fix --shr with pw-hash; closes #162

--ah-alg now also applies to password-protected shares
2025-08-17 09:02:15 -06:00 · 2025-05-11 20:10:00 +02:00 · 2025-05-11 20:10:00 +02:00 · c3ef3fdc1f
parent b9ba783c1c
commit c3ef3fdc1f
2 changed files with 4 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -918,6 +918,7 @@ semi-intentional limitations:

 * cleanup of expired shares only works when global option `e2d` is set, and/or at least one volume on the server has volflag `e2d`
 * only folders from the same volume are shared; if you are sharing a folder which contains other volumes, then the contents of those volumes will not be available
+* if you change [password hashing](#password-hashing) settings after creating a password-protected share, then that share will stop working
 * related to [IdP volumes being forgotten on shutdown](https://github.com/9001/copyparty/blob/hovudstraum/docs/idp.md#idp-volumes-are-forgotten-on-shutdown), any shares pointing into a user's IdP volume will be unavailable until that user makes their first request after a restart
 * no option to "delete after first access" because tricky
  * when linking something to discord (for example) it'll get accessed by their scraper and that would count as a hit
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@ -2931,6 +2931,7 @@ class HttpCli(object):
        self.parser.drop()

        self.log("logout " + self.uname)
+        if not self.uname.startswith("s_"):
            self.asrv.forget_session(self.conn.hsrv.broker, self.uname)
        self.get_pwd_cookie("x")

@ -5504,6 +5505,7 @@ class HttpCli(object):
                raise Pebkac(400, "selected file not found on disk: [%s]" % (fn,))

        pw = req.get("pw") or ""
+        pw = self.asrv.ah.hash(pw)
        now = int(time.time())
        sexp = req["exp"]
        exp = int(sexp) if sexp else 0