For non-OIDC compliant OAuth2 providers it was only possible to define
the authorize, token and userinfo URLs but not the end_session_endpoint.
This commit adds that functionality.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Error messages for manual OIDC attributes such as overriding the scope
resulted in wrong error messages when misconfigured.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
When the OIDC login flow for a new user is cancelled, the oidcIdToken
session variable should be cleared as well.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
The userinfo response endpoint from the OIDC provider should not be
trusted to return what we expect. Fields could be undefined. In that
case HedgeDoc would have written "undefined" into the fields for
profile picture or email address.
This fix checks for fields being undefined and returns a default value
in that case.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
This commit changes the caddyfile to not directly rely on the
HD_BASE_URL environment variable, but instead default to port 8080 as
used in our package.json scripts and docs.
The caddy domain can optionally be overridden using the CADDY_HOST env
variable.
Furthermore, this change adds a section to trust reverse-proxies in
front of Caddy if they are in a private range IP address network.
Both these changes are required to be able to expose a local development
setup with another domain than localhost to a co-developer. With
this change it works without having Caddy trying to generate TLS
certificates for that domain nor HedgeDoc erroring about an origin
mismatch, that occurs as Caddy doesn't forward specific headers
otherwise.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Since we use rathole while developing to share a local dev environment
with a co-developer, the client config with the secrets should not be
accidentally committed.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
The types provided by ldapauth-fork are re-exported from ldapjs. ldapjs
is unmaintained by now but since their last update, the
ConnectionOptions type seems to not contain the mandatory parameter
`url` anymore. Therefore this typecast is needed.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Due to failing docker builds it was brought to our attention
that the backend relied on the uuid package without declaring
it as dependency. This worked in all development and build
scenarios as the frontend declares uuid as dependency already
and top-level `yarn install` installs all dependencies from all
workspaces. However, as the docker build only runs for either
the backend or the frontend, this failed.
This commit adds the dependency to the backend as well.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
The API documentation belongs strictly to the API itself.
Due to the usage of version-prefixed API endpoints, there is no conflict
with existing or future endpoints.
The reason behind this is that we already have enough exceptions in the
routing (default everything to react-frontend, exceptions for backend)
and it is hard to keep it synchronized throughout all relevant places.
This came to attention as the dev setup didn't proxy the API docs to the
backend.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Thanks to all HedgeDoc team members for the time discussing,
helping with weird Nest issues, providing feedback
and suggestions!
Co-authored-by: Philip Molares <philip.molares@udo.edu>
Signed-off-by: Philip Molares <philip.molares@udo.edu>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
If one wrote a frontmatter, the incomplete ending dashes were interpreted as a headline and therefore the last line in the frontmatter was handled as the first heading of the document.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
Add an empty entry to the emoji autocompletion which allows us to press enter to continue without any random emojis in the note where we did not intend them.
Fixes #5251
Signed-off-by: Philip Molares <philip.molares@udo.edu>
With the recent dicebear update we don't need to use the sync method anymore as toDataUri now is sync.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
We should use the most specific caddy first and go to more general caddy executables as is the norm and expected from systems in general.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
Because turbo now removes non-specified environment variables, we need to specify --env-mode explicitly as loose.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
turbo now wants you to specify the whole name and not just part of the name.
See: https://github.com/vercel/turborepo/pull/8137
Signed-off-by: Philip Molares <philip.molares@udo.edu>