David Mehren
e09cdd5162
style(note-metadata): remove unused imports
Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-17 11:58:23 +01:00
David Mehren
f63c15c1ab
refactor(note-metadata): do not embed User objects
This is part of an effort to consistently not embed User objects
in API responses. Usernames are returned instead.
Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-17 11:56:58 +01:00
David Mehren
cdd4f58746
refactor(note-group-permission-update-dto): rename attribute groupName
For consistency with NoteGroupPermissionEntryDto
Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-17 11:56:09 +01:00
David Mehren
fe4e3d5657
refactor(note-group-permission-entry-dto): do not embed Group objects
This is part of an effort to consistently not embed Group objects
in API responses. Names are returned instead.
Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-17 11:56:09 +01:00
David Mehren
93301d84c7
refactor(note-user-permission-entry-dto): do not embed User objects
This is part of an effort to consistently not embed User objects
in API responses. Usernames are returned instead.
Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-17 11:56:09 +01:00
David Mehren
acaefb3996
refactor(note-permissions-dto): do not embed User objects
This is part of an effort to consistently not embed User objects
in API responses. Usernames are returned instead.
Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-17 11:56:09 +01:00
Yannick Bungers
9b856bf517
Merge pull request #1986 from hedgedoc/fix/consistent_timestamps
2022-01-16 23:05:13 +01:00
David Mehren
e2c2657b53
refactor(history-entry): rename lastVisited
This is part of an effort to name all date attributes
consistently.
Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-16 22:04:53 +01:00
David Mehren
05e534a7d6
refactor(note-metadata): rename date attributes
This is part of an effort to name all date attributes
consistently.
Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-16 22:04:53 +01:00
David Mehren
c7dd942c1f
refactor(auth-token): rename lastUsed to lastUsedAt
This is part of an effort to name all date attributes
consistently.
Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-16 22:04:53 +01:00
David Mehren
41d0c16982
docs(api): Add missing tags
Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-16 21:40:48 +01:00
David Mehren
c60f83357f
test(front-config): Add missing URL import
Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-16 19:53:02 +01:00
Yannick Bungers
f3899f3afd
Update error types for checkLocalPassword and updateLocalPassword to InvalidCredentialsError and NoLocalIdentityError in tests
Signed-off-by: Yannick Bungers <git@innay.de>
2022-01-06 22:01:39 +01:00
Yannick Bungers
29f60f8140
Change error types in checkLocalPassword and updateLocalPassword to InvalidCredentialsError and NoLocalIdentityError
Signed-off-by: Yannick Bungers <git@innay.de>
2022-01-06 21:59:46 +01:00
Yannick Bungers
9ecf7ba2be
Merge pull request #1935 from hedgedoc/feature/verify-password-change
2022-01-04 10:36:09 +01:00
David Mehren
85e7643b95
Merge pull request #1934 from hedgedoc/refactor/frontend-config/auth-providers
2022-01-04 10:08:58 +01:00
Erik Michelson
f581eeae79
Rename local password check method
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2022-01-03 23:45:43 +01:00
Erik Michelson
53f86919e3
refactor(frontend-config): return auth providers as array
This change removes the customAuthNames property and redefines the
authProviders property of the frontend-config DTO. Instead of a
map from auth providers to their enabled-state (boolean), there is
now an array that just includes the configured auth providers while
also having the identifier and providerName of custom auth providers.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2022-01-03 22:22:45 +01:00
David Mehren
745a1078f1
Merge pull request #1827 from hedgedoc/enhancement/lazy_load_relations
2022-01-03 19:51:39 +01:00
Erik Michelson
eda6835403
feat(auth): password change requires old password
By checking the "old" password of the user prior to a password change, the
password change function is more secure against abuse.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2021-12-28 02:09:05 +01:00
David Mehren
9de7f5ea21
Merge pull request #1882 from hedgedoc/fix/auth_token_hash
2021-12-14 19:41:36 +01:00
David Mehren
1957a39356
docs: explain the choice of sha-512 for auth tokens
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-14 19:37:15 +01:00
David Mehren
3e074d1879
fix(auth): use sha-512 for auth tokens
Bcrypt hashes are too slow to be validated on every request.
As our tokens are random and have a fixed length, it is reasonable
to use SHA-512 instead.
SHA-512 is recommended as cryptographically strong by the BSI:
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile
Fixes https://github.com/hedgedoc/hedgedoc/issues/1881
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-13 22:44:38 +01:00
David Mehren
e21b5e695d
refactor(identity): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-13 21:45:03 +01:00
David Mehren
977ed4b9fa
refactor(user): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-13 21:45:03 +01:00
David Mehren
4483d2b898
refactor(session): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-13 21:45:03 +01:00
David Mehren
2da6faa4b4
refactor(revision): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-13 21:45:03 +01:00
David Mehren
e73bd7c030
refactor(edit): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-13 21:45:03 +01:00
David Mehren
c5c7307552
docs(permissions): document why we can't lazy-load
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-13 21:45:03 +01:00
David Mehren
f164e84081
refactor(tag): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-13 21:45:03 +01:00
David Mehren
3c0c11e3d4
refactor(note): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-13 21:45:03 +01:00
David Mehren
9e608c75d3
refactor(alias): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-13 21:45:03 +01:00
David Mehren
facdc456cd
refactor(media-upload): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-13 21:45:03 +01:00
David Mehren
03981f9e0b
fix(session-guard): correctly check for missing session
express-session always creates a `request.session` object, so only
checking if that exists is not sufficient.
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-07 20:23:18 +01:00
David Mehren
8aae5cb574
docs(history-entry): document why we can't lazy-load
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-05 19:42:49 +01:00
David Mehren
8eabfbc0a5
refactor(group): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-05 19:42:47 +01:00
David Mehren
244e3f76ea
refactor(author): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-05 19:40:25 +01:00
David Mehren
552d06f182
refactor(auth-token): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-05 19:40:25 +01:00
Philip Molares
6fddeebc56
feat: replace GetNotePipe with GetNoteInterceptor and RequestNote
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-12-02 21:57:51 +01:00
Philip Molares
9e2a138a14
feat: add request note decorator
This extracts the note inserted with the get note interceptor into the request to be used by the controller service.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-12-02 20:41:45 +01:00
Philip Molares
ea0588f02e
feat: refactor get note pipe to interceptor
This is necessary, because of the order of operations in nestjs, the validation pipe is not able to get the note as the noteIdOrAlias will be transformed by the get note pipe after the validation did run.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-12-02 20:41:45 +01:00
Philip Molares
d27c531d9a
refactor: move permissions service calls into permissions guard
This commit removes all previous calls to the permissions service at the beginning of the controller methods to the permissions guard. This should make the code a bit cleaner and remove boilerplate code.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-12-02 20:41:14 +01:00
Philip Molares
f6ae0d30a1
feat: create permissions guard
This guard protects resources and lets users only access them if they hold the correct permission
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-12-02 20:41:12 +01:00
Philip Molares
6f7cfced39
feat: create permission decorator
This gathers the permission a user needs to hold to access a resource for the PermissionsGuard.
See https://docs.nestjs.com/guards#setting-roles-per-handler
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-11-30 19:48:47 +01:00
Philip Molares
c30a06d90b
feat: create permission enum
This enum makes it possible which permissions a user needs to hold to access a specific resource
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-11-30 19:48:47 +01:00
Philip Molares
dbf467fea5
chore: extract getNote code from GetNotePipe.transform
This was done so the same code could be used in the PermissionsGuard
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-11-30 19:48:47 +01:00
Philip Molares
4b3c726101
chore: move get-note-pipe to api utils
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-11-30 19:48:47 +01:00
Yannick Bungers
15e2e177fb
Add missing null in type in permissions service
The parameters of the permission checking methods were missing a null value for not set user. This is the case if user is not logged in and operating as guest.
Signed-off-by: Yannick Bungers <git@innay.de>
2021-11-29 22:42:31 +01:00
David Mehren
bcd38e14c0
Merge pull request #1680 from hedgedoc/fix/createMethods
2021-11-16 19:07:00 +01:00
David Mehren
3a47e962ea
test(mockconfig): generate unique upload paths
This stops multiple concurrently running tests disturbing each other.
Signed-off-by: David Mehren <git@herrmehren.de>
2021-11-16 18:26:34 +01:00