Hi, would it be possible to add a fourth button to be able to copy the direct link to a non image file? This would make it easier to download files in a console. I currently create the link manually with https://host.tld/downloadFile?id=<ID>.

It does not necessarily have to be another button, but a possibility in general to copy the above link in the frontend. On that note, you could also add DownloadUrl to the json response when uploading via the api, so custom upload scripts can use it as well.

Hello.

Storing files and sessions inside config is not great idea for several reasons:

1. It's not secure, because read-only access for configs in Linux is a common practice.
2. It's not good for performance beacuse full rewrite required.
3. It's, in general, bad practice.

What do you think about adding new backend. Sqlite will be the simplest one, which can be used for existing configs, mostly, inplace (for example, another .sqlite file in config folder). Also supporting sqlite may lead to supporting normal DBs like Postrgres or MariaDB.

Benefits:

1. May increase performance and stability with low-end devices with bad IO which is may relevant for this application.
2. May increase performance for instances with a lot of files, because config rewrite is not required (adding 1 file to 10000 existing is not a problem)
3. State isolation is a good technique in general. Many self-hosted application can store almost full state in DB, except user data. And one DB backup script is enough for server backup, but another procedure is required for gokapi

What do you think? I also can help with this if you wish.

Regards.

Would prevent time outs and solve the 100MB limit for cloudflare

When trying to use a hotlink URL after the file has been deleted from the server (max download 1), it shows a page of this:

If you use the regular file URL for the same file, it redirects to /error with "Sorry, this file cannot be found. Either the link has expired or it has been downloaded already".

Hi,
I'm trying run gokapi in docker on Synology NAS and neither after maybe tens attempts i'm don't have any success.
Can you help me with settings please?
I'm runnig many other containers but with this....i don't know.

My container minimal settings:
{ "cap_add" : null, "cap_drop" : null, "cmd" : "/app/gokapi", "cpu_priority" : 50, "devices" : null, "enable_publish_all_ports" : false, "enable_restart_policy" : false, "enabled" : true, "env_variables" : [ { "key" : "PATH", "value" : "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" }, { "key" : "GOKAPI_PASSWORD", "value" : "xxxxxxxxxxxxxxxxxx" }, { "key" : "GOKAPI_USERNAME", "value" : "myName" } ], "exporting" : false, "id" : "2379bc3ac01d530858f539bc131313d61cf54dbe0ea20b90694e015ad338875f", "image" : "f0rc3/gokapi:latest", "is_ddsm" : false, "is_package" : false, "links" : [], "memory_limit" : 0, "name" : "f0rc3-gokapi1", "network" : [ { "driver" : "bridge", "name" : "bridge" } ], "network_mode" : "bridge", "port_bindings" : [ { "container_port" : 53842, "host_port" : 0, "type" : "tcp" } ], "privileged" : false, "shortcut" : { "enable_shortcut" : false }, "use_host_network" : false, "volume_bindings" : [] }

Result:

Sorry for my bad eglish.

My system is configured to use an S3 bucket. When I press "delete", it deletes the file from S3 without an issue, but if the file is downloaded it doesn't automatically delete.

Is there a configuration piece I missed, or is this a bug with the AWS configuration?

Environment

Files with insecure permissions

Also, suggestion to set more secure permissions on log and uploaded content

./data/log.txt
as well uploaded blobs (filenames as hashes) should have permissions 600 instead of 644

If you experience this problem, please switch back to the original remote storage with --reconfigure and delete the files first.

I'm using docker. When I run this:

sudo docker run -v gokapi-data:/app/data -v gokapi-config:/app/config -p 53842:53842 f0rc3/gokapi:latest

it gives me the setup & and I can walk through it. However, when it asks me to pick the storage location, Cloud isn't an option because I didn't build it with that?

I was able to run this instead to build it with the cloud part set up:

sudo docker run -d --restart always -it -v gokapi-data:/app/data -v gokapi-config:/app/config -p 53842:53842
-e GOKAPI_AWS_BUCKET={hiddenBucketName}
-e GOKAPI_AWS_REGION=us-west-2
-e GOKAPI_AWS_KEY={hiddenKey}
-e GOKAPI_AWS_KEY_SECRET={hiddenSecretKey}
f0rc3/gokapi:latest

That boots everything up and lets me upload files. The files go into my S3 bucket. But, I can't download them. I set the CORS value to:

[
{
"AllowedHeaders": [
""
],
"AllowedMethods": [
"GET",
"PUT",
"POST",
"DELETE",
"HEAD"
],
"AllowedOrigins": [
"https://{domain}",
"https://{domain}/"
],
"ExposeHeaders": []
}
]

But when I try to download, the button just turns dark grey and nothing happens.

This tool is awesome and mostly works for me. During uploading a larger file I noticed, my docker system almost running out of space.
I have set the data dir to a folder on my docker host, so this is unexpected.
Only after fully uploading the file, does it get transfered from within the docker container to that external folder.

This should not be happening:

I am using the latest-dev branch as I needed passwords to work through the API. When I tried to customize the pages, I copied the templates folder to my own location. After loading the container with the local templates folder, the API link on the admin page would lead to an error 403.

In the templates folder, I found out the issue is that in the file html_header.tmpl, the link for the API goes to ./api. It should be linking to ./apiKeys. It was an easy fix but still something I wanted to bring to your attention.

Synopsis

When running Gokapi v1.3.1 using Docker template customization according to the documentation is broken. Browsing the login page works fine (and changes are visible), but when attempting login an error is thrown.

How to reproduce

1. Clone project
2. cp -r Gokapi/internal/webserver/web/templates .
3. Change a template file, for example templates/data/templates/string_constants.tmpl
4. Launch the following docker-compose.yml:

version: '3.7'
services:
  gokapi:
    image: f0rc3/gokapi:latest
    container_name: gokapi
    ports:
      - 53842:53842
    environment:
      - GOKAPI_USERNAME=admin
      - GOKAPI_PASSWORD=admin
    volumes:
      - ./data:/app/data
      - ./config:/app/config
      - ./templates:/app/templates

Stacktrace

gokapi  | 2022/01/24 10:48:39 http: panic serving x.x.x.x:XXXX: template: html_header.tmpl:48:18: executing "header" at <.IsLogoutAvailable>: can't evaluate field IsLogoutAvailable in type *webserver.UploadView
gokapi  | goroutine 41 [running]:
gokapi  | net/http.(*conn).serve.func1(0xc000308500)
gokapi  |       /usr/local/go/src/net/http/server.go:1824 +0x153
gokapi  | panic(0xb2f080, 0xc00032a180)
gokapi  |       /usr/local/go/src/runtime/panic.go:971 +0x499
gokapi  | Gokapi/internal/helper.Check(...)
gokapi  |       /compile/internal/helper/OS.go:61
gokapi  | Gokapi/internal/webserver.showAdminMenu(0x17bf070, 0xc000348380, 0xc000336600)
gokapi  |       /compile/internal/webserver/Webserver.go:335 +0x14a
gokapi  | net/http.HandlerFunc.ServeHTTP(0x1689a18, 0x17bf070, 0xc000348380, 0xc000336600)
gokapi  |       /usr/local/go/src/net/http/server.go:2069 +0x44
gokapi  | net/http.(*ServeMux).ServeHTTP(0x1b3f6e0, 0x17bf070, 0xc000348380, 0xc000336600)
gokapi  |       /usr/local/go/src/net/http/server.go:2448 +0x1ad
gokapi  | net/http.serverHandler.ServeHTTP(0xc0002a2000, 0x17bf070, 0xc000348380, 0xc000336600)
gokapi  |       /usr/local/go/src/net/http/server.go:2887 +0xa3
gokapi  | net/http.(*conn).serve(0xc000308500, 0x17c1dc0, 0xc000320480)
gokapi  |       /usr/local/go/src/net/http/server.go:1952 +0x8cd
gokapi  | created by net/http.(*Server).Serve
gokapi  |       /usr/local/go/src/net/http/server.go:3013 +0x39b

Performing the initial startup of the Docker image, it appears that it expects a configuration file to already exist or it is prompting the user, but with Docker we don't have that prompt presented.

Might just be a documentation update to show to do that.

In the future the Json output for the file object should be better:

• Remove unnecessary values, e.g. extensive encryption details
• Add values, e.g. direct link for hotlinks instead of only the hotlink ID

From what I can tell you either need to provide an allowedDownloads value when uploading via the add API or it will default to the last value from the web interface. Though the web interface you can turn off the allowed downloads to allow unlimited downloads, but you can't do the same thing through the API.

Could allowedDownloads take a value like 0 or -1 to indicate unlimited downloads?

Would it be possible to change that the Docker container runs as root in case of container escapes?

I gave it a quick try to run it as nobody, but the setup fails to complete and logs show:

"http: panic serving my_ip:61273: mkdir config: permission denied"

If you are running 1.5.X and use the encryption feature, all encrypted files will not be able to download after rerunning the setup. Please refrain from changing the configuration if you have encrypted files, backup your files first or update to the latest dev image.

To reproduce:

• Have a running server with encryption enabled (e.g. Level 2)
• Run setup
• Do not change encryption and save
• An already encrypted file will not be able to be downloaded if the server is not restarted afterwards (cipher: message authentication failed)
• A new file can still be downloaded after a server restart

Trying to install Gokapi in docker on an oracle ampere server I get the following error (as usual on arm64...):

docker: no matching manifest for linux/arm64/v8 in the manifest list entries.

Any workarround?

It would be quite helpful if I could see the number of downloads for files without download limits. Since just putting the number of downloads into the "Downloads remaining" column wouldn't make much sense, I was thinking that a sensable change would be to rename the column to something like "Downloads/Limit" and change each row to "x/limit" for files with download restrictions or "x/Unlimited" for files without restrictions. Thank you!

Reported by @acourter27 in #49

Would it be possible to set maybe 0 as either/both download limit / expiry date, or would that break the idea of the project too much? Not knowing the possible downloads would be possible use case. As alternative to no expiry date, a datepicker like selection for expiry date would be a neat idea as well.

On another note, is it intended, that a changed download/expiry will also be written to the config?

Docker install as per Documentation.

Tested first with a 53mb file > No issues, works as expected.

Testing with a 4gb windows.iso > Below error is shown. Same error in Firefox & Google Chrome.

Hi. I just ran gokapi on a Debian 10 box with apache already installed and it works fine when using the internal IP address to connect, however, when I use my domain to try and connect to it, it changes my connection from being an HTTP connection to an HTTPS connection and FireFox throws the error: SSL_ERROR_RX_RECORD_TOO_LONG
I'm not sure whats wrong here, as it runs perfectly fine when using my internal IP, however, this defeats the purpose of using it to share files with others. All of the settings are default except it is not bound only to localhost and I'm not using a reverse proxy. Port 53842 is port forwarded.

The url /logout already works, however in the admin menu there should be a logout button in the top right corner. This could be integrated with a hamburger menu for API access (#6)

I am not very experienced with HTML/CSS, if anyone is able to add a button and still having the title centered, I would appreciate a PR! :)

Hello sir, I face a problem, when I deploy your elegant App on my VPS, I found this question, when I upload some file to gokapi app, I always face a error: "Server respond with a 404 error code", I check alll my settings, but I can not found the cause;

platform: debian 10 + docker 19.03.12;
web server: caddy v2.1.1
reverse proxy set:

route /gokapi/* {
                uri strip_prefix /gokapi
                reverse_proxy 127.0.0.1:53842
        }

I can viste the web page normally, but only when I upload file, the error appear;
If you need more log, please tell me, thank you very much, thank you for your elegant app;

Feature Request

Hi, it would be nice to have a TOTP secret in the admin so the user has to enter the correct 6-digit code to download the file.

Use case

MeshCentral has an Assistant feature which allows users to download a file that connects to your server so you can connect to their computer for assistance. The process to invitee a user to download and run the software is not intuitive. Also, as a personal preference, I don't want to host the file in the same system that the agent connects to.

Ideally, if they go to help.example.com, they can see a general help page with instructions for downloading/running the agent. When they click the link, it will take them to Gokapi at which point it will ask for a static password. Since this password never changes, anyone with the password can revisit the page and download the software. If the password rotates, like with TOTP, they won't know the code to download the software. A rotating password also helps protect against brute force.

It would be really helpful if AWS S3 could be used as the storage backend for this.

I stood up your docker container with the following environment variables via the following docker-compose. From there I tried generating an api key and using python requests, the built in api test, and your curl example to upload a file. All of which resulted in default values being used and a file being accessible with 1 download and no password prompt at all.

version: '3.9'
services:
  gokapi:
    build:
      context: .
      dockerfile: "Dockerfile"
      - GOKAPI_AWS_BUCKET=X
      - GOKAPI_AWS_KEY=Y
      - GOKAPI_AWS_KEY_SECRET=Z
      - GOKAPI_AWS_REGION=us-west-2
      - GOKAPI_DISABLE_LOGIN=false
      - GOKAPI_EXTERNAL_URL=https://files.poisoned.site
      - GOKAPI_LOCALHOST=false
      - GOKAPI_PASSWORD=J
      - GOKAPI_PORT=8080
      - GOKAPI_REDIRECT_URL=https://www.poisoned.site
      - GOKAPI_SALT_FILES=true
      - GOKAPI_USERNAME=admin
      - GOKAPI_USE_SSL=false
      - GOKAPI_MAX_FILESIZE=2048
    ports:
      - "8080:8080"

Here is my curl test. Notice I specify 8 downloads and it returns with 1 download remaining.

$ curl -X POST "http://files.poisoned.site:8080/api/files/add" -H "accept: application/json" -H "apikey: S5U2jWeG5KuCvEJcX5hap3kiw0vXe8" -H "Content-Type: multipart/form-data" -F "allowedDownloads=8" -F "expiryDays=5" -F "password=abc123" -F "[email protected]"

{"Result":"OK","FileInfo":{"Id":"G8GyfnrIe7CVvrY","Name":"go.sum","Size":"4.9 kB","SHA256":"fad229ca87506edfb269ec58495b4b1729752d14","ExpireAt":1640299509,"ExpireAtString":"2021-12-23 22:45","DownloadsRemaining":1,"PasswordHash":"","HotlinkId":"","ContentType":"application/octet-stream","AwsBucket":"gokapi-s3"},"Url":"https://files.poisoned.site/d?id=","HotlinkUrl":"https://files.poisoned.site/hotlink/"}%                                                           
                                                  

I made a python requests thing that does the same thing:

$ ./gclient.py -v upload -g http://files.poisoned.site:8080 -k Z -p abcd1234 -f go.mod
Namespace(verbose=True, command='upload', file='go.mod', key='S5U2jWeG5KuCvEJcX5hap3kiw0vXe8', ghost='http://files.poisoned.site:8080', days=1, clicks=7, password='abcd1234')
go.mod
DEBUG: http://files.poisoned.site:8080/api/files/add
DEBUG: Z
DEBUG: HEADERS
DEBUG: {'accept': 'application/json', 'apikey': 'Z'}
DEBUG: FILES
DEBUG: {'allowedDownloads': 7, 'expiryDays': 1, 'password': 'abcd1234', 'file': ('go.mod', <_io.BufferedReader name='go.mod'>)}
================
External Links
================
  File_URL: https://files.poisoned.site/d?id=eyjbVnCkBmuuEbo
  Direct_download: https://files.poisoned.site/downloadFile?id=eyjbVnCkBmuuEbo

================
Internal Links
================
  File_URL: https://localhost:8080/d?id=eyjbVnCkBmuuEbo
  Direct_download: https://localhost:8080/downloadFile?id=eyjbVnCkBmuuEbo

The same is true for the internal apidocumentation/ link as well.

I'd like to have the option of seeing the IP addresses / User-Agents / etc of users who downloaded files. Thanks

Currently, Gokapi requires a 4 character minimum username. Can this be decreased to 3 or less?
"Username needs to be at least 4 characters long".

Thanks!

main

I might be too dumb and not understand but it would be great if instead of creating a user and static credentials to instead allow inheriting ephemeral credentials from an I am profile from an ec2 instance. Sorry if this is already possible. I tried to figure this out and couldn't get it to work.

It seems like the upload bar progresses far quicker than the actual upload progress
This is the current state of my upload according to the admin panel

and this is a the current uploaded file size:

Hello,

it would be very nice to have the possibilites to add new user that can access the admin board

And : remove a user, edit user passwords could be cool too

Thanks !

I'm running Gokapi behind Authentik, so only logged-in users can access it.

Users need to know the admin username/password if they want to upload files. Could I disable authentication or use basic-auth (user/password JS prompt) or header based authentication to login as admin?

Hi, I was tryting to setup gokapi with docker-compose, but wasn't able to get everything up and running. Starting with docker-compose works fine and it creates a config file, but trying to access gokapi from a different machine does not work at all. Trying to access it with curl on the machine its running on does not work (curl: (7) Failed to connect to 127.0.0.1 port 8084: Verbindungsaufbau abgelehnt).
I then tried to run everything with the provided command from the readme with docker run -it -v /home/gokapi/data:/app/data -v /home/gokapi/config:/app/config -p 8084:53842 f0rc3/gokapi:latest with the same result. Config file is the same both ways but I cannot access the sever, neither with an apache reverse proxy nor with ip:port (or on the machine itself). I also tried to run gokapi with the default ports, but same result again.

Additionally I saw, the LengthId in the config is always 0, despite me setting it in the environment. The created config will never use use my value or the default 15. This happens with both docker run... and docker-compose btw.

Am I missing something?

docker-compose.yml:

version: "3"
services:
  gokapi:
    image: f0rc3/gokapi:latest
    container_name: gokapi
    restart: unless-stopped
    environment:
      - GOKAPI_USERNAME=Jisagi
      - GOKAPI_PASSWORD=XXXXXX
      - GOKAPI_LENGTH_ID=20
    ports:
      - "8084:53842"
    volumes:
      - /home/gokapi/data:/app/data
      - /home/gokapi/config:/app/config

created config:

{
    "Port": "127.0.0.1:53842",
    "AdminName": "Jisagi",
    "AdminPassword": "XXXXXXXXXXXXXXXXX",
    "ServerUrl": "http://127.0.0.1:53842/",
    "DefaultDownloads": 1,
    "DefaultExpiry": 14,
    "DefaultPassword": "",
    "RedirectUrl": "https://github.com/Forceu/Gokapi/",
    "Sessions": {},
    "Files": {},
    "Hotlinks": {},
    "ConfigVersion": 4,
    "SaltAdmin": "zsYecQPNEbPxhInpa62nOvWrICDyVCfoDOxotOW",
    "SaltFiles": "2z8CH4B6mkE3YoVHcXLUUg1j8lcVEuNclFe6Umq9",
    "LengthId": 0,
    "DataDir": "data"
}

Would be useful to either copypaste text or at least show text files content.

Sort of what linx-server does.

Would be cool to have a config option, to let everybody who knows the url upload files. Maybe with a maximum file size.

So the admin can upload unlimited files and delete files and everybody else can uplaod files up to x MB.

It's already possible to upload images in batches, but each image is saved as its own upload.

Would be great if they could be saved together and displayed on one page.

It'd be cool to be able to create a temporary "upload zone" or "drop zone" link that you could send to someone and have them upload a file. Ideally you'd still be able to set the criteria up front (days, downloads, password) so that the user couldn't change them.

That way, you could send a link to someone, have them drop a file, but you're the only one who knows the password so only you can receive the file. That would still keep the system secure and not open, but would allow a quick way for someone to send you a file.