restic / rest-server

Rest Server is a high performance HTTP server that implements restic's REST backend API.
BSD 2-Clause "Simplified" License

Allow for alphanumeric characters in usernames #134

Closed elch86 closed 3 years ago

elch86 commented 3 years ago

Output of rest-server --version

rest-server 0.10.0-dev compiled with go1.11.6 on linux/amd64

What should rest-server do differently?

Apparently, usernames are restricted to letters only - which I think is not documented anywhere, but I may have overlooked the hint. Instead of letters only, restic/rest-server should at least allow alphanumeric characters to e.g. accommodate host names with numbers in them.

What are you trying to do? What is your use case?

Trying to name the restic repo after the host's name. The hostname contains at least one number, which restic/rest-server refuses to accept:

Jan 3 19:44:01 apu2d22 rest-server[17176]: Ignoring invalid username "wd40" in htpasswd, consists of characters other than letters

Did rest-server help you today? Did it make you happy in any way?

Not yet, this is my first repo.. already failing ;)

rawtaz commented 3 years ago

Which version of rest-server are you using?

elch86 commented 3 years ago

rest-server 0.10.0-dev compiled with go1.11.6 on linux/amd64. Not sure if the fix below would be sufficient, but I am currently giving it a try and will tell as soon as I hit a wall:

elch@apu2d22:~/rest-server$ git diff htpasswd.go
diff --git a/htpasswd.go b/htpasswd.go
index d319e05..55d5acb 100644
--- a/htpasswd.go
+++ b/htpasswd.go
@@ -100,7 +100,7 @@ func (h *HtpasswdFile) throttleTimer() {
        }
 }

-var validUsernameRegexp = regexp.MustCompile(`^[\p{L}@.-]+$`)
+var validUsernameRegexp = regexp.MustCompile(`^[\d\p{L}@.-]+$`)

 // Reload reloads the htpasswd file. If the reload fails, the Users map is not changed and the error is returned.
 func (h *HtpasswdFile) Reload() error {
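
Review bot: The warning logged for rejected names still reads "consists of characters other than letters", which no longer describes the class on the `+var validUsernameRegexp` line; update that message in the same change so it names the full allowed set (letters, digits, `@`, `.`, `-`), and document the set, since the report says it is not documented anywhere. In Go's regexp syntax `\d` matches only ASCII 0-9 while `\p{L}` matches any Unicode letter, so say in a comment above the variable whether that asymmetry is intended. The class also matches names made only of dots, such as `..`, before and after this change; if the user name is used as a path element, reject those explicitly. A test case for a name like "wd40" would pin the new behaviour.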

MichaelEischer commented 3 years ago

@elch86 The diff looks fine, could you open a PR to make the change?

wojas commented 3 years ago

Fix suggested in duplicate #136:

The code contains a folderPathValid function that should be used to validate the username instead, so that the username check uses the same restrictions as the filesystem code.

I can PR that change.

elch86 commented 3 years ago

Thanks a lot @wojas !

wojas commented 3 years ago

Fixed in https://github.com/restic/rest-server/pull/137

I updated the regexp for now, just realized that folderPathValid is added in unmerged PR #112.
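
An added example, not code from rest-server or from anyone in this thread: it runs the old and new patterns from the diff above over a constructed htpasswd file to show which user names each one accepts. `CheckHtpasswd`, `Verdict`, `pathSafe` and the sample entries are hypothetical, and the dot-only check assumes the user name is also used as a directory name.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Patterns copied from the diff in this thread.
var (
	oldUsernameRegexp = regexp.MustCompile(`^[\p{L}@.-]+$`)
	newUsernameRegexp = regexp.MustCompile(`^[\d\p{L}@.-]+$`)
)

// Verdict records how one htpasswd user name fares under each check.
type Verdict struct {
	Name         string
	OldOK, NewOK bool
	PathSafe     bool
}

// pathSafe is a hypothetical extra check, not rest-server code. Assuming the
// name is also used as a directory name, it rejects dot-only names (".", "..").
func pathSafe(name string) bool { return strings.Trim(name, ".") != "" }

// CheckHtpasswd evaluates the user name of each "user:hash" line; other lines are skipped.
func CheckHtpasswd(content string) []Verdict {
	var out []Verdict
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.IndexByte(line, ':'); i >= 0 {
			name := line[:i]
			out = append(out, Verdict{name, oldUsernameRegexp.MatchString(name),
				newUsernameRegexp.MatchString(name), pathSafe(name)})
		}
	}
	return out
}

// Constructed sample file; "HASH" stands in for a real password hash.
// "host\u0663" ends in a non-ASCII digit, which \d does not match in Go.
const sample = "alice:HASH\nwd40:HASH\nback_up:HASH\n..:HASH\nhost\u0663:HASH\n"

func main() {
	for _, v := range CheckHtpasswd(sample) {
		fmt.Printf("%-10q old=%-5v new=%-5v pathSafe=%v\n", v.Name, v.OldOK, v.NewOK, v.PathSafe)
	}
}
```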