ea1ea366d2
This is motivated by the Android app: https://github.com/syncthing/syncthing-android/pull/1982#issuecomment-1752042554

The planned fix in response to basic auth behaviour changing in #8757 was to add the `Authorization` header when opening the WebView, but it turns out the function used only applies the header to the initial page load, not any subsequent script loads or AJAX calls. The `basicAuthAndSessionMiddleware` checks for no-auth exceptions before checking the `Authorization` header, so the header has no effect on the initial page load since the `/` path is a no-auth exception. Thus the Android app fails to log in when opening the WebView.

This changes the order of checks in `basicAuthAndSessionMiddleware` so that the `Authorization` header is always checked if present, and a session cookie is set if it is valid. Only after that does the middleware fall back to checking for no-auth exceptions.

`api_test.go` has been expanded with additional checks:

- Check that a session cookie is set whenever correct basic auth is provided.
- Check that a session cookie is not set when basic auth is incorrect.
- Check that a session cookie is not set when authenticating with an API token (either via `X-Api-Key` or `Authorization: Bearer`).

And an additional test case:

- Check that requests to `/` always succeed, but receive a session cookie when correct basic auth is provided.

I have manually verified that

- The new assertions fail if the `createSession` call is removed in `basicAuthAndSessionMiddleware`.
- The new test cases in e6e4df4d7034302b729ada6d91cff6e2b29678da fail before the change in 0e47d37e738d4c15736c496e01cd949afb372e71 is applied.
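The check order the commit message describes, as an added Go illustration that is not Syncthing's own middleware or `api_test.go`; the credentials, API key, cookie name, the `/protected` path and the 403 response are constructed assumptions for the demo:

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const validUser, validPass, apiKey, cookieName = "alice", "correct horse", "constructed-api-key", "sessionid" // constructed values, not Syncthing's
var sessions = map[string]bool{}                                                                                // toy in-memory session store
func eq(a, b string) bool { return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1 }
func createSession(w http.ResponseWriter) {
	id := fmt.Sprintf("sess-%d", len(sessions)+1) // predictable placeholder; real code must use crypto/rand
	sessions[id] = true
	http.SetCookie(w, &http.Cookie{Name: cookieName, Value: id, HttpOnly: true})
}
func hasSession(r *http.Request) bool {
	c, err := r.Cookie(cookieName)
	return err == nil && sessions[c.Value]
}

// middleware applies the corrected order: API token, then Authorization (issuing a cookie when valid), only then the "/" exception or an existing session.
func middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		bearer := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		switch u, p, ok := r.BasicAuth(); {
		case eq(r.Header.Get("X-Api-Key"), apiKey) || eq(bearer, apiKey): // API token: authenticated, no session cookie
		case ok && eq(u, validUser) && eq(p, validPass):
			createSession(w) // valid basic auth always yields a cookie, even on "/"
		case r.URL.Path == "/" || hasSession(r): // no-auth exception or existing session; no new cookie
		default:
			http.Error(w, "Forbidden", http.StatusForbidden) // 403 is an assumption for this demo
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one in-memory request and reports the status code and whether a Set-Cookie was issued.
func probe(path string, mod func(*http.Request)) (int, bool) {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodGet, path, nil)
	mod(req)
	rec := httptest.NewRecorder()
	middleware(ok).ServeHTTP(rec, req)
	return rec.Code, len(rec.Result().Cookies()) > 0
}
```

With the old order, a request to `/` carrying valid basic auth would have taken the no-auth branch before the credentials were ever examined, so `probe("/", ...)` would report no cookie; under this order it reports one.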
Goals
Syncthing is a continuous file synchronization program. It synchronizes files between two or more computers. We strive to fulfill the goals below. The goals are listed in order of importance, the most important ones first. This is the summary version of the goal list - for more commentary, see the full Goals document.
Syncthing should be:
- Safe From Data Loss: Protecting the user's data is paramount. We take every reasonable precaution to avoid corrupting the user's files.
- Secure Against Attackers: Again, protecting the user's data is paramount. Regardless of our other goals, we must never allow the user's data to be susceptible to eavesdropping or modification by unauthorized parties.
- Easy to Use: Syncthing should be approachable, understandable, and inclusive.
- Automatic: User interaction should be required only when absolutely necessary.
- Universally Available: Syncthing should run on every common computer. We are mindful that the latest technology is not always available to every individual.
- For Individuals: Syncthing is primarily about empowering the individual user with safe, secure, and easy to use file synchronization.
- Everything Else: There are many things we care about that don't make it on to the list. It is fine to optimize for these values, as long as they are not in conflict with the stated goals above.
Getting Started
Take a look at the getting started guide.
There are a few examples for keeping Syncthing running in the background on your system in the etc directory. There are also several GUI implementations for Windows, Mac, and Linux.
Docker
To run Syncthing in Docker, see the Docker README.
Vote on features/bugs
We'd like to encourage you to vote on issues that matter to you. This helps the team understand what the biggest pain points are for our users, and could potentially influence what is being worked on next.
Getting in Touch
The first and best point of contact is the Forum. If you've found something that is clearly a bug, feel free to report it in the GitHub issue tracker.
If you believe that you’ve found a Syncthing-related security vulnerability, please report it by emailing security@syncthing.net. Do not report it in the Forum or issue tracker.
Building
Building Syncthing from source is easy. After extracting the source bundle from a release or checking out git, you just need to run `go run build.go` and the binaries are created in `./bin`. There's a guide with more details on the build process.
Signed Releases
As of v0.10.15 and onwards, release binaries are GPG signed with the key D26E6ED000654A3E, available from https://syncthing.net/security.html and most key servers.
There is also a built-in automatic upgrade mechanism (disabled in some distribution channels) which uses a compiled-in ECDSA signature. macOS binaries are also properly code signed.
Documentation
Please see the Syncthing documentation site [source].
All code is licensed under the MPLv2 License.