better logic

fix basic auth
Upgrade aws-sdk-go to v2 (#559 )
2026-02-04 06:32:12 +00:00 · 2023-06-06 19:35:45 +09:00 · 2023-06-06 19:30:32 +09:00 · 2023-05-24 18:37:06 +09:00 · 2023-05-23 11:54:02 +09:00 · 2023-05-19 19:01:54 +09:00
15 changed files with 746 additions and 388 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -6,6 +6,7 @@ bin
 *.pyc
 *.egg-info
 .vagrant
+.git
 .tmp
 bower_components
 node_modules
--- a/15
+++ b/15
@@ -1,15 +1,17 @@
-# Default to Go 1.17
-ARG GO_VERSION=1.17
+# Default to Go 1.20
+ARG GO_VERSION=1.20
 FROM golang:${GO_VERSION}-alpine as build

 # Necessary to run 'go get' and to compile the linked binary
-RUN apk add git musl-dev
-
-ADD . /go/src/github.com/dutchcoders/transfer.sh
+RUN apk add git musl-dev mailcap

 WORKDIR /go/src/github.com/dutchcoders/transfer.sh

-ENV GO111MODULE=on
+COPY go.mod go.sum ./
+
+RUN go mod download
+
+COPY . .

 # build & install server
 RUN CGO_ENABLED=0 go build -tags netgo -ldflags "-X github.com/dutchcoders/transfer.sh/cmd.Version=$(git describe --tags) -a -s -w -extldflags '-static'" -o /go/bin/transfersh
@@ -29,6 +31,7 @@ FROM scratch AS final
 LABEL maintainer="Andrea Spacca <andrea.spacca@gmail.com>"
 ARG RUNAS

+COPY --from=build /etc/mime.types /etc/mime.types
 COPY --from=build /tmp/empty /tmp
 COPY --from=build /tmp/useradd/* /etc/
 COPY --from=build --chown=${RUNAS}  /go/bin/transfersh /go/bin/transfersh
--- a/README.md
+++ b/README.md
@@ -47,6 +47,18 @@ $ curl --upload-file ./hello.txt https://transfer.sh/hello.txt -H "Max-Downloads
 $ curl --upload-file ./hello.txt https://transfer.sh/hello.txt -H "Max-Days: 1" # Set the number of days before deletion
 ```

+### X-Encrypt-Password
+#### Beware, use this feature only on your self-hosted server: trusting a third-party service for server side encryption is at your own risk
+```bash
+$ curl --upload-file ./hello.txt https://your-transfersh-instance.tld/hello.txt -H "X-Encrypt-Password: test" # Encrypt the content sever side with AES265 using "test" as password
+```
+
+### X-Decrypt-Password
+#### Beware, use this feature only on your self-hosted server: trusting a third-party service for server side encryption is at your own risk
+```bash
+$ curl https://your-transfersh-instance.tld/BAYh0/hello.txt -H "X-Decrypt-Password: test" # Decrypt the content sever side with AES265 using "test" as password
+```
+
 ## Response Headers

 ### X-Url-Delete
@@ -74,50 +86,52 @@ https://transfer.sh/1lDau/test.txt --> https://transfer.sh/inline/1lDau/test.txt

 ## Usage

-Parameter | Description | Value | Env
--- | --- | --- | ---
-listener | port to use for http (:80) | | LISTENER |
-profile-listener | port to use for profiler (:6060) | | PROFILE_LISTENER |
-force-https | redirect to https | false | FORCE_HTTPS
-tls-listener | port to use for https (:443) | | TLS_LISTENER |
-tls-listener-only | flag to enable tls listener only | | TLS_LISTENER_ONLY |
-tls-cert-file | path to tls certificate | | TLS_CERT_FILE |
-tls-private-key | path to tls private key | | TLS_PRIVATE_KEY |
-http-auth-user | user for basic http auth on upload | | HTTP_AUTH_USER |
-http-auth-pass | pass for basic http auth on upload | | HTTP_AUTH_PASS |
-ip-whitelist | comma separated list of ips allowed to connect to the service | | IP_WHITELIST |
-ip-blacklist | comma separated list of ips not allowed to connect to the service | | IP_BLACKLIST |
-temp-path | path to temp folder | system temp | TEMP_PATH |
-web-path | path to static web files (for development or custom front end) | | WEB_PATH |
-proxy-path | path prefix when service is run behind a proxy | | PROXY_PATH |
-proxy-port | port of the proxy when the service is run behind a proxy | | PROXY_PORT |
-email-contact | email contact for the front end | | EMAIL_CONTACT |
-ga-key | google analytics key for the front end | | GA_KEY |
-provider | which storage provider to use | (s3, storj, gdrive or local) |
-uservoice-key | user voice key for the front end  | | USERVOICE_KEY |
-aws-access-key | aws access key | | AWS_ACCESS_KEY |
-aws-secret-key | aws access key | | AWS_SECRET_KEY |
-bucket | aws bucket | | BUCKET |
-s3-endpoint | Custom S3 endpoint. | | S3_ENDPOINT |
-s3-region | region of the s3 bucket | eu-west-1 | S3_REGION |
-s3-no-multipart | disables s3 multipart upload | false | S3_NO_MULTIPART |
-s3-path-style | Forces path style URLs, required for Minio. | false | S3_PATH_STYLE |
-storj-access | Access for the project | | STORJ_ACCESS |
-storj-bucket | Bucket to use within the project | | STORJ_BUCKET |
-basedir | path storage for local/gdrive provider | | BASEDIR |
-gdrive-client-json-filepath | path to oauth client json config for gdrive provider | | GDRIVE_CLIENT_JSON_FILEPATH |
-gdrive-local-config-path | path to store local transfer.sh config cache for gdrive provider| | GDRIVE_LOCAL_CONFIG_PATH |
-gdrive-chunk-size | chunk size for gdrive upload in megabytes, must be lower than available memory (8 MB) | | GDRIVE_CHUNK_SIZE |
-lets-encrypt-hosts | hosts to use for lets encrypt certificates (comma seperated) | | HOSTS |
-log | path to log file| | LOG |
-cors-domains | comma separated list of domains for CORS, setting it enable CORS | | CORS_DOMAINS |
-clamav-host | host for clamav feature  | | CLAMAV_HOST |
-perform-clamav-prescan | prescan every upload through clamav feature (clamav-host must be a local clamd unix socket) | | PERFORM_CLAMAV_PRESCAN |
-rate-limit | request per minute  | | RATE_LIMIT |
-max-upload-size | max upload size in kilobytes  | | MAX_UPLOAD_SIZE |
-purge-days | number of days after the uploads are purged automatically | | PURGE_DAYS |   
-purge-interval | interval in hours to run the automatic purge for (not applicable to S3 and Storj) | | PURGE_INTERVAL |   
-random-token-length | length of the random token for the upload path (double the size for delete path) | 6 | RANDOM_TOKEN_LENGTH |   
+Parameter | Description                                                                                 | Value                        | Env                         
+--- |---------------------------------------------------------------------------------------------|------------------------------|-----------------------------
+listener | port to use for http (:80)                                                                  |                              | LISTENER                    |
+profile-listener | port to use for profiler (:6060)                                                            |                              | PROFILE_LISTENER            |
+force-https | redirect to https                                                                           | false                        | FORCE_HTTPS                 
+tls-listener | port to use for https (:443)                                                                |                              | TLS_LISTENER                |
+tls-listener-only | flag to enable tls listener only                                                            |                              | TLS_LISTENER_ONLY           |
+tls-cert-file | path to tls certificate                                                                     |                              | TLS_CERT_FILE               |
+tls-private-key | path to tls private key                                                                     |                              | TLS_PRIVATE_KEY             |
+http-auth-user | user for basic http auth on upload                                                          |                              | HTTP_AUTH_USER              |
+http-auth-pass | pass for basic http auth on upload                                                          |                              | HTTP_AUTH_PASS              |
+http-auth-htpasswd | htpasswd file path for basic http auth on upload                                            |                              | HTTP_AUTH_HTPASSWD          |
+http-auth-ip-whitelist | comma separated list of ips allowed to upload without being challenged an http auth        |                              | HTTP_AUTH_IP_WHITELIST      |
+ip-whitelist | comma separated list of ips allowed to connect to the service                               |                              | IP_WHITELIST                |
+ip-blacklist | comma separated list of ips not allowed to connect to the service                           |                              | IP_BLACKLIST                |
+temp-path | path to temp folder                                                                         | system temp                  | TEMP_PATH                   |
+web-path | path to static web files (for development or custom front end)                              |                              | WEB_PATH                    |
+proxy-path | path prefix when service is run behind a proxy                                              |                              | PROXY_PATH                  |
+proxy-port | port of the proxy when the service is run behind a proxy                                    |                              | PROXY_PORT                  |
+email-contact | email contact for the front end                                                             |                              | EMAIL_CONTACT               |
+ga-key | google analytics key for the front end                                                      |                              | GA_KEY                      |
+provider | which storage provider to use                                                               | (s3, storj, gdrive or local) |
+uservoice-key | user voice key for the front end                                                            |                              | USERVOICE_KEY               |
+aws-access-key | aws access key                                                                              |                              | AWS_ACCESS_KEY              |
+aws-secret-key | aws access key                                                                              |                              | AWS_SECRET_KEY              |
+bucket | aws bucket                                                                                  |                              | BUCKET                      |
+s3-endpoint | Custom S3 endpoint.                                                                         |                              | S3_ENDPOINT                 |
+s3-region | region of the s3 bucket                                                                     | eu-west-1                    | S3_REGION                   |
+s3-no-multipart | disables s3 multipart upload                                                                | false                        | S3_NO_MULTIPART             |
+s3-path-style | Forces path style URLs, required for Minio.                                                 | false                        | S3_PATH_STYLE               |
+storj-access | Access for the project                                                                      |                              | STORJ_ACCESS                |
+storj-bucket | Bucket to use within the project                                                            |                              | STORJ_BUCKET                |
+basedir | path storage for local/gdrive provider                                                      |                              | BASEDIR                     |
+gdrive-client-json-filepath | path to oauth client json config for gdrive provider                                        |                              | GDRIVE_CLIENT_JSON_FILEPATH |
+gdrive-local-config-path | path to store local transfer.sh config cache for gdrive provider                            |                              | GDRIVE_LOCAL_CONFIG_PATH    |
+gdrive-chunk-size | chunk size for gdrive upload in megabytes, must be lower than available memory (8 MB)       |                              | GDRIVE_CHUNK_SIZE           |
+lets-encrypt-hosts | hosts to use for lets encrypt certificates (comma seperated)                                |                              | HOSTS                       |
+log | path to log file                                                                            |                              | LOG                         |
+cors-domains | comma separated list of domains for CORS, setting it enable CORS                            |                              | CORS_DOMAINS                |
+clamav-host | host for clamav feature                                                                     |                              | CLAMAV_HOST                 |
+perform-clamav-prescan | prescan every upload through clamav feature (clamav-host must be a local clamd unix socket) |                              | PERFORM_CLAMAV_PRESCAN      |
+rate-limit | request per minute                                                                          |                              | RATE_LIMIT                  |
+max-upload-size | max upload size in kilobytes                                                                |                              | MAX_UPLOAD_SIZE             |
+purge-days | number of days after the uploads are purged automatically                                   |                              | PURGE_DAYS                  |   
+purge-interval | interval in hours to run the automatic purge for (not applicable to S3 and Storj)           |                              | PURGE_INTERVAL              |   
+random-token-length | length of the random token for the upload path (double the size for delete path)            | 6                            | RANDOM_TOKEN_LENGTH         |   

 If you want to use TLS using lets encrypt certificates, set lets-encrypt-hosts to your domain, set tls-listener to :443 and enable force-https.

@@ -169,11 +183,11 @@ docker build -t transfer.sh-noroot --build-arg RUNAS=doesntmatter --build-arg PU
 ## S3 Usage

 For the usage with a AWS S3 Bucket, you just need to specify the following options:
- provider
- aws-access-key
- aws-secret-key
- bucket
- s3-region
+- provider `--provider s3`
+- aws-access-key _(either via flag or environment variable `AWS_ACCESS_KEY`)_
+- aws-secret-key _(either via flag or environment variable `AWS_SECRET_KEY`)_
+- bucket _(either via flag or environment variable `BUCKET`)_
+- s3-region _(either via flag or environment variable `S3_REGION`)_

 If you specify the s3-region, you don't need to set the endpoint URL since the correct endpoint will used automatically.

--- a/cmd/cmd.go
+++ b/cmd/cmd.go
@@ -1,15 +1,17 @@
 package cmd

 import (
+	"errors"
 	"fmt"
-	"github.com/dutchcoders/transfer.sh/server/storage"
 	"log"
 	"os"
 	"strings"

+	"github.com/dutchcoders/transfer.sh/server/storage"
+
 	"github.com/dutchcoders/transfer.sh/server"
 	"github.com/fatih/color"
-	"github.com/urfave/cli"
+	"github.com/urfave/cli/v2"
 	"google.golang.org/api/googleapi"
 )

@@ -35,263 +37,275 @@ VERSION:
 	`{{ "\n"}}`

 var globalFlags = []cli.Flag{
-	cli.StringFlag{
-		Name:   "listener",
-		Usage:  "127.0.0.1:8080",
-		Value:  "127.0.0.1:8080",
-		EnvVar: "LISTENER",
+	&cli.StringFlag{
+		Name:    "listener",
+		Usage:   "127.0.0.1:8080",
+		Value:   "127.0.0.1:8080",
+		EnvVars: []string{"LISTENER"},
 	},
 	// redirect to https?
 	// hostnames
-	cli.StringFlag{
-		Name:   "profile-listener",
-		Usage:  "127.0.0.1:6060",
-		Value:  "",
-		EnvVar: "PROFILE_LISTENER",
+	&cli.StringFlag{
+		Name:    "profile-listener",
+		Usage:   "127.0.0.1:6060",
+		Value:   "",
+		EnvVars: []string{"PROFILE_LISTENER"},
 	},
-	cli.BoolFlag{
-		Name:   "force-https",
-		Usage:  "",
-		EnvVar: "FORCE_HTTPS",
+	&cli.BoolFlag{
+		Name:    "force-https",
+		Usage:   "",
+		EnvVars: []string{"FORCE_HTTPS"},
 	},
-	cli.StringFlag{
-		Name:   "tls-listener",
-		Usage:  "127.0.0.1:8443",
-		Value:  "",
-		EnvVar: "TLS_LISTENER",
+	&cli.StringFlag{
+		Name:    "tls-listener",
+		Usage:   "127.0.0.1:8443",
+		Value:   "",
+		EnvVars: []string{"TLS_LISTENER"},
 	},
-	cli.BoolFlag{
-		Name:   "tls-listener-only",
-		Usage:  "",
-		EnvVar: "TLS_LISTENER_ONLY",
+	&cli.BoolFlag{
+		Name:    "tls-listener-only",
+		Usage:   "",
+		EnvVars: []string{"TLS_LISTENER_ONLY"},
 	},
-	cli.StringFlag{
-		Name:   "tls-cert-file",
-		Value:  "",
-		EnvVar: "TLS_CERT_FILE",
+	&cli.StringFlag{
+		Name:    "tls-cert-file",
+		Value:   "",
+		EnvVars: []string{"TLS_CERT_FILE"},
 	},
-	cli.StringFlag{
-		Name:   "tls-private-key",
-		Value:  "",
-		EnvVar: "TLS_PRIVATE_KEY",
+	&cli.StringFlag{
+		Name:    "tls-private-key",
+		Value:   "",
+		EnvVars: []string{"TLS_PRIVATE_KEY"},
 	},
-	cli.StringFlag{
-		Name:   "temp-path",
-		Usage:  "path to temp files",
-		Value:  os.TempDir(),
-		EnvVar: "TEMP_PATH",
+	&cli.StringFlag{
+		Name:    "temp-path",
+		Usage:   "path to temp files",
+		Value:   os.TempDir(),
+		EnvVars: []string{"TEMP_PATH"},
 	},
-	cli.StringFlag{
-		Name:   "web-path",
-		Usage:  "path to static web files",
-		Value:  "",
-		EnvVar: "WEB_PATH",
+	&cli.StringFlag{
+		Name:    "web-path",
+		Usage:   "path to static web files",
+		Value:   "",
+		EnvVars: []string{"WEB_PATH"},
 	},
-	cli.StringFlag{
-		Name:   "proxy-path",
-		Usage:  "path prefix when service is run behind a proxy",
-		Value:  "",
-		EnvVar: "PROXY_PATH",
+	&cli.StringFlag{
+		Name:    "proxy-path",
+		Usage:   "path prefix when service is run behind a proxy",
+		Value:   "",
+		EnvVars: []string{"PROXY_PATH"},
 	},
-	cli.StringFlag{
-		Name:   "proxy-port",
-		Usage:  "port of the proxy when the service is run behind a proxy",
-		Value:  "",
-		EnvVar: "PROXY_PORT",
+	&cli.StringFlag{
+		Name:    "proxy-port",
+		Usage:   "port of the proxy when the service is run behind a proxy",
+		Value:   "",
+		EnvVars: []string{"PROXY_PORT"},
 	},
-	cli.StringFlag{
-		Name:   "email-contact",
-		Usage:  "email address to link in Contact Us (front end)",
-		Value:  "",
-		EnvVar: "EMAIL_CONTACT",
+	&cli.StringFlag{
+		Name:    "email-contact",
+		Usage:   "email address to link in Contact Us (front end)",
+		Value:   "",
+		EnvVars: []string{"EMAIL_CONTACT"},
 	},
-	cli.StringFlag{
-		Name:   "ga-key",
-		Usage:  "key for google analytics (front end)",
-		Value:  "",
-		EnvVar: "GA_KEY",
+	&cli.StringFlag{
+		Name:    "ga-key",
+		Usage:   "key for google analytics (front end)",
+		Value:   "",
+		EnvVars: []string{"GA_KEY"},
 	},
-	cli.StringFlag{
-		Name:   "uservoice-key",
-		Usage:  "key for user voice (front end)",
-		Value:  "",
-		EnvVar: "USERVOICE_KEY",
+	&cli.StringFlag{
+		Name:    "uservoice-key",
+		Usage:   "key for user voice (front end)",
+		Value:   "",
+		EnvVars: []string{"USERVOICE_KEY"},
 	},
-	cli.StringFlag{
-		Name:   "provider",
-		Usage:  "s3|gdrive|local",
-		Value:  "",
-		EnvVar: "PROVIDER",
+	&cli.StringFlag{
+		Name:    "provider",
+		Usage:   "s3|gdrive|local",
+		Value:   "",
+		EnvVars: []string{"PROVIDER"},
 	},
-	cli.StringFlag{
-		Name:   "s3-endpoint",
-		Usage:  "",
-		Value:  "",
-		EnvVar: "S3_ENDPOINT",
+	&cli.StringFlag{
+		Name:    "s3-endpoint",
+		Usage:   "",
+		Value:   "",
+		EnvVars: []string{"S3_ENDPOINT"},
 	},
-	cli.StringFlag{
-		Name:   "s3-region",
-		Usage:  "",
-		Value:  "eu-west-1",
-		EnvVar: "S3_REGION",
+	&cli.StringFlag{
+		Name:    "s3-region",
+		Usage:   "",
+		Value:   "eu-west-1",
+		EnvVars: []string{"S3_REGION"},
 	},
-	cli.StringFlag{
-		Name:   "aws-access-key",
-		Usage:  "",
-		Value:  "",
-		EnvVar: "AWS_ACCESS_KEY",
+	&cli.StringFlag{
+		Name:    "aws-access-key",
+		Usage:   "",
+		Value:   "",
+		EnvVars: []string{"AWS_ACCESS_KEY"},
 	},
-	cli.StringFlag{
-		Name:   "aws-secret-key",
-		Usage:  "",
-		Value:  "",
-		EnvVar: "AWS_SECRET_KEY",
+	&cli.StringFlag{
+		Name:    "aws-secret-key",
+		Usage:   "",
+		Value:   "",
+		EnvVars: []string{"AWS_SECRET_KEY"},
 	},
-	cli.StringFlag{
-		Name:   "bucket",
-		Usage:  "",
-		Value:  "",
-		EnvVar: "BUCKET",
+	&cli.StringFlag{
+		Name:    "bucket",
+		Usage:   "",
+		Value:   "",
+		EnvVars: []string{"BUCKET"},
 	},
-	cli.BoolFlag{
-		Name:   "s3-no-multipart",
-		Usage:  "Disables S3 Multipart Puts",
-		EnvVar: "S3_NO_MULTIPART",
+	&cli.BoolFlag{
+		Name:    "s3-no-multipart",
+		Usage:   "Disables S3 Multipart Puts",
+		EnvVars: []string{"S3_NO_MULTIPART"},
 	},
-	cli.BoolFlag{
-		Name:   "s3-path-style",
-		Usage:  "Forces path style URLs, required for Minio.",
-		EnvVar: "S3_PATH_STYLE",
+	&cli.BoolFlag{
+		Name:    "s3-path-style",
+		Usage:   "Forces path style URLs, required for Minio.",
+		EnvVars: []string{"S3_PATH_STYLE"},
 	},
-	cli.StringFlag{
-		Name:   "gdrive-client-json-filepath",
-		Usage:  "",
-		Value:  "",
-		EnvVar: "GDRIVE_CLIENT_JSON_FILEPATH",
+	&cli.StringFlag{
+		Name:    "gdrive-client-json-filepath",
+		Usage:   "",
+		Value:   "",
+		EnvVars: []string{"GDRIVE_CLIENT_JSON_FILEPATH"},
 	},
-	cli.StringFlag{
-		Name:   "gdrive-local-config-path",
-		Usage:  "",
-		Value:  "",
-		EnvVar: "GDRIVE_LOCAL_CONFIG_PATH",
+	&cli.StringFlag{
+		Name:    "gdrive-local-config-path",
+		Usage:   "",
+		Value:   "",
+		EnvVars: []string{"GDRIVE_LOCAL_CONFIG_PATH"},
 	},
-	cli.IntFlag{
-		Name:   "gdrive-chunk-size",
-		Usage:  "",
-		Value:  googleapi.DefaultUploadChunkSize / 1024 / 1024,
-		EnvVar: "GDRIVE_CHUNK_SIZE",
+	&cli.IntFlag{
+		Name:    "gdrive-chunk-size",
+		Usage:   "",
+		Value:   googleapi.DefaultUploadChunkSize / 1024 / 1024,
+		EnvVars: []string{"GDRIVE_CHUNK_SIZE"},
 	},
-	cli.StringFlag{
-		Name:   "storj-access",
-		Usage:  "Access for the project",
-		Value:  "",
-		EnvVar: "STORJ_ACCESS",
+	&cli.StringFlag{
+		Name:    "storj-access",
+		Usage:   "Access for the project",
+		Value:   "",
+		EnvVars: []string{"STORJ_ACCESS"},
 	},
-	cli.StringFlag{
-		Name:   "storj-bucket",
-		Usage:  "Bucket to use within the project",
-		Value:  "",
-		EnvVar: "STORJ_BUCKET",
+	&cli.StringFlag{
+		Name:    "storj-bucket",
+		Usage:   "Bucket to use within the project",
+		Value:   "",
+		EnvVars: []string{"STORJ_BUCKET"},
 	},
-	cli.IntFlag{
-		Name:   "rate-limit",
-		Usage:  "requests per minute",
-		Value:  0,
-		EnvVar: "RATE_LIMIT",
+	&cli.IntFlag{
+		Name:    "rate-limit",
+		Usage:   "requests per minute",
+		Value:   0,
+		EnvVars: []string{"RATE_LIMIT"},
 	},
-	cli.IntFlag{
-		Name:   "purge-days",
-		Usage:  "number of days after uploads are purged automatically",
-		Value:  0,
-		EnvVar: "PURGE_DAYS",
+	&cli.IntFlag{
+		Name:    "purge-days",
+		Usage:   "number of days after uploads are purged automatically",
+		Value:   0,
+		EnvVars: []string{"PURGE_DAYS"},
 	},
-	cli.IntFlag{
-		Name:   "purge-interval",
-		Usage:  "interval in hours to run the automatic purge for",
-		Value:  0,
-		EnvVar: "PURGE_INTERVAL",
+	&cli.IntFlag{
+		Name:    "purge-interval",
+		Usage:   "interval in hours to run the automatic purge for",
+		Value:   0,
+		EnvVars: []string{"PURGE_INTERVAL"},
 	},
-	cli.Int64Flag{
-		Name:   "max-upload-size",
-		Usage:  "max limit for upload, in kilobytes",
-		Value:  0,
-		EnvVar: "MAX_UPLOAD_SIZE",
+	&cli.Int64Flag{
+		Name:    "max-upload-size",
+		Usage:   "max limit for upload, in kilobytes",
+		Value:   0,
+		EnvVars: []string{"MAX_UPLOAD_SIZE"},
 	},
-	cli.StringFlag{
-		Name:   "lets-encrypt-hosts",
-		Usage:  "host1, host2",
-		Value:  "",
-		EnvVar: "HOSTS",
+	&cli.StringFlag{
+		Name:    "lets-encrypt-hosts",
+		Usage:   "host1, host2",
+		Value:   "",
+		EnvVars: []string{"HOSTS"},
 	},
-	cli.StringFlag{
-		Name:   "log",
-		Usage:  "/var/log/transfersh.log",
-		Value:  "",
-		EnvVar: "LOG",
+	&cli.StringFlag{
+		Name:    "log",
+		Usage:   "/var/log/transfersh.log",
+		Value:   "",
+		EnvVars: []string{"LOG"},
 	},
-	cli.StringFlag{
-		Name:   "basedir",
-		Usage:  "path to storage",
-		Value:  "",
-		EnvVar: "BASEDIR",
+	&cli.StringFlag{
+		Name:    "basedir",
+		Usage:   "path to storage",
+		Value:   "",
+		EnvVars: []string{"BASEDIR"},
 	},
-	cli.StringFlag{
-		Name:   "clamav-host",
-		Usage:  "clamav-host",
-		Value:  "",
-		EnvVar: "CLAMAV_HOST",
+	&cli.StringFlag{
+		Name:    "clamav-host",
+		Usage:   "clamav-host",
+		Value:   "",
+		EnvVars: []string{"CLAMAV_HOST"},
 	},
-	cli.BoolFlag{
-		Name:   "perform-clamav-prescan",
-		Usage:  "perform-clamav-prescan",
-		EnvVar: "PERFORM_CLAMAV_PRESCAN",
+	&cli.BoolFlag{
+		Name:    "perform-clamav-prescan",
+		Usage:   "perform-clamav-prescan",
+		EnvVars: []string{"PERFORM_CLAMAV_PRESCAN"},
 	},
-	cli.StringFlag{
-		Name:   "virustotal-key",
-		Usage:  "virustotal-key",
-		Value:  "",
-		EnvVar: "VIRUSTOTAL_KEY",
+	&cli.StringFlag{
+		Name:    "virustotal-key",
+		Usage:   "virustotal-key",
+		Value:   "",
+		EnvVars: []string{"VIRUSTOTAL_KEY"},
 	},
-	cli.BoolFlag{
-		Name:   "profiler",
-		Usage:  "enable profiling",
-		EnvVar: "PROFILER",
+	&cli.BoolFlag{
+		Name:    "profiler",
+		Usage:   "enable profiling",
+		EnvVars: []string{"PROFILER"},
 	},
-	cli.StringFlag{
-		Name:   "http-auth-user",
-		Usage:  "user for http basic auth",
-		Value:  "",
-		EnvVar: "HTTP_AUTH_USER",
+	&cli.StringFlag{
+		Name:    "http-auth-user",
+		Usage:   "user for http basic auth",
+		Value:   "",
+		EnvVars: []string{"HTTP_AUTH_USER"},
 	},
-	cli.StringFlag{
-		Name:   "http-auth-pass",
-		Usage:  "pass for http basic auth",
-		Value:  "",
-		EnvVar: "HTTP_AUTH_PASS",
+	&cli.StringFlag{
+		Name:    "http-auth-pass",
+		Usage:   "pass for http basic auth",
+		Value:   "",
+		EnvVars: []string{"HTTP_AUTH_PASS"},
 	},
-	cli.StringFlag{
-		Name:   "ip-whitelist",
-		Usage:  "comma separated list of ips allowed to connect to the service",
-		Value:  "",
-		EnvVar: "IP_WHITELIST",
+	&cli.StringFlag{
+		Name:    "http-auth-htpasswd",
+		Usage:   "htpasswd file http basic auth",
+		Value:   "",
+		EnvVars: []string{"HTTP_AUTH_HTPASSWD"},
 	},
-	cli.StringFlag{
-		Name:   "ip-blacklist",
-		Usage:  "comma separated list of ips not allowed to connect to the service",
-		Value:  "",
-		EnvVar: "IP_BLACKLIST",
+	&cli.StringFlag{
+		Name:    "http-auth-ip-whitelist",
+		Usage:   "comma separated list of ips allowed to upload without being challenged an http auth",
+		Value:   "",
+		EnvVars: []string{"HTTP_AUTH_IP_WHITELIST"},
 	},
-	cli.StringFlag{
-		Name:   "cors-domains",
-		Usage:  "comma separated list of domains allowed for CORS requests",
-		Value:  "",
-		EnvVar: "CORS_DOMAINS",
+	&cli.StringFlag{
+		Name:    "ip-whitelist",
+		Usage:   "comma separated list of ips allowed to connect to the service",
+		Value:   "",
+		EnvVars: []string{"IP_WHITELIST"},
 	},
-	cli.IntFlag{
-		Name:   "random-token-length",
-		Usage:  "",
-		Value:  6,
-		EnvVar: "RANDOM_TOKEN_LENGTH",
+	&cli.StringFlag{
+		Name:    "ip-blacklist",
+		Usage:   "comma separated list of ips not allowed to connect to the service",
+		Value:   "",
+		EnvVars: []string{"IP_BLACKLIST"},
+	},
+	&cli.StringFlag{
+		Name:    "cors-domains",
+		Usage:   "comma separated list of domains allowed for CORS requests",
+		Value:   "",
+		EnvVars: []string{"CORS_DOMAINS"},
+	},
+	&cli.IntFlag{
+		Name:    "random-token-length",
+		Usage:   "",
+		Value:   10,
+		EnvVars: []string{"RANDOM_TOKEN_LENGTH"},
 	},
 }

@@ -300,8 +314,9 @@ type Cmd struct {
 	*cli.App
 }

-func versionCommand(_ *cli.Context) {
+func versionCommand(_ *cli.Context) error {
 	fmt.Println(color.YellowString("transfer.sh %s: Easy file sharing from the command line", Version))
+	return nil
 }

 // New is the factory for transfer.sh
@@ -310,13 +325,13 @@ func New() *Cmd {

 	app := cli.NewApp()
 	app.Name = "transfer.sh"
-	app.Author = ""
+	app.Authors = []*cli.Author{}
 	app.Usage = "transfer.sh"
 	app.Description = `Easy file sharing from the command line`
 	app.Version = Version
 	app.Flags = globalFlags
 	app.CustomAppHelpTemplate = helpTemplate
-	app.Commands = []cli.Command{
+	app.Commands = []*cli.Command{
 		{
 			Name:   "version",
 			Action: versionCommand,
@@ -327,7 +342,7 @@ func New() *Cmd {
 		return nil
 	}

-	app.Action = func(c *cli.Context) {
+	app.Action = func(c *cli.Context) error {
 		var options []server.OptionFn
 		if v := c.String("listener"); v != "" {
 			options = append(options, server.Listener(v))
@@ -396,7 +411,7 @@ func New() *Cmd {

 		if v := c.Bool("perform-clamav-prescan"); v {
 			if c.String("clamav-host") == "" {
-				panic("clamav-host not set")
+				return errors.New("clamav-host not set")
 			}

 			options = append(options, server.PerformClamavPrescan(v))
@@ -439,6 +454,17 @@ func New() *Cmd {
 			options = append(options, server.HTTPAuthCredentials(httpAuthUser, httpAuthPass))
 		}

+		if httpAuthHtpasswd := c.String("http-auth-htpasswd"); httpAuthHtpasswd != "" {
+			options = append(options, server.HTTPAuthHtpasswd(httpAuthHtpasswd))
+		}
+
+		if httpAuthIPWhitelist := c.String("http-auth-ip-whitelist"); httpAuthIPWhitelist != "" {
+			ipFilterOptions := server.IPFilterOptions{}
+			ipFilterOptions.AllowedIPs = strings.Split(httpAuthIPWhitelist, ",")
+			ipFilterOptions.BlockByDefault = false
+			options = append(options, server.HTTPAUTHFilterOptions(ipFilterOptions))
+		}
+
 		applyIPFilter := false
 		ipFilterOptions := server.IPFilterOptions{}
 		if ipWhitelist := c.String("ip-whitelist"); ipWhitelist != "" {
@@ -459,13 +485,13 @@ func New() *Cmd {
 		switch provider := c.String("provider"); provider {
 		case "s3":
 			if accessKey := c.String("aws-access-key"); accessKey == "" {
-				panic("access-key not set.")
+				return errors.New("access-key not set.")
 			} else if secretKey := c.String("aws-secret-key"); secretKey == "" {
-				panic("secret-key not set.")
+				return errors.New("secret-key not set.")
 			} else if bucket := c.String("bucket"); bucket == "" {
-				panic("bucket not set.")
-			} else if store, err := storage.NewS3Storage(accessKey, secretKey, bucket, purgeDays, c.String("s3-region"), c.String("s3-endpoint"), c.Bool("s3-no-multipart"), c.Bool("s3-path-style"), logger); err != nil {
-				panic(err)
+				return errors.New("bucket not set.")
+			} else if store, err := storage.NewS3Storage(c.Context, accessKey, secretKey, bucket, purgeDays, c.String("s3-region"), c.String("s3-endpoint"), c.Bool("s3-no-multipart"), c.Bool("s3-path-style"), logger); err != nil {
+				return err
 			} else {
 				options = append(options, server.UseStorage(store))
 			}
@@ -473,36 +499,36 @@ func New() *Cmd {
 			chunkSize := c.Int("gdrive-chunk-size") * 1024 * 1024

 			if clientJSONFilepath := c.String("gdrive-client-json-filepath"); clientJSONFilepath == "" {
-				panic("gdrive-client-json-filepath not set.")
+				return errors.New("gdrive-client-json-filepath not set.")
 			} else if localConfigPath := c.String("gdrive-local-config-path"); localConfigPath == "" {
-				panic("gdrive-local-config-path not set.")
+				return errors.New("gdrive-local-config-path not set.")
 			} else if basedir := c.String("basedir"); basedir == "" {
-				panic("basedir not set.")
-			} else if store, err := storage.NewGDriveStorage(clientJSONFilepath, localConfigPath, basedir, chunkSize, logger); err != nil {
-				panic(err)
+				return errors.New("basedir not set.")
+			} else if store, err := storage.NewGDriveStorage(c.Context, clientJSONFilepath, localConfigPath, basedir, chunkSize, logger); err != nil {
+				return err
 			} else {
 				options = append(options, server.UseStorage(store))
 			}
 		case "storj":
 			if access := c.String("storj-access"); access == "" {
-				panic("storj-access not set.")
+				return errors.New("storj-access not set.")
 			} else if bucket := c.String("storj-bucket"); bucket == "" {
-				panic("storj-bucket not set.")
-			} else if store, err := storage.NewStorjStorage(access, bucket, purgeDays, logger); err != nil {
-				panic(err)
+				return errors.New("storj-bucket not set.")
+			} else if store, err := storage.NewStorjStorage(c.Context, access, bucket, purgeDays, logger); err != nil {
+				return err
 			} else {
 				options = append(options, server.UseStorage(store))
 			}
 		case "local":
 			if v := c.String("basedir"); v == "" {
-				panic("basedir not set.")
+				return errors.New("basedir not set.")
 			} else if store, err := storage.NewLocalStorage(v, logger); err != nil {
-				panic(err)
+				return err
 			} else {
 				options = append(options, server.UseStorage(store))
 			}
 		default:
-			panic("Provider not set or invalid.")
+			return errors.New("Provider not set or invalid.")
 		}

 		srvr, err := server.New(
@@ -511,10 +537,11 @@ func New() *Cmd {

 		if err != nil {
 			logger.Println(color.RedString("Error starting server: %s", err.Error()))
-			return
+			return err
 		}

 		srvr.Run()
+		return nil
 	}

 	return &Cmd{
--- a/flake.nix
+++ b/flake.nix
@@ -44,6 +44,8 @@
              tls-private-key = mkOption { type = types.nullOr types.str; description = "path to tls private key "; };
              http-auth-user = mkOption { type = types.nullOr types.str; description = "user for basic http auth on upload"; };
              http-auth-pass = mkOption { type = types.nullOr types.str; description = "pass for basic http auth on upload"; };
+              http-auth-htpasswd = mkOption { type = types.nullOr types.str; description = "htpasswd file path for basic http auth on upload"; };
+              http-auth-ip-whitelist = mkOption { type = types.nullOr types.str; description = "comma separated list of ips allowed to upload without being challenged an http auth"; };
              ip-whitelist = mkOption { type = types.nullOr types.str; description = "comma separated list of ips allowed to connect to the service"; };
              ip-blacklist = mkOption { type = types.nullOr types.str; description = "comma separated list of ips not allowed to connect to the service"; };
              temp-path = mkOption { type = types.nullOr types.str; description = "path to temp folder"; };
--- a/go.mod
+++ b/go.mod
@@ -3,9 +3,15 @@ module github.com/dutchcoders/transfer.sh
 go 1.18

 require (
+	github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8
+	github.com/ProtonMail/gopenpgp/v2 v2.5.2
 	github.com/PuerkitoBio/ghost v0.0.0-20160324114900-206e6e460e14
 	github.com/VojtechVitek/ratelimit v0.0.0-20160722140851-dc172bc0f6d2
-	github.com/aws/aws-sdk-go v1.44.211
+	github.com/aws/aws-sdk-go-v2 v1.18.0
+	github.com/aws/aws-sdk-go-v2/config v1.18.25
+	github.com/aws/aws-sdk-go-v2/credentials v1.13.24
+	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.67
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.33.1
 	github.com/dutchcoders/go-clamd v0.0.0-20170520113014-b970184f4d9e
 	github.com/dutchcoders/go-virustotal v0.0.0-20140923143438-24cc8e6fa329
 	github.com/dutchcoders/transfer.sh-web v0.0.0-20221119114740-ca3a2621d2a6
@@ -14,13 +20,14 @@ require (
 	github.com/golang/gddo v0.0.0-20210115222349-20d68f94ee1f
 	github.com/gorilla/handlers v1.5.1
 	github.com/gorilla/mux v1.8.0
-	github.com/microcosm-cc/bluemonday v1.0.22
+	github.com/microcosm-cc/bluemonday v1.0.23
 	github.com/russross/blackfriday/v2 v2.1.0
 	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
+	github.com/tg123/go-htpasswd v1.2.1
 	github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce
-	github.com/urfave/cli v1.22.12
+	github.com/urfave/cli/v2 v2.25.3
 	golang.org/x/crypto v0.6.0
-	golang.org/x/net v0.7.0
+	golang.org/x/net v0.8.0
 	golang.org/x/oauth2 v0.5.0
 	google.golang.org/api v0.111.0
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
@@ -31,8 +38,24 @@ require (
 require (
 	cloud.google.com/go/compute v1.18.0 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
+	github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.10 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.33 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.27 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.25 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.28 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.27 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.14.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.12.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.19.0 // indirect
+	github.com/aws/smithy-go v1.13.5 // indirect
 	github.com/aymerick/douceur v0.2.0 // indirect
 	github.com/calebcase/tmpfile v1.0.3 // indirect
+	github.com/cloudflare/circl v1.3.3 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/felixge/httpsnoop v1.0.3 // indirect
 	github.com/flynn/noise v1.0.0 // indirect
@@ -57,16 +80,18 @@ require (
 	github.com/rogpeppe/go-internal v1.9.0 // indirect
 	github.com/spacemonkeygo/monkit/v3 v3.0.19 // indirect
 	github.com/vivint/infectious v0.0.0-20200605153912-25a574ae18a3 // indirect
+	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
 	github.com/zeebo/blake3 v0.2.3 // indirect
 	github.com/zeebo/errs v1.3.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	golang.org/x/sync v0.1.0 // indirect
-	golang.org/x/sys v0.5.0 // indirect
-	golang.org/x/text v0.7.0 // indirect
+	golang.org/x/sys v0.6.0 // indirect
+	golang.org/x/text v0.8.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20230227214838-9b19f0bdc514 // indirect
 	google.golang.org/grpc v1.53.0 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 	storj.io/drpc v0.0.33-0.20230204035225-c9649dee8f2a // indirect
 	storj.io/picobuf v0.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -7,20 +7,68 @@ cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGB
 cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
 cloud.google.com/go/longrunning v0.4.1 h1:v+yFJOfKC3yZdY6ZUI933pIYdhyhV8S3NpWrXWmg7jM=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
+github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962 h1:KeNholpO2xKjgaaSyd+DyQRrsQjhbSeS7qe4nEw8aQw=
+github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962/go.mod h1:kC29dT1vFpj7py2OvG1khBdQpo3kInWP+6QipLbdngo=
+github.com/ProtonMail/go-crypto v0.0.0-20230124153114-0acdc8ae009b/go.mod h1:I0gYDMZ6Z5GRU7l58bNFSkPTFN6Yl12dsUlAZ8xy98g=
+github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 h1:wPbRQzjjwFc0ih8puEVAOFGELsn1zoIIYdxvML7mDxA=
+github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8/go.mod h1:I0gYDMZ6Z5GRU7l58bNFSkPTFN6Yl12dsUlAZ8xy98g=
+github.com/ProtonMail/go-mime v0.0.0-20221031134845-8fd9bc37cf08/go.mod h1:qRZgbeASl2a9OwmsV85aWwRqic0NHPh+9ewGAzb4cgM=
+github.com/ProtonMail/gopenpgp/v2 v2.5.2 h1:97SjlWNAxXl9P22lgwgrZRshQdiEfAht0g3ZoiA1GCw=
+github.com/ProtonMail/gopenpgp/v2 v2.5.2/go.mod h1:52qDaCnto6r+CoWbuU50T77XQt99lIs46HtHtvgFO3o=
 github.com/PuerkitoBio/ghost v0.0.0-20160324114900-206e6e460e14 h1:3zOOc7WdrATDXof+h/rBgMsg0sAmZIEVHft1UbWHh94=
 github.com/PuerkitoBio/ghost v0.0.0-20160324114900-206e6e460e14/go.mod h1:+VFiaivV54Sa94ijzA/ZHQLoHuoUIS9hIqCK6f/76Zw=
 github.com/VojtechVitek/ratelimit v0.0.0-20160722140851-dc172bc0f6d2 h1:sIvihcW4qpN5qGSjmrsDDAbLpEq5tuHjJJfWY0Hud5Y=
 github.com/VojtechVitek/ratelimit v0.0.0-20160722140851-dc172bc0f6d2/go.mod h1:3YwJE8rEisS9eraee0hygGG4G3gqX8H8Nyu+nPTUnGU=
-github.com/aws/aws-sdk-go v1.44.211 h1:YNr5DwdzG/8y9Tl0QrPTnC99aFUHgT5hhy6GpnnzHK4=
-github.com/aws/aws-sdk-go v1.44.211/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
+github.com/aws/aws-sdk-go-v2 v1.18.0 h1:882kkTpSFhdgYRKVZ/VCgf7sd0ru57p2JCxz4/oN5RY=
+github.com/aws/aws-sdk-go-v2 v1.18.0/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.10 h1:dK82zF6kkPeCo8J1e+tGx4JdvDIQzj7ygIoLg8WMuGs=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.10/go.mod h1:VeTZetY5KRJLuD/7fkQXMU6Mw7H5m/KP2J5Iy9osMno=
+github.com/aws/aws-sdk-go-v2/config v1.18.25 h1:JuYyZcnMPBiFqn87L2cRppo+rNwgah6YwD3VuyvaW6Q=
+github.com/aws/aws-sdk-go-v2/config v1.18.25/go.mod h1:dZnYpD5wTW/dQF0rRNLVypB396zWCcPiBIvdvSWHEg4=
+github.com/aws/aws-sdk-go-v2/credentials v1.13.24 h1:PjiYyls3QdCrzqUN35jMWtUK1vqVZ+zLfdOa/UPFDp0=
+github.com/aws/aws-sdk-go-v2/credentials v1.13.24/go.mod h1:jYPYi99wUOPIFi0rhiOvXeSEReVOzBqFNOX5bXYoG2o=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.3 h1:jJPgroehGvjrde3XufFIJUZVK5A2L9a3KwSFgKy9n8w=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.3/go.mod h1:4Q0UFP0YJf0NrsEuEYHpM9fTSEVnD16Z3uyEF7J9JGM=
+github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.67 h1:fI9/5BDEaAv/pv1VO1X1n3jfP9it+IGqWsCuuBQI8wM=
+github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.67/go.mod h1:zQClPRIwQZfJlZq6WZve+s4Tb4JW+3V6eS+4+KrYeP8=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.33 h1:kG5eQilShqmJbv11XL1VpyDbaEJzWxd4zRiCG30GSn4=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.33/go.mod h1:7i0PF1ME/2eUPFcjkVIwq+DOygHEoK92t5cDqNgYbIw=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.27 h1:vFQlirhuM8lLlpI7imKOMsjdQLuN9CPi+k44F/OFVsk=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.27/go.mod h1:UrHnn3QV/d0pBZ6QBAEQcqFLf8FAzLmoUfPVIueOvoM=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.3.34 h1:gGLG7yKaXG02/jBlg210R7VgQIotiQntNhsCFejawx8=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.3.34/go.mod h1:Etz2dj6UHYuw+Xw830KfzCfWGMzqvUTCjUj5b76GVDc=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.25 h1:AzwRi5OKKwo4QNqPf7TjeO+tK8AyOK3GVSwmRPo7/Cs=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.25/go.mod h1:SUbB4wcbSEyCvqBxv/O/IBf93RbEze7U7OnoTlpPB+g=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.11 h1:y2+VQzC6Zh2ojtV2LoC0MNwHWc6qXv/j2vrQtlftkdA=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.11/go.mod h1:iV4q2hsqtNECrfmlXyord9u4zyuFEJX9eLgLpSPzWA8=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.28 h1:vGWm5vTpMr39tEZfQeDiDAMgk+5qsnvRny3FjLpnH5w=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.28/go.mod h1:spfrICMD6wCAhjhzHuy6DOZZ+LAIY10UxhUmLzpJTTs=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.27 h1:0iKliEXAcCa2qVtRs7Ot5hItA2MsufrphbRFlz1Owxo=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.27/go.mod h1:EOwBD4J4S5qYszS5/3DpkejfuK+Z5/1uzICfPaZLtqw=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.14.2 h1:NbWkRxEEIRSCqxhsHQuMiTH7yo+JZW1gp8v3elSVMTQ=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.14.2/go.mod h1:4tfW5l4IAB32VWCDEBxCRtR9T4BWy4I4kr1spr8NgZM=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.33.1 h1:O+9nAy9Bb6bJFTpeNFtd9UfHbgxO1o4ZDAM9rQp5NsY=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.33.1/go.mod h1:J9kLNzEiHSeGMyN7238EjJmBpCniVzFda75Gxl/NqB8=
+github.com/aws/aws-sdk-go-v2/service/sso v1.12.10 h1:UBQjaMTCKwyUYwiVnUt6toEJwGXsLBI6al083tpjJzY=
+github.com/aws/aws-sdk-go-v2/service/sso v1.12.10/go.mod h1:ouy2P4z6sJN70fR3ka3wD3Ro3KezSxU6eKGQI2+2fjI=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.10 h1:PkHIIJs8qvq0e5QybnZoG1K/9QTrLr9OsqCIo59jOBA=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.10/go.mod h1:AFvkxc8xfBe8XA+5St5XIHHrQQtkxqrRincx4hmMHOk=
+github.com/aws/aws-sdk-go-v2/service/sts v1.19.0 h1:2DQLAKDteoEDI8zpCzqBMaZlJuoE9iTYD0gFmXVax9E=
+github.com/aws/aws-sdk-go-v2/service/sts v1.19.0/go.mod h1:BgQOMsg8av8jset59jelyPW7NoZcZXLVpDsXunGDrk8=
+github.com/aws/smithy-go v1.13.5 h1:hgz0X/DX0dGqTYpGALqXJoRKRj5oQ7150i5FdTePzO8=
+github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
 github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=
 github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
 github.com/bradfitz/gomemcache v0.0.0-20170208213004-1952afaa557d/go.mod h1:PmM6Mmwb0LSuEubjR8N7PtNe1KxZLtOUHtbeikc5h60=
+github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
 github.com/calebcase/tmpfile v1.0.3 h1:BZrOWZ79gJqQ3XbAQlihYZf/YCV0H4KPIdM5K5oMpJo=
 github.com/calebcase/tmpfile v1.0.3/go.mod h1:UAUc01aHeC+pudPagY/lWvt2qS9ZO5Zzof6/tIUzqeI=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/cloudflare/circl v1.1.0/go.mod h1:prBCrKB9DV4poKZY1l9zBXg2QJY7mvgRvtMxxK7fi4I=
+github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs=
+github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHHBfMQ6w=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
@@ -85,6 +133,7 @@ github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/pprof v0.0.0-20211108044417-e9b028704de0 h1:rsq1yB2xiFLDYYaYdlGBsSkwVzsCo500wMhxvW5A/bk=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -135,8 +184,8 @@ github.com/mattn/go-isatty v0.0.2/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNx
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng=
 github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/microcosm-cc/bluemonday v1.0.22 h1:p2tT7RNzRdCi0qmwxG+HbqD6ILkmwter1ZwVZn1oTxA=
-github.com/microcosm-cc/bluemonday v1.0.22/go.mod h1:ytNkv4RrDrLJ2pqlsSI46O6IVXmZOBBD4SaJyDwwTkM=
+github.com/microcosm-cc/bluemonday v1.0.23 h1:SMZe2IGa0NuHvnVNAZ+6B38gsTbi5e4sViiWJyDDqFY=
+github.com/microcosm-cc/bluemonday v1.0.23/go.mod h1:mN70sk7UkkF8TUr2IGBpNN0jAgStuPzlK76QuruE/z4=
 github.com/mitchellh/mapstructure v0.0.0-20170523030023-d0303fe80992/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d h1:VhgPp6v9qf9Agr/56bj7Y/xa04UccTW04VP0Qed4vnQ=
 github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d/go.mod h1:YUTz3bUH2ZwIWBy3CJBeOBEugqcmXREj14T+iG/4k4U=
@@ -164,16 +213,21 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/tg123/go-htpasswd v1.2.1 h1:i4wfsX1KvvkyoMiHZzjS0VzbAPWfxzI8INcZAKtutoU=
+github.com/tg123/go-htpasswd v1.2.1/go.mod h1:erHp1B86KXdwQf1X5ZrLb7erXZnWueEQezb2dql4q58=
 github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce h1:fb190+cK2Xz/dvi9Hv8eCYJYvIGUTN2/KLq1pT6CjEc=
 github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce/go.mod h1:o8v6yHRoik09Xen7gje4m9ERNah1d1PPsVq1VEx9vE4=
-github.com/urfave/cli v1.22.12 h1:igJgVw1JdKH+trcLWLeLwZjU9fEfPesQ+9/e4MQ44S8=
-github.com/urfave/cli v1.22.12/go.mod h1:sSBEIC79qR6OvcmsD4U3KABeOTxDqQtdDnaFuUN30b8=
+github.com/urfave/cli/v2 v2.25.3 h1:VJkt6wvEBOoSjPFQvOkv6iWIrsJyCrKGtCtxXWwmGeY=
+github.com/urfave/cli/v2 v2.25.3/go.mod h1:GHupkWPMM0M/sj1a2b4wUrWBPzazNrIjouW6fmdJLxc=
 github.com/vivint/infectious v0.0.0-20200605153912-25a574ae18a3 h1:zMsHhfK9+Wdl1F7sIKLyx3wrOFofpb3rWFbA4HgcK5k=
 github.com/vivint/infectious v0.0.0-20200605153912-25a574ae18a3/go.mod h1:R0Gbuw7ElaGSLOZUSwBm/GgVwMd30jWxBDdAyMOeTuc=
+github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 h1:bAn7/zixMGCfxrRTfdpNzjtPYqr8smhKouy9mxVdGPU=
+github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673/go.mod h1:N3UwUGtsrSj3ccvlPHLoLsHnpR27oXr4ZE984MbSER8=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
@@ -188,6 +242,7 @@ github.com/zeebo/pcg v1.0.1/go.mod h1:09F0S9iiKrwn9rlI5yjLkmrug154/YRW6KnnXVDM/l
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
@@ -195,9 +250,15 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.6.0 h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20190731235908-ec7cb31e5a56/go.mod h1:JhuoJpWY28nO4Vef9tZUw9qufEGTyX1+7lmHxV5q5G4=
+golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
+golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
+golang.org/x/mobile v0.0.0-20221110043201-43a038452099/go.mod h1:aAjjkJNdrh3PMckS4B10TGS2nag27cbKR1y2BpUxsiY=
+golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@@ -214,9 +275,8 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
-golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
-golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ=
+golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/oauth2 v0.0.0-20170912212905-13449ad91cb2/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.5.0 h1:HuArIo48skDwlrvM3sEdHXElYslAMsf3KwRkkW4MC4s=
@@ -239,28 +299,27 @@ golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68=
+golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/time v0.0.0-20170424234030-8be79e1e0910/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
--- a/server/handlers.go
+++ b/server/handlers.go
@@ -52,7 +52,13 @@ import (
 	textTemplate "text/template"
 	"time"

+	"github.com/ProtonMail/go-crypto/openpgp"
+	"github.com/ProtonMail/go-crypto/openpgp/armor"
+	"github.com/ProtonMail/go-crypto/openpgp/packet"
+	"github.com/ProtonMail/gopenpgp/v2/constants"
 	"github.com/dutchcoders/transfer.sh/server/storage"
+	"github.com/tg123/go-htpasswd"
+	"github.com/tomasen/realip"

 	web "github.com/dutchcoders/transfer.sh-web"
 	"github.com/gorilla/mux"
@@ -90,6 +96,128 @@ func initHTMLTemplates() *htmlTemplate.Template {
 	return templates
 }

+func attachEncryptionReader(reader io.ReadCloser, password string) (io.ReadCloser, error) {
+	if len(password) == 0 {
+		return reader, nil
+	}
+
+	return encrypt(reader, []byte(password))
+}
+
+func attachDecryptionReader(reader io.ReadCloser, password string) (io.ReadCloser, error) {
+	if len(password) == 0 {
+		return reader, nil
+	}
+
+	return decrypt(reader, []byte(password))
+}
+
+func decrypt(ciphertext io.ReadCloser, password []byte) (plaintext io.ReadCloser, err error) {
+	unarmored, err := armor.Decode(ciphertext)
+	if err != nil {
+		return
+	}
+
+	firstTimeCalled := true
+	var prompt = func(keys []openpgp.Key, symmetric bool) ([]byte, error) {
+		if firstTimeCalled {
+			firstTimeCalled = false
+			return password, nil
+		}
+		// Re-prompt still occurs if SKESK pasrsing fails (i.e. when decrypted cipher algo is invalid).
+		// For most (but not all) cases, inputting a wrong passwords is expected to trigger this error.
+		return nil, errors.New("gopenpgp: wrong password in symmetric decryption")
+	}
+
+	config := &packet.Config{
+		DefaultCipher: packet.CipherAES256,
+	}
+
+	var emptyKeyRing openpgp.EntityList
+	md, err := openpgp.ReadMessage(unarmored.Body, emptyKeyRing, prompt, config)
+	if err != nil {
+		// Parsing errors when reading the message are most likely caused by incorrect password, but we cannot know for sure
+		return
+	}
+
+	plaintext = io.NopCloser(md.UnverifiedBody)
+
+	return
+}
+
+type encryptWrapperReader struct {
+	plaintext         io.Reader
+	encrypt           io.WriteCloser
+	armored           io.WriteCloser
+	buffer            io.ReadWriter
+	plaintextReadZero bool
+}
+
+func (e *encryptWrapperReader) Read(p []byte) (n int, err error) {
+	p2 := make([]byte, len(p))
+
+	n, _ = e.plaintext.Read(p2)
+	if n == 0 {
+		if !e.plaintextReadZero {
+			err = e.encrypt.Close()
+			if err != nil {
+				return
+			}
+
+			err = e.armored.Close()
+			if err != nil {
+				return
+			}
+
+			e.plaintextReadZero = true
+		}
+
+		return e.buffer.Read(p)
+	}
+
+	return e.buffer.Read(p)
+}
+
+func (e *encryptWrapperReader) Close() error {
+	return nil
+}
+
+func NewEncryptWrapperReader(plaintext io.Reader, armored, encrypt io.WriteCloser, buffer io.ReadWriter) io.ReadCloser {
+	return &encryptWrapperReader{
+		plaintext: io.TeeReader(plaintext, encrypt),
+		encrypt:   encrypt,
+		armored:   armored,
+		buffer:    buffer,
+	}
+}
+
+func encrypt(plaintext io.ReadCloser, password []byte) (ciphertext io.ReadCloser, err error) {
+	bufferReadWriter := new(bytes.Buffer)
+	armored, err := armor.Encode(bufferReadWriter, constants.PGPMessageHeader, nil)
+	if err != nil {
+		return
+	}
+	config := &packet.Config{
+		DefaultCipher: packet.CipherAES256,
+		Time:          time.Now,
+	}
+
+	hints := &openpgp.FileHints{
+		IsBinary: true,
+		FileName: "",
+		ModTime:  time.Unix(time.Now().Unix(), 0),
+	}
+
+	encryptWriter, err := openpgp.SymmetricallyEncrypt(armored, password, hints, config)
+	if err != nil {
+		return
+	}
+
+	ciphertext = NewEncryptWrapperReader(plaintext, armored, encryptWriter, bufferReadWriter)
+
+	return
+}
+
 func healthHandler(w http.ResponseWriter, _ *http.Request) {
 	_, _ = w.Write([]byte("Approaching Neutral Zone, all systems normal and functioning."))
 }
@@ -117,6 +245,8 @@ func canContainsXSS(contentType string) bool {

 /* The preview handler will show a preview of the content for browsers (accept type text/html), and referer is not transfer.sh */
 func (s *Server) previewHandler(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Vary", "Range, Referer, X-Decrypt-Password")
+
 	vars := mux.Vars(r)

 	token := vars["token"]
@@ -244,7 +374,7 @@ func (s *Server) viewHandler(w http.ResponseWriter, r *http.Request) {

 	purgeTime := ""
 	if s.purgeDays > 0 {
-		purgeTime = s.purgeDays.String()
+		purgeTime = formatDurationDays(s.purgeDays)
 	}

 	data := struct {
@@ -269,6 +399,7 @@ func (s *Server) viewHandler(w http.ResponseWriter, r *http.Request) {
 		token(s.randomTokenLength),
 	}

+	w.Header().Set("Vary", "Accept")
 	if acceptsHTML(r.Header) {
 		if err := htmlTemplates.ExecuteTemplate(w, "index.html", data); err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
@@ -362,7 +493,7 @@ func (s *Server) postHandler(w http.ResponseWriter, r *http.Request) {
 				}
 			}

-			metadata := metadataForRequest(contentType, s.randomTokenLength, r)
+			metadata := metadataForRequest(contentType, contentLength, s.randomTokenLength, r)

 			buffer := &bytes.Buffer{}
 			if err := json.NewEncoder(buffer).Encode(metadata); err != nil {
@@ -379,7 +510,13 @@ func (s *Server) postHandler(w http.ResponseWriter, r *http.Request) {

 			s.logger.Printf("Uploading %s %s %d %s", token, filename, contentLength, contentType)

-			if err = s.storage.Put(r.Context(), token, filename, file, contentType, uint64(contentLength)); err != nil {
+			reader, err := attachEncryptionReader(file, r.Header.Get("X-Encrypt-Password"))
+			if err != nil {
+				http.Error(w, "Could not crypt file", http.StatusInternalServerError)
+				return
+			}
+
+			if err = s.storage.Put(r.Context(), token, filename, reader, contentType, uint64(contentLength)); err != nil {
 				s.logger.Printf("Backend storage error: %s", err.Error())
 				http.Error(w, err.Error(), http.StatusInternalServerError)
 				return
@@ -417,8 +554,8 @@ func (s *Server) cleanTmpFile(f *os.File) {
 type metadata struct {
 	// ContentType is the original uploading content type
 	ContentType string
-	// Secret as knowledge to delete file
-	// Secret string
+	// ContentLength is is the original uploading content length
+	ContentLength int64
 	// Downloads is the actual number of downloads
 	Downloads int
 	// MaxDownloads contains the maximum numbers of downloads
@@ -427,11 +564,16 @@ type metadata struct {
 	MaxDate time.Time
 	// DeletionToken contains the token to match against for deletion
 	DeletionToken string
+	// Encrypted contains if the file was encrypted
+	Encrypted bool
+	// DecryptedContentType is the original uploading content type
+	DecryptedContentType string
 }

-func metadataForRequest(contentType string, randomTokenLength int, r *http.Request) metadata {
+func metadataForRequest(contentType string, contentLength int64, randomTokenLength int, r *http.Request) metadata {
 	metadata := metadata{
 		ContentType:   strings.ToLower(contentType),
+		ContentLength: contentLength,
 		MaxDate:       time.Time{},
 		Downloads:     0,
 		MaxDownloads:  -1,
@@ -450,6 +592,14 @@ func metadataForRequest(contentType string, randomTokenLength int, r *http.Reque
 		metadata.MaxDate = time.Now().Add(time.Hour * 24 * time.Duration(v))
 	}

+	if password := r.Header.Get("X-Encrypt-Password"); password != "" {
+		metadata.Encrypted = true
+		metadata.ContentType = "text/plain; charset=utf-8"
+		metadata.DecryptedContentType = contentType
+	} else {
+		metadata.Encrypted = false
+	}
+
 	return metadata
 }

@@ -527,7 +677,7 @@ func (s *Server) putHandler(w http.ResponseWriter, r *http.Request) {

 	token := token(s.randomTokenLength)

-	metadata := metadataForRequest(contentType, s.randomTokenLength, r)
+	metadata := metadataForRequest(contentType, contentLength, s.randomTokenLength, r)

 	buffer := &bytes.Buffer{}
 	if err := json.NewEncoder(buffer).Encode(metadata); err != nil {
@@ -546,7 +696,13 @@ func (s *Server) putHandler(w http.ResponseWriter, r *http.Request) {

 	s.logger.Printf("Uploading %s %s %d %s", token, filename, contentLength, contentType)

-	if err := s.storage.Put(r.Context(), token, filename, reader, contentType, uint64(contentLength)); err != nil {
+	reader, err := attachEncryptionReader(reader, r.Header.Get("X-Encrypt-Password"))
+	if err != nil {
+		http.Error(w, "Could not crypt file", http.StatusInternalServerError)
+		return
+	}
+
+	if err = s.storage.Put(r.Context(), token, filename, reader, contentType, uint64(contentLength)); err != nil {
 		s.logger.Printf("Error putting new file: %s", err.Error())
 		http.Error(w, "Could not save file", http.StatusInternalServerError)
 		return
@@ -1004,6 +1160,7 @@ func (s *Server) headHandler(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Connection", "close")
 	w.Header().Set("X-Remaining-Downloads", remainingDownloads)
 	w.Header().Set("X-Remaining-Days", remainingDays)
+	w.Header().Set("Vary", "Range, Referer, X-Decrypt-Password")

 	if s.storage.IsRangeSupported() {
 		w.Header().Set("Accept-Ranges", "bytes")
@@ -1054,7 +1211,6 @@ func (s *Server) getHandler(w http.ResponseWriter, r *http.Request) {
 	}

 	var disposition string
-
 	if action == "inline" {
 		disposition = "inline"
 		/*
@@ -1062,7 +1218,7 @@ func (s *Server) getHandler(w http.ResponseWriter, r *http.Request) {
 			So add text/plain in this case to fix XSS related issues/
 		*/
 		if strings.TrimSpace(contentType) == "" {
-			contentType = "text/plain"
+			contentType = "text/plain; charset=utf-8"
 		}
 	} else {
 		disposition = "attachment"
@@ -1070,14 +1226,28 @@ func (s *Server) getHandler(w http.ResponseWriter, r *http.Request) {

 	remainingDownloads, remainingDays := metadata.remainingLimitHeaderValues()

-	w.Header().Set("Content-Type", contentType)
-	w.Header().Set("Content-Length", strconv.FormatUint(contentLength, 10))
-	w.Header().Set("Content-Disposition", fmt.Sprintf("%s; filename=\"%s\"", disposition, filename))
+	w.Header().Set("Content-Disposition", fmt.Sprintf(`%s; filename="%s"`, disposition, filename))
 	w.Header().Set("Connection", "keep-alive")
 	w.Header().Set("Cache-Control", "no-store")
 	w.Header().Set("X-Remaining-Downloads", remainingDownloads)
 	w.Header().Set("X-Remaining-Days", remainingDays)

+	password := r.Header.Get("X-Decrypt-Password")
+	reader, err = attachDecryptionReader(reader, password)
+	if err != nil {
+		http.Error(w, "Could not decrypt file", http.StatusInternalServerError)
+		return
+	}
+
+	if metadata.Encrypted && len(password) > 0 {
+		contentType = metadata.DecryptedContentType
+		contentLength = uint64(metadata.ContentLength)
+	}
+
+	w.Header().Set("Content-Type", contentType)
+	w.Header().Set("Content-Length", strconv.FormatUint(contentLength, 10))
+	w.Header().Set("Vary", "Range, Referer, X-Decrypt-Password")
+
 	if rng != nil && rng.ContentRange() != "" {
 		w.WriteHeader(http.StatusPartialContent)
 	}
@@ -1149,27 +1319,55 @@ func ipFilterHandler(h http.Handler, ipFilterOptions *IPFilterOptions) http.Hand
 		if ipFilterOptions == nil {
 			h.ServeHTTP(w, r)
 		} else {
-			WrapIPFilter(h, *ipFilterOptions).ServeHTTP(w, r)
+			WrapIPFilter(h, ipFilterOptions).ServeHTTP(w, r)
 		}
 	}
 }

 func (s *Server) basicAuthHandler(h http.Handler) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		if s.AuthUser == "" || s.AuthPass == "" {
+		if s.authUser == "" && s.authPass == "" && s.authHtpasswd == "" {
 			h.ServeHTTP(w, r)
 			return
 		}

+		if s.htpasswdFile == nil && s.authHtpasswd != "" {
+			htpasswdFile, err := htpasswd.New(s.authHtpasswd, htpasswd.DefaultSystems, nil)
+			if err != nil {
+				http.Error(w, err.Error(), http.StatusInternalServerError)
+				return
+			}
+
+			s.htpasswdFile = htpasswdFile
+		}
+
+		if s.authIPFilter == nil && s.authIPFilterOptions != nil {
+			s.authIPFilter = newIPFilter(s.authIPFilterOptions)
+		}
+
 		w.Header().Set("WWW-Authenticate", "Basic realm=\"Restricted\"")

+		var authorized bool
+		if s.authIPFilter != nil {
+			remoteIP := realip.FromRequest(r)
+			authorized = s.authIPFilter.Allowed(remoteIP)
+		}
+
 		username, password, authOK := r.BasicAuth()
-		if !authOK {
+		if !authOK && !authorized {
 			http.Error(w, "Not authorized", http.StatusUnauthorized)
 			return
 		}

-		if username != s.AuthUser || password != s.AuthPass {
+		if !authorized && username == s.authUser && password == s.authPass {
+			authorized = true
+		}
+
+		if !authorized && s.htpasswdFile != nil {
+			authorized = s.htpasswdFile.Match(username, password)
+		}
+
+		if !authorized {
 			http.Error(w, "Not authorized", http.StatusUnauthorized)
 			return
 		}
--- a/server/ip_filter.go
+++ b/server/ip_filter.go
@@ -45,7 +45,6 @@ type IPFilterOptions struct {

 // ipFilter
 type ipFilter struct {
-	opts IPFilterOptions
 	//mut protects the below
 	//rw since writes are rare
 	mut            sync.RWMutex
@@ -60,13 +59,12 @@ type subnet struct {
 	allowed bool
 }

-func newIPFilter(opts IPFilterOptions) *ipFilter {
+func newIPFilter(opts *IPFilterOptions) *ipFilter {
 	if opts.Logger == nil {
 		flags := log.LstdFlags
 		opts.Logger = log.New(os.Stdout, "", flags)
 	}
 	f := &ipFilter{
-		opts:           opts,
 		ips:            map[string]bool{},
 		defaultAllowed: !opts.BlockByDefault,
 	}
@@ -189,7 +187,7 @@ func (f *ipFilter) Wrap(next http.Handler) http.Handler {
 }

 // WrapIPFilter is equivalent to newIPFilter(opts) then Wrap(next)
-func WrapIPFilter(next http.Handler, opts IPFilterOptions) http.Handler {
+func WrapIPFilter(next http.Handler, opts *IPFilterOptions) http.Handler {
 	return newIPFilter(opts).Wrap(next)
 }

--- a/server/server.go
+++ b/server/server.go
@@ -49,6 +49,7 @@ import (
 	"github.com/VojtechVitek/ratelimit/memory"
 	gorillaHandlers "github.com/gorilla/handlers"
 	"github.com/gorilla/mux"
+	"github.com/tg123/go-htpasswd"
 	"golang.org/x/crypto/acme/autocert"

 	web "github.com/dutchcoders/transfer.sh-web"
@@ -294,8 +295,26 @@ func TLSConfig(cert, pk string) OptionFn {
 // HTTPAuthCredentials sets basic http auth credentials
 func HTTPAuthCredentials(user string, pass string) OptionFn {
 	return func(srvr *Server) {
-		srvr.AuthUser = user
-		srvr.AuthPass = pass
+		srvr.authUser = user
+		srvr.authPass = pass
+	}
+}
+
+// HTTPAuthHtpasswd sets basic http auth htpasswd file
+func HTTPAuthHtpasswd(htpasswdPath string) OptionFn {
+	return func(srvr *Server) {
+		srvr.authHtpasswd = htpasswdPath
+	}
+}
+
+// HTTPAUTHFilterOptions sets basic http auth ips whitelist
+func HTTPAUTHFilterOptions(options IPFilterOptions) OptionFn {
+	for i, allowedIP := range options.AllowedIPs {
+		options.AllowedIPs[i] = strings.TrimSpace(allowedIP)
+	}
+
+	return func(srvr *Server) {
+		srvr.authIPFilterOptions = &options
 	}
 }

@@ -316,8 +335,13 @@ func FilterOptions(options IPFilterOptions) OptionFn {

 // Server is the main application
 type Server struct {
-	AuthUser string
-	AuthPass string
+	authUser            string
+	authPass            string
+	authHtpasswd        string
+	authIPFilterOptions *IPFilterOptions
+
+	htpasswdFile *htpasswd.File
+	authIPFilter *ipFilter

 	logger *log.Logger

--- a/server/storage/common.go
+++ b/server/storage/common.go
@@ -4,10 +4,9 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"regexp"
 	"strconv"
 	"time"
-
-	"regexp"
 )

 type Range struct {
--- a/server/storage/gdrive.go
+++ b/server/storage/gdrive.go
@@ -35,9 +35,7 @@ const gDriveTokenJSONFile = "token.json"
 const gDriveDirectoryMimeType = "application/vnd.google-apps.folder"

 // NewGDriveStorage is the factory for GDrive
-func NewGDriveStorage(clientJSONFilepath string, localConfigPath string, basedir string, chunkSize int, logger *log.Logger) (*GDrive, error) {
-
-	ctx := context.TODO()
+func NewGDriveStorage(ctx context.Context, clientJSONFilepath string, localConfigPath string, basedir string, chunkSize int, logger *log.Logger) (*GDrive, error) {

 	b, err := ioutil.ReadFile(clientJSONFilepath)
 	if err != nil {
--- a/server/storage/s3.go
+++ b/server/storage/s3.go
@@ -2,38 +2,48 @@ package storage

 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"log"
 	"time"

-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/awserr"
-	"github.com/aws/aws-sdk-go/aws/credentials"
-	"github.com/aws/aws-sdk-go/aws/session"
-	"github.com/aws/aws-sdk-go/service/s3"
-	"github.com/aws/aws-sdk-go/service/s3/s3manager"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/credentials"
+	"github.com/aws/aws-sdk-go-v2/feature/s3/manager"
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
 )

 // S3Storage is a storage backed by AWS S3
 type S3Storage struct {
 	Storage
 	bucket      string
-	session     *session.Session
-	s3          *s3.S3
+	s3          *s3.Client
 	logger      *log.Logger
 	purgeDays   time.Duration
 	noMultipart bool
 }

 // NewS3Storage is the factory for S3Storage
-func NewS3Storage(accessKey, secretKey, bucketName string, purgeDays int, region, endpoint string, disableMultipart bool, forcePathStyle bool, logger *log.Logger) (*S3Storage, error) {
-	sess := getAwsSession(accessKey, secretKey, region, endpoint, forcePathStyle)
+func NewS3Storage(ctx context.Context, accessKey, secretKey, bucketName string, purgeDays int, region, endpoint string, disableMultipart bool, forcePathStyle bool, logger *log.Logger) (*S3Storage, error) {
+	cfg, err := getAwsConfig(ctx, accessKey, secretKey)
+	if err != nil {
+		return nil, err
+	}
+
+	client := s3.NewFromConfig(cfg, func(o *s3.Options) {
+		o.Region = region
+		o.UsePathStyle = forcePathStyle
+		if len(endpoint) > 0 {
+			o.EndpointResolver = s3.EndpointResolverFromURL(endpoint)
+		}
+	})

 	return &S3Storage{
 		bucket:      bucketName,
-		s3:          s3.New(sess),
-		session:     sess,
+		s3:          client,
 		logger:      logger,
 		noMultipart: disableMultipart,
 		purgeDays:   time.Duration(purgeDays*24) * time.Hour,
@@ -55,14 +65,12 @@ func (s *S3Storage) Head(ctx context.Context, token string, filename string) (co
 	}

 	// content type , content length
-	response, err := s.s3.HeadObjectWithContext(ctx, headRequest)
+	response, err := s.s3.HeadObject(ctx, headRequest)
 	if err != nil {
 		return
 	}

-	if response.ContentLength != nil {
-		contentLength = uint64(*response.ContentLength)
-	}
+	contentLength = uint64(response.ContentLength)

 	return
 }
@@ -79,14 +87,8 @@ func (s *S3Storage) IsNotExist(err error) bool {
 		return false
 	}

-	if aerr, ok := err.(awserr.Error); ok {
-		switch aerr.Code() {
-		case s3.ErrCodeNoSuchKey:
-			return true
-		}
-	}
-
-	return false
+	var nkerr *types.NoSuchKey
+	return errors.As(err, &nkerr)
 }

 // Get retrieves a file from storage
@@ -102,14 +104,12 @@ func (s *S3Storage) Get(ctx context.Context, token string, filename string, rng
 		getRequest.Range = aws.String(rng.Range())
 	}

-	response, err := s.s3.GetObjectWithContext(ctx, getRequest)
+	response, err := s.s3.GetObject(ctx, getRequest)
 	if err != nil {
 		return
 	}

-	if response.ContentLength != nil {
-		contentLength = uint64(*response.ContentLength)
-	}
+	contentLength = uint64(response.ContentLength)
 	if rng != nil && response.ContentRange != nil {
 		rng.SetContentRange(*response.ContentRange)
 	}
@@ -126,7 +126,7 @@ func (s *S3Storage) Delete(ctx context.Context, token string, filename string) (
 		Key:    aws.String(metadata),
 	}

-	_, err = s.s3.DeleteObjectWithContext(ctx, deleteRequest)
+	_, err = s.s3.DeleteObject(ctx, deleteRequest)
 	if err != nil {
 		return
 	}
@@ -137,7 +137,7 @@ func (s *S3Storage) Delete(ctx context.Context, token string, filename string) (
 		Key:    aws.String(key),
 	}

-	_, err = s.s3.DeleteObjectWithContext(ctx, deleteRequest)
+	_, err = s.s3.DeleteObject(ctx, deleteRequest)

 	return
 }
@@ -155,7 +155,7 @@ func (s *S3Storage) Put(ctx context.Context, token string, filename string, read
 	}

 	// Create an uploader with the session and custom options
-	uploader := s3manager.NewUploader(s.session, func(u *s3manager.Uploader) {
+	uploader := manager.NewUploader(s.s3, func(u *manager.Uploader) {
 		u.Concurrency = concurrency // default is 5
 		u.LeavePartsOnError = false
 	})
@@ -165,7 +165,7 @@ func (s *S3Storage) Put(ctx context.Context, token string, filename string, read
 		expire = aws.Time(time.Now().Add(s.purgeDays))
 	}

-	_, err = uploader.UploadWithContext(ctx, &s3manager.UploadInput{
+	_, err = uploader.Upload(ctx, &s3.PutObjectInput{
 		Bucket:      aws.String(s.bucket),
 		Key:         aws.String(key),
 		Body:        reader,
@@ -178,11 +178,14 @@ func (s *S3Storage) Put(ctx context.Context, token string, filename string, read

 func (s *S3Storage) IsRangeSupported() bool { return true }

-func getAwsSession(accessKey, secretKey, region, endpoint string, forcePathStyle bool) *session.Session {
-	return session.Must(session.NewSession(&aws.Config{
-		Region:           aws.String(region),
-		Endpoint:         aws.String(endpoint),
-		Credentials:      credentials.NewStaticCredentials(accessKey, secretKey, ""),
-		S3ForcePathStyle: aws.Bool(forcePathStyle),
-	}))
+func getAwsConfig(ctx context.Context, accessKey, secretKey string) (aws.Config, error) {
+	return config.LoadDefaultConfig(ctx,
+		config.WithCredentialsProvider(credentials.StaticCredentialsProvider{
+			Value: aws.Credentials{
+				AccessKeyID:     accessKey,
+				SecretAccessKey: secretKey,
+				SessionToken:    "",
+			},
+		}),
+	)
 }
--- a/server/storage/storj.go
+++ b/server/storage/storj.go
@@ -22,13 +22,11 @@ type StorjStorage struct {
 }

 // NewStorjStorage is the factory for StorjStorage
-func NewStorjStorage(access, bucket string, purgeDays int, logger *log.Logger) (*StorjStorage, error) {
+func NewStorjStorage(ctx context.Context, access, bucket string, purgeDays int, logger *log.Logger) (*StorjStorage, error) {
 	var instance StorjStorage
 	var err error

-	pCtx := context.TODO()
-
-	ctx := fpath.WithTempData(pCtx, "", true)
+	ctx = fpath.WithTempData(ctx, "", true)

 	uplConf := &uplink.Config{
 		UserAgent: "transfer-sh",
--- a/server/utils.go
+++ b/server/utils.go
@@ -32,6 +32,7 @@ import (
 	"net/http"
 	"strconv"
 	"strings"
+	"time"

 	"github.com/golang/gddo/httputil/header"
 )
@@ -233,3 +234,11 @@ func formatSize(size int64) string {
 	getSuffix := suffixes[int(math.Floor(base))]
 	return fmt.Sprintf("%s %s", strconv.FormatFloat(newVal, 'f', -1, 64), getSuffix)
 }
+
+func formatDurationDays(durationDays time.Duration) string {
+	days := int(durationDays.Hours() / 24)
+	if days == 1 {
+		return fmt.Sprintf("%d day", days)
+	}
+	return fmt.Sprintf("%d days", days)
+}
Author	SHA1	Message	Date
Andrea Spacca	c5664b433d	better logic	2023-06-06 19:35:45 +09:00
Andrea Spacca	fc6f897eaa	fix basic auth	2023-06-06 19:30:32 +09:00
Michael Manganiello	fc844ac341	Upgrade aws-sdk-go to v2 (#559 ) * Upgrade aws-sdk-go to v2 `aws-sdk-go-v2` is the newer SDK version, replacing the one being used at the moment by the project. This change maintains full compatibility with existing flags and configurations, and only replaces the underlying library. * Simplify and isolate AWS config logic	2023-05-24 18:37:06 +09:00
Michael Manganiello	a653181ea8	Improve Docker layer caching for Go dependencies (#560 ) Running `go mod download` before copying the entire project to the Docker image avoids dependencies from being re-downloaded every time any file is modified, and `docker build` runs again. This follows the steps detailed in the official Docker guide for Go images: https://docs.docker.com/language/golang/build-images/#create-a-dockerfile-for-the-application Also, `GO111MODULE` doesn't make any difference for the supported Go versions, so it can be removed from the Dockerfile.	2023-05-23 11:54:02 +09:00
Natalí Paura	bafbf0c1a0	Improve purgeTime display in web page (#558 ) - changing the line `purgeTime = s.purgeDays.String()` to use a function that formats the days like this: "N days" or "1 day" - adding the function `formatDurationDays` in utils.go file Fixes #557 Co-authored-by: Andrea Spacca <andrea.spacca@gmail.com>	2023-05-19 19:01:54 +09:00
Michael Manganiello	df0d04f0da	Upgrade github.com/urfave/cli to v2 (#551 ) `urfave/cli` v2 was released in 2019, and it doesn't introduce relevant user-facing breaking changes. Migration guide from v1 can be found at: https://cli.urfave.org/migrate-v1-to-v2/ The only user-facing change is within the "Flags before args" section, but I haven't found that to affect `transfer.sh` as arguments are not used. Co-authored-by: Stefan Benten <mail@stefan-benten.de> Co-authored-by: Andrea Spacca <andrea.spacca@gmail.com>	2023-05-19 14:51:40 +09:00
Junoh Moon	2a11ca13a3	Add mime.types to docker container to select charset properly (#547 ) * Add charset to content type in getHandler Add charset to content type in the getHandler function to fix CJK-letter related issues. If the content type is empty after trimming, set it to "text/plain; charset=utf-8". * Add mailcap and mime.types to transfer.sh container This commit includes /etc/mime.types file to the container, which is necessary to properly select the charset using MIME typing during file upload. For more information, read https://github.com/dutchcoders/transfer.sh/pull/545#issuecomment-1528712181 --------- Co-authored-by: Andrea Spacca <andrea.spacca@gmail.com>	2023-05-19 13:09:37 +09:00
dependabot[bot]	1e6346c3d1	Bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 (#552 ) Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.1.0 to 1.3.3. - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](https://github.com/cloudflare/circl/compare/v1.1.0...v1.3.3) --- updated-dependencies: - dependency-name: github.com/cloudflare/circl dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-05-19 11:57:12 +09:00
Michael Manganiello	eecf529138	Dockerfile: Use Go 1.20 by default (#550 ) Use Go 1.20 by default in Dockerfile Updating the default Go version used in the Dockerfile, to the latest one supported by the project at the moment. Also, Go `1.17` support was removed in `9f1fe62e05`	2023-05-11 18:23:58 +02:00
Junoh Moon	e837849d44	Add charset to content type in getHandler (#545 ) Add charset to content type in the getHandler function to fix CJK-letter related issues. If the content type is empty after trimming, set it to "text/plain; charset=utf-8".	2023-04-29 20:07:52 +09:00
Andrea Spacca	a5dacb36a9	call WriteHeader after last change to header map (#542 ) * call WriteHeader after last change to header map * fix reader/decryptionReader	2023-04-05 23:30:58 +09:00
Kot	3dcbfe2e4d	Add `Vary` headers in responses (#536 ) * Add `Vary` headers in responses * Add `Referer` to file handler `Vary` * Fix Vary value for routes	2023-03-16 10:25:46 +09:00
Andrea Spacca	1fb67f49ff	add IP_FILTERLIST_BYPASS_HTTP_AUTH (#538 ) * add IP_FILTERLIST_BYPASS_HTTP_AUTH * refactor to separated ip whitelist	2023-03-12 13:34:41 +09:00
Andrea Spacca	54cacb5487	add http-auth-htpasswd (#537 ) * add http-auth-htpasswd * go mod tidy	2023-03-12 11:52:45 +09:00
Andrea Spacca	3b777e1c19	gpg encryption support (#162 ) * gpg encryption support * gpg encryption support * refinement * refactor using protonmail opengpg * warning * remove exception in linting * reduce I/O on decrypt * fix typo * streaming in encrypt * Update README.md do not reference server public hosting version in encrypt/decrypt headers example * linting * linting fix * increase default random-token-length to 10	2023-03-11 10:08:55 +09:00
Andrea Spacca	28fc9c73f5	Lint accept range (#535 ) * Support Range header for GET * Adds 'Accept-Ranges: bytes' header to handlers * proper param name in error * bump gdrive dependecies * refactor CloseCheck to avoid panic on nil, remove range/audio/video special handling on get handler * refactor CloseCheck to avoid panic on nil, handle range with no limit * refactor CloseCheck to avoid panic on nil, handle range in gdrive storage * refactor CloseCheck to avoid panic on nil * handle range with no limit * lint * bump deps * go mod tidy * gofmt * cr fixes, replace deprecated ioutil.NopCloser * linting * do not write to file by default * fix storj --------- Co-authored-by: Vladislav Grubov <vladgrubov@gmail.com>	2023-03-11 01:41:43 +09:00