package handler import ( "crypto/sha256" "encoding/hex" "encoding/json" "log/slog" "net/http" "os" "path/filepath" "strings" "codeberg.org/VARASYS/ZDDC/zddc/internal/apps" "codeberg.org/VARASYS/ZDDC/zddc/internal/config" appfs "codeberg.org/VARASYS/ZDDC/zddc/internal/fs" "codeberg.org/VARASYS/ZDDC/zddc/internal/policy" "codeberg.org/VARASYS/ZDDC/zddc/internal/zddc" ) // listingETag returns a hex-encoded SHA-256 prefix of the rendered JSON // listing body. Truncated to 16 chars (64 bits) — collisions on a // listing of any realistic size are vanishingly unlikely, and the short // header keeps the wire footprint trim. func listingETag(body []byte) string { h := sha256.Sum256(body) return hex.EncodeToString(h[:8]) } // safeJoin joins fsRoot and relPath, then verifies the result is under fsRoot. // Returns ("", false) if relPath would escape fsRoot. func safeJoin(fsRoot, relPath string) (string, bool) { abs := filepath.Join(fsRoot, filepath.FromSlash(relPath)) if !strings.HasPrefix(abs, fsRoot+string(filepath.Separator)) && abs != fsRoot { return "", false } return abs, true } // ServeDirectory handles a request for a directory path. // If Accept: application/json → return Caddy-compatible JSON listing. // Otherwise → return minimal HTML. func ServeDirectory(cfg config.Config, w http.ResponseWriter, r *http.Request) { urlPath := r.URL.Path if !strings.HasSuffix(urlPath, "/") { http.Redirect(w, r, urlPath+"/", http.StatusMovedPermanently) return } email := EmailFromContext(r) decider := DeciderFromContext(r) ctx := r.Context() // Compute relative dir path (no leading or trailing slash) dirPath := strings.TrimPrefix(urlPath, "/") dirPath = strings.TrimSuffix(dirPath, "/") // ACL check on this directory itself. // Bypassed at the root path: the landing page is a public project // picker. Per-project filtering inside fs.ListDirectory still hides // directories the caller can't reach. absDir, ok := safeJoin(cfg.Root, dirPath) if !ok { http.Error(w, "Not Found", http.StatusNotFound) return } chain, err := zddc.EffectivePolicy(cfg.Root, absDir) if err != nil { slog.Warn("ACL policy error", "path", absDir, "err", err) } isRoot := dirPath == "" if !isRoot { if allowed, _ := policy.AllowFromChain(ctx, decider, chain, email, urlPath); !allowed { http.Error(w, "Forbidden", http.StatusForbidden) return } } accept := r.Header.Get("Accept") // For HTML requests, serve index.html if present (landing page convention) if !strings.Contains(accept, "application/json") { indexPath := filepath.Join(absDir, "index.html") if info, err := os.Stat(indexPath); err == nil && !info.IsDir() { ServeFile(w, r, indexPath) return } } // Build base URL for listing entries baseURL := urlPath // relative URLs suffice for JSON listings entries, err := appfs.ListDirectory(ctx, decider, cfg.Root, dirPath, email, baseURL) if err != nil { if os.IsNotExist(err) { http.Error(w, "Not Found", http.StatusNotFound) } else { slog.Error("listing directory", "path", dirPath, "err", err) http.Error(w, "Internal Server Error", http.StatusInternalServerError) } return } // Vary: Accept is critical — the same URL serves either the JSON // listing or the embedded browse.html depending on the Accept // header. Without Vary, browsers/CDNs cache one response and // serve it for the other Accept value, breaking browse.html's // auto-detect (which fetches the same URL with Accept: JSON). w.Header().Set("Vary", "Accept") if strings.Contains(accept, "application/json") { // Content-hash ETag on the listing payload. Re-fetched on every // request (the cascade is walked, ACL filter applied, JSON // rendered, hashed) — that's the same server work the previous // no-cache version did. The win is on the *response*: identical // listings (e.g. the same vendor refreshing their archive page) // short-circuit to 304 with no body. // // Crucially, this scheme tolerates unreliable filesystem // watching (Azure SMB, network shares with delayed inotify): // the ETag is the actual response hash, not a watcher-derived // invalidation token, so it can never lie about content. body, err := json.Marshal(entries) if err != nil { slog.Error("encoding directory listing", "err", err) http.Error(w, "Internal Server Error", http.StatusInternalServerError) return } etag := `"` + listingETag(body) + `"` w.Header().Set("Content-Type", "application/json") w.Header().Set("ETag", etag) w.Header().Set("Cache-Control", "private, max-age=0, must-revalidate") if match := r.Header.Get("If-None-Match"); match != "" && match == etag { w.WriteHeader(http.StatusNotModified) return } _, _ = w.Write(body) return } // Browser HTML fallback: serve the embedded `browse` tool. It's a // single-file SPA whose autoDetectServerMode loads the JSON listing // for the current directory and renders it as a sortable, filterable // tree. Same bytes that get served at //browse.html — but at // the bare directory URL too, so any zddc-served folder presents a // usable file browser to anyone who navigates to it. body := apps.EmbeddedBytes("browse") if len(body) == 0 { // Bootstrap state: a fresh build hasn't populated browse.html // into the embed yet. Fall through to JSON for clients that // will still parse it. w.Header().Set("Content-Type", "application/json") w.Header().Set("Cache-Control", "no-cache") if err := json.NewEncoder(w).Encode(entries); err != nil { slog.Error("encoding directory listing (no-embed fallback)", "err", err) } return } // ETag + max-age=0 + must-revalidate: every request re-validates and // gets a 304 unless the binary has been redeployed (the ETag is a // content hash, computed once at startup and memoized in apps.embed). // Saves re-transmitting ~230 KB of browse.html on every page load // while still picking up redeploys immediately. etag := `"` + apps.EmbeddedETag("browse") + `"` w.Header().Set("ETag", etag) w.Header().Set("Cache-Control", "public, max-age=0, must-revalidate") w.Header().Set("Content-Type", "text/html; charset=utf-8") w.Header().Set("X-ZDDC-Source", "embedded:browse") if match := r.Header.Get("If-None-Match"); match != "" && match == etag { w.WriteHeader(http.StatusNotModified) return } _, _ = w.Write(body) }