add filestash for file browsing of syncthing files

Author: Loosetooth

.gitignore

@@ -7,4 +7,4 @@ users
 .env.*
 .env
 
-filestash
+/filestash

README.md

@@ -49,6 +49,13 @@ This project provides a simple web interface and backend for managing multiple S
     PORT=3001 npm start
     ```
 
+- `NEXT_PUBLIC_ENABLE_FILE_STASH` (optional):
+  - Set this to `true` to enable the File Stash integration, allowing users to upload and manage files through the web interface.
+  - Defaults to `true` if not set.
+
+- `FILESTASH_CONTAINER_TAG` (optional):
+  - Set this to specify the tag/version of the File Stash container image used (default: `latest`).
+  - The container used is [`machines/filestash`](https://hub.docker.com/r/machines/filestash).
 
 ## Usage
 

app/filestash/[[...path]]/route.tsx

@@ -0,0 +1,9 @@
+import { handleFilestashProxy } from "@/lib/handleFilestashProxy";
+
+export const GET = handleFilestashProxy;
+export const POST = handleFilestashProxy;
+export const PUT = handleFilestashProxy;
+export const PATCH = handleFilestashProxy;
+export const DELETE = handleFilestashProxy;
+export const OPTIONS = handleFilestashProxy;
+export const HEAD = handleFilestashProxy;

app/lib/awaitFileExists.ts

@@ -0,0 +1,17 @@
+import fs from 'fs';
+
+/**
+ * Waits for a file to exist, retrying with increasing timeouts.
+ * @param filePath The path to the file to check.
+ * @param waitTimesMs Array of wait times in milliseconds for each retry (default: [5000, 10000, 15000]).
+ * @throws If the file does not exist after all retries.
+ */
+export async function waitForFileExists(filePath: string, waitTimesMs: number[] = [5000, 10000, 15000]): Promise<void> {
+  const waitTimes = [...waitTimesMs];
+  while (!fs.existsSync(filePath)) {
+    if (waitTimes.length === 0) {
+      throw new Error(`File does not exist after multiple attempts: ${filePath}`);
+    }
+    await new Promise(resolve => setTimeout(resolve, waitTimes.shift()));
+  }
+}

app/lib/constants.shared.ts

@@ -0,0 +1,7 @@
+// Enable File Stash by default unless explicitly disabled
+export const enableFileStash =
+  process.env.NEXT_PUBLIC_ENABLE_FILE_STASH === 'true'
+    ? true
+    : process.env.NEXT_PUBLIC_ENABLE_FILE_STASH === 'false'
+      ? false
+      : true;

app/lib/constants.ts

@@ -1,2 +1,3 @@
 
-export const syncthingContainerTag = process.env.SYNCTHING_CONTAINER_TAG || '2.0.1';
+export const syncthingContainerTag = process.env.SYNCTHING_CONTAINER_TAG || '2.0.3';
+export const fileStashContainerTag = process.env.FILESTASH_CONTAINER_TAG || 'latest';

app/lib/filestash/crypto.test.ts

@@ -0,0 +1,98 @@
+import { bufferToBase64url, base64urlToBuffer } from './crypto';
+import { describe, it, expect } from 'vitest';
+import { encryptFilestashConfig, decryptFilestashConfig, generateFilestashSecretKey } from './crypto';
+
+const secretKey = 'vIbdVeu77i1dtX2l';
+const encrypted = '6HoBc1zE4iysloguKSWk5op6kAj-j_N7loY4KfvDIltZXW6JyqVxWjvnOX3mWYGyhYIVZHe-4lOWYHLrvoPIx5nQlMQ=';
+const decryptedValue = '{"strategy":"password_only"}';
+
+describe('Filestash crypto helpers', () => {
+  it('decrypts a known value', () => {
+    const decrypted = decryptFilestashConfig(secretKey, encrypted);
+    expect(decrypted).toBe(decryptedValue);
+  });
+
+  it('encrypts and decrypts round-trip', () => {
+    const reEncrypted = encryptFilestashConfig(secretKey, decryptedValue);
+    const roundTrip = decryptFilestashConfig(secretKey, reEncrypted);
+    expect(roundTrip).toBe(decryptedValue);
+  });
+
+  it('generates a valid secret key', () => {
+    const key = generateFilestashSecretKey();
+    expect(key).toMatch(/^[a-zA-Z0-9]{16}$/);
+  });
+
+  it('encrypts to a different value each time', () => {
+    const enc1 = encryptFilestashConfig(secretKey, decryptedValue);
+    const enc2 = encryptFilestashConfig(secretKey, decryptedValue);
+    expect(enc1).not.toBe(enc2);
+    // Both should decrypt to the same value
+    expect(decryptFilestashConfig(secretKey, enc1)).toBe(decryptedValue);
+    expect(decryptFilestashConfig(secretKey, enc2)).toBe(decryptedValue);
+  });
+
+  it('produces values compatible with another filestash config', () => {
+    // Test with actual values from the config.json file  
+    const actualSecretKey = 'vIbdVeu77i1dtX2l';
+    const actualEncryptedParams = '6HoBc1zE4iysloguKSWk5op6kAj-j_N7loY4KfvDIltZXW6JyqVxWjvnOX3mWYGyhYIVZHe-4lOWYHLrvoPIx5nQlMQ=';
+    const expectedDecrypted = '{"strategy":"password_only"}';
+    
+    // First verify we can decrypt the actual filestash value
+    const decrypted = decryptFilestashConfig(actualSecretKey, actualEncryptedParams);
+    expect(decrypted).toBe(expectedDecrypted);
+    
+    // Now encrypt the same value and verify it decrypts correctly
+    const ourEncrypted = encryptFilestashConfig(actualSecretKey, expectedDecrypted);
+    const roundTrip = decryptFilestashConfig(actualSecretKey, ourEncrypted);
+    expect(roundTrip).toBe(expectedDecrypted);
+  });
+
+  it('encodes and decodes ascii string correctly', () => {
+    const input = 'hello world!';
+    const buf = Buffer.from(input, 'utf-8');
+    const encoded = bufferToBase64url(buf);
+    const decoded = base64urlToBuffer(encoded);
+    expect(decoded.toString('utf-8')).toBe(input);
+  });
+  
+  it('encodes and decodes binary data correctly', () => {
+    const input = Buffer.from([0, 255, 100, 200, 50, 0, 1, 2, 3, 4, 5]);
+    const encoded = bufferToBase64url(input);
+    const decoded = base64urlToBuffer(encoded);
+    expect(decoded.equals(input)).toBe(true);
+  });
+  
+  it('decodes Go base64.URLEncoding output', () => {
+    // This is base64.URLEncoding of 'hello world!'
+    const goEncoded = 'aGVsbG8gd29ybGQh';
+    const decoded = base64urlToBuffer(goEncoded);
+    expect(decoded.toString('utf-8')).toBe('hello world!');
+  });
+  
+  it('handles padding and no padding', () => {
+    const padded = 'aGVsbG8='; // 'hello' with padding
+    const unpadded = 'aGVsbG8'; // 'hello' without padding
+    expect(base64urlToBuffer(padded).toString('utf-8')).toBe('hello');
+    expect(base64urlToBuffer(unpadded).toString('utf-8')).toBe('hello');
+  });
+
+  it('bufferToBase64url output is always padded to a multiple of 4', () => {
+    const inputs = [
+      Buffer.from('hello'),
+      Buffer.from('hello world!'),
+      Buffer.from([0, 1, 2, 3, 4, 5, 6, 7, 8, 9]),
+      Buffer.from('a'.repeat(15)),
+      Buffer.from('a'.repeat(16)),
+      Buffer.from('a'.repeat(17)),
+    ];
+    for (const buf of inputs) {
+      const encoded = bufferToBase64url(buf);
+      expect(encoded.length % 4).toBe(0);
+      // If not empty, should end with 0-2 '='
+      if (encoded.length > 0) {
+        expect(encoded.endsWith('=') || encoded.endsWith('==') || !encoded.includes('=')).toBe(true);
+      }
+    }
+  });
+});

app/lib/filestash/crypto.ts

@@ -0,0 +1,142 @@
+
+import {
+  randomInt,
+  createHash,
+  randomBytes,
+  createCipheriv,
+  createDecipheriv
+} from "crypto";
+import * as zlib from "zlib";
+
+/**
+ * Generates a cryptographically secure random 16-character alphanumeric string (a-zA-Z0-9),
+ * matching Filestash's secret_key requirements.
+ */
+export function generateFilestashSecretKey(): string {
+  const chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
+  let result = '';
+  for (let i = 0; i < 16; i++) {
+    const idx = randomInt(chars.length);
+    result += chars[idx];
+  }
+  return result;
+}
+
+
+// --- Filestash custom Hash function (base62 encoding of SHA256 digest) ---
+const LETTERS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".split("");
+
+export type FilestashDerivedKeys = {
+  proof: string;
+  admin: string;
+  user: string;
+  hash: string;
+  signature: string;
+};
+
+/**
+ * Derives all Filestash key variants from a secret key, matching Go's InitSecretDerivate.
+ */
+export function deriveFilestashKeys(secretKey: string): FilestashDerivedKeys {
+  return {
+    proof: filestashHash("PROOF_" + secretKey, secretKey.length),
+    admin: filestashHash("ADMIN_" + secretKey, secretKey.length),
+    user: filestashHash("USER_" + secretKey, secretKey.length),
+    hash: filestashHash("HASH_" + secretKey, secretKey.length),
+    signature: filestashHash("SGN_" + secretKey, secretKey.length),
+  };
+}
+
+function reversedBaseChange(alphabet: string[], i: number): string {
+  let str = "";
+  do {
+    str += alphabet[i % alphabet.length];
+    i = Math.floor(i / alphabet.length);
+  } while (i > 0);
+  return str;
+}
+
+function hashSize(b: Buffer, n: number): string {
+  let h = "";
+  for (let i = 0; i < b.length; i++) {
+    if (n > 0 && h.length >= n) break;
+    h += reversedBaseChange(LETTERS, b[i]);
+  }
+  if (h.length > n) {
+    return h.slice(0, n);
+  }
+  return h;
+}
+
+function filestashHash(str: string, n: number): string {
+  const hash = createHash("sha256").update(str).digest();
+  return hashSize(hash, n);
+}
+
+function getAesKey(secretKey: string): Buffer {
+  const derivedKeys = deriveFilestashKeys(secretKey);
+  const aesKeyStr = filestashHash(derivedKeys.proof, 16);
+  let key = Buffer.alloc(16);
+  Buffer.from(aesKeyStr, "utf-8").copy(key);
+  return key;
+}
+
+export function base64urlToBuffer(str: string): Buffer {
+  return Buffer.from(str, "base64url");
+}
+
+export function bufferToBase64url(buf: Buffer): string {
+  // Use base64, then replace chars, but keep padding
+  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_");
+}
+
+function compressZlib(data: Buffer): Buffer {
+  return zlib.deflateSync(data);
+}
+
+function decompressZlib(data: Buffer): Buffer {
+  return zlib.inflateSync(data);
+}
+
+function encryptAESGCM(key: Buffer, data: Buffer): Buffer {
+  const nonceSize = 12;
+  const nonce = randomBytes(nonceSize);
+  const cipher = createCipheriv("aes-128-gcm", key, nonce);
+  const enc = Buffer.concat([cipher.update(data), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return Buffer.concat([nonce, enc, tag]);
+}
+
+function decryptAESGCM(key: Buffer, data: Buffer): Buffer {
+  const nonceSize = 12;
+  const nonce = data.subarray(0, nonceSize);
+  const ciphertext = data.subarray(nonceSize);
+  const tag = ciphertext.subarray(ciphertext.length - 16);
+  const enc = ciphertext.subarray(0, ciphertext.length - 16);
+  const decipher = createDecipheriv("aes-128-gcm", key, nonce);
+  (decipher as any).setAuthTag(tag);
+  return Buffer.concat([decipher.update(enc), decipher.final()]);
+}
+
+/**
+ * Encrypts a string using Filestash's config encryption logic.
+ * Returns a base64url-encoded string.
+ */
+export function encryptFilestashConfig(secretKey: string, plaintext: string): string {
+  const key = getAesKey(secretKey);
+  const compressed = compressZlib(Buffer.from(plaintext, "utf-8"));
+  const encrypted = encryptAESGCM(key, compressed);
+  return bufferToBase64url(encrypted);
+}
+
+/**
+ * Decrypts a Filestash config value using the secret key.
+ * Returns the decrypted string.
+ */
+export function decryptFilestashConfig(secretKey: string, encrypted: string): string {
+  const key = getAesKey(secretKey);
+  const encryptedBuf = base64urlToBuffer(encrypted);
+  const decrypted = decryptAESGCM(key, encryptedBuf);
+  const decompressed = decompressZlib(decrypted);
+  return decompressed.toString("utf-8");
+}