Upload 21 files

auth.py

@@ -0,0 +1,110 @@
+"""
+Auth dependencies for the Space backend.
+
+Verifies JWT tokens by calling the Admin Worker's /auth/me endpoint.
+Results are cached in-memory (TTL-based) to avoid hitting the Worker on every request.
+No JWT_SECRET needed on the Space side.
+"""
+
+import time
+from dataclasses import dataclass
+
+import httpx
+from fastapi import Request, WebSocket, HTTPException
+
+from config import ADMIN_API_URL
+
+
+@dataclass
+class AuthUser:
+    """Authenticated user extracted from JWT."""
+    sub: str        # user ID
+    username: str
+    role: str       # "admin" or "user"
+
+
+# ── Token verification cache ──
+# Maps token -> (AuthUser, expiry_timestamp)
+_token_cache: dict[str, tuple[AuthUser, float]] = {}
+_CACHE_TTL = 300  # 5 minutes
+
+
+def _cleanup_cache():
+    """Remove expired entries from cache."""
+    now = time.time()
+    expired = [k for k, (_, exp) in _token_cache.items() if exp < now]
+    for k in expired:
+        del _token_cache[k]
+
+
+def verify_token(token: str) -> AuthUser | None:
+    """Verify a token by calling Worker /auth/me, with caching."""
+    if not token or not ADMIN_API_URL:
+        return None
+
+    # Check cache first
+    now = time.time()
+    cached = _token_cache.get(token)
+    if cached:
+        user, expiry = cached
+        if expiry > now:
+            return user
+        else:
+            del _token_cache[token]
+
+    # Call Worker to verify
+    try:
+        resp = httpx.get(
+            f"{ADMIN_API_URL}/auth/me",
+            headers={"Authorization": f"Bearer {token}"},
+            timeout=10,
+        )
+        if resp.status_code != 200:
+            return None
+
+        data = resp.json()
+        user_data = data.get("user")
+        if not user_data:
+            return None
+
+        user = AuthUser(
+            sub=user_data.get("id", ""),
+            username=user_data.get("username", ""),
+            role=user_data.get("role", "user"),
+        )
+
+        if not user.sub or not user.username:
+            return None
+
+        # Cache the result
+        _token_cache[token] = (user, now + _CACHE_TTL)
+
+        # Periodic cleanup
+        if len(_token_cache) > 100:
+            _cleanup_cache()
+
+        return user
+
+    except Exception:
+        return None
+
+
+def get_current_user(request: Request) -> AuthUser:
+    """FastAPI dependency: extract and verify JWT from Authorization header."""
+    auth_header = request.headers.get("Authorization", "")
+    if not auth_header.startswith("Bearer "):
+        raise HTTPException(401, "Chưa đăng nhập")
+
+    token = auth_header[7:]
+    user = verify_token(token)
+    if not user:
+        raise HTTPException(401, "Token không hợp lệ hoặc đã hết hạn")
+    return user
+
+
+def get_ws_user(websocket: WebSocket) -> AuthUser | None:
+    """Extract and verify JWT from WebSocket query parameter ?token=..."""
+    token = websocket.query_params.get("token", "")
+    if not token:
+        return None
+    return verify_token(token)

routers/files.py

@@ -10,17 +10,24 @@ import shutil
 from datetime import datetime
 from pathlib import Path
 
-from fastapi import APIRouter, Form, File, UploadFile, Query, HTTPException
+from fastapi import APIRouter, Depends, Form, File, UploadFile, Query, HTTPException
 from fastapi.responses import FileResponse
 
-from storage import get_zone_path, safe_path
+from auth import AuthUser, get_current_user
+from storage import get_zone_path, safe_path, check_zone_owner
 
 router = APIRouter(prefix="/api/zones/{zone_name}/files", tags=["files"])
 
 
+def _check_access(zone_name: str, user: AuthUser):
+    """Validate zone access for the current user."""
+    check_zone_owner(zone_name, user.sub, user.role)
+
+
 @router.get("")
-def list_files(zone_name: str, path: str = Query("")):
+def list_files(zone_name: str, path: str = Query(""), user: AuthUser = Depends(get_current_user)):
     try:
+        _check_access(zone_name, user)
         zone_path = get_zone_path(zone_name)
         target = safe_path(zone_path, path)
         if not target.is_dir():
@@ -39,8 +46,9 @@ def list_files(zone_name: str, path: str = Query("")):
 
 
 @router.get("/read")
-def read_file(zone_name: str, path: str = Query(...)):
+def read_file(zone_name: str, path: str = Query(...), user: AuthUser = Depends(get_current_user)):
     try:
+        _check_access(zone_name, user)
         zone_path = get_zone_path(zone_name)
         target = safe_path(zone_path, path)
         if not target.is_file():
@@ -51,8 +59,9 @@ def read_file(zone_name: str, path: str = Query(...)):
 
 
 @router.get("/download")
-def download_file(zone_name: str, path: str = Query(...)):
+def download_file(zone_name: str, path: str = Query(...), user: AuthUser = Depends(get_current_user)):
     try:
+        _check_access(zone_name, user)
         zone_path = get_zone_path(zone_name)
         target = safe_path(zone_path, path)
         if not target.is_file():
@@ -63,8 +72,9 @@ def download_file(zone_name: str, path: str = Query(...)):
 
 
 @router.post("/write")
-def write_file(zone_name: str, path: str = Form(...), content: str = Form(...)):
+def write_file(zone_name: str, path: str = Form(...), content: str = Form(...), user: AuthUser = Depends(get_current_user)):
     try:
+        _check_access(zone_name, user)
         zone_path = get_zone_path(zone_name)
         target = safe_path(zone_path, path)
         target.parent.mkdir(parents=True, exist_ok=True)
@@ -75,8 +85,9 @@ def write_file(zone_name: str, path: str = Form(...), content: str = Form(...)):
 
 
 @router.post("/mkdir")
-def create_folder(zone_name: str, path: str = Form(...)):
+def create_folder(zone_name: str, path: str = Form(...), user: AuthUser = Depends(get_current_user)):
     try:
+        _check_access(zone_name, user)
         zone_path = get_zone_path(zone_name)
         target = safe_path(zone_path, path)
         target.mkdir(parents=True, exist_ok=True)
@@ -86,8 +97,9 @@ def create_folder(zone_name: str, path: str = Form(...)):
 
 
 @router.post("/upload")
-async def upload_file(zone_name: str, path: str = Form(""), file: UploadFile = File(...)):
+async def upload_file(zone_name: str, path: str = Form(""), file: UploadFile = File(...), user: AuthUser = Depends(get_current_user)):
     try:
+        _check_access(zone_name, user)
         zone_path = get_zone_path(zone_name)
         dest = safe_path(zone_path, os.path.join(path, file.filename))
         dest.parent.mkdir(parents=True, exist_ok=True)
@@ -99,8 +111,9 @@ async def upload_file(zone_name: str, path: str = Form(""), file: UploadFile = F
 
 
 @router.delete("")
-def delete_file(zone_name: str, path: str = Query(...)):
+def delete_file(zone_name: str, path: str = Query(...), user: AuthUser = Depends(get_current_user)):
     try:
+        _check_access(zone_name, user)
         zone_path = get_zone_path(zone_name)
         target = safe_path(zone_path, path)
         if target == zone_path.resolve():
@@ -117,8 +130,9 @@ def delete_file(zone_name: str, path: str = Query(...)):
 
 
 @router.post("/rename")
-def rename_file(zone_name: str, old_path: str = Form(...), new_name: str = Form(...)):
+def rename_file(zone_name: str, old_path: str = Form(...), new_name: str = Form(...), user: AuthUser = Depends(get_current_user)):
     try:
+        _check_access(zone_name, user)
         zone_path = get_zone_path(zone_name)
         source = safe_path(zone_path, old_path)
         if not source.exists():

routers/ports.py

@@ -5,10 +5,11 @@ Single Responsibility: only handles port CRUD for zones.
 Reverse proxy logic is in proxy.py — separate reason to change.
 """
 
-from fastapi import APIRouter, Form, HTTPException
+from fastapi import APIRouter, Depends, Form, HTTPException
 
+from auth import AuthUser, get_current_user
 from config import MIN_PORT, MAX_PORT
-from storage import load_meta, save_meta
+from storage import load_meta, save_meta, check_zone_owner
 
 router = APIRouter(prefix="/api/zones/{zone_name}/ports", tags=["ports"])
 
@@ -24,8 +25,9 @@ def _validate_zone(meta: dict, zone_name: str):
 
 
 @router.get("")
-def list_ports(zone_name: str):
+def list_ports(zone_name: str, user: AuthUser = Depends(get_current_user)):
     try:
+        check_zone_owner(zone_name, user.sub, user.role)
         meta = load_meta()
         _validate_zone(meta, zone_name)
         return meta[zone_name].get("ports", [])
@@ -34,9 +36,10 @@ def list_ports(zone_name: str):
 
 
 @router.post("")
-def add_port(zone_name: str, port: int = Form(...), label: str = Form("")):
+def add_port(zone_name: str, port: int = Form(...), label: str = Form(""), user: AuthUser = Depends(get_current_user)):
     try:
         _validate_port(port)
+        check_zone_owner(zone_name, user.sub, user.role)
         meta = load_meta()
         _validate_zone(meta, zone_name)
 
@@ -54,8 +57,9 @@ def add_port(zone_name: str, port: int = Form(...), label: str = Form("")):
 
 
 @router.delete("/{port}")
-def remove_port(zone_name: str, port: int):
+def remove_port(zone_name: str, port: int, user: AuthUser = Depends(get_current_user)):
     try:
+        check_zone_owner(zone_name, user.sub, user.role)
         meta = load_meta()
         _validate_zone(meta, zone_name)
 

routers/proxy.py

@@ -9,11 +9,12 @@ import asyncio
 import json
 
 import httpx
-from fastapi import APIRouter, Request, WebSocket, WebSocketDisconnect
+from fastapi import APIRouter, Depends, Request, WebSocket, WebSocketDisconnect
 from fastapi.responses import Response
 
+from auth import AuthUser, get_current_user, get_ws_user
 from config import MIN_PORT, MAX_PORT
-from storage import load_meta
+from storage import load_meta, check_zone_owner
 
 router = APIRouter(tags=["proxy"])
 
@@ -56,9 +57,10 @@ def _validate_proxy_access(zone_name: str, port: int):
     "/port/{zone_name}/{port}/{subpath:path}",
     methods=["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS", "HEAD"],
 )
-async def proxy_http(request: Request, zone_name: str, port: int, subpath: str = ""):
+async def proxy_http(request: Request, zone_name: str, port: int, subpath: str = "", user: AuthUser = Depends(get_current_user)):
     try:
         _validate_proxy_access(zone_name, port)
+        check_zone_owner(zone_name, user.sub, user.role)
     except ValueError:
         return Response(content="Port not mapped", status_code=404)
 
@@ -101,8 +103,15 @@ async def proxy_http(request: Request, zone_name: str, port: int, subpath: str =
 
 @router.websocket("/port/{zone_name}/{port}/ws/{subpath:path}")
 async def proxy_ws(websocket: WebSocket, zone_name: str, port: int, subpath: str = ""):
+    # Authenticate via query parameter
+    user = get_ws_user(websocket)
+    if not user:
+        await websocket.close(code=4001, reason="Chưa đăng nhập")
+        return
+
     try:
         _validate_proxy_access(zone_name, port)
+        check_zone_owner(zone_name, user.sub, user.role)
     except ValueError:
         await websocket.close(code=4004, reason="Port not mapped")
         return

routers/terminal.py

@@ -18,7 +18,8 @@ import termios
 from fastapi import APIRouter, WebSocket, WebSocketDisconnect
 
 from config import SCROLLBACK_SIZE
-from storage import get_zone_path
+from storage import get_zone_path, check_zone_owner
+from auth import get_ws_user
 
 router = APIRouter(tags=["terminal"])
 
@@ -132,6 +133,19 @@ def kill_terminal(zone_name: str):
 
 @router.websocket("/ws/terminal/{zone_name}")
 async def terminal_ws(websocket: WebSocket, zone_name: str):
+    # Authenticate via query parameter
+    user = get_ws_user(websocket)
+    if not user:
+        await websocket.close(code=4001, reason="Chưa đăng nhập")
+        return
+
+    # Check zone ownership
+    try:
+        check_zone_owner(zone_name, user.sub, user.role)
+    except ValueError as e:
+        await websocket.close(code=4003, reason=str(e))
+        return
+
     await websocket.accept()
 
     try:

routers/zones.py

@@ -9,10 +9,11 @@ import shutil
 from datetime import datetime
 
 import httpx
-from fastapi import APIRouter, Form, HTTPException
+from fastapi import APIRouter, Depends, Form, HTTPException
 
+from auth import AuthUser, get_current_user
 from config import DATA_DIR, ADMIN_API_URL
-from storage import load_meta, save_meta, validate_zone_name
+from storage import load_meta, save_meta, validate_zone_name, check_zone_owner
 from routers.terminal import kill_terminal
 
 router = APIRouter(prefix="/api/zones", tags=["zones"])
@@ -32,7 +33,7 @@ def _get_max_zones() -> int:
 
 
 @router.get("")
-def list_zones():
+def list_zones(user: AuthUser = Depends(get_current_user)):
     meta = load_meta()
     return [
         {
@@ -42,22 +43,24 @@ def list_zones():
             "exists": (DATA_DIR / name).is_dir(),
         }
         for name, info in meta.items()
+        if user.role == "admin" or info.get("owner_id") == user.sub
     ]
 
 
 @router.post("")
-def create_zone(name: str = Form(...), description: str = Form("")):
+def create_zone(name: str = Form(...), description: str = Form(""), user: AuthUser = Depends(get_current_user)):
     try:
         validate_zone_name(name)
         zone_path = DATA_DIR / name
         if zone_path.exists():
             raise ValueError(f"Zone '{name}' đã tồn tại")
 
-        # Check zone limit
+        # Check zone limit (per-user for non-admin)
         max_zones = _get_max_zones()
         if max_zones > 0:
             meta = load_meta()
-            if len(meta) >= max_zones:
+            user_zones = [n for n, info in meta.items() if info.get("owner_id") == user.sub]
+            if len(user_zones) >= max_zones:
                 raise ValueError(f"Đã đạt giới hạn {max_zones} zones")
 
         zone_path.mkdir(parents=True)
@@ -66,7 +69,12 @@ def create_zone(name: str = Form(...), description: str = Form("")):
         )
 
         meta = load_meta()
-        meta[name] = {"created": datetime.now().isoformat(), "description": description}
+        meta[name] = {
+            "created": datetime.now().isoformat(),
+            "description": description,
+            "owner_id": user.sub,
+            "owner_name": user.username,
+        }
         save_meta(meta)
         return {"name": name, "path": str(zone_path)}
     except ValueError as e:
@@ -74,9 +82,11 @@ def create_zone(name: str = Form(...), description: str = Form("")):
 
 
 @router.delete("/{zone_name}")
-def delete_zone(zone_name: str):
+def delete_zone(zone_name: str, user: AuthUser = Depends(get_current_user)):
     try:
         validate_zone_name(zone_name)
+        check_zone_owner(zone_name, user.sub, user.role)
+
         zone_path = DATA_DIR / zone_name
         if not zone_path.exists():
             raise ValueError(f"Zone '{zone_name}' không tồn tại")

static/app.js

@@ -178,8 +178,8 @@ function hugpanel() {
     async api(url, options = {}) {
       try {
         const headers = options.headers || {};
-        // Add JWT token for backup API calls (proxied to Worker)
-        if (this.token && url.startsWith('/api/backup')) {
+        // Add JWT token to all API calls
+        if (this.token) {
           headers['Authorization'] = `Bearer ${this.token}`;
         }
         const resp = await fetch(url, { ...options, headers: { ...headers, ...options.headers } });
@@ -451,11 +451,23 @@ function hugpanel() {
       } catch {}
     },
 
-    downloadFile(path, name) {
-      const a = document.createElement('a');
-      a.href = `/api/zones/${this.currentZone}/files/download?path=${encodeURIComponent(path)}`;
-      a.download = name;
-      a.click();
+    async downloadFile(path, name) {
+      try {
+        const resp = await fetch(
+          `/api/zones/${this.currentZone}/files/download?path=${encodeURIComponent(path)}`,
+          { headers: this.token ? { 'Authorization': `Bearer ${this.token}` } : {} }
+        );
+        if (!resp.ok) throw new Error('Download failed');
+        const blob = await resp.blob();
+        const url = URL.createObjectURL(blob);
+        const a = document.createElement('a');
+        a.href = url;
+        a.download = name;
+        a.click();
+        URL.revokeObjectURL(url);
+      } catch (err) {
+        this.notify(err.message, 'error');
+      }
     },
 
     startRename(file) {
@@ -543,7 +555,7 @@ function hugpanel() {
 
       // WebSocket
       const proto = location.protocol === 'https:' ? 'wss:' : 'ws:';
-      const wsUrl = `${proto}//${location.host}/ws/terminal/${this.currentZone}`;
+      const wsUrl = `${proto}//${location.host}/ws/terminal/${this.currentZone}?token=${encodeURIComponent(this.token || '')}`;
       this.termWs = new WebSocket(wsUrl);
       this.termWs.binaryType = 'arraybuffer';
 

storage.py

@@ -46,3 +46,15 @@ def safe_path(zone_path: Path, rel_path: str) -> Path:
     if target != zone_resolved and not str(target).startswith(str(zone_resolved) + os.sep):
         raise ValueError("Truy cập ngoài zone không được phép")
     return target
+
+
+def check_zone_owner(zone_name: str, user_sub: str, user_role: str):
+    """Check that the user owns the zone. Admins can access all zones."""
+    if user_role == "admin":
+        return
+    meta = load_meta()
+    info = meta.get(zone_name)
+    if not info:
+        raise ValueError(f"Zone '{zone_name}' không tồn tại")
+    if info.get("owner_id") != user_sub:
+        raise ValueError("Bạn không có quyền truy cập zone này")