lfss 0.1.0__py3-none-any.whl → 0.2.3__py3-none-any.whl

lfss/src/server.py

@@ -1,4 +1,5 @@
 from typing import Optional
+from functools import wraps
 
 from fastapi import FastAPI, APIRouter, Depends, Request, Response
 from fastapi.exceptions import HTTPException 
@@ -10,10 +11,11 @@ import json
 import mimetypes
 from contextlib import asynccontextmanager
 
+from .error import *
 from .log import get_logger
 from .config import MAX_BUNDLE_BYTES
 from .utils import ensure_uri_compnents
-from .database import Database, DBUserRecord, DECOY_USER, FileReadPermission
+from .database import Database, DBUserRecord, DECOY_USER, FileDBRecord, check_user_permission, FileReadPermission
 
 logger = get_logger("server")
 conn = Database()
@@ -23,17 +25,48 @@ async def lifespan(app: FastAPI):
     global conn
     await conn.init()
     yield
+    await conn.commit()
     await conn.close()
 
-async def get_current_user(token: HTTPAuthorizationCredentials = Depends(HTTPBearer(auto_error=False))):
-    if not token:
-        return DECOY_USER
-    user = await conn.user.get_user_by_credential(token.credentials)
+def handle_exception(fn):
+    @wraps(fn)
+    async def wrapper(*args, **kwargs):
+        try:
+            return await fn(*args, **kwargs)
+        except Exception as e:
+            logger.error(f"Error in {fn.__name__}: {e}")
+            if isinstance(e, HTTPException): raise e
+            elif isinstance(e, StorageExceededError): raise HTTPException(status_code=413, detail=str(e))
+            elif isinstance(e, PermissionError): raise HTTPException(status_code=403, detail=str(e))
+            elif isinstance(e, InvalidPathError): raise HTTPException(status_code=400, detail=str(e))
+            elif isinstance(e, FileNotFoundError): raise HTTPException(status_code=404, detail=str(e))
+            elif isinstance(e, FileExistsError): raise HTTPException(status_code=409, detail=str(e))
+            else: raise HTTPException(status_code=500, detail=str(e))
+    return wrapper
+
+async def get_credential_from_params(request: Request):
+    return request.query_params.get("token")
+async def get_current_user(
+    token: HTTPAuthorizationCredentials = Depends(HTTPBearer(auto_error=False)), 
+    q_token: Optional[str] = Depends(get_credential_from_params)
+    ):
+    """
+    First try to get the user from the bearer token, 
+    if not found, try to get the user from the query parameter
+    """
+    if token:
+        user = await conn.user.get_user_by_credential(token.credentials)
+    else:
+        if not q_token:
+            return DECOY_USER
+        else:
+            user = await conn.user.get_user_by_credential(q_token)
+
     if not user:
         raise HTTPException(status_code=401, detail="Invalid token")
     return user
 
-app = FastAPI(docs_url=None, redoc_url=None, lifespan=lifespan)
+app = FastAPI(docs_url="/_docs", redoc_url=None, lifespan=lifespan)
 app.add_middleware(
     CORSMiddleware,
     allow_origins=["*"],
@@ -47,6 +80,8 @@ router_fs = APIRouter(prefix="")
 @router_fs.get("/{path:path}")
 async def get_file(path: str, asfile = False, user: DBUserRecord = Depends(get_current_user)):
     path = ensure_uri_compnents(path)
+
+    # handle directory query
     if path == "": path = "/"
     if path.endswith("/"):
         # return file under the path as json
@@ -67,23 +102,16 @@ async def get_file(path: str, asfile = False, user: DBUserRecord = Depends(get_c
             "dirs": dirs,
             "files": files
         }
-
+    
     file_record = await conn.file.get_file_record(path)
     if not file_record:
         raise HTTPException(status_code=404, detail="File not found")
-    
-    # permission check
-    perm = file_record.permission
-    if perm == FileReadPermission.PRIVATE:
-        if not user.is_admin and user.id != file_record.owner_id:
-            raise HTTPException(status_code=403, detail="Permission denied")
-        else:
-            assert path.startswith(f"{user.username}/")
-    elif perm == FileReadPermission.PROTECTED:
-        if user.id == 0:
-            raise HTTPException(status_code=403, detail="Permission denied")
-    else:
-        assert perm == FileReadPermission.PUBLIC
+
+    owner = await conn.user.get_user_by_id(file_record.owner_id)
+    assert owner is not None, "Owner not found"
+    allow_access, reason = check_user_permission(user, owner, file_record)
+    if not allow_access:
+        raise HTTPException(status_code=403, detail=reason)
     
     fname = path.split("/")[-1]
     async def send(media_type: Optional[str] = None, disposition = "attachment"):
@@ -110,7 +138,7 @@ async def put_file(request: Request, path: str, user: DBUserRecord = Depends(get
     path = ensure_uri_compnents(path)
     if user.id == 0:
         logger.debug("Reject put request from DECOY_USER")
-        raise HTTPException(status_code=403, detail="Permission denied")
+        raise HTTPException(status_code=401, detail="Permission denied")
     if not path.startswith(f"{user.username}/") and not user.is_admin:
         logger.debug(f"Reject put request from {user.username} to {path}")
         raise HTTPException(status_code=403, detail="Permission denied")
@@ -128,20 +156,20 @@ async def put_file(request: Request, path: str, user: DBUserRecord = Depends(get
     logger.debug(f"Content-Type: {content_type}")
     if content_type == "application/json":
         body = await request.json()
-        await conn.save_file(user.id, path, json.dumps(body).encode('utf-8'))
+        await handle_exception(conn.save_file)(user.id, path, json.dumps(body).encode('utf-8'))
     elif content_type == "application/x-www-form-urlencoded":
         # may not work...
         body = await request.form()
         file = body.get("file")
         if isinstance(file, str) or file is None:
             raise HTTPException(status_code=400, detail="Invalid form data, file required")
-        await conn.save_file(user.id, path, await file.read())
+        await handle_exception(conn.save_file)(user.id, path, await file.read())
     elif content_type == "application/octet-stream":
         body = await request.body()
-        await conn.save_file(user.id, path, body)
+        await handle_exception(conn.save_file)(user.id, path, body)
     else:
         body = await request.body()
-        await conn.save_file(user.id, path, body)
+        await handle_exception(conn.save_file)(user.id, path, body)
 
     # https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Methods/PUT
     if exists_flag:
@@ -157,7 +185,7 @@ async def put_file(request: Request, path: str, user: DBUserRecord = Depends(get
 async def delete_file(path: str, user: DBUserRecord = Depends(get_current_user)):
     path = ensure_uri_compnents(path)
     if user.id == 0:
-        raise HTTPException(status_code=403, detail="Permission denied")
+        raise HTTPException(status_code=401, detail="Permission denied")
     if not path.startswith(f"{user.username}/") and not user.is_admin:
         raise HTTPException(status_code=403, detail="Permission denied")
     
@@ -184,12 +212,24 @@ async def bundle_files(path: str, user: DBUserRecord = Depends(get_current_user)
     if not path == "" and path[0] == "/":   # adapt to both /path and path
         path = path[1:]
     
-    # TODO: maybe check permission here...
-
-    # return bundle of files
+    owner_records_cache = {}     # cache owner records, ID -> UserRecord
+    async def is_access_granted(file_record: FileDBRecord):
+        owner_id = file_record.owner_id
+        owner = owner_records_cache.get(owner_id, None)
+        if owner is None:
+            owner = await conn.user.get_user_by_id(owner_id)
+            assert owner is not None, f"File owner not found: id={owner_id}"
+            owner_records_cache[owner_id] = owner
+            
+        allow_access, _ = check_user_permission(user, owner, file_record)
+        return allow_access
+    
     files = await conn.file.list_path(path, flat = True)
+    files = [f for f in files if await is_access_granted(f)]
     if len(files) == 0:
         raise HTTPException(status_code=404, detail="No files found")
+
+    # return bundle of files
     total_size = sum([f.file_size for f in files])
     if total_size > MAX_BUNDLE_BYTES:
         raise HTTPException(status_code=400, detail="Too large to zip")
@@ -214,6 +254,47 @@ async def get_file_meta(path: str, user: DBUserRecord = Depends(get_current_user
         raise HTTPException(status_code=404, detail="File not found")
     return file_record
 
+@router_api.post("/fmeta")
+async def update_file_meta(
+    path: str, 
+    perm: Optional[int] = None, 
+    new_path: Optional[str] = None,
+    user: DBUserRecord = Depends(get_current_user)
+    ):
+    if user.id == 0:
+        raise HTTPException(status_code=401, detail="Permission denied")
+    path = ensure_uri_compnents(path)
+    file_record = await conn.file.get_file_record(path)
+    if not file_record:
+        logger.debug(f"Reject update meta request from {user.username} to {path}")
+        raise HTTPException(status_code=404, detail="File not found")
+    
+    if not (user.is_admin or user.id == file_record.owner_id):
+        logger.debug(f"Reject update meta request from {user.username} to {path}")
+        raise HTTPException(status_code=403, detail="Permission denied")
+    
+    if perm is not None:
+        logger.info(f"Update permission of {path} to {perm}")
+        await handle_exception(conn.file.set_file_record)(
+            url = file_record.url, 
+            permission = FileReadPermission(perm)
+        )
+    
+    if new_path is not None:
+        new_path = ensure_uri_compnents(new_path)
+        logger.info(f"Update path of {path} to {new_path}")
+        await handle_exception(conn.move_file)(path, new_path)
+
+    return Response(status_code=200, content="OK")
+    
+@router_api.get("/whoami")
+async def whoami(user: DBUserRecord = Depends(get_current_user)):
+    if user.id == 0:
+        raise HTTPException(status_code=401, detail="Login required")
+    user.credential = "__HIDDEN__"
+    return user
+
+
 # order matters
 app.include_router(router_api)
 app.include_router(router_fs)

{lfss-0.1.0.dist-info → lfss-0.2.3.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: lfss
-Version: 0.1.0
+Version: 0.2.3
 Summary: Lightweight file storage service
 Home-page: https://github.com/MenxLi/lfss
 Author: li, mengxun
@@ -18,6 +18,7 @@ Project-URL: Repository, https://github.com/MenxLi/lfss
 Description-Content-Type: text/markdown
 
 # Lightweight File Storage Service (LFSS)
+[![PyPI](https://img.shields.io/pypi/v/lfss)](https://pypi.org/project/lfss/)
 
 A lightweight file/object storage service!
 
@@ -28,15 +29,19 @@ lfss-user add <username> <password>
 lfss-serve
 ```
 
-By default, the data will be stored in the `.storage_data` directory, in a sqlite database.  
-The data storage can be set via environment variable `LFSS_DATA`.
+By default, the data will be stored in `.storage_data`. 
+You can change storage directory using the `LFSS_DATA` environment variable.
 
 I provide a simple client to interact with the service.  
-Just start a web server at `/frontend` and open `index.html` in your browser.
-
-Currently, there is no file access-control, anyone can access any file with `GET` request.  
-However, the path-listing is only available to the authenticated user (to their own files, under `<username>/`).  
+Just start a web server at `/frontend` and open `index.html` in your browser, or use:
+```sh
+lfss-panel
+```
 
 The API usage is simple, just `GET`, `PUT`, `DELETE` to the `/<username>/file/url` path.  
 Authentication is done via `Authorization` header, with the value `Bearer <token>`.  
-Please refer to `frontend` as an application example, and `frontend/api.js` for the API usage.
+You can refer to `frontend` as an application example, and `frontend/api.js` for the API usage.
+
+By default, the service exposes all files to the public for `GET` requests, 
+but file-listing is restricted to the user's own files.  
+Please refer to [docs/Permission.md](./docs/Permission.md) for more details on the permission system.

lfss-0.2.3.dist-info/RECORD

@@ -0,0 +1,24 @@
+Readme.md,sha256=HJTfAkTka7i9n8JaA_Sftn1RFOplCviJ16Rq4WsDOFc,1056
+docs/Known_issues.md,sha256=rfdG3j1OJF-59S9E06VPyn0nZKbW-ybPxkoZ7MEZWp8,81
+docs/Permission.md,sha256=EY1Y4tT5PDdHDb2pXsVgMAJXxkUihTZfPT0_z7Q53FA,1485
+frontend/api.js,sha256=D_MaQlmBGzzSR30a23Kh3DxPeF8MpKYe5uXSb9srRTU,7281
+frontend/index.html,sha256=2IOrJge3HmQLldKeqAI5Eqz2kkVr8NYlS434_9PwZ0I,2019
+frontend/popup.css,sha256=nbCHFZwt8XrCOODkxuYmLd14nKHAZsOZ5JLqUI6iTDQ,592
+frontend/popup.js,sha256=y4P1gaF05HwmhQZN-NRFYNbQ3zKBdoTXtTJpT3FTDQQ,2918
+frontend/scripts.js,sha256=L9lWhhprdAJOWSOCX9BywZzljm0yJ5PET5AaheCAGqg,16824
+frontend/styles.css,sha256=1klxag-IvfHm316Tj8CFHqJmhSCA3E6Pcdtj51mJMiY,3922
+frontend/utils.js,sha256=biE2te5ezswZyuwlDTYbHEt7VWKfCcUrusNt1lHjkLw,2263
+lfss/cli/panel.py,sha256=iGdVmdWYjA_7a78ZzWEB_3ggIOBeUKTzg6F5zLaB25c,1401
+lfss/cli/serve.py,sha256=bO3GT0kuylMGN-7bZWP4e71MlugGZ_lEMkYaYld_Ntg,985
+lfss/cli/user.py,sha256=906MIQO1mr4XXzPpT8Kfri1G61bWlgjDzIglxypQ7z0,3251
+lfss/src/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+lfss/src/config.py,sha256=rE2ZCpozSDqdFrVvpItfGb_O3wPh_ErotdLTZ1DA23s,280
+lfss/src/database.py,sha256=2ZgQGd6tDR6daXl3jOOBO1-mHEwNd809m16PopQ8DZg,27535
+lfss/src/error.py,sha256=S5ui3tJ0uKX4EZnt2Db-KbDmJXlECI_OY95cNMkuegc,218
+lfss/src/log.py,sha256=7mRHFwhx7GKtm_cRryoEIlRQhHTLQC3Qd-N81YsoKao,5174
+lfss/src/server.py,sha256=7fh2FLyyFeTgjgeM4GRtddVKUTb1qgzU0So0SOLcGB0,11488
+lfss/src/utils.py,sha256=MrjKc8W2Y7AbgVGadSNAA50tRMbGYWRrA4KUhOCwuUU,694
+lfss-0.2.3.dist-info/METADATA,sha256=YUcuXDq-7lTNFcMwMsxbp3uP3TcrjtDLBRUtDiackQQ,1715
+lfss-0.2.3.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
+lfss-0.2.3.dist-info/entry_points.txt,sha256=nUIJhenyZbcymvPVhrzV7SAtRhd7O52DflbRrpQUC04,110
+lfss-0.2.3.dist-info/RECORD,,

{lfss-0.1.0.dist-info → lfss-0.2.3.dist-info}/entry_points.txt

@@ -1,4 +1,5 @@
 [console_scripts]
+lfss-panel=lfss.cli.panel:main
 lfss-serve=lfss.cli.serve:main
 lfss-user=lfss.cli.user:main
 

lfss-0.1.0.dist-info/RECORD

@@ -1,12 +0,0 @@
-lfss/cli/serve.py,sha256=bO3GT0kuylMGN-7bZWP4e71MlugGZ_lEMkYaYld_Ntg,985
-lfss/cli/user.py,sha256=asf5NTDoRJdBos_TnM0olzbpUZ3P3OXbW3eQmZkMnBg,2542
-lfss/src/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-lfss/src/config.py,sha256=rE2ZCpozSDqdFrVvpItfGb_O3wPh_ErotdLTZ1DA23s,280
-lfss/src/database.py,sha256=5ePxvTB4vDQjiwTaTLkzXI_ld3jrjSrJyaHgG7aPIkk,21054
-lfss/src/log.py,sha256=7mRHFwhx7GKtm_cRryoEIlRQhHTLQC3Qd-N81YsoKao,5174
-lfss/src/server.py,sha256=YsHPXl7O29EmE5adthL6wta7haXj_qL3LdZMqFyi4rc,8090
-lfss/src/utils.py,sha256=MrjKc8W2Y7AbgVGadSNAA50tRMbGYWRrA4KUhOCwuUU,694
-lfss-0.1.0.dist-info/METADATA,sha256=-p8KgLhqqlaX38vdIa-m1aWfNfqVT-3KMI5ICKjqDtM,1604
-lfss-0.1.0.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
-lfss-0.1.0.dist-info/entry_points.txt,sha256=4OqcJpLk9bSW01R7AUeaE4j2CZkuNsgq1iZOYpkwxEA,79
-lfss-0.1.0.dist-info/RECORD,,