feat: auth flags, FS features, Web UI polish, Vite 5

- Add -auth user:pass and -auth-scope write|all; remove legacy -user/-pass
- Basic Auth: write-only by default when auth is set; scope=all protects reads
- FS: batch upload, mkdir, optional delete, path hardening tests
- Web: MUI theme, layout, breadcrumbs, mobile-friendly tables, empty state
- Build: Vite 5, cross-env for clean NODE_OPTIONS, Makefile yarn build fix
- Docs and README updates for API and curl examples

Made-with: Cursor

Author: Tian Xiaoqiang

.github/workflows/release.yml

@@ -16,7 +16,7 @@ jobs:
 
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.23'
+          go-version: '1.24'
 
       - uses: actions/setup-node@v4
         with:
@@ -26,7 +26,7 @@ jobs:
         run: yarn install --registry https://registry.npmmirror.com
 
       - name: Build frontend
-        run: yarn build web
+        run: yarn build
 
       - name: Build binaries
         run: |
@@ -46,7 +46,7 @@ jobs:
           for target in "${targets[@]}"; do
             os="${target%/*}"
             arch="${target#*/}"
-            output="dist/fileserver-${VERSION}-${os}-${arch}"
+            output="dist/fileserver-${os}-${arch}"
             if [ "$os" = "windows" ]; then
               output="${output}.exe"
             fi

Makefile

@@ -1,5 +1,5 @@
 build-web:
-	@yarn && yarn build web
+	@yarn && yarn build
 
 build-server:
 	@go build -o ./tmp/fileserver .

README.md

@@ -7,6 +7,7 @@ The `fileserver` can be used as a static file server to share your file and also
 - File download
 - File upload (batch upload supported)
 - Directory creation
+- File/directory deletion (opt-in via `-allow-delete`)
 - HTTPS supported
 - Basic Auth
 - Web UI
@@ -20,14 +21,20 @@ The `fileserver` can be used as a static file server to share your file and also
 # Basic usage
 ./fileserver -port 8880 -basedir /path/to/files
 
-# With basic auth
-./fileserver -port 8880 -basedir /path/to/files -user admin -pass secret
+# With Basic Auth (default: only uploads / mkdir / delete need credentials; browsing is public)
+./fileserver -port 8880 -basedir /path/to/files -auth "admin:secret"
+
+# Require Basic Auth for every request (including reads)
+./fileserver -port 8880 -basedir /path/to/files -auth "admin:secret" -auth-scope all
 
 # With TLS
 ./fileserver -port 8443 -basedir /path/to/files -tls-cert cert.pem -tls-key key.pem
 
-# With TLS and basic auth
-./fileserver -port 8443 -basedir /path/to/files -tls-cert cert.pem -tls-key key.pem -user admin -pass secret
+# With TLS and Basic Auth
+./fileserver -port 8443 -basedir /path/to/files -tls-cert cert.pem -tls-key key.pem -auth "admin:secret"
+
+# Enable deletion
+./fileserver -port 8880 -basedir /path/to/files -allow-delete
 ```
 
 #### Flags
@@ -38,14 +45,13 @@ The `fileserver` can be used as a static file server to share your file and also
 | `-basedir` | `.`     | Which directory to serve     |
 | `-tls-cert`| `""`    | TLS cert file location       |
 | `-tls-key` | `""`    | TLS key file location        |
-| `-user`    | `""`    | Basic auth username          |
-| `-pass`    | `""`    | Basic auth password          |
-
-> When `-user` and `-pass` are both set, all requests (WebUI and API) require HTTP Basic Authentication.
+| `-auth`    | `""`    | Basic auth as `username:password` (password may contain `:`). Empty disables Basic auth |
+| `-auth-scope` | `write` | With `-auth`: `write` = only POST/PUT/PATCH/DELETE need auth; `all` = every request needs auth |
+| `-allow-delete` | `false` | Enable file/directory deletion |
 
 ### API usage
 
-When basic auth is enabled, add `-u user:pass` to all curl commands.
+When Basic Auth is enabled, add `-u user:pass` to curl for requests that require credentials. With the default `-auth-scope write`, **GET/HEAD** (download, JSON listing) are usually anonymous; **POST** (upload, mkdir), **PUT**, and **DELETE** need `-u`. With `-auth-scope all`, add `-u` to every request.
 
 **File upload - Using default file name**
 
@@ -55,7 +61,7 @@ Following command will upload the `img.png` to the directory `/image/a/b/c/` on
  $ # or
  $ curl -F 'file=@img.png' http://localhost:8880/image/a/b/c/
 
- # With basic auth
+ # With Basic Auth (upload is a write)
  $ curl -u admin:secret -T img.png http://localhost:8880/image/a/b/c/
  ```
 
@@ -76,24 +82,33 @@ Following command will upload the `img.png` to the directory `/image/a/b/c/` on
 ```bash
 $ curl -X POST 'http://localhost:8880/path/to/?action=mkdir&name=new-folder'
 
-# With basic auth
+# With Basic Auth
 $ curl -u admin:secret -X POST 'http://localhost:8880/path/to/?action=mkdir&name=new-folder'
 ```
 
 **File download**
 ```bash
 $ curl http://localhost:8880/image/a/b/c/another.png
 
-# With basic auth
-$ curl -u admin:secret http://localhost:8880/image/a/b/c/another.png
+# Only needed if `-auth-scope all`; with default `write`, download is anonymous
+$ curl http://localhost:8880/image/a/b/c/another.png
+```
+
+**Delete file or directory** (requires `-allow-delete`; with Basic Auth, DELETE is a write — add `-u` when `-auth` is set)
+```bash
+# Delete a file
+$ curl -u admin:secret -X DELETE http://localhost:8880/path/to/file.txt
+
+# Delete a directory (recursively)
+$ curl -u admin:secret -X DELETE http://localhost:8880/path/to/dir/
 ```
 
 **List directory (JSON)**
 ```bash
 $ curl http://localhost:8880/path/to/dir/
 
-# With basic auth
-$ curl -u admin:secret http://localhost:8880/path/to/dir/
+# Only needed if `-auth-scope all`; with default `write`, JSON listing is anonymous
+$ curl http://localhost:8880/path/to/dir/
 ```
 
 ### UI usage

go.mod

@@ -1,3 +1,3 @@
 module github.com/aix3/fileserver
 
-go 1.17
+go 1.24

main.go

@@ -3,55 +3,109 @@ package main
 import (
 	"flag"
 	"fmt"
+	"log"
 	"net/http"
 	"runtime/debug"
+	"strings"
 
 	"github.com/aix3/fileserver/server"
 )
 
 type config struct {
-	port     int
-	basedir  string
-	certFile string
-	keyFile  string
-	username string
-	password string
+	port          int
+	basedir       string
+	certFile      string
+	keyFile       string
+	username      string
+	password      string
+	authWriteOnly bool
+	allowDelete   bool
 }
 
 var defaultConfig = config{
-	port:     8880,
-	basedir:  ".",
-	certFile: "",
-	keyFile:  "",
-	username: "",
-	password: "",
+	port:          8880,
+	basedir:       ".",
+	certFile:      "",
+	keyFile:       "",
+	username:      "",
+	password:      "",
+	authWriteOnly: true,
+	allowDelete:   false,
 }
 
+var (
+	flagAuth      string
+	flagAuthScope string
+)
+
 func init() {
 	flag.IntVar(&defaultConfig.port, "port", defaultConfig.port, "which port to listen on")
 	flag.StringVar(&defaultConfig.basedir, "basedir", defaultConfig.basedir, "which directory to serve on")
 	flag.StringVar(&defaultConfig.certFile, "tls-cert", defaultConfig.certFile, "TLS cert file location")
 	flag.StringVar(&defaultConfig.keyFile, "tls-key", defaultConfig.keyFile, "TLS key file location")
-	flag.StringVar(&defaultConfig.username, "user", defaultConfig.username, "basic auth username")
-	flag.StringVar(&defaultConfig.password, "pass", defaultConfig.password, "basic auth password")
+
+	flag.StringVar(&flagAuth, "auth", "", `HTTP Basic credentials as "username:password" (password may contain ":"). Empty disables Basic auth`)
+	flag.StringVar(&flagAuthScope, "auth-scope", "write", `with -auth: "write" = only mutations need Basic Auth (default); "all" = every request needs Basic Auth`)
+
+	flag.BoolVar(&defaultConfig.allowDelete, "allow-delete", defaultConfig.allowDelete, "enable file/directory deletion")
+}
+
+func applyAuthFlags() {
+	auth := strings.TrimSpace(flagAuth)
+	scope := strings.TrimSpace(flagAuthScope)
+	if scope == "" {
+		scope = "write"
+	}
+
+	if auth != "" {
+		user, pass, err := parseAuthPair(auth)
+		if err != nil {
+			log.Fatal(err)
+		}
+		if user == "" {
+			log.Fatal(`-auth: username must not be empty (use "username:password")`)
+		}
+		defaultConfig.username = user
+		defaultConfig.password = pass
+		switch strings.ToLower(scope) {
+		case "write":
+			defaultConfig.authWriteOnly = true
+		case "all":
+			defaultConfig.authWriteOnly = false
+		default:
+			log.Fatalf(`-auth-scope: want "write" or "all", got %q`, scope)
+		}
+	}
+}
+
+// parseAuthPair splits on the first ":" only so the password may contain colons.
+func parseAuthPair(s string) (user, pass string, err error) {
+	i := strings.IndexByte(s, ':')
+	if i < 0 {
+		return "", "", fmt.Errorf(`-auth: expected "username:password"`)
+	}
+	return s[:i], s[i+1:], nil
 }
 
 func main() {
 	flag.Parse()
+	applyAuthFlags()
 
 	mux := http.NewServeMux()
 
 	fs := &server.FSHandler{
-		Basedir: defaultConfig.basedir,
+		Basedir:     defaultConfig.basedir,
+		AllowDelete: defaultConfig.allowDelete,
 	}
 	ui := &server.UIHandler{
 		Fs: fs,
 	}
 
 	handler := &server.BasicAuthHandler{
-		Username: defaultConfig.username,
-		Password: defaultConfig.password,
-		Next:     server.NewCompHandler(ui, fs),
+		Username:      defaultConfig.username,
+		Password:      defaultConfig.password,
+		AuthWriteOnly: defaultConfig.authWriteOnly,
+		Next:          server.NewCompHandler(ui, fs),
 	}
 	mux.Handle("/", handler)
 

main_test.go

@@ -0,0 +1,33 @@
+package main
+
+import "testing"
+
+func Test_parseAuthPair(t *testing.T) {
+	t.Parallel()
+	cases := []struct {
+		in       string
+		wantUser string
+		wantPass string
+		wantErr  bool
+	}{
+		{"admin:secret", "admin", "secret", false},
+		{"a:b:c:d", "a", "b:c:d", false},
+		{"user:", "user", "", false},
+		{"u", "", "", true},
+	}
+	for _, tc := range cases {
+		u, p, err := parseAuthPair(tc.in)
+		if tc.wantErr {
+			if err == nil {
+				t.Fatalf("parseAuthPair(%q): want error", tc.in)
+			}
+			continue
+		}
+		if err != nil {
+			t.Fatalf("parseAuthPair(%q): %v", tc.in, err)
+		}
+		if u != tc.wantUser || p != tc.wantPass {
+			t.Fatalf("parseAuthPair(%q) = (%q,%q), want (%q,%q)", tc.in, u, p, tc.wantUser, tc.wantPass)
+		}
+	}
+}

package.json

@@ -2,10 +2,14 @@
   "name": "fileserver",
   "version": "1.0.0",
   "private": true,
+  "engines": {
+    "node": ">=18"
+  },
+  "type": "module",
   "scripts": {
-    "dev": "vite web",
-    "build": "vite build web",
-    "serve": "vite preview web"
+    "dev": "cross-env NODE_OPTIONS= vite web",
+    "build": "cross-env NODE_OPTIONS= vite build web",
+    "serve": "cross-env NODE_OPTIONS= vite preview web"
   },
   "dependencies": {
     "@emotion/react": "^11.9.0",
@@ -15,15 +19,17 @@
     "@mui/material": "^5.6.0",
     "axios": "^0.26.1",
     "humanize": "^0.0.9",
-    "react-dropzone": "^12.0.5",
     "react": "^17.0.2",
-    "react-dom": "^17.0.2"
+    "react-dom": "^17.0.2",
+    "react-dropzone": "^12.0.5"
   },
   "devDependencies": {
+    "@types/react": "^17.0.0",
     "@types/react-dom": "^17.0.2",
-    "@vitejs/plugin-react": "^1.3.0",
+    "@vitejs/plugin-react": "^4.3.4",
+    "cross-env": "^7.0.3",
     "less": "^4.1.2",
     "rollup-plugin-visualizer": "^5.6.0",
-    "vite": "^2.9.1"
+    "vite": "^5.4.21"
   }
 }

server/auth.go

@@ -5,14 +5,33 @@ import (
 	"net/http"
 )
 
+// BasicAuthHandler enforces HTTP Basic authentication when Username is set
+// (Password may be empty). When AuthWriteOnly is true, only state-changing
+// methods require a valid Authorization header; GET/HEAD (and other reads)
+// are allowed without credentials.
 type BasicAuthHandler struct {
-	Username string
-	Password string
-	Next     http.Handler
+	Username      string
+	Password      string
+	AuthWriteOnly bool
+	Next          http.Handler
+}
+
+func writeLikeRequest(r *http.Request) bool {
+	switch r.Method {
+	case http.MethodPost, http.MethodPut, http.MethodPatch, http.MethodDelete:
+		return true
+	default:
+		return false
+	}
 }
 
 func (h *BasicAuthHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	if h.Username == "" && h.Password == "" {
+	if h.Username == "" {
+		h.Next.ServeHTTP(w, r)
+		return
+	}
+
+	if h.AuthWriteOnly && !writeLikeRequest(r) {
 		h.Next.ServeHTTP(w, r)
 		return
 	}