hfs 0.40.1 → 0.41.0

package/{admin/assets/sha512-3a11d514.js → frontend/assets/sha512-09fdf0a5.js}

@@ -1,4 +1,4 @@
-import{c as SF}from"./index-87c2ebd1.js";function OF(iF,hF){for(var eF=0;eF<hF.length;eF++){const tF=hF[eF];if(typeof tF!="string"&&!Array.isArray(tF)){for(const w in tF)if(w!=="default"&&!(w in iF)){const lF=Object.getOwnPropertyDescriptor(tF,w);lF&&Object.defineProperty(iF,w,lF.get?lF:{enumerable:!0,get:()=>tF[w]})}}}return Object.freeze(Object.defineProperty(iF,Symbol.toStringTag,{value:"Module"}))}var EF={},UF={get exports(){return EF},set exports(iF){EF=iF}};/*
+import{c as SF}from"./index-7ceb2f4c.js";function OF(iF,hF){for(var eF=0;eF<hF.length;eF++){const tF=hF[eF];if(typeof tF!="string"&&!Array.isArray(tF)){for(const w in tF)if(w!=="default"&&!(w in iF)){const lF=Object.getOwnPropertyDescriptor(tF,w);lF&&Object.defineProperty(iF,w,lF.get?lF:{enumerable:!0,get:()=>tF[w]})}}}return Object.freeze(Object.defineProperty(iF,Symbol.toStringTag,{value:"Module"}))}var EF={},UF={get exports(){return EF},set exports(iF){EF=iF}};/*
  * [js-sha512]{@link https://github.com/emn178/js-sha512}
  *
  * @version 0.8.0

package/frontend/index.html

@@ -5,8 +5,8 @@
     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1.0, user-scalable=0" />
     <link href="/fontello.css" rel="stylesheet" />
     
-    <script type="module" crossorigin src="/assets/index-9f5a7cc5.js"></script>
-    <link rel="stylesheet" href="/assets/index-ffbcd4c9.css">
+    <script type="module" crossorigin src="/assets/index-7ceb2f4c.js"></script>
+    <link rel="stylesheet" href="/assets/index-25b49014.css">
   </head>
   <body>
     <noscript>You need to enable JavaScript to run this app.</noscript>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hfs",
-  "version": "0.40.1",
+  "version": "0.41.0",
   "description": "HTTP File Server",
   "keywords": [
     "file server",
@@ -77,6 +77,7 @@
     "open": "^8.4.0",
     "tssrp6a": "^3.0.0",
     "unzip-stream": "^0.3.1",
+    "valtio": "^1.10.3",
     "yaml": "^2.0.0-10"
   },
   "devDependencies": {

package/src/api.file_list.js

@@ -17,8 +17,9 @@ const file_list = async ({ path, offset, limit, search, omit, sse }, ctx) => {
     const list = new apiMiddleware_1.SendListReadable();
     if (!node)
         return fail(const_1.HTTP_NOT_FOUND);
-    if (!(0, vfs_1.hasPermission)(node, 'can_read', ctx))
-        return fail((0, vfs_1.cantReadStatusCode)(node));
+    const res = (0, vfs_1.statusCodeForMissingPerm)(node, 'can_list', ctx);
+    if (res)
+        return fail(res);
     if ((0, misc_1.dirTraversal)(search))
         return fail(const_1.HTTP_FOOL);
     if (node.default)
@@ -50,8 +51,7 @@ const file_list = async ({ path, offset, limit, search, omit, sse }, ctx) => {
     function fail(code) {
         if (!sse)
             return new apiMiddleware_1.ApiError(code);
-        list.error(code);
-        list.close();
+        list.error(code, true);
         return list;
     }
     async function* produceEntries() {

package/src/api.lang.js

@@ -13,7 +13,7 @@ const misc_1 = require("./misc");
 const PREFIX = 'hfs-lang-';
 const SUFFIX = '.json';
 const apis = {
-    get_langs() {
+    list_langs() {
         return new apiMiddleware_1.SendListReadable({
             doAtStart: async (list) => {
                 for await (let name of fast_glob_1.default.stream(code2file('*'))) {

package/src/api.vfs.js

@@ -151,21 +151,21 @@ const apis = {
         }
         try {
             path = (0, misc_1.isWindowsDrive)(path) ? path + '\\' : (0, path_1.resolve)(path || '/');
-            for await (const name of (0, misc_1.dirStream)(path)) {
+            for await (const [name, isDir] of (0, misc_1.dirStream)(path)) {
                 if (ctx.req.aborted)
                     return;
                 try {
-                    const stats = await (0, promises_1.stat)((0, path_1.join)(path, name));
-                    if (stats.isFile())
+                    if (!isDir)
                         if (!files || fileMask && !(0, micromatch_1.isMatch)(name, fileMask))
                             continue;
+                    const stats = await (0, promises_1.stat)((0, path_1.join)(path, name));
                     yield {
                         add: {
                             n: name,
                             s: stats.size,
                             c: stats.ctime,
                             m: stats.mtime,
-                            k: stats.isDirectory() ? 'd' : undefined,
+                            k: isDir ? 'd' : undefined,
                         }
                     };
                 }

package/src/const.js

@@ -38,7 +38,7 @@ exports.DEV = process.env.DEV || exports.argv.dev ? 'DEV' : '';
 exports.ORIGINAL_CWD = process.cwd();
 exports.HFS_STARTED = new Date();
 const PKG_PATH = (0, path_1.join)(__dirname, '..', 'package.json');
-exports.BUILD_TIMESTAMP = "2023-03-14T17:37:51.823Z";
+exports.BUILD_TIMESTAMP = "2023-03-18T22:44:28.592Z";
 const pkg = JSON.parse(fs.readFileSync(PKG_PATH, 'utf8'));
 exports.VERSION = pkg.version;
 exports.DAY = 86400000;

package/src/frontEndApis.js

@@ -89,23 +89,25 @@ exports.frontEndApis = {
     },
     async load_lang({ lang, embedded }) {
         const ret = {};
-        const langs = (0, misc_1.wantArray)(lang);
-        for (let k of langs) {
-            k = k.toLowerCase();
-            if (k === embedded)
+        const langs = (0, misc_1.wantArray)(lang).map(x => x.toLowerCase());
+        let i = 0;
+        while (i < langs.length) {
+            let x = langs[i];
+            if (x === embedded)
                 break;
             try {
-                ret[k] = JSON.parse(await (0, promises_1.readFile)(`hfs-lang-${k}.json`, 'utf8'));
+                ret[x] = JSON.parse(await (0, promises_1.readFile)(`hfs-lang-${x}.json`, 'utf8'));
             }
             catch (_a) {
-                while (1) {
-                    k = k.substring(0, k.lastIndexOf('-'));
-                    if (!k)
-                        break;
-                    if (!langs.includes(k))
-                        langs.push(k);
+                do {
+                    x = x.substring(0, x.lastIndexOf('-'));
+                } while (x && langs.includes(x));
+                if (x) {
+                    langs[i] = x; // overwrite and retry
+                    continue;
                 }
             }
+            i++;
         }
         return ret;
     }

package/src/middlewares.js

@@ -98,7 +98,9 @@ const serveGuiAndSharedFiles = async (ctx, next) => {
     }
     if (ctx.originalUrl === '/favicon.ico' && adminApis_1.favicon.get()) // originalUrl to not be subject to changes (vhosting plugin)
         return (0, serveFile_1.serveFile)(ctx, adminApis_1.favicon.get());
-    const node = await (0, vfs_1.urlToNode)(path, ctx);
+    let node = await (0, vfs_1.urlToNode)(path, ctx);
+    if ((node === null || node === void 0 ? void 0 : node.default) && (path.endsWith('/') || !node.default.match(/\.html?$/i))) // final/ needed on browser to make resource urls correctly
+        node = await (0, vfs_1.urlToNode)(node.default, ctx, node);
     if (!node)
         return ctx.status = const_1.HTTP_NOT_FOUND;
     if (ctx.method === 'POST') { // curl -F upload=@file url/
@@ -112,15 +114,13 @@ const serveGuiAndSharedFiles = async (ctx, next) => {
         await (0, stream_1.once)(form, 'end').catch(() => { });
         return;
     }
-    const canRead = (0, vfs_1.hasPermission)(node, 'can_read', ctx);
-    const isFolder = await (0, vfs_1.nodeIsDirectory)(node);
-    if (isFolder && !path.endsWith('/'))
-        return ctx.redirect(ctx.state.revProxyPath + ctx.originalUrl + '/');
-    if (canRead && !isFolder)
-        return node.source ? (0, serveFile_1.serveFileNode)(ctx, node)
-            : next();
-    if (!canRead) {
-        ctx.status = (0, vfs_1.cantReadStatusCode)(node);
+    if (!await (0, vfs_1.nodeIsDirectory)(node))
+        return !node.source && await next()
+            || (0, vfs_1.statusCodeForMissingPerm)(node, 'can_read', ctx)
+            || (0, serveFile_1.serveFileNode)(ctx, node);
+    if (!path.endsWith('/'))
+        return ctx.redirect(ctx.state.revProxyPath + ctx.originalUrl.replace(/(\?|$)/, '/$1')); // keep query-string, if any
+    if ((0, vfs_1.statusCodeForMissingPerm)(node, 'can_list', ctx)) {
         if (ctx.status === const_1.HTTP_FORBIDDEN)
             return;
         const browserDetected = ctx.get('Upgrade-Insecure-Requests') || ctx.get('Sec-Fetch-Mode'); // ugh, heuristics
@@ -130,16 +130,8 @@ const serveGuiAndSharedFiles = async (ctx, next) => {
         return serveFrontendFiles(ctx, next);
     }
     ctx.set({ server: 'HFS ' + const_1.BUILD_TIMESTAMP });
-    const { get } = ctx.query;
-    if (get === 'zip')
-        return await (0, zip_1.zipStreamFromFolder)(node, ctx);
-    if (node.default) {
-        const def = await (0, vfs_1.urlToNode)(path + node.default, ctx);
-        return !def ? next()
-            : (0, vfs_1.hasPermission)(def, 'can_read', ctx) ? (0, serveFile_1.serveFileNode)(ctx, def)
-                : ctx.status = (0, vfs_1.cantReadStatusCode)(def);
-    }
-    return serveFrontendFiles(ctx, next);
+    return ctx.query.get === 'zip' ? (0, zip_1.zipStreamFromFolder)(node, ctx)
+        : serveFrontendFiles(ctx, next);
 };
 exports.serveGuiAndSharedFiles = serveGuiAndSharedFiles;
 let proxyDetected = false;

package/src/misc.js

@@ -47,17 +47,21 @@ function setHidden(dest, src) {
     })));
 }
 exports.setHidden = setHidden;
-function newObj(src, newValue) {
+function newObj(src, returnNewValue, recur = false) {
     if (!src)
         return {};
     const pairs = Object.entries(src).map(([k, v]) => {
         if (typeof k === 'symbol')
             return;
         let _k = k;
-        const newV = newValue(v, k, (newK) => {
+        const curDepth = typeof recur === 'number' ? recur : 0;
+        let newV = returnNewValue(v, k, (newK) => {
             _k = newK;
             return true; // for convenient expression concatenation
-        });
+        }, curDepth);
+        if ((recur !== false || returnNewValue.length === 4) // if callback is using depth parameter, then it wants recursion
+            && lodash_1.default.isPlainObject(newV)) // is it recurrable?
+            newV = newObj(newV, returnNewValue, curDepth + 1);
         return _k !== undefined && [_k, newV];
     });
     return Object.fromEntries(onlyTruthy(pairs));

package/src/serveFile.js

@@ -41,7 +41,7 @@ async function serveFile(ctx, source, mime, content) {
     if (!source)
         return;
     const fn = path_1.default.basename(source);
-    if (ctx.params.dl !== undefined) // please, download
+    if ('dl' in ctx.params) // please, download
         ctx.attachment(fn);
     mime = mime !== null && mime !== void 0 ? mime : lodash_1.default.find(mimeCfg.get(), (v, k) => k > '' && (0, micromatch_1.isMatch)(fn, k)); // isMatch throws on an empty string
     if (mime === vfs_1.MIME_AUTO)

package/src/serveGuiFiles.js

@@ -46,7 +46,7 @@ function serveStatic(uri) {
     const folder = uri.slice(2, -1); // we know folder is very similar to uri
     let cache = {};
     (0, valtio_1.subscribe)(customHtml_1.customHtmlState, () => cache = {}); // reset cache at every change
-    return async (ctx, next) => {
+    return async (ctx) => {
         if (ctx.method === 'OPTIONS') {
             ctx.status = const_1.HTTP_NO_CONTENT;
             ctx.set({ Allow: 'OPTIONS, GET' });

package/src/upload.js

@@ -20,8 +20,9 @@ exports.minAvailableMb = (0, config_1.defineConfig)('min_available_mb', 100);
 const dontOverwriteUploading = (0, config_1.defineConfig)('dont_overwrite_uploading', false);
 const waitingToBeDeleted = {};
 function uploadWriter(base, path, ctx) {
-    if (!(0, vfs_1.hasPermission)(base, 'can_upload', ctx))
-        return fail(base.can_upload === false ? const_1.HTTP_FORBIDDEN : const_1.HTTP_UNAUTHORIZED);
+    const res = (0, vfs_1.statusCodeForMissingPerm)(base, 'can_upload', ctx);
+    if (res)
+        return fail(res);
     const fullPath = (0, path_1.join)(base.source, path);
     const dir = (0, path_1.dirname)(fullPath);
     const min = exports.minAvailableMb.get() * (1 << 20);

package/src/util-files.js

@@ -106,18 +106,20 @@ async function* dirStream(path, deep) {
     const skip = await getItemsToSkip(path);
     for await (const entry of dirStream) {
         let { path, dirent } = entry;
-        if (!dirent.isDirectory() && !dirent.isFile())
+        const isDir = dirent.isDirectory();
+        if (!isDir && !dirent.isFile())
             continue;
         path = String(path);
         if (!(skip === null || skip === void 0 ? void 0 : skip.includes(path)))
-            yield path;
+            yield [path, isDir];
     }
     async function getItemsToSkip(path) {
         if (!const_1.IS_WINDOWS)
             return;
-        const out = await (0, util_os_1.runCmd)('dir', ['/ah', '/b', path.replace(/\//g, '\\')])
+        const winPath = path.replace(/\//g, '\\');
+        const out = await (0, util_os_1.runCmd)('dir', ['/ah', '/b', deep ? '/s' : '', winPath])
             .catch(() => ''); // error in case of no matching file
-        return out.split('\r\n').slice(0, -1);
+        return out.split('\r\n').slice(0, -1).map(x => !deep ? x : x.slice(winPath.length + 1).replace(/\\/g, '/'));
     }
 }
 exports.dirStream = dirStream;

package/src/vfs.js

@@ -4,7 +4,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.cantReadStatusCode = exports.walkNode = exports.hasPermission = exports.nodeIsDirectory = exports.getNodeName = exports.saveVfs = exports.vfs = exports.urlToNode = exports.isSameFilenameAs = exports.MIME_AUTO = exports.defaultPerms = void 0;
+exports.walkNode = exports.statusCodeForMissingPerm = exports.hasPermission = exports.nodeIsDirectory = exports.getNodeName = exports.saveVfs = exports.vfs = exports.urlToNode = exports.isSameFilenameAs = exports.MIME_AUTO = exports.defaultPerms = void 0;
 const promises_1 = __importDefault(require("fs/promises"));
 const path_1 = require("path");
 const micromatch_1 = require("micromatch");
@@ -20,6 +20,7 @@ const WHO_ANY_ACCOUNT = '*';
 exports.defaultPerms = {
     can_see: WHO_ANYONE,
     can_read: WHO_ANYONE,
+    can_list: WHO_ANYONE,
     can_upload: WHO_NO_ONE,
     can_delete: WHO_NO_ONE,
 };
@@ -129,53 +130,91 @@ function hasPermission(node, perm, ctx) {
         && matchWho((_a = node[perm]) !== null && _a !== void 0 ? _a : exports.defaultPerms[perm], ctx);
 }
 exports.hasPermission = hasPermission;
-async function* walkNode(parent, ctx, depth = 0, prefixPath = '') {
+function statusCodeForMissingPerm(node, perm, ctx) {
+    if (hasPermission(node, perm, ctx))
+        return false;
+    return ctx.status = node[perm] === false ? const_1.HTTP_FORBIDDEN : const_1.HTTP_UNAUTHORIZED;
+}
+exports.statusCodeForMissingPerm = statusCodeForMissingPerm;
+// it's responsibility of the caller to verify you have list permission on parent, as callers have different needs.
+// Too many parameters: consider object, but benchmark against degraded recursion on huge folders.
+async function* walkNode(parent, ctx, depth = 0, prefixPath = '', requiredPerm) {
     var _a;
+    if (requiredPerm && ctx
+        && !hasPermission(parent, requiredPerm, ctx)
+        && !masksCouldGivePermission(parent.masks))
+        return; // no permission, no reason to continue
     const { children, source } = parent;
     const took = prefixPath ? undefined : new Set();
     if (children)
         for (const child of children) {
-            const name = prefixPath + getNodeName(child);
+            const nodeName = getNodeName(child);
+            const name = prefixPath + nodeName;
             took === null || took === void 0 ? void 0 : took.add(name);
-            yield* workItem({
-                ...child,
-                name,
-            }, depth > 0 && await nodeIsDirectory(child).catch(() => false));
+            const item = { ...child, name };
+            if (!canSee(item))
+                continue;
+            yield item;
+            if (!depth || !await nodeIsDirectory(child).catch(() => false))
+                continue;
+            inheritMasks(item, parent, nodeName);
+            if (!ctx || hasPermission(item, 'can_list', ctx)) // check perm before recursion
+                yield* walkNode(item, ctx, depth - 1, name + '/');
         }
     if (!source)
         return;
     try {
-        for await (const path of (0, misc_1.dirStream)(source, depth)) {
+        let lastDir = prefixPath.slice(0, -1) || '.';
+        const map = new Map();
+        map.set(lastDir, parent);
+        // it's important to keep using dirStream in deep-mode, as it is manyfold faster (it parallelizes)
+        for await (const [path, isDir] of (0, misc_1.dirStream)(source, depth)) {
             if (ctx === null || ctx === void 0 ? void 0 : ctx.req.aborted)
                 return;
             const name = prefixPath + (((_a = parent.rename) === null || _a === void 0 ? void 0 : _a[path]) || path);
             if (took === null || took === void 0 ? void 0 : took.has(name))
                 continue;
-            yield* workItem({
+            if (depth) {
+                const dir = (0, path_1.dirname)(name);
+                if (dir !== lastDir)
+                    parent = map.get(lastDir = dir);
+            }
+            const item = {
                 name,
                 source: (0, path_1.join)(source, path),
                 rename: renameUnderPath(parent.rename, path),
-            });
+            };
+            if (!canSee(item))
+                continue;
+            if (isDir)
+                map.set(name, item);
+            yield item;
         }
     }
     catch (e) {
         console.debug('glob', source, e); // ENOTDIR, or lacking permissions
     }
     // item will be changed, so be sure to pass a temp node
-    async function* workItem(item, recur = false) {
-        const name = getNodeName(item);
+    function canSee(item) {
         // we basename for depth>0 where we already have the rest of the path in the parent's url, and would be duplicated
-        const virtualBasename = (0, path_1.basename)(name);
-        item.isTemp = true;
-        applyMasks(item, parent, virtualBasename);
+        applyMasks(item, parent, (0, path_1.basename)(getNodeName(item)));
         inheritFromParent(parent, item);
         if (ctx && !hasPermission(item, 'can_see', ctx))
             return;
-        yield item;
-        if (!recur)
-            return;
-        inheritMasks(item, parent, virtualBasename);
-        yield* walkNode(item, ctx, depth - 1, name + '/');
+        item.isTemp = true;
+        return item;
+    }
+    function masksCouldGivePermission(masks) {
+        if (!masks)
+            return false;
+        for (const [, props] of Object.entries(masks)) {
+            const v = props[requiredPerm];
+            if (v && (!ctx || matchWho(v, ctx))) // without ctx we can't say, so it could
+                return true;
+            if (masksCouldGivePermission(props.masks))
+                return true;
+        }
+        return false;
     }
 }
 exports.walkNode = walkNode;
@@ -212,13 +251,9 @@ function renameUnderPath(rename, path) {
 function matchWho(who, ctx) {
     return who === WHO_ANYONE
         || who === WHO_ANY_ACCOUNT && Boolean(ctx.state.account)
-        || Array.isArray(who) && (() => // check if I or any ancestor match `who`, but cache ancestors' usernames inside context state
-         (0, misc_1.getOrSet)(ctx.state, 'usernames', () => (0, perm_1.getCurrentUsernameExpanded)(ctx)).some((u) => who.includes(u)))();
-}
-function cantReadStatusCode(node) {
-    return node.can_read === false ? const_1.HTTP_FORBIDDEN : const_1.HTTP_UNAUTHORIZED;
+        || Array.isArray(who) // check if I or any ancestor match `who`, but cache ancestors' usernames inside context state
+            && (0, misc_1.getOrSet)(ctx.state, 'usernames', () => (0, perm_1.getCurrentUsernameExpanded)(ctx)).some((u) => who.includes(u));
 }
-exports.cantReadStatusCode = cantReadStatusCode;
 events_1.default.on('accountRenamed', (from, to) => {
     recur(exports.vfs);
     saveVfs();

package/src/zip.js

@@ -14,6 +14,7 @@ const config_1 = require("./config");
 const path_1 = require("path");
 const serveFile_1 = require("./serveFile");
 const const_1 = require("./const");
+// expects 'node' to have had permissions checked by caller
 async function zipStreamFromFolder(node, ctx) {
     var _a;
     ctx.status = const_1.HTTP_OK;
@@ -23,14 +24,15 @@ async function zipStreamFromFolder(node, ctx) {
     const name = (list === null || list === void 0 ? void 0 : list.length) === 1 ? (0, path_1.basename)(list[0]) : (0, vfs_1.getNodeName)(node);
     ctx.attachment(((0, misc_1.isWindowsDrive)(name) ? name[0] : (name || 'archive')) + '.zip');
     const filter = (0, misc_1.pattern2filter)(String(ctx.query.search || ''));
-    const walker = !list ? (0, vfs_1.walkNode)(node, ctx, Infinity)
+    const walker = !list ? (0, vfs_1.walkNode)(node, ctx, Infinity, '', 'can_read')
         : (async function* () {
             for await (const el of list) {
                 const subNode = await (0, vfs_1.urlToNode)(el, ctx, node);
-                if (!subNode || !(0, vfs_1.hasPermission)(subNode, 'can_read', ctx))
+                if (!subNode)
                     continue;
                 if (await (0, vfs_1.nodeIsDirectory)(subNode)) { // a directory needs to walked
-                    yield* (0, vfs_1.walkNode)(subNode, ctx, Infinity, el + '/');
+                    if ((0, vfs_1.hasPermission)(subNode, 'can_list', ctx))
+                        yield* (0, vfs_1.walkNode)(subNode, ctx, Infinity, el + '/', 'can_read');
                     continue;
                 }
                 let folder = (0, path_1.dirname)(el);
@@ -39,6 +41,8 @@ async function zipStreamFromFolder(node, ctx) {
             }
         })();
     const mappedWalker = (0, misc_1.filterMapGenerator)(walker, async (el) => {
+        if (!(0, vfs_1.hasPermission)(el, 'can_read', ctx))
+            return; // the fact you see it doesn't mean you can read it
         const { source } = el;
         const name = (0, vfs_1.getNodeName)(el);
         if (!source || ctx.req.aborted || !filter(name))