Public File Sharing (#72)

* Public File Sharing This implements public file sharing (read-only) with and without passwords (#57). It also fixes a problem with filenames including special characters like `#` not working properly (#71). You can share a directory or a single file, by using the new share icon on the right of the directories/files, and click on it to manage an existing file share (setting a new password, or deleting the file share). There is some other minor cleanup and other copy updates in the README. Closes #57 Fixes #71 * Hide UI elements when sharing isn't allowed
2025-06-20 12:04:16 +01:00
parent c7d6b8077b
commit 7fac7febcf
29 changed files with 1541 additions and 155 deletions
--- a/routes/api/files/create-share.tsx
+++ b/routes/api/files/create-share.tsx
@@ -0,0 +1,86 @@
+import { Handlers } from 'fresh/server.ts';
+
+import { Directory, DirectoryFile, FileShare, FreshContextState } from '/lib/types.ts';
+import { DirectoryModel, FileModel, FileShareModel, getPathInfo } from '/lib/models/files.ts';
+import { generateHash } from '/lib/utils/misc.ts';
+import { PASSWORD_SALT } from '/lib/auth.ts';
+import { AppConfig } from '/lib/config.ts';
+
+interface Data {}
+
+export interface RequestBody {
+  pathInView: string;
+  filePath: string;
+  password?: string;
+}
+
+export interface ResponseBody {
+  success: boolean;
+  newFiles: DirectoryFile[];
+  newDirectories: Directory[];
+  createdFileShareId: string;
+}
+
+export const handler: Handlers<Data, FreshContextState> = {
+  async POST(request, context) {
+    if (!context.state.user) {
+      return new Response('Unauthorized', { status: 401 });
+    }
+
+    const isPublicFileSharingAllowed = await AppConfig.isPublicFileSharingAllowed();
+
+    if (!isPublicFileSharingAllowed) {
+      return new Response('Forbidden', { status: 403 });
+    }
+
+    const requestBody = await request.clone().json() as RequestBody;
+
+    if (
+      !requestBody.filePath || !requestBody.pathInView || !requestBody.filePath.trim() ||
+      !requestBody.pathInView.trim() || !requestBody.filePath.startsWith('/') ||
+      requestBody.filePath.includes('../') || !requestBody.pathInView.startsWith('/') ||
+      requestBody.pathInView.includes('../')
+    ) {
+      return new Response('Bad Request', { status: 400 });
+    }
+
+    // Confirm the file path belongs to the user
+    const { isDirectory, isFile } = await getPathInfo(
+      context.state.user.id,
+      requestBody.filePath,
+    );
+
+    // Confirm the file path ends with a / if it's a directory, and doesn't end with a / if it's a file
+    if (isDirectory && !requestBody.filePath.endsWith('/')) {
+      requestBody.filePath = `${requestBody.filePath}/`;
+    } else if (isFile && requestBody.filePath.endsWith('/')) {
+      requestBody.filePath = requestBody.filePath.slice(0, -1);
+    }
+
+    const extra: FileShare['extra'] = {};
+
+    if (requestBody.password) {
+      extra.hashed_password = await generateHash(`${requestBody.password}:${PASSWORD_SALT}`, 'SHA-256');
+    }
+
+    const fileShare: Omit<FileShare, 'id' | 'created_at'> = {
+      user_id: context.state.user.id,
+      file_path: requestBody.filePath,
+      extra,
+    };
+
+    const createdFileShare = await FileShareModel.create(fileShare);
+
+    const newFiles = await FileModel.list(context.state.user.id, requestBody.pathInView);
+    const newDirectories = await DirectoryModel.list(context.state.user.id, requestBody.pathInView);
+
+    const responseBody: ResponseBody = {
+      success: true,
+      newFiles,
+      newDirectories,
+      createdFileShareId: createdFileShare.id,
+    };
+
+    return new Response(JSON.stringify(responseBody));
+  },
+};
--- a/routes/api/files/delete-share.tsx
+++ b/routes/api/files/delete-share.tsx
@@ -0,0 +1,56 @@
+import { Handlers } from 'fresh/server.ts';
+
+import { Directory, DirectoryFile, FreshContextState } from '/lib/types.ts';
+import { DirectoryModel, FileModel, FileShareModel } from '/lib/models/files.ts';
+import { AppConfig } from '/lib/config.ts';
+
+interface Data {}
+
+export interface RequestBody {
+  pathInView: string;
+  fileShareId: string;
+}
+
+export interface ResponseBody {
+  success: boolean;
+  newFiles: DirectoryFile[];
+  newDirectories: Directory[];
+}
+
+export const handler: Handlers<Data, FreshContextState> = {
+  async POST(request, context) {
+    if (!context.state.user) {
+      return new Response('Unauthorized', { status: 401 });
+    }
+
+    const isPublicFileSharingAllowed = await AppConfig.isPublicFileSharingAllowed();
+
+    if (!isPublicFileSharingAllowed) {
+      return new Response('Forbidden', { status: 403 });
+    }
+
+    const requestBody = await request.clone().json() as RequestBody;
+
+    if (
+      !requestBody.fileShareId || !requestBody.pathInView || !requestBody.pathInView.trim() ||
+      !requestBody.pathInView.startsWith('/') || requestBody.pathInView.includes('../')
+    ) {
+      return new Response('Bad Request', { status: 400 });
+    }
+
+    const fileShare = await FileShareModel.getById(requestBody.fileShareId);
+
+    if (!fileShare || fileShare.user_id !== context.state.user.id) {
+      return new Response('Not Found', { status: 404 });
+    }
+
+    await FileShareModel.delete(requestBody.fileShareId);
+
+    const newFiles = await FileModel.list(context.state.user.id, requestBody.pathInView);
+    const newDirectories = await DirectoryModel.list(context.state.user.id, requestBody.pathInView);
+
+    const responseBody: ResponseBody = { success: true, newFiles, newDirectories };
+
+    return new Response(JSON.stringify(responseBody));
+  },
+};
--- a/routes/api/files/get-share.tsx
+++ b/routes/api/files/get-share.tsx
@@ -0,0 +1,46 @@
+import { Handlers } from 'fresh/server.ts';
+
+import { FileShare, FreshContextState } from '/lib/types.ts';
+import { FileShareModel } from '/lib/models/files.ts';
+import { AppConfig } from '/lib/config.ts';
+
+interface Data {}
+
+export interface RequestBody {
+  fileShareId: string;
+}
+
+export interface ResponseBody {
+  success: boolean;
+  fileShare: FileShare;
+}
+
+export const handler: Handlers<Data, FreshContextState> = {
+  async POST(request, context) {
+    if (!context.state.user) {
+      return new Response('Unauthorized', { status: 401 });
+    }
+
+    const isPublicFileSharingAllowed = await AppConfig.isPublicFileSharingAllowed();
+
+    if (!isPublicFileSharingAllowed) {
+      return new Response('Forbidden', { status: 403 });
+    }
+
+    const requestBody = await request.clone().json() as RequestBody;
+
+    if (!requestBody.fileShareId) {
+      return new Response('Bad Request', { status: 400 });
+    }
+
+    const fileShare = await FileShareModel.getById(requestBody.fileShareId);
+
+    if (!fileShare || fileShare.user_id !== context.state.user.id) {
+      return new Response('Not Found', { status: 404 });
+    }
+
+    const responseBody: ResponseBody = { success: true, fileShare };
+
+    return new Response(JSON.stringify(responseBody));
+  },
+};
--- a/routes/api/files/update-share.tsx
+++ b/routes/api/files/update-share.tsx
@@ -0,0 +1,65 @@
+import { Handlers } from 'fresh/server.ts';
+
+import { Directory, DirectoryFile, FreshContextState } from '/lib/types.ts';
+import { DirectoryModel, FileModel, FileShareModel } from '/lib/models/files.ts';
+import { generateHash } from '/lib/utils/misc.ts';
+import { PASSWORD_SALT } from '/lib/auth.ts';
+import { AppConfig } from '/lib/config.ts';
+
+interface Data {}
+
+export interface RequestBody {
+  pathInView: string;
+  fileShareId: string;
+  password?: string;
+}
+
+export interface ResponseBody {
+  success: boolean;
+  newFiles: DirectoryFile[];
+  newDirectories: Directory[];
+}
+
+export const handler: Handlers<Data, FreshContextState> = {
+  async POST(request, context) {
+    if (!context.state.user) {
+      return new Response('Unauthorized', { status: 401 });
+    }
+
+    const isPublicFileSharingAllowed = await AppConfig.isPublicFileSharingAllowed();
+
+    if (!isPublicFileSharingAllowed) {
+      return new Response('Forbidden', { status: 403 });
+    }
+
+    const requestBody = await request.clone().json() as RequestBody;
+
+    if (
+      !requestBody.fileShareId || !requestBody.pathInView || !requestBody.pathInView.trim() ||
+      !requestBody.pathInView.startsWith('/') || requestBody.pathInView.includes('../')
+    ) {
+      return new Response('Bad Request', { status: 400 });
+    }
+
+    const fileShare = await FileShareModel.getById(requestBody.fileShareId);
+
+    if (!fileShare || fileShare.user_id !== context.state.user.id) {
+      return new Response('Not Found', { status: 404 });
+    }
+
+    if (requestBody.password) {
+      fileShare.extra.hashed_password = await generateHash(`${requestBody.password}:${PASSWORD_SALT}`, 'SHA-256');
+    } else {
+      delete fileShare.extra.hashed_password;
+    }
+
+    await FileShareModel.update(fileShare);
+
+    const newFiles = await FileModel.list(context.state.user.id, requestBody.pathInView);
+    const newDirectories = await DirectoryModel.list(context.state.user.id, requestBody.pathInView);
+
+    const responseBody: ResponseBody = { success: true, newFiles, newDirectories };
+
+    return new Response(JSON.stringify(responseBody));
+  },
+};
--- a/routes/file-share/[fileShareId].tsx
+++ b/routes/file-share/[fileShareId].tsx
@@ -0,0 +1,133 @@
+import { Handlers, PageProps } from 'fresh/server.ts';
+import { join } from 'std/path/join.ts';
+
+import { Directory, DirectoryFile, FreshContextState } from '/lib/types.ts';
+import {
+  DirectoryModel,
+  ensureFileSharePathIsValidAndSecurelyAccessible,
+  FileModel,
+  FileShareModel,
+} from '/lib/models/files.ts';
+import { AppConfig } from '/lib/config.ts';
+import FilesWrapper from '/islands/files/FilesWrapper.tsx';
+
+interface Data {
+  shareDirectories: Directory[];
+  shareFiles: DirectoryFile[];
+  currentPath: string;
+  baseUrl: string;
+  fileShareId?: string;
+}
+
+export const handler: Handlers<Data, FreshContextState> = {
+  async GET(request, context) {
+    const { fileShareId } = context.params;
+
+    if (!fileShareId) {
+      return new Response('Not Found', { status: 404 });
+    }
+
+    const isPublicFileSharingAllowed = await AppConfig.isPublicFileSharingAllowed();
+
+    if (!isPublicFileSharingAllowed) {
+      return new Response('Not Found', { status: 404 });
+    }
+
+    const baseUrl = (await AppConfig.getConfig()).auth.baseUrl;
+
+    const fileShare = await FileShareModel.getById(fileShareId);
+
+    if (!fileShare) {
+      return new Response('Not Found', { status: 404 });
+    }
+
+    const searchParams = new URL(request.url).searchParams;
+
+    let currentPath = searchParams.get('path') || '/';
+
+    // Send invalid paths back to root
+    if (!currentPath.startsWith('/') || currentPath.includes('../')) {
+      currentPath = '/';
+    }
+
+    // Always append a trailing slash
+    if (!currentPath.endsWith('/')) {
+      currentPath = `${currentPath}/`;
+    }
+
+    // Confirm that currentPath is not _outside_ the fileShare.file_path
+    await ensureFileSharePathIsValidAndSecurelyAccessible(fileShare.user_id, fileShare.file_path, currentPath);
+
+    const isFileSharePathDirectory = fileShare.file_path.endsWith('/');
+
+    currentPath = isFileSharePathDirectory ? join(fileShare.file_path, currentPath) : fileShare.file_path;
+
+    const isFilePathDirectory = currentPath.endsWith('/');
+
+    const fileSharePathDirectory = isFileSharePathDirectory
+      ? fileShare.file_path
+      : `${fileShare.file_path.split('/').slice(0, -1).join('/')}/`;
+
+    const filePathDirectory = isFilePathDirectory ? currentPath : `${currentPath.split('/').slice(0, -1).join('/')}/`;
+
+    // Does the file share require a password? If so, redirect to the verification page
+    if (fileShare.extra.hashed_password) {
+      const { fileShareId: fileShareIdFromSession, hashedPassword: hashedPasswordFromSession } =
+        (await FileShareModel.getDataFromRequest(request)) || {};
+
+      if (
+        !fileShareIdFromSession || fileShareIdFromSession !== fileShareId ||
+        hashedPasswordFromSession !== fileShare.extra.hashed_password
+      ) {
+        return new Response('Redirect', { status: 303, headers: { 'Location': `/file-share/${fileShareId}/verify` } });
+      }
+    }
+
+    let shareDirectories = await DirectoryModel.list(
+      fileShare.user_id,
+      isFilePathDirectory ? currentPath : filePathDirectory,
+    );
+
+    let shareFiles = await FileModel.list(fileShare.user_id, isFilePathDirectory ? currentPath : filePathDirectory);
+
+    if (!isFileSharePathDirectory) {
+      shareDirectories = shareDirectories.filter((directory) =>
+        directory.directory_name === currentPath.split('/').pop()
+      );
+      shareFiles = shareFiles.filter((file) => file.file_name === currentPath.split('/').pop());
+    }
+
+    // Remove the filePathDirectory from the directories' paths, and set has_write_access to false
+    shareDirectories = shareDirectories.map((directory) => ({
+      ...directory,
+      has_write_access: false,
+      parent_path: directory.parent_path.replace(fileSharePathDirectory, '/'),
+    }));
+
+    // Remove the filePathDirectory from the files' paths, and set has_write_access to false
+    shareFiles = shareFiles.map((file) => ({
+      ...file,
+      has_write_access: false,
+      parent_path: file.parent_path.replace(fileSharePathDirectory, '/'),
+    }));
+
+    const publicCurrentPath = currentPath.replace(fileShare.file_path, '/');
+
+    return await context.render({ shareDirectories, shareFiles, currentPath: publicCurrentPath, baseUrl, fileShareId });
+  },
+};
+
+export default function FilesPage({ data }: PageProps<Data, FreshContextState>) {
+  return (
+    <main>
+      <FilesWrapper
+        initialDirectories={data.shareDirectories}
+        initialFiles={data.shareFiles}
+        initialPath={data.currentPath}
+        baseUrl={data.baseUrl}
+        isFileSharingAllowed
+        fileShareId={data.fileShareId}
+      />
+    </main>
+  );
+}
--- a/routes/file-share/[fileShareId]/open/[fileName].tsx
+++ b/routes/file-share/[fileShareId]/open/[fileName].tsx
@@ -0,0 +1,82 @@
+import { Handlers } from 'fresh/server.ts';
+import { join } from 'std/path/join.ts';
+
+import { FreshContextState } from '/lib/types.ts';
+import { ensureFileSharePathIsValidAndSecurelyAccessible, FileModel, FileShareModel } from '/lib/models/files.ts';
+import { AppConfig } from '/lib/config.ts';
+
+interface Data {}
+
+export const handler: Handlers<Data, FreshContextState> = {
+  async GET(request, context) {
+    const { fileShareId, fileName } = context.params;
+
+    if (!fileShareId || !fileName) {
+      return new Response('Not Found', { status: 404 });
+    }
+
+    const isPublicFileSharingAllowed = await AppConfig.isPublicFileSharingAllowed();
+
+    if (!isPublicFileSharingAllowed) {
+      return new Response('Not Found', { status: 404 });
+    }
+
+    const fileShare = await FileShareModel.getById(fileShareId);
+
+    if (!fileShare) {
+      return new Response('Not Found', { status: 404 });
+    }
+
+    if (fileShare.extra.hashed_password) {
+      const { fileShareId: fileShareIdFromSession, hashedPassword: hashedPasswordFromSession } =
+        (await FileShareModel.getDataFromRequest(request)) || {};
+
+      if (
+        !fileShareIdFromSession || fileShareIdFromSession !== fileShareId ||
+        hashedPasswordFromSession !== fileShare.extra.hashed_password
+      ) {
+        return new Response('Redirect', { status: 303, headers: { 'Location': `/file-share/${fileShareId}/verify` } });
+      }
+    }
+
+    const searchParams = new URL(request.url).searchParams;
+
+    let currentPath = searchParams.get('path') || '/';
+
+    // Send invalid paths back to root
+    if (!currentPath.startsWith('/') || currentPath.includes('../')) {
+      currentPath = '/';
+    }
+
+    // Always append a trailing slash
+    if (!currentPath.endsWith('/')) {
+      currentPath = `${currentPath}/`;
+    }
+
+    // Confirm that currentPath is not _outside_ the fileShare.file_path
+    await ensureFileSharePathIsValidAndSecurelyAccessible(fileShare.user_id, fileShare.file_path, currentPath);
+
+    const isFileSharePathDirectory = fileShare.file_path.endsWith('/');
+
+    const fileSharePathDirectory = isFileSharePathDirectory
+      ? fileShare.file_path
+      : `${fileShare.file_path.split('/').slice(0, -1).join('/')}/`;
+
+    currentPath = isFileSharePathDirectory ? join(fileShare.file_path, currentPath) : fileSharePathDirectory;
+
+    const fileResult = await FileModel.get(fileShare.user_id, currentPath, decodeURIComponent(fileName));
+
+    if (!fileResult.success) {
+      return new Response('Not Found', { status: 404 });
+    }
+
+    return new Response(fileResult.contents!, {
+      status: 200,
+      headers: {
+        'cache-control': 'no-cache, no-store, must-revalidate',
+        'content-type': fileResult.contentType!,
+        'content-length': fileResult.byteSize!.toString(),
+      },
+    });
+  },
+};
--- a/routes/file-share/[fileShareId]/verify.tsx
+++ b/routes/file-share/[fileShareId]/verify.tsx
@@ -0,0 +1,107 @@
+import { Handlers, PageProps } from 'fresh/server.ts';
+
+import { FreshContextState } from '/lib/types.ts';
+import { getFormDataField } from '/lib/form-utils.tsx';
+import { AppConfig } from '/lib/config.ts';
+import { FileShareModel } from '/lib/models/files.ts';
+import { generateHash } from '/lib/utils/misc.ts';
+import { PASSWORD_SALT } from '/lib/auth.ts';
+import ShareVerifyForm from '/components/files/ShareVerifyForm.tsx';
+
+interface Data {
+  error?: {
+    title: string;
+    message: string;
+  };
+}
+
+export const handler: Handlers<Data, FreshContextState> = {
+  async GET(request, context) {
+    const { fileShareId } = context.params;
+
+    if (!fileShareId) {
+      return new Response('Not Found', { status: 404 });
+    }
+
+    const isPublicFileSharingAllowed = await AppConfig.isPublicFileSharingAllowed();
+
+    if (!isPublicFileSharingAllowed) {
+      return new Response('Not Found', { status: 404 });
+    }
+
+    const fileShare = await FileShareModel.getById(fileShareId);
+
+    if (!fileShare) {
+      return new Response('Not Found', { status: 404 });
+    }
+
+    if (!fileShare.extra.hashed_password) {
+      return new Response('Redirect', { status: 303, headers: { 'Location': `/file-share/${fileShareId}` } });
+    }
+
+    return await context.render({});
+  },
+  async POST(request, context) {
+    const { fileShareId } = context.params;
+
+    if (!fileShareId) {
+      return new Response('Not Found', { status: 404 });
+    }
+
+    const isPublicFileSharingAllowed = await AppConfig.isPublicFileSharingAllowed();
+
+    if (!isPublicFileSharingAllowed) {
+      return new Response('Not Found', { status: 404 });
+    }
+
+    const fileShare = await FileShareModel.getById(fileShareId);
+
+    if (!fileShare) {
+      return new Response('Not Found', { status: 404 });
+    }
+
+    if (!fileShare.extra.hashed_password) {
+      return new Response('Redirect', { status: 303, headers: { 'Location': `/file-share/${fileShareId}` } });
+    }
+
+    try {
+      const formData = await request.formData();
+      const password = getFormDataField(formData, 'password');
+
+      if (!password) {
+        throw new Error('Password is required');
+      }
+
+      const hashedPassword = await generateHash(`${password}:${PASSWORD_SALT}`, 'SHA-256');
+
+      if (hashedPassword !== fileShare.extra.hashed_password) {
+        throw new Error('Invalid password');
+      }
+
+      const response = new Response('Redirect', { status: 303, headers: { 'Location': `/file-share/${fileShareId}` } });
+
+      return await FileShareModel.createSessionCookie(request, response, fileShareId, hashedPassword);
+    } catch (error) {
+      console.error('File share verification error:', error);
+
+      return await context.render({
+        error: {
+          title: 'Verification Failed',
+          message: (error as Error).message,
+        },
+      });
+    }
+  },
+};
+
+export default function ShareVerifyPage({ data }: PageProps<Data, FreshContextState>) {
+  return (
+    <main>
+      <section class='max-w-screen-md mx-auto flex flex-col items-center justify-center'>
+        <ShareVerifyForm
+          error={data.error}
+        />
+      </section>
+    </main>
+  );
+}
--- a/routes/files.tsx
+++ b/routes/files.tsx
@@ -10,6 +10,7 @@ interface Data {
  userFiles: DirectoryFile[];
  currentPath: string;
  baseUrl: string;
+  isFileSharingAllowed: boolean;
 }

 export const handler: Handlers<Data, FreshContextState> = {
@@ -38,7 +39,15 @@ export const handler: Handlers<Data, FreshContextState> = {

    const userFiles = await FileModel.list(context.state.user.id, currentPath);

-    return await context.render({ userDirectories, userFiles, currentPath, baseUrl });
+    const isPublicFileSharingAllowed = await AppConfig.isPublicFileSharingAllowed();
+
+    return await context.render({
+      userDirectories,
+      userFiles,
+      currentPath,
+      baseUrl,
+      isFileSharingAllowed: isPublicFileSharingAllowed,
+    });
  },
 };

@@ -50,6 +59,7 @@ export default function FilesPage({ data }: PageProps<Data, FreshContextState>)
        initialFiles={data.userFiles}
        initialPath={data.currentPath}
        baseUrl={data.baseUrl}
+        isFileSharingAllowed={data.isFileSharingAllowed}
      />
    </main>
  );