add a basic front-end web interface for end-users

Fixes #339 #321 #398

README.md

@@ -47,6 +47,7 @@ Several storage backends are supported: local filesystem, encrypted local filesy
 - Support for HAProxy PROXY protocol: you can proxy and/or load balance the SFTP/SCP/FTP/WebDAV service without losing the information about the client's address.
 - [REST API](./docs/rest-api.md) for users and folders management, backup, restore and real time reports of the active connections with possibility of forcibly closing a connection.
 - [Web based administration interface](./docs/web-admin.md) to easily manage users, folders and connections.
+- [Web client interface](./docs/web-client.md) so that end users can change their credentials and browse their files.
 - Easy [migration](./examples/convertusers) from Linux system user accounts.
 - [Portable mode](./docs/portable-mode.md): a convenient way to share a single directory on demand.
 - [SFTP subsystem mode](./docs/sftp-subsystem.md): you can use SFTPGo as OpenSSH's SFTP subsystem.

common/common.go

@@ -104,7 +104,7 @@ var (
 	QuotaScans            ActiveScans
 	idleTimeoutTicker     *time.Ticker
 	idleTimeoutTickerDone chan bool
-	supportedProtocols    = []string{ProtocolSFTP, ProtocolSCP, ProtocolSSH, ProtocolFTP, ProtocolWebDAV}
+	supportedProtocols    = []string{ProtocolSFTP, ProtocolSCP, ProtocolSSH, ProtocolFTP, ProtocolWebDAV, ProtocolHTTP}
 	// the map key is the protocol, for each protocol we can have multiple rate limiters
 	rateLimiters map[string][]*rateLimiter
 )

common/connection.go

@@ -1029,7 +1029,7 @@ func (c *BaseConnection) GetPermissionDeniedError() error {
 	switch c.protocol {
 	case ProtocolSFTP:
 		return sftp.ErrSSHFxPermissionDenied
-	case ProtocolWebDAV, ProtocolFTP:
+	case ProtocolWebDAV, ProtocolFTP, ProtocolHTTP:
 		return os.ErrPermission
 	default:
 		return ErrPermissionDenied
@@ -1041,7 +1041,7 @@ func (c *BaseConnection) GetNotExistError() error {
 	switch c.protocol {
 	case ProtocolSFTP:
 		return sftp.ErrSSHFxNoSuchFile
-	case ProtocolWebDAV, ProtocolFTP:
+	case ProtocolWebDAV, ProtocolFTP, ProtocolHTTP:
 		return os.ErrNotExist
 	default:
 		return ErrNotExist

common/connection_test.go

@@ -224,7 +224,7 @@ func TestErrorsMapping(t *testing.T) {
 		err := conn.GetFsError(fs, os.ErrNotExist)
 		if protocol == ProtocolSFTP {
 			assert.EqualError(t, err, sftp.ErrSSHFxNoSuchFile.Error())
-		} else if protocol == ProtocolWebDAV || protocol == ProtocolFTP {
+		} else if protocol == ProtocolWebDAV || protocol == ProtocolFTP || protocol == ProtocolHTTP {
 			assert.EqualError(t, err, os.ErrNotExist.Error())
 		} else {
 			assert.EqualError(t, err, ErrNotExist.Error())

config/config.go

@@ -65,6 +65,7 @@ var (
 		Address:         "127.0.0.1",
 		Port:            8080,
 		EnableWebAdmin:  true,
+		EnableWebClient: true,
 		EnableHTTPS:     false,
 		ClientAuthType:  0,
 		TLSCipherSuites: nil,
@@ -236,7 +237,7 @@ func Init() {
 			TemplatesPath:      "templates",
 			StaticFilesPath:    "static",
 			BackupsPath:        "backups",
-			WebAdminRoot:       "",
+			WebRoot:            "",
 			CertificateFile:    "",
 			CertificateKeyFile: "",
 			CACertificates:     nil,
@@ -807,6 +808,12 @@ func getHTTPDBindingFromEnv(idx int) {
 		isSet = true
 	}
 
+	enableWebClient, ok := lookupBoolFromEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%v__ENABLE_WEB_CLIENT", idx))
+	if ok {
+		binding.EnableWebClient = enableWebClient
+		isSet = true
+	}
+
 	enableHTTPS, ok := lookupBoolFromEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%v__ENABLE_HTTPS", idx))
 	if ok {
 		binding.EnableHTTPS = enableHTTPS
@@ -952,7 +959,7 @@ func setViperDefaults() {
 	viper.SetDefault("httpd.templates_path", globalConf.HTTPDConfig.TemplatesPath)
 	viper.SetDefault("httpd.static_files_path", globalConf.HTTPDConfig.StaticFilesPath)
 	viper.SetDefault("httpd.backups_path", globalConf.HTTPDConfig.BackupsPath)
-	viper.SetDefault("httpd.web_admin_root", globalConf.HTTPDConfig.WebAdminRoot)
+	viper.SetDefault("httpd.web_root", globalConf.HTTPDConfig.WebRoot)
 	viper.SetDefault("httpd.certificate_file", globalConf.HTTPDConfig.CertificateFile)
 	viper.SetDefault("httpd.certificate_key_file", globalConf.HTTPDConfig.CertificateKeyFile)
 	viper.SetDefault("httpd.ca_certificates", globalConf.HTTPDConfig.CACertificates)

config/config_test.go

@@ -626,9 +626,11 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__1__PORT", "8000")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__1__ENABLE_HTTPS", "0")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__1__ENABLE_WEB_ADMIN", "1")
+	os.Setenv("SFTPGO_HTTPD__BINDINGS__1__ENABLE_WEB_CLIENT", "1")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__ADDRESS", "127.0.1.1")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__PORT", "9000")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_WEB_ADMIN", "0")
+	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_WEB_CLIENT", "0")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_HTTPS", "1")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__CLIENT_AUTH_TYPE", "1")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__TLS_CIPHER_SUITES", " TLS_AES_256_GCM_SHA384 , TLS_CHACHA20_POLY1305_SHA256")
@@ -640,10 +642,12 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__1__PORT")
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__1__ENABLE_HTTPS")
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__1__ENABLE_WEB_ADMIN")
+		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__1__ENABLE_WEB_CLIENT")
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__ADDRESS")
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__PORT")
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_HTTPS")
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_WEB_ADMIN")
+		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_WEB_CLIENT")
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__CLIENT_AUTH_TYPE")
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__TLS_CIPHER_SUITES")
 	})
@@ -657,18 +661,21 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
 	require.Equal(t, sockPath, bindings[0].Address)
 	require.False(t, bindings[0].EnableHTTPS)
 	require.True(t, bindings[0].EnableWebAdmin)
+	require.True(t, bindings[0].EnableWebClient)
 	require.Len(t, bindings[0].TLSCipherSuites, 1)
 	require.Equal(t, "TLS_AES_128_GCM_SHA256", bindings[0].TLSCipherSuites[0])
 	require.Equal(t, 8000, bindings[1].Port)
 	require.Equal(t, "127.0.0.1", bindings[1].Address)
 	require.False(t, bindings[1].EnableHTTPS)
 	require.True(t, bindings[1].EnableWebAdmin)
+	require.True(t, bindings[1].EnableWebClient)
 	require.Nil(t, bindings[1].TLSCipherSuites)
 
 	require.Equal(t, 9000, bindings[2].Port)
 	require.Equal(t, "127.0.1.1", bindings[2].Address)
 	require.True(t, bindings[2].EnableHTTPS)
 	require.False(t, bindings[2].EnableWebAdmin)
+	require.False(t, bindings[2].EnableWebClient)
 	require.Equal(t, 1, bindings[2].ClientAuthType)
 	require.Len(t, bindings[2].TLSCipherSuites, 2)
 	require.Equal(t, "TLS_AES_256_GCM_SHA384", bindings[2].TLSCipherSuites[0])

dataprovider/bolt.go

@@ -111,7 +111,7 @@ func (p *BoltProvider) validateUserAndTLSCert(username, protocol string, tlsCert
 	user, err := p.userExists(username)
 	if err != nil {
 		providerLog(logger.LevelWarn, "error authenticating user %#v: %v", username, err)
-		return user, ErrInvalidCredentials
+		return user, err
 	}
 	return checkUserAndTLSCertificate(&user, protocol, tlsCert)
 }
@@ -124,7 +124,7 @@ func (p *BoltProvider) validateUserAndPass(username, password, ip, protocol stri
 	user, err := p.userExists(username)
 	if err != nil {
 		providerLog(logger.LevelWarn, "error authenticating user %#v: %v", username, err)
-		return user, ErrInvalidCredentials
+		return user, err
 	}
 	return checkUserAndPass(&user, password, ip, protocol)
 }
@@ -147,7 +147,7 @@ func (p *BoltProvider) validateUserAndPubKey(username string, pubKey []byte) (Us
 	user, err := p.userExists(username)
 	if err != nil {
 		providerLog(logger.LevelWarn, "error authenticating user %#v: %v", username, err)
-		return user, "", ErrInvalidCredentials
+		return user, "", err
 	}
 	return checkUserAndPubKey(&user, pubKey)
 }

dataprovider/dataprovider.go

@@ -112,7 +112,7 @@ var (
 	// ErrNoAuthTryed defines the error for connection closed before authentication
 	ErrNoAuthTryed = errors.New("no auth tryed")
 	// ValidProtocols defines all the valid protcols
-	ValidProtocols = []string{"SSH", "FTP", "DAV"}
+	ValidProtocols = []string{"SSH", "FTP", "DAV", "HTTP"}
 	// ErrNoInitRequired defines the error returned by InitProvider if no inizialization/update is required
 	ErrNoInitRequired = errors.New("the data provider is up to date")
 	// ErrInvalidCredentials defines the error to return if the supplied credentials are invalid
@@ -1387,6 +1387,11 @@ func validateFilters(user *User) error {
 			return &ValidationError{err: fmt.Sprintf("invalid TLS username: %#v", user.Filters.TLSUsername)}
 		}
 	}
+	for _, opts := range user.Filters.WebClient {
+		if !utils.IsStringInSlice(opts, WebClientOptions) {
+			return &ValidationError{err: fmt.Sprintf("invalid web client options %#v", opts)}
+		}
+	}
 	return validateFileFilters(user)
 }
 

dataprovider/memory.go

@@ -96,7 +96,7 @@ func (p *MemoryProvider) validateUserAndTLSCert(username, protocol string, tlsCe
 	user, err := p.userExists(username)
 	if err != nil {
 		providerLog(logger.LevelWarn, "error authenticating user %#v: %v", username, err)
-		return user, ErrInvalidCredentials
+		return user, err
 	}
 	return checkUserAndTLSCertificate(&user, protocol, tlsCert)
 }
@@ -109,7 +109,7 @@ func (p *MemoryProvider) validateUserAndPass(username, password, ip, protocol st
 	user, err := p.userExists(username)
 	if err != nil {
 		providerLog(logger.LevelWarn, "error authenticating user %#v: %v", username, err)
-		return user, ErrInvalidCredentials
+		return user, err
 	}
 	return checkUserAndPass(&user, password, ip, protocol)
 }
@@ -122,7 +122,7 @@ func (p *MemoryProvider) validateUserAndPubKey(username string, pubKey []byte) (
 	user, err := p.userExists(username)
 	if err != nil {
 		providerLog(logger.LevelWarn, "error authenticating user %#v: %v", username, err)
-		return user, "", ErrInvalidCredentials
+		return user, "", err
 	}
 	return checkUserAndPubKey(&user, pubKey)
 }

dataprovider/sqlcommon.go

@@ -224,7 +224,7 @@ func sqlCommonValidateUserAndPass(username, password, ip, protocol string, dbHan
 	user, err := sqlCommonGetUserByUsername(username, dbHandle)
 	if err != nil {
 		providerLog(logger.LevelWarn, "error authenticating user %#v: %v", username, err)
-		return user, ErrInvalidCredentials
+		return user, err
 	}
 	return checkUserAndPass(&user, password, ip, protocol)
 }
@@ -237,7 +237,7 @@ func sqlCommonValidateUserAndTLSCertificate(username, protocol string, tlsCert *
 	user, err := sqlCommonGetUserByUsername(username, dbHandle)
 	if err != nil {
 		providerLog(logger.LevelWarn, "error authenticating user %#v: %v", username, err)
-		return user, ErrInvalidCredentials
+		return user, err
 	}
 	return checkUserAndTLSCertificate(&user, protocol, tlsCert)
 }
@@ -250,7 +250,7 @@ func sqlCommonValidateUserAndPubKey(username string, pubKey []byte, dbHandle *sq
 	user, err := sqlCommonGetUserByUsername(username, dbHandle)
 	if err != nil {
 		providerLog(logger.LevelWarn, "error authenticating user %#v: %v", username, err)
-		return user, "", ErrInvalidCredentials
+		return user, "", err
 	}
 	return checkUserAndPubKey(&user, pubKey)
 }

dataprovider/user.go

@@ -1,6 +1,8 @@
 package dataprovider
 
 import (
+	"crypto/sha256"
+	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -48,6 +50,16 @@ const (
 	PermChtimes = "chtimes"
 )
 
+// Web Client restrictions
+const (
+	WebClientPubKeyChangeDisabled = "publickey-change-disabled"
+)
+
+var (
+	// WebClientOptions defines the available options for the web client interface
+	WebClientOptions = []string{WebClientPubKeyChangeDisabled}
+)
+
 // Available login methods
 const (
 	LoginMethodNoAuthTryed            = "no_auth_tryed"
@@ -160,6 +172,8 @@ type UserFilters struct {
 	// these checks will speed up login.
 	// You could, for example, disable these checks after the first login
 	DisableFsChecks bool `json:"disable_fs_checks,omitempty"`
+	// WebClient related configuration options
+	WebClient []string `json:"web_client,omitempty"`
 }
 
 // User defines a SFTPGo user
@@ -839,6 +853,21 @@ func (u *User) isFilePatternAllowed(virtualPath string) bool {
 	return true
 }
 
+// CanManahePublicKeys return true if this user is allowed to manage public keys
+// from the web client
+func (u *User) CanManahePublicKeys() bool {
+	return !utils.IsStringInSlice(WebClientPubKeyChangeDisabled, u.Filters.WebClient)
+}
+
+// GetSignature returns a signature for this admin.
+// It could change after an update
+func (u *User) GetSignature() string {
+	data := []byte(fmt.Sprintf("%v_%v_%v", u.Username, u.Status, u.ExpirationDate))
+	data = append(data, []byte(u.Password)...)
+	signature := sha256.Sum256(data)
+	return base64.StdEncoding.EncodeToString(signature[:])
+}
+
 // IsLoginFromAddrAllowed returns true if the login is allowed from the specified remoteAddr.
 // If AllowedIP is defined only the specified IP/Mask can login.
 // If DeniedIP is defined the specified IP/Mask cannot login.
@@ -1094,6 +1123,8 @@ func (u *User) getACopy() User {
 	filters.Hooks.PreLoginDisabled = u.Filters.Hooks.PreLoginDisabled
 	filters.Hooks.CheckPasswordDisabled = u.Filters.Hooks.CheckPasswordDisabled
 	filters.DisableFsChecks = u.Filters.DisableFsChecks
+	filters.WebClient = make([]string, len(u.Filters.WebClient))
+	copy(filters.WebClient, u.Filters.WebClient)
 
 	return User{
 		ID:                u.ID,

docs/check-password-hook.md

@@ -16,7 +16,7 @@ If the hook defines an external program it can read the following environment va
 - `SFTPGO_AUTHD_USERNAME`
 - `SFTPGO_AUTHD_PASSWORD`
 - `SFTPGO_AUTHD_IP`
-- `SFTPGO_AUTHD_PROTOCOL`, possible values are `SSH`, `FTP`, `DAV`
+- `SFTPGO_AUTHD_PROTOCOL`, possible values are `SSH`, `FTP`, `DAV`, `HTTP`
 
 Previous global environment variables aren't cleared when the script is called. The content of these variables is _not_ quoted. They may contain special characters. They are under the control of a possibly malicious remote user.
 

docs/dynamic-user-mod.md

@@ -8,7 +8,7 @@ The external program can read the following environment variables to get info ab
 - `SFTPGO_LOGIND_USER`, it contains the user trying to login serialized as JSON. A JSON serialized user id equal to zero means the user does not exist inside SFTPGo
 - `SFTPGO_LOGIND_METHOD`, possible values are: `password`, `publickey`, `keyboard-interactive`, `TLSCertificate`
 - `SFTPGO_LOGIND_IP`, ip address of the user trying to login
-- `SFTPGO_LOGIND_PROTOCOL`, possible values are `SSH`, `FTP`, `DAV`
+- `SFTPGO_LOGIND_PROTOCOL`, possible values are `SSH`, `FTP`, `DAV`, `HTTP`
 
 The program must write, on its standard output:
 

docs/external-auth.md

@@ -7,7 +7,7 @@ The external program can read the following environment variables to get info ab
 - `SFTPGO_AUTHD_USERNAME`
 - `SFTPGO_AUTHD_USER`, STPGo user serialized as JSON, empty if the user does not exist within the data provider
 - `SFTPGO_AUTHD_IP`
-- `SFTPGO_AUTHD_PROTOCOL`, possible values are `SSH`, `FTP`, `DAV`
+- `SFTPGO_AUTHD_PROTOCOL`, possible values are `SSH`, `FTP`, `DAV`, `HTTP`
 - `SFTPGO_AUTHD_PASSWORD`, not empty for password authentication
 - `SFTPGO_AUTHD_PUBLIC_KEY`, not empty for public key authentication
 - `SFTPGO_AUTHD_KEYBOARD_INTERACTIVE`, not empty for keyboard interactive authentication
@@ -26,7 +26,7 @@ If the hook is an HTTP URL then it will be invoked as HTTP POST. The request bod
 - `username`
 - `ip`
 - `user`, STPGo user serialized as JSON, omitted if the user does not exist within the data provider
-- `protocol`, possible values are `SSH`, `FTP`, `DAV`
+- `protocol`, possible values are `SSH`, `FTP`, `DAV`, `HTTP`
 - `password`, not empty for password authentication
 - `public_key`, not empty for public key authentication
 - `keyboard_interactive`, not empty for keyboard interactive authentication

docs/full-configuration.md

@@ -210,7 +210,8 @@ The configuration file contains the following sections:
   - `bindings`, list of structs. Each struct has the following fields:
     - `port`, integer. The port used for serving HTTP requests. Default: 8080.
     - `address`, string. Leave blank to listen on all available network interfaces. On *NIX you can specify an absolute path to listen on a Unix-domain socket Default: "127.0.0.1".
-    - `enable_web_admin`, boolean. Set to `false` to disable the built-in web admin for this binding. You also need to define `templates_path` and `static_files_path` to enable the built-in web admin interface. Default `true`.
+    - `enable_web_admin`, boolean. Set to `false` to disable the built-in web admin for this binding. You also need to define `templates_path` and `static_files_path` to use the built-in web admin interface. Default `true`.
+    - `enable_web_client`, boolean. Set to `false` to disable the built-in web client for this binding. You also need to define `templates_path` and `static_files_path` to use the built-in web client interface. Default `true`.
     - `enable_https`, boolean. Set to `true` and provide both a certificate and a key file to enable HTTPS connection for this binding. Default `false`.
     - `client_auth_type`, integer. Set to `1` to require client certificate authentication in addition to JWT/Web authentication. You need to define at least a certificate authority for this to work. Default: 0.
     - `tls_cipher_suites`, list of strings. List of supported cipher suites for TLS version 1.2. If empty, a default list of secure cipher suites is used, with a preference order based on hardware performance. Note that TLS 1.3 ciphersuites are not configurable. The supported ciphersuites names are defined [here](https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L52). Any invalid name will be silently ignored. The order matters, the ciphers listed first will be the preferred ones. Default: empty.
@@ -219,7 +220,7 @@ The configuration file contains the following sections:
   - `templates_path`, string. Path to the HTML web templates. This can be an absolute path or a path relative to the config dir
   - `static_files_path`, string. Path to the static files for the web interface. This can be an absolute path or a path relative to the config dir. If both `templates_path` and `static_files_path` are empty the built-in web interface will be disabled
   - `backups_path`, string. Path to the backup directory. This can be an absolute path or a path relative to the config dir. We don't allow backups in arbitrary paths for security reasons
-  - `web_admin_root`, string.  Defines a base URL for the web admin. If empty web admin resources will be available at the root ("/") URI. If defined it must be an absolute URI or it will be ignored
+  - `web_root`, string.  Defines a base URL for the web admin and client interfaces. If empty web admin and client resources will be available at the root ("/") URI. If defined it must be an absolute URI or it will be ignored
   - `certificate_file`, string. Certificate for HTTPS. This can be an absolute path or a path relative to the config dir.
   - `certificate_key_file`, string. Private key matching the above certificate. This can be an absolute path or a path relative to the config dir. If both the certificate and the private key are provided, the server will expect HTTPS connections. Certificate and key files can be reloaded on demand sending a `SIGHUP` signal on Unix based systems and a `paramchange` request to the running service on Windows.
   - `ca_certificates`, list of strings. Set of root certificate authorities to be used to verify client certificates.

docs/howto/postgresql-s3.md

@@ -200,7 +200,7 @@ sudo systemctl restart sftpgo
 
 So now open the Web Admin URL.
 
-[http://127.0.0.1:8080/web](http://127.0.0.1:8080/web)
+[http://127.0.0.1:8080/web/admin](http://127.0.0.1:8080/web/admin)
 
 Click `Add` and fill the user details, the minimum required parameters are:
 

docs/post-login-hook.md

@@ -12,7 +12,7 @@ If the hook defines an external program it can reads the following environment v
 - `SFTPGO_LOGIND_IP`
 - `SFTPGO_LOGIND_METHOD`, possible values are `publickey`, `password`, `keyboard-interactive`, `publickey+password`, `publickey+keyboard-interactive`, `TLSCertificate`, `TLSCertificate+password` or `no_auth_tryed`
 - `SFTPGO_LOGIND_STATUS`, 1 means login OK, 0 login KO
-- `SFTPGO_LOGIND_PROTOCOL`, possible values are `SSH`, `FTP`, `DAV`
+- `SFTPGO_LOGIND_PROTOCOL`, possible values are `SSH`, `FTP`, `DAV`, `HTTP`
 
 Previous global environment variables aren't cleared when the script is called.
 The program must finish within 20 seconds.

docs/web-admin.md

@@ -3,7 +3,7 @@
 You can easily build your own interface using the exposed [REST API](./rest-api.md). Anyway, SFTPGo also provides a basic built-in web interface that allows you to manage users, virtual folders, admins and connections.
 With the default `httpd` configuration, the web admin is available at the following URL:
 
-[http://127.0.0.1:8080/web](http://127.0.0.1:8080/web)
+[http://127.0.0.1:8080/web/admin](http://127.0.0.1:8080/web/admin)
 
 The default credentials are:
 

docs/web-client.md

@@ -0,0 +1,10 @@
+# Web Client
+
+SFTPGo provides a basic front-end web interface for your users. It allows end-users to browse and download their files and change their credentials.
+
+The web interface can be globally disabled within the `httpd` configuration via the `enable_web_client` key or on a per-user basis by adding `HTTP` to the denied protocols.
+Public keys management can be disabled, per-user, using a specific permission.
+
+With the default `httpd` configuration, the web admin is available at the following URL:
+
+[http://127.0.0.1:8080/web/client](http://127.0.0.1:8080/web/client)

ftpd/cryptfs_test.go

@@ -1,6 +1,10 @@
 package ftpd_test
 
 import (
+	"crypto/sha256"
+	"fmt"
+	"hash"
+	"io"
 	"net/http"
 	"os"
 	"path"
@@ -200,12 +204,45 @@ func TestResumeCryptFs(t *testing.T) {
 			assert.NoError(t, err)
 			assert.Equal(t, data, readed)
 		}
+		// now test a download resume using a bigger file
+		testFileSize := int64(655352)
+		err = createTestFile(testFilePath, testFileSize)
+		assert.NoError(t, err)
+		initialHash, err := computeHashForFile(sha256.New(), testFilePath)
+		assert.NoError(t, err)
+		err = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)
+		assert.NoError(t, err)
+		err = ftpDownloadFile(testFileName, localDownloadPath, testFileSize, client, 0)
+		assert.NoError(t, err)
+		downloadHash, err := computeHashForFile(sha256.New(), localDownloadPath)
+		assert.NoError(t, err)
+		assert.Equal(t, initialHash, downloadHash)
+		err = os.Truncate(localDownloadPath, 32767)
+		assert.NoError(t, err)
+		err = ftpDownloadFile(testFileName, localDownloadPath+"_partial", testFileSize-32767, client, 32767)
+		assert.NoError(t, err)
+		file, err := os.OpenFile(localDownloadPath, os.O_APPEND|os.O_WRONLY, os.ModePerm)
+		assert.NoError(t, err)
+		file1, err := os.Open(localDownloadPath + "_partial")
+		assert.NoError(t, err)
+		_, err = io.Copy(file, file1)
+		assert.NoError(t, err)
+		err = file.Close()
+		assert.NoError(t, err)
+		err = file1.Close()
+		assert.NoError(t, err)
+		downloadHash, err = computeHashForFile(sha256.New(), localDownloadPath)
+		assert.NoError(t, err)
+		assert.Equal(t, initialHash, downloadHash)
+
 		err = client.Quit()
 		assert.NoError(t, err)
 		err = os.Remove(testFilePath)
 		assert.NoError(t, err)
 		err = os.Remove(localDownloadPath)
 		assert.NoError(t, err)
+		err = os.Remove(localDownloadPath + "_partial")
+		assert.NoError(t, err)
 	}
 	_, err = httpdtest.RemoveUser(user, http.StatusOK)
 	assert.NoError(t, err)
@@ -224,3 +261,17 @@ func getEncryptedFileSize(size int64) (int64, error) {
 	encSize, err := sio.EncryptedSize(uint64(size))
 	return int64(encSize) + 33, err
 }
+
+func computeHashForFile(hasher hash.Hash, path string) (string, error) {
+	hash := ""
+	f, err := os.Open(path)
+	if err != nil {
+		return hash, err
+	}
+	defer f.Close()
+	_, err = io.Copy(hasher, f)
+	if err == nil {
+		hash = fmt.Sprintf("%x", hasher.Sum(nil))
+	}
+	return hash, err
+}

ftpd/server.go

@@ -181,7 +181,7 @@ func (s *Server) AuthUser(cc ftpserver.ClientContext, username, password string)
 	if err != nil {
 		user.Username = username
 		updateLoginMetrics(&user, ipAddr, loginMethod, err)
-		return nil, err
+		return nil, dataprovider.ErrInvalidCredentials
 	}
 
 	connection, err := s.validateUser(user, cc, loginMethod)
@@ -211,7 +211,7 @@ func (s *Server) VerifyConnection(cc ftpserver.ClientContext, user string, tlsCo
 			if err != nil {
 				dbUser.Username = user
 				updateLoginMetrics(&dbUser, ipAddr, dataprovider.LoginMethodTLSCertificate, err)
-				return nil, err
+				return nil, dataprovider.ErrInvalidCredentials
 			}
 			if dbUser.IsTLSUsernameVerificationEnabled() {
 				dbUser, err = dataprovider.CheckUserAndTLSCert(user, ipAddr, common.ProtocolFTP, state.PeerCertificates[0])

go.mod

@@ -8,18 +8,18 @@ require (
 	github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962
 	github.com/StackExchange/wmi v0.0.0-20210224194228-fe8f1750fd46 // indirect
 	github.com/alexedwards/argon2id v0.0.0-20210326052512-e2135f7c9c77
-	github.com/aws/aws-sdk-go v1.38.30
+	github.com/aws/aws-sdk-go v1.38.35
 	github.com/cockroachdb/cockroach-go/v2 v2.1.1
 	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf // indirect
 	github.com/eikenb/pipeat v0.0.0-20200430215831-470df5986b6d
 	github.com/fclairamb/ftpserverlib v0.13.1
-	github.com/frankban/quicktest v1.12.0 // indirect
+	github.com/frankban/quicktest v1.12.1 // indirect
 	github.com/go-chi/chi/v5 v5.0.3
 	github.com/go-chi/jwtauth/v5 v5.0.1
 	github.com/go-chi/render v1.0.1
 	github.com/go-ole/go-ole v1.2.5 // indirect
 	github.com/go-sql-driver/mysql v1.6.0
-	github.com/goccy/go-json v0.4.13 // indirect
+	github.com/goccy/go-json v0.4.14 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/snappy v0.0.3 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
@@ -45,7 +45,7 @@ require (
 	github.com/pires/go-proxyproto v0.5.0
 	github.com/pkg/sftp v1.13.0
 	github.com/prometheus/client_golang v1.10.0
-	github.com/prometheus/common v0.21.0 // indirect
+	github.com/prometheus/common v0.23.0 // indirect
 	github.com/rs/cors v1.7.1-0.20200626170627-8b4a00bd362b
 	github.com/rs/xid v1.3.0
 	github.com/rs/zerolog v1.21.0
@@ -57,18 +57,19 @@ require (
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/viper v1.7.1
 	github.com/stretchr/testify v1.7.0
-	github.com/studio-b12/gowebdav v0.0.0-20210203212356-8244b5a5f51a
+	github.com/studio-b12/gowebdav v0.0.0-20210427212133-86f8378cf140
 	github.com/yl2chen/cidranger v1.0.2
 	go.etcd.io/bbolt v1.3.5
 	go.uber.org/automaxprocs v1.4.0
 	gocloud.dev v0.22.0
 	gocloud.dev/secrets/hashivault v0.22.0
-	golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b
+	golang.org/x/crypto v0.0.0-20210506145944-38f3c27a63bf
 	golang.org/x/mod v0.4.2 // indirect
-	golang.org/x/net v0.0.0-20210423184538-5f58ad60dda6
-	golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7
+	golang.org/x/net v0.0.0-20210505214959-0714010a04ed
+	golang.org/x/sys v0.0.0-20210503173754-0981d6026fa6
 	golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba
-	google.golang.org/api v0.45.0
+	google.golang.org/api v0.46.0
+	google.golang.org/genproto v0.0.0-20210506142907-4a47615972c2 // indirect
 	gopkg.in/ini.v1 v1.62.0 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
@@ -76,6 +77,6 @@ require (
 
 replace (
 	github.com/jlaffaye/ftp => github.com/drakkan/ftp v0.0.0-20201114075148-9b9adce499a9
-	golang.org/x/crypto => github.com/drakkan/crypto v0.0.0-20210425150317-089e67b931c9
-	golang.org/x/net => github.com/drakkan/net v0.0.0-20210425150243-76901d0d25a8
+	golang.org/x/crypto => github.com/drakkan/crypto v0.0.0-20210506192352-d548717d8e01
+	golang.org/x/net => github.com/drakkan/net v0.0.0-20210506192712-36fee9de0f7d
 )

go.sum

@@ -127,8 +127,8 @@ github.com/aws/aws-sdk-go v1.25.37/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpi
 github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.30.27/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
 github.com/aws/aws-sdk-go v1.36.1/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
-github.com/aws/aws-sdk-go v1.38.30 h1:X+JDSwkpSQfoLqH4fBLmS0rou8W/cdCCCD5lntTk9Vs=
-github.com/aws/aws-sdk-go v1.38.30/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
+github.com/aws/aws-sdk-go v1.38.35 h1:7AlAO0FC+8nFjxiGKEmq0QLpiA8/XFr6eIxgRTwkdTg=
+github.com/aws/aws-sdk-go v1.38.35/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
 github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
@@ -203,12 +203,12 @@ github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4Kfc
 github.com/docker/docker v1.4.2-0.20200319182547-c7ad2b866182/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
 github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/drakkan/crypto v0.0.0-20210425150317-089e67b931c9 h1:YbA8/6NJyj8440KNCDlEKEWfzjqjPcJj3Pwb5NGen0Q=
-github.com/drakkan/crypto v0.0.0-20210425150317-089e67b931c9/go.mod h1:L66LXwR5jyrcyKbWcx1/J/356ka7Lqn6zsxuVf6JhiI=
+github.com/drakkan/crypto v0.0.0-20210506192352-d548717d8e01 h1:OBfr3EGq6DjnxhskpY5Q5TYoMUyJexusO9153DaFad0=
+github.com/drakkan/crypto v0.0.0-20210506192352-d548717d8e01/go.mod h1:M1JpE4lvRI5LLrE7yTCWfhbsy5rx3oZVjGZad4XMwWc=
 github.com/drakkan/ftp v0.0.0-20201114075148-9b9adce499a9 h1:LPH1dEblAOO/LoG7yHPMtBLXhQmjaga91/DDjWk9jWA=
 github.com/drakkan/ftp v0.0.0-20201114075148-9b9adce499a9/go.mod h1:2lmrmq866uF2tnje75wQHzmPXhmSWUt7Gyx2vgK1RCU=
-github.com/drakkan/net v0.0.0-20210425150243-76901d0d25a8 h1:ENgPnm7K0a6nQbS/i+o/CvrTr2VRxN/r/he71GkT1+8=
-github.com/drakkan/net v0.0.0-20210425150243-76901d0d25a8/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
+github.com/drakkan/net v0.0.0-20210506192712-36fee9de0f7d h1:DUoPZEMoXDONtqVGBv8sGpYqZ0HgpWtdM3v9g2+dZAI=
+github.com/drakkan/net v0.0.0-20210506192712-36fee9de0f7d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs=
 github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU=
@@ -235,8 +235,8 @@ github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHqu
 github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVBjqR7JHJk0brhHOZYGmfBYOrK0ZhYMEtBr4=
 github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2rbfLwlschooIH4+wKKDR4Pdxhh+TRoA20=
 github.com/frankban/quicktest v1.10.0/go.mod h1:ui7WezCLWMWxVWr1GETZY3smRy0G4KWq9vcPtJmFl7Y=
-github.com/frankban/quicktest v1.12.0 h1:qlT496aO6ryji0l8Of/hVQCRkqNVyIbJtUZ1zDp6xyw=
-github.com/frankban/quicktest v1.12.0/go.mod h1:qLE0fzW0VuyUAJgPU19zByoIr0HtCHN/r/VLSOOIySU=
+github.com/frankban/quicktest v1.12.1 h1:P6vQcHwZYgVGIpUzKB5DXzkEeYJppJOStPLuh9aB89c=
+github.com/frankban/quicktest v1.12.1/go.mod h1:qLE0fzW0VuyUAJgPU19zByoIr0HtCHN/r/VLSOOIySU=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
@@ -288,8 +288,8 @@ github.com/gobwas/httphead v0.0.0-20180130184737-2c6c146eadee/go.mod h1:L0fX3K22
 github.com/gobwas/pool v0.2.0/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
 github.com/gobwas/ws v1.0.2/go.mod h1:szmBTxLgaFppYjEmNtny/v3w89xOydFnnZMcgRRu/EM=
 github.com/goccy/go-json v0.4.8/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
-github.com/goccy/go-json v0.4.13 h1:ZclJ9a9KEbGUxWkqPkh7ZscnnPAsGIinyg/dJlIph1Y=
-github.com/goccy/go-json v0.4.13/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
+github.com/goccy/go-json v0.4.14 h1:RR3AVWMEfVW0Z/DbfhxiLrv5mYlwlUmCK8jMtyCcSls=
+github.com/goccy/go-json v0.4.14/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
 github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4=
 github.com/gofrs/uuid v3.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gogo/googleapis v1.1.0/go.mod h1:gf4bu3Q80BeJ6H1S1vYPm8/ELATdvryBaNFGgqEef3s=
@@ -751,8 +751,8 @@ github.com/prometheus/common v0.7.0/go.mod h1:DjGbpBbp5NYNiECxcL/VnbXCCaQpKd3tt2
 github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4=
 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
 github.com/prometheus/common v0.18.0/go.mod h1:U+gB1OBLb1lF3O42bTCL+FK18tX9Oar16Clt/msog/s=
-github.com/prometheus/common v0.21.0 h1:SMvI2JVldvfUvRVlP64jkIJEC6WiGHJcN2e5tB+ztF8=
-github.com/prometheus/common v0.21.0/go.mod h1:U+gB1OBLb1lF3O42bTCL+FK18tX9Oar16Clt/msog/s=
+github.com/prometheus/common v0.23.0 h1:GXWvPYuTUenIa+BhOq/x+L/QZzCqASkVRny5KTlPDGM=
+github.com/prometheus/common v0.23.0/go.mod h1:H6QK/N6XVT42whUeIdI3dp36w49c+/iMDk7UAI2qm7Q=
 github.com/prometheus/procfs v0.0.0-20180125133057-cb4147076ac7/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
@@ -840,8 +840,8 @@ github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/studio-b12/gowebdav v0.0.0-20210203212356-8244b5a5f51a h1:Zq18I/ONL/ynTg+mhn78lyh14vNjOqaWfLKVZDwFUk4=
-github.com/studio-b12/gowebdav v0.0.0-20210203212356-8244b5a5f51a/go.mod h1:gCcfDlA1Y7GqOaeEKw5l9dOGx1VLdc/HuQSlQAaZ30s=
+github.com/studio-b12/gowebdav v0.0.0-20210427212133-86f8378cf140 h1:JCSn/2k3AQ0aJGs5Yx2xv6qrW0CAULc1E+xtSxeeQ/E=
+github.com/studio-b12/gowebdav v0.0.0-20210427212133-86f8378cf140/go.mod h1:gCcfDlA1Y7GqOaeEKw5l9dOGx1VLdc/HuQSlQAaZ30s=
 github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/tklauser/go-sysconf v0.3.4/go.mod h1:Cl2c8ZRWfHD5IrfHo9VN+FX9kCFjIOyVklgXycLB6ek=
@@ -943,8 +943,9 @@ golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210413134643-5e61552d6c78 h1:rPRtHfUb0UKZeZ6GH4K4Nt4YRbE9V1u+QZX5upZXqJQ=
 golang.org/x/oauth2 v0.0.0-20210413134643-5e61552d6c78/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20210427180440-81ed05c6b58c h1:SgVl/sCtkicsS7psKkje4H9YtjdEl3xsYh7N+5TDHqY=
+golang.org/x/oauth2 v0.0.0-20210427180440-81ed05c6b58c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1023,8 +1024,9 @@ golang.org/x/sys v0.0.0-20210309074719-68d13333faf2/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210412220455-f1c623a9e750/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7 h1:iGu644GcxtEcrInvDsQRCwJjtCIOlT2V7IRt6ah2Whw=
-golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210503080704-8803ae5d1324/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210503173754-0981d6026fa6 h1:cdsMqa2nXzqlgs183pHxtvoVwU7CyzaCTAUOg94af4c=
+golang.org/x/sys v0.0.0-20210503173754-0981d6026fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1145,8 +1147,9 @@ google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34q
 google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8=
 google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU=
 google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94=
-google.golang.org/api v0.45.0 h1:pqMffJFLBVUDIoYsHcqtxgQVTsmxMDpYLOc5MT4Jrww=
 google.golang.org/api v0.45.0/go.mod h1:ISLIJCedJolbZvDfAk+Ctuq5hf+aJ33WgtUsfyFoLXA=
+google.golang.org/api v0.46.0 h1:jkDWHOBIoNSD0OQpq4rtBVu+Rh325MPjXG1rakAp8JU=
+google.golang.org/api v0.46.0/go.mod h1:ceL4oozhkAiTID8XMmJBsIxID/9wMXJVVFXPg4ylg3I=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@@ -1204,8 +1207,10 @@ google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
 google.golang.org/genproto v0.0.0-20210413151531-c14fb6ef47c3/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A=
-google.golang.org/genproto v0.0.0-20210420162539-3c870d7478d2 h1:g2sJMUGCpeHZqTx8p3wsAWRS64nFq20i4dvJWcKGqvY=
 google.golang.org/genproto v0.0.0-20210420162539-3c870d7478d2/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A=
+google.golang.org/genproto v0.0.0-20210429181445-86c259c2b4ab/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A=
+google.golang.org/genproto v0.0.0-20210506142907-4a47615972c2 h1:pl8qT5D+48655f14yDURpIZwSPvMWuuekfAP+gxtjvk=
+google.golang.org/genproto v0.0.0-20210506142907-4a47615972c2/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A=
 google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=

httpd/auth_utils.go

@@ -18,9 +18,10 @@ import (
 type tokenAudience = string
 
 const (
-	tokenAudienceWeb  tokenAudience = "Web"
-	tokenAudienceAPI  tokenAudience = "API"
-	tokenAudienceCSRF tokenAudience = "CSRF"
+	tokenAudienceWebAdmin  tokenAudience = "WebAdmin"
+	tokenAudienceWebClient tokenAudience = "WebClient"
+	tokenAudienceAPI       tokenAudience = "API"
+	tokenAudienceCSRF      tokenAudience = "CSRF"
 )
 
 const (
@@ -119,15 +120,21 @@ func (c *jwtTokenClaims) createTokenResponse(tokenAuth *jwtauth.JWTAuth, audienc
 	return response, nil
 }
 
-func (c *jwtTokenClaims) createAndSetCookie(w http.ResponseWriter, r *http.Request, tokenAuth *jwtauth.JWTAuth) error {
-	resp, err := c.createTokenResponse(tokenAuth, tokenAudienceWeb)
+func (c *jwtTokenClaims) createAndSetCookie(w http.ResponseWriter, r *http.Request, tokenAuth *jwtauth.JWTAuth, audience tokenAudience) error {
+	resp, err := c.createTokenResponse(tokenAuth, audience)
 	if err != nil {
 		return err
 	}
+	var basePath string
+	if audience == tokenAudienceWebAdmin {
+		basePath = webBaseAdminPath
+	} else {
+		basePath = webBaseClientPath
+	}
 	http.SetCookie(w, &http.Cookie{
 		Name:     "jwt",
 		Value:    resp["access_token"].(string),
-		Path:     webBasePath,
+		Path:     basePath,
 		Expires:  time.Now().Add(tokenDuration),
 		HttpOnly: true,
 		Secure:   r.TLS != nil,
@@ -178,6 +185,19 @@ func invalidateToken(r *http.Request) {
 	}
 }
 
+func getUserFromToken(r *http.Request) *dataprovider.User {
+	user := &dataprovider.User{}
+	_, claims, err := jwtauth.FromContext(r.Context())
+	if err != nil {
+		return user
+	}
+	tokenClaims := jwtTokenClaims{}
+	tokenClaims.Decode(claims)
+	user.Username = tokenClaims.Username
+	user.Filters.WebClient = tokenClaims.Permissions
+	return user
+}
+
 func getAdminFromToken(r *http.Request) *dataprovider.Admin {
 	admin := &dataprovider.Admin{}
 	_, claims, err := jwtauth.FromContext(r.Context())

httpd/file.go

@@ -0,0 +1,87 @@
+package httpd
+
+import (
+	"errors"
+	"io"
+	"sync/atomic"
+
+	"github.com/eikenb/pipeat"
+
+	"github.com/drakkan/sftpgo/common"
+)
+
+var errTransferAborted = errors.New("transfer aborted")
+
+type httpdFile struct {
+	*common.BaseTransfer
+	reader     io.ReadCloser
+	isFinished bool
+}
+
+func newHTTPDFile(baseTransfer *common.BaseTransfer, pipeReader *pipeat.PipeReaderAt) *httpdFile {
+	var reader io.ReadCloser
+	if baseTransfer.File != nil {
+		reader = baseTransfer.File
+	} else if pipeReader != nil {
+		reader = pipeReader
+	}
+	return &httpdFile{
+		BaseTransfer: baseTransfer,
+		reader:       reader,
+		isFinished:   false,
+	}
+}
+
+// Read reads the contents to downloads.
+func (f *httpdFile) Read(p []byte) (n int, err error) {
+	if atomic.LoadInt32(&f.AbortTransfer) == 1 {
+		return 0, errTransferAborted
+	}
+
+	f.Connection.UpdateLastActivity()
+
+	n, err = f.reader.Read(p)
+	atomic.AddInt64(&f.BytesSent, int64(n))
+
+	if err != nil && err != io.EOF {
+		f.TransferError(err)
+		return
+	}
+	f.HandleThrottle()
+	return
+}
+
+// Close closes the current transfer
+func (f *httpdFile) Close() error {
+	if err := f.setFinished(); err != nil {
+		return err
+	}
+	err := f.closeIO()
+	errBaseClose := f.BaseTransfer.Close()
+	if errBaseClose != nil {
+		err = errBaseClose
+	}
+
+	return f.Connection.GetFsError(f.Fs, err)
+}
+
+func (f *httpdFile) closeIO() error {
+	var err error
+	if f.File != nil {
+		err = f.File.Close()
+	} else if f.reader != nil {
+		err = f.reader.Close()
+	}
+	return err
+}
+
+func (f *httpdFile) setFinished() error {
+	f.Lock()
+	defer f.Unlock()
+
+	if f.isFinished {
+		return common.ErrTransferClosed
+	}
+	f.isFinished = true
+	return nil
+}

httpd/handler.go

@@ -0,0 +1,104 @@
+package httpd
+
+import (
+	"io"
+	"net/http"
+	"os"
+	"path"
+	"strings"
+
+	"github.com/drakkan/sftpgo/common"
+	"github.com/drakkan/sftpgo/dataprovider"
+	"github.com/drakkan/sftpgo/logger"
+	"github.com/drakkan/sftpgo/utils"
+)
+
+// Connection details for a HTTP connection used to inteact with an SFTPGo filesystem
+type Connection struct {
+	*common.BaseConnection
+	request *http.Request
+}
+
+// GetClientVersion returns the connected client's version.
+func (c *Connection) GetClientVersion() string {
+	if c.request != nil {
+		return c.request.UserAgent()
+	}
+	return ""
+}
+
+// GetRemoteAddress return the connected client's address
+func (c *Connection) GetRemoteAddress() string {
+	if c.request != nil {
+		return c.request.RemoteAddr
+	}
+	return ""
+}
+
+// Disconnect closes the active transfer
+func (c *Connection) Disconnect() (err error) {
+	return c.SignalTransfersAbort()
+}
+
+// GetCommand returns the request method
+func (c *Connection) GetCommand() string {
+	if c.request != nil {
+		return strings.ToUpper(c.request.Method)
+	}
+	return ""
+}
+
+// Stat returns a FileInfo describing the named file/directory, or an error,
+// if any happens
+func (c *Connection) Stat(name string, mode int) (os.FileInfo, error) {
+	c.UpdateLastActivity()
+
+	name = utils.CleanPath(name)
+	if !c.User.HasPerm(dataprovider.PermListItems, path.Dir(name)) {
+		return nil, c.GetPermissionDeniedError()
+	}
+
+	fi, err := c.DoStat(name, mode)
+	if err != nil {
+		c.Log(logger.LevelDebug, "error running stat on path %#v: %+v", name, err)
+		return nil, err
+	}
+	return fi, err
+}
+
+// ReadDir returns a list of directory entries
+func (c *Connection) ReadDir(name string) ([]os.FileInfo, error) {
+	c.UpdateLastActivity()
+
+	name = utils.CleanPath(name)
+	return c.ListDir(name)
+}
+
+func (c *Connection) getFileReader(name string, offset int64) (io.ReadCloser, error) {
+	c.UpdateLastActivity()
+
+	name = utils.CleanPath(name)
+	if !c.User.HasPerm(dataprovider.PermDownload, path.Dir(name)) {
+		return nil, os.ErrPermission
+	}
+
+	if !c.User.IsFileAllowed(name) {
+		c.Log(logger.LevelWarn, "reading file %#v is not allowed", name)
+		return nil, os.ErrPermission
+	}
+
+	fs, p, err := c.GetFsAndResolvedPath(name)
+	if err != nil {
+		return nil, err
+	}
+
+	file, r, cancelFn, err := fs.Open(p, offset)
+	if err != nil {
+		c.Log(logger.LevelWarn, "could not open file %#v for reading: %+v", p, err)
+		return nil, c.GetFsError(fs, err)
+	}
+
+	baseTransfer := common.NewBaseTransfer(file, c.BaseConnection, cancelFn, p, name, common.TransferDownload,
+		0, 0, 0, false, fs)
+	return newHTTPDFile(baseTransfer, r), nil
+}

httpd/httpd.go

@@ -29,47 +29,55 @@ import (
 )
 
 const (
-	logSender                    = "httpd"
-	tokenPath                    = "/api/v2/token"
-	logoutPath                   = "/api/v2/logout"
-	activeConnectionsPath        = "/api/v2/connections"
-	quotaScanPath                = "/api/v2/quota-scans"
-	quotaScanVFolderPath         = "/api/v2/folder-quota-scans"
-	userPath                     = "/api/v2/users"
-	versionPath                  = "/api/v2/version"
-	folderPath                   = "/api/v2/folders"
-	serverStatusPath             = "/api/v2/status"
-	dumpDataPath                 = "/api/v2/dumpdata"
-	loadDataPath                 = "/api/v2/loaddata"
-	updateUsedQuotaPath          = "/api/v2/quota-update"
-	updateFolderUsedQuotaPath    = "/api/v2/folder-quota-update"
-	defenderBanTime              = "/api/v2/defender/bantime"
-	defenderUnban                = "/api/v2/defender/unban"
-	defenderScore                = "/api/v2/defender/score"
-	adminPath                    = "/api/v2/admins"
-	adminPwdPath                 = "/api/v2/changepwd/admin"
-	healthzPath                  = "/healthz"
-	webRootPathDefault           = "/"
-	webBasePathDefault           = "/web"
-	webLoginPathDefault          = "/web/login"
-	webLogoutPathDefault         = "/web/logout"
-	webUsersPathDefault          = "/web/users"
-	webUserPathDefault           = "/web/user"
-	webConnectionsPathDefault    = "/web/connections"
-	webFoldersPathDefault        = "/web/folders"
-	webFolderPathDefault         = "/web/folder"
-	webStatusPathDefault         = "/web/status"
-	webAdminsPathDefault         = "/web/admins"
-	webAdminPathDefault          = "/web/admin"
-	webMaintenancePathDefault    = "/web/maintenance"
-	webBackupPathDefault         = "/web/backup"
-	webRestorePathDefault        = "/web/restore"
-	webScanVFolderPathDefault    = "/web/folder-quota-scans"
-	webQuotaScanPathDefault      = "/web/quota-scans"
-	webChangeAdminPwdPathDefault = "/web/changepwd/admin"
-	webTemplateUserDefault       = "/web/template/user"
-	webTemplateFolderDefault     = "/web/template/folder"
-	webStaticFilesPathDefault    = "/static"
+	logSender                       = "httpd"
+	tokenPath                       = "/api/v2/token"
+	logoutPath                      = "/api/v2/logout"
+	activeConnectionsPath           = "/api/v2/connections"
+	quotaScanPath                   = "/api/v2/quota-scans"
+	quotaScanVFolderPath            = "/api/v2/folder-quota-scans"
+	userPath                        = "/api/v2/users"
+	versionPath                     = "/api/v2/version"
+	folderPath                      = "/api/v2/folders"
+	serverStatusPath                = "/api/v2/status"
+	dumpDataPath                    = "/api/v2/dumpdata"
+	loadDataPath                    = "/api/v2/loaddata"
+	updateUsedQuotaPath             = "/api/v2/quota-update"
+	updateFolderUsedQuotaPath       = "/api/v2/folder-quota-update"
+	defenderBanTime                 = "/api/v2/defender/bantime"
+	defenderUnban                   = "/api/v2/defender/unban"
+	defenderScore                   = "/api/v2/defender/score"
+	adminPath                       = "/api/v2/admins"
+	adminPwdPath                    = "/api/v2/changepwd/admin"
+	healthzPath                     = "/healthz"
+	webRootPathDefault              = "/"
+	webBasePathDefault              = "/web"
+	webBasePathAdminDefault         = "/web/admin"
+	webBasePathClientDefault        = "/web/client"
+	webLoginPathDefault             = "/web/admin/login"
+	webLogoutPathDefault            = "/web/admin/logout"
+	webUsersPathDefault             = "/web/admin/users"
+	webUserPathDefault              = "/web/admin/user"
+	webConnectionsPathDefault       = "/web/admin/connections"
+	webFoldersPathDefault           = "/web/admin/folders"
+	webFolderPathDefault            = "/web/admin/folder"
+	webStatusPathDefault            = "/web/admin/status"
+	webAdminsPathDefault            = "/web/admin/managers"
+	webAdminPathDefault             = "/web/admin/manager"
+	webMaintenancePathDefault       = "/web/admin/maintenance"
+	webBackupPathDefault            = "/web/admin/backup"
+	webRestorePathDefault           = "/web/admin/restore"
+	webScanVFolderPathDefault       = "/web/admin/folder-quota-scans"
+	webQuotaScanPathDefault         = "/web/admin/quota-scans"
+	webChangeAdminPwdPathDefault    = "/web/admin/changepwd"
+	webTemplateUserDefault          = "/web/admin/template/user"
+	webTemplateFolderDefault        = "/web/admin/template/folder"
+	webClientLoginPathDefault       = "/web/client/login"
+	webClientFilesPathDefault       = "/web/client/files"
+	webClientCredentialsPathDefault = "/web/client/credentials"
+	webChangeClientPwdPathDefault   = "/web/client/changepwd"
+	webChangeClientKeysPathDefault  = "/web/client/managekeys"
+	webClientLogoutPathDefault      = "/web/client/logout"
+	webStaticFilesPathDefault       = "/static"
 	// MaxRestoreSize defines the max size for the loaddata input file
 	MaxRestoreSize = 10485760 // 10 MB
 	maxRequestSize = 1048576  // 1MB
@@ -77,37 +85,46 @@ const (
 )
 
 var (
-	backupsPath            string
-	certMgr                *common.CertManager
-	jwtTokensCleanupTicker *time.Ticker
-	jwtTokensCleanupDone   chan bool
-	invalidatedJWTTokens   sync.Map
-	csrfTokenAuth          *jwtauth.JWTAuth
-	webRootPath            string
-	webBasePath            string
-	webLoginPath           string
-	webLogoutPath          string
-	webUsersPath           string
-	webUserPath            string
-	webConnectionsPath     string
-	webFoldersPath         string
-	webFolderPath          string
-	webStatusPath          string
-	webAdminsPath          string
-	webAdminPath           string
-	webMaintenancePath     string
-	webBackupPath          string
-	webRestorePath         string
-	webScanVFolderPath     string
-	webQuotaScanPath       string
-	webChangeAdminPwdPath  string
-	webTemplateUser        string
-	webTemplateFolder      string
-	webStaticFilesPath     string
+	backupsPath              string
+	certMgr                  *common.CertManager
+	jwtTokensCleanupTicker   *time.Ticker
+	jwtTokensCleanupDone     chan bool
+	invalidatedJWTTokens     sync.Map
+	csrfTokenAuth            *jwtauth.JWTAuth
+	webRootPath              string
+	webBasePath              string
+	webBaseAdminPath         string
+	webBaseClientPath        string
+	webLoginPath             string
+	webLogoutPath            string
+	webUsersPath             string
+	webUserPath              string
+	webConnectionsPath       string
+	webFoldersPath           string
+	webFolderPath            string
+	webStatusPath            string
+	webAdminsPath            string
+	webAdminPath             string
+	webMaintenancePath       string
+	webBackupPath            string
+	webRestorePath           string
+	webScanVFolderPath       string
+	webQuotaScanPath         string
+	webChangeAdminPwdPath    string
+	webTemplateUser          string
+	webTemplateFolder        string
+	webClientLoginPath       string
+	webClientFilesPath       string
+	webClientCredentialsPath string
+	webChangeClientPwdPath   string
+	webChangeClientKeysPath  string
+	webClientLogoutPath      string
+	webStaticFilesPath       string
 )
 
 func init() {
 	updateWebAdminURLs("")
+	updateWebClientURLs("")
 }
 
 // Binding defines the configuration for a network listener
@@ -119,6 +136,9 @@ type Binding struct {
 	// Enable the built-in admin interface.
 	// You have to define TemplatesPath and StaticFilesPath for this to work
 	EnableWebAdmin bool `json:"enable_web_admin" mapstructure:"enable_web_admin"`
+	// Enable the built-in client interface.
+	// You have to define TemplatesPath and StaticFilesPath for this to work
+	EnableWebClient bool `json:"enable_web_client" mapstructure:"enable_web_client"`
 	// you also need to provide a certificate for enabling HTTPS
 	EnableHTTPS bool `json:"enable_https" mapstructure:"enable_https"`
 	// set to 1 to require client certificate authentication in addition to basic auth.
@@ -181,9 +201,9 @@ type Conf struct {
 	StaticFilesPath string `json:"static_files_path" mapstructure:"static_files_path"`
 	// Path to the backup directory. This can be an absolute path or a path relative to the config dir
 	BackupsPath string `json:"backups_path" mapstructure:"backups_path"`
-	// Defines a base URL for the web admin. If empty web admin resources will be available at the
-	// root ("/") URI. If defined it must be an absolute URI or it will be ignored.
-	WebAdminRoot string `json:"web_admin_root" mapstructure:"web_admin_root"`
+	// Defines a base URL for the web admin and client interfaces. If empty web admin and client resources will
+	// be available at the root ("/") URI. If defined it must be an absolute URI or it will be ignored.
+	WebRoot string `json:"web_root" mapstructure:"web_root"`
 	// If files containing a certificate and matching private key for the server are provided the server will expect
 	// HTTPS connections.
 	// Certificate and key files can be reloaded on demand sending a "SIGHUP" signal on Unix based systems and a
@@ -213,27 +233,50 @@ func (c *Conf) ShouldBind() bool {
 	return false
 }
 
+func (c *Conf) isWebAdminEnabled() bool {
+	for _, binding := range c.Bindings {
+		if binding.EnableWebAdmin {
+			return true
+		}
+	}
+	return false
+}
+
+func (c *Conf) isWebClientEnabled() bool {
+	for _, binding := range c.Bindings {
+		if binding.EnableWebClient {
+			return true
+		}
+	}
+	return false
+}
+
 // Initialize configures and starts the HTTP server
 func (c *Conf) Initialize(configDir string) error {
 	logger.Debug(logSender, "", "initializing HTTP server with config %+v", c)
 	backupsPath = getConfigPath(c.BackupsPath, configDir)
 	staticFilesPath := getConfigPath(c.StaticFilesPath, configDir)
 	templatesPath := getConfigPath(c.TemplatesPath, configDir)
-	enableWebAdmin := staticFilesPath != "" || templatesPath != ""
 	if backupsPath == "" {
 		return fmt.Errorf("required directory is invalid, backup path %#v", backupsPath)
 	}
-	if enableWebAdmin && (staticFilesPath == "" || templatesPath == "") {
+	if (c.isWebAdminEnabled() || c.isWebClientEnabled()) && (staticFilesPath == "" || templatesPath == "") {
 		return fmt.Errorf("required directory is invalid, static file path: %#v template path: %#v",
 			staticFilesPath, templatesPath)
 	}
 	certificateFile := getConfigPath(c.CertificateFile, configDir)
 	certificateKeyFile := getConfigPath(c.CertificateKeyFile, configDir)
-	if enableWebAdmin {
-		updateWebAdminURLs(c.WebAdminRoot)
-		loadTemplates(templatesPath)
+	if c.isWebAdminEnabled() {
+		updateWebAdminURLs(c.WebRoot)
+		loadAdminTemplates(templatesPath)
+	} else {
+		logger.Info(logSender, "", "built-in web admin interface disabled")
+	}
+	if c.isWebClientEnabled() {
+		updateWebClientURLs(c.WebRoot)
+		loadClientTemplates(templatesPath)
 	} else {
-		logger.Info(logSender, "", "built-in web interface disabled, please set templates_path and static_files_path to enable it")
+		logger.Info(logSender, "", "built-in web client interface disabled")
 	}
 	if certificateFile != "" && certificateKeyFile != "" {
 		mgr, err := common.NewCertManager(certificateFile, certificateKeyFile, configDir, logSender)
@@ -261,7 +304,7 @@ func (c *Conf) Initialize(configDir string) error {
 		}
 
 		go func(b Binding) {
-			server := newHttpdServer(b, staticFilesPath, enableWebAdmin)
+			server := newHttpdServer(b, staticFilesPath)
 
 			exitChannel <- server.listenAndServe()
 		}(binding)
@@ -271,10 +314,14 @@ func (c *Conf) Initialize(configDir string) error {
 	return <-exitChannel
 }
 
-func isWebAdminRequest(r *http.Request) bool {
+func isWebRequest(r *http.Request) bool {
 	return strings.HasPrefix(r.RequestURI, webBasePath+"/")
 }
 
+func isWebClientRequest(r *http.Request) bool {
+	return strings.HasPrefix(r.RequestURI, webBaseClientPath+"/")
+}
+
 // ReloadCertificateMgr reloads the certificate manager
 func ReloadCertificateMgr() error {
 	if certMgr != nil {
@@ -330,12 +377,28 @@ func fileServer(r chi.Router, path string, root http.FileSystem) {
 	})
 }
 
+func updateWebClientURLs(baseURL string) {
+	if !path.IsAbs(baseURL) {
+		baseURL = "/"
+	}
+	webRootPath = path.Join(baseURL, webRootPathDefault)
+	webBasePath = path.Join(baseURL, webBasePathDefault)
+	webBaseClientPath = path.Join(baseURL, webBasePathClientDefault)
+	webClientLoginPath = path.Join(baseURL, webClientLoginPathDefault)
+	webClientFilesPath = path.Join(baseURL, webClientFilesPathDefault)
+	webClientCredentialsPath = path.Join(baseURL, webClientCredentialsPathDefault)
+	webChangeClientPwdPath = path.Join(baseURL, webChangeClientPwdPathDefault)
+	webChangeClientKeysPath = path.Join(baseURL, webChangeClientKeysPathDefault)
+	webClientLogoutPath = path.Join(baseURL, webClientLogoutPathDefault)
+}
+
 func updateWebAdminURLs(baseURL string) {
 	if !path.IsAbs(baseURL) {
 		baseURL = "/"
 	}
 	webRootPath = path.Join(baseURL, webRootPathDefault)
 	webBasePath = path.Join(baseURL, webBasePathDefault)
+	webBaseAdminPath = path.Join(baseURL, webBasePathAdminDefault)
 	webLoginPath = path.Join(baseURL, webLoginPathDefault)
 	webLogoutPath = path.Join(baseURL, webLogoutPathDefault)
 	webUsersPath = path.Join(baseURL, webUsersPathDefault)
@@ -360,11 +423,12 @@ func updateWebAdminURLs(baseURL string) {
 // GetHTTPRouter returns an HTTP handler suitable to use for test cases
 func GetHTTPRouter() http.Handler {
 	b := Binding{
-		Address:        "",
-		Port:           8080,
-		EnableWebAdmin: true,
+		Address:         "",
+		Port:            8080,
+		EnableWebAdmin:  true,
+		EnableWebClient: true,
 	}
-	server := newHttpdServer(b, "../static", true)
+	server := newHttpdServer(b, "../static")
 	server.initializeRouter()
 	return server.router
 }

httpd/internal_test.go

@@ -353,7 +353,7 @@ func TestUpdateWebAdminInvalidClaims(t *testing.T) {
 		Permissions: admin.Permissions,
 		Signature:   admin.GetSignature(),
 	}
-	token, err := c.createTokenResponse(server.tokenAuth, tokenAudienceWeb)
+	token, err := c.createTokenResponse(server.tokenAuth, tokenAudienceWebAdmin)
 	assert.NoError(t, err)
 
 	form := make(url.Values)
@@ -435,18 +435,18 @@ func TestCreateTokenError(t *testing.T) {
 	req, _ = http.NewRequest(http.MethodPost, webLoginPath, bytes.NewBuffer([]byte(form.Encode())))
 	req.RemoteAddr = "127.0.0.1:1234"
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-	server.handleWebLoginPost(rr, req)
+	server.handleWebAdminLoginPost(rr, req)
 	assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
 	// req with no content type
 	req, _ = http.NewRequest(http.MethodPost, webLoginPath, nil)
 	rr = httptest.NewRecorder()
-	server.handleWebLoginPost(rr, req)
+	server.handleWebAdminLoginPost(rr, req)
 	assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
 	// req with no POST body
 	req, _ = http.NewRequest(http.MethodGet, webLoginPath+"?a=a%C3%AO%GG", nil)
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	rr = httptest.NewRecorder()
-	server.handleWebLoginPost(rr, req)
+	server.handleWebAdminLoginPost(rr, req)
 	assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
 	req, _ = http.NewRequest(http.MethodGet, webLoginPath+"?a=a%C3%A1%G2", nil)
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -458,6 +458,51 @@ func TestCreateTokenError(t *testing.T) {
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	_, err := getAdminFromPostFields(req)
 	assert.Error(t, err)
+
+	req, _ = http.NewRequest(http.MethodPost, webClientLoginPath+"?a=a%C3%AO%GG", bytes.NewBuffer([]byte(form.Encode())))
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	rr = httptest.NewRecorder()
+	server.handleWebClientLoginPost(rr, req)
+	assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
+
+	req, _ = http.NewRequest(http.MethodPost, webChangeClientPwdPath+"?a=a%C3%AO%GA", bytes.NewBuffer([]byte(form.Encode())))
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	rr = httptest.NewRecorder()
+	handleWebClientChangePwdPost(rr, req)
+	assert.Equal(t, http.StatusInternalServerError, rr.Code, rr.Body.String())
+
+	req, _ = http.NewRequest(http.MethodPost, webChangeClientKeysPath+"?a=a%C3%AO%GB", bytes.NewBuffer([]byte(form.Encode())))
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	rr = httptest.NewRecorder()
+	handleWebClientManageKeysPost(rr, req)
+	assert.Equal(t, http.StatusInternalServerError, rr.Code, rr.Body.String())
+
+	username := "webclientuser"
+	user := dataprovider.User{
+		Username:    username,
+		Password:    "clientpwd",
+		HomeDir:     filepath.Join(os.TempDir(), username),
+		Status:      1,
+		Description: "test user",
+	}
+	user.Permissions = make(map[string][]string)
+	user.Permissions["/"] = []string{"*"}
+	err = dataprovider.AddUser(&user)
+	assert.NoError(t, err)
+
+	rr = httptest.NewRecorder()
+	form = make(url.Values)
+	form.Set("username", user.Username)
+	form.Set("password", "clientpwd")
+	form.Set(csrfFormToken, createCSRFToken())
+	req, _ = http.NewRequest(http.MethodPost, webClientLoginPath, bytes.NewBuffer([]byte(form.Encode())))
+	req.RemoteAddr = "127.0.0.1:4567"
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	server.handleWebClientLoginPost(rr, req)
+	assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
+
+	err = dataprovider.DeleteUser(username)
+	assert.NoError(t, err)
 }
 
 func TestJWTTokenValidation(t *testing.T) {
@@ -469,20 +514,28 @@ func TestJWTTokenValidation(t *testing.T) {
 	assert.NoError(t, err)
 
 	r := GetHTTPRouter()
-	fn := jwtAuthenticator(r)
+	fn := jwtAuthenticatorAPI(r)
 	rr := httptest.NewRecorder()
 	req, _ := http.NewRequest(http.MethodGet, userPath, nil)
 	ctx := jwtauth.NewContext(req.Context(), token, nil)
 	fn.ServeHTTP(rr, req.WithContext(ctx))
 	assert.Equal(t, http.StatusUnauthorized, rr.Code)
 
-	fn = jwtAuthenticatorWeb(r)
+	fn = jwtAuthenticatorWebAdmin(r)
 	rr = httptest.NewRecorder()
 	req, _ = http.NewRequest(http.MethodGet, webUserPath, nil)
 	ctx = jwtauth.NewContext(req.Context(), token, nil)
+	fn.ServeHTTP(rr, req.WithContext(ctx))
+	assert.Equal(t, http.StatusFound, rr.Code)
+	assert.Equal(t, webLoginPath, rr.Header().Get("Location"))
 
+	fn = jwtAuthenticatorWebClient(r)
+	rr = httptest.NewRecorder()
+	req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
+	ctx = jwtauth.NewContext(req.Context(), token, nil)
 	fn.ServeHTTP(rr, req.WithContext(ctx))
 	assert.Equal(t, http.StatusFound, rr.Code)
+	assert.Equal(t, webClientLoginPath, rr.Header().Get("Location"))
 
 	errTest := errors.New("test error")
 	permFn := checkPerm(dataprovider.PermAdminAny)
@@ -501,6 +554,15 @@ func TestJWTTokenValidation(t *testing.T) {
 	ctx = jwtauth.NewContext(req.Context(), token, errTest)
 	fn.ServeHTTP(rr, req.WithContext(ctx))
 	assert.Equal(t, http.StatusBadRequest, rr.Code)
+
+	permClientFn := checkClientPerm(dataprovider.WebClientPubKeyChangeDisabled)
+	fn = permClientFn(r)
+	rr = httptest.NewRecorder()
+	req, _ = http.NewRequest(http.MethodPost, webChangeClientKeysPath, nil)
+	req.RequestURI = webChangeClientKeysPath
+	ctx = jwtauth.NewContext(req.Context(), token, errTest)
+	fn.ServeHTTP(rr, req.WithContext(ctx))
+	assert.Equal(t, http.StatusBadRequest, rr.Code)
 }
 
 func TestAdminAllowListConnAddr(t *testing.T) {
@@ -565,6 +627,7 @@ func TestCookieExpiration(t *testing.T) {
 	claims[claimPermissionsKey] = admin.Permissions
 	claims[jwt.SubjectKey] = admin.GetSignature()
 	claims[jwt.ExpirationKey] = time.Now().Add(1 * time.Minute)
+	claims[jwt.AudienceKey] = tokenAudienceAPI
 	token, _, err = server.tokenAuth.Encode(claims)
 	assert.NoError(t, err)
 	req, _ = http.NewRequest(http.MethodGet, tokenPath, nil)
@@ -599,6 +662,7 @@ func TestCookieExpiration(t *testing.T) {
 	claims[claimPermissionsKey] = admin.Permissions
 	claims[jwt.SubjectKey] = admin.GetSignature()
 	claims[jwt.ExpirationKey] = time.Now().Add(1 * time.Minute)
+	claims[jwt.AudienceKey] = tokenAudienceAPI
 	token, _, err = server.tokenAuth.Encode(claims)
 	assert.NoError(t, err)
 	req, _ = http.NewRequest(http.MethodGet, tokenPath, nil)
@@ -625,6 +689,82 @@ func TestCookieExpiration(t *testing.T) {
 
 	err = dataprovider.DeleteAdmin(admin.Username)
 	assert.NoError(t, err)
+	// now check client cookie expiration
+	username := "client"
+	user := dataprovider.User{
+		Username:    username,
+		Password:    "clientpwd",
+		HomeDir:     filepath.Join(os.TempDir(), username),
+		Status:      1,
+		Description: "test user",
+	}
+	user.Permissions = make(map[string][]string)
+	user.Permissions["/"] = []string{"*"}
+
+	claims = make(map[string]interface{})
+	claims[claimUsernameKey] = user.Username
+	claims[claimPermissionsKey] = user.Filters.WebClient
+	claims[jwt.SubjectKey] = user.GetSignature()
+	claims[jwt.ExpirationKey] = time.Now().Add(1 * time.Minute)
+	claims[jwt.AudienceKey] = tokenAudienceWebClient
+	token, _, err = server.tokenAuth.Encode(claims)
+	assert.NoError(t, err)
+
+	rr = httptest.NewRecorder()
+	req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
+	ctx = jwtauth.NewContext(req.Context(), token, nil)
+	server.checkCookieExpiration(rr, req.WithContext(ctx))
+	cookie = rr.Header().Get("Set-Cookie")
+	assert.Empty(t, cookie)
+	// the password will be hashed and so the signature will change
+	err = dataprovider.AddUser(&user)
+	assert.NoError(t, err)
+	req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
+	ctx = jwtauth.NewContext(req.Context(), token, nil)
+	server.checkCookieExpiration(rr, req.WithContext(ctx))
+	cookie = rr.Header().Get("Set-Cookie")
+	assert.Empty(t, cookie)
+
+	user, err = dataprovider.UserExists(user.Username)
+	assert.NoError(t, err)
+	user.Filters.AllowedIP = []string{"172.16.4.0/24"}
+	err = dataprovider.UpdateUser(&user)
+	assert.NoError(t, err)
+
+	user, err = dataprovider.UserExists(user.Username)
+	assert.NoError(t, err)
+	claims = make(map[string]interface{})
+	claims[claimUsernameKey] = user.Username
+	claims[claimPermissionsKey] = user.Filters.WebClient
+	claims[jwt.SubjectKey] = user.GetSignature()
+	claims[jwt.ExpirationKey] = time.Now().Add(1 * time.Minute)
+	claims[jwt.AudienceKey] = tokenAudienceWebClient
+	token, _, err = server.tokenAuth.Encode(claims)
+	assert.NoError(t, err)
+
+	req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
+	req.RemoteAddr = "172.16.3.12:4567"
+	ctx = jwtauth.NewContext(req.Context(), token, nil)
+	server.checkCookieExpiration(rr, req.WithContext(ctx))
+	cookie = rr.Header().Get("Set-Cookie")
+	assert.Empty(t, cookie)
+
+	req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
+	req.RemoteAddr = "172.16.4.12:4567"
+	ctx = jwtauth.NewContext(req.Context(), token, nil)
+	server.checkCookieExpiration(rr, req.WithContext(context.WithValue(ctx, connAddrKey, "172.16.0.1:4567")))
+	cookie = rr.Header().Get("Set-Cookie")
+	assert.Empty(t, cookie)
+
+	req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
+	req.RemoteAddr = "172.16.4.16:4567"
+	ctx = jwtauth.NewContext(req.Context(), token, nil)
+	server.checkCookieExpiration(rr, req.WithContext(context.WithValue(ctx, connAddrKey, "172.16.4.18:4567")))
+	cookie = rr.Header().Get("Set-Cookie")
+	assert.NotEmpty(t, cookie)
+
+	err = dataprovider.DeleteUser(user.Username)
+	assert.NoError(t, err)
 }
 
 func TestGetURLParam(t *testing.T) {
@@ -672,9 +812,13 @@ func TestCloseConnectionHandler(t *testing.T) {
 func TestRenderInvalidTemplate(t *testing.T) {
 	tmpl, err := template.New("test").Parse("{{.Count}}")
 	if assert.NoError(t, err) {
-		templates["no_match"] = tmpl
+		noMatchTmpl := "no_match"
+		adminTemplates[noMatchTmpl] = tmpl
 		rw := httptest.NewRecorder()
-		renderTemplate(rw, "no_match", map[string]string{})
+		renderAdminTemplate(rw, noMatchTmpl, map[string]string{})
+		assert.Equal(t, http.StatusInternalServerError, rw.Code)
+		clientTemplates[noMatchTmpl] = tmpl
+		renderClientTemplate(rw, noMatchTmpl, map[string]string{})
 		assert.Equal(t, http.StatusInternalServerError, rw.Code)
 	}
 }
@@ -869,3 +1013,296 @@ func TestJWTTokenCleanup(t *testing.T) {
 	assert.Eventually(t, func() bool { return !isTokenInvalidated(req) }, 1*time.Second, 200*time.Millisecond)
 	stopJWTTokensCleanupTicker()
 }
+
+func TestWebAdminRedirect(t *testing.T) {
+	b := Binding{
+		Address:         "",
+		Port:            8080,
+		EnableWebAdmin:  true,
+		EnableWebClient: false,
+	}
+	server := newHttpdServer(b, "../static")
+	server.initializeRouter()
+	testServer := httptest.NewServer(server.router)
+	defer testServer.Close()
+
+	req, err := http.NewRequest(http.MethodGet, webRootPath, nil)
+	assert.NoError(t, err)
+	rr := httptest.NewRecorder()
+	testServer.Config.Handler.ServeHTTP(rr, req)
+	assert.Equal(t, http.StatusMovedPermanently, rr.Code, rr.Body.String())
+	assert.Equal(t, webLoginPath, rr.Header().Get("Location"))
+
+	req, err = http.NewRequest(http.MethodGet, webBasePath, nil)
+	assert.NoError(t, err)
+	rr = httptest.NewRecorder()
+	testServer.Config.Handler.ServeHTTP(rr, req)
+	assert.Equal(t, http.StatusMovedPermanently, rr.Code, rr.Body.String())
+	assert.Equal(t, webLoginPath, rr.Header().Get("Location"))
+}
+
+func TestParseRangeRequests(t *testing.T) {
+	// curl --verbose  "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=24-24"
+	fileSize := int64(169740)
+	rangeHeader := "bytes=24-24"
+	offset, size, err := parseRangeRequest(rangeHeader[6:], fileSize)
+	require.NoError(t, err)
+	resp := fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
+	assert.Equal(t, "bytes 24-24/169740", resp)
+	require.Equal(t, int64(1), size)
+	// curl --verbose  "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=24-"
+	rangeHeader = "bytes=24-"
+	offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
+	require.NoError(t, err)
+	resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
+	assert.Equal(t, "bytes 24-169739/169740", resp)
+	require.Equal(t, int64(169716), size)
+	// curl --verbose  "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=-1"
+	rangeHeader = "bytes=-1"
+	offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
+	require.NoError(t, err)
+	resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
+	assert.Equal(t, "bytes 169739-169739/169740", resp)
+	require.Equal(t, int64(1), size)
+	// curl --verbose  "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=-100"
+	rangeHeader = "bytes=-100"
+	offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
+	require.NoError(t, err)
+	resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
+	assert.Equal(t, "bytes 169640-169739/169740", resp)
+	require.Equal(t, int64(100), size)
+	// curl --verbose  "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=20-30"
+	rangeHeader = "bytes=20-30"
+	offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
+	require.NoError(t, err)
+	resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
+	assert.Equal(t, "bytes 20-30/169740", resp)
+	require.Equal(t, int64(11), size)
+	// curl --verbose  "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=20-169739"
+	rangeHeader = "bytes=20-169739"
+	offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
+	require.NoError(t, err)
+	resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
+	assert.Equal(t, "bytes 20-169739/169740", resp)
+	require.Equal(t, int64(169720), size)
+	// curl --verbose  "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=20-169740"
+	rangeHeader = "bytes=20-169740"
+	offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
+	require.NoError(t, err)
+	resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
+	assert.Equal(t, "bytes 20-169739/169740", resp)
+	require.Equal(t, int64(169720), size)
+	// curl --verbose  "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=20-169741"
+	rangeHeader = "bytes=20-169741"
+	offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
+	require.NoError(t, err)
+	resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
+	assert.Equal(t, "bytes 20-169739/169740", resp)
+	require.Equal(t, int64(169720), size)
+	//curl --verbose  "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=0-" > /dev/null
+	rangeHeader = "bytes=0-"
+	offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
+	require.NoError(t, err)
+	resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
+	assert.Equal(t, "bytes 0-169739/169740", resp)
+	require.Equal(t, int64(169740), size)
+	// now test errors
+	rangeHeader = "bytes=0-a"
+	_, _, err = parseRangeRequest(rangeHeader[6:], fileSize)
+	require.Error(t, err)
+	rangeHeader = "bytes="
+	_, _, err = parseRangeRequest(rangeHeader[6:], fileSize)
+	require.Error(t, err)
+	rangeHeader = "bytes=-"
+	_, _, err = parseRangeRequest(rangeHeader[6:], fileSize)
+	require.Error(t, err)
+	rangeHeader = "bytes=500-300"
+	_, _, err = parseRangeRequest(rangeHeader[6:], fileSize)
+	require.Error(t, err)
+	rangeHeader = "bytes=5000000"
+	_, _, err = parseRangeRequest(rangeHeader[6:], fileSize)
+	require.Error(t, err)
+}
+
+func TestRequestHeaderErrors(t *testing.T) {
+	req, _ := http.NewRequest(http.MethodGet, webClientFilesPath, nil)
+	req.Header.Set("If-Unmodified-Since", "not a date")
+	res := checkIfUnmodifiedSince(req, time.Now())
+	assert.Equal(t, condNone, res)
+
+	req, _ = http.NewRequest(http.MethodPost, webClientFilesPath, nil)
+	res = checkIfModifiedSince(req, time.Now())
+	assert.Equal(t, condNone, res)
+
+	req, _ = http.NewRequest(http.MethodPost, webClientFilesPath, nil)
+	res = checkIfRange(req, time.Now())
+	assert.Equal(t, condNone, res)
+
+	req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
+	req.Header.Set("If-Modified-Since", "not a date")
+	res = checkIfModifiedSince(req, time.Now())
+	assert.Equal(t, condNone, res)
+
+	req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
+	req.Header.Set("If-Range", time.Now().Format(http.TimeFormat))
+	res = checkIfRange(req, time.Time{})
+	assert.Equal(t, condFalse, res)
+
+	req.Header.Set("If-Range", "invalid if range date")
+	res = checkIfRange(req, time.Now())
+	assert.Equal(t, condFalse, res)
+	modTime := getFileObjectModTime(time.Time{})
+	assert.Empty(t, modTime)
+}
+
+func TestConnection(t *testing.T) {
+	user := dataprovider.User{
+		Username: "test_httpd_user",
+		HomeDir:  filepath.Clean(os.TempDir()),
+		FsConfig: vfs.Filesystem{
+			Provider: vfs.GCSFilesystemProvider,
+			GCSConfig: vfs.GCSFsConfig{
+				Bucket:      "test_bucket_name",
+				Credentials: kms.NewPlainSecret("invalid JSON payload"),
+			},
+		},
+	}
+	user.Permissions = make(map[string][]string)
+	user.Permissions["/"] = []string{dataprovider.PermAny}
+	connection := &Connection{
+		BaseConnection: common.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, user),
+		request:        nil,
+	}
+	assert.Empty(t, connection.GetClientVersion())
+	assert.Empty(t, connection.GetRemoteAddress())
+	assert.Empty(t, connection.GetCommand())
+	name := "missing file name"
+	_, err := connection.getFileReader(name, 0)
+	assert.Error(t, err)
+	connection.User.FsConfig.Provider = vfs.LocalFilesystemProvider
+	_, err = connection.getFileReader(name, 0)
+	assert.ErrorIs(t, err, os.ErrNotExist)
+}
+
+func TestRenderDirError(t *testing.T) {
+	user := dataprovider.User{
+		Username: "test_httpd_user",
+		HomeDir:  filepath.Clean(os.TempDir()),
+	}
+	user.Permissions = make(map[string][]string)
+	user.Permissions["/"] = []string{dataprovider.PermAny}
+	connection := &Connection{
+		BaseConnection: common.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, user),
+		request:        nil,
+	}
+
+	rr := httptest.NewRecorder()
+	req, _ := http.NewRequest(http.MethodGet, webClientFilesPath, nil)
+	renderDirContents(rr, req, connection, "missing dir")
+	assert.Equal(t, http.StatusOK, rr.Code)
+	assert.Contains(t, rr.Body.String(), "text-form-error")
+}
+
+func TestHTTPDFile(t *testing.T) {
+	user := dataprovider.User{
+		Username: "test_httpd_user",
+		HomeDir:  filepath.Clean(os.TempDir()),
+	}
+	user.Permissions = make(map[string][]string)
+	user.Permissions["/"] = []string{dataprovider.PermAny}
+	connection := &Connection{
+		BaseConnection: common.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, user),
+		request:        nil,
+	}
+
+	fs, err := user.GetFilesystem("")
+	assert.NoError(t, err)
+
+	name := "fileName"
+	p := filepath.Join(os.TempDir(), name)
+	err = os.WriteFile(p, []byte("contents"), os.ModePerm)
+	assert.NoError(t, err)
+	file, err := os.Open(p)
+	assert.NoError(t, err)
+	err = file.Close()
+	assert.NoError(t, err)
+
+	baseTransfer := common.NewBaseTransfer(file, connection.BaseConnection, nil, p, name, common.TransferDownload,
+		0, 0, 0, false, fs)
+	httpdFile := newHTTPDFile(baseTransfer, nil)
+	// the file is closed, read should fail
+	buf := make([]byte, 100)
+	_, err = httpdFile.Read(buf)
+	assert.Error(t, err)
+	err = httpdFile.Close()
+	assert.Error(t, err)
+	err = httpdFile.Close()
+	assert.ErrorIs(t, err, common.ErrTransferClosed)
+}
+
+func TestChangeUserPwd(t *testing.T) {
+	req, _ := http.NewRequest(http.MethodPost, webChangeClientPwdPath, nil)
+	err := doChangeUserPassword(req, "", "", "")
+	if assert.Error(t, err) {
+		assert.Contains(t, err.Error(), "please provide the current password and the new one two times")
+	}
+	err = doChangeUserPassword(req, "a", "b", "c")
+	if assert.Error(t, err) {
+		assert.Contains(t, err.Error(), "the two password fields do not match")
+	}
+	err = doChangeUserPassword(req, "a", "b", "b")
+	if assert.Error(t, err) {
+		assert.Contains(t, err.Error(), "invalid token claims")
+	}
+}
+
+func TestGetFilesInvalidClaims(t *testing.T) {
+	server := httpdServer{}
+	server.initializeRouter()
+
+	rr := httptest.NewRecorder()
+	user := dataprovider.User{
+		Username: "",
+		Password: "pwd",
+	}
+	c := jwtTokenClaims{
+		Username:    user.Username,
+		Permissions: nil,
+		Signature:   user.GetSignature(),
+	}
+	token, err := c.createTokenResponse(server.tokenAuth, tokenAudienceWebClient)
+	assert.NoError(t, err)
+
+	req, _ := http.NewRequest(http.MethodGet, webClientFilesPath, nil)
+	req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
+	handleClientGetFiles(rr, req)
+	assert.Equal(t, http.StatusForbidden, rr.Code)
+	assert.Contains(t, rr.Body.String(), "Invalid token claims")
+}
+
+func TestManageKeysInvalidClaims(t *testing.T) {
+	server := httpdServer{}
+	server.initializeRouter()
+
+	rr := httptest.NewRecorder()
+	user := dataprovider.User{
+		Username: "",
+		Password: "pwd",
+	}
+	c := jwtTokenClaims{
+		Username:    user.Username,
+		Permissions: nil,
+		Signature:   user.GetSignature(),
+	}
+	token, err := c.createTokenResponse(server.tokenAuth, tokenAudienceWebClient)
+	assert.NoError(t, err)
+	form := make(url.Values)
+	form.Set(csrfFormToken, createCSRFToken())
+	form.Set("public_keys", "")
+	req, _ := http.NewRequest(http.MethodPost, webChangeClientKeysPath, bytes.NewBuffer([]byte(form.Encode())))
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
+	handleWebClientManageKeysPost(rr, req)
+	assert.Equal(t, http.StatusInternalServerError, rr.Code)
+	assert.Contains(t, rr.Body.String(), "Invalid token claims")
+}

httpd/middleware.go

@@ -15,7 +15,10 @@ import (
 	"github.com/drakkan/sftpgo/utils"
 )
 
-var connAddrKey = &contextKey{"connection address"}
+var (
+	connAddrKey     = &contextKey{"connection address"}
+	errInvalidToken = errors.New("invalid JWT token")
+)
 
 type contextKey struct {
 	name string
@@ -32,30 +35,60 @@ func saveConnectionAddress(next http.Handler) http.Handler {
 	})
 }
 
-func jwtAuthenticator(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		token, _, err := jwtauth.FromContext(r.Context())
+func validateJWTToken(w http.ResponseWriter, r *http.Request, audience tokenAudience) error {
+	token, _, err := jwtauth.FromContext(r.Context())
 
-		if err != nil || token == nil {
-			logger.Debug(logSender, "", "error getting jwt token: %v", err)
+	var redirectPath string
+	if audience == tokenAudienceWebAdmin {
+		redirectPath = webLoginPath
+	} else {
+		redirectPath = webClientLoginPath
+	}
+
+	if err != nil || token == nil {
+		logger.Debug(logSender, "", "error getting jwt token: %v", err)
+		if audience == tokenAudienceAPI {
 			sendAPIResponse(w, r, err, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
-			return
+		} else {
+			http.Redirect(w, r, redirectPath, http.StatusFound)
 		}
+		return errInvalidToken
+	}
 
-		err = jwt.Validate(token)
-		if err != nil {
-			logger.Debug(logSender, "", "error validating jwt token: %v", err)
+	err = jwt.Validate(token)
+	if err != nil {
+		logger.Debug(logSender, "", "error validating jwt token: %v", err)
+		if audience == tokenAudienceAPI {
 			sendAPIResponse(w, r, err, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
-			return
+		} else {
+			http.Redirect(w, r, redirectPath, http.StatusFound)
 		}
-		if !utils.IsStringInSlice(tokenAudienceAPI, token.Audience()) {
-			logger.Debug(logSender, "", "the token audience is not valid for API usage")
+		return errInvalidToken
+	}
+	if !utils.IsStringInSlice(audience, token.Audience()) {
+		logger.Debug(logSender, "", "the token is not valid for audience %#v", audience)
+		if audience == tokenAudienceAPI {
 			sendAPIResponse(w, r, nil, "Your token audience is not valid", http.StatusUnauthorized)
-			return
+		} else {
+			http.Redirect(w, r, redirectPath, http.StatusFound)
 		}
-		if isTokenInvalidated(r) {
-			logger.Debug(logSender, "", "the token has been invalidated")
+		return errInvalidToken
+	}
+	if isTokenInvalidated(r) {
+		logger.Debug(logSender, "", "the token has been invalidated")
+		if audience == tokenAudienceAPI {
 			sendAPIResponse(w, r, nil, "Your token is no longer valid", http.StatusUnauthorized)
+		} else {
+			http.Redirect(w, r, redirectPath, http.StatusFound)
+		}
+		return errInvalidToken
+	}
+	return nil
+}
+
+func jwtAuthenticatorAPI(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if err := validateJWTToken(w, r, tokenAudienceAPI); err != nil {
 			return
 		}
 
@@ -64,30 +97,20 @@ func jwtAuthenticator(next http.Handler) http.Handler {
 	})
 }
 
-func jwtAuthenticatorWeb(next http.Handler) http.Handler {
+func jwtAuthenticatorWebAdmin(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		token, _, err := jwtauth.FromContext(r.Context())
-
-		if err != nil || token == nil {
-			logger.Debug(logSender, "", "error getting web jwt token: %v", err)
-			http.Redirect(w, r, webLoginPath, http.StatusFound)
+		if err := validateJWTToken(w, r, tokenAudienceWebAdmin); err != nil {
 			return
 		}
 
-		err = jwt.Validate(token)
-		if err != nil {
-			logger.Debug(logSender, "", "error validating web jwt token: %v", err)
-			http.Redirect(w, r, webLoginPath, http.StatusFound)
-			return
-		}
-		if !utils.IsStringInSlice(tokenAudienceWeb, token.Audience()) {
-			logger.Debug(logSender, "", "the token audience is not valid for Web usage")
-			http.Redirect(w, r, webLoginPath, http.StatusFound)
-			return
-		}
-		if isTokenInvalidated(r) {
-			logger.Debug(logSender, "", "the token has been invalidated")
-			http.Redirect(w, r, webLoginPath, http.StatusFound)
+		// Token is authenticated, pass it through
+		next.ServeHTTP(w, r)
+	})
+}
+
+func jwtAuthenticatorWebClient(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if err := validateJWTToken(w, r, tokenAudienceWebClient); err != nil {
 			return
 		}
 
@@ -96,12 +119,33 @@ func jwtAuthenticatorWeb(next http.Handler) http.Handler {
 	})
 }
 
+func checkClientPerm(perm string) func(next http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			_, claims, err := jwtauth.FromContext(r.Context())
+			if err != nil {
+				renderClientBadRequestPage(w, r, err)
+				return
+			}
+			tokenClaims := jwtTokenClaims{}
+			tokenClaims.Decode(claims)
+			// for web client perms are negated and not granted
+			if tokenClaims.hasPerm(perm) {
+				renderClientForbiddenPage(w, r, "You don't have permission for this action")
+				return
+			}
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}
+
 func checkPerm(perm string) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			_, claims, err := jwtauth.FromContext(r.Context())
 			if err != nil {
-				if isWebAdminRequest(r) {
+				if isWebRequest(r) {
 					renderBadRequestPage(w, r, err)
 				} else {
 					sendAPIResponse(w, r, err, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
@@ -112,7 +156,7 @@ func checkPerm(perm string) func(next http.Handler) http.Handler {
 			tokenClaims.Decode(claims)
 
 			if !tokenClaims.hasPerm(perm) {
-				if isWebAdminRequest(r) {
+				if isWebRequest(r) {
 					renderForbiddenPage(w, r, "You don't have permission for this action")
 				} else {
 					sendAPIResponse(w, r, nil, http.StatusText(http.StatusForbidden), http.StatusForbidden)

httpd/schema/openapi.yaml

@@ -1375,11 +1375,20 @@ components:
         - SSH
         - FTP
         - DAV
+        - HTTP
       description: |
         Protocols:
           * `SSH` - includes both SFTP and SSH commands
           * `FTP` - plain FTP and FTPES/FTPS
           * `DAV` - WebDAV over HTTP/HTTPS
+          * `HTTP` - WebClient
+    WebClientOptions:
+      type: string
+      enum:
+        - publickey-change-disabled
+      description: |
+        Options:
+          * `publickey-change-disabled` - changing SSH public keys is not allowed
     PatternsFilter:
       type: object
       properties:
@@ -1492,7 +1501,12 @@ components:
           type: boolean
           example: false
           description: Disable checks for existence and automatic creation of home directory and virtual folders. SFTPGo requires that the user's home directory, virtual folder root, and intermediate paths to virtual folders exist to work properly. If you already know that the required directories exist, disabling these checks will speed up login. You could, for example, disable these checks after the first login
-      description: Additional user restrictions
+        web_client:
+          type: array
+          items:
+            $ref: '#/components/schemas/WebClientOptions'
+          description: WebClient related configuration options
+      description: Additional user options
     Secret:
       type: object
       properties:

httpd/server.go

@@ -14,6 +14,7 @@ import (
 	"github.com/go-chi/jwtauth/v5"
 	"github.com/go-chi/render"
 	"github.com/lestrrat-go/jwx/jwa"
+	"github.com/rs/xid"
 
 	"github.com/drakkan/sftpgo/common"
 	"github.com/drakkan/sftpgo/dataprovider"
@@ -28,27 +29,32 @@ type httpdServer struct {
 	binding         Binding
 	staticFilesPath string
 	enableWebAdmin  bool
+	enableWebClient bool
 	router          *chi.Mux
 	tokenAuth       *jwtauth.JWTAuth
 }
 
-func newHttpdServer(b Binding, staticFilesPath string, enableWebAdmin bool) *httpdServer {
+func newHttpdServer(b Binding, staticFilesPath string) *httpdServer {
 	return &httpdServer{
 		binding:         b,
 		staticFilesPath: staticFilesPath,
-		enableWebAdmin:  enableWebAdmin && b.EnableWebAdmin,
+		enableWebAdmin:  b.EnableWebAdmin,
+		enableWebClient: b.EnableWebClient,
 	}
 }
 
 func (s *httpdServer) listenAndServe() error {
 	s.initializeRouter()
 	httpServer := &http.Server{
-		Handler:        s.router,
-		ReadTimeout:    60 * time.Second,
-		WriteTimeout:   60 * time.Second,
-		IdleTimeout:    120 * time.Second,
-		MaxHeaderBytes: 1 << 16, // 64KB
-		ErrorLog:       log.New(&logger.StdLoggerWrapper{Sender: logSender}, "", 0),
+		Handler:           s.router,
+		ReadHeaderTimeout: 30 * time.Second,
+		IdleTimeout:       120 * time.Second,
+		MaxHeaderBytes:    1 << 16, // 64KB
+		ErrorLog:          log.New(&logger.StdLoggerWrapper{Sender: logSender}, "", 0),
+	}
+	if !s.binding.EnableWebClient {
+		httpServer.ReadTimeout = 60 * time.Second
+		httpServer.WriteTimeout = 90 * time.Second
 	}
 	if certMgr != nil && s.binding.EnableHTTPS {
 		config := &tls.Config{
@@ -104,7 +110,81 @@ func (s *httpdServer) refreshCookie(next http.Handler) http.Handler {
 	})
 }
 
-func (s *httpdServer) handleWebLoginPost(w http.ResponseWriter, r *http.Request) {
+func (s *httpdServer) handleWebClientLoginPost(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+	common.Connections.AddNetworkConnection()
+	defer common.Connections.RemoveNetworkConnection()
+
+	if err := r.ParseForm(); err != nil {
+		renderClientLoginPage(w, err.Error())
+		return
+	}
+	username := r.Form.Get("username")
+	password := r.Form.Get("password")
+	if username == "" || password == "" {
+		renderClientLoginPage(w, "Invalid credentials")
+		return
+	}
+	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
+		renderClientLoginPage(w, err.Error())
+		return
+	}
+
+	ipAddr := utils.GetIPFromRemoteAddress(r.RemoteAddr)
+	if !common.Connections.IsNewConnectionAllowed() {
+		logger.Log(logger.LevelDebug, common.ProtocolHTTP, "", "connection refused, configured limit reached")
+		renderClientLoginPage(w, "configured connections limit reached")
+		return
+	}
+	if common.IsBanned(ipAddr) {
+		renderClientLoginPage(w, "your IP address is banned")
+		return
+	}
+
+	if err := common.Config.ExecutePostConnectHook(ipAddr, common.ProtocolHTTP); err != nil {
+		renderClientLoginPage(w, fmt.Sprintf("access denied by post connect hook: %v", err))
+		return
+	}
+
+	user, err := dataprovider.CheckUserAndPass(username, password, ipAddr, common.ProtocolHTTP)
+	if err != nil {
+		updateLoginMetrics(&user, ipAddr, err)
+		renderClientLoginPage(w, dataprovider.ErrInvalidCredentials.Error())
+		return
+	}
+	connectionID := fmt.Sprintf("%v_%v", common.ProtocolHTTP, xid.New().String())
+	if err := checkWebClientUser(&user, r, connectionID); err != nil {
+		updateLoginMetrics(&user, ipAddr, err)
+		renderClientLoginPage(w, err.Error())
+		return
+	}
+
+	defer user.CloseFs() //nolint:errcheck
+	err = user.CheckFsRoot(connectionID)
+	if err != nil {
+		logger.Warn(logSender, connectionID, "unable to check fs root: %v", err)
+		updateLoginMetrics(&user, ipAddr, err)
+		renderClientLoginPage(w, err.Error())
+		return
+	}
+
+	c := jwtTokenClaims{
+		Username:    user.Username,
+		Permissions: user.Filters.WebClient,
+		Signature:   user.GetSignature(),
+	}
+
+	err = c.createAndSetCookie(w, r, s.tokenAuth, tokenAudienceWebClient)
+	if err != nil {
+		updateLoginMetrics(&user, ipAddr, err)
+		renderLoginPage(w, err.Error())
+		return
+	}
+	updateLoginMetrics(&user, ipAddr, err)
+	http.Redirect(w, r, webClientFilesPath, http.StatusFound)
+}
+
+func (s *httpdServer) handleWebAdminLoginPost(w http.ResponseWriter, r *http.Request) {
 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
 	if err := r.ParseForm(); err != nil {
 		renderLoginPage(w, err.Error())
@@ -139,7 +219,7 @@ func (s *httpdServer) handleWebLoginPost(w http.ResponseWriter, r *http.Request)
 		Signature:   admin.GetSignature(),
 	}
 
-	err = c.createAndSetCookie(w, r, s.tokenAuth)
+	err = c.createAndSetCookie(w, r, s.tokenAuth, tokenAudienceWebAdmin)
 	if err != nil {
 		renderLoginPage(w, err.Error())
 		return
@@ -209,6 +289,32 @@ func (s *httpdServer) checkCookieExpiration(w http.ResponseWriter, r *http.Reque
 	if time.Until(token.Expiration()) > tokenRefreshMin {
 		return
 	}
+	if utils.IsStringInSlice(tokenAudienceWebClient, token.Audience()) {
+		s.refreshClientToken(w, r, tokenClaims)
+	} else {
+		s.refreshAdminToken(w, r, tokenClaims)
+	}
+}
+
+func (s *httpdServer) refreshClientToken(w http.ResponseWriter, r *http.Request, tokenClaims jwtTokenClaims) {
+	user, err := dataprovider.UserExists(tokenClaims.Username)
+	if err != nil {
+		return
+	}
+	if user.GetSignature() != tokenClaims.Signature {
+		logger.Debug(logSender, "", "signature mismatch for user %#v, unable to refresh cookie", user.Username)
+		return
+	}
+	if err := checkWebClientUser(&user, r, xid.New().String()); err != nil {
+		logger.Debug(logSender, "", "unable to refresh cookie for user %#v: %v", user.Username, err)
+		return
+	}
+
+	logger.Debug(logSender, "", "cookie refreshed for user %#v", user.Username)
+	tokenClaims.createAndSetCookie(w, r, s.tokenAuth, tokenAudienceWebClient) //nolint:errcheck
+}
+
+func (s *httpdServer) refreshAdminToken(w http.ResponseWriter, r *http.Request, tokenClaims jwtTokenClaims) {
 	admin, err := dataprovider.AdminExists(tokenClaims.Username)
 	if err != nil {
 		return
@@ -235,7 +341,7 @@ func (s *httpdServer) checkCookieExpiration(w http.ResponseWriter, r *http.Reque
 		}
 	}
 	logger.Debug(logSender, "", "cookie refreshed for admin %#v", admin.Username)
-	tokenClaims.createAndSetCookie(w, r, s.tokenAuth) //nolint:errcheck
+	tokenClaims.createAndSetCookie(w, r, s.tokenAuth, tokenAudienceWebAdmin) //nolint:errcheck
 }
 
 func (s *httpdServer) updateContextFromCookie(r *http.Request) *http.Request {
@@ -274,8 +380,12 @@ func (s *httpdServer) initializeRouter() {
 		router.Use(middleware.Recoverer)
 
 		router.NotFound(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			if s.enableWebAdmin && isWebAdminRequest(r) {
+			if (s.enableWebAdmin || s.enableWebClient) && isWebRequest(r) {
 				r = s.updateContextFromCookie(r)
+				if s.enableWebClient && (isWebClientRequest(r) || !s.enableWebAdmin) {
+					renderClientNotFoundPage(w, r, nil)
+					return
+				}
 				renderNotFoundPage(w, r, nil)
 				return
 			}
@@ -286,7 +396,7 @@ func (s *httpdServer) initializeRouter() {
 
 		router.Group(func(router chi.Router) {
 			router.Use(jwtauth.Verify(s.tokenAuth, jwtauth.TokenFromHeader))
-			router.Use(jwtAuthenticator)
+			router.Use(jwtAuthenticatorAPI)
 
 			router.Get(versionPath, func(w http.ResponseWriter, r *http.Request) {
 				render.JSON(w, r, version.Get())
@@ -336,21 +446,58 @@ func (s *httpdServer) initializeRouter() {
 			router.With(checkPerm(dataprovider.PermAdminManageAdmins)).Delete(adminPath+"/{username}", deleteAdmin)
 		})
 
-		if s.enableWebAdmin {
-			router.Get(webRootPath, func(w http.ResponseWriter, r *http.Request) {
-				http.Redirect(w, r, webLoginPath, http.StatusMovedPermanently)
+		if s.enableWebAdmin || s.enableWebClient {
+			router.Group(func(router chi.Router) {
+				router.Use(compressor.Handler)
+				fileServer(router, webStaticFilesPath, http.Dir(s.staticFilesPath))
 			})
+			if s.enableWebClient {
+				router.Get(webRootPath, func(w http.ResponseWriter, r *http.Request) {
+					http.Redirect(w, r, webClientLoginPath, http.StatusMovedPermanently)
+				})
+				router.Get(webBasePath, func(w http.ResponseWriter, r *http.Request) {
+					http.Redirect(w, r, webClientLoginPath, http.StatusMovedPermanently)
+				})
+			} else {
+				router.Get(webRootPath, func(w http.ResponseWriter, r *http.Request) {
+					http.Redirect(w, r, webLoginPath, http.StatusMovedPermanently)
+				})
+				router.Get(webBasePath, func(w http.ResponseWriter, r *http.Request) {
+					http.Redirect(w, r, webLoginPath, http.StatusMovedPermanently)
+				})
+			}
+		}
 
-			router.Get(webBasePath, func(w http.ResponseWriter, r *http.Request) {
-				http.Redirect(w, r, webLoginPath, http.StatusMovedPermanently)
+		if s.enableWebClient {
+			router.Get(webBaseClientPath, func(w http.ResponseWriter, r *http.Request) {
+				http.Redirect(w, r, webClientLoginPath, http.StatusMovedPermanently)
+			})
+			router.Get(webClientLoginPath, handleClientWebLogin)
+			router.Post(webClientLoginPath, s.handleWebClientLoginPost)
+
+			router.Group(func(router chi.Router) {
+				router.Use(jwtauth.Verify(s.tokenAuth, jwtauth.TokenFromCookie))
+				router.Use(jwtAuthenticatorWebClient)
+
+				router.Get(webClientLogoutPath, handleWebClientLogout)
+				router.With(s.refreshCookie).Get(webClientFilesPath, handleClientGetFiles)
+				router.With(s.refreshCookie).Get(webClientCredentialsPath, handleClientGetCredentials)
+				router.Post(webChangeClientPwdPath, handleWebClientChangePwdPost)
+				router.With(checkClientPerm(dataprovider.WebClientPubKeyChangeDisabled)).
+					Post(webChangeClientKeysPath, handleWebClientManageKeysPost)
 			})
+		}
 
+		if s.enableWebAdmin {
+			router.Get(webBaseAdminPath, func(w http.ResponseWriter, r *http.Request) {
+				http.Redirect(w, r, webLoginPath, http.StatusMovedPermanently)
+			})
 			router.Get(webLoginPath, handleWebLogin)
-			router.Post(webLoginPath, s.handleWebLoginPost)
+			router.Post(webLoginPath, s.handleWebAdminLoginPost)
 
 			router.Group(func(router chi.Router) {
 				router.Use(jwtauth.Verify(s.tokenAuth, jwtauth.TokenFromCookie))
-				router.Use(jwtAuthenticatorWeb)
+				router.Use(jwtAuthenticatorWebAdmin)
 
 				router.Get(webLogoutPath, handleWebLogout)
 				router.With(s.refreshCookie).Get(webChangeAdminPwdPath, handleWebAdminChangePwd)
@@ -405,11 +552,6 @@ func (s *httpdServer) initializeRouter() {
 					Get(webTemplateFolder, handleWebTemplateFolderGet)
 				router.With(checkPerm(dataprovider.PermAdminManageSystem)).Post(webTemplateFolder, handleWebTemplateFolderPost)
 			})
-
-			router.Group(func(router chi.Router) {
-				router.Use(compressor.Handler)
-				fileServer(router, webStaticFilesPath, http.Dir(s.staticFilesPath))
-			})
 		}
 	})
 }

httpd/web.go

@@ -1,183 +1,25 @@
 package httpd
 
 import (
-	"errors"
-	"fmt"
-	"html/template"
-	"io"
-	"net/http"
-	"net/url"
 	"path"
-	"path/filepath"
-	"strconv"
 	"strings"
-	"time"
 
-	"github.com/go-chi/render"
-
-	"github.com/drakkan/sftpgo/common"
-	"github.com/drakkan/sftpgo/dataprovider"
-	"github.com/drakkan/sftpgo/kms"
 	"github.com/drakkan/sftpgo/utils"
-	"github.com/drakkan/sftpgo/version"
-	"github.com/drakkan/sftpgo/vfs"
 )
 
-type userPageMode int
-
 const (
-	userPageModeAdd userPageMode = iota + 1
-	userPageModeUpdate
-	userPageModeTemplate
+	page400Title      = "Bad request"
+	page403Title      = "Forbidden"
+	page404Title      = "Not found"
+	page404Body       = "The page you are looking for does not exist."
+	page500Title      = "Internal Server Error"
+	page500Body       = "The server is unable to fulfill your request."
+	webDateTimeFormat = "2006-01-02 15:04:05" // YYYY-MM-DD HH:MM:SS
+	redactedSecret    = "[**redacted**]"
+	csrfFormToken     = "_form_token"
+	csrfHeaderToken   = "X-CSRF-TOKEN"
 )
 
-type folderPageMode int
-
-const (
-	folderPageModeAdd folderPageMode = iota + 1
-	folderPageModeUpdate
-	folderPageModeTemplate
-)
-
-const (
-	templateBase         = "base.html"
-	templateFsConfig     = "fsconfig.html"
-	templateUsers        = "users.html"
-	templateUser         = "user.html"
-	templateAdmins       = "admins.html"
-	templateAdmin        = "admin.html"
-	templateConnections  = "connections.html"
-	templateFolders      = "folders.html"
-	templateFolder       = "folder.html"
-	templateMessage      = "message.html"
-	templateStatus       = "status.html"
-	templateLogin        = "login.html"
-	templateChangePwd    = "changepwd.html"
-	templateMaintenance  = "maintenance.html"
-	pageUsersTitle       = "Users"
-	pageAdminsTitle      = "Admins"
-	pageConnectionsTitle = "Connections"
-	pageStatusTitle      = "Status"
-	pageFoldersTitle     = "Folders"
-	pageChangePwdTitle   = "Change password"
-	pageMaintenanceTitle = "Maintenance"
-	page400Title         = "Bad request"
-	page403Title         = "Forbidden"
-	page404Title         = "Not found"
-	page404Body          = "The page you are looking for does not exist."
-	page500Title         = "Internal Server Error"
-	page500Body          = "The server is unable to fulfill your request."
-	defaultQueryLimit    = 500
-	webDateTimeFormat    = "2006-01-02 15:04:05" // YYYY-MM-DD HH:MM:SS
-	redactedSecret       = "[**redacted**]"
-	csrfFormToken        = "_form_token"
-	csrfHeaderToken      = "X-CSRF-TOKEN"
-)
-
-var (
-	templates = make(map[string]*template.Template)
-)
-
-type basePage struct {
-	Title              string
-	CurrentURL         string
-	UsersURL           string
-	UserURL            string
-	UserTemplateURL    string
-	AdminsURL          string
-	AdminURL           string
-	QuotaScanURL       string
-	ConnectionsURL     string
-	FoldersURL         string
-	FolderURL          string
-	FolderTemplateURL  string
-	LogoutURL          string
-	ChangeAdminPwdURL  string
-	FolderQuotaScanURL string
-	StatusURL          string
-	MaintenanceURL     string
-	StaticURL          string
-	UsersTitle         string
-	AdminsTitle        string
-	ConnectionsTitle   string
-	FoldersTitle       string
-	StatusTitle        string
-	MaintenanceTitle   string
-	Version            string
-	CSRFToken          string
-	LoggedAdmin        *dataprovider.Admin
-}
-
-type usersPage struct {
-	basePage
-	Users []dataprovider.User
-}
-
-type adminsPage struct {
-	basePage
-	Admins []dataprovider.Admin
-}
-
-type foldersPage struct {
-	basePage
-	Folders []vfs.BaseVirtualFolder
-}
-
-type connectionsPage struct {
-	basePage
-	Connections []*common.ConnectionStatus
-}
-
-type statusPage struct {
-	basePage
-	Status ServicesStatus
-}
-
-type userPage struct {
-	basePage
-	User              *dataprovider.User
-	RootPerms         []string
-	Error             string
-	ValidPerms        []string
-	ValidLoginMethods []string
-	ValidProtocols    []string
-	RootDirPerms      []string
-	RedactedSecret    string
-	Mode              userPageMode
-}
-
-type adminPage struct {
-	basePage
-	Admin *dataprovider.Admin
-	Error string
-	IsAdd bool
-}
-
-type changePwdPage struct {
-	basePage
-	Error string
-}
-
-type maintenancePage struct {
-	basePage
-	BackupPath  string
-	RestorePath string
-	Error       string
-}
-
-type folderPage struct {
-	basePage
-	Folder vfs.BaseVirtualFolder
-	Error  string
-	Mode   folderPageMode
-}
-
-type messagePage struct {
-	basePage
-	Error   string
-	Success string
-}
-
 type loginPage struct {
 	CurrentURL string
 	Version    string
@@ -186,364 +28,6 @@ type loginPage struct {
 	StaticURL  string
 }
 
-type userTemplateFields struct {
-	Username  string
-	Password  string
-	PublicKey string
-}
-
-func loadTemplates(templatesPath string) {
-	usersPaths := []string{
-		filepath.Join(templatesPath, templateBase),
-		filepath.Join(templatesPath, templateUsers),
-	}
-	userPaths := []string{
-		filepath.Join(templatesPath, templateBase),
-		filepath.Join(templatesPath, templateFsConfig),
-		filepath.Join(templatesPath, templateUser),
-	}
-	adminsPaths := []string{
-		filepath.Join(templatesPath, templateBase),
-		filepath.Join(templatesPath, templateAdmins),
-	}
-	adminPaths := []string{
-		filepath.Join(templatesPath, templateBase),
-		filepath.Join(templatesPath, templateAdmin),
-	}
-	changePwdPaths := []string{
-		filepath.Join(templatesPath, templateBase),
-		filepath.Join(templatesPath, templateChangePwd),
-	}
-	connectionsPaths := []string{
-		filepath.Join(templatesPath, templateBase),
-		filepath.Join(templatesPath, templateConnections),
-	}
-	messagePath := []string{
-		filepath.Join(templatesPath, templateBase),
-		filepath.Join(templatesPath, templateMessage),
-	}
-	foldersPath := []string{
-		filepath.Join(templatesPath, templateBase),
-		filepath.Join(templatesPath, templateFolders),
-	}
-	folderPath := []string{
-		filepath.Join(templatesPath, templateBase),
-		filepath.Join(templatesPath, templateFsConfig),
-		filepath.Join(templatesPath, templateFolder),
-	}
-	statusPath := []string{
-		filepath.Join(templatesPath, templateBase),
-		filepath.Join(templatesPath, templateStatus),
-	}
-	loginPath := []string{
-		filepath.Join(templatesPath, templateLogin),
-	}
-	maintenancePath := []string{
-		filepath.Join(templatesPath, templateBase),
-		filepath.Join(templatesPath, templateMaintenance),
-	}
-	usersTmpl := utils.LoadTemplate(template.ParseFiles(usersPaths...))
-	userTmpl := utils.LoadTemplate(template.ParseFiles(userPaths...))
-	adminsTmpl := utils.LoadTemplate(template.ParseFiles(adminsPaths...))
-	adminTmpl := utils.LoadTemplate(template.ParseFiles(adminPaths...))
-	connectionsTmpl := utils.LoadTemplate(template.ParseFiles(connectionsPaths...))
-	messageTmpl := utils.LoadTemplate(template.ParseFiles(messagePath...))
-	foldersTmpl := utils.LoadTemplate(template.ParseFiles(foldersPath...))
-	folderTmpl := utils.LoadTemplate(template.ParseFiles(folderPath...))
-	statusTmpl := utils.LoadTemplate(template.ParseFiles(statusPath...))
-	loginTmpl := utils.LoadTemplate(template.ParseFiles(loginPath...))
-	changePwdTmpl := utils.LoadTemplate(template.ParseFiles(changePwdPaths...))
-	maintenanceTmpl := utils.LoadTemplate(template.ParseFiles(maintenancePath...))
-
-	templates[templateUsers] = usersTmpl
-	templates[templateUser] = userTmpl
-	templates[templateAdmins] = adminsTmpl
-	templates[templateAdmin] = adminTmpl
-	templates[templateConnections] = connectionsTmpl
-	templates[templateMessage] = messageTmpl
-	templates[templateFolders] = foldersTmpl
-	templates[templateFolder] = folderTmpl
-	templates[templateStatus] = statusTmpl
-	templates[templateLogin] = loginTmpl
-	templates[templateChangePwd] = changePwdTmpl
-	templates[templateMaintenance] = maintenanceTmpl
-}
-
-func getBasePageData(title, currentURL string, r *http.Request) basePage {
-	var csrfToken string
-	if currentURL != "" {
-		csrfToken = createCSRFToken()
-	}
-	return basePage{
-		Title:              title,
-		CurrentURL:         currentURL,
-		UsersURL:           webUsersPath,
-		UserURL:            webUserPath,
-		UserTemplateURL:    webTemplateUser,
-		AdminsURL:          webAdminsPath,
-		AdminURL:           webAdminPath,
-		FoldersURL:         webFoldersPath,
-		FolderURL:          webFolderPath,
-		FolderTemplateURL:  webTemplateFolder,
-		LogoutURL:          webLogoutPath,
-		ChangeAdminPwdURL:  webChangeAdminPwdPath,
-		QuotaScanURL:       webQuotaScanPath,
-		ConnectionsURL:     webConnectionsPath,
-		StatusURL:          webStatusPath,
-		FolderQuotaScanURL: webScanVFolderPath,
-		MaintenanceURL:     webMaintenancePath,
-		StaticURL:          webStaticFilesPath,
-		UsersTitle:         pageUsersTitle,
-		AdminsTitle:        pageAdminsTitle,
-		ConnectionsTitle:   pageConnectionsTitle,
-		FoldersTitle:       pageFoldersTitle,
-		StatusTitle:        pageStatusTitle,
-		MaintenanceTitle:   pageMaintenanceTitle,
-		Version:            version.GetAsString(),
-		LoggedAdmin:        getAdminFromToken(r),
-		CSRFToken:          csrfToken,
-	}
-}
-
-func renderTemplate(w http.ResponseWriter, tmplName string, data interface{}) {
-	err := templates[tmplName].ExecuteTemplate(w, tmplName, data)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-	}
-}
-
-func renderMessagePage(w http.ResponseWriter, r *http.Request, title, body string, statusCode int, err error, message string) {
-	var errorString string
-	if body != "" {
-		errorString = body + " "
-	}
-	if err != nil {
-		errorString += err.Error()
-	}
-	data := messagePage{
-		basePage: getBasePageData(title, "", r),
-		Error:    errorString,
-		Success:  message,
-	}
-	w.WriteHeader(statusCode)
-	renderTemplate(w, templateMessage, data)
-}
-
-func renderInternalServerErrorPage(w http.ResponseWriter, r *http.Request, err error) {
-	renderMessagePage(w, r, page500Title, page500Body, http.StatusInternalServerError, err, "")
-}
-
-func renderBadRequestPage(w http.ResponseWriter, r *http.Request, err error) {
-	renderMessagePage(w, r, page400Title, "", http.StatusBadRequest, err, "")
-}
-
-func renderForbiddenPage(w http.ResponseWriter, r *http.Request, body string) {
-	renderMessagePage(w, r, page403Title, "", http.StatusForbidden, nil, body)
-}
-
-func renderNotFoundPage(w http.ResponseWriter, r *http.Request, err error) {
-	renderMessagePage(w, r, page404Title, page404Body, http.StatusNotFound, err, "")
-}
-
-func renderChangePwdPage(w http.ResponseWriter, r *http.Request, error string) {
-	data := changePwdPage{
-		basePage: getBasePageData(pageChangePwdTitle, webChangeAdminPwdPath, r),
-		Error:    error,
-	}
-
-	renderTemplate(w, templateChangePwd, data)
-}
-
-func renderMaintenancePage(w http.ResponseWriter, r *http.Request, error string) {
-	data := maintenancePage{
-		basePage:    getBasePageData(pageMaintenanceTitle, webMaintenancePath, r),
-		BackupPath:  webBackupPath,
-		RestorePath: webRestorePath,
-		Error:       error,
-	}
-
-	renderTemplate(w, templateMaintenance, data)
-}
-
-func renderAddUpdateAdminPage(w http.ResponseWriter, r *http.Request, admin *dataprovider.Admin,
-	error string, isAdd bool) {
-	currentURL := webAdminPath
-	if !isAdd {
-		currentURL = fmt.Sprintf("%v/%v", webAdminPath, url.PathEscape(admin.Username))
-	}
-	data := adminPage{
-		basePage: getBasePageData("Add a new user", currentURL, r),
-		Admin:    admin,
-		Error:    error,
-		IsAdd:    isAdd,
-	}
-
-	renderTemplate(w, templateAdmin, data)
-}
-
-func renderUserPage(w http.ResponseWriter, r *http.Request, user *dataprovider.User, mode userPageMode, error string) {
-	user.SetEmptySecretsIfNil()
-	var title, currentURL string
-	switch mode {
-	case userPageModeAdd:
-		title = "Add a new user"
-		currentURL = webUserPath
-	case userPageModeUpdate:
-		title = "Update user"
-		currentURL = fmt.Sprintf("%v/%v", webUserPath, url.PathEscape(user.Username))
-	case userPageModeTemplate:
-		title = "User template"
-		currentURL = webTemplateUser
-	}
-	if user.Password != "" && user.IsPasswordHashed() && mode == userPageModeUpdate {
-		user.Password = redactedSecret
-	}
-	user.FsConfig.RedactedSecret = redactedSecret
-	data := userPage{
-		basePage:          getBasePageData(title, currentURL, r),
-		Mode:              mode,
-		Error:             error,
-		User:              user,
-		ValidPerms:        dataprovider.ValidPerms,
-		ValidLoginMethods: dataprovider.ValidLoginMethods,
-		ValidProtocols:    dataprovider.ValidProtocols,
-		RootDirPerms:      user.GetPermissionsForPath("/"),
-	}
-	renderTemplate(w, templateUser, data)
-}
-
-func renderFolderPage(w http.ResponseWriter, r *http.Request, folder vfs.BaseVirtualFolder, mode folderPageMode, error string) {
-	var title, currentURL string
-	switch mode {
-	case folderPageModeAdd:
-		title = "Add a new folder"
-		currentURL = webFolderPath
-	case folderPageModeUpdate:
-		title = "Update folder"
-		currentURL = fmt.Sprintf("%v/%v", webFolderPath, url.PathEscape(folder.Name))
-	case folderPageModeTemplate:
-		title = "Folder template"
-		currentURL = webTemplateFolder
-	}
-	folder.FsConfig.RedactedSecret = redactedSecret
-	folder.FsConfig.SetEmptySecretsIfNil()
-
-	data := folderPage{
-		basePage: getBasePageData(title, currentURL, r),
-		Error:    error,
-		Folder:   folder,
-		Mode:     mode,
-	}
-	renderTemplate(w, templateFolder, data)
-}
-
-func getFoldersForTemplate(r *http.Request) []string {
-	var res []string
-	formValue := r.Form.Get("folders")
-	folders := make(map[string]bool)
-	for _, name := range getSliceFromDelimitedValues(formValue, "\n") {
-		if _, ok := folders[name]; ok {
-			continue
-		}
-		folders[name] = true
-		res = append(res, name)
-	}
-	return res
-}
-
-func getUsersForTemplate(r *http.Request) []userTemplateFields {
-	var res []userTemplateFields
-	formValue := r.Form.Get("users")
-	users := make(map[string]bool)
-	for _, cleaned := range getSliceFromDelimitedValues(formValue, "\n") {
-		if strings.Contains(cleaned, "::") {
-			mapping := strings.Split(cleaned, "::")
-			if len(mapping) > 1 {
-				username := strings.TrimSpace(mapping[0])
-				password := strings.TrimSpace(mapping[1])
-				var publicKey string
-				if len(mapping) > 2 {
-					publicKey = strings.TrimSpace(mapping[2])
-				}
-				if username == "" || (password == "" && publicKey == "") {
-					continue
-				}
-				if _, ok := users[username]; ok {
-					continue
-				}
-
-				users[username] = true
-				res = append(res, userTemplateFields{
-					Username:  username,
-					Password:  password,
-					PublicKey: publicKey,
-				})
-			}
-		}
-	}
-	return res
-}
-
-func getVirtualFoldersFromPostFields(r *http.Request) []vfs.VirtualFolder {
-	var virtualFolders []vfs.VirtualFolder
-	formValue := r.Form.Get("virtual_folders")
-	for _, cleaned := range getSliceFromDelimitedValues(formValue, "\n") {
-		if strings.Contains(cleaned, "::") {
-			mapping := strings.Split(cleaned, "::")
-			if len(mapping) > 1 {
-				vfolder := vfs.VirtualFolder{
-					BaseVirtualFolder: vfs.BaseVirtualFolder{
-						Name: strings.TrimSpace(mapping[1]),
-					},
-					VirtualPath: strings.TrimSpace(mapping[0]),
-					QuotaFiles:  -1,
-					QuotaSize:   -1,
-				}
-				if len(mapping) > 2 {
-					quotaFiles, err := strconv.Atoi(strings.TrimSpace(mapping[2]))
-					if err == nil {
-						vfolder.QuotaFiles = quotaFiles
-					}
-				}
-				if len(mapping) > 3 {
-					quotaSize, err := strconv.ParseInt(strings.TrimSpace(mapping[3]), 10, 64)
-					if err == nil {
-						vfolder.QuotaSize = quotaSize
-					}
-				}
-				virtualFolders = append(virtualFolders, vfolder)
-			}
-		}
-	}
-	return virtualFolders
-}
-
-func getUserPermissionsFromPostFields(r *http.Request) map[string][]string {
-	permissions := make(map[string][]string)
-	permissions["/"] = r.Form["permissions"]
-	subDirsPermsValue := r.Form.Get("sub_dirs_permissions")
-	for _, cleaned := range getSliceFromDelimitedValues(subDirsPermsValue, "\n") {
-		if strings.Contains(cleaned, "::") {
-			dirPerms := strings.Split(cleaned, "::")
-			if len(dirPerms) > 1 {
-				dir := dirPerms[0]
-				dir = strings.TrimSpace(dir)
-				perms := []string{}
-				for _, p := range strings.Split(dirPerms[1], ",") {
-					cleanedPerm := strings.TrimSpace(p)
-					if cleanedPerm != "" {
-						perms = append(perms, cleanedPerm)
-					}
-				}
-				if dir != "" {
-					permissions[dir] = perms
-				}
-			}
-		}
-	}
-	return permissions
-}
-
 func getSliceFromDelimitedValues(values, delimiter string) []string {
 	result := []string{}
 	for _, v := range strings.Split(values, delimiter) {
@@ -583,1032 +67,3 @@ func getListFromPostFields(value string) map[string][]string {
 	}
 	return result
 }
-
-func getFilePatternsFromPostField(valueAllowed, valuesDenied string) []dataprovider.PatternsFilter {
-	var result []dataprovider.PatternsFilter
-	allowedPatterns := getListFromPostFields(valueAllowed)
-	deniedPatterns := getListFromPostFields(valuesDenied)
-
-	for dirAllowed, allowPatterns := range allowedPatterns {
-		filter := dataprovider.PatternsFilter{
-			Path:            dirAllowed,
-			AllowedPatterns: allowPatterns,
-		}
-		for dirDenied, denPatterns := range deniedPatterns {
-			if dirAllowed == dirDenied {
-				filter.DeniedPatterns = denPatterns
-				break
-			}
-		}
-		result = append(result, filter)
-	}
-	for dirDenied, denPatterns := range deniedPatterns {
-		found := false
-		for _, res := range result {
-			if res.Path == dirDenied {
-				found = true
-				break
-			}
-		}
-		if !found {
-			result = append(result, dataprovider.PatternsFilter{
-				Path:           dirDenied,
-				DeniedPatterns: denPatterns,
-			})
-		}
-	}
-	return result
-}
-
-func getFileExtensionsFromPostField(valueAllowed, valuesDenied string) []dataprovider.ExtensionsFilter {
-	var result []dataprovider.ExtensionsFilter
-	allowedExtensions := getListFromPostFields(valueAllowed)
-	deniedExtensions := getListFromPostFields(valuesDenied)
-
-	for dirAllowed, allowedExts := range allowedExtensions {
-		filter := dataprovider.ExtensionsFilter{
-			Path:              dirAllowed,
-			AllowedExtensions: allowedExts,
-		}
-		for dirDenied, deniedExts := range deniedExtensions {
-			if dirAllowed == dirDenied {
-				filter.DeniedExtensions = deniedExts
-				break
-			}
-		}
-		result = append(result, filter)
-	}
-	for dirDenied, deniedExts := range deniedExtensions {
-		found := false
-		for _, res := range result {
-			if res.Path == dirDenied {
-				found = true
-				break
-			}
-		}
-		if !found {
-			result = append(result, dataprovider.ExtensionsFilter{
-				Path:             dirDenied,
-				DeniedExtensions: deniedExts,
-			})
-		}
-	}
-	return result
-}
-
-func getFiltersFromUserPostFields(r *http.Request) dataprovider.UserFilters {
-	var filters dataprovider.UserFilters
-	filters.AllowedIP = getSliceFromDelimitedValues(r.Form.Get("allowed_ip"), ",")
-	filters.DeniedIP = getSliceFromDelimitedValues(r.Form.Get("denied_ip"), ",")
-	filters.DeniedLoginMethods = r.Form["ssh_login_methods"]
-	filters.DeniedProtocols = r.Form["denied_protocols"]
-	filters.FileExtensions = getFileExtensionsFromPostField(r.Form.Get("allowed_extensions"), r.Form.Get("denied_extensions"))
-	filters.FilePatterns = getFilePatternsFromPostField(r.Form.Get("allowed_patterns"), r.Form.Get("denied_patterns"))
-	filters.TLSUsername = dataprovider.TLSUsername(r.Form.Get("tls_username"))
-	hooks := r.Form["hooks"]
-	if utils.IsStringInSlice("external_auth_disabled", hooks) {
-		filters.Hooks.ExternalAuthDisabled = true
-	}
-	if utils.IsStringInSlice("pre_login_disabled", hooks) {
-		filters.Hooks.PreLoginDisabled = true
-	}
-	if utils.IsStringInSlice("check_password_disabled", hooks) {
-		filters.Hooks.CheckPasswordDisabled = true
-	}
-	filters.DisableFsChecks = len(r.Form.Get("disable_fs_checks")) > 0
-	return filters
-}
-
-func getSecretFromFormField(r *http.Request, field string) *kms.Secret {
-	secret := kms.NewPlainSecret(r.Form.Get(field))
-	if strings.TrimSpace(secret.GetPayload()) == redactedSecret {
-		secret.SetStatus(kms.SecretStatusRedacted)
-	}
-	if strings.TrimSpace(secret.GetPayload()) == "" {
-		secret.SetStatus("")
-	}
-	return secret
-}
-
-func getS3Config(r *http.Request) (vfs.S3FsConfig, error) {
-	var err error
-	config := vfs.S3FsConfig{}
-	config.Bucket = r.Form.Get("s3_bucket")
-	config.Region = r.Form.Get("s3_region")
-	config.AccessKey = r.Form.Get("s3_access_key")
-	config.AccessSecret = getSecretFromFormField(r, "s3_access_secret")
-	config.Endpoint = r.Form.Get("s3_endpoint")
-	config.StorageClass = r.Form.Get("s3_storage_class")
-	config.KeyPrefix = r.Form.Get("s3_key_prefix")
-	config.UploadPartSize, err = strconv.ParseInt(r.Form.Get("s3_upload_part_size"), 10, 64)
-	if err != nil {
-		return config, err
-	}
-	config.UploadConcurrency, err = strconv.Atoi(r.Form.Get("s3_upload_concurrency"))
-	return config, err
-}
-
-func getGCSConfig(r *http.Request) (vfs.GCSFsConfig, error) {
-	var err error
-	config := vfs.GCSFsConfig{}
-
-	config.Bucket = r.Form.Get("gcs_bucket")
-	config.StorageClass = r.Form.Get("gcs_storage_class")
-	config.KeyPrefix = r.Form.Get("gcs_key_prefix")
-	autoCredentials := r.Form.Get("gcs_auto_credentials")
-	if autoCredentials != "" {
-		config.AutomaticCredentials = 1
-	} else {
-		config.AutomaticCredentials = 0
-	}
-	credentials, _, err := r.FormFile("gcs_credential_file")
-	if err == http.ErrMissingFile {
-		return config, nil
-	}
-	if err != nil {
-		return config, err
-	}
-	defer credentials.Close()
-	fileBytes, err := io.ReadAll(credentials)
-	if err != nil || len(fileBytes) == 0 {
-		if len(fileBytes) == 0 {
-			err = errors.New("credentials file size must be greater than 0")
-		}
-		return config, err
-	}
-	config.Credentials = kms.NewPlainSecret(string(fileBytes))
-	config.AutomaticCredentials = 0
-	return config, err
-}
-
-func getSFTPConfig(r *http.Request) (vfs.SFTPFsConfig, error) {
-	var err error
-	config := vfs.SFTPFsConfig{}
-	config.Endpoint = r.Form.Get("sftp_endpoint")
-	config.Username = r.Form.Get("sftp_username")
-	config.Password = getSecretFromFormField(r, "sftp_password")
-	config.PrivateKey = getSecretFromFormField(r, "sftp_private_key")
-	fingerprintsFormValue := r.Form.Get("sftp_fingerprints")
-	config.Fingerprints = getSliceFromDelimitedValues(fingerprintsFormValue, "\n")
-	config.Prefix = r.Form.Get("sftp_prefix")
-	config.DisableCouncurrentReads = len(r.Form.Get("sftp_disable_concurrent_reads")) > 0
-	config.BufferSize, err = strconv.ParseInt(r.Form.Get("sftp_buffer_size"), 10, 64)
-	return config, err
-}
-
-func getAzureConfig(r *http.Request) (vfs.AzBlobFsConfig, error) {
-	var err error
-	config := vfs.AzBlobFsConfig{}
-	config.Container = r.Form.Get("az_container")
-	config.AccountName = r.Form.Get("az_account_name")
-	config.AccountKey = getSecretFromFormField(r, "az_account_key")
-	config.SASURL = r.Form.Get("az_sas_url")
-	config.Endpoint = r.Form.Get("az_endpoint")
-	config.KeyPrefix = r.Form.Get("az_key_prefix")
-	config.AccessTier = r.Form.Get("az_access_tier")
-	config.UseEmulator = len(r.Form.Get("az_use_emulator")) > 0
-	config.UploadPartSize, err = strconv.ParseInt(r.Form.Get("az_upload_part_size"), 10, 64)
-	if err != nil {
-		return config, err
-	}
-	config.UploadConcurrency, err = strconv.Atoi(r.Form.Get("az_upload_concurrency"))
-	return config, err
-}
-
-func getFsConfigFromPostFields(r *http.Request) (vfs.Filesystem, error) {
-	var fs vfs.Filesystem
-	provider, err := strconv.Atoi(r.Form.Get("fs_provider"))
-	if err != nil {
-		provider = int(vfs.LocalFilesystemProvider)
-	}
-	fs.Provider = vfs.FilesystemProvider(provider)
-	switch fs.Provider {
-	case vfs.S3FilesystemProvider:
-		config, err := getS3Config(r)
-		if err != nil {
-			return fs, err
-		}
-		fs.S3Config = config
-	case vfs.AzureBlobFilesystemProvider:
-		config, err := getAzureConfig(r)
-		if err != nil {
-			return fs, err
-		}
-		fs.AzBlobConfig = config
-	case vfs.GCSFilesystemProvider:
-		config, err := getGCSConfig(r)
-		if err != nil {
-			return fs, err
-		}
-		fs.GCSConfig = config
-	case vfs.CryptedFilesystemProvider:
-		fs.CryptConfig.Passphrase = getSecretFromFormField(r, "crypt_passphrase")
-	case vfs.SFTPFilesystemProvider:
-		config, err := getSFTPConfig(r)
-		if err != nil {
-			return fs, err
-		}
-		fs.SFTPConfig = config
-	}
-	return fs, nil
-}
-
-func getAdminFromPostFields(r *http.Request) (dataprovider.Admin, error) {
-	var admin dataprovider.Admin
-	err := r.ParseForm()
-	if err != nil {
-		return admin, err
-	}
-	status, err := strconv.Atoi(r.Form.Get("status"))
-	if err != nil {
-		return admin, err
-	}
-	admin.Username = r.Form.Get("username")
-	admin.Password = r.Form.Get("password")
-	admin.Permissions = r.Form["permissions"]
-	admin.Email = r.Form.Get("email")
-	admin.Status = status
-	admin.Filters.AllowList = getSliceFromDelimitedValues(r.Form.Get("allowed_ip"), ",")
-	admin.AdditionalInfo = r.Form.Get("additional_info")
-	admin.Description = r.Form.Get("description")
-	return admin, nil
-}
-
-func replacePlaceholders(field string, replacements map[string]string) string {
-	for k, v := range replacements {
-		field = strings.ReplaceAll(field, k, v)
-	}
-	return field
-}
-
-func getFolderFromTemplate(folder vfs.BaseVirtualFolder, name string) vfs.BaseVirtualFolder {
-	folder.Name = name
-	replacements := make(map[string]string)
-	replacements["%name%"] = folder.Name
-
-	folder.MappedPath = replacePlaceholders(folder.MappedPath, replacements)
-	folder.Description = replacePlaceholders(folder.Description, replacements)
-	switch folder.FsConfig.Provider {
-	case vfs.CryptedFilesystemProvider:
-		folder.FsConfig.CryptConfig = getCryptFsFromTemplate(folder.FsConfig.CryptConfig, replacements)
-	case vfs.S3FilesystemProvider:
-		folder.FsConfig.S3Config = getS3FsFromTemplate(folder.FsConfig.S3Config, replacements)
-	case vfs.GCSFilesystemProvider:
-		folder.FsConfig.GCSConfig = getGCSFsFromTemplate(folder.FsConfig.GCSConfig, replacements)
-	case vfs.AzureBlobFilesystemProvider:
-		folder.FsConfig.AzBlobConfig = getAzBlobFsFromTemplate(folder.FsConfig.AzBlobConfig, replacements)
-	case vfs.SFTPFilesystemProvider:
-		folder.FsConfig.SFTPConfig = getSFTPFsFromTemplate(folder.FsConfig.SFTPConfig, replacements)
-	}
-
-	return folder
-}
-
-func getCryptFsFromTemplate(fsConfig vfs.CryptFsConfig, replacements map[string]string) vfs.CryptFsConfig {
-	if fsConfig.Passphrase != nil {
-		if fsConfig.Passphrase.IsPlain() {
-			payload := replacePlaceholders(fsConfig.Passphrase.GetPayload(), replacements)
-			fsConfig.Passphrase = kms.NewPlainSecret(payload)
-		}
-	}
-	return fsConfig
-}
-
-func getS3FsFromTemplate(fsConfig vfs.S3FsConfig, replacements map[string]string) vfs.S3FsConfig {
-	fsConfig.KeyPrefix = replacePlaceholders(fsConfig.KeyPrefix, replacements)
-	fsConfig.AccessKey = replacePlaceholders(fsConfig.AccessKey, replacements)
-	if fsConfig.AccessSecret != nil && fsConfig.AccessSecret.IsPlain() {
-		payload := replacePlaceholders(fsConfig.AccessSecret.GetPayload(), replacements)
-		fsConfig.AccessSecret = kms.NewPlainSecret(payload)
-	}
-	return fsConfig
-}
-
-func getGCSFsFromTemplate(fsConfig vfs.GCSFsConfig, replacements map[string]string) vfs.GCSFsConfig {
-	fsConfig.KeyPrefix = replacePlaceholders(fsConfig.KeyPrefix, replacements)
-	return fsConfig
-}
-
-func getAzBlobFsFromTemplate(fsConfig vfs.AzBlobFsConfig, replacements map[string]string) vfs.AzBlobFsConfig {
-	fsConfig.KeyPrefix = replacePlaceholders(fsConfig.KeyPrefix, replacements)
-	fsConfig.AccountName = replacePlaceholders(fsConfig.AccountName, replacements)
-	if fsConfig.AccountKey != nil && fsConfig.AccountKey.IsPlain() {
-		payload := replacePlaceholders(fsConfig.AccountKey.GetPayload(), replacements)
-		fsConfig.AccountKey = kms.NewPlainSecret(payload)
-	}
-	return fsConfig
-}
-
-func getSFTPFsFromTemplate(fsConfig vfs.SFTPFsConfig, replacements map[string]string) vfs.SFTPFsConfig {
-	fsConfig.Prefix = replacePlaceholders(fsConfig.Prefix, replacements)
-	fsConfig.Username = replacePlaceholders(fsConfig.Username, replacements)
-	if fsConfig.Password != nil && fsConfig.Password.IsPlain() {
-		payload := replacePlaceholders(fsConfig.Password.GetPayload(), replacements)
-		fsConfig.Password = kms.NewPlainSecret(payload)
-	}
-	return fsConfig
-}
-
-func getUserFromTemplate(user dataprovider.User, template userTemplateFields) dataprovider.User {
-	user.Username = template.Username
-	user.Password = template.Password
-	user.PublicKeys = nil
-	if template.PublicKey != "" {
-		user.PublicKeys = append(user.PublicKeys, template.PublicKey)
-	}
-	replacements := make(map[string]string)
-	replacements["%username%"] = user.Username
-	user.Password = replacePlaceholders(user.Password, replacements)
-	replacements["%password%"] = user.Password
-
-	user.HomeDir = replacePlaceholders(user.HomeDir, replacements)
-	var vfolders []vfs.VirtualFolder
-	for _, vfolder := range user.VirtualFolders {
-		vfolder.Name = replacePlaceholders(vfolder.Name, replacements)
-		vfolder.VirtualPath = replacePlaceholders(vfolder.VirtualPath, replacements)
-		vfolders = append(vfolders, vfolder)
-	}
-	user.VirtualFolders = vfolders
-	user.Description = replacePlaceholders(user.Description, replacements)
-	user.AdditionalInfo = replacePlaceholders(user.AdditionalInfo, replacements)
-
-	switch user.FsConfig.Provider {
-	case vfs.CryptedFilesystemProvider:
-		user.FsConfig.CryptConfig = getCryptFsFromTemplate(user.FsConfig.CryptConfig, replacements)
-	case vfs.S3FilesystemProvider:
-		user.FsConfig.S3Config = getS3FsFromTemplate(user.FsConfig.S3Config, replacements)
-	case vfs.GCSFilesystemProvider:
-		user.FsConfig.GCSConfig = getGCSFsFromTemplate(user.FsConfig.GCSConfig, replacements)
-	case vfs.AzureBlobFilesystemProvider:
-		user.FsConfig.AzBlobConfig = getAzBlobFsFromTemplate(user.FsConfig.AzBlobConfig, replacements)
-	case vfs.SFTPFilesystemProvider:
-		user.FsConfig.SFTPConfig = getSFTPFsFromTemplate(user.FsConfig.SFTPConfig, replacements)
-	}
-
-	return user
-}
-
-func getUserFromPostFields(r *http.Request) (dataprovider.User, error) {
-	var user dataprovider.User
-	err := r.ParseMultipartForm(maxRequestSize)
-	if err != nil {
-		return user, err
-	}
-	publicKeysFormValue := r.Form.Get("public_keys")
-	publicKeys := getSliceFromDelimitedValues(publicKeysFormValue, "\n")
-	uid, err := strconv.Atoi(r.Form.Get("uid"))
-	if err != nil {
-		return user, err
-	}
-	gid, err := strconv.Atoi(r.Form.Get("gid"))
-	if err != nil {
-		return user, err
-	}
-	maxSessions, err := strconv.Atoi(r.Form.Get("max_sessions"))
-	if err != nil {
-		return user, err
-	}
-	quotaSize, err := strconv.ParseInt(r.Form.Get("quota_size"), 10, 64)
-	if err != nil {
-		return user, err
-	}
-	quotaFiles, err := strconv.Atoi(r.Form.Get("quota_files"))
-	if err != nil {
-		return user, err
-	}
-	bandwidthUL, err := strconv.ParseInt(r.Form.Get("upload_bandwidth"), 10, 64)
-	if err != nil {
-		return user, err
-	}
-	bandwidthDL, err := strconv.ParseInt(r.Form.Get("download_bandwidth"), 10, 64)
-	if err != nil {
-		return user, err
-	}
-	status, err := strconv.Atoi(r.Form.Get("status"))
-	if err != nil {
-		return user, err
-	}
-	expirationDateMillis := int64(0)
-	expirationDateString := r.Form.Get("expiration_date")
-	if len(strings.TrimSpace(expirationDateString)) > 0 {
-		expirationDate, err := time.Parse(webDateTimeFormat, expirationDateString)
-		if err != nil {
-			return user, err
-		}
-		expirationDateMillis = utils.GetTimeAsMsSinceEpoch(expirationDate)
-	}
-	fsConfig, err := getFsConfigFromPostFields(r)
-	if err != nil {
-		return user, err
-	}
-	user = dataprovider.User{
-		Username:          r.Form.Get("username"),
-		Password:          r.Form.Get("password"),
-		PublicKeys:        publicKeys,
-		HomeDir:           r.Form.Get("home_dir"),
-		VirtualFolders:    getVirtualFoldersFromPostFields(r),
-		UID:               uid,
-		GID:               gid,
-		Permissions:       getUserPermissionsFromPostFields(r),
-		MaxSessions:       maxSessions,
-		QuotaSize:         quotaSize,
-		QuotaFiles:        quotaFiles,
-		UploadBandwidth:   bandwidthUL,
-		DownloadBandwidth: bandwidthDL,
-		Status:            status,
-		ExpirationDate:    expirationDateMillis,
-		Filters:           getFiltersFromUserPostFields(r),
-		FsConfig:          fsConfig,
-		AdditionalInfo:    r.Form.Get("additional_info"),
-		Description:       r.Form.Get("description"),
-	}
-	maxFileSize, err := strconv.ParseInt(r.Form.Get("max_upload_file_size"), 10, 64)
-	user.Filters.MaxUploadFileSize = maxFileSize
-	return user, err
-}
-
-func renderLoginPage(w http.ResponseWriter, error string) {
-	data := loginPage{
-		CurrentURL: webLoginPath,
-		Version:    version.Get().Version,
-		Error:      error,
-		CSRFToken:  createCSRFToken(),
-		StaticURL:  webStaticFilesPath,
-	}
-	renderTemplate(w, templateLogin, data)
-}
-
-func handleWebAdminChangePwd(w http.ResponseWriter, r *http.Request) {
-	renderChangePwdPage(w, r, "")
-}
-
-func handleWebAdminChangePwdPost(w http.ResponseWriter, r *http.Request) {
-	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
-	err := r.ParseForm()
-	if err != nil {
-		renderChangePwdPage(w, r, err.Error())
-		return
-	}
-	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
-		renderForbiddenPage(w, r, err.Error())
-		return
-	}
-	err = doChangeAdminPassword(r, r.Form.Get("current_password"), r.Form.Get("new_password1"),
-		r.Form.Get("new_password2"))
-	if err != nil {
-		renderChangePwdPage(w, r, err.Error())
-		return
-	}
-	handleWebLogout(w, r)
-}
-
-func handleWebLogout(w http.ResponseWriter, r *http.Request) {
-	c := jwtTokenClaims{}
-	c.removeCookie(w, r)
-
-	http.Redirect(w, r, webLoginPath, http.StatusFound)
-}
-
-func handleWebLogin(w http.ResponseWriter, r *http.Request) {
-	renderLoginPage(w, "")
-}
-
-func handleWebMaintenance(w http.ResponseWriter, r *http.Request) {
-	renderMaintenancePage(w, r, "")
-}
-
-func handleWebRestore(w http.ResponseWriter, r *http.Request) {
-	err := r.ParseMultipartForm(MaxRestoreSize)
-	if err != nil {
-		renderMaintenancePage(w, r, err.Error())
-		return
-	}
-	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
-		renderForbiddenPage(w, r, err.Error())
-		return
-	}
-	restoreMode, err := strconv.Atoi(r.Form.Get("mode"))
-	if err != nil {
-		renderMaintenancePage(w, r, err.Error())
-		return
-	}
-	scanQuota, err := strconv.Atoi(r.Form.Get("quota"))
-	if err != nil {
-		renderMaintenancePage(w, r, err.Error())
-		return
-	}
-	backupFile, _, err := r.FormFile("backup_file")
-	if err != nil {
-		renderMaintenancePage(w, r, err.Error())
-		return
-	}
-	defer backupFile.Close()
-
-	backupContent, err := io.ReadAll(backupFile)
-	if err != nil || len(backupContent) == 0 {
-		if len(backupContent) == 0 {
-			err = errors.New("backup file size must be greater than 0")
-		}
-		renderMaintenancePage(w, r, err.Error())
-		return
-	}
-
-	if err := restoreBackup(backupContent, "", scanQuota, restoreMode); err != nil {
-		renderMaintenancePage(w, r, err.Error())
-		return
-	}
-
-	renderMessagePage(w, r, "Data restored", "", http.StatusOK, nil, "Your backup was successfully restored")
-}
-
-func handleGetWebAdmins(w http.ResponseWriter, r *http.Request) {
-	limit := defaultQueryLimit
-	if _, ok := r.URL.Query()["qlimit"]; ok {
-		var err error
-		limit, err = strconv.Atoi(r.URL.Query().Get("qlimit"))
-		if err != nil {
-			limit = defaultQueryLimit
-		}
-	}
-	admins := make([]dataprovider.Admin, 0, limit)
-	for {
-		a, err := dataprovider.GetAdmins(limit, len(admins), dataprovider.OrderASC)
-		if err != nil {
-			renderInternalServerErrorPage(w, r, err)
-			return
-		}
-		admins = append(admins, a...)
-		if len(a) < limit {
-			break
-		}
-	}
-	data := adminsPage{
-		basePage: getBasePageData(pageAdminsTitle, webAdminsPath, r),
-		Admins:   admins,
-	}
-	renderTemplate(w, templateAdmins, data)
-}
-
-func handleWebAddAdminGet(w http.ResponseWriter, r *http.Request) {
-	admin := &dataprovider.Admin{Status: 1}
-	renderAddUpdateAdminPage(w, r, admin, "", true)
-}
-
-func handleWebUpdateAdminGet(w http.ResponseWriter, r *http.Request) {
-	username := getURLParam(r, "username")
-	admin, err := dataprovider.AdminExists(username)
-	if err == nil {
-		renderAddUpdateAdminPage(w, r, &admin, "", false)
-	} else if _, ok := err.(*dataprovider.RecordNotFoundError); ok {
-		renderNotFoundPage(w, r, err)
-	} else {
-		renderInternalServerErrorPage(w, r, err)
-	}
-}
-
-func handleWebAddAdminPost(w http.ResponseWriter, r *http.Request) {
-	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
-	admin, err := getAdminFromPostFields(r)
-	if err != nil {
-		renderAddUpdateAdminPage(w, r, &admin, err.Error(), true)
-		return
-	}
-	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
-		renderForbiddenPage(w, r, err.Error())
-		return
-	}
-	err = dataprovider.AddAdmin(&admin)
-	if err != nil {
-		renderAddUpdateAdminPage(w, r, &admin, err.Error(), true)
-		return
-	}
-	http.Redirect(w, r, webAdminsPath, http.StatusSeeOther)
-}
-
-func handleWebUpdateAdminPost(w http.ResponseWriter, r *http.Request) {
-	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
-
-	username := getURLParam(r, "username")
-	admin, err := dataprovider.AdminExists(username)
-	if _, ok := err.(*dataprovider.RecordNotFoundError); ok {
-		renderNotFoundPage(w, r, err)
-		return
-	} else if err != nil {
-		renderInternalServerErrorPage(w, r, err)
-		return
-	}
-
-	updatedAdmin, err := getAdminFromPostFields(r)
-	if err != nil {
-		renderAddUpdateAdminPage(w, r, &updatedAdmin, err.Error(), false)
-		return
-	}
-	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
-		renderForbiddenPage(w, r, err.Error())
-		return
-	}
-	updatedAdmin.ID = admin.ID
-	updatedAdmin.Username = admin.Username
-	if updatedAdmin.Password == "" {
-		updatedAdmin.Password = admin.Password
-	}
-	claims, err := getTokenClaims(r)
-	if err != nil || claims.Username == "" {
-		renderAddUpdateAdminPage(w, r, &updatedAdmin, fmt.Sprintf("Invalid token claims: %v", err), false)
-		return
-	}
-	if username == claims.Username {
-		if claims.isCriticalPermRemoved(updatedAdmin.Permissions) {
-			renderAddUpdateAdminPage(w, r, &updatedAdmin, "You cannot remove these permissions to yourself", false)
-			return
-		}
-		if updatedAdmin.Status == 0 {
-			renderAddUpdateAdminPage(w, r, &updatedAdmin, "You cannot disable yourself", false)
-			return
-		}
-	}
-	err = dataprovider.UpdateAdmin(&updatedAdmin)
-	if err != nil {
-		renderAddUpdateAdminPage(w, r, &admin, err.Error(), false)
-		return
-	}
-	http.Redirect(w, r, webAdminsPath, http.StatusSeeOther)
-}
-
-func handleGetWebUsers(w http.ResponseWriter, r *http.Request) {
-	limit := defaultQueryLimit
-	if _, ok := r.URL.Query()["qlimit"]; ok {
-		var err error
-		limit, err = strconv.Atoi(r.URL.Query().Get("qlimit"))
-		if err != nil {
-			limit = defaultQueryLimit
-		}
-	}
-	users := make([]dataprovider.User, 0, limit)
-	for {
-		u, err := dataprovider.GetUsers(limit, len(users), dataprovider.OrderASC)
-		if err != nil {
-			renderInternalServerErrorPage(w, r, err)
-			return
-		}
-		users = append(users, u...)
-		if len(u) < limit {
-			break
-		}
-	}
-	data := usersPage{
-		basePage: getBasePageData(pageUsersTitle, webUsersPath, r),
-		Users:    users,
-	}
-	renderTemplate(w, templateUsers, data)
-}
-
-func handleWebTemplateFolderGet(w http.ResponseWriter, r *http.Request) {
-	if r.URL.Query().Get("from") != "" {
-		name := r.URL.Query().Get("from")
-		folder, err := dataprovider.GetFolderByName(name)
-		if err == nil {
-			renderFolderPage(w, r, folder, folderPageModeTemplate, "")
-		} else if _, ok := err.(*dataprovider.RecordNotFoundError); ok {
-			renderNotFoundPage(w, r, err)
-		} else {
-			renderInternalServerErrorPage(w, r, err)
-		}
-	} else {
-		folder := vfs.BaseVirtualFolder{}
-		renderFolderPage(w, r, folder, folderPageModeTemplate, "")
-	}
-}
-
-func handleWebTemplateFolderPost(w http.ResponseWriter, r *http.Request) {
-	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
-	templateFolder := vfs.BaseVirtualFolder{}
-	err := r.ParseForm()
-	if err != nil {
-		renderMessagePage(w, r, "Error parsing folders fields", "", http.StatusBadRequest, err, "")
-		return
-	}
-
-	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
-		renderForbiddenPage(w, r, err.Error())
-		return
-	}
-
-	templateFolder.MappedPath = r.Form.Get("mapped_path")
-	templateFolder.Description = r.Form.Get("description")
-	fsConfig, err := getFsConfigFromPostFields(r)
-	if err != nil {
-		renderMessagePage(w, r, "Error parsing folders fields", "", http.StatusBadRequest, err, "")
-		return
-	}
-	templateFolder.FsConfig = fsConfig
-
-	var dump dataprovider.BackupData
-	dump.Version = dataprovider.DumpVersion
-
-	foldersFields := getFoldersForTemplate(r)
-	for _, tmpl := range foldersFields {
-		f := getFolderFromTemplate(templateFolder, tmpl)
-		if err := dataprovider.ValidateFolder(&f); err != nil {
-			renderMessagePage(w, r, fmt.Sprintf("Error validating folder %#v", f.Name), "", http.StatusBadRequest, err, "")
-			return
-		}
-		dump.Folders = append(dump.Folders, f)
-	}
-
-	if len(dump.Folders) == 0 {
-		renderMessagePage(w, r, "No folders to export", "No valid folders found, export is not possible", http.StatusBadRequest, nil, "")
-		return
-	}
-
-	w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=\"sftpgo-%v-folders-from-template.json\"", len(dump.Folders)))
-	render.JSON(w, r, dump)
-}
-
-func handleWebTemplateUserGet(w http.ResponseWriter, r *http.Request) {
-	if r.URL.Query().Get("from") != "" {
-		username := r.URL.Query().Get("from")
-		user, err := dataprovider.UserExists(username)
-		if err == nil {
-			user.SetEmptySecrets()
-			renderUserPage(w, r, &user, userPageModeTemplate, "")
-		} else if _, ok := err.(*dataprovider.RecordNotFoundError); ok {
-			renderNotFoundPage(w, r, err)
-		} else {
-			renderInternalServerErrorPage(w, r, err)
-		}
-	} else {
-		user := dataprovider.User{Status: 1}
-		renderUserPage(w, r, &user, userPageModeTemplate, "")
-	}
-}
-
-func handleWebTemplateUserPost(w http.ResponseWriter, r *http.Request) {
-	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
-	templateUser, err := getUserFromPostFields(r)
-	if err != nil {
-		renderMessagePage(w, r, "Error parsing user fields", "", http.StatusBadRequest, err, "")
-		return
-	}
-	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
-		renderForbiddenPage(w, r, err.Error())
-		return
-	}
-
-	var dump dataprovider.BackupData
-	dump.Version = dataprovider.DumpVersion
-
-	userTmplFields := getUsersForTemplate(r)
-	for _, tmpl := range userTmplFields {
-		u := getUserFromTemplate(templateUser, tmpl)
-		if err := dataprovider.ValidateUser(&u); err != nil {
-			renderMessagePage(w, r, fmt.Sprintf("Error validating user %#v", u.Username), "", http.StatusBadRequest, err, "")
-			return
-		}
-		dump.Users = append(dump.Users, u)
-		for _, folder := range u.VirtualFolders {
-			if !dump.HasFolder(folder.Name) {
-				dump.Folders = append(dump.Folders, folder.BaseVirtualFolder)
-			}
-		}
-	}
-
-	if len(dump.Users) == 0 {
-		renderMessagePage(w, r, "No users to export", "No valid users found, export is not possible", http.StatusBadRequest, nil, "")
-		return
-	}
-
-	w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=\"sftpgo-%v-users-from-template.json\"", len(dump.Users)))
-	render.JSON(w, r, dump)
-}
-
-func handleWebAddUserGet(w http.ResponseWriter, r *http.Request) {
-	if r.URL.Query().Get("clone-from") != "" {
-		username := r.URL.Query().Get("clone-from")
-		user, err := dataprovider.UserExists(username)
-		if err == nil {
-			user.ID = 0
-			user.Username = ""
-			user.Password = ""
-			user.SetEmptySecrets()
-			renderUserPage(w, r, &user, userPageModeAdd, "")
-		} else if _, ok := err.(*dataprovider.RecordNotFoundError); ok {
-			renderNotFoundPage(w, r, err)
-		} else {
-			renderInternalServerErrorPage(w, r, err)
-		}
-	} else {
-		user := dataprovider.User{Status: 1}
-		renderUserPage(w, r, &user, userPageModeAdd, "")
-	}
-}
-
-func handleWebUpdateUserGet(w http.ResponseWriter, r *http.Request) {
-	username := getURLParam(r, "username")
-	user, err := dataprovider.UserExists(username)
-	if err == nil {
-		renderUserPage(w, r, &user, userPageModeUpdate, "")
-	} else if _, ok := err.(*dataprovider.RecordNotFoundError); ok {
-		renderNotFoundPage(w, r, err)
-	} else {
-		renderInternalServerErrorPage(w, r, err)
-	}
-}
-
-func handleWebAddUserPost(w http.ResponseWriter, r *http.Request) {
-	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
-	user, err := getUserFromPostFields(r)
-	if err != nil {
-		renderUserPage(w, r, &user, userPageModeAdd, err.Error())
-		return
-	}
-	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
-		renderForbiddenPage(w, r, err.Error())
-		return
-	}
-	err = dataprovider.AddUser(&user)
-	if err == nil {
-		http.Redirect(w, r, webUsersPath, http.StatusSeeOther)
-	} else {
-		renderUserPage(w, r, &user, userPageModeAdd, err.Error())
-	}
-}
-
-func handleWebUpdateUserPost(w http.ResponseWriter, r *http.Request) {
-	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
-	username := getURLParam(r, "username")
-	user, err := dataprovider.UserExists(username)
-	if _, ok := err.(*dataprovider.RecordNotFoundError); ok {
-		renderNotFoundPage(w, r, err)
-		return
-	} else if err != nil {
-		renderInternalServerErrorPage(w, r, err)
-		return
-	}
-	updatedUser, err := getUserFromPostFields(r)
-	if err != nil {
-		renderUserPage(w, r, &user, userPageModeUpdate, err.Error())
-		return
-	}
-	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
-		renderForbiddenPage(w, r, err.Error())
-		return
-	}
-	updatedUser.ID = user.ID
-	updatedUser.Username = user.Username
-	updatedUser.SetEmptySecretsIfNil()
-	if updatedUser.Password == redactedSecret {
-		updatedUser.Password = user.Password
-	}
-	updateEncryptedSecrets(&updatedUser.FsConfig, user.FsConfig.S3Config.AccessSecret, user.FsConfig.AzBlobConfig.AccountKey,
-		user.FsConfig.GCSConfig.Credentials, user.FsConfig.CryptConfig.Passphrase, user.FsConfig.SFTPConfig.Password,
-		user.FsConfig.SFTPConfig.PrivateKey)
-
-	err = dataprovider.UpdateUser(&updatedUser)
-	if err == nil {
-		if len(r.Form.Get("disconnect")) > 0 {
-			disconnectUser(user.Username)
-		}
-		http.Redirect(w, r, webUsersPath, http.StatusSeeOther)
-	} else {
-		renderUserPage(w, r, &user, userPageModeUpdate, err.Error())
-	}
-}
-
-func handleWebGetStatus(w http.ResponseWriter, r *http.Request) {
-	data := statusPage{
-		basePage: getBasePageData(pageStatusTitle, webStatusPath, r),
-		Status:   getServicesStatus(),
-	}
-	renderTemplate(w, templateStatus, data)
-}
-
-func handleWebGetConnections(w http.ResponseWriter, r *http.Request) {
-	connectionStats := common.Connections.GetStats()
-	data := connectionsPage{
-		basePage:    getBasePageData(pageConnectionsTitle, webConnectionsPath, r),
-		Connections: connectionStats,
-	}
-	renderTemplate(w, templateConnections, data)
-}
-
-func handleWebAddFolderGet(w http.ResponseWriter, r *http.Request) {
-	renderFolderPage(w, r, vfs.BaseVirtualFolder{}, folderPageModeAdd, "")
-}
-
-func handleWebAddFolderPost(w http.ResponseWriter, r *http.Request) {
-	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
-	folder := vfs.BaseVirtualFolder{}
-	err := r.ParseMultipartForm(maxRequestSize)
-	if err != nil {
-		renderFolderPage(w, r, folder, folderPageModeAdd, err.Error())
-		return
-	}
-	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
-		renderForbiddenPage(w, r, err.Error())
-		return
-	}
-	folder.MappedPath = r.Form.Get("mapped_path")
-	folder.Name = r.Form.Get("name")
-	folder.Description = r.Form.Get("description")
-	fsConfig, err := getFsConfigFromPostFields(r)
-	if err != nil {
-		renderFolderPage(w, r, folder, folderPageModeAdd, err.Error())
-		return
-	}
-	folder.FsConfig = fsConfig
-
-	err = dataprovider.AddFolder(&folder)
-	if err == nil {
-		http.Redirect(w, r, webFoldersPath, http.StatusSeeOther)
-	} else {
-		renderFolderPage(w, r, folder, folderPageModeAdd, err.Error())
-	}
-}
-
-func handleWebUpdateFolderGet(w http.ResponseWriter, r *http.Request) {
-	name := getURLParam(r, "name")
-	folder, err := dataprovider.GetFolderByName(name)
-	if err == nil {
-		renderFolderPage(w, r, folder, folderPageModeUpdate, "")
-	} else if _, ok := err.(*dataprovider.RecordNotFoundError); ok {
-		renderNotFoundPage(w, r, err)
-	} else {
-		renderInternalServerErrorPage(w, r, err)
-	}
-}
-
-func handleWebUpdateFolderPost(w http.ResponseWriter, r *http.Request) {
-	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
-	name := getURLParam(r, "name")
-	folder, err := dataprovider.GetFolderByName(name)
-	if _, ok := err.(*dataprovider.RecordNotFoundError); ok {
-		renderNotFoundPage(w, r, err)
-		return
-	} else if err != nil {
-		renderInternalServerErrorPage(w, r, err)
-		return
-	}
-
-	err = r.ParseMultipartForm(maxRequestSize)
-	if err != nil {
-		renderFolderPage(w, r, folder, folderPageModeUpdate, err.Error())
-		return
-	}
-	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
-		renderForbiddenPage(w, r, err.Error())
-		return
-	}
-	fsConfig, err := getFsConfigFromPostFields(r)
-	if err != nil {
-		renderFolderPage(w, r, folder, folderPageModeUpdate, err.Error())
-		return
-	}
-	updatedFolder := &vfs.BaseVirtualFolder{
-		MappedPath:  r.Form.Get("mapped_path"),
-		Description: r.Form.Get("description"),
-	}
-	updatedFolder.ID = folder.ID
-	updatedFolder.Name = folder.Name
-	updatedFolder.FsConfig = fsConfig
-	updatedFolder.FsConfig.SetEmptySecretsIfNil()
-	updateEncryptedSecrets(&updatedFolder.FsConfig, folder.FsConfig.S3Config.AccessSecret, folder.FsConfig.AzBlobConfig.AccountKey,
-		folder.FsConfig.GCSConfig.Credentials, folder.FsConfig.CryptConfig.Passphrase, folder.FsConfig.SFTPConfig.Password,
-		folder.FsConfig.SFTPConfig.PrivateKey)
-
-	err = dataprovider.UpdateFolder(updatedFolder, folder.Users)
-	if err != nil {
-		renderFolderPage(w, r, folder, folderPageModeUpdate, err.Error())
-		return
-	}
-	http.Redirect(w, r, webFoldersPath, http.StatusSeeOther)
-}
-
-func handleWebGetFolders(w http.ResponseWriter, r *http.Request) {
-	limit := defaultQueryLimit
-	if _, ok := r.URL.Query()["qlimit"]; ok {
-		var err error
-		limit, err = strconv.Atoi(r.URL.Query().Get("qlimit"))
-		if err != nil {
-			limit = defaultQueryLimit
-		}
-	}
-	folders := make([]vfs.BaseVirtualFolder, 0, limit)
-	for {
-		f, err := dataprovider.GetFolders(limit, len(folders), dataprovider.OrderASC)
-		if err != nil {
-			renderInternalServerErrorPage(w, r, err)
-			return
-		}
-		folders = append(folders, f...)
-		if len(f) < limit {
-			break
-		}
-	}
-
-	data := foldersPage{
-		basePage: getBasePageData(pageFoldersTitle, webFoldersPath, r),
-		Folders:  folders,
-	}
-	renderTemplate(w, templateFolders, data)
-}

httpd/webadmin.go

@@ -0,0 +1,1559 @@
+package httpd
+
+import (
+	"errors"
+	"fmt"
+	"html/template"
+	"io"
+	"net/http"
+	"net/url"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/go-chi/render"
+
+	"github.com/drakkan/sftpgo/common"
+	"github.com/drakkan/sftpgo/dataprovider"
+	"github.com/drakkan/sftpgo/kms"
+	"github.com/drakkan/sftpgo/utils"
+	"github.com/drakkan/sftpgo/version"
+	"github.com/drakkan/sftpgo/vfs"
+)
+
+type userPageMode int
+
+const (
+	userPageModeAdd userPageMode = iota + 1
+	userPageModeUpdate
+	userPageModeTemplate
+)
+
+type folderPageMode int
+
+const (
+	folderPageModeAdd folderPageMode = iota + 1
+	folderPageModeUpdate
+	folderPageModeTemplate
+)
+
+const (
+	templateAdminDir     = "webadmin"
+	templateBase         = "base.html"
+	templateFsConfig     = "fsconfig.html"
+	templateUsers        = "users.html"
+	templateUser         = "user.html"
+	templateAdmins       = "admins.html"
+	templateAdmin        = "admin.html"
+	templateConnections  = "connections.html"
+	templateFolders      = "folders.html"
+	templateFolder       = "folder.html"
+	templateMessage      = "message.html"
+	templateStatus       = "status.html"
+	templateLogin        = "login.html"
+	templateChangePwd    = "changepwd.html"
+	templateMaintenance  = "maintenance.html"
+	pageUsersTitle       = "Users"
+	pageAdminsTitle      = "Admins"
+	pageConnectionsTitle = "Connections"
+	pageStatusTitle      = "Status"
+	pageFoldersTitle     = "Folders"
+	pageChangePwdTitle   = "Change password"
+	pageMaintenanceTitle = "Maintenance"
+	defaultQueryLimit    = 500
+)
+
+var (
+	adminTemplates = make(map[string]*template.Template)
+)
+
+type basePage struct {
+	Title              string
+	CurrentURL         string
+	UsersURL           string
+	UserURL            string
+	UserTemplateURL    string
+	AdminsURL          string
+	AdminURL           string
+	QuotaScanURL       string
+	ConnectionsURL     string
+	FoldersURL         string
+	FolderURL          string
+	FolderTemplateURL  string
+	LogoutURL          string
+	ChangeAdminPwdURL  string
+	FolderQuotaScanURL string
+	StatusURL          string
+	MaintenanceURL     string
+	StaticURL          string
+	UsersTitle         string
+	AdminsTitle        string
+	ConnectionsTitle   string
+	FoldersTitle       string
+	StatusTitle        string
+	MaintenanceTitle   string
+	Version            string
+	CSRFToken          string
+	LoggedAdmin        *dataprovider.Admin
+}
+
+type usersPage struct {
+	basePage
+	Users []dataprovider.User
+}
+
+type adminsPage struct {
+	basePage
+	Admins []dataprovider.Admin
+}
+
+type foldersPage struct {
+	basePage
+	Folders []vfs.BaseVirtualFolder
+}
+
+type connectionsPage struct {
+	basePage
+	Connections []*common.ConnectionStatus
+}
+
+type statusPage struct {
+	basePage
+	Status ServicesStatus
+}
+
+type userPage struct {
+	basePage
+	User              *dataprovider.User
+	RootPerms         []string
+	Error             string
+	ValidPerms        []string
+	ValidLoginMethods []string
+	ValidProtocols    []string
+	WebClientOptions  []string
+	RootDirPerms      []string
+	RedactedSecret    string
+	Mode              userPageMode
+}
+
+type adminPage struct {
+	basePage
+	Admin *dataprovider.Admin
+	Error string
+	IsAdd bool
+}
+
+type changePwdPage struct {
+	basePage
+	Error string
+}
+
+type maintenancePage struct {
+	basePage
+	BackupPath  string
+	RestorePath string
+	Error       string
+}
+
+type folderPage struct {
+	basePage
+	Folder vfs.BaseVirtualFolder
+	Error  string
+	Mode   folderPageMode
+}
+
+type messagePage struct {
+	basePage
+	Error   string
+	Success string
+}
+
+type userTemplateFields struct {
+	Username  string
+	Password  string
+	PublicKey string
+}
+
+func loadAdminTemplates(templatesPath string) {
+	usersPaths := []string{
+		filepath.Join(templatesPath, templateAdminDir, templateBase),
+		filepath.Join(templatesPath, templateAdminDir, templateUsers),
+	}
+	userPaths := []string{
+		filepath.Join(templatesPath, templateAdminDir, templateBase),
+		filepath.Join(templatesPath, templateAdminDir, templateFsConfig),
+		filepath.Join(templatesPath, templateAdminDir, templateUser),
+	}
+	adminsPaths := []string{
+		filepath.Join(templatesPath, templateAdminDir, templateBase),
+		filepath.Join(templatesPath, templateAdminDir, templateAdmins),
+	}
+	adminPaths := []string{
+		filepath.Join(templatesPath, templateAdminDir, templateBase),
+		filepath.Join(templatesPath, templateAdminDir, templateAdmin),
+	}
+	changePwdPaths := []string{
+		filepath.Join(templatesPath, templateAdminDir, templateBase),
+		filepath.Join(templatesPath, templateAdminDir, templateChangePwd),
+	}
+	connectionsPaths := []string{
+		filepath.Join(templatesPath, templateAdminDir, templateBase),
+		filepath.Join(templatesPath, templateAdminDir, templateConnections),
+	}
+	messagePath := []string{
+		filepath.Join(templatesPath, templateAdminDir, templateBase),
+		filepath.Join(templatesPath, templateAdminDir, templateMessage),
+	}
+	foldersPath := []string{
+		filepath.Join(templatesPath, templateAdminDir, templateBase),
+		filepath.Join(templatesPath, templateAdminDir, templateFolders),
+	}
+	folderPath := []string{
+		filepath.Join(templatesPath, templateAdminDir, templateBase),
+		filepath.Join(templatesPath, templateAdminDir, templateFsConfig),
+		filepath.Join(templatesPath, templateAdminDir, templateFolder),
+	}
+	statusPath := []string{
+		filepath.Join(templatesPath, templateAdminDir, templateBase),
+		filepath.Join(templatesPath, templateAdminDir, templateStatus),
+	}
+	loginPath := []string{
+		filepath.Join(templatesPath, templateAdminDir, templateLogin),
+	}
+	maintenancePath := []string{
+		filepath.Join(templatesPath, templateAdminDir, templateBase),
+		filepath.Join(templatesPath, templateAdminDir, templateMaintenance),
+	}
+	usersTmpl := utils.LoadTemplate(template.ParseFiles(usersPaths...))
+	userTmpl := utils.LoadTemplate(template.ParseFiles(userPaths...))
+	adminsTmpl := utils.LoadTemplate(template.ParseFiles(adminsPaths...))
+	adminTmpl := utils.LoadTemplate(template.ParseFiles(adminPaths...))
+	connectionsTmpl := utils.LoadTemplate(template.ParseFiles(connectionsPaths...))
+	messageTmpl := utils.LoadTemplate(template.ParseFiles(messagePath...))
+	foldersTmpl := utils.LoadTemplate(template.ParseFiles(foldersPath...))
+	folderTmpl := utils.LoadTemplate(template.ParseFiles(folderPath...))
+	statusTmpl := utils.LoadTemplate(template.ParseFiles(statusPath...))
+	loginTmpl := utils.LoadTemplate(template.ParseFiles(loginPath...))
+	changePwdTmpl := utils.LoadTemplate(template.ParseFiles(changePwdPaths...))
+	maintenanceTmpl := utils.LoadTemplate(template.ParseFiles(maintenancePath...))
+
+	adminTemplates[templateUsers] = usersTmpl
+	adminTemplates[templateUser] = userTmpl
+	adminTemplates[templateAdmins] = adminsTmpl
+	adminTemplates[templateAdmin] = adminTmpl
+	adminTemplates[templateConnections] = connectionsTmpl
+	adminTemplates[templateMessage] = messageTmpl
+	adminTemplates[templateFolders] = foldersTmpl
+	adminTemplates[templateFolder] = folderTmpl
+	adminTemplates[templateStatus] = statusTmpl
+	adminTemplates[templateLogin] = loginTmpl
+	adminTemplates[templateChangePwd] = changePwdTmpl
+	adminTemplates[templateMaintenance] = maintenanceTmpl
+}
+
+func getBasePageData(title, currentURL string, r *http.Request) basePage {
+	var csrfToken string
+	if currentURL != "" {
+		csrfToken = createCSRFToken()
+	}
+	return basePage{
+		Title:              title,
+		CurrentURL:         currentURL,
+		UsersURL:           webUsersPath,
+		UserURL:            webUserPath,
+		UserTemplateURL:    webTemplateUser,
+		AdminsURL:          webAdminsPath,
+		AdminURL:           webAdminPath,
+		FoldersURL:         webFoldersPath,
+		FolderURL:          webFolderPath,
+		FolderTemplateURL:  webTemplateFolder,
+		LogoutURL:          webLogoutPath,
+		ChangeAdminPwdURL:  webChangeAdminPwdPath,
+		QuotaScanURL:       webQuotaScanPath,
+		ConnectionsURL:     webConnectionsPath,
+		StatusURL:          webStatusPath,
+		FolderQuotaScanURL: webScanVFolderPath,
+		MaintenanceURL:     webMaintenancePath,
+		StaticURL:          webStaticFilesPath,
+		UsersTitle:         pageUsersTitle,
+		AdminsTitle:        pageAdminsTitle,
+		ConnectionsTitle:   pageConnectionsTitle,
+		FoldersTitle:       pageFoldersTitle,
+		StatusTitle:        pageStatusTitle,
+		MaintenanceTitle:   pageMaintenanceTitle,
+		Version:            version.GetAsString(),
+		LoggedAdmin:        getAdminFromToken(r),
+		CSRFToken:          csrfToken,
+	}
+}
+
+func renderAdminTemplate(w http.ResponseWriter, tmplName string, data interface{}) {
+	err := adminTemplates[tmplName].ExecuteTemplate(w, tmplName, data)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+	}
+}
+
+func renderMessagePage(w http.ResponseWriter, r *http.Request, title, body string, statusCode int, err error, message string) {
+	var errorString string
+	if body != "" {
+		errorString = body + " "
+	}
+	if err != nil {
+		errorString += err.Error()
+	}
+	data := messagePage{
+		basePage: getBasePageData(title, "", r),
+		Error:    errorString,
+		Success:  message,
+	}
+	w.WriteHeader(statusCode)
+	renderAdminTemplate(w, templateMessage, data)
+}
+
+func renderInternalServerErrorPage(w http.ResponseWriter, r *http.Request, err error) {
+	renderMessagePage(w, r, page500Title, page500Body, http.StatusInternalServerError, err, "")
+}
+
+func renderBadRequestPage(w http.ResponseWriter, r *http.Request, err error) {
+	renderMessagePage(w, r, page400Title, "", http.StatusBadRequest, err, "")
+}
+
+func renderForbiddenPage(w http.ResponseWriter, r *http.Request, body string) {
+	renderMessagePage(w, r, page403Title, "", http.StatusForbidden, nil, body)
+}
+
+func renderNotFoundPage(w http.ResponseWriter, r *http.Request, err error) {
+	renderMessagePage(w, r, page404Title, page404Body, http.StatusNotFound, err, "")
+}
+
+func renderChangePwdPage(w http.ResponseWriter, r *http.Request, error string) {
+	data := changePwdPage{
+		basePage: getBasePageData(pageChangePwdTitle, webChangeAdminPwdPath, r),
+		Error:    error,
+	}
+
+	renderAdminTemplate(w, templateChangePwd, data)
+}
+
+func renderMaintenancePage(w http.ResponseWriter, r *http.Request, error string) {
+	data := maintenancePage{
+		basePage:    getBasePageData(pageMaintenanceTitle, webMaintenancePath, r),
+		BackupPath:  webBackupPath,
+		RestorePath: webRestorePath,
+		Error:       error,
+	}
+
+	renderAdminTemplate(w, templateMaintenance, data)
+}
+
+func renderAddUpdateAdminPage(w http.ResponseWriter, r *http.Request, admin *dataprovider.Admin,
+	error string, isAdd bool) {
+	currentURL := webAdminPath
+	if !isAdd {
+		currentURL = fmt.Sprintf("%v/%v", webAdminPath, url.PathEscape(admin.Username))
+	}
+	data := adminPage{
+		basePage: getBasePageData("Add a new user", currentURL, r),
+		Admin:    admin,
+		Error:    error,
+		IsAdd:    isAdd,
+	}
+
+	renderAdminTemplate(w, templateAdmin, data)
+}
+
+func renderUserPage(w http.ResponseWriter, r *http.Request, user *dataprovider.User, mode userPageMode, error string) {
+	user.SetEmptySecretsIfNil()
+	var title, currentURL string
+	switch mode {
+	case userPageModeAdd:
+		title = "Add a new user"
+		currentURL = webUserPath
+	case userPageModeUpdate:
+		title = "Update user"
+		currentURL = fmt.Sprintf("%v/%v", webUserPath, url.PathEscape(user.Username))
+	case userPageModeTemplate:
+		title = "User template"
+		currentURL = webTemplateUser
+	}
+	if user.Password != "" && user.IsPasswordHashed() && mode == userPageModeUpdate {
+		user.Password = redactedSecret
+	}
+	user.FsConfig.RedactedSecret = redactedSecret
+	data := userPage{
+		basePage:          getBasePageData(title, currentURL, r),
+		Mode:              mode,
+		Error:             error,
+		User:              user,
+		ValidPerms:        dataprovider.ValidPerms,
+		ValidLoginMethods: dataprovider.ValidLoginMethods,
+		ValidProtocols:    dataprovider.ValidProtocols,
+		WebClientOptions:  dataprovider.WebClientOptions,
+		RootDirPerms:      user.GetPermissionsForPath("/"),
+	}
+	renderAdminTemplate(w, templateUser, data)
+}
+
+func renderFolderPage(w http.ResponseWriter, r *http.Request, folder vfs.BaseVirtualFolder, mode folderPageMode, error string) {
+	var title, currentURL string
+	switch mode {
+	case folderPageModeAdd:
+		title = "Add a new folder"
+		currentURL = webFolderPath
+	case folderPageModeUpdate:
+		title = "Update folder"
+		currentURL = fmt.Sprintf("%v/%v", webFolderPath, url.PathEscape(folder.Name))
+	case folderPageModeTemplate:
+		title = "Folder template"
+		currentURL = webTemplateFolder
+	}
+	folder.FsConfig.RedactedSecret = redactedSecret
+	folder.FsConfig.SetEmptySecretsIfNil()
+
+	data := folderPage{
+		basePage: getBasePageData(title, currentURL, r),
+		Error:    error,
+		Folder:   folder,
+		Mode:     mode,
+	}
+	renderAdminTemplate(w, templateFolder, data)
+}
+
+func getFoldersForTemplate(r *http.Request) []string {
+	var res []string
+	formValue := r.Form.Get("folders")
+	folders := make(map[string]bool)
+	for _, name := range getSliceFromDelimitedValues(formValue, "\n") {
+		if _, ok := folders[name]; ok {
+			continue
+		}
+		folders[name] = true
+		res = append(res, name)
+	}
+	return res
+}
+
+func getUsersForTemplate(r *http.Request) []userTemplateFields {
+	var res []userTemplateFields
+	formValue := r.Form.Get("users")
+	users := make(map[string]bool)
+	for _, cleaned := range getSliceFromDelimitedValues(formValue, "\n") {
+		if strings.Contains(cleaned, "::") {
+			mapping := strings.Split(cleaned, "::")
+			if len(mapping) > 1 {
+				username := strings.TrimSpace(mapping[0])
+				password := strings.TrimSpace(mapping[1])
+				var publicKey string
+				if len(mapping) > 2 {
+					publicKey = strings.TrimSpace(mapping[2])
+				}
+				if username == "" || (password == "" && publicKey == "") {
+					continue
+				}
+				if _, ok := users[username]; ok {
+					continue
+				}
+
+				users[username] = true
+				res = append(res, userTemplateFields{
+					Username:  username,
+					Password:  password,
+					PublicKey: publicKey,
+				})
+			}
+		}
+	}
+	return res
+}
+
+func getVirtualFoldersFromPostFields(r *http.Request) []vfs.VirtualFolder {
+	var virtualFolders []vfs.VirtualFolder
+	formValue := r.Form.Get("virtual_folders")
+	for _, cleaned := range getSliceFromDelimitedValues(formValue, "\n") {
+		if strings.Contains(cleaned, "::") {
+			mapping := strings.Split(cleaned, "::")
+			if len(mapping) > 1 {
+				vfolder := vfs.VirtualFolder{
+					BaseVirtualFolder: vfs.BaseVirtualFolder{
+						Name: strings.TrimSpace(mapping[1]),
+					},
+					VirtualPath: strings.TrimSpace(mapping[0]),
+					QuotaFiles:  -1,
+					QuotaSize:   -1,
+				}
+				if len(mapping) > 2 {
+					quotaFiles, err := strconv.Atoi(strings.TrimSpace(mapping[2]))
+					if err == nil {
+						vfolder.QuotaFiles = quotaFiles
+					}
+				}
+				if len(mapping) > 3 {
+					quotaSize, err := strconv.ParseInt(strings.TrimSpace(mapping[3]), 10, 64)
+					if err == nil {
+						vfolder.QuotaSize = quotaSize
+					}
+				}
+				virtualFolders = append(virtualFolders, vfolder)
+			}
+		}
+	}
+	return virtualFolders
+}
+
+func getUserPermissionsFromPostFields(r *http.Request) map[string][]string {
+	permissions := make(map[string][]string)
+	permissions["/"] = r.Form["permissions"]
+	subDirsPermsValue := r.Form.Get("sub_dirs_permissions")
+	for _, cleaned := range getSliceFromDelimitedValues(subDirsPermsValue, "\n") {
+		if strings.Contains(cleaned, "::") {
+			dirPerms := strings.Split(cleaned, "::")
+			if len(dirPerms) > 1 {
+				dir := dirPerms[0]
+				dir = strings.TrimSpace(dir)
+				perms := []string{}
+				for _, p := range strings.Split(dirPerms[1], ",") {
+					cleanedPerm := strings.TrimSpace(p)
+					if cleanedPerm != "" {
+						perms = append(perms, cleanedPerm)
+					}
+				}
+				if dir != "" {
+					permissions[dir] = perms
+				}
+			}
+		}
+	}
+	return permissions
+}
+
+func getFilePatternsFromPostField(valueAllowed, valuesDenied string) []dataprovider.PatternsFilter {
+	var result []dataprovider.PatternsFilter
+	allowedPatterns := getListFromPostFields(valueAllowed)
+	deniedPatterns := getListFromPostFields(valuesDenied)
+
+	for dirAllowed, allowPatterns := range allowedPatterns {
+		filter := dataprovider.PatternsFilter{
+			Path:            dirAllowed,
+			AllowedPatterns: allowPatterns,
+		}
+		for dirDenied, denPatterns := range deniedPatterns {
+			if dirAllowed == dirDenied {
+				filter.DeniedPatterns = denPatterns
+				break
+			}
+		}
+		result = append(result, filter)
+	}
+	for dirDenied, denPatterns := range deniedPatterns {
+		found := false
+		for _, res := range result {
+			if res.Path == dirDenied {
+				found = true
+				break
+			}
+		}
+		if !found {
+			result = append(result, dataprovider.PatternsFilter{
+				Path:           dirDenied,
+				DeniedPatterns: denPatterns,
+			})
+		}
+	}
+	return result
+}
+
+func getFileExtensionsFromPostField(valueAllowed, valuesDenied string) []dataprovider.ExtensionsFilter {
+	var result []dataprovider.ExtensionsFilter
+	allowedExtensions := getListFromPostFields(valueAllowed)
+	deniedExtensions := getListFromPostFields(valuesDenied)
+
+	for dirAllowed, allowedExts := range allowedExtensions {
+		filter := dataprovider.ExtensionsFilter{
+			Path:              dirAllowed,
+			AllowedExtensions: allowedExts,
+		}
+		for dirDenied, deniedExts := range deniedExtensions {
+			if dirAllowed == dirDenied {
+				filter.DeniedExtensions = deniedExts
+				break
+			}
+		}
+		result = append(result, filter)
+	}
+	for dirDenied, deniedExts := range deniedExtensions {
+		found := false
+		for _, res := range result {
+			if res.Path == dirDenied {
+				found = true
+				break
+			}
+		}
+		if !found {
+			result = append(result, dataprovider.ExtensionsFilter{
+				Path:             dirDenied,
+				DeniedExtensions: deniedExts,
+			})
+		}
+	}
+	return result
+}
+
+func getFiltersFromUserPostFields(r *http.Request) dataprovider.UserFilters {
+	var filters dataprovider.UserFilters
+	filters.AllowedIP = getSliceFromDelimitedValues(r.Form.Get("allowed_ip"), ",")
+	filters.DeniedIP = getSliceFromDelimitedValues(r.Form.Get("denied_ip"), ",")
+	filters.DeniedLoginMethods = r.Form["ssh_login_methods"]
+	filters.DeniedProtocols = r.Form["denied_protocols"]
+	filters.FileExtensions = getFileExtensionsFromPostField(r.Form.Get("allowed_extensions"), r.Form.Get("denied_extensions"))
+	filters.FilePatterns = getFilePatternsFromPostField(r.Form.Get("allowed_patterns"), r.Form.Get("denied_patterns"))
+	filters.TLSUsername = dataprovider.TLSUsername(r.Form.Get("tls_username"))
+	filters.WebClient = r.Form["web_client_options"]
+	hooks := r.Form["hooks"]
+	if utils.IsStringInSlice("external_auth_disabled", hooks) {
+		filters.Hooks.ExternalAuthDisabled = true
+	}
+	if utils.IsStringInSlice("pre_login_disabled", hooks) {
+		filters.Hooks.PreLoginDisabled = true
+	}
+	if utils.IsStringInSlice("check_password_disabled", hooks) {
+		filters.Hooks.CheckPasswordDisabled = true
+	}
+	filters.DisableFsChecks = len(r.Form.Get("disable_fs_checks")) > 0
+	return filters
+}
+
+func getSecretFromFormField(r *http.Request, field string) *kms.Secret {
+	secret := kms.NewPlainSecret(r.Form.Get(field))
+	if strings.TrimSpace(secret.GetPayload()) == redactedSecret {
+		secret.SetStatus(kms.SecretStatusRedacted)
+	}
+	if strings.TrimSpace(secret.GetPayload()) == "" {
+		secret.SetStatus("")
+	}
+	return secret
+}
+
+func getS3Config(r *http.Request) (vfs.S3FsConfig, error) {
+	var err error
+	config := vfs.S3FsConfig{}
+	config.Bucket = r.Form.Get("s3_bucket")
+	config.Region = r.Form.Get("s3_region")
+	config.AccessKey = r.Form.Get("s3_access_key")
+	config.AccessSecret = getSecretFromFormField(r, "s3_access_secret")
+	config.Endpoint = r.Form.Get("s3_endpoint")
+	config.StorageClass = r.Form.Get("s3_storage_class")
+	config.KeyPrefix = r.Form.Get("s3_key_prefix")
+	config.UploadPartSize, err = strconv.ParseInt(r.Form.Get("s3_upload_part_size"), 10, 64)
+	if err != nil {
+		return config, err
+	}
+	config.UploadConcurrency, err = strconv.Atoi(r.Form.Get("s3_upload_concurrency"))
+	return config, err
+}
+
+func getGCSConfig(r *http.Request) (vfs.GCSFsConfig, error) {
+	var err error
+	config := vfs.GCSFsConfig{}
+
+	config.Bucket = r.Form.Get("gcs_bucket")
+	config.StorageClass = r.Form.Get("gcs_storage_class")
+	config.KeyPrefix = r.Form.Get("gcs_key_prefix")
+	autoCredentials := r.Form.Get("gcs_auto_credentials")
+	if autoCredentials != "" {
+		config.AutomaticCredentials = 1
+	} else {
+		config.AutomaticCredentials = 0
+	}
+	credentials, _, err := r.FormFile("gcs_credential_file")
+	if err == http.ErrMissingFile {
+		return config, nil
+	}
+	if err != nil {
+		return config, err
+	}
+	defer credentials.Close()
+	fileBytes, err := io.ReadAll(credentials)
+	if err != nil || len(fileBytes) == 0 {
+		if len(fileBytes) == 0 {
+			err = errors.New("credentials file size must be greater than 0")
+		}
+		return config, err
+	}
+	config.Credentials = kms.NewPlainSecret(string(fileBytes))
+	config.AutomaticCredentials = 0
+	return config, err
+}
+
+func getSFTPConfig(r *http.Request) (vfs.SFTPFsConfig, error) {
+	var err error
+	config := vfs.SFTPFsConfig{}
+	config.Endpoint = r.Form.Get("sftp_endpoint")
+	config.Username = r.Form.Get("sftp_username")
+	config.Password = getSecretFromFormField(r, "sftp_password")
+	config.PrivateKey = getSecretFromFormField(r, "sftp_private_key")
+	fingerprintsFormValue := r.Form.Get("sftp_fingerprints")
+	config.Fingerprints = getSliceFromDelimitedValues(fingerprintsFormValue, "\n")
+	config.Prefix = r.Form.Get("sftp_prefix")
+	config.DisableCouncurrentReads = len(r.Form.Get("sftp_disable_concurrent_reads")) > 0
+	config.BufferSize, err = strconv.ParseInt(r.Form.Get("sftp_buffer_size"), 10, 64)
+	return config, err
+}
+
+func getAzureConfig(r *http.Request) (vfs.AzBlobFsConfig, error) {
+	var err error
+	config := vfs.AzBlobFsConfig{}
+	config.Container = r.Form.Get("az_container")
+	config.AccountName = r.Form.Get("az_account_name")
+	config.AccountKey = getSecretFromFormField(r, "az_account_key")
+	config.SASURL = r.Form.Get("az_sas_url")
+	config.Endpoint = r.Form.Get("az_endpoint")
+	config.KeyPrefix = r.Form.Get("az_key_prefix")
+	config.AccessTier = r.Form.Get("az_access_tier")
+	config.UseEmulator = len(r.Form.Get("az_use_emulator")) > 0
+	config.UploadPartSize, err = strconv.ParseInt(r.Form.Get("az_upload_part_size"), 10, 64)
+	if err != nil {
+		return config, err
+	}
+	config.UploadConcurrency, err = strconv.Atoi(r.Form.Get("az_upload_concurrency"))
+	return config, err
+}
+
+func getFsConfigFromPostFields(r *http.Request) (vfs.Filesystem, error) {
+	var fs vfs.Filesystem
+	provider, err := strconv.Atoi(r.Form.Get("fs_provider"))
+	if err != nil {
+		provider = int(vfs.LocalFilesystemProvider)
+	}
+	fs.Provider = vfs.FilesystemProvider(provider)
+	switch fs.Provider {
+	case vfs.S3FilesystemProvider:
+		config, err := getS3Config(r)
+		if err != nil {
+			return fs, err
+		}
+		fs.S3Config = config
+	case vfs.AzureBlobFilesystemProvider:
+		config, err := getAzureConfig(r)
+		if err != nil {
+			return fs, err
+		}
+		fs.AzBlobConfig = config
+	case vfs.GCSFilesystemProvider:
+		config, err := getGCSConfig(r)
+		if err != nil {
+			return fs, err
+		}
+		fs.GCSConfig = config
+	case vfs.CryptedFilesystemProvider:
+		fs.CryptConfig.Passphrase = getSecretFromFormField(r, "crypt_passphrase")
+	case vfs.SFTPFilesystemProvider:
+		config, err := getSFTPConfig(r)
+		if err != nil {
+			return fs, err
+		}
+		fs.SFTPConfig = config
+	}
+	return fs, nil
+}
+
+func getAdminFromPostFields(r *http.Request) (dataprovider.Admin, error) {
+	var admin dataprovider.Admin
+	err := r.ParseForm()
+	if err != nil {
+		return admin, err
+	}
+	status, err := strconv.Atoi(r.Form.Get("status"))
+	if err != nil {
+		return admin, err
+	}
+	admin.Username = r.Form.Get("username")
+	admin.Password = r.Form.Get("password")
+	admin.Permissions = r.Form["permissions"]
+	admin.Email = r.Form.Get("email")
+	admin.Status = status
+	admin.Filters.AllowList = getSliceFromDelimitedValues(r.Form.Get("allowed_ip"), ",")
+	admin.AdditionalInfo = r.Form.Get("additional_info")
+	admin.Description = r.Form.Get("description")
+	return admin, nil
+}
+
+func replacePlaceholders(field string, replacements map[string]string) string {
+	for k, v := range replacements {
+		field = strings.ReplaceAll(field, k, v)
+	}
+	return field
+}
+
+func getFolderFromTemplate(folder vfs.BaseVirtualFolder, name string) vfs.BaseVirtualFolder {
+	folder.Name = name
+	replacements := make(map[string]string)
+	replacements["%name%"] = folder.Name
+
+	folder.MappedPath = replacePlaceholders(folder.MappedPath, replacements)
+	folder.Description = replacePlaceholders(folder.Description, replacements)
+	switch folder.FsConfig.Provider {
+	case vfs.CryptedFilesystemProvider:
+		folder.FsConfig.CryptConfig = getCryptFsFromTemplate(folder.FsConfig.CryptConfig, replacements)
+	case vfs.S3FilesystemProvider:
+		folder.FsConfig.S3Config = getS3FsFromTemplate(folder.FsConfig.S3Config, replacements)
+	case vfs.GCSFilesystemProvider:
+		folder.FsConfig.GCSConfig = getGCSFsFromTemplate(folder.FsConfig.GCSConfig, replacements)
+	case vfs.AzureBlobFilesystemProvider:
+		folder.FsConfig.AzBlobConfig = getAzBlobFsFromTemplate(folder.FsConfig.AzBlobConfig, replacements)
+	case vfs.SFTPFilesystemProvider:
+		folder.FsConfig.SFTPConfig = getSFTPFsFromTemplate(folder.FsConfig.SFTPConfig, replacements)
+	}
+
+	return folder
+}
+
+func getCryptFsFromTemplate(fsConfig vfs.CryptFsConfig, replacements map[string]string) vfs.CryptFsConfig {
+	if fsConfig.Passphrase != nil {
+		if fsConfig.Passphrase.IsPlain() {
+			payload := replacePlaceholders(fsConfig.Passphrase.GetPayload(), replacements)
+			fsConfig.Passphrase = kms.NewPlainSecret(payload)
+		}
+	}
+	return fsConfig
+}
+
+func getS3FsFromTemplate(fsConfig vfs.S3FsConfig, replacements map[string]string) vfs.S3FsConfig {
+	fsConfig.KeyPrefix = replacePlaceholders(fsConfig.KeyPrefix, replacements)
+	fsConfig.AccessKey = replacePlaceholders(fsConfig.AccessKey, replacements)
+	if fsConfig.AccessSecret != nil && fsConfig.AccessSecret.IsPlain() {
+		payload := replacePlaceholders(fsConfig.AccessSecret.GetPayload(), replacements)
+		fsConfig.AccessSecret = kms.NewPlainSecret(payload)
+	}
+	return fsConfig
+}
+
+func getGCSFsFromTemplate(fsConfig vfs.GCSFsConfig, replacements map[string]string) vfs.GCSFsConfig {
+	fsConfig.KeyPrefix = replacePlaceholders(fsConfig.KeyPrefix, replacements)
+	return fsConfig
+}
+
+func getAzBlobFsFromTemplate(fsConfig vfs.AzBlobFsConfig, replacements map[string]string) vfs.AzBlobFsConfig {
+	fsConfig.KeyPrefix = replacePlaceholders(fsConfig.KeyPrefix, replacements)
+	fsConfig.AccountName = replacePlaceholders(fsConfig.AccountName, replacements)
+	if fsConfig.AccountKey != nil && fsConfig.AccountKey.IsPlain() {
+		payload := replacePlaceholders(fsConfig.AccountKey.GetPayload(), replacements)
+		fsConfig.AccountKey = kms.NewPlainSecret(payload)
+	}
+	return fsConfig
+}
+
+func getSFTPFsFromTemplate(fsConfig vfs.SFTPFsConfig, replacements map[string]string) vfs.SFTPFsConfig {
+	fsConfig.Prefix = replacePlaceholders(fsConfig.Prefix, replacements)
+	fsConfig.Username = replacePlaceholders(fsConfig.Username, replacements)
+	if fsConfig.Password != nil && fsConfig.Password.IsPlain() {
+		payload := replacePlaceholders(fsConfig.Password.GetPayload(), replacements)
+		fsConfig.Password = kms.NewPlainSecret(payload)
+	}
+	return fsConfig
+}
+
+func getUserFromTemplate(user dataprovider.User, template userTemplateFields) dataprovider.User {
+	user.Username = template.Username
+	user.Password = template.Password
+	user.PublicKeys = nil
+	if template.PublicKey != "" {
+		user.PublicKeys = append(user.PublicKeys, template.PublicKey)
+	}
+	replacements := make(map[string]string)
+	replacements["%username%"] = user.Username
+	user.Password = replacePlaceholders(user.Password, replacements)
+	replacements["%password%"] = user.Password
+
+	user.HomeDir = replacePlaceholders(user.HomeDir, replacements)
+	var vfolders []vfs.VirtualFolder
+	for _, vfolder := range user.VirtualFolders {
+		vfolder.Name = replacePlaceholders(vfolder.Name, replacements)
+		vfolder.VirtualPath = replacePlaceholders(vfolder.VirtualPath, replacements)
+		vfolders = append(vfolders, vfolder)
+	}
+	user.VirtualFolders = vfolders
+	user.Description = replacePlaceholders(user.Description, replacements)
+	user.AdditionalInfo = replacePlaceholders(user.AdditionalInfo, replacements)
+
+	switch user.FsConfig.Provider {
+	case vfs.CryptedFilesystemProvider:
+		user.FsConfig.CryptConfig = getCryptFsFromTemplate(user.FsConfig.CryptConfig, replacements)
+	case vfs.S3FilesystemProvider:
+		user.FsConfig.S3Config = getS3FsFromTemplate(user.FsConfig.S3Config, replacements)
+	case vfs.GCSFilesystemProvider:
+		user.FsConfig.GCSConfig = getGCSFsFromTemplate(user.FsConfig.GCSConfig, replacements)
+	case vfs.AzureBlobFilesystemProvider:
+		user.FsConfig.AzBlobConfig = getAzBlobFsFromTemplate(user.FsConfig.AzBlobConfig, replacements)
+	case vfs.SFTPFilesystemProvider:
+		user.FsConfig.SFTPConfig = getSFTPFsFromTemplate(user.FsConfig.SFTPConfig, replacements)
+	}
+
+	return user
+}
+
+func getUserFromPostFields(r *http.Request) (dataprovider.User, error) {
+	var user dataprovider.User
+	err := r.ParseMultipartForm(maxRequestSize)
+	if err != nil {
+		return user, err
+	}
+	publicKeysFormValue := r.Form.Get("public_keys")
+	publicKeys := getSliceFromDelimitedValues(publicKeysFormValue, "\n")
+	uid, err := strconv.Atoi(r.Form.Get("uid"))
+	if err != nil {
+		return user, err
+	}
+	gid, err := strconv.Atoi(r.Form.Get("gid"))
+	if err != nil {
+		return user, err
+	}
+	maxSessions, err := strconv.Atoi(r.Form.Get("max_sessions"))
+	if err != nil {
+		return user, err
+	}
+	quotaSize, err := strconv.ParseInt(r.Form.Get("quota_size"), 10, 64)
+	if err != nil {
+		return user, err
+	}
+	quotaFiles, err := strconv.Atoi(r.Form.Get("quota_files"))
+	if err != nil {
+		return user, err
+	}
+	bandwidthUL, err := strconv.ParseInt(r.Form.Get("upload_bandwidth"), 10, 64)
+	if err != nil {
+		return user, err
+	}
+	bandwidthDL, err := strconv.ParseInt(r.Form.Get("download_bandwidth"), 10, 64)
+	if err != nil {
+		return user, err
+	}
+	status, err := strconv.Atoi(r.Form.Get("status"))
+	if err != nil {
+		return user, err
+	}
+	expirationDateMillis := int64(0)
+	expirationDateString := r.Form.Get("expiration_date")
+	if len(strings.TrimSpace(expirationDateString)) > 0 {
+		expirationDate, err := time.Parse(webDateTimeFormat, expirationDateString)
+		if err != nil {
+			return user, err
+		}
+		expirationDateMillis = utils.GetTimeAsMsSinceEpoch(expirationDate)
+	}
+	fsConfig, err := getFsConfigFromPostFields(r)
+	if err != nil {
+		return user, err
+	}
+	user = dataprovider.User{
+		Username:          r.Form.Get("username"),
+		Password:          r.Form.Get("password"),
+		PublicKeys:        publicKeys,
+		HomeDir:           r.Form.Get("home_dir"),
+		VirtualFolders:    getVirtualFoldersFromPostFields(r),
+		UID:               uid,
+		GID:               gid,
+		Permissions:       getUserPermissionsFromPostFields(r),
+		MaxSessions:       maxSessions,
+		QuotaSize:         quotaSize,
+		QuotaFiles:        quotaFiles,
+		UploadBandwidth:   bandwidthUL,
+		DownloadBandwidth: bandwidthDL,
+		Status:            status,
+		ExpirationDate:    expirationDateMillis,
+		Filters:           getFiltersFromUserPostFields(r),
+		FsConfig:          fsConfig,
+		AdditionalInfo:    r.Form.Get("additional_info"),
+		Description:       r.Form.Get("description"),
+	}
+	maxFileSize, err := strconv.ParseInt(r.Form.Get("max_upload_file_size"), 10, 64)
+	user.Filters.MaxUploadFileSize = maxFileSize
+	return user, err
+}
+
+func renderLoginPage(w http.ResponseWriter, error string) {
+	data := loginPage{
+		CurrentURL: webLoginPath,
+		Version:    version.Get().Version,
+		Error:      error,
+		CSRFToken:  createCSRFToken(),
+		StaticURL:  webStaticFilesPath,
+	}
+	renderAdminTemplate(w, templateLogin, data)
+}
+
+func handleWebAdminChangePwd(w http.ResponseWriter, r *http.Request) {
+	renderChangePwdPage(w, r, "")
+}
+
+func handleWebAdminChangePwdPost(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+	err := r.ParseForm()
+	if err != nil {
+		renderChangePwdPage(w, r, err.Error())
+		return
+	}
+	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
+		renderForbiddenPage(w, r, err.Error())
+		return
+	}
+	err = doChangeAdminPassword(r, r.Form.Get("current_password"), r.Form.Get("new_password1"),
+		r.Form.Get("new_password2"))
+	if err != nil {
+		renderChangePwdPage(w, r, err.Error())
+		return
+	}
+	handleWebLogout(w, r)
+}
+
+func handleWebLogout(w http.ResponseWriter, r *http.Request) {
+	c := jwtTokenClaims{}
+	c.removeCookie(w, r)
+
+	http.Redirect(w, r, webLoginPath, http.StatusFound)
+}
+
+func handleWebLogin(w http.ResponseWriter, r *http.Request) {
+	renderLoginPage(w, "")
+}
+
+func handleWebMaintenance(w http.ResponseWriter, r *http.Request) {
+	renderMaintenancePage(w, r, "")
+}
+
+func handleWebRestore(w http.ResponseWriter, r *http.Request) {
+	err := r.ParseMultipartForm(MaxRestoreSize)
+	if err != nil {
+		renderMaintenancePage(w, r, err.Error())
+		return
+	}
+	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
+		renderForbiddenPage(w, r, err.Error())
+		return
+	}
+	restoreMode, err := strconv.Atoi(r.Form.Get("mode"))
+	if err != nil {
+		renderMaintenancePage(w, r, err.Error())
+		return
+	}
+	scanQuota, err := strconv.Atoi(r.Form.Get("quota"))
+	if err != nil {
+		renderMaintenancePage(w, r, err.Error())
+		return
+	}
+	backupFile, _, err := r.FormFile("backup_file")
+	if err != nil {
+		renderMaintenancePage(w, r, err.Error())
+		return
+	}
+	defer backupFile.Close()
+
+	backupContent, err := io.ReadAll(backupFile)
+	if err != nil || len(backupContent) == 0 {
+		if len(backupContent) == 0 {
+			err = errors.New("backup file size must be greater than 0")
+		}
+		renderMaintenancePage(w, r, err.Error())
+		return
+	}
+
+	if err := restoreBackup(backupContent, "", scanQuota, restoreMode); err != nil {
+		renderMaintenancePage(w, r, err.Error())
+		return
+	}
+
+	renderMessagePage(w, r, "Data restored", "", http.StatusOK, nil, "Your backup was successfully restored")
+}
+
+func handleGetWebAdmins(w http.ResponseWriter, r *http.Request) {
+	limit := defaultQueryLimit
+	if _, ok := r.URL.Query()["qlimit"]; ok {
+		var err error
+		limit, err = strconv.Atoi(r.URL.Query().Get("qlimit"))
+		if err != nil {
+			limit = defaultQueryLimit
+		}
+	}
+	admins := make([]dataprovider.Admin, 0, limit)
+	for {
+		a, err := dataprovider.GetAdmins(limit, len(admins), dataprovider.OrderASC)
+		if err != nil {
+			renderInternalServerErrorPage(w, r, err)
+			return
+		}
+		admins = append(admins, a...)
+		if len(a) < limit {
+			break
+		}
+	}
+	data := adminsPage{
+		basePage: getBasePageData(pageAdminsTitle, webAdminsPath, r),
+		Admins:   admins,
+	}
+	renderAdminTemplate(w, templateAdmins, data)
+}
+
+func handleWebAddAdminGet(w http.ResponseWriter, r *http.Request) {
+	admin := &dataprovider.Admin{Status: 1}
+	renderAddUpdateAdminPage(w, r, admin, "", true)
+}
+
+func handleWebUpdateAdminGet(w http.ResponseWriter, r *http.Request) {
+	username := getURLParam(r, "username")
+	admin, err := dataprovider.AdminExists(username)
+	if err == nil {
+		renderAddUpdateAdminPage(w, r, &admin, "", false)
+	} else if _, ok := err.(*dataprovider.RecordNotFoundError); ok {
+		renderNotFoundPage(w, r, err)
+	} else {
+		renderInternalServerErrorPage(w, r, err)
+	}
+}
+
+func handleWebAddAdminPost(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+	admin, err := getAdminFromPostFields(r)
+	if err != nil {
+		renderAddUpdateAdminPage(w, r, &admin, err.Error(), true)
+		return
+	}
+	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
+		renderForbiddenPage(w, r, err.Error())
+		return
+	}
+	err = dataprovider.AddAdmin(&admin)
+	if err != nil {
+		renderAddUpdateAdminPage(w, r, &admin, err.Error(), true)
+		return
+	}
+	http.Redirect(w, r, webAdminsPath, http.StatusSeeOther)
+}
+
+func handleWebUpdateAdminPost(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+
+	username := getURLParam(r, "username")
+	admin, err := dataprovider.AdminExists(username)
+	if _, ok := err.(*dataprovider.RecordNotFoundError); ok {
+		renderNotFoundPage(w, r, err)
+		return
+	} else if err != nil {
+		renderInternalServerErrorPage(w, r, err)
+		return
+	}
+
+	updatedAdmin, err := getAdminFromPostFields(r)
+	if err != nil {
+		renderAddUpdateAdminPage(w, r, &updatedAdmin, err.Error(), false)
+		return
+	}
+	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
+		renderForbiddenPage(w, r, err.Error())
+		return
+	}
+	updatedAdmin.ID = admin.ID
+	updatedAdmin.Username = admin.Username
+	if updatedAdmin.Password == "" {
+		updatedAdmin.Password = admin.Password
+	}
+	claims, err := getTokenClaims(r)
+	if err != nil || claims.Username == "" {
+		renderAddUpdateAdminPage(w, r, &updatedAdmin, fmt.Sprintf("Invalid token claims: %v", err), false)
+		return
+	}
+	if username == claims.Username {
+		if claims.isCriticalPermRemoved(updatedAdmin.Permissions) {
+			renderAddUpdateAdminPage(w, r, &updatedAdmin, "You cannot remove these permissions to yourself", false)
+			return
+		}
+		if updatedAdmin.Status == 0 {
+			renderAddUpdateAdminPage(w, r, &updatedAdmin, "You cannot disable yourself", false)
+			return
+		}
+	}
+	err = dataprovider.UpdateAdmin(&updatedAdmin)
+	if err != nil {
+		renderAddUpdateAdminPage(w, r, &admin, err.Error(), false)
+		return
+	}
+	http.Redirect(w, r, webAdminsPath, http.StatusSeeOther)
+}
+
+func handleGetWebUsers(w http.ResponseWriter, r *http.Request) {
+	limit := defaultQueryLimit
+	if _, ok := r.URL.Query()["qlimit"]; ok {
+		var err error
+		limit, err = strconv.Atoi(r.URL.Query().Get("qlimit"))
+		if err != nil {
+			limit = defaultQueryLimit
+		}
+	}
+	users := make([]dataprovider.User, 0, limit)
+	for {
+		u, err := dataprovider.GetUsers(limit, len(users), dataprovider.OrderASC)
+		if err != nil {
+			renderInternalServerErrorPage(w, r, err)
+			return
+		}
+		users = append(users, u...)
+		if len(u) < limit {
+			break
+		}
+	}
+	data := usersPage{
+		basePage: getBasePageData(pageUsersTitle, webUsersPath, r),
+		Users:    users,
+	}
+	renderAdminTemplate(w, templateUsers, data)
+}
+
+func handleWebTemplateFolderGet(w http.ResponseWriter, r *http.Request) {
+	if r.URL.Query().Get("from") != "" {
+		name := r.URL.Query().Get("from")
+		folder, err := dataprovider.GetFolderByName(name)
+		if err == nil {
+			renderFolderPage(w, r, folder, folderPageModeTemplate, "")
+		} else if _, ok := err.(*dataprovider.RecordNotFoundError); ok {
+			renderNotFoundPage(w, r, err)
+		} else {
+			renderInternalServerErrorPage(w, r, err)
+		}
+	} else {
+		folder := vfs.BaseVirtualFolder{}
+		renderFolderPage(w, r, folder, folderPageModeTemplate, "")
+	}
+}
+
+func handleWebTemplateFolderPost(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+	templateFolder := vfs.BaseVirtualFolder{}
+	err := r.ParseForm()
+	if err != nil {
+		renderMessagePage(w, r, "Error parsing folders fields", "", http.StatusBadRequest, err, "")
+		return
+	}
+
+	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
+		renderForbiddenPage(w, r, err.Error())
+		return
+	}
+
+	templateFolder.MappedPath = r.Form.Get("mapped_path")
+	templateFolder.Description = r.Form.Get("description")
+	fsConfig, err := getFsConfigFromPostFields(r)
+	if err != nil {
+		renderMessagePage(w, r, "Error parsing folders fields", "", http.StatusBadRequest, err, "")
+		return
+	}
+	templateFolder.FsConfig = fsConfig
+
+	var dump dataprovider.BackupData
+	dump.Version = dataprovider.DumpVersion
+
+	foldersFields := getFoldersForTemplate(r)
+	for _, tmpl := range foldersFields {
+		f := getFolderFromTemplate(templateFolder, tmpl)
+		if err := dataprovider.ValidateFolder(&f); err != nil {
+			renderMessagePage(w, r, fmt.Sprintf("Error validating folder %#v", f.Name), "", http.StatusBadRequest, err, "")
+			return
+		}
+		dump.Folders = append(dump.Folders, f)
+	}
+
+	if len(dump.Folders) == 0 {
+		renderMessagePage(w, r, "No folders to export", "No valid folders found, export is not possible", http.StatusBadRequest, nil, "")
+		return
+	}
+
+	w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=\"sftpgo-%v-folders-from-template.json\"", len(dump.Folders)))
+	render.JSON(w, r, dump)
+}
+
+func handleWebTemplateUserGet(w http.ResponseWriter, r *http.Request) {
+	if r.URL.Query().Get("from") != "" {
+		username := r.URL.Query().Get("from")
+		user, err := dataprovider.UserExists(username)
+		if err == nil {
+			user.SetEmptySecrets()
+			renderUserPage(w, r, &user, userPageModeTemplate, "")
+		} else if _, ok := err.(*dataprovider.RecordNotFoundError); ok {
+			renderNotFoundPage(w, r, err)
+		} else {
+			renderInternalServerErrorPage(w, r, err)
+		}
+	} else {
+		user := dataprovider.User{Status: 1}
+		renderUserPage(w, r, &user, userPageModeTemplate, "")
+	}
+}
+
+func handleWebTemplateUserPost(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+	templateUser, err := getUserFromPostFields(r)
+	if err != nil {
+		renderMessagePage(w, r, "Error parsing user fields", "", http.StatusBadRequest, err, "")
+		return
+	}
+	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
+		renderForbiddenPage(w, r, err.Error())
+		return
+	}
+
+	var dump dataprovider.BackupData
+	dump.Version = dataprovider.DumpVersion
+
+	userTmplFields := getUsersForTemplate(r)
+	for _, tmpl := range userTmplFields {
+		u := getUserFromTemplate(templateUser, tmpl)
+		if err := dataprovider.ValidateUser(&u); err != nil {
+			renderMessagePage(w, r, fmt.Sprintf("Error validating user %#v", u.Username), "", http.StatusBadRequest, err, "")
+			return
+		}
+		dump.Users = append(dump.Users, u)
+		for _, folder := range u.VirtualFolders {
+			if !dump.HasFolder(folder.Name) {
+				dump.Folders = append(dump.Folders, folder.BaseVirtualFolder)
+			}
+		}
+	}
+
+	if len(dump.Users) == 0 {
+		renderMessagePage(w, r, "No users to export", "No valid users found, export is not possible", http.StatusBadRequest, nil, "")
+		return
+	}
+
+	w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=\"sftpgo-%v-users-from-template.json\"", len(dump.Users)))
+	render.JSON(w, r, dump)
+}
+
+func handleWebAddUserGet(w http.ResponseWriter, r *http.Request) {
+	if r.URL.Query().Get("clone-from") != "" {
+		username := r.URL.Query().Get("clone-from")
+		user, err := dataprovider.UserExists(username)
+		if err == nil {
+			user.ID = 0
+			user.Username = ""
+			user.Password = ""
+			user.SetEmptySecrets()
+			renderUserPage(w, r, &user, userPageModeAdd, "")
+		} else if _, ok := err.(*dataprovider.RecordNotFoundError); ok {
+			renderNotFoundPage(w, r, err)
+		} else {
+			renderInternalServerErrorPage(w, r, err)
+		}
+	} else {
+		user := dataprovider.User{Status: 1}
+		renderUserPage(w, r, &user, userPageModeAdd, "")
+	}
+}
+
+func handleWebUpdateUserGet(w http.ResponseWriter, r *http.Request) {
+	username := getURLParam(r, "username")
+	user, err := dataprovider.UserExists(username)
+	if err == nil {
+		renderUserPage(w, r, &user, userPageModeUpdate, "")
+	} else if _, ok := err.(*dataprovider.RecordNotFoundError); ok {
+		renderNotFoundPage(w, r, err)
+	} else {
+		renderInternalServerErrorPage(w, r, err)
+	}
+}
+
+func handleWebAddUserPost(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+	user, err := getUserFromPostFields(r)
+	if err != nil {
+		renderUserPage(w, r, &user, userPageModeAdd, err.Error())
+		return
+	}
+	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
+		renderForbiddenPage(w, r, err.Error())
+		return
+	}
+	err = dataprovider.AddUser(&user)
+	if err == nil {
+		http.Redirect(w, r, webUsersPath, http.StatusSeeOther)
+	} else {
+		renderUserPage(w, r, &user, userPageModeAdd, err.Error())
+	}
+}
+
+func handleWebUpdateUserPost(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+	username := getURLParam(r, "username")
+	user, err := dataprovider.UserExists(username)
+	if _, ok := err.(*dataprovider.RecordNotFoundError); ok {
+		renderNotFoundPage(w, r, err)
+		return
+	} else if err != nil {
+		renderInternalServerErrorPage(w, r, err)
+		return
+	}
+	updatedUser, err := getUserFromPostFields(r)
+	if err != nil {
+		renderUserPage(w, r, &user, userPageModeUpdate, err.Error())
+		return
+	}
+	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
+		renderForbiddenPage(w, r, err.Error())
+		return
+	}
+	updatedUser.ID = user.ID
+	updatedUser.Username = user.Username
+	updatedUser.SetEmptySecretsIfNil()
+	if updatedUser.Password == redactedSecret {
+		updatedUser.Password = user.Password
+	}
+	updateEncryptedSecrets(&updatedUser.FsConfig, user.FsConfig.S3Config.AccessSecret, user.FsConfig.AzBlobConfig.AccountKey,
+		user.FsConfig.GCSConfig.Credentials, user.FsConfig.CryptConfig.Passphrase, user.FsConfig.SFTPConfig.Password,
+		user.FsConfig.SFTPConfig.PrivateKey)
+
+	err = dataprovider.UpdateUser(&updatedUser)
+	if err == nil {
+		if len(r.Form.Get("disconnect")) > 0 {
+			disconnectUser(user.Username)
+		}
+		http.Redirect(w, r, webUsersPath, http.StatusSeeOther)
+	} else {
+		renderUserPage(w, r, &user, userPageModeUpdate, err.Error())
+	}
+}
+
+func handleWebGetStatus(w http.ResponseWriter, r *http.Request) {
+	data := statusPage{
+		basePage: getBasePageData(pageStatusTitle, webStatusPath, r),
+		Status:   getServicesStatus(),
+	}
+	renderAdminTemplate(w, templateStatus, data)
+}
+
+func handleWebGetConnections(w http.ResponseWriter, r *http.Request) {
+	connectionStats := common.Connections.GetStats()
+	data := connectionsPage{
+		basePage:    getBasePageData(pageConnectionsTitle, webConnectionsPath, r),
+		Connections: connectionStats,
+	}
+	renderAdminTemplate(w, templateConnections, data)
+}
+
+func handleWebAddFolderGet(w http.ResponseWriter, r *http.Request) {
+	renderFolderPage(w, r, vfs.BaseVirtualFolder{}, folderPageModeAdd, "")
+}
+
+func handleWebAddFolderPost(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+	folder := vfs.BaseVirtualFolder{}
+	err := r.ParseMultipartForm(maxRequestSize)
+	if err != nil {
+		renderFolderPage(w, r, folder, folderPageModeAdd, err.Error())
+		return
+	}
+	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
+		renderForbiddenPage(w, r, err.Error())
+		return
+	}
+	folder.MappedPath = r.Form.Get("mapped_path")
+	folder.Name = r.Form.Get("name")
+	folder.Description = r.Form.Get("description")
+	fsConfig, err := getFsConfigFromPostFields(r)
+	if err != nil {
+		renderFolderPage(w, r, folder, folderPageModeAdd, err.Error())
+		return
+	}
+	folder.FsConfig = fsConfig
+
+	err = dataprovider.AddFolder(&folder)
+	if err == nil {
+		http.Redirect(w, r, webFoldersPath, http.StatusSeeOther)
+	} else {
+		renderFolderPage(w, r, folder, folderPageModeAdd, err.Error())
+	}
+}
+
+func handleWebUpdateFolderGet(w http.ResponseWriter, r *http.Request) {
+	name := getURLParam(r, "name")
+	folder, err := dataprovider.GetFolderByName(name)
+	if err == nil {
+		renderFolderPage(w, r, folder, folderPageModeUpdate, "")
+	} else if _, ok := err.(*dataprovider.RecordNotFoundError); ok {
+		renderNotFoundPage(w, r, err)
+	} else {
+		renderInternalServerErrorPage(w, r, err)
+	}
+}
+
+func handleWebUpdateFolderPost(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+	name := getURLParam(r, "name")
+	folder, err := dataprovider.GetFolderByName(name)
+	if _, ok := err.(*dataprovider.RecordNotFoundError); ok {
+		renderNotFoundPage(w, r, err)
+		return
+	} else if err != nil {
+		renderInternalServerErrorPage(w, r, err)
+		return
+	}
+
+	err = r.ParseMultipartForm(maxRequestSize)
+	if err != nil {
+		renderFolderPage(w, r, folder, folderPageModeUpdate, err.Error())
+		return
+	}
+	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
+		renderForbiddenPage(w, r, err.Error())
+		return
+	}
+	fsConfig, err := getFsConfigFromPostFields(r)
+	if err != nil {
+		renderFolderPage(w, r, folder, folderPageModeUpdate, err.Error())
+		return
+	}
+	updatedFolder := &vfs.BaseVirtualFolder{
+		MappedPath:  r.Form.Get("mapped_path"),
+		Description: r.Form.Get("description"),
+	}
+	updatedFolder.ID = folder.ID
+	updatedFolder.Name = folder.Name
+	updatedFolder.FsConfig = fsConfig
+	updatedFolder.FsConfig.SetEmptySecretsIfNil()
+	updateEncryptedSecrets(&updatedFolder.FsConfig, folder.FsConfig.S3Config.AccessSecret, folder.FsConfig.AzBlobConfig.AccountKey,
+		folder.FsConfig.GCSConfig.Credentials, folder.FsConfig.CryptConfig.Passphrase, folder.FsConfig.SFTPConfig.Password,
+		folder.FsConfig.SFTPConfig.PrivateKey)
+
+	err = dataprovider.UpdateFolder(updatedFolder, folder.Users)
+	if err != nil {
+		renderFolderPage(w, r, folder, folderPageModeUpdate, err.Error())
+		return
+	}
+	http.Redirect(w, r, webFoldersPath, http.StatusSeeOther)
+}
+
+func handleWebGetFolders(w http.ResponseWriter, r *http.Request) {
+	limit := defaultQueryLimit
+	if _, ok := r.URL.Query()["qlimit"]; ok {
+		var err error
+		limit, err = strconv.Atoi(r.URL.Query().Get("qlimit"))
+		if err != nil {
+			limit = defaultQueryLimit
+		}
+	}
+	folders := make([]vfs.BaseVirtualFolder, 0, limit)
+	for {
+		f, err := dataprovider.GetFolders(limit, len(folders), dataprovider.OrderASC)
+		if err != nil {
+			renderInternalServerErrorPage(w, r, err)
+			return
+		}
+		folders = append(folders, f...)
+		if len(f) < limit {
+			break
+		}
+	}
+
+	data := foldersPage{
+		basePage: getBasePageData(pageFoldersTitle, webFoldersPath, r),
+		Folders:  folders,
+	}
+	renderAdminTemplate(w, templateFolders, data)
+}

httpd/webclient.go

@@ -0,0 +1,656 @@
+package httpd
+
+import (
+	"errors"
+	"fmt"
+	"html/template"
+	"io"
+	"mime"
+	"net/http"
+	"net/url"
+	"os"
+	"path"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/rs/xid"
+
+	"github.com/drakkan/sftpgo/common"
+	"github.com/drakkan/sftpgo/dataprovider"
+	"github.com/drakkan/sftpgo/logger"
+	"github.com/drakkan/sftpgo/metrics"
+	"github.com/drakkan/sftpgo/utils"
+	"github.com/drakkan/sftpgo/version"
+	"github.com/drakkan/sftpgo/vfs"
+)
+
+const (
+	templateClientDir          = "webclient"
+	templateClientBase         = "base.html"
+	templateClientLogin        = "login.html"
+	templateClientFiles        = "files.html"
+	templateClientMessage      = "message.html"
+	templateClientCredentials  = "credentials.html"
+	pageClientFilesTitle       = "My Files"
+	pageClientCredentialsTitle = "Credentials"
+)
+
+// condResult is the result of an HTTP request precondition check.
+// See https://tools.ietf.org/html/rfc7232 section 3.
+type condResult int
+
+const (
+	condNone condResult = iota
+	condTrue
+	condFalse
+)
+
+var (
+	clientTemplates = make(map[string]*template.Template)
+	unixEpochTime   = time.Unix(0, 0)
+)
+
+// isZeroTime reports whether t is obviously unspecified (either zero or Unix()=0).
+func isZeroTime(t time.Time) bool {
+	return t.IsZero() || t.Equal(unixEpochTime)
+}
+
+type baseClientPage struct {
+	Title            string
+	CurrentURL       string
+	FilesURL         string
+	CredentialsURL   string
+	StaticURL        string
+	LogoutURL        string
+	FilesTitle       string
+	CredentialsTitle string
+	Version          string
+	CSRFToken        string
+	LoggedUser       *dataprovider.User
+}
+
+type dirMapping struct {
+	DirName string
+	Href    string
+}
+
+type filesPage struct {
+	baseClientPage
+	CurrentDir   string
+	Files        []os.FileInfo
+	Error        string
+	Paths        []dirMapping
+	FormatTime   func(time.Time) string
+	GetObjectURL func(string, string) string
+	GetSize      func(int64) string
+	IsLink       func(os.FileInfo) bool
+}
+
+type clientMessagePage struct {
+	baseClientPage
+	Error   string
+	Success string
+}
+
+type credentialsPage struct {
+	baseClientPage
+	PublicKeys    []string
+	ChangePwdURL  string
+	ManageKeysURL string
+	PwdError      string
+	KeyError      string
+}
+
+func getFileObjectURL(baseDir, name string) string {
+	return fmt.Sprintf("%v?path=%v", webClientFilesPath, url.QueryEscape(path.Join(baseDir, name)))
+}
+
+func getFileObjectModTime(t time.Time) string {
+	if isZeroTime(t) {
+		return ""
+	}
+	return t.Format("2006-01-02 15:04")
+}
+
+func isFileObjectLink(info os.FileInfo) bool {
+	return info.Mode()&os.ModeSymlink != 0
+}
+
+func loadClientTemplates(templatesPath string) {
+	filesPaths := []string{
+		filepath.Join(templatesPath, templateClientDir, templateClientBase),
+		filepath.Join(templatesPath, templateClientDir, templateClientFiles),
+	}
+	credentialsPaths := []string{
+		filepath.Join(templatesPath, templateClientDir, templateClientBase),
+		filepath.Join(templatesPath, templateClientDir, templateClientCredentials),
+	}
+	loginPath := []string{
+		filepath.Join(templatesPath, templateClientDir, templateClientLogin),
+	}
+	messagePath := []string{
+		filepath.Join(templatesPath, templateClientDir, templateClientBase),
+		filepath.Join(templatesPath, templateClientDir, templateClientMessage),
+	}
+
+	filesTmpl := utils.LoadTemplate(template.ParseFiles(filesPaths...))
+	credentialsTmpl := utils.LoadTemplate(template.ParseFiles(credentialsPaths...))
+	loginTmpl := utils.LoadTemplate(template.ParseFiles(loginPath...))
+	messageTmpl := utils.LoadTemplate(template.ParseFiles(messagePath...))
+
+	clientTemplates[templateClientFiles] = filesTmpl
+	clientTemplates[templateClientCredentials] = credentialsTmpl
+	clientTemplates[templateClientLogin] = loginTmpl
+	clientTemplates[templateClientMessage] = messageTmpl
+}
+
+func getBaseClientPageData(title, currentURL string, r *http.Request) baseClientPage {
+	var csrfToken string
+	if currentURL != "" {
+		csrfToken = createCSRFToken()
+	}
+	v := version.Get()
+
+	return baseClientPage{
+		Title:            title,
+		CurrentURL:       currentURL,
+		FilesURL:         webClientFilesPath,
+		CredentialsURL:   webClientCredentialsPath,
+		StaticURL:        webStaticFilesPath,
+		LogoutURL:        webClientLogoutPath,
+		FilesTitle:       pageClientFilesTitle,
+		CredentialsTitle: pageClientCredentialsTitle,
+		Version:          fmt.Sprintf("%v-%v", v.Version, v.CommitHash),
+		CSRFToken:        csrfToken,
+		LoggedUser:       getUserFromToken(r),
+	}
+}
+
+func renderClientTemplate(w http.ResponseWriter, tmplName string, data interface{}) {
+	err := clientTemplates[tmplName].ExecuteTemplate(w, tmplName, data)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+	}
+}
+
+func renderClientLoginPage(w http.ResponseWriter, error string) {
+	data := loginPage{
+		CurrentURL: webClientLoginPath,
+		Version:    version.Get().Version,
+		Error:      error,
+		CSRFToken:  createCSRFToken(),
+		StaticURL:  webStaticFilesPath,
+	}
+	renderClientTemplate(w, templateClientLogin, data)
+}
+
+func renderClientMessagePage(w http.ResponseWriter, r *http.Request, title, body string, statusCode int, err error, message string) {
+	var errorString string
+	if body != "" {
+		errorString = body + " "
+	}
+	if err != nil {
+		errorString += err.Error()
+	}
+	data := clientMessagePage{
+		baseClientPage: getBaseClientPageData(title, "", r),
+		Error:          errorString,
+		Success:        message,
+	}
+	w.WriteHeader(statusCode)
+	renderClientTemplate(w, templateClientMessage, data)
+}
+
+func renderClientInternalServerErrorPage(w http.ResponseWriter, r *http.Request, err error) {
+	renderClientMessagePage(w, r, page500Title, page500Body, http.StatusInternalServerError, err, "")
+}
+
+func renderClientBadRequestPage(w http.ResponseWriter, r *http.Request, err error) {
+	renderClientMessagePage(w, r, page400Title, "", http.StatusBadRequest, err, "")
+}
+
+func renderClientForbiddenPage(w http.ResponseWriter, r *http.Request, body string) {
+	renderClientMessagePage(w, r, page403Title, "", http.StatusForbidden, nil, body)
+}
+
+func renderClientNotFoundPage(w http.ResponseWriter, r *http.Request, err error) {
+	renderClientMessagePage(w, r, page404Title, page404Body, http.StatusNotFound, err, "")
+}
+
+func renderFilesPage(w http.ResponseWriter, r *http.Request, files []os.FileInfo, dirName, error string) {
+	data := filesPage{
+		baseClientPage: getBaseClientPageData(pageClientFilesTitle, webClientFilesPath, r),
+		Files:          files,
+		Error:          error,
+		CurrentDir:     dirName,
+		FormatTime:     getFileObjectModTime,
+		GetObjectURL:   getFileObjectURL,
+		GetSize:        utils.ByteCountIEC,
+		IsLink:         isFileObjectLink,
+	}
+	paths := []dirMapping{}
+	if dirName != "/" {
+		paths = append(paths, dirMapping{
+			DirName: path.Base(dirName),
+			Href:    "",
+		})
+		for {
+			dirName = path.Dir(dirName)
+			if dirName == "/" || dirName == "." {
+				break
+			}
+			paths = append([]dirMapping{{
+				DirName: path.Base(dirName),
+				Href:    getFileObjectURL("/", dirName)},
+			}, paths...)
+		}
+	}
+	data.Paths = paths
+	renderClientTemplate(w, templateClientFiles, data)
+}
+
+func renderCredentialsPage(w http.ResponseWriter, r *http.Request, pwdError string, keyError string) {
+	data := credentialsPage{
+		baseClientPage: getBaseClientPageData(pageClientCredentialsTitle, webClientCredentialsPath, r),
+		ChangePwdURL:   webChangeClientPwdPath,
+		ManageKeysURL:  webChangeClientKeysPath,
+		PwdError:       pwdError,
+		KeyError:       keyError,
+	}
+	user, err := dataprovider.UserExists(data.LoggedUser.Username)
+	if err != nil {
+		renderClientInternalServerErrorPage(w, r, err)
+	}
+	data.PublicKeys = user.PublicKeys
+	renderClientTemplate(w, templateClientCredentials, data)
+}
+
+func handleClientWebLogin(w http.ResponseWriter, r *http.Request) {
+	renderClientLoginPage(w, "")
+}
+
+func handleWebClientLogout(w http.ResponseWriter, r *http.Request) {
+	c := jwtTokenClaims{}
+	c.removeCookie(w, r)
+
+	http.Redirect(w, r, webClientLoginPath, http.StatusFound)
+}
+
+func handleClientGetFiles(w http.ResponseWriter, r *http.Request) {
+	common.Connections.AddNetworkConnection()
+	defer common.Connections.RemoveNetworkConnection()
+
+	claims, err := getTokenClaims(r)
+	if err != nil || claims.Username == "" {
+		renderClientForbiddenPage(w, r, "Invalid token claims")
+		return
+	}
+	if !common.Connections.IsNewConnectionAllowed() {
+		logger.Log(logger.LevelDebug, common.ProtocolHTTP, "", "connection refused, configured limit reached")
+		renderClientForbiddenPage(w, r, "configured connections limit reached")
+		return
+	}
+	ipAddr := utils.GetIPFromRemoteAddress(r.RemoteAddr)
+	if common.IsBanned(ipAddr) {
+		renderClientForbiddenPage(w, r, "your IP address is banned")
+		return
+	}
+
+	user, err := dataprovider.UserExists(claims.Username)
+	if err != nil {
+		renderClientInternalServerErrorPage(w, r, err)
+		return
+	}
+
+	connID := xid.New().String()
+	connectionID := fmt.Sprintf("%v_%v", common.ProtocolHTTP, connID)
+	if err := checkWebClientUser(&user, r, connectionID); err != nil {
+		renderClientForbiddenPage(w, r, err.Error())
+		return
+	}
+	connection := &Connection{
+		BaseConnection: common.NewBaseConnection(connID, common.ProtocolHTTP, user),
+		request:        r,
+	}
+	common.Connections.Add(connection)
+	defer common.Connections.Remove(connection.GetID())
+
+	name := "/"
+	if _, ok := r.URL.Query()["path"]; ok {
+		name = utils.CleanPath(r.URL.Query().Get("path"))
+	}
+	var info os.FileInfo
+	if name == "/" {
+		info = vfs.NewFileInfo(name, true, 0, time.Now(), false)
+	} else {
+		info, err = connection.Stat(name, 0)
+	}
+	if err != nil {
+		renderFilesPage(w, r, nil, name, fmt.Sprintf("unable to stat file %#v: %v", name, err))
+		return
+	}
+	if info.IsDir() {
+		renderDirContents(w, r, connection, name)
+		return
+	}
+	downloadFile(w, r, connection, name, info)
+}
+
+func handleClientGetCredentials(w http.ResponseWriter, r *http.Request) {
+	renderCredentialsPage(w, r, "", "")
+}
+
+func handleWebClientChangePwdPost(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+	err := r.ParseForm()
+	if err != nil {
+		renderCredentialsPage(w, r, err.Error(), "")
+		return
+	}
+	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
+		renderClientForbiddenPage(w, r, err.Error())
+		return
+	}
+	err = doChangeUserPassword(r, r.Form.Get("current_password"), r.Form.Get("new_password1"),
+		r.Form.Get("new_password2"))
+	if err != nil {
+		renderCredentialsPage(w, r, err.Error(), "")
+		return
+	}
+	handleWebClientLogout(w, r)
+}
+
+func handleWebClientManageKeysPost(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+	err := r.ParseForm()
+	if err != nil {
+		renderCredentialsPage(w, r, "", err.Error())
+		return
+	}
+	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
+		renderClientForbiddenPage(w, r, err.Error())
+		return
+	}
+	claims, err := getTokenClaims(r)
+	if err != nil || claims.Username == "" {
+		renderCredentialsPage(w, r, "", "Invalid token claims")
+		return
+	}
+	user, err := dataprovider.UserExists(claims.Username)
+	if err != nil {
+		renderCredentialsPage(w, r, "", err.Error())
+		return
+	}
+	publicKeysFormValue := r.Form.Get("public_keys")
+	publicKeys := getSliceFromDelimitedValues(publicKeysFormValue, "\n")
+	user.PublicKeys = publicKeys
+	err = dataprovider.UpdateUser(&user)
+	if err != nil {
+		renderCredentialsPage(w, r, "", err.Error())
+		return
+	}
+	renderClientMessagePage(w, r, "Public keys updated", "", http.StatusOK, nil, "Your public keys has been successfully updated")
+}
+
+func doChangeUserPassword(r *http.Request, currentPassword, newPassword, confirmNewPassword string) error {
+	if currentPassword == "" || newPassword == "" || confirmNewPassword == "" {
+		return dataprovider.NewValidationError("please provide the current password and the new one two times")
+	}
+	if newPassword != confirmNewPassword {
+		return dataprovider.NewValidationError("the two password fields do not match")
+	}
+	if currentPassword == newPassword {
+		return dataprovider.NewValidationError("the new password must be different from the current one")
+	}
+	claims, err := getTokenClaims(r)
+	if err != nil || claims.Username == "" {
+		return errors.New("invalid token claims")
+	}
+	user, err := dataprovider.CheckUserAndPass(claims.Username, currentPassword, utils.GetIPFromRemoteAddress(r.RemoteAddr),
+		common.ProtocolHTTP)
+	if err != nil {
+		return dataprovider.NewValidationError("current password does not match")
+	}
+	user.Password = newPassword
+
+	return dataprovider.UpdateUser(&user)
+}
+
+func renderDirContents(w http.ResponseWriter, r *http.Request, connection *Connection, name string) {
+	contents, err := connection.ReadDir(name)
+	if err != nil {
+		renderFilesPage(w, r, nil, name, fmt.Sprintf("unable to get contents for directory %#v: %v", name, err))
+		return
+	}
+	renderFilesPage(w, r, contents, name, "")
+}
+
+func downloadFile(w http.ResponseWriter, r *http.Request, connection *Connection, name string, info os.FileInfo) {
+	var err error
+	rangeHeader := r.Header.Get("Range")
+	if rangeHeader != "" && checkIfRange(r, info.ModTime()) == condFalse {
+		rangeHeader = ""
+	}
+	offset := int64(0)
+	size := info.Size()
+	responseStatus := http.StatusOK
+	if strings.HasPrefix(rangeHeader, "bytes=") {
+		if strings.Contains(rangeHeader, ",") {
+			http.Error(w, fmt.Sprintf("unsupported range %#v", rangeHeader), http.StatusRequestedRangeNotSatisfiable)
+			return
+		}
+		offset, size, err = parseRangeRequest(rangeHeader[6:], size)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusRequestedRangeNotSatisfiable)
+			return
+		}
+		responseStatus = http.StatusPartialContent
+	}
+	reader, err := connection.getFileReader(name, offset)
+	if err != nil {
+		renderFilesPage(w, r, nil, name, fmt.Sprintf("unable to read file %#v: %v", name, err))
+		return
+	}
+	defer reader.Close()
+
+	w.Header().Set("Last-Modified", info.ModTime().UTC().Format(http.TimeFormat))
+	if checkPreconditions(w, r, info.ModTime()) {
+		return
+	}
+	ctype := mime.TypeByExtension(path.Ext(name))
+	if ctype == "" {
+		ctype = "application/octet-stream"
+	}
+	if responseStatus == http.StatusPartialContent {
+		w.Header().Set("Content-Range", fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, info.Size()))
+	}
+	w.Header().Set("Content-Length", strconv.FormatInt(size, 10))
+	w.Header().Set("Content-Type", ctype)
+	w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%#v", path.Base(name)))
+	w.Header().Set("Accept-Ranges", "bytes")
+	w.WriteHeader(responseStatus)
+	if r.Method != http.MethodHead {
+		io.CopyN(w, reader, size) //nolint:errcheck
+	}
+}
+
+func checkPreconditions(w http.ResponseWriter, r *http.Request, modtime time.Time) bool {
+	if checkIfUnmodifiedSince(r, modtime) == condFalse {
+		w.WriteHeader(http.StatusPreconditionFailed)
+		return true
+	}
+	if checkIfModifiedSince(r, modtime) == condFalse {
+		w.WriteHeader(http.StatusNotModified)
+		return true
+	}
+	return false
+}
+
+func checkIfUnmodifiedSince(r *http.Request, modtime time.Time) condResult {
+	ius := r.Header.Get("If-Unmodified-Since")
+	if ius == "" || isZeroTime(modtime) {
+		return condNone
+	}
+	t, err := http.ParseTime(ius)
+	if err != nil {
+		return condNone
+	}
+
+	// The Last-Modified header truncates sub-second precision so
+	// the modtime needs to be truncated too.
+	modtime = modtime.Truncate(time.Second)
+	if modtime.Before(t) || modtime.Equal(t) {
+		return condTrue
+	}
+	return condFalse
+}
+
+func checkIfModifiedSince(r *http.Request, modtime time.Time) condResult {
+	if r.Method != http.MethodGet && r.Method != http.MethodHead {
+		return condNone
+	}
+	ims := r.Header.Get("If-Modified-Since")
+	if ims == "" || isZeroTime(modtime) {
+		return condNone
+	}
+	t, err := http.ParseTime(ims)
+	if err != nil {
+		return condNone
+	}
+	// The Last-Modified header truncates sub-second precision so
+	// the modtime needs to be truncated too.
+	modtime = modtime.Truncate(time.Second)
+	if modtime.Before(t) || modtime.Equal(t) {
+		return condFalse
+	}
+	return condTrue
+}
+
+func checkIfRange(r *http.Request, modtime time.Time) condResult {
+	if r.Method != http.MethodGet && r.Method != http.MethodHead {
+		return condNone
+	}
+	ir := r.Header.Get("If-Range")
+	if ir == "" {
+		return condNone
+	}
+	if modtime.IsZero() {
+		return condFalse
+	}
+	t, err := http.ParseTime(ir)
+	if err != nil {
+		return condFalse
+	}
+	if modtime.Add(60 * time.Second).Before(t) {
+		return condTrue
+	}
+	return condFalse
+}
+
+func parseRangeRequest(bytesRange string, size int64) (int64, int64, error) {
+	var start, end int64
+	var err error
+
+	values := strings.Split(bytesRange, "-")
+	if values[0] == "" {
+		start = -1
+	} else {
+		start, err = strconv.ParseInt(values[0], 10, 64)
+		if err != nil {
+			return start, size, err
+		}
+	}
+	if len(values) >= 2 {
+		if values[1] != "" {
+			end, err = strconv.ParseInt(values[1], 10, 64)
+			if err != nil {
+				return start, size, err
+			}
+			if end >= size {
+				end = size - 1
+			}
+		}
+	}
+	if start == -1 && end == 0 {
+		return 0, 0, fmt.Errorf("unsupported range %#v", bytesRange)
+	}
+
+	if end > 0 {
+		if start == -1 {
+			// we have something like -500
+			start = size - end
+			size = end
+			// this can't happen, we did end = size -1 above
+			/*if start < 0 {
+				return 0, 0, fmt.Errorf("unacceptable range %#v", bytesRange)
+			}*/
+		} else {
+			// we have something like 500-600
+			size = end - start + 1
+			if size < 0 {
+				return 0, 0, fmt.Errorf("unacceptable range %#v", bytesRange)
+			}
+		}
+		return start, size, nil
+	}
+	/*if start == -1 {
+		return 0, 0, fmt.Errorf("unacceptable range %#v", bytesRange)
+	}*/
+	// we have something like 500-
+	size -= start
+	if size < 0 {
+		return 0, 0, fmt.Errorf("unacceptable range %#v", bytesRange)
+	}
+	return start, size, err
+}
+
+func updateLoginMetrics(user *dataprovider.User, ip string, err error) {
+	metrics.AddLoginAttempt(dataprovider.LoginMethodPassword)
+	if err != nil {
+		logger.ConnectionFailedLog(user.Username, ip, dataprovider.LoginMethodPassword, common.ProtocolHTTP, err.Error())
+		event := common.HostEventLoginFailed
+		if _, ok := err.(*dataprovider.RecordNotFoundError); ok {
+			event = common.HostEventUserNotFound
+		}
+		common.AddDefenderEvent(ip, event)
+	}
+	metrics.AddLoginResult(dataprovider.LoginMethodPassword, err)
+	dataprovider.ExecutePostLoginHook(user, dataprovider.LoginMethodPassword, ip, common.ProtocolHTTP, err)
+}
+
+func checkWebClientUser(user *dataprovider.User, r *http.Request, connectionID string) error {
+	if utils.IsStringInSlice(common.ProtocolHTTP, user.Filters.DeniedProtocols) {
+		logger.Debug(logSender, connectionID, "cannot login user %#v, protocol HTTP is not allowed", user.Username)
+		return fmt.Errorf("protocol HTTP is not allowed for user %#v", user.Username)
+	}
+	if !user.IsLoginMethodAllowed(dataprovider.LoginMethodPassword, nil) {
+		logger.Debug(logSender, connectionID, "cannot login user %#v, password login method is not allowed", user.Username)
+		return fmt.Errorf("login method password is not allowed for user %#v", user.Username)
+	}
+	if user.MaxSessions > 0 {
+		activeSessions := common.Connections.GetActiveSessions(user.Username)
+		if activeSessions >= user.MaxSessions {
+			logger.Debug(logSender, connectionID, "authentication refused for user: %#v, too many open sessions: %v/%v", user.Username,
+				activeSessions, user.MaxSessions)
+			return fmt.Errorf("too many open sessions: %v", activeSessions)
+		}
+	}
+	if !user.IsLoginFromAddrAllowed(r.RemoteAddr) {
+		logger.Debug(logSender, connectionID, "cannot login user %#v, remote address is not allowed: %v", user.Username, r.RemoteAddr)
+		return fmt.Errorf("login for user %#v is not allowed from this address: %v", user.Username, r.RemoteAddr)
+	}
+	if connAddr, ok := r.Context().Value(connAddrKey).(string); ok {
+		if connAddr != r.RemoteAddr {
+			connIPAddr := utils.GetIPFromRemoteAddress(connAddr)
+			if common.IsBanned(connIPAddr) {
+				return errors.New("your IP address is banned")
+			}
+			if !user.IsLoginFromAddrAllowed(connIPAddr) {
+				return fmt.Errorf("login from IP %v is not allowed", connIPAddr)
+			}
+		}
+	}
+	return nil
+}

httpdtest/httpdtest.go

@@ -1168,6 +1168,11 @@ func compareUserFilterSubStructs(expected *dataprovider.User, actual *dataprovid
 			return errors.New("denied protocols contents mismatch")
 		}
 	}
+	for _, options := range expected.Filters.WebClient {
+		if !utils.IsStringInSlice(options, actual.Filters.WebClient) {
+			return errors.New("web client options contents mismatch")
+		}
+	}
 	if expected.Filters.Hooks.ExternalAuthDisabled != actual.Filters.Hooks.ExternalAuthDisabled {
 		return errors.New("external_auth_disabled hook mismatch")
 	}
@@ -1202,6 +1207,9 @@ func compareUserFilters(expected *dataprovider.User, actual *dataprovider.User)
 	if expected.Filters.TLSUsername != actual.Filters.TLSUsername {
 		return errors.New("TLSUsername mismatch")
 	}
+	if len(expected.Filters.WebClient) != len(actual.Filters.WebClient) {
+		return errors.New("WebClient filter mismatch")
+	}
 	if err := compareUserFilterSubStructs(expected, actual); err != nil {
 		return err
 	}

pkgs/build.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-NFPM_VERSION=2.5.0
+NFPM_VERSION=2.5.1
 NFPM_ARCH=${NFPM_ARCH:-amd64}
 if [ -z ${SFTPGO_VERSION} ]
 then

sftpgo.json

@@ -181,6 +181,7 @@
         "port": 8080,
         "address": "127.0.0.1",
         "enable_web_admin": true,
+        "enable_web_client": true,
         "enable_https": false,
         "client_auth_type": 0,
         "tls_cipher_suites": []
@@ -189,7 +190,7 @@
     "templates_path": "templates",
     "static_files_path": "static",
     "backups_path": "backups",
-    "web_admin_root": "",
+    "web_root": "",
     "certificate_file": "",
     "certificate_key_file": "",
     "ca_certificates": [],

templates/admins.html → templates/webadmin/admins.html

@@ -26,7 +26,7 @@
     </div>
     <div class="card-body">
         <div class="table-responsive">
-            <table class="table table-striped table-bordered nowrap" id="dataTable" width="100%" cellspacing="0">
+            <table class="table table-hover nowrap" id="dataTable" width="100%" cellspacing="0">
                 <thead>
                     <tr>
                         <th>ID</th>
@@ -161,7 +161,10 @@
         };
 
         var table = $('#dataTable').DataTable({
-            "select": true,
+            "select": {
+                "style": "single",
+                "blurable": true
+            },
             "stateSave": true,
             "stateDuration": 3600,
             "buttons": [],
@@ -177,7 +180,7 @@
                 }
             ],
             "scrollX": false,
-            "scrollY": "50vh",
+            "scrollY": false,
             "responsive": true,
             "order": [[1, 'asc']]
         });

templates/connections.html → templates/webadmin/connections.html

@@ -21,7 +21,7 @@
     </div>
     <div class="card-body">
         <div class="table-responsive">
-            <table class="table table-striped table-bordered nowrap" id="dataTable" width="100%" cellspacing="0">
+            <table class="table table-hover nowrap" id="dataTable" width="100%" cellspacing="0">
                 <thead>
                     <tr>
                         <th>ID</th>
@@ -133,8 +133,12 @@
         };
 
         var table = $('#dataTable').DataTable({
-            "select": "true",
+            "select": {
+                "style": "single",
+                "blurable": true
+            },
             "buttons": [],
+            "lengthChange": false,
             "columnDefs": [
                 {
                     "targets": [0],
@@ -156,13 +160,13 @@
         {{if .LoggedAdmin.HasPermission "close_conns"}}
         table.button().add(0,'disconnect');
 
-        table.buttons().container().appendTo('#dataTable_wrapper .col-md-6:eq(0)');
-
         table.on('select deselect', function () {
             var selectedRows = table.rows({ selected: true }).count();
             table.button('disconnect:name').enable(selectedRows == 1);
         });
         {{end}}
+        table.button().add(0,'pageLength');
+        table.buttons().container().appendTo('#dataTable_wrapper .col-md-6:eq(0)');
 
     });
 </script>

templates/folders.html → templates/webadmin/folders.html

@@ -26,7 +26,7 @@
     </div>
     <div class="card-body">
         <div class="table-responsive">
-            <table class="table table-striped table-bordered nowrap" id="dataTable" width="100%" cellspacing="0">
+            <table class="table table-hover nowrap" id="dataTable" width="100%" cellspacing="0">
                 <thead>
                     <tr>
                         <th>Name</th>
@@ -220,7 +220,10 @@ function deleteAction() {
         };
 
         var table = $('#dataTable').DataTable({
-            "select": true,
+            "select": {
+                "style": "single",
+                "blurable": true
+            },
             "stateSave": true,
             "stateDuration": 3600,
             "buttons": [],

templates/user.html → templates/webadmin/user.html

@@ -176,6 +176,18 @@
                 </div>
             </div>
 
+            <div class="form-group row">
+                <label for="idWebClient" class="col-sm-2 col-form-label">Web client</label>
+                <div class="col-sm-10">
+                    <select class="form-control" id="idWebClient" name="web_client_options" multiple>
+                        {{range $option := .WebClientOptions}}
+                        <option value="{{$option}}" {{range $p :=$.User.Filters.WebClient }}{{if eq $p $option}}selected{{end}}{{end}}>{{$option}}
+                        </option>
+                        {{end}}
+                    </select>
+                </div>
+            </div>
+
             <div class="form-group row">
                 <label for="idHomeDir" class="col-sm-2 col-form-label">Home Dir</label>
                 <div class="col-sm-10">

templates/users.html → templates/webadmin/users.html

@@ -26,7 +26,7 @@
     </div>
     <div class="card-body">
         <div class="table-responsive">
-            <table class="table table-striped table-bordered nowrap" id="dataTable" width="100%" cellspacing="0">
+            <table class="table table-hover nowrap" id="dataTable" width="100%" cellspacing="0">
                 <thead>
                     <tr>
                         <th>ID</th>
@@ -240,7 +240,10 @@
         };
 
         var table = $('#dataTable').DataTable({
-            "select": true,
+            "select": {
+                "style": "single",
+                "blurable": true
+            },
             "stateSave": true,
             "stateDuration": 3600,
             "buttons": [],

templates/webclient/base.html

@@ -0,0 +1,217 @@
+{{define "base"}}
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+
+    <meta charset="utf-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
+    <meta name="description" content="">
+    <meta name="author" content="">
+
+    <title>SFTPGo WebClient - {{template "title" .}}</title>
+
+    <link rel="shortcut icon" href="{{.StaticURL}}/favicon.ico" />
+
+    <!-- Custom fonts for this template-->
+    <link href="{{.StaticURL}}/vendor/fontawesome-free/css/fontawesome.min.css" rel="stylesheet" type="text/css">
+    <link href="{{.StaticURL}}/vendor/fontawesome-free/css/solid.min.css" rel="stylesheet" type="text/css">
+
+    <!-- Custom styles for this template-->
+    <link href="{{.StaticURL}}/css/sb-admin-2.min.css" rel="stylesheet">
+    <style>
+        @font-face {
+            font-family: 'Roboto';
+            src: url('{{.StaticURL}}/vendor/fonts/Roboto-Bold-webfont.woff');
+            font-weight: 700;
+            font-style: normal;
+        }
+
+        @font-face {
+            font-family: 'Roboto';
+            src: url('{{.StaticURL}}/vendor/fonts/Roboto-Regular-webfont.woff');
+            font-weight: 400;
+            font-style: normal;
+        }
+
+        @font-face {
+            font-family: 'Roboto';
+            src: url('{{.StaticURL}}/vendor/fonts/Roboto-Light-webfont.woff');
+            font-weight: 300;
+            font-style: normal;
+        }
+
+        div.dt-buttons {
+            margin-bottom: 1em;
+        }
+
+        .text-form-error {
+            color: var(--red) !important;
+        }
+    </style>
+    {{block "extra_css" .}}{{end}}
+
+</head>
+
+<body id="page-top">
+
+    <!-- Page Wrapper -->
+    <div id="wrapper">
+
+        {{if .LoggedUser.Username}}
+        <!-- Sidebar -->
+        <ul class="navbar-nav bg-gradient-primary sidebar sidebar-dark accordion" id="accordionSidebar">
+
+            <!-- Sidebar - Brand -->
+            <div class="sidebar-brand d-flex align-items-center justify-content-center">
+                <div style="text-transform: none;">SFTPGo WebClient</div>
+            </div>
+
+            <!-- Divider -->
+            <hr class="sidebar-divider my-0">
+
+            <li class="nav-item {{if eq .CurrentURL .FilesURL}}active{{end}}">
+                <a class="nav-link" href="{{.FilesURL}}">
+                    <i class="fas fa-folder-open"></i>
+                    <span>{{.FilesTitle}}</span>
+                </a>
+            </li>
+
+            <li class="nav-item {{if eq .CurrentURL .CredentialsURL}}active{{end}}">
+                <a class="nav-link" href="{{.CredentialsURL}}">
+                    <i class="fas fa-key"></i>
+                    <span>{{.CredentialsTitle}}</span></a>
+            </li>
+
+            <!-- Divider -->
+            <hr class="sidebar-divider d-none d-md-block">
+
+            <!-- Sidebar Toggler (Sidebar) -->
+            <div class="text-center d-none d-md-inline">
+                <button class="rounded-circle border-0" id="sidebarToggle"></button>
+            </div>
+
+        </ul>
+        <!-- End of Sidebar -->
+        {{end}}
+
+        <!-- Content Wrapper -->
+        <div id="content-wrapper" class="d-flex flex-column">
+
+            <!-- Main Content -->
+            <div id="content">
+
+                {{if .LoggedUser.Username}}
+                <!-- Topbar -->
+                <nav class="navbar navbar-expand navbar-light bg-white topbar mb-4 static-top shadow">
+
+                    <button id="sidebarToggleTop" class="btn btn-link d-md-none rounded-circle mr-3">
+                        <i class="fa fa-bars"></i>
+                    </button>
+
+                    <!-- Topbar Navbar -->
+                    <ul class="navbar-nav ml-auto">
+
+                        <!-- Nav Item - User Information -->
+                        <li class="nav-item dropdown no-arrow">
+                            <a class="nav-link dropdown-toggle" href="#" id="userDropdown" role="button" data-toggle="dropdown"
+                                aria-haspopup="true" aria-expanded="false">
+                                <span class="mr-2 d-none d-lg-inline text-gray-600 small">{{.LoggedUser.Username}}</span>
+                                <i class="fas fa-user fa-fw"></i>
+                            </a>
+                            <!-- Dropdown - User Information -->
+                            <div class="dropdown-menu dropdown-menu-right shadow animated--grow-in" aria-labelledby="userDropdown">
+                                <a class="dropdown-item" href="#" data-toggle="modal" data-target="#logoutModal">
+                                    <i class="fas fa-sign-out-alt fa-sm fa-fw mr-2 text-gray-400"></i>
+                                    Logout
+                                </a>
+                            </div>
+                        </li>
+
+                    </ul>
+
+                </nav>
+                <!-- End of Topbar -->
+                {{end}}
+
+                <!-- Begin Page Content -->
+                <div class="container-fluid">
+
+                    {{template "page_body" .}}
+
+                </div>
+                <!-- /.container-fluid -->
+
+            </div>
+            <!-- End of Main Content -->
+            {{if .LoggedUser.Username}}
+            <!-- Footer -->
+            <footer class="sticky-footer bg-white">
+                <div class="container my-auto">
+                    <div class="copyright text-center my-auto">
+                        <span>SFTPGo {{.Version}}</span>
+                    </div>
+                </div>
+            </footer>
+            <!-- End of Footer -->
+            {{end}}
+
+        </div>
+        <!-- End of Content Wrapper -->
+
+    </div>
+    <!-- End of Page Wrapper -->
+
+    <!-- Scroll to Top Button-->
+    <a class="scroll-to-top rounded" href="#page-top">
+        <i class="fas fa-angle-up"></i>
+    </a>
+
+    <!-- Logout Modal-->
+    <div class="modal fade" id="logoutModal" tabindex="-1" role="dialog" aria-labelledby="modalLabel"
+        aria-hidden="true">
+        <div class="modal-dialog" role="document">
+            <div class="modal-content">
+                <div class="modal-header">
+                    <h5 class="modal-title" id="modalLabel">Ready to Leave?</h5>
+                    <button class="close" type="button" data-dismiss="modal" aria-label="Close">
+                        <span aria-hidden="true">×</span>
+                    </button>
+                </div>
+                <div class="modal-body">Select "Logout" below if you are ready to end your current session.</div>
+                <div class="modal-footer">
+                    <button class="btn btn-secondary" type="button" data-dismiss="modal">Cancel</button>
+                    <a class="btn btn-primary" href="{{.LogoutURL}}">Logout</a>
+                </div>
+            </div>
+        </div>
+    </div>
+
+    {{block "dialog" .}}{{end}}
+
+    <!-- Bootstrap core JavaScript-->
+    <script src="{{.StaticURL}}/vendor/jquery/jquery.min.js"></script>
+    <script src="{{.StaticURL}}/vendor/bootstrap/js/bootstrap.bundle.min.js"></script>
+
+    <!-- Core plugin JavaScript-->
+    <script src="{{.StaticURL}}/vendor/jquery-easing/jquery.easing.min.js"></script>
+
+    <!-- Custom scripts for all pages-->
+    <script src="{{.StaticURL}}/js/sb-admin-2.min.js"></script>
+
+    <script type="text/javascript">
+        function fixedEncodeURIComponent(str) {
+            return encodeURIComponent(str).replace(/[!'()*]/g, function (c) {
+                return '%' + c.charCodeAt(0).toString(16);
+            });
+        }
+    </script>
+
+    <!-- Page level plugins -->
+    {{block "extra_js" .}}{{end}}
+
+</body>
+
+</html>
+{{end}}

templates/webclient/credentials.html

@@ -0,0 +1,74 @@
+{{template "base" .}}
+
+{{define "title"}}{{.Title}}{{end}}
+
+{{define "page_body"}}
+
+<div class="card shadow mb-4">
+    <div class="card-header py-3">
+        <h6 class="m-0 font-weight-bold text-primary">Change password</h6>
+    </div>
+    <div class="card-body">
+        {{if .PwdError}}
+        <div class="card mb-4 border-left-warning">
+            <div class="card-body text-form-error">{{.PwdError}}</div>
+        </div>
+        {{end}}
+        <form id="user_form" action="{{.ChangePwdURL}}" method="POST" autocomplete="off">
+            <div class="form-group row">
+                <label for="idCurrentPassword" class="col-sm-2 col-form-label">Current password</label>
+                <div class="col-sm-10">
+                    <input type="password" class="form-control" id="idCurrentPassword" name="current_password" required>
+                </div>
+            </div>
+
+            <div class="form-group row">
+                <label for="idNewPassword1" class="col-sm-2 col-form-label">New password</label>
+                <div class="col-sm-10">
+                    <input type="password" class="form-control" id="idNewPassword1" name="new_password1" required>
+                </div>
+            </div>
+
+            <div class="form-group row">
+                <label for="idNewPassword2" class="col-sm-2 col-form-label">Confirm password</label>
+                <div class="col-sm-10">
+                    <input type="password" class="form-control" id="idNewPassword2" name="new_password2" required>
+                </div>
+            </div>
+
+            <input type="hidden" name="_form_token" value="{{.CSRFToken}}">
+            <button type="submit" class="btn btn-primary float-right mt-3 px-5 px-3">Change my password</button>
+        </form>
+    </div>
+</div>
+{{if .LoggedUser.CanManahePublicKeys}}
+<div class="card shadow mb-4">
+    <div class="card-header py-3">
+        <h6 class="m-0 font-weight-bold text-primary">Manage public keys</h6>
+    </div>
+    <div class="card-body">
+        {{if .KeyError}}
+        <div class="card mb-4 border-left-warning">
+            <div class="card-body text-form-error">{{.KeyError}}</div>
+        </div>
+        {{end}}
+        <form id="key_form" action="{{.ManageKeysURL}}" method="POST">
+
+            <div class="form-group row">
+                <label for="idPublicKeys" class="col-sm-2 col-form-label">Keys</label>
+                <div class="col-sm-10">
+                    <textarea class="form-control" id="idPublicKeys" name="public_keys" rows="3"
+                        aria-describedby="pkHelpBlock">{{range .PublicKeys}}{{.}}&#10;{{end}}</textarea>
+                    <small id="pkHelpBlock" class="form-text text-muted">
+                        One public key per line
+                    </small>
+                </div>
+            </div>
+
+            <input type="hidden" name="_form_token" value="{{.CSRFToken}}">
+            <button type="submit" class="btn btn-primary float-right mt-3 px-5 px-3">Submit</button>
+        </form>
+    </div>
+</div>
+{{end}}
+{{end}}

templates/webclient/files.html

@@ -0,0 +1,125 @@
+{{template "base" .}}
+
+{{define "title"}}{{.Title}}{{end}}
+
+{{define "extra_css"}}
+<link href="{{.StaticURL}}/vendor/datatables/dataTables.bootstrap4.min.css" rel="stylesheet">
+<link href="{{.StaticURL}}/vendor/datatables/buttons.bootstrap4.min.css" rel="stylesheet">
+<link href="{{.StaticURL}}/vendor/datatables/fixedHeader.bootstrap4.min.css" rel="stylesheet">
+<link href="{{.StaticURL}}/vendor/datatables/responsive.bootstrap4.min.css" rel="stylesheet">
+<link href="{{.StaticURL}}/vendor/datatables/select.bootstrap4.min.css" rel="stylesheet">
+{{end}}
+
+{{define "page_body"}}
+
+<div class="card shadow mb-4">
+    <div class="card-header py-3">
+        <h6 class="m-0 font-weight-bold"><a href="{{.FilesURL}}?path=%2F"><i class="fas fa-home"></i>&nbsp;Home</a>&nbsp;{{range .Paths}}{{if eq .Href ""}}/{{.DirName}}{{else}}<a href="{{.Href}}">/{{.DirName}}</a>{{end}}{{end}}</h6>
+    </div>
+    <div class="card-body">
+        {{if .Error}}
+        <div class="card mb-4 border-left-warning">
+            <div class="card-body text-form-error">{{.Error}}</div>
+        </div>
+        {{end}}
+        <div class="table-responsive">
+            <table class="table table-hover nowrap" id="dataTable" width="100%" cellspacing="0">
+                <thead>
+                    <tr>
+                        <th>Type</th>
+                        <th>Name</th>
+                        <th>Size</th>
+                        <th>Last modified</th>
+                    </tr>
+                </thead>
+                <tbody>
+                    {{range .Files}}
+                    {{if .IsDir}}
+                    <tr>
+                        <td>1</td>
+                        <td><i class="fas fa-folder"></i>&nbsp;<a href="{{call $.GetObjectURL $.CurrentDir .Name}}">{{.Name}}</a></td>
+                        <td></td>
+                        <td>{{call $.FormatTime .ModTime}}</td>
+                    {{else}}
+                    <tr>
+                        <td>2</td>
+                        <td><i class="{{if call $.IsLink .}}fas fa-external-link-alt{{else}}fas fa-file{{end}}"></i>&nbsp;<a href="{{call $.GetObjectURL $.CurrentDir .Name}}">{{.Name}}</a></td>
+                        <td>{{if not (call $.IsLink .)}}{{call $.GetSize .Size}}{{end}}</td>
+                        <td>{{call $.FormatTime .ModTime}}</td>
+                    </tr>
+                    {{end}}
+                    {{end}}
+                </tbody>
+            </table>
+        </div>
+    </div>
+</div>
+{{end}}
+
+{{define "extra_js"}}
+<script src="{{.StaticURL}}/vendor/datatables/jquery.dataTables.min.js"></script>
+<script src="{{.StaticURL}}/vendor/datatables/dataTables.bootstrap4.min.js"></script>
+<script src="{{.StaticURL}}/vendor/datatables/dataTables.buttons.min.js"></script>
+<script src="{{.StaticURL}}/vendor/datatables/buttons.bootstrap4.min.js"></script>
+<script src="{{.StaticURL}}/vendor/datatables/dataTables.fixedHeader.min.js"></script>
+<script src="{{.StaticURL}}/vendor/datatables/dataTables.responsive.min.js"></script>
+<script src="{{.StaticURL}}/vendor/datatables/responsive.bootstrap4.min.js"></script>
+<script src="{{.StaticURL}}/vendor/datatables/dataTables.select.min.js"></script>
+<script type="text/javascript">
+    $(document).ready(function () {
+        $.fn.dataTable.ext.buttons.refresh = {
+            text: '<i class="fas fa-sync-alt"></i>',
+            name: 'refresh',
+            titleAttr: "Refresh",
+            action: function (e, dt, node, config) {
+                location.reload();
+            }
+        };
+
+        var table = $('#dataTable').DataTable({
+            "buttons": [],
+            "lengthChange": false,
+            "columnDefs": [
+                {
+                    "targets": [0],
+                    "visible": false,
+                    "searchable": false
+                },
+                {
+                    "targets": [2,3],
+                    "searchable": false
+                }
+            ],
+            "scrollX": false,
+            "scrollY": false,
+            "responsive": true,
+            "language": {
+                "emptyTable": "You have no files or folders"
+            },
+            /*"select": {
+                "style":    'single',
+                "blurable": true
+            },*/
+            "orderFixed": [ 0, 'asc' ],
+            "order": [[1, 'asc']]
+        });
+
+        new $.fn.dataTable.FixedHeader( table );
+
+        table.button().add(0,'refresh');
+        table.button().add(0,'pageLength');
+        table.buttons().container().appendTo('#dataTable_wrapper .col-md-6:eq(0)');
+
+        /*table.on('select', function (e, dt, type, indexes) {
+            if (type === 'row') {
+                var rows = table.rows(indexes).nodes().to$();
+                $.each(rows, function() {
+                    if ($(this).hasClass('ignoreselection')) table.row($(this)).deselect();
+                })
+            }
+        });*/
+
+    });
+</script>
+
+{{end}}

templates/webclient/login.html

@@ -0,0 +1,134 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+
+    <meta charset="utf-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
+    <meta name="description" content="">
+    <meta name="author" content="">
+
+    <title>SFTPGo - Login</title>
+
+    <link rel="shortcut icon" href="{{.StaticURL}}/favicon.ico" />
+
+    <!-- Custom styles for this template-->
+    <link href="{{.StaticURL}}/css/sb-admin-2.min.css" rel="stylesheet">
+    <style>
+        @font-face {
+            font-family: 'Roboto';
+            src: url('{{.StaticURL}}/vendor/fonts/Roboto-Bold-webfont.woff');
+            font-weight: 700;
+            font-style: normal;
+        }
+
+        @font-face {
+            font-family: 'Roboto';
+            src: url('{{.StaticURL}}/vendor/fonts/Roboto-Regular-webfont.woff');
+            font-weight: 400;
+            font-style: normal;
+        }
+
+        @font-face {
+            font-family: 'Roboto';
+            src: url('{{.StaticURL}}/vendor/fonts/Roboto-Light-webfont.woff');
+            font-weight: 300;
+            font-style: normal;
+        }
+
+        div.dt-buttons {
+            margin-bottom: 1em;
+        }
+
+        .text-form-error {
+            color: var(--red) !important;
+        }
+
+        div.dt-buttons {
+            margin-bottom: 1em;
+        }
+
+        .text-form-error {
+            color: var(--red) !important;
+        }
+
+        form.user-custom .custom-checkbox.small label {
+            line-height: 1.5rem;
+        }
+
+        form.user-custom .form-control-user-custom {
+            font-size: 0.9rem;
+            border-radius: 10rem;
+            padding: 1.5rem 1rem;
+        }
+
+        form.user-custom .btn-user-custom {
+            font-size: 0.9rem;
+            border-radius: 10rem;
+            padding: 0.75rem 1rem;
+        }
+    </style>
+
+</head>
+
+<body class="bg-gradient-primary">
+
+    <div class="container">
+
+        <!-- Outer Row -->
+        <div class="row justify-content-center">
+
+            <div class="col-xl-6 col-lg-7 col-md-9">
+
+                <div class="card o-hidden border-0 shadow-lg my-5">
+                    <div class="card-body p-0">
+                        <!-- Nested Row within Card Body -->
+                        <div class="row">
+                            <div class="col-lg-12">
+                                <div class="p-5">
+                                    <div class="text-center">
+                                        <h1 class="h4 text-gray-900 mb-4">SFTPGo WebClient - {{.Version}}</h1>
+                                    </div>
+                                    {{if .Error}}
+                                    <div class="card mb-4 border-left-warning">
+                                        <div class="card-body text-form-error">{{.Error}}</div>
+                                    </div>
+                                    {{end}}
+                                    <form id="login_form" action="{{.CurrentURL}}" method="POST" autocomplete="off"
+                                        class="user-custom">
+                                        <div class="form-group">
+                                            <input type="text" class="form-control form-control-user-custom"
+                                                id="inputUsername" name="username" placeholder="Username">
+                                        </div>
+                                        <div class="form-group">
+                                            <input type="password" class="form-control form-control-user-custom"
+                                                id="inputPassword" name="password" placeholder="Password">
+                                        </div>
+                                        <input type="hidden" name="_form_token" value="{{.CSRFToken}}">
+                                        <button type="submit" class="btn btn-primary btn-user-custom btn-block">
+                                            Login
+                                        </button>
+                                    </form>
+                                </div>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+            </div>
+        </div>
+    </div>
+
+    <!-- Bootstrap core JavaScript-->
+    <script src="{{.StaticURL}}/vendor/jquery/jquery.min.js"></script>
+    <script src="{{.StaticURL}}/vendor/bootstrap/js/bootstrap.bundle.min.js"></script>
+
+    <!-- Core plugin JavaScript-->
+    <script src="{{.StaticURL}}/vendor/jquery-easing/jquery.easing.min.js"></script>
+
+    <!-- Custom scripts for all pages-->
+    <script src="{{.StaticURL}}/js/sb-admin-2.min.js"></script>
+
+</body>
+
+</html>

templates/webclient/message.html

@@ -0,0 +1,59 @@
+{{template "base" .}}
+
+{{define "title"}}{{.Title}}{{end}}
+
+{{define "page_body"}}
+
+{{if .LoggedUser.Username}}
+<div class="card shadow mb-4">
+    <div class="card-header py-3">
+        <h6 class="m-0 font-weight-bold text-primary">{{.Title}}</h6>
+    </div>
+    <div class="card-body">
+        {{if .Error}}
+        <div class="card mb-2 border-left-warning">
+            <div class="card-body text-form-error">{{.Error}}</div>
+        </div>
+        {{end}}
+
+        {{if .Success}}
+        <div class="card mb-2 border-left-success">
+            <div class="card-body">{{.Success}}</div>
+        </div>
+        {{end}}
+    </div>
+</div>
+{{else}}
+<div class="row justify-content-center">
+
+    <div class="col-xl-8 col-lg-9 col-md-9">
+
+        <div class="card o-hidden border-0 shadow-lg my-5">
+            <div class="card-body p-0">
+                <div class="row justify-content-center">
+                    <div class="col-lg-9">
+                        <div class="p-5">
+                            <div class="text-center">
+                                <h1 class="h4 text-gray-900 mb-4">{{.Title}}</h1>
+                            </div>
+                            {{if .Error}}
+                            <div class="card mb-4 border-left-warning">
+                                <div class="card-body text-form-error">{{.Error}}</div>
+                            </div>
+                            {{end}}
+
+                            {{if .Success}}
+                            <div class="card mb-4 border-left-success">
+                                <div class="card-body">{{.Success}}</div>
+                            </div>
+                            {{end}}
+                        </div>
+                    </div>
+                </div>
+            </div>
+        </div>
+    </div>
+</div>
+{{end}}
+
+{{end}}

utils/utils.go

@@ -40,8 +40,8 @@ const (
 
 // IsStringInSlice searches a string in a slice and returns true if the string is found
 func IsStringInSlice(obj string, list []string) bool {
-	for _, v := range list {
-		if v == obj {
+	for i := 0; i < len(list); i++ {
+		if list[i] == obj {
 			return true
 		}
 	}
@@ -51,8 +51,8 @@ func IsStringInSlice(obj string, list []string) bool {
 // IsStringPrefixInSlice searches a string prefix in a slice and returns true
 // if a matching prefix is found
 func IsStringPrefixInSlice(obj string, list []string) bool {
-	for _, v := range list {
-		if strings.HasPrefix(obj, v) {
+	for i := 0; i < len(list); i++ {
+		if strings.HasPrefix(obj, list[i]) {
 			return true
 		}
 	}

vfs/cryptfs.go

@@ -96,6 +96,7 @@ func (fs *CryptFs) Open(name string, offset int64) (File, *pipeat.PipeReaderAt,
 				finished := false
 				for !finished {
 					readed, err = readerAt.ReadAt(buf, offset)
+					offset += int64(readed)
 					if err != nil && err != io.EOF {
 						break
 					}

vfs/osfs.go

@@ -64,6 +64,16 @@ func (fs *OsFs) Lstat(name string) (os.FileInfo, error) {
 // Open opens the named file for reading
 func (*OsFs) Open(name string, offset int64) (File, *pipeat.PipeReaderAt, func(), error) {
 	f, err := os.Open(name)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	if offset > 0 {
+		_, err = f.Seek(offset, io.SeekStart)
+		if err != nil {
+			f.Close()
+			return nil, nil, nil, err
+		}
+	}
 	return f, nil, nil, err
 }
 

webdavd/file.go

@@ -323,6 +323,7 @@ func (f *webDavFile) closeIO() error {
 func (f *webDavFile) setFinished() error {
 	f.Lock()
 	defer f.Unlock()
+
 	if f.isFinished {
 		return common.ErrTransferClosed
 	}

webdavd/server.go

@@ -151,7 +151,7 @@ func (s *webDavServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	defer common.Connections.RemoveNetworkConnection()
 
 	if !common.Connections.IsNewConnectionAllowed() {
-		logger.Log(logger.LevelDebug, common.ProtocolFTP, "", "connection refused, configured limit reached")
+		logger.Log(logger.LevelDebug, common.ProtocolWebDAV, "", "connection refused, configured limit reached")
 		http.Error(w, common.ErrConnectionDenied.Error(), http.StatusServiceUnavailable)
 		return
 	}
@@ -281,7 +281,7 @@ func (s *webDavServer) authenticate(r *http.Request, ip string) (dataprovider.Us
 	if err != nil {
 		user.Username = username
 		updateLoginMetrics(&user, ip, loginMethod, err)
-		return user, false, nil, loginMethod, err
+		return user, false, nil, loginMethod, dataprovider.ErrInvalidCredentials
 	}
 	lockSystem := webdav.NewMemLS()
 	cachedUser = &dataprovider.CachedUser{

webdavd/webdavd_test.go

@@ -1979,7 +1979,7 @@ func TestWrongClientCertificate(t *testing.T) {
 		body, err := io.ReadAll(resp.Body)
 		assert.NoError(t, err)
 		assert.Equal(t, http.StatusUnauthorized, resp.StatusCode, string(body))
-		assert.Contains(t, string(body), "CN \"client1\" does not match username \"client2\"")
+		assert.Contains(t, string(body), "invalid credentials")
 	}
 
 	_, err = httpdtest.RemoveUser(user, http.StatusOK)

windows-installer/sftpgo.iss

@@ -53,7 +53,8 @@ Name: "{commonappdata}\{#MyAppName}\backups"; Permissions: everyone-full
 Name: "{commonappdata}\{#MyAppName}\credentials"; Permissions: everyone-full
 
 [Icons]
-Name: "{group}\Web Admin"; Filename: "http://127.0.0.1:8080/web";
+Name: "{group}\Web Admin"; Filename: "http://127.0.0.1:8080/web/admin";
+Name: "{group}\Web Client"; Filename: "http://127.0.0.1:8080/web/client";
 Name: "{group}\Service Control";  WorkingDir: "{app}"; Filename: "powershell.exe"; Parameters: "-Command ""Start-Process cmd \""/k cd {app} & {#MyAppExeName} service --help\"" -Verb RunAs"; Comment: "Manage SFTPGo Service"
 Name: "{group}\Documentation"; Filename: "{#DocURL}";
 Name: "{group}\{cm:UninstallProgram,{#MyAppName}}"; Filename: "{uninstallexe}"