sftpgo/httpd/middleware.go

package httpd

import (
	"errors"
	"net/http"
	"runtime/debug"

	"github.com/go-chi/chi/v5/middleware"
	"github.com/go-chi/jwtauth/v5"
	"github.com/lestrrat-go/jwx/jwt"

	"github.com/drakkan/sftpgo/logger"
	"github.com/drakkan/sftpgo/utils"
)

var (
	forwardedProtoKey = &contextKey{"forwarded proto"}
	errInvalidToken   = errors.New("invalid JWT token")
)

type contextKey struct {
	name string
}

func (k *contextKey) String() string {
	return "context value " + k.name
}

func validateJWTToken(w http.ResponseWriter, r *http.Request, audience tokenAudience) error {
	token, _, err := jwtauth.FromContext(r.Context())

	var redirectPath string
	if audience == tokenAudienceWebAdmin {
		redirectPath = webLoginPath
	} else {
		redirectPath = webClientLoginPath
	}

	isAPIToken := (audience == tokenAudienceAPI || audience == tokenAudienceAPIUser)

	if err != nil || token == nil {
		logger.Debug(logSender, "", "error getting jwt token: %v", err)
		if isAPIToken {
			sendAPIResponse(w, r, err, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
		} else {
			http.Redirect(w, r, redirectPath, http.StatusFound)
		}
		return errInvalidToken
	}

	err = jwt.Validate(token)
	if err != nil {
		logger.Debug(logSender, "", "error validating jwt token: %v", err)
		if isAPIToken {
			sendAPIResponse(w, r, err, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
		} else {
			http.Redirect(w, r, redirectPath, http.StatusFound)
		}
		return errInvalidToken
	}
	if !utils.IsStringInSlice(audience, token.Audience()) {
		logger.Debug(logSender, "", "the token is not valid for audience %#v", audience)
		if isAPIToken {
			sendAPIResponse(w, r, nil, "Your token audience is not valid", http.StatusUnauthorized)
		} else {
			http.Redirect(w, r, redirectPath, http.StatusFound)
		}
		return errInvalidToken
	}
	if isTokenInvalidated(r) {
		logger.Debug(logSender, "", "the token has been invalidated")
		if isAPIToken {
			sendAPIResponse(w, r, nil, "Your token is no longer valid", http.StatusUnauthorized)
		} else {
			http.Redirect(w, r, redirectPath, http.StatusFound)
		}
		return errInvalidToken
	}
	return nil
}

func jwtAuthenticatorAPI(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := validateJWTToken(w, r, tokenAudienceAPI); err != nil {
			return
		}

		// Token is authenticated, pass it through
		next.ServeHTTP(w, r)
	})
}

func jwtAuthenticatorAPIUser(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := validateJWTToken(w, r, tokenAudienceAPIUser); err != nil {
			return
		}

		// Token is authenticated, pass it through
		next.ServeHTTP(w, r)
	})
}

func jwtAuthenticatorWebAdmin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := validateJWTToken(w, r, tokenAudienceWebAdmin); err != nil {
			return
		}

		// Token is authenticated, pass it through
		next.ServeHTTP(w, r)
	})
}

func jwtAuthenticatorWebClient(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := validateJWTToken(w, r, tokenAudienceWebClient); err != nil {
			return
		}

		// Token is authenticated, pass it through
		next.ServeHTTP(w, r)
	})
}

//nolint:unparam
func checkHTTPUserPerm(perm string) func(next http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			_, claims, err := jwtauth.FromContext(r.Context())
			if err != nil {
				if isWebRequest(r) {
					renderClientBadRequestPage(w, r, err)
				} else {
					sendAPIResponse(w, r, err, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
				}
				return
			}
			tokenClaims := jwtTokenClaims{}
			tokenClaims.Decode(claims)
			// for web client perms are negated and not granted
			if tokenClaims.hasPerm(perm) {
				if isWebRequest(r) {
					renderClientForbiddenPage(w, r, "You don't have permission for this action")
				} else {
					sendAPIResponse(w, r, nil, http.StatusText(http.StatusForbidden), http.StatusForbidden)
				}
				return
			}

			next.ServeHTTP(w, r)
		})
	}
}

func checkPerm(perm string) func(next http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			_, claims, err := jwtauth.FromContext(r.Context())
			if err != nil {
				if isWebRequest(r) {
					renderBadRequestPage(w, r, err)
				} else {
					sendAPIResponse(w, r, err, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
				}
				return
			}
			tokenClaims := jwtTokenClaims{}
			tokenClaims.Decode(claims)

			if !tokenClaims.hasPerm(perm) {
				if isWebRequest(r) {
					renderForbiddenPage(w, r, "You don't have permission for this action")
				} else {
					sendAPIResponse(w, r, nil, http.StatusText(http.StatusForbidden), http.StatusForbidden)
				}
				return
			}

			next.ServeHTTP(w, r)
		})
	}
}

func verifyCSRFHeader(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tokenString := r.Header.Get(csrfHeaderToken)
		token, err := jwtauth.VerifyToken(csrfTokenAuth, tokenString)
		if err != nil || token == nil {
			logger.Debug(logSender, "", "error validating CSRF header: %v", err)
			sendAPIResponse(w, r, err, "Invalid token", http.StatusForbidden)
			return
		}

		if !utils.IsStringInSlice(tokenAudienceCSRF, token.Audience()) {
			logger.Debug(logSender, "", "error validating CSRF header audience")
			sendAPIResponse(w, r, errors.New("the token is not valid"), "", http.StatusForbidden)
			return
		}

		next.ServeHTTP(w, r)
	})
}

func recoverer(next http.Handler) http.Handler {
	fn := func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if rvr := recover(); rvr != nil {
				if rvr == http.ErrAbortHandler {
					panic(rvr)
				}

				logEntry := middleware.GetLogEntry(r)
				if logEntry != nil {
					logEntry.Panic(rvr, debug.Stack())
				} else {
					middleware.PrintPrettyStack(rvr)
				}

				w.WriteHeader(http.StatusInternalServerError)
			}
		}()

		next.ServeHTTP(w, r)
	}

	return http.HandlerFunc(fn)
}
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197 2021-01-17 21:29:08 +00:00			`package httpd`

			`import (`
web admin: add CSRF 2021-02-03 07:55:28 +00:00			`"errors"`
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197 2021-01-17 21:29:08 +00:00			`"net/http"`
webclient: allow to download multiple files as zip 2021-05-30 21:07:46 +00:00			`"runtime/debug"`
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197 2021-01-17 21:29:08 +00:00
webclient: allow to download multiple files as zip 2021-05-30 21:07:46 +00:00			`"github.com/go-chi/chi/v5/middleware"`
update jwtauth to v5 2021-03-05 17:50:45 +00:00			`"github.com/go-chi/jwtauth/v5"`
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197 2021-01-17 21:29:08 +00:00			`"github.com/lestrrat-go/jwx/jwt"`

			`"github.com/drakkan/sftpgo/logger"`
JWT: add token audience a token released for API audience cannot be used for web pages and vice-versa 2021-02-02 08:14:10 +00:00			`"github.com/drakkan/sftpgo/utils"`
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197 2021-01-17 21:29:08 +00:00			`)`

add a basic front-end web interface for end-users Fixes #339 #321 #398 2021-05-06 19:35:43 +00:00			`var (`
httpd/webdav: add a list of hosts allowed to send proxy headers X-Forwarded-For, X-Real-IP and X-Forwarded-Proto headers will be ignored for hosts not included in this list. This is a backward incompatible change, before the proxy headers were always used 2021-05-11 04:54:06 +00:00			`forwardedProtoKey = &contextKey{"forwarded proto"}`
			`errInvalidToken = errors.New("invalid JWT token")`
add a basic front-end web interface for end-users Fixes #339 #321 #398 2021-05-06 19:35:43 +00:00			`)`
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197 2021-01-17 21:29:08 +00:00
web admin: add CSRF 2021-02-03 07:55:28 +00:00			`type contextKey struct {`
			`name string`
			`}`

			`func (k *contextKey) String() string {`
			`return "context value " + k.name`
			`}`
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197 2021-01-17 21:29:08 +00:00
add a basic front-end web interface for end-users Fixes #339 #321 #398 2021-05-06 19:35:43 +00:00			`func validateJWTToken(w http.ResponseWriter, r *http.Request, audience tokenAudience) error {`
			`token, _, err := jwtauth.FromContext(r.Context())`

			`var redirectPath string`
			`if audience == tokenAudienceWebAdmin {`
			`redirectPath = webLoginPath`
			`} else {`
			`redirectPath = webClientLoginPath`
			`}`
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197 2021-01-17 21:29:08 +00:00
OpenAPI: add users API These new APIs match the web client features. I'm aware that some API do not follow REST best practises. I want to avoid things likes "/user/folders/<path>" where "path" must be encoded and making it optional create issues, so I defined resources as query parameters instead of path parameters 2021-06-05 14:07:09 +00:00			`isAPIToken := (audience == tokenAudienceAPI \|\| audience == tokenAudienceAPIUser)`

add a basic front-end web interface for end-users Fixes #339 #321 #398 2021-05-06 19:35:43 +00:00			`if err != nil \|\| token == nil {`
			`logger.Debug(logSender, "", "error getting jwt token: %v", err)`
OpenAPI: add users API These new APIs match the web client features. I'm aware that some API do not follow REST best practises. I want to avoid things likes "/user/folders/<path>" where "path" must be encoded and making it optional create issues, so I defined resources as query parameters instead of path parameters 2021-06-05 14:07:09 +00:00			`if isAPIToken {`
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197 2021-01-17 21:29:08 +00:00			`sendAPIResponse(w, r, err, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)`
add a basic front-end web interface for end-users Fixes #339 #321 #398 2021-05-06 19:35:43 +00:00			`} else {`
			`http.Redirect(w, r, redirectPath, http.StatusFound)`
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197 2021-01-17 21:29:08 +00:00			`}`
add a basic front-end web interface for end-users Fixes #339 #321 #398 2021-05-06 19:35:43 +00:00			`return errInvalidToken`
			`}`
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197 2021-01-17 21:29:08 +00:00
add a basic front-end web interface for end-users Fixes #339 #321 #398 2021-05-06 19:35:43 +00:00			`err = jwt.Validate(token)`
			`if err != nil {`
			`logger.Debug(logSender, "", "error validating jwt token: %v", err)`
OpenAPI: add users API These new APIs match the web client features. I'm aware that some API do not follow REST best practises. I want to avoid things likes "/user/folders/<path>" where "path" must be encoded and making it optional create issues, so I defined resources as query parameters instead of path parameters 2021-06-05 14:07:09 +00:00			`if isAPIToken {`
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197 2021-01-17 21:29:08 +00:00			`sendAPIResponse(w, r, err, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)`
add a basic front-end web interface for end-users Fixes #339 #321 #398 2021-05-06 19:35:43 +00:00			`} else {`
			`http.Redirect(w, r, redirectPath, http.StatusFound)`
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197 2021-01-17 21:29:08 +00:00			`}`
add a basic front-end web interface for end-users Fixes #339 #321 #398 2021-05-06 19:35:43 +00:00			`return errInvalidToken`
			`}`
			`if !utils.IsStringInSlice(audience, token.Audience()) {`
			`logger.Debug(logSender, "", "the token is not valid for audience %#v", audience)`
OpenAPI: add users API These new APIs match the web client features. I'm aware that some API do not follow REST best practises. I want to avoid things likes "/user/folders/<path>" where "path" must be encoded and making it optional create issues, so I defined resources as query parameters instead of path parameters 2021-06-05 14:07:09 +00:00			`if isAPIToken {`
JWT: add token audience a token released for API audience cannot be used for web pages and vice-versa 2021-02-02 08:14:10 +00:00			`sendAPIResponse(w, r, nil, "Your token audience is not valid", http.StatusUnauthorized)`
add a basic front-end web interface for end-users Fixes #339 #321 #398 2021-05-06 19:35:43 +00:00			`} else {`
			`http.Redirect(w, r, redirectPath, http.StatusFound)`
JWT: add token audience a token released for API audience cannot be used for web pages and vice-versa 2021-02-02 08:14:10 +00:00			`}`
add a basic front-end web interface for end-users Fixes #339 #321 #398 2021-05-06 19:35:43 +00:00			`return errInvalidToken`
			`}`
			`if isTokenInvalidated(r) {`
			`logger.Debug(logSender, "", "the token has been invalidated")`
OpenAPI: add users API These new APIs match the web client features. I'm aware that some API do not follow REST best practises. I want to avoid things likes "/user/folders/<path>" where "path" must be encoded and making it optional create issues, so I defined resources as query parameters instead of path parameters 2021-06-05 14:07:09 +00:00			`if isAPIToken {`
REST API: add logout and store invalidated token 2021-01-26 21:35:36 +00:00			`sendAPIResponse(w, r, nil, "Your token is no longer valid", http.StatusUnauthorized)`
add a basic front-end web interface for end-users Fixes #339 #321 #398 2021-05-06 19:35:43 +00:00			`} else {`
			`http.Redirect(w, r, redirectPath, http.StatusFound)`
			`}`
			`return errInvalidToken`
			`}`
			`return nil`
			`}`

			`func jwtAuthenticatorAPI(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`if err := validateJWTToken(w, r, tokenAudienceAPI); err != nil {`
REST API: add logout and store invalidated token 2021-01-26 21:35:36 +00:00			`return`
			`}`
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197 2021-01-17 21:29:08 +00:00
			`// Token is authenticated, pass it through`
			`next.ServeHTTP(w, r)`
			`})`
			`}`

OpenAPI: add users API These new APIs match the web client features. I'm aware that some API do not follow REST best practises. I want to avoid things likes "/user/folders/<path>" where "path" must be encoded and making it optional create issues, so I defined resources as query parameters instead of path parameters 2021-06-05 14:07:09 +00:00			`func jwtAuthenticatorAPIUser(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`if err := validateJWTToken(w, r, tokenAudienceAPIUser); err != nil {`
			`return`
			`}`

			`// Token is authenticated, pass it through`
			`next.ServeHTTP(w, r)`
			`})`
			`}`

add a basic front-end web interface for end-users Fixes #339 #321 #398 2021-05-06 19:35:43 +00:00			`func jwtAuthenticatorWebAdmin(next http.Handler) http.Handler {`
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197 2021-01-17 21:29:08 +00:00			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
add a basic front-end web interface for end-users Fixes #339 #321 #398 2021-05-06 19:35:43 +00:00			`if err := validateJWTToken(w, r, tokenAudienceWebAdmin); err != nil {`
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197 2021-01-17 21:29:08 +00:00			`return`
			`}`

add a basic front-end web interface for end-users Fixes #339 #321 #398 2021-05-06 19:35:43 +00:00			`// Token is authenticated, pass it through`
			`next.ServeHTTP(w, r)`
			`})`
			`}`

			`func jwtAuthenticatorWebClient(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`if err := validateJWTToken(w, r, tokenAudienceWebClient); err != nil {`
REST API: add logout and store invalidated token 2021-01-26 21:35:36 +00:00			`return`
			`}`
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197 2021-01-17 21:29:08 +00:00
			`// Token is authenticated, pass it through`
			`next.ServeHTTP(w, r)`
			`})`
			`}`

OpenAPI: add users API These new APIs match the web client features. I'm aware that some API do not follow REST best practises. I want to avoid things likes "/user/folders/<path>" where "path" must be encoded and making it optional create issues, so I defined resources as query parameters instead of path parameters 2021-06-05 14:07:09 +00:00			`//nolint:unparam`
			`func checkHTTPUserPerm(perm string) func(next http.Handler) http.Handler {`
add a basic front-end web interface for end-users Fixes #339 #321 #398 2021-05-06 19:35:43 +00:00			`return func(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`_, claims, err := jwtauth.FromContext(r.Context())`
			`if err != nil {`
OpenAPI: add users API These new APIs match the web client features. I'm aware that some API do not follow REST best practises. I want to avoid things likes "/user/folders/<path>" where "path" must be encoded and making it optional create issues, so I defined resources as query parameters instead of path parameters 2021-06-05 14:07:09 +00:00			`if isWebRequest(r) {`
			`renderClientBadRequestPage(w, r, err)`
			`} else {`
			`sendAPIResponse(w, r, err, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)`
			`}`
add a basic front-end web interface for end-users Fixes #339 #321 #398 2021-05-06 19:35:43 +00:00			`return`
			`}`
			`tokenClaims := jwtTokenClaims{}`
			`tokenClaims.Decode(claims)`
			`// for web client perms are negated and not granted`
			`if tokenClaims.hasPerm(perm) {`
OpenAPI: add users API These new APIs match the web client features. I'm aware that some API do not follow REST best practises. I want to avoid things likes "/user/folders/<path>" where "path" must be encoded and making it optional create issues, so I defined resources as query parameters instead of path parameters 2021-06-05 14:07:09 +00:00			`if isWebRequest(r) {`
			`renderClientForbiddenPage(w, r, "You don't have permission for this action")`
			`} else {`
			`sendAPIResponse(w, r, nil, http.StatusText(http.StatusForbidden), http.StatusForbidden)`
			`}`
add a basic front-end web interface for end-users Fixes #339 #321 #398 2021-05-06 19:35:43 +00:00			`return`
			`}`

			`next.ServeHTTP(w, r)`
			`})`
			`}`
			`}`

REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197 2021-01-17 21:29:08 +00:00			`func checkPerm(perm string) func(next http.Handler) http.Handler {`
			`return func(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`_, claims, err := jwtauth.FromContext(r.Context())`
			`if err != nil {`
add a basic front-end web interface for end-users Fixes #339 #321 #398 2021-05-06 19:35:43 +00:00			`if isWebRequest(r) {`
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197 2021-01-17 21:29:08 +00:00			`renderBadRequestPage(w, r, err)`
			`} else {`
			`sendAPIResponse(w, r, err, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)`
			`}`
			`return`
			`}`
			`tokenClaims := jwtTokenClaims{}`
			`tokenClaims.Decode(claims)`

			`if !tokenClaims.hasPerm(perm) {`
add a basic front-end web interface for end-users Fixes #339 #321 #398 2021-05-06 19:35:43 +00:00			`if isWebRequest(r) {`
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197 2021-01-17 21:29:08 +00:00			`renderForbiddenPage(w, r, "You don't have permission for this action")`
			`} else {`
			`sendAPIResponse(w, r, nil, http.StatusText(http.StatusForbidden), http.StatusForbidden)`
			`}`
			`return`
			`}`

			`next.ServeHTTP(w, r)`
			`})`
			`}`
			`}`
web admin: add CSRF 2021-02-03 07:55:28 +00:00
			`func verifyCSRFHeader(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`tokenString := r.Header.Get(csrfHeaderToken)`
			`token, err := jwtauth.VerifyToken(csrfTokenAuth, tokenString)`
			`if err != nil \|\| token == nil {`
			`logger.Debug(logSender, "", "error validating CSRF header: %v", err)`
			`sendAPIResponse(w, r, err, "Invalid token", http.StatusForbidden)`
			`return`
			`}`

			`if !utils.IsStringInSlice(tokenAudienceCSRF, token.Audience()) {`
			`logger.Debug(logSender, "", "error validating CSRF header audience")`
extend virtual folders support to all storage backends Fixes #241 2021-03-21 18:15:47 +00:00			`sendAPIResponse(w, r, errors.New("the token is not valid"), "", http.StatusForbidden)`
web admin: add CSRF 2021-02-03 07:55:28 +00:00			`return`
			`}`

			`next.ServeHTTP(w, r)`
			`})`
			`}`
webclient: allow to download multiple files as zip 2021-05-30 21:07:46 +00:00
			`func recoverer(next http.Handler) http.Handler {`
			`fn := func(w http.ResponseWriter, r *http.Request) {`
			`defer func() {`
			`if rvr := recover(); rvr != nil {`
			`if rvr == http.ErrAbortHandler {`
			`panic(rvr)`
			`}`

			`logEntry := middleware.GetLogEntry(r)`
			`if logEntry != nil {`
			`logEntry.Panic(rvr, debug.Stack())`
			`} else {`
			`middleware.PrintPrettyStack(rvr)`
			`}`

			`w.WriteHeader(http.StatusInternalServerError)`
			`}`
			`}()`

			`next.ServeHTTP(w, r)`
			`}`

			`return http.HandlerFunc(fn)`
			`}`