Just find the related note in an Interceptor (in both public and private routes)
Related issue: https://github.com/hedgedoc/hedgedoc/issues/1594
Signed-off-by: Lautaro Alvarez <lautarolalvarez@gmail.com>
Signed-off-by: David Mehren <git@herrmehren.de>
This renames the argument in the POST /profile route to `displayName`
to be more consistent with the UserDTO.
It also adds OpenAPI docs.
Signed-off-by: David Mehren <git@herrmehren.de>
This information is supposed to be used by the frontend
to identify the login method that was used.
The used login method is saved as a string into the session data
and extracted via a new SessionAuthProvider decorator.
Signed-off-by: David Mehren <git@herrmehren.de>
Previously, the `logout` method immediately returned and did not wait
for the possible error callback.
This wraps the call to `session.destroy` into a promise,
so the error can be properly handled.
Signed-off-by: David Mehren <git@herrmehren.de>
The email address should only be available
in /me routes.
This commit splits the email address into a new FullUserInfoDto.
Signed-off-by: David Mehren <git@herrmehren.de>
This now correctly returns the dto if it is provided. Previously it would return () => undefined, when the dto was not defined, which crashed some internal logic in nestjs.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This decorator gets a list of http codes and possible descriptions and adds all necessary decorator internally to the method or the class. This will prevent long OpenApi annotations and keep the controllers shorter.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
With these additional annotations the openapi docs under `/apidoc` and `/private/apidoc` will be improved by adding errors that the requests can return
Signed-off-by: Philip Molares <philip.molares@udo.edu>
As the public api is nearly completely protected by the TokenAuthGuard it seems unnecessarily verbose to add the guard to every method in the controllers, when an annotation at the top of the controller would be sufficient.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
Because this mapping will now be done with the ErrorExceptionMapping class, the mapping will be omitted in the interceptor.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
These test files are only autogenerated and don't have any benefit. Any behaviour one would test with them are (or at least should) already be covered by our e2e tests.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This commit separates the app config object from a new note config object. This was done to separate different concerns in different config files. Especially if the number of settings that are about notes increase, it is a good idea to keep them separate from the app config.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
By checking the "old" password of the user prior to a password change, the
password change function is more secured against abuse.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
This extracts the note inserted with the get note interceptor into the request to be used by the controller service.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This is necessary, because of the order of operations in nestjs, the validation pipe is not able to get the note as the noteIdOrAlias will be transformed by the get note pipe after the validation did run.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This commit removes all previous calls to the permissions service at the beginning of the controller methods to the permissions guard. This should make the code a bit cleaner and remove boilerplate code.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This guard protects resources and let's users only access them if they hold the correct permission
Signed-off-by: Philip Molares <philip.molares@udo.edu>
To make the create method easier to use in conjunction
with the authentication framework, this commit changes the type of
the `owner` parameter from `User | undefined` to `User | null`.
Signed-off-by: David Mehren <git@herrmehren.de>
The previously used HTTP error 400 'Bad Request' is not really
applicable here, as the client did not send a malformed message.
Signed-off-by: David Mehren <git@herrmehren.de>