Merge pull request #4 from andrecrjr/fix-security

Fix security

Author: andrecrjr

app/api/action/route.ts

@@ -41,13 +41,22 @@ function getDecryptedPw(req: NextRequest): string | null {
   return decrypt(enc)
 }
 
+function isDemoMode(serverUrl: string | null): boolean {
+  return serverUrl?.startsWith("demo://") || false
+}
+
 export async function GET(req: NextRequest) {
   const { searchParams } = new URL(req.url)
   const op = searchParams.get("op") || "ls"
   const serverUrl = searchParams.get("serverUrl")
   const path = searchParams.get("path") || "/"
-  const pw = getDecryptedPw(req)
 
+  // Check for demo mode first
+  if (isDemoMode(serverUrl)) {
+    return NextResponse.json({ error: "Operation not allowed in demo mode" }, { status: 403, headers: { "Cache-Control": "no-store, max-age=0" } })
+  }
+
+  const pw = getDecryptedPw(req)
   if (!serverUrl) return NextResponse.json({ error: "Missing serverUrl" }, { status: 400, headers: { "Cache-Control": "no-store, max-age=0" } })
   if (!pw) return NextResponse.json({ error: "Unauthorized" }, { status: 401, headers: { "Cache-Control": "no-store, max-age=0" } })
 
@@ -92,6 +101,13 @@ export async function GET(req: NextRequest) {
 export async function POST(req: NextRequest) {
   const { searchParams } = new URL(req.url)
   const op = searchParams.get("op") || "upload"
+  const serverUrl = searchParams.get("serverUrl")
+
+  // Check for demo mode first
+  if (isDemoMode(serverUrl)) {
+    // Block all operations in demo mode
+    return NextResponse.json({ error: "Operation not allowed in demo mode" }, { status: 403, headers: { "Cache-Control": "no-store, max-age=0" } })
+  }
 
   if (op === "login") {
     const body = await req.json()
@@ -185,6 +201,7 @@ export async function POST(req: NextRequest) {
 export async function DELETE(req: NextRequest) {
   const { searchParams } = new URL(req.url)
   const op = searchParams.get("op") || "delete"
+  const serverUrl = searchParams.get("serverUrl")
 
   if (op === "logout") {
     const res = NextResponse.json({ ok: true }, { status: 200 })
@@ -201,7 +218,27 @@ export async function DELETE(req: NextRequest) {
     return res
   }
 
-  const serverUrl = searchParams.get("serverUrl")
+  // Check for demo mode
+  if (isDemoMode(serverUrl)) {
+    // Block all operations in demo mode except logout
+    if (op === "logout") {
+      const res = NextResponse.json({ ok: true }, { status: 200 })
+      res.cookies.set({
+        name: COOKIE_NAME,
+        value: "",
+        httpOnly: true,
+        secure: isSecure(req),
+        sameSite: "lax",
+        expires: new Date(0),
+        path: "/",
+      })
+      res.headers.set("Cache-Control", "no-store, max-age=0")
+      return res
+    } else {
+      return NextResponse.json({ error: "Operation not allowed in demo mode" }, { status: 403, headers: { "Cache-Control": "no-store, max-age=0" } })
+    }
+  }
+
   const path = searchParams.get("path") || "/"
   const pw = getDecryptedPw(req)
 

app/app/demo/page.tsx

@@ -18,7 +18,7 @@ export default function DemoPage() {
     taglist: [],
     srvinf: "demo",
     acct: "demo",
-    perms: ["read", "write", "delete"],
+    perms: ["read"], // Only read permissions in demo mode
     cfg: {
       idx: true,
       itag: false,

app/app/page.tsx

@@ -76,7 +76,7 @@ export default function AppPage() {
       taglist: [],
       srvinf: "demo",
       acct: "demo",
-      perms: ["read", "write", "delete"],
+      perms: ["read"], // Only read permissions in demo mode
       cfg: {
         idx: true,
         itag: false,

components/file-manager.tsx

@@ -44,8 +44,8 @@ export function FileManager({ serverUrl, onLogout, initialData }: FileManagerPro
   }
 
   const isDemo = serverUrl.startsWith("demo://")
-  const hasWritePermission = !isDemo && (data?.perms.includes("write") || false)
-  const hasDeletePermission = !isDemo && (data?.perms.includes("delete") || false)
+  const hasWritePermission = data?.perms.includes("write") || false
+  const hasDeletePermission = data?.perms.includes("delete") || false
 
   const fetchDirectory = async (path: string) => {
     setIsLoading(true)
@@ -59,7 +59,7 @@ export function FileManager({ serverUrl, onLogout, initialData }: FileManagerPro
         taglist: [],
         srvinf: "demo",
         acct: "demo",
-        perms: ["read"],
+        perms: ["read"], // Only read permissions in demo mode
         cfg: {
           idx: true,
           itag: false,
@@ -312,9 +312,16 @@ export function FileManager({ serverUrl, onLogout, initialData }: FileManagerPro
 
       {/* Main Content */}
       <main className="container mx-auto px-3 sm:px-4 py-4 sm:py-6 safe-px">
-        <Button variant="default" onClick={() => setShowUpload(true)}
-            className="cursor-pointer rounded-full gap-2 w-14 h-14 absolute 
-            right-10 bottom-10 shadow-md">
+        <Button variant="default" onClick={() => {
+            if (isDemo) {
+              alert("Demo mode: uploads are disabled.");
+              return;
+            }
+            setShowUpload(true);
+          }}
+            className="cursor-pointer rounded-full gap-2 w-14 h-14 absolute
+            right-10 bottom-10 shadow-md"
+            disabled={isDemo}>
           <UploadIcon className="h-5 w-5 sm:h-6 sm:w-6" />
         </Button>
         {/* Breadcrumbs and Actions */}
@@ -351,7 +358,7 @@ export function FileManager({ serverUrl, onLogout, initialData }: FileManagerPro
             </div>
           </div>
 
-          {hasWritePermission && (
+          {(hasWritePermission && !isDemo) && (
             <div className="flex flex-col sm:flex-row gap-3">
               <div className="relative flex-1">
                 <Input
@@ -368,6 +375,24 @@ export function FileManager({ serverUrl, onLogout, initialData }: FileManagerPro
               </div>
             </div>
           )}
+          {isDemo && (
+            <div className="flex flex-col sm:flex-row gap-3">
+              <div className="relative flex-1">
+                <Input
+                  placeholder="New folder name"
+                  value=""
+                  onChange={() => {}}
+                  disabled
+                />
+              </div>
+              <div className="flex items-center gap-2">
+                <Button onClick={() => alert("Demo mode: creating folders is disabled.")} className="gap-2" disabled>
+                  <FolderPlusIcon className="h-4 w-4" />
+                  Create folder
+                </Button>
+              </div>
+            </div>
+          )}
         </div>
 
         {/* File List */}
@@ -381,8 +406,8 @@ export function FileManager({ serverUrl, onLogout, initialData }: FileManagerPro
                 files={data.files.filter((f) => f.href.toLowerCase().includes(searchQuery.toLowerCase()))}
                 onNavigate={(href: string) => handleNavigate(href)}
                 onDownload={handleDownload}
-                onDelete={hasDeletePermission ? handleDelete : undefined}
-                onRename={hasWritePermission ? handleRename : undefined}
+                onDelete={hasDeletePermission && !isDemo ? handleDelete : undefined}
+                onRename={hasWritePermission && !isDemo ? handleRename : undefined}
                 currentPath={currentPath}
                 serverUrl={serverUrl}
               />
@@ -392,8 +417,8 @@ export function FileManager({ serverUrl, onLogout, initialData }: FileManagerPro
                 files={data.files.filter((f) => f.href.toLowerCase().includes(searchQuery.toLowerCase()))}
                 onNavigate={(href: string) => handleNavigate(href)}
                 onDownload={handleDownload}
-                onDelete={hasDeletePermission ? handleDelete : undefined}
-                onRename={hasWritePermission ? handleRename : undefined}
+                onDelete={hasDeletePermission && !isDemo ? handleDelete : undefined}
+                onRename={hasWritePermission && !isDemo ? handleRename : undefined}
                 currentPath={currentPath}
                 serverUrl={serverUrl}
               />

components/file-upload.tsx

@@ -35,7 +35,11 @@ export function FileUpload({ serverUrl, currentPath, onUploadComplete, onClose }
   const hasActive = hasUploading || hasFinalizing
 
   const handleFileSelect = (files: FileList | null) => {
-    if (!files || isDemo) return
+    if (!files) return
+    if (isDemo) {
+      alert("Demo mode: uploads are disabled.")
+      return
+    }
 
     const newFiles: UploadFile[] = Array.from(files).map((file) => ({
       file,
@@ -200,7 +204,10 @@ export function FileUpload({ serverUrl, currentPath, onUploadComplete, onClose }
             onDrop={(e) => {
               e.preventDefault()
               setIsDragging(false)
-              if (isDemo) return
+              if (isDemo) {
+                alert("Demo mode: uploads are disabled.")
+                return
+              }
               handleFileSelect(e.dataTransfer.files)
             }}
           >