I followed your posts so I know a bit about what you're doing.
I would probably look for the first 4 characters, and reject anything that's not "GET[space]" or "POST". Then I'd extract the URL after GET[space] or POST[space] and do something depending on it.
Keep in mind that you'll HAVE TO account for parameters in the URL even if your pages won't have such parameters, and you also have to account for the HTTP tag after the URL.
Some browsers, when they don't get information through the response headers about caching the page, will add some bogus parameter at the end of URLs because that often forced web servers to send the document again, instead of replying with HTTP 304 Not Modified. Some browsers did this when the user pressed Shift + F5 (forced refresh).
ex you could have GET /index.html?parameter=value HTTP/1.1
Could be HTTP/1.0 , could be HTTP/1.1, could be HTTP/2 so you can't just assume it will always be 8 characters. You'd have to look for the space after the verb, then the next space as an end for the URL. The URL's spaces will be escaped as %20 so space is a good separator character, to separate verb, url and http version.
The most common verbs are POST, GET, PUT, PATCH and DELETE ... but really GET and POST are the most used, DELETE is sometimes used in APIs of various services, and PUT/PATCH are very rarely used.
You really only need GET and POST
File upload is easy. You put a form on the page with the fields you need, and when the user hits upload, the browser will send a POST request to your server with the data. At the end of transmission it will send one or two empty lines and keep the connection active, waiting for your reply.
You accept the incoming data, dump it into a temporary file if you don't have a lot of memory, then do your thing on the temporary file and you then send a proper reply to the browser. It could be something as simple as a 200 OK and do a redirect in the html ex <html><head> <meta http-equiv="Refresh" content="0; URL=https://example.com/"></head><body /></html> and you could redirect to the page listing the newly uploaded content.
The form on the page would be something like this:
// see the input type="file" for a lot of good details :
// https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/file
<form method="POST" enctype="multipart/form-data" action="/upload.html" >
<div>
<label for="file_up">Select file to upload:</label>
<input type="file" name="file_up" accept =".doc,.pdf,application/msword" placeholder="Please pick a file!" >
<input type="hidden" name="folder" value="/documents/uploads/" >
<input type="submit" name="button_upload" value="Upload" >
</div>
</form>
The form has a file selection called file_up , a hidden parameter named "folder" with the value the path (filled by you when serving the page to the user) and a button named "button_upload"
When user hits the Upload button, the browser is gonna do POST /upload.html and do a multipart-formdata and you'll get at least these 3 items separated by that boundary
The accept and placeholder are optional, I just added them to show it's possible.
Editing of a document can be done just the same with a POST form, only you can use a TEXTAREA -
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/textarea - around the contents of the document and the user will see the text in an editable text box on the screen.
When you hit the save button, the browser will send you the whole contents of that textarea and whatever other parameters are in the form (hidden on purpose by you or not)
Note that the contents of the document would have to be escaped ex < > and & at the very least : < would be &lt; , > would be &gt; and & would be &amp; - the browser will parse the html and show the characters properly on the screen and send you the actual characters in the POST form data, not the escaped ones.
There's some other gotchas, like if you don't specify a text encoding for your html files, it's assumed your html file and whatever is in it is UTF-8, so if you dump a .txt file that was written with character encoding ISO-8859-1 then some valid characters in ISO-8859-1 would be invalid in UTF-8 (invalid code points, those specific characters get two byte combinations in utf-8) and not rendered properly on screen. See for example
https://mincong.io/2019/04/07/understanding-iso-8859-1-and-utf-8/ for explanation
user and password ... easiest would be to use cookies or a session id
Basically you make a form with username and password and a login button and you submit these with a POST request to your server (GET works too, but it's not "cool" to use GET because the parameters may show up in your address bar)
You get the username, password and you verify them against some internal database and if they're correct you add to the HTTP response headers a cookie with the Set-Cookie attribute :
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
For example, say jsmith logs in and the password he submits is correct, you generate a token of some sort ex "20220717jsm453" and you add this to your records with an expiration date (ex in case user leaves browser page opened for 10 days and someone hits refresh you don't want that random user to mess around)
Then you send cookie
Set-cookie: token=20220717jsm453; Max-Age=86400
When 86400 seconds go by, the cookie is deleted. You can't rely on this as a user with bad intentions could just go and edit the cookie database in the browser and set the max age to 2 billion and never expire the cookie, on your server it would be wise to also check when token was generated and invalidate the cookie by sending Set-Cookie with another token value
If you don't say Max-Age or Expires the cookie is treated as a "Session cookie", it lasts as long as the session lasts, which could be indefinite (if user has option restore tabs at start)
So once you do a Set-Cookie, the browser will send the cookies back to you with every request, ex
Cookie: token=20220717jsm453;[SPACE]anothercookie=somedata;[space]yetanothercookie=morecrap
And you can check on every request to see if that token is valid, and if it's not, you could just give a 304 temporary redirect and redirect to a login page.
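An added example, not part of the original post: one way to do the request-line handling described above in C, finding the two spaces instead of assuming fixed lengths, rejecting verbs other than GET and POST, and splitting off any ?query. The struct, function names and buffer sizes are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Parsed "VERB SP target SP HTTP-version" request line. */
struct request_line {
    char verb[8], version[12];
    char path[128];    /* target without the ?query part */
    char query[128];   /* text after '?', empty if none  */
};

/* Copy n bytes into a fixed buffer; fail rather than truncate. */
static int copy_field(char *dst, size_t cap, const char *src, size_t n) {
    if (n == 0 || n >= cap) return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Returns 0 on success, -1 for a malformed or oversized line or a verb
   other than GET/POST. Field boundaries are found by searching for spaces. */
int parse_request_line(const char *line, struct request_line *out) {
    memset(out, 0, sizeof *out);
    size_t len = strcspn(line, "\r\n");          /* stop at end of line */
    const char *end = line + len;
    const char *sp1 = memchr(line, ' ', len);
    if (!sp1) return -1;
    const char *target = sp1 + 1;
    const char *sp2 = memchr(target, ' ', (size_t)(end - target));
    if (!sp2) return -1;
    const char *ver = sp2 + 1;
    if (memchr(ver, ' ', (size_t)(end - ver))) return -1;   /* stray space */
    if (copy_field(out->verb, sizeof out->verb, line, (size_t)(sp1 - line))) return -1;
    if (strcmp(out->verb, "GET") != 0 && strcmp(out->verb, "POST") != 0) return -1;
    if (copy_field(out->version, sizeof out->version, ver, (size_t)(end - ver))) return -1;
    if (strncmp(out->version, "HTTP/", 5) != 0) return -1;
    if (*target != '/') return -1;               /* origin-form targets only */
    const char *q = memchr(target, '?', (size_t)(sp2 - target));
    const char *path_end = q ? q : sp2;
    if (copy_field(out->path, sizeof out->path, target, (size_t)(path_end - target))) return -1;
    if (q && sp2 - q > 1 &&
        copy_field(out->query, sizeof out->query, q + 1, (size_t)(sp2 - q - 1))) return -1;
    return 0;
}

int main(void) {
    struct request_line r;   /* sample line taken from the post */
    if (parse_request_line("GET /index.html?parameter=value HTTP/1.1\r\n", &r) == 0)
        printf("%s path=%s query=%s %s\n", r.verb, r.path, r.query, r.version);
    return 0;
}
```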
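An added example, not part of the original post: checking the token cookie on every request against a server-side record, so expiry is decided by the server's clock rather than by the browser's Max-Age. The session table layout and function names are assumptions; the sample record reuses the post's example token, and a real token should come from a cryptographic random source so it cannot be guessed.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define SESSION_TTL 86400   /* seconds; same lifetime as the Max-Age above */
struct session { const char *token, *user; time_t issued; };

/* Constructed sample record using the post's example token, issued at t=1000. */
static const struct session SAMPLE[] = { { "20220717jsm453", "jsmith", 1000 } };

/* Copy the value of cookie `name` from a Cookie header value
   ("a=1; b=2") into out. Returns 0 on success, -1 otherwise. */
int cookie_get(const char *hdr, const char *name, char *out, size_t cap) {
    size_t nlen = strlen(name);
    while (*hdr) {
        while (*hdr == ' ' || *hdr == ';') hdr++;     /* skip separators */
        size_t plen = strcspn(hdr, ";");              /* one name=value pair */
        if (plen > nlen && hdr[nlen] == '=' && strncmp(hdr, name, nlen) == 0) {
            size_t vlen = plen - nlen - 1;
            if (vlen == 0 || vlen >= cap) return -1;
            memcpy(out, hdr + nlen + 1, vlen);
            out[vlen] = '\0';
            return 0;
        }
        hdr += plen;
    }
    return -1;
}

/* Returns the user name for a live session, or NULL when the token is
   unknown or older than SESSION_TTL by the server's own clock. */
const char *session_user(const struct session *tab, size_t n,
                         const char *cookie_hdr, time_t now) {
    char tok[64];
    if (cookie_get(cookie_hdr, "token", tok, sizeof tok) != 0) return NULL;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(tab[i].token, tok) != 0) continue;
        if (now < tab[i].issued || now - tab[i].issued >= SESSION_TTL) return NULL;
        return tab[i].user;
    }
    return NULL;
}

int main(void) {
    const char *hdr = "token=20220717jsm453; anothercookie=somedata";
    const char *u = session_user(SAMPLE, 1, hdr, 1000 + 3600);
    printf("%s\n", u ? u : "redirect to login");
    return 0;
}
```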