unfortunately to capture multipart errors, we have to wrap the entire
callback function with try-catch block
but it appears overall processing is still slightly faster than
expressjs + multer
this should have better lifecycle and use less memory over time, since
we can define max items in cache
at the moment hard-coded to 10 cached pages (inclusive of nojs version
if ever generated)
we used to store number directly into the string size field, and
during the conversion it seemed to always add ".0" at the final string,
probably because the driver or sqlite3 itself assumes float
please run yarn migrate after pulling this commit
if you skip converting the DB, file duplicates check will fail to
function
and in the future im planning to do size statistics in bigint, which
will also fail if not converted
this will display all information recorded from the specified file, but
only to the users that own them (it requires token)
this page also has a delete file button, allowing us to provide link to
this page for sharex deletion url option
once again, this is only for authenticated users, and will only show
file that the users own, unless said user is a moderator or higher
db is now initiated via utilsController, and gets re-used by main
lolisafe.js script and the other controllers
this should now make sure we only have 1 active db connection pool ever
this is a pretty big refactor due to how we used to reference db,
but it should functionally be identical
this should properly dispose of unfinished write & hasher streams on
any errors if they have been initiated
also do content-length header check a bit more early
first layer is via sending HEAD request to the url to determine its size
via content-length header
however not all hosts properly set the header, so we ignore it if
it isn't a valid number
next via size option in fetch(), which supposedly limits response body
size during the request itself (?)
lastly via checking actual bytes written to physical file as reported by
fs.createWriteStream()
this supersedes the old temporaryUploadAges, while maintaining full
backwards-compatibility.
please consult config.sample.js if you want to start using this
only usergroup and file extension bypass
real file size can't be determined before passthrough scan,
so there's no bypass by max file size
please read the comments in sample config file
refactored utils.clamscan into utils.scan
Replaced all Array.concat() with spread operator and/or push().
Fixed some faulty search logics when using exclusion filters.
Fixed capitalization of mac font in _variables.scss. Stylelint somehow
fricked up again in my previous commit.
I wasn't aware ShareX wouldn't do a basic GET request to the delete URL,
but would instead open your browser to it.
Unfortunately, due to the structure of lolisafe auth setting token
through HTTP header, which had always been done by JS as it has to get
the value from local storage, just visiting the API from browser will
merely respond with "No token provided".
We'd need cookie-based auth, which I do not want to add.
The old me that added deletion API long ago might have been aware of
this fact, but the me of a few hours ago already forgot..
I'll give this further thoughts at a later date, as ShareX isn't really
a priority to me.
Bumped v1 version string and rebuilt client assets.
For registered users only!
This requires adding a basic GET API for file deletion, so that I did.
Configs which guests download will not include pattern for delete URL,
so they won't get notified of unusable delete URL or anything like that.
dev: Improved logger.debug() to support specifying options for node's
Util.inspect() if an object is set as its last param
(assuming >1 params).
Default options now also includes enabling colors.
src/js/utils.js: Simplified dynamic ShareX config generator.
Among other things, it will now use JSON.stringify().
I don't even remember why we didn't use that in the first place..
Some logic improvements in src/js/home.js.
Bumped v1 version string and rebuilt client assets.
The service will now automatically clean up any leftover data from any
inactive & unfinished chunked upload attempts.
Updated config.sample.js for updated description and new sub-option
for chunkSize option.
Inspired by our recent switch to using blake3 for file hashing, chunks
will now be written to a tmp file directly as they're uploaded.
So no more waiting so long for "rebuilding chunks".
There will still be some delay on every following attempts of uploading
each chunks. I'm not sure the specifics, as we're already reusing the
write stream.
For admins, preference for your personal uploads list and Manage uploads
aren't shared, just like thumbs/lists toggle.
Non-keyed keywords for filtering will now apply to original names too.
Added a new fontello icon for this button.
Various other things I'm too lazy to write.
Resolves#194.
Added pagination for Manage your albums page.
Albums sidebar will now only list 9 albums at most.
Use Manage your albums page to view the rest.
Albums in the list will now have View uploads button after all.
Delete album button for albums renamed to Disable album.
Since techincally the server would've always been disabling the albums
instead of deleting them.
It was something upstream dev's decided, and I haven't bothered changing
its behavior.
I'll work on actual Delete album feature some other days.
As the title says, added Manage albums admin page.
Viewing uploads of an album will hook into albumid: filter key.
I'll work on filter and bulk operations some other days.
Updated styling for disabled albums and users.
Instead of havine a line through them, they will be greyed out.
Disable public page of albums will still use line through however.
Links to album's disabled public page are now clickable.
Added a new button styling is-dangerish.
It'll be orange.
Renamed /api/albums/delete to /api/albums/disable.
For backwards compatibility, /api/albums/delete will still work
but automatically re-routed to /api/albums/disable.
/api/uploads/list will no longer print SQLite errors for moderators
or higher when encountering them.
It was originally used to inform moderators of non-existing colum names
when used for sorting.
But on one of the recent commits, I had added a check for allowed colum
names.
Improved some caching in dashboard page.
Added new entries to cookie policy.
Some other small things.
Bumped v1 version string and rebuilt client assets.
UPDATE YOUR CONFIG FILE IF YOU USE CHUNKED UPLOADS!
Read more about this at the end.
Added new dependency: blake3
Hashes will be created as the uploads are being written to disk.
With exception for chunked uploads!
For them specifically, their hashes will be created as they're being
rebuilt into a single file.
Should still be a lot better than the previous case where it had to
re-read the already written files.
To support that feature, added a new file
controllers/multerStorageController.js.
It's just a custom storage engine for Multer.
chunkSize option now allows setting max chunk size from config file.
Previously it was hardcoded to 95MB, but assuming you have paid
Cloudflare plans, you can actually have up to 500MB.
Also moved the option to be after maxSize and before urlMaxSize.
Made a lot more sense to me this way, as chunked uploads only work on
regular uploads.
Updated v1 version string and rebuilt client assets.
Fixed browser's timezone offset not being sent with the proper header
name ("minOffset" -> "minoffset").
Server will now actually think client is on UTC timezone if "minoffset"
header is unset.
Stricter "all" header check for uploads list API endpoint.
It will now only accept the header if set to "1" (string).
Fixed server error when either date: or expiry: keys get parsed as
empty strings.
"minoffset" header when listing uploads will now only be sent if
date: or expiry: keys are properly used (i.e. match expected patterns).
Updated filters help message about wrapping with double quotes when
specifying both date and time (since there will be a space in between).
Filters input will now have some automatic clean ups other than trims.
- Replace all tabs with whitespaces.
- Remove whitespaces after "<key>:".
Bumped v1 version string and rebuilt client assets.
This works when listing all uploads as well, but Album column will only
be shown when albumid key is used in the filters.
I plan to someday add Manage Albums menu, which will use "View uploads"
buttons, just like the ones in Manage Users.
Updated ESLint's ECMA version to 9 (2018).
I'll need to use some lookbehind regex directives from now on.
It's supported since Node 10, which is the oldest version I'll support.
Refactored "can not" -> "cannot".
Filtering for regular users is still work in progress.
Some features aren't working as expected yet.
e.g. -1 means last page, -2 means the 2nd from last, and so on
will only accept up to -N where N is the amount of pages
anything lower will alwasy return the first page
this works for both list uploads and list users APIs
fixed some Object.assign in dashboard.js
added bottom control buttons in manage users
Renamed "orderby" key to "sort" (for sorting uploads).
Fixed non-keyed keyword exclusions not working as expected when
more than one are used at the same time.
Support not specifying "from" date when filtering with range keys
(date and expiry).
Proper logic for NULL values inclusion/exclusion when filtering with
user and/or ip keys.
Improved Help? prompt again!!
Also clarify about timezone differences.
Added logger.debug() function.
Basically a shorthand for console.log(require('util').inspect()).
Rebuilt client asssets and bumped v1 version string.
Please consult the Help? button again to learn all the syntax changes!
The prompt will now also have its width expanded!
Updated dependency, knex: 0.20.13 -> 0.20.15.
Added new dependency: search-query-parser.
Updated all sub-dependencies.
Critical? Admins-only API /users/edit will no longer return NEW password
salt of the user when randomizing their password.
Added page.escape() function to js/misc/utils.js.
This will be used to escape input in upload filters input box.
The same function used in utilsController.js.
Pretty dates will now use / instead of - for date separator.
This is due to the fact that date range key for filtering uploads
can not accepts dates with - separator.
To avoid inconsistency, we will now use / separator.
Caching system of album public pages will now be disabled during
development (yarn develop).
Cleaned up domClick() function in js/dashboard.js.
If using date or expiry range keys when filtering uploads, attach
client's timezone offset to the API requets.
This will be used by the server to calculate timezone differences.
Success prompt when changing token will now auto-close.
Removed ID column from Manage Users.
Improved success prompt when editing users.
This will properly list all of the edited fields at once,
excluding user group change.
Success message for user group change will require a bit more changes
on the API endpoint, which is a bit annoying.
Rebuilt client-side assets and bumped v1 version string.
Filters input in Manage Uploads will now display error if it's filled
with invalid filter/sort keys.
SQLITE_ERROR will also now be forwarded to users if they're moderators.
The expectation is to only display it when used through Manage Uploads.
This adds support for a new key named 'orderby'.
The key needs to be used with internal column names used in the db.
The key can be used more than once.
Help message in Dashboard's Manage Uploads have been updated to include
examples using the said key.
... and optionally videos using ffmpeg (still experimental).
Users can choose whether to strip tags of their uploads or not from
the home uploader's Config tab (safe.fiery.me will have it disabled
by default).
The behavior will also be applied to the downloadable ShareX config.
Server owners can choose to force either behavior.
Make sure to add the new config from config.sample.js.
---
Fixed all instances of "e.i." to "e.g.".
My English sucks okay.
Bumped v1 version string.
This doesn't use the server's built-in ability to accept multiple URLs
per API request.
It behaves the same as regular uploads, in that it executes one API call
per file, simultaneously.
I figured this is a better implementation to shift queues faster.
---
Fetch error from URL uploads due to exceeding size limit will no longer
be logged in server's console.
Clients will also see better formatted error message for URL uploads'
file size limit errors.
---
Bumped dependencies:
knex: 0.20.2 -> 0.20.3
systeminformation: 4.15.3 -> 4.16.0
Bumped v1 version string
Replaced all instances of DB .whereRaw with their much safer equivalent
methods.
All previous usages of .whereRaw were vulnerable to SQL injections,
cause we were passing the data directly.
Fortunately, they were only used in API routes that required staff
(moderators included) accounts.
---
Updated dependency:
helmet: 3.21.1 -> 3.21.2
* Changed colorscheme to black (experimental).
* Fixed ClamAV failing to report names of dirty files.
* Removed built-in support for Google site verification (globals.njk).
Just use HTML verification with public directory,
or manually edit home.njk.
* Bumped v1 version string.
Updated controllers to use Promise.all (concurrent processing) wherever
applicable.
Added 2 new entries to todo.md.
Don't check "Select all" checkbox in dashboard when there are no
uploads.
Bumped v1 version string.
Reduced album title max length from 280 to 70.
Existing albums with longer titles will have their titles truncated in
their public pages, but the original titles will still remain in db.
"Load images for preview" will now properly display its saved value.
Increased max parallel uploads to 10.
"yarn develop" will now also restart safe if some Nunjuck templates are
edited (_globals.njk, _layout.njk, and album.njk).
Better meta tags generation.
Bumped v1 version string.
Updated some dev dependencies.
---
Gulp will now build CSS/JS files during development into dist-dev
directory, to prevent IDE's Git from unnecessarily building diff's.
Added dist-dev to ignore files.
---
The entire config fille will now be passed to Nunjuck templates for ease
of access of config values.
Root domain for use in Nunjuck templates will now be parsed from config.
Better page titles.
Updated help message for "Uploads history order" option in
homepage's config tab.
Added "Load images for preview" option to homepage's config tab.
Setting this to false will now prevent image uploads from loading
themselves for previews.
Uploads' original names in homepage's uploads history are now
selectable.
Min/max length for user/pass are now enforced in auth's front-end.
Improved performance of album public pages.
Their generated HTML pages will now be cached into memory.
Unfortunately, No-JS version of their pages will be cached separately,
so each album may take up to double the memory space.
File names in thumbnails no longer have their full URLs as tooltips.
I saw no point in that behavior.
Added video icons.
Homepage's uploads history will now display video icons for videos.
"View thumbnail" button in Dashboard is now renamed to "Show preview".
Their icons will also be changed depending on their file types.
Added max length for albums' title & description.
These will be enforced both in front-end and back-end.
Existing albums that have surpassed the limits will not be enforced.
A few other small improvements.
Client-side CSS & JS files will now be processed with Gulp.
Gulp tasks are configured in gulpfile.js file.
CSS files will be optimized with postcss-preset-env, which will
auto-add vendor prefixes and convert any parts necessary for browsers
compatibility.
Afterwards they will be minified with cssnano.
JS files will be optimized with bublé,
likewise for browsers compatibility.
Afterwards they will be minified with terser.
Unprocessed CSS & JS files will now be located at src directory, while
the processed results will be located at dist directory.
Due to bublé, the JS files should now be compatible up to IE 11
at the minimum.
Previously the safe would not work in IE 11 due to extensive usage of
template literals.
Due to that as well, JS files in src directory will now extensively use
arrow functions for my personal comfort (as they will be converted too).
The server will use the processed files at dist directory by default.
If you want to rebuild the files by your own, you can run "yarn build".
Gulp is a development dependency, so make sure you have installed all
development dependencies (e.i. NOT using "yarn install --production").
---
yarn lint -> gulp lint
yarn build -> gulp default
yarn watch -> gulp watch
yarn develop -> env NODE_ENV=development yarn watch
---
Fixed not being able to demote staff into normal users.
/api/token/verify will no longer respond with 401 HTTP error code,
unless an error occurred (which will be 500 HTTP error code).
Fixed /nojs route not displaying file's original name when a duplicate
is found on the server.
Removed is-breeze CSS class name, in favor of Bulma's is-info.
Removed custom styling from auth page, in favor of global styling.
Removed all usage of style HTML attribute in favor of CSS classes.
Renamed js/s/ to js/misc/.
Use loading spinners on dashboard's sidebar menus.
Disable all other sidebar menus when something is loading.
Changed title HTML attribute of disabled control buttons in
uploads & users list.
Hid checkboxes and WIP controls from users list.
Better error messages handling.
Especially homepage will now support CF's HTTP error codes.
Updated various icons.
Also, added fontello config file at public/libs/fontello/config.json.
This should let you edit them more easily with fontello.
Use Gatsby icon for my blog's link in homepage's footer.
A bunch of other improvements here & there.
Improved performance of /api/users/:id (admin's manage users).
Promisify fs.writeFile.
Improved performance of /api/stats.
By a lot in Linux, cause uploads size will be deferred to "du" binary.
In addition, total usage of whichever disk uploads path resides on will
also be queried using "df" binary.
Non-Linux will have to rely on manual calculation by querying DB
for each upload's size.
But logics related to uploads stats were also improved to be almost
twice as fast as before.
Improved parsing of /api/stats results on dashboard.js.
This allows ease of extending server's response by not having to update
dashboard.js by much, if at all.
Improved codes relating to item menus in dashboard's sidebar.
Finally much cleaner now 👍
No longer use /api/upload/delete API route from dashboard.
Single file deletion and bulk files deletion, both from uploads list or
by names, will now properly use a single function that will use
/api/upload/bulkdelete API route.
/api/upload/delete will still be kept indefinitely for backward support.
Fixed oddities with Select all checkbox.
Replaced all instances of modifying HTML element's style attribute with
adding/removing is-hidden CSS helper class.
Rephrased all instances of "files" to "uploads" in any display strings.
Fixed notice message when server is on private mode.
A few other improvements.