feat!: close sign_all by default

fix(aliyundrive): device session signature error (#3398 )
* fix signature * fix: indent-error-flow [skip ci]
2023-02-14 19:20:15 +08:00 · 2023-02-14 19:17:21 +08:00 · 2023-02-14 15:47:41 +08:00 · 2023-02-14 15:30:33 +08:00 · 2023-02-14 15:20:45 +08:00 · 2023-02-14 14:11:07 +08:00
50 changed files with 1398 additions and 366 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -25,6 +25,7 @@ jobs:

      - name: Install dependencies
        run: |
+          sudo snap install zig --classic --beta
          docker pull crazymax/xgo:latest
          go install github.com/crazy-max/xgo@latest
          sudo apt install upx
--- a/.github/workflows/build_docker.yml
+++ b/.github/workflows/build_docker.yml
@ -30,7 +30,7 @@ jobs:
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Build and push
        id: docker_build
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v4
        with:
          context: .
          push: true
--- a/.github/workflows/issue_question.yml
+++ b/.github/workflows/issue_question.yml
@ -10,7 +10,7 @@ jobs:
    if: github.event.label.name == 'question'
    steps:
      - name: Create comment
-        uses: actions-cool/issues-helper@v3.3.3
+        uses: actions-cool/issues-helper@v3.4.0
        with:
          actions: 'create-comment'
          token: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -38,6 +38,7 @@ jobs:

      - name: Install dependencies
        run: |
+          sudo snap install zig --classic --beta
          docker pull crazymax/xgo:latest
          go install github.com/crazy-max/xgo@latest
          sudo apt install upx
--- a/.github/workflows/release_docker.yml
+++ b/.github/workflows/release_docker.yml
@ -33,7 +33,7 @@ jobs:

      - name: Build and push
        id: docker_build
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v4
        with:
          context: .
          push: true
--- a/build.sh
+++ b/build.sh
@ -1,7 +1,7 @@
 appName="alist"
 builtAt="$(date +'%F %T %z')"
 goVersion=$(go version | sed 's/go version //')
-gitAuthor=$(git show -s --format='format:%aN <%ae>' HEAD)
+gitAuthor="Xhofe <i@nn.ci>"
 gitCommit=$(git log --pretty=format:"%h" -1)

 if [ "$1" = "dev" ]; then
@ -41,6 +41,15 @@ FetchWebRelease() {
  rm -rf dist.tar.gz
 }

+BuildWinArm64() {
+  echo building for windows-arm64
+  export GOOS=windows
+  export GOARCH=arm64
+  export CC=$(pwd)/wrapper/zcc-arm64
+  export CXX=$(pwd)/wrapper/zcxx-arm64
+  go build -o "$1" -ldflags="$ldflags" -tags=jsoniter .
+}
+
 BuildDev() {
  rm -rf .git/
  xgo -targets=linux/amd64,windows/amd64,darwin/amd64 -out "$appName" -ldflags="$ldflags" -tags=jsoniter .
@ -48,7 +57,7 @@ BuildDev() {
  mv alist-* dist
  cd dist
  upx -9 ./alist-linux*
-  upx -9 ./alist-windows*
+  upx -9 ./alist-windows-amd64.exe
  find . -type f -print0 | xargs -0 md5sum >md5.txt
  cat md5.txt
 }
@ -80,10 +89,11 @@ BuildRelease() {
    export CGO_ENABLED=1
    go build -o ./build/$appName-$os_arch -ldflags="$muslflags" -tags=jsoniter .
  done
+  BuildWinArm64 ./build/alist-windows-arm64.exe
  xgo -out "$appName" -ldflags="$ldflags" -tags=jsoniter .
  # why? Because some target platforms seem to have issues with upx compression
  upx -9 ./alist-linux-amd64
-  upx -9 ./alist-windows*
+  upx -9 ./alist-windows-amd64.exe
  mv alist-* build
 }

--- a/cmd/server.go
+++ b/cmd/server.go
@ -29,6 +29,7 @@ the address is defined in config file`,
 	Run: func(cmd *cobra.Command, args []string) {
 		Init()
 		bootstrap.InitAria2()
+		bootstrap.InitQbittorrent()
 		bootstrap.LoadStorages()
 		if !flags.Debug && !flags.Dev {
 			gin.SetMode(gin.ReleaseMode)
--- a/drivers/123/driver.go
+++ b/drivers/123/driver.go
@ -96,14 +96,14 @@ func (d *Pan123) Link(ctx context.Context, file model.Obj, args model.LinkArgs)
 				return nil, err
 			}
 		}
-		u_ := fmt.Sprintf("https://%s%s", u.Host, u.Path)
+		u_ := u.String()
 		res, err := base.NoRedirectClient.R().SetQueryParamsFromValues(u.Query()).Head(u_)
 		if err != nil {
 			return nil, err
 		}
 		log.Debug(res.String())
 		link := model.Link{
-			URL: downloadUrl,
+			URL: u_,
 		}
 		log.Debugln("res code: ", res.StatusCode())
 		if res.StatusCode() == 302 {
--- a/drivers/139/driver.go
+++ b/drivers/139/driver.go
@ -83,8 +83,7 @@ func (d *Yun139) MakeDir(ctx context.Context, parentDir model.Obj, dirName strin
 		}
 		pathname = "/orchestration/familyCloud/cloudCatalog/v1.0/createCloudDoc"
 	}
-	_, err := d.post(pathname,
-		data, nil)
+	_, err := d.post(pathname, data, nil)
 	return err
 }

@ -222,6 +221,22 @@ func (d *Yun139) Remove(ctx context.Context, obj model.Obj) error {
 	return err
 }

+const (
+	_  = iota //ignore first value by assigning to blank identifier
+	KB = 1 << (10 * iota)
+	MB
+	GB
+	TB
+)
+
+func getPartSize(size int64) int64 {
+	// 网盘对于分片数量存在上限
+	if size/GB > 30 {
+		return 512 * MB
+	}
+	return 100 * MB
+}
+
 func (d *Yun139) Put(ctx context.Context, dstDir model.Obj, stream model.FileStreamer, up driver.UpdateProgress) error {
 	data := base.Json{
 		"manualRename": 2,
@ -267,17 +282,17 @@ func (d *Yun139) Put(ctx context.Context, dstDir model.Obj, stream model.FileStr
 	// Progress
 	p := driver.NewProgress(stream.GetSize(), up)

-	var Default int64 = 104857600
-	part := (stream.GetSize() + Default - 1) / Default
+	var partSize = getPartSize(stream.GetSize())
+	part := (stream.GetSize() + partSize - 1) / partSize
 	for i := int64(0); i < part; i++ {
 		if utils.IsCanceled(ctx) {
 			return ctx.Err()
 		}

-		start := i * Default
+		start := i * partSize
 		byteSize := stream.GetSize() - start
-		if byteSize > Default {
-			byteSize = Default
+		if byteSize > partSize {
+			byteSize = partSize
 		}

 		limitReader := io.LimitReader(stream, byteSize)
@ -301,6 +316,11 @@ func (d *Yun139) Put(ctx context.Context, dstDir model.Obj, stream model.FileStr
 			return err
 		}
 		log.Debugf("%+v", res)
+
+		if res.StatusCode != http.StatusOK {
+			return fmt.Errorf("unexpected status code: %d", res.StatusCode)
+		}
+
 		res.Body.Close()
 	}

--- a/drivers/aliyundrive/driver.go
+++ b/drivers/aliyundrive/driver.go
@ -31,6 +31,7 @@ type AliDrive struct {
 	AccessToken string
 	cron        *cron.Cron
 	DriveId     string
+	UserID      string
 }

 func (d *AliDrive) Config() driver.Config {
@ -54,6 +55,7 @@ func (d *AliDrive) Init(ctx context.Context) error {
 		return err
 	}
 	d.DriveId = utils.Json.Get(res, "default_drive_id").ToString()
+	d.UserID = utils.Json.Get(res, "user_id").ToString()
 	d.cron = cron.NewCron(time.Hour * 2)
 	d.cron.Do(func() {
 		err := d.refreshToken()
@ -61,7 +63,22 @@ func (d *AliDrive) Init(ctx context.Context) error {
 			log.Errorf("%+v", err)
 		}
 	})
-	return err
+	if global.Has(d.UserID) {
+		return nil
+	}
+	// init deviceID
+	deviceID := utils.GetSHA256Encode(d.UserID)
+	// init privateKey
+	privateKey, _ := NewPrivateKeyFromHex(deviceID)
+	state := State{
+		nonce:      -1,
+		privateKey: privateKey,
+		deviceID:   deviceID,
+	}
+	// store state
+	global.Store(d.UserID, &state)
+	// init signature
+	return d.reSign()
 }

 func (d *AliDrive) Drop(ctx context.Context) error {
@ -169,17 +186,27 @@ func (d *AliDrive) Put(ctx context.Context, dstDir model.Obj, stream model.FileS
 		"type":            "file",
 	}

+	var localFile *os.File
+	if fileStream, ok := file.ReadCloser.(*model.FileStream); ok {
+		localFile, _ = fileStream.ReadCloser.(*os.File)
+	}
 	if d.RapidUpload {
 		buf := bytes.NewBuffer(make([]byte, 0, 1024))
 		io.CopyN(buf, file, 1024)
 		reqBody["pre_hash"] = utils.GetSHA1Encode(buf.String())
-		// 把头部拼接回去
-		file.ReadCloser = struct {
-			io.Reader
-			io.Closer
-		}{
-			Reader: io.MultiReader(buf, file),
-			Closer: file,
+		if localFile != nil {
+			if _, err := localFile.Seek(0, io.SeekStart); err != nil {
+				return err
+			}
+		} else {
+			// 把头部拼接回去
+			file.ReadCloser = struct {
+				io.Reader
+				io.Closer
+			}{
+				Reader: io.MultiReader(buf, file),
+				Closer: file,
+			}
 		}
 	} else {
 		reqBody["content_hash_name"] = "none"
@ -196,18 +223,28 @@ func (d *AliDrive) Put(ctx context.Context, dstDir model.Obj, stream model.FileS
 	}

 	if d.RapidUpload && e.Code == "PreHashMatched" {
-		tempFile, err := os.CreateTemp(conf.Conf.TempDir, "file-*")
-		if err != nil {
-			return err
-		}
-		defer func() {
-			_ = tempFile.Close()
-			_ = os.Remove(tempFile.Name())
-		}()
 		delete(reqBody, "pre_hash")
 		h := sha1.New()
-		if _, err = io.Copy(io.MultiWriter(tempFile, h), file); err != nil {
-			return err
+		if localFile != nil {
+			if _, err = io.Copy(h, localFile); err != nil {
+				return err
+			}
+			if _, err = localFile.Seek(0, io.SeekStart); err != nil {
+				return err
+			}
+		} else {
+			tempFile, err := os.CreateTemp(conf.Conf.TempDir, "file-*")
+			if err != nil {
+				return err
+			}
+			defer func() {
+				_ = tempFile.Close()
+				_ = os.Remove(tempFile.Name())
+			}()
+			if _, err = io.Copy(io.MultiWriter(tempFile, h), file); err != nil {
+				return err
+			}
+			localFile = tempFile
 		}
 		reqBody["content_hash"] = hex.EncodeToString(h.Sum(nil))
 		reqBody["content_hash_name"] = "sha1"
@ -228,7 +265,7 @@ func (d *AliDrive) Put(ctx context.Context, dstDir model.Obj, stream model.FileS
 		if file.GetSize() > 0 {
 			o = r.Mod(r, i)
 		}
-		n, _ := io.NewSectionReader(tempFile, o.Int64(), 8).Read(buf[:8])
+		n, _ := io.NewSectionReader(localFile, o.Int64(), 8).Read(buf[:8])
 		reqBody["proof_code"] = base64.StdEncoding.EncodeToString(buf[:n])

 		_, err, e := d.request("https://api.aliyundrive.com/adrive/v2/file/createWithFolders", http.MethodPost, func(req *resty.Request) {
@ -241,17 +278,21 @@ func (d *AliDrive) Put(ctx context.Context, dstDir model.Obj, stream model.FileS
 			return nil
 		}
 		// 秒传失败
-		if _, err = tempFile.Seek(0, io.SeekStart); err != nil {
+		if _, err = localFile.Seek(0, io.SeekStart); err != nil {
 			return err
 		}
-		file.ReadCloser = tempFile
+		file.ReadCloser = localFile
 	}

 	for i, partInfo := range resp.PartInfoList {
 		if utils.IsCanceled(ctx) {
 			return ctx.Err()
 		}
-		req, err := http.NewRequest("PUT", partInfo.UploadUrl, io.LimitReader(file, DEFAULT))
+		url := partInfo.UploadUrl
+		if d.InternalUpload {
+			url = partInfo.InternalUploadUrl
+		}
+		req, err := http.NewRequest("PUT", url, io.LimitReader(file, DEFAULT))
 		if err != nil {
 			return err
 		}
--- a/drivers/aliyundrive/global.go
+++ b/drivers/aliyundrive/global.go
@ -0,0 +1,16 @@
+package aliyundrive
+
+import (
+	"crypto/ecdsa"
+
+	"github.com/alist-org/alist/v3/pkg/generic_sync"
+)
+
+type State struct {
+	deviceID   string
+	signature  string
+	nonce      int
+	privateKey *ecdsa.PrivateKey
+}
+
+var global = generic_sync.MapOf[string, *State]{}
--- a/drivers/aliyundrive/help.go
+++ b/drivers/aliyundrive/help.go
@ -0,0 +1,66 @@
+package aliyundrive
+
+import (
+	"crypto/ecdsa"
+	"crypto/rand"
+	"encoding/hex"
+	"math/big"
+
+	"github.com/dustinxie/ecc"
+)
+
+func NewPrivateKey() (*ecdsa.PrivateKey, error) {
+	p256k1 := ecc.P256k1()
+	return ecdsa.GenerateKey(p256k1, rand.Reader)
+}
+
+func NewPrivateKeyFromHex(hex_ string) (*ecdsa.PrivateKey, error) {
+	data, err := hex.DecodeString(hex_)
+	if err != nil {
+		return nil, err
+	}
+	return NewPrivateKeyFromBytes(data), nil
+
+}
+
+func NewPrivateKeyFromBytes(priv []byte) *ecdsa.PrivateKey {
+	p256k1 := ecc.P256k1()
+	x, y := p256k1.ScalarBaseMult(priv)
+	return &ecdsa.PrivateKey{
+		PublicKey: ecdsa.PublicKey{
+			Curve: p256k1,
+			X:     x,
+			Y:     y,
+		},
+		D: new(big.Int).SetBytes(priv),
+	}
+}
+
+func PrivateKeyToHex(private *ecdsa.PrivateKey) string {
+	return hex.EncodeToString(PrivateKeyToBytes(private))
+}
+
+func PrivateKeyToBytes(private *ecdsa.PrivateKey) []byte {
+	return private.D.Bytes()
+}
+
+func PublicKeyToHex(public *ecdsa.PublicKey) string {
+	return hex.EncodeToString(PublicKeyToBytes(public))
+}
+
+func PublicKeyToBytes(public *ecdsa.PublicKey) []byte {
+	x := public.X.Bytes()
+	if len(x) < 32 {
+		for i := 0; i < 32-len(x); i++ {
+			x = append([]byte{0}, x...)
+		}
+	}
+
+	y := public.Y.Bytes()
+	if len(y) < 32 {
+		for i := 0; i < 32-len(y); i++ {
+			y = append([]byte{0}, y...)
+		}
+	}
+	return append(x, y...)
+}
--- a/drivers/aliyundrive/meta.go
+++ b/drivers/aliyundrive/meta.go
@ -7,10 +7,12 @@ import (

 type Addition struct {
 	driver.RootID
-	RefreshToken   string `json:"refresh_token" required:"true"`
+	RefreshToken string `json:"refresh_token" required:"true"`
+	//DeviceID       string `json:"device_id" required:"true"`
 	OrderBy        string `json:"order_by" type:"select" options:"name,size,updated_at,created_at"`
 	OrderDirection string `json:"order_direction" type:"select" options:"ASC,DESC"`
 	RapidUpload    bool   `json:"rapid_upload"`
+	InternalUpload bool   `json:"internal_upload"`
 }

 var config = driver.Config{
--- a/drivers/aliyundrive/types.go
+++ b/drivers/aliyundrive/types.go
@ -48,7 +48,8 @@ type UploadResp struct {
 	FileId       string `json:"file_id"`
 	UploadId     string `json:"upload_id"`
 	PartInfoList []struct {
-		UploadUrl string `json:"upload_url"`
+		UploadUrl         string `json:"upload_url"`
+		InternalUploadUrl string `json:"internal_upload_url"`
 	} `json:"part_info_list"`

 	RapidUpload bool `json:"rapid_upload"`
--- a/drivers/aliyundrive/util.go
+++ b/drivers/aliyundrive/util.go
@ -1,6 +1,8 @@
 package aliyundrive

 import (
+	"crypto/sha256"
+	"encoding/hex"
 	"errors"
 	"fmt"
 	"net/http"
@ -8,9 +10,69 @@ import (
 	"github.com/alist-org/alist/v3/drivers/base"
 	"github.com/alist-org/alist/v3/internal/op"
 	"github.com/alist-org/alist/v3/pkg/utils"
+	"github.com/dustinxie/ecc"
 	"github.com/go-resty/resty/v2"
+	"github.com/google/uuid"
+	log "github.com/sirupsen/logrus"
 )

+func (d *AliDrive) createSession() error {
+	state, ok := global.Load(d.UserID)
+	if !ok {
+		return fmt.Errorf("can't load user state, user_id: %s", d.UserID)
+	}
+	_, err, _ := d.request("https://api.aliyundrive.com/users/v1/users/device/create_session", http.MethodPost, func(req *resty.Request) {
+		req.SetBody(base.Json{
+			"deviceName":   "samsung",
+			"modelName":    "SM-G9810",
+			"nonce":        state.nonce,
+			"pubKey":       PublicKeyToHex(&state.privateKey.PublicKey),
+			"refreshToken": d.RefreshToken,
+		})
+	}, nil)
+	return err
+}
+
+func (d *AliDrive) renewSession() error {
+	_, err, _ := d.request("https://api.aliyundrive.com/users/v1/users/device/renew_session", http.MethodPost, nil, nil)
+	return err
+}
+
+func (d *AliDrive) sign() {
+	state, ok := global.Load(d.UserID)
+	if !ok {
+		log.Errorf("can't load user state, user_id: %s", d.UserID)
+		return
+	}
+	secpAppID := "5dde4e1bdf9e4966b387ba58f4b3fdc3"
+	singdata := fmt.Sprintf("%s:%s:%s:%d", secpAppID, state.deviceID, d.UserID, state.nonce)
+	hash := sha256.Sum256([]byte(singdata))
+	data, _ := ecc.SignBytes(state.privateKey, hash[:], ecc.RecID|ecc.LowerS)
+	state.signature = hex.EncodeToString(data)
+}
+
+func (d *AliDrive) reSign() error {
+	state, ok := global.Load(d.UserID)
+	if !ok {
+		return fmt.Errorf("can't load user state, user_id: %s", d.UserID)
+	}
+	state.nonce++
+	if state.nonce >= 1073741823 {
+		state.nonce = 0
+	}
+	d.sign()
+	if state.nonce == 0 {
+		return d.createSession()
+	}
+	err := d.renewSession()
+	if err != nil && err.Error() == "device session signature error" {
+		state.nonce = 0
+		d.sign()
+		return d.createSession()
+	}
+	return nil
+}
+
 // do others that not defined in Driver interface

 func (d *AliDrive) refreshToken() error {
@ -39,9 +101,24 @@ func (d *AliDrive) refreshToken() error {

 func (d *AliDrive) request(url, method string, callback base.ReqCallback, resp interface{}) ([]byte, error, RespErr) {
 	req := base.RestyClient.R()
-	req.SetHeader("Authorization", "Bearer\t"+d.AccessToken)
-	req.SetHeader("content-type", "application/json")
-	req.SetHeader("origin", "https://www.aliyundrive.com")
+	state, ok := global.Load(d.UserID)
+	if !ok {
+		if url == "https://api.aliyundrive.com/v2/user/get" {
+			state = &State{}
+		} else {
+			return nil, fmt.Errorf("can't load user state, user_id: %s", d.UserID), RespErr{}
+		}
+	}
+	req.SetHeaders(map[string]string{
+		"Authorization": "Bearer\t" + d.AccessToken,
+		"content-type":  "application/json",
+		"origin":        "https://www.aliyundrive.com",
+		"Referer":       "https://aliyundrive.com/",
+		"X-Signature":   state.signature,
+		"x-request-id":  uuid.NewString(),
+		"X-Canary":      "client=Android,app=adrive,version=v4.1.0",
+		"X-Device-Id":   state.deviceID,
+	})
 	if callback != nil {
 		callback(req)
 	} else {
@ -57,14 +134,21 @@ func (d *AliDrive) request(url, method string, callback base.ReqCallback, resp i
 		return nil, err, e
 	}
 	if e.Code != "" {
-		if e.Code == "AccessTokenInvalid" {
+		switch e.Code {
+		case "AccessTokenInvalid":
 			err = d.refreshToken()
 			if err != nil {
 				return nil, err, e
 			}
-			return d.request(url, method, callback, resp)
+		case "DeviceSessionSignatureInvalid":
+			err = d.reSign()
+			if err != nil {
+				return nil, err, e
+			}
+		default:
+			return nil, errors.New(e.Message), e
 		}
-		return nil, errors.New(e.Message), e
+		return d.request(url, method, callback, resp)
 	} else if res.IsError() {
 		return nil, errors.New("bad status code " + res.Status()), e
 	}
--- a/drivers/aliyundrive_share/driver.go
+++ b/drivers/aliyundrive_share/driver.go
@ -54,6 +54,7 @@ func (d *AliyundriveShare) Drop(ctx context.Context) error {
 	if d.cron != nil {
 		d.cron.Stop()
 	}
+	d.DriveId = ""
 	return nil
 }

--- a/drivers/baidu_netdisk/util.go
+++ b/drivers/baidu_netdisk/util.go
@ -187,7 +187,7 @@ func (d *BaiduNetdisk) create(path string, size int64, isdir int, uploadid, bloc
 	params := map[string]string{
 		"method": "create",
 	}
-	data := fmt.Sprintf("path=%s&size=%d&isdir=%d", encodeURIComponent(path), size, isdir)
+	data := fmt.Sprintf("path=%s&size=%d&isdir=%d&rtype=3", encodeURIComponent(path), size, isdir)
 	if uploadid != "" {
 		data += fmt.Sprintf("&uploadid=%s&block_list=%s", uploadid, block_list)
 	}
--- a/drivers/base/client.go
+++ b/drivers/base/client.go
@ -23,8 +23,9 @@ func init() {
 }

 func NewRestyClient() *resty.Client {
-	return resty.New().
+	client := resty.New().
 		SetHeader("user-agent", UserAgent).
 		SetRetryCount(3).
 		SetTimeout(DefaultTimeout)
+	return client
 }
--- a/drivers/google_drive/driver.go
+++ b/drivers/google_drive/driver.go
@ -56,7 +56,7 @@ func (d *GoogleDrive) Link(ctx context.Context, file model.Obj, args model.LinkA
 		return nil, err
 	}
 	link := model.Link{
-		URL: url + "&alt=media",
+		URL: url + "&alt=media&acknowledgeAbuse=true",
 		Header: http.Header{
 			"Authorization": []string{"Bearer " + d.AccessToken},
 		},
--- a/drivers/local/driver.go
+++ b/drivers/local/driver.go
@ -151,7 +151,7 @@ func (d *Local) Link(ctx context.Context, file model.Obj, args model.LinkArgs) (

 func (d *Local) MakeDir(ctx context.Context, parentDir model.Obj, dirName string) error {
 	fullPath := filepath.Join(parentDir.GetPath(), dirName)
-	err := os.MkdirAll(fullPath, 0700)
+	err := os.MkdirAll(fullPath, 0777)
 	if err != nil {
 		return err
 	}
--- a/drivers/onedrive/types.go
+++ b/drivers/onedrive/types.go
@ -43,7 +43,7 @@ type File struct {
 }

 type Object struct {
-	model.ObjThumbURL
+	model.ObjThumb
 	ParentID string
 }

@ -53,7 +53,7 @@ func fileToObj(f File, parentID string) *Object {
 		thumb = f.Thumbnails[0].Medium.Url
 	}
 	return &Object{
-		ObjThumbURL: model.ObjThumbURL{
+		ObjThumb: model.ObjThumb{
 			Object: model.Object{
 				ID:       f.Id,
 				Name:     f.Name,
@ -62,7 +62,7 @@ func fileToObj(f File, parentID string) *Object {
 				IsFolder: f.File == nil,
 			},
 			Thumbnail: model.Thumbnail{Thumbnail: thumb},
-			Url:       model.Url{Url: f.Url},
+			//Url:       model.Url{Url: f.Url},
 		},
 		ParentID: parentID,
 	}
--- a/drivers/onedrive/util.go
+++ b/drivers/onedrive/util.go
@ -127,7 +127,7 @@ func (d *Onedrive) Request(url string, method string, callback base.ReqCallback,

 func (d *Onedrive) getFiles(path string) ([]File, error) {
 	var res []File
-	nextLink := d.GetMetaUrl(false, path) + "/children?$expand=thumbnails"
+	nextLink := d.GetMetaUrl(false, path) + "/children?$top=5000&$expand=thumbnails($select=medium)&$select=id,name,size,lastModifiedDateTime,content.downloadUrl,file,parentReference"
 	for nextLink != "" {
 		var files Files
 		_, err := d.Request(nextLink, http.MethodGet, nil, &files)
--- a/go.mod
+++ b/go.mod
@ -5,12 +5,12 @@ go 1.19
 require (
 	github.com/SheltonZhu/115driver v1.0.13
 	github.com/Xhofe/go-cache v0.0.0-20220723083548-714439c8af9a
-	github.com/aws/aws-sdk-go v1.44.174
+	github.com/aws/aws-sdk-go v1.44.194
 	github.com/blevesearch/bleve/v2 v2.3.6
-	github.com/caarlos0/env/v6 v6.10.1
 	github.com/caarlos0/env/v7 v7.0.0
 	github.com/deckarep/golang-set/v2 v2.1.0
 	github.com/disintegration/imaging v1.6.2
+	github.com/dustinxie/ecc v0.0.0-20210511000915-959544187564
 	github.com/gin-contrib/cors v1.4.0
 	github.com/gin-gonic/gin v1.8.2
 	github.com/go-resty/resty/v2 v2.7.0
@ -30,13 +30,13 @@ require (
 	github.com/t3rm1n4l/go-mega v0.0.0-20220725095014-c4e0c2b5debf
 	github.com/upyun/go-sdk/v3 v3.0.3
 	github.com/winfsp/cgofuse v1.5.0
-	golang.org/x/crypto v0.5.0
-	golang.org/x/image v0.3.0
-	golang.org/x/net v0.5.0
-	gorm.io/driver/mysql v1.4.5
-	gorm.io/driver/postgres v1.4.6
+	golang.org/x/crypto v0.6.0
+	golang.org/x/image v0.4.0
+	golang.org/x/net v0.6.0
+	gorm.io/driver/mysql v1.4.6
+	gorm.io/driver/postgres v1.4.7
 	gorm.io/driver/sqlite v1.4.4
-	gorm.io/gorm v1.24.3
+	gorm.io/gorm v1.24.5
 )

 require (
@ -97,8 +97,8 @@ require (
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/ugorji/go/codec v1.2.7 // indirect
 	go.etcd.io/bbolt v1.3.5 // indirect
-	golang.org/x/sys v0.4.0 // indirect
-	golang.org/x/text v0.6.0 // indirect
+	golang.org/x/sys v0.5.0 // indirect
+	golang.org/x/text v0.7.0 // indirect
 	golang.org/x/time v0.0.0-20220922220347-f3bd1da661af // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect
--- a/go.sum
+++ b/go.sum
@ -12,10 +12,8 @@ github.com/aliyun/aliyun-oss-go-sdk v2.2.5+incompatible h1:QoRMR0TCctLDqBCMyOu1e
 github.com/aliyun/aliyun-oss-go-sdk v2.2.5+incompatible/go.mod h1:T/Aws4fEfogEE9v+HPhhw+CntffsBHJ8nXQCwKr0/g8=
 github.com/andreburgaud/crypt2go v1.1.0 h1:eitZxTPY1krUsxinsng3Qvt/Ud7q/aQmmYRh8p4hyPw=
 github.com/andreburgaud/crypt2go v1.1.0/go.mod h1:4qhZPzarj1dCIRmCkpdgCklwp+hBq9yEt0zPe9Ayuhc=
-github.com/aws/aws-sdk-go v1.44.173 h1:8kXIxvQnBpGhmR3Eof6SnCKgR0q5/L/3Qbv9vAC5wic=
-github.com/aws/aws-sdk-go v1.44.173/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
-github.com/aws/aws-sdk-go v1.44.174 h1:9lR4a6MKQW/t6YCG0ZKAt1GAkjdEPP8sWch/pfcuR0c=
-github.com/aws/aws-sdk-go v1.44.174/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
+github.com/aws/aws-sdk-go v1.44.194 h1:1ZDK+QDcc5oRbZGgRZSz561eR8XVizXCeGpoZKo33NU=
+github.com/aws/aws-sdk-go v1.44.194/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
 github.com/bits-and-blooms/bitset v1.2.0 h1:Kn4yilvwNtMACtf1eYDlG8H77R07mZSPbMjLyS07ChA=
 github.com/bits-and-blooms/bitset v1.2.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA=
 github.com/blevesearch/bleve/v2 v2.3.6 h1:NlntUHcV5CSWIhpugx4d/BRMGCiaoI8ZZXrXlahzNq4=
@ -54,8 +52,7 @@ github.com/bluele/gcache v0.0.2 h1:WcbfdXICg7G/DGBh1PFfcirkWOQV+v077yF1pSy3DGw=
 github.com/bluele/gcache v0.0.2/go.mod h1:m15KV+ECjptwSPxKhOhQoAFQVtUFjTVkc3H8o0t/fp0=
 github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI=
 github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
-github.com/caarlos0/env/v6 v6.10.1 h1:t1mPSxNpei6M5yAeu1qtRdPAK29Nbcf/n3G7x+b3/II=
-github.com/caarlos0/env/v6 v6.10.1/go.mod h1:hvp/ryKXKipEkcuYjs9mI4bBCg+UI0Yhgm5Zu0ddvwc=
+github.com/caarlos0/env/v7 v7.0.0 h1:cyczlTd/zREwSr9ch/mwaDl7Hse7kJuUY8hvHfXu5WI=
 github.com/caarlos0/env/v7 v7.0.0/go.mod h1:LPPWniDUq4JaO6Q41vtlyikhMknqymCLBw0eX4dcH1E=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
@ -66,6 +63,8 @@ github.com/deckarep/golang-set/v2 v2.1.0 h1:g47V4Or+DUdzbs8FxCCmgb6VYd+ptPAngjM6
 github.com/deckarep/golang-set/v2 v2.1.0/go.mod h1:VAky9rY/yGXJOLEDv3OMci+7wtDpOF4IN+y82NBOac4=
 github.com/disintegration/imaging v1.6.2 h1:w1LecBlG2Lnp8B3jk5zSuNqd7b4DXhcjwek1ei82L+c=
 github.com/disintegration/imaging v1.6.2/go.mod h1:44/5580QXChDfwIclfc/PCwrr44amcmDAg8hxG0Ewe4=
+github.com/dustinxie/ecc v0.0.0-20210511000915-959544187564 h1:I6KUy4CI6hHjqnyJLNCEi7YHVMkwwtfSr2k9splgdSM=
+github.com/dustinxie/ecc v0.0.0-20210511000915-959544187564/go.mod h1:yekO+3ZShy19S+bsmnERmznGy9Rfg6dWWWpiGJjNAz8=
 github.com/gaoyb7/115drive-webdav v0.1.8 h1:EJt4PSmcbvBY4KUh2zSo5p6fN9LZFNkIzuKejipubVw=
 github.com/gaoyb7/115drive-webdav v0.1.8/go.mod h1:BKbeY6j8SKs3+rzBFFALznGxbPmefEm3vA+dGhqgOGU=
 github.com/geoffgarside/ber v1.1.0 h1:qTmFG4jJbwiSzSXoNJeHcOprVzZ8Ulde2Rrrifu5U9w=
@ -236,11 +235,11 @@ golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.4.0/go.mod h1:3quD/ATkf6oY+rnes5c3ExXTbLc8mueNue5/DoinL80=
-golang.org/x/crypto v0.5.0 h1:U/0M97KRkSFvyD/3FSmdP5W5swImpNgle/EHFhOsQPE=
-golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU=
+golang.org/x/crypto v0.6.0 h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc=
+golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/image v0.0.0-20191009234506-e7c1f5e7dbb8/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.3.0 h1:HTDXbdK9bjfSWkPzDJIw89W8CAtfFGduujWs33NLLsg=
-golang.org/x/image v0.3.0/go.mod h1:fXd9211C/0VTlYuAcOhW8dY/RtEJqODXOWBDpmYBf+A=
+golang.org/x/image v0.4.0 h1:x1RWAiZIvERqkltrFjtQP1ycmiR5pmhjtCfVOtdURuQ=
+golang.org/x/image v0.4.0/go.mod h1:FVC7BI/5Ym8R25iw5OLsgshdUBbT1h5jZTpA+mvAdZ4=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@ -250,8 +249,8 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
 golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
-golang.org/x/net v0.5.0 h1:GyT4nK/YDHSqa1c4753ouYCDajOYKTja9Xb/OHtgvSw=
-golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
+golang.org/x/net v0.6.0 h1:L4ZwwTvKW9gr0ZMS1yrHD9GZhIuVjOBBnaKH+SPQK0Q=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220923202941-7f9b1623fab7/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -272,13 +271,13 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.4.0 h1:Zr2JFtRQNX3BCZ8YtxRE9hNJYC8J6I1MVbMg6owUp18=
-golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
-golang.org/x/term v0.4.0 h1:O7UWfv5+A2qiuulQk30kVinPoMtoIPeVaKLEgLpVkvg=
+golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@ -286,8 +285,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.6.0 h1:3XmdazWV+ubf7QgHSTWeykHOci5oeekaGJBLkrkaw4k=
-golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20220922220347-f3bd1da661af h1:Yx9k8YCG3dvF87UAn2tu2HQLf2dt/eR1bXxpLMWeH+Y=
 golang.org/x/time v0.0.0-20220922220347-f3bd1da661af/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@ -317,14 +316,14 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gorm.io/driver/mysql v1.4.5 h1:u1lytId4+o9dDaNcPCFzNv7h6wvmc92UjNk3z8enSBU=
-gorm.io/driver/mysql v1.4.5/go.mod h1:SxzItlnT1cb6e1e4ZRpgJN2VYtcqJgqnHxWr4wsP8oc=
-gorm.io/driver/postgres v1.4.6 h1:1FPESNXqIKG5JmraaH2bfCVlMQ7paLoCreFxDtqzwdc=
-gorm.io/driver/postgres v1.4.6/go.mod h1:UJChCNLFKeBqQRE+HrkFUbKbq9idPXmTOk2u4Wok8S4=
+gorm.io/driver/mysql v1.4.6 h1:5zS3vIKcyb46byXZNcYxaT9EWNIhXzu0gPuvvVrwZ8s=
+gorm.io/driver/mysql v1.4.6/go.mod h1:SxzItlnT1cb6e1e4ZRpgJN2VYtcqJgqnHxWr4wsP8oc=
+gorm.io/driver/postgres v1.4.7 h1:J06jXZCNq7Pdf7LIPn8tZn9LsWjd81BRSKveKNr0ZfA=
+gorm.io/driver/postgres v1.4.7/go.mod h1:UJChCNLFKeBqQRE+HrkFUbKbq9idPXmTOk2u4Wok8S4=
 gorm.io/driver/sqlite v1.4.4 h1:gIufGoR0dQzjkyqDyYSCvsYR6fba1Gw5YKDqKeChxFc=
 gorm.io/driver/sqlite v1.4.4/go.mod h1:0Aq3iPO+v9ZKbcdiz8gLWRw5VOPcBOPUQJFLq5e2ecI=
 gorm.io/gorm v1.23.8/go.mod h1:l2lP/RyAtc1ynaTjFksBde/O8v9oOGIApu2/xRitmZk=
 gorm.io/gorm v1.24.0/go.mod h1:DVrVomtaYTbqs7gB/x2uVvqnXzv0nqjB396B8cG4dBA=
 gorm.io/gorm v1.24.2/go.mod h1:DVrVomtaYTbqs7gB/x2uVvqnXzv0nqjB396B8cG4dBA=
-gorm.io/gorm v1.24.3 h1:WL2ifUmzR/SLp85CSURAfybcHnGZ+yLSGSxgYXlFBHg=
-gorm.io/gorm v1.24.3/go.mod h1:DVrVomtaYTbqs7gB/x2uVvqnXzv0nqjB396B8cG4dBA=
+gorm.io/gorm v1.24.5 h1:g6OPREKqqlWq4kh/3MCQbZKImeB9e6Xgc4zD+JgNZGE=
+gorm.io/gorm v1.24.5/go.mod h1:DVrVomtaYTbqs7gB/x2uVvqnXzv0nqjB396B8cG4dBA=
--- a/internal/bootstrap/config.go
+++ b/internal/bootstrap/config.go
@ -1,13 +1,15 @@
 package bootstrap

 import (
+	"crypto/tls"
 	"os"
 	"path/filepath"

 	"github.com/alist-org/alist/v3/cmd/flags"
+	"github.com/alist-org/alist/v3/drivers/base"
 	"github.com/alist-org/alist/v3/internal/conf"
 	"github.com/alist-org/alist/v3/pkg/utils"
-	"github.com/caarlos0/env/v6"
+	"github.com/caarlos0/env/v7"
 	log "github.com/sirupsen/logrus"
 )

@ -49,7 +51,7 @@ func InitConfig() {
 		if err != nil {
 			log.Fatalf("marshal config error: %+v", err)
 		}
-		err = os.WriteFile(configPath, confBody, 0777)
+		err = os.WriteFile(configPath, confBody, 0o777)
 		if err != nil {
 			log.Fatalf("update config struct error: %+v", err)
 		}
@ -69,11 +71,14 @@ func InitConfig() {
 	if err != nil {
 		log.Errorln("failed delete temp file:", err)
 	}
-	err = os.MkdirAll(conf.Conf.TempDir, 0777)
+	err = os.MkdirAll(conf.Conf.TempDir, 0o777)
 	if err != nil {
 		log.Fatalf("create temp dir error: %+v", err)
 	}
 	log.Debugf("config: %+v", conf.Conf)
+	if conf.Conf.TlsInsecureSkipVerify {
+		base.RestyClient = base.RestyClient.SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true})
+	}
 }

 func confFromEnv() {
--- a/internal/bootstrap/data/setting.go
+++ b/internal/bootstrap/data/setting.go
@ -129,13 +129,14 @@ func InitialSettings() []model.SettingItem {
 		{Key: conf.CustomizeHead, Value: `<script src="https://polyfill.io/v3/polyfill.min.js?features=String.prototype.replaceAll"></script>`, Type: conf.TypeText, Group: model.GLOBAL, Flag: model.PRIVATE},
 		{Key: conf.CustomizeBody, Type: conf.TypeText, Group: model.GLOBAL, Flag: model.PRIVATE},
 		{Key: conf.LinkExpiration, Value: "0", Type: conf.TypeNumber, Group: model.GLOBAL, Flag: model.PRIVATE},
-		{Key: conf.SignAll, Value: "true", Type: conf.TypeBool, Group: model.GLOBAL, Flag: model.PRIVATE},
+		{Key: conf.SignAll, Value: "false", Type: conf.TypeBool, Group: model.GLOBAL, Flag: model.PRIVATE},
 		{Key: conf.PrivacyRegs, Value: `(?:(?:\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])
 ([[:xdigit:]]{1,4}(?::[[:xdigit:]]{1,4}){7}|::|:(?::[[:xdigit:]]{1,4}){1,6}|[[:xdigit:]]{1,4}:(?::[[:xdigit:]]{1,4}){1,5}|(?:[[:xdigit:]]{1,4}:){2}(?::[[:xdigit:]]{1,4}){1,4}|(?:[[:xdigit:]]{1,4}:){3}(?::[[:xdigit:]]{1,4}){1,3}|(?:[[:xdigit:]]{1,4}:){4}(?::[[:xdigit:]]{1,4}){1,2}|(?:[[:xdigit:]]{1,4}:){5}:[[:xdigit:]]{1,4}|(?:[[:xdigit:]]{1,4}:){1,6}:)
 (?U)access_token=(.*)&`,
 			Type: conf.TypeText, Group: model.GLOBAL, Flag: model.PRIVATE},
 		{Key: conf.OcrApi, Value: "https://api.nn.ci/ocr/file/json", Type: conf.TypeString, Group: model.GLOBAL},
 		{Key: conf.FilenameCharMapping, Value: `{"/": "|"}`, Type: conf.TypeText, Group: model.GLOBAL},
+		{Key: conf.ForwardDirectLinkParams, Value: "false", Type: conf.TypeBool, Group: model.GLOBAL},

 		// aria2 settings
 		{Key: conf.Aria2Uri, Value: "http://localhost:6800/jsonrpc", Type: conf.TypeString, Group: model.ARIA2, Flag: model.PRIVATE},
@ -153,6 +154,9 @@ func InitialSettings() []model.SettingItem {
 		{Key: conf.GithubClientId, Value: "", Type: conf.TypeString, Group: model.GITHUB, Flag: model.PRIVATE},
 		{Key: conf.GithubClientSecrets, Value: "", Type: conf.TypeString, Group: model.GITHUB, Flag: model.PRIVATE},
 		{Key: conf.GithubLoginEnabled, Value: "false", Type: conf.TypeBool, Group: model.GITHUB, Flag: model.PUBLIC},
+
+		// qbittorrent settings
+		{Key: conf.QbittorrentUrl, Value: "http://admin:adminadmin@localhost:8080/", Type: conf.TypeString, Group: model.QBITTORRENT, Flag: model.PRIVATE},
 	}
 	if flags.Dev {
 		initialSettingItems = append(initialSettingItems, []model.SettingItem{
--- a/internal/bootstrap/data/user.go
+++ b/internal/bootstrap/data/user.go
@ -48,6 +48,7 @@ func initUser() {
 				Role:       model.GUEST,
 				BasePath:   "/",
 				Permission: 0,
+				Disabled:   true,
 			}
 			if err := db.CreateUser(guest); err != nil {
 				panic(err)
--- a/internal/bootstrap/log.go
+++ b/internal/bootstrap/log.go
@ -35,19 +35,22 @@ func setLog(l *logrus.Logger) {
 }

 func Log() {
-	log.SetOutput(logrus.StandardLogger().Out)
 	setLog(logrus.StandardLogger())
 	setLog(utils.Log)
 	logConfig := conf.Conf.Log
 	if logConfig.Enable {
-		mw := io.MultiWriter(os.Stdout, &lumberjack.Logger{
+		var w io.Writer = &lumberjack.Logger{
 			Filename:   logConfig.Name,
 			MaxSize:    logConfig.MaxSize, // megabytes
 			MaxBackups: logConfig.MaxBackups,
 			MaxAge:     logConfig.MaxAge,   //days
 			Compress:   logConfig.Compress, // disabled by default
-		})
-		logrus.SetOutput(mw)
+		}
+		if flags.Debug || flags.Dev {
+			w = io.MultiWriter(os.Stdout, w)
+		}
+		logrus.SetOutput(w)
 	}
+	log.SetOutput(logrus.StandardLogger().Out)
 	utils.Log.Infof("init logrus...")
 }
--- a/internal/bootstrap/qbittorrent.go
+++ b/internal/bootstrap/qbittorrent.go
@ -0,0 +1,15 @@
+package bootstrap
+
+import (
+	"github.com/alist-org/alist/v3/internal/qbittorrent"
+	"github.com/alist-org/alist/v3/pkg/utils"
+)
+
+func InitQbittorrent() {
+	go func() {
+		err := qbittorrent.InitClient()
+		if err != nil {
+			utils.Log.Infof("qbittorrent not ready.")
+		}
+	}()
+}
--- a/internal/conf/config.go
+++ b/internal/conf/config.go
@ -35,19 +35,20 @@ type LogConfig struct {
 }

 type Config struct {
-	Force          bool      `json:"force" env:"FORCE"`
-	Address        string    `json:"address" env:"ADDR"`
-	Port           int       `json:"port" env:"PORT"`
-	SiteURL        string    `json:"site_url" env:"SITE_URL"`
-	Cdn            string    `json:"cdn" env:"CDN"`
-	JwtSecret      string    `json:"jwt_secret" env:"JWT_SECRET"`
-	TokenExpiresIn int       `json:"token_expires_in" env:"TOKEN_EXPIRES_IN"`
-	Database       Database  `json:"database"`
-	Scheme         Scheme    `json:"scheme"`
-	TempDir        string    `json:"temp_dir" env:"TEMP_DIR"`
-	BleveDir       string    `json:"bleve_dir" env:"BLEVE_DIR"`
-	Log            LogConfig `json:"log"`
-	MaxConnections int       `json:"max_connections" env:"MAX_CONNECTIONS"`
+	Force                 bool      `json:"force" env:"FORCE"`
+	Address               string    `json:"address" env:"ADDR"`
+	Port                  int       `json:"port" env:"PORT"`
+	SiteURL               string    `json:"site_url" env:"SITE_URL"`
+	Cdn                   string    `json:"cdn" env:"CDN"`
+	JwtSecret             string    `json:"jwt_secret" env:"JWT_SECRET"`
+	TokenExpiresIn        int       `json:"token_expires_in" env:"TOKEN_EXPIRES_IN"`
+	Database              Database  `json:"database"`
+	Scheme                Scheme    `json:"scheme"`
+	TempDir               string    `json:"temp_dir" env:"TEMP_DIR"`
+	BleveDir              string    `json:"bleve_dir" env:"BLEVE_DIR"`
+	Log                   LogConfig `json:"log"`
+	MaxConnections        int       `json:"max_connections" env:"MAX_CONNECTIONS"`
+	TlsInsecureSkipVerify bool      `json:"tls_insecure_skip_verify" env:"TLS_INSECURE_SKIP_VERIFY"`
 }

 func DefaultConfig() *Config {
@ -75,6 +76,7 @@ func DefaultConfig() *Config {
 			MaxBackups: 5,
 			MaxAge:     28,
 		},
-		MaxConnections: 0,
+		MaxConnections:        0,
+		TlsInsecureSkipVerify: false,
 	}
 }
--- a/internal/conf/const.go
+++ b/internal/conf/const.go
@ -1,70 +1,74 @@
 package conf

 const (
-	TypeString = "string"
-	TypeSelect = "select"
-	TypeBool   = "bool"
-	TypeText   = "text"
-	TypeNumber = "number"
+    TypeString = "string"
+    TypeSelect = "select"
+    TypeBool   = "bool"
+    TypeText   = "text"
+    TypeNumber = "number"
 )

 const (
-	// site
-	VERSION      = "version"
-	SiteTitle    = "site_title"
-	Announcement = "announcement"
-	AllowIndexed = "allow_indexed"
+    // site
+    VERSION      = "version"
+    SiteTitle    = "site_title"
+    Announcement = "announcement"
+    AllowIndexed = "allow_indexed"

-	Logo      = "logo"
-	Favicon   = "favicon"
-	MainColor = "main_color"
+    Logo      = "logo"
+    Favicon   = "favicon"
+    MainColor = "main_color"

-	// preview
-	TextTypes          = "text_types"
-	AudioTypes         = "audio_types"
-	VideoTypes         = "video_types"
-	ImageTypes         = "image_types"
-	ProxyTypes         = "proxy_types"
-	ProxyIgnoreHeaders = "proxy_ignore_headers"
-	AudioAutoplay      = "audio_autoplay"
-	VideoAutoplay      = "video_autoplay"
+    // preview
+    TextTypes          = "text_types"
+    AudioTypes         = "audio_types"
+    VideoTypes         = "video_types"
+    ImageTypes         = "image_types"
+    ProxyTypes         = "proxy_types"
+    ProxyIgnoreHeaders = "proxy_ignore_headers"
+    AudioAutoplay      = "audio_autoplay"
+    VideoAutoplay      = "video_autoplay"

 	// global
-	HideFiles           = "hide_files"
-	CustomizeHead       = "customize_head"
-	CustomizeBody       = "customize_body"
-	LinkExpiration      = "link_expiration"
-	SignAll             = "sign_all"
-	PrivacyRegs         = "privacy_regs"
-	OcrApi              = "ocr_api"
-	FilenameCharMapping = "filename_char_mapping"
-
+	HideFiles               = "hide_files"
+	CustomizeHead           = "customize_head"
+	CustomizeBody           = "customize_body"
+	LinkExpiration          = "link_expiration"
+	SignAll                 = "sign_all"
+	PrivacyRegs             = "privacy_regs"
+	OcrApi                  = "ocr_api"
+	FilenameCharMapping     = "filename_char_mapping"
+	ForwardDirectLinkParams = "forward_direct_link_params"
+	
 	// index
 	SearchIndex     = "search_index"
 	AutoUpdateIndex = "auto_update_index"
 	IgnorePaths     = "ignore_paths"
 	MaxIndexDepth   = "max_index_depth"

-	// aria2
-	Aria2Uri    = "aria2_uri"
-	Aria2Secret = "aria2_secret"
+    // aria2
+    Aria2Uri    = "aria2_uri"
+    Aria2Secret = "aria2_secret"

-	// single
-	Token         = "token"
-	IndexProgress = "index_progress"
+    // single
+    Token         = "token"
+    IndexProgress = "index_progress"

-	//Github
-	GithubClientId      = "github_client_id"
-	GithubClientSecrets = "github_client_secrets"
-	GithubLoginEnabled  = "github_login_enabled"
+    //Github
+    GithubClientId      = "github_client_id"
+    GithubClientSecrets = "github_client_secrets"
+    GithubLoginEnabled  = "github_login_enabled"
+
+    // qbittorrent
+    QbittorrentUrl = "qbittorrent_url"
 )

 const (
-	UNKNOWN = iota
-	FOLDER
-	//OFFICE
-	VIDEO
-	AUDIO
-	TEXT
-	IMAGE
+    UNKNOWN = iota
+    FOLDER
+    //OFFICE
+    VIDEO
+    AUDIO
+    TEXT
+    IMAGE
 )
--- a/internal/fs/util.go
+++ b/internal/fs/util.go
@ -41,9 +41,9 @@ func getFileStreamFromLink(file model.Obj, link *model.Link) (*model.FileStream,
 	if link.Data != nil {
 		rc = link.Data
 	} else if link.FilePath != nil {
-		// copy a new temp, because will be deleted after upload
+		// create a new temp symbolic link, because it will be deleted after upload
 		newFilePath := stdpath.Join(conf.Conf.TempDir, fmt.Sprintf("%s-%s", uuid.NewString(), file.GetName()))
-		err := utils.CopyFile(*link.FilePath, newFilePath)
+		err := utils.SymlinkOrCopyFile(*link.FilePath, newFilePath)
 		if err != nil {
 			return nil, err
 		}
--- a/internal/model/setting.go
+++ b/internal/model/setting.go
@ -9,6 +9,7 @@ const (
 	ARIA2
 	INDEX
 	GITHUB
+	QBITTORRENT
 )

 const (
--- a/internal/model/user.go
+++ b/internal/model/user.go
@ -18,17 +18,19 @@ type User struct {
 	Password string `json:"password"`                                  // password
 	BasePath string `json:"base_path"`                                 // base path
 	Role     int    `json:"role"`                                      // user's role
+	Disabled bool   `json:"disabled"`
 	// Determine permissions by bit
-	//  0: can see hidden files
-	//  1: can access without password
-	//  2: can add aria2 tasks
-	//  3: can mkdir and upload
-	//  4: can rename
-	//  5: can move
-	//  6: can copy
-	//  7: can remove
-	//  8: webdav read
-	//  9: webdav write
+	//   0: can see hidden files
+	//   1: can access without password
+	//   2: can add aria2 tasks
+	//   3: can mkdir and upload
+	//   4: can rename
+	//   5: can move
+	//   6: can copy
+	//   7: can remove
+	//   8: webdav read
+	//   9: webdav write
+	//  10: can add qbittorrent tasks
 	Permission int32  `json:"permission"`
 	OtpSecret  string `json:"-"`
 	GithubID   int    `json:"github_id"`
@ -92,6 +94,10 @@ func (u User) CanWebdavManage() bool {
 	return u.IsAdmin() || (u.Permission>>9)&1 == 1
 }

+func (u User) CanAddQbittorrentTasks() bool {
+	return u.IsAdmin() || (u.Permission>>10)&1 == 1
+}
+
 func (u User) JoinPath(reqPath string) (string, error) {
 	return utils.JoinBasePath(u.BasePath, reqPath)
 }
--- a/internal/qbittorrent/add.go
+++ b/internal/qbittorrent/add.go
@ -0,0 +1,58 @@
+package qbittorrent
+
+import (
+	"context"
+	"fmt"
+	"path/filepath"
+
+	"github.com/alist-org/alist/v3/internal/conf"
+	"github.com/alist-org/alist/v3/internal/errs"
+	"github.com/alist-org/alist/v3/internal/op"
+	"github.com/alist-org/alist/v3/pkg/task"
+	"github.com/google/uuid"
+	"github.com/pkg/errors"
+)
+
+func AddURL(ctx context.Context, url string, dstDirPath string) error {
+	// check storage
+	storage, dstDirActualPath, err := op.GetStorageAndActualPath(dstDirPath)
+	if err != nil {
+		return errors.WithMessage(err, "failed get storage")
+	}
+	// check is it could upload
+	if storage.Config().NoUpload {
+		return errors.WithStack(errs.UploadNotSupported)
+	}
+	// check path is valid
+	obj, err := op.Get(ctx, storage, dstDirActualPath)
+	if err != nil {
+		if !errs.IsObjectNotFound(err) {
+			return errors.WithMessage(err, "failed get object")
+		}
+	} else {
+		if !obj.IsDir() {
+			// can't add to a file
+			return errors.WithStack(errs.NotFolder)
+		}
+	}
+	// call qbittorrent
+	id := uuid.NewString()
+	tempDir := filepath.Join(conf.Conf.TempDir, "qbittorrent", id)
+	err = qbclient.AddFromLink(url, tempDir, id)
+	if err != nil {
+		return errors.Wrapf(err, "failed to add url %s", url)
+	}
+	DownTaskManager.Submit(task.WithCancelCtx(&task.Task[string]{
+		ID:   id,
+		Name: fmt.Sprintf("download %s to [%s](%s)", url, storage.GetStorage().MountPath, dstDirActualPath),
+		Func: func(tsk *task.Task[string]) error {
+			m := &Monitor{
+				tsk:        tsk,
+				tempDir:    tempDir,
+				dstDirPath: dstDirPath,
+			}
+			return m.Loop()
+		},
+	}))
+	return nil
+}
--- a/internal/qbittorrent/client.go
+++ b/internal/qbittorrent/client.go
@ -0,0 +1,337 @@
+package qbittorrent
+
+import (
+	"bytes"
+	"errors"
+	"github.com/alist-org/alist/v3/pkg/utils"
+	"io"
+	"mime/multipart"
+	"net/http"
+	"net/http/cookiejar"
+	"net/url"
+)
+
+type Client interface {
+	AddFromLink(link string, savePath string, id string) error
+	GetInfo(id string) (TorrentInfo, error)
+	GetFiles(id string) ([]FileInfo, error)
+	Delete(id string) error
+}
+
+type client struct {
+	url    *url.URL
+	client http.Client
+	Client
+}
+
+func New(webuiUrl string) (Client, error) {
+	u, err := url.Parse(webuiUrl)
+	if err != nil {
+		return nil, err
+	}
+
+	jar, err := cookiejar.New(nil)
+	if err != nil {
+		return nil, err
+	}
+	var c = &client{
+		url:    u,
+		client: http.Client{Jar: jar},
+	}
+
+	err = c.checkAuthorization()
+	if err != nil {
+		return nil, err
+	}
+	return c, nil
+}
+
+func (c *client) checkAuthorization() error {
+	// check authorization
+	if c.authorized() {
+		return nil
+	}
+
+	// check authorization after logging in
+	err := c.login()
+	if err != nil {
+		return err
+	}
+	if c.authorized() {
+		return nil
+	}
+	return errors.New("unauthorized qbittorrent url")
+}
+
+func (c *client) authorized() bool {
+	resp, err := c.post("/api/v2/app/version", nil)
+	if err != nil {
+		return false
+	}
+	return resp.StatusCode == 200 // the status code will be 403 if not authorized
+}
+
+func (c *client) login() error {
+	// prepare HTTP request
+	v := url.Values{}
+	v.Set("username", c.url.User.Username())
+	passwd, _ := c.url.User.Password()
+	v.Set("password", passwd)
+	resp, err := c.post("/api/v2/auth/login", v)
+	if err != nil {
+		return err
+	}
+
+	// check result
+	body := make([]byte, 2)
+	_, err = resp.Body.Read(body)
+	if err != nil {
+		return err
+	}
+	if string(body) != "Ok" {
+		return errors.New("failed to login into qBittorrent webui with url: " + c.url.String())
+	}
+	return nil
+}
+
+func (c *client) post(path string, data url.Values) (*http.Response, error) {
+	u := c.url.JoinPath(path)
+	u.User = nil // remove userinfo for requests
+
+	req, err := http.NewRequest("POST", u.String(), bytes.NewReader([]byte(data.Encode())))
+	if err != nil {
+		return nil, err
+	}
+	if data != nil {
+		req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+	}
+
+	resp, err := c.client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	if resp.Cookies() != nil {
+		c.client.Jar.SetCookies(u, resp.Cookies())
+	}
+	return resp, nil
+}
+
+func (c *client) AddFromLink(link string, savePath string, id string) error {
+	err := c.checkAuthorization()
+	if err != nil {
+		return err
+	}
+
+	buf := new(bytes.Buffer)
+	writer := multipart.NewWriter(buf)
+
+	addField := func(name string, value string) {
+		if err != nil {
+			return
+		}
+		err = writer.WriteField(name, value)
+	}
+	addField("urls", link)
+	addField("savepath", savePath)
+	addField("tags", "alist-"+id)
+	if err != nil {
+		return err
+	}
+
+	err = writer.Close()
+	if err != nil {
+		return err
+	}
+
+	u := c.url.JoinPath("/api/v2/torrents/add")
+	u.User = nil // remove userinfo for requests
+	req, err := http.NewRequest("POST", u.String(), buf)
+	if err != nil {
+		return err
+	}
+	req.Header.Add("Content-Type", writer.FormDataContentType())
+
+	resp, err := c.client.Do(req)
+	if err != nil {
+		return err
+	}
+
+	// check result
+	body := make([]byte, 2)
+	_, err = resp.Body.Read(body)
+	if err != nil {
+		return err
+	}
+	if resp.StatusCode != 200 || string(body) != "Ok" {
+		return errors.New("failed to add qBittorrent task: " + link)
+	}
+	return nil
+}
+
+type TorrentStatus string
+
+const (
+	ERROR              TorrentStatus = "error"
+	MISSINGFILES       TorrentStatus = "missingFiles"
+	UPLOADING          TorrentStatus = "uploading"
+	PAUSEDUP           TorrentStatus = "pausedUP"
+	QUEUEDUP           TorrentStatus = "queuedUP"
+	STALLEDUP          TorrentStatus = "stalledUP"
+	CHECKINGUP         TorrentStatus = "checkingUP"
+	FORCEDUP           TorrentStatus = "forcedUP"
+	ALLOCATING         TorrentStatus = "allocating"
+	DOWNLOADING        TorrentStatus = "downloading"
+	METADL             TorrentStatus = "metaDL"
+	PAUSEDDL           TorrentStatus = "pausedDL"
+	QUEUEDDL           TorrentStatus = "queuedDL"
+	STALLEDDL          TorrentStatus = "stalledDL"
+	CHECKINGDL         TorrentStatus = "checkingDL"
+	FORCEDDL           TorrentStatus = "forcedDL"
+	CHECKINGRESUMEDATA TorrentStatus = "checkingResumeData"
+	MOVING             TorrentStatus = "moving"
+	UNKNOWN            TorrentStatus = "unknown"
+)
+
+// https://github.com/DGuang21/PTGo/blob/main/app/client/client_distributer.go
+type TorrentInfo struct {
+	AddedOn           int           `json:"added_on"`           // 将 torrent 添加到客户端的时间（Unix Epoch）
+	AmountLeft        int64         `json:"amount_left"`        // 剩余大小（字节）
+	AutoTmm           bool          `json:"auto_tmm"`           // 此 torrent 是否由 Automatic Torrent Management 管理
+	Availability      float64       `json:"availability"`       // 当前百分比
+	Category          string        `json:"category"`           //
+	Completed         int64         `json:"completed"`          // 完成的传输数据量（字节）
+	CompletionOn      int           `json:"completion_on"`      // Torrent 完成的时间（Unix Epoch）
+	ContentPath       string        `json:"content_path"`       // torrent 内容的绝对路径（多文件 torrent 的根路径，单文件 torrent 的绝对文件路径）
+	DlLimit           int           `json:"dl_limit"`           // Torrent 下载速度限制（字节/秒）
+	Dlspeed           int           `json:"dlspeed"`            // Torrent 下载速度（字节/秒）
+	Downloaded        int64         `json:"downloaded"`         // 已经下载大小
+	DownloadedSession int64         `json:"downloaded_session"` // 此会话下载的数据量
+	Eta               int           `json:"eta"`                //
+	FLPiecePrio       bool          `json:"f_l_piece_prio"`     // 如果第一个最后一块被优先考虑，则为true
+	ForceStart        bool          `json:"force_start"`        // 如果为此 torrent 启用了强制启动，则为true
+	Hash              string        `json:"hash"`               //
+	LastActivity      int           `json:"last_activity"`      // 上次活跃的时间（Unix Epoch）
+	MagnetURI         string        `json:"magnet_uri"`         // 与此 torrent 对应的 Magnet URI
+	MaxRatio          int           `json:"max_ratio"`          // 种子/上传停止种子前的最大共享比率
+	MaxSeedingTime    int           `json:"max_seeding_time"`   // 停止种子种子前的最长种子时间（秒）
+	Name              string        `json:"name"`               //
+	NumComplete       int           `json:"num_complete"`       //
+	NumIncomplete     int           `json:"num_incomplete"`     //
+	NumLeechs         int           `json:"num_leechs"`         // 连接到的 leechers 的数量
+	NumSeeds          int           `json:"num_seeds"`          // 连接到的种子数
+	Priority          int           `json:"priority"`           // 速度优先。如果队列被禁用或 torrent 处于种子模式，则返回 -1
+	Progress          float64       `json:"progress"`           // 进度
+	Ratio             float64       `json:"ratio"`              // Torrent 共享比率
+	RatioLimit        int           `json:"ratio_limit"`        //
+	SavePath          string        `json:"save_path"`
+	SeedingTime       int           `json:"seeding_time"`       // Torrent 完成用时（秒）
+	SeedingTimeLimit  int           `json:"seeding_time_limit"` // max_seeding_time
+	SeenComplete      int           `json:"seen_complete"`      // 上次 torrent 完成的时间
+	SeqDl             bool          `json:"seq_dl"`             // 如果启用顺序下载，则为true
+	Size              int64         `json:"size"`               //
+	State             TorrentStatus `json:"state"`              // 参见https://github.com/qbittorrent/qBittorrent/wiki/WebUI-API-(qBittorrent-4.1)#get-torrent-list
+	SuperSeeding      bool          `json:"super_seeding"`      // 如果启用超级播种，则为true
+	Tags              string        `json:"tags"`               // Torrent 的逗号连接标签列表
+	TimeActive        int           `json:"time_active"`        // 总活动时间（秒）
+	TotalSize         int64         `json:"total_size"`         // 此 torrent 中所有文件的总大小（字节）（包括未选择的文件）
+	Tracker           string        `json:"tracker"`            // 第一个具有工作状态的tracker。如果没有tracker在工作，则返回空字符串。
+	TrackersCount     int           `json:"trackers_count"`     //
+	UpLimit           int           `json:"up_limit"`           // 上传限制
+	Uploaded          int64         `json:"uploaded"`           // 累计上传
+	UploadedSession   int64         `json:"uploaded_session"`   // 当前session累计上传
+	Upspeed           int           `json:"upspeed"`            // 上传速度（字节/秒）
+}
+
+func (c *client) GetInfo(id string) (TorrentInfo, error) {
+	var infos []TorrentInfo
+
+	err := c.checkAuthorization()
+	if err != nil {
+		return TorrentInfo{}, err
+	}
+
+	v := url.Values{}
+	v.Set("tag", "alist-"+id)
+	response, err := c.post("/api/v2/torrents/info", v)
+	if err != nil {
+		return TorrentInfo{}, err
+	}
+
+	body, err := io.ReadAll(response.Body)
+	if err != nil {
+		return TorrentInfo{}, err
+	}
+	err = utils.Json.Unmarshal(body, &infos)
+	if err != nil {
+		return TorrentInfo{}, err
+	}
+	if len(infos) != 1 {
+		return TorrentInfo{}, errors.New("there should be exactly one task with tag \"alist-" + id + "\"")
+	}
+	return infos[0], nil
+}
+
+type FileInfo struct {
+	Index        int     `json:"index"`
+	Name         string  `json:"name"`
+	Size         int64   `json:"size"`
+	Progress     float32 `json:"progress"`
+	Priority     int     `json:"priority"`
+	IsSeed       bool    `json:"is_seed"`
+	PieceRange   []int   `json:"piece_range"`
+	Availability float32 `json:"availability"`
+}
+
+func (c *client) GetFiles(id string) ([]FileInfo, error) {
+	var infos []FileInfo
+
+	err := c.checkAuthorization()
+	if err != nil {
+		return []FileInfo{}, err
+	}
+
+	tInfo, err := c.GetInfo(id)
+	if err != nil {
+		return []FileInfo{}, err
+	}
+
+	v := url.Values{}
+	v.Set("hash", tInfo.Hash)
+	response, err := c.post("/api/v2/torrents/files", v)
+	if err != nil {
+		return []FileInfo{}, err
+	}
+
+	body, err := io.ReadAll(response.Body)
+	if err != nil {
+		return []FileInfo{}, err
+	}
+	err = utils.Json.Unmarshal(body, &infos)
+	if err != nil {
+		return []FileInfo{}, err
+	}
+	return infos, nil
+}
+
+func (c *client) Delete(id string) error {
+	err := c.checkAuthorization()
+	if err != nil {
+		return err
+	}
+
+	info, err := c.GetInfo(id)
+	if err != nil {
+		return err
+	}
+	v := url.Values{}
+	v.Set("hashes", info.Hash)
+	v.Set("deleteFiles", "false")
+	response, err := c.post("/api/v2/torrents/delete", v)
+	if err != nil {
+		return err
+	}
+	if response.StatusCode != 200 {
+		return errors.New("failed")
+	}
+	return nil
+}
--- a/internal/qbittorrent/client_test.go
+++ b/internal/qbittorrent/client_test.go
@ -0,0 +1,152 @@
+package qbittorrent
+
+import (
+	"net/http"
+	"net/http/cookiejar"
+	"net/url"
+	"testing"
+)
+
+func TestLogin(t *testing.T) {
+	// test logging in with wrong password
+	u, err := url.Parse("http://admin:admin@127.0.0.1:8080/")
+	if err != nil {
+		t.Error(err)
+	}
+	jar, err := cookiejar.New(nil)
+	if err != nil {
+		t.Error(err)
+	}
+	var c = &client{
+		url:    u,
+		client: http.Client{Jar: jar},
+	}
+	err = c.login()
+	if err == nil {
+		t.Error(err)
+	}
+
+	// test logging in with correct password
+	u, err = url.Parse("http://admin:adminadmin@127.0.0.1:8080/")
+	if err != nil {
+		t.Error(err)
+	}
+	c.url = u
+	err = c.login()
+	if err != nil {
+		t.Error(err)
+	}
+}
+
+// in this test, the `Bypass authentication for clients on localhost` option in qBittorrent webui should be disabled
+func TestAuthorized(t *testing.T) {
+	// init client
+	u, err := url.Parse("http://admin:adminadmin@127.0.0.1:8080/")
+	if err != nil {
+		t.Error(err)
+	}
+	jar, err := cookiejar.New(nil)
+	if err != nil {
+		t.Error(err)
+	}
+	var c = &client{
+		url:    u,
+		client: http.Client{Jar: jar},
+	}
+
+	// test without logging in, which should be unauthorized
+	authorized := c.authorized()
+	if authorized {
+		t.Error("Should not be authorized")
+	}
+
+	// test after logging in
+	err = c.login()
+	if err != nil {
+		t.Error(err)
+	}
+	authorized = c.authorized()
+	if !authorized {
+		t.Error("Should be authorized")
+	}
+}
+
+func TestNew(t *testing.T) {
+	_, err := New("http://admin:adminadmin@127.0.0.1:8080/")
+	if err != nil {
+		t.Error(err)
+	}
+	_, err = New("http://admin:wrong_password@127.0.0.1:8080/")
+	if err == nil {
+		t.Error("Should get an error")
+	}
+}
+
+func TestAdd(t *testing.T) {
+	// init client
+	c, err := New("http://admin:adminadmin@127.0.0.1:8080/")
+	if err != nil {
+		t.Error(err)
+	}
+
+	// test add
+	err = c.login()
+	if err != nil {
+		t.Error(err)
+	}
+	err = c.AddFromLink(
+		"https://releases.ubuntu.com/22.04/ubuntu-22.04.1-desktop-amd64.iso.torrent",
+		"D:\\qBittorrentDownload\\alist",
+		"uuid-1",
+	)
+	if err != nil {
+		t.Error(err)
+	}
+	err = c.AddFromLink(
+		"magnet:?xt=urn:btih:375ae3280cd80a8e9d7212e11dfaf7c45069dd35&dn=archlinux-2023.02.01-x86_64.iso",
+		"D:\\qBittorrentDownload\\alist",
+		"uuid-2",
+	)
+	if err != nil {
+		t.Error(err)
+	}
+}
+
+func TestGetInfo(t *testing.T) {
+	// init client
+	c, err := New("http://admin:adminadmin@127.0.0.1:8080/")
+	if err != nil {
+		t.Error(err)
+	}
+	_, err = c.GetInfo("uuid-1")
+	if err != nil {
+		t.Error(err)
+	}
+}
+
+func TestGetFiles(t *testing.T) {
+	// init client
+	c, err := New("http://admin:adminadmin@127.0.0.1:8080/")
+	if err != nil {
+		t.Error(err)
+	}
+	files, err := c.GetFiles("uuid-1")
+	if err != nil {
+		t.Error(err)
+	}
+	if len(files) != 1 {
+		t.Error("should have exactly one file")
+	}
+}
+
+func TestDelete(t *testing.T) {
+	// init client
+	c, err := New("http://admin:adminadmin@127.0.0.1:8080/")
+	if err != nil {
+		t.Error(err)
+	}
+	err = c.Delete("uuid-2")
+	if err != nil {
+		t.Error(err)
+	}
+}
--- a/internal/qbittorrent/monitor.go
+++ b/internal/qbittorrent/monitor.go
@ -0,0 +1,147 @@
+package qbittorrent
+
+import (
+	"fmt"
+	"github.com/alist-org/alist/v3/internal/model"
+	"github.com/alist-org/alist/v3/internal/op"
+	"github.com/alist-org/alist/v3/pkg/task"
+	"github.com/alist-org/alist/v3/pkg/utils"
+	"github.com/pkg/errors"
+	log "github.com/sirupsen/logrus"
+	"os"
+	"path"
+	"path/filepath"
+	"sync"
+	"sync/atomic"
+	"time"
+)
+
+type Monitor struct {
+	tsk        *task.Task[string]
+	tempDir    string
+	dstDirPath string
+	finish     chan struct{}
+}
+
+func (m *Monitor) Loop() error {
+	var (
+		err       error
+		completed bool
+	)
+	m.finish = make(chan struct{})
+outer:
+	for {
+		select {
+		case <-m.tsk.Ctx.Done():
+			err = qbclient.Delete(m.tsk.ID)
+			return err
+		case <-time.After(time.Second * 2):
+			completed, err = m.update()
+			if completed {
+				break outer
+			}
+		}
+	}
+	if err != nil {
+		return err
+	}
+	m.tsk.SetStatus("qbittorrent download completed, transferring")
+	<-m.finish
+	m.tsk.SetStatus("completed")
+	return nil
+}
+
+func (m *Monitor) update() (bool, error) {
+	info, err := qbclient.GetInfo(m.tsk.ID)
+	if err != nil {
+		m.tsk.SetStatus("qbittorrent " + string(info.State))
+		return true, err
+	}
+
+	progress := float64(info.Completed) / float64(info.Size) * 100
+	m.tsk.SetProgress(int(progress))
+	switch info.State {
+	case UPLOADING:
+	case PAUSEDUP:
+	case QUEUEDUP:
+	case STALLEDUP:
+	case FORCEDUP:
+	case CHECKINGUP:
+		err = m.complete()
+		return true, errors.WithMessage(err, "failed to transfer file")
+	case ALLOCATING:
+	case DOWNLOADING:
+	case METADL:
+	case PAUSEDDL:
+	case QUEUEDDL:
+	case STALLEDDL:
+	case CHECKINGDL:
+	case FORCEDDL:
+	case CHECKINGRESUMEDATA:
+	case MOVING:
+	case UNKNOWN: // or maybe should return an error for UNKNOWN?
+		m.tsk.SetStatus("qbittorrent downloading")
+		return false, nil
+	case ERROR:
+	case MISSINGFILES:
+		return true, errors.Errorf("failed to download %s, error: %s", m.tsk.ID, info.State)
+	}
+	return true, errors.New("unknown error occurred downloading qbittorrent") // should never happen
+}
+
+var TransferTaskManager = task.NewTaskManager(3, func(k *uint64) {
+	atomic.AddUint64(k, 1)
+})
+
+func (m *Monitor) complete() error {
+	// check dstDir again
+	storage, dstDirActualPath, err := op.GetStorageAndActualPath(m.dstDirPath)
+	if err != nil {
+		return errors.WithMessage(err, "failed get storage")
+	}
+	// get files
+	files, err := qbclient.GetFiles(m.tsk.ID)
+	if err != nil {
+		return errors.Wrapf(err, "failed to get files of %s", m.tsk.ID)
+	}
+	log.Debugf("files len: %d", len(files))
+	// upload files
+	var wg sync.WaitGroup
+	wg.Add(len(files))
+	go func() {
+		wg.Wait()
+		err := os.RemoveAll(m.tempDir)
+		m.finish <- struct{}{}
+		if err != nil {
+			log.Errorf("failed to remove qbittorrent temp dir: %+v", err.Error())
+		}
+	}()
+	for _, file := range files {
+		filePath := filepath.Join(m.tempDir, file.Name)
+		TransferTaskManager.Submit(task.WithCancelCtx(&task.Task[uint64]{
+			Name: fmt.Sprintf("transfer %s to [%s](%s)", filePath, storage.GetStorage().MountPath, dstDirActualPath),
+			Func: func(tsk *task.Task[uint64]) error {
+				defer wg.Done()
+				size := file.Size
+				mimetype := utils.GetMimeType(filePath)
+				f, err := os.Open(filePath)
+				if err != nil {
+					return errors.Wrapf(err, "failed to open file %s", filePath)
+				}
+				stream := &model.FileStream{
+					Obj: &model.Object{
+						Name:     path.Base(filePath),
+						Size:     size,
+						Modified: time.Now(),
+						IsFolder: false,
+					},
+					ReadCloser: f,
+					Mimetype:   mimetype,
+				}
+				newDistDir := filepath.Join(dstDirActualPath, file.Name)
+				return op.Put(tsk.Ctx, storage, newDistDir, stream, tsk.SetProgress)
+			},
+		}))
+	}
+	return nil
+}
--- a/internal/qbittorrent/qbittorrent.go
+++ b/internal/qbittorrent/qbittorrent.go
@ -0,0 +1,23 @@
+package qbittorrent
+
+import (
+	"github.com/alist-org/alist/v3/internal/conf"
+	"github.com/alist-org/alist/v3/internal/setting"
+	"github.com/alist-org/alist/v3/pkg/task"
+)
+
+var DownTaskManager = task.NewTaskManager[string](3)
+var qbclient Client
+
+func InitClient() error {
+	var err error
+	qbclient = nil
+
+	url := setting.GetStr(conf.QbittorrentUrl)
+	qbclient, err = New(url)
+	return err
+}
+
+func IsQbittorrentReady() bool {
+	return qbclient != nil
+}
--- a/internal/search/util.go
+++ b/internal/search/util.go
@ -52,10 +52,12 @@ func updateIgnorePaths() {
 					url := addition.Address + "/api/public/settings"
 					res, err := base.RestyClient.R().Get(url)
 					if err == nil {
-						allowIndexed = utils.Json.Get(res.Body(), "data", conf.AllowIndexed).ToBool()
+						log.Debugf("allow_indexed body: %+v", res.String())
+						allowIndexed = utils.Json.Get(res.Body(), "data", conf.AllowIndexed).ToString() == "true"
 						v3Visited[addition.Address] = allowIndexed
 					}
 				}
+				log.Debugf("%s allow_indexed: %v", addition.Address, allowIndexed)
 				if !allowIndexed {
 					ignorePaths = append(ignorePaths, storage.GetStorage().MountPath)
 				}
--- a/pkg/utils/file.go
+++ b/pkg/utils/file.go
@ -40,7 +40,7 @@ func CopyFile(src, dst string) error {
 }

 // CopyDir Dir copies a whole directory recursively
-func CopyDir(src string, dst string) error {
+func CopyDir(src, dst string) error {
 	var err error
 	var fds []os.DirEntry
 	var srcinfo os.FileInfo
@ -71,6 +71,17 @@ func CopyDir(src string, dst string) error {
 	return nil
 }

+// SymlinkOrCopyFile symlinks a file or copy if symlink failed
+func SymlinkOrCopyFile(src, dst string) error {
+	if err := CreateNestedDirectory(filepath.Dir(dst)); err != nil {
+		return err
+	}
+	if err := os.Symlink(src, dst); err != nil {
+		return CopyFile(src, dst)
+	}
+	return nil
+}
+
 // Exists determine whether the file exists
 func Exists(name string) bool {
 	if _, err := os.Stat(name); err != nil {
@ -81,15 +92,20 @@ func Exists(name string) bool {
 	return true
 }

+// CreateNestedDirectory create nested directory
+func CreateNestedDirectory(path string) error {
+	err := os.MkdirAll(path, 0700)
+	if err != nil {
+		log.Errorf("can't create folder, %s", err)
+	}
+	return err
+}
+
 // CreateNestedFile create nested file
 func CreateNestedFile(path string) (*os.File, error) {
 	basePath := filepath.Dir(path)
-	if !Exists(basePath) {
-		err := os.MkdirAll(basePath, 0700)
-		if err != nil {
-			log.Errorf("can't create folder, %s", err)
-			return nil, err
-		}
+	if err := CreateNestedDirectory(basePath); err != nil {
+		return nil, err
 	}
 	return os.Create(path)
 }
--- a/pkg/utils/hash.go
+++ b/pkg/utils/hash.go
@ -3,6 +3,7 @@ package utils
 import (
 	"crypto/md5"
 	"crypto/sha1"
+	"crypto/sha256"
 	"encoding/base64"
 	"encoding/hex"
 	"strings"
@ -14,6 +15,12 @@ func GetSHA1Encode(data string) string {
 	return hex.EncodeToString(h.Sum(nil))
 }

+func GetSHA256Encode(data string) string {
+	h := sha256.New()
+	h.Write([]byte(data))
+	return hex.EncodeToString(h.Sum(nil))
+}
+
 func GetMD5Encode(data string) string {
 	h := md5.New()
 	h.Write([]byte(data))
--- a/server/handles/down.go
+++ b/server/handles/down.go
@ -2,6 +2,7 @@ package handles

 import (
 	"fmt"
+	"net/url"
 	stdpath "path"
 	"strings"

@ -9,6 +10,7 @@ import (
 	"github.com/alist-org/alist/v3/internal/driver"
 	"github.com/alist-org/alist/v3/internal/fs"
 	"github.com/alist-org/alist/v3/internal/model"
+	"github.com/alist-org/alist/v3/internal/setting"
 	"github.com/alist-org/alist/v3/internal/sign"
 	"github.com/alist-org/alist/v3/pkg/utils"
 	"github.com/alist-org/alist/v3/server/common"
@ -27,6 +29,7 @@ func Down(c *gin.Context) {
 		Proxy(c)
 		return
 	} else {
+
 		link, _, err := fs.Link(c, rawPath, model.LinkArgs{
 			IP:     c.ClientIP(),
 			Header: c.Request.Header,
@ -38,6 +41,23 @@ func Down(c *gin.Context) {
 		}
 		c.Header("Referrer-Policy", "no-referrer")
 		c.Header("Cache-Control", "max-age=0, no-cache, no-store, must-revalidate")
+		if setting.GetBool(conf.ForwardDirectLinkParams) {
+			params := c.Request.URL.Query()
+			params.Del("sign")
+			u, err := url.Parse(link.URL)
+			if err != nil {
+				common.ErrorResp(c, err, 500)
+				return
+			}
+			values := u.Query()
+			for k := range params {
+				for i := range params[k] {
+					values.Set(k, params[k][i])
+				}
+			}
+			u.RawQuery = values.Encode()
+			link.URL = u.String()
+		}
 		c.Redirect(302, link.URL)
 	}
 }
@ -71,6 +91,23 @@ func Proxy(c *gin.Context) {
 			common.ErrorResp(c, err, 500)
 			return
 		}
+		if link.URL != "" && setting.GetBool(conf.ForwardDirectLinkParams) {
+			params := c.Request.URL.Query()
+			params.Del("sign")
+			u, err := url.Parse(link.URL)
+			if err != nil {
+				common.ErrorResp(c, err, 500)
+				return
+			}
+			values := u.Query()
+			for k := range params {
+				for i := range params[k] {
+					values.Set(k, params[k][i])
+				}
+			}
+			u.RawQuery = values.Encode()
+			link.URL = u.String()
+		}
 		err = common.Proxy(c.Writer, c.Request, link, file)
 		if err != nil {
 			common.ErrorResp(c, err, 500, true)
--- a/server/handles/qbittorrent.go
+++ b/server/handles/qbittorrent.go
@ -0,0 +1,69 @@
+package handles
+
+import (
+	"github.com/alist-org/alist/v3/internal/conf"
+	"github.com/alist-org/alist/v3/internal/model"
+	"github.com/alist-org/alist/v3/internal/op"
+	"github.com/alist-org/alist/v3/internal/qbittorrent"
+	"github.com/alist-org/alist/v3/server/common"
+	"github.com/gin-gonic/gin"
+)
+
+type SetQbittorrentReq struct {
+	Url string `json:"url" form:"url"`
+}
+
+func SetQbittorrent(c *gin.Context) {
+	var req SetQbittorrentReq
+	if err := c.ShouldBind(&req); err != nil {
+		common.ErrorResp(c, err, 400)
+		return
+	}
+	items := []model.SettingItem{
+		{Key: conf.QbittorrentUrl, Value: req.Url, Type: conf.TypeString, Group: model.QBITTORRENT, Flag: model.PRIVATE},
+	}
+	if err := op.SaveSettingItems(items); err != nil {
+		common.ErrorResp(c, err, 500)
+		return
+	}
+	if err := qbittorrent.InitClient(); err != nil {
+		common.ErrorResp(c, err, 500)
+		return
+	}
+	common.SuccessResp(c, "ok")
+}
+
+type AddQbittorrentReq struct {
+	Urls []string `json:"urls"`
+	Path string   `json:"path"`
+}
+
+func AddQbittorrent(c *gin.Context) {
+	user := c.MustGet("user").(*model.User)
+	if !user.CanAddQbittorrentTasks() {
+		common.ErrorStrResp(c, "permission denied", 403)
+		return
+	}
+	if !qbittorrent.IsQbittorrentReady() {
+		common.ErrorStrResp(c, "qbittorrent not ready", 500)
+		return
+	}
+	var req AddQbittorrentReq
+	if err := c.ShouldBind(&req); err != nil {
+		common.ErrorResp(c, err, 400)
+		return
+	}
+	reqPath, err := user.JoinPath(req.Path)
+	if err != nil {
+		common.ErrorResp(c, err, 403)
+		return
+	}
+	for _, url := range req.Urls {
+		err := qbittorrent.AddURL(c, url, reqPath)
+		if err != nil {
+			common.ErrorResp(c, err, 500)
+			return
+		}
+	}
+	common.SuccessResp(c)
+}
--- a/server/handles/task.go
+++ b/server/handles/task.go
@ -5,6 +5,7 @@ import (

 	"github.com/alist-org/alist/v3/internal/aria2"
 	"github.com/alist-org/alist/v3/internal/fs"
+	"github.com/alist-org/alist/v3/internal/qbittorrent"
 	"github.com/alist-org/alist/v3/pkg/task"
 	"github.com/alist-org/alist/v3/server/common"
 	"github.com/gin-gonic/gin"
@ -19,9 +20,19 @@ type TaskInfo struct {
 	Error    string `json:"error"`
 }

-func getTaskInfoUint(task *task.Task[uint64]) TaskInfo {
+type K2Str[K comparable] func(k K) string
+
+func uint64K2Str(k uint64) string {
+	return strconv.FormatUint(k, 10)
+}
+
+func strK2Str(str string) string {
+	return str
+}
+
+func getTaskInfo[K comparable](task *task.Task[K], k2Str K2Str[K]) TaskInfo {
 	return TaskInfo{
-		ID:       strconv.FormatUint(task.ID, 10),
+		ID:       k2Str(task.ID),
 		Name:     task.Name,
 		State:    task.GetState(),
 		Status:   task.GetStatus(),
@ -30,183 +41,68 @@ func getTaskInfoUint(task *task.Task[uint64]) TaskInfo {
 	}
 }

-func getTaskInfoStr(task *task.Task[string]) TaskInfo {
-	return TaskInfo{
-		ID:       task.ID,
-		Name:     task.Name,
-		State:    task.GetState(),
-		Status:   task.GetStatus(),
-		Progress: task.GetProgress(),
-		Error:    task.GetErrMsg(),
-	}
-}
-
-func getTaskInfosUint(tasks []*task.Task[uint64]) []TaskInfo {
+func getTaskInfos[K comparable](tasks []*task.Task[K], k2Str K2Str[K]) []TaskInfo {
 	var infos []TaskInfo
 	for _, t := range tasks {
-		infos = append(infos, getTaskInfoUint(t))
+		infos = append(infos, getTaskInfo(t, k2Str))
 	}
 	return infos
 }

-func getTaskInfosStr(tasks []*task.Task[string]) []TaskInfo {
-	var infos []TaskInfo
-	for _, t := range tasks {
-		infos = append(infos, getTaskInfoStr(t))
-	}
-	return infos
+type Str2K[K comparable] func(str string) (K, error)
+
+func str2Uint64K(str string) (uint64, error) {
+	return strconv.ParseUint(str, 10, 64)
 }

-func UndoneDownTask(c *gin.Context) {
-	common.SuccessResp(c, getTaskInfosStr(aria2.DownTaskManager.ListUndone()))
+func str2StrK(str string) (string, error) {
+	return str, nil
 }

-func DoneDownTask(c *gin.Context) {
-	common.SuccessResp(c, getTaskInfosStr(aria2.DownTaskManager.ListDone()))
-}
-
-func CancelDownTask(c *gin.Context) {
-	tid := c.Query("tid")
-	if err := aria2.DownTaskManager.Cancel(tid); err != nil {
-		common.ErrorResp(c, err, 500)
-	} else {
+func taskRoute[K comparable](g *gin.RouterGroup, manager *task.Manager[K], k2Str K2Str[K], str2K Str2K[K]) {
+	g.GET("/undone", func(c *gin.Context) {
+		common.SuccessResp(c, getTaskInfos(manager.ListUndone(), k2Str))
+	})
+	g.GET("/done", func(c *gin.Context) {
+		common.SuccessResp(c, getTaskInfos(manager.ListDone(), k2Str))
+	})
+	g.POST("/cancel", func(c *gin.Context) {
+		tid := c.Query("tid")
+		id, err := str2K(tid)
+		if err != nil {
+			common.ErrorResp(c, err, 400)
+			return
+		}
+		if err := manager.Cancel(id); err != nil {
+			common.ErrorResp(c, err, 500)
+		} else {
+			common.SuccessResp(c)
+		}
+	})
+	g.POST("/delete", func(c *gin.Context) {
+		tid := c.Query("tid")
+		id, err := str2K(tid)
+		if err != nil {
+			common.ErrorResp(c, err, 400)
+			return
+		}
+		if err := manager.Remove(id); err != nil {
+			common.ErrorResp(c, err, 500)
+		} else {
+			common.SuccessResp(c)
+		}
+	})
+	g.POST("/clear_done", func(c *gin.Context) {
+		manager.ClearDone()
 		common.SuccessResp(c)
-	}
+	})
 }

-func DeleteDownTask(c *gin.Context) {
-	tid := c.Query("tid")
-	if err := aria2.DownTaskManager.Remove(tid); err != nil {
-		common.ErrorResp(c, err, 500)
-	} else {
-		common.SuccessResp(c)
-	}
-}
-
-func ClearDoneDownTasks(c *gin.Context) {
-	aria2.DownTaskManager.ClearDone()
-	common.SuccessResp(c)
-}
-
-func UndoneTransferTask(c *gin.Context) {
-	common.SuccessResp(c, getTaskInfosUint(aria2.TransferTaskManager.ListUndone()))
-}
-
-func DoneTransferTask(c *gin.Context) {
-	common.SuccessResp(c, getTaskInfosUint(aria2.TransferTaskManager.ListDone()))
-}
-
-func CancelTransferTask(c *gin.Context) {
-	id := c.Query("tid")
-	tid, err := strconv.ParseUint(id, 10, 64)
-	if err != nil {
-		common.ErrorResp(c, err, 400)
-		return
-	}
-	if err := aria2.TransferTaskManager.Cancel(tid); err != nil {
-		common.ErrorResp(c, err, 500)
-	} else {
-		common.SuccessResp(c)
-	}
-}
-
-func DeleteTransferTask(c *gin.Context) {
-	id := c.Query("tid")
-	tid, err := strconv.ParseUint(id, 10, 64)
-	if err != nil {
-		common.ErrorResp(c, err, 400)
-		return
-	}
-	if err := aria2.TransferTaskManager.Remove(tid); err != nil {
-		common.ErrorResp(c, err, 500)
-	} else {
-		common.SuccessResp(c)
-	}
-}
-
-func ClearDoneTransferTasks(c *gin.Context) {
-	aria2.TransferTaskManager.ClearDone()
-	common.SuccessResp(c)
-}
-
-func UndoneUploadTask(c *gin.Context) {
-	common.SuccessResp(c, getTaskInfosUint(fs.UploadTaskManager.ListUndone()))
-}
-
-func DoneUploadTask(c *gin.Context) {
-	common.SuccessResp(c, getTaskInfosUint(fs.UploadTaskManager.ListDone()))
-}
-
-func CancelUploadTask(c *gin.Context) {
-	id := c.Query("tid")
-	tid, err := strconv.ParseUint(id, 10, 64)
-	if err != nil {
-		common.ErrorResp(c, err, 400)
-		return
-	}
-	if err := fs.UploadTaskManager.Cancel(tid); err != nil {
-		common.ErrorResp(c, err, 500)
-	} else {
-		common.SuccessResp(c)
-	}
-}
-
-func DeleteUploadTask(c *gin.Context) {
-	id := c.Query("tid")
-	tid, err := strconv.ParseUint(id, 10, 64)
-	if err != nil {
-		common.ErrorResp(c, err, 400)
-		return
-	}
-	if err := fs.UploadTaskManager.Remove(tid); err != nil {
-		common.ErrorResp(c, err, 500)
-	} else {
-		common.SuccessResp(c)
-	}
-}
-
-func ClearDoneUploadTasks(c *gin.Context) {
-	fs.UploadTaskManager.ClearDone()
-	common.SuccessResp(c)
-}
-
-func UndoneCopyTask(c *gin.Context) {
-	common.SuccessResp(c, getTaskInfosUint(fs.CopyTaskManager.ListUndone()))
-}
-
-func DoneCopyTask(c *gin.Context) {
-	common.SuccessResp(c, getTaskInfosUint(fs.CopyTaskManager.ListDone()))
-}
-
-func CancelCopyTask(c *gin.Context) {
-	id := c.Query("tid")
-	tid, err := strconv.ParseUint(id, 10, 64)
-	if err != nil {
-		common.ErrorResp(c, err, 400)
-		return
-	}
-	if err := fs.CopyTaskManager.Cancel(tid); err != nil {
-		common.ErrorResp(c, err, 500)
-	} else {
-		common.SuccessResp(c)
-	}
-}
-
-func DeleteCopyTask(c *gin.Context) {
-	id := c.Query("tid")
-	tid, err := strconv.ParseUint(id, 10, 64)
-	if err != nil {
-		common.ErrorResp(c, err, 400)
-		return
-	}
-	if err := fs.CopyTaskManager.Remove(tid); err != nil {
-		common.ErrorResp(c, err, 500)
-	} else {
-		common.SuccessResp(c)
-	}
-}
-
-func ClearDoneCopyTasks(c *gin.Context) {
-	fs.CopyTaskManager.ClearDone()
-	common.SuccessResp(c)
+func SetupTaskRoute(g *gin.RouterGroup) {
+	taskRoute(g.Group("/aria2_down"), aria2.DownTaskManager, strK2Str, str2StrK)
+	taskRoute(g.Group("/aria2_transfer"), aria2.TransferTaskManager, uint64K2Str, str2Uint64K)
+	taskRoute(g.Group("/upload"), fs.UploadTaskManager, uint64K2Str, str2Uint64K)
+	taskRoute(g.Group("/copy"), fs.CopyTaskManager, uint64K2Str, str2Uint64K)
+	taskRoute(g.Group("/qbit_down"), qbittorrent.DownTaskManager, strK2Str, str2StrK)
+	taskRoute(g.Group("/qbit_transfer"), qbittorrent.TransferTaskManager, uint64K2Str, str2Uint64K)
 }
--- a/server/handles/user.go
+++ b/server/handles/user.go
@ -67,6 +67,10 @@ func UpdateUser(c *gin.Context) {
 	if req.OtpSecret == "" {
 		req.OtpSecret = user.OtpSecret
 	}
+	if req.Disabled && req.IsAdmin() {
+		common.ErrorStrResp(c, "admin user can not be disabled", 400)
+		return
+	}
 	if err := op.UpdateUser(&req); err != nil {
 		common.ErrorResp(c, err, 500)
 	} else {
--- a/server/middlewares/auth.go
+++ b/server/middlewares/auth.go
@ -33,6 +33,11 @@ func Auth(c *gin.Context) {
 			c.Abort()
 			return
 		}
+		if guest.Disabled {
+			common.ErrorStrResp(c, "Guest user is disabled, login please", 401)
+			c.Abort()
+			return
+		}
 		c.Set("user", guest)
 		log.Debugf("use empty token: %+v", guest)
 		c.Next()
@ -50,6 +55,11 @@ func Auth(c *gin.Context) {
 		c.Abort()
 		return
 	}
+	if user.Disabled {
+		common.ErrorStrResp(c, "Current user is disabled, replace please", 401)
+		c.Abort()
+		return
+	}
 	c.Set("user", user)
 	log.Debugf("use login token: %+v", user)
 	c.Next()
--- a/server/router.go
+++ b/server/router.go
@ -34,8 +34,10 @@ func Init(r *gin.Engine) {
 	auth.POST("/me/update", handles.UpdateCurrent)
 	auth.POST("/auth/2fa/generate", handles.Generate2FA)
 	auth.POST("/auth/2fa/verify", handles.Verify2FA)
-	auth.GET("/auth/github", handles.GithubLoginRedirect)
-	auth.GET("/auth/github_callback", handles.GithubLoginCallback)
+
+	// github auth
+	api.GET("/auth/github", handles.GithubLoginRedirect)
+	api.GET("/auth/github_callback", handles.GithubLoginCallback)

 	// no need auth
 	public := api.Group("/public")
@ -87,28 +89,10 @@ func admin(g *gin.RouterGroup) {
 	setting.POST("/delete", handles.DeleteSetting)
 	setting.POST("/reset_token", handles.ResetToken)
 	setting.POST("/set_aria2", handles.SetAria2)
+	setting.POST("/set_qbittorrent", handles.SetQbittorrent)

 	task := g.Group("/task")
-	task.GET("/down/undone", handles.UndoneDownTask)
-	task.GET("/down/done", handles.DoneDownTask)
-	task.POST("/down/cancel", handles.CancelDownTask)
-	task.POST("/down/delete", handles.DeleteDownTask)
-	task.POST("/down/clear_done", handles.ClearDoneDownTasks)
-	task.GET("/transfer/undone", handles.UndoneTransferTask)
-	task.GET("/transfer/done", handles.DoneTransferTask)
-	task.POST("/transfer/cancel", handles.CancelTransferTask)
-	task.POST("/transfer/delete", handles.DeleteTransferTask)
-	task.POST("/transfer/clear_done", handles.ClearDoneTransferTasks)
-	task.GET("/upload/undone", handles.UndoneUploadTask)
-	task.GET("/upload/done", handles.DoneUploadTask)
-	task.POST("/upload/cancel", handles.CancelUploadTask)
-	task.POST("/upload/delete", handles.DeleteUploadTask)
-	task.POST("/upload/clear_done", handles.ClearDoneUploadTasks)
-	task.GET("/copy/undone", handles.UndoneCopyTask)
-	task.GET("/copy/done", handles.DoneCopyTask)
-	task.POST("/copy/cancel", handles.CancelCopyTask)
-	task.POST("/copy/delete", handles.DeleteCopyTask)
-	task.POST("/copy/clear_done", handles.ClearDoneCopyTasks)
+	handles.SetupTaskRoute(task)

 	ms := g.Group("/message")
 	ms.POST("/get", message.HttpInstance.GetHandle)
@ -137,6 +121,7 @@ func _fs(g *gin.RouterGroup) {
 	g.PUT("/form", middlewares.FsUp, handles.FsForm)
 	g.POST("/link", middlewares.AuthAdmin, handles.Link)
 	g.POST("/add_aria2", handles.AddAria2)
+	g.POST("/add_qbit", handles.AddQbittorrent)
 }

 func Cors(r *gin.Engine) {
--- a/wrapper/zcc-arm64
+++ b/wrapper/zcc-arm64
@ -0,0 +1,2 @@
+#!/bin/sh
+zig cc -target aarch64-windows-gnu $@
--- a/wrapper/zcxx-arm64
+++ b/wrapper/zcxx-arm64
@ -0,0 +1,2 @@
+#!/bin/sh
+zig c++ -target aarch64-windows-gnu $@
Author	SHA1	Message	Date
Andy Hsu	fe416ba15c	feat!: close `sign_all` by default	2023-02-14 19:20:15 +08:00
Andy Hsu	de66708b24	fix(aliyundrive): device session signature error (#3398 ) * fix signature * fix: indent-error-flow [skip ci]	2023-02-14 19:17:21 +08:00
Andy Hsu	2ca3e0b8bc	fix(123): incorrect download url (close #3385 )	2023-02-14 15:47:41 +08:00
Andy Hsu	ae04a0a760	chore: go mod tidy	2023-02-14 15:30:33 +08:00
kdxcxs	c28168c970	feat: support qbittorrent (close #3087 in #3333 ) * feat(qbittorrent): authorization and logging in support * feat(qbittorrent/client): support `AddFromLink` * refactor(qbittorrent/client): check authorization when getting a new client * feat(qbittorrent/client): support `GetInfo` * test(qbittorrent/client): update test cases * feat(qbittorrent): init qbittorrent client on bootstrap * feat(qbittorrent): support setting webui url via gin * feat(qbittorrent/client): support deleting * feat(qbittorrent/client): parse `TorrentStatus` enum when unmarshalling json in `GetInfo()` * feat(qbittorrent/client): support getting files by id * feat(qbittorrent): support adding qbittorrent tasks via gin * refactor(qbittorrent/client): return a `Client` interface in `New()` instead of `client` refactor: task handle * chore: fix typo * chore: change path --------- Co-authored-by: Andy Hsu <i@nn.ci>	2023-02-14 15:20:45 +08:00
foxxorcat	46b2ed2507	fix(aliyundriver):x-device-id error code (#3390 ) * fix(aliyundriver):x-drvice-id error code * fix(aliyunpan):session signature error * fix typo --------- Co-authored-by: Andy Hsu <i@nn.ci>	2023-02-14 14:11:07 +08:00
NewbieOrange	22843ffc70	fix(fs): copy file if symlink failed (#3368 )	2023-02-13 14:41:35 +08:00
NewbieOrange	e1b6368343	feat(aliyundrive): zero copy for local file uploads (#3359 )	2023-02-12 16:13:57 +08:00
NewbieOrange	62dae50d70	feat(fs): create symbolic link instead of copy local files (close #2186 in #3354 )	2023-02-12 16:03:11 +08:00
Andy Hsu	43a8ed472b	fix: can't login by github after disable guest (close #3314 )	2023-02-09 20:12:04 +08:00
Andy Hsu	d87878c232	ci: cancel `win/arm64` on dev build [skip ci]	2023-02-09 20:05:00 +08:00
Noah Hsu	ab7dee49b0	feat: add `windows/arm64` target (close #3308 )	2023-02-09 19:52:40 +08:00
renovate[bot]	dca115506d	fix(deps): update module golang.org/x/crypto to v0.6.0 [skip ci] (#3315 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2023-02-09 16:17:10 +08:00
renovate[bot]	be17fba0c6	fix(deps): update module golang.org/x/net to v0.6.0 [skip ci] (#3316 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2023-02-09 16:16:43 +08:00
renovate[bot]	cd58aa5efe	fix(deps): update module gorm.io/driver/mysql to v1.4.6 (#3311 ) [skip ci] Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2023-02-09 16:00:08 +08:00
renovate[bot]	946833d2cc	fix(deps): update module golang.org/x/image to v0.4.0 (#3323 ) [skip ci] Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2023-02-09 15:59:31 +08:00
renovate[bot]	eb42d09849	chore(deps): update docker/build-push-action action to v4 (#3200 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2023-02-08 22:22:33 +08:00
renovate[bot]	9d00492750	fix(deps): update module gorm.io/driver/postgres to v1.4.7 (#3312 ) [skip ci] Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2023-02-08 22:20:04 +08:00
renovate[bot]	b6711d6ab9	chore(deps): update actions-cool/issues-helper action to v3.4.0 (#3279 ) [skip ci] Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2023-02-08 22:12:02 +08:00
BoYanZh	7bc46de8aa	feat: settings for tls insecure skip verify (close #3306 in #3307 )	2023-02-08 22:01:26 +08:00
Noah Hsu	a4f4fb2d73	chore(deps): upgrade github.com/caarlos0/env	2023-02-07 19:55:55 +08:00
Noah Hsu	a181b56ea7	feat: optional forward direct link params (close #3123 )	2023-02-07 16:39:14 +08:00
Noah Hsu	d0b743d955	fix(onedrive): downloadUrl missed on personal account (close #3276 )	2023-02-07 16:16:29 +08:00
Noah Hsu	a985b748e9	fix: allow_indexed check (close #3291 )	2023-02-07 15:14:39 +08:00
Andy Hsu	44cb8aaafe	feat: only log to std on debug/dev mode	2023-02-05 09:17:37 +08:00
Andy Hsu	51f5d1b3c4	fix(local): set perm `0777` for folder (close #2996 )	2023-02-04 12:11:13 +08:00
Andy Hsu	36e0d6f787	perf(onedrive): optimize request parameter (close #3178 )	2023-02-04 11:53:13 +08:00
Andy Hsu	3d0065bdcf	feat!: allow disable user (close #3241 ) From this commit, the guest user will be disabled by default	2023-02-04 11:44:17 +08:00
renovate[bot]	7bf8071095	fix(deps): update module github.com/aws/aws-sdk-go to v1.44.194 (#2940 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2023-02-04 11:24:47 +08:00
renovate[bot]	30d39f8e10	fix(deps): update module gorm.io/gorm to v1.24.5 (#3231 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2023-02-04 11:22:39 +08:00
aimuz	20d3ef7de6	fix(139): check http code & increase chunk size (#3224 ) * fixed: 大文件上传导致连接重置 Signed-off-by: aimuz <mr.imuz@gmail.com> * revert Dockerfile --------- Signed-off-by: aimuz <mr.imuz@gmail.com> Co-authored-by: Andy Hsu <i@nn.ci>	2023-02-04 11:20:13 +08:00
Code2qing	86e5dae4d1	fix(aliyundrive_share): no permission after share_id change (#3246 )	2023-02-04 11:10:28 +08:00
Andy Hsu	d89b1d4871	fix(baidu_baidu_netdisk): override for create (close #3242 )	2023-02-03 18:10:39 +08:00
Zayia	080e6fb22a	fix(google_drive): allow download abuse file (#3217 ) 通过添加参数acknowledgeAbuse=true，对疑似风险文件直接下载	2023-02-01 19:43:36 +08:00
Wuxuan	e1cd71616d	feat(aliyundrive): internal upload (aliyun ECS for Beijing area only) (#3188 ) Co-authored-by: wangwuxuan2011 <git@wangwuxuan.cn>	2023-01-30 11:18:08 +08:00