hfs 3.1.0-alpha3 → 3.1.0-beta4

package/package.json

@@ -1,12 +1,14 @@
 {
   "name": "hfs",
-  "version": "3.1.0-alpha3",
+  "version": "3.1.0-beta4",
   "description": "HTTP File Server",
-  "keywords": ["file server", "http server"],
+  "keywords": [
+    "file server",
+    "http server"
+  ],
   "homepage": "https://rejetto.com/hfs",
   "license": "GPL-3.0",
   "author": "Massimo Melina <a@rejetto.com>",
-  "workspaces": [ "admin", "frontend", "shared", "mui-grid-form" ],
   "scripts": {
     "watch-server": "cross-env DEV=1 nodemon --ignore tests/ --watch src -e ts,tsx --exec tsx src",
     "watch-server-proxied": "cross-env FRONTEND_PROXY=3005 ADMIN_PROXY=3006 npm run watch-server",
@@ -28,7 +30,7 @@
     "dist": "STASHED=; if ! git diff-index --quiet HEAD --; then git stash push -m 'dist' && STASHED=1; fi; CI=1 FORCE_COLOR=1 npm run dist-uncommitted || (EXIT_CODE=$?; [ -n \"$STASHED\" ] && git stash pop; exit $EXIT_CODE); [ -n \"$STASHED\" ] && git stash pop",
     "dist-uncommitted": "npm audit --omit=dev --audit-level=moderate && rm -rf dist && npm run build-server && npm run test-with-server && (npm run build-frontend & npm run build-admin) && npm run test-ui && npm run dist-bin",
     "dist-bin": "npm run dist-modules && npm run dist-bin-win && npm run dist-bin-linux && npm run dist-bin-linux-arm && npm run dist-bin-mac && npm run dist-bin-mac-arm",
-    "dist-modules": "cp package*.json central.json README.md dist && cd dist && npm ci --omit=dev && npm shrinkwrap && cd .. && node scripts/prune_modules.js",
+    "dist-modules": "cp package.json central.json README.md dist && cd dist && npm pkg delete devDependencies workspaces && rm -rf node_modules && npm install --omit=dev && npm shrinkwrap && cd .. && node scripts/prune_modules.js",
     "dist-bin-win": "cd dist && pkg . --public -C gzip -t node20-win-x64 && npx resedit-cli --in hfs.exe --icon 1,../hfs.ico --out hfs.exe && zip hfs-windows-x64-$(jq -r .version ../package.json).zip hfs.exe -r plugins && cd ..",
     "dist-bin-mac-arm": "cd dist && pkg . --public -C gzip -t node20-macos-arm64 && zip hfs-mac-arm64-$(jq -r .version ../package.json).zip hfs -r plugins && cd ..",
     "dist-bin-mac": "cd dist && pkg . --public -C gzip -t node20-macos-x64 && zip hfs-mac-x64-$(jq -r .version ../package.json).zip hfs -r plugins && cd ..",
@@ -85,6 +87,7 @@
     "busboy": "^1.6.0",
     "crc-32": "^1.2.2",
     "fast-glob": "^3.3.3",
+    "fast-xml-parser": "^5.4.2",
     "find-process": "^2.0.0",
     "fs-x-attributes": "^1.0.2",
     "fswin": "^3.24.829",
@@ -108,27 +111,5 @@
     "valtio": "^1.13.2",
     "xxhashjs": "^0.2.2",
     "yaml": "^2.8.1"
-  },
-  "devDependencies": {
-    "@playwright/test": "^1.55.1",
-    "@types/busboy": "^1.5.4",
-    "@types/koa": "^3.0.0",
-    "@types/koa__router": "^12.0.4",
-    "@types/koa-compress": "^4.0.6",
-    "@types/koa-mount": "^4.0.5",
-    "@types/koa-session": "^6.4.5",
-    "@types/lodash": "^4.17.20",
-    "@types/mime-types": "^3.0.1",
-    "@types/minimist": "^1.2.5",
-    "@types/node": "^20.17.30",
-    "@types/node-forge": "^1.3.14",
-    "@types/picomatch": "^4.0.2",
-    "@yao-pkg/pkg": "6.14.1",
-    "cross-env": "^10.0.0",
-    "koa-better-http-proxy": "^0.2.10",
-    "nm-prune": "^5.0.0",
-    "nodemon": "^3.1.10",
-    "tsx": "^4.20.5",
-    "typescript": "^5.9.2"
   }
 }

package/src/commands.js

@@ -20,6 +20,7 @@ const cross_1 = require("./cross");
 const api_monitor_1 = __importDefault(require("./api.monitor"));
 const argv_1 = require("./argv");
 const listen_2 = require("./listen");
+let debugEnabled = argv_1.argv.debug || process.env.HFS_DEBUG;
 if (!argv_1.argv.updating && !config_1.showHelp) {
     try {
         // Not sure if the try is necessary for when stdin is unavailable, but someone reported a problem using nohup https://github.com/rejetto/hfs/issues/74 and I've found this example try-catching https://github.com/DefinitelyTyped/DefinitelyTyped/blob/dda83a906914489e09ca28afea12948529015d4a/types/node/readline.d.ts#L489
@@ -29,7 +30,7 @@ if (!argv_1.argv.updating && !config_1.showHelp) {
             .on('SIGINT', () => process.emit('SIGINT')); // readline swallows the first ctrl+c unless we forward it to process-level handlers
         let isClean = true;
         const showPrompt = tty && lodash_1.default.debounce(() => {
-            if (first_1.quitting || !tty)
+            if (first_1.quitting || !tty || !isClean)
                 return;
             prompter.prompt(true);
             isClean = false;
@@ -43,12 +44,14 @@ if (!argv_1.argv.updating && !config_1.showHelp) {
         }
         showPrompt?.();
         for (const k of ['log', 'warn', 'error', 'debug']) {
-            const v = console[k];
+            const original = console[k];
             console[k] = (...args) => {
+                if (k === 'debug' && !debugEnabled)
+                    return;
                 if (!first_1.quitting && tty)
                     clean();
                 try {
-                    v(...args);
+                    original(...args);
                 }
                 finally {
                     showPrompt?.();
@@ -58,6 +61,8 @@ if (!argv_1.argv.updating && !config_1.showHelp) {
     }
     catch {
         console.log("console commands not available");
+        const original = console.debug;
+        console.debug = (...args) => debugEnabled && original(...args);
     }
 }
 async function parseCommandLine(line) {
@@ -156,6 +161,13 @@ const commands = {
             console.log(const_1.VERSION, 'build', const_1.BUILD_TIMESTAMP);
         }
     },
+    debug: {
+        params: '',
+        cb() {
+            debugEnabled = !debugEnabled;
+            console.log(`debug messages ${debugEnabled ? "on" : "off"}`);
+        }
+    },
     'start-plugin': {
         params: '<name>',
         cb: plugins_1.startPlugin,

package/src/const.js

@@ -36,16 +36,34 @@ var __importStar = (this && this.__importStar) || (function () {
 var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.CONFIG_FILE = exports.MIME_AUTO = exports.APP_PATH = exports.IS_BINARY = exports.IS_MAC = exports.IS_WINDOWS = exports.RUNNING_BETA = exports.VERSION = exports.BUILD_TIMESTAMP = exports.HFS_STARTED = exports.ORIGINAL_CWD = exports.DEV = exports.COMPATIBLE_API_VERSION = exports.API_VERSION = void 0;
+exports.CONFIG_FILE = exports.MIME_AUTO = exports.APP_PATH = exports.IS_BINARY = exports.IS_MAC = exports.IS_WINDOWS = exports.RUNNING_BETA = exports.VERSION = exports.BUILD_TIMESTAMP = exports.HFS_STARTED = exports.ORIGINAL_CWD = exports.DEV = exports.ARGS_FILE = exports.COMPATIBLE_API_VERSION = exports.API_VERSION = void 0;
+const minimist_1 = __importDefault(require("minimist"));
 const fs = __importStar(require("fs"));
 const os_1 = require("os");
+const lodash_1 = __importDefault(require("lodash"));
 const path_1 = require("path");
 const cross_1 = require("./cross");
 const argv_1 = require("./argv");
 __exportStar(require("./cross-const"), exports);
 exports.API_VERSION = 13;
 exports.COMPATIBLE_API_VERSION = 1; // the day we break with the past, we'll update this
+// you can add arguments with this file, currently used for the update process on mac/linux.
+// we are using homedir because it's the only stable path both the old and new process can agree on (open() doesn't preserve cwd)
+exports.ARGS_FILE = (0, path_1.join)((0, os_1.homedir)(), 'hfs-args');
+try {
+    const s = fs.readFileSync(exports.ARGS_FILE, 'utf-8');
+    console.log('additional arguments', s);
+    lodash_1.default.defaults(argv_1.argv, (0, minimist_1.default)(JSON.parse(s)));
+    fs.unlinkSync(exports.ARGS_FILE);
+}
+catch (e) {
+    if (e?.code !== 'ENOENT')
+        console.error(exports.ARGS_FILE, String(e));
+}
 exports.DEV = process.env.DEV ? 'DEV' : '';
 exports.ORIGINAL_CWD = process.cwd();
 exports.HFS_STARTED = new Date();
@@ -65,14 +83,11 @@ if (exports.DEV) {
     console.clear();
     process.env.DEBUG = 'acme-client';
 }
-else if (!argv_1.argv.debug && !process.env.HFS_DEBUG)
-    console.debug = () => { };
 console.log(`HFS ~ HTTP File Server`);
 console.log(`© Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt`);
 console.log('started', (0, cross_1.formatTimestamp)(exports.HFS_STARTED), exports.DEV);
 console.log('version', exports.VERSION || '-');
 console.log('build', exports.BUILD_TIMESTAMP || '-');
-console.debug('arguments', argv_1.argv);
 // still considering whether to use ".hfs" with Windows users, who may be less accustomed to it
 const dir = argv_1.argv.cwd || useHomeDir() && (0, path_1.join)((0, os_1.homedir)(), '.hfs');
 if (dir) {

package/src/frontEndApis.js

@@ -141,12 +141,17 @@ exports.frontEndApis = {
             return new apiMiddleware_1.ApiError(ctx.status);
         let bytes = 0;
         let files = 0;
-        for await (const n of (0, vfs_1.walkNode)(folder, { ctx, onlyFiles: true, depth: Infinity })) {
-            bytes += await (0, vfs_1.nodeStats)(n).then(x => x?.size || 0, () => 0);
-            files++;
-            partialFolderSize[id] = { bytes, files };
+        let folders = 0;
+        for await (const n of (0, vfs_1.walkNode)(folder, { ctx, depth: Infinity })) {
+            if (n.isFolder)
+                folders++;
+            else {
+                bytes += await (0, vfs_1.nodeStats)(n).then(x => x?.size || 0, () => 0);
+                files++;
+            }
+            partialFolderSize[id] = { bytes, files, folders };
         }
-        return (0, misc_1.popKey)(partialFolderSize, id) || { bytes, files };
+        return (0, misc_1.popKey)(partialFolderSize, id) || { bytes, files, folders };
     },
 };
 function notifyClient(channel, name, data) {

package/src/plugins.js

@@ -204,18 +204,16 @@ async function initPlugin(pl, morePassedToInit) {
     events_1.default.emit('pluginInitialized', pl);
     return pl;
 }
-const already = new Set();
-function warnOnce(msg) {
-    if (already.has(msg))
-        return;
-    already.add(msg);
-    console.log('Warning: ' + msg);
-}
 const pluginsMiddleware = async (ctx, next) => {
     const after = {};
     // run middleware plugins
     let lastStatus = ctx.status;
     let lastBody = ctx.body;
+    const res = await events_1.default.emitAsync('request', { ctx });
+    if (ctx.isAborted() || res?.isDefaultPrevented())
+        return;
+    if (res?.length)
+        after['/event'] = () => res.forEach(misc_1.callable);
     await Promise.all(mapPlugins(async (pl, id) => {
         try {
             const res = await pl.middleware?.(ctx);

package/src/roots.js

@@ -12,7 +12,7 @@ const lodash_1 = __importDefault(require("lodash"));
 exports.roots = (0, config_1.defineConfig)(misc_1.CFG.roots, {}, map => {
     const list = Object.keys(map);
     const matchers = list.map(hostMask => (0, misc_1.makeMatcher)(hostMask));
-    const values = Object.values(map).map(x => (0, misc_1.enforceFinal)('/', (0, misc_1.enforceStarting)('/', x)));
+    const values = Object.values(map).map(x => (0, misc_1.enforceFinal)('/', (0, misc_1.enforceStarting)('/', x.replace(/\/{2,}/g, '/'))));
     return (host) => values[matchers.findIndex(m => m(host))];
 });
 const forceAddress = (0, config_1.defineConfig)(misc_1.CFG.force_address, false);

package/src/update.js

@@ -19,6 +19,7 @@ const misc_1 = require("./misc");
 const fs_1 = require("fs");
 const plugins_1 = require("./plugins");
 const promises_1 = require("fs/promises");
+const open_1 = __importDefault(require("open"));
 const config_1 = require("./config");
 const util_os_1 = require("./util-os");
 const first_1 = require("./first");
@@ -190,11 +191,24 @@ if (argv_1.argv.updating) { // we were launched with a temporary name, restore o
     // have to relaunch with the new name, or otherwise the next update will fail with EBUSY on hfs.exe
     console.log(`renamed binary file to "${argv_1.argv.updating}" and now restarting`);
     // if you change anything, be sure to test launching both double-clicking and in a terminal
-    if (const_1.IS_WINDOWS) // windows-only; this method on Mac works only once, and without the console
+    if (const_1.IS_WINDOWS) // windows-only; this method on mac+linux works only once, and without the console
         (0, first_1.onProcessExit)(() => (0, child_process_1.spawn)((0, util_os_1.cmdEscape)(dest), ['--updated', '--cwd .'], { detached: true, shell: true, stdio: [0, 1, 2] })); // launch+sync here would cause the old process to stay open, locking ports
-    else if (process.stdin.isTTY && process.stdout.isTTY) // keep interactive terminal users attached to the restarted process
-        (0, child_process_1.spawnSync)(dest, ['--updated', '--cwd', process.cwd()], { stdio: [0, 1, 2] });
-    else
-        (0, child_process_1.spawn)(dest, ['--updated', '--cwd', process.cwd()], { detached: true, stdio: 'ignore' }).unref();
+    else if (const_1.IS_MAC) {
+        // open() is the only consistent way that I could find working on macos preserving console input/output over relaunching,
+        // and it doesn't let us pass cli arguments, so we pass them through a temp file consumed at the next startup.
+        // For the record, on mac you can: write "./hfs arg1 arg2" to /tmp/tmp.sh with 0o700, and then spawn "open -a Terminal /tmp/tmp.sh"
+        try {
+            (0, fs_1.writeFileSync)(const_1.ARGS_FILE, JSON.stringify(['--updated', '--cwd', process.cwd()]));
+        }
+        catch { }
+        console.log('open-ing');
+        void (0, open_1.default)(dest);
+    }
+    else { // linux and other *nix
+        if (process.stdin.isTTY && process.stdout.isTTY) // in interactive terminals, block this bridge process on the restarted hfs so the terminal session stays attached
+            (0, child_process_1.spawnSync)(dest, ['--updated', '--cwd', process.cwd()], { stdio: [0, 1, 2] });
+        else
+            (0, child_process_1.spawn)(dest, ['--updated', '--cwd', process.cwd()], { detached: true, stdio: 'ignore' }).unref();
+    }
     process.exit();
 }

package/src/vfs.js

@@ -324,6 +324,7 @@ async function* walkNode(parent, { ctx, depth = Infinity, prefixPath = '', requi
                     && !hasPermission(parent, requiredPerm, ctx)
                     && !masksCouldGivePermission(parent.masks, requiredPerm))
                     return;
+                const pathMaskApplier = parentMaskApplier(parent, true);
                 try {
                     await (0, walkDir_1.walkDir)(source, { depth, ctx, hidden: showHiddenFiles.get(), parallelizeRecursion }, async (entry) => {
                         if (ctx?.isAborted()) {
@@ -344,6 +345,8 @@ async function* walkNode(parent, { ctx, depth = Infinity, prefixPath = '', requi
                         if (taken?.has(normalizeFilename(name))) // taken by vfs node above
                             return false; // false just in case it's a folder
                         const item = { name, isFolder, source: (0, path_1.join)(source, path), parent };
+                        // masks containing '/' must be matched against the relative path while keeping walkDir recursion enabled
+                        await pathMaskApplier(item, renamed || path);
                         if (await cantSee(item)) // can't see: don't produce and don't recur
                             return false;
                         if (onlyFiles ? !isFolder : (!onlyFolders || isFolder))
@@ -359,7 +362,7 @@ async function* walkNode(parent, { ctx, depth = Infinity, prefixPath = '', requi
             finally {
                 await childrenWorking;
                 for (const [item, name] of visitLater)
-                    for await (const x of walkNode(item, { depth: depth - 1, prefixPath: name + '/', ctx, requiredPerm, onlyFolders, parallelizeRecursion }))
+                    for await (const x of walkNode(item, { depth: depth - 1, prefixPath: name + '/', ctx, requiredPerm, onlyFolders, onlyFiles, parallelizeRecursion }))
                         stream.push(x);
                 stream.push(null);
             }
@@ -383,26 +386,40 @@ async function* walkNode(parent, { ctx, depth = Infinity, prefixPath = '', requi
 function masksCouldGivePermission(masks, perm) {
     return masks !== undefined && Object.values(masks).some(props => props[perm] || masksCouldGivePermission(props.masks, perm));
 }
-function parentMaskApplier(parent) {
+function parentMaskApplier(parent, pathBased = false) {
     // rules are met in the parent.masks object from nearest to farthest, but since we finally apply with _.defaults, the nearest has precedence in the final result
-    const matchers = (0, misc_1.onlyTruthy)(lodash_1.default.map(parent.masks, (mods, k) => {
+    const matchers = (0, misc_1.onlyTruthy)(lodash_1.default.map(parent.masks, (mods, mask) => {
         if (!mods)
             return;
         const mustBeFolder = (() => {
-            if (k.at(-1) !== '|')
+            if (mask.at(-1) !== '|')
                 return; // parse special flag syntax as suffix |FLAG| inside the key. This allows specifying different flags with the same mask using separate keys. To avoid syntax conflicts with the rest of the file-mask, we look for an ending pipe, as it has no practical use. Ending-pipe was preferred over starting-pipe to leave the rest of the logic (inheritMasks) untouched.
-            const i = k.lastIndexOf('|', k.length - 2);
+            const i = mask.lastIndexOf('|', mask.length - 2);
             if (i < 0)
                 return;
-            const type = k.slice(i + 1, -1);
-            k = k.slice(0, i); // remove
+            const type = mask.slice(i + 1, -1);
+            mask = mask.slice(0, i); // remove
             return type === 'folders';
         })();
-        const m = /^(!?)\*\*\//.exec(k); // ** globstar matches also zero subfolders, so this mask must be applied here too
-        k = m ? m[1] + k.slice(m[0].length) : !k.includes('/') ? k : '';
-        return k && { mods, matcher: (0, misc_1.makeMatcher)(k), mustBeFolder };
+        if (pathBased) {
+            if (!mask.includes('/'))
+                return;
+            // avoid evaluating twice masks like **/*.png because parentMaskApplier already handles them by basename
+            const m = /^(!?)\*\*\//.exec(mask);
+            // this keeps the fast basename path as source-of-truth for patterns that collapse to a filename after **/
+            if (m && !mask.slice(m[0].length).includes('/'))
+                return;
+        }
+        else {
+            const m = /^(!?)\*\*\//.exec(mask); // ** globstar matches also zero subfolders, so this mask must be applied here too
+            mask = m ? m[1] + mask.slice(m[0].length) : !mask.includes('/') ? mask : '';
+            if (!mask)
+                return;
+        }
+        return mask && { matcher: (0, misc_1.makeMatcher)(mask), mods, mustBeFolder };
     }));
-    return async (item, virtualBasename = (0, path_1.basename)(getNodeName(item))) => {
+    return async (item, virtualName = (pathBased ? lodash_1.default.identity : path_1.basename)(getNodeName(item))) => {
+        // depth traversal passes full relative paths, while node traversal still matches only basenames
         let isFolder = undefined;
         for (const { matcher, mods, mustBeFolder } of matchers) {
             if (mustBeFolder !== undefined) {
@@ -410,13 +427,14 @@ function parentMaskApplier(parent) {
                 if (mustBeFolder !== isFolder)
                     continue;
             }
-            if (!matcher(virtualBasename))
+            if (!matcher(virtualName))
                 continue;
             item.masks &&= lodash_1.default.merge(lodash_1.default.cloneDeep(mods.masks), item.masks); // item.masks must take precedence
             lodash_1.default.defaults(item, mods);
         }
     };
 }
+// propagates masks, don't apply
 function inheritMasks(item, parent, virtualBasename = getNodeName(item)) {
     const { masks } = parent;
     if (!masks)

package/src/webdav.js

@@ -1,6 +1,10 @@
 "use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.handledWebdav = handledWebdav;
+const consumers_1 = require("node:stream/consumers");
 const vfs_1 = require("./vfs");
 const cross_1 = require("./cross");
 const stream_1 = require("stream");
@@ -14,14 +18,19 @@ const child_process_1 = require("child_process");
 const auth_1 = require("./auth");
 const config_1 = require("./config");
 const expiringCache_1 = require("./expiringCache");
+const fast_xml_parser_1 = require("fast-xml-parser");
+const lodash_1 = __importDefault(require("lodash"));
 const forceWebdavLogin = (0, config_1.defineConfig)(cross_1.CFG.force_webdav_login, true, compileWebdavAgentRegex);
 const webdavInitialAuth = (0, config_1.defineConfig)(cross_1.CFG.webdav_initial_auth, 'WebDAVFS', compileWebdavAgentRegex);
 const webdavPrompted = (0, expiringCache_1.expiringCache)(cross_1.DAY);
-const webdavDetectedAgents = new Set();
+const webdavDetectedAgents = (0, expiringCache_1.expiringCache)(cross_1.DAY);
 const TOKEN_HEADER = 'lock-token';
-const WEBDAV_METHODS = new Set(['PROPFIND', 'PROPPATCH', 'MKCOL', 'MOVE', 'LOCK', 'UNLOCK']);
+const WEBDAV_METHODS = new Set(['PROPFIND', 'MKCOL', 'MOVE', 'LOCK', 'UNLOCK']);
 const WEBDAV_HINT_HEADERS = ['depth', 'destination', 'overwrite', 'translate', 'if', TOKEN_HEADER, 'x-expected-entity-length'];
 const KNOWN_UA = /webdav|miniredir|davclnt/i;
+const LOCK_DEFAULT_SECONDS = 3600;
+const LOCK_MAX_SECONDS = cross_1.DAY / 1000;
+const xmlParser = new fast_xml_parser_1.XMLParser({ ignoreAttributes: false, removeNSPrefix: true, trimValues: true });
 const canOverwrite = new Set();
 const locks = new Map();
 function isLocked(path, ctx) {
@@ -41,17 +50,16 @@ function hasToken(header, token) {
     return header.includes(`<${token}>`) || header.split(/[,;\s]+/).includes(token);
 }
 async function handledWebdav(ctx) {
-    const { path } = ctx;
-    const isWebdavAuthRequest = WEBDAV_METHODS.has(ctx.method) || WEBDAV_HINT_HEADERS.some(h => !!ctx.get(h));
+    let { path } = ctx;
+    path = path.replace(/^\/+/, '/'); // double-slash is causing empty listing in filezilla-pro
     const ua = ctx.get('user-agent');
-    if (isWebdavAuthRequest && (0, auth_1.getCurrentUsername)(ctx)) {
-        if (ua)
-            webdavDetectedAgents.add(ua);
-    }
-    if (ctx.path.includes('/._') && ua?.startsWith('WebDAVFS')) { // too much spam from Finder for these files that can contain metas
+    if (path.includes('/._') && ua?.startsWith('WebDAVFS')) { // too much spam from Finder for these files that can contain metas
         ctx.state.dontLog = true;
         return ctx.status = cross_1.HTTP_FORBIDDEN;
     }
+    const isWebdavAuthRequest = WEBDAV_METHODS.has(ctx.method) || WEBDAV_HINT_HEADERS.some(h => ctx.get(h));
+    if (isWebdavAuthRequest && ua && (0, auth_1.getCurrentUsername)(ctx))
+        webdavDetectedAgents.try(webdavAgentKey(ctx, ua), () => true);
     if (ctx.method === 'OPTIONS') {
         if (ctx.get('Access-Control-Request-Method'))
             return; // it's a preflight cors request, not webdav
@@ -78,7 +86,7 @@ async function handledWebdav(ctx) {
         }
         if (x && ctx.length === undefined) // missing length can make PUT fail
             ctx.req.headers['content-length'] = x;
-        if (KNOWN_UA.test(ua) || webdavDetectedAgents.has(ua))
+        if (KNOWN_UA.test(ua) || webdavDetectedAgents.has(webdavAgentKey(ctx, ua)))
             ctx.query.existing ??= 'overwrite'; // with webdav this is our default
         return; // default handling
     }
@@ -157,22 +165,60 @@ async function handledWebdav(ctx) {
     }
     if (ctx.method === 'LOCK') {
         setWebdavHeaders();
+        const body = ctx.length || ctx.get('content-length') || ctx.get('transfer-encoding') ? await (0, consumers_1.text)(ctx.req) : '';
+        const token = getProvidedLockToken(ctx);
+        let seconds = Number(ctx.get('timeout').split(',').find(x => /^Second-\d+$/i.test(x.trim()))?.trim().split('-', 2)[1]);
+        seconds = lodash_1.default.clamp(seconds || LOCK_DEFAULT_SECONDS, 1, LOCK_MAX_SECONDS);
+        if (!body) {
+            // Finder and similar clients refresh an existing lock by sending LOCK without a body
+            if (!token)
+                return ctx.status = cross_1.HTTP_BAD_REQUEST;
+            const lock = locks.get(path);
+            if (token !== lock?.token)
+                return ctx.status = cross_1.HTTP_PRECONDITION_FAILED;
+            // refresh lock – keep the same token on refresh so clients can continue using the lock they already hold
+            clearTimeout(lock.timeout);
+            lock.timeout = setTimeout(() => locks.delete(path), seconds * 1000);
+            lock.seconds = seconds;
+            locks.set(path, lock);
+            ctx.set(TOKEN_HEADER, lock.token);
+            ctx.body = renderLockResponse(lock.token, lock.seconds);
+            return true;
+        }
+        const lockinfo = (0, cross_1.try_)(() => xmlParser.parse(body).lockinfo);
+        const scope = lodash_1.default.keys(lockinfo?.lockscope)[0];
+        const type = lodash_1.default.keys(lockinfo?.locktype)[0];
+        if (!scope || !type)
+            return ctx.status = cross_1.HTTP_BAD_REQUEST;
+        if (ctx.get('depth') && ctx.get('depth') !== '0')
+            return ctx.status = cross_1.HTTP_CONFLICT;
+        if (scope !== 'exclusive' || type !== 'write')
+            return ctx.status = cross_1.HTTP_CONFLICT;
         if (locks.has(path))
-            return ctx.status = 423;
-        const token = 'urn:uuid:' + (0, node_crypto_1.randomUUID)();
-        ctx.set(TOKEN_HEADER, token);
-        const seconds = 3600;
+            return ctx.status = cross_1.HTTP_LOCKED;
+        const newToken = 'urn:uuid:' + (0, node_crypto_1.randomUUID)();
         const timeout = setTimeout(() => locks.delete(path), seconds * 1000);
-        locks.set(path, { token, timeout });
-        ctx.body = `<?xml version="1.0" encoding="utf-8"?><prop xmlns="DAV:"><lockdiscovery><activelock>
-            <locktype><write/></locktype>
-            <lockscope><exclusive/></lockscope>
-            <locktoken><href>${token}</href></locktoken>
-            <lockroot><href>${path}</href></lockroot>
-            <depth>0</depth>
-            <timeout>Second-${seconds}</timeout>
-        </activelock></lockdiscovery></prop>`;
+        locks.set(path, { token: newToken, timeout, seconds });
+        ctx.set(TOKEN_HEADER, newToken);
+        ctx.body = renderLockResponse(newToken, seconds);
         return true;
+        function getProvidedLockToken(ctx) {
+            const direct = ctx.get(TOKEN_HEADER).replace(/[<>]/g, '');
+            if (direct)
+                return direct;
+            const ifHeader = ctx.get('If');
+            return /<([^>]+)>/.exec(ifHeader)?.[1] || '';
+        }
+        function renderLockResponse(token, seconds) {
+            return `<?xml version="1.0" encoding="utf-8"?><prop xmlns="DAV:"><lockdiscovery><activelock>
+                <locktype><write/></locktype>
+                <lockscope><exclusive/></lockscope>
+                <locktoken><href>${token}</href></locktoken>
+                <lockroot><href>${path}</href></lockroot>
+                <depth>0</depth>
+                <timeout>Second-${seconds}</timeout>
+            </activelock></lockdiscovery></prop>`;
+        }
     }
     if (ctx.method === 'PROPFIND') {
         setWebdavHeaders();
@@ -189,7 +235,7 @@ async function handledWebdav(ctx) {
         }
         ctx.type = 'xml';
         ctx.status = 207;
-        const pathSlash = (0, cross_1.enforceFinal)('/', path);
+        const outPath = (0, cross_1.enforceFinal)('/', path.slice(Math.max(0, (ctx.state.root?.length ?? 0) - 1)), true);
         const res = ctx.body = new stream_1.PassThrough({ encoding: 'utf8' });
         res.write(`<?xml version="1.0" encoding="utf-8" ?><multistatus xmlns="DAV:">`);
         await sendEntry(node);
@@ -208,7 +254,7 @@ async function handledWebdav(ctx) {
             const isDir = await (0, vfs_1.nodeIsFolder)(node);
             const st = await (0, vfs_1.nodeStats)(node);
             res.write(`<response>
-              <href>${pathSlash + (append ? (0, cross_1.pathEncode)(name, true) + (isDir ? '/' : '') : '')}</href>
+              <href>${outPath + (append ? (0, cross_1.pathEncode)(name, true) + (isDir ? '/' : '') : '')}</href>
               <propstat>
                 <status>HTTP/1.1 200 OK</status>
                 <prop>
@@ -224,34 +270,12 @@ async function handledWebdav(ctx) {
     }
     if (ctx.method === 'PROPPATCH') {
         setWebdavHeaders();
-        if (isLocked(path, ctx))
-            return true;
-        const node = await (0, vfs_1.urlToNode)(path, ctx);
-        if (!node)
-            return;
-        if ((0, vfs_1.statusCodeForMissingPerm)(node, 'can_see', ctx)) {
-            if (ctx.status === cross_1.HTTP_UNAUTHORIZED)
-                setWebdavHeaders(true);
-            return true;
-        }
-        ctx.type = 'xml';
-        ctx.status = 207;
-        ctx.body = `<?xml version="1.0" encoding="utf-8"?>
-            <multistatus xmlns="DAV:">
-              <response>
-                <href>${path}</href>
-                <propstat>
-                  <status>HTTP/1.1 200 OK</status>
-                  <prop/>
-                </propstat>
-              </response>
-            </multistatus>`;
-        return true;
+        return ctx.status = cross_1.HTTP_METHOD_NOT_ALLOWED;
     }
     function setWebdavHeaders(authenticate = false) {
         ctx.set('DAV', '1,2');
         ctx.set('MS-Author-Via', 'DAV');
-        ctx.set('Allow', 'PROPFIND,PROPPATCH,OPTIONS,DELETE,MOVE,LOCK,UNLOCK,MKCOL,PUT');
+        ctx.set('Allow', 'PROPFIND,OPTIONS,DELETE,MOVE,LOCK,UNLOCK,MKCOL,PUT');
         if (authenticate)
             ctx.set('WWW-Authenticate', `Basic realm="HFS WebDAV"`); // keep a dedicated realm for WebDAV so Windows credential cache is isolated from other basic-auth flows
     }
@@ -280,6 +304,10 @@ async function handledWebdav(ctx) {
 function compileWebdavAgentRegex(v) {
     return !v ? null : v === true ? /.*/ : new RegExp(v.trim(), 'i');
 }
+function webdavAgentKey(ctx, ua) {
+    // tying detection to source IP avoids promoting one spoofed UA to global WebDAV behavior
+    return `${ctx.ip}|${ua}`;
+}
 // Finder will upload special attributes as files with name ._* that can be merged using system utility "dot_clean"
 const cleaners = {};
 function dotClean(path) {