npm - hfs - Versions diffs - 3.0.7 → 3.1.0-alpha2 - Mend

hfs 3.0.7 → 3.1.0-alpha2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (317) hide show

package/README.md +1 -1
package/admin/assets/index-CDiYkO8j.css +1 -0
package/admin/assets/index-Dm5BN1iZ.js +1 -0
package/admin/assets/index-P5i8LyWl.js +822 -0
package/admin/assets/{sha512-gDcjPgJS.js → sha512-DG-ElrDe.js} +1 -1
package/admin/flags/freakflags.css +284 -0
package/admin/flags/sprite.png +0 -0
package/admin/index.html +3 -2
package/frontend/assets/index-legacy-CG_og8xL.js +1 -0
package/frontend/assets/index-legacy-DDLKWGcm.js +9 -0
package/frontend/assets/{sha512-legacy-BBwwadDl.js → sha512-legacy-D1zEZzDe.js} +1 -1
package/frontend/fontello.css +3 -1
package/frontend/fontello.woff2 +0 -0
package/frontend/index.html +1 -1
package/npm-shrinkwrap.json +16409 -0
package/package.json +12 -11
package/plugins/antibrute/plugin.js +14 -3
package/src/AsapStream.js +49 -0
package/src/ThrottledStream.js +1 -1
package/src/adminApis.js +16 -5
package/src/api.accounts.js +1 -6
package/src/api.auth.js +103 -100
package/src/api.get_file_list.js +7 -0
package/src/api.lang.js +1 -0
package/src/api.log.js +5 -3
package/src/api.monitor.js +5 -0
package/src/api.net.js +5 -0
package/src/api.plugins.js +13 -2
package/src/api.vfs.js +41 -28
package/src/apiMiddleware.js +5 -4
package/src/auth.js +39 -6
package/src/commands.js +16 -27
package/src/comments.js +4 -4
package/src/config.js +5 -2
package/src/const.js +2 -16
package/src/cross-const.js +5 -2
package/src/cross.js +21 -15
package/src/expiringCache.js +16 -5
package/src/fileAttr.js +1 -1
package/src/first.js +7 -4
package/src/frontEndApis.js +88 -102
package/src/github.js +32 -21
package/src/ips.js +1 -1
package/src/log.js +5 -3
package/src/middlewares.js +2 -1
package/src/misc.js +2 -20
package/src/perm.js +27 -12
package/src/persistence.js +1 -1
package/src/plugins.js +12 -6
package/src/serveFile.js +3 -3
package/src/serveGuiAndSharedFiles.js +3 -0
package/src/serveGuiFiles.js +2 -1
package/src/srp.js +5 -6
package/src/stat.js +4 -1
package/src/update.js +18 -25
package/src/upload.js +4 -3
package/src/util-files.js +2 -1
package/src/util-http.js +3 -3
package/src/vfs.js +4 -2
package/src/webdav.js +297 -0
package/admin/assets/index-Bj9Dk3JN.js +0 -822
package/admin/assets/index-Byv1_NxP.css +0 -1
package/admin/flags/ad.png +0 -0
package/admin/flags/ae.png +0 -0
package/admin/flags/af.png +0 -0
package/admin/flags/ag.png +0 -0
package/admin/flags/ai.png +0 -0
package/admin/flags/al.png +0 -0
package/admin/flags/am.png +0 -0
package/admin/flags/ao.png +0 -0
package/admin/flags/aq.png +0 -0
package/admin/flags/ar.png +0 -0
package/admin/flags/as.png +0 -0
package/admin/flags/at.png +0 -0
package/admin/flags/au.png +0 -0
package/admin/flags/aw.png +0 -0
package/admin/flags/ax.png +0 -0
package/admin/flags/az.png +0 -0
package/admin/flags/ba.png +0 -0
package/admin/flags/bb.png +0 -0
package/admin/flags/bd.png +0 -0
package/admin/flags/be.png +0 -0
package/admin/flags/bf.png +0 -0
package/admin/flags/bg.png +0 -0
package/admin/flags/bh.png +0 -0
package/admin/flags/bi.png +0 -0
package/admin/flags/bj.png +0 -0
package/admin/flags/bl.png +0 -0
package/admin/flags/bm.png +0 -0
package/admin/flags/bn.png +0 -0
package/admin/flags/bo.png +0 -0
package/admin/flags/bq.png +0 -0
package/admin/flags/br.png +0 -0
package/admin/flags/bs.png +0 -0
package/admin/flags/bt.png +0 -0
package/admin/flags/bv.png +0 -0
package/admin/flags/bw.png +0 -0
package/admin/flags/by.png +0 -0
package/admin/flags/bz.png +0 -0
package/admin/flags/ca.png +0 -0
package/admin/flags/cc.png +0 -0
package/admin/flags/cd.png +0 -0
package/admin/flags/cf.png +0 -0
package/admin/flags/cg.png +0 -0
package/admin/flags/ch.png +0 -0
package/admin/flags/ci.png +0 -0
package/admin/flags/ck.png +0 -0
package/admin/flags/cl.png +0 -0
package/admin/flags/cm.png +0 -0
package/admin/flags/cn.png +0 -0
package/admin/flags/co.png +0 -0
package/admin/flags/cr.png +0 -0
package/admin/flags/cu.png +0 -0
package/admin/flags/cv.png +0 -0
package/admin/flags/cw.png +0 -0
package/admin/flags/cx.png +0 -0
package/admin/flags/cy.png +0 -0
package/admin/flags/cz.png +0 -0
package/admin/flags/de.png +0 -0
package/admin/flags/dj.png +0 -0
package/admin/flags/dk.png +0 -0
package/admin/flags/dm.png +0 -0
package/admin/flags/do.png +0 -0
package/admin/flags/dz.png +0 -0
package/admin/flags/ec.png +0 -0
package/admin/flags/ee.png +0 -0
package/admin/flags/eg.png +0 -0
package/admin/flags/eh.png +0 -0
package/admin/flags/er.png +0 -0
package/admin/flags/es.png +0 -0
package/admin/flags/et.png +0 -0
package/admin/flags/fi.png +0 -0
package/admin/flags/fj.png +0 -0
package/admin/flags/fk.png +0 -0
package/admin/flags/fm.png +0 -0
package/admin/flags/fo.png +0 -0
package/admin/flags/fr.png +0 -0
package/admin/flags/ga.png +0 -0
package/admin/flags/gb-eng.png +0 -0
package/admin/flags/gb-nir.png +0 -0
package/admin/flags/gb-sct.png +0 -0
package/admin/flags/gb-wls.png +0 -0
package/admin/flags/gb.png +0 -0
package/admin/flags/gd.png +0 -0
package/admin/flags/ge.png +0 -0
package/admin/flags/gf.png +0 -0
package/admin/flags/gg.png +0 -0
package/admin/flags/gh.png +0 -0
package/admin/flags/gi.png +0 -0
package/admin/flags/gl.png +0 -0
package/admin/flags/gm.png +0 -0
package/admin/flags/gn.png +0 -0
package/admin/flags/gp.png +0 -0
package/admin/flags/gq.png +0 -0
package/admin/flags/gr.png +0 -0
package/admin/flags/gs.png +0 -0
package/admin/flags/gt.png +0 -0
package/admin/flags/gu.png +0 -0
package/admin/flags/gw.png +0 -0
package/admin/flags/gy.png +0 -0
package/admin/flags/hk.png +0 -0
package/admin/flags/hm.png +0 -0
package/admin/flags/hn.png +0 -0
package/admin/flags/hr.png +0 -0
package/admin/flags/ht.png +0 -0
package/admin/flags/hu.png +0 -0
package/admin/flags/id.png +0 -0
package/admin/flags/ie.png +0 -0
package/admin/flags/il.png +0 -0
package/admin/flags/im.png +0 -0
package/admin/flags/in.png +0 -0
package/admin/flags/io.png +0 -0
package/admin/flags/iq.png +0 -0
package/admin/flags/ir.png +0 -0
package/admin/flags/is.png +0 -0
package/admin/flags/it.png +0 -0
package/admin/flags/je.png +0 -0
package/admin/flags/jm.png +0 -0
package/admin/flags/jo.png +0 -0
package/admin/flags/jp.png +0 -0
package/admin/flags/ke.png +0 -0
package/admin/flags/kg.png +0 -0
package/admin/flags/kh.png +0 -0
package/admin/flags/ki.png +0 -0
package/admin/flags/km.png +0 -0
package/admin/flags/kn.png +0 -0
package/admin/flags/kp.png +0 -0
package/admin/flags/kr.png +0 -0
package/admin/flags/kw.png +0 -0
package/admin/flags/ky.png +0 -0
package/admin/flags/kz.png +0 -0
package/admin/flags/la.png +0 -0
package/admin/flags/lb.png +0 -0
package/admin/flags/lc.png +0 -0
package/admin/flags/li.png +0 -0
package/admin/flags/lk.png +0 -0
package/admin/flags/lr.png +0 -0
package/admin/flags/ls.png +0 -0
package/admin/flags/lt.png +0 -0
package/admin/flags/lu.png +0 -0
package/admin/flags/lv.png +0 -0
package/admin/flags/ly.png +0 -0
package/admin/flags/ma.png +0 -0
package/admin/flags/mc.png +0 -0
package/admin/flags/md.png +0 -0
package/admin/flags/me.png +0 -0
package/admin/flags/mf.png +0 -0
package/admin/flags/mg.png +0 -0
package/admin/flags/mh.png +0 -0
package/admin/flags/mk.png +0 -0
package/admin/flags/ml.png +0 -0
package/admin/flags/mm.png +0 -0
package/admin/flags/mn.png +0 -0
package/admin/flags/mo.png +0 -0
package/admin/flags/mp.png +0 -0
package/admin/flags/mq.png +0 -0
package/admin/flags/mr.png +0 -0
package/admin/flags/ms.png +0 -0
package/admin/flags/mt.png +0 -0
package/admin/flags/mu.png +0 -0
package/admin/flags/mv.png +0 -0
package/admin/flags/mw.png +0 -0
package/admin/flags/mx.png +0 -0
package/admin/flags/my.png +0 -0
package/admin/flags/mz.png +0 -0
package/admin/flags/na.png +0 -0
package/admin/flags/nc.png +0 -0
package/admin/flags/ne.png +0 -0
package/admin/flags/nf.png +0 -0
package/admin/flags/ng.png +0 -0
package/admin/flags/ni.png +0 -0
package/admin/flags/nl.png +0 -0
package/admin/flags/no.png +0 -0
package/admin/flags/np.png +0 -0
package/admin/flags/nr.png +0 -0
package/admin/flags/nu.png +0 -0
package/admin/flags/nz.png +0 -0
package/admin/flags/om.png +0 -0
package/admin/flags/pa.png +0 -0
package/admin/flags/pe.png +0 -0
package/admin/flags/pf.png +0 -0
package/admin/flags/pg.png +0 -0
package/admin/flags/ph.png +0 -0
package/admin/flags/pk.png +0 -0
package/admin/flags/pl.png +0 -0
package/admin/flags/pm.png +0 -0
package/admin/flags/pn.png +0 -0
package/admin/flags/pr.png +0 -0
package/admin/flags/ps.png +0 -0
package/admin/flags/pt.png +0 -0
package/admin/flags/pw.png +0 -0
package/admin/flags/py.png +0 -0
package/admin/flags/qa.png +0 -0
package/admin/flags/re.png +0 -0
package/admin/flags/ro.png +0 -0
package/admin/flags/rs.png +0 -0
package/admin/flags/ru.png +0 -0
package/admin/flags/rw.png +0 -0
package/admin/flags/sa.png +0 -0
package/admin/flags/sb.png +0 -0
package/admin/flags/sc.png +0 -0
package/admin/flags/sd.png +0 -0
package/admin/flags/se.png +0 -0
package/admin/flags/sg.png +0 -0
package/admin/flags/sh.png +0 -0
package/admin/flags/si.png +0 -0
package/admin/flags/sj.png +0 -0
package/admin/flags/sk.png +0 -0
package/admin/flags/sl.png +0 -0
package/admin/flags/sm.png +0 -0
package/admin/flags/sn.png +0 -0
package/admin/flags/so.png +0 -0
package/admin/flags/sr.png +0 -0
package/admin/flags/ss.png +0 -0
package/admin/flags/st.png +0 -0
package/admin/flags/sv.png +0 -0
package/admin/flags/sx.png +0 -0
package/admin/flags/sy.png +0 -0
package/admin/flags/sz.png +0 -0
package/admin/flags/tc.png +0 -0
package/admin/flags/td.png +0 -0
package/admin/flags/tf.png +0 -0
package/admin/flags/tg.png +0 -0
package/admin/flags/th.png +0 -0
package/admin/flags/tj.png +0 -0
package/admin/flags/tk.png +0 -0
package/admin/flags/tl.png +0 -0
package/admin/flags/tm.png +0 -0
package/admin/flags/tn.png +0 -0
package/admin/flags/to.png +0 -0
package/admin/flags/tr.png +0 -0
package/admin/flags/tt.png +0 -0
package/admin/flags/tv.png +0 -0
package/admin/flags/tw.png +0 -0
package/admin/flags/tz.png +0 -0
package/admin/flags/ua.png +0 -0
package/admin/flags/ug.png +0 -0
package/admin/flags/um.png +0 -0
package/admin/flags/us.png +0 -0
package/admin/flags/uy.png +0 -0
package/admin/flags/uz.png +0 -0
package/admin/flags/va.png +0 -0
package/admin/flags/vc.png +0 -0
package/admin/flags/ve.png +0 -0
package/admin/flags/vg.png +0 -0
package/admin/flags/vi.png +0 -0
package/admin/flags/vn.png +0 -0
package/admin/flags/vu.png +0 -0
package/admin/flags/wf.png +0 -0
package/admin/flags/ws.png +0 -0
package/admin/flags/xk.png +0 -0
package/admin/flags/ye.png +0 -0
package/admin/flags/yt.png +0 -0
package/admin/flags/za.png +0 -0
package/admin/flags/zm.png +0 -0
package/admin/flags/zw.png +0 -0
package/frontend/assets/index-legacy-COBT1YmS.js +0 -50

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "hfs",
-  "version": "3.0.7",
+  "version": "3.1.0-alpha2",
   "description": "HTTP File Server",
   "keywords": ["file server", "http server"],
   "homepage": "https://rejetto.com/hfs",
@@ -13,8 +13,8 @@
     "watch-server-full": "npm run start --workspace=frontend & npm run start --workspace=admin & cross-env FRONTEND_PROXY=3005 ADMIN_PROXY=3006 npm run watch-server",
     "start-frontend": "npm run start --workspace=frontend",
     "start-admin": "npm run start --workspace=admin",
-    "build-all": "rm -rf dist && npm run build-server && npm run test-with-server && (npm run build-frontend & npm run build-admin) && echo COMPLETED",
-    "build-server": "rm -rf dist/src dist/plugins && npm i && tsc && touch package.json && cp -v -r package.json central.json README* LICENSE* hfs.ico plugins dist && find dist -name .DS_Store -o -name storage -exec rm -rf {} + && node afterbuild.js",
+    "build-all": "rm -rf dist && npm run build-server && (npm run build-frontend & npm run build-admin) && echo COMPLETED",
+    "build-server": "rm -rf dist/src dist/plugins && npm i && tsc && touch package.json && cp -v -r package.json central.json README* LICENSE* hfs.ico plugins dist && find dist -name .DS_Store -o -name storage -exec rm -rf {} + && node scripts/afterbuild.js",
     "build-frontend": "npm run build --workspace=frontend",
     "build-admin": "npm run build --workspace=admin",
     "server-for-test": "node dist/src --cwd tests/work --config tests --debug",
@@ -22,13 +22,13 @@
     "test": "node --import tsx --test tests/test.ts",
     "test-with-server": "sh -c 'npm run port-is-free && tsc && rm -rf tests/work tests/tmp && (node dist/src --cwd tests/work --config tests & echo $! > .server_pid) && sleep 2 && node --import tsx --test \"$@\" tests/test.ts; _exit=$?; if [ -f ./.server_pid ]; then SERVER_PID=$(cat ./.server_pid); kill \"$SERVER_PID\" 2>/dev/null || true; rm -f ./.server_pid; fi; exit $_exit' --",
     "port-is-free": "node -e \"const port=process.argv[1]||8081;process.exit(await fetch('http://localhost:'+port).then(() => console.log('BUSY')||1, () => 0))\" --",
-    "test-ui": "npx playwright test frontend && npx playwright test serial",
-    "test-with-ui": "sh -c 'npm run port-is-free -- 3005 && npm run start-frontend & npm run port-is-free -- 3006 && npm run start-admin & cross-env TEST_WITH_UI=1 npx playwright test --ui'",
+    "test-ui": "npx playwright test frontend && npx playwright test serial && npx playwright test admin-vfs",
+    "test-with-ui": "sh -c 'npm run port-is-free -- 3005 && npm run start-frontend & npm run port-is-free -- 3006 && npm run start-admin & cross-env TEST_WITH_UI=1 npx playwright test --ui \"$@\"' --",
     "pub": "cd dist && npm publish",
     "dist": "STASHED=; if ! git diff-index --quiet HEAD --; then git stash push -m 'dist' && STASHED=1; fi; CI=1 FORCE_COLOR=1 npm run dist-uncommitted || (EXIT_CODE=$?; [ -n \"$STASHED\" ] && git stash pop; exit $EXIT_CODE); [ -n \"$STASHED\" ] && git stash pop",
-    "dist-uncommitted": "npm audit --omit=dev --audit-level=moderate && npm run build-all && npm run test-ui && npm run dist-bin",
+    "dist-uncommitted": "npm audit --omit=dev --audit-level=moderate && rm -rf dist && npm run build-server && npm run test-with-server && (npm run build-frontend & npm run build-admin) && npm run test-ui && npm run dist-bin",
     "dist-bin": "npm run dist-modules && npm run dist-bin-win && npm run dist-bin-linux && npm run dist-bin-linux-arm && npm run dist-bin-mac && npm run dist-bin-mac-arm",
-    "dist-modules": "cp package*.json central.json README.md dist && cd dist && npm ci --omit=dev && cd .. && node prune_modules",
+    "dist-modules": "cp package*.json central.json README.md dist && cd dist && npm ci --omit=dev && npm shrinkwrap && cd .. && node scripts/prune_modules.js",
     "dist-bin-win": "cd dist && pkg . --public -C gzip -t node20-win-x64 && npx resedit-cli --in hfs.exe --icon 1,../hfs.ico --out hfs.exe && zip hfs-windows-x64-$(jq -r .version ../package.json).zip hfs.exe -r plugins && cd ..",
     "dist-bin-mac-arm": "cd dist && pkg . --public -C gzip -t node20-macos-arm64 && zip hfs-mac-arm64-$(jq -r .version ../package.json).zip hfs -r plugins && cd ..",
     "dist-bin-mac": "cd dist && pkg . --public -C gzip -t node20-macos-x64 && zip hfs-mac-x64-$(jq -r .version ../package.json).zip hfs -r plugins && cd ..",
@@ -45,6 +45,7 @@
   },
   "files": [
     "central.json",
+    "npm-shrinkwrap.json",
     "src/*",
     "admin/*",
     "frontend/*",
@@ -79,7 +80,7 @@
   },
   "dependencies": {
     "@gregoranders/csv": "^0.0.13",
-    "@rejetto/kvstorage": "^0.16.0",
+    "@rejetto/kvstorage": "^0.17.1",
     "acme-client": "^5.4.0",
     "busboy": "^1.6.0",
     "crc-32": "^1.2.2",
@@ -90,8 +91,8 @@
     "iconv-lite": "^0.7.0",
     "immer": "^10.1.3",
     "ip2location-nodejs": "^9.7.0",
-    "koa": "^3.1.1",
-    "koa-compress": "^5.1.1",
+    "koa": "^3.1.2",
+    "koa-compress": "^5.2.0",
     "koa-mount": "^4.2.0",
     "koa-session": "^7.0.2",
     "limiter": "^3.0.0",
@@ -122,7 +123,7 @@
     "@types/node": "^20.17.30",
     "@types/node-forge": "^1.3.14",
     "@types/picomatch": "^4.0.2",
-    "@yao-pkg/pkg": "6.13.1",
+    "@yao-pkg/pkg": "6.14.1",
     "cross-env": "^10.0.0",
     "koa-better-http-proxy": "^0.2.10",
     "nm-prune": "^5.0.0",

package/plugins/antibrute/plugin.js CHANGED Viewed

@@ -1,4 +1,4 @@
-exports.version = 3
+exports.version = 3.1
 exports.description = "Introduce increasing delays between login attempts."
 exports.apiRequired = 9.6 // addBlock
@@ -7,6 +7,7 @@ exports.config = {
     max: { type: 'number', min: 1, defaultValue: 60, label: "Max delay", unit: "seconds", helperText: "Max seconds to delay before next login is allowed" },
     blockAfter: { type: 'number', xs: 6, min: 1, max: 9999, defaultValue: 100, label: "Block IP after", unit: "attempts", helperText: "localhost excluded" },
     blockForHours: { type: 'number', xs: 6, min: 0, defaultValue: 24, label: "Block for", unit: "hours" },
+    exclude: { type: 'string', defaultValue: '', label: "Exclude IPs", helperText: "Net mask syntax" },
 }
 exports.configDialog = {
     maxWidth: 'xs',
@@ -15,7 +16,7 @@ exports.configDialog = {
 const byIp = {}
 exports.init = api => {
-    const { isLocalHost, HOUR } = api.misc
+    const { isLocalHost, HOUR, netMatches } = api.misc
     api.events.multi({
         async attemptingLogin({ ctx }) {
             const { ip } = ctx
@@ -25,7 +26,7 @@ exports.init = api => {
             const delay = Math.min(max, 1000 * api.getConfig('increment') * ++rec.attempts)
             const wait = rec.next - now
             rec.next = new Date(+rec.next + delay)
-            if (rec.attempts > api.getConfig('blockAfter') && !isLocalHost(ctx)) {
+            if (rec.attempts > api.getConfig('blockAfter') && !isLocalHost(ctx) && !isExcluded(ip)) {
                 const hours = api.getConfig('blockForHours')
                 api.addBlock({ ip, comment: "From antibrute plugin", expire: hours ? new Date(now.getTime() + hours * HOUR) : undefined })
             }
@@ -42,4 +43,14 @@ exports.init = api => {
                 delete byIp[ctx.ip] // reset if login was successful
         }
     })
+    function isExcluded(ip) {
+        const mask = api.getConfig('exclude')
+        if (!mask) return false
+        try { return netMatches(ip, mask) }
+        catch (e) {
+            api.log("bad exclude mask:", String(e))
+            return false
+        }
+    }
 }

package/src/AsapStream.js ADDED Viewed

@@ -0,0 +1,49 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AsapStream = void 0;
+const stream_1 = require("stream");
+const cross_1 = require("./cross");
+// produces as promises resolve, not sequentially
+class AsapStream extends stream_1.Readable {
+    promises;
+    finished = false;
+    constructor(promises) {
+        super({ objectMode: true });
+        this.promises = promises;
+    }
+    _read() {
+        if (this.finished)
+            return;
+        this.finished = true;
+        void (async () => {
+            const pending = [];
+            try {
+                if ((0, cross_1.isAsyncIterable)(this.promises)) {
+                    const iterator = this.promises[Symbol.asyncIterator]();
+                    while (true) {
+                        const { value, done } = await iterator.next();
+                        if (done)
+                            break;
+                        const promise = Promise.resolve(value);
+                        pending.push(promise);
+                        promise.then(x => x !== undefined && this.push(x), e => this.emit('error', e));
+                    }
+                }
+                else {
+                    for (const p of this.promises) {
+                        const promise = Promise.resolve(p);
+                        pending.push(promise);
+                        promise.then(x => x !== undefined && this.push(x), e => this.emit('error', e));
+                    }
+                }
+                await Promise.allSettled(pending);
+                this.push(null);
+            }
+            catch (e) {
+                this.emit('error', e);
+                this.push(null);
+            }
+        })();
+    }
+}
+exports.AsapStream = AsapStream;

package/src/ThrottledStream.js CHANGED Viewed

@@ -72,7 +72,7 @@ class ThrottleGroup {
     }
     updateLimit(kBs) {
         if (kBs < 0)
-            throw new Error('invalid bytesPerSecond');
+            throw Error('invalid bytesPerSecond');
         kBs *= 1000;
         return this.bucket = new limiter_1.TokenBucket({
             bucketSize: kBs,

package/src/adminApis.js CHANGED Viewed

@@ -71,10 +71,16 @@ exports.adminApis = {
             customHtml: customHtml_1.customHtml.getText(),
         };
     },
-    set_config_text: ({ text }) => config_1.configFile.save(text, { reparse: true }),
-    update: ({ tag }) => (0, update_1.update)(tag).catch(e => {
-        throw e.cause?.statusCode ? new apiMiddleware_1.ApiError(e.cause?.statusCode) : e;
-    }),
+    set_config_text: ({ text }) => {
+        (0, misc_1.apiAssertTypes)({ string: { text } });
+        return config_1.configFile.save(text, { reparse: true });
+    },
+    update: ({ tag }) => {
+        (0, misc_1.apiAssertTypes)({ string_undefined: { tag } });
+        return (0, update_1.update)(tag).catch(e => {
+            throw e.cause?.statusCode ? new apiMiddleware_1.ApiError(e.cause?.statusCode) : e;
+        });
+    },
     async check_update() {
         return { options: await (0, update_1.getUpdates)() };
     },
@@ -88,6 +94,10 @@ exports.adminApis = {
         return {};
     },
     async ip_country({ ips }) {
+        (0, misc_1.apiAssertTypes)({
+            array: { ips },
+            string: { ips0: ips[0] }
+        });
         const res = await Promise.allSettled(ips.map(geo_1.ip2country));
         return {
             codes: res.map(x => x.status === 'rejected' || x.value === '-' ? '' : x.value)
@@ -110,6 +120,7 @@ exports.adminApis = {
         };
     },
     async set_custom_html({ sections }) {
+        (0, misc_1.apiAssertTypes)({ object: { sections } });
         await (0, customHtml_1.saveCustomHtml)(sections);
         return {};
     },
@@ -196,7 +207,7 @@ const frpDebounced = (0, misc_1.debounceAsync)(async () => {
     }
 }, { retain: 10_000 });
 function anyAccountCanLoginAdmin() {
-    return Boolean(lodash_1.default.find(perm_1.accounts.get(), perm_1.accountCanLoginAdmin));
+    return lodash_1.default.some(perm_1.accounts.get(), perm_1.accountCanLoginAdmin);
 }
 function preventAdminAccess(ctx) {
     return !(0, misc_1.isLocalHost)(ctx) && !exports.adminNet.compiled()(ctx.ip);

package/src/api.accounts.js CHANGED Viewed

@@ -40,6 +40,7 @@ exports.default = {
         return { list: Object.keys(perm_1.accounts.get()) };
     },
     get_account({ username }, ctx) {
+        (0, misc_1.apiAssertTypes)({ string: { username } });
         return prepareAccount((0, perm_1.getAccount)(username || (0, auth_1.getCurrentUsername)(ctx)))
             || new apiMiddleware_1.ApiError(const_1.HTTP_NOT_FOUND);
     },
@@ -85,10 +86,4 @@ exports.default = {
         auth_1.invalidateSessionBefore.set((0, perm_1.normalizeUsername)(username), Date.now());
         return {};
     },
-    async change_srp({ username, salt, verifier }) {
-        (0, misc_1.apiAssertTypes)({ string: { username, salt, verifier } });
-        const a = (0, perm_1.getAccount)(username);
-        return a ? (0, perm_1.changeSrpHelper)(a, salt, verifier)
-            : new apiMiddleware_1.ApiError(const_1.HTTP_NOT_FOUND);
-    }
 };

package/src/api.auth.js CHANGED Viewed

@@ -4,7 +4,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.change_my_srp = exports.refresh_session = exports.logout = exports.loginSrp2 = exports.loginSrp1 = exports.login = void 0;
+exports.authApis = void 0;
 const perm_1 = require("./perm");
 const apiMiddleware_1 = require("./apiMiddleware");
 const const_1 = require("./const");
@@ -13,103 +13,14 @@ const middlewares_1 = require("./middlewares");
 const auth_1 = require("./auth");
 const config_1 = require("./config");
 const events_1 = __importDefault(require("./events"));
+const misc_1 = require("./misc");
 const ongoingLogins = {}; // store data that doesn't fit session object
 const keepSessionAlive = (0, config_1.defineConfig)('keep_session_alive', true);
-const login = async ({ username, password }, ctx) => {
-    if (!username)
-        return new apiMiddleware_1.ApiError(const_1.HTTP_BAD_REQUEST);
-    if (!ctx.session)
-        return new apiMiddleware_1.ApiError(const_1.HTTP_SERVER_ERROR);
-    try {
-        const account = await (0, auth_1.clearTextLogin)(ctx, username, password, 'api');
-        if (!account)
-            return new apiMiddleware_1.ApiError(const_1.HTTP_UNAUTHORIZED);
-        await (0, auth_1.setLoggedIn)(ctx, account.username);
-    }
-    catch (e) {
-        return new apiMiddleware_1.ApiError(const_1.HTTP_UNAUTHORIZED, String(e));
-    }
-    return {
-        redirect: ctx.state.account?.redirect,
-        ...await (0, exports.refresh_session)({}, ctx)
-    };
-};
-exports.login = login;
-const loginSrp1 = async ({ username }, ctx) => {
-    if (!username)
-        return new apiMiddleware_1.ApiError(const_1.HTTP_BAD_REQUEST);
-    const account = (0, perm_1.getAccount)(username);
-    if (!ctx.session)
-        return new apiMiddleware_1.ApiError(const_1.HTTP_SERVER_ERROR);
-    if (account?.plugin?.auth) // tell client to do clear-text login, before firing attemptingLogin, before triggering anti-brute
-        return new apiMiddleware_1.ApiError(const_1.HTTP_METHOD_NOT_ALLOWED);
-    if ((await events_1.default.emitAsync('attemptingLogin', { ctx, username }))?.isDefaultPrevented())
-        return;
-    if (!account || !(0, perm_1.accountCanLogin)(account)) { // TODO simulate fake account to prevent knowing valid usernames
-        ctx.logExtra({ u: username });
-        ctx.state.dontLog = false; // log even if log_api is false
-        return new apiMiddleware_1.ApiError(const_1.HTTP_UNAUTHORIZED, account && (0, perm_1.accountIsDisabled)(account) ? 'Account disabled' : undefined);
-    }
-    if ((0, middlewares_1.failAllowNet)(ctx, account))
-        return new apiMiddleware_1.ApiError(const_1.HTTP_UNAUTHORIZED);
-    try {
-        const { srpServer, ...rest } = await (0, auth_1.srpServerStep1)(account);
-        const sid = Math.random();
-        ongoingLogins[sid] = srpServer;
-        setTimeout(() => delete ongoingLogins[sid], 60_000);
-        ctx.session.loggingIn = { username, sid }; // temporarily store until process is complete
-        return rest;
-    }
-    catch (code) {
-        return new apiMiddleware_1.ApiError(code);
-    }
-};
-exports.loginSrp1 = loginSrp1;
-const loginSrp2 = async ({ pubKey, proof }, ctx) => {
-    if (!ctx.session)
-        return new apiMiddleware_1.ApiError(const_1.HTTP_SERVER_ERROR);
-    if (!ctx.session.loggingIn)
-        return new apiMiddleware_1.ApiError(const_1.HTTP_CONFLICT);
-    const { username, sid } = ctx.session.loggingIn;
-    delete ctx.session.loggingIn;
-    const step1 = ongoingLogins[sid];
-    if (!step1)
-        return new apiMiddleware_1.ApiError(const_1.HTTP_NOT_FOUND);
-    try {
-        const M2 = await step1.step2(BigInt(pubKey), BigInt(proof))
-            .catch(() => { throw ''; });
-        await (0, auth_1.setLoggedIn)(ctx, username);
-        return {
-            proof: String(M2),
-            redirect: ctx.state.account?.redirect,
-            ...await (0, exports.refresh_session)({}, ctx)
-        };
-    }
-    catch (e) {
-        ctx.logExtra({ u: username });
-        ctx.state.dontLog = false; // log even if log_api is false
-        events_1.default.emit('failedLogin', { ctx, username });
-        return new apiMiddleware_1.ApiError(const_1.HTTP_UNAUTHORIZED, e ? String(e) : undefined);
-    }
-    finally {
-        delete ongoingLogins[sid];
-    }
-};
-exports.loginSrp2 = loginSrp2;
-// this api is here for consistency, but frontend is actually using
-const logout = async ({}, ctx) => {
-    if (!ctx.session)
-        return new apiMiddleware_1.ApiError(const_1.HTTP_SERVER_ERROR);
-    await (0, auth_1.setLoggedIn)(ctx, false);
-    // 401 is a convenient code for OK: the browser clears a possible http authentication (hopefully), and Admin automatically triggers login dialog
-    return new apiMiddleware_1.ApiError(const_1.HTTP_UNAUTHORIZED);
-};
-exports.logout = logout;
 const refresh_session = async ({}, ctx) => {
     const username = (0, auth_1.getCurrentUsername)(ctx);
     return !ctx.session ? new apiMiddleware_1.ApiError(const_1.HTTP_SERVER_ERROR) : {
         username,
-        expandedUsername: (0, perm_1.expandUsername)(username),
+        expandedUsername: Array.from((0, perm_1.expandUsername)(username)),
         adminUrl: (0, adminApis_1.ctxAdminAccess)(ctx) ? ctx.state.revProxyPath + const_1.ADMIN_URI : undefined,
         canChangePassword: (0, perm_1.accountCanChangePassword)(ctx.state.account),
         requireChangePassword: ctx.state.account?.require_password_change,
@@ -117,12 +28,104 @@ const refresh_session = async ({}, ctx) => {
         accountExp: ctx.state.account?.expire,
     };
 };
-exports.refresh_session = refresh_session;
-const change_my_srp = async ({ salt, verifier }, ctx) => {
-    const a = ctx.state.account;
-    return !a || !(0, perm_1.accountCanChangePassword)(a) ? new apiMiddleware_1.ApiError(const_1.HTTP_UNAUTHORIZED)
-        : (0, perm_1.changeSrpHelper)(a, salt, verifier).then(() => {
-            delete a.require_password_change;
-        });
+exports.authApis = {
+    async login({ username, password }, ctx) {
+        if (!username)
+            return new apiMiddleware_1.ApiError(const_1.HTTP_BAD_REQUEST);
+        if (!ctx.session)
+            return new apiMiddleware_1.ApiError(const_1.HTTP_SERVER_ERROR);
+        try {
+            const account = await (0, auth_1.clearTextLogin)(ctx, username, password, 'api');
+            if (!account)
+                return new apiMiddleware_1.ApiError(const_1.HTTP_UNAUTHORIZED);
+            await (0, auth_1.setLoggedIn)(ctx, account.username);
+        }
+        catch (e) {
+            return new apiMiddleware_1.ApiError(const_1.HTTP_UNAUTHORIZED, String(e));
+        }
+        return {
+            redirect: ctx.state.account?.redirect,
+            ...await refresh_session({}, ctx)
+        };
+    },
+    async loginSrp1({ username }, ctx) {
+        (0, misc_1.apiAssertTypes)({ string: { username } });
+        if (!username)
+            return new apiMiddleware_1.ApiError(const_1.HTTP_BAD_REQUEST);
+        const account = (0, perm_1.getAccount)(username);
+        if (!ctx.session)
+            return new apiMiddleware_1.ApiError(const_1.HTTP_SERVER_ERROR);
+        if (account?.plugin?.auth) // tell client to do clear-text login, before firing attemptingLogin, before triggering anti-brute
+            return new apiMiddleware_1.ApiError(const_1.HTTP_METHOD_NOT_ALLOWED);
+        if ((await events_1.default.emitAsync('attemptingLogin', { ctx, username }))?.isDefaultPrevented())
+            return;
+        if (!account || !(0, perm_1.accountCanLogin)(account)) { // TODO simulate fake account to prevent knowing valid usernames
+            ctx.logExtra({ u: username });
+            ctx.state.dontLog = false; // log even if log_api is false
+            return new apiMiddleware_1.ApiError(const_1.HTTP_UNAUTHORIZED, account && (0, perm_1.accountIsDisabled)(account) ? 'Account disabled' : undefined);
+        }
+        if ((0, middlewares_1.failAllowNet)(ctx, account))
+            return new apiMiddleware_1.ApiError(const_1.HTTP_UNAUTHORIZED);
+        try {
+            const { srpServer, ...rest } = await (0, auth_1.srpServerStep1)(account);
+            const sid = Math.random();
+            ongoingLogins[sid] = srpServer;
+            setTimeout(() => delete ongoingLogins[sid], 60_000);
+            ctx.session.loggingIn = { username, sid }; // temporarily store until process is complete
+            return rest;
+        }
+        catch (code) {
+            return new apiMiddleware_1.ApiError(code);
+        }
+    },
+    async loginSrp2({ pubKey, proof }, ctx) {
+        if (!ctx.session)
+            return new apiMiddleware_1.ApiError(const_1.HTTP_SERVER_ERROR);
+        if (!ctx.session.loggingIn)
+            return new apiMiddleware_1.ApiError(const_1.HTTP_CONFLICT);
+        const { username, sid } = ctx.session.loggingIn;
+        delete ctx.session.loggingIn;
+        const step1 = ongoingLogins[sid];
+        if (!step1)
+            return new apiMiddleware_1.ApiError(const_1.HTTP_NOT_FOUND);
+        try {
+            const M2 = await step1.step2(BigInt(pubKey), BigInt(proof))
+                .catch(() => { throw ''; });
+            await (0, auth_1.setLoggedIn)(ctx, username);
+            return {
+                proof: String(M2),
+                redirect: ctx.state.account?.redirect,
+                ...await refresh_session({}, ctx)
+            };
+        }
+        catch (e) {
+            ctx.logExtra({ u: username });
+            ctx.state.dontLog = false; // log even if log_api is false
+            events_1.default.emit('failedLogin', { ctx, username });
+            return new apiMiddleware_1.ApiError(const_1.HTTP_UNAUTHORIZED, e ? String(e) : undefined);
+        }
+        finally {
+            delete ongoingLogins[sid];
+        }
+    },
+    // this api is here for consistency, but frontend is actually using
+    async logout({}, ctx) {
+        if (!ctx.session)
+            return new apiMiddleware_1.ApiError(const_1.HTTP_SERVER_ERROR);
+        await (0, auth_1.setLoggedIn)(ctx, false);
+        // 401 is a convenient code for OK: the browser clears a possible http authentication (hopefully), and Admin automatically triggers login dialog
+        return new apiMiddleware_1.ApiError(const_1.HTTP_UNAUTHORIZED);
+    },
+    refresh_session,
+    async change_srp({ username, salt, verifier }, ctx) {
+        const a = username && (0, perm_1.getAccount)(username);
+        const can = a && ((0, adminApis_1.ctxAdminAccess)(ctx) || username === (0, auth_1.getCurrentUsername)(ctx) && (0, perm_1.accountCanChangePassword)(a));
+        if (!can)
+            return new apiMiddleware_1.ApiError(const_1.HTTP_UNAUTHORIZED);
+        if (!salt || !verifier)
+            return new apiMiddleware_1.ApiError(const_1.HTTP_BAD_REQUEST, 'missing parameters');
+        await (0, perm_1.updateAccount)(a, a => (0, perm_1.saveSrpInfo)(a, salt, verifier));
+        delete a.require_password_change;
+        return {};
+    }
 };
-exports.change_my_srp = change_my_srp;

package/src/api.get_file_list.js CHANGED Viewed

@@ -1,5 +1,8 @@
 "use strict";
 // This file is part of HFS - Copyright 2021-2023, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.get_file_list = void 0;
 exports.paramsToFilter = paramsToFilter;
@@ -14,6 +17,7 @@ const connections_1 = require("./connections");
 const adminApis_1 = require("./adminApis");
 const upload_1 = require("./upload");
 const SendList_1 = require("./SendList");
+const events_1 = __importDefault(require("./events"));
 function paramsToFilter({ search, wild, searchComment, fileMask }) {
     search = String(search || '').toLocaleLowerCase();
     searchComment = String(searchComment || '').toLocaleLowerCase();
@@ -25,6 +29,7 @@ function paramsToFilter({ search, wild, searchComment, fileMask }) {
     };
 }
 const get_file_list = async ({ uri = '/', offset, limit, c, onlyFolders, onlyFiles, admin, ...rest }, ctx) => {
+    (0, misc_1.apiAssertTypes)({ string: { uri } });
     const node = await (0, vfs_1.urlToNode)(uri, ctx);
     const list = ctx.get('accept') === 'text/event-stream' ? new SendList_1.SendListReadable() : undefined;
     if (!node)
@@ -81,6 +86,8 @@ const get_file_list = async ({ uri = '/', offset, limit, c, onlyFolders, onlyFil
                 const res = await Promise.all(onDirEntryHandlers.map(cb => cb(cbParams)));
                 if (res.some(x => x === false))
                     continue;
+                if ((await events_1.default.emitAsync('dirEntry', cbParams))?.isDefaultPrevented())
+                    continue;
             }
             catch (e) {
                 console.log("a plugin with onDirEntry is causing problems:", e);

package/src/api.lang.js CHANGED Viewed

@@ -43,6 +43,7 @@ const apis = {
         }
     },
     async add_langs({ langs }) {
+        (0, misc_1.apiAssertTypes)({ object: { langs } });
         for (let [code, content] of Object.entries(langs)) {
             code = (0, lang_1.file2code)(code);
             validateCode(code);

package/src/api.log.js CHANGED Viewed

@@ -19,6 +19,7 @@ exports.default = {
         return { current, rotated: await (0, log_1.getRotatedFiles)() };
     },
     async get_log_file({ file = 'log', range = '' }, ctx) {
+        (0, misc_1.apiAssertTypes)({ string: { file, range } });
         const log = lodash_1.default.find(log_1.loggers, { name: file });
         if (!log)
             throw cross_1.HTTP_NOT_FOUND;
@@ -33,7 +34,8 @@ exports.default = {
         return null;
     },
     get_log({ file = 'log' }, ctx) {
-        const files = file.split('|'); // potentially more then one
+        (0, misc_1.apiAssertTypes)({ string: { file } });
+        const files = file.split('|'); // potentially more than one
         return new SendList_1.SendListReadable({
             bufferTime: 10,
             async doAtStart(list) {
@@ -58,10 +60,10 @@ exports.default = {
                     return list.ready();
                 }
                 // for other logs we only provide updates. Use get_log_file to download past content
-                if (lodash_1.default.some(files, x => !lodash_1.default.find(log_1.loggers, { name: x })))
+                if (lodash_1.default.some(files, x => !lodash_1.default.some(log_1.loggers, { name: x })))
                     return list.error(cross_1.HTTP_NOT_FOUND, true);
                 list.ready();
-                // unsubscribe when connection is interrupted
+                // unsubscribe when the connection is interrupted
                 ctx.res.once('close', events_1.default.on(files, x => list.add(Object.assign(lodash_1.default.pick(x.ctx, ['ip', 'method', 'status']), x, { ctx: undefined }))));
             }
         });

package/src/api.monitor.js CHANGED Viewed

@@ -13,6 +13,11 @@ const SendList_1 = require("./SendList");
 const persistence_1 = require("./persistence");
 exports.default = {
     async disconnect({ ip, port, allButLocalhost }) {
+        (0, misc_1.apiAssertTypes)({
+            string_undefined: { ip },
+            number_undefined: { port },
+            boolean_undefined: { allButLocalhost },
+        });
         const match = allButLocalhost ? ((x) => !(0, misc_1.isLocalHost)(x.ip))
             : lodash_1.default.matches({ ip, port });
         const found = (0, connections_1.getConnections)().filter(c => match(getConnAddress(c)));

package/src/api.net.js CHANGED Viewed

@@ -44,6 +44,7 @@ exports.default = {
         return {};
     },
     async map_port({ external, internal }) {
+        (0, misc_1.apiAssertTypes)({ number_undefined: { external, internal } });
         const { upnp, externalPort, internalPort } = await (0, nat_1.getNatInfo)();
         if (!upnp)
             return new apiMiddleware_1.ApiError(const_1.HTTP_SERVICE_UNAVAILABLE, "upnp failed");
@@ -64,6 +65,7 @@ exports.default = {
         return {};
     },
     async self_check({ url }) {
+        (0, misc_1.apiAssertTypes)({ string_undefined: { url } });
         if (url)
             return await (0, selfCheck_1.selfCheck)(url)
                 || new apiMiddleware_1.ApiError(const_1.HTTP_SERVICE_UNAVAILABLE);
@@ -79,6 +81,9 @@ exports.default = {
         return results.length ? results : new apiMiddleware_1.ApiError(const_1.HTTP_SERVICE_UNAVAILABLE);
     },
     async make_cert({ domain, email, altNames }) {
+        (0, misc_1.apiAssertTypes)({ string: { domain }, string_undefined: { email }, array_undefined: { altNames } });
+        if (altNames?.some((name) => typeof name !== 'string'))
+            return new apiMiddleware_1.ApiError(const_1.HTTP_BAD_REQUEST, 'bad altNames');
         await (0, acme_1.makeCert)(domain, email, altNames).catch(e => {
             throw new apiMiddleware_1.ApiError(const_1.HTTP_SERVER_ERROR, e.message || String(e));
         });