Commit graph

2703 commits

Author SHA1 Message Date
David Mehren
2050f5acc2
Update database schema.
Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:10 +02:00
David Mehren
fbd89977cd
Add 'special' property to GroupInfoDto and rename 'id' to 'name'
Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:10 +02:00
David Mehren
d0c1c93fba
Add (still incomplete) database schema
Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:10 +02:00
David Mehren
ea217b3613
Adapt permission DTOs for group permissions
Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:10 +02:00
David Mehren
84b7840ce3
Implement routes in MonitoringController
Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:10 +02:00
David Mehren
eab06c0296
Add monitoring module
Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:10 +02:00
David Mehren
f98bf0d32d
Add media upload route to MediaController
Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:09 +02:00
David Mehren
06b0d19c4b
RevisionsService: Add hardcoded-data warnings.
Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:09 +02:00
David Mehren
7e2abf366c
NotesService: Add hardcoded-data warnings.
Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:09 +02:00
David Mehren
eedaf61921
Implement /notes API routes
This adds all currently specified routes under /notes.

Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:09 +02:00
David Mehren
604b8f498c
Add more features to NotesService
Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:09 +02:00
David Mehren
5d26d767cd
Add update-DTOs for note permissions and permission entries.
Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:09 +02:00
David Mehren
d7fe7a95c7
Add DTOs for notes and note authorship
Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:09 +02:00
David Mehren
5ce8a532a8
Add RevisionsService
Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:08 +02:00
David Mehren
783d2cf5e4
Add DTOs for revision and revision metadata
Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:08 +02:00
David Mehren
9a545bb394
Update Revision database schema
Still uses the old schema, should probably be changed

Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:08 +02:00
David Mehren
e490ecba36
Add /me/notes route to MeController
Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:08 +02:00
David Mehren
5fcb220346
Add NotesService
Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:08 +02:00
David Mehren
574c7d1dd4
Log warnings when using hardcoded data.
Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:08 +02:00
David Mehren
f3d1644f95
Enable automatic OpenAPI spec generation.
NestJS can automatically generate an OpenAPI spec by analyzing controllers and used DTOs.
This commit enables this feature. The API docs are served under /apidoc.

Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:08 +02:00
David Mehren
c675ecc5f2
Add dist folder and coverage foldert to .gitignore
Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:07 +02:00
David Mehren
9fd67eb1ad
Fix formatting in main.ts
Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:07 +02:00
David Mehren
5a11a7cc8e
Import new modules into AppModule
Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:07 +02:00
David Mehren
56d5a2e1b1
Add NoteModule
This contains the module, a model which was adapted from the old code and two DTOs.

Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:07 +02:00
David Mehren
b528d7f76e
Add RevisionsModule
This contains the module and a model which still needs many properties.

Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:07 +02:00
David Mehren
348cd3ffe1
Add PublicAPIModule
This adds all controllers needed in the public API (at least as currently specified) and implements some routes under `/me`

Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:07 +02:00
David Mehren
eeeacb8c67
Add AuthorsModule
This contains the module and a model which still needs many properties.

Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:07 +02:00
David Mehren
960deeb059
Add HistoryModule
This contains the module, a service (which only returns mock data), a model and two DTOs for history entries.

Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:06 +02:00
David Mehren
e6ac4cf20b
Add UsersModule
This contains the module, a service (which only returns mock data), a model and the UserInfo DTO.

Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:06 +02:00
David Mehren
4135b7e6e4
Add TypeORM support
Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:06 +02:00
David Mehren
42c66d1343
Exclude old backend code from tsc compilation
Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:06 +02:00
David Mehren
1aca4a2986
Use default NestJS lint config
Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:06 +02:00
David Mehren
f4caee2ac7
Add empty NestJS application
Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:06 +02:00
David Mehren
35e567bfcd
Delete old frontend code
Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:06 +02:00
David Mehren
7b9f9a487b
Move old backend code to old_src folder
Signed-off-by: David Mehren <git@herrmehren.de>
2020-08-20 19:43:05 +02:00
Yannick Bungers
c42d2223e8
Merge pull request #465 from Skgland/330-followup
#330 followup
2020-08-13 21:13:17 +02:00
Bennet Bleßmann
8811ba6dfe
add ldap.starttls to config file docs
Signed-off-by: Bennet Bleßmann <bb-github@t-online.de>
2020-08-05 00:45:38 +02:00
Bennet Bleßmann
e316f1dcd9
fix eslint warning and error, one each
fix warning line 38 Missing return type on function
fix error   line 47 Missing space before function parentheses

Signed-off-by: Bennet Bleßmann <bb-github@t-online.de>
2020-08-05 00:09:59 +02:00
Bennet Bleßmann
2aac53670e
add starttls field to ldap in Config interface
Signed-off-by: Bennet Bleßmann <bb-github@t-online.de>
2020-08-05 00:09:58 +02:00
David Mehren
a194156b0f
Merge pull request #384 from SISheogorath/feature/automated-migrations
Run database migrations automatically on startup
2020-07-11 21:25:59 +02:00
Sheogorath
6c1ca5bd8d
Run database migrations automatically on startup
Instead of using sequelize-cli and ensure migrations by shellscript,
this patch automates database migrations properly to the umzug library.
The sequelize CLI becomes a dev dependencies as it's still useful for
generating migrations.

This should eliminate the need for crude generating of database config
files and alike. Instead we utilize the pre-configured sequelize
connection that CodiMD will use anyway.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-07-11 20:33:35 +02:00
Yannick Bungers
2c3522992b
Merge pull request #441 from codimd/fix-pg-in-2.0
[2.0] Upgrade pg package to fix node version 14 compatibility
2020-07-10 22:56:55 +02:00
David Mehren
244a5a937e
Merge pull request #428 from dalcde/cookies 2020-07-10 18:59:58 +02:00
David Mehren
4df1ea6a5c
Upgrade pg package to fix node version 14 compatibility
This is a forward-port of d6ce60c.

The old pg version doesn't work with node version 14 due to
an undocumented API change in the `readyState` in the socket API.
This patch updates the required dependency and this way resolves the
issue.

Signed-off-by: David Mehren <dmehren1@gmail.com>
2020-07-10 18:52:15 +02:00
David Mehren
e14903e0cb
Merge pull request #434 from dalcde/log
Fix dmpWorker logging
2020-07-10 18:46:34 +02:00
Dexter Chua
efaa402dca Fix dmpWorker logging
dmpWorker is run as a childProcess, which is a completely separate
nodejs instance. As such, the `logger` it obtains is a separate instance
than the one in the parent. The parent reads the config file to
determine the log level, but the childProcess does not. So the log level
used in dmpWorker is always `debug`, regardless of the configuration
options.

In addition to polluting the logs, this is potentially a privacy issue,
because `dmpWorker` logs the diffs of notes at the `debug` level, which
will then enter the system logs.

This commit fixes this by making `dmpWorker` send any messages back to
the parent, who is responsible for logging. This also avoids any
potential race conditions between the two loggers writing to the same
output.

Fixes #433

Signed-off-by: Dexter Chua <dec41@srcf.net>
2020-07-10 18:41:07 +08:00
Sheogorath
c67214b7d0 Relax cookie restrictions to 'lax' to allow frontend to work
Our frontend requests the `/me` pathname in order to determine whether
it's logged in or not. Due to the fact that the sameSite attribute of
the session cookie was set to `strict` in a previous commit, the session
token was no longer sent along with HTTP calls initiated by JS. This is
due to the RFCs definition of "safe" HTTP calls in RFC7231.

The bug triggers the UI to show up like an unauthenticated user, even
after a successful login. In order to debug it a look into the send
cookies to the `/me` turned out to be very enlightening.

The fix this patch implements is rather simple, it replaces the sameSite
attribute to `lax` which enables the cookies for those requests again.

Some older and mobile clients were unaffected by this due to the lack of
implementations of sameSite policies.

References:
https://tools.ietf.org/html/rfc7231#section-4.2.1
https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.3.7.1
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
e77e7b165a

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-07-10 18:40:56 +08:00
Sheogorath
3ae999024f Fix broken cookie handling due to missing proxy awareness
We enabled the `secure` flag for various cookies in previous commits.
This caused setups behind reverse proxies to drop cookies as the nodejs
instance wasn't aware of the fact that it was able to hand out secure
commits using an insecure connection (between the codimd instance and
the reverse proxy).

This patch makes express, the webserver framework we use, aware of
proxies and this way re-enabled the handing out of cookies. Not only the
cookie monster will enjoy, but also functionality like authentication
and real-time editing will return as intended.

References:
https://www.npmjs.com/package/express-session#cookiesecure
383d791a50

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-07-10 18:40:56 +08:00
Sheogorath
8406f75bb7 Ensure session cookies are secure
While HSTS should take care of most of this, setting cookies to be
secure, and only applied on same site helps to improve situations where
for whatever reason, downgrade attacks are still a thing.

This patch adds the `sameSite` and `secure` to the session cookie and
this way prevent all accidents where a browser may doesn't support HSTS
or HSTS is intentionally dropped.

Reference:
https://www.npmjs.com/package/express-session#cookiesecure

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-07-10 18:40:56 +08:00
David Mehren
fb77878143 Disable unneeded 'io' cookie.
According to https://github.com/socketio/socket.io/issues/2276 this cookie is not used for anything. To avoid browser warnings about the sameSite attribute, we disable it here.

Signed-off-by: David Mehren <dmehren1@gmail.com>
2020-07-10 18:40:56 +08:00