cloudreve/pkg/auth/auth.go

package auth

import (
	"bytes"
	"context"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"regexp"
	"sort"
	"strings"
	"time"

	"github.com/cloudreve/Cloudreve/v4/application/constants"
	"github.com/cloudreve/Cloudreve/v4/pkg/serializer"
)

var (
	ErrAuthFailed        = serializer.NewError(serializer.CodeInvalidSign, "invalid sign", nil)
	ErrAuthHeaderMissing = serializer.NewError(serializer.CodeNoPermissionErr, "authorization header is missing", nil)
	ErrExpiresMissing    = serializer.NewError(serializer.CodeNoPermissionErr, "expire timestamp is missing", nil)
	ErrExpired           = serializer.NewError(serializer.CodeSignExpired, "signature expired", nil)
)

const (
	TokenHeaderPrefixCr = "Bearer Cr "
)

// General 通用的认证接口
// Deprecated
var General Auth

type (
	// Auth 鉴权认证
	Auth interface {
		// 对给定Body进行签名,expires为0表示永不过期
		Sign(body string, expires int64) string
		// 对给定Body和Sign进行检查
		Check(body string, sign string) error
	}
)

// SignRequest 对PUT\POST等复杂HTTP请求签名，只会对URI部分、
// 请求正文、`X-Cr-`开头的header进行签名
func SignRequest(ctx context.Context, instance Auth, r *http.Request, expires *time.Time) *http.Request {
	// 处理有效期
	expireTime := int64(0)
	if expires != nil {
		expireTime = expires.Unix()
	}

	// 生成签名
	sign := instance.Sign(getSignContent(ctx, r), expireTime)

	// 将签名加到请求Header中
	r.Header["Authorization"] = []string{TokenHeaderPrefixCr + sign}
	return r
}

// SignRequestDeprecated 对PUT\POST等复杂HTTP请求签名，只会对URI部分、
// 请求正文、`X-Cr-`开头的header进行签名
func SignRequestDeprecated(instance Auth, r *http.Request, expires int64) *http.Request {
	// 处理有效期
	if expires > 0 {
		expires += time.Now().Unix()
	}

	// 生成签名
	sign := instance.Sign(getSignContent(context.Background(), r), expires)

	// 将签名加到请求Header中
	r.Header["Authorization"] = []string{TokenHeaderPrefixCr + sign}
	return r
}

// CheckRequest 对复杂请求进行签名验证
func CheckRequest(ctx context.Context, instance Auth, r *http.Request) error {
	var (
		sign []string
		ok   bool
	)
	if sign, ok = r.Header["Authorization"]; !ok || len(sign) == 0 {
		return ErrAuthHeaderMissing
	}
	sign[0] = strings.TrimPrefix(sign[0], TokenHeaderPrefixCr)

	return instance.Check(getSignContent(ctx, r), sign[0])
}

func isUploadDataRequest(r *http.Request) bool {
	return strings.Contains(r.URL.Path, constants.APIPrefix+"/slave/upload/") && r.Method != http.MethodPut

}

// getSignContent 签名请求 path、正文、以`X-`开头的 Header. 如果请求 path 为从机上传 API，
// 则不对正文签名。返回待签名/验证的字符串
func getSignContent(ctx context.Context, r *http.Request) (rawSignString string) {
	// 读取所有body正文
	var body = []byte{}
	if !isUploadDataRequest(r) {
		if r.Body != nil {
			body, _ = io.ReadAll(r.Body)
			_ = r.Body.Close()
			r.Body = io.NopCloser(bytes.NewReader(body))
		}
	}

	// 决定要签名的header
	var signedHeader []string
	for k, _ := range r.Header {
		if strings.HasPrefix(k, constants.CrHeaderPrefix) && k != constants.CrHeaderPrefix+"Filename" {
			signedHeader = append(signedHeader, fmt.Sprintf("%s=%s", k, r.Header.Get(k)))
		}
	}
	sort.Strings(signedHeader)

	// 读取所有待签名Header
	rawSignString = serializer.NewRequestSignString(getUrlSignContent(ctx, r.URL), strings.Join(signedHeader, "&"), string(body))

	return rawSignString
}

// SignURI 对URI进行签名
func SignURI(ctx context.Context, instance Auth, uri string, expires *time.Time) (*url.URL, error) {
	// 处理有效期
	expireTime := int64(0)
	if expires != nil {
		expireTime = expires.Unix()
	}

	base, err := url.Parse(uri)
	if err != nil {
		return nil, err
	}

	// 生成签名
	sign := instance.Sign(getUrlSignContent(ctx, base), expireTime)

	// 将签名加到URI中
	queries := base.Query()
	queries.Set("sign", sign)
	base.RawQuery = queries.Encode()

	return base, nil
}

// SignURIDeprecated 对URI进行签名,签名只针对Path部分，query部分不做验证
// Deprecated
func SignURIDeprecated(instance Auth, uri string, expires int64) (*url.URL, error) {
	// 处理有效期
	if expires != 0 {
		expires += time.Now().Unix()
	}

	base, err := url.Parse(uri)
	if err != nil {
		return nil, err
	}

	// 生成签名
	sign := instance.Sign(base.Path, expires)

	// 将签名加到URI中
	queries := base.Query()
	queries.Set("sign", sign)
	base.RawQuery = queries.Encode()

	return base, nil
}

// CheckURI 对URI进行鉴权
func CheckURI(ctx context.Context, instance Auth, url *url.URL) error {
	//获取待验证的签名正文
	queries := url.Query()
	sign := queries.Get("sign")
	queries.Del("sign")
	url.RawQuery = queries.Encode()

	return instance.Check(getUrlSignContent(ctx, url), sign)
}

func RedactSensitiveValues(errorMessage string) string {
	// Regular expression to match URLs
	urlRegex := regexp.MustCompile(`https?://[^\s]+`)
	// Find all URLs in the error message
	urls := urlRegex.FindAllString(errorMessage, -1)

	for _, urlStr := range urls {
		// Parse the URL
		parsedURL, err := url.Parse(urlStr)
		if err != nil {
			continue
		}

		// Get the query parameters
		queryParams := parsedURL.Query()

		// Redact the 'sign' parameter if it exists
		if _, exists := queryParams["sign"]; exists {
			queryParams.Set("sign", "REDACTED")
			parsedURL.RawQuery = queryParams.Encode()
		}

		// Replace the original URL with the redacted one in the error message
		errorMessage = strings.Replace(errorMessage, urlStr, parsedURL.String(), -1)
	}

	return errorMessage
}

func getUrlSignContent(ctx context.Context, url *url.URL) string {
	// host := url.Host
	// if host == "" {
	// 	reqInfo := requestinfo.RequestInfoFromContext(ctx)
	// 	if reqInfo != nil {
	// 		host = reqInfo.Host
	// 	}
	// }
	// host = strings.TrimSuffix(host, "/")
	// // remove port if it exists
	// host = strings.Split(host, ":")[0]
	if url.Path == "" {
		return "/"
	}
	return url.Path
}
-												Feat: HMAC auth and check

											
										
										
											2019-12-10 11:13:33 +08:00
+								package auth
 								import (
-												Feat: auth middleware for complex request

											
										
										
											2019-12-24 11:42:23 +08:00
+									"bytes"
-												Init V4 community edition (#2265)

* Init V4 community edition

* Init V4 community edition
											
										
										
											2025-04-20 17:31:25 +08:00
+									"context"
-												Feat: aria2 download and transfer in slave node (#1040)

* Feat: retrieve nodes from data table

* Feat: master node ping slave node in REST API

* Feat: master send scheduled ping request

* Feat: inactive nodes recover loop

* Modify: remove database operations from aria2 RPC caller implementation

* Feat: init aria2 client in master node

* Feat: Round Robin load balancer

* Feat: create and monitor aria2 task in master node

* Feat: salve receive and handle heartbeat

* Fix: Node ID will be 0 in download record generated in older version

* Feat: sign request headers with all `X-` prefix

* Feat: API call to slave node will carry meta data in headers

* Feat: call slave aria2 rpc method from master

* Feat: get slave aria2 task status
Feat: encode slave response data using gob

* Feat: aria2 callback to master node / cancel or select task to slave node

* Fix: use dummy aria2 client when caller initialize failed in master node

* Feat: slave aria2 status event callback / salve RPC auth

* Feat: prototype for slave driven filesystem

* Feat: retry for init aria2 client in master node

* Feat: init request client with global options

* Feat: slave receive async task from master

* Fix: competition write in request header

* Refactor: dependency initialize order

* Feat: generic message queue implementation

* Feat: message queue implementation

* Feat: master waiting slave transfer result

* Feat: slave transfer file in stateless policy

* Feat: slave transfer file in slave policy

* Feat: slave transfer file in local policy

* Feat: slave transfer file in OneDrive policy

* Fix: failed to initialize update checker http client

* Feat: list slave nodes for dashboard

* Feat: test aria2 rpc connection in slave

* Feat: add and save node

* Feat: add and delete node in node pool

* Fix: temp file cannot be removed when aria2 task fails

* Fix: delete node in admin panel

* Feat: edit node and get node info

* Modify: delete unused settings
											
										
										
											2021-10-31 09:41:56 +08:00
+									"fmt"
-												Init V4 community edition (#2265)

* Init V4 community edition

* Init V4 community edition
											
										
										
											2025-04-20 17:31:25 +08:00
+									"io"
-												Feat: sign http request / read running mode from config file

											
										
										
											2019-12-23 13:27:18 +08:00
+									"net/http"
-												Feat: sign file source url

											
										
										
											2019-12-10 17:10:34 +08:00
+									"net/url"
-												Init V4 community edition (#2265)

* Init V4 community edition

* Init V4 community edition
											
										
										
											2025-04-20 17:31:25 +08:00
+									"regexp"
-												Feat: aria2 download and transfer in slave node (#1040)

* Feat: retrieve nodes from data table

* Feat: master node ping slave node in REST API

* Feat: master send scheduled ping request

* Feat: inactive nodes recover loop

* Modify: remove database operations from aria2 RPC caller implementation

* Feat: init aria2 client in master node

* Feat: Round Robin load balancer

* Feat: create and monitor aria2 task in master node

* Feat: salve receive and handle heartbeat

* Fix: Node ID will be 0 in download record generated in older version

* Feat: sign request headers with all `X-` prefix

* Feat: API call to slave node will carry meta data in headers

* Feat: call slave aria2 rpc method from master

* Feat: get slave aria2 task status
Feat: encode slave response data using gob

* Feat: aria2 callback to master node / cancel or select task to slave node

* Fix: use dummy aria2 client when caller initialize failed in master node

* Feat: slave aria2 status event callback / salve RPC auth

* Feat: prototype for slave driven filesystem

* Feat: retry for init aria2 client in master node

* Feat: init request client with global options

* Feat: slave receive async task from master

* Fix: competition write in request header

* Refactor: dependency initialize order

* Feat: generic message queue implementation

* Feat: message queue implementation

* Feat: master waiting slave transfer result

* Feat: slave transfer file in stateless policy

* Feat: slave transfer file in slave policy

* Feat: slave transfer file in local policy

* Feat: slave transfer file in OneDrive policy

* Fix: failed to initialize update checker http client

* Feat: list slave nodes for dashboard

* Feat: test aria2 rpc connection in slave

* Feat: add and save node

* Feat: add and delete node in node pool

* Fix: temp file cannot be removed when aria2 task fails

* Fix: delete node in admin panel

* Feat: edit node and get node info

* Modify: delete unused settings
											
										
										
											2021-10-31 09:41:56 +08:00
+									"sort"
-												Feat: auth middleware for complex request

											
										
										
											2019-12-24 11:42:23 +08:00
+									"strings"
-												Modify: add time.Now for expiration inside signing function

											
										
										
											2020-01-02 13:41:57 +08:00
+									"time"
-												Comply with Golang semantic import versioning (#630)

* Code: compatible with semantic import versioning

* Tools & Docs: compatible with semantic import versioning

* Clean go.mod & go.sum
											
										
										
											2020-11-21 17:34:55 +08:00
-												Init V4 community edition (#2265)

* Init V4 community edition

* Init V4 community edition
											
										
										
											2025-04-20 17:31:25 +08:00
+									"github.com/cloudreve/Cloudreve/v4/application/constants"
 									"github.com/cloudreve/Cloudreve/v4/pkg/serializer"
-												Feat: HMAC auth and check

											
										
										
											2019-12-10 11:13:33 +08:00
+								)
 								var (
-												i18n: logs in aria2/auth/cache/cluster/serializer

											
										
										
											2022-09-29 17:40:56 +08:00
+									ErrAuthFailed        = serializer.NewError(serializer.CodeInvalidSign, "invalid sign", nil)
-												Test: balancer / auth / controller in pkg

											
										
										
											2021-11-11 20:56:16 +08:00
+									ErrAuthHeaderMissing = serializer.NewError(serializer.CodeNoPermissionErr, "authorization header is missing", nil)
 									ErrExpiresMissing    = serializer.NewError(serializer.CodeNoPermissionErr, "expire timestamp is missing", nil)
-												i18n: logs in aria2/auth/cache/cluster/serializer

											
										
										
											2022-09-29 17:40:56 +08:00
+									ErrExpired           = serializer.NewError(serializer.CodeSignExpired, "signature expired", nil)
-												Feat: HMAC auth and check

											
										
										
											2019-12-10 11:13:33 +08:00
+								)
-												Init V4 community edition (#2265)

* Init V4 community edition

* Init V4 community edition
											
										
										
											2025-04-20 17:31:25 +08:00
+								const (
 									TokenHeaderPrefixCr = "Bearer Cr "
 								)
-												Feat: creating upload session and credential from master server

											
										
										
											2022-02-28 17:52:59 +08:00
-												Feat: HMAC auth and check

											
										
										
											2019-12-10 11:13:33 +08:00
+								// General 通用的认证接口
-												Init V4 community edition (#2265)

* Init V4 community edition

* Init V4 community edition
											
										
										
											2025-04-20 17:31:25 +08:00
+								// Deprecated
-												Feat: HMAC auth and check

											
										
										
											2019-12-10 11:13:33 +08:00
+								var General Auth
-												Init V4 community edition (#2265)

* Init V4 community edition

* Init V4 community edition
											
										
										
											2025-04-20 17:31:25 +08:00
+								type (
 									// Auth 鉴权认证
 									Auth interface {
 										// 对给定Body进行签名,expires为0表示永不过期
 										Sign(body string, expires int64) string
 										// 对给定Body和Sign进行检查
 										Check(body string, sign string) error
 									}
 								)
-												Feat: HMAC auth and check

											
										
										
											2019-12-10 11:13:33 +08:00
-												Feat: aria2 download and transfer in slave node (#1040)

* Feat: retrieve nodes from data table

* Feat: master node ping slave node in REST API

* Feat: master send scheduled ping request

* Feat: inactive nodes recover loop

* Modify: remove database operations from aria2 RPC caller implementation

* Feat: init aria2 client in master node

* Feat: Round Robin load balancer

* Feat: create and monitor aria2 task in master node

* Feat: salve receive and handle heartbeat

* Fix: Node ID will be 0 in download record generated in older version

* Feat: sign request headers with all `X-` prefix

* Feat: API call to slave node will carry meta data in headers

* Feat: call slave aria2 rpc method from master

* Feat: get slave aria2 task status
Feat: encode slave response data using gob

* Feat: aria2 callback to master node / cancel or select task to slave node

* Fix: use dummy aria2 client when caller initialize failed in master node

* Feat: slave aria2 status event callback / salve RPC auth

* Feat: prototype for slave driven filesystem

* Feat: retry for init aria2 client in master node

* Feat: init request client with global options

* Feat: slave receive async task from master

* Fix: competition write in request header

* Refactor: dependency initialize order

* Feat: generic message queue implementation

* Feat: message queue implementation

* Feat: master waiting slave transfer result

* Feat: slave transfer file in stateless policy

* Feat: slave transfer file in slave policy

* Feat: slave transfer file in local policy

* Feat: slave transfer file in OneDrive policy

* Fix: failed to initialize update checker http client

* Feat: list slave nodes for dashboard

* Feat: test aria2 rpc connection in slave

* Feat: add and save node

* Feat: add and delete node in node pool

* Fix: temp file cannot be removed when aria2 task fails

* Fix: delete node in admin panel

* Feat: edit node and get node info

* Modify: delete unused settings
											
										
										
											2021-10-31 09:41:56 +08:00
+								// SignRequest 对PUT\POST等复杂HTTP请求签名，只会对URI部分、
-												Fix: use `X-Cr-` as custom header prefix

											
										
										
											2021-11-23 21:22:23 +08:00
+								// 请求正文、`X-Cr-`开头的header进行签名
-												Init V4 community edition (#2265)

* Init V4 community edition

* Init V4 community edition
											
										
										
											2025-04-20 17:31:25 +08:00
+								func SignRequest(ctx context.Context, instance Auth, r *http.Request, expires *time.Time) *http.Request {
 									// 处理有效期
 									expireTime := int64(0)
 									if expires != nil {
 										expireTime = expires.Unix()
 									}
 									// 生成签名
 									sign := instance.Sign(getSignContent(ctx, r), expireTime)
 									// 将签名加到请求Header中
 									r.Header["Authorization"] = []string{TokenHeaderPrefixCr + sign}
 									return r
 								}
 								// SignRequestDeprecated 对PUT\POST等复杂HTTP请求签名，只会对URI部分、
 								// 请求正文、`X-Cr-`开头的header进行签名
 								func SignRequestDeprecated(instance Auth, r *http.Request, expires int64) *http.Request {
-												Modify: add time.Now for expiration inside signing function

											
										
										
											2020-01-02 13:41:57 +08:00
+									// 处理有效期
 									if expires > 0 {
 										expires += time.Now().Unix()
 									}
-												Feat: auth middleware for complex request

											
										
										
											2019-12-24 11:42:23 +08:00
+									// 生成签名
-												Init V4 community edition (#2265)

* Init V4 community edition

* Init V4 community edition
											
										
										
											2025-04-20 17:31:25 +08:00
+									sign := instance.Sign(getSignContent(context.Background(), r), expires)
-												Feat: auth middleware for complex request

											
										
										
											2019-12-24 11:42:23 +08:00
 									// 将签名加到请求Header中
-												Init V4 community edition (#2265)

* Init V4 community edition

* Init V4 community edition
											
										
										
											2025-04-20 17:31:25 +08:00
+									r.Header["Authorization"] = []string{TokenHeaderPrefixCr + sign}
-												Feat: auth middleware for complex request

											
										
										
											2019-12-24 11:42:23 +08:00
+									return r
 								}
 								// CheckRequest 对复杂请求进行签名验证
-												Init V4 community edition (#2265)

* Init V4 community edition

* Init V4 community edition
											
										
										
											2025-04-20 17:31:25 +08:00
+								func CheckRequest(ctx context.Context, instance Auth, r *http.Request) error {
-												Feat: auth middleware for complex request

											
										
										
											2019-12-24 11:42:23 +08:00
+									var (
 										sign []string
 										ok   bool
 									)
 									if sign, ok = r.Header["Authorization"]; !ok || len(sign) == 0 {
-												Test: balancer / auth / controller in pkg

											
										
										
											2021-11-11 20:56:16 +08:00
+										return ErrAuthHeaderMissing
-												Feat: auth middleware for complex request

											
										
										
											2019-12-24 11:42:23 +08:00
+									}
-												Init V4 community edition (#2265)

* Init V4 community edition

* Init V4 community edition
											
										
										
											2025-04-20 17:31:25 +08:00
+									sign[0] = strings.TrimPrefix(sign[0], TokenHeaderPrefixCr)
 									return instance.Check(getSignContent(ctx, r), sign[0])
 								}
 								func isUploadDataRequest(r *http.Request) bool {
 									return strings.Contains(r.URL.Path, constants.APIPrefix+"/slave/upload/") && r.Method != http.MethodPut
-												Feat: auth middleware for complex request

											
										
										
											2019-12-24 11:42:23 +08:00
 								}
-												Feat: truncate file if uploaded chunk is overlapped

											
										
										
											2022-02-28 17:47:57 +08:00
+								// getSignContent 签名请求 path、正文、以`X-`开头的 Header. 如果请求 path 为从机上传 API，
-												Feat: aria2 download and transfer in slave node (#1040)

* Feat: retrieve nodes from data table

* Feat: master node ping slave node in REST API

* Feat: master send scheduled ping request

* Feat: inactive nodes recover loop

* Modify: remove database operations from aria2 RPC caller implementation

* Feat: init aria2 client in master node

* Feat: Round Robin load balancer

* Feat: create and monitor aria2 task in master node

* Feat: salve receive and handle heartbeat

* Fix: Node ID will be 0 in download record generated in older version

* Feat: sign request headers with all `X-` prefix

* Feat: API call to slave node will carry meta data in headers

* Feat: call slave aria2 rpc method from master

* Feat: get slave aria2 task status
Feat: encode slave response data using gob

* Feat: aria2 callback to master node / cancel or select task to slave node

* Fix: use dummy aria2 client when caller initialize failed in master node

* Feat: slave aria2 status event callback / salve RPC auth

* Feat: prototype for slave driven filesystem

* Feat: retry for init aria2 client in master node

* Feat: init request client with global options

* Feat: slave receive async task from master

* Fix: competition write in request header

* Refactor: dependency initialize order

* Feat: generic message queue implementation

* Feat: message queue implementation

* Feat: master waiting slave transfer result

* Feat: slave transfer file in stateless policy

* Feat: slave transfer file in slave policy

* Feat: slave transfer file in local policy

* Feat: slave transfer file in OneDrive policy

* Fix: failed to initialize update checker http client

* Feat: list slave nodes for dashboard

* Feat: test aria2 rpc connection in slave

* Feat: add and save node

* Feat: add and delete node in node pool

* Fix: temp file cannot be removed when aria2 task fails

* Fix: delete node in admin panel

* Feat: edit node and get node info

* Modify: delete unused settings
											
										
										
											2021-10-31 09:41:56 +08:00
+								// 则不对正文签名。返回待签名/验证的字符串
-												Init V4 community edition (#2265)

* Init V4 community edition

* Init V4 community edition
											
										
										
											2025-04-20 17:31:25 +08:00
+								func getSignContent(ctx context.Context, r *http.Request) (rawSignString string) {
-												Feat: aria2 download and transfer in slave node (#1040)

* Feat: retrieve nodes from data table

* Feat: master node ping slave node in REST API

* Feat: master send scheduled ping request

* Feat: inactive nodes recover loop

* Modify: remove database operations from aria2 RPC caller implementation

* Feat: init aria2 client in master node

* Feat: Round Robin load balancer

* Feat: create and monitor aria2 task in master node

* Feat: salve receive and handle heartbeat

* Fix: Node ID will be 0 in download record generated in older version

* Feat: sign request headers with all `X-` prefix

* Feat: API call to slave node will carry meta data in headers

* Feat: call slave aria2 rpc method from master

* Feat: get slave aria2 task status
Feat: encode slave response data using gob

* Feat: aria2 callback to master node / cancel or select task to slave node

* Fix: use dummy aria2 client when caller initialize failed in master node

* Feat: slave aria2 status event callback / salve RPC auth

* Feat: prototype for slave driven filesystem

* Feat: retry for init aria2 client in master node

* Feat: init request client with global options

* Feat: slave receive async task from master

* Fix: competition write in request header

* Refactor: dependency initialize order

* Feat: generic message queue implementation

* Feat: message queue implementation

* Feat: master waiting slave transfer result

* Feat: slave transfer file in stateless policy

* Feat: slave transfer file in slave policy

* Feat: slave transfer file in local policy

* Feat: slave transfer file in OneDrive policy

* Fix: failed to initialize update checker http client

* Feat: list slave nodes for dashboard

* Feat: test aria2 rpc connection in slave

* Feat: add and save node

* Feat: add and delete node in node pool

* Fix: temp file cannot be removed when aria2 task fails

* Fix: delete node in admin panel

* Feat: edit node and get node info

* Modify: delete unused settings
											
										
										
											2021-10-31 09:41:56 +08:00
+									// 读取所有body正文
 									var body = []byte{}
-												Init V4 community edition (#2265)

* Init V4 community edition

* Init V4 community edition
											
										
										
											2025-04-20 17:31:25 +08:00
+									if !isUploadDataRequest(r) {
-												Test: remote callback auth

											
										
										
											2019-12-30 19:56:01 +08:00
+										if r.Body != nil {
-												Init V4 community edition (#2265)

* Init V4 community edition

* Init V4 community edition
											
										
										
											2025-04-20 17:31:25 +08:00
+											body, _ = io.ReadAll(r.Body)
-												Test: remote callback auth

											
										
										
											2019-12-30 19:56:01 +08:00
+											_ = r.Body.Close()
-												Init V4 community edition (#2265)

* Init V4 community edition

* Init V4 community edition
											
										
										
											2025-04-20 17:31:25 +08:00
+											r.Body = io.NopCloser(bytes.NewReader(body))
-												Test: remote callback auth

											
										
										
											2019-12-30 19:56:01 +08:00
+										}
-												Feat: sign http request / read running mode from config file

											
										
										
											2019-12-23 13:27:18 +08:00
+									}
-												Feat: aria2 download and transfer in slave node (#1040)

* Feat: retrieve nodes from data table

* Feat: master node ping slave node in REST API

* Feat: master send scheduled ping request

* Feat: inactive nodes recover loop

* Modify: remove database operations from aria2 RPC caller implementation

* Feat: init aria2 client in master node

* Feat: Round Robin load balancer

* Feat: create and monitor aria2 task in master node

* Feat: salve receive and handle heartbeat

* Fix: Node ID will be 0 in download record generated in older version

* Feat: sign request headers with all `X-` prefix

* Feat: API call to slave node will carry meta data in headers

* Feat: call slave aria2 rpc method from master

* Feat: get slave aria2 task status
Feat: encode slave response data using gob

* Feat: aria2 callback to master node / cancel or select task to slave node

* Fix: use dummy aria2 client when caller initialize failed in master node

* Feat: slave aria2 status event callback / salve RPC auth

* Feat: prototype for slave driven filesystem

* Feat: retry for init aria2 client in master node

* Feat: init request client with global options

* Feat: slave receive async task from master

* Fix: competition write in request header

* Refactor: dependency initialize order

* Feat: generic message queue implementation

* Feat: message queue implementation

* Feat: master waiting slave transfer result

* Feat: slave transfer file in stateless policy

* Feat: slave transfer file in slave policy

* Feat: slave transfer file in local policy

* Feat: slave transfer file in OneDrive policy

* Fix: failed to initialize update checker http client

* Feat: list slave nodes for dashboard

* Feat: test aria2 rpc connection in slave

* Feat: add and save node

* Feat: add and delete node in node pool

* Fix: temp file cannot be removed when aria2 task fails

* Fix: delete node in admin panel

* Feat: edit node and get node info

* Modify: delete unused settings
											
										
										
											2021-10-31 09:41:56 +08:00
 									// 决定要签名的header
 									var signedHeader []string
 									for k, _ := range r.Header {
-												Init V4 community edition (#2265)

* Init V4 community edition

* Init V4 community edition
											
										
										
											2025-04-20 17:31:25 +08:00
+										if strings.HasPrefix(k, constants.CrHeaderPrefix) && k != constants.CrHeaderPrefix+"Filename" {
-												Feat: aria2 download and transfer in slave node (#1040)

* Feat: retrieve nodes from data table

* Feat: master node ping slave node in REST API

* Feat: master send scheduled ping request

* Feat: inactive nodes recover loop

* Modify: remove database operations from aria2 RPC caller implementation

* Feat: init aria2 client in master node

* Feat: Round Robin load balancer

* Feat: create and monitor aria2 task in master node

* Feat: salve receive and handle heartbeat

* Fix: Node ID will be 0 in download record generated in older version

* Feat: sign request headers with all `X-` prefix

* Feat: API call to slave node will carry meta data in headers

* Feat: call slave aria2 rpc method from master

* Feat: get slave aria2 task status
Feat: encode slave response data using gob

* Feat: aria2 callback to master node / cancel or select task to slave node

* Fix: use dummy aria2 client when caller initialize failed in master node

* Feat: slave aria2 status event callback / salve RPC auth

* Feat: prototype for slave driven filesystem

* Feat: retry for init aria2 client in master node

* Feat: init request client with global options

* Feat: slave receive async task from master

* Fix: competition write in request header

* Refactor: dependency initialize order

* Feat: generic message queue implementation

* Feat: message queue implementation

* Feat: master waiting slave transfer result

* Feat: slave transfer file in stateless policy

* Feat: slave transfer file in slave policy

* Feat: slave transfer file in local policy

* Feat: slave transfer file in OneDrive policy

* Fix: failed to initialize update checker http client

* Feat: list slave nodes for dashboard

* Feat: test aria2 rpc connection in slave

* Feat: add and save node

* Feat: add and delete node in node pool

* Fix: temp file cannot be removed when aria2 task fails

* Fix: delete node in admin panel

* Feat: edit node and get node info

* Modify: delete unused settings
											
										
										
											2021-10-31 09:41:56 +08:00
+											signedHeader = append(signedHeader, fmt.Sprintf("%s=%s", k, r.Header.Get(k)))
 										}
 									}
 									sort.Strings(signedHeader)
 									// 读取所有待签名Header
-												Init V4 community edition (#2265)

* Init V4 community edition

* Init V4 community edition
											
										
										
											2025-04-20 17:31:25 +08:00
+									rawSignString = serializer.NewRequestSignString(getUrlSignContent(ctx, r.URL), strings.Join(signedHeader, "&"), string(body))
-												Feat: aria2 download and transfer in slave node (#1040)

* Feat: retrieve nodes from data table

* Feat: master node ping slave node in REST API

* Feat: master send scheduled ping request

* Feat: inactive nodes recover loop

* Modify: remove database operations from aria2 RPC caller implementation

* Feat: init aria2 client in master node

* Feat: Round Robin load balancer

* Feat: create and monitor aria2 task in master node

* Feat: salve receive and handle heartbeat

* Fix: Node ID will be 0 in download record generated in older version

* Feat: sign request headers with all `X-` prefix

* Feat: API call to slave node will carry meta data in headers

* Feat: call slave aria2 rpc method from master

* Feat: get slave aria2 task status
Feat: encode slave response data using gob

* Feat: aria2 callback to master node / cancel or select task to slave node

* Fix: use dummy aria2 client when caller initialize failed in master node

* Feat: slave aria2 status event callback / salve RPC auth

* Feat: prototype for slave driven filesystem

* Feat: retry for init aria2 client in master node

* Feat: init request client with global options

* Feat: slave receive async task from master

* Fix: competition write in request header

* Refactor: dependency initialize order

* Feat: generic message queue implementation

* Feat: message queue implementation

* Feat: master waiting slave transfer result

* Feat: slave transfer file in stateless policy

* Feat: slave transfer file in slave policy

* Feat: slave transfer file in local policy

* Feat: slave transfer file in OneDrive policy

* Fix: failed to initialize update checker http client

* Feat: list slave nodes for dashboard

* Feat: test aria2 rpc connection in slave

* Feat: add and save node

* Feat: add and delete node in node pool

* Fix: temp file cannot be removed when aria2 task fails

* Fix: delete node in admin panel

* Feat: edit node and get node info

* Modify: delete unused settings
											
										
										
											2021-10-31 09:41:56 +08:00
-												Feat: auth middleware for complex request

											
										
										
											2019-12-24 11:42:23 +08:00
+									return rawSignString
-												Feat: sign http request / read running mode from config file

											
										
										
											2019-12-23 13:27:18 +08:00
+								}
-												Init V4 community edition (#2265)

* Init V4 community edition

* Init V4 community edition
											
										
										
											2025-04-20 17:31:25 +08:00
+								// SignURI 对URI进行签名
 								func SignURI(ctx context.Context, instance Auth, uri string, expires *time.Time) (*url.URL, error) {
 									// 处理有效期
 									expireTime := int64(0)
 									if expires != nil {
 										expireTime = expires.Unix()
 									}
 									base, err := url.Parse(uri)
 									if err != nil {
 										return nil, err
 									}
 									// 生成签名
 									sign := instance.Sign(getUrlSignContent(ctx, base), expireTime)
 									// 将签名加到URI中
 									queries := base.Query()
 									queries.Set("sign", sign)
 									base.RawQuery = queries.Encode()
 									return base, nil
 								}
 								// SignURIDeprecated 对URI进行签名,签名只针对Path部分，query部分不做验证
 								// Deprecated
 								func SignURIDeprecated(instance Auth, uri string, expires int64) (*url.URL, error) {
-												Modify: add time.Now for expiration inside signing function

											
										
										
											2020-01-02 13:41:57 +08:00
+									// 处理有效期
 									if expires != 0 {
 										expires += time.Now().Unix()
 									}
-												Feat: sign file source url

											
										
										
											2019-12-10 17:10:34 +08:00
+									base, err := url.Parse(uri)
 									if err != nil {
 										return nil, err
 									}
-												Test: signRequired middleware

											
										
										
											2019-12-10 21:26:19 +08:00
 									// 生成签名
-												Modify: auth instance as first param in SignURI/Request

											
										
										
											2019-12-29 13:50:23 +08:00
+									sign := instance.Sign(base.Path, expires)
-												Test: signRequired middleware

											
										
										
											2019-12-10 21:26:19 +08:00
 									// 将签名加到URI中
-												Feat: sign file source url

											
										
										
											2019-12-10 17:10:34 +08:00
+									queries := base.Query()
 									queries.Set("sign", sign)
 									base.RawQuery = queries.Encode()
 									return base, nil
 								}
-												Feat: sign auth middleware

											
										
										
											2019-12-10 20:17:21 +08:00
+								// CheckURI 对URI进行鉴权
-												Init V4 community edition (#2265)

* Init V4 community edition

* Init V4 community edition
											
										
										
											2025-04-20 17:31:25 +08:00
+								func CheckURI(ctx context.Context, instance Auth, url *url.URL) error {
-												Feat: sign auth middleware

											
										
										
											2019-12-10 20:17:21 +08:00
+									//获取待验证的签名正文
 									queries := url.Query()
 									sign := queries.Get("sign")
 									queries.Del("sign")
 									url.RawQuery = queries.Encode()
-												Init V4 community edition (#2265)

* Init V4 community edition

* Init V4 community edition
											
										
										
											2025-04-20 17:31:25 +08:00
+									return instance.Check(getUrlSignContent(ctx, url), sign)
-												Feat: sign auth middleware

											
										
										
											2019-12-10 20:17:21 +08:00
+								}
-												Init V4 community edition (#2265)

* Init V4 community edition

* Init V4 community edition
											
										
										
											2025-04-20 17:31:25 +08:00
+								func RedactSensitiveValues(errorMessage string) string {
 									// Regular expression to match URLs
 									urlRegex := regexp.MustCompile(`https?://[^\s]+`)
 									// Find all URLs in the error message
 									urls := urlRegex.FindAllString(errorMessage, -1)
 									for _, urlStr := range urls {
 										// Parse the URL
 										parsedURL, err := url.Parse(urlStr)
 										if err != nil {
 											continue
-												Feat: sign http request / read running mode from config file

											
										
										
											2019-12-23 13:27:18 +08:00
+										}
-												Init V4 community edition (#2265)

* Init V4 community edition

* Init V4 community edition
											
										
										
											2025-04-20 17:31:25 +08:00
 										// Get the query parameters
 										queryParams := parsedURL.Query()
 										// Redact the 'sign' parameter if it exists
 										if _, exists := queryParams["sign"]; exists {
 											queryParams.Set("sign", "REDACTED")
 											parsedURL.RawQuery = queryParams.Encode()
 										}
 										// Replace the original URL with the redacted one in the error message
 										errorMessage = strings.Replace(errorMessage, urlStr, parsedURL.String(), -1)
-												Feat: sign http request / read running mode from config file

											
										
										
											2019-12-23 13:27:18 +08:00
+									}
-												Init V4 community edition (#2265)

* Init V4 community edition

* Init V4 community edition
											
										
										
											2025-04-20 17:31:25 +08:00
 									return errorMessage
 								}
 								func getUrlSignContent(ctx context.Context, url *url.URL) string {
 									// host := url.Host
 									// if host == "" {
 									// 	reqInfo := requestinfo.RequestInfoFromContext(ctx)
 									// 	if reqInfo != nil {
 									// 		host = reqInfo.Host
 									// 	}
 									// }
 									// host = strings.TrimSuffix(host, "/")
 									// // remove port if it exists
 									// host = strings.Split(host, ":")[0]
-												fix(auth): unified empty path for sign content (#2616)

											
										
										
											2025-07-05 10:05:09 +08:00
+									if url.Path == "" {
 										return "/"
 									}
-												Init V4 community edition (#2265)

* Init V4 community edition

* Init V4 community edition
											
										
										
											2025-04-20 17:31:25 +08:00
+									return url.Path
-												Feat: HMAC auth and check

											
										
										
											2019-12-10 11:13:33 +08:00
+								}