox anyway
+            srv.on('checkContinue', (req, res) => srv.emit('request', req, res));
             port = await listen(host);
             if (port)
                 console.log(srv.name, "serving on", host || "any network", ':', port);
@@ -223,9 +225,10 @@ function printUrls(port, proto) {
         if (!nets || ignore.test(name))
             continue;
         lodash_1.default.remove(nets, 'internal');
-        if (!nets.length)
+        const first = nets[0];
+        if (!first)
             continue;
-        const best = lodash_1.default.find(nets, { family: 'IPv4' }) || nets[0];
+        const best = lodash_1.default.find(nets, { family: 'IPv4' }) || first;
         const appendPort = port === (proto === 'https' ? 443 : 80) ? '' : ':' + port;
         let { address } = best;
         if (address.includes(':'))

package/src/log.js

@@ -81,7 +81,7 @@ const logRotation = (0, config_1.defineConfig)('log_rotation', 'weekly');
 function log() {
     const debounce = lodash_1.default.debounce(cb => cb(), 1000);
     return async (ctx, next) => {
-        var _a;
+        var _a, _b;
         await next();
         const isError = ctx.status >= 400;
         const logger = isError && accessErrorLog || accessLogger;
@@ -112,7 +112,7 @@ function log() {
             }
         }
         const format = '%s - %s [%s] "%s %s HTTP/%s" %d %s\n'; // Apache's Common Log Format
-        const date = a[2] + '/' + a[1] + '/' + a[3] + ':' + a[4] + ' ' + a[5].slice(3);
+        const date = a[2] + '/' + a[1] + '/' + a[3] + ':' + a[4] + ' ' + ((_b = a[5]) === null || _b === void 0 ? void 0 : _b.slice(3));
         const user = (0, perm_1.getCurrentUsername)(ctx);
         events_1.default.emit(logger.name, Object.assign(lodash_1.default.pick(ctx, ['ip', 'method', 'status', 'length']), { user, ts: now, uri: ctx.path }));
         console.debug(ctx.status, ctx.method, ctx.path);

package/src/middlewares.js

@@ -4,7 +4,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.paramsDecoder = exports.prepareState = exports.getProxyDetected = exports.someSecurity = exports.serveGuiAndSharedFiles = exports.sessions = exports.headRequests = exports.gzipper = void 0;
+exports.prepareState = exports.getProxyDetected = exports.someSecurity = exports.serveGuiAndSharedFiles = exports.sessions = exports.headRequests = exports.gzipper = void 0;
 const koa_compress_1 = __importDefault(require("koa-compress"));
 const koa_session_1 = __importDefault(require("koa-session"));
 const const_1 = require("./const");
@@ -23,8 +23,9 @@ const basic_auth_1 = __importDefault(require("basic-auth"));
 const tssrp6a_1 = require("tssrp6a");
 const api_auth_1 = require("./api.auth");
 const path_1 = require("path");
-const fs_1 = require("fs");
 const promises_1 = require("stream/promises");
+const formidable_1 = __importDefault(require("formidable"));
+const upload_1 = require("./upload");
 exports.gzipper = (0, koa_compress_1.default)({
     threshold: 2048,
     gzip: { flush: require('zlib').constants.Z_SYNC_FLUSH },
@@ -75,11 +76,27 @@ const serveGuiAndSharedFiles = async (ctx, next) => {
         const folder = await (0, vfs_1.urlToNode)((0, path_1.dirname)(decPath), ctx, vfs_1.vfs, v => rest = v + '/' + rest);
         if (!folder)
             return ctx.status = const_1.HTTP_NOT_FOUND;
-        return await receiveUpload(folder, rest, ctx.req, ctx);
+        const dest = (0, upload_1.uploadWriter)(folder, rest, ctx);
+        if (dest) {
+            await (0, promises_1.pipeline)(ctx.req, dest);
+            ctx.body = {};
+        }
+        return;
     }
     const node = await (0, vfs_1.urlToNode)(path, ctx);
     if (!node)
         return ctx.status = const_1.HTTP_NOT_FOUND;
+    if (ctx.method === 'POST') { // curl -F upload=@file url/
+        ctx.body = {};
+        const form = (0, formidable_1.default)({
+            maxFileSize: Infinity,
+            //@ts-ignore wrong in the .d.ts file
+            fileWriteStreamHandler: f => (0, upload_1.uploadWriter)(node, f.originalFilename, ctx)
+        });
+        form.parse(ctx.req);
+        await (0, stream_1.once)(form, 'end').catch(() => { });
+        return;
+    }
     const canRead = (0, vfs_1.hasPermission)(node, 'can_read', ctx);
     const isFolder = await (0, vfs_1.nodeIsDirectory)(node);
     if (isFolder && !path.endsWith('/'))
@@ -110,15 +127,6 @@ const serveGuiAndSharedFiles = async (ctx, next) => {
     return serveFrontendFiles(ctx, next);
 };
 exports.serveGuiAndSharedFiles = serveGuiAndSharedFiles;
-async function receiveUpload(base, path, stream, ctx) {
-    if (!base.source || !(0, vfs_1.hasPermission)(base, 'can_upload', ctx))
-        return ctx.status = base.can_upload === false ? const_1.HTTP_FORBIDDEN : const_1.HTTP_UNAUTHORIZED;
-    path = (0, path_1.join)(base.source, path);
-    await (0, misc_1.prepareFolder)(path);
-    const dest = (0, fs_1.createWriteStream)(path);
-    await (0, promises_1.pipeline)(stream, dest);
-    ctx.body = '{}';
-}
 let proxyDetected = false;
 const someSecurity = async (ctx, next) => {
     ctx.request.ip = (0, connections_1.normalizeIp)(ctx.ip);
@@ -128,14 +136,14 @@ const someSecurity = async (ctx, next) => {
         if (const_1.DEV && proxy && [process.env.FRONTEND_PROXY, process.env.ADMIN_PROXY].includes(ctx.get('X-Forwarded-port')))
             proxy = '';
         if ((0, misc_1.dirTraversal)(decodeURI(ctx.path)))
-            return ctx.status = const_1.HTTP_FOOL;
+            return ctx.status = 418;
         if ((0, block_1.applyBlock)(ctx.socket, ctx.ip))
             return;
         proxyDetected || (proxyDetected = proxy > '');
         ctx.state.proxiedFor = proxy;
     }
     catch (_a) {
-        return ctx.status = const_1.HTTP_FOOL;
+        return ctx.status = 418;
     }
     return next();
 };
@@ -171,25 +179,3 @@ async function srpCheck(username, password) {
     const clientRes2 = await clientRes1.step2(BigInt(salt), BigInt(pubKey));
     return await step1.step2(clientRes2.A, clientRes2.M1).then(() => true, () => false);
 }
-// unify get/post parameters, with JSON decoding to not be limited to strings
-const paramsDecoder = async (ctx, next) => {
-    ctx.params = ctx.method === 'POST' ? (0, misc_1.tryJson)(await stream2string(ctx.req))
-        : (0, misc_1.objSameKeys)(ctx.query, x => Array.isArray(x) ? x : (0, misc_1.tryJson)(x));
-    await next();
-};
-exports.paramsDecoder = paramsDecoder;
-async function stream2string(stream) {
-    return new Promise((resolve, reject) => {
-        let data = '';
-        stream.on('data', chunk => data += chunk);
-        stream.on('error', reject);
-        stream.on('end', () => {
-            try {
-                resolve(data);
-            }
-            catch (e) {
-                reject(e);
-            }
-        });
-    });
-}

package/src/misc.js

@@ -18,7 +18,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.tryJson = exports.same = exports.isLocalHost = exports.with_ = exports.typedKeys = exports.objRenameKey = exports.onOff = exports.pendingPromise = exports.onlyTruthy = exports.truthy = exports.pattern2filter = exports.onFirstEvent = exports.onProcessExit = exports.randomId = exports.getOrSet = exports.wantArray = exports.wait = exports.objSameKeys = exports.setHidden = exports.prefix = exports.enforceFinal = exports.debounceAsync = void 0;
+exports.try_ = exports.stream2string = exports.tryJson = exports.same = exports.isLocalHost = exports.with_ = exports.typedKeys = exports.objRenameKey = exports.onOff = exports.pendingPromise = exports.onlyTruthy = exports.truthy = exports.pattern2filter = exports.onFirstEvent = exports.onProcessExit = exports.randomId = exports.getOrSet = exports.wantArray = exports.wait = exports.objSameKeys = exports.setHidden = exports.prefix = exports.enforceFinal = exports.debounceAsync = void 0;
 const path_1 = require("path");
 const lodash_1 = __importDefault(require("lodash"));
 const assert_1 = __importDefault(require("assert"));
@@ -158,3 +158,28 @@ function tryJson(s) {
     catch (_a) { }
 }
 exports.tryJson = tryJson;
+async function stream2string(stream) {
+    return new Promise((resolve, reject) => {
+        let data = '';
+        stream.on('data', chunk => data += chunk);
+        stream.on('error', reject);
+        stream.on('end', () => {
+            try {
+                resolve(data);
+            }
+            catch (e) {
+                reject(e);
+            }
+        });
+    });
+}
+exports.stream2string = stream2string;
+function try_(cb, onException) {
+    try {
+        return cb();
+    }
+    catch (e) {
+        return onException === null || onException === void 0 ? void 0 : onException(e);
+    }
+}
+exports.try_ = try_;

package/src/plugins.js

@@ -92,9 +92,8 @@ function pluginsMiddleware() {
         var _a;
         const after = [];
         // run middleware plugins
-        for (const id in plugins)
+        for (const [id, pl] of Object.entries(plugins))
             try {
-                const pl = plugins[id];
                 const res = await ((_a = pl.middleware) === null || _a === void 0 ? void 0 : _a.call(pl, ctx));
                 if (res === true)
                     ctx.pluginStopped = true;
@@ -225,7 +224,7 @@ async function rescan() {
             try {
                 const alreadyRunning = plugins[id];
                 console.log(alreadyRunning ? "reloading plugin" : "loading plugin", id);
-                const { init, ...data } = await Promise.resolve().then(() => __importStar(require(module)));
+                const { init, ...data } = await import(module);
                 delete data.default;
                 deleteModule(require.resolve(module)); // avoid caching at next import
                 calculateBadApi(data);
@@ -277,8 +276,7 @@ async function rescan() {
             }
         });
     }
-    for (const id in foundDisabled) {
-        const p = foundDisabled[id];
+    for (const [id, p] of Object.entries(foundDisabled)) {
         const a = availablePlugins[id];
         if ((0, misc_1.same)(a, p))
             continue;
@@ -293,9 +291,9 @@ async function rescan() {
             delete availablePlugins[id];
             events_1.default.emit('pluginUninstalled', id);
         }
-    for (const id in plugins)
+    for (const [id, p] of Object.entries(plugins))
         if (!found.includes(id))
-            await plugins[id].unload();
+            await p.unload();
 }
 exports.rescan = rescan;
 function deleteModule(id) {

package/src/serveFile.js

@@ -81,8 +81,10 @@ function getRange(ctx, totalSize) {
         ctx.response.length = totalSize;
         return;
     }
-    const ranges = range.split('=')[1];
-    if (ranges.includes(','))
+    const [unit, ranges] = range.split('=');
+    if (unit !== 'bytes')
+        return ctx.throw(const_1.HTTP_BAD_REQUEST, 'bad range unit');
+    if (ranges === null || ranges === void 0 ? void 0 : ranges.includes(','))
         return ctx.throw(const_1.HTTP_BAD_REQUEST, 'multi-range not supported');
     let bytes = ranges === null || ranges === void 0 ? void 0 : ranges.split('-');
     if (!(bytes === null || bytes === void 0 ? void 0 : bytes.length))