[PB-6018]: feat/add-webdav-custom-auth

README.md

@@ -1396,15 +1396,25 @@ Edit the configuration of the Internxt CLI WebDav server as the port or the prot
 
 ```
 USAGE
-  $ internxt webdav-config [--json] [-l <value>] [-p <value>] [-s | -h] [-t <value>] [-c]
+  $ internxt webdav-config [--json] [-x] [--debug] [-l <value>] [-p <value>] [-s | -h] [-t <value>] [-c] [-a] [-u
+    <value>] [-w <value>]
 
 FLAGS
+  -a, --[no-]customAuth      Configures the WebDAV server to use custom authentication.
   -c, --[no-]createFullPath  Auto-create missing parent directories during file uploads.
   -h, --http                 Configures the WebDAV server to use insecure plain HTTP.
   -l, --host=<value>         The listening host for the WebDAV server.
   -p, --port=<value>         The new port for the WebDAV server.
   -s, --https                Configures the WebDAV server to use HTTPS with self-signed certificates.
   -t, --timeout=<value>      Configures the WebDAV server to use this timeout in minutes.
+  -u, --username=<value>     Configures the WebDAV server to use this username for custom authentication.
+  -w, --password=<value>     Configures the WebDAV server to use this password for custom authentication.
+
+HELPER FLAGS
+  -x, --non-interactive  [env: INXT_NONINTERACTIVE] Prevents the CLI from being interactive. When enabled, the CLI will
+                         not request input through the console and will throw errors directly.
+      --debug            [env: INXT_DEBUG] Enables debug mode. When enabled, the CLI will print debug messages to the
+                         console.
 
 GLOBAL FLAGS
   --json  Format output as json.

docker/README.md

@@ -20,8 +20,12 @@ services:
       INXT_PASSWORD: ""       # Your Internxt account password
       INXT_TWOFACTORCODE: ""  # (Optional) Current 2FA one-time code
       INXT_OTPTOKEN: ""       # (Optional) OTP secret for auto-generating 2FA codes
+      INXT_WORKSPACE_ID: ""   # (Optional) Workspace ID to use for WebDAV server
       WEBDAV_PORT: ""         # (Optional) WebDAV port. Defaults to 3005 if empty
       WEBDAV_PROTOCOL: ""     # (Optional) WebDAV protocol. Accepts 'http' or 'https'. Defaults to 'https' if empty
+      WEBDAV_CUSTOM_AUTH: ""  # (Optional) Enable custom authentication. Set to 'true' to enable
+      WEBDAV_USERNAME: ""     # (Optional) Custom username for WebDAV authentication
+      WEBDAV_PASSWORD: ""     # (Optional) Custom password for WebDAV authentication
     ports:
       - "127.0.0.1:3005:3005" # Map container port to host. Change if WEBDAV_PORT is customized
 ```
@@ -42,8 +46,12 @@ docker run -d \
   -e INXT_PASSWORD="your_password" \
   -e INXT_TWOFACTORCODE="" \
   -e INXT_OTPTOKEN="" \
+  -e INXT_WORKSPACE_ID="" \
   -e WEBDAV_PORT="" \
   -e WEBDAV_PROTOCOL="" \
+  -e WEBDAV_CUSTOM_AUTH="false" \
+  -e WEBDAV_USERNAME="" \
+  -e WEBDAV_PASSWORD="" \
   -p 127.0.0.1:3005:3005 \
   internxt/webdav:latest
 ```
@@ -77,12 +85,28 @@ You can also run the `internxt/webdav` image directly on popular NAS devices lik
 | `INXT_PASSWORD`      | ✅ Yes   | Your Internxt account password.                                                                |
 | `INXT_TWOFACTORCODE` | ❌ No    | Temporary one-time code from your 2FA app. Must be refreshed every startup.                    |
 | `INXT_OTPTOKEN`      | ❌ No    | OTP secret key (base32). Used to auto-generate fresh codes at runtime.                         |
+| `INXT_WORKSPACE_ID`  | ❌ No    | Workspace ID to use. If set, the WebDAV server will operate within this workspace.             |
 | `WEBDAV_PORT`        | ❌ No    | Port for the WebDAV server. Defaults to `3005` if left empty.                                  |
 | `WEBDAV_PROTOCOL`    | ❌ No    | Protocol for the WebDAV server. Accepts `http` or `https`. Defaults to `https` if left empty.  |
+| `WEBDAV_CUSTOM_AUTH` | ❌ No    | Enable custom Basic Authentication for WebDAV. Set to `true` to enable.                        |
+| `WEBDAV_USERNAME`    | ❌ No    | Username for custom WebDAV authentication. Required if `WEBDAV_CUSTOM_AUTH` is enabled.        |
+| `WEBDAV_PASSWORD`    | ❌ No    | Password for custom WebDAV authentication. Required if `WEBDAV_CUSTOM_AUTH` is enabled.        |
 
 
 ---
 
+### Custom WebDAV Authentication
+
+By default, the WebDAV server starts with anonymous authentication enabled, meaning anyone with access to the server URL can connect without credentials. Under the hood, the server uses your Internxt credentials to access your files, but clients don't need to authenticate. If you want to restrict access to your WebDAV server or simply enhance its security, you can enable custom authentication with `WEBDAV_CUSTOM_AUTH`.
+
+**Security recommendations:**
+- 🚨 **We strongly recommend NOT exposing your WebDAV server to the internet.** Keep it on your secure local network whenever possible.
+- ⚠️ **Do NOT use your Internxt username and password** for `WEBDAV_USERNAME` and `WEBDAV_PASSWORD`
+- Create unique, strong credentials specifically for WebDAV access
+- Try to always use HTTPS (`WEBDAV_PROTOCOL=https`) when enabling custom authentication
+
+**Important:** When connecting to your WebDAV server with custom authentication enabled, you must use the credentials defined in `WEBDAV_USERNAME` and `WEBDAV_PASSWORD`, not your Internxt account credentials.
+
 ### 🔄 2FA Options Explained
 
 If your Internxt account has **two-factor authentication enabled**, you can choose one of the following:
@@ -95,6 +119,9 @@ If your Internxt account has **two-factor authentication enabled**, you can choo
 💡 **Recommended:** Use `INXT_OTPTOKEN` if you want your container to run unattended without re-entering codes on each restart.
 
 
+### Using Workspaces
+If you have access to Internxt Workspaces and want to use the WebDAV server with a specific workspace instead of your personal drive, you can set the INXT_WORKSPACE_ID environment variable.
+
 ## 🌐 Accessing WebDAV
 
 Once running, your Internxt WebDAV server will be available at:

docker/entrypoint.sh

@@ -22,6 +22,11 @@ fi
 
 internxt login-legacy $LOGIN_ARGS
 
+if [ -n "$INXT_WORKSPACE_ID" ]; then
+  echo "Switching to workspace: $INXT_WORKSPACE_ID"
+  internxt workspaces use -i="$INXT_WORKSPACE_ID"
+fi
+
 
 WEBDAV_ARGS="-l=0.0.0.0"
 
@@ -36,6 +41,16 @@ elif [ "$proto" = "https" ]; then
   WEBDAV_ARGS="$WEBDAV_ARGS -s"
 fi
 
+customAuth=$(echo "$WEBDAV_CUSTOM_AUTH" | tr '[:upper:]' '[:lower:]')
+if [ "$customAuth" = "true" ] || [ "$customAuth" = "1" ] || [ "$customAuth" = "yes" ] || [ "$customAuth" = "y" ]; then
+  if [ -z "$WEBDAV_USERNAME" ] || [ -z "$WEBDAV_PASSWORD" ]; then
+    echo "Error: WEBDAV_USERNAME and WEBDAV_PASSWORD must be set when WEBDAV_CUSTOM_AUTH is enabled."
+    exit 1
+  fi
+  echo "Enabling custom WebDAV authentication for user: $WEBDAV_USERNAME"
+  WEBDAV_ARGS="$WEBDAV_ARGS --customAuth -u=$WEBDAV_USERNAME -w=$WEBDAV_PASSWORD"
+fi
+
 internxt webdav-config $WEBDAV_ARGS
 
 internxt webdav enable

src/commands/webdav-config.ts

@@ -1,7 +1,12 @@
 import { Command, Flags } from '@oclif/core';
 import { ConfigService } from '../services/config.service';
 import { CLIUtils } from '../utils/cli.utils';
-import { NotValidPortError } from '../types/command.types';
+import {
+  EmptyCustomAuthUsernameError,
+  MissingCredentialsWhenUsingAuthError,
+  NotValidPortError,
+  EmptyCustomAuthPasswordError,
+} from '../types/command.types';
 import { ValidationService } from '../services/validation.service';
 
 export default class WebDAVConfig extends Command {
@@ -10,6 +15,7 @@ export default class WebDAVConfig extends Command {
   static readonly aliases = [];
   static readonly examples = ['<%= config.bin %> <%= command.id %>'];
   static readonly flags = {
+    ...CLIUtils.CommonFlags,
     host: Flags.string({
       char: 'l',
       description: 'The listening host for the WebDAV server.',
@@ -44,13 +50,31 @@ export default class WebDAVConfig extends Command {
       required: false,
       allowNo: true,
     }),
+    customAuth: Flags.boolean({
+      char: 'a',
+      description: 'Configures the WebDAV server to use custom authentication.',
+      required: false,
+      default: undefined,
+      allowNo: true,
+    }),
+    username: Flags.string({
+      char: 'u',
+      description: 'Configures the WebDAV server to use this username for custom authentication.',
+      required: false,
+    }),
+    password: Flags.string({
+      char: 'w',
+      description: 'Configures the WebDAV server to use this password for custom authentication.',
+      required: false,
+    }),
   };
   static readonly enableJsonFlag = true;
 
   public run = async () => {
-    const {
-      flags: { host, port, http, https, timeout, createFullPath },
-    } = await this.parse(WebDAVConfig);
+    const { flags } = await this.parse(WebDAVConfig);
+    const { host, port, https, http, timeout, createFullPath, customAuth, username, password } = flags;
+    const nonInteractive = flags['non-interactive'];
+
     const webdavConfig = await ConfigService.instance.readWebdavConfig();
 
     if (host) {
@@ -81,10 +105,30 @@ export default class WebDAVConfig extends Command {
       webdavConfig['createFullPath'] = createFullPath;
     }
 
+    if (customAuth !== undefined) {
+      webdavConfig['customAuth'] = customAuth;
+    }
+    if (username) {
+      webdavConfig['username'] = await this.getUsername(username, nonInteractive);
+    }
+    if (password) {
+      webdavConfig['password'] = await this.getPassword(password, nonInteractive);
+    }
+    if (webdavConfig['customAuth'] && (!webdavConfig['username'] || !webdavConfig['password'])) {
+      throw new MissingCredentialsWhenUsingAuthError();
+    }
+
     await ConfigService.instance.saveWebdavConfig(webdavConfig);
-    const message = `On the next start, the WebDAV server will use the next config: ${JSON.stringify(webdavConfig)}`;
+
+    const printWebdavConfig = {
+      ...webdavConfig,
+      password: undefined,
+    };
+
+    const message =
+      'On the next start, the WebDAV server will use the next config: ' + JSON.stringify(printWebdavConfig);
     CLIUtils.success(this.log.bind(this), message);
-    return { success: true, message, config: webdavConfig };
+    return { success: true, message, config: printWebdavConfig };
   };
 
   public catch = async (error: Error) => {
@@ -97,4 +141,48 @@ export default class WebDAVConfig extends Command {
     });
     this.exit(1);
   };
+
+  private getUsername = async (usernameFlag: string | undefined, nonInteractive: boolean): Promise<string> => {
+    const username = await CLIUtils.getValueFromFlag(
+      {
+        value: usernameFlag,
+        name: WebDAVConfig.flags['username'].name,
+      },
+      {
+        nonInteractive,
+        prompt: {
+          message: 'What is the custom auth username?',
+          options: { type: 'input' },
+        },
+      },
+      {
+        validate: ValidationService.instance.validateStringIsNotEmpty,
+        error: new EmptyCustomAuthUsernameError(),
+      },
+      this.log.bind(this),
+    );
+    return username;
+  };
+
+  private getPassword = async (passwordFlag: string | undefined, nonInteractive: boolean): Promise<string> => {
+    const password = await CLIUtils.getValueFromFlag(
+      {
+        value: passwordFlag,
+        name: WebDAVConfig.flags['password'].name,
+      },
+      {
+        nonInteractive,
+        prompt: {
+          message: 'What is the custom auth password?',
+          options: { type: 'password' },
+        },
+      },
+      {
+        validate: ValidationService.instance.validateStringIsNotEmpty,
+        error: new EmptyCustomAuthPasswordError(),
+      },
+      this.log.bind(this),
+    );
+    return password;
+  };
 }

src/commands/workspaces-use.ts

@@ -1,7 +1,12 @@
 import { Command, Flags } from '@oclif/core';
 import { ConfigService } from '../services/config.service';
-import { CLIUtils } from '../utils/cli.utils';
-import { MissingCredentialsError, NotValidWorkspaceUuidError } from '../types/command.types';
+import { CLIUtils, LogReporter } from '../utils/cli.utils';
+import {
+  LoginCredentials,
+  MissingCredentialsError,
+  NotValidWorkspaceUuidError,
+  Workspace,
+} from '../types/command.types';
 import { WorkspaceService } from '../services/drive/workspace.service';
 import { FormatUtils } from '../utils/format.utils';
 import { ValidationService } from '../services/validation.service';
@@ -43,46 +48,22 @@ export default class WorkspacesUse extends Command {
     const userCredentials = await ConfigService.instance.readUser();
     if (!userCredentials) throw new MissingCredentialsError();
 
+    const reporter = this.log.bind(this);
+
     if (flags['personal']) {
-      return WorkspacesUnset.unsetWorkspace(userCredentials, this.log.bind(this));
+      return WorkspacesUnset.unsetWorkspace(userCredentials, reporter);
     }
 
-    const workspaces = await WorkspaceService.instance.getAvailableWorkspaces(userCredentials.user);
-    const availableWorkspaces: string[] = workspaces.map((workspaceData) => {
-      const name = workspaceData.workspace.name;
-      const id = workspaceData.workspace.id;
-      const totalUsedSpace =
-        Number(workspaceData.workspaceUser?.driveUsage ?? 0) + Number(workspaceData.workspaceUser?.backupsUsage ?? 0);
-      const spaceLimit = Number(workspaceData.workspaceUser?.spaceLimit ?? 0);
-      const usedSpace = FormatUtils.humanFileSize(totalUsedSpace);
-      const availableSpace = FormatUtils.formatLimit(spaceLimit);
+    const workspace = await this.getWorkspace(userCredentials, flags['id'], nonInteractive, reporter);
 
-      return `[${id}] Name: ${name} | Used Space: ${usedSpace} | Available Space: ${availableSpace}`;
-    });
-    const workspaceUuid = await this.getWorkspaceUuid(flags['id'], availableWorkspaces, nonInteractive);
-
-    const workspaceCredentials = await WorkspaceService.instance.getWorkspaceCredentials(workspaceUuid);
-    const selectedWorkspace = workspaces.find((workspace) => workspace.workspace.id === workspaceUuid);
-    if (!selectedWorkspace) throw new NotValidWorkspaceUuidError();
-
-    SdkManager.init({ token: userCredentials.token, workspaceToken: workspaceCredentials.token });
-
-    await ConfigService.instance.saveUser({
-      ...userCredentials,
-      workspace: {
-        workspaceCredentials,
-        workspaceData: selectedWorkspace,
-      },
-    });
-
-    void DatabaseService.instance.clear();
+    await this.setWorkspace(userCredentials, workspace);
 
     const message =
-      `Workspace ${workspaceUuid} selected successfully. Now WebDAV and all of the CLI commands ` +
-      'will operate within this workspace until it is changed or unset.';
-    CLIUtils.success(this.log.bind(this), message);
+      `Workspace ${workspace.workspaceCredentials.id} selected successfully. Now WebDAV and ` +
+      'all of the CLI commands will operate within this workspace until it is changed or unset.';
+    CLIUtils.success(reporter, message);
 
-    return { success: true, list: { workspaces } };
+    return { success: true, workspace };
   };
 
   public catch = async (error: Error) => {
@@ -100,6 +81,7 @@ export default class WorkspacesUse extends Command {
     workspaceUuidFlag: string | undefined,
     availableWorkspaces: string[],
     nonInteractive: boolean,
+    reporter: LogReporter,
   ): Promise<string> => {
     const workspaceUuid = await CLIUtils.getValueFromFlag(
       {
@@ -121,11 +103,49 @@ export default class WorkspacesUse extends Command {
           ValidationService.instance.validateUUIDv4(this.extractUuidFromWorkspaceString(value)),
         error: new NotValidWorkspaceUuidError(),
       },
-      this.log.bind(this),
+      reporter,
     );
     return this.extractUuidFromWorkspaceString(workspaceUuid);
   };
 
   private extractUuidFromWorkspaceString = (workspaceString: string) =>
     workspaceString.match(/\[(.*?)\]/)?.[1] ?? workspaceString;
+
+  private getWorkspace = async (
+    userCredentials: LoginCredentials,
+    workspaceUuidFlag: string | undefined,
+    nonInteractive: boolean,
+    reporter: LogReporter,
+  ): Promise<Workspace> => {
+    const workspaces = await WorkspaceService.instance.getAvailableWorkspaces(userCredentials.user);
+    const availableWorkspaces: string[] = workspaces.map((workspaceData) => {
+      const name = workspaceData.workspace.name;
+      const id = workspaceData.workspace.id;
+      const totalUsedSpace =
+        Number(workspaceData.workspaceUser?.driveUsage ?? 0) + Number(workspaceData.workspaceUser?.backupsUsage ?? 0);
+      const spaceLimit = Number(workspaceData.workspaceUser?.spaceLimit ?? 0);
+      const usedSpace = FormatUtils.humanFileSize(totalUsedSpace);
+      const availableSpace = FormatUtils.formatLimit(spaceLimit);
+
+      return `[${id}] Name: ${name} | Used Space: ${usedSpace} | Available Space: ${availableSpace}`;
+    });
+    const workspaceUuid = await this.getWorkspaceUuid(workspaceUuidFlag, availableWorkspaces, nonInteractive, reporter);
+
+    const workspaceCredentials = await WorkspaceService.instance.getWorkspaceCredentials(workspaceUuid);
+    const selectedWorkspace = workspaces.find((workspace) => workspace.workspace.id === workspaceUuid);
+    if (!selectedWorkspace) throw new NotValidWorkspaceUuidError();
+
+    return { workspaceCredentials, workspaceData: selectedWorkspace };
+  };
+
+  private setWorkspace = async (userCredentials: LoginCredentials, workspace: Workspace) => {
+    SdkManager.init({ token: userCredentials.token, workspaceToken: workspace.workspaceCredentials.token });
+
+    await ConfigService.instance.saveUser({
+      ...userCredentials,
+      workspace,
+    });
+
+    void DatabaseService.instance.clear();
+  };
 }

src/constants/configs.ts

@@ -12,3 +12,4 @@ export const WEBDAV_DEFAULT_PORT = '3005';
 export const WEBDAV_DEFAULT_PROTOCOL = 'https';
 export const WEBDAV_DEFAULT_TIMEOUT = 0;
 export const WEBDAV_DEFAULT_CREATE_FULL_PATH = true;
+export const WEBDAV_DEFAULT_CUSTOM_AUTH = false;