Commit graph

589 commits

Author SHA1 Message Date
David Mehren
e09cdd5162
style(note-metadata): remove unused imports
Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-17 11:58:23 +01:00
David Mehren
f63c15c1ab
refactor(note-metadata): do not embed User objects
This is part of an effort to consistently not embed User objects
in API responses. Usernames are returned instead.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-17 11:56:58 +01:00
David Mehren
cdd4f58746
refactor(note-group-permission-update-dto): rename attribute groupName
For consistency with NoteGroupPermissionEntryDto

Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-17 11:56:09 +01:00
David Mehren
fe4e3d5657
refactor(note-group-permission-entry-dto): do not embed Group objects
This is part of an effort to consistently not embed Group objects
in API responses. Names are returned instead.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-17 11:56:09 +01:00
David Mehren
93301d84c7
refactor(note-user-permission-entry-dto): do not embed User objects
This is part of an effort to consistently not embed User objects
in API responses. Usernames are returned instead.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-17 11:56:09 +01:00
David Mehren
acaefb3996
refactor(note-permissions-dto): do not embed User objects
This is part of an effort to consistently not embed User objects
in API responses. Usernames are returned instead.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-17 11:56:09 +01:00
Yannick Bungers
9b856bf517
Merge pull request #1986 from hedgedoc/fix/consistent_timestamps
2022-01-16 23:05:13 +01:00
David Mehren
e2c2657b53
refactor(history-entry): rename lastVisited
This is part of an effort to name all date attributes
consistently.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-16 22:04:53 +01:00
David Mehren
05e534a7d6
refactor(note-metadata): rename date attributes
This is part of an effort to name all date attributes
consistently.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-16 22:04:53 +01:00
David Mehren
c7dd942c1f
refactor(auth-token): rename lastUsed to lastUsedAt
This is part of an effort to name all date attributes
consistently.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-16 22:04:53 +01:00
David Mehren
41d0c16982
docs(api): Add missing tags
Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-16 21:40:48 +01:00
David Mehren
c60f83357f
test(front-config): Add missing URL import
Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-16 19:53:02 +01:00
Yannick Bungers
f3899f3afd
Update error types for checkLocalPassword and updateLocalPassword to InvalidCredentialsError and NoLocalIdentityError in tests
Signed-off-by: Yannick Bungers <git@innay.de>
2022-01-06 22:01:39 +01:00
Yannick Bungers
29f60f8140
Change error types in checkLocalPassword and updateLocalPassword to InvalidCredentialsError and NoLocalIdentityError
Signed-off-by: Yannick Bungers <git@innay.de>
2022-01-06 21:59:46 +01:00
Yannick Bungers
9ecf7ba2be
Merge pull request #1935 from hedgedoc/feature/verify-password-change
2022-01-04 10:36:09 +01:00
David Mehren
85e7643b95
Merge pull request #1934 from hedgedoc/refactor/frontend-config/auth-providers
2022-01-04 10:08:58 +01:00
Erik Michelson
f581eeae79
Rename local password check method
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2022-01-03 23:45:43 +01:00
Erik Michelson
53f86919e3
refactor(frontend-config): return auth providers as array
This change removes the customAuthNames property and redefines the
authProviders property of the frontend-config DTO. Instead of a
map from auth providers to their enabled-state (boolean), there is
now an array that just includes the configured auth providers while
also having the identifier and providerName of custom auth providers.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2022-01-03 22:22:45 +01:00
David Mehren
745a1078f1
Merge pull request #1827 from hedgedoc/enhancement/lazy_load_relations
2022-01-03 19:51:39 +01:00
Erik Michelson
eda6835403
feat(auth): password change requires old password
By checking the "old" password of the user prior to a password change, the
password change function is more secure against abuse.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2021-12-28 02:09:05 +01:00
David Mehren
9de7f5ea21
Merge pull request #1882 from hedgedoc/fix/auth_token_hash
2021-12-14 19:41:36 +01:00
David Mehren
1957a39356
docs: explain the choice of sha-512 for auth tokens
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-14 19:37:15 +01:00
David Mehren
3e074d1879
fix(auth): use sha-512 for auth tokens
Bcrypt hashes are too slow to be validated on every request.
As our tokens are random and have a fixed length, it is reasonable
to use SHA-512 instead.

SHA-512 is recommended as cryptographically strong by the BSI:
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile

Fixes https://github.com/hedgedoc/hedgedoc/issues/1881

Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-13 22:44:38 +01:00
David Mehren
e21b5e695d
refactor(identity): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-13 21:45:03 +01:00
David Mehren
977ed4b9fa
refactor(user): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-13 21:45:03 +01:00
David Mehren
4483d2b898
refactor(session): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-13 21:45:03 +01:00
David Mehren
2da6faa4b4
refactor(revision): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-13 21:45:03 +01:00
David Mehren
e73bd7c030
refactor(edit): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-13 21:45:03 +01:00
David Mehren
c5c7307552
docs(permissions): document why we can't lazy-load
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-13 21:45:03 +01:00
David Mehren
f164e84081
refactor(tag): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-13 21:45:03 +01:00
David Mehren
3c0c11e3d4
refactor(note): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-13 21:45:03 +01:00
David Mehren
9e608c75d3
refactor(alias): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-13 21:45:03 +01:00
David Mehren
facdc456cd
refactor(media-upload): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-13 21:45:03 +01:00
David Mehren
03981f9e0b
fix(session-guard): correctly check for missing session
express-session always creates a `request.session` object, so only
checking whether that exists is not sufficient.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-07 20:23:18 +01:00
David Mehren
8aae5cb574
docs(history-entry): document why we can't lazy-load
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-05 19:42:49 +01:00
David Mehren
8eabfbc0a5
refactor(group): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-05 19:42:47 +01:00
David Mehren
244e3f76ea
refactor(author): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-05 19:40:25 +01:00
David Mehren
552d06f182
refactor(auth-token): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-05 19:40:25 +01:00
Philip Molares
6fddeebc56
feat: replace GetNotePipe with GetNoteInterceptor and RequestNote
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-12-02 21:57:51 +01:00
Philip Molares
9e2a138a14
feat: add request note decorator
This extracts the note inserted into the request by the get note interceptor, so that it can be used by the controller service.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-12-02 20:41:45 +01:00
Philip Molares
ea0588f02e
feat: refactor get note pipe to interceptor
This is necessary because of the order of operations in nestjs: the validation pipe is not able to get the note, as the noteIdOrAlias will be transformed by the get note pipe only after the validation has run.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-12-02 20:41:45 +01:00
Philip Molares
d27c531d9a
refactor: move permissions service calls into permissions guard
This commit moves all previous calls to the permissions service at the beginning of the controller methods into the permissions guard. This should make the code a bit cleaner and remove boilerplate code.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-12-02 20:41:14 +01:00
Philip Molares
f6ae0d30a1
feat: create permissions guard
This guard protects resources and lets users access them only if they hold the correct permission.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-12-02 20:41:12 +01:00
Philip Molares
6f7cfced39
feat: create permission decorator
This gathers the permission a user needs to hold to access a resource for the PermissionsGuard.

See https://docs.nestjs.com/guards#setting-roles-per-handler

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-11-30 19:48:47 +01:00
Philip Molares
c30a06d90b
feat: create permission enum
This enum makes it possible to specify which permissions a user needs to hold to access a specific resource.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-11-30 19:48:47 +01:00
Philip Molares
dbf467fea5
chore: extract getNote code from GetNotePipe.transform
This was done so the same code could be used in the PermissionsGuard.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-11-30 19:48:47 +01:00
Philip Molares
4b3c726101
chore: move get-note-pipe to api utils
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-11-30 19:48:47 +01:00
Yannick Bungers
15e2e177fb
Add missing null in type in permissions service
The parameters of the permission checking methods were missing a null value for an unset user. This is the case if the user is not logged in and is operating as a guest.

Signed-off-by: Yannick Bungers <git@innay.de>
2021-11-29 22:42:31 +01:00
David Mehren
bcd38e14c0
Merge pull request #1680 from hedgedoc/fix/createMethods
2021-11-16 19:07:00 +01:00
David Mehren
3a47e962ea
test(mockconfig): generate unique upload paths
This stops multiple concurrently running tests from disturbing each other.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-11-16 18:26:34 +01:00