advplyr.audiobookshelf/server/controllers/FileSystemController.js

const { Request, Response } = require('express')
const Path = require('path')
const Logger = require('../Logger')
const fs = require('../libs/fsExtra')
const { toNumber } = require('../utils/index')
const fileUtils = require('../utils/fileUtils')
const Database = require('../Database')

/**
 * @typedef RequestUserObject
 * @property {import('../models/User')} user
 *
 * @typedef {Request & RequestUserObject} RequestWithUser
 */

class FileSystemController {
  constructor() {}

  /**
   *
   * @param {RequestWithUser} req
   * @param {Response} res
   */
  async getPaths(req, res) {
    if (!req.user.isAdminOrUp) {
      Logger.error(`[FileSystemController] Non-admin user "${req.user.username}" attempting to get filesystem paths`)
      return res.sendStatus(403)
    }

    const relpath = req.query.path
    const level = toNumber(req.query.level, 0)

    // Validate path. Must be absolute
    if (relpath && (!Path.isAbsolute(relpath) || !(await fs.pathExists(relpath)))) {
      Logger.error(`[FileSystemController] Invalid path in query string "${relpath}"`)
      return res.status(400).send('Invalid "path" query string')
    }
    Logger.debug(`[FileSystemController] Getting file paths at ${relpath || 'root'} (${level})`)

    let directories = []

    // Windows returns drives first
    if (global.isWin) {
      if (relpath) {
        directories = await fileUtils.getDirectoriesInPath(relpath, level)
      } else {
        const drives = await fileUtils.getWindowsDrives().catch((error) => {
          Logger.error(`[FileSystemController] Failed to get windows drives`, error)
          return []
        })
        if (drives.length) {
          directories = drives.map((d) => {
            return {
              path: d,
              dirname: d,
              level: 0
            }
          })
        }
      }
    } else {
      directories = await fileUtils.getDirectoriesInPath(relpath || '/', level)
    }

    // Exclude some dirs from this project to be cleaner in Docker
    const excludedDirs = ['node_modules', 'client', 'server', '.git', 'static', 'build', 'dist', 'metadata', 'config', 'sys', 'proc', '.devcontainer', '.nyc_output', '.github', '.vscode'].map((dirname) => {
      return fileUtils.filePathToPOSIX(Path.join(global.appRoot, dirname))
    })
    directories = directories.filter((dir) => {
      return !excludedDirs.includes(dir.path)
    })

    res.json({
      posix: !global.isWin,
      directories
    })
  }

  /**
   * POST: /api/filesystem/pathexists
   *
   * @param {RequestWithUser} req
   * @param {Response} res
   */
  async checkPathExists(req, res) {
    if (!req.user.canUpload) {
      Logger.error(`[FileSystemController] User "${req.user.username}" without upload permissions attempting to check path exists`)
      return res.sendStatus(403)
    }

    const { directory, folderPath } = req.body
    if (!directory?.length || typeof directory !== 'string' || !folderPath?.length || typeof folderPath !== 'string') {
      Logger.error(`[FileSystemController] Invalid request body: ${JSON.stringify(req.body)}`)
      return res.status(400).json({
        error: 'Invalid request body'
      })
    }

    // Check that library folder exists
    const libraryFolder = await Database.libraryFolderModel.findOne({
      where: {
        path: folderPath
      }
    })

    if (!libraryFolder) {
      Logger.error(`[FileSystemController] Library folder not found: ${folderPath}`)
      return res.sendStatus(404)
    }

    if (!req.user.checkCanAccessLibrary(libraryFolder.libraryId)) {
      Logger.error(`[FileSystemController] User "${req.user.username}" attempting to check path exists for library "${libraryFolder.libraryId}" without access`)
      return res.sendStatus(403)
    }

    let filepath = Path.join(libraryFolder.path, directory)
    filepath = fileUtils.filePathToPOSIX(filepath)

    // Ensure filepath is inside library folder (prevents directory traversal)
    if (!filepath.startsWith(libraryFolder.path)) {
      Logger.error(`[FileSystemController] Filepath is not inside library folder: ${filepath}`)
      return res.sendStatus(400)
    }

    if (await fs.pathExists(filepath)) {
      return res.json({
        exists: true
      })
    }

    // Check if a library item exists in a subdirectory
    // See: https://github.com/advplyr/audiobookshelf/issues/4146
    const cleanedDirectory = directory.split('/').filter(Boolean).join('/')
    if (cleanedDirectory.includes('/')) {
      // Can only be 2 levels deep
      const possiblePaths = []
      const subdir = Path.dirname(directory)
      possiblePaths.push(fileUtils.filePathToPOSIX(Path.join(folderPath, subdir)))
      if (subdir.includes('/')) {
        possiblePaths.push(fileUtils.filePathToPOSIX(Path.join(folderPath, Path.dirname(subdir))))
      }

      const libraryItem = await Database.libraryItemModel.findOne({
        where: {
          path: possiblePaths
        }
      })

      if (libraryItem) {
        return res.json({
          exists: true,
          libraryItemTitle: libraryItem.title
        })
      }
    }

    return res.json({
      exists: false
    })
  }
}
module.exports = new FileSystemController()
Update API JS docs 2024-08-11 17:01:25 -05:00			`const { Request, Response } = require('express')`
Missing Path variable 2021-12-27 17:51:19 +01:00			`const Path = require('path')`
Update:Check if directory already exists before upload #1497 2023-05-27 16:00:34 -05:00			`const Logger = require('../Logger')`
			`const fs = require('../libs/fsExtra')`
Update:Library folder browser to also work for debian and windows 2024-01-03 16:23:17 -06:00			`const { toNumber } = require('../utils/index')`
			`const fileUtils = require('../utils/fileUtils')`
Fix uploader check if item already exists in a subdirectory #4146 2025-03-24 18:01:38 -05:00			`const Database = require('../Database')`
Change:Series volume numbers to use language sensitive sorting #261 2021-12-26 11:25:07 -06:00
Update API JS docs 2024-08-11 17:01:25 -05:00			`/**`
			`* @typedef RequestUserObject`
			`* @property {import('../models/User')} user`
			`*`
			`* @typedef {Request & RequestUserObject} RequestWithUser`
			`*/`

Change:Series volume numbers to use language sensitive sorting #261 2021-12-26 11:25:07 -06:00			`class FileSystemController {`
Update controllers to use new user model 2024-08-10 17:15:21 -05:00			`constructor() {}`
Change:Series volume numbers to use language sensitive sorting #261 2021-12-26 11:25:07 -06:00
Update:Library folder browser to also work for debian and windows 2024-01-03 16:23:17 -06:00			`/**`
Update controllers to use new user model 2024-08-10 17:15:21 -05:00			`*`
Update API JS docs 2024-08-11 17:01:25 -05:00			`* @param {RequestWithUser} req`
			`* @param {Response} res`
Update:Library folder browser to also work for debian and windows 2024-01-03 16:23:17 -06:00			`*/`
Change:Series volume numbers to use language sensitive sorting #261 2021-12-26 11:25:07 -06:00			`async getPaths(req, res) {`
Update:Express middleware sets req.user to new data model, openid permissions functions moved to new data model 2024-08-11 16:07:29 -05:00			`if (!req.user.isAdminOrUp) {`
			Logger.error(`[FileSystemController] Non-admin user "${req.user.username}" attempting to get filesystem paths`)
Update:Check if directory already exists before upload #1497 2023-05-27 16:00:34 -05:00			`return res.sendStatus(403)`
			`}`

Update:Library folder browser to also work for debian and windows 2024-01-03 16:23:17 -06:00			`const relpath = req.query.path`
			`const level = toNumber(req.query.level, 0)`

			`// Validate path. Must be absolute`
Update controllers to use new user model 2024-08-10 17:15:21 -05:00			`if (relpath && (!Path.isAbsolute(relpath) \|\| !(await fs.pathExists(relpath)))) {`
Update:Library folder browser to also work for debian and windows 2024-01-03 16:23:17 -06:00			Logger.error(`[FileSystemController] Invalid path in query string "${relpath}"`)
			`return res.status(400).send('Invalid "path" query string')`
			`}`
			Logger.debug(`[FileSystemController] Getting file paths at ${relpath \|\| 'root'} (${level})`)

			`let directories = []`
Change:Series volume numbers to use language sensitive sorting #261 2021-12-26 11:25:07 -06:00
Update:Library folder browser to also work for debian and windows 2024-01-03 16:23:17 -06:00			`// Windows returns drives first`
			`if (global.isWin) {`
			`if (relpath) {`
			`directories = await fileUtils.getDirectoriesInPath(relpath, level)`
			`} else {`
			`const drives = await fileUtils.getWindowsDrives().catch((error) => {`
			Logger.error(`[FileSystemController] Failed to get windows drives`, error)
			`return []`
			`})`
			`if (drives.length) {`
Update controllers to use new user model 2024-08-10 17:15:21 -05:00			`directories = drives.map((d) => {`
Update:Library folder browser to also work for debian and windows 2024-01-03 16:23:17 -06:00			`return {`
			`path: d,`
			`dirname: d,`
			`level: 0`
			`}`
			`})`
			`}`
			`}`
			`} else {`
			`directories = await fileUtils.getDirectoriesInPath(relpath \|\| '/', level)`
			`}`

			`// Exclude some dirs from this project to be cleaner in Docker`
Update controllers to use new user model 2024-08-10 17:15:21 -05:00			`const excludedDirs = ['node_modules', 'client', 'server', '.git', 'static', 'build', 'dist', 'metadata', 'config', 'sys', 'proc', '.devcontainer', '.nyc_output', '.github', '.vscode'].map((dirname) => {`
Update:Library folder browser to also work for debian and windows 2024-01-03 16:23:17 -06:00			`return fileUtils.filePathToPOSIX(Path.join(global.appRoot, dirname))`
			`})`
Update controllers to use new user model 2024-08-10 17:15:21 -05:00			`directories = directories.filter((dir) => {`
Update:Library folder browser to also work for debian and windows 2024-01-03 16:23:17 -06:00			`return !excludedDirs.includes(dir.path)`
Change:Series volume numbers to use language sensitive sorting #261 2021-12-26 11:25:07 -06:00			`})`

Update FileSystemController.js to respond with objects Changes: - `getPaths` (GET /api/filesystem) 2022-11-29 11:55:22 -06:00			`res.json({`
Update:Library folder browser to also work for debian and windows 2024-01-03 16:23:17 -06:00			`posix: !global.isWin,`
			`directories`
Update FileSystemController.js to respond with objects Changes: - `getPaths` (GET /api/filesystem) 2022-11-29 11:55:22 -06:00			`})`
Change:Series volume numbers to use language sensitive sorting #261 2021-12-26 11:25:07 -06:00			`}`
Update:Check if directory already exists before upload #1497 2023-05-27 16:00:34 -05:00
Update API JS docs 2024-08-11 17:01:25 -05:00			`/**`
			`* POST: /api/filesystem/pathexists`
			`*`
			`* @param {RequestWithUser} req`
			`* @param {Response} res`
			`*/`
Update:Check if directory already exists before upload #1497 2023-05-27 16:00:34 -05:00			`async checkPathExists(req, res) {`
Update:Express middleware sets req.user to new data model, openid permissions functions moved to new data model 2024-08-11 16:07:29 -05:00			`if (!req.user.canUpload) {`
Update pathexists file system API endpoint 2025-05-26 16:56:50 -05:00			Logger.error(`[FileSystemController] User "${req.user.username}" without upload permissions attempting to check path exists`)
Update:Check if directory already exists before upload #1497 2023-05-27 16:00:34 -05:00			`return res.sendStatus(403)`
			`}`

Update pathexists file system API endpoint 2025-05-26 16:56:50 -05:00			`const { directory, folderPath } = req.body`
			`if (!directory?.length \|\| typeof directory !== 'string' \|\| !folderPath?.length \|\| typeof folderPath !== 'string') {`
			Logger.error(`[FileSystemController] Invalid request body: ${JSON.stringify(req.body)}`)
			`return res.status(400).json({`
			`error: 'Invalid request body'`
			`})`
Update:Check if directory already exists before upload #1497 2023-05-27 16:00:34 -05:00			`}`

Update pathexists file system API endpoint 2025-05-26 16:56:50 -05:00			`// Check that library folder exists`
			`const libraryFolder = await Database.libraryFolderModel.findOne({`
			`where: {`
			`path: folderPath`
			`}`
			`})`

			`if (!libraryFolder) {`
			Logger.error(`[FileSystemController] Library folder not found: ${folderPath}`)
			`return res.sendStatus(404)`
			`}`
Fix uploader check if item already exists in a subdirectory #4146 2025-03-24 18:01:38 -05:00
Update pathexists endpoint to check user has access to library 2025-06-11 16:04:18 -05:00			`if (!req.user.checkCanAccessLibrary(libraryFolder.libraryId)) {`
			Logger.error(`[FileSystemController] User "${req.user.username}" attempting to check path exists for library "${libraryFolder.libraryId}" without access`)
			`return res.sendStatus(403)`
			`}`

Fix pathexists filepath back to posix 2025-06-11 16:37:07 -05:00			`let filepath = Path.join(libraryFolder.path, directory)`
			`filepath = fileUtils.filePathToPOSIX(filepath)`
Fix filesystem pathexists path join 2025-06-10 17:02:42 -05:00
Update pathexists file system API endpoint 2025-05-26 16:56:50 -05:00			`// Ensure filepath is inside library folder (prevents directory traversal)`
			`if (!filepath.startsWith(libraryFolder.path)) {`
			Logger.error(`[FileSystemController] Filepath is not inside library folder: ${filepath}`)
			`return res.sendStatus(400)`
			`}`

			`if (await fs.pathExists(filepath)) {`
Fix uploader check if item already exists in a subdirectory #4146 2025-03-24 18:01:38 -05:00			`return res.json({`
			`exists: true`
			`})`
			`}`

Update pathexists file system API endpoint 2025-05-26 16:56:50 -05:00			`// Check if a library item exists in a subdirectory`
Fix uploader check if item already exists in a subdirectory #4146 2025-03-24 18:01:38 -05:00			`// See: https://github.com/advplyr/audiobookshelf/issues/4146`
Update pathexists file system API endpoint 2025-05-26 16:56:50 -05:00			`const cleanedDirectory = directory.split('/').filter(Boolean).join('/')`
			`if (cleanedDirectory.includes('/')) {`
			`// Can only be 2 levels deep`
			`const possiblePaths = []`
			`const subdir = Path.dirname(directory)`
			`possiblePaths.push(fileUtils.filePathToPOSIX(Path.join(folderPath, subdir)))`
			`if (subdir.includes('/')) {`
			`possiblePaths.push(fileUtils.filePathToPOSIX(Path.join(folderPath, Path.dirname(subdir))))`
			`}`

			`const libraryItem = await Database.libraryItemModel.findOne({`
			`where: {`
			`path: possiblePaths`
Fix uploader check if item already exists in a subdirectory #4146 2025-03-24 18:01:38 -05:00			`}`
Update pathexists file system API endpoint 2025-05-26 16:56:50 -05:00			`})`
Fix uploader check if item already exists in a subdirectory #4146 2025-03-24 18:01:38 -05:00
Update pathexists file system API endpoint 2025-05-26 16:56:50 -05:00			`if (libraryItem) {`
			`return res.json({`
			`exists: true,`
			`libraryItemTitle: libraryItem.title`
Fix uploader check if item already exists in a subdirectory #4146 2025-03-24 18:01:38 -05:00			`})`
			`}`
			`}`

			`return res.json({`
			`exists: false`
Update:Check if directory already exists before upload #1497 2023-05-27 16:00:34 -05:00			`})`
			`}`
Change:Series volume numbers to use language sensitive sorting #261 2021-12-26 11:25:07 -06:00			`}`
Update controllers to use new user model 2024-08-10 17:15:21 -05:00			`module.exports = new FileSystemController()`