benbusby
diff --git a/‎README.md‎
Lines changed: 1 addition & 0 deletions b/‎README.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎backend/config/config.go‎
Lines changed: 12 additions & 3 deletions b/‎backend/config/config.go‎
Lines changed: 12 additions & 3 deletions
diff --git a/‎backend/db/invites.go‎
Lines changed: 74 additions & 0 deletions b/‎backend/db/invites.go‎
Lines changed: 74 additions & 0 deletions
diff --git a/‎backend/db/scripts/migrations/7_create_invites_table.sql‎
Lines changed: 7 additions & 0 deletions b/‎backend/db/scripts/migrations/7_create_invites_table.sql‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎backend/mail/invite.go‎
Lines changed: 43 additions & 0 deletions b/‎backend/mail/invite.go‎
Lines changed: 43 additions & 0 deletions
diff --git a/‎backend/server/admin/handlers.go‎
Lines changed: 23 additions & 0 deletions b/‎backend/server/admin/handlers.go‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎backend/server/admin/invite_actions.go‎
Lines changed: 53 additions & 0 deletions b/‎backend/server/admin/invite_actions.go‎
Lines changed: 53 additions & 0 deletions
diff --git a/‎backend/server/auth/handlers.go‎
Lines changed: 24 additions & 1 deletion b/‎backend/server/auth/handlers.go‎
Lines changed: 24 additions & 1 deletion
diff --git a/‎backend/server/html/handlers.go‎
Lines changed: 20 additions & 1 deletion b/‎backend/server/html/handlers.go‎
Lines changed: 20 additions & 1 deletion
diff --git a/‎backend/server/html/templates/admin.html‎
Lines changed: 25 additions & 0 deletions b/‎backend/server/html/templates/admin.html‎
Lines changed: 25 additions & 0 deletions
@@ -325,6 +325,7 @@ All environment variables can be defined in a file named `.env` at the root leve
 | YEETFILE_LIMITER_ATTEMPTS | The number of attempts to allow before rate limiting | 6 | Any number of requests |
 | YEETFILE_LOCKDOWN | Disables anonymous (not logged in) interactions | 0 | `1` to enable lockdown, `0` to allow anonymous usage |
 | YEETFILE_PROFILING | Enables server profiling on http://localhost:6060 | 0 | `1` to enable, `0` to disable (default) |
+| YEETFILE_ALLOW_INVITES | Allows the YeetFile instance admin to send unique invite codes to email addresses -- must also set `YEETFILE_SERVER_PASSWORD` and setup outgoing email (see [Misc Environment Variables](#misc-environment-variables)) | 0 | `1` to enable, `0` to disable (default) |
 
 #### Backblaze Environment Variables
 
 
@@ -48,9 +48,10 @@ var (
 	TLSCert = utils.GetEnvVar("YEETFILE_TLS_CERT", "")
 	TLSKey  = utils.GetEnvVar("YEETFILE_TLS_KEY", "")
 
-	IsDebugMode   = utils.GetEnvVarBool("YEETFILE_DEBUG", false)
-	IsLockedDown  = utils.GetEnvVarBool("YEETFILE_LOCKDOWN", false)
-	InstanceAdmin = utils.GetEnvVar("YEETFILE_INSTANCE_ADMIN", "")
+	IsDebugMode    = utils.GetEnvVarBool("YEETFILE_DEBUG", false)
+	IsLockedDown   = utils.GetEnvVarBool("YEETFILE_LOCKDOWN", false)
+	InstanceAdmin  = utils.GetEnvVar("YEETFILE_INSTANCE_ADMIN", "")
+	InvitesAllowed = utils.GetEnvVarBool("YEETFILE_ALLOW_INVITES", false)
 )
 
 // =============================================================================
@@ -157,6 +158,14 @@ func init() {
 		if err != nil {
 			panic(err)
 		}
+	} else if InvitesAllowed {
+		log.Fatalf("ERROR: You must set YEETFILE_SERVER_PASSWORD if " +
+			"YEETFILE_ALLOW_INVITES is enabled.")
+	}
+
+	if InvitesAllowed && !email.Configured {
+		log.Fatal("ERROR: Email must be configured if " +
+			"YEETFILE_ALLOW_INVITES is enabled.")
 	}
 
 	if slices.Equal(secret, defaultSecret) {
 
@@ -0,0 +1,74 @@
+package db
+
+import (
+	"fmt"
+	"github.com/lib/pq"
+	"strings"
+)
+
+type Invite struct {
+	Email    string
+	Code     string
+	CodeHash []byte
+}
+
+func AddInviteCodeHashes(inviteCodes []Invite) error {
+	valueStrings := make([]string, 0, len(inviteCodes))
+	valueArgs := make([]interface{}, 0, len(inviteCodes)*2)
+
+	for i, inviteCode := range inviteCodes {
+		valueStrings = append(valueStrings, fmt.Sprintf("($%d, $%d)", i*2+1, i*2+2))
+		valueArgs = append(valueArgs, inviteCode.Email)
+		valueArgs = append(valueArgs, inviteCode.CodeHash)
+	}
+
+	stmt := fmt.Sprintf(
+		"INSERT INTO invites (email, code_hash) VALUES %s",
+		strings.Join(valueStrings, ","),
+	)
+
+	_, err := db.Exec(stmt, valueArgs...)
+	return err
+}
+
+func GetInviteCodeHash(email string) ([]byte, error) {
+	var codeHash []byte
+	s := `SELECT code_hash FROM invites WHERE email=$1`
+	err := db.QueryRow(s, email).Scan(&codeHash)
+	if err != nil {
+		return nil, err
+	}
+
+	return codeHash, nil
+}
+
+func GetInvitesList() ([]string, error) {
+	var emails []string
+	s := `SELECT email FROM invites`
+	rows, err := db.Query(s)
+	defer rows.Close()
+	if err != nil {
+		return nil, err
+	}
+
+	for rows.Next() {
+		var email string
+		err = rows.Scan(&email)
+		if err != nil {
+			return nil, err
+		}
+		emails = append(emails, email)
+	}
+
+	return emails, nil
+}
+
+func RemoveInvites(email []string) error {
+	s := `DELETE FROM invites WHERE email=any($1)`
+	_, err := db.Exec(s, pq.Array(email))
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
@@ -0,0 +1,7 @@
+create table if not exists invites
+(
+    email     text  not null
+        constraint invites_pk
+            primary key,
+    code_hash bytea not null
+);
@@ -0,0 +1,43 @@
+package mail
+
+import (
+	"bytes"
+	"text/template"
+	"yeetfile/shared/endpoints"
+)
+
+type InviteEmail struct {
+	Code     string
+	Email    string
+	Domain   string
+	Endpoint string
+}
+
+var inviteSubject = "YeetFile Invite"
+var inviteBodyTemplate = template.Must(template.New("").Parse(
+	"Hello,\n\nYou have been invited to join a YeetFile instance at this " +
+		"domain: {{.Domain}}\n\n" +
+		"YeetFile is an open source platform that allows encrypted file " +
+		"sharing and storage.\n\n" +
+		"To create an account, you can use the following link:\n\n" +
+		"{{.Domain}}{{.Endpoint}}?email={{.Email}}&code={{.Code}}"))
+
+func SendInviteEmail(code string, to string) error {
+	var buf bytes.Buffer
+
+	inviteEmail := InviteEmail{
+		Code:     code,
+		Email:    to,
+		Domain:   smtpConfig.CallbackDomain,
+		Endpoint: string(endpoints.HTMLSignup),
+	}
+
+	err := inviteBodyTemplate.Execute(&buf, inviteEmail)
+	if err != nil {
+		return err
+	}
+
+	body := buf.String()
+	go sendEmail(to, inviteSubject, body)
+	return nil
+}
@@ -101,5 +101,28 @@ func FileActionHandler(w http.ResponseWriter, req *http.Request, _ string) {
 
 		_ = json.NewEncoder(w).Encode(fileInfo)
 	}
+}
+
+func InviteActionsHandler(w http.ResponseWriter, req *http.Request, _ string) {
+	var inviteAction shared.AdminInviteAction
+	err := utils.LimitedJSONReader(w, req.Body).Decode(&inviteAction)
+	if err != nil || len(inviteAction.Emails) == 0 {
+		http.Error(w, "Invalid request", http.StatusBadRequest)
+		return
+	}
 
+	switch req.Method {
+	case http.MethodPost:
+		err = createInvites(inviteAction.Emails)
+		if err != nil {
+			http.Error(w, "Error generating invites", http.StatusInternalServerError)
+			return
+		}
+	case http.MethodDelete:
+		err = deleteInvites(inviteAction.Emails)
+		if err != nil {
+			http.Error(w, "Error deleting invites", http.StatusInternalServerError)
+			return
+		}
+	}
 }
@@ -0,0 +1,53 @@
+package admin
+
+import (
+	"golang.org/x/crypto/bcrypt"
+	"log"
+	"yeetfile/backend/db"
+	"yeetfile/backend/mail"
+	"yeetfile/shared"
+)
+
+func createInvites(emails []string) error {
+	var invites []db.Invite
+	for _, email := range emails {
+		code := shared.GenRandomString(12)
+		codeHash, err := bcrypt.GenerateFromPassword([]byte(code), 8)
+		if err != nil {
+			log.Printf("Error generating invite code: %v\n", err)
+			return err
+		}
+
+		invite := db.Invite{
+			Email:    email,
+			Code:     code,
+			CodeHash: codeHash,
+		}
+
+		invites = append(invites, invite)
+	}
+
+	err := db.AddInviteCodeHashes(invites)
+	if err != nil {
+		return err
+	}
+
+	for _, invite := range invites {
+		err = mail.SendInviteEmail(invite.Code, invite.Email)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func deleteInvites(emails []string) error {
+	err := db.RemoveInvites(emails)
+	if err != nil {
+		log.Printf("Error deleting invites: %v\n", err)
+		return err
+	}
+
+	return nil
+}
@@ -69,10 +69,25 @@ func SignupHandler(w http.ResponseWriter, req *http.Request) {
 		err := bcrypt.CompareHashAndPassword(
 			config.YeetFileConfig.PasswordHash,
 			[]byte(signupData.ServerPassword))
+		errMsg := "Missing or invalid server password"
+
+		if err != nil && config.InvitesAllowed && len(signupData.Identifier) > 0 {
+			// Check if the provided password is an invite code
+			codeHash, dbErr := db.GetInviteCodeHash(signupData.Identifier)
+			if dbErr == nil && len(codeHash) > 0 {
+				err = bcrypt.CompareHashAndPassword(
+					codeHash,
+					[]byte(signupData.ServerPassword))
+				errMsg = "Invalid invite code"
+			}
+		}
+
 		if err != nil {
 			w.WriteHeader(http.StatusForbidden)
-			_, _ = w.Write([]byte("Missing or invalid server password"))
+			_, _ = w.Write([]byte(errMsg))
 			return
+		} else if err != nil && config.InvitesAllowed {
+
 		}
 	} else {
 		signupData.ServerPassword = "-"
@@ -247,6 +262,14 @@ func VerifyEmailHandler(w http.ResponseWriter, req *http.Request) {
 		}
 	}
 
+	// Remove invite entry
+	if config.InvitesAllowed {
+		err = db.RemoveInvites([]string{verifyEmail.Email})
+		if err != nil {
+			log.Printf("Error removing invite: %v\n", err)
+		}
+	}
+
 	// Remove verification entry
 	_ = db.DeleteVerification(verifyEmail.Email)
 	_ = session.SetSession(id, w, req)
 
@@ -154,7 +154,10 @@ func DownloadPageHandler(w http.ResponseWriter, req *http.Request) {
 }
 
 // SignupPageHandler returns the HTML page for signing up for an account
-func SignupPageHandler(w http.ResponseWriter, _ *http.Request) {
+func SignupPageHandler(w http.ResponseWriter, req *http.Request) {
+	inviteEmail := req.URL.Query().Get("email")
+	inviteCode := req.URL.Query().Get("code")
+
 	_ = templates.ServeTemplate(
 		w,
 		templates.SignupHTML,
@@ -169,6 +172,8 @@ func SignupPageHandler(w http.ResponseWriter, _ *http.Request) {
 			},
 			ServerPasswordRequired: config.YeetFileConfig.PasswordHash != nil,
 			EmailConfigured:        config.YeetFileConfig.Email.Configured,
+			InviteEmail:            inviteEmail,
+			InviteCode:             inviteCode,
 		},
 	)
 }
@@ -486,6 +491,18 @@ func CheckoutCompleteHandler(w http.ResponseWriter, req *http.Request) {
 }
 
 func AdminPageHandler(w http.ResponseWriter, _ *http.Request, id string) {
+	var (
+		err            error
+		pendingInvites []string
+	)
+
+	if config.InvitesAllowed {
+		pendingInvites, err = db.GetInvitesList()
+		if err != nil {
+			log.Printf("Error fetching pending invites: %v\n", err)
+		}
+	}
+
 	_ = templates.ServeTemplate(
 		w,
 		templates.AdminHTML,
@@ -498,6 +515,8 @@ func AdminPageHandler(w http.ResponseWriter, _ *http.Request, id string) {
 				Config:     config.HTMLConfig,
 				Endpoints:  endpoints.HTMLPageEndpoints,
 			},
+			InvitesAllowed: config.InvitesAllowed,
+			PendingInvites: pendingInvites,
 		},
 	)
 }
 
@@ -5,6 +5,31 @@
     <h1>Admin</h1>
     <hr>
 
+    {{ if .InvitesAllowed }}
+    <h3>Invites</h3>
+    {{ if .PendingInvites }}
+    <div>
+        <label for="pending-invites">Pending Invites:</label><br>
+        <select id="pending-invites" multiple size="10">
+            {{ range $val := .PendingInvites }}
+            <option value="{{$val}}">{{$val}}</option>
+            {{ end }}
+        </select>
+        <br>
+        <button id="revoke-invites" class="red-button">Revoke Selected Invites</button>
+    </div>
+    <hr class="half-hr">
+    {{ end }}
+
+    <div>
+        <label for="invite-emails">Insert a comma-separated list of emails to invite:</label><br>
+        <textarea id="invite-emails"></textarea>
+        <br>
+        <button id="send-invites" class="accent-btn">Send Invites</button>
+    </div>
+    <hr>
+    {{ end }}
+
     <h3>User Search</h3>
     <label for="user-id">User ID or Email:</label>
     <input type="text" id="user-id" placeholder="[email protected]"><br>