hfs 0.47.2 → 0.48.0-alpha1

package/{admin/assets/sha512-0935647a.js → frontend/assets/sha512-549e6c3a.js}

@@ -1,4 +1,4 @@
-import{g as OF,c as UF}from"./index-ca5ac85e.js";function gF(sF,hF){for(var eF=0;eF<hF.length;eF++){const tF=hF[eF];if(typeof tF!="string"&&!Array.isArray(tF)){for(const w in tF)if(w!=="default"&&!(w in sF)){const lF=Object.getOwnPropertyDescriptor(tF,w);lF&&Object.defineProperty(sF,w,lF.get?lF:{enumerable:!0,get:()=>tF[w]})}}}return Object.freeze(Object.defineProperty(sF,Symbol.toStringTag,{value:"Module"}))}var dF={exports:{}};/*
+import{g as OF,c as UF}from"./index-12411ff6.js";function gF(sF,hF){for(var eF=0;eF<hF.length;eF++){const tF=hF[eF];if(typeof tF!="string"&&!Array.isArray(tF)){for(const w in tF)if(w!=="default"&&!(w in sF)){const lF=Object.getOwnPropertyDescriptor(tF,w);lF&&Object.defineProperty(sF,w,lF.get?lF:{enumerable:!0,get:()=>tF[w]})}}}return Object.freeze(Object.defineProperty(sF,Symbol.toStringTag,{value:"Module"}))}var dF={exports:{}};/*
  * [js-sha512]{@link https://github.com/emn178/js-sha512}
  *
  * @version 0.8.0

package/frontend/index.html

@@ -5,8 +5,8 @@
     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1.0, user-scalable=0" />
     <link href="/fontello.css" rel="stylesheet" />
     
-    <script type="module" crossorigin src="/assets/index-7eec0199.js"></script>
-    <link rel="stylesheet" href="/assets/index-0ea37f5f.css">
+    <script type="module" crossorigin src="/assets/index-12411ff6.js"></script>
+    <link rel="stylesheet" href="/assets/index-05dfd82f.css">
   </head>
   <body>
     <noscript>You need to enable JavaScript to run this app.</noscript>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hfs",
-  "version": "0.47.2",
+  "version": "0.48.0-alpha1",
   "description": "HTTP File Server",
   "keywords": [
     "file server",
@@ -9,7 +9,12 @@
   "homepage": "https://rejetto.com/hfs",
   "license": "GPL-3.0",
   "author": "Massimo Melina <a@rejetto.com>",
-  "workspaces": [ "admin", "frontend", "shared", "mui-grid-form" ],
+  "workspaces": [
+    "admin",
+    "frontend",
+    "shared",
+    "mui-grid-form"
+  ],
   "scripts": {
     "watch-server": "cross-env DEV=1 nodemon --ignore tests/ --watch src -e ts,tsx --exec ts-node src",
     "watch-server-proxied": "cross-env FRONTEND_PROXY=3005 ADMIN_PROXY=3006 npm run watch-server",
@@ -25,10 +30,10 @@
     "pub": "cd dist && npm publish",
     "dist": "npm run build-all && npm run dist-bin",
     "dist-bin": "npm run dist-modules && cd dist && pkg . --public -C gzip && mv -f hfs-win-x64.exe hfs.exe && zip hfs-windows.zip hfs.exe -r plugins && cp -f hfs-linux-x64 hfs && zip hfs-linux.zip hfs -r plugins && cp -f hfs-macos-x64 hfs && zip hfs-mac.zip hfs -r plugins && cp -f hfs-macos-arm64 hfs && zip hfs-mac-arm.zip hfs -r plugins && rm hfs",
-    "dist-modules": "cp package*.json dist && cd dist && npm ci --omit=dev && npm run dist-crclib && rm package-lock.json && cd .. && node prune_modules",
+    "dist-modules": "cp package*.json central.json dist && cd dist && npm ci --omit=dev && npm run dist-crclib && rm package-lock.json && cd .. && node prune_modules",
     "dist-crclib": "npm i -f --no-save --omit=dev @node-rs/crc32-win32-x64-msvc @node-rs/crc32-darwin-arm64 @node-rs/crc32-darwin-x64 @node-rs/crc32-linux-x64-gnu",
-    "dist-win": "cp package*.json dist && cd dist && npm ci --omit=dev && npm i -f --no-save --omit=dev @node-rs/crc32-win32 && pkg . --public -C gzip -t node16-win-x64",
-    "dist-mac": "cp package*.json dist && cd dist && npm ci --omit=dev && pkg . --public -C gzip -t node16-macos-arm64",
+    "dist-win": "npm run dist-modules && cd dist && pkg . --public -C gzip -t node16-win-x64",
+    "dist-mac": "npm run dist-modules && cd dist && pkg . --public -C gzip -t node16-macos-arm64",
     "dist-node": "npm run dist-modules && cd dist && zip hfs-node.zip -r * -x *.zip *.exe hfs-* *.log logs"
   },
   "engines": {
@@ -49,14 +54,15 @@
   },
   "pkg": {
     "assets": [
+      "central.json",
       "admin/**/*",
       "frontend/**/*"
     ],
     "targets": [
-      "node16-win-x64",
-      "node16-mac-x64",
-      "node16-mac-arm64",
-      "node16-linux-x64"
+      "node18-win-x64",
+      "node18-mac-x64",
+      "node18-mac-arm64",
+      "node18-linux-x64"
     ]
   },
   "dependencies": {
@@ -64,10 +70,9 @@
     "@node-rs/crc32": "^1.6.0",
     "basic-auth": "^2.0.1",
     "buffer-crc32": "^0.2.13",
-    "cidr-tools": "^4.3.0",
     "fast-glob": "^3.2.7",
     "find-process": "^1.4.7",
-    "formidable": "^2.1.1",
+    "formidable": "^3.5.1",
     "fs-x-attributes": "^1.0.2",
     "koa": "^2.13.4",
     "koa-compress": "^5.1.0",
@@ -76,6 +81,8 @@
     "limiter": "^2.1.0",
     "lodash": "^4.17.21",
     "minimist": "^1.2.6",
+    "nat-upnp": "github:kaden-sharpin/node-nat-upnp",
+    "node-html-parser": "^6.1.5",
     "open": "^8.4.0",
     "tssrp6a": "^3.0.0",
     "unzip-stream": "^0.3.1",
@@ -85,7 +92,7 @@
   "devDependencies": {
     "@types/archiver": "^5.1.1",
     "@types/basic-auth": "^1.1.3",
-    "@types/formidable": "^2.0.5",
+    "@types/formidable": "^3.4.1",
     "@types/koa": "^2.13.4",
     "@types/koa__router": "^8.0.11",
     "@types/koa-compress": "^4.0.3",
@@ -96,7 +103,7 @@
     "@types/mime-types": "^2.1.1",
     "@types/minimist": "^1.2.2",
     "@types/mocha": "^9.0.0",
-    "@types/node": "^16.11.12",
+    "@types/node": "^18.17.14",
     "@types/tough-cookie": "^4.0.2",
     "@types/unzipper": "^0.10.5",
     "axios": "^0.24.0",

package/plugins/vhosting/plugin.js

@@ -1,5 +1,5 @@
 exports.description = "If you want to have different home folders, based on domain"
-exports.version = 3.12
+exports.version = 3.2
 exports.apiRequired = 2 // 2 is for the config 'array'
 
 exports.config = {
@@ -27,12 +27,11 @@ exports.init = api => {
         middleware(ctx) {
             let params // undefined if we are not going to work on api parameters
             if (ctx.path.startsWith(api.const.SPECIAL_URI)) { // special uris should be excluded...
-                // ...unless it's a frontend api with a path param
-                if (!ctx.path.startsWith(api.const.API_URI)) return
+                if (!ctx.path.startsWith(api.const.API_URI)) return // ...unless it's an api
                 let { referer } = ctx.headers
                 referer &&= new URL(referer).pathname
                 if (referer?.startsWith(ctx.state.revProxyPath + api.const.ADMIN_URI)) return // exclude apis for admin-panel
-                params = ctx.params
+                params = ctx.params || ctx.query // for api we'll translate params
             }
 
             const hosts = api.getConfig('hosts')
@@ -46,17 +45,18 @@ exports.init = api => {
                 return
             }
             let { root='' } = row
-            if (root.endsWith('/'))
-                root = root.slice(0, -1)
-            if (root && root[0] !== '/') // normalize
-                root = '/' + root
-            if (!root) return
-            if (!params)
-                ctx.path = root + ctx.path
-            else
-                for (const [k,v] of Object.entries(params))
-                    if (k.startsWith('uri'))
-                        params[k] = Array.isArray(v) ? v.map(x => root + x) : root + v
+            if (!root || root === '/') return
+            if (params === undefined) {
+                ctx.path = join(root, ctx.path)
+                return
+            }
+            for (const [k,v] of Object.entries(params))
+                if (k.startsWith('uri'))
+                    params[k] = Array.isArray(v) ? v.map(x => join(root, x)) : join(root, v)
         }
     }
 }
+
+function join(a, b) {
+    return a + (b && b[0] !== '/' ? '/' : '') + b
+}

package/src/adminApis.js

@@ -37,6 +37,7 @@ const api_accounts_1 = __importDefault(require("./api.accounts"));
 const api_plugins_1 = __importDefault(require("./api.plugins"));
 const api_monitor_1 = __importDefault(require("./api.monitor"));
 const api_lang_1 = __importDefault(require("./api.lang"));
+const api_net_1 = __importDefault(require("./api.net"));
 const connections_1 = require("./connections");
 const misc_1 = require("./misc");
 const events_1 = __importDefault(require("./events"));
@@ -58,6 +59,7 @@ exports.adminApis = {
     ...api_plugins_1.default,
     ...api_monitor_1.default,
     ...api_lang_1.default,
+    ...api_net_1.default,
     async set_config({ values: v }) {
         var _a;
         if (v) {
@@ -104,7 +106,7 @@ exports.adminApis = {
             apiVersion: const_1.API_VERSION,
             compatibleApiVersion: const_1.COMPATIBLE_API_VERSION,
             ...await (0, listen_1.getServerStatus)(),
-            urls: (0, listen_1.getUrls)(),
+            urls: await (0, listen_1.getUrls)(),
             baseUrl: middlewares_1.baseUrl.get(),
             updatePossible: !(0, update_1.updateSupported)() ? false : await (0, update_1.localUpdateAvailable)() ? 'local' : true,
             proxyDetected: (0, middlewares_1.getProxyDetected)(),
@@ -185,7 +187,7 @@ for (const [k, was] of Object.entries(exports.adminApis))
             return new apiMiddleware_1.ApiError(const_1.HTTP_FORBIDDEN);
         if (ctxAdminAccess(ctx))
             return was(params, ctx);
-        const props = { any: anyAccountCanLoginAdmin() };
+        const props = { possible: anyAccountCanLoginAdmin() };
         return ctx.headers.accept === 'text/event-stream'
             ? new apiMiddleware_1.SendListReadable({ doAtStart: x => x.error(const_1.HTTP_UNAUTHORIZED, true, props) })
             : new apiMiddleware_1.ApiError(const_1.HTTP_UNAUTHORIZED, props);

package/src/api.auth.js

@@ -7,7 +7,6 @@ const crypt_1 = require("./crypt");
 const apiMiddleware_1 = require("./apiMiddleware");
 const tssrp6a_1 = require("tssrp6a");
 const const_1 = require("./const");
-const misc_1 = require("./misc");
 const api_helpers_1 = require("./api.helpers");
 const adminApis_1 = require("./adminApis");
 const middlewares_1 = require("./middlewares");
@@ -22,12 +21,10 @@ async function loggedIn(ctx, username) {
         return ctx.throw(const_1.HTTP_SERVER_ERROR, 'session');
     if (username === false) {
         delete s.username;
-        ctx.cookies.set('csrf', '');
         return;
     }
     s.username = (0, perm_1.normalizeUsername)(username);
     await (0, middlewares_1.prepareState)(ctx, async () => { }); // updating the state is necessary to send complete session data so that frontend shows admin button
-    ctx.cookies.set('csrf', (0, misc_1.randomId)(), { signed: false, httpOnly: false });
 }
 function makeExp() {
     return !keepSessionAlive.get() ? undefined

package/src/api.file_list.js

@@ -4,7 +4,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.file_list = void 0;
+exports.get_file_list = void 0;
 const vfs_1 = require("./vfs");
 const apiMiddleware_1 = require("./apiMiddleware");
 const promises_1 = require("fs/promises");
@@ -12,9 +12,10 @@ const plugins_1 = require("./plugins");
 const misc_1 = require("./misc");
 const lodash_1 = __importDefault(require("lodash"));
 const const_1 = require("./const");
-const file_list = async ({ uri, offset, limit, search, c, sse }, ctx) => {
+const get_file_list = async ({ uri, offset, limit, search, c }, ctx) => {
+    var _a;
     const node = await (0, vfs_1.urlToNode)(uri || '/', ctx);
-    const list = new apiMiddleware_1.SendListReadable();
+    const list = ctx.get('accept') === 'text/event-stream' ? new apiMiddleware_1.SendListReadable() : undefined;
     if (!node)
         return fail(const_1.HTTP_NOT_FOUND);
     if ((0, vfs_1.statusCodeForMissingPerm)(node, 'can_list', ctx))
@@ -22,7 +23,7 @@ const file_list = async ({ uri, offset, limit, search, c, sse }, ctx) => {
     if ((0, misc_1.dirTraversal)(search))
         return fail(const_1.HTTP_FOOL);
     if (node.default)
-        return (sse ? list.custom : lodash_1.default.identity)({
+        return ((_a = list === null || list === void 0 ? void 0 : list.custom) !== null && _a !== void 0 ? _a : lodash_1.default.identity)({
             redirect: uri // tell the browser to access the folder (instead of using this api), so it will get the default file
         });
     if (!await (0, vfs_1.nodeIsDirectory)(node))
@@ -35,7 +36,7 @@ const file_list = async ({ uri, offset, limit, search, c, sse }, ctx) => {
     const can_upload = (0, vfs_1.hasPermission)(node, 'can_upload', ctx);
     const can_delete = (0, vfs_1.hasPermission)(node, 'can_delete', ctx);
     const props = { can_upload, can_delete, accept: node.accept };
-    if (!sse)
+    if (!list)
         return { ...props, list: await (0, misc_1.asyncGeneratorToArray)(produceEntries()) };
     setTimeout(async () => {
         if (can_upload || can_delete)
@@ -46,7 +47,7 @@ const file_list = async ({ uri, offset, limit, search, c, sse }, ctx) => {
     });
     return list;
     function fail(code = ctx.status) {
-        if (!sse)
+        if (!list)
             return new apiMiddleware_1.ApiError(code);
         list.error(code, true);
         return list;
@@ -84,7 +85,7 @@ const file_list = async ({ uri, offset, limit, search, c, sse }, ctx) => {
         }
     }
 };
-exports.file_list = file_list;
+exports.get_file_list = get_file_list;
 async function nodeToDirEntry(ctx, node) {
     let { source, default: def } = node;
     const name = (0, vfs_1.getNodeName)(node);

package/src/api.lang.js

@@ -13,7 +13,7 @@ const misc_1 = require("./misc");
 const lang_1 = require("./lang");
 const embedded_1 = __importDefault(require("./langs/embedded"));
 const apis = {
-    list_langs() {
+    get_langs() {
         return new apiMiddleware_1.SendListReadable({
             doAtStart: async (list) => {
                 for await (let name of fast_glob_1.default.stream((0, lang_1.code2file)('*'))) {

package/src/api.net.js

@@ -0,0 +1,133 @@
+"use strict";
+// This file is part of HFS - Copyright 2021-2023, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.externalIp = void 0;
+const apiMiddleware_1 = require("./apiMiddleware");
+const nat_upnp_1 = require("nat-upnp");
+const const_1 = require("./const");
+const axios_1 = __importDefault(require("axios"));
+const node_html_parser_1 = require("node-html-parser");
+const lodash_1 = __importDefault(require("lodash"));
+const listen_1 = require("./listen");
+const github_1 = require("./github");
+const util_http_1 = require("./util-http");
+const child_process_1 = require("child_process");
+const misc_1 = require("./misc");
+const client = new nat_upnp_1.Client({ timeout: 5000 });
+const original = client.getGateway;
+// other client methods call getGateway too, so this will ensure they reuse this same result
+client.getGateway = function getGatewayCaching() {
+    const promise = original.apply(client);
+    client.getGateway = () => promise; // multiple callings = same job
+    promise.then(() => console.debug('caching gateway'), // store in cache only if successful.
+    () => client.getGateway = getGatewayCaching); // failed, try again
+    return promise;
+};
+client.getGateway();
+exports.externalIp = Promise.resolve(''); // poll external ip
+(0, misc_1.repeat)(10 * misc_1.MINUTE, () => exports.externalIp = client.getPublicIp().catch(() => exports.externalIp));
+const getNatInfo = (0, misc_1.debounceAsync)(async () => {
+    var _a, _b;
+    const gettingIp = getPublicIp(); // don't wait, do it in parallel
+    const res = await client.getGateway().catch(() => null);
+    const status = await (0, listen_1.getServerStatus)();
+    const mappings = res && await client.getMappings().catch(() => null);
+    console.debug('mappings found', mappings);
+    const gatewayIp = res ? new URL(res.gateway.description).hostname : await findGateway().catch(() => null);
+    const localIp = (res === null || res === void 0 ? void 0 : res.address) || (await (0, listen_1.getIps)())[0];
+    const internalPort = ((_a = status === null || status === void 0 ? void 0 : status.https) === null || _a === void 0 ? void 0 : _a.listening) && status.https.port || ((_b = status === null || status === void 0 ? void 0 : status.http) === null || _b === void 0 ? void 0 : _b.listening) && status.http.port;
+    const mapped = lodash_1.default.find(mappings, x => x.private.host === localIp && x.private.port === internalPort || x.description === 'hfs');
+    console.debug('responding');
+    return {
+        upnp: Boolean(res),
+        localIp,
+        gatewayIp,
+        publicIp: await gettingIp || await exports.externalIp,
+        externalIp: await exports.externalIp,
+        mapped,
+        internalPort,
+        externalPort: mapped === null || mapped === void 0 ? void 0 : mapped.public.port,
+    };
+});
+async function getPublicIp() {
+    const prjInfo = await (0, github_1.getProjectInfo)();
+    for (const urls of lodash_1.default.chunk(lodash_1.default.shuffle(prjInfo.publicIpServices), 2)) // small parallelization
+        try {
+            return await Promise.any(urls.map(url => (0, util_http_1.httpString)(url).then(res => {
+                var _a;
+                const ip = (_a = res.body) === null || _a === void 0 ? void 0 : _a.trim();
+                if (!/[.:0-9a-fA-F]/.test(ip))
+                    throw Error("bad result: " + ip);
+                return ip;
+            })));
+        }
+        catch (e) {
+            console.debug(String(e));
+        }
+}
+function findGateway() {
+    return new Promise((resolve, reject) => (0, child_process_1.exec)(const_1.IS_WINDOWS || const_1.IS_MAC ? 'netstat -rn' : 'route -n', (err, out) => {
+        var _a;
+        if (err)
+            return reject(err);
+        const re = const_1.IS_WINDOWS ? /(?:0\.0\.0\.0 +){2}([\d.]+)/ : const_1.IS_MAC ? /default +([\d.]+)/ : /^0\.0\.0\.0 +([\d.]+)/;
+        resolve((_a = re.exec(out)) === null || _a === void 0 ? void 0 : _a[1]);
+    }));
+}
+const apis = {
+    get_nat: getNatInfo,
+    async map_port({ external }) {
+        const { gatewayIp, mapped, internalPort } = await getNatInfo();
+        if (!gatewayIp)
+            return new apiMiddleware_1.ApiError(const_1.HTTP_SERVICE_UNAVAILABLE, 'upnp failed');
+        if (!internalPort)
+            return new apiMiddleware_1.ApiError(const_1.HTTP_FAILED_DEPENDENCY, 'no internal port');
+        if (mapped)
+            try {
+                await client.removeMapping({ public: { host: '', port: mapped.public.port } });
+            }
+            catch (e) {
+                return new apiMiddleware_1.ApiError(const_1.HTTP_SERVER_ERROR, 'removeMapping failed: ' + String(e));
+            }
+        if (external) // must use the object form of 'public' to workaround a bug of the library
+            await client.createMapping({ private: internalPort, public: { host: '', port: external }, description: 'hfs', ttl: 0 });
+        return {};
+    },
+    async check_server() {
+        const { publicIp, internalPort, externalPort } = await getNatInfo();
+        if (!publicIp)
+            return new apiMiddleware_1.ApiError(const_1.HTTP_SERVICE_UNAVAILABLE, 'cannot detect public ip');
+        if (!internalPort)
+            return new apiMiddleware_1.ApiError(const_1.HTTP_FAILED_DEPENDENCY, 'no internal port');
+        const prjInfo = await (0, github_1.getProjectInfo)();
+        const port = externalPort || internalPort;
+        console.log(`checking server ${publicIp}:${port}`);
+        for (const services of lodash_1.default.chunk(lodash_1.default.shuffle(prjInfo.checkServerServices), 2)) {
+            try {
+                return Promise.any(services.map(async (svc) => {
+                    var _a, _b;
+                    const service = new URL(svc.url).hostname;
+                    console.log('trying service', service);
+                    const api = axios_1.default[svc.method];
+                    const body = ((_a = svc.body) === null || _a === void 0 ? void 0 : _a.replace('$IP', publicIp).replace('$PORT', String(port))) || '';
+                    const res = await api(svc.url, body, { headers: svc.headers });
+                    const parsed = (_b = (0, node_html_parser_1.parse)(res.data).querySelector(svc.selector)) === null || _b === void 0 ? void 0 : _b.innerText;
+                    if (!parsed)
+                        throw console.debug('empty:' + service);
+                    const success = new RegExp(svc.regexpSuccess).test(parsed);
+                    const failure = new RegExp(svc.regexpFailure).test(parsed);
+                    if (success === failure)
+                        throw console.debug('inconsistent:' + service); // this result cannot be trusted
+                    console.debug(service, 'responded', success);
+                    return { success, service };
+                }));
+            }
+            catch (_a) { }
+        }
+        return new apiMiddleware_1.ApiError(const_1.HTTP_SERVICE_UNAVAILABLE, 'no service available to detect upnp mapping');
+    },
+};
+exports.default = apis;

package/src/api.plugins.js

@@ -15,7 +15,7 @@ const github_1 = require("./github");
 const const_1 = require("./const");
 const apis = {
     get_plugins({}, ctx) {
-        const list = new apiMiddleware_1.SendListReadable({ addAtStart: [...(0, plugins_1.mapPlugins)(serialize), ...(0, plugins_1.getAvailablePlugins)()] });
+        const list = new apiMiddleware_1.SendListReadable({ addAtStart: [...(0, plugins_1.mapPlugins)(serialize), ...(0, plugins_1.getAvailablePlugins)().map(serialize)] });
         return list.events(ctx, {
             pluginInstalled: p => list.add(serialize(p)),
             'pluginStarted pluginStopped pluginUpdated': p => {
@@ -27,35 +27,37 @@ const apis = {
         function serialize(p) {
             const o = 'getData' in p ? Object.assign(lodash_1.default.pick(p, ['id', 'started']), p.getData())
                 : { ...p }; // _.defaults mutates object, and we don't want that
+            if (typeof o.repo === 'object') // custom repo
+                o.repo = o.repo.web;
             return lodash_1.default.defaults(o, { started: null, badApi: null }); // nulls should be used to be sure to overwrite previous values,
         }
     },
     async get_plugin_updates() {
-        const list = new apiMiddleware_1.SendListReadable();
-        setTimeout(async () => {
-            const errs = await Promise.all(lodash_1.default.map((0, github_1.getFolder2repo)(), async (repo, folder) => {
-                try {
-                    if (!repo)
-                        return;
-                    //TODO shouldn't we consider other branches here?
-                    const online = await (0, github_1.readOnlinePlugin)(repo);
-                    if (!online.apiRequired || online.badApi)
-                        return;
-                    const disk = (0, plugins_1.getPluginInfo)(folder);
-                    if (online.version > disk.version)
-                        list.add(online);
-                }
-                catch (err) {
-                    if (err.message === '404') // the plugin is declaring a wrong repo
-                        return;
-                    return err.code || err.message;
-                }
-            }));
-            for (const x of lodash_1.default.uniq((0, misc_1.onlyTruthy)(errs)))
-                list.error(x);
-            list.close();
+        return new apiMiddleware_1.SendListReadable({
+            async doAtStart(list) {
+                const errs = await Promise.all(lodash_1.default.map((0, github_1.getFolder2repo)(), async (repo, folder) => {
+                    try {
+                        if (!repo)
+                            return;
+                        //TODO shouldn't we consider other branches here?
+                        const online = await (0, github_1.readOnlinePlugin)(repo);
+                        if (!(online === null || online === void 0 ? void 0 : online.apiRequired) || online.badApi)
+                            return;
+                        const disk = (0, plugins_1.getPluginInfo)(folder);
+                        if (online.version > disk.version)
+                            list.add(online);
+                    }
+                    catch (err) {
+                        if (err.message === '404') // the plugin is declaring a wrong repo
+                            return;
+                        return err.code || err.message;
+                    }
+                }));
+                for (const x of lodash_1.default.uniq((0, misc_1.onlyTruthy)(errs)))
+                    list.error(x);
+                list.close();
+            }
         });
-        return list;
     },
     async start_plugin({ id }) {
         if ((0, plugins_1.isPluginRunning)(id))
@@ -87,7 +89,7 @@ const apis = {
             }
         };
     },
-    search_online_plugins({ text }, ctx) {
+    get_online_plugins({ text }, ctx) {
         return new apiMiddleware_1.SendListReadable({
             async doAtStart(list) {
                 try {
@@ -98,12 +100,7 @@ const apis = {
                     for await (const pl of (0, github_1.searchPlugins)(text)) {
                         const repo = pl.id;
                         if (lodash_1.default.includes(folder2repo, repo))
-                            continue;
-                        const folder = lodash_1.default.findKey(folder2repo, x => x === repo);
-                        const installed = folder && (0, plugins_1.getPluginInfo)(folder);
-                        Object.assign(pl, {
-                            update: installed && installed.version < pl.version,
-                        });
+                            continue; // don't include installed plugins
                         list.add(pl);
                         // watch for events about this plugin, until this request is closed
                         undo.push((0, misc_1.onOff)(events_1.default, {
@@ -115,10 +112,6 @@ const apis = {
                                 if (repo === (0, github_1.getFolder2repo)()[folder])
                                     list.update({ id: repo }, { installed: false });
                             },
-                            pluginUpdated: p => {
-                                if (p.repo === repo)
-                                    list.update({ id: repo }, { update: p.version < pl.version });
-                            },
                             ['pluginDownload_' + repo](status) {
                                 list.update({ id: repo }, { downloading: status !== null && status !== void 0 ? status : null });
                             }
@@ -161,6 +154,8 @@ const apis = {
 exports.default = apis;
 async function checkDependencies(repo, branch) {
     const rec = await (0, github_1.readOnlinePlugin)(repo, branch);
+    if (!rec)
+        return;
     const miss = rec.depend && rec.depend.map((dep) => {
         const res = (0, plugins_1.findPluginByRepo)(dep.repo);
         const error = !res ? 'missing'

package/src/api.vfs.js

@@ -151,7 +151,7 @@ const apis = {
                 path = (0, path_1.dirname)(path);
         return { path };
     },
-    ls({ path, files = true, fileMask }, ctx) {
+    get_ls({ path, files = true, fileMask }, ctx) {
         return new apiMiddleware_1.SendListReadable({
             async doAtStart(list) {
                 if (!path && const_1.IS_WINDOWS) {

package/src/apiMiddleware.js

@@ -24,14 +24,17 @@ function apiMiddleware(apis) {
     return async (ctx) => {
         if (!logApi.get())
             ctx.state.dont_log = true;
-        const { params } = ctx;
-        console.debug('API', ctx.method, ctx.path, { ...params });
-        const apiFun = apis.hasOwnProperty(ctx.path) && apis[ctx.path];
-        if (!apiFun) {
-            ctx.body = 'invalid api';
-            return ctx.status = const_1.HTTP_NOT_FOUND;
-        }
-        const csrf = ctx.cookies.get('csrf');
+        const isPost = ctx.params;
+        const params = isPost ? ctx.params || {} : ctx.query;
+        const apiName = ctx.path;
+        console.debug('API', ctx.method, apiName, { ...params });
+        const safe = isPost && ctx.get('x-hfs-anti-csrf') // POST is safe because browser will enforce SameSite cookie
+            || apiName.startsWith('get_'); // "get_" apis are safe because they make no change
+        if (!safe)
+            return send(const_1.HTTP_FOOL);
+        const apiFun = apis.hasOwnProperty(apiName) && apis[apiName];
+        if (!apiFun)
+            return send(const_1.HTTP_NOT_FOUND, 'invalid api');
         // we don't rely on SameSite cookie option because it's https-only
         let res;
         try {
@@ -42,10 +45,9 @@ function apiMiddleware(apis) {
                             fixUri(params, k);
                         else if (typeof (v === null || v === void 0 ? void 0 : v[0]) === 'string')
                             v.forEach((x, i) => fixUri(v, i));
-            res = csrf && csrf !== params.csrf ? new ApiError(const_1.HTTP_UNAUTHORIZED, 'csrf')
-                : await apiFun(params || {}, ctx);
-            function fixUri(o, k) {
-                o[k] = (0, misc_1.removeStarting)(ctx.state.revProxyPath, o[k]);
+            res = await apiFun(params, ctx);
+            function fixUri(obj, k) {
+                obj[k] = (0, misc_1.removeStarting)(ctx.state.revProxyPath, obj[k]);
             }
         }
         catch (e) {
@@ -60,15 +62,15 @@ function apiMiddleware(apis) {
              resAsReadable.destroy());
             return;
         }
-        if (res instanceof ApiError) {
-            ctx.body = res.message;
-            return ctx.status = res.status;
-        }
-        if (res instanceof Error) { // generic exception
-            ctx.body = res.message || String(res);
-            return ctx.status = const_1.HTTP_BAD_REQUEST;
-        }
+        if (res instanceof ApiError)
+            return send(res.status, res.message);
+        if (res instanceof Error) // generic error/exception
+            return send(const_1.HTTP_BAD_REQUEST, res.message || String(res));
         ctx.body = res;
+        function send(status, body) {
+            ctx.body = body;
+            ctx.status = status;
+        }
     };
 }
 exports.apiMiddleware = apiMiddleware;