feat: allow to password protect shares (#1252)

This changes allows to password protect shares. It works by: * Allowing to optionally pass a password when creating a share * If set, the password + salt that is configured via a new flag will be hashed via bcrypt and the hash stored together with the rest of the share * Additionally, a random 96 byte long token gets generated and stored as part of the share * When the backend retrieves an unauthenticated request for a share that has authentication configured, it will return a http 401 * The frontend detects this and will show a login prompt * The actual download links are protected via an url arg that contains the previously generated token. This allows us to avoid buffering the download in the browser and allows pasting the link without breaking it
2026-01-23 02:35:10 +00:00 · 2021-03-02 06:00:18 -05:00 · 2021-03-02 06:00:18 -05:00 · d8f415f8ab
commit d8f415f8ab
parent 977ec33918
22 changed files with 340 additions and 41 deletions
--- a/http/data.go
+++ b/http/data.go
@ -51,7 +51,7 @@ func handle(fn handleFunc, prefix string, store *storage.Storage, server *settin
 	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		settings, err := store.Settings.Get()
 		if err != nil {
-			log.Fatalln("ERROR: couldn't get settings")
+			log.Fatalf("ERROR: couldn't get settings: %v\n", err)
 			return
 		}

--- a/http/public.go
+++ b/http/public.go
@ -1,14 +1,17 @@
 package http

 import (
+	"errors"
 	"net/http"
 	"path"
 	"path/filepath"
 	"strings"

 	"github.com/spf13/afero"
+	"golang.org/x/crypto/bcrypt"

 	"github.com/filebrowser/filebrowser/v2/files"
+	"github.com/filebrowser/filebrowser/v2/share"
 )

 var withHashFile = func(fn handleFunc) handleFunc {
@ -19,6 +22,11 @@ var withHashFile = func(fn handleFunc) handleFunc {
 			return errToStatus(err), err
 		}

+		status, err := authenticateShareRequest(r, link)
+		if status != 0 || err != nil {
+			return status, err
+		}
+
 		user, err := d.store.Users.Get(d.server.Root, link.UserID)
 		if err != nil {
 			return errToStatus(err), err
@ -33,6 +41,7 @@ var withHashFile = func(fn handleFunc) handleFunc {
 			Expand:     true,
 			ReadHeader: d.server.TypeDetectionByHeader,
 			Checker:    d,
+			Token:      link.Token,
 		})
 		if err != nil {
 			return errToStatus(err), err
@ -48,6 +57,7 @@ var withHashFile = func(fn handleFunc) handleFunc {
 				Modify:  d.user.Perm.Modify,
 				Expand:  true,
 				Checker: d,
+				Token:   link.Token,
 			})
 			if err != nil {
 				return errToStatus(err), err
@ -94,3 +104,26 @@ var publicDlHandler = withHashFile(func(w http.ResponseWriter, r *http.Request,

 	return rawDirHandler(w, r, d, file)
 })
+
+func authenticateShareRequest(r *http.Request, l *share.Link) (int, error) {
+	if l.PasswordHash == "" {
+		return 0, nil
+	}
+
+	if r.URL.Query().Get("token") == l.Token {
+		return 0, nil
+	}
+
+	password := r.Header.Get("X-SHARE-PASSWORD")
+	if password == "" {
+		return http.StatusUnauthorized, nil
+	}
+	if err := bcrypt.CompareHashAndPassword([]byte(l.PasswordHash), []byte(password)); err != nil {
+		if errors.Is(err, bcrypt.ErrMismatchedHashAndPassword) {
+			return http.StatusUnauthorized, nil
+		}
+		return 0, err
+	}
+
+	return 0, nil
+}
--- a/http/public_test.go
+++ b/http/public_test.go
@ -0,0 +1,136 @@
+package http
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"path/filepath"
+	"testing"
+
+	"github.com/asdine/storm"
+	"github.com/spf13/afero"
+
+	"github.com/filebrowser/filebrowser/v2/settings"
+	"github.com/filebrowser/filebrowser/v2/share"
+	"github.com/filebrowser/filebrowser/v2/storage/bolt"
+	"github.com/filebrowser/filebrowser/v2/users"
+)
+
+func TestPublicShareHandlerAuthentication(t *testing.T) {
+	t.Parallel()
+
+	const passwordBcrypt = "$2y$10$TFAmdCbyd/mEZDe5fUeZJu.MaJQXRTwdqb/IQV.eTn6dWrF58gCSe" //nolint:gosec
+	testCases := map[string]struct {
+		share              *share.Link
+		req                *http.Request
+		expectedStatusCode int
+	}{
+		"Public share, no auth required": {
+			share:              &share.Link{Hash: "h", UserID: 1},
+			req:                newHTTPRequest(t),
+			expectedStatusCode: 200,
+		},
+		"Private share, no auth provided, 401": {
+			share:              &share.Link{Hash: "h", UserID: 1, PasswordHash: passwordBcrypt, Token: "123"},
+			req:                newHTTPRequest(t),
+			expectedStatusCode: 401,
+		},
+		"Private share, authentication via token": {
+			share:              &share.Link{Hash: "h", UserID: 1, PasswordHash: passwordBcrypt, Token: "123"},
+			req:                newHTTPRequest(t, func(r *http.Request) { r.URL.RawQuery = "token=123" }),
+			expectedStatusCode: 200,
+		},
+		"Private share, authentication via invalid token, 401": {
+			share:              &share.Link{Hash: "h", UserID: 1, PasswordHash: passwordBcrypt, Token: "123"},
+			req:                newHTTPRequest(t, func(r *http.Request) { r.URL.RawQuery = "token=1234" }),
+			expectedStatusCode: 401,
+		},
+		"Private share, authentication via password": {
+			share:              &share.Link{Hash: "h", UserID: 1, PasswordHash: passwordBcrypt, Token: "123"},
+			req:                newHTTPRequest(t, func(r *http.Request) { r.Header.Set("X-SHARE-PASSWORD", "password") }),
+			expectedStatusCode: 200,
+		},
+		"Private share, authentication via invalid password, 401": {
+			share:              &share.Link{Hash: "h", UserID: 1, PasswordHash: passwordBcrypt, Token: "123"},
+			req:                newHTTPRequest(t, func(r *http.Request) { r.Header.Set("X-SHARE-PASSWORD", "wrong-password") }),
+			expectedStatusCode: 401,
+		},
+	}
+
+	for name, tc := range testCases {
+		for handlerName, handler := range map[string]handleFunc{"public share handler": publicShareHandler, "public dl handler": publicDlHandler} {
+			name, tc, handlerName, handler := name, tc, handlerName, handler
+			t.Run(fmt.Sprintf("%s: %s", handlerName, name), func(t *testing.T) {
+				t.Parallel()
+
+				dbPath := filepath.Join(t.TempDir(), "db")
+				db, err := storm.Open(dbPath)
+				if err != nil {
+					t.Fatalf("failed to open db: %v", err)
+				}
+
+				t.Cleanup(func() {
+					if err := db.Close(); err != nil { //nolint:shadow
+						t.Errorf("failed to close db: %v", err)
+					}
+				})
+
+				storage, err := bolt.NewStorage(db)
+				if err != nil {
+					t.Fatalf("failed to get storage: %v", err)
+				}
+				if err := storage.Share.Save(tc.share); err != nil {
+					t.Fatalf("failed to save share: %v", err)
+				}
+				if err := storage.Users.Save(&users.User{Username: "username", Password: "pw"}); err != nil {
+					t.Fatalf("failed to save user: %v", err)
+				}
+				if err := storage.Settings.Save(&settings.Settings{Key: []byte("key")}); err != nil {
+					t.Fatalf("failed to save settings: %v", err)
+				}
+
+				storage.Users = &customFSUser{
+					Store: storage.Users,
+					fs:    &afero.MemMapFs{},
+				}
+
+				recorder := httptest.NewRecorder()
+				handler := handle(handler, "", storage, &settings.Server{})
+
+				handler.ServeHTTP(recorder, tc.req)
+				result := recorder.Result()
+				defer result.Body.Close()
+				if result.StatusCode != tc.expectedStatusCode {
+					t.Errorf("expected status code %d, got status code %d", tc.expectedStatusCode, result.StatusCode)
+				}
+			})
+		}
+	}
+}
+
+func newHTTPRequest(t *testing.T, requestModifiers ...func(*http.Request)) *http.Request {
+	t.Helper()
+	r, err := http.NewRequest(http.MethodGet, "h", nil)
+	if err != nil {
+		t.Fatalf("failed to construct request: %v", err)
+	}
+	for _, modify := range requestModifiers {
+		modify(r)
+	}
+	return r
+}
+
+type customFSUser struct {
+	users.Store
+	fs afero.Fs
+}
+
+func (cu *customFSUser) Get(baseScope string, id interface{}) (*users.User, error) {
+	user, err := cu.Store.Get(baseScope, id)
+	if err != nil {
+		return nil, err
+	}
+	user.Fs = cu.fs
+
+	return user, nil
+}
--- a/http/share.go
+++ b/http/share.go
@ -3,6 +3,8 @@ package http
 import (
 	"crypto/rand"
 	"encoding/base64"
+	"encoding/json"
+	"fmt"
 	"net/http"
 	"path"
 	"sort"
@ -10,6 +12,8 @@ import (
 	"strings"
 	"time"

+	"golang.org/x/crypto/bcrypt"
+
 	"github.com/filebrowser/filebrowser/v2/errors"
 	"github.com/filebrowser/filebrowser/v2/share"
 )
@ -79,10 +83,15 @@ var shareDeleteHandler = withPermShare(func(w http.ResponseWriter, r *http.Reque

 var sharePostHandler = withPermShare(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
 	var s *share.Link
-	rawExpire := r.URL.Query().Get("expires")
-	unit := r.URL.Query().Get("unit")
+	var body share.CreateBody
+	if r.Body != nil {
+		if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+			return http.StatusBadRequest, fmt.Errorf("failed to decode body: %w", err)
+		}
+		defer r.Body.Close()
+	}

-	if rawExpire == "" {
+	if body.Expires == "" {
 		var err error
 		s, err = d.store.Share.GetPermanent(r.URL.Path, d.user.ID)
 		if err == nil {
@ -103,14 +112,15 @@ var sharePostHandler = withPermShare(func(w http.ResponseWriter, r *http.Request

 	var expire int64 = 0

-	if rawExpire != "" {
-		num, err := strconv.Atoi(rawExpire)
+	if body.Expires != "" {
+		//nolint:govet
+		num, err := strconv.Atoi(body.Expires)
 		if err != nil {
 			return http.StatusInternalServerError, err
 		}

 		var add time.Duration
-		switch unit {
+		switch body.Unit {
 		case "seconds":
 			add = time.Second * time.Duration(num)
 		case "minutes":
@ -124,11 +134,27 @@ var sharePostHandler = withPermShare(func(w http.ResponseWriter, r *http.Request
 		expire = time.Now().Add(add).Unix()
 	}

+	hash, status, err := getSharePasswordHash(body)
+	if err != nil {
+		return status, err
+	}
+
+	var token string
+	if len(hash) > 0 {
+		tokenBuffer := make([]byte, 96)
+		if _, err := rand.Read(tokenBuffer); err != nil {
+			return http.StatusInternalServerError, err
+		}
+		token = base64.URLEncoding.EncodeToString(tokenBuffer)
+	}
+
 	s = &share.Link{
-		Path:   r.URL.Path,
-		Hash:   str,
-		Expire: expire,
-		UserID: d.user.ID,
+		Path:         r.URL.Path,
+		Hash:         str,
+		Expire:       expire,
+		UserID:       d.user.ID,
+		PasswordHash: string(hash),
+		Token:        token,
 	}

 	if err := d.store.Share.Save(s); err != nil {
@ -137,3 +163,16 @@ var sharePostHandler = withPermShare(func(w http.ResponseWriter, r *http.Request

 	return renderJSON(w, r, s)
 })
+
+func getSharePasswordHash(body share.CreateBody) (data []byte, statuscode int, err error) {
+	if body.Password == "" {
+		return nil, 0, nil
+	}
+
+	hash, err := bcrypt.GenerateFromPassword([]byte(body.Password), bcrypt.DefaultCost)
+	if err != nil {
+		return nil, http.StatusInternalServerError, fmt.Errorf("failed to hash password: %w", err)
+	}
+
+	return hash, 0, nil
+}