fix!: bug where it was possible to send text unauthenticated

These aren't needed anymore because we started embedding `static` and
`templates` directly into the binary, so that makes it easier to:

1. Distribute
2. Setup
3. Run

Dockerfile

@@ -3,7 +3,10 @@ FROM golang:1.23 AS builder
 WORKDIR /app
 
 COPY go.mod go.sum ./
-COPY go.mod ./
+
+# this is needed because we embed these files into the binary
+COPY static/ ./static/
+COPY templates/ ./templates
 
 RUN go mod download
 

README.md

@@ -1,22 +1,45 @@
 # abyss
 
-abyss is a basic (mostly) single user http server made for uploading files (logs, images) and then sharing them to the internet
+abyss is a basic and mostly single user http server written in go made for uploading files (logs, images) and then sharing them to the internet
 
-note: this is a project made for learning purposes, you should use other more mature projects if running in production. probably.
+<figure>
+ <img src="https://github.com/user-attachments/assets/eae42368-d8b5-4c42-ac8a-0e1486fcd0d4" alt="homepage"/>
+ <figcaption>this is abyss' default home page<figcaption/>
+</figure>
 
 ## table of contents
 
+- [features](#features)
 - [running abyss](#running)
   - [installing with docker](#docker)
-  - [installing manually](#manual)
+  - [installing manually](#directly)
 - [uploading files](#uploading)
 - [theming](#theming)
 - [docs](#docs)
 - [todo list](#todo)
+- [more pictures](#pictures)
 
-## running:
+## features
 
-- run `./generate_config.sh` to setup the necessary environment variables
+- **file uploads**: supports uploading various file types, including images, videos, and documents.
+- **flexible media display**: automatically renders uploaded files on a webpage based on their type (images, pdfs, videos, or plain text).
+- **easily customizable interface**: allows for easy modification of color schemes and layout to suit specific design needs.
+- **syntax highlighting for code**: syntax highlighting available by default for code files, with support for multiple programming languages. (can be tweaked/changed and even removed)
+- **security considerations**: as it is single user, it's mostly secure but there are still some edges to sharpen
+- **easy and fast setup**: assets files are baked into the binary, so setting it up is as easy as compiling/grabbing a binary from gh actions and running it!
+
+## running
+
+#### (recommended) setting it up
+
+- clone the repository and cd into it:
+
+  ```bash
+  git clone https://github.com/jabuxas/abyss.git --depth 1 && cd abyss
+  ```
+
+- then run `./generate_config.sh` to setup the necessary environment variables
+- after that, you can use either docker or run it directly
 
 ### docker
 
@@ -28,24 +51,35 @@ docker compose up -d # might be docker-compose depending on distro
 
 - you can optionally use the [docker image](https://git.jabuxas.xyz/jabuxas/-/packages/container/abyss/latest) directly and set it up how you want
 
-### manual
+### directly
 
-- to run it manually, build it with `go build -o abyss` and run:
+- to run it manually, build it with `go build -o abyss` or grab a binary from github actions and run:
 
   ```bash
   ./abyss
   ```
 
+- you will need to either:
+  - create a `.env` file in `$(pwd)` and set up the necessary variables as in [docs](#docs)
+  - run it with the variables prepended: `AUTH_USERNAME=admin AUTH_PASSWORD=admin ./abyss` (example)
+- and then (hopefully) create a service that does that automatically and runs `abyss`
+
 ## uploading
 
 #### with curl
 
-- to upload your files with curl:
+- you can upload both with the main key and with jwt tokens
+
+##### main key
+
+- to upload your files with main key:
 
   ```bash
   curl -F "file=@/path/to/file" -H "X-Auth: "$(cat /path/to/.key) http://localhost:3235/
   ```
 
+- it is also possible to add a `-Fsecret=` to your POST to make filenames bigger and harder to guess.
+
 - you should probably create an `alias` or a `function` to do this automatically for you.
   <details>
   <summary>click for an example for bash/zsh:</summary>
@@ -64,7 +98,7 @@ pst() {
       return 1
     fi
 
-  curl -F "file=@$file" -H "X-Auth: $(cat ~/.key)" https://paste.jabuxas.xyz
+    curl -F "file=@$file" -H "X-Auth: $(cat ~/.key)" http://localhost:3235/
 
     if [[ -p /dev/stdin ]]; then
       rm "$file"
@@ -88,7 +122,7 @@ function pst
           set file "$argv[1]"
       end
 
-    curl -F "file=@$file" -H "X-Auth: $(cat ~/.key)" https://paste.jabuxas.xyz
+      curl -F "file=@$file" -H "X-Auth: $(cat ~/.key)" http://localhost:3235/
 
       if command test -p /dev/stdin
           rm "$file"
@@ -98,6 +132,22 @@ end
 
   </details>
 
+##### with jwt tokens
+
+- you first need to generate them:
+
+  ```bash
+  curl -u admin http://localhost:3235/token # you can also access the url in the browser directly
+  ```
+
+- the user will be the value of `$AUTH_USERNAME` and password the value of `$AUTH_PASSWORD`
+
+- then you use the token in place of the main key:
+
+  ```bash
+  curl -F"file=@/path/to/file.jpg" -H "X-Auth: your-token" http://localhost:3235/
+  ```
+
 #### through the browser
 
 - you can only upload text through the browser, to do so, simply write text in the form in the default webpage and click upload.
@@ -118,15 +168,29 @@ end
 - `UPLOAD_KEY`: this is key checked when uploading files. if the key doesn't match with server's one, then it refuses uploading.
 - `ABYSS_FILEDIR`: this points to the directory where abyss will save the uploads to. defaults to `./files`
 - `ABYSS_PORT`: this is the port the server will run on. safe to leave empty. defaults to 3235
-- `SHOULD_AUTH`: if it is `yes`, then to upload text through the browser you will need authentication (same auth as `/tree`), any value other than that and upload is auth-less
+- `SHOULD_AUTH`: if it is `yes`, then to upload text you will need authentication (same auth as `/tree`), any value other than that and upload is authless
 
 ## todo:
 
 - [x] add upload of logs funcionality (like 0x0.st)
 - [x] add docker easy setup
-- ~~add db for tracking of file names~~ (dont need that)
 - [x] add file browser (like file://)
 - [x] add file extension in its name
 - [x] login prompt when accessing /tree
 - [x] home page
-- [ ] add rate limits
+- [x] custom file displaying!!
+- [x] syntax highlighting
+- [ ] create example services (openrc/systemd)
+- [ ] distribute it in some distros
+
+## pictures
+
+<figure>
+  <img src="https://github.com/user-attachments/assets/32ce9b3a-8c0f-4bb5-bdcf-3a602e0c81e6"/>
+  <figcaption>this is abyss' default directory list<figcaption/>
+</figure>
+
+<figure>
+<img src="https://github.com/user-attachments/assets/e842e481-13ee-464b-be43-5ba0f4bb43ec"/>
+  <figcaption>this is abyss' default file presentation<figcaption/>
+</figure>

abyss.go

@@ -11,7 +11,25 @@ import (
 )
 
 func main() {
-	app := new(Application)
+	err := godotenv.Load()
+	if err != nil {
+		slog.Warn("no .env file detected, getting env from running process")
+	}
+
+	app := &Application{
+		auth: struct {
+			username string
+			password string
+		}{
+			username: os.Getenv("AUTH_USERNAME"),
+			password: os.Getenv("AUTH_PASSWORD"),
+		},
+		url:        os.Getenv("ABYSS_URL"),
+		key:        os.Getenv("UPLOAD_KEY"),
+		filesDir:   os.Getenv("ABYSS_FILEDIR"),
+		port:       os.Getenv("ABYSS_PORT"),
+		authUpload: os.Getenv("SHOULD_AUTH"),
+	}
 
 	parseEnv(app)
 
@@ -35,20 +53,6 @@ func main() {
 }
 
 func parseEnv(app *Application) {
-	err := godotenv.Load()
-	if err != nil {
-		slog.Warn("no .env file detected, getting env from running process")
-	}
-
-	app.auth.username = os.Getenv("AUTH_USERNAME")
-	app.auth.password = os.Getenv("AUTH_PASSWORD")
-	app.url = os.Getenv("ABYSS_URL")
-	app.key = os.Getenv("UPLOAD_KEY")
-	app.filesDir = os.Getenv("ABYSS_FILEDIR")
-	app.port = os.Getenv("ABYSS_PORT")
-
-	app.authText = os.Getenv("SHOULD_AUTH")
-
 	if app.auth.username == "" {
 		log.Fatal("basic auth username must be provided")
 	}
@@ -87,17 +91,13 @@ func setupHandlers(mux *http.ServeMux, app *Application) {
 		"/tree/",
 		http.StripPrefix(
 			"/tree",
-			app.basicAuth(app.fileListingHandler),
+			BasicAuth(app.fileListingHandler, app),
 		),
 	)
 
 	mux.HandleFunc("/last", app.lastUploadedHandler)
 
-	if app.authText == "yes" {
+	mux.HandleFunc("/token", BasicAuth(app.createTokenHandler, app))
-		mux.HandleFunc("/upload", app.basicAuth(app.uploadHandler))
+
-		slog.Warn("text uploading through the browser will be restricted")
+	mux.HandleFunc("/files/", app.fileHandler)
-	} else {
-		mux.HandleFunc("/upload", app.uploadHandler)
-		slog.Warn("text uploading through the browser will NOT be restricted")
-	}
 }

docker-compose.yml

@@ -5,8 +5,8 @@ services:
       - "3235:3235"
     volumes:
       - ./files:/files
-      - ./dev/home:/static:ro
+      # - ./dev/home:/static:ro
-      - ./dev/templates:/templates:ro
+      # - ./dev/templates:/templates:ro
     env_file:
       - .env
     tmpfs:

file_display.go

@@ -0,0 +1,75 @@
+package main
+
+import (
+	"embed"
+	"html/template"
+	"log/slog"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+var extensions = map[string]string{
+	".mp4": "video", ".mkv": "video", ".webm": "video",
+
+	".pdf": "pdf",
+
+	".png": "image", ".jpg": "image", ".jpeg": "image", ".webp": "image",
+
+	".mp3": "audio", ".aac": "audio", ".wav": "audio", ".flac": "audio", ".ogg": "audio",
+
+	".sh": "text", ".bash": "text", ".zsh": "text",
+	".bat": "text", ".cmd": "text", ".ps1": "text",
+	".ini": "text", ".cfg": "text", ".conf": "text",
+	".toml": "text", ".yml": "text", ".yaml": "text",
+	".c": "text", ".cpp": "text", ".h": "text",
+	".go": "text", ".py": "text", ".js": "text",
+	".ts": "text", ".html": "text", ".htm": "text",
+	".xml": "text", ".css": "text", ".java": "text",
+	".rs": "text", ".rb": "text", ".php": "text",
+	".pl": "text", ".sql": "text", ".md": "text",
+	".log": "text", ".txt": "text", ".csv": "text",
+	".json": "text", ".env": "text", ".sum": "text",
+	".gitignore": "text", ".dockerfile": "text", ".Makefile": "text",
+	".rst": "text", ".el": "text", ".fish": "text",
+}
+
+//go:embed templates/files.html
+var filesTemplate embed.FS
+
+func DisplayFile(app *Application, file string, w http.ResponseWriter) {
+	var tmpl *template.Template
+
+	if _, err := os.Stat("./templates/dirlist.html"); err == nil {
+		tmpl = template.Must(template.ParseFiles("templates/files.html"))
+	} else {
+		tmpl = template.Must(template.ParseFS(filesTemplate, "templates/files.html"))
+	}
+
+	fileStat, _ := os.Stat("." + file)
+	fileContent, _ := os.ReadFile("." + file)
+
+	fileInfo := FileInfo{
+		Name:    file,
+		Path:    filepath.Join(app.url, file),
+		Type:    getType(file),
+		Content: string(fileContent),
+		TimeUploaded: fileStat.ModTime().
+			UTC().
+			Format("2006-01-02 15:04:05 UTC"),
+	}
+
+	if err := tmpl.Execute(w, fileInfo); err != nil {
+		slog.Warn(err.Error())
+	}
+}
+
+func getType(file string) string {
+	extension := strings.ToLower(filepath.Ext(file))
+
+	if fileType, exists := extensions[extension]; exists {
+		return fileType
+	}
+	return "unknown"
+}

generate_config.sh

@@ -43,7 +43,7 @@ AUTH_USERNAME=$AUTH_USERNAME
 # This is the password of the user for accessing /tree
 AUTH_PASSWORD=$AUTH_PASSWORD
 
-# This is whether you need a password to upload text through the browser
+# This is whether you need a password to upload text (through browser or curl)
 SHOULD_AUTH=$SHOULD_AUTH
 
 # This is the key needed to make uploads. Include it as X-Auth in curl.

go.mod

@@ -3,3 +3,5 @@ module github.com/jabuxas/abyss
 go 1.22.6
 
 require github.com/joho/godotenv v1.5.1
+
+require github.com/golang-jwt/jwt/v5 v5.2.1 // indirect

go.sum

@@ -1,2 +1,4 @@
+github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
 github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=

handlers.go

@@ -1,16 +1,19 @@
 package main
 
 import (
-	"crypto/sha256"
+	"embed"
-	"crypto/subtle"
 	"fmt"
 	"html/template"
 	"io"
+	"io/fs"
 	"log/slog"
 	"net/http"
 	"os"
 	"path/filepath"
 	"strings"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
 )
 
 type Application struct {
@@ -22,21 +25,15 @@ type Application struct {
 	key              string
 	filesDir         string
 	port             string
-	authText         string
+	authUpload       string
 	lastUploadedFile string
 }
 
-type FileInfo struct {
+//go:embed static/**
-	Name          string
+var static embed.FS
-	Path          string
-	Size          int64
-	FormattedSize string
-}
 
-type TemplateData struct {
+//go:embed templates/dirlist.html
-	Files []FileInfo
+var treeTemplate embed.FS
-	URL   string
-}
 
 func (app *Application) fileListingHandler(w http.ResponseWriter, r *http.Request) {
 	dir := app.filesDir + r.URL.Path
@@ -61,10 +58,19 @@ func (app *Application) fileListingHandler(w http.ResponseWriter, r *http.Reques
 			Path:          filepath.Join(r.URL.Path, file.Name()),
 			Size:          info.Size(),
 			FormattedSize: FormatFileSize(info.Size()),
+			TimeUploaded: info.ModTime().
+				UTC().
+				Format("2006-01-02 15:04:05 UTC"),
 		})
 	}
 
-	tmpl := template.Must(template.ParseFiles("templates/dirlist.html"))
+	var tmpl *template.Template
+
+	if _, err := os.Stat("./templates/dirlist.html"); err == nil {
+		tmpl = template.Must(template.ParseFiles("templates/dirlist.html"))
+	} else {
+		tmpl = template.Must(template.ParseFS(treeTemplate, "templates/dirlist.html"))
+	}
 	templateData := TemplateData{
 		Files: fileInfos,
 		URL:   app.url,
@@ -74,7 +80,27 @@ func (app *Application) fileListingHandler(w http.ResponseWriter, r *http.Reques
 	}
 }
 
+func (app *Application) fileHandler(w http.ResponseWriter, r *http.Request) {
+	path := fmt.Sprintf(".%s", filepath.Clean(r.URL.Path))
+
+	if !filepath.IsLocal(path) {
+		http.Error(w, "Wrong url", http.StatusBadRequest)
+		return
+	}
+
+	if fileInfo, err := os.Stat(path); err == nil && !fileInfo.IsDir() {
+		http.ServeFile(w, r, path)
+		return
+	}
+}
+
 func (app *Application) indexHandler(w http.ResponseWriter, r *http.Request) {
+	if _, err := os.Stat(app.filesDir); err != nil {
+		if err := os.Mkdir(app.filesDir, 0750); err != nil {
+			http.Error(w, "Error creating storage directory", http.StatusInternalServerError)
+		}
+	}
+
 	if r.Method == http.MethodPost {
 		app.uploadHandler(w, r)
 		return
@@ -89,42 +115,16 @@ func (app *Application) indexHandler(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if fileInfo, err := os.Stat(path); err == nil && !fileInfo.IsDir() {
-		ext := filepath.Ext(path)
+		DisplayFile(app, "/"+path, w)
-
-		textExtensions := map[string]bool{
-			".sh": true, ".bash": true, ".zsh": true,
-			".bat": true, ".cmd": true, ".ps1": true,
-			".ini": true, ".cfg": true, ".conf": true,
-			".toml": true, ".yml": true, ".yaml": true,
-			".c": true, ".cpp": true, ".h": true,
-			".go": true, ".py": true, ".js": true,
-			".ts": true, ".html": true, ".htm": true,
-			".xml": true, ".css": true, ".java": true,
-			".rs": true, ".rb": true, ".php": true,
-			".pl": true, ".sql": true, ".md": true,
-			".log": true, ".txt": true, ".csv": true,
-			".json": true, ".env": true, ".sum": true,
-			".gitignore": true, ".dockerfile": true, ".Makefile": true,
-			".rst": true,
-		}
-
-		videoExtensions := map[string]bool{
-			".mkv": true,
-		}
-
-		if textExtensions[ext] {
-			w.Header().Set("Content-Type", "text/plain; charset=utf-8")
-		}
-
-		if videoExtensions[ext] {
-			w.Header().Set("Content-Type", "video/mp4")
-		}
-
-		http.ServeFile(w, r, path)
 		return
 	}
 
+	if _, err := os.Stat("./static"); err == nil {
 		http.StripPrefix("/", http.FileServer(http.Dir("./static"))).ServeHTTP(w, r)
+	} else {
+		fs, _ := fs.Sub(static, "static")
+		http.StripPrefix("/", http.FileServer(http.FS(fs))).ServeHTTP(w, r)
+	}
 }
 
 func (app *Application) lastUploadedHandler(w http.ResponseWriter, r *http.Request) {
@@ -132,17 +132,16 @@ func (app *Application) lastUploadedHandler(w http.ResponseWriter, r *http.Reque
 		http.Error(w, "No new files uploaded yet", http.StatusNotFound)
 		return
 	}
-	http.ServeFile(w, r, app.lastUploadedFile)
+	DisplayFile(app, "/"+app.lastUploadedFile, w)
 }
 
 func (app *Application) uploadHandler(w http.ResponseWriter, r *http.Request) {
-	if _, err := os.Stat(app.filesDir); err != nil {
-		if err := os.Mkdir(app.filesDir, 0750); err != nil {
-			http.Error(w, "Error creating storage directory", http.StatusInternalServerError)
-		}
-	}
 	if contentType := r.Header.Get("Content-Type"); contentType == "application/x-www-form-urlencoded" {
+		if app.authUpload == "yes" {
+			BasicAuth(app.formHandler, app)(w, r)
+		} else {
 			app.formHandler(w, r)
+		}
 	} else if strings.Split(contentType, ";")[0] == "multipart/form-data" {
 		app.curlHandler(w, r)
 	} else {
@@ -150,33 +149,6 @@ func (app *Application) uploadHandler(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
-func (app *Application) basicAuth(next http.HandlerFunc) http.HandlerFunc {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		username, password, ok := r.BasicAuth()
-		if ok {
-			// hash password received
-			usernameHash := sha256.Sum256([]byte(username))
-			passwordHash := sha256.Sum256([]byte(password))
-
-			// hash our password
-			expectedUsernameHash := sha256.Sum256([]byte(app.auth.username))
-			expectedPasswordHash := sha256.Sum256([]byte(app.auth.password))
-
-			// compare hashes
-			usernameMatch := (subtle.ConstantTimeCompare(usernameHash[:], expectedUsernameHash[:]) == 1)
-			passwordMatch := (subtle.ConstantTimeCompare(passwordHash[:], expectedPasswordHash[:]) == 1)
-
-			if usernameMatch && passwordMatch {
-				next.ServeHTTP(w, r)
-				return
-			}
-		}
-
-		w.Header().Set("WWW-Authenticate", `Basic realm="restricted", charset="UTF-8`)
-		http.Error(w, "Unauthorized", http.StatusUnauthorized)
-	})
-}
-
 func (app *Application) formHandler(w http.ResponseWriter, r *http.Request) {
 	content := r.FormValue("content")
 
@@ -190,7 +162,11 @@ func (app *Application) formHandler(w http.ResponseWriter, r *http.Request) {
 	}
 	defer file.Close()
 
-	filename := app.publicURL(file, ".txt")
+	full := true
+	if len(r.Form["secret"]) == 0 {
+		full = false
+	}
+	filename := app.publicURL(file, ".txt", full)
 
 	// reopening file because hash consumes it
 	file, err = os.Open("/tmp/file.txt")
@@ -204,7 +180,7 @@ func (app *Application) formHandler(w http.ResponseWriter, r *http.Request) {
 		fmt.Fprintf(w, "Error parsing file: %s", err.Error())
 	}
 
-	fmt.Fprintf(w, "%s", fmt.Sprintf("http://%s/%s\n", app.url, filename))
+	ResponseURLHandler(w, app.url, filename)
 }
 
 func (app *Application) curlHandler(w http.ResponseWriter, r *http.Request) {
@@ -226,7 +202,11 @@ func (app *Application) curlHandler(w http.ResponseWriter, r *http.Request) {
 	}
 	defer file.Close()
 
-	filename := app.publicURL(file, filepath.Ext(handler.Filename))
+	full := true
+	if len(r.Form["secret"]) == 0 {
+		full = false
+	}
+	filename := app.publicURL(file, filepath.Ext(handler.Filename), full)
 
 	// reopen the file for copying, as the hash process consumed the file reader
 	file, _, err = r.FormFile("file")
@@ -236,16 +216,15 @@ func (app *Application) curlHandler(w http.ResponseWriter, r *http.Request) {
 	}
 	defer file.Close()
 
-	err = SaveFile(app.lastUploadedFile, file)
+	if err = SaveFile(app.lastUploadedFile, file); err != nil {
-	if err != nil {
 		fmt.Fprintf(w, "Error parsing file: %s", err.Error())
 	}
 
-	fmt.Fprintf(w, "%s", fmt.Sprintf("http://%s/%s\n", app.url, filename))
+	ResponseURLHandler(w, app.url, filename)
 }
 
-func (app *Application) publicURL(file io.Reader, extension string) string {
+func (app *Application) publicURL(file io.Reader, extension string, full bool) string {
-	filename, _ := HashFile(file, extension)
+	filename, _ := HashFile(file, extension, full)
 
 	filepath := filepath.Join(app.filesDir, filename)
 
@@ -253,3 +232,17 @@ func (app *Application) publicURL(file io.Reader, extension string) string {
 
 	return filename
 }
+
+func (app *Application) createTokenHandler(w http.ResponseWriter, r *http.Request) {
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
+		"exp": time.Now().Add(time.Hour * 2).Unix(),
+	})
+
+	tokenString, err := token.SignedString([]byte(app.key))
+	if err != nil {
+		http.Error(w, "Error generating token", http.StatusInternalServerError)
+		return
+	}
+
+	fmt.Fprintf(w, "%s", tokenString)
+}

helpers.go

@@ -2,15 +2,59 @@ package main
 
 import (
 	"crypto/md5"
+	"crypto/sha256"
+	"crypto/subtle"
 	"encoding/hex"
 	"fmt"
 	"io"
 	"net/http"
 	"os"
+	"strings"
+
+	"github.com/golang-jwt/jwt/v5"
 )
 
+type FileInfo struct {
+	Name          string
+	Path          string
+	Size          int64
+	FormattedSize string
+	Type          string
+	Content       string
+	TimeUploaded  string
+}
+
+type TemplateData struct {
+	Files []FileInfo
+	URL   string
+}
+
 func CheckAuth(r *http.Request, key string) bool {
-	return r.Header.Get("X-Auth") == key
+	receivedKey := r.Header.Get("X-Auth")
+	if receivedKey == key {
+		return true
+	} else if err := validateToken(receivedKey, key); err == nil {
+		return true
+	}
+	return false
+}
+
+func validateToken(tokenString, key string) error {
+	token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
+		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+		}
+		return []byte(key), nil
+	})
+	if err != nil {
+		return err
+	}
+
+	if _, ok := token.Claims.(jwt.MapClaims); ok && token.Valid {
+		return nil
+	} else {
+		return fmt.Errorf("invalid token")
+	}
 }
 
 func FormatFileSize(size int64) string {
@@ -24,17 +68,19 @@ func FormatFileSize(size int64) string {
 	return fmt.Sprintf("%.2f GB", float64(size)/(1024*1024*1024))
 }
 
-func HashFile(file io.Reader, extension string) (string, error) {
+func HashFile(file io.Reader, extension string, full bool) (string, error) {
 	hasher := md5.New()
 	if _, err := io.Copy(hasher, file); err != nil {
 		return "", err
 	}
 
-	sha1Hash := hex.EncodeToString(hasher.Sum(nil))[:8]
+	sha1Hash := strings.ToUpper(hex.EncodeToString(hasher.Sum(nil)))
-
 	filename := fmt.Sprintf("%s%s", sha1Hash, extension)
-
+	if full {
 		return filename, nil
+	} else {
+		return fmt.Sprintf("%s%s", sha1Hash[:5], extension), nil
+	}
 }
 
 func SaveFile(name string, file io.Reader) error {
@@ -49,3 +95,40 @@ func SaveFile(name string, file io.Reader) error {
 	}
 	return nil
 }
+
+func BasicAuth(next http.HandlerFunc, app *Application) http.HandlerFunc {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		username, password, ok := r.BasicAuth()
+		if ok {
+			// hash password received
+			usernameHash := sha256.Sum256([]byte(username))
+			passwordHash := sha256.Sum256([]byte(password))
+
+			// hash our password
+			expectedUsernameHash := sha256.Sum256([]byte(app.auth.username))
+			expectedPasswordHash := sha256.Sum256([]byte(app.auth.password))
+
+			// compare hashes
+			usernameMatch := (subtle.ConstantTimeCompare(usernameHash[:], expectedUsernameHash[:]) == 1)
+			passwordMatch := (subtle.ConstantTimeCompare(passwordHash[:], expectedPasswordHash[:]) == 1)
+
+			if usernameMatch && passwordMatch {
+				next.ServeHTTP(w, r)
+				return
+			}
+		}
+
+		w.Header().Set("WWW-Authenticate", `Basic realm="restricted", charset="UTF-8`)
+		http.Error(w, "Unauthorized", http.StatusUnauthorized)
+	})
+}
+
+func ResponseURLHandler(w http.ResponseWriter, url, filename string) {
+	pasteURL := fmt.Sprintf("http://%s/%s\n", url, filename)
+
+	w.Header().Set("Location", pasteURL)
+
+	w.WriteHeader(http.StatusCreated)
+
+	fmt.Fprintf(w, "%s", pasteURL)
+}

static/index.html

@@ -20,8 +20,9 @@
         </a>
     </div>
 
-    <form action="/upload" method="POST">
+    <form action="/" method="POST">
-        <textarea name="content" placeholder="Enter your content here..."></textarea><br />
+        <textarea name="content" placeholder="Enter your content here..."></textarea>
+        <br />
         <button type="submit">upload</button>
     </form>
 

templates/dirlist.html

@@ -68,6 +68,7 @@
         <thead>
             <tr>
                 <th>Name</th>
+                <th>Time Uploaded</th>
                 <th>Size</th>
             </tr>
         </thead>
@@ -77,6 +78,7 @@
                 <td>
                     <a href="{{.Path}}">{{.Name}}</a>
                 </td>
+                <td>{{.TimeUploaded}}</td>
                 <td>{{.FormattedSize}}</td>
             </tr>
             {{end}}

templates/files.html

@@ -0,0 +1,228 @@
+<!doctype html>
+<html lang="en">
+
+<head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>abyss paste</title>
+
+    {{if eq .Type "text"}}
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.9.0/highlight.min.js"></script>
+    <script>
+        window.onload = function () {
+            var allPre, i, j;
+            allPre = document.getElementsByTagName("pre");
+            for (i = 0, j = allPre.length; i < j; i++) {
+                hljs.highlightBlock(allPre[i]);
+            }
+        };
+    </script>
+    <style>
+        pre.hljs {
+            display: block;
+            overflow-x: auto;
+            padding: 1em;
+        }
+
+        .hljs {
+            color: #ffffff;
+        }
+
+        .hljs-comment {
+            color: #7d7d7d;
+        }
+
+        .hljs-punctuation,
+        .hljs-tag {
+            color: #dcdcdc;
+        }
+
+        .hljs-tag .hljs-attr,
+        .hljs-tag .hljs-name {
+            color: #f1f1f1;
+        }
+
+        .hljs-attribute,
+        .hljs-doctag,
+        .hljs-keyword,
+        .hljs-meta .hljs-keyword,
+        .hljs-name,
+        .hljs-selector-tag {
+            font-weight: bold;
+            color: #ff9d00;
+        }
+
+        .hljs-deletion,
+        .hljs-number,
+        .hljs-quote,
+        .hljs-selector-class,
+        .hljs-selector-id,
+        .hljs-string,
+        .hljs-template-tag,
+        .hljs-type {
+            color: #d19a66;
+        }
+
+        .hljs-section,
+        .hljs-title {
+            color: #61afef;
+            font-weight: bold;
+        }
+
+        .hljs-link,
+        .hljs-operator,
+        .hljs-regexp,
+        .hljs-selector-attr,
+        .hljs-selector-pseudo,
+        .hljs-symbol,
+        .hljs-template-variable,
+        .hljs-variable {
+            color: #c678dd;
+        }
+
+        .hljs-literal {
+            color: #dcaeea;
+        }
+
+        .hljs-addition,
+        .hljs-built_in,
+        .hljs-bullet,
+        .hljs-code {
+            color: #98c379;
+        }
+
+        .hljs-meta {
+            color: #56b6c2;
+        }
+
+        .hljs-meta .hljs-string {
+            color: #e5c07b;
+        }
+
+        .hljs-emphasis {
+            font-style: italic;
+        }
+
+        .hljs-strong {
+            font-weight: bold;
+        }
+    </style>
+    {{end}}
+
+    <style>
+        body {
+            margin: 0;
+            padding: 0;
+            background-color: #1d1f21;
+            color: #c5c6c7;
+            font-family: "Arial", sans-serif;
+            display: flex;
+            flex-direction: column;
+            height: 100vh;
+        }
+
+        header,
+        footer {
+            background-color: #2e2e2e;
+            text-align: center;
+            font-size: 1rem;
+            font-weight: bold;
+            position: sticky;
+            top: 0;
+            z-index: 10;
+            padding: 10px;
+        }
+
+        .content {
+            flex-grow: 1;
+            display: flex;
+            justify-content: center;
+            align-items: center;
+            padding: 10px;
+        }
+
+        img,
+        video,
+        embed,
+        iframe {
+            max-width: 100%;
+            max-height: 100%;
+            border-radius: 8px;
+            box-shadow: 0 4px 8px rgba(0, 0, 0, 0.2);
+        }
+
+        video {
+            background-color: #000;
+        }
+
+        .pdf-embed {
+            width: 100%;
+            height: 100%;
+            border: none;
+        }
+
+        pre {
+            flex: 1;
+            width: 100%;
+            height: 100%;
+            white-space: pre;
+            font-family: monospace;
+            font-size: 1rem;
+            background-color: #2e2e2e;
+            padding: 10px;
+            border-radius: 8px;
+            overflow: auto;
+            scrollbar-width: thin;
+            scrollbar-color: #686868 #2e2e2e;
+            box-sizing: border-box;
+        }
+
+        pre::-webkit-scrollbar {
+            width: 12px;
+        }
+
+        pre::-webkit-scrollbar-track {
+            background: #2e2e2e;
+            border-radius: 10px;
+        }
+
+        pre::-webkit-scrollbar-thumb {
+            background-color: #686868;
+            border-radius: 10px;
+            border: 3px solid #2e2e2e;
+        }
+
+        a {
+            color: #0288d1;
+            text-decoration: none;
+        }
+    </style>
+</head>
+
+<body>
+    <header>{{.Path}}</header>
+    <div class="content">
+        {{if eq .Type "text"}}
+        <pre>{{.Content}}</pre>
+        {{else if eq .Type "image"}}
+        <img src="{{.Name}}" alt="Image" />
+        {{else if eq .Type "pdf"}}
+        <embed src="{{.Name}}" type="application/pdf" class="pdf-embed" />
+        {{else if eq .Type "video"}}
+        <video controls>
+            <source src="{{.Name}}" type="video/mp4" />
+            Your browser does not support the video tag.
+        </video>
+        {{else if eq .Type "audio"}}
+        <audio controls src="{{.Name}}"><audio />
+            {{else}}
+            <p>
+                Couldn't detect file from extension, visit
+                <a href="http://{{.Path}}">this link</a> to see/download your file.
+            </p>
+            {{end}}
+    </div>
+    <footer>file uploaded in {{.TimeUploaded}}</footer>
+</body>
+
+</html>