hedgedoc/lib/response.js

'use strict'
// response
// external modules
const fs = require('fs')
const path = require('path')
const fetch = require('node-fetch')
// core
const config = require('./config')
const logger = require('./logger')
const models = require('./models')
const noteUtil = require('./web/note/util')
const errors = require('./errors')

// public
const response = {
  showIndex: showIndex,
  githubActions: githubActions,
  gitlabActions: gitlabActions
}

function showIndex (req, res, next) {
  const authStatus = req.isAuthenticated()
  const deleteToken = ''

  const data = {
    signin: authStatus,
    infoMessage: req.flash('info'),
    errorMessage: req.flash('error'),
    imprint: fs.existsSync(path.join(config.docsPath, 'imprint.md')),
    privacyStatement: fs.existsSync(path.join(config.docsPath, 'privacy.md')),
    termsOfUse: fs.existsSync(path.join(config.docsPath, 'terms-of-use.md')),
    deleteToken: deleteToken
  }

  if (authStatus) {
    models.User.findOne({
      where: {
        id: req.user.id
      }
    }).then(function (user) {
      if (user) {
        data.deleteToken = user.deleteToken
        res.render('index.ejs', data)
      }
    })
  } else {
    res.render('index.ejs', data)
  }
}

function githubActions (req, res, next) {
  const noteId = req.params.noteId
  noteUtil.findNote(req, res, function (note) {
    const action = req.params.action
    switch (action) {
      case 'gist':
        githubActionGist(req, res, note)
        break
      default:
        res.redirect(config.serverURL + '/' + noteId)
        break
    }
  })
}

function githubActionGist (req, res, note) {
  const code = req.query.code
  const state = req.query.state
  if (!code || !state) {
    return errors.errorForbidden(res)
  } else {
    const data = {
      client_id: config.github.clientID,
      client_secret: config.github.clientSecret,
      code: code,
      state: state
    }
    const authUrl = 'https://github.com/login/oauth/access_token'
    fetch(authUrl, {
      method: 'POST',
      body: JSON.stringify(data),
      headers: {
        'Content-Type': 'application/json',
        Accept: 'application/json'
      }
    }).then(resp => {
      if (!resp.ok) {
        throw new Error('forbidden')
      }
      return resp.json()
    }).then(body => {
      const accessToken = body.access_token
      if (!accessToken) {
        throw new Error('forbidden')
      }
      const content = note.content
      const title = models.Note.decodeTitle(note.title)
      const filename = title.replace('/', ' ') + '.md'
      const gist = {
        files: {}
      }
      gist.files[filename] = {
        content: content
      }
      const gistUrl = 'https://api.github.com/gists'
      return fetch(gistUrl, {
        method: 'POST',
        body: JSON.stringify(gist),
        headers: {
          'User-Agent': 'HedgeDoc',
          Authorization: 'token ' + accessToken,
          'Content-Type': 'application/json',
          Accept: 'application/json'
        }
      })
    }).then(resp => {
      if (resp.status !== 201) {
        throw new Error('forbidden')
      }
      return resp.json()
    }).then(body => {
      res.setHeader('referer', '')
      res.redirect(body.html_url)
    }).catch(error => {
      if (error.message === 'forbidden') {
        return errors.errorForbidden(res)
      }
      logger.error('GitHub Gist auth failed: ' + error)
      return errors.errorInternalError(res)
    })
  }
}

function gitlabActions (req, res, next) {
  const noteId = req.params.noteId
  noteUtil.findNote(req, res, function (note) {
    const action = req.params.action
    switch (action) {
      case 'projects':
        gitlabActionProjects(req, res, note)
        break
      default:
        res.redirect(config.serverURL + '/' + noteId)
        break
    }
  })
}

function gitlabActionProjects (req, res, note) {
  if (req.isAuthenticated()) {
    models.User.findOne({
      where: {
        id: req.user.id
      }
    }).then(function (user) {
      if (!user) {
        return errors.errorNotFound(res)
      }
      const ret = { baseURL: config.gitlab.baseURL, version: config.gitlab.version }
      ret.accesstoken = user.accessToken
      ret.profileid = user.profileid
      const apiUrl = `${config.gitlab.baseURL}/api/${config.gitlab.version}/projects?membership=yes&per_page=100&access_token=${user.accessToken}`
      fetch(apiUrl).then(resp => {
        if (!resp.ok) {
          res.send(ret)
          return Promise.reject(new Error('HTTP request returned not okay-ish status'))
        }
        return resp.json()
      }).then(body => {
        ret.projects = body
        return res.send(ret)
      }).catch(err => {
        logger.error('gitlab action projects failed: ', err)
      })
    }).catch(function (err) {
      logger.error('gitlab action projects failed: ' + err)
      return errors.errorInternalError(res)
    })
  } else {
    return errors.errorForbidden(res)
  }
}

module.exports = response
Use strict mode in all backend files add ‘use strict’ in all backend file 2017-03-14 01:02:43 -04:00			`'use strict'`
Use JavaScript Standard Style Introduce JavaScript Standard Style as project style rule, and fixed all fail on backend code. 2017-03-08 05:45:51 -05:00			`// response`
			`// external modules`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const fs = require('fs')`
			`const path = require('path')`
Replace request library with node-fetch Signed-off-by: Erik Michelson <github@erik.michelson.eu> 2021-03-11 10:40:24 -05:00			`const fetch = require('node-fetch')`
Use JavaScript Standard Style Introduce JavaScript Standard Style as project style rule, and fixed all fail on backend code. 2017-03-08 05:45:51 -05:00			`// core`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const config = require('./config')`
			`const logger = require('./logger')`
			`const models = require('./models')`
Move note actions to their own file. Because of circular import problems, this commit also moves the error messages from response.js to errors.js Signed-off-by: David Mehren <dmehren1@gmail.com> 2019-10-27 08:51:53 -04:00			`const noteUtil = require('./web/note/util')`
			`const errors = require('./errors')`
First commit, version 0.2.7 2015-05-04 03:53:29 -04:00
Use JavaScript Standard Style Introduce JavaScript Standard Style as project style rule, and fixed all fail on backend code. 2017-03-08 05:45:51 -05:00			`// public`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const response = {`
Use JavaScript Standard Style Introduce JavaScript Standard Style as project style rule, and fixed all fail on backend code. 2017-03-08 05:45:51 -05:00			`showIndex: showIndex,`
			`githubActions: githubActions,`
			`gitlabActions: gitlabActions`
			`}`
First commit, version 0.2.7 2015-05-04 03:53:29 -04:00
Use JavaScript Standard Style Introduce JavaScript Standard Style as project style rule, and fixed all fail on backend code. 2017-03-08 05:45:51 -05:00			`function showIndex (req, res, next) {`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const authStatus = req.isAuthenticated()`
			`const deleteToken = ''`
Add token based security feature In the current setup users could be tricked into deleting their data by providing a malicious link like `[click me](/me/delete)`. This commit prevents such an easy attack and need the user's deleteToken to get his data deleted. In case someone requests his deletion by email you can also ask him for this token. We can add a GUI that shows it later on. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-05-25 12:19:31 -04:00
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const data = {`
Add token based security feature In the current setup users could be tricked into deleting their data by providing a malicious link like `[click me](/me/delete)`. This commit prevents such an easy attack and need the user's deleteToken to get his data deleted. In case someone requests his deletion by email you can also ask him for this token. We can add a GUI that shows it later on. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-05-25 12:19:31 -04:00			`signin: authStatus,`
Use JavaScript Standard Style Introduce JavaScript Standard Style as project style rule, and fixed all fail on backend code. 2017-03-08 05:45:51 -05:00			`infoMessage: req.flash('info'),`
Add privacy and ToS links To be GDPR compliant we need to provide privacy statement. These should be linked on the index page. So as soon as a document exist under `public/docs/privacy.md` the link will show up. Since we already add legal links, we also add Terms of Use, which will show up as soon as `public/docs/terms-of-use.md` exists. This should allow everyone to provide the legal documents they need for GDPR and other privacy and business laws. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-05-22 19:14:52 -04:00			`errorMessage: req.flash('error'),`
Add link to imprint Signed-off-by: Matthias Lindinger <m.lindinger@live.de> 2019-08-26 08:55:41 -04:00			`imprint: fs.existsSync(path.join(config.docsPath, 'imprint.md')),`
Add privacy and ToS links To be GDPR compliant we need to provide privacy statement. These should be linked on the index page. So as soon as a document exist under `public/docs/privacy.md` the link will show up. Since we already add legal links, we also add Terms of Use, which will show up as soon as `public/docs/terms-of-use.md` exists. This should allow everyone to provide the legal documents they need for GDPR and other privacy and business laws. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-05-22 19:14:52 -04:00			`privacyStatement: fs.existsSync(path.join(config.docsPath, 'privacy.md')),`
Add token based security feature In the current setup users could be tricked into deleting their data by providing a malicious link like `[click me](/me/delete)`. This commit prevents such an easy attack and need the user's deleteToken to get his data deleted. In case someone requests his deletion by email you can also ask him for this token. We can add a GUI that shows it later on. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-05-25 12:19:31 -04:00			`termsOfUse: fs.existsSync(path.join(config.docsPath, 'terms-of-use.md')),`
			`deleteToken: deleteToken`
			`}`

			`if (authStatus) {`
			`models.User.findOne({`
			`where: {`
			`id: req.user.id`
			`}`
			`}).then(function (user) {`
			`if (user) {`
			`data.deleteToken = user.deleteToken`
removing superfluous config parameters for template files Signed-off-by: Claudius <opensource@amenthes.de> 2018-09-10 16:35:38 -04:00			`res.render('index.ejs', data)`
Add token based security feature In the current setup users could be tricked into deleting their data by providing a malicious link like `[click me](/me/delete)`. This commit prevents such an easy attack and need the user's deleteToken to get his data deleted. In case someone requests his deletion by email you can also ask him for this token. We can add a GUI that shows it later on. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-05-25 12:19:31 -04:00			`}`
			`})`
			`} else {`
removing superfluous config parameters for template files Signed-off-by: Claudius <opensource@amenthes.de> 2018-09-10 16:35:38 -04:00			`res.render('index.ejs', data)`
Add token based security feature In the current setup users could be tricked into deleting their data by providing a malicious link like `[click me](/me/delete)`. This commit prevents such an easy attack and need the user's deleteToken to get his data deleted. In case someone requests his deletion by email you can also ask him for this token. We can add a GUI that shows it later on. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-05-25 12:19:31 -04:00			`}`
Added server option "useCdn", use template statement to route resources' source 2015-09-22 00:06:13 -04:00			`}`

Use JavaScript Standard Style Introduce JavaScript Standard Style as project style rule, and fixed all fail on backend code. 2017-03-08 05:45:51 -05:00			`function githubActions (req, res, next) {`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const noteId = req.params.noteId`
Move note actions to their own file. Because of circular import problems, this commit also moves the error messages from response.js to errors.js Signed-off-by: David Mehren <dmehren1@gmail.com> 2019-10-27 08:51:53 -04:00			`noteUtil.findNote(req, res, function (note) {`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const action = req.params.action`
Use JavaScript Standard Style Introduce JavaScript Standard Style as project style rule, and fixed all fail on backend code. 2017-03-08 05:45:51 -05:00			`switch (action) {`
			`case 'gist':`
			`githubActionGist(req, res, note)`
			`break`
			`default:`
Change config to camel case with backwards compatibility This refactors the configs a bit to now use camel case everywhere. This change should help to clean up the config interface and make it better understandable. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-03-07 09:17:35 -05:00			`res.redirect(config.serverURL + '/' + noteId)`
Use JavaScript Standard Style Introduce JavaScript Standard Style as project style rule, and fixed all fail on backend code. 2017-03-08 05:45:51 -05:00			`break`
			`}`
			`})`
Supported export to gist 2016-01-31 16:42:26 -05:00			`}`

Use JavaScript Standard Style Introduce JavaScript Standard Style as project style rule, and fixed all fail on backend code. 2017-03-08 05:45:51 -05:00			`function githubActionGist (req, res, note) {`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const code = req.query.code`
			`const state = req.query.state`
Use JavaScript Standard Style Introduce JavaScript Standard Style as project style rule, and fixed all fail on backend code. 2017-03-08 05:45:51 -05:00			`if (!code \|\| !state) {`
Move note actions to their own file. Because of circular import problems, this commit also moves the error messages from response.js to errors.js Signed-off-by: David Mehren <dmehren1@gmail.com> 2019-10-27 08:51:53 -04:00			`return errors.errorForbidden(res)`
Use JavaScript Standard Style Introduce JavaScript Standard Style as project style rule, and fixed all fail on backend code. 2017-03-08 05:45:51 -05:00			`} else {`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const data = {`
Use JavaScript Standard Style Introduce JavaScript Standard Style as project style rule, and fixed all fail on backend code. 2017-03-08 05:45:51 -05:00			`client_id: config.github.clientID,`
			`client_secret: config.github.clientSecret,`
			`code: code,`
			`state: state`
			`}`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const authUrl = 'https://github.com/login/oauth/access_token'`
Replace request library with node-fetch Signed-off-by: Erik Michelson <github@erik.michelson.eu> 2021-03-11 10:40:24 -05:00			`fetch(authUrl, {`
Use JavaScript Standard Style Introduce JavaScript Standard Style as project style rule, and fixed all fail on backend code. 2017-03-08 05:45:51 -05:00			`method: 'POST',`
Replace request library with node-fetch Signed-off-by: Erik Michelson <github@erik.michelson.eu> 2021-03-11 10:40:24 -05:00			`body: JSON.stringify(data),`
			`headers: {`
			`'Content-Type': 'application/json',`
			`Accept: 'application/json'`
			`}`
			`}).then(resp => {`
			`if (!resp.ok) {`
			`throw new Error('forbidden')`
			`}`
			`return resp.json()`
			`}).then(body => {`
			`const accessToken = body.access_token`
			`if (!accessToken) {`
			`throw new Error('forbidden')`
			`}`
			`const content = note.content`
			`const title = models.Note.decodeTitle(note.title)`
			`const filename = title.replace('/', ' ') + '.md'`
			`const gist = {`
			`files: {}`
			`}`
			`gist.files[filename] = {`
			`content: content`
			`}`
			`const gistUrl = 'https://api.github.com/gists'`
			`return fetch(gistUrl, {`
			`method: 'POST',`
			`body: JSON.stringify(gist),`
			`headers: {`
			`'User-Agent': 'HedgeDoc',`
			`Authorization: 'token ' + accessToken,`
			`'Content-Type': 'application/json',`
			`Accept: 'application/json'`
Use JavaScript Standard Style Introduce JavaScript Standard Style as project style rule, and fixed all fail on backend code. 2017-03-08 05:45:51 -05:00			`}`
Replace request library with node-fetch Signed-off-by: Erik Michelson <github@erik.michelson.eu> 2021-03-11 10:40:24 -05:00			`})`
			`}).then(resp => {`
			`if (resp.status !== 201) {`
			`throw new Error('forbidden')`
			`}`
			`return resp.json()`
			`}).then(body => {`
			`res.setHeader('referer', '')`
			`res.redirect(body.html_url)`
			`}).catch(error => {`
			`if (error.message === 'forbidden') {`
Move note actions to their own file. Because of circular import problems, this commit also moves the error messages from response.js to errors.js Signed-off-by: David Mehren <dmehren1@gmail.com> 2019-10-27 08:51:53 -04:00			`return errors.errorForbidden(res)`
Use JavaScript Standard Style Introduce JavaScript Standard Style as project style rule, and fixed all fail on backend code. 2017-03-08 05:45:51 -05:00			`}`
Replace request library with node-fetch Signed-off-by: Erik Michelson <github@erik.michelson.eu> 2021-03-11 10:40:24 -05:00			`logger.error('GitHub Gist auth failed: ' + error)`
			`return errors.errorInternalError(res)`
Use JavaScript Standard Style Introduce JavaScript Standard Style as project style rule, and fixed all fail on backend code. 2017-03-08 05:45:51 -05:00			`})`
			`}`
Supported export to gist 2016-01-31 16:42:26 -05:00			`}`
Jump to 0.3.1 2015-07-01 12:10:20 -04:00
Use JavaScript Standard Style Introduce JavaScript Standard Style as project style rule, and fixed all fail on backend code. 2017-03-08 05:45:51 -05:00			`function gitlabActions (req, res, next) {`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const noteId = req.params.noteId`
Move note actions to their own file. Because of circular import problems, this commit also moves the error messages from response.js to errors.js Signed-off-by: David Mehren <dmehren1@gmail.com> 2019-10-27 08:51:53 -04:00			`noteUtil.findNote(req, res, function (note) {`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const action = req.params.action`
Use JavaScript Standard Style Introduce JavaScript Standard Style as project style rule, and fixed all fail on backend code. 2017-03-08 05:45:51 -05:00			`switch (action) {`
			`case 'projects':`
			`gitlabActionProjects(req, res, note)`
			`break`
			`default:`
Change config to camel case with backwards compatibility This refactors the configs a bit to now use camel case everywhere. This change should help to clean up the config interface and make it better understandable. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-03-07 09:17:35 -05:00			`res.redirect(config.serverURL + '/' + noteId)`
Use JavaScript Standard Style Introduce JavaScript Standard Style as project style rule, and fixed all fail on backend code. 2017-03-08 05:45:51 -05:00			`break`
			`}`
			`})`
Update to move gitlab api path to sub path and fix its find user method for PR #121 2016-05-16 06:16:45 -04:00			`}`

Use JavaScript Standard Style Introduce JavaScript Standard Style as project style rule, and fixed all fail on backend code. 2017-03-08 05:45:51 -05:00			`function gitlabActionProjects (req, res, note) {`
			`if (req.isAuthenticated()) {`
			`models.User.findOne({`
			`where: {`
			`id: req.user.id`
			`}`
			`}).then(function (user) {`
Don't throw error if gitlab response is not okay-ish Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de> 2021-10-29 14:54:57 -04:00			`if (!user) {`
			`return errors.errorNotFound(res)`
			`}`
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-02-15 03:42:51 -05:00			`const ret = { baseURL: config.gitlab.baseURL, version: config.gitlab.version }`
Use JavaScript Standard Style Introduce JavaScript Standard Style as project style rule, and fixed all fail on backend code. 2017-03-08 05:45:51 -05:00			`ret.accesstoken = user.accessToken`
			`ret.profileid = user.profileid`
Replace request library with node-fetch Signed-off-by: Erik Michelson <github@erik.michelson.eu> 2021-03-11 10:40:24 -05:00			const apiUrl = `${config.gitlab.baseURL}/api/${config.gitlab.version}/projects?membership=yes&per_page=100&access_token=${user.accessToken}`
			`fetch(apiUrl).then(resp => {`
			`if (!resp.ok) {`
			`res.send(ret)`
Don't throw error if gitlab response is not okay-ish Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de> 2021-10-29 14:54:57 -04:00			`return Promise.reject(new Error('HTTP request returned not okay-ish status'))`
Fix eslint warnings Since we are about to release it's time to finally fix our linting. This patch basically runs eslint --fix and does some further manual fixes. Also it sets up eslint to fail on every warning on order to make warnings visable in the CI process. There should no functional change be introduced. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2019-05-30 18:27:56 -04:00			`}`
Replace request library with node-fetch Signed-off-by: Erik Michelson <github@erik.michelson.eu> 2021-03-11 10:40:24 -05:00			`return resp.json()`
			`}).then(body => {`
			`ret.projects = body`
			`return res.send(ret)`
Don't throw error if gitlab response is not okay-ish Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de> 2021-10-29 14:54:57 -04:00			`}).catch(err => {`
			`logger.error('gitlab action projects failed: ', err)`
Replace request library with node-fetch Signed-off-by: Erik Michelson <github@erik.michelson.eu> 2021-03-11 10:40:24 -05:00			`})`
Use JavaScript Standard Style Introduce JavaScript Standard Style as project style rule, and fixed all fail on backend code. 2017-03-08 05:45:51 -05:00			`}).catch(function (err) {`
			`logger.error('gitlab action projects failed: ' + err)`
Move note actions to their own file. Because of circular import problems, this commit also moves the error messages from response.js to errors.js Signed-off-by: David Mehren <dmehren1@gmail.com> 2019-10-27 08:51:53 -04:00			`return errors.errorInternalError(res)`
Use JavaScript Standard Style Introduce JavaScript Standard Style as project style rule, and fixed all fail on backend code. 2017-03-08 05:45:51 -05:00			`})`
			`} else {`
Move note actions to their own file. Because of circular import problems, this commit also moves the error messages from response.js to errors.js Signed-off-by: David Mehren <dmehren1@gmail.com> 2019-10-27 08:51:53 -04:00			`return errors.errorForbidden(res)`
Use JavaScript Standard Style Introduce JavaScript Standard Style as project style rule, and fixed all fail on backend code. 2017-03-08 05:45:51 -05:00			`}`
Update to move gitlab api path to sub path and fix its find user method for PR #121 2016-05-16 06:16:45 -04:00			`}`

Use JavaScript Standard Style Introduce JavaScript Standard Style as project style rule, and fixed all fail on backend code. 2017-03-08 05:45:51 -05:00			`module.exports = response`