Commit graph

3273 commits

Author SHA1 Message Date
Philip Molares
a7f35aaeec tests: Fix tests as part of the DTO Refactor
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-31 00:11:58 +01:00
Yannick Bungers
b07d6d478c Refactoring of controllers and service interfaces
DTO should only be used for sending information to and from user.
Services now have methods which return normal internal objects and
methods which convert them to DTOs. This conversion is done in the
controlers

Signed-off-by: Yannick Bungers <git@innay.de>
2021-01-30 00:15:05 +01:00
Yannick Bungers
3431934ceb
Merge pull request #778 from hedgedoc/fix/secretLength 2021-01-29 22:27:54 +01:00
Philip Molares
08b3dd5db9 auth: Fix undefined secret error
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-29 22:24:19 +01:00
Philip Molares
ba517b3cfe auth: Fix UnauthorizedException throwing
Move conversion of Errors from AuthService to TokenStrategy.
This is necessary to correctly test the validateToken method.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-29 22:00:47 +01:00
Philip Molares
5a727d530b auth: Fix secret length
The former length of 64 bytes (512-bit) is transformed into base64url (a 6-bit code) ~86 characters long. This is too long for bcrypt as it ignores any characters beyond the 72th.
This fix therefore reduces the amount of generated bytes to 54 (as 72*6/8 = 54) characters. This ensures that removing one character from the token the hash won't be the same anymore.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-29 21:32:54 +01:00
David Mehren
b49c802c79
Merge pull request #776 from hedgedoc/fix/UnauthorizedException
auth: Fix handling of internal server errors
2021-01-29 20:52:36 +01:00
Philip Molares
84915b61ac auth: Fix handling of internal server errors
Catch all NotInDbErrors and TokenNotValidError and transform them to UnauthorizedException with the correct message.
This prevents nest from telling the api user that an internal server error has happened and instead display the correct http error code 401.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-29 20:33:56 +01:00
David Mehren
63b61f304b
Merge pull request #783 from hedgedoc/renovate/ts-jest-26.x
chore(deps): update dependency ts-jest to v26.5.0
2021-01-29 19:24:55 +01:00
David Mehren
d8a02aa409
Merge pull request #780 from hedgedoc/fix/inconsistentEnvVars
config: Fix inconsistent env vars
2021-01-29 19:24:01 +01:00
Renovate Bot
1f26c992a1
chore(deps): update dependency ts-jest to v26.5.0
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-01-29 14:02:05 +00:00
Philip Molares
2f17291079 config: Fix inconsistent env vars
This should make the translation from env var name to config name and vice versa more consistent.

Fixes #751

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-28 23:28:16 +01:00
Yannick Bungers
333b5a07e6
Merge pull request #768 from hedgedoc/feat/split-openapi
Swagger: Split public and private API
2021-01-27 23:13:49 +01:00
David Mehren
13fcd72f2d
Merge pull request #770 from hedgedoc/renovate/nestjs-packages
fix(deps): update nestjs packages to v7.6.7
2021-01-27 20:07:14 +01:00
David Mehren
3ba64f15f1
Swagger: Split public and private API
Fixes #759

Signed-off-by: David Mehren <git@herrmehren.de>
2021-01-27 20:02:25 +01:00
David Mehren
932cb636ff
Merge pull request #771 from hedgedoc/fix/base64Url 2021-01-27 19:49:02 +01:00
Renovate Bot
df3e389b6f
fix(deps): update nestjs packages to v7.6.7
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-01-27 17:26:10 +00:00
David Mehren
4d03577bba
Merge pull request #772 from hedgedoc/renovate/mkdocs-material-6.x
Update dependency mkdocs-material to v6.2.6
2021-01-27 18:25:36 +01:00
Renovate Bot
c39d159cf2
Update dependency mkdocs-material to v6.2.6
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-01-27 17:23:14 +00:00
David Mehren
b029d3100a
Merge pull request #769 from hedgedoc/renovate/pymdown-extensions-8.x
Update dependency pymdown-extensions to v8.1.1
2021-01-27 18:22:23 +01:00
Philip Molares
563f862846 auth: Encode secret in base64url
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-27 00:23:43 +01:00
Philip Molares
7aeb77b262 auth: Fix base64url transformation
The problem was that replace only replaces the first occurrence of a string and not all as is needed for this function.
tsconfig.json needed lib to be set to esnext or the replaceAll function won't be available…

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-26 10:56:45 +01:00
Renovate Bot
fa235f6fe1
Update dependency pymdown-extensions to v8.1.1
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-01-26 01:46:17 +00:00
David Mehren
f8757d0e5b
Merge pull request #766 from hedgedoc/feat/dto-docs 2021-01-25 23:16:02 +01:00
David Mehren
12263acce6
Merge pull request #767 from hedgedoc/renovate/test-packages
chore(deps): update dependency supertest to v6.1.3
2021-01-25 23:10:55 +01:00
Renovate Bot
af555d972b
chore(deps): update dependency supertest to v6.1.3
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-01-25 22:02:40 +00:00
David Mehren
c0ee27e2b0
Merge pull request #765 from hedgedoc/renovate/pin-dependencies
fix(deps): pin dependencies
2021-01-25 23:02:09 +01:00
Renovate Bot
999099c94b
fix(deps): pin dependencies
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-01-25 21:52:35 +00:00
David Mehren
3dc223847d
HistoryEntryDto: Add doc comments
Signed-off-by: David Mehren <git@herrmehren.de>
2021-01-25 22:48:39 +01:00
David Mehren
3f16a398d2
HistoryEntryUpdateDto: Add doc comments
Signed-off-by: David Mehren <git@herrmehren.de>
2021-01-25 22:48:39 +01:00
David Mehren
5f71e779ef
NoteDto: Add doc comments
Signed-off-by: David Mehren <git@herrmehren.de>
2021-01-25 22:48:39 +01:00
David Mehren
be2dc0e4d6
NoteAuthorshipDto: Add doc comments
Signed-off-by: David Mehren <git@herrmehren.de>
2021-01-25 22:48:39 +01:00
David Mehren
84143eec7d
RevisionMetadataDto: Add doc comments
Signed-off-by: David Mehren <git@herrmehren.de>
2021-01-25 22:48:39 +01:00
David Mehren
43194500e9
RevisionDto: Add doc comments
Signed-off-by: David Mehren <git@herrmehren.de>
2021-01-25 22:48:38 +01:00
David Mehren
e4f0c5c064
NoteMetadata DTOs: Add doc comments
Signed-off-by: David Mehren <git@herrmehren.de>
2021-01-25 22:48:38 +01:00
David Mehren
a83a7c7a66
NotePermission DTOs: Add doc comments
Signed-off-by: David Mehren <git@herrmehren.de>
2021-01-25 22:48:38 +01:00
David Mehren
d3acd3d2db
UserInfoDto: Add doc comments
Signed-off-by: David Mehren <git@herrmehren.de>
2021-01-25 22:48:38 +01:00
David Mehren
a144a55eb4
Swagger: Enable comment parsing
Signed-off-by: David Mehren <git@herrmehren.de>
2021-01-25 22:48:38 +01:00
Yannick Bungers
ca04856425
Merge pull request #738 from hedgedoc/private/tokens 2021-01-25 21:38:53 +01:00
Philip Molares
2c38bd55a8 regenerated yarn.lock
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-25 21:34:11 +01:00
Philip Molares
bfe14dad8d auth: Run removeInvalidTokens 5s after startup
This should prevent problem with the AuthToken purge on Sundays, as the service is either running on sunday or will be restarted there after.

Also move base64url comment to right function

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-25 21:30:08 +01:00
Philip Molares
67a5f3c7ec auth: Add maximum token lifetime of 2 years.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-25 21:30:08 +01:00
Philip Molares
99d6b39e00 auth: Run removeInvalidTokens 5s after startup
This should prevent problem with the AuthToken purge on Sundays, as the service is either running on sunday or will be restarted there after.

Also move base64url comment to right function

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-25 21:30:08 +01:00
Philip Molares
c2d759da53 auth: Add token limit of 200
This is a very high ceiling unlikely to hinder legitimate usage, but should prevent possible attack vectors

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-25 21:30:08 +01:00
Philip Molares
c96edb31a5 tokens: Add token creation
Fix token deletion
Update plantuml docs
Add token validUntil and lastUsed fields

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-25 21:30:08 +01:00
Philip Molares
28abc37e2c auth: fixes unit and e2e tests
adds MockAuthGuard which always return user 'hardcoded'

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-25 21:30:08 +01:00
Philip Molares
ee6293f5a3 auth: adds token-auth to public api
adds auth service
adds auth module
adds token-auth strategy
adds token-auth to all public api calls

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-25 21:30:06 +01:00
Philip Molares
0a3247492a auth: Add cron to clean old tokens
Rename AuthToken.identifier to label

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-25 21:30:04 +01:00
Philip Molares
cc2fcac532 auth: Remove userName parameter of removeToken function
As suggested by @innaytool

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-25 21:30:02 +01:00
Philip Molares
f68caab6e8 auth: Integrate suggestions by @davidmehren
Add number type alias TimestampMillis
Remove solved ToDos
Change AuthToken and AuthTokenDto to use Date
Rename authService unit tests

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-25 21:30:02 +01:00