Commit graph

10 commits

Author SHA1 Message Date
Erik Michelson
157a0fe278 refactor(media): store filenames, use pre-signed s3/azure URLs, UUIDs
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-09-12 14:49:17 +02:00
Erik Michelson
4132833b5d refactor(api-docs): move api docs to /api/doc/
The API documentation belongs strictly to the API itself.
Due to the usage of version-prefixed API endpoints, there is no conflict
with existing or future endpoints.
The reason behind this is that we already have enough exceptions in the
routing (default everything to react-frontend, exceptions for backend)
and it is hard to keep it synchronized throughout all relevant places.
This came to attention as the dev setup didn't proxy the API docs to the
backend.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-09-12 14:49:17 +02:00
Erik Michelson
1f1231a730 ci: remove netlify deployment workflow
This workflow was used in an early stage of development of HedgeDoc 2.
It allowed the core developers to quickly check fixes, improvements or
new features to the HedgeDoc UI without the requirement to check-out
the branch locally. As not every pull request required a deployment,
this workflow was only triggered when the "ci: force deployment"
label was added. Since some time already, the frontend and backend
are so tightly coupled that the netfliy deployment doesn't make any
sense anymore and therefore hasn't been used anymore. This commit
therefore removes this leftover workflow.

@RedYetiDev contacted us privately and reported that this deployment
workflow could have been abused to invoke arbitrary commands, including
extraction of environment variables which include our tokens for the
turborepo build cache or the netlify deployment token. For this it
would have been required that somebody created a "safe" pull request,
which would have been labelled with the deployment label and then
changed afterwards since the workflow checks out the pull request
source repository, not the target. We assured that the label was only
added to pull requests from trusted members of the HedgeDoc core team.
There was never any malicious use of the workflow. Furthermore, no
released versions of HedgeDoc (1.x) could have been affected by this,
even in the worst-case scenario.

We're thankful for putting this risk at our attention!
If you too encounter something unusual regarding security in HedgeDoc
itself or our toolchain around it, don't hesitate to contact us.
Details on this are wriiten in our SECURITY.md in the root of the
repository.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-07-30 08:48:38 +02:00
yamashush
275988716c doc: update e2e test script name
Signed-off-by: yamashush <38120991+yamashush@users.noreply.github.com>
2024-01-21 15:31:10 +01:00
Tilman Vatteroth
01d7eb9529 fix(deps): bump minimum node version to v20
With node 18 the tests always crash.

Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-01-18 19:12:46 +01:00
Erik Michelson
482cb7729f docs: fix reverse-proxy how-to using wrong host header
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2023-12-25 12:58:48 +01:00
Philip Molares
e797d600d4 chore: release alpha 2
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2023-10-25 21:55:27 +02:00
David Mehren
de14b75369 docs: fix alpha image tag
Signed-off-by: David Mehren <git@herrmehren.de>
2023-10-08 19:25:19 +02:00
Philip Molares
5ed1fa18d6 fix: fix links to other files
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2023-09-17 21:50:21 +02:00
Philip Molares
e07cd62596 docs: restructure documentation
This rewrite follows the principles of https://diataxis.fr/

Co-authored-by: Erik Michelson <github@erik.michelson.eu>
Signed-off-by: Philip Molares <philip.molares@udo.edu>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2023-09-17 21:50:21 +02:00