remove docker linux-x32

Specifically, this will always follow symlinks when they lead to a path
below the dufs root, and will follow other symlinks when
`--allow-symlink` is set.

I refactored some common functionality out of `zip_dir` and
`handle_search_dir` as well.

.github/workflows/release.yaml

@@ -38,14 +38,6 @@ jobs:
           os: ubuntu-latest
           use-cross: true
           cargo-flags: ""
-        - target: i686-unknown-linux-musl
-          os: ubuntu-latest
-          use-cross: true
-          cargo-flags: ""
-        - target: i686-pc-windows-msvc
-          os: windows-latest
-          use-cross: true
-          cargo-flags: ""
         - target: armv7-unknown-linux-musleabihf
           os: ubuntu-latest
           use-cross: true
@@ -170,7 +162,6 @@ jobs:
           platforms: |
             linux/amd64
             linux/arm64
-            linux/386
             linux/arm/v7
           push: ${{ needs.release.outputs.rc == 'false' }}
           tags: ${{ github.repository }}:latest, ${{ github.repository }}:${{ github.ref_name }}

CHANGELOG.md

@@ -2,6 +2,82 @@
 
 All notable changes to this project will be documented in this file.
 
+## [0.46.0] - 2026-03-04
+
+### Bug Fixes
+
+- Some search results missing due to broken symlinks ([#665](https://github.com/sigoden/dufs/issues/665))
+- Escape filename in ?simple output ([#669](https://github.com/sigoden/dufs/issues/669))
+- Ensure symlink inside serve root ([#670](https://github.com/sigoden/dufs/issues/670))
+
+### Features
+
+- Add option --allow-hash to allow/disallow file hashing ([#657](https://github.com/sigoden/dufs/issues/657))
+
+### Refactor
+
+- Update deps ([#655](https://github.com/sigoden/dufs/issues/655))
+- Improve UI button titles ([#656](https://github.com/sigoden/dufs/issues/656))
+
+## [0.45.0] - 2025-09-03
+
+### Bug Fixes
+
+- Perms on `dufs -A -a @/:ro` ([#619](https://github.com/sigoden/dufs/issues/619))
+- Login btn does not work for readonly anonymous ([#620](https://github.com/sigoden/dufs/issues/620))
+- Verify token length ([#627](https://github.com/sigoden/dufs/issues/627))
+
+### Features
+
+- Make dir urls inherit `?noscript` params ([#614](https://github.com/sigoden/dufs/issues/614))
+- Log decoded uri ([#615](https://github.com/sigoden/dufs/issues/615))
+
+## [0.44.0] - 2025-08-02
+
+### Bug Fixes
+
+- No authentication check if no auth users ([#497](https://github.com/sigoden/dufs/issues/497))
+- Webui can't handle hash property of URL well ([#515](https://github.com/sigoden/dufs/issues/515))
+- Incorrect dir size due to hidden files ([#529](https://github.com/sigoden/dufs/issues/529))
+- Webui formatDirSize ([#568](https://github.com/sigoden/dufs/issues/568))
+- Follow symlinks when searching/archiving ([#572](https://github.com/sigoden/dufs/issues/572))
+- Incorrect separator for zip archives under windows ([#577](https://github.com/sigoden/dufs/issues/577))
+- Unexpected public auth asking for login info ([#583](https://github.com/sigoden/dufs/issues/583))
+
+### Features
+
+- Higher perm auth path shadows lower one ([#521](https://github.com/sigoden/dufs/issues/521))
+- Add cache-control:no-cache while sending file and index ([#528](https://github.com/sigoden/dufs/issues/528))
+- Support multipart ranges ([#535](https://github.com/sigoden/dufs/issues/535))
+- Limit sub directory item counting ([#556](https://github.com/sigoden/dufs/issues/556))
+- Tolerate the absence of mtime ([#559](https://github.com/sigoden/dufs/issues/559))
+- Support noscript fallback ([#602](https://github.com/sigoden/dufs/issues/602))
+- Support  downloading via token auth ([#603](https://github.com/sigoden/dufs/issues/603))
+
+### Refactor
+
+- Change description for `--allow-archive` ([#511](https://github.com/sigoden/dufs/issues/511))
+- Removes clippy warnings ([#601](https://github.com/sigoden/dufs/issues/601))
+- Update deps ([#604](https://github.com/sigoden/dufs/issues/604))
+- Fix typos ([#605](https://github.com/sigoden/dufs/issues/605))
+
+## [0.43.0] - 2024-11-04
+
+### Bug Fixes
+
+- Auth failed if password contains `:` ([#449](https://github.com/sigoden/dufs/issues/449))
+- Resolve speed bottleneck in 10G network ([#451](https://github.com/sigoden/dufs/issues/451))
+
+### Features
+
+- Webui displays subdirectory items ([#457](https://github.com/sigoden/dufs/issues/457))
+- Support binding abstract unix socket ([#468](https://github.com/sigoden/dufs/issues/468))
+- Provide healthcheck API ([#474](https://github.com/sigoden/dufs/issues/474))
+
+### Refactor
+
+- Do not show size for Dir ([#447](https://github.com/sigoden/dufs/issues/447))
+
 ## [0.42.0] - 2024-09-01
 
 ### Bug Fixes

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "dufs"
-version = "0.42.0"
+version = "0.46.0"
 edition = "2021"
 authors = ["sigoden <sigoden@gmail.com>"]
 description = "Dufs is a distinctive utility file server"
@@ -14,26 +14,25 @@ keywords = ["static", "file", "server", "webdav", "cli"]
 clap = { version = "4.5", features = ["wrap_help", "env"] }
 clap_complete = "4.5"
 chrono = { version = "0.4", default-features = false, features = ["clock"] }
-tokio = { version = "1", features = ["rt-multi-thread", "macros", "fs", "io-util", "signal"]}
+tokio = { version = "1", features = ["rt-multi-thread", "macros", "fs", "io-util", "signal", "net"]}
 tokio-util = { version = "0.7",  features = ["io-util", "compat"] }
 hyper = { version = "1", features = ["http1", "server"] }
 percent-encoding = "2.3"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 futures-util = { version = "0.3", default-features = false, features = ["alloc"] }
-async_zip = { version = "0.0.17", default-features = false, features = ["deflate", "bzip2", "xz", "chrono", "tokio"] }
+async_zip = { version = "0.0.18", default-features = false, features = ["deflate", "bzip2", "xz", "chrono", "tokio"] }
 headers = "0.4"
 mime_guess = "2.0"
-if-addrs = "0.13"
+if-addrs = "0.15"
-rustls-pemfile = { version = "2.0", optional = true }
+tokio-rustls = { version = "0.26", optional = true }
-tokio-rustls = { version = "0.26", optional = true, default-features = false, features = ["ring", "tls12"]}
+md5 = "0.8"
-md5 = "0.7"
 lazy_static = "1.4"
 uuid = { version = "1.7", features = ["v4", "fast-rng"] }
 urlencoding = "2.1"
-xml-rs = "0.8"
+xml-rs = "1.0.0"
 log = { version = "0.4", features = ["std"] }
-socket2 = "0.5"
+socket2 = "0.6"
 async-stream = "0.3"
 walkdir = "2.3"
 form_urlencoded = "1.2"
@@ -53,17 +52,19 @@ http-body-util = "0.1"
 bytes = "1.5"
 pin-project-lite = "0.2"
 sha2 = "0.10.8"
+ed25519-dalek = "2.2.0"
+hex = "0.4.3"
 
 [features]
 default = ["tls"]
-tls = ["rustls-pemfile", "tokio-rustls"]
+tls = ["tokio-rustls"]
 
 [dev-dependencies]
 assert_cmd = "2"
-reqwest = { version = "0.12", features = ["blocking", "multipart", "rustls-tls"], default-features = false }
+reqwest = { version = "0.13", features = ["blocking", "multipart", "rustls"], default-features = false }
 assert_fs = "1"
-port_check = "0.2"
+port_check = "0.3"
-rstest = "0.22"
+rstest = "0.26.1"
 regex = "1"
 url = "2"
 predicates = "3"

Dockerfile-release

@@ -4,8 +4,6 @@ RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
         TARGET="x86_64-unknown-linux-musl"; \
     elif [  "$TARGETPLATFORM" = "linux/arm64" ]; then \
         TARGET="aarch64-unknown-linux-musl"; \
-    elif [  "$TARGETPLATFORM" = "linux/386" ]; then \
-        TARGET="i686-unknown-linux-musl"; \
     elif [  "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
         TARGET="armv7-unknown-linux-musleabihf"; \
     fi && \

README.md

@@ -66,7 +66,8 @@ Options:
       --allow-delete         Allow delete files/folders
       --allow-search         Allow search files/folders
       --allow-symlink        Allow symlink to files/folders outside root directory
-      --allow-archive        Allow zip archive generation
+      --allow-archive        Allow download folders as archive file
+      --allow-hash           Allow ?hash query to get file sha256 hash
       --enable-cors          Enable CORS, sets `Access-Control-Allow-Origin: *`
       --render-index         Serve index.html when requesting a directory, returns 404 if not found index.html
       --render-try-index     Serve index.html when requesting a directory, returns directory listing if not found index.html
@@ -216,8 +217,14 @@ dd skip=$upload_offset if=file status=none ibs=1 | \
   curl -X PATCH -H "X-Update-Range: append" --data-binary @- http://127.0.0.1:5000/file
 ```
 
+Health checks
+
+```sh
+curl http://127.0.0.1:5000/__dufs__/health
+```
+
 <details>
-<summary><h2>Advanced topics</h2></summary>
+<summary><h2>Advanced Topics</h2></summary>
 
 ### Access Control
 
@@ -238,24 +245,25 @@ dufs -a user:pass@/:rw,/dir1 -a @/
 - `-a user:pass@/:rw,/dir1`: `user` has read-write permissions for `/*`, has read-only permissions for `/dir1/*`.
 - `-a @/`: All paths is publicly accessible, everyone can view/download it.
 
-> There are no restrictions on using ':' and '@' characters in a password. For example, `user:pa:ss@1@/:rw` is valid, the password is `pa:ss@1`.
+**Auth permissions are restricted by dufs global permissions.** If dufs does not enable upload permissions via `--allow-upload`, then the account will not have upload permissions even if it is granted `read-write`(`:rw`) permissions.
 
 #### Hashed Password
 
 DUFS supports the use of sha-512 hashed password.
 
-Create hashed password
+Create hashed password:
 
-```
+```sh
-$ mkpasswd  -m sha-512 -s
+$ openssl passwd -6 123456 # or `mkpasswd -m sha-512 123456`
-Password: 123456 
 $6$tWMB51u6Kb2ui3wd$5gVHP92V9kZcMwQeKTjyTRgySsYJu471Jb1I6iHQ8iZ6s07GgCIO69KcPBRuwPE5tDq05xMAzye0NxVKuJdYs/
 ```
 
-Use hashed password
+Use hashed password:
-```
+
+```sh
 dufs -a 'admin:$6$tWMB51u6Kb2ui3wd$5gVHP92V9kZcMwQeKTjyTRgySsYJu471Jb1I6iHQ8iZ6s07GgCIO69KcPBRuwPE5tDq05xMAzye0NxVKuJdYs/@/:rw'
 ```
+> The hashed password contains `$6`, which can expand to a variable in some shells, so you have to use **single quotes** to wrap it.
 
 Two important things for hashed passwords:
 
@@ -339,6 +347,7 @@ All options can be set using environment variables prefixed with `DUFS_`.
     --allow-search          DUFS_ALLOW_SEARCH=true
     --allow-symlink         DUFS_ALLOW_SYMLINK=true
     --allow-archive         DUFS_ALLOW_ARCHIVE=true
+    --allow-hash            DUFS_ALLOW_HASH=true
     --enable-cors           DUFS_ENABLE_CORS=true
     --render-index          DUFS_RENDER_INDEX=true
     --render-try-index      DUFS_RENDER_TRY_INDEX=true
@@ -376,6 +385,7 @@ allow-delete: true
 allow-search: true
 allow-symlink: true
 allow-archive: true
+allow-hash: true
 enable-cors: true
 render-index: true
 render-try-index: true
@@ -396,6 +406,8 @@ Dufs allows users to customize the UI with your own assets.
 dufs --assets my-assets-dir/
 ```
 
+> If you only need to make slight adjustments to the current UI, you copy dufs's [assets](https://github.com/sigoden/dufs/tree/main/assets) directory and modify it accordingly. The current UI doesn't use any frameworks, just plain HTML/JS/CSS. As long as you have some basic knowledge of web development, it shouldn't be difficult to modify.
+
 Your assets folder must contains a `index.html` file.
 
 `index.html` can use the following placeholder variables to retrieve internal data.

assets/index.html

@@ -4,6 +4,9 @@
 <head>
   <meta charset="utf-8" />
   <meta name="viewport" content="width=device-width" />
+  <noscript>
+    <meta http-equiv="refresh" content="0; url=?noscript">
+  </noscript>
   <link rel="icon" type="image/x-icon" href="__ASSETS_PREFIX__favicon.ico">
   <link rel="stylesheet" href="__ASSETS_PREFIX__index.css">
 </head>
@@ -20,7 +23,7 @@
             d="M7.646 11.854a.5.5 0 0 0 .708 0l3-3a.5.5 0 0 0-.708-.708L8.5 10.293V1.5a.5.5 0 0 0-1 0v8.793L5.354 8.146a.5.5 0 1 0-.708.708l3 3z" />
         </svg>
       </a>
-      <div class="control move-file hidden" title="Move to new path">
+      <div class="control move-file hidden" title="Move & Rename">
         <svg class="icon-move" width="16" height="16" viewBox="0 0 16 16">
           <path fill-rule="evenodd"
             d="M1.5 1.5A.5.5 0 0 0 1 2v4.8a2.5 2.5 0 0 0 2.5 2.5h9.793l-3.347 3.346a.5.5 0 0 0 .708.708l4.2-4.2a.5.5 0 0 0 0-.708l-4-4a.5.5 0 0 0-.708.708L13.293 8.3H3.5A1.5 1.5 0 0 1 2 6.8V2a.5.5 0 0 0-.5-.5z">
@@ -35,7 +38,7 @@
             d="M14 14V4.5L9.5 0H4a2 2 0 0 0-2 2v12a2 2 0 0 0 2 2h8a2 2 0 0 0 2-2zM9.5 3A1.5 1.5 0 0 0 11 4.5h2V14a1 1 0 0 1-1 1H4a1 1 0 0 1-1-1V2a1 1 0 0 1 1-1h5.5v2z" />
         </svg>
       </div>
-      <div class="control upload-file hidden" title="Upload files">
+      <div class="control upload-file hidden" title="Upload files/folders">
         <label for="file">
           <svg width="16" height="16" viewBox="0 0 16 16">
             <path
@@ -44,7 +47,7 @@
               d="M7.646 1.146a.5.5 0 0 1 .708 0l3 3a.5.5 0 0 1-.708.708L8.5 2.707V11.5a.5.5 0 0 1-1 0V2.707L5.354 4.854a.5.5 0 1 1-.708-.708l3-3z" />
           </svg>
         </label>
-        <input type="file" id="file" title="Upload files" name="file" multiple>
+        <input type="file" id="file" title="Upload files/folders" name="file" multiple>
       </div>
       <div class="control new-folder hidden" title="New folder">
         <svg width="16" height="16" viewBox="0 0 16 16">

assets/index.js

@@ -50,6 +50,8 @@ const IFRAME_FORMATS = [
   ".mp3", ".ogg", ".wav", ".m4a",
 ];
 
+const MAX_SUBPATHS_COUNT = 1000;
+
 const ICONS = {
   dir: `<svg height="16" viewBox="0 0 14 16" width="14"><path fill-rule="evenodd" d="M13 4H7V3c0-.66-.31-1-1-1H1c-.55 0-1 .45-1 1v10c0 .55.45 1 1 1h12c.55 0 1-.45 1-1V5c0-.55-.45-1-1-1zM6 4H1V3h5v1z"></path></svg>`,
   symlinkFile: `<svg height="16" viewBox="0 0 12 16" width="12"><path fill-rule="evenodd" d="M8.5 1H1c-.55 0-1 .45-1 1v12c0 .55.45 1 1 1h10c.55 0 1-.45 1-1V4.5L8.5 1zM11 14H1V2h7l3 3v9zM6 4.5l4 3-4 3v-2c-.98-.02-1.84.22-2.55.7-.71.48-1.19 1.25-1.45 2.3.02-1.64.39-2.88 1.13-3.73.73-.84 1.69-1.27 2.88-1.27v-2H6z"></path></svg>`,
@@ -248,7 +250,7 @@ class Uploader {
   progress(event) {
     const now = Date.now();
     const speed = (event.loaded - this.uploaded) / (now - this.lastUptime) * 1000;
-    const [speedValue, speedUnit] = formatSize(speed);
+    const [speedValue, speedUnit] = formatFileSize(speed);
     const speedText = `${speedValue} ${speedUnit}/s`;
     const progress = formatPercent(((event.loaded + this.uploadOffset) / this.file.size) * 100);
     const duration = formatDuration((event.total - event.loaded) / speed);
@@ -345,6 +347,7 @@ async function setupIndexPage() {
     const $download = document.querySelector(".download");
     $download.href = baseUrl() + "?zip";
     $download.title = "Download folder as a .zip file";
+    $download.classList.add("dlwt");
     $download.classList.remove("hidden");
   }
 
@@ -365,6 +368,10 @@ async function setupIndexPage() {
 
   renderPathsTableHead();
   renderPathsTableBody();
+
+  if (DATA.user) {
+    setupDownloadWithToken();
+  }
 }
 
 /**
@@ -447,18 +454,18 @@ function addPath(file, index) {
     if (DATA.allow_archive) {
       actionDownload = `
       <div class="action-btn">
-        <a href="${url}?zip" title="Download folder as a .zip file">${ICONS.download}</a>
+        <a class="dlwt" href="${url}?zip" title="Download folder as a .zip file" download>${ICONS.download}</a>
       </div>`;
     }
   } else {
     actionDownload = `
     <div class="action-btn" >
-      <a href="${url}" title="Download file" download>${ICONS.download}</a>
+      <a class="dlwt" href="${url}" title="Download file" download>${ICONS.download}</a>
     </div>`;
   }
   if (DATA.allow_delete) {
     if (DATA.allow_upload) {
-      actionMove = `<div onclick="movePath(${index})" class="action-btn" id="moveBtn${index}" title="Move to new path">${ICONS.move}</div>`;
+      actionMove = `<div onclick="movePath(${index})" class="action-btn" id="moveBtn${index}" title="Move & Rename">${ICONS.move}</div>`;
       if (!isDir) {
         actionEdit = `<a class="action-btn" title="Edit file" target="_blank" href="${url}?edit">${ICONS.edit}</a>`;
       }
@@ -478,6 +485,8 @@ function addPath(file, index) {
     ${actionEdit}
   </td>`;
 
+  let sizeDisplay = isDir ? formatDirSize(file.size) : formatFileSize(file.size).join(" ");
+
   $pathsTableBody.insertAdjacentHTML("beforeend", `
 <tr id="addPath${index}">
   <td class="path cell-icon">
@@ -487,7 +496,7 @@ function addPath(file, index) {
     <a href="${url}" ${isDir ? "" : `target="_blank"`}>${encodedName}</a>
   </td>
   <td class="cell-mtime">${formatMtime(file.mtime)}</td>
-  <td class="cell-size">${formatSize(file.size).join(" ")}</td>
+  <td class="cell-size">${sizeDisplay}</td>
   ${actionCell}
 </tr>`);
 }
@@ -525,13 +534,40 @@ async function setupAuth() {
     $loginBtn.classList.remove("hidden");
     $loginBtn.addEventListener("click", async () => {
       try {
-        await checkAuth();
+        await checkAuth("login");
-      } catch {}
+      } catch { }
       location.reload();
     });
   }
 }
 
+function setupDownloadWithToken() {
+  document.querySelectorAll("a.dlwt").forEach(link => {
+    link.addEventListener("click", async e => {
+      e.preventDefault();
+      try {
+        const link = e.currentTarget || e.target;
+        const originalHref = link.getAttribute("href");
+        const tokengenUrl = new URL(originalHref);
+        tokengenUrl.searchParams.set("tokengen", "");
+        const res = await fetch(tokengenUrl);
+        if (!res.ok) throw new Error("Failed to fetch token");
+        const token = await res.text();
+        const downloadUrl = new URL(originalHref);
+        downloadUrl.searchParams.set("token", token);
+        const tempA = document.createElement("a");
+        tempA.href = downloadUrl.toString();
+        tempA.download = "";
+        document.body.appendChild(tempA);
+        tempA.click();
+        document.body.removeChild(tempA);
+      } catch (err) {
+        alert(`Failed to download, ${err.message}`);
+      }
+    });
+  });
+}
+
 function setupSearch() {
   const $searchbar = document.querySelector(".searchbar");
   $searchbar.classList.remove("hidden");
@@ -642,7 +678,7 @@ async function setupEditorPage() {
       $editor.value = decoder.decode(dataView);
     }
   } catch (err) {
-    alert(`Failed get file, ${err.message}`);
+    alert(`Failed to get file, ${err.message}`);
   }
 }
 
@@ -746,9 +782,10 @@ async function saveChange() {
   }
 }
 
-async function checkAuth() {
+async function checkAuth(variant) {
   if (!DATA.auth) return;
-  const res = await fetch(baseUrl(), {
+  const qs = variant ? `?${variant}` : "";
+  const res = await fetch(baseUrl() + qs, {
     method: "CHECKAUTH",
   });
   await assertResOK(res);
@@ -831,7 +868,7 @@ function newUrl(name) {
 }
 
 function baseUrl() {
-  return location.href.split('?')[0];
+  return location.href.split(/[?#]/)[0];
 }
 
 function baseName(url) {
@@ -876,7 +913,13 @@ function padZero(value, size) {
   return ("0".repeat(size) + value).slice(-1 * size);
 }
 
-function formatSize(size) {
+function formatDirSize(size) {
+  const unit = size === 1 ? "item" : "items";
+  const num = size >= MAX_SUBPATHS_COUNT ? `>${MAX_SUBPATHS_COUNT - 1}` : `${size}`;
+  return ` ${num} ${unit}`;
+}
+
+function formatFileSize(size) {
   if (size == null) return [0, "B"];
   const sizes = ['B', 'KB', 'MB', 'GB', 'TB'];
   if (size == 0) return [0, "B"];

src/args.rs

@@ -146,7 +146,15 @@ pub fn build_cli() -> Command {
 				.hide_env(true)
                 .long("allow-archive")
                 .action(ArgAction::SetTrue)
-                .help("Allow zip archive generation"),
+                .help("Allow download folders as archive file"),
+        )
+        .arg(
+            Arg::new("allow-hash")
+                .env("DUFS_ALLOW_HASH")
+                .hide_env(true)
+                .long("allow-hash")
+                .action(ArgAction::SetTrue)
+                .help("Allow ?hash query to get file sha256 hash"),
         )
         .arg(
             Arg::new("enable-cors")
@@ -281,6 +289,7 @@ pub struct Args {
     pub allow_search: bool,
     pub allow_symlink: bool,
     pub allow_archive: bool,
+    pub allow_hash: bool,
     pub render_index: bool,
     pub render_spa: bool,
     pub render_try_index: bool,
@@ -375,6 +384,9 @@ impl Args {
         if !args.allow_symlink {
             args.allow_symlink = allow_all || matches.get_flag("allow-symlink");
         }
+        if !args.allow_hash {
+            args.allow_hash = allow_all || matches.get_flag("allow-hash");
+        }
         if !args.allow_archive {
             args.allow_archive = allow_all || matches.get_flag("allow-archive");
         }
@@ -461,28 +473,30 @@ impl Args {
 
 #[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
 pub enum BindAddr {
-    Address(IpAddr),
+    IpAddr(IpAddr),
-    Path(PathBuf),
+    #[cfg(unix)]
+    SocketPath(String),
 }
 
 impl BindAddr {
     fn parse_addrs(addrs: &[&str]) -> Result<Vec<Self>> {
         let mut bind_addrs = vec![];
+        #[cfg(not(unix))]
         let mut invalid_addrs = vec![];
         for addr in addrs {
             match addr.parse::<IpAddr>() {
                 Ok(v) => {
-                    bind_addrs.push(BindAddr::Address(v));
+                    bind_addrs.push(BindAddr::IpAddr(v));
                 }
                 Err(_) => {
-                    if cfg!(unix) {
+                    #[cfg(unix)]
-                        bind_addrs.push(BindAddr::Path(PathBuf::from(addr)));
+                    bind_addrs.push(BindAddr::SocketPath(addr.to_string()));
-                    } else {
+                    #[cfg(not(unix))]
                     invalid_addrs.push(*addr);
                 }
             }
         }
-        }
+        #[cfg(not(unix))]
         if !invalid_addrs.is_empty() {
             bail!("Invalid bind address `{}`", invalid_addrs.join(","));
         }
@@ -490,21 +504,16 @@ impl BindAddr {
     }
 }
 
-#[derive(Debug, Clone, Copy, PartialEq, Deserialize)]
+#[derive(Debug, Clone, Copy, PartialEq, Deserialize, Default)]
 #[serde(rename_all = "lowercase")]
 pub enum Compress {
     None,
+    #[default]
     Low,
     Medium,
     High,
 }
 
-impl Default for Compress {
-    fn default() -> Self {
-        Self::Low
-    }
-}
-
 impl ValueEnum for Compress {
     fn value_variants<'a>() -> &'a [Self] {
         &[Self::None, Self::Low, Self::Medium, Self::High]
@@ -710,7 +719,7 @@ hidden: tmp,*.log,*.lock
         assert_eq!(args.serve_path, Args::sanitize_path(&tmpdir).unwrap());
         assert_eq!(
             args.addrs,
-            vec![BindAddr::Address("0.0.0.0".parse().unwrap())]
+            vec![BindAddr::IpAddr("0.0.0.0".parse().unwrap())]
         );
         assert_eq!(args.hidden, ["tmp", "*.log", "*.lock"]);
         assert_eq!(args.port, 3000);
@@ -740,8 +749,8 @@ hidden:
         assert_eq!(
             args.addrs,
             vec![
-                BindAddr::Address("127.0.0.1".parse().unwrap()),
+                BindAddr::IpAddr("127.0.0.1".parse().unwrap()),
-                BindAddr::Address("192.168.8.10".parse().unwrap())
+                BindAddr::IpAddr("192.168.8.10".parse().unwrap())
             ]
         );
         assert_eq!(args.hidden, ["tmp", "*.log", "*.lock"]);

src/auth.rs

@@ -2,11 +2,13 @@ use crate::{args::Args, server::Response, utils::unix_now};
 
 use anyhow::{anyhow, bail, Result};
 use base64::{engine::general_purpose::STANDARD, Engine as _};
+use ed25519_dalek::{ed25519::signature::SignerMut, Signature, SigningKey};
 use headers::HeaderValue;
 use hyper::{header::WWW_AUTHENTICATE, Method};
 use indexmap::IndexMap;
 use lazy_static::lazy_static;
 use md5::Context;
+use sha2::{Digest, Sha256};
 use std::{
     collections::HashMap,
     path::{Path, PathBuf},
@@ -14,7 +16,8 @@ use std::{
 use uuid::Uuid;
 
 const REALM: &str = "DUFS";
-const DIGEST_AUTH_TIMEOUT: u32 = 604800; // 7 days
+const DIGEST_AUTH_TIMEOUT: u32 = 60 * 60 * 24 * 7; // 7 days
+const TOKEN_EXPIRATION: u64 = 1000 * 60 * 60 * 24 * 3; // 3 days
 
 lazy_static! {
     static ref NONCESTARTHASH: Context = {
@@ -27,6 +30,7 @@ lazy_static! {
 
 #[derive(Debug, Clone, PartialEq)]
 pub struct AccessControl {
+    empty: bool,
     use_hashed_password: bool,
     users: IndexMap<String, (String, AccessPaths)>,
     anonymous: Option<AccessPaths>,
@@ -35,6 +39,7 @@ pub struct AccessControl {
 impl Default for AccessControl {
     fn default() -> Self {
         AccessControl {
+            empty: true,
             use_hashed_password: false,
             users: IndexMap::new(),
             anonymous: Some(AccessPaths::new(AccessPerm::ReadWrite)),
@@ -45,7 +50,7 @@ impl Default for AccessControl {
 impl AccessControl {
     pub fn new(raw_rules: &[&str]) -> Result<Self> {
         if raw_rules.is_empty() {
-            return Ok(Default::default());
+            return Ok(Self::default());
         }
         let new_raw_rules = split_rules(raw_rules);
         let mut use_hashed_password = false;
@@ -69,15 +74,20 @@ impl AccessControl {
         let mut anonymous = None;
         if let Some(paths) = annoy_paths {
             let mut access_paths = AccessPaths::default();
-            access_paths.merge(paths);
+            access_paths
+                .merge(paths)
+                .ok_or_else(|| anyhow!("Invalid auth value `@{paths}"))?;
             anonymous = Some(access_paths);
         }
         let mut users = IndexMap::new();
         for (user, pass, paths) in account_paths_pairs.into_iter() {
-            let mut access_paths = anonymous.clone().unwrap_or_default();
+            let mut access_paths = AccessPaths::default();
             access_paths
                 .merge(paths)
-                .ok_or_else(|| anyhow!("Invalid auth `{user}:{pass}@{paths}"))?;
+                .ok_or_else(|| anyhow!("Invalid auth value `{user}:{pass}@{paths}"))?;
+            if let Some(paths) = annoy_paths {
+                access_paths.merge(paths);
+            }
             if pass.starts_with("$6$") {
                 use_hashed_password = true;
             }
@@ -85,13 +95,14 @@ impl AccessControl {
         }
 
         Ok(Self {
+            empty: false,
             use_hashed_password,
             users,
             anonymous,
         })
     }
 
-    pub fn exist(&self) -> bool {
+    pub fn has_users(&self) -> bool {
         !self.users.is_empty()
     }
 
@@ -100,16 +111,29 @@ impl AccessControl {
         path: &str,
         method: &Method,
         authorization: Option<&HeaderValue>,
+        token: Option<&String>,
         guard_options: bool,
     ) -> (Option<String>, Option<AccessPaths>) {
+        if self.empty {
+            return (None, Some(AccessPaths::new(AccessPerm::ReadWrite)));
+        }
+
+        if method == Method::GET {
+            if let Some(token) = token {
+                if let Ok((user, ap)) = self.verify_token(token, path) {
+                    return (Some(user), ap.guard(path, method));
+                }
+            }
+        }
+
         if let Some(authorization) = authorization {
             if let Some(user) = get_auth_user(authorization) {
-                if let Some((pass, paths)) = self.users.get(&user) {
+                if let Some((pass, ap)) = self.users.get(&user) {
                     if method == Method::OPTIONS {
                         return (Some(user), Some(AccessPaths::new(AccessPerm::ReadOnly)));
                     }
                     if check_auth(authorization, method.as_str(), &user, pass).is_some() {
-                        return (Some(user), paths.find(path, !is_readonly_method(method)));
+                        return (Some(user), ap.guard(path, method));
                     }
                 }
             }
@@ -121,12 +145,59 @@ impl AccessControl {
             return (None, Some(AccessPaths::new(AccessPerm::ReadOnly)));
         }
 
-        if let Some(paths) = self.anonymous.as_ref() {
+        if let Some(ap) = self.anonymous.as_ref() {
-            return (None, paths.find(path, !is_readonly_method(method)));
+            return (None, ap.guard(path, method));
         }
 
         (None, None)
     }
+
+    pub fn generate_token(&self, path: &str, user: &str) -> Result<String> {
+        let (pass, _) = self
+            .users
+            .get(user)
+            .ok_or_else(|| anyhow!("Not found user '{user}'"))?;
+        let exp = unix_now().as_millis() as u64 + TOKEN_EXPIRATION;
+        let message = format!("{path}:{exp}");
+        let mut signing_key = derive_secret_key(user, pass);
+        let sig = signing_key.sign(message.as_bytes()).to_bytes();
+
+        let mut raw = Vec::with_capacity(64 + 8 + user.len());
+        raw.extend_from_slice(&sig);
+        raw.extend_from_slice(&exp.to_be_bytes());
+        raw.extend_from_slice(user.as_bytes());
+
+        Ok(hex::encode(raw))
+    }
+
+    fn verify_token<'a>(&'a self, token: &str, path: &str) -> Result<(String, &'a AccessPaths)> {
+        let raw = hex::decode(token)?;
+
+        if raw.len() < 72 {
+            bail!("Invalid token");
+        }
+
+        let sig_bytes = &raw[..64];
+        let exp_bytes = &raw[64..72];
+        let user_bytes = &raw[72..];
+
+        let exp = u64::from_be_bytes(exp_bytes.try_into()?);
+        if unix_now().as_millis() as u64 > exp {
+            bail!("Token expired");
+        }
+
+        let user = std::str::from_utf8(user_bytes)?;
+        let (pass, ap) = self
+            .users
+            .get(user)
+            .ok_or_else(|| anyhow!("Not found user '{user}'"))?;
+
+        let sig = Signature::from_bytes(&<[u8; 64]>::try_from(sig_bytes)?);
+
+        let message = format!("{path}:{exp}");
+        derive_secret_key(user, pass).verify(message.as_bytes(), &sig)?;
+        Ok((user.to_string(), ap))
+    }
 }
 
 #[derive(Debug, Default, Clone, PartialEq, Eq)]
@@ -148,8 +219,9 @@ impl AccessPaths {
     }
 
     pub fn set_perm(&mut self, perm: AccessPerm) {
-        if !perm.indexonly() {
+        if self.perm < perm {
             self.perm = perm;
+            self.recursively_purge_children(perm);
         }
     }
 
@@ -166,6 +238,25 @@ impl AccessPaths {
         Some(())
     }
 
+    pub fn guard(&self, path: &str, method: &Method) -> Option<Self> {
+        let target = self.find(path)?;
+        if !is_readonly_method(method) && !target.perm().readwrite() {
+            return None;
+        }
+        Some(target)
+    }
+
+    fn recursively_purge_children(&mut self, perm: AccessPerm) {
+        self.children.retain(|_, child| {
+            if child.perm <= perm {
+                false
+            } else {
+                child.recursively_purge_children(perm);
+                true
+            }
+        });
+    }
+
     fn add(&mut self, path: &str, perm: AccessPerm) {
         let path = path.trim_matches('/');
         if path.is_empty() {
@@ -182,21 +273,20 @@ impl AccessPaths {
             self.set_perm(perm);
             return;
         }
+        if self.perm >= perm {
+            return;
+        }
         let child = self.children.entry(parts[0].to_string()).or_default();
         child.add_impl(&parts[1..], perm)
     }
 
-    pub fn find(&self, path: &str, writable: bool) -> Option<AccessPaths> {
+    pub fn find(&self, path: &str) -> Option<AccessPaths> {
         let parts: Vec<&str> = path
             .trim_matches('/')
             .split('/')
             .filter(|v| !v.is_empty())
             .collect();
-        let target = self.find_impl(&parts, self.perm)?;
+        self.find_impl(&parts, self.perm)
-        if writable && !target.perm().readwrite() {
-            return None;
-        }
-        Some(target)
     }
 
     fn find_impl(&self, parts: &[&str], perm: AccessPerm) -> Option<AccessPaths> {
@@ -229,20 +319,20 @@ impl AccessPaths {
         self.children.keys().collect()
     }
 
-    pub fn child_paths(&self, base: &Path) -> Vec<PathBuf> {
+    pub fn entry_paths(&self, base: &Path) -> Vec<PathBuf> {
         if !self.perm().indexonly() {
             return vec![base.to_path_buf()];
         }
         let mut output = vec![];
-        self.child_paths_impl(&mut output, base);
+        self.entry_paths_impl(&mut output, base);
         output
     }
 
-    fn child_paths_impl(&self, output: &mut Vec<PathBuf>, base: &Path) {
+    fn entry_paths_impl(&self, output: &mut Vec<PathBuf>, base: &Path) {
         for (name, child) in self.children.iter() {
             let base = base.join(name);
             if child.perm().indexonly() {
-                child.child_paths_impl(output, &base);
+                child.entry_paths_impl(output, &base);
             } else {
                 output.push(base)
             }
@@ -270,15 +360,14 @@ impl AccessPerm {
 
 pub fn www_authenticate(res: &mut Response, args: &Args) -> Result<()> {
     if args.auth.use_hashed_password {
-        let basic = HeaderValue::from_str(&format!("Basic realm=\"{}\"", REALM))?;
+        let basic = HeaderValue::from_str(&format!("Basic realm=\"{REALM}\""))?;
         res.headers_mut().insert(WWW_AUTHENTICATE, basic);
     } else {
         let nonce = create_nonce()?;
         let digest = HeaderValue::from_str(&format!(
-            "Digest realm=\"{}\", nonce=\"{}\", qop=\"auth\"",
+            "Digest realm=\"{REALM}\", nonce=\"{nonce}\", qop=\"auth\""
-            REALM, nonce
         ))?;
-        let basic = HeaderValue::from_str(&format!("Basic realm=\"{}\"", REALM))?;
+        let basic = HeaderValue::from_str(&format!("Basic realm=\"{REALM}\""))?;
         res.headers_mut().append(WWW_AUTHENTICATE, digest);
         res.headers_mut().append(WWW_AUTHENTICATE, basic);
     }
@@ -307,17 +396,17 @@ pub fn check_auth(
 ) -> Option<()> {
     if let Some(value) = strip_prefix(authorization.as_bytes(), b"Basic ") {
         let value: Vec<u8> = STANDARD.decode(value).ok()?;
-        let parts: Vec<&str> = std::str::from_utf8(&value).ok()?.split(':').collect();
+        let (user, pass) = std::str::from_utf8(&value).ok()?.split_once(':')?;
 
-        if parts[0] != auth_user {
+        if user != auth_user {
             return None;
         }
 
         if auth_pass.starts_with("$6$") {
-            if let Ok(()) = sha_crypt::sha512_check(parts[1], auth_pass) {
+            if let Ok(()) = sha_crypt::sha512_check(pass, auth_pass) {
                 return Some(());
             }
-        } else if parts[1] == auth_pass {
+        } else if pass == auth_pass {
             return Some(());
         }
 
@@ -340,8 +429,8 @@ pub fn check_auth(
             }
 
             let mut h = Context::new();
-            h.consume(format!("{}:{}:{}", auth_user, REALM, auth_pass).as_bytes());
+            h.consume(format!("{auth_user}:{REALM}:{auth_pass}").as_bytes());
-            let auth_pass = format!("{:x}", h.compute());
+            let auth_pass = format!("{:x}", h.finalize());
 
             let mut ha = Context::new();
             ha.consume(method);
@@ -349,7 +438,7 @@ pub fn check_auth(
             if let Some(uri) = digest_map.get(b"uri".as_ref()) {
                 ha.consume(uri);
             }
-            let ha = format!("{:x}", ha.compute());
+            let ha = format!("{:x}", ha.finalize());
             let mut correct_response = None;
             if let Some(qop) = digest_map.get(b"qop".as_ref()) {
                 if qop == &b"auth".as_ref() || qop == &b"auth-int".as_ref() {
@@ -370,7 +459,7 @@ pub fn check_auth(
                         c.consume(qop);
                         c.consume(b":");
                         c.consume(&*ha);
-                        format!("{:x}", c.compute())
+                        format!("{:x}", c.finalize())
                     });
                 }
             }
@@ -383,7 +472,7 @@ pub fn check_auth(
                     c.consume(nonce);
                     c.consume(b":");
                     c.consume(&*ha);
-                    format!("{:x}", c.compute())
+                    format!("{:x}", c.finalize())
                 }
             };
             if correct_response.as_bytes() == *user_response {
@@ -396,6 +485,13 @@ pub fn check_auth(
     }
 }
 
+fn derive_secret_key(user: &str, pass: &str) -> SigningKey {
+    let mut hasher = Sha256::new();
+    hasher.update(format!("{user}:{pass}").as_bytes());
+    let hash = hasher.finalize();
+    SigningKey::from_bytes(&hash.into())
+}
+
 /// Check if a nonce is still valid.
 /// Return an error if it was never valid
 fn validate_nonce(nonce: &[u8]) -> Result<bool> {
@@ -407,14 +503,14 @@ fn validate_nonce(nonce: &[u8]) -> Result<bool> {
         //get time
         if let Ok(secs_nonce) = u32::from_str_radix(&n[..8], 16) {
             //check time
-            let now = unix_now()?;
+            let now = unix_now();
             let secs_now = now.as_secs() as u32;
 
             if let Some(dur) = secs_now.checked_sub(secs_nonce) {
                 //check hash
                 let mut h = NONCESTARTHASH.clone();
                 h.consume(secs_nonce.to_be_bytes());
-                let h = format!("{:x}", h.compute());
+                let h = format!("{:x}", h.finalize());
                 if h[..26] == n[8..34] {
                     return Ok(dur < DIGEST_AUTH_TIMEOUT);
                 }
@@ -487,12 +583,12 @@ fn to_headermap(header: &[u8]) -> Result<HashMap<&[u8], &[u8]>, ()> {
 }
 
 fn create_nonce() -> Result<String> {
-    let now = unix_now()?;
+    let now = unix_now();
     let secs = now.as_secs() as u32;
     let mut h = NONCESTARTHASH.clone();
     h.consume(secs.to_be_bytes());
 
-    let n = format!("{:08x}{:032x}", secs, h.compute());
+    let n = format!("{:08x}{:032x}", secs, h.finalize());
     Ok(n[..34].to_string())
 }
 
@@ -574,7 +670,7 @@ mod tests {
         paths.add("/dir2/dir22/dir221", AccessPerm::ReadWrite);
         paths.add("/dir2/dir23/dir231", AccessPerm::ReadWrite);
         assert_eq!(
-            paths.child_paths(Path::new("/tmp")),
+            paths.entry_paths(Path::new("/tmp")),
             [
                 "/tmp/dir1",
                 "/tmp/dir2/dir21",
@@ -587,8 +683,8 @@ mod tests {
         );
         assert_eq!(
             paths
-                .find("dir2", false)
+                .find("dir2")
-                .map(|v| v.child_paths(Path::new("/tmp/dir2"))),
+                .map(|v| v.entry_paths(Path::new("/tmp/dir2"))),
             Some(
                 [
                     "/tmp/dir2/dir21",
@@ -600,19 +696,30 @@ mod tests {
                 .collect::<Vec<_>>()
             )
         );
-        assert_eq!(paths.find("dir2", true), None);
         assert_eq!(
-            paths.find("dir1/file", true),
+            paths.find("dir1/file"),
             Some(AccessPaths::new(AccessPerm::ReadWrite))
         );
         assert_eq!(
-            paths.find("dir2/dir21/file", true),
+            paths.find("dir2/dir21/file"),
             Some(AccessPaths::new(AccessPerm::ReadWrite))
         );
         assert_eq!(
-            paths.find("dir2/dir21/dir211/file", false),
+            paths.find("dir2/dir21/dir211/file"),
+            Some(AccessPaths::new(AccessPerm::ReadWrite))
+        );
+        assert_eq!(
+            paths.find("dir2/dir22/file"),
             Some(AccessPaths::new(AccessPerm::ReadOnly))
         );
-        assert_eq!(paths.find("dir2/dir21/dir211/file", true), None);
+        assert_eq!(
+            paths.find("dir2/dir22/dir221/file"),
+            Some(AccessPaths::new(AccessPerm::ReadWrite))
+        );
+        assert_eq!(paths.find("dir2/dir23/file"), None);
+        assert_eq!(
+            paths.find("dir2/dir23//dir231/file"),
+            Some(AccessPaths::new(AccessPerm::ReadWrite))
+        );
     }
 }

src/http_logger.rs

@@ -1,6 +1,6 @@
 use std::{collections::HashMap, str::FromStr};
 
-use crate::{auth::get_auth_user, server::Request};
+use crate::{auth::get_auth_user, server::Request, utils::decode_uri};
 
 pub const DEFAULT_LOG_FORMAT: &str = r#"$remote_addr "$request" $status"#;
 
@@ -29,7 +29,9 @@ impl HttpLogger {
             match element {
                 LogElement::Variable(name) => match name.as_str() {
                     "request" => {
-                        data.insert(name.to_string(), format!("{} {}", req.method(), req.uri()));
+                        let uri = req.uri().to_string();
+                        let uri = decode_uri(&uri).map(|s| s.to_string()).unwrap_or(uri);
+                        data.insert(name.to_string(), format!("{} {uri}", req.method()));
                     }
                     "remote_user" => {
                         if let Some(user) =
@@ -50,6 +52,7 @@ impl HttpLogger {
         }
         data
     }
+
     pub fn log(&self, data: &HashMap<String, String>, err: Option<String>) {
         if self.elements.is_empty() {
             return;
@@ -64,8 +67,8 @@ impl HttpLogger {
             }
         }
         match err {
-            Some(err) => error!("{} {}", output, err),
+            Some(err) => error!("{output} {err}"),
-            None => info!("{}", output),
+            None => info!("{output}"),
         }
     }
 }

src/main.rs

@@ -3,6 +3,7 @@ mod auth;
 mod http_logger;
 mod http_utils;
 mod logger;
+mod noscript;
 mod server;
 mod utils;
 
@@ -57,7 +58,7 @@ async fn main() -> Result<()> {
         ret = join_all(handles) => {
             for r in ret {
                 if let Err(e) = r {
-                    error!("{}", e);
+                    error!("{e}");
                 }
             }
             Ok(())
@@ -78,7 +79,7 @@ fn serve(args: Args, running: Arc<AtomicBool>) -> Result<Vec<JoinHandle<()>>> {
     for bind_addr in addrs.iter() {
         let server_handle = server_handle.clone();
         match bind_addr {
-            BindAddr::Address(ip) => {
+            BindAddr::IpAddr(ip) => {
                 let listener = create_listener(SocketAddr::new(*ip, port))
                     .with_context(|| format!("Failed to bind `{ip}:{port}`"))?;
 
@@ -140,14 +141,21 @@ fn serve(args: Args, running: Arc<AtomicBool>) -> Result<Vec<JoinHandle<()>>> {
                     }
                 };
             }
-            BindAddr::Path(path) => {
-                if path.exists() {
-                    std::fs::remove_file(path)?;
-                }
             #[cfg(unix)]
+            BindAddr::SocketPath(path) => {
+                let socket_path = if path.starts_with("@")
+                    && cfg!(any(target_os = "linux", target_os = "android"))
                 {
-                    let listener = tokio::net::UnixListener::bind(path)
+                    let mut path_buf = path.as_bytes().to_vec();
-                        .with_context(|| format!("Failed to bind `{}`", path.display()))?;
+                    path_buf[0] = b'\0';
+                    unsafe { std::ffi::OsStr::from_encoded_bytes_unchecked(&path_buf) }
+                        .to_os_string()
+                } else {
+                    let _ = std::fs::remove_file(path);
+                    path.into()
+                };
+                let listener = tokio::net::UnixListener::bind(socket_path)
+                    .with_context(|| format!("Failed to bind `{path}`"))?;
                 let handle = tokio::spawn(async move {
                     loop {
                         let Ok((stream, _addr)) = listener.accept().await else {
@@ -162,7 +170,6 @@ fn serve(args: Args, running: Arc<AtomicBool>) -> Result<Vec<JoinHandle<()>>> {
             }
         }
     }
-    }
     Ok(handles)
 }
 
@@ -207,7 +214,7 @@ fn check_addrs(args: &Args) -> Result<(Vec<BindAddr>, Vec<BindAddr>)> {
     let (ipv4_addrs, ipv6_addrs) = interface_addrs()?;
     for bind_addr in args.addrs.iter() {
         match bind_addr {
-            BindAddr::Address(ip) => match &ip {
+            BindAddr::IpAddr(ip) => match &ip {
                 IpAddr::V4(_) => {
                     if !ipv4_addrs.is_empty() {
                         new_addrs.push(bind_addr.clone());
@@ -229,6 +236,7 @@ fn check_addrs(args: &Args) -> Result<(Vec<BindAddr>, Vec<BindAddr>)> {
                     }
                 }
             },
+            #[cfg(unix)]
             _ => {
                 new_addrs.push(bind_addr.clone());
                 print_addrs.push(bind_addr.clone())
@@ -246,10 +254,10 @@ fn interface_addrs() -> Result<(Vec<BindAddr>, Vec<BindAddr>)> {
     for iface in ifaces.into_iter() {
         let ip = iface.ip();
         if ip.is_ipv4() {
-            ipv4_addrs.push(BindAddr::Address(ip))
+            ipv4_addrs.push(BindAddr::IpAddr(ip))
         }
         if ip.is_ipv6() {
-            ipv6_addrs.push(BindAddr::Address(ip))
+            ipv6_addrs.push(BindAddr::IpAddr(ip))
         }
     }
     Ok((ipv4_addrs, ipv6_addrs))
@@ -260,7 +268,7 @@ fn print_listening(args: &Args, print_addrs: &[BindAddr]) -> Result<String> {
     let urls = print_addrs
         .iter()
         .map(|bind_addr| match bind_addr {
-            BindAddr::Address(addr) => {
+            BindAddr::IpAddr(addr) => {
                 let addr = match addr {
                     IpAddr::V4(_) => format!("{}:{}", addr, args.port),
                     IpAddr::V6(_) => format!("[{}]:{}", addr, args.port),
@@ -272,7 +280,8 @@ fn print_listening(args: &Args, print_addrs: &[BindAddr]) -> Result<String> {
                 };
                 format!("{}://{}{}", protocol, addr, args.uri_prefix)
             }
-            BindAddr::Path(path) => path.display().to_string(),
+            #[cfg(unix)]
+            BindAddr::SocketPath(path) => path.to_string(),
         })
         .collect::<Vec<_>>();
 

src/noscript.rs

@@ -0,0 +1,103 @@
+use crate::{
+    server::{IndexData, PathItem, PathType, MAX_SUBPATHS_COUNT},
+    utils::encode_uri,
+};
+
+use anyhow::Result;
+use chrono::{DateTime, Utc};
+use xml::escape::escape_str_pcdata;
+
+pub fn detect_noscript(user_agent: &str) -> bool {
+    [
+        "lynx/", "w3m/", "links ", "elinks/", "curl/", "wget/", "httpie/", "aria2/",
+    ]
+    .iter()
+    .any(|v| user_agent.starts_with(v))
+}
+
+pub fn generate_noscript_html(data: &IndexData) -> Result<String> {
+    let mut html = String::new();
+
+    let title = format!("Index of {}", escape_str_pcdata(&data.href));
+
+    html.push_str("<html>\n");
+    html.push_str("<head>\n");
+    html.push_str(&format!("<title>{title}</title>\n"));
+    html.push_str(
+        r#"<style>
+  td {
+    padding: 0.2rem;
+    text-align: left;
+  }
+  td:nth-child(3) {
+    text-align: right;
+  }
+</style>
+"#,
+    );
+    html.push_str("</head>\n");
+    html.push_str("<body>\n");
+    html.push_str(&format!("<h1>{title}</h1>\n"));
+    html.push_str("<table>\n");
+    html.push_str("  <tbody>\n");
+    html.push_str(&format!("    {}\n", render_parent()));
+
+    for path in &data.paths {
+        html.push_str(&format!("    {}\n", render_path_item(path)));
+    }
+
+    html.push_str("  </tbody>\n");
+    html.push_str("</table>\n");
+    html.push_str("</body>\n");
+
+    Ok(html)
+}
+
+fn render_parent() -> String {
+    let value = "../";
+    format!("<tr><td><a href=\"{value}?noscript\">{value}</a></td><td></td><td></td></tr>")
+}
+
+fn render_path_item(path: &PathItem) -> String {
+    let mut href = encode_uri(&path.name);
+    let mut name = escape_str_pcdata(&path.name).to_string();
+    if path.path_type.is_dir() {
+        href.push_str("/?noscript");
+        name.push('/');
+    };
+    let mtime = format_mtime(path.mtime).unwrap_or_default();
+    let size = format_size(path.size, path.path_type);
+
+    format!("<tr><td><a href=\"{href}\">{name}</a></td><td>{mtime}</td><td>{size}</td></tr>")
+}
+
+fn format_mtime(mtime: u64) -> Option<String> {
+    let datetime = DateTime::<Utc>::from_timestamp_millis(mtime as _)?;
+    Some(datetime.format("%Y-%m-%dT%H:%M:%S.%3fZ").to_string())
+}
+
+fn format_size(size: u64, path_type: PathType) -> String {
+    if path_type.is_dir() {
+        let unit = if size == 1 { "item" } else { "items" };
+        let num = match size >= MAX_SUBPATHS_COUNT {
+            true => format!(">{}", MAX_SUBPATHS_COUNT - 1),
+            false => size.to_string(),
+        };
+        format!("{num} {unit}")
+    } else {
+        if size == 0 {
+            return "0 B".to_string();
+        }
+        const UNITS: [&str; 5] = ["B", "KB", "MB", "GB", "TB"];
+        let i = (size as f64).log2() / 10.0;
+        let i = i.floor() as usize;
+
+        if i >= UNITS.len() {
+            // Handle extremely large numbers beyond Terabytes
+            return format!("{:.2} PB", size as f64 / 1024.0f64.powi(5));
+        }
+
+        let size = size as f64 / 1024.0f64.powi(i as i32);
+        format!("{:.2} {}", size, UNITS[i])
+    }
+}

src/server.rs

@@ -2,6 +2,7 @@
 
 use crate::auth::{www_authenticate, AccessPaths, AccessPerm};
 use crate::http_utils::{body_full, IncomingStream, LengthLimitedStream};
+use crate::noscript::{detect_noscript, generate_noscript_html};
 use crate::utils::{
     decode_uri, encode_uri, get_file_mtime_and_mode, get_file_name, glob, parse_range,
     try_get_file_name,
@@ -37,7 +38,7 @@ use std::collections::HashMap;
 use std::fs::Metadata;
 use std::io::SeekFrom;
 use std::net::SocketAddr;
-use std::path::{Component, Path, PathBuf};
+use std::path::{Component, Path, PathBuf, MAIN_SEPARATOR};
 use std::sync::atomic::{self, AtomicBool};
 use std::sync::Arc;
 use std::time::SystemTime;
@@ -48,7 +49,7 @@ use tokio::{fs, io};
 use tokio_util::compat::FuturesAsyncWriteCompatExt;
 use tokio_util::io::{ReaderStream, StreamReader};
 use uuid::Uuid;
-use walkdir::WalkDir;
+use walkdir::{DirEntry, WalkDir};
 use xml::escape::escape_str_pcdata;
 
 pub type Request = hyper::Request<Incoming>;
@@ -62,6 +63,8 @@ const INDEX_NAME: &str = "index.html";
 const BUF_SIZE: usize = 65536;
 const EDITABLE_TEXT_MAX_SIZE: u64 = 4194304; // 4M
 const RESUMABLE_UPLOAD_MIN_SIZE: u64 = 20971520; // 20M
+const HEALTH_CHECK_PATH: &str = "__dufs__/health";
+pub const MAX_SUBPATHS_COUNT: u64 = 1000;
 
 pub struct Server {
     args: Args,
@@ -108,18 +111,12 @@ impl Server {
         let uri = req.uri().clone();
         let assets_prefix = &self.assets_prefix;
         let enable_cors = self.args.enable_cors;
-        let is_microsoft_webdav = req
-            .headers()
-            .get("user-agent")
-            .and_then(|v| v.to_str().ok())
-            .map(|v| v.starts_with("Microsoft-WebDAV-MiniRedir/"))
-            .unwrap_or_default();
         let mut http_log_data = self.args.http_logger.data(&req);
         if let Some(addr) = addr {
             http_log_data.insert("remote_addr".to_string(), addr.ip().to_string());
         }
 
-        let mut res = match self.clone().handle(req, is_microsoft_webdav).await {
+        let mut res = match self.clone().handle(req).await {
             Ok(res) => {
                 http_log_data.insert("status".to_string(), res.status().as_u16().to_string());
                 if !uri.path().starts_with(assets_prefix) {
@@ -139,22 +136,13 @@ impl Server {
             }
         };
 
-        if is_microsoft_webdav {
-            // microsoft webdav requires this.
-            res.headers_mut()
-                .insert(CONNECTION, HeaderValue::from_static("close"));
-        }
         if enable_cors {
             add_cors(&mut res);
         }
         Ok(res)
     }
 
-    pub async fn handle(
+    pub async fn handle(self: Arc<Self>, req: Request) -> Result<Response> {
-        self: Arc<Self>,
-        req: Request,
-        is_microsoft_webdav: bool,
-    ) -> Result<Response> {
         let mut res = Response::default();
 
         let req_path = req.uri().path();
@@ -171,17 +159,40 @@ impl Server {
 
         if method == Method::GET
             && self
-                .handle_assets(&relative_path, headers, &mut res)
+                .handle_internal(&relative_path, headers, &mut res)
                 .await?
         {
             return Ok(res);
         }
 
+        let user_agent = headers
+            .get("user-agent")
+            .and_then(|v| v.to_str().ok())
+            .map(|v| v.to_lowercase())
+            .unwrap_or_default();
+
+        let is_microsoft_webdav = user_agent.starts_with("microsoft-webdav-miniredir/");
+
+        if is_microsoft_webdav {
+            // microsoft webdav requires this.
+            res.headers_mut()
+                .insert(CONNECTION, HeaderValue::from_static("close"));
+        }
+
         let authorization = headers.get(AUTHORIZATION);
-        let guard =
+
-            self.args
+        let query = req.uri().query().unwrap_or_default();
-                .auth
+        let mut query_params: HashMap<String, String> = form_urlencoded::parse(query.as_bytes())
-                .guard(&relative_path, &method, authorization, is_microsoft_webdav);
+            .map(|(k, v)| (k.to_string(), v.to_string()))
+            .collect();
+
+        let guard = self.args.auth.guard(
+            &relative_path,
+            &method,
+            authorization,
+            query_params.get("token"),
+            is_microsoft_webdav,
+        );
 
         let (user, access_paths) = match guard {
             (None, None) => {
@@ -195,17 +206,22 @@ impl Server {
             (x, Some(y)) => (x, y),
         };
 
-        let query = req.uri().query().unwrap_or_default();
+        if detect_noscript(&user_agent) {
-        let query_params: HashMap<String, String> = form_urlencoded::parse(query.as_bytes())
+            query_params.insert("noscript".to_string(), String::new());
-            .map(|(k, v)| (k.to_string(), v.to_string()))
+        }
-            .collect();
 
         if method.as_str() == "CHECKAUTH" {
             match user.clone() {
                 Some(user) => {
                     *res.body_mut() = body_full(user);
                 }
-                None => self.auth_reject(&mut res)?,
+                None => {
+                    if has_query_flag(&query_params, "login") || !access_paths.perm().readwrite() {
+                        self.auth_reject(&mut res)?
+                    } else {
+                        *res.body_mut() = body_full("");
+                    }
+                }
             }
             return Ok(res);
         } else if method.as_str() == "LOGOUT" {
@@ -213,6 +229,11 @@ impl Server {
             return Ok(res);
         }
 
+        if has_query_flag(&query_params, "tokengen") {
+            self.handle_tokengen(&relative_path, user, &mut res).await?;
+            return Ok(res);
+        }
+
         let head_only = method == Method::HEAD;
 
         if self.args.path_is_file {
@@ -251,7 +272,7 @@ impl Server {
         let render_spa = self.args.render_spa;
         let render_try_index = self.args.render_try_index;
 
-        if !self.args.allow_symlink && !is_miss && !self.is_root_contained(path).await {
+        if self.guard_root_contained(path).await {
             status_not_found(&mut res);
             return Ok(res);
         }
@@ -337,7 +358,11 @@ impl Server {
                         self.handle_edit_file(path, DataKind::View, head_only, user, &mut res)
                             .await?;
                     } else if has_query_flag(&query_params, "hash") {
+                        if self.args.allow_hash {
                             self.handle_hash_file(path, head_only, &mut res).await?;
+                        } else {
+                            status_forbid(&mut res);
+                        }
                     } else {
                         self.handle_send_file(path, headers, head_only, &mut res)
                             .await?;
@@ -505,7 +530,7 @@ impl Server {
         };
         let stream = IncomingStream::new(req.into_body());
 
-        let body_with_io_error = stream.map_err(|err| io::Error::new(io::ErrorKind::Other, err));
+        let body_with_io_error = stream.map_err(io::Error::other);
         let body_reader = StreamReader::new(body_with_io_error);
 
         pin_mut!(body_reader);
@@ -590,47 +615,20 @@ impl Server {
         } else {
             let path_buf = path.to_path_buf();
             let hidden = Arc::new(self.args.hidden.to_vec());
-            let hidden = hidden.clone();
+            let search = search.clone();
-            let running = self.running.clone();
+
             let access_paths = access_paths.clone();
-            let search_paths = tokio::task::spawn_blocking(move || {
+            let search_paths = tokio::spawn(collect_dir_entries(
-                let mut paths: Vec<PathBuf> = vec![];
+                access_paths,
-                for dir in access_paths.child_paths(&path_buf) {
+                self.running.clone(),
-                    let mut it = WalkDir::new(&dir).into_iter();
+                path_buf,
-                    it.next();
+                hidden,
-                    while let Some(Ok(entry)) = it.next() {
+                self.args.allow_symlink,
-                        if !running.load(atomic::Ordering::SeqCst) {
+                self.args.serve_path.clone(),
-                            break;
+                move |x| get_file_name(x.path()).to_lowercase().contains(&search),
-                        }
+            ))
-                        let entry_path = entry.path();
-                        let base_name = get_file_name(entry_path);
-                        let file_type = entry.file_type();
-                        let mut is_dir_type: bool = file_type.is_dir();
-                        if file_type.is_symlink() {
-                            match std::fs::symlink_metadata(entry_path) {
-                                Ok(meta) => {
-                                    is_dir_type = meta.is_dir();
-                                }
-                                Err(_) => {
-                                    continue;
-                                }
-                            }
-                        }
-                        if is_hidden(&hidden, base_name, is_dir_type) {
-                            if file_type.is_dir() {
-                                it.skip_current_dir();
-                            }
-                            continue;
-                        }
-                        if !base_name.to_lowercase().contains(&search) {
-                            continue;
-                        }
-                        paths.push(entry_path.to_path_buf());
-                    }
-                }
-                paths
-            })
             .await?;
+
             for search_path in search_paths.into_iter() {
                 if let Ok(Some(item)) = self.to_pathitem(search_path, path.to_path_buf()).await {
                     paths.push(item);
@@ -658,7 +656,7 @@ impl Server {
     ) -> Result<()> {
         let (mut writer, reader) = tokio::io::duplex(BUF_SIZE);
         let filename = try_get_file_name(path)?;
-        set_content_disposition(res, false, &format!("{}.zip", filename))?;
+        set_content_disposition(res, false, &format!("{filename}.zip"))?;
         res.headers_mut()
             .insert("content-type", HeaderValue::from_static("application/zip"));
         if head_only {
@@ -668,6 +666,8 @@ impl Server {
         let hidden = self.args.hidden.clone();
         let running = self.running.clone();
         let compression = self.args.compress.to_compression();
+        let follow_symlinks = self.args.allow_symlink;
+        let serve_path = self.args.serve_path.clone();
         tokio::spawn(async move {
             if let Err(e) = zip_dir(
                 &mut writer,
@@ -675,14 +675,16 @@ impl Server {
                 access_paths,
                 &hidden,
                 compression,
+                follow_symlinks,
+                serve_path,
                 running,
             )
             .await
             {
-                error!("Failed to zip {}, {}", path.display(), e);
+                error!("Failed to zip {}, {e}", path.display());
             }
         });
-        let reader_stream = ReaderStream::new(reader);
+        let reader_stream = ReaderStream::with_capacity(reader, BUF_SIZE);
         let stream_body = StreamBody::new(
             reader_stream
                 .map_ok(Frame::data)
@@ -738,7 +740,7 @@ impl Server {
         Ok(())
     }
 
-    async fn handle_assets(
+    async fn handle_internal(
         &self,
         req_path: &str,
         headers: &HeaderMap<HeaderValue>,
@@ -789,6 +791,12 @@ impl Server {
                 HeaderValue::from_static("nosniff"),
             );
             Ok(true)
+        } else if req_path == HEALTH_CHECK_PATH {
+            res.headers_mut()
+                .typed_insert(ContentType::from(mime_guess::mime::APPLICATION_JSON));
+
+            *res.body_mut() = body_full(r#"{"status":"OK"}"#);
+            Ok(true)
         } else {
             Ok(false)
         }
@@ -831,6 +839,8 @@ impl Server {
                 }
             }
 
+            res.headers_mut()
+                .typed_insert(CacheControl::new().with_no_cache());
             res.headers_mut().typed_insert(last_modified);
             res.headers_mut().typed_insert(etag.clone());
 
@@ -845,7 +855,7 @@ impl Server {
             }
         }
 
-        let range = if use_range {
+        let ranges = if use_range {
             headers.get(RANGE).map(|range| {
                 range
                     .to_str()
@@ -866,12 +876,14 @@ impl Server {
 
         res.headers_mut().typed_insert(AcceptRanges::bytes());
 
-        if let Some(range) = range {
+        if let Some(ranges) = ranges {
-            if let Some((start, end)) = range {
+            if let Some(ranges) = ranges {
+                if ranges.len() == 1 {
+                    let (start, end) = ranges[0];
                     file.seek(SeekFrom::Start(start)).await?;
                     let range_size = end - start + 1;
                     *res.status_mut() = StatusCode::PARTIAL_CONTENT;
-                let content_range = format!("bytes {}-{}/{}", start, end, size);
+                    let content_range = format!("bytes {start}-{end}/{size}");
                     res.headers_mut()
                         .insert(CONTENT_RANGE, content_range.parse()?);
                     res.headers_mut()
@@ -887,6 +899,36 @@ impl Server {
                     );
                     let boxed_body = stream_body.boxed();
                     *res.body_mut() = boxed_body;
+                } else {
+                    *res.status_mut() = StatusCode::PARTIAL_CONTENT;
+                    let boundary = Uuid::new_v4();
+                    let mut body = Vec::new();
+                    let content_type = get_content_type(path).await?;
+                    for (start, end) in ranges {
+                        file.seek(SeekFrom::Start(start)).await?;
+                        let range_size = end - start + 1;
+                        let content_range = format!("bytes {start}-{end}/{size}");
+                        let part_header = format!(
+                            "--{boundary}\r\nContent-Type: {content_type}\r\nContent-Range: {content_range}\r\n\r\n",
+                        );
+                        body.extend_from_slice(part_header.as_bytes());
+                        let mut buffer = vec![0; range_size as usize];
+                        file.read_exact(&mut buffer).await?;
+                        body.extend_from_slice(&buffer);
+                        body.extend_from_slice(b"\r\n");
+                    }
+                    body.extend_from_slice(format!("--{boundary}--\r\n").as_bytes());
+                    res.headers_mut().insert(
+                        CONTENT_TYPE,
+                        format!("multipart/byteranges; boundary={boundary}").parse()?,
+                    );
+                    res.headers_mut()
+                        .insert(CONTENT_LENGTH, format!("{}", body.len()).parse()?);
+                    if head_only {
+                        return Ok(());
+                    }
+                    *res.body_mut() = body_full(body);
+                }
             } else {
                 *res.status_mut() = StatusCode::RANGE_NOT_SATISFIABLE;
                 res.headers_mut()
@@ -899,7 +941,7 @@ impl Server {
                 return Ok(());
             }
 
-            let reader_stream = ReaderStream::new(file);
+            let reader_stream = ReaderStream::with_capacity(file, BUF_SIZE);
             let stream_body = StreamBody::new(
                 reader_stream
                     .map_ok(Frame::data)
@@ -935,7 +977,7 @@ impl Server {
             uri_prefix: self.args.uri_prefix.clone(),
             allow_upload: self.args.allow_upload,
             allow_delete: self.args.allow_delete,
-            auth: self.args.auth.exist(),
+            auth: self.args.auth.has_users(),
             user,
             editable,
         };
@@ -950,7 +992,9 @@ impl Server {
             )
             .replace("__INDEX_DATA__", &index_data);
         res.headers_mut()
-            .typed_insert(ContentLength(output.as_bytes().len() as u64));
+            .typed_insert(ContentLength(output.len() as u64));
+        res.headers_mut()
+            .typed_insert(CacheControl::new().with_no_cache());
         if head_only {
             return Ok(());
         }
@@ -968,7 +1012,7 @@ impl Server {
         res.headers_mut()
             .typed_insert(ContentType::from(mime_guess::mime::TEXT_HTML_UTF_8));
         res.headers_mut()
-            .typed_insert(ContentLength(output.as_bytes().len() as u64));
+            .typed_insert(ContentLength(output.len() as u64));
         if head_only {
             return Ok(());
         }
@@ -976,6 +1020,24 @@ impl Server {
         Ok(())
     }
 
+    async fn handle_tokengen(
+        &self,
+        relative_path: &str,
+        user: Option<String>,
+        res: &mut Response,
+    ) -> Result<()> {
+        let output = self
+            .args
+            .auth
+            .generate_token(relative_path, &user.unwrap_or_default())?;
+        res.headers_mut()
+            .typed_insert(ContentType::from(mime_guess::mime::TEXT_PLAIN_UTF_8));
+        res.headers_mut()
+            .typed_insert(ContentLength(output.len() as u64));
+        *res.body_mut() = body_full(output);
+        Ok(())
+    }
+
     async fn handle_propfind_dir(
         &self,
         path: &Path,
@@ -1052,6 +1114,11 @@ impl Server {
 
         ensure_path_parent(&dest).await?;
 
+        if self.guard_root_contained(&dest).await {
+            status_bad_request(res, "Invalid Destination");
+            return Ok(());
+        }
+
         fs::copy(path, &dest).await?;
 
         status_no_content(res);
@@ -1068,6 +1135,11 @@ impl Server {
 
         ensure_path_parent(&dest).await?;
 
+        if self.guard_root_contained(&dest).await {
+            status_bad_request(res, "Invalid Destination");
+            return Ok(());
+        }
+
         fs::rename(path, &dest).await?;
 
         status_no_content(res);
@@ -1147,10 +1219,11 @@ impl Server {
             let output = paths
                 .into_iter()
                 .map(|v| {
+                    let displayname = escape_str_pcdata(&v.name);
                     if v.is_dir() {
-                        format!("{}/\n", v.name)
+                        format!("{}/\n", displayname)
                     } else {
-                        format!("{}\n", v.name)
+                        format!("{}\n", displayname)
                     }
                 })
                 .collect::<Vec<String>>()
@@ -1158,7 +1231,7 @@ impl Server {
             res.headers_mut()
                 .typed_insert(ContentType::from(mime_guess::mime::TEXT_HTML_UTF_8));
             res.headers_mut()
-                .typed_insert(ContentLength(output.as_bytes().len() as u64));
+                .typed_insert(ContentLength(output.len() as u64));
             *res.body_mut() = body_full(output);
             if head_only {
                 return Ok(());
@@ -1179,7 +1252,7 @@ impl Server {
             allow_search: self.args.allow_search,
             allow_archive: self.args.allow_archive,
             dir_exists: exist,
-            auth: self.args.auth.exist(),
+            auth: self.args.auth.has_users(),
             user,
             paths,
         };
@@ -1187,6 +1260,10 @@ impl Server {
             res.headers_mut()
                 .typed_insert(ContentType::from(mime_guess::mime::APPLICATION_JSON));
             serde_json::to_string_pretty(&data)?
+        } else if has_query_flag(query_params, "noscript") {
+            res.headers_mut()
+                .typed_insert(ContentType::from(mime_guess::mime::TEXT_HTML_UTF_8));
+            generate_noscript_html(&data)?
         } else {
             res.headers_mut()
                 .typed_insert(ContentType::from(mime_guess::mime::TEXT_HTML_UTF_8));
@@ -1200,7 +1277,7 @@ impl Server {
                 .replace("__INDEX_DATA__", &index_data)
         };
         res.headers_mut()
-            .typed_insert(ContentLength(output.as_bytes().len() as u64));
+            .typed_insert(ContentLength(output.len() as u64));
         res.headers_mut()
             .typed_insert(CacheControl::new().with_no_cache());
         res.headers_mut().insert(
@@ -1222,6 +1299,21 @@ impl Server {
         Ok(())
     }
 
+    async fn guard_root_contained(&self, path: &Path) -> bool {
+        if self.args.allow_symlink {
+            return false;
+        }
+        let path = if !fs::try_exists(path).await.unwrap_or_default() {
+            match path.parent() {
+                Some(parent) => parent.to_path_buf(),
+                None => return true,
+            }
+        } else {
+            path.to_path_buf()
+        };
+        !self.is_root_contained(path.as_path()).await
+    }
+
     async fn is_root_contained(&self, path: &Path) -> bool {
         fs::canonicalize(path)
             .await
@@ -1247,7 +1339,7 @@ impl Server {
         let guard = self
             .args
             .auth
-            .guard(&dest_path, req.method(), authorization, false);
+            .guard(&dest_path, req.method(), authorization, None, false);
 
         match guard {
             (_, Some(_)) => {}
@@ -1361,10 +1453,33 @@ impl Server {
             (true, false) => PathType::SymlinkFile,
             (false, false) => PathType::File,
         };
-        let mtime = to_timestamp(&meta.modified()?);
+        let mtime = match meta.modified().ok().or_else(|| meta.created().ok()) {
+            Some(v) => to_timestamp(&v),
+            None => 0,
+        };
         let size = match path_type {
-            PathType::Dir | PathType::SymlinkDir => None,
+            PathType::Dir | PathType::SymlinkDir => {
-            PathType::File | PathType::SymlinkFile => Some(meta.len()),
+                let mut count = 0;
+                let mut entries = tokio::fs::read_dir(&path).await?;
+                while let Some(entry) = entries.next_entry().await? {
+                    let entry_path = entry.path();
+                    let base_name = get_file_name(&entry_path);
+                    let is_dir = entry
+                        .file_type()
+                        .await
+                        .map(|v| v.is_dir())
+                        .unwrap_or_default();
+                    if is_hidden(&self.args.hidden, base_name, is_dir) {
+                        continue;
+                    }
+                    count += 1;
+                    if count >= MAX_SUBPATHS_COUNT {
+                        break;
+                    }
+                }
+                count
+            }
+            PathType::File | PathType::SymlinkFile => meta.len(),
         };
         let rel_path = path.strip_prefix(base_path)?;
         let name = normalize_path(rel_path);
@@ -1378,45 +1493,33 @@ impl Server {
 }
 
 #[derive(Debug, Serialize, PartialEq)]
-enum DataKind {
+pub enum DataKind {
     Index,
     Edit,
     View,
 }
 
 #[derive(Debug, Serialize)]
-struct IndexData {
+pub struct IndexData {
-    href: String,
+    pub href: String,
-    kind: DataKind,
+    pub kind: DataKind,
-    uri_prefix: String,
+    pub uri_prefix: String,
-    allow_upload: bool,
+    pub allow_upload: bool,
-    allow_delete: bool,
+    pub allow_delete: bool,
-    allow_search: bool,
+    pub allow_search: bool,
-    allow_archive: bool,
+    pub allow_archive: bool,
-    dir_exists: bool,
+    pub dir_exists: bool,
-    auth: bool,
+    pub auth: bool,
-    user: Option<String>,
+    pub user: Option<String>,
-    paths: Vec<PathItem>,
+    pub paths: Vec<PathItem>,
-}
-
-#[derive(Debug, Serialize)]
-struct EditData {
-    href: String,
-    kind: DataKind,
-    uri_prefix: String,
-    allow_upload: bool,
-    allow_delete: bool,
-    auth: bool,
-    user: Option<String>,
-    editable: bool,
 }
 
 #[derive(Debug, Serialize, Eq, PartialEq, Ord, PartialOrd)]
-struct PathItem {
+pub struct PathItem {
-    path_type: PathType,
+    pub path_type: PathType,
-    name: String,
+    pub name: String,
-    mtime: u64,
+    pub mtime: u64,
-    size: Option<u64>,
+    pub size: u64,
 }
 
 impl PathItem {
@@ -1450,27 +1553,24 @@ impl PathItem {
             ),
             PathType::File | PathType::SymlinkFile => format!(
                 r#"<D:response>
-<D:href>{}</D:href>
+<D:href>{href}</D:href>
 <D:propstat>
 <D:prop>
-<D:displayname>{}</D:displayname>
+<D:displayname>{displayname}</D:displayname>
 <D:getcontentlength>{}</D:getcontentlength>
-<D:getlastmodified>{}</D:getlastmodified>
+<D:getlastmodified>{mtime}</D:getlastmodified>
 <D:resourcetype></D:resourcetype>
 </D:prop>
 <D:status>HTTP/1.1 200 OK</D:status>
 </D:propstat>
 </D:response>"#,
-                href,
+                self.size
-                displayname,
-                self.size.unwrap_or_default(),
-                mtime
             ),
         }
     }
 
     pub fn base_name(&self) -> &str {
-        self.name.split('/').last().unwrap_or_default()
+        self.name.split('/').next_back().unwrap_or_default()
     }
 
     pub fn sort_by_name(&self, other: &Self) -> Ordering {
@@ -1491,29 +1591,26 @@ impl PathItem {
 
     pub fn sort_by_size(&self, other: &Self) -> Ordering {
         match self.path_type.cmp(&other.path_type) {
-            Ordering::Equal => {
+            Ordering::Equal => self.size.cmp(&other.size),
-                if self.is_dir() {
-                    alphanumeric_sort::compare_str(
-                        self.name.to_lowercase(),
-                        other.name.to_lowercase(),
-                    )
-                } else {
-                    self.size.unwrap_or(0).cmp(&other.size.unwrap_or(0))
-                }
-            }
             v => v,
         }
     }
 }
 
-#[derive(Debug, Serialize, Eq, PartialEq)]
+#[derive(Debug, Serialize, Clone, Copy, Eq, PartialEq)]
-enum PathType {
+pub enum PathType {
     Dir,
     SymlinkDir,
     File,
     SymlinkFile,
 }
 
+impl PathType {
+    pub fn is_dir(&self) -> bool {
+        matches!(self, Self::Dir | Self::SymlinkDir)
+    }
+}
+
 impl Ord for PathType {
     fn cmp(&self, other: &Self) -> Ordering {
         let to_value = |t: &Self| -> u8 {
@@ -1532,6 +1629,18 @@ impl PartialOrd for PathType {
     }
 }
 
+#[derive(Debug, Serialize)]
+struct EditData {
+    href: String,
+    kind: DataKind,
+    uri_prefix: String,
+    allow_upload: bool,
+    allow_delete: bool,
+    auth: bool,
+    user: Option<String>,
+    editable: bool,
+}
+
 fn to_timestamp(time: &SystemTime) -> u64 {
     time.duration_since(SystemTime::UNIX_EPOCH)
         .unwrap_or_default()
@@ -1595,54 +1704,29 @@ async fn zip_dir<W: AsyncWrite + Unpin>(
     access_paths: AccessPaths,
     hidden: &[String],
     compression: Compression,
+    follow_symlinks: bool,
+    serve_path: PathBuf,
     running: Arc<AtomicBool>,
 ) -> Result<()> {
     let mut writer = ZipFileWriter::with_tokio(writer);
     let hidden = Arc::new(hidden.to_vec());
-    let dir_clone = dir.to_path_buf();
+    let zip_paths = tokio::task::spawn(collect_dir_entries(
-    let zip_paths = tokio::task::spawn_blocking(move || {
+        access_paths,
-        let mut paths: Vec<PathBuf> = vec![];
+        running,
-        for dir in access_paths.child_paths(&dir_clone) {
+        dir.to_path_buf(),
-            let mut it = WalkDir::new(&dir).into_iter();
+        hidden,
-            it.next();
+        follow_symlinks,
-            while let Some(Ok(entry)) = it.next() {
+        serve_path,
-                if !running.load(atomic::Ordering::SeqCst) {
+        move |x| x.path().symlink_metadata().is_ok() && x.file_type().is_file(),
-                    break;
+    ))
-                }
-                let entry_path = entry.path();
-                let base_name = get_file_name(entry_path);
-                let file_type = entry.file_type();
-                let mut is_dir_type: bool = file_type.is_dir();
-                if file_type.is_symlink() {
-                    match std::fs::symlink_metadata(entry_path) {
-                        Ok(meta) => {
-                            is_dir_type = meta.is_dir();
-                        }
-                        Err(_) => {
-                            continue;
-                        }
-                    }
-                }
-                if is_hidden(&hidden, base_name, is_dir_type) {
-                    if file_type.is_dir() {
-                        it.skip_current_dir();
-                    }
-                    continue;
-                }
-                if entry.path().symlink_metadata().is_err() {
-                    continue;
-                }
-                if !file_type.is_file() {
-                    continue;
-                }
-                paths.push(entry_path.to_path_buf());
-            }
-        }
-        paths
-    })
     .await?;
     for zip_path in zip_paths.into_iter() {
-        let filename = match zip_path.strip_prefix(dir).ok().and_then(|v| v.to_str()) {
+        let filename = match zip_path
+            .strip_prefix(dir)
+            .ok()
+            .and_then(|v| v.to_str())
+            .map(|v| v.replace(MAIN_SEPARATOR, "/"))
+        {
             Some(v) => v,
             None => continue,
         };
@@ -1660,7 +1744,7 @@ async fn zip_dir<W: AsyncWrite + Unpin>(
 }
 
 fn extract_cache_headers(meta: &Metadata) -> Option<(ETag, LastModified)> {
-    let mtime = meta.modified().ok()?;
+    let mtime = meta.modified().ok().or_else(|| meta.created().ok())?;
     let timestamp = to_timestamp(&mtime);
     let size = meta.len();
     let etag = format!(r#""{timestamp}-{size}""#).parse::<ETag>().ok()?;
@@ -1702,7 +1786,7 @@ fn set_content_disposition(res: &mut Response, inline: bool, filename: &str) ->
         })
         .collect();
     let value = if filename.is_ascii() {
-        HeaderValue::from_str(&format!("{kind}; filename=\"{}\"", filename,))?
+        HeaderValue::from_str(&format!("{kind}; filename=\"{filename}\"",))?
     } else {
         HeaderValue::from_str(&format!(
             "{kind}; filename=\"{}\"; filename*=UTF-8''{}",
@@ -1714,9 +1798,9 @@ fn set_content_disposition(res: &mut Response, inline: bool, filename: &str) ->
     Ok(())
 }
 
-fn is_hidden(hidden: &[String], file_name: &str, is_dir_type: bool) -> bool {
+fn is_hidden(hidden: &[String], file_name: &str, is_dir: bool) -> bool {
     hidden.iter().any(|v| {
-        if is_dir_type {
+        if is_dir {
             if let Some(x) = v.strip_suffix('/') {
                 return glob(x, file_name);
             }
@@ -1777,8 +1861,10 @@ fn parse_upload_offset(headers: &HeaderMap<HeaderValue>, size: u64) -> Result<Op
     if value == "append" {
         return Ok(Some(size));
     }
-    let (start, _) = parse_range(value, size).ok_or_else(err)?;
+    // use the first range
-    Ok(Some(start))
+    let ranges = parse_range(value, size).ok_or_else(err)?;
+    let (start, _) = ranges.first().ok_or_else(err)?;
+    Ok(Some(*start))
 }
 
 async fn sha256_file(path: &Path) -> Result<String> {
@@ -1795,7 +1881,7 @@ async fn sha256_file(path: &Path) -> Result<String> {
     }
 
     let result = hasher.finalize();
-    Ok(format!("{:x}", result))
+    Ok(format!("{result:x}"))
 }
 
 fn has_query_flag(query_params: &HashMap<String, String>, name: &str) -> bool {
@@ -1804,3 +1890,61 @@ fn has_query_flag(query_params: &HashMap<String, String>, name: &str) -> bool {
         .map(|v| v.is_empty())
         .unwrap_or_default()
 }
+
+async fn collect_dir_entries<F>(
+    access_paths: AccessPaths,
+    running: Arc<AtomicBool>,
+    path: PathBuf,
+    hidden: Arc<Vec<String>>,
+    follow_symlinks: bool,
+    serve_path: PathBuf,
+    include_entry: F,
+) -> Vec<PathBuf>
+where
+    F: Fn(&DirEntry) -> bool,
+{
+    let mut paths: Vec<PathBuf> = vec![];
+    for dir in access_paths.entry_paths(&path) {
+        let mut it = WalkDir::new(&dir).follow_links(true).into_iter();
+        it.next();
+        while let Some(entry) = it.next() {
+            if !running.load(atomic::Ordering::SeqCst) {
+                break;
+            }
+            let entry = match entry {
+                Ok(v) => v,
+                Err(_) => continue,
+            };
+            let entry_path = entry.path();
+            let base_name = get_file_name(entry_path);
+            let is_dir = entry.file_type().is_dir();
+            if is_hidden(&hidden, base_name, is_dir) {
+                if is_dir {
+                    it.skip_current_dir();
+                }
+                continue;
+            }
+
+            if !follow_symlinks
+                && !fs::canonicalize(entry_path)
+                    .await
+                    .ok()
+                    .map(|v| v.starts_with(&serve_path))
+                    .unwrap_or_default()
+            {
+                // We walked outside the server's root. This could only have
+                // happened if we followed a symlink, and hence we only allow it
+                // if allow_symlink is enabled, otherwise we skip this entry.
+                if is_dir {
+                    it.skip_current_dir();
+                }
+                continue;
+            }
+            if !include_entry(&entry) {
+                continue;
+            }
+            paths.push(entry_path.to_path_buf());
+        }
+    }
+    paths
+}

src/utils.rs

@@ -1,17 +1,17 @@
 use anyhow::{anyhow, Context, Result};
 use chrono::{DateTime, Utc};
 #[cfg(feature = "tls")]
-use rustls_pki_types::{CertificateDer, PrivateKeyDer};
+use rustls_pki_types::{pem::PemObject, CertificateDer, PrivateKeyDer};
 use std::{
     borrow::Cow,
     path::Path,
     time::{Duration, SystemTime, UNIX_EPOCH},
 };
 
-pub fn unix_now() -> Result<Duration> {
+pub fn unix_now() -> Duration {
     SystemTime::now()
         .duration_since(UNIX_EPOCH)
-        .with_context(|| "Invalid system time")
+        .expect("Unable to get unix epoch time")
 }
 
 pub fn encode_uri(v: &str) -> String {
@@ -19,7 +19,7 @@ pub fn encode_uri(v: &str) -> String {
     parts.join("/")
 }
 
-pub fn decode_uri(v: &str) -> Option<Cow<str>> {
+pub fn decode_uri(v: &str) -> Option<Cow<'_, str>> {
     percent_encoding::percent_decode(v.as_bytes())
         .decode_utf8()
         .ok()
@@ -62,74 +62,78 @@ pub fn glob(pattern: &str, target: &str) -> bool {
 
 // Load public certificate from file.
 #[cfg(feature = "tls")]
-pub fn load_certs<T: AsRef<Path>>(filename: T) -> Result<Vec<CertificateDer<'static>>> {
+pub fn load_certs<T: AsRef<Path>>(file_name: T) -> Result<Vec<CertificateDer<'static>>> {
-    // Open certificate file.
-    let cert_file = std::fs::File::open(filename.as_ref())
-        .with_context(|| format!("Failed to access `{}`", filename.as_ref().display()))?;
-    let mut reader = std::io::BufReader::new(cert_file);
-
-    // Load and return certificate.
     let mut certs = vec![];
-    for cert in rustls_pemfile::certs(&mut reader) {
+    for cert in CertificateDer::pem_file_iter(file_name.as_ref()).with_context(|| {
-        let cert = cert.with_context(|| "Failed to load certificate")?;
+        format!(
+            "Failed to load cert file at `{}`",
+            file_name.as_ref().display()
+        )
+    })? {
+        let cert = cert.with_context(|| {
+            format!(
+                "Invalid certificate data in file `{}`",
+                file_name.as_ref().display()
+            )
+        })?;
         certs.push(cert)
     }
     if certs.is_empty() {
-        anyhow::bail!("No supported certificate in file");
+        anyhow::bail!(
+            "No supported certificate in file `{}`",
+            file_name.as_ref().display()
+        );
     }
     Ok(certs)
 }
 
 // Load private key from file.
 #[cfg(feature = "tls")]
-pub fn load_private_key<T: AsRef<Path>>(filename: T) -> Result<PrivateKeyDer<'static>> {
+pub fn load_private_key<T: AsRef<Path>>(file_name: T) -> Result<PrivateKeyDer<'static>> {
-    let key_file = std::fs::File::open(filename.as_ref())
+    PrivateKeyDer::from_pem_file(file_name.as_ref()).with_context(|| {
-        .with_context(|| format!("Failed to access `{}`", filename.as_ref().display()))?;
+        format!(
-    let mut reader = std::io::BufReader::new(key_file);
+            "Failed to load key file at `{}`",
-
+            file_name.as_ref().display()
-    // Load and return a single private key.
+        )
-    for key in rustls_pemfile::read_all(&mut reader) {
+    })
-        let key = key.with_context(|| "There was a problem with reading private key")?;
-        match key {
-            rustls_pemfile::Item::Pkcs1Key(key) => return Ok(PrivateKeyDer::Pkcs1(key)),
-            rustls_pemfile::Item::Pkcs8Key(key) => return Ok(PrivateKeyDer::Pkcs8(key)),
-            rustls_pemfile::Item::Sec1Key(key) => return Ok(PrivateKeyDer::Sec1(key)),
-            _ => {}
-        }
-    }
-    anyhow::bail!("No supported private key in file");
 }
 
-pub fn parse_range(range: &str, size: u64) -> Option<(u64, u64)> {
+pub fn parse_range(range: &str, size: u64) -> Option<Vec<(u64, u64)>> {
-    let (unit, range) = range.split_once('=')?;
+    let (unit, ranges) = range.split_once('=')?;
-    if unit != "bytes" || range.contains(',') {
+    if unit != "bytes" {
         return None;
     }
-    let (start, end) = range.split_once('-')?;
+
+    let mut result = Vec::new();
+    for range in ranges.split(',') {
+        let (start, end) = range.trim().split_once('-')?;
         if start.is_empty() {
             let offset = end.parse::<u64>().ok()?;
             if offset <= size {
-            Some((size - offset, size - 1))
+                result.push((size - offset, size - 1));
             } else {
-            None
+                return None;
             }
         } else {
             let start = start.parse::<u64>().ok()?;
             if start < size {
                 if end.is_empty() {
-                Some((start, size - 1))
+                    result.push((start, size - 1));
                 } else {
                     let end = end.parse::<u64>().ok()?;
                     if end < size {
-                    Some((start, end))
+                        result.push((start, end));
                     } else {
-                    None
+                        return None;
                     }
                 }
             } else {
-            None
+                return None;
             }
         }
+    }
+
+    Some(result)
 }
 
 #[cfg(test)]
@@ -162,13 +166,19 @@ mod tests {
 
     #[test]
     fn test_parse_range() {
-        assert_eq!(parse_range("bytes=0-499", 500), Some((0, 499)));
+        assert_eq!(parse_range("bytes=0-499", 500), Some(vec![(0, 499)]));
-        assert_eq!(parse_range("bytes=0-", 500), Some((0, 499)));
+        assert_eq!(parse_range("bytes=0-", 500), Some(vec![(0, 499)]));
-        assert_eq!(parse_range("bytes=299-", 500), Some((299, 499)));
+        assert_eq!(parse_range("bytes=299-", 500), Some(vec![(299, 499)]));
-        assert_eq!(parse_range("bytes=-500", 500), Some((0, 499)));
+        assert_eq!(parse_range("bytes=-500", 500), Some(vec![(0, 499)]));
-        assert_eq!(parse_range("bytes=-300", 500), Some((200, 499)));
+        assert_eq!(parse_range("bytes=-300", 500), Some(vec![(200, 499)]));
+        assert_eq!(
+            parse_range("bytes=0-199, 100-399, 400-, -200", 500),
+            Some(vec![(0, 199), (100, 399), (400, 499), (300, 499)])
+        );
         assert_eq!(parse_range("bytes=500-", 500), None);
         assert_eq!(parse_range("bytes=-501", 500), None);
         assert_eq!(parse_range("bytes=0-500", 500), None);
+        assert_eq!(parse_range("bytes=0-199,", 500), None);
+        assert_eq!(parse_range("bytes=0-199, 500-", 500), None);
     }
 }

tests/assets.rs

@@ -1,7 +1,6 @@
 mod fixtures;
 mod utils;
 
-use assert_cmd::prelude::*;
 use assert_fs::fixture::TempDir;
 use fixtures::{port, server, tmpdir, wait_for_port, Error, TestServer, DIR_ASSETS};
 use rstest::rstest;
@@ -101,7 +100,7 @@ fn asset_js_with_prefix(
 
 #[rstest]
 fn assets_override(tmpdir: TempDir, port: u16) -> Result<(), Error> {
-    let mut child = Command::cargo_bin("dufs")?
+    let mut child = Command::new(assert_cmd::cargo::cargo_bin!())
         .arg(tmpdir.path())
         .arg("-p")
         .arg(port.to_string())

tests/auth.rs

@@ -57,17 +57,18 @@ fn invalid_auth(
     Ok(())
 }
 
-const HASHED_PASSWORD_AUTH: &str =  "user:$6$gQxZwKyWn/ZmWEA2$4uV7KKMnSUnET2BtWTj/9T5.Jq3h/MdkOlnIl5hdlTxDZ4MZKmJ.kl6C.NL9xnNPqC4lVHC1vuI0E5cLpTJX81@/:rw"; // user:pass
-
 #[rstest]
+#[case(server(&["--auth", "user:$6$gQxZwKyWn/ZmWEA2$4uV7KKMnSUnET2BtWTj/9T5.Jq3h/MdkOlnIl5hdlTxDZ4MZKmJ.kl6C.NL9xnNPqC4lVHC1vuI0E5cLpTJX81@/:rw", "-A"]), "user", "pass")]
+#[case(server(&["--auth", "user:$6$YV1J6OHZAAgbzCbS$V55ZEgvJ6JFdz1nLO4AD696PRHAJYhfQf.Gy2HafrCz5itnbgNTtTgfUSqZrt4BJ7FcpRfSt/QZzAan68pido0@/:rw", "-A"]), "user", "pa:ss@1")]
 fn auth_hashed_password(
-    #[with(&["--auth", HASHED_PASSWORD_AUTH, "-A"])] server: TestServer,
+    #[case] server: TestServer,
+    #[case] user: &str,
+    #[case] pass: &str,
 ) -> Result<(), Error> {
     let url = format!("{}file1", server.url());
     let resp = fetch!(b"PUT", &url).body(b"abc".to_vec()).send()?;
     assert_eq!(resp.status(), 401);
-    if let Err(err) =
+    if let Err(err) = send_with_digest_auth(fetch!(b"PUT", &url).body(b"abc".to_vec()), user, pass)
-        send_with_digest_auth(fetch!(b"PUT", &url).body(b"abc".to_vec()), "user", "pass")
     {
         assert_eq!(
             err.to_string(),
@@ -76,7 +77,7 @@ fn auth_hashed_password(
     }
     let resp = fetch!(b"PUT", &url)
         .body(b"abc".to_vec())
-        .basic_auth("user", Some("pass"))
+        .basic_auth(user, Some(pass))
         .send()?;
     assert_eq!(resp.status(), 201);
     Ok(())
@@ -114,11 +115,39 @@ fn auth_skip_on_options_method(
     Ok(())
 }
 
+#[rstest]
+fn auth_skip_if_no_auth_user(server: TestServer) -> Result<(), Error> {
+    let url = format!("{}index.html", server.url());
+    let resp = fetch!(b"GET", &url)
+        .basic_auth("user", Some("pass"))
+        .send()?;
+    assert_eq!(resp.status(), 200);
+    Ok(())
+}
+
+#[rstest]
+fn auth_no_skip_if_anonymous(
+    #[with(&["--auth", "@/:ro"])] server: TestServer,
+) -> Result<(), Error> {
+    let url = format!("{}index.html", server.url());
+    let resp = fetch!(b"GET", &url)
+        .basic_auth("user", Some("pass"))
+        .send()?;
+    assert_eq!(resp.status(), 401);
+    let resp = fetch!(b"GET", &url).send()?;
+    assert_eq!(resp.status(), 200);
+    let resp = fetch!(b"DELETE", &url)
+        .basic_auth("user", Some("pass"))
+        .send()?;
+    assert_eq!(resp.status(), 401);
+    Ok(())
+}
+
 #[rstest]
 fn auth_check(
     #[with(&["--auth", "user:pass@/:rw", "--auth", "user2:pass2@/", "-A"])] server: TestServer,
 ) -> Result<(), Error> {
-    let url = format!("{}index.html", server.url());
+    let url = format!("{}", server.url());
     let resp = fetch!(b"CHECKAUTH", &url).send()?;
     assert_eq!(resp.status(), 401);
     let resp = send_with_digest_auth(fetch!(b"CHECKAUTH", &url), "user", "pass")?;
@@ -132,7 +161,7 @@ fn auth_check(
 fn auth_check2(
     #[with(&["--auth", "user:pass@/:rw|user2:pass2@/", "-A"])] server: TestServer,
 ) -> Result<(), Error> {
-    let url = format!("{}index.html", server.url());
+    let url = format!("{}", server.url());
     let resp = fetch!(b"CHECKAUTH", &url).send()?;
     assert_eq!(resp.status(), 401);
     let resp = send_with_digest_auth(fetch!(b"CHECKAUTH", &url), "user", "pass")?;
@@ -142,6 +171,18 @@ fn auth_check2(
     Ok(())
 }
 
+#[rstest]
+fn auth_check3(
+    #[with(&["--auth", "user:pass@/:rw", "--auth", "@/dir1:rw", "-A"])] server: TestServer,
+) -> Result<(), Error> {
+    let url = format!("{}dir1/", server.url());
+    let resp = fetch!(b"CHECKAUTH", &url).send()?;
+    assert_eq!(resp.status(), 200);
+    let resp = fetch!(b"CHECKAUTH", format!("{url}?login")).send()?;
+    assert_eq!(resp.status(), 401);
+    Ok(())
+}
+
 #[rstest]
 fn auth_logout(
     #[with(&["--auth", "user:pass@/:rw", "-A"])] server: TestServer,
@@ -325,16 +366,31 @@ fn auth_data(
 }
 
 #[rstest]
-fn auth_precedence(
+fn auth_shadow(
-    #[with(&["--auth", "user:pass@/dir1:rw,/dir1/test.txt", "-A"])] server: TestServer,
+    #[with(&["--auth", "user:pass@/:rw", "-a", "@/dir1", "-A"])] server: TestServer,
 ) -> Result<(), Error> {
     let url = format!("{}dir1/test.txt", server.url());
-    let resp = send_with_digest_auth(fetch!(b"PUT", &url).body(b"abc".to_vec()), "user", "pass")?;
+    let resp = fetch!(b"PUT", &url).body(b"abc".to_vec()).send()?;
-    assert_eq!(resp.status(), 403);
+    assert_eq!(resp.status(), 401);
 
-    let url = format!("{}dir1/file1", server.url());
     let resp = send_with_digest_auth(fetch!(b"PUT", &url).body(b"abc".to_vec()), "user", "pass")?;
     assert_eq!(resp.status(), 201);
 
     Ok(())
 }
+
+#[rstest]
+fn token_auth(#[with(&["-a", "user:pass@/"])] server: TestServer) -> Result<(), Error> {
+    let url = format!("{}index.html", server.url());
+    let resp = fetch!(b"GET", &url).send()?;
+    assert_eq!(resp.status(), 401);
+    let url = format!("{}index.html?tokengen", server.url());
+    let resp = fetch!(b"GET", &url)
+        .basic_auth("user", Some("pass"))
+        .send()?;
+    let token = resp.text()?;
+    let url = format!("{}index.html?token={token}", server.url());
+    let resp = fetch!(b"GET", &url).send()?;
+    assert_eq!(resp.status(), 200);
+    Ok(())
+}

tests/bind.rs

@@ -12,7 +12,7 @@ use std::process::{Command, Stdio};
 #[rstest]
 #[case(&["-b", "20.205.243.166"])]
 fn bind_fails(tmpdir: TempDir, port: u16, #[case] args: &[&str]) -> Result<(), Error> {
-    Command::cargo_bin("dufs")?
+    Command::new(assert_cmd::cargo::cargo_bin!())
         .arg(tmpdir.path())
         .arg("-p")
         .arg(port.to_string())
@@ -49,7 +49,7 @@ fn bind_ipv4_ipv6(
 #[case(&[] as &[&str])]
 #[case(&["--path-prefix", "/prefix"])]
 fn validate_printed_urls(tmpdir: TempDir, port: u16, #[case] args: &[&str]) -> Result<(), Error> {
-    let mut child = Command::cargo_bin("dufs")?
+    let mut child = Command::new(assert_cmd::cargo::cargo_bin!())
         .arg(tmpdir.path())
         .arg("-p")
         .arg(port.to_string())

tests/cache.rs

@@ -49,7 +49,7 @@ fn same_etag(etag: &str) -> String {
 }
 
 fn different_etag(etag: &str) -> String {
-    format!("{}1234", etag)
+    format!("{etag}1234")
 }
 
 #[rstest]

tests/cli.rs

@@ -11,7 +11,10 @@ use std::process::Command;
 #[test]
 /// Show help and exit.
 fn help_shows() -> Result<(), Error> {
-    Command::cargo_bin("dufs")?.arg("-h").assert().success();
+    Command::new(assert_cmd::cargo::cargo_bin!())
+        .arg("-h")
+        .assert()
+        .success();
 
     Ok(())
 }
@@ -21,7 +24,7 @@ fn help_shows() -> Result<(), Error> {
 fn print_completions() -> Result<(), Error> {
     // let shell_enums = EnumValueParser::<Shell>::new();
     for shell in Shell::value_variants() {
-        Command::cargo_bin("dufs")?
+        Command::new(assert_cmd::cargo::cargo_bin!())
             .arg("--completions")
             .arg(shell.to_string())
             .assert()

tests/config.rs

@@ -2,7 +2,6 @@ mod digest_auth_util;
 mod fixtures;
 mod utils;
 
-use assert_cmd::prelude::*;
 use assert_fs::TempDir;
 use digest_auth_util::send_with_digest_auth;
 use fixtures::{port, tmpdir, wait_for_port, Error};
@@ -13,7 +12,7 @@ use std::process::{Command, Stdio};
 #[rstest]
 fn use_config_file(tmpdir: TempDir, port: u16) -> Result<(), Error> {
     let config_path = get_config_path().display().to_string();
-    let mut child = Command::cargo_bin("dufs")?
+    let mut child = Command::new(assert_cmd::cargo::cargo_bin!())
         .arg(tmpdir.path())
         .arg("-p")
         .arg(port.to_string())

tests/fixtures.rs

@@ -1,4 +1,3 @@
-use assert_cmd::prelude::*;
 use assert_fs::fixture::TempDir;
 use assert_fs::prelude::*;
 use port_check::free_local_port;
@@ -129,8 +128,7 @@ where
 {
     let port = port();
     let tmpdir = tmpdir();
-    let child = Command::cargo_bin("dufs")
+    let child = Command::new(assert_cmd::cargo::cargo_bin!())
-        .expect("Couldn't find test binary")
         .arg(tmpdir.path())
         .arg("-p")
         .arg(port.to_string())
@@ -146,14 +144,14 @@ where
     TestServer::new(port, tmpdir, child, is_tls)
 }
 
-/// Wait a max of 1s for the port to become available.
+/// Wait a max of 2s for the port to become available.
 pub fn wait_for_port(port: u16) {
     let start_wait = Instant::now();
 
     while !port_check::is_port_reachable(format!("localhost:{port}")) {
-        sleep(Duration::from_millis(100));
+        sleep(Duration::from_millis(250));
 
-        if start_wait.elapsed().as_secs() > 1 {
+        if start_wait.elapsed().as_secs() > 2 {
             panic!("timeout waiting for port {port}");
         }
     }

tests/health.rs

@@ -0,0 +1,31 @@
+mod fixtures;
+mod utils;
+
+use fixtures::{server, Error, TestServer};
+use rstest::rstest;
+
+const HEALTH_CHECK_PATH: &str = "__dufs__/health";
+const HEALTH_CHECK_RESPONSE: &str = r#"{"status":"OK"}"#;
+
+#[rstest]
+fn normal_health(server: TestServer) -> Result<(), Error> {
+    let resp = reqwest::blocking::get(format!("{}{HEALTH_CHECK_PATH}", server.url()))?;
+    assert_eq!(resp.text()?, HEALTH_CHECK_RESPONSE);
+    Ok(())
+}
+
+#[rstest]
+fn auth_health(
+    #[with(&["--auth", "user:pass@/:rw", "-A"])] server: TestServer,
+) -> Result<(), Error> {
+    let resp = reqwest::blocking::get(format!("{}{HEALTH_CHECK_PATH}", server.url()))?;
+    assert_eq!(resp.text()?, HEALTH_CHECK_RESPONSE);
+    Ok(())
+}
+
+#[rstest]
+fn path_prefix_health(#[with(&["--path-prefix", "xyz"])] server: TestServer) -> Result<(), Error> {
+    let resp = reqwest::blocking::get(format!("{}xyz/{HEALTH_CHECK_PATH}", server.url()))?;
+    assert_eq!(resp.text()?, HEALTH_CHECK_RESPONSE);
+    Ok(())
+}

tests/http.rs

@@ -82,6 +82,19 @@ fn get_dir_simple(#[with(&["-A"])] server: TestServer) -> Result<(), Error> {
     Ok(())
 }
 
+#[rstest]
+fn get_dir_noscript(#[with(&["-A"])] server: TestServer) -> Result<(), Error> {
+    let resp = reqwest::blocking::get(format!("{}?noscript", server.url()))?;
+    assert_eq!(resp.status(), 200);
+    assert_eq!(
+        resp.headers().get("content-type").unwrap(),
+        "text/html; charset=utf-8"
+    );
+    let text = resp.text().unwrap();
+    assert!(text.contains(r#"<td><a href="index.html">index.html</a></td>"#));
+    Ok(())
+}
+
 #[rstest]
 fn head_dir_zip(#[with(&["-A"])] server: TestServer) -> Result<(), Error> {
     let resp = fetch!(b"HEAD", format!("{}?zip", server.url())).send()?;
@@ -190,7 +203,7 @@ fn head_file(server: TestServer) -> Result<(), Error> {
 }
 
 #[rstest]
-fn hash_file(server: TestServer) -> Result<(), Error> {
+fn hash_file(#[with(&["--allow-hash"])] server: TestServer) -> Result<(), Error> {
     let resp = reqwest::blocking::get(format!("{}index.html?hash", server.url()))?;
     assert_eq!(
         resp.headers().get("content-type").unwrap(),
@@ -204,6 +217,13 @@ fn hash_file(server: TestServer) -> Result<(), Error> {
     Ok(())
 }
 
+#[rstest]
+fn no_hash_file(server: TestServer) -> Result<(), Error> {
+    let resp = reqwest::blocking::get(format!("{}index.html?hash", server.url()))?;
+    assert_eq!(resp.status(), 403);
+    Ok(())
+}
+
 #[rstest]
 fn get_file_404(server: TestServer) -> Result<(), Error> {
     let resp = reqwest::blocking::get(format!("{}404", server.url()))?;

tests/http_logger.rs

@@ -5,7 +5,6 @@ mod utils;
 use digest_auth_util::send_with_digest_auth;
 use fixtures::{port, tmpdir, wait_for_port, Error};
 
-use assert_cmd::prelude::*;
 use assert_fs::fixture::TempDir;
 use rstest::rstest;
 use std::io::Read;
@@ -20,7 +19,7 @@ fn log_remote_user(
     #[case] args: &[&str],
     #[case] is_basic: bool,
 ) -> Result<(), Error> {
-    let mut child = Command::cargo_bin("dufs")?
+    let mut child = Command::new(assert_cmd::cargo::cargo_bin!())
         .arg(tmpdir.path())
         .arg("-p")
         .arg(port.to_string())
@@ -55,7 +54,7 @@ fn log_remote_user(
 #[rstest]
 #[case(&["--log-format", ""])]
 fn no_log(tmpdir: TempDir, port: u16, #[case] args: &[&str]) -> Result<(), Error> {
-    let mut child = Command::cargo_bin("dufs")?
+    let mut child = Command::new(assert_cmd::cargo::cargo_bin!())
         .arg(tmpdir.path())
         .arg("-p")
         .arg(port.to_string())

tests/range.rs

@@ -2,7 +2,7 @@ mod fixtures;
 mod utils;
 
 use fixtures::{server, Error, TestServer};
-use reqwest::header::HeaderValue;
+use reqwest::header::{HeaderMap, HeaderName, HeaderValue};
 use rstest::rstest;
 
 #[rstest]
@@ -39,3 +39,68 @@ fn get_file_range_invalid(server: TestServer) -> Result<(), Error> {
     assert_eq!(resp.headers().get("content-range").unwrap(), "bytes */18");
     Ok(())
 }
+
+fn parse_multipart_body<'a>(body: &'a str, boundary: &str) -> Vec<(HeaderMap, &'a str)> {
+    body.split(&format!("--{boundary}"))
+        .filter(|part| !part.is_empty() && *part != "--\r\n")
+        .map(|part| {
+            let (head, body) = part.trim_ascii().split_once("\r\n\r\n").unwrap();
+            let headers = head
+                .split("\r\n")
+                .fold(HeaderMap::new(), |mut headers, header| {
+                    let (key, value) = header.split_once(":").unwrap();
+                    let key = HeaderName::from_bytes(key.as_bytes()).unwrap();
+                    let value = HeaderValue::from_str(value.trim_ascii_start()).unwrap();
+                    headers.insert(key, value);
+                    headers
+                });
+            (headers, body)
+        })
+        .collect()
+}
+
+#[rstest]
+fn get_file_multipart_range(server: TestServer) -> Result<(), Error> {
+    let resp = fetch!(b"GET", format!("{}index.html", server.url()))
+        .header("range", HeaderValue::from_static("bytes=0-11, 6-17"))
+        .send()?;
+    assert_eq!(resp.status(), 206);
+    assert_eq!(resp.headers().get("accept-ranges").unwrap(), "bytes");
+
+    let content_type = resp
+        .headers()
+        .get("content-type")
+        .unwrap()
+        .to_str()?
+        .to_string();
+    assert!(content_type.starts_with("multipart/byteranges; boundary="));
+
+    let boundary = content_type.split_once('=').unwrap().1.trim_ascii_start();
+    assert!(!boundary.is_empty());
+
+    let body = resp.text()?;
+    let parts = parse_multipart_body(&body, boundary);
+    assert_eq!(parts.len(), 2);
+
+    let (headers, body) = &parts[0];
+    assert_eq!(headers.get("content-range").unwrap(), "bytes 0-11/18");
+    assert_eq!(*body, "This is inde");
+
+    let (headers, body) = &parts[1];
+    assert_eq!(headers.get("content-range").unwrap(), "bytes 6-17/18");
+    assert_eq!(*body, "s index.html");
+
+    Ok(())
+}
+
+#[rstest]
+fn get_file_multipart_range_invalid(server: TestServer) -> Result<(), Error> {
+    let resp = fetch!(b"GET", format!("{}index.html", server.url()))
+        .header("range", HeaderValue::from_static("bytes=0-6, 20-30"))
+        .send()?;
+    assert_eq!(resp.status(), 416);
+    assert_eq!(resp.headers().get("content-range").unwrap(), "bytes */18");
+    assert_eq!(resp.headers().get("accept-ranges").unwrap(), "bytes");
+    assert_eq!(resp.headers().get("content-length").unwrap(), "0");
+    Ok(())
+}

tests/single_file.rs

@@ -3,7 +3,6 @@
 mod fixtures;
 mod utils;
 
-use assert_cmd::prelude::*;
 use assert_fs::fixture::TempDir;
 use fixtures::{port, tmpdir, wait_for_port, Error};
 use rstest::rstest;
@@ -12,7 +11,7 @@ use std::process::{Command, Stdio};
 #[rstest]
 #[case("index.html")]
 fn single_file(tmpdir: TempDir, port: u16, #[case] file: &str) -> Result<(), Error> {
-    let mut child = Command::cargo_bin("dufs")?
+    let mut child = Command::new(assert_cmd::cargo::cargo_bin!())
         .arg(tmpdir.path().join(file))
         .arg("-p")
         .arg(port.to_string())
@@ -35,7 +34,7 @@ fn single_file(tmpdir: TempDir, port: u16, #[case] file: &str) -> Result<(), Err
 #[rstest]
 #[case("index.html")]
 fn path_prefix_single_file(tmpdir: TempDir, port: u16, #[case] file: &str) -> Result<(), Error> {
-    let mut child = Command::cargo_bin("dufs")?
+    let mut child = Command::new(assert_cmd::cargo::cargo_bin!())
         .arg(tmpdir.path().join(file))
         .arg("-p")
         .arg(port.to_string())

tests/tls.rs

@@ -1,7 +1,6 @@
 mod fixtures;
 mod utils;
 
-use assert_cmd::Command;
 use fixtures::{server, Error, TestServer};
 use predicates::str::contains;
 use reqwest::blocking::ClientBuilder;
@@ -25,7 +24,7 @@ use crate::fixtures::port;
 ]))]
 fn tls_works(#[case] server: TestServer) -> Result<(), Error> {
     let client = ClientBuilder::new()
-        .danger_accept_invalid_certs(true)
+        .tls_danger_accept_invalid_certs(true)
         .build()?;
     let resp = client.get(server.url()).send()?.error_for_status()?;
     assert_resp_paths!(resp);
@@ -36,7 +35,7 @@ fn tls_works(#[case] server: TestServer) -> Result<(), Error> {
 #[rstest]
 fn wrong_path_cert() -> Result<(), Error> {
     let port = port().to_string();
-    Command::cargo_bin("dufs")?
+    assert_cmd::cargo::cargo_bin_cmd!()
         .args([
             "--tls-cert",
             "wrong",
@@ -47,7 +46,7 @@ fn wrong_path_cert() -> Result<(), Error> {
         ])
         .assert()
         .failure()
-        .stderr(contains("Failed to access `wrong`"));
+        .stderr(contains("Failed to load cert file at `wrong`"));
 
     Ok(())
 }
@@ -56,7 +55,7 @@ fn wrong_path_cert() -> Result<(), Error> {
 #[rstest]
 fn wrong_path_key() -> Result<(), Error> {
     let port = port().to_string();
-    Command::cargo_bin("dufs")?
+    assert_cmd::cargo::cargo_bin_cmd!()
         .args([
             "--tls-cert",
             "tests/data/cert.pem",
@@ -67,7 +66,7 @@ fn wrong_path_key() -> Result<(), Error> {
         ])
         .assert()
         .failure()
-        .stderr(contains("Failed to access `wrong`"));
+        .stderr(contains("Failed to load key file at `wrong`"));
 
     Ok(())
 }