feat: Optional path-prefix and method scoping for Filer HTTP JWT (#8014)

* Implement optional path-prefix and method scoping for Filer HTTP JWT

* Fix security vulnerability and improve test error handling

* Address PR feedback: replace debug logging and improve tests

* Use URL.Path in logs to avoid leaking query params

weed/server/filer_server_handlers.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"errors"
 	"net/http"
-	"os"
 	"strconv"
 	"strings"
 	"sync/atomic"
@@ -148,7 +147,7 @@ func (fs *FilerServer) readonlyFilerHandler(w http.ResponseWriter, r *http.Reque
 	statusRecorder := stats.NewStatusResponseWriter(w)
 	w = statusRecorder
 
-	os.Stdout.WriteString("Request: " + r.Method + " " + r.URL.String() + "\n")
+	glog.V(4).Infof("Request: %s %s", r.Method, r.URL.Path)
 
 	origin := r.Header.Get("Origin")
 	if origin != "" {
@@ -242,9 +241,42 @@ func (fs *FilerServer) maybeCheckJwtAuthorization(r *http.Request, isWrite bool)
 	if !token.Valid {
 		glog.V(1).Infof("jwt invalid from %s: %v", r.RemoteAddr, tokenStr)
 		return false
-	} else {
-		return true
 	}
+
+	claims, ok := token.Claims.(*security.SeaweedFilerClaims)
+	if !ok {
+		glog.V(1).Infof("jwt claims not of type *SeaweedFilerClaims from %s", r.RemoteAddr)
+		return false
+	}
+
+	if len(claims.AllowedPrefixes) > 0 {
+		hasPrefix := false
+		for _, prefix := range claims.AllowedPrefixes {
+			if strings.HasPrefix(r.URL.Path, prefix) {
+				hasPrefix = true
+				break
+			}
+		}
+		if !hasPrefix {
+			glog.V(1).Infof("jwt path not allowed from %s: %v", r.RemoteAddr, r.URL.Path)
+			return false
+		}
+	}
+	if len(claims.AllowedMethods) > 0 {
+		hasMethod := false
+		for _, method := range claims.AllowedMethods {
+			if method == r.Method {
+				hasMethod = true
+				break
+			}
+		}
+		if !hasMethod {
+			glog.V(1).Infof("jwt method not allowed from %s: %v", r.RemoteAddr, r.Method)
+			return false
+		}
+	}
+
+	return true
 }
 
 func (fs *FilerServer) filerHealthzHandler(w http.ResponseWriter, r *http.Request) {