release(v1.7.3): lightweight boot pipeline, dramatically faster first paint, deduped /api writes, sturdier uploads/auth

2025-10-31 17:34:25 -04:00
parent a18a8df7af
commit d664a2f5d8
21 changed files with 2272 additions and 967 deletions
--- a/src/controllers/AdminController.php
+++ b/src/controllers/AdminController.php
@@ -7,55 +7,60 @@ require_once PROJECT_ROOT . '/src/models/AdminModel.php';
 class AdminController
 { 
    public function getConfig(): void
-{
-    header('Content-Type: application/json');
-
-    // Load raw config (no disclosure yet)
-    $config = AdminModel::getConfig();
-    if (isset($config['error'])) {
-        http_response_code(500);
-        echo json_encode(['error' => $config['error']]);
-        exit;
-    }
-
-    // Minimal, safe subset for all callers (unauth users and regular users)
-    $public = [
-        'header_title'        => $config['header_title'] ?? 'FileRise',
-        'loginOptions'        => [
-            // expose only what the login page / header needs
-            'disableFormLogin'  => (bool)($config['loginOptions']['disableFormLogin']  ?? false),
-            'disableBasicAuth'  => (bool)($config['loginOptions']['disableBasicAuth']  ?? false),
-            'disableOIDCLogin'  => (bool)($config['loginOptions']['disableOIDCLogin']  ?? false),
-        ],
-        'globalOtpauthUrl'    => $config['globalOtpauthUrl'] ?? '',
-        'enableWebDAV'        => (bool)($config['enableWebDAV'] ?? false),
-        'sharedMaxUploadSize' => (int)($config['sharedMaxUploadSize'] ?? 0),
-
-        'oidc' => [
-            'providerUrl' => (string)($config['oidc']['providerUrl'] ?? ''),
-            'redirectUri' => (string)($config['oidc']['redirectUri'] ?? ''),
-            // never expose clientId / clientSecret
-        ],
-    ];
-
-    $isAdmin = !empty($_SESSION['authenticated']) && !empty($_SESSION['isAdmin']);
-
-    if ($isAdmin) {
-        // Add admin-only fields (used by Admin Panel UI)
-        $adminExtra = [
-            'loginOptions' => array_merge($public['loginOptions'], [
-                'authBypass'     => (bool)($config['loginOptions']['authBypass']     ?? false),
-                'authHeaderName' => (string)($config['loginOptions']['authHeaderName'] ?? 'X-Remote-User'),
-            ]),
+    {
+        header('Content-Type: application/json; charset=utf-8');
+    
+        $config = AdminModel::getConfig();
+        if (isset($config['error'])) {
+            http_response_code(500);
+            header('Cache-Control: no-store');
+            echo json_encode(['error' => $config['error']], JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+            return;
+        }
+    
+        // Whitelisted public subset only
+        $public = [
+            'header_title'        => (string)($config['header_title'] ?? 'FileRise'),
+            'loginOptions'        => [
+                'disableFormLogin' => (bool)($config['loginOptions']['disableFormLogin'] ?? false),
+                'disableBasicAuth' => (bool)($config['loginOptions']['disableBasicAuth'] ?? false),
+                'disableOIDCLogin' => (bool)($config['loginOptions']['disableOIDCLogin'] ?? false),
+            ],
+            'globalOtpauthUrl'    => (string)($config['globalOtpauthUrl'] ?? ''),
+            'enableWebDAV'        => (bool)($config['enableWebDAV'] ?? false),
+            'sharedMaxUploadSize' => (int)($config['sharedMaxUploadSize'] ?? 0),
+            'oidc' => [
+                'providerUrl' => (string)($config['oidc']['providerUrl'] ?? ''),
+                'redirectUri' => (string)($config['oidc']['redirectUri'] ?? ''),
+                // never include clientId/clientSecret
+            ],
        ];
-        echo json_encode(array_merge($public, $adminExtra));
+    
+        $isAdmin = !empty($_SESSION['authenticated']) && !empty($_SESSION['isAdmin']);
+    
+        if ($isAdmin) {
+            // admin-only extras: presence flags + proxy options
+            $adminExtra = [
+                'loginOptions' => array_merge($public['loginOptions'], [
+                    'authBypass'     => (bool)($config['loginOptions']['authBypass'] ?? false),
+                    'authHeaderName' => (string)($config['loginOptions']['authHeaderName'] ?? 'X-Remote-User'),
+                ]),
+                'oidc' => array_merge($public['oidc'], [
+                    'hasClientId'     => !empty($config['oidc']['clientId']),
+                    'hasClientSecret' => !empty($config['oidc']['clientSecret']),
+                ]),
+            ];
+            header('Cache-Control: no-store'); // don’t cache admin config
+            echo json_encode(array_merge($public, $adminExtra), JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+            return;
+        }
+    
+        // Non-admins / unauthenticated: only the public subset
+        header('Cache-Control: no-store');
+        echo json_encode($public, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
        return;
    }

-    // Non-admins / unauthenticated: only the public subset
-    echo json_encode($public);
-}
-
    public function updateConfig(): void
    {
        header('Content-Type: application/json');
--- a/src/controllers/AuthController.php
+++ b/src/controllers/AuthController.php
@@ -70,7 +70,10 @@ class AuthController
            if ($oidcAction === 'callback') {
                try {
                    $oidc->authenticate();
-                    $username = $oidc->requestUserInfo('preferred_username');
+                    $username =
+    $oidc->requestUserInfo('preferred_username')
+    ?: $oidc->requestUserInfo('email')
+    ?: $oidc->requestUserInfo('sub');

                    // check if this user has a TOTP secret
                    $totp_secret = null;
--- a/src/controllers/UploadController.php
+++ b/src/controllers/UploadController.php
@@ -52,57 +52,69 @@ class UploadController {
        }
    
        // ---- 3) Folder-level WRITE permission (ACL) ----
-        // Always require client to send the folder; fall back to GET if needed.
-        $folderParam   = isset($_POST['folder']) ? (string)$_POST['folder'] : (isset($_GET['folder']) ? (string)$_GET['folder'] : 'root');
-        $targetFolder  = ACL::normalizeFolder($folderParam);
-    
-        // Admins bypass folder canWrite checks
-        if (!$isAdmin && !ACL::canUpload($username, $userPerms, $targetFolder)) {
-            http_response_code(403);
-            echo json_encode(['error' => 'Forbidden: no write access to folder "'.$targetFolder.'".']);
-            return;
-        }
-    
-        // ---- 4) Delegate to model (actual file/chunk processing) ----
-        // (Optionally re-check in UploadModel before finalizing.)
-        $result = UploadModel::handleUpload($_POST, $_FILES);
-    
-        // ---- 5) Response ----
-        if (isset($result['error'])) {
-            http_response_code(400);
-            echo json_encode($result);
-            return;
-        }
-        if (isset($result['status'])) {
-            // e.g., {"status":"chunk uploaded"}
-            echo json_encode($result);
-            return;
-        }
-    
-        echo json_encode([
-            'success'     => 'File uploaded successfully',
-            'newFilename' => $result['newFilename'] ?? null
-        ]);
+    // Always require client to send the folder; fall back to GET if needed.
+    $folderParam = isset($_POST['folder'])
+        ? (string)$_POST['folder']
+        : (isset($_GET['folder']) ? (string)$_GET['folder'] : 'root');
+
+    // Decode %xx (e.g., "test%20folder") then normalize
+    $folderParam  = rawurldecode($folderParam);
+    $targetFolder = ACL::normalizeFolder($folderParam);
+
+    // Admins bypass folder canWrite checks
+    $username  = (string)($_SESSION['username'] ?? '');
+    $userPerms = loadUserPermissions($username) ?: [];
+    $isAdmin   = ACL::isAdmin($userPerms);
+
+    if (!$isAdmin && !ACL::canUpload($username, $userPerms, $targetFolder)) {
+        http_response_code(403);
+        echo json_encode(['error' => 'Forbidden: no write access to folder "'.$targetFolder.'".']);
+        return;
    }
+
+    // ---- 4) Delegate to model (force the sanitized folder) ----
+    $_POST['folder'] = $targetFolder; // in case model reads superglobal
+    $post = $_POST;
+    $post['folder'] = $targetFolder;
+
+    $result = UploadModel::handleUpload($post, $_FILES);
+
+    // ---- 5) Response (unchanged) ----
+    if (isset($result['error'])) {
+        http_response_code(400);
+        echo json_encode($result);
+        return;
+    }
+    if (isset($result['status'])) {
+        echo json_encode($result);
+        return;
+    }
+
+    echo json_encode([
+        'success'     => 'File uploaded successfully',
+        'newFilename' => $result['newFilename'] ?? null
+    ]);
+}
    
    public function removeChunks(): void {
-        header('Content-Type: application/json');
+    header('Content-Type: application/json');

-        $receivedToken = isset($_POST['csrf_token']) ? trim($_POST['csrf_token']) : '';
-        if ($receivedToken !== ($_SESSION['csrf_token'] ?? '')) {
-            http_response_code(403);
-            echo json_encode(['error' => 'Invalid CSRF token']);
-            return;
-        }
-
-        if (!isset($_POST['folder'])) {
-            http_response_code(400);
-            echo json_encode(['error' => 'No folder specified']);
-            return;
-        }
-
-        $folder = (string)$_POST['folder'];
-        $result = UploadModel::removeChunks($folder);
-        echo json_encode($result);
+    $receivedToken = isset($_POST['csrf_token']) ? trim($_POST['csrf_token']) : '';
+    if ($receivedToken !== ($_SESSION['csrf_token'] ?? '')) {
+        http_response_code(403);
+        echo json_encode(['error' => 'Invalid CSRF token']);
+        return;
    }
+
+    if (!isset($_POST['folder'])) {
+        http_response_code(400);
+        echo json_encode(['error' => 'No folder specified']);
+        return;
+    }
+
+    $folderRaw = (string)$_POST['folder'];
+    $folder    = ACL::normalizeFolder(rawurldecode($folderRaw));
+
+    echo json_encode(UploadModel::removeChunks($folder));
+}
 }