fix(admin): modal bugs; chore(api): update ReDoc SRI; docs(openapi): add annotations + spec

Ryan
2025-10-20 00:38:35 -04:00
committed by GitHub
parent 327eea2835
commit af9887e651
67 changed files with 5072 additions and 2870 deletions


@@ -5,51 +5,7 @@ require_once __DIR__ . '/../../config/config.php';
require_once PROJECT_ROOT . '/src/models/AdminModel.php';
class AdminController
{
/**
* @OA\Get(
* path="/api/admin/getConfig.php",
* summary="Retrieve admin configuration",
* description="Returns the admin configuration settings, decrypting the configuration file and providing default values if not set.",
* operationId="getAdminConfig",
* tags={"Admin"},
* @OA\Response(
* response=200,
* description="Configuration retrieved successfully",
* @OA\JsonContent(
* type="object",
* @OA\Property(property="header_title", type="string", example="FileRise"),
* @OA\Property(
* property="oidc",
* type="object",
* @OA\Property(property="providerUrl", type="string", example="https://your-oidc-provider.com"),
* @OA\Property(property="clientId", type="string", example="YOUR_CLIENT_ID"),
* @OA\Property(property="clientSecret", type="string", example="YOUR_CLIENT_SECRET"),
* @OA\Property(property="redirectUri", type="string", example="https://yourdomain.com/auth.php?oidc=callback")
* ),
* @OA\Property(
* property="loginOptions",
* type="object",
* @OA\Property(property="disableFormLogin", type="boolean", example=false),
* @OA\Property(property="disableBasicAuth", type="boolean", example=false),
* @OA\Property(property="disableOIDCLogin", type="boolean", example=false)
* ),
* @OA\Property(property="globalOtpauthUrl", type="string", example=""),
* @OA\Property(property="enableWebDAV", type="boolean", example=false),
* @OA\Property(property="sharedMaxUploadSize", type="integer", example=52428800)
* )
* ),
* @OA\Response(
* response=500,
* description="Failed to decrypt configuration or server error"
* )
* )
*
* Retrieves the admin configuration settings.
*
* @return void Outputs a JSON response with configuration data.
*/
{
public function getConfig(): void
{
header('Content-Type: application/json');
@@ -100,64 +56,6 @@ class AdminController
echo json_encode($public);
}
/**
* @OA\Put(
* path="/api/admin/updateConfig.php",
* summary="Update admin configuration",
* description="Updates the admin configuration settings. Requires admin privileges and a valid CSRF token.",
* operationId="updateAdminConfig",
* tags={"Admin"},
* @OA\RequestBody(
* required=true,
* @OA\JsonContent(
* required={"header_title", "oidc", "loginOptions"},
* @OA\Property(property="header_title", type="string", example="FileRise"),
* @OA\Property(
* property="oidc",
* type="object",
* @OA\Property(property="providerUrl", type="string", example="https://your-oidc-provider.com"),
* @OA\Property(property="clientId", type="string", example="YOUR_CLIENT_ID"),
* @OA\Property(property="clientSecret", type="string", example="YOUR_CLIENT_SECRET"),
* @OA\Property(property="redirectUri", type="string", example="https://yourdomain.com/api/auth/auth.php?oidc=callback")
* ),
* @OA\Property(
* property="loginOptions",
* type="object",
* @OA\Property(property="disableFormLogin", type="boolean", example=false),
* @OA\Property(property="disableBasicAuth", type="boolean", example=false),
* @OA\Property(property="disableOIDCLogin", type="boolean", example=false)
* ),
* @OA\Property(property="globalOtpauthUrl", type="string", example=""),
* @OA\Property(property="enableWebDAV", type="boolean", example=false),
* @OA\Property(property="sharedMaxUploadSize", type="integer", example=52428800)
* )
* ),
* @OA\Response(
* response=200,
* description="Configuration updated successfully",
* @OA\JsonContent(
* type="object",
* @OA\Property(property="success", type="string", example="Configuration updated successfully.")
* )
* ),
* @OA\Response(
* response=400,
* description="Bad Request (e.g., invalid input, incomplete OIDC configuration)"
* ),
* @OA\Response(
* response=403,
* description="Unauthorized (user not admin or invalid CSRF token)"
* ),
* @OA\Response(
* response=500,
* description="Server error (failed to write configuration file)"
* )
* )
*
* Updates the admin configuration settings.
*
* @return void Outputs a JSON response indicating success or failure.
*/
public function updateConfig(): void
{
header('Content-Type: application/json');


@@ -13,53 +13,6 @@ use Jumbojett\OpenIDConnectClient;
class AuthController
{
/**
* @OA\Post(
* path="/api/auth/auth.php",
* summary="Authenticate user",
* description="Handles user authentication via OIDC or form-based credentials. For OIDC flows, processes callbacks; otherwise, performs standard authentication with optional TOTP verification.",
* operationId="authUser",
* tags={"Auth"},
* @OA\RequestBody(
* required=true,
* @OA\JsonContent(
* required={"username", "password"},
* @OA\Property(property="username", type="string", example="johndoe"),
* @OA\Property(property="password", type="string", example="secretpassword"),
* @OA\Property(property="remember_me", type="boolean", example=true),
* @OA\Property(property="totp_code", type="string", example="123456")
* )
* ),
* @OA\Response(
* response=200,
* description="Login successful; returns user info and status",
* @OA\JsonContent(
* @OA\Property(property="status", type="string", example="ok"),
* @OA\Property(property="success", type="string", example="Login successful"),
* @OA\Property(property="username", type="string", example="johndoe"),
* @OA\Property(property="isAdmin", type="boolean", example=true)
* )
* ),
* @OA\Response(
* response=400,
* description="Bad Request (e.g., missing credentials)"
* ),
* @OA\Response(
* response=401,
* description="Unauthorized (e.g., invalid credentials, too many attempts)"
* ),
* @OA\Response(
* response=429,
* description="Too many failed login attempts"
* )
* )
*
* Handles user authentication via OIDC or form-based login.
*
* @return void Redirects on success or outputs JSON error.
*/
// in src/controllers/AuthController.php
public function auth(): void
{
header('Content-Type: application/json');
@@ -307,40 +260,6 @@ class AuthController
exit();
}
/**
* @OA\Get(
* path="/api/auth/checkAuth.php",
* summary="Check authentication status",
* description="Checks if the current session is authenticated. If the users file is missing or empty, returns a setup flag. Also returns information about admin privileges, TOTP status, and folder-only access.",
* operationId="checkAuth",
* tags={"Auth"},
* @OA\Response(
* response=200,
* description="Returns authentication status and user details",
* @OA\JsonContent(
* type="object",
* @OA\Property(property="authenticated", type="boolean", example=true),
* @OA\Property(property="isAdmin", type="boolean", example=true),
* @OA\Property(property="totp_enabled", type="boolean", example=false),
* @OA\Property(property="username", type="string", example="johndoe"),
* @OA\Property(property="folderOnly", type="boolean", example=false)
* )
* ),
* @OA\Response(
* response=200,
* description="Setup mode (if the users file is missing or empty)",
* @OA\JsonContent(
* type="object",
* @OA\Property(property="setup", type="boolean", example=true)
* )
* )
* )
*
* Checks whether the user is authenticated or if the system is in setup mode.
*
* @return void Outputs a JSON response with authentication details.
*/
public function checkAuth(): void
{
@@ -427,28 +346,6 @@ class AuthController
exit();
}
/**
* @OA\Get(
* path="/api/auth/token.php",
* summary="Retrieve CSRF token and share URL",
* description="Returns the current CSRF token along with the configured share URL.",
* operationId="getToken",
* tags={"Auth"},
* @OA\Response(
* response=200,
* description="CSRF token and share URL",
* @OA\JsonContent(
* type="object",
* @OA\Property(property="csrf_token", type="string", example="0123456789abcdef..."),
* @OA\Property(property="share_url", type="string", example="https://yourdomain.com/share.php")
* )
* )
* )
*
* Returns the CSRF token and share URL.
*
* @return void Outputs the JSON response.
*/
public function getToken(): void
{
// 1) Ensure session and CSRF token exist
@@ -468,31 +365,6 @@ class AuthController
exit;
}
/**
* @OA\Get(
* path="/api/auth/login_basic.php",
* summary="Authenticate using HTTP Basic Authentication",
* description="Performs HTTP Basic authentication. If credentials are missing, sends a 401 response prompting for Basic auth. On valid credentials, optionally handles TOTP verification and finalizes session login.",
* operationId="loginBasic",
* tags={"Auth"},
* @OA\Response(
* response=200,
* description="Login successful; redirects to index.html",
* @OA\JsonContent(
* type="object",
* @OA\Property(property="success", type="string", example="Login successful")
* )
* ),
* @OA\Response(
* response=401,
* description="Unauthorized due to missing credentials or invalid credentials."
* )
* )
*
* Handles HTTP Basic authentication (with optional TOTP) and logs the user in.
*
* @return void Redirects on success or sends a 401 header.
*/
public function loginBasic(): void
{
// Set header for plain-text or JSON as needed.
@@ -550,27 +422,6 @@ class AuthController
exit;
}
/**
* @OA\Post(
* path="/api/auth/logout.php",
* summary="Logout user",
* description="Clears the session, removes persistent login tokens, and redirects the user to the login page.",
* operationId="logoutUser",
* tags={"Auth"},
* @OA\Response(
* response=302,
* description="Redirects to the login page with a logout flag."
* ),
* @OA\Response(
* response=401,
* description="Unauthorized"
* )
* )
*
* Logs the user out by clearing session data, removing persistent tokens, and destroying the session.
*
* @return void Redirects to index.html with a logout flag.
*/
public function logout(): void
{
// Retrieve headers and check CSRF token.


@@ -7,70 +7,6 @@ require_once PROJECT_ROOT . '/src/models/UploadModel.php';
class UploadController {
/**
* @OA\Post(
* path="/api/upload/upload.php",
* summary="Handle file upload",
* description="Handles file uploads for both chunked and non-chunked (full) uploads. Validates CSRF, user authentication, and permissions, and processes file uploads accordingly. On success, returns a JSON status for chunked uploads or redirects for full uploads.",
* operationId="handleUpload",
* tags={"Uploads"},
* @OA\RequestBody(
* required=true,
* description="Multipart form data for file upload. For chunked uploads, include fields like 'resumableChunkNumber', 'resumableTotalChunks', 'resumableIdentifier', 'resumableFilename', etc.",
* @OA\MediaType(
* mediaType="multipart/form-data",
* @OA\Schema(
* required={"token", "fileToUpload"},
* @OA\Property(property="token", type="string", description="Share token or upload token."),
* @OA\Property(
* property="fileToUpload",
* type="string",
* format="binary",
* description="The file to upload."
* ),
* @OA\Property(property="resumableChunkNumber", type="integer", description="Chunk number for chunked uploads."),
* @OA\Property(property="resumableTotalChunks", type="integer", description="Total number of chunks."),
* @OA\Property(property="resumableFilename", type="string", description="Original filename."),
* @OA\Property(property="folder", type="string", description="Target folder (default 'root').")
* )
* )
* ),
* @OA\Response(
* response=200,
* description="File uploaded successfully (or chunk uploaded status).",
* @OA\JsonContent(
* type="object",
* @OA\Property(property="success", type="string", example="File uploaded successfully"),
* @OA\Property(property="newFilename", type="string", example="5f2d7c123a_example.png"),
* @OA\Property(property="status", type="string", example="chunk uploaded")
* )
* ),
* @OA\Response(
* response=302,
* description="Redirection on full upload success."
* ),
* @OA\Response(
* response=400,
* description="Bad Request (e.g., missing file, invalid parameters)"
* ),
* @OA\Response(
* response=401,
* description="Unauthorized"
* ),
* @OA\Response(
* response=403,
* description="Forbidden (e.g., invalid CSRF token, upload disabled)"
* ),
* @OA\Response(
* response=500,
* description="Server error during file processing"
* )
* )
*
* Handles file uploads, both chunked and full, and redirects upon success.
*
* @return void Outputs JSON response (for chunked uploads) or redirects on successful full upload.
*/
public function handleUpload(): void {
header('Content-Type: application/json');
@@ -148,43 +84,7 @@ class UploadController {
'newFilename' => $result['newFilename'] ?? null
]);
}
/**
* @OA\Post(
* path="/api/upload/removeChunks.php",
* summary="Remove chunked upload temporary directory",
* description="Removes the temporary directory used for chunked uploads, given a folder name matching the expected resumable pattern.",
* operationId="removeChunks",
* tags={"Uploads"},
* @OA\RequestBody(
* required=true,
* @OA\JsonContent(
* required={"folder"},
* @OA\Property(property="folder", type="string", example="resumable_myupload123")
* )
* ),
* @OA\Response(
* response=200,
* description="Temporary folder removed successfully",
* @OA\JsonContent(
* @OA\Property(property="success", type="boolean", example=true),
* @OA\Property(property="message", type="string", example="Temporary folder removed.")
* )
* ),
* @OA\Response(
* response=400,
* description="Invalid input (e.g., missing folder or invalid folder name)"
* ),
* @OA\Response(
* response=403,
* description="Invalid CSRF token"
* )
* )
*
* Removes the temporary upload folder for chunked uploads.
*
* @return void Outputs a JSON response.
*/
public function removeChunks(): void {
header('Content-Type: application/json');


@@ -122,31 +122,6 @@ class UserController
/* ------------------------- End helpers -------------------------- */
/**
* @OA\Get(
* path="/api/getUsers.php",
* summary="Retrieve a list of users",
* description="Returns a JSON array of users. Only available to authenticated admin users.",
* operationId="getUsers",
* tags={"Users"},
* @OA\Response(
* response=200,
* description="Successful response with an array of users",
* @OA\JsonContent(
* type="array",
* @OA\Items(
* type="object",
* @OA\Property(property="username", type="string", example="johndoe"),
* @OA\Property(property="role", type="string", example="admin")
* )
* )
* ),
* @OA\Response(
* response=401,
* description="Unauthorized: the user is not authenticated or is not an admin"
* )
* )
*/
public function getUsers()
{
self::jsonHeaders();
@@ -158,39 +133,6 @@ class UserController
exit;
}
/**
* @OA\Post(
* path="/api/addUser.php",
* summary="Add a new user",
* description="Adds a new user to the system. In setup mode, the new user is automatically made admin.",
* operationId="addUser",
* tags={"Users"},
* @OA\RequestBody(
* required=true,
* @OA\JsonContent(
* required={"username", "password"},
* @OA\Property(property="username", type="string", example="johndoe"),
* @OA\Property(property="password", type="string", example="securepassword"),
* @OA\Property(property="isAdmin", type="boolean", example=true)
* )
* ),
* @OA\Response(
* response=200,
* description="User added successfully",
* @OA\JsonContent(
* @OA\Property(property="success", type="string", example="User added successfully")
* )
* ),
* @OA\Response(
* response=400,
* description="Bad Request"
* ),
* @OA\Response(
* response=401,
* description="Unauthorized"
* )
* )
*/
public function addUser()
{
self::jsonHeaders();
@@ -258,41 +200,6 @@ class UserController
exit;
}
/**
* @OA\Delete(
* path="/api/removeUser.php",
* summary="Remove a user",
* description="Removes the specified user from the system. Cannot remove the currently logged-in user.",
* operationId="removeUser",
* tags={"Users"},
* @OA\RequestBody(
* required=true,
* @OA\JsonContent(
* required={"username"},
* @OA\Property(property="username", type="string", example="johndoe")
* )
* ),
* @OA\Response(
* response=200,
* description="User removed successfully",
* @OA\JsonContent(
* @OA\Property(property="success", type="string", example="User removed successfully")
* )
* ),
* @OA\Response(
* response=400,
* description="Bad Request"
* ),
* @OA\Response(
* response=401,
* description="Unauthorized"
* ),
* @OA\Response(
* response=403,
* description="Invalid CSRF token"
* )
* )
*/
public function removeUser()
{
self::jsonHeaders();
@@ -322,24 +229,6 @@ class UserController
exit;
}
/**
* @OA\Get(
* path="/api/getUserPermissions.php",
* summary="Retrieve user permissions",
* description="Returns the permissions for the current user, or all permissions if the user is an admin.",
* operationId="getUserPermissions",
* tags={"Users"},
* @OA\Response(
* response=200,
* description="Successful response with user permissions",
* @OA\JsonContent(type="object")
* ),
* @OA\Response(
* response=401,
* description="Unauthorized"
* )
* )
*/
public function getUserPermissions()
{
self::jsonHeaders();
@@ -350,51 +239,6 @@ class UserController
exit;
}
/**
* @OA\Put(
* path="/api/updateUserPermissions.php",
* summary="Update user permissions",
* description="Updates permissions for users. Only available to authenticated admin users.",
* operationId="updateUserPermissions",
* tags={"Users"},
* @OA\RequestBody(
* required=true,
* @OA\JsonContent(
* required={"permissions"},
* @OA\Property(
* property="permissions",
* type="array",
* @OA\Items(
* type="object",
* @OA\Property(property="username", type="string", example="johndoe"),
* @OA\Property(property="folderOnly", type="boolean", example=true),
* @OA\Property(property="readOnly", type="boolean", example=false),
* @OA\Property(property="disableUpload", type="boolean", example=false)
* )
* )
* )
* ),
* @OA\Response(
* response=200,
* description="User permissions updated successfully",
* @OA\JsonContent(
* @OA\Property(property="success", type="string", example="User permissions updated successfully.")
* )
* ),
* @OA\Response(
* response=401,
* description="Unauthorized"
* ),
* @OA\Response(
* response=403,
* description="Invalid CSRF token"
* ),
* @OA\Response(
* response=400,
* description="Bad Request"
* )
* )
*/
public function updateUserPermissions()
{
self::jsonHeaders();
@@ -415,43 +259,6 @@ class UserController
exit;
}
/**
* @OA\Post(
* path="/api/changePassword.php",
* summary="Change user password",
* description="Allows an authenticated user to change their password by verifying the old password and updating to a new one.",
* operationId="changePassword",
* tags={"Users"},
* @OA\RequestBody(
* required=true,
* @OA\JsonContent(
* required={"oldPassword", "newPassword", "confirmPassword"},
* @OA\Property(property="oldPassword", type="string", example="oldpass123"),
* @OA\Property(property="newPassword", type="string", example="newpass456"),
* @OA\Property(property="confirmPassword", type="string", example="newpass456")
* )
* ),
* @OA\Response(
* response=200,
* description="Password updated successfully",
* @OA\JsonContent(
* @OA\Property(property="success", type="string", example="Password updated successfully.")
* )
* ),
* @OA\Response(
* response=400,
* description="Bad Request"
* ),
* @OA\Response(
* response=401,
* description="Unauthorized"
* ),
* @OA\Response(
* response=403,
* description="Invalid CSRF token"
* )
* )
*/
public function changePassword()
{
self::jsonHeaders();
@@ -488,41 +295,6 @@ class UserController
exit;
}
/**
* @OA\Put(
* path="/api/updateUserPanel.php",
* summary="Update user panel settings",
* description="Updates user panel settings by disabling TOTP when not enabled. Accessible to authenticated users.",
* operationId="updateUserPanel",
* tags={"Users"},
* @OA\RequestBody(
* required=true,
* @OA\JsonContent(
* required={"totp_enabled"},
* @OA\Property(property="totp_enabled", type="boolean", example=false)
* )
* ),
* @OA\Response(
* response=200,
* description="User panel updated successfully",
* @OA\JsonContent(
* @OA\Property(property="success", type="string", example="User panel updated: TOTP disabled")
* )
* ),
* @OA\Response(
* response=401,
* description="Unauthorized"
* ),
* @OA\Response(
* response=403,
* description="Invalid CSRF token"
* ),
* @OA\Response(
* response=400,
* description="Bad Request"
* )
* )
*/
public function updateUserPanel()
{
self::jsonHeaders();
@@ -551,31 +323,6 @@ class UserController
exit;
}
/**
* @OA\Put(
* path="/api/totp_disable.php",
* summary="Disable TOTP for the authenticated user",
* description="Clears the TOTP secret from the users file for the current user.",
* operationId="disableTOTP",
* tags={"TOTP"},
* @OA\Response(
* response=200,
* description="TOTP disabled successfully",
* @OA\JsonContent(
* @OA\Property(property="success", type="boolean", example=true),
* @OA\Property(property="message", type="string", example="TOTP disabled successfully.")
* )
* ),
* @OA\Response(
* response=403,
* description="Not authenticated or invalid CSRF token"
* ),
* @OA\Response(
* response=500,
* description="Failed to disable TOTP"
* )
* )
*/
public function disableTOTP()
{
self::jsonHeaders();
@@ -601,45 +348,6 @@ class UserController
exit;
}
/**
* @OA\Post(
* path="/api/totp_recover.php",
* summary="Recover TOTP",
* description="Verifies a recovery code to disable TOTP and finalize login.",
* operationId="recoverTOTP",
* tags={"TOTP"},
* @OA\RequestBody(
* required=true,
* @OA\JsonContent(
* required={"recovery_code"},
* @OA\Property(property="recovery_code", type="string", example="ABC123DEF456")
* )
* ),
* @OA\Response(
* response=200,
* description="Recovery successful",
* @OA\JsonContent(
* @OA\Property(property="status", type="string", example="ok")
* )
* ),
* @OA\Response(
* response=400,
* description="Invalid input or recovery code"
* ),
* @OA\Response(
* response=403,
* description="Invalid CSRF token"
* ),
* @OA\Response(
* response=405,
* description="Method not allowed"
* ),
* @OA\Response(
* response=429,
* description="Too many attempts"
* )
* )
*/
public function recoverTOTP()
{
self::jsonHeaders();
@@ -681,35 +389,6 @@ class UserController
exit;
}
/**
* @OA\Post(
* path="/api/totp_saveCode.php",
* summary="Generate and save a new TOTP recovery code",
* description="Generates a new TOTP recovery code for the authenticated user, stores its hash, and returns the plain text recovery code.",
* operationId="totpSaveCode",
* tags={"TOTP"},
* @OA\Response(
* response=200,
* description="Recovery code generated successfully",
* @OA\JsonContent(
* @OA\Property(property="status", type="string", example="ok"),
* @OA\Property(property="recoveryCode", type="string", example="ABC123DEF456")
* )
* ),
* @OA\Response(
* response=400,
* description="Bad Request"
* ),
* @OA\Response(
* response=403,
* description="Invalid CSRF token or unauthorized"
* ),
* @OA\Response(
* response=405,
* description="Method not allowed"
* )
* )
*/
public function saveTOTPRecoveryCode()
{
self::jsonHeaders();
@@ -739,30 +418,6 @@ class UserController
exit;
}
/**
* @OA\Get(
* path="/api/totp_setup.php",
* summary="Set up TOTP and generate a QR code",
* description="Generates (or retrieves) the TOTP secret for the user and builds a QR code image for scanning.",
* operationId="setupTOTP",
* tags={"TOTP"},
* @OA\Response(
* response=200,
* description="QR code image for TOTP setup",
* @OA\MediaType(
* mediaType="image/png"
* )
* ),
* @OA\Response(
* response=403,
* description="Unauthorized or invalid CSRF token"
* ),
* @OA\Response(
* response=500,
* description="Server error"
* )
* )
*/
public function setupTOTP()
{
// Allow access if authenticated OR pending TOTP
@@ -799,42 +454,6 @@ class UserController
exit;
}
/**
* @OA\Post(
* path="/api/totp_verify.php",
* summary="Verify TOTP code",
* description="Verifies a TOTP code and completes login for pending users or validates TOTP for setup verification.",
* operationId="verifyTOTP",
* tags={"TOTP"},
* @OA\RequestBody(
* required=true,
* @OA\JsonContent(
* required={"totp_code"},
* @OA\Property(property="totp_code", type="string", example="123456")
* )
* ),
* @OA\Response(
* response=200,
* description="TOTP successfully verified",
* @OA\JsonContent(
* @OA\Property(property="status", type="string", example="ok"),
* @OA\Property(property="message", type="string", example="Login successful")
* )
* ),
* @OA\Response(
* response=400,
* description="Bad Request (e.g., invalid input)"
* ),
* @OA\Response(
* response=403,
* description="Not authenticated or invalid CSRF token"
* ),
* @OA\Response(
* response=429,
* description="Too many attempts. Try again later."
* )
* )
*/
public function verifyTOTP()
{
header('Content-Type: application/json');