Fix SFTP file upload failures with JWT filer tokens (#8448)

* Fix SFTP file upload failures with JWT filer tokens (issue #8425) When JWT authentication is enabled for filer operations via jwt.filer_signing.* configuration, SFTP server file upload requests were rejected because they lacked JWT authorization headers. Changes: - Added JWT signing key and expiration fields to SftpServer struct - Modified putFile() to generate and include JWT tokens in upload requests - Enhanced SFTPServiceOptions with JWT configuration fields - Updated SFTP command startup to load and pass JWT config to service This allows SFTP uploads to authenticate with JWT-enabled filers, consistent with how other SeaweedFS components (S3 API, file browser) handle filer auth. Fixes #8425 * Apply suggestion from @gemini-code-assist[bot] Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --------- Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
2026-02-25 14:30:21 -08:00
parent a92e9baddf
commit 7f6e58b791
4 changed files with 51 additions and 24 deletions
--- a/weed/command/sftp.go
+++ b/weed/command/sftp.go
@@ -101,6 +101,12 @@ func (sftpOpt *SftpOptions) startSftpServer() bool {
 	filerAddress := pb.ServerAddress(*sftpOpt.filer)
 	grpcDialOption := security.LoadClientTLS(util.GetViper(), "grpc.client")

+	// Load JWT configuration for filer signing
+	v := util.GetViper()
+	filerSigningKey := v.GetString("jwt.filer_signing.key")
+	v.SetDefault("jwt.filer_signing.expires_after_seconds", 600)
+	filerSigningExpiresAfter := v.GetInt("jwt.filer_signing.expires_after_seconds")
+
 	// metrics read from the filer
 	var metricsAddress string
 	var metricsIntervalSec int
@@ -137,19 +143,21 @@ func (sftpOpt *SftpOptions) startSftpServer() bool {

 	// Create a new SFTP service instance with all options
 	service := sftpd.NewSFTPService(&sftpd.SFTPServiceOptions{
-		GrpcDialOption:      grpcDialOption,
-		DataCenter:          *sftpOpt.dataCenter,
-		FilerGroup:          filerGroup,
-		Filer:               filerAddress,
-		SshPrivateKey:       *sftpOpt.sshPrivateKey,
-		HostKeysFolder:      *sftpOpt.hostKeysFolder,
-		AuthMethods:         authMethods,
-		MaxAuthTries:        *sftpOpt.maxAuthTries,
-		BannerMessage:       *sftpOpt.bannerMessage,
-		LoginGraceTime:      *sftpOpt.loginGraceTime,
-		ClientAliveInterval: *sftpOpt.clientAliveInterval,
-		ClientAliveCountMax: *sftpOpt.clientAliveCountMax,
-		UserStoreFile:       *sftpOpt.userStoreFile,
+		GrpcDialOption:           grpcDialOption,
+		DataCenter:               *sftpOpt.dataCenter,
+		FilerGroup:               filerGroup,
+		Filer:                    filerAddress,
+		SshPrivateKey:            *sftpOpt.sshPrivateKey,
+		HostKeysFolder:           *sftpOpt.hostKeysFolder,
+		AuthMethods:              authMethods,
+		MaxAuthTries:             *sftpOpt.maxAuthTries,
+		BannerMessage:            *sftpOpt.bannerMessage,
+		LoginGraceTime:           *sftpOpt.loginGraceTime,
+		ClientAliveInterval:      *sftpOpt.clientAliveInterval,
+		ClientAliveCountMax:      *sftpOpt.clientAliveCountMax,
+		UserStoreFile:            *sftpOpt.userStoreFile,
+		FilerSigningKey:          []byte(filerSigningKey),
+		FilerSigningExpiresAfter: filerSigningExpiresAfter,
 	})

 	// Register reload hook for HUP signal