mirror/syncthing
1
0
Fork 0
mirror of https://github.com/syncthing/syncthing.git synced 2026-05-14 01:56:31 -04:00
Code Issues Packages Projects Releases Wiki Activity
7,397 Commits 7 Branches 675 Tags
2f15670094146ecb326610b2ff5b165b70410f3e
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Emil Lundberg 2f15670094 lib/api: Extract session store (#9425) 
This is an extract from PR #9175, which can be reviewed in isolation to
reduce the volume of changes to review all at once in #9175. There are
about to be several services and API handlers that read and set cookies
and session state, so this abstraction will prove helpful.

In particular a motivating cause for this is that with the current
architecture in PR #9175, in `api.go` the [`webauthnService` needs to
access the
session](https://github.com/syncthing/syncthing/pull/9175/files#diff-e2e14f22d818b8e635572ef0ee7718dee875c365e07225d760a6faae8be7772dR309-R310)
for authentication purposes but needs to be instantiated before the
`configMuxBuilder` for config purposes, because the WebAuthn additions
to config management need to perform WebAuthn registration ceremonies,
but currently the session management is embedded in the
`basicAuthAndSessionMiddleware` which is [instantiated much
later](https://github.com/syncthing/syncthing/pull/9175/files#diff-e2e14f22d818b8e635572ef0ee7718dee875c365e07225d760a6faae8be7772dL371-R380)
and only if authentication is enabled in `guiCfg`. This refactorization
extracts the session management out from `basicAuthAndSessionMiddleware`
so that `basicAuthAndSessionMiddleware` and `webauthnService` can both
use the same shared session management service to perform session
management logic.

### Testing

This is a refactorization intended to not change any externally
observable behaviour, so existing tests (e.g., `api_auth_test.go`)
should cover this where appropriate. I have manually verified that:

- Appending `+ "foo"` to the cookie name in `createSession` causes
`TestHtmlFormLogin/invalid_URL_returns_403_before_auth_and_404_after_auth`
and `TestHtmlFormLogin/UTF-8_auth_works` to fail
- Inverting the return value of `hasValidSession` cases a whole bunch of
tests in `TestHTTPLogin` and `TestHtmlFormLogin` to fail
- (Fixed) Changing the cookie to `MaxAge: 1000` in `destroySession` does
NOT cause any tests to fail!
- Added tests `TestHtmlFormLogin/Logout_removes_the_session_cookie`,
`TestHTTPLogin/*/Logout_removes_the_session_cookie`,
`TestHtmlFormLogin/Session_cookie_is_invalid_after_logout` and
`TestHTTPLogin/200_path#01/Session_cookie_is_invalid_after_logout` to
cover this.
- Manually verified that these tests pass both before and after the
changes in this PR, and that changing the cookie to `MaxAge: 1000` or
not calling `m.tokens.Delete(cookie.Value)` in `destroySession` makes
the respective pair of tests fail.
2024-03-21 08:09:47 -04:00
.github
github: Convert issue templates into forms (fixes #9442)
2024-03-02 16:27:57 +01:00
assets
assets, gui: Losslessly compress all JPG, PNG, and PDF images (#6265)
2020-01-16 13:52:43 +01:00
cmd
all: Use own automaxprocs package that doesn't log (ref #9436) (#9437)
2024-02-27 13:05:19 +01:00
etc
etc/linux-desktop: use double dash for long options (#9301)
2023-12-23 11:16:47 +01:00
gui
gui, man, authors: Update docs, translations, and contributors
2024-03-18 03:45:22 +00:00
lib
lib/api: Extract session store (#9425)
2024-03-21 08:09:47 -04:00
man
gui, man, authors: Update docs, translations, and contributors
2024-03-18 03:45:22 +00:00
meta
build: Add more GitHub Actions
2023-02-22 10:56:55 +01:00
next-gen-gui
gui: Keep short deviceID length consistent + xrefs (fixes #9313) (#9314)
2024-01-02 17:31:57 +01:00
proto
lib/api: Save session & CSRF tokens to database, add option to stay logged in (fixes #9151) (#9284)
2024-01-04 10:07:12 +00:00
script
docker: Add support for setting umask (#9429)
2024-02-22 08:47:43 +00:00
test
lib/api: Remove remnants of CSRF tokens file mentions (ref #9284)
2024-01-23 12:07:58 +01:00
.codecov.yml
build: Add test coverage info (#7502)
2021-04-05 10:25:39 +02:00
.deepsource.toml
build: Fix deepsource test & exclude patterns (#7969)
2021-09-26 12:08:59 +02:00
.gitattributes
lib/protocol: Revert protobuf encoder changes in v0.14.17 (fixes #3855)
2017-01-01 17:19:00 +00:00
.gitignore
gitignore: All exe files, no editor configs (#9126)
2023-09-25 14:17:01 +00:00
.golangci.yml
golangci: Skip godox
2019-12-18 11:33:36 +01:00
.yamlfmt
build: Add more GitHub Actions
2023-02-22 10:56:55 +01:00
AUTHORS
gui, man, authors: Update docs, translations, and contributors
2024-03-18 03:45:22 +00:00
build.go
all: Use own automaxprocs package that doesn't log (ref #9436) (#9437)
2024-02-27 13:05:19 +01:00
build.ps1
build: Clean up build.sh, add build.ps1 (#6689)
2020-05-28 12:42:15 +02:00
build.sh
gui: Switch to Weblate for translations (#8777)
2023-02-07 12:22:08 +01:00
CONDUCT.md
conduct: Upgrade to Contributor Covenant
2018-06-20 23:53:06 +02:00
CONTRIBUTING.md
gui: Switch to Weblate for translations (#8777)
2023-02-07 12:22:08 +01:00
Dockerfile
build: Fixup Docker changes from previous (#9223)
2023-11-14 08:17:34 +01:00
Dockerfile.builder
build: Fixup Docker changes from previous (#9223)
2023-11-14 08:17:34 +01:00
Dockerfile.stcrashreceiver
build: Fixup Docker changes from previous (#9223)
2023-11-14 08:17:34 +01:00
Dockerfile.stdiscosrv
build: Fixup Docker changes from previous (#9223)
2023-11-14 08:17:34 +01:00
Dockerfile.strelaypoolsrv
build: Fixup Docker changes from previous (#9223)
2023-11-14 08:17:34 +01:00
Dockerfile.strelaysrv
build: Fixup Docker changes from previous (#9223)
2023-11-14 08:17:34 +01:00
Dockerfile.stupgrades
build: Fixup Docker changes from previous (#9223)
2023-11-14 08:17:34 +01:00
Dockerfile.ursrv
build: Ursrv image for infrastructure
2023-11-15 08:48:00 +01:00
go.mod
build: Update dependencies (#9448)
2024-03-04 20:39:43 +01:00
go.sum
build: Update dependencies (#9448)
2024-03-04 20:39:43 +01:00
GOALS.md
readme: Style fixes, add security note (#9136)
2023-09-28 11:55:48 +02:00
LICENSE
all: Update license url to https (ref #3976)
2017-02-09 08:04:16 +01:00
README-Docker.md
docker: Add support for setting umask (#9429)
2024-02-22 08:47:43 +00:00
README.md
Fix website security link in README.md (#9325)
2024-01-06 23:58:56 +01:00
tools.go
build: Update quic-go for Go 1.19 (#8483)
2022-08-03 15:43:26 +02:00

README.md

Syncthing

MPLv2 License CII Best Practices Go Report Card

Goals

Syncthing is a continuous file synchronization program. It synchronizes files between two or more computers. We strive to fulfill the goals below. The goals are listed in order of importance, the most important ones first. This is the summary version of the goal list - for more commentary, see the full Goals document.

Syncthing should be:

  1. Safe From Data Loss

    Protecting the user's data is paramount. We take every reasonable precaution to avoid corrupting the user's files.

  2. Secure Against Attackers

    Again, protecting the user's data is paramount. Regardless of our other goals, we must never allow the user's data to be susceptible to eavesdropping or modification by unauthorized parties.

  3. Easy to Use

    Syncthing should be approachable, understandable, and inclusive.

  4. Automatic

    User interaction should be required only when absolutely necessary.

  5. Universally Available

    Syncthing should run on every common computer. We are mindful that the latest technology is not always available to every individual.

  6. For Individuals

    Syncthing is primarily about empowering the individual user with safe, secure, and easy to use file synchronization.

  7. Everything Else

    There are many things we care about that don't make it on to the list. It is fine to optimize for these values, as long as they are not in conflict with the stated goals above.

Getting Started

Take a look at the getting started guide.

There are a few examples for keeping Syncthing running in the background on your system in the etc directory. There are also several GUI implementations for Windows, Mac, and Linux.

Docker

To run Syncthing in Docker, see the Docker README.

Vote on features/bugs

We'd like to encourage you to vote on issues that matter to you. This helps the team understand what are the biggest pain points for our users, and could potentially influence what is being worked on next.

Getting in Touch

The first and best point of contact is the Forum. If you've found something that is clearly a bug, feel free to report it in the GitHub issue tracker.

If you believe that youve found a Syncthing-related security vulnerability, please report it by emailing security@syncthing.net. Do not report it in the Forum or issue tracker.

Building

Building Syncthing from source is easy. After extracting the source bundle from a release or checking out git, you just need to run go run build.go and the binaries are created in ./bin. There's a guide with more details on the build process.

Signed Releases

As of v0.10.15 and onwards, release binaries are GPG signed with the key D26E6ED000654A3E, available from https://syncthing.net/security/ and most key servers.

There is also a built-in automatic upgrade mechanism (disabled in some distribution channels) which uses a compiled in ECDSA signature. macOS binaries are also properly code signed.

Documentation

Please see the Syncthing documentation site [source].

All code is licensed under the MPLv2 License.

Reference in New Issue View Git Blame Copy Permalink
Description
No description provided
Readme MPL-2.0 253 MiB
Languages
Go 84.5%
HTML 7.2%
JavaScript 5.7%
Shell 1.8%
CSS 0.7%