feat: add fine-grained control for link signing (#3924)

* Determine whether the URL requires Sign

* Add File and Mem based KV

NOT TESTED: TokenKV Function

* Change Token KV func to common func.

Add File based KV func

* Remove KV, Remove Token

I found that the original Sign function is enough to complete the link signature, and only need to add simple configuration items to meet the requirements.

* Add IsStorageSigned func to judge if Signing is enabled in the storage settings.

It should be working now.

* Add a SIGN button to the management panel.

* Add enable_sign to the basic storage struct.

Can enable sign for every driver now.

Bug: When sign enabled, in download page, Copy link doesn't contain a sign.

(Not done yet)

* Fix a bug from commit 8f6c25f.

Response of fsread function does not contain sign.

* Optimize code and follow advices.

- Add back public/dist/README.md

- Enable sign when DownProxyUrl is enabled

- Merge needSign() to isEncrypt() in fsread.go

* simplify code

---------

Co-authored-by: Andy Hsu <i@nn.ci>

server/common/check.go

@@ -8,9 +8,15 @@ import (
 	"github.com/alist-org/alist/v3/internal/conf"
 	"github.com/alist-org/alist/v3/internal/driver"
 	"github.com/alist-org/alist/v3/internal/model"
+	"github.com/alist-org/alist/v3/internal/op"
 	"github.com/alist-org/alist/v3/pkg/utils"
 )
 
+func IsStorageSignEnabled(rawPath string) bool {
+	storage := op.GetBalancedStorage(rawPath)
+	return storage != nil && storage.GetStorage().EnableSign
+}
+
 func CanWrite(meta *model.Meta, path string) bool {
 	if meta == nil || !meta.Write {
 		return false

server/handles/fsread.go

@@ -165,6 +165,9 @@ func getReadme(meta *model.Meta, path string) string {
 }
 
 func isEncrypt(meta *model.Meta, path string) bool {
+	if common.IsStorageSignEnabled(path) {
+		return true
+	}
 	if meta == nil || meta.Password == "" {
 		return false
 	}
@@ -260,16 +263,20 @@ func FsGet(c *gin.Context) {
 			return
 		}
 		if storage.Config().MustProxy() || storage.GetStorage().WebProxy {
+			query := ""
+			if isEncrypt(meta, reqPath) {
+				query = "?sign=" + sign.Sign(reqPath)
+			}
 			if storage.GetStorage().DownProxyUrl != "" {
 				rawURL = fmt.Sprintf("%s%s?sign=%s",
 					strings.Split(storage.GetStorage().DownProxyUrl, "\n")[0],
 					utils.EncodePath(reqPath, true),
 					sign.Sign(reqPath))
 			} else {
-				rawURL = fmt.Sprintf("%s/p%s?sign=%s",
+				rawURL = fmt.Sprintf("%s/p%s%s",
 					common.GetApiUrl(c.Request),
 					utils.EncodePath(reqPath, true),
-					sign.Sign(reqPath))
+					query)
 			}
 		} else {
 			// file have raw url

server/middlewares/down.go

@@ -4,10 +4,11 @@ import (
 	"strings"
 
 	"github.com/alist-org/alist/v3/internal/conf"
+	"github.com/alist-org/alist/v3/internal/setting"
+
 	"github.com/alist-org/alist/v3/internal/errs"
 	"github.com/alist-org/alist/v3/internal/model"
 	"github.com/alist-org/alist/v3/internal/op"
-	"github.com/alist-org/alist/v3/internal/setting"
 	"github.com/alist-org/alist/v3/internal/sign"
 	"github.com/alist-org/alist/v3/pkg/utils"
 	"github.com/alist-org/alist/v3/server/common"
@@ -49,6 +50,9 @@ func needSign(meta *model.Meta, path string) bool {
 	if setting.GetBool(conf.SignAll) {
 		return true
 	}
+	if common.IsStorageSignEnabled(path) {
+		return true
+	}
 	if meta == nil || meta.Password == "" {
 		return false
 	}