alist/internal/model/user.go

package model

import (
	"fmt"

	"github.com/alist-org/alist/v3/internal/errs"
	"github.com/alist-org/alist/v3/pkg/utils"
	"github.com/alist-org/alist/v3/pkg/utils/random"
	"github.com/pkg/errors"
)

const (
	GENERAL = iota
	GUEST   // only one exists
	ADMIN
)

const StaticHashSalt = "https://github.com/alist-org/alist"

type User struct {
	ID       uint   `json:"id" gorm:"primaryKey"`                      // unique key
	Username string `json:"username" gorm:"unique" binding:"required"` // username
	PwdHash  string `json:"-"`                                         // password hash
	Salt     string // unique salt
	Password string `json:"password"`  // password
	BasePath string `json:"base_path"` // base path
	Role     int    `json:"role"`      // user's role
	Disabled bool   `json:"disabled"`
	// Determine permissions by bit
	//   0: can see hidden files
	//   1: can access without password
	//   2: can add aria2 tasks
	//   3: can mkdir and upload
	//   4: can rename
	//   5: can move
	//   6: can copy
	//   7: can remove
	//   8: webdav read
	//   9: webdav write
	//  10: can add qbittorrent tasks
	Permission int32  `json:"permission"`
	OtpSecret  string `json:"-"`
	SsoID      string `json:"sso_id"` // unique by sso platform
}

func (u *User) IsGuest() bool {
	return u.Role == GUEST
}

func (u *User) IsAdmin() bool {
	return u.Role == ADMIN
}

func (u *User) ValidateRawPassword(password string) error {
	return u.ValidatePwdStaticHash(StaticHash(password))
}

func (u *User) ValidatePwdStaticHash(pwdStaticHash string) error {
	if pwdStaticHash == "" {
		return errors.WithStack(errs.EmptyPassword)
	}
	if u.PwdHash != HashPwd(pwdStaticHash, u.Salt) {
		return errors.WithStack(errs.WrongPassword)
	}
	return nil
}

func (u *User) SetPassword(pwd string) *User {
	u.Salt = random.String(16)
	u.PwdHash = TwoHashPwd(pwd, u.Salt)
	return u
}

func (u *User) CanSeeHides() bool {
	return u.IsAdmin() || u.Permission&1 == 1
}

func (u *User) CanAccessWithoutPassword() bool {
	return u.IsAdmin() || (u.Permission>>1)&1 == 1
}

func (u *User) CanAddAria2Tasks() bool {
	return u.IsAdmin() || (u.Permission>>2)&1 == 1
}

func (u *User) CanWrite() bool {
	return u.IsAdmin() || (u.Permission>>3)&1 == 1
}

func (u *User) CanRename() bool {
	return u.IsAdmin() || (u.Permission>>4)&1 == 1
}

func (u *User) CanMove() bool {
	return u.IsAdmin() || (u.Permission>>5)&1 == 1
}

func (u *User) CanCopy() bool {
	return u.IsAdmin() || (u.Permission>>6)&1 == 1
}

func (u *User) CanRemove() bool {
	return u.IsAdmin() || (u.Permission>>7)&1 == 1
}

func (u *User) CanWebdavRead() bool {
	return u.IsAdmin() || (u.Permission>>8)&1 == 1
}

func (u *User) CanWebdavManage() bool {
	return u.IsAdmin() || (u.Permission>>9)&1 == 1
}

func (u *User) CanAddQbittorrentTasks() bool {
	return u.IsAdmin() || (u.Permission>>10)&1 == 1
}

func (u *User) JoinPath(reqPath string) (string, error) {
	return utils.JoinBasePath(u.BasePath, reqPath)
}

func StaticHash(password string) string {
	return utils.GetSHA256Encode([]byte(fmt.Sprintf("%s-%s", password, StaticHashSalt)))
}

func HashPwd(static string, salt string) string {
	return utils.GetSHA256Encode([]byte(fmt.Sprintf("%s-%s", static, salt)))
}

func TwoHashPwd(password string, salt string) string {
	return HashPwd(StaticHash(password), salt)
}
feat: add user model 2022-06-16 08:06:10 +00:00			`package model`

chore: init users 2022-06-25 14:05:02 +00:00			`import (`
perf: sha256 for user's password (close #3552) 2023-08-06 14:09:17 +00:00			`"fmt"`

chore: init users 2022-06-25 14:05:02 +00:00			`"github.com/alist-org/alist/v3/internal/errs"`
fix: check if the req path is relative path (close #2531) 2022-11-30 13:38:00 +00:00			`"github.com/alist-org/alist/v3/pkg/utils"`
feat: rehash password with a unique salt for each user 2023-08-07 07:46:19 +00:00			`"github.com/alist-org/alist/v3/pkg/utils/random"`
chore: init users 2022-06-25 14:05:02 +00:00			`"github.com/pkg/errors"`
			`)`
feat: user jwt login 2022-06-25 13:34:44 +00:00
feat: add user model 2022-06-16 08:06:10 +00:00			`const (`
			`GENERAL = iota`
			`GUEST // only one exists`
			`ADMIN`
			`)`

feat: rehash password with a unique salt for each user 2023-08-07 07:46:19 +00:00			`const StaticHashSalt = "https://github.com/alist-org/alist"`
perf: sha256 for user's password (close #3552) 2023-08-06 14:09:17 +00:00
feat: add user model 2022-06-16 08:06:10 +00:00			`type User struct {`
chore: user permissions 2022-06-29 10:03:12 +00:00			ID uint `json:"id" gorm:"primaryKey"` // unique key
			Username string `json:"username" gorm:"unique" binding:"required"` // username
perf: sha256 for user's password (close #3552) 2023-08-06 14:09:17 +00:00			PwdHash string `json:"-"` // password hash
feat: rehash password with a unique salt for each user 2023-08-07 07:46:19 +00:00			`Salt string // unique salt`
fix: missed update user's password 2023-08-07 10:51:54 +00:00			Password string `json:"password"` // password
feat: rehash password with a unique salt for each user 2023-08-07 07:46:19 +00:00			BasePath string `json:"base_path"` // base path
			Role int `json:"role"` // user's role
feat!: allow disable user (close #3241) From this commit, the guest user will be disabled by default 2023-02-04 03:44:17 +00:00			Disabled bool `json:"disabled"`
chore: user permissions 2022-06-29 10:03:12 +00:00			`// Determine permissions by bit`
feat: support qbittorrent (close #3087 in #3333) * feat(qbittorrent): authorization and logging in support * feat(qbittorrent/client): support `AddFromLink` * refactor(qbittorrent/client): check authorization when getting a new client * feat(qbittorrent/client): support `GetInfo` * test(qbittorrent/client): update test cases * feat(qbittorrent): init qbittorrent client on bootstrap * feat(qbittorrent): support setting webui url via gin * feat(qbittorrent/client): support deleting * feat(qbittorrent/client): parse `TorrentStatus` enum when unmarshalling json in `GetInfo()` * feat(qbittorrent/client): support getting files by id * feat(qbittorrent): support adding qbittorrent tasks via gin * refactor(qbittorrent/client): return a `Client` interface in `New()` instead of `client` refactor: task handle * chore: fix typo * chore: change path --------- Co-authored-by: Andy Hsu <i@nn.ci> 2023-02-14 07:20:45 +00:00			`// 0: can see hidden files`
			`// 1: can access without password`
			`// 2: can add aria2 tasks`
			`// 3: can mkdir and upload`
			`// 4: can rename`
			`// 5: can move`
			`// 6: can copy`
			`// 7: can remove`
			`// 8: webdav read`
			`// 9: webdav write`
			`// 10: can add qbittorrent tasks`
chore: ignore opt_secret while marshal 2022-08-08 08:29:56 +00:00			Permission int32 `json:"permission"`
			OtpSecret string `json:"-"`
feat: SSO auto register (close #4692 in #4795) Co-authored-by: Andy Hsu <i@nn.ci> 2023-07-20 08:30:30 +00:00			SsoID string `json:"sso_id"` // unique by sso platform
feat: add user model 2022-06-16 08:06:10 +00:00			`}`

feat: rehash password with a unique salt for each user 2023-08-07 07:46:19 +00:00			`func (u *User) IsGuest() bool {`
feat: add user model 2022-06-16 08:06:10 +00:00			`return u.Role == GUEST`
			`}`

feat: rehash password with a unique salt for each user 2023-08-07 07:46:19 +00:00			`func (u *User) IsAdmin() bool {`
feat: add user model 2022-06-16 08:06:10 +00:00			`return u.Role == ADMIN`
			`}`
feat: user jwt login 2022-06-25 13:34:44 +00:00
feat: rehash password with a unique salt for each user 2023-08-07 07:46:19 +00:00			`func (u *User) ValidateRawPassword(password string) error {`
			`return u.ValidatePwdStaticHash(StaticHash(password))`
perf: sha256 for user's password (close #3552) 2023-08-06 14:09:17 +00:00			`}`

feat: rehash password with a unique salt for each user 2023-08-07 07:46:19 +00:00			`func (u *User) ValidatePwdStaticHash(pwdStaticHash string) error {`
			`if pwdStaticHash == "" {`
chore: init users 2022-06-25 14:05:02 +00:00			`return errors.WithStack(errs.EmptyPassword)`
feat: user jwt login 2022-06-25 13:34:44 +00:00			`}`
feat: rehash password with a unique salt for each user 2023-08-07 07:46:19 +00:00			`if u.PwdHash != HashPwd(pwdStaticHash, u.Salt) {`
chore: init users 2022-06-25 14:05:02 +00:00			`return errors.WithStack(errs.WrongPassword)`
feat: user jwt login 2022-06-25 13:34:44 +00:00			`}`
			`return nil`
			`}`
chore: change permission check 2022-06-29 09:08:31 +00:00
feat: rehash password with a unique salt for each user 2023-08-07 07:46:19 +00:00			`func (u User) SetPassword(pwd string) User {`
			`u.Salt = random.String(16)`
			`u.PwdHash = TwoHashPwd(pwd, u.Salt)`
			`return u`
			`}`

			`func (u *User) CanSeeHides() bool {`
chore: user permissions 2022-06-29 10:03:12 +00:00			`return u.IsAdmin() \|\| u.Permission&1 == 1`
			`}`

feat: rehash password with a unique salt for each user 2023-08-07 07:46:19 +00:00			`func (u *User) CanAccessWithoutPassword() bool {`
chore: user permissions 2022-06-29 10:03:12 +00:00			`return u.IsAdmin() \|\| (u.Permission>>1)&1 == 1`
			`}`

feat: rehash password with a unique salt for each user 2023-08-07 07:46:19 +00:00			`func (u *User) CanAddAria2Tasks() bool {`
chore: user permissions 2022-06-29 10:03:12 +00:00			`return u.IsAdmin() \|\| (u.Permission>>2)&1 == 1`
			`}`

feat: rehash password with a unique salt for each user 2023-08-07 07:46:19 +00:00			`func (u *User) CanWrite() bool {`
chore: user permissions 2022-06-29 10:03:12 +00:00			`return u.IsAdmin() \|\| (u.Permission>>3)&1 == 1`
			`}`

feat: rehash password with a unique salt for each user 2023-08-07 07:46:19 +00:00			`func (u *User) CanRename() bool {`
feat: add write field to list resp 2022-06-30 07:53:57 +00:00			`return u.IsAdmin() \|\| (u.Permission>>4)&1 == 1`
chore: user permissions 2022-06-29 10:03:12 +00:00			`}`

feat: rehash password with a unique salt for each user 2023-08-07 07:46:19 +00:00			`func (u *User) CanMove() bool {`
feat: add write field to list resp 2022-06-30 07:53:57 +00:00			`return u.IsAdmin() \|\| (u.Permission>>5)&1 == 1`
chore: user permissions 2022-06-29 10:03:12 +00:00			`}`

feat: rehash password with a unique salt for each user 2023-08-07 07:46:19 +00:00			`func (u *User) CanCopy() bool {`
feat: add write field to list resp 2022-06-30 07:53:57 +00:00			`return u.IsAdmin() \|\| (u.Permission>>6)&1 == 1`
chore: user permissions 2022-06-29 10:03:12 +00:00			`}`

feat: rehash password with a unique salt for each user 2023-08-07 07:46:19 +00:00			`func (u *User) CanRemove() bool {`
feat: add write field to list resp 2022-06-30 07:53:57 +00:00			`return u.IsAdmin() \|\| (u.Permission>>7)&1 == 1`
chore: user permissions 2022-06-29 10:03:12 +00:00			`}`

feat: rehash password with a unique salt for each user 2023-08-07 07:46:19 +00:00			`func (u *User) CanWebdavRead() bool {`
feat: add write field to list resp 2022-06-30 07:53:57 +00:00			`return u.IsAdmin() \|\| (u.Permission>>8)&1 == 1`
chore: user permissions 2022-06-29 10:03:12 +00:00			`}`

feat: rehash password with a unique salt for each user 2023-08-07 07:46:19 +00:00			`func (u *User) CanWebdavManage() bool {`
feat: add write field to list resp 2022-06-30 07:53:57 +00:00			`return u.IsAdmin() \|\| (u.Permission>>9)&1 == 1`
chore: change permission check 2022-06-29 09:08:31 +00:00			`}`
fix: check if the req path is relative path (close #2531) 2022-11-30 13:38:00 +00:00
feat: rehash password with a unique salt for each user 2023-08-07 07:46:19 +00:00			`func (u *User) CanAddQbittorrentTasks() bool {`
feat: support qbittorrent (close #3087 in #3333) * feat(qbittorrent): authorization and logging in support * feat(qbittorrent/client): support `AddFromLink` * refactor(qbittorrent/client): check authorization when getting a new client * feat(qbittorrent/client): support `GetInfo` * test(qbittorrent/client): update test cases * feat(qbittorrent): init qbittorrent client on bootstrap * feat(qbittorrent): support setting webui url via gin * feat(qbittorrent/client): support deleting * feat(qbittorrent/client): parse `TorrentStatus` enum when unmarshalling json in `GetInfo()` * feat(qbittorrent/client): support getting files by id * feat(qbittorrent): support adding qbittorrent tasks via gin * refactor(qbittorrent/client): return a `Client` interface in `New()` instead of `client` refactor: task handle * chore: fix typo * chore: change path --------- Co-authored-by: Andy Hsu <i@nn.ci> 2023-02-14 07:20:45 +00:00			`return u.IsAdmin() \|\| (u.Permission>>10)&1 == 1`
			`}`

feat: rehash password with a unique salt for each user 2023-08-07 07:46:19 +00:00			`func (u *User) JoinPath(reqPath string) (string, error) {`
fix: check if the req path is relative path (close #2531) 2022-11-30 13:38:00 +00:00			`return utils.JoinBasePath(u.BasePath, reqPath)`
			`}`
perf: sha256 for user's password (close #3552) 2023-08-06 14:09:17 +00:00
feat: rehash password with a unique salt for each user 2023-08-07 07:46:19 +00:00			`func StaticHash(password string) string {`
			`return utils.GetSHA256Encode([]byte(fmt.Sprintf("%s-%s", password, StaticHashSalt)))`
			`}`

			`func HashPwd(static string, salt string) string {`
			`return utils.GetSHA256Encode([]byte(fmt.Sprintf("%s-%s", static, salt)))`
			`}`

			`func TwoHashPwd(password string, salt string) string {`
			`return HashPwd(StaticHash(password), salt)`
perf: sha256 for user's password (close #3552) 2023-08-06 14:09:17 +00:00			`}`