Passwords for files

code/app.py

@@ -8,13 +8,14 @@ from flask import (
     render_template,
     jsonify,
     request,
+    url_for,
+    redirect,
     send_from_directory,
+    session,
 )
 from werkzeug.utils import secure_filename
 from revprox import ReverseProxied
-from utils.misc import (
-    random_token,
-)
+from utils.misc import random_token, hash_password, verify_password
 from utils.files import (
     db_store_file,
     file_details,
@@ -53,6 +54,7 @@ def upload():
         -H "Name: my.file.ext" \
         -H "Max-Downloads: 4000" \
         -H "Expires-Days: 14" \
+        -H "Password: mypass" \
         -H "Secret: dff789f0bbe8183d32542" \
         "$FLASK_PUBLIC_URL"/upload
 
@@ -87,12 +89,17 @@ def upload():
         )
     if "Expires-hours" in request.headers:
         expires = int(time.time()) + 3600 * int(request.headers.get("Expires-hours"))
+    password = None
+    if "Password" in request.headers:
+        if request.headers["Password"] != "":
+            password = hash_password(request.headers["Password"])
 
     while True:
         token = random_token()
         folder = os.path.join(app.config["DATAFOLDER"], token)
         if not os.path.exists(folder):
             break
+
     filename = file_full_path(token, safe_filename)
     os.mkdir(folder)
 
@@ -112,7 +119,7 @@ def upload():
                     break
                 f.write(chunk)
 
-    db_store_file(token, safe_filename, expires, max_dl)
+    db_store_file(token, safe_filename, expires, max_dl, password)
     download_url = file_full_url(token, safe_filename)
     return "File uploaded\n%s\n" % (download_url,), 200
 
@@ -190,6 +197,10 @@ def download(name, token):
     """
     Download a file
     """
+
+    if "Password" in request.headers:
+        session[token] = request.headers["Password"]
+
     return download_file(token, name)
 
 
@@ -206,6 +217,26 @@ def script_mfl():
     )
 
 
+@app.route("/login", methods=["GET", "POST"])
+def login():
+    if request.method == "POST":
+        session[request.form["token"]] = request.form["password"]
+        return redirect(request.form["redirect"])
+
+    return render_template(
+        "login.html",
+        filename=session["name"],
+        redirect=session["redirect"],
+        token=session["token"],
+    )
+
+
+@app.route("/logout", methods=["GET"])
+def logout():
+    session.clear()
+    return "OK", 200
+
+
 def download_file(token, name):
     """
     check for file expiry, and send file if allowed
@@ -215,13 +246,22 @@ def download_file(token, name):
         return "Error", 404
     db_stat = db_get_file(token, name)
     if db_stat:
-        added, expires, downloads, max_dl = db_stat
+        added, expires, downloads, max_dl, password_hash = db_stat
     else:
         return "Error", 404
     if downloads >= max_dl and max_dl > -1:
         return "Expired", 401
     if expires < time.time():
         return "Expired", 401
+    if password_hash:
+        if verify_password(session.get(token, ""), password_hash):
+            pass
+        else:
+            session["token"] = token
+            session["name"] = name
+            session["redirect"] = url_for("download", name=name, token=token)
+            return redirect(url_for("login"))
+
     db_add_download(token, name)
     return send_from_directory(
         directory=os.path.join(app.config["DATAFOLDER"], token), path=name