npm - hfs - Versions diffs - 3.0.7 → 3.1.0-alpha2 - Mend

hfs 3.0.7 → 3.1.0-alpha2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (317) hide show

package/README.md +1 -1
package/admin/assets/index-CDiYkO8j.css +1 -0
package/admin/assets/index-Dm5BN1iZ.js +1 -0
package/admin/assets/index-P5i8LyWl.js +822 -0
package/admin/assets/{sha512-gDcjPgJS.js → sha512-DG-ElrDe.js} +1 -1
package/admin/flags/freakflags.css +284 -0
package/admin/flags/sprite.png +0 -0
package/admin/index.html +3 -2
package/frontend/assets/index-legacy-CG_og8xL.js +1 -0
package/frontend/assets/index-legacy-DDLKWGcm.js +9 -0
package/frontend/assets/{sha512-legacy-BBwwadDl.js → sha512-legacy-D1zEZzDe.js} +1 -1
package/frontend/fontello.css +3 -1
package/frontend/fontello.woff2 +0 -0
package/frontend/index.html +1 -1
package/npm-shrinkwrap.json +16409 -0
package/package.json +12 -11
package/plugins/antibrute/plugin.js +14 -3
package/src/AsapStream.js +49 -0
package/src/ThrottledStream.js +1 -1
package/src/adminApis.js +16 -5
package/src/api.accounts.js +1 -6
package/src/api.auth.js +103 -100
package/src/api.get_file_list.js +7 -0
package/src/api.lang.js +1 -0
package/src/api.log.js +5 -3
package/src/api.monitor.js +5 -0
package/src/api.net.js +5 -0
package/src/api.plugins.js +13 -2
package/src/api.vfs.js +41 -28
package/src/apiMiddleware.js +5 -4
package/src/auth.js +39 -6
package/src/commands.js +16 -27
package/src/comments.js +4 -4
package/src/config.js +5 -2
package/src/const.js +2 -16
package/src/cross-const.js +5 -2
package/src/cross.js +21 -15
package/src/expiringCache.js +16 -5
package/src/fileAttr.js +1 -1
package/src/first.js +7 -4
package/src/frontEndApis.js +88 -102
package/src/github.js +32 -21
package/src/ips.js +1 -1
package/src/log.js +5 -3
package/src/middlewares.js +2 -1
package/src/misc.js +2 -20
package/src/perm.js +27 -12
package/src/persistence.js +1 -1
package/src/plugins.js +12 -6
package/src/serveFile.js +3 -3
package/src/serveGuiAndSharedFiles.js +3 -0
package/src/serveGuiFiles.js +2 -1
package/src/srp.js +5 -6
package/src/stat.js +4 -1
package/src/update.js +18 -25
package/src/upload.js +4 -3
package/src/util-files.js +2 -1
package/src/util-http.js +3 -3
package/src/vfs.js +4 -2
package/src/webdav.js +297 -0
package/admin/assets/index-Bj9Dk3JN.js +0 -822
package/admin/assets/index-Byv1_NxP.css +0 -1
package/admin/flags/ad.png +0 -0
package/admin/flags/ae.png +0 -0
package/admin/flags/af.png +0 -0
package/admin/flags/ag.png +0 -0
package/admin/flags/ai.png +0 -0
package/admin/flags/al.png +0 -0
package/admin/flags/am.png +0 -0
package/admin/flags/ao.png +0 -0
package/admin/flags/aq.png +0 -0
package/admin/flags/ar.png +0 -0
package/admin/flags/as.png +0 -0
package/admin/flags/at.png +0 -0
package/admin/flags/au.png +0 -0
package/admin/flags/aw.png +0 -0
package/admin/flags/ax.png +0 -0
package/admin/flags/az.png +0 -0
package/admin/flags/ba.png +0 -0
package/admin/flags/bb.png +0 -0
package/admin/flags/bd.png +0 -0
package/admin/flags/be.png +0 -0
package/admin/flags/bf.png +0 -0
package/admin/flags/bg.png +0 -0
package/admin/flags/bh.png +0 -0
package/admin/flags/bi.png +0 -0
package/admin/flags/bj.png +0 -0
package/admin/flags/bl.png +0 -0
package/admin/flags/bm.png +0 -0
package/admin/flags/bn.png +0 -0
package/admin/flags/bo.png +0 -0
package/admin/flags/bq.png +0 -0
package/admin/flags/br.png +0 -0
package/admin/flags/bs.png +0 -0
package/admin/flags/bt.png +0 -0
package/admin/flags/bv.png +0 -0
package/admin/flags/bw.png +0 -0
package/admin/flags/by.png +0 -0
package/admin/flags/bz.png +0 -0
package/admin/flags/ca.png +0 -0
package/admin/flags/cc.png +0 -0
package/admin/flags/cd.png +0 -0
package/admin/flags/cf.png +0 -0
package/admin/flags/cg.png +0 -0
package/admin/flags/ch.png +0 -0
package/admin/flags/ci.png +0 -0
package/admin/flags/ck.png +0 -0
package/admin/flags/cl.png +0 -0
package/admin/flags/cm.png +0 -0
package/admin/flags/cn.png +0 -0
package/admin/flags/co.png +0 -0
package/admin/flags/cr.png +0 -0
package/admin/flags/cu.png +0 -0
package/admin/flags/cv.png +0 -0
package/admin/flags/cw.png +0 -0
package/admin/flags/cx.png +0 -0
package/admin/flags/cy.png +0 -0
package/admin/flags/cz.png +0 -0
package/admin/flags/de.png +0 -0
package/admin/flags/dj.png +0 -0
package/admin/flags/dk.png +0 -0
package/admin/flags/dm.png +0 -0
package/admin/flags/do.png +0 -0
package/admin/flags/dz.png +0 -0
package/admin/flags/ec.png +0 -0
package/admin/flags/ee.png +0 -0
package/admin/flags/eg.png +0 -0
package/admin/flags/eh.png +0 -0
package/admin/flags/er.png +0 -0
package/admin/flags/es.png +0 -0
package/admin/flags/et.png +0 -0
package/admin/flags/fi.png +0 -0
package/admin/flags/fj.png +0 -0
package/admin/flags/fk.png +0 -0
package/admin/flags/fm.png +0 -0
package/admin/flags/fo.png +0 -0
package/admin/flags/fr.png +0 -0
package/admin/flags/ga.png +0 -0
package/admin/flags/gb-eng.png +0 -0
package/admin/flags/gb-nir.png +0 -0
package/admin/flags/gb-sct.png +0 -0
package/admin/flags/gb-wls.png +0 -0
package/admin/flags/gb.png +0 -0
package/admin/flags/gd.png +0 -0
package/admin/flags/ge.png +0 -0
package/admin/flags/gf.png +0 -0
package/admin/flags/gg.png +0 -0
package/admin/flags/gh.png +0 -0
package/admin/flags/gi.png +0 -0
package/admin/flags/gl.png +0 -0
package/admin/flags/gm.png +0 -0
package/admin/flags/gn.png +0 -0
package/admin/flags/gp.png +0 -0
package/admin/flags/gq.png +0 -0
package/admin/flags/gr.png +0 -0
package/admin/flags/gs.png +0 -0
package/admin/flags/gt.png +0 -0
package/admin/flags/gu.png +0 -0
package/admin/flags/gw.png +0 -0
package/admin/flags/gy.png +0 -0
package/admin/flags/hk.png +0 -0
package/admin/flags/hm.png +0 -0
package/admin/flags/hn.png +0 -0
package/admin/flags/hr.png +0 -0
package/admin/flags/ht.png +0 -0
package/admin/flags/hu.png +0 -0
package/admin/flags/id.png +0 -0
package/admin/flags/ie.png +0 -0
package/admin/flags/il.png +0 -0
package/admin/flags/im.png +0 -0
package/admin/flags/in.png +0 -0
package/admin/flags/io.png +0 -0
package/admin/flags/iq.png +0 -0
package/admin/flags/ir.png +0 -0
package/admin/flags/is.png +0 -0
package/admin/flags/it.png +0 -0
package/admin/flags/je.png +0 -0
package/admin/flags/jm.png +0 -0
package/admin/flags/jo.png +0 -0
package/admin/flags/jp.png +0 -0
package/admin/flags/ke.png +0 -0
package/admin/flags/kg.png +0 -0
package/admin/flags/kh.png +0 -0
package/admin/flags/ki.png +0 -0
package/admin/flags/km.png +0 -0
package/admin/flags/kn.png +0 -0
package/admin/flags/kp.png +0 -0
package/admin/flags/kr.png +0 -0
package/admin/flags/kw.png +0 -0
package/admin/flags/ky.png +0 -0
package/admin/flags/kz.png +0 -0
package/admin/flags/la.png +0 -0
package/admin/flags/lb.png +0 -0
package/admin/flags/lc.png +0 -0
package/admin/flags/li.png +0 -0
package/admin/flags/lk.png +0 -0
package/admin/flags/lr.png +0 -0
package/admin/flags/ls.png +0 -0
package/admin/flags/lt.png +0 -0
package/admin/flags/lu.png +0 -0
package/admin/flags/lv.png +0 -0
package/admin/flags/ly.png +0 -0
package/admin/flags/ma.png +0 -0
package/admin/flags/mc.png +0 -0
package/admin/flags/md.png +0 -0
package/admin/flags/me.png +0 -0
package/admin/flags/mf.png +0 -0
package/admin/flags/mg.png +0 -0
package/admin/flags/mh.png +0 -0
package/admin/flags/mk.png +0 -0
package/admin/flags/ml.png +0 -0
package/admin/flags/mm.png +0 -0
package/admin/flags/mn.png +0 -0
package/admin/flags/mo.png +0 -0
package/admin/flags/mp.png +0 -0
package/admin/flags/mq.png +0 -0
package/admin/flags/mr.png +0 -0
package/admin/flags/ms.png +0 -0
package/admin/flags/mt.png +0 -0
package/admin/flags/mu.png +0 -0
package/admin/flags/mv.png +0 -0
package/admin/flags/mw.png +0 -0
package/admin/flags/mx.png +0 -0
package/admin/flags/my.png +0 -0
package/admin/flags/mz.png +0 -0
package/admin/flags/na.png +0 -0
package/admin/flags/nc.png +0 -0
package/admin/flags/ne.png +0 -0
package/admin/flags/nf.png +0 -0
package/admin/flags/ng.png +0 -0
package/admin/flags/ni.png +0 -0
package/admin/flags/nl.png +0 -0
package/admin/flags/no.png +0 -0
package/admin/flags/np.png +0 -0
package/admin/flags/nr.png +0 -0
package/admin/flags/nu.png +0 -0
package/admin/flags/nz.png +0 -0
package/admin/flags/om.png +0 -0
package/admin/flags/pa.png +0 -0
package/admin/flags/pe.png +0 -0
package/admin/flags/pf.png +0 -0
package/admin/flags/pg.png +0 -0
package/admin/flags/ph.png +0 -0
package/admin/flags/pk.png +0 -0
package/admin/flags/pl.png +0 -0
package/admin/flags/pm.png +0 -0
package/admin/flags/pn.png +0 -0
package/admin/flags/pr.png +0 -0
package/admin/flags/ps.png +0 -0
package/admin/flags/pt.png +0 -0
package/admin/flags/pw.png +0 -0
package/admin/flags/py.png +0 -0
package/admin/flags/qa.png +0 -0
package/admin/flags/re.png +0 -0
package/admin/flags/ro.png +0 -0
package/admin/flags/rs.png +0 -0
package/admin/flags/ru.png +0 -0
package/admin/flags/rw.png +0 -0
package/admin/flags/sa.png +0 -0
package/admin/flags/sb.png +0 -0
package/admin/flags/sc.png +0 -0
package/admin/flags/sd.png +0 -0
package/admin/flags/se.png +0 -0
package/admin/flags/sg.png +0 -0
package/admin/flags/sh.png +0 -0
package/admin/flags/si.png +0 -0
package/admin/flags/sj.png +0 -0
package/admin/flags/sk.png +0 -0
package/admin/flags/sl.png +0 -0
package/admin/flags/sm.png +0 -0
package/admin/flags/sn.png +0 -0
package/admin/flags/so.png +0 -0
package/admin/flags/sr.png +0 -0
package/admin/flags/ss.png +0 -0
package/admin/flags/st.png +0 -0
package/admin/flags/sv.png +0 -0
package/admin/flags/sx.png +0 -0
package/admin/flags/sy.png +0 -0
package/admin/flags/sz.png +0 -0
package/admin/flags/tc.png +0 -0
package/admin/flags/td.png +0 -0
package/admin/flags/tf.png +0 -0
package/admin/flags/tg.png +0 -0
package/admin/flags/th.png +0 -0
package/admin/flags/tj.png +0 -0
package/admin/flags/tk.png +0 -0
package/admin/flags/tl.png +0 -0
package/admin/flags/tm.png +0 -0
package/admin/flags/tn.png +0 -0
package/admin/flags/to.png +0 -0
package/admin/flags/tr.png +0 -0
package/admin/flags/tt.png +0 -0
package/admin/flags/tv.png +0 -0
package/admin/flags/tw.png +0 -0
package/admin/flags/tz.png +0 -0
package/admin/flags/ua.png +0 -0
package/admin/flags/ug.png +0 -0
package/admin/flags/um.png +0 -0
package/admin/flags/us.png +0 -0
package/admin/flags/uy.png +0 -0
package/admin/flags/uz.png +0 -0
package/admin/flags/va.png +0 -0
package/admin/flags/vc.png +0 -0
package/admin/flags/ve.png +0 -0
package/admin/flags/vg.png +0 -0
package/admin/flags/vi.png +0 -0
package/admin/flags/vn.png +0 -0
package/admin/flags/vu.png +0 -0
package/admin/flags/wf.png +0 -0
package/admin/flags/ws.png +0 -0
package/admin/flags/xk.png +0 -0
package/admin/flags/ye.png +0 -0
package/admin/flags/yt.png +0 -0
package/admin/flags/za.png +0 -0
package/admin/flags/zm.png +0 -0
package/admin/flags/zw.png +0 -0
package/frontend/assets/index-legacy-COBT1YmS.js +0 -50

package/src/expiringCache.js CHANGED Viewed

@@ -2,15 +2,26 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.expiringCache = expiringCache;
 function expiringCache(ttlMs) {
+    if (!ttlMs)
+        throw Error('invalid TTL');
     const o = new Map();
     return Object.assign(o, {
+        // creator can return undefined if the value should not be cached. `invalidate` is useful in case you have some custom logic for it, other than ttl.
         try(k, creator) {
             let ret = o.get(k);
-            if (ret === undefined) {
-                ret = creator();
-                o.set(k, ret);
-                // in case of async, wait for it to be done before starting the timer
-                Promise.resolve(ret).finally(() => setTimeout(() => o.delete(k), ttlMs)).catch(() => { });
+            if (ret === undefined) { // undefined = missing, as we don't accept this value in our cache
+                ret = creator(invalidate);
+                if (ret !== undefined) {
+                    o.set(k, ret);
+                    Promise.resolve(ret).then(v => {
+                        if (v === undefined) // even in a promise, we'll consider undefined as a request to cancel the caching
+                            invalidate();
+                    }, () => { }) // avoid js warning
+                        .finally(() => setTimeout(invalidate, ttlMs)); // wait for async (in case) before starting the timer
+                }
+                function invalidate() {
+                    o.delete(k);
+                }
             }
             return ret;
         },

package/src/fileAttr.js CHANGED Viewed

@@ -16,7 +16,7 @@ const fsx = (0, cross_1.try_)(() => {
     return { set: (0, util_1.promisify)(lib.set), get: (0, util_1.promisify)(lib.get) };
 }, () => console.warn('fs-x-attributes not available'));
 const fileAttrDb = new kvstorage_1.KvStorage({ defaultPutDelay: 1000, maxPutDelay: 5000 });
-(0, first_1.onProcessExit)(() => fileAttrDb.flush());
+(0, first_1.onProcessExit)(() => fileAttrDb.close());
 const FN = 'file-attr.kv';
 (0, promises_1.access)(FN).then(() => fileAttrDb.open(FN).catch(e => console.error(String(e))), () => { });
 const FILE_ATTR_PREFIX = 'user.hfs.'; // user. prefix to be linux compatible

package/src/first.js CHANGED Viewed

@@ -9,12 +9,15 @@ function onProcessExit(cb) {
     return () => cbsOnExit.delete(cb);
 }
 exports.quitting = false;
-onProcessExit(() => exports.quitting = true);
 // 'exit' event is handled as the last resort, but it's not compatible with async callbacks
-onFirstEvent(process, ['exit', 'SIGQUIT', 'SIGTERM', 'SIGINT', 'SIGHUP'], signal => Promise.allSettled(Array.from(cbsOnExit).map(cb => cb(signal))).then(() => {
+onFirstEvent(process, ['exit', 'SIGQUIT', 'SIGTERM', 'SIGINT', 'SIGHUP'], signal => {
+    exports.quitting = true;
     console.log('quitting', signal || '');
-    process.exit(0);
-}));
+    return Promise.allSettled(Array.from(cbsOnExit).map(cb => cb(signal))).then(() => {
+        console.debug('process exit');
+        process.exit(0);
+    });
+});
 // keep calling cb in a sync fashion – returning a promise instead would break the code for argv.updating (update.ts)
 function onFirstEvent(emitter, events, cb) {
     let already = false;

package/src/frontEndApis.js CHANGED Viewed

@@ -1,47 +1,16 @@
 "use strict";
 // This file is part of HFS - Copyright 2021-2023, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.frontEndApis = void 0;
 exports.notifyClient = notifyClient;
+exports.moveFiles = moveFiles;
+exports.requestedRename = requestedRename;
 const apiMiddleware_1 = require("./apiMiddleware");
 const api_get_file_list_1 = require("./api.get_file_list");
-const api_auth = __importStar(require("./api.auth"));
+const api_auth_1 = require("./api.auth");
 const events_1 = __importDefault(require("./events"));
 const util_files_1 = require("./util-files");
 const const_1 = require("./const");
@@ -58,7 +27,7 @@ const lodash_1 = __importDefault(require("lodash"));
 const partialFolderSize = {};
 exports.frontEndApis = {
     get_file_list: api_get_file_list_1.get_file_list,
-    ...api_auth,
+    ...api_auth_1.authApis,
     get_notifications({ channel }, ctx) {
         (0, misc_1.apiAssertTypes)({ string: { channel } });
         const list = new SendList_1.SendListReadable();
@@ -70,7 +39,7 @@ exports.frontEndApis = {
         });
     },
     async get_file_details({ uris }, ctx) {
-        if (typeof uris?.[0] !== 'string')
+        if (!Array.isArray(uris) || typeof uris[0] !== 'string')
             return new apiMiddleware_1.ApiError(const_1.HTTP_BAD_REQUEST, 'bad uris');
         const isAdmin = (0, adminApis_1.ctxAdminAccess)(ctx);
         return {
@@ -97,7 +66,7 @@ exports.frontEndApis = {
         catch {
             return new apiMiddleware_1.ApiError(const_1.HTTP_BAD_REQUEST);
         }
-        if (!(0, util_files_1.isValidFileName)(name))
+        if (!name || !(0, util_files_1.isValidFileName)(name))
             return new apiMiddleware_1.ApiError(const_1.HTTP_BAD_REQUEST, 'bad name');
         const parentNode = await (0, vfs_1.urlToNode)(uri, ctx);
         if (!parentNode)
@@ -124,76 +93,19 @@ exports.frontEndApis = {
         }
         const node = await (0, vfs_1.urlToNode)(uri, ctx);
         if (!node)
-            return new apiMiddleware_1.ApiError(const_1.HTTP_NOT_FOUND);
+            throw new apiMiddleware_1.ApiError(const_1.HTTP_NOT_FOUND);
         if ((0, vfs_1.isRoot)(node) || !(0, util_files_1.isValidFileName)(dest))
             return new apiMiddleware_1.ApiError(const_1.HTTP_FORBIDDEN);
-        if ((0, vfs_1.statusCodeForMissingPerm)(node, 'can_delete', ctx))
-            return new apiMiddleware_1.ApiError(ctx.status);
-        if (!node.source)
-            return new apiMiddleware_1.ApiError(const_1.HTTP_FAILED_DEPENDENCY);
-        const destNode = await (0, vfs_1.urlToNode)((0, misc_1.pathEncode)(dest), ctx, node.parent);
-        if (destNode && (0, vfs_1.statusCodeForMissingPerm)(destNode, 'can_delete', ctx)) // if destination exists, you need delete permission
-            return new apiMiddleware_1.ApiError(ctx.status);
-        try {
-            const destSource = (0, path_1.join)((0, path_1.dirname)(node.source), dest);
-            await (0, promises_1.rename)(node.source, destSource);
-            (0, comments_1.getCommentFor)(node.source).then(c => {
-                if (!c)
-                    return;
-                void (0, comments_1.setCommentFor)(node.source, '');
-                void (0, comments_1.setCommentFor)(destSource, c);
-            });
-            return {};
-        }
-        catch (e) {
-            return new apiMiddleware_1.ApiError(const_1.HTTP_SERVER_ERROR, e);
-        }
+        await requestedRename(node, dest, ctx);
+        return {};
     },
-    async move_files({ uri_from, uri_to }, ctx, override) {
-        (0, misc_1.apiAssertTypes)({ array: { uri_from }, string: { uri_to } });
-        try {
-            ctx.logExtra(null, { target: uri_from.map(misc_1.pathDecode), destination: (0, misc_1.pathDecode)(uri_to) });
-        }
-        catch {
-            return new apiMiddleware_1.ApiError(const_1.HTTP_BAD_REQUEST);
-        }
-        const destNode = await (0, vfs_1.urlToNode)(uri_to, ctx);
-        const err = !destNode ? const_1.HTTP_NOT_FOUND
-            : !(0, vfs_1.nodeIsFolder)(destNode) ? const_1.HTTP_METHOD_NOT_ALLOWED
-                : (0, vfs_1.statusCodeForMissingPerm)(destNode, 'can_upload', ctx);
-        if (err)
-            return new apiMiddleware_1.ApiError(err);
-        return {
-            errors: await Promise.all(uri_from.map(async (from1) => {
-                if (typeof from1 !== 'string')
-                    return const_1.HTTP_BAD_REQUEST;
-                const srcNode = await (0, vfs_1.urlToNode)(from1, ctx);
-                const src = srcNode?.source;
-                if (!src)
-                    return const_1.HTTP_NOT_FOUND;
-                const destName = (0, path_1.basename)(src);
-                const destChild = await (0, vfs_1.urlToNode)(destName, ctx, destNode);
-                if (destChild && (0, vfs_1.statusCodeForMissingPerm)(destChild, 'can_delete', ctx))
-                    return ctx.status;
-                const dest = (0, path_1.join)(destNode.source, destName);
-                if (lodash_1.default.isFunction(override))
-                    return override?.(srcNode, dest);
-                return (0, vfs_1.statusCodeForMissingPerm)(srcNode, 'can_delete', ctx)
-                    || (0, promises_1.rename)(src, dest).catch(async (e) => {
-                        if (e.code !== 'EXDEV')
-                            throw e; // exdev = different drive
-                        await (0, promises_1.copyFile)(src, dest);
-                        await (0, promises_1.unlink)(src);
-                    }).catch(e => e.code || String(e));
-            }))
-        };
+    async move_files({ uri_from, uri_to }, ctx) {
+        return moveFiles(uri_from, uri_to, ctx);
     },
-    async copy_files(params, ctx) {
-        return exports.frontEndApis.move_files(params, ctx, // same parameters
-        (srcNode, dest) => // but override behavior
+    async copy_files({ uri_from, uri_to }, ctx) {
+        return moveFiles(uri_from, uri_to, ctx, (srcNode, dest) => // override behavior
          (0, vfs_1.statusCodeForMissingPerm)(srcNode, 'can_read', ctx)
-            // .source is checked by move_files
-            || (0, promises_1.copyFile)(srcNode.source, dest, fs_1.default.constants.COPYFILE_EXCL | fs_1.default.constants.COPYFILE_FICLONE)
+            || (0, promises_1.copyFile)(srcNode.source, dest, fs_1.default.constants.COPYFILE_EXCL | fs_1.default.constants.COPYFILE_FICLONE) // .source is checked by moveFiles
                 .catch(e => e.code || String(e)));
     },
     async comment({ uri, comment }, ctx) {
@@ -243,3 +155,77 @@ function notifyClient(channel, name, data) {
     events_1.default.emit(NOTIFICATION_PREFIX + channel, name, data);
 }
 const NOTIFICATION_PREFIX = 'notificationChannel:';
+async function moveFiles(uri_from, uri_to, ctx, override) {
+    (0, misc_1.apiAssertTypes)({ array: { uri_from }, string: { uri_to } });
+    try {
+        ctx.logExtra(null, { target: uri_from.map(misc_1.pathDecode), destination: (0, misc_1.pathDecode)(uri_to) });
+    }
+    catch {
+        return new apiMiddleware_1.ApiError(const_1.HTTP_BAD_REQUEST);
+    }
+    const destNode = await (0, vfs_1.urlToNode)(uri_to, ctx);
+    const err = !destNode ? const_1.HTTP_NOT_FOUND
+        : !(0, vfs_1.nodeIsFolder)(destNode) ? const_1.HTTP_METHOD_NOT_ALLOWED
+            : (0, vfs_1.statusCodeForMissingPerm)(destNode, 'can_upload', ctx);
+    if (err)
+        return new apiMiddleware_1.ApiError(err);
+    return {
+        errors: await Promise.all(uri_from.map(async (from1) => {
+            if (typeof from1 !== 'string')
+                return const_1.HTTP_BAD_REQUEST;
+            const srcNode = await (0, vfs_1.urlToNode)(from1, ctx);
+            const src = srcNode?.source;
+            if (!src)
+                return const_1.HTTP_NOT_FOUND;
+            const destName = (0, path_1.basename)(src);
+            const destChild = await (0, vfs_1.urlToNode)(destName, ctx, destNode);
+            if (destChild && (0, vfs_1.statusCodeForMissingPerm)(destChild, 'can_delete', ctx))
+                return ctx.status;
+            const dest = (0, path_1.join)(destNode.source, destName);
+            if (lodash_1.default.isFunction(override))
+                return override?.(srcNode, dest);
+            return (0, vfs_1.statusCodeForMissingPerm)(srcNode, 'can_delete', ctx)
+                || (0, promises_1.rename)(src, dest).catch(async (e) => {
+                    if (e.code !== 'EXDEV')
+                        throw e; // exdev = different drive
+                    await (0, promises_1.copyFile)(src, dest);
+                    await (0, promises_1.unlink)(src);
+                }).catch(e => e.code || String(e));
+        }))
+    };
+}
+async function requestedRename(node, newName, ctx) {
+    if (!node)
+        throw new apiMiddleware_1.ApiError(const_1.HTTP_NOT_FOUND);
+    if ((0, vfs_1.statusCodeForMissingPerm)(node, 'can_delete', ctx))
+        return new apiMiddleware_1.ApiError(ctx.status);
+    try {
+        if (node.name) // virtual name = virtual rename
+            node.name = newName;
+        else {
+            if (!node.source)
+                throw new apiMiddleware_1.ApiError(const_1.HTTP_FAILED_DEPENDENCY);
+            const destNode = await (0, vfs_1.urlToNode)((0, misc_1.pathEncode)(newName), ctx, node.parent);
+            if (destNode && (0, vfs_1.statusCodeForMissingPerm)(destNode, 'can_delete', ctx)) // if destination exists, you need delete permission
+                return new apiMiddleware_1.ApiError(ctx.status);
+            try {
+                const destSource = (0, path_1.join)((0, path_1.dirname)(node.source), newName);
+                await (0, promises_1.rename)(node.source, destSource);
+                (0, comments_1.getCommentFor)(node.source).then(c => {
+                    if (!c)
+                        return;
+                    void (0, comments_1.setCommentFor)(node.source, '');
+                    void (0, comments_1.setCommentFor)(destSource, c);
+                });
+                return {};
+            }
+            catch (e) {
+                return new apiMiddleware_1.ApiError(const_1.HTTP_SERVER_ERROR, e);
+            }
+        }
+        return;
+    }
+    catch (e) {
+        throw new apiMiddleware_1.ApiError(const_1.HTTP_SERVER_ERROR, e);
+    }
+}

package/src/github.js CHANGED Viewed

@@ -235,27 +235,38 @@ async function isPluginBlacklisted(repo) {
     return (0, exports.getProjectInfo)().then(x => x?.repo_blacklist?.[repo]?.message || '', () => undefined);
 }
 async function searchPlugins(text = '', { skipRepos = [''] } = {}) {
-    // github doesn't allow complex search, so we have to do it multiple times and merge the results
-    const searches = [
-        ...text.split(' ').filter(Boolean).slice(0, 2).map(x => 'user:' + encodeURI(x)), // first 2 words can be the author of the plugin
-        encodeURI(text), // search elsewhere, and results after the author search
-    ];
-    const list = await Promise.all(searches.map(x => (0, misc_1.asyncGeneratorToArray)(apiGithubPaginated(`search/repositories?q=topic:hfs-plugin+${x}`))));
-    const deduped = lodash_1.default.uniqBy(list.flat(), x => x.full_name);
-    return new misc_1.AsapStream(deduped.map(async (it) => {
-        const repo = it.full_name;
-        if (skipRepos.includes(repo) || await isPluginBlacklisted(repo))
-            return;
-        const pl = await readOnlineCompatiblePlugin(repo, it.default_branch).catch(() => undefined);
-        if (!pl)
-            return;
-        Object.assign(pl, {
-            repo, // overwrite parsed value, that may be wrong
-            downloading: exports.downloading[repo],
-            license: it.license?.spdx_id,
-        }, lodash_1.default.pick(it, ['pushed_at', 'stargazers_count', 'default_branch']));
-        return pl;
-    }));
+    const seen = new Set();
+    return new misc_1.AsapStream(pluginPromises());
+    async function* pluginPromises() {
+        // github doesn't allow complex search, so we have to do it multiple times and merge the results
+        const searches = [
+            ...text.split(' ').filter(Boolean).slice(0, 2).map(x => 'user:' + encodeURI(x)), // first 2 words can be the author of the plugin
+            encodeURI(text), // search elsewhere, and results after the author search
+        ];
+        for (const term of searches) {
+            for await (const it of apiGithubPaginated(`search/repositories?q=topic:hfs-plugin+${term}`)) {
+                const repo = it.full_name;
+                if (!repo || seen.has(repo)) // avoid duplicates, as we search multiple times
+                    continue;
+                seen.add(repo);
+                if (skipRepos.includes(repo))
+                    continue;
+                yield (async () => {
+                    if (await isPluginBlacklisted(repo))
+                        return;
+                    const pl = await readOnlineCompatiblePlugin(repo, it.default_branch).catch(() => undefined);
+                    if (!pl)
+                        return;
+                    Object.assign(pl, {
+                        repo,
+                        downloading: exports.downloading[repo],
+                        license: it.license?.spdx_id,
+                    }, lodash_1.default.pick(it, ['pushed_at', 'stargazers_count', 'default_branch']));
+                    return pl;
+                })();
+            }
+        }
+    }
 }
 exports.alerts = persistence_1.storedMap.singleSync('alerts', []);
 const cachedCentralInfo = persistence_1.storedMap.singleSync('cachedCentralInfo', ''); // persisting it could also be useful for no-internet instances, so that you can provide a fresher copy

package/src/ips.js CHANGED Viewed

@@ -12,7 +12,7 @@ exports.ips = new kvstorage_1.KvStorage({
     maxPutDelay: 10 * misc_1.MINUTE,
     maxPutDelayCreate: 0,
 });
-(0, first_1.onProcessExit)(() => exports.ips.flush());
+(0, first_1.onProcessExit)(() => exports.ips.close());
 const trackIpsMw = async (ctx, next) => {
     if (exports.ips.isOpen() && !(0, misc_1.isLocalHost)(ctx))
         exports.ips.put(ctx.ip, { ts: new Date, country: ctx.state.connection.country });

package/src/log.js CHANGED Viewed

@@ -106,10 +106,12 @@ const logMw = async (ctx, next) => {
     // do it now so it's available for returning plugins
     ctx.state.completed = Promise.race([(0, events_1.once)(ctx.res, 'finish'), (0, events_1.once)(ctx.res, 'close')]);
     await next();
-    console.debug(ctx.status, ctx.method, ctx.originalUrl, ctx.isAborted() ? '(aborted)' : '');
+    if (!ctx.state.dontLog) // with Finder's webdav spam, it's best to not report even in console
+        console.debug(ctx.status, ctx.method, ctx.originalUrl, ctx.isAborted() ? '(aborted)' : '');
     if (!logSpam.get()
-        && (ctx.querystring.includes('{.exec|')
-            || ctx.status === misc_1.HTTP_NOT_FOUND && /wlwmanifest.xml$|robots.txt$|\.(php)$|cgi/.test(ctx.path))) {
+        && (ctx.querystring.includes('{.exec|') // v2's bug
+            // requests generated by security scanners, other bots, and macos' finder
+            || ctx.status === misc_1.HTTP_NOT_FOUND && /wlwmanifest.xml$|\.(php)$|cgi|robots.txt$/.test(ctx.path))) {
         events_2.default.emit('spam', ctx);
         return;
     }

package/src/middlewares.js CHANGED Viewed

@@ -27,8 +27,9 @@ const allowAuthorizationHeader = (0, config_1.defineConfig)('authorization_heade
 exports.sessionDuration = (0, config_1.defineConfig)('session_duration', Number(process.env.SESSION_DURATION) || misc_1.DAY / 1000, v => v * 1000);
 exports.gzipper = (0, koa_compress_1.default)({
     threshold: 2048,
-    gzip: { flush: zlib_1.constants.Z_SYNC_FLUSH },
+    gzip: { flush: zlib_1.constants.Z_SYNC_FLUSH }, // flush is necessary for SSE, at least in Chrome145
     deflate: { flush: zlib_1.constants.Z_SYNC_FLUSH },
+    zstd: { flush: zlib_1.constants.Z_SYNC_FLUSH },
     br: false, // disable brotli
     filter(type) {
         return /text|javascript|style/i.test(type);

package/src/misc.js CHANGED Viewed

@@ -18,7 +18,6 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.AsapStream = void 0;
 exports.pattern2filter = pattern2filter;
 exports.isLocalHost = isLocalHost;
 exports.netMatches = netMatches;
@@ -33,6 +32,7 @@ __exportStar(require("./util-files"), exports);
 __exportStar(require("./fileAttr"), exports);
 __exportStar(require("./cross"), exports);
 __exportStar(require("./debounceAsync"), exports);
+__exportStar(require("./AsapStream"), exports);
 const stream_1 = require("stream");
 const node_net_1 = require("node:net");
 const apiMiddleware_1 = require("./apiMiddleware");
@@ -131,30 +131,12 @@ function asyncGeneratorToReadable(generator) {
         }
     });
 }
-// produces as promises resolve, not sequentially
-class AsapStream extends stream_1.Readable {
-    promises;
-    finished = false;
-    constructor(promises) {
-        super({ objectMode: true });
-        this.promises = promises;
-    }
-    _read() {
-        if (this.finished)
-            return;
-        this.finished = true;
-        for (const p of this.promises)
-            p.then(x => x !== undefined && this.push(x), e => this.emit('error', e));
-        Promise.allSettled(this.promises).then(() => this.push(null));
-    }
-}
-exports.AsapStream = AsapStream;
 function apiAssertTypes(paramsByType) {
     for (const [types, params] of Object.entries(paramsByType)) {
         if (!lodash_1.default.isPlainObject(params))
             throw "invalid apiAssertTypes call";
         for (const [name, val] of Object.entries(params))
-            if (!types.split('_').some(type => type === 'array' ? Array.isArray(val) : typeof val === type))
+            if (!types.split('_').some(t => t === 'array' ? Array.isArray(val) : t === 'object' ? lodash_1.default.isPlainObject(val) : typeof val === t))
                 throw new apiMiddleware_1.ApiError(const_1.HTTP_BAD_REQUEST, 'bad ' + name);
     }
 }

package/src/perm.js CHANGED Viewed

@@ -22,23 +22,21 @@ exports.accountCanLogin = accountCanLogin;
 exports.accountIsDisabled = accountIsDisabled;
 exports.accountCanLoginAdmin = accountCanLoginAdmin;
 exports.accountCanChangePassword = accountCanChangePassword;
-exports.changeSrpHelper = changeSrpHelper;
 const lodash_1 = __importDefault(require("lodash"));
 const misc_1 = require("./misc");
 const config_1 = require("./config");
 const tssrp6a_1 = require("tssrp6a");
 const events_1 = __importDefault(require("./events"));
-const apiMiddleware_1 = require("./apiMiddleware");
 const auth_1 = require("./auth");
 // provides the username and all other usernames it inherits based on the 'belongs' attribute. Useful to check permissions
 function expandUsername(who) {
-    const ret = [];
+    const ret = new Set();
     const q = [who];
     for (const u of q) {
         const a = getAccount(u);
         if (!a || a.disabled)
             continue;
-        ret.push(u);
+        ret.add(u);
         if (a.belongs)
             q.push(...a.belongs);
     }
@@ -46,8 +44,8 @@ function expandUsername(who) {
 }
 // check if current username or any ancestor match the provided usernames
 function ctxBelongsTo(ctx, usernames) {
-    return (ctx.state.usernames ||= expandUsername((0, auth_1.getCurrentUsername)(ctx))) // cache ancestors' usernames inside context state
-        .some((u) => usernames.includes(u));
+    const s = ctx.state.usernames ||= expandUsername((0, auth_1.getCurrentUsername)(ctx));
+    return usernames.some(u => s.has(u)); // cache ancestors' usernames inside context state
 }
 function getUsernames() {
     return Object.keys(exports.accounts.get());
@@ -125,7 +123,30 @@ exports.accounts.sub(lodash_1.default.debounce(obj => {
             (0, misc_1.setHidden)(rec, { username: norm });
         }
         void updateAccount(rec, {}); // work fields
+        removeLoops(norm);
     });
+    function removeLoops(normalizedUsername, visiting = new Set()) {
+        if (visiting.has(normalizedUsername))
+            return;
+        visiting.add(normalizedUsername);
+        const account = obj[normalizedUsername];
+        const removed = lodash_1.default.remove(account.belongs, parent => {
+            const k = normalizeUsername(parent);
+            return obj[k] && visiting.has(k);
+        });
+        if (removed.length)
+            saveAccountsAsap();
+        if (account?.belongs?.length) {
+            for (const parent of account.belongs) {
+                const k = normalizeUsername(parent);
+                if (obj[k])
+                    removeLoops(k, visiting);
+            }
+            if (!account.belongs.length)
+                delete account.belongs;
+        }
+        visiting.delete(normalizedUsername);
+    }
 })); // don't trigger in the middle of a series of deletion, as we may have an inconsistent state
 function normalizeUsername(username) {
     return username.toLocaleLowerCase();
@@ -202,9 +223,3 @@ function accountCanLoginAdmin(account) {
 function accountCanChangePassword(account) {
     return account && !getFromAccount(account, a => a.disable_password_change);
 }
-async function changeSrpHelper(account, salt, verifier) {
-    if (!salt || !verifier)
-        return new apiMiddleware_1.ApiError(misc_1.HTTP_BAD_REQUEST, 'missing parameters');
-    await updateAccount(account, account => saveSrpInfo(account, salt, verifier));
-    return {};
-}

package/src/persistence.js CHANGED Viewed

@@ -22,4 +22,4 @@ exports.storedMap.open('data.kv').catch(e => {
     for (const x of await (0, fast_glob_1.default)('*.kv.lock')) // legacy pre 3.0.5
         (0, promises_1.unlink)(x).catch(() => { });
 });
-(0, first_1.onProcessExit)(() => exports.storedMap.flush());
+(0, first_1.onProcessExit)(() => exports.storedMap.close());

package/src/plugins.js CHANGED Viewed

@@ -219,11 +219,7 @@ const pluginsMiddleware = async (ctx, next) => {
     await Promise.all(mapPlugins(async (pl, id) => {
         try {
             const res = await pl.middleware?.(ctx);
-            if (lastStatus !== ctx.status || lastBody !== ctx.body) {
-                console.debug("plugin changed response", id);
-                lastStatus = ctx.status;
-                lastBody = ctx.body;
-            }
+            printChange(id);
             if (ctx.isAborted())
                 ctx.stop();
             // don't just check ctx.isStopped, as the async plugin that called ctx.stop will reach here after sync ones
@@ -236,7 +232,7 @@ const pluginsMiddleware = async (ctx, next) => {
             printError(id, e);
         }
     }));
-    // expose public plugins' files`
+    // expose public plugins' files
     if (!ctx.isStopped) {
         const { path } = ctx;
         if (path.startsWith(const_1.PLUGINS_PUB_URI)) {
@@ -252,13 +248,23 @@ const pluginsMiddleware = async (ctx, next) => {
         if (ctx.body === undefined && ctx.status === const_1.HTTP_NOT_FOUND) // no response was provided by plugins, so we'll do
             await next();
     }
+    lastStatus = ctx.status;
+    lastBody = ctx.body;
     for (const [id, f] of Object.entries(after))
         try {
             await f();
+            printChange(id);
         }
         catch (e) {
             printError(id, e);
         }
+    function printChange(id) {
+        if (id === exports.SERVER_CODE_ID || (lastStatus === ctx.status && lastBody === ctx.body))
+            return;
+        console.debug("plugin changed response:", id);
+        lastStatus = ctx.status;
+        lastBody = ctx.body;
+    }
     function printError(id, e) {
         console.log(`error middleware plugin ${id}: ${e?.message || e}`);
         console.debug(e);

package/src/serveFile.js CHANGED Viewed

@@ -36,7 +36,7 @@ function forceDownload(ctx, name) {
     disposition(ctx, name, true);
 }
 function disposition(ctx, name, forceDownload = false) {
-    // ctx.attachment is not working well on Windows. Eg: for file "èÖ.txt" it is producing `Content-Disposition: attachment; filename="??.txt"`. Koa uses module content-disposition, that actually produces a better result anyway: ``
+    // ctx.attachment is not working well on Windows. Eg: for the file "èÖ.txt" it is producing `Content-Disposition: attachment; filename="??.txt"`. Koa uses module content-disposition, that actually produces a better result anyway: ``
     ctx.set('Content-Disposition', (forceDownload ? 'attachment; ' : '')
         + `filename="${toAsciiEquivalent(name)}"; filename*=UTF-8''${encodeURIComponent(name)}`);
 }
@@ -44,10 +44,10 @@ async function serveFileNode(ctx, node) {
     const { source, mime } = node;
     const name = (0, vfs_1.getNodeName)(node);
     const mimeString = typeof mime === 'string' ? mime
-        : lodash_1.default.find(mime, (val, mask) => (0, misc_1.matches)(name, mask));
+        : lodash_1.default.find(mime, (_val, mask) => (0, misc_1.matches)(name, mask));
     if (allowedReferer.get()) {
         const ref = (0, misc_1.try_)(() => new URL(ctx.get('referer') || '').host);
-        if (ref && ref !== ctx.host // automatically accept if referer is basically the hosting domain
+        if (ref && ref !== ctx.host // automatically accept if the referer is basically the hosting domain
             && !(0, misc_1.matches)(ref, allowedReferer.get()))
             return ctx.status = const_1.HTTP_FORBIDDEN;
     }

package/src/serveGuiAndSharedFiles.js CHANGED Viewed

@@ -28,6 +28,7 @@ const comments_1 = require("./comments");
 const basicWeb_1 = require("./basicWeb");
 const icons_1 = require("./icons");
 const plugins_1 = require("./plugins");
+const webdav_1 = require("./webdav");
 const serveFrontendFiles = (0, serveGuiFiles_1.serveGuiFiles)(process.env.FRONTEND_PROXY, cross_const_1.FRONTEND_URI);
 const serveFrontendPrefixed = (0, koa_mount_1.default)(cross_const_1.FRONTEND_URI.slice(0, -1), serveFrontendFiles);
 const serveAdminFiles = (0, serveGuiFiles_1.serveGuiFiles)(process.env.ADMIN_PROXY, cross_const_1.ADMIN_URI);
@@ -58,6 +59,8 @@ const serveGuiAndSharedFiles = async (ctx, next) => {
         ctx.state.considerAsGui = true;
         return (0, serveFile_1.serveFile)(ctx, (0, path_1.join)(plugin?.folder || '', icons_1.ICONS_FOLDER, file), const_1.MIME_AUTO);
     }
+    if (await (0, webdav_1.handledWebdav)(ctx))
+        return;
     const { get } = ctx.query;
     const getUploadTempHash = get === cross_const_1.UPLOAD_TEMP_HASH;
     if (ctx.method === 'PUT' || getUploadTempHash) { // PUT is what you get with `curl -T file url/`

package/src/serveGuiFiles.js CHANGED Viewed

@@ -62,7 +62,7 @@ const getFaviconTimestamp = (0, misc_1.debounceAsync)(async () => {
     return !f ? 0 : (0, misc_1.statWithTimeout)(f).then(x => x?.mtimeMs || 0, () => 0);
 }, { retain: 5_000 });
 async function treatIndex(ctx, filesUri, body) {
-    const session = await (0, api_auth_1.refresh_session)({}, ctx);
+    const session = await api_auth_1.authApis.refresh_session({}, ctx);
     ctx.set('etag', '');
     ctx.set('Cache-Control', 'no-store, no-cache, must-revalidate');
     ctx.type = 'html';
@@ -105,6 +105,7 @@ async function treatIndex(ctx, filesUri, body) {
                 lang
             }, null, 4).replace(/<(\/script)/g, '<"+"$1') /*avoid breaking our script container*/}
                     document.documentElement.setAttribute('ver', HFS.VERSION.split('-')[0])
+                    document.documentElement.setAttribute('browser', ${JSON.stringify((0, misc_1.shortenAgent)(ctx.get('user-agent')))})
                     </script>
                     ${isFrontend && `
                         <title>${adminApis_1.title.get()}</title>