Add alternative link gen when served behind cloudflared

README.md

@@ -279,6 +279,7 @@ All environment variables can be defined in a file named `.env` at the root leve
 | YEETFILE_CACHE_MAX_FILE_SIZE | The maximum file size to cache | 0 | An int value of bytes |
 | YEETFILE_TLS_KEY | The SSL key to use for connections | | The string key contents (not a file path) |
 | YEETFILE_TLS_CERT | The SSL cert to use for connections | | The string cert contents (not a file path) |
+| YEETFILE_ALLOW_INSECURE_LINKS | Allows YeetFile Send links to include the key in a URL param | 0 | `0` (disabled) or `1` (enabled) |
 | YEETFILE_INSTANCE_ADMIN | The user ID or email of the user to set as admin | | A valid YeetFile email or account ID |
 | YEETFILE_LIMITER_SECONDS | The number of seconds to use in rate limiting repeated requests | 30 | Any number of seconds |
 | YEETFILE_LIMITER_ATTEMPTS | The number of attempts to allow before rate limiting | 6 | Any number of requests |

backend/config/config.go

@@ -17,31 +17,38 @@ import (
 // General configuration
 // =============================================================================
 
-const LocalStorage = "local"
-const B2Storage = "b2"
-
-var defaultSecret = []byte("yeetfile-debug-secret-key-123456")
-var storageType = utils.GetEnvVar("YEETFILE_STORAGE", LocalStorage)
-var domain = os.Getenv("YEETFILE_DOMAIN")
-var defaultUserMaxPasswords = utils.GetEnvVarInt("YEETFILE_DEFAULT_MAX_PASSWORDS", -1)
-var defaultUserStorage = utils.GetEnvVarInt64("YEETFILE_DEFAULT_USER_STORAGE", -1)
-var defaultUserSend = utils.GetEnvVarInt64("YEETFILE_DEFAULT_USER_SEND", -1)
-var maxNumUsers = utils.GetEnvVarInt("YEETFILE_MAX_NUM_USERS", -1)
-var password = []byte(utils.GetEnvVar("YEETFILE_SERVER_PASSWORD", ""))
-var secret = utils.GetEnvVarBytesB64("YEETFILE_SERVER_SECRET", defaultSecret)
-var fallbackWebSecret = utils.GetEnvVarBytesB64(
-	"YEETFILE_FALLBACK_WEB_SECRET",
-	securecookie.GenerateRandomKey(32))
-var limiterSeconds = utils.GetEnvVarInt("YEETFILE_LIMITER_SECONDS", 30)
-var limiterAttempts = utils.GetEnvVarInt("YEETFILE_LIMITER_ATTEMPTS", 6)
-
-var TLSCert = utils.GetEnvVar("YEETFILE_TLS_CERT", "")
-var TLSKey = utils.GetEnvVar("YEETFILE_TLS_KEY", "")
-
-var IsDebugMode = utils.GetEnvVarBool("YEETFILE_DEBUG", false)
-var IsLockedDown = utils.GetEnvVarBool("YEETFILE_LOCKDOWN", false)
-
-var InstanceAdmin = utils.GetEnvVar("YEETFILE_INSTANCE_ADMIN", "")
+const (
+	LocalStorage = "local"
+	B2Storage    = "b2"
+)
+
+var (
+	storageType             = utils.GetEnvVar("YEETFILE_STORAGE", LocalStorage)
+	domain                  = os.Getenv("YEETFILE_DOMAIN")
+	defaultUserMaxPasswords = utils.GetEnvVarInt("YEETFILE_DEFAULT_MAX_PASSWORDS", -1)
+	defaultUserStorage      = utils.GetEnvVarInt64("YEETFILE_DEFAULT_USER_STORAGE", -1)
+	defaultUserSend         = utils.GetEnvVarInt64("YEETFILE_DEFAULT_USER_SEND", -1)
+	maxNumUsers             = utils.GetEnvVarInt("YEETFILE_MAX_NUM_USERS", -1)
+	password                = []byte(utils.GetEnvVar("YEETFILE_SERVER_PASSWORD", ""))
+	allowInsecureLinks      = utils.GetEnvVarBool("YEETFILE_ALLOW_INSECURE_LINKS", false)
+
+	// Limiter config
+	limiterSeconds  = utils.GetEnvVarInt("YEETFILE_LIMITER_SECONDS", 30)
+	limiterAttempts = utils.GetEnvVarInt("YEETFILE_LIMITER_ATTEMPTS", 6)
+
+	defaultSecret     = []byte("yeetfile-debug-secret-key-123456")
+	secret            = utils.GetEnvVarBytesB64("YEETFILE_SERVER_SECRET", defaultSecret)
+	fallbackWebSecret = utils.GetEnvVarBytesB64(
+		"YEETFILE_FALLBACK_WEB_SECRET",
+		securecookie.GenerateRandomKey(32))
+
+	TLSCert = utils.GetEnvVar("YEETFILE_TLS_CERT", "")
+	TLSKey  = utils.GetEnvVar("YEETFILE_TLS_KEY", "")
+
+	IsDebugMode   = utils.GetEnvVarBool("YEETFILE_DEBUG", false)
+	IsLockedDown  = utils.GetEnvVarBool("YEETFILE_LOCKDOWN", false)
+	InstanceAdmin = utils.GetEnvVar("YEETFILE_INSTANCE_ADMIN", "")
+)
 
 // =============================================================================
 // Email configuration (used in account verification and billing reminders)
@@ -115,6 +122,7 @@ type ServerConfig struct {
 	PasswordHash        []byte
 	ServerSecret        []byte
 	FallbackWebSecret   []byte
+	AllowInsecureLinks  bool
 	LimiterSeconds      int
 	LimiterAttempts     int
 }
@@ -171,6 +179,7 @@ func init() {
 		PasswordHash:        passwordHash,
 		ServerSecret:        secret,
 		FallbackWebSecret:   fallbackWebSecret,
+		AllowInsecureLinks:  allowInsecureLinks,
 		LimiterSeconds:      limiterSeconds,
 		LimiterAttempts:     limiterAttempts,
 	}

backend/server/html/handlers.go

@@ -124,9 +124,10 @@ func SendPageHandler(w http.ResponseWriter, req *http.Request, _ string) {
 				Config:    config.HTMLConfig,
 				Endpoints: endpoints.HTMLPageEndpoints,
 			},
-			SendUsed:        sendUsed,
-			SendAvailable:   sendAvailable,
-			ShowUpgradeLink: showUpgradeLink,
+			SendUsed:           sendUsed,
+			SendAvailable:      sendAvailable,
+			ShowUpgradeLink:    showUpgradeLink,
+			AllowInsecureLinks: config.YeetFileConfig.AllowInsecureLinks,
 		},
 	)
 }

backend/server/html/templates/send.html

@@ -92,8 +92,21 @@ <h1>Send</h1>
                     <td><a data-testid="file-link" id="file-link" href=""></a></td>
                 </tr>
                 <tr>
-                    <td><button id="copy-link" class="accent-btn">Copy Link</button></td>
+                    <td>
+                        <button id="copy-link" class="accent-btn">Copy Link</button>
+                        {{ if .AllowInsecureLinks }}
+                        <button id="create-insecure-link">Create Insecure Link</button>
+                        {{ end }}
+                    </td>
                 </tr>
+                {{ if .AllowInsecureLinks }}
+                <tr>
+                    <td>
+                        <span class="small-text">Note: Insecure links make the file key visible to the server, but
+                            allow sharing the link from behind a proxy like Cloudflared.</span>
+                    </td>
+                </tr>
+                {{ end }}
             </table>
             <hr>
         </div>

backend/server/html/templates/templates.go

@@ -63,10 +63,11 @@ type LoginTemplate struct {
 }
 
 type SendTemplate struct {
-	Base            BaseTemplate
-	SendUsed        int64
-	SendAvailable   int64
-	ShowUpgradeLink bool
+	Base               BaseTemplate
+	SendUsed           int64
+	SendAvailable      int64
+	ShowUpgradeLink    bool
+	AllowInsecureLinks bool
 }
 
 type VaultTemplate struct {

web/ts/download.ts

@@ -27,7 +27,7 @@ const init = () => {
 
 const handleMetadata = async (download: interfaces.DownloadResponse) => {
     // Attempt to decrypt without a password first
-    let secret = location.hash.slice(1);
+    let secret = getSecret();
 
     let key = await crypto.importKey(fromURLSafeBase64(secret));
     decryptName(key, download.name).then(result => {
@@ -38,6 +38,16 @@ const handleMetadata = async (download: interfaces.DownloadResponse) => {
     });
 }
 
+const getSecret = (): string => {
+    let params = new URLSearchParams(document.location.search);
+    let secret = params.get("secret");
+    if (!secret) {
+        return location.hash.slice(1);
+    }
+
+    return secret;
+}
+
 const showDownload = (name, download, key) => {
     let downloadBtn = document.getElementById("download-nopass") as HTMLButtonElement;
 
@@ -167,7 +177,7 @@ const promptPassword = (download) => {
     let btn = document.getElementById("submit") as HTMLButtonElement;
 
     btn.addEventListener("click", async () => {
-        let secret = fromURLSafeBase64(location.hash.slice(1));
+        let secret = fromURLSafeBase64(getSecret());
 
         setFormEnabled(false);
         updatePasswordBtn("Validating", true);

web/ts/share.ts

@@ -16,6 +16,7 @@ type SendForm = {
 const init = () => {
     setupTypeToggles();
     setupCopyButton();
+    setupInsecureLinkButton();
     updateProgressBar();
 
     let usePasswordCB = document.getElementById("use-password") as HTMLInputElement;
@@ -493,6 +494,33 @@ const setupCopyButton = () => {
     })
 }
 
+const setupInsecureLinkButton = () => {
+    let insecureLinkBtn = document.getElementById("create-insecure-link") as HTMLButtonElement;
+    if (!insecureLinkBtn) {
+        return;
+    }
+
+    let link = document.getElementById("file-link") as HTMLAnchorElement;
+    insecureLinkBtn.addEventListener("click", event => {
+        event.preventDefault();
+
+        let linkArray = link.href.split("#");
+        if (linkArray.length <= 1) {
+            alert("Invalid link format");
+            return;
+        }
+
+        let baseLink = linkArray.slice(0, linkArray.length - 1);
+        let secret = linkArray[linkArray.length - 1];
+
+        let newLink = `${baseLink}?secret=${secret}`;
+        link.href = newLink;
+        link.innerText = newLink;
+
+        insecureLinkBtn.className = "hidden";
+    });
+}
+
 const setupTypeToggles = () => {
     let uploadTextBtn = document.getElementById("upload-text-btn");
     let uploadTextRow = document.getElementById("upload-text-row");