feat(auth): add mechanism to auth for specified user

Author: marjune163

src/serverHandler/aliasHandler.go

@@ -40,9 +40,11 @@ type aliasHandler struct {
 	dirIndexes []string
 	aliases    aliases
 
-	globalAuth bool
-	authUrls   []string
-	authDirs   []string
+	globalAuth    bool
+	authUrls      []string
+	authUrlsUsers pathIntsList
+	authDirs      []string
+	authDirsUsers pathIntsList
 
 	globalRestrictAccess []string
 	restrictAccessUrls   pathStringsList

src/serverHandler/archive.go

@@ -47,13 +47,13 @@ func matchSelection(info os.FileInfo, selections []string) (match bool, childSel
 
 func (h *aliasHandler) visitTreeNode(
 	r *http.Request,
-	rawReqPath, fsPath, relPath string,
+	urlPath, fsPath, relPath string,
 	statNode bool,
 	childSelections []string,
 	archiveCallback archiveCallback,
 ) {
-	if needAuth, _ := h.needAuth("", rawReqPath, fsPath); needAuth {
-		if _, _, err := h.verifyAuth(r, needAuth); err != nil {
+	if needAuth, _ := h.needAuth("", urlPath, fsPath); needAuth {
+		if _, _, err := h.verifyAuth(r, needAuth, urlPath, fsPath); err != nil {
 			return
 		}
 	}
@@ -105,7 +105,7 @@ func (h *aliasHandler) visitTreeNode(
 	}
 
 	if fInfo.IsDir() {
-		childInfos, _, _ := h.mergeAlias(rawReqPath, fInfo, childInfos, true)
+		childInfos, _, _ := h.mergeAlias(urlPath, fInfo, childInfos, true)
 		childInfos = h.FilterItems(childInfos)
 
 		// childInfo can be regular dir/file, or aliased item that shadows regular dir/file
@@ -117,7 +117,7 @@ func (h *aliasHandler) visitTreeNode(
 
 			childPath := "/" + childInfo.Name()
 			childFsPath := fsPath + childPath
-			childRawReqPath := util.CleanUrlPath(rawReqPath + childPath)
+			childRawReqPath := util.CleanUrlPath(urlPath + childPath)
 			childRelPath := relPath + childPath
 
 			if childAlias, hasChildAlias := h.aliases.byUrlPath(childRawReqPath); hasChildAlias {

src/serverHandler/auth.go

@@ -9,7 +9,7 @@ import (
 
 const authQueryParam = "auth"
 
-func (h *aliasHandler) needAuth(rawQuery, rawReqPath, reqFsPath string) (needAuth, requestAuth bool) {
+func (h *aliasHandler) needAuth(rawQuery, vhostReqPath, reqFsPath string) (needAuth, requestAuth bool) {
 	if strings.HasPrefix(rawQuery, authQueryParam) {
 		return true, true
 	}
@@ -18,19 +18,33 @@ func (h *aliasHandler) needAuth(rawQuery, rawReqPath, reqFsPath string) (needAut
 		return true, false
 	}
 
-	return hasUrlOrDirPrefix(h.authUrls, rawReqPath, h.authDirs, reqFsPath), false
+	if hasUrlOrDirPrefix(h.authUrls, vhostReqPath, h.authDirs, reqFsPath) {
+		return true, false
+	}
+
+	if matchPath, _ := hasUrlOrDirPrefixUsers(h.authUrlsUsers, vhostReqPath, h.authDirsUsers, reqFsPath, -1); matchPath {
+		return true, false
+	}
+
+	return false, false
 }
 
 func (h *aliasHandler) notifyAuth(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("WWW-Authenticate", "Basic realm=\"files\"")
 }
 
-func (h *aliasHandler) verifyAuth(r *http.Request, needAuth bool) (userid int, username string, err error) {
+func (h *aliasHandler) verifyAuth(r *http.Request, needAuth bool, vhostReqPath, reqFsPath string) (userid int, username string, err error) {
 	user, pass, hasAuthReq := r.BasicAuth()
 
 	if hasAuthReq {
 		var success bool
-		if userid, username, success = h.users.Auth(user, pass); success {
+		userid, username, success = h.users.Auth(user, pass)
+		if success && userid >= 0 && (len(h.authUrlsUsers) > 0 || len(h.authDirsUsers) > 0) {
+			if matchPrefix, match := hasUrlOrDirPrefixUsers(h.authUrlsUsers, vhostReqPath, h.authDirsUsers, reqFsPath, userid); matchPrefix {
+				success = match
+			}
+		}
+		if success {
 			return
 		}
 	}

src/serverHandler/perm.go

@@ -21,6 +21,42 @@ func hasUrlOrDirPrefix(urls []string, reqUrl string, dirs []string, reqDir strin
 	return false
 }
 
+func hasUrlOrDirPrefixUsers(urlsUsers pathIntsList, reqUrl string, dirsUsers pathIntsList, reqDir string, userId int) (matchPrefix, match bool) {
+	for i := range urlsUsers {
+		if !util.HasUrlPrefixDir(reqUrl, urlsUsers[i].path) {
+			continue
+		}
+		matchPrefix = true
+		if userId < 0 {
+			continue
+		}
+		for _, uid := range urlsUsers[i].ints {
+			if uid == userId {
+				match = true
+				return
+			}
+		}
+	}
+
+	for i := range dirsUsers {
+		if !util.HasFsPrefixDir(reqDir, dirsUsers[i].path) {
+			continue
+		}
+		matchPrefix = true
+		if userId < 0 {
+			continue
+		}
+		for _, uid := range dirsUsers[i].ints {
+			if uid == userId {
+				match = true
+				return
+			}
+		}
+	}
+
+	return
+}
+
 func (h *aliasHandler) getCanUpload(info os.FileInfo, rawReqPath, reqFsPath string) bool {
 	if info == nil || !info.IsDir() {
 		return false

src/serverHandler/sessionData.go

@@ -335,7 +335,7 @@ func (h *aliasHandler) getSessionData(r *http.Request) (session *sessionContext,
 	status := http.StatusOK
 
 	needAuth, requestAuth := h.needAuth(rawQuery, vhostReqPath, fsPath)
-	authUserId, authUserName, _authErr := h.verifyAuth(r, needAuth)
+	authUserId, authUserName, _authErr := h.verifyAuth(r, needAuth, vhostReqPath, fsPath)
 	authSuccess := _authErr == nil
 	if needAuth && !authSuccess {
 		errs = append(errs, _authErr)