add webdav

[931122]

No description provided.

[Copilot]

Pull request overview

This pull request adds WebDAV support to the HTTP static file server, enabling WebDAV clients to interact with the server using standard WebDAV operations. The changes integrate the golang.org/x/net/webdav package and modify authentication and request handling to support WebDAV methods.

Changes:

• Integrated WebDAV handler using golang.org/x/net/webdav package for file operations
• Added new route handler for WebDAV-specific HTTP methods (OPTIONS, PROPFIND, PUT, LOCK, UNLOCK, MKCOL, MOVE, PROPPATCH)
• Modified authentication to support Basic Auth for WebDAV access alongside existing session-based authentication
• Removed OPTIONS handling from CORS middleware and updated Go version to 1.23.0

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 8 comments.

File	Description
main.go	Removed OPTIONS request handling from CORS middleware
httpstaticserver.go	Added WebDAV handler initialization, new hWebdav method, canWebdavAccess authentication method, and modified hIndex and hDelete to use WebDAV handler
go.mod	Updated Go version to 1.23.0, promoted golang.org/x/net to direct dependency, reorganized indirect dependencies
go.sum	Cleaned up unused dependency checksums for various golang.org/x packages

Comments suppressed due to low confidence (1)

httpstaticserver.go:229

• The code after the return statement on line 217 is unreachable and will never execute. Lines 218-229 contain the original delete logic including error handling that has been bypassed by the early return. This means delete operations are now handled only by the WebDAV handler without the original safety checks and error reporting.

	s.Handler.ServeHTTP(w, req)
	return
	// TODO: path safe check
	err := os.RemoveAll(realPath)
	if err != nil {
		pathErr, ok := err.(*os.PathError)
		if ok {
			http.Error(w, pathErr.Op+" "+path+": "+pathErr.Err.Error(), 500)
		} else {
			http.Error(w, err.Error(), 500)
		}
		return
	}
	w.Write([]byte("Success"))

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The canWebdavAccess method should only set the WWW-Authenticate header when authentication fails, not on every call. Currently, the header is set even when authentication succeeds (when Users list is empty or valid credentials are provided), which can cause clients to unnecessarily prompt for credentials. Move the header setting to just before returning false.

[codeskyblue]

@copilot open a new pull request to apply changes based on this feedback

[Copilot]

The authorization logic is confusing and potentially incorrect. The code checks if delete is NOT allowed, and if so, it then checks WebDAV access. This creates a fallback where if session-based delete is forbidden, WebDAV access with basic auth can still proceed. This may unintentionally allow delete operations through WebDAV when they should be forbidden. The logic should be clearer about when each authentication method applies and whether they should be alternatives or both required.

[codeskyblue]

@copilot open a new pull request to apply changes based on this feedback