| Commit message | Author | Age | Files | Lines |
| |
Does this run in a thread?
|
Behavior change: It becomes up to the authorization module whether to
allow requests. The default, mod_authz_internal, will allow users on the
*parent* host only, breaking use by some components.
Remaining question is whether to deprecate the `http_file_share_access`
setting or leave as a way to complement/bypass access control?
|
Many of these fall into a few categories:
- util.cache size, must be >= 1
- byte or item counts that logically can't be negative
- port numbers that should be in 1..0xffff
|
Improves readability ("1 day" vs 86400) and centralizes validation.
|
Removed in 536055476912 because it was not used anywhere else in the
file, but per the documentation it is meant to inform external upload
services of the expiry time of the upload itself.
|
Overrides the util.jwt default of 1h with the intended TTL of 10
minutes. Because util.jwt now has its own expiry checks, the 'expiry'
field is no longer used and can thus be removed.
|
Updated by Zash, the original patch by Jonas had put the duration
parsing function in util.datetime but MattJ later did the same thing but
differently in f4d7fe919969
|
Some changes/improvements in this commit:
- Default token lifetime is now 3600s (from 300s)
- Tokens are only validated once per upload
- "iat"/"exp" are handled automatically by util.jwt
|
The same-origin policy enforced by browsers is a security measure that should
only be turned off when it is safe to do so. It is safe to do so in Prosody's
default modules, but people may load third-party modules that are unsafe.
Therefore we have flipped the default, so that modules must explicitly opt in
to having CORS headers added on their requests.
|
The Lua string.format %q doesn't behave correctly for all characters
that should be escaped in a quoted-string. And who knows what effects
higher Unicode might have here.
Applying percent-encoding of filenames seems like the safest way to deal
with filenames, as well as being easier than implementing the actual
quoted-string transform, which seems complicated and I'm not even sure
it covers every possible character.
Filenames can safely be assumed to be UTF-8 since they are passed in an
attribute in the query without any escaping.
|
Metrics available or not depending on configuration is weird, even tho
it might be expensive to calculate and it's only really needed when
there is a global quota.
Default quota is set to infinity, which is essentially what it was.
Reports NaN if there is an error, which should count as over the
infinite default quota.
|
It was lost in 6f4790b8deec when switching to mod_cron.
|
Prefer 'prune' over 'delete' since it more strongly implies removal of
excess.
|
Before aa60f4353001 each loop had its own counter, seems incrementing of
one of them was lost. But only one is needed anyhow.
|
Before mod_cron this job ran less frequently than the upload removal
job. Running them at the same frequency seems wasteful somehow, plus the
total should not drift away from the true value that fast.
|
The value needs to be known in order to determine if additional uploads
can be accepted.
|
Passing nil to the metrics system causes errors later.
|
Merging those loops removes the miscounting that would occur in case a
file could not be deleted, so no need to limit it to that case.
|
Not sure what the benefit of two separate loops was, perhaps reduced
memory usage by allowing archive query state to be garbage collected
before moving on to deleting files. Never measured so probably not so.
This simplifies a bit.
|
This is probably a bad idea, as files that could not be deleted for some
reason will not be tried again. I was just thinking of what the 'task'
argument could be used for.
|
If the request fails in the middle then the file~ could be left behind
because no code was invoked to delete it then. This gets rid of it when
the request is removed. It may still be left in case of an unclean
shutdown.
|
Can't find anything saying anything on whether this is needed or not.
kawaii reported that both Chrome and Firefox complained unless the
header was added to the list of allowed headers.
|
This is as per the HTTP standards [1]. Thankfully, the REQUIRED
www-authenticate header is already generated by the code.
[1]: https://datatracker.ietf.org/doc/html/rfc7235#section-3.1
|
In order to allow monitoring. Especially as there's not much in the way
of hard numbers on how much space gets used.
|
Error in util.human.units.format because of B(nil) when the global quota
is unset.
|
Before, maximum storage usage (assuming all users upload as much as they
could) would depend on the quota, retention period and number of users.
Since number of users can vary, this makes it hard to know how much
storage will be needed.
Adding a limit to the total overall storage use solves this, making it
simple to set it to some number based on what storage is actually
available.
Summary job run less often than the prune job since it touches the
entire archive; and started before the prune job since it's needed
before the first upload.
|
X-Frame-Options was replaced by the Content-Security-Policy
'frame-ancestors' directive, but Internet Explorer does not support that
part of CSP.
Since it's just one line it doesn't hurt to keep until some future
spring cleaning event :)
|
Creates buckets up to the configured size limit or 1TB, whichever is
smaller, e.g. {1K, 4K, 16K, ... 4M, 16M}
|
Turns out you can seek past the end of the file without getting an
error.
Also rejects empty range instead of sending the whole file.
|
Only a starting point is supported due to the way response:send_file()
sends everything it gets from the provided file handle but does not have
any way to specify how much to read.
This matches what Conversations appears to be doing.
|
Lets an external upload service know this so it can do expiry itself.
Could possibly have been calculated based on the token expiry or
issuance time, explicit > implicit.
|
In case an external upload service wants to have the original creation
time, or calculate the token expiry itself.
|
util.error.coerce() doesn't work well with iolib
|
It's annoying that Lua interpolates the filename into the error message.
|
Maybe the original idea was that you would measure storage separately?
|
Background: Found a few files in my store that did not match the size
recorded in the slot, so I needed a way to check which those were.
As it was a bit too much to type into the shell I added it here instead.
|
This just gave an unhelpful 500 error.
It would be nice to have some wrapper code that could untangle the
embedded filename in the io libs errors.
|
This is neat, O(1) reporting, why don't we do this everywhere?
Gives you an idea of how much stuff is in the caches, which may help
inform decisions on whether the size is appropriate.
|
In case none of the expired files could be deleted then it's a waste of
an API call to try to remove any of the metadata at all.
|