WebClient shares: add a logout button

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>

internal/httpd/api_shares.go

@@ -425,35 +425,43 @@ func (s *httpdServer) uploadFilesToShare(w http.ResponseWriter, r *http.Request)
 	}
 }
 
+func (s *httpdServer) getShareClaims(r *http.Request, shareID string) (*jwtTokenClaims, error) {
+	token, err := jwtauth.VerifyRequest(s.tokenAuth, r, jwtauth.TokenFromCookie)
+	if err != nil || token == nil {
+		return nil, errInvalidToken
+	}
+	tokenString := jwtauth.TokenFromCookie(r)
+	if tokenString == "" || invalidatedJWTTokens.Get(tokenString) {
+		return nil, errInvalidToken
+	}
+	if !util.Contains(token.Audience(), tokenAudienceWebShare) {
+		logger.Debug(logSender, "", "invalid token audience for share %q", shareID)
+		return nil, errInvalidToken
+	}
+	ipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)
+	if err := validateIPForToken(token, ipAddr); err != nil {
+		logger.Debug(logSender, "", "token for share %q is not valid for the ip address %q", shareID, ipAddr)
+		return nil, err
+	}
+	ctx := jwtauth.NewContext(r.Context(), token, nil)
+	claims, err := getTokenClaims(r.WithContext(ctx))
+	if err != nil || claims.Username != shareID {
+		logger.Debug(logSender, "", "token not valid for share %q", shareID)
+		return nil, errInvalidToken
+	}
+	return &claims, nil
+}
+
 func (s *httpdServer) checkWebClientShareCredentials(w http.ResponseWriter, r *http.Request, share *dataprovider.Share) error {
 	doRedirect := func() {
 		redirectURL := path.Join(webClientPubSharesPath, share.ShareID, fmt.Sprintf("login?next=%s", url.QueryEscape(r.RequestURI)))
 		http.Redirect(w, r, redirectURL, http.StatusFound)
 	}
 
-	token, err := jwtauth.VerifyRequest(s.tokenAuth, r, jwtauth.TokenFromCookie)
+	if _, err := s.getShareClaims(r, share.ShareID); err != nil {
-	if err != nil || token == nil {
-		doRedirect()
-		return errInvalidToken
-	}
-	if !util.Contains(token.Audience(), tokenAudienceWebShare) {
-		logger.Debug(logSender, "", "invalid token audience for share %q", share.ShareID)
-		doRedirect()
-		return errInvalidToken
-	}
-	ipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)
-	if err := validateIPForToken(token, ipAddr); err != nil {
-		logger.Debug(logSender, "", "token for share %q is not valid for the ip address %q", share.ShareID, ipAddr)
 		doRedirect()
 		return err
 	}
-	ctx := jwtauth.NewContext(r.Context(), token, nil)
-	claims, err := getTokenClaims(r.WithContext(ctx))
-	if err != nil || claims.Username != share.ShareID {
-		logger.Debug(logSender, "", "token not valid for share %q", share.ShareID)
-		doRedirect()
-		return errInvalidToken
-	}
 	return nil
 }
 

internal/httpd/httpd_test.go

@@ -14431,6 +14431,30 @@ func TestWebClientShareCredentials(t *testing.T) {
 	req.RemoteAddr = "1.2.3.4:1234"
 	rr = executeRequest(req)
 	checkResponseCode(t, http.StatusFound, rr)
+	// logout to a different share, the cookie is not valid.
+	req, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, shareWriteID, "logout"), nil)
+	assert.NoError(t, err)
+	req.RequestURI = uri
+	setJWTCookieForReq(req, cookie)
+	rr = executeRequest(req)
+	checkResponseCode(t, http.StatusForbidden, rr)
+	assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
+	// logout
+	req, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, shareReadID, "logout"), nil)
+	assert.NoError(t, err)
+	req.RequestURI = uri
+	setJWTCookieForReq(req, cookie)
+	rr = executeRequest(req)
+	checkResponseCode(t, http.StatusFound, rr)
+	// the cookie is no longer valid
+	req, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, shareReadID, "download?b=c"), nil)
+	assert.NoError(t, err)
+	req.RequestURI = uri
+	setJWTCookieForReq(req, cookie)
+	rr = executeRequest(req)
+	checkResponseCode(t, http.StatusFound, rr)
+	assert.Contains(t, rr.Header().Get("Location"), "/login")
+
 	// try to login with invalid credentials
 	loginCookie, csrfToken, err = getCSRFTokenMock(webLoginPath, defaultRemoteAddr)
 	assert.NoError(t, err)

internal/httpd/server.go

@@ -1551,6 +1551,7 @@ func (s *httpdServer) setupWebClientRoutes() {
 		s.router.Get(webClientPubSharesPath+"/{id}/login", s.handleClientShareLoginGet)
 		s.router.With(jwtauth.Verify(s.csrfTokenAuth, jwtauth.TokenFromCookie)).
 			Post(webClientPubSharesPath+"/{id}/login", s.handleClientShareLoginPost)
+		s.router.Get(webClientPubSharesPath+"/{id}/logout", s.handleClientShareLogout)
 		s.router.Get(webClientPubSharesPath+"/{id}", s.downloadFromShare)
 		s.router.Post(webClientPubSharesPath+"/{id}/partial", s.handleClientSharePartialDownload)
 		s.router.Get(webClientPubSharesPath+"/{id}/browse", s.handleShareGetFiles)

internal/httpd/webadmin.go

@@ -151,6 +151,7 @@ type basePage struct {
 	HasSearcher         bool
 	HasExternalLogin    bool
 	LoggedUser          *dataprovider.Admin
+	IsLoggedToShare     bool
 	Branding            UIBranding
 }
 

internal/httpd/webclient.go

@@ -95,6 +95,7 @@ type baseClientPage struct {
 	MFAURL          string
 	CSRFToken       string
 	LoggedUser      *dataprovider.User
+	IsLoggedToShare bool
 	Branding        UIBranding
 }
 
@@ -544,6 +545,7 @@ func (s *httpdServer) getBaseClientPageData(title, currentURL string, w http.Res
 		MFAURL:          webClientMFAPath,
 		CSRFToken:       csrfToken,
 		LoggedUser:      getUserFromToken(r),
+		IsLoggedToShare: false,
 		Branding:        s.binding.Branding.WebClient,
 	}
 	if !strings.HasPrefix(r.RequestURI, webClientPubSharesPath) {
@@ -739,6 +741,8 @@ func (s *httpdServer) renderSharedFilesPage(w http.ResponseWriter, r *http.Reque
 	baseData := s.getBaseClientPageData(util.I18nSharedFilesTitle, currentURL, w, r)
 	baseData.FilesURL = currentURL
 	baseSharePath := path.Join(webClientPubSharesPath, share.ShareID)
+	baseData.LogoutURL = path.Join(webClientPubSharesPath, share.ShareID, "logout")
+	baseData.IsLoggedToShare = share.Password != ""
 
 	data := filesPage{
 		baseClientPage: baseData,
@@ -766,21 +770,32 @@ func (s *httpdServer) renderSharedFilesPage(w http.ResponseWriter, r *http.Reque
 	renderClientTemplate(w, templateClientFiles, data)
 }
 
-func (s *httpdServer) renderShareDownloadPage(w http.ResponseWriter, r *http.Request, downloadLink string) {
+func (s *httpdServer) renderShareDownloadPage(w http.ResponseWriter, r *http.Request, share *dataprovider.Share,
+	downloadLink string,
+) {
 	data := shareDownloadPage{
 		baseClientPage: s.getBaseClientPageData(util.I18nShareDownloadTitle, "", w, r),
 		DownloadLink:   downloadLink,
 	}
+	data.LogoutURL = ""
+	if share.Password != "" {
+		data.LogoutURL = path.Join(webClientPubSharesPath, share.ShareID, "logout")
+	}
+
 	renderClientTemplate(w, templateShareDownload, data)
 }
 
-func (s *httpdServer) renderUploadToSharePage(w http.ResponseWriter, r *http.Request, share dataprovider.Share) {
+func (s *httpdServer) renderUploadToSharePage(w http.ResponseWriter, r *http.Request, share *dataprovider.Share) {
 	currentURL := path.Join(webClientPubSharesPath, share.ShareID, "upload")
 	data := shareUploadPage{
 		baseClientPage: s.getBaseClientPageData(util.I18nShareUploadTitle, currentURL, w, r),
-		Share:          &share,
+		Share:          share,
 		UploadBasePath: path.Join(webClientPubSharesPath, share.ShareID),
 	}
+	data.LogoutURL = ""
+	if share.Password != "" {
+		data.LogoutURL = path.Join(webClientPubSharesPath, share.ShareID, "logout")
+	}
 	renderClientTemplate(w, templateUploadToShare, data)
 }
 
@@ -1022,7 +1037,7 @@ func (s *httpdServer) handleClientUploadToShare(w http.ResponseWriter, r *http.R
 		http.Redirect(w, r, path.Join(webClientPubSharesPath, share.ShareID, "browse"), http.StatusFound)
 		return
 	}
-	s.renderUploadToSharePage(w, r, share)
+	s.renderUploadToSharePage(w, r, &share)
 }
 
 func (s *httpdServer) handleShareGetFiles(w http.ResponseWriter, r *http.Request) {
@@ -1877,17 +1892,20 @@ func (s *httpdServer) handleClientShareLoginPost(w http.ResponseWriter, r *http.
 		s.renderShareLoginPage(w, r, util.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials))
 		return
 	}
+	next := path.Clean(r.URL.Query().Get("next"))
+	baseShareURL := path.Join(webClientPubSharesPath, share.ShareID)
+	isRedirect, redirectTo := checkShareRedirectURL(next, baseShareURL)
 	c := jwtTokenClaims{
 		Username: shareID,
 	}
+	if isRedirect {
+		c.Ref = next
+	}
 	err = c.createAndSetCookie(w, r, s.tokenAuth, tokenAudienceWebShare, ipAddr)
 	if err != nil {
 		s.renderShareLoginPage(w, r, util.NewI18nError(err, util.I18nError500Message))
 		return
 	}
-	next := path.Clean(r.URL.Query().Get("next"))
-	baseShareURL := path.Join(webClientPubSharesPath, share.ShareID)
-	isRedirect, redirectTo := checkShareRedirectURL(next, baseShareURL)
 	if isRedirect {
 		http.Redirect(w, r, redirectTo, http.StatusFound)
 		return
@@ -1895,6 +1913,22 @@ func (s *httpdServer) handleClientShareLoginPost(w http.ResponseWriter, r *http.
 	s.renderClientMessagePage(w, r, util.I18nSharedFilesTitle, http.StatusOK, nil, util.I18nShareLoginOK)
 }
 
+func (s *httpdServer) handleClientShareLogout(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)
+
+	shareID := getURLParam(r, "id")
+	claims, err := s.getShareClaims(r, shareID)
+	if err != nil {
+		s.renderClientMessagePage(w, r, util.I18nShareAccessErrorTitle, http.StatusForbidden,
+			util.NewI18nError(err, util.I18nErrorInvalidToken), "")
+		return
+	}
+	removeCookie(w, r, webBaseClientPath)
+
+	redirectURL := path.Join(webClientPubSharesPath, shareID, fmt.Sprintf("login?next=%s", url.QueryEscape(claims.Ref)))
+	http.Redirect(w, r, redirectURL, http.StatusFound)
+}
+
 func (s *httpdServer) handleClientSharedFile(w http.ResponseWriter, r *http.Request) {
 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
 	validScopes := []dataprovider.ShareScope{dataprovider.ShareScopeRead}
@@ -1906,7 +1940,7 @@ func (s *httpdServer) handleClientSharedFile(w http.ResponseWriter, r *http.Requ
 	if r.URL.RawQuery != "" {
 		query = "?" + r.URL.RawQuery
 	}
-	s.renderShareDownloadPage(w, r, path.Join(webClientPubSharesPath, share.ShareID)+query)
+	s.renderShareDownloadPage(w, r, &share, path.Join(webClientPubSharesPath, share.ShareID)+query)
 }
 
 func (s *httpdServer) handleClientCheckExist(w http.ResponseWriter, r *http.Request) {

templates/common/base.html

@@ -845,6 +845,17 @@ explicit grant from the SFTPGo Team (support@sftpgo.com).
                         </div>
                     </div>
                 </div>
+                {{- else if .IsLoggedToShare}}
+                <div class="app-container container-fluid d-flex mt-5">
+                    <div class="d-flex align-items-center d-block ms-3">
+                        <img alt="Logo" src="{{.StaticURL}}{{.Branding.LogoPath}}" class="h-50px" />
+                    </div>
+                    <div class="flex-grow-1">
+                        <div class="d-flex justify-content-end">
+                            {{- template "navitems" .}}
+                        </div>
+                    </div>
+                </div>
                 {{- end}}
                 <div class="{{- if .LoggedUser.Username}}app-wrapper{{- end}} flex-column flex-row-fluid " id="kt_app_wrapper">
                     {{- if .LoggedUser.Username}}

templates/webclient/base.html

@@ -26,6 +26,7 @@ explicit grant from the SFTPGo Team (support@sftpgo.com).
         </i>
     </div>
     <div class="menu menu-sub menu-sub-dropdown menu-column menu-rounded menu-title-gray-700 menu-icon-gray-500 menu-active-bg menu-state-color fw-semibold py-4 w-250px" data-kt-menu="true">
+        {{- if not .IsLoggedToShare }}
         <div class="menu-item px-3 my-0">
             <div class="menu-content d-flex align-items-center px-3 py-2">
                 <div class="me-5">
@@ -54,6 +55,7 @@ explicit grant from the SFTPGo Team (support@sftpgo.com).
             </a>
         </div>
         {{- end}}
+        {{- end}}
         <div class="menu-item px-3 my-0">
             <a id="id_logout_link" href="#" class="menu-link px-3 py-2">
                 <span data-i18n="login.signout" class="menu-title">Sign out</span>

templates/webclient/sharedownload.html

@@ -25,9 +25,16 @@ explicit grant from the SFTPGo Team (support@sftpgo.com).
 		    {{.Branding.ShortName}}
         </span>
     </div>
-    <div class="card shadow-sm w-lg-600px">
+    <div class="card shadow-sm w-lg-600px w-md-450px">
         <div class="card-header bg-light">
             <h3 data-i18n="fs.download_ready" class="card-title section-title">Your download is ready</h3>
+            {{- if .LogoutURL}}
+            <div class="card-toolbar">
+                <a id="id_logout_link" href="#" class="btn btn-light-primary">
+                    <span data-i18n="login.signout">Sign out</span>
+                </a>
+            </div>
+            {{- end}}
         </div>
         <div class="card-body">
             <div>

templates/webclient/shareupload.html

@@ -25,9 +25,16 @@ explicit grant from the SFTPGo Team (support@sftpgo.com).
 		    {{.Branding.ShortName}}
         </span>
     </div>
-    <div class="card shadow-sm w-lg-600px">
+    <div class="card shadow-sm w-lg-600px w-md-450px">
         <div class="card-header bg-light">
             <h3 data-i18n="title.upload_to_share" class="card-title section-title">Upload one or more files to share</h3>
+            {{- if .LogoutURL}}
+            <div class="card-toolbar">
+                <a id="id_logout_link" href="#" class="btn btn-light-primary">
+                    <span data-i18n="login.signout">Sign out</span>
+                </a>
+            </div>
+            {{- end}}
         </div>
         <div class="card-body">
             {{- template "errmsg" ""}}