Commit graph

184 commits

Author SHA1 Message Date
Lautaro Alvarez
a0b5da6c8b refactor(media-apis): Implement a decorator to convert header to Note instance
Just find the related note in an Interceptor (in both public and private routes)

Related issue: https://github.com/hedgedoc/hedgedoc/issues/1594

Signed-off-by: Lautaro Alvarez <lautarolalvarez@gmail.com>
Signed-off-by: David Mehren <git@herrmehren.de>
2022-06-19 20:58:23 +02:00
Philip Molares
b4e62c8425 feat: add ldap login to auth controller
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2022-04-17 21:05:13 +02:00
Yannick Bungers
70d7ca5475 Move permission update functions to permissions controller
Signed-off-by: Yannick Bungers <git@innay.de>
2022-03-13 21:33:02 +01:00
Yannick Bungers
0a3271e4a5 Add GroupsModule import to public API module
Signed-off-by: Yannick Bungers <git@innay.de>
2022-03-13 21:33:02 +01:00
Yannick Bungers
647990022b Add API routes for fine-grained permission manipulation
Signed-off-by: Yannick Bungers <git@innay.de>

fix lint

Signed-off-by: Yannick Bungers <git@innay.de>
2022-03-13 21:33:02 +01:00
David Mehren
64b16c831e refactor(register-dto): rename displayname -> displayName
Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-07 13:54:43 +01:00
David Mehren
7050c9f13b feat(revision): include edits in dto
Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-07 13:54:43 +01:00
David Mehren
6944094b9b fix(api/private/me): require and document displayName
This renames the argument in the POST /profile route to `displayName`
to be more consistent with the UserDTO.

It also adds OpenAPI docs.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-07 13:54:43 +01:00
David Mehren
d6ea4d29fe feat(api/private/me): include authProvider in UserInfo
This information is supposed to be used by the frontend
to identify the login method that was used.

The used login method is saved as a string into the session data
and extracted via a new SessionAuthProvider decorator.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-07 13:54:43 +01:00
David Mehren
3f8e3b0589 refactor(api/public/media): return MediaUpload object instead of url
This ensures the POST /media API behaves in the same way as /me/media

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-07 13:54:43 +01:00
David Mehren
8e31f3a393 refactor(api/private/media): return MediaUpload object instead of url
This ensures the private POST /media API behaves in the same way as /me/media

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-07 13:54:43 +01:00
David Mehren
552cb05d92 refactor(api/private/tokens): validate POST data with DTO
This adds a `AuthTokenCreateDto` which allows
to fully validate incoming JSON data.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-06 22:24:21 +01:00
David Mehren
fd3fde9cc8 refactor(api/private/history): validate POST data with DTO
This adds a `HistoryEntryImportListDto` which allows
to fully validate incoming JSON data.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-06 22:24:21 +01:00
David Mehren
a32d9e8305 fix(api/private/auth): wait for error
Previously, the `logout` method immediately returned and did not wait
for the possible error callback.

This wraps the call to `session.destroy` into a promise,
so the error can be properly handled.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-06 22:24:21 +01:00
David Mehren
5eab4f42d6 refactor: merge AuthTokenDTOs into one file
Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-06 22:24:21 +01:00
David Mehren
0be8e4ea55 feat(api/private): add GroupsController
The GroupsController can be used to fetch information about groups.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-01 20:20:18 +01:00
David Mehren
0394679134 feat(user-info-dto): split email into separate DTO
The email address should only be available
in /me routes.
This commit splits the email address into a new FullUserInfoDto.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-01 20:20:18 +01:00
David Mehren
a7edf00ebc feat(api/private): add UsersController
The UsersController can be used to fetch information about users.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-01 20:20:18 +01:00
Philip Molares
cf5c398933 fix: openapi decorator
This now correctly returns the dto if it is provided. Previously it would return () => undefined, when the dto was not defined, which crashed some internal logic in nestjs.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2022-02-27 18:40:53 +01:00
Philip Molares
86ef8f3c7f docs: add documentation to OpenApi decorator
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2022-02-20 20:56:09 +01:00
Philip Molares
89aac9d4b6 refactor: use new openapi decorator
Also remove fullapi decorator, because it's fully replaced by the openapi decorator.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2022-02-20 20:56:09 +01:00
Philip Molares
a283002a34 feat: create openapi decorator
This decorator gets a list of http codes and possible descriptions and adds all necessary decorator internally to the method or the class. This will prevent long OpenApi annotations and keep the controllers shorter.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2022-02-20 20:56:09 +01:00
Philip Molares
0955bf048d refactor: rename markdown body decorator
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2022-02-20 20:56:09 +01:00
Philip Molares
7f8d745c80 refactor: move permissions decorator into api utils dir
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2022-02-20 20:56:09 +01:00
Philip Molares
c891a95588 feat: checkNoteIdOrAlias in more alias service methods
This should prevent any interaction by a forbidden id

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2022-02-07 00:08:41 +01:00
Philip Molares
796b8294cf docs: improved auto-generated openapi docs
With these additional annotations the openapi docs under `/apidoc` and `/private/apidoc` will be improved by adding errors that the requests can return

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2022-02-07 00:08:41 +01:00
Philip Molares
2bc8c0d6da refactor(public-api): use TokenAuthGuard on controller not method level
As the public api is nearly completely protected by the TokenAuthGuard it seems unnecessarily verbose to add the guard to every method in the controllers, when an annotation at the top of the controller would be sufficient.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2022-02-07 00:08:41 +01:00
Philip Molares
d142cbadeb refactor: remove try catches from controllers
This is handled by the ErrorExceptionMapping class

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2022-02-07 00:08:41 +01:00
Philip Molares
2c7e82680e feat: add additional default descriptions for HttpExceptions
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2022-02-07 00:08:41 +01:00
Philip Molares
d0477a5e34 refactor: omit error mapping in GetNoteInterceptor
Because this mapping will now be done with the ErrorExceptionMapping class, the mapping will be omitted in the interceptor.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2022-02-07 00:08:41 +01:00
Philip Molares
4500caf882 refactor: move error messages from controller to service
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2022-02-07 00:08:41 +01:00
Philip Molares
f672c5179f test: remove controller tests
These test files are only autogenerated and don't have any benefit. Any behaviour one would test with them are (or at least should) already be covered by our e2e tests.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2022-02-06 20:57:34 +01:00
Philip Molares
f4a580cf2a refactor(config): extract note config from app config
This commit separates the app config object from a new note config object. This was done to separate different concerns in different config files. Especially if the number of settings that are about notes increase, it is a good idea to keep them separate from the app config.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2022-01-30 22:19:50 +01:00
David Mehren
64667d81c0
docs(api): Add missing tags
Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-16 21:40:48 +01:00
Yannick Bungers
b562a5dac7
Change error types in checkLocalPassword and updateLocalPassword to InvalidCredentialsError and NoLocalIdentityError
Signed-off-by: Yannick Bungers <git@innay.de>
2022-01-06 21:59:46 +01:00
Erik Michelson
820a1ae43a
Rename local password check method
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2022-01-03 23:41:34 +01:00
Erik Michelson
277e2fb1ca
feat(auth): password change requires old password
By checking the "old" password of the user prior to a password change, the
password change function is more secured against abuse.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2021-12-28 01:46:40 +01:00
David Mehren
4e70044a2c
refactor(edit): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-05 19:58:01 +01:00
David Mehren
235e4f647c
refactor(note): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-11-30 16:46:07 +01:00
David Mehren
296d73c121
refactor(media-upload): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-11-18 18:47:12 +01:00
David Mehren
0c5fdf4201
refactor(group): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-11-16 19:05:28 +01:00
Philip Molares
10b5b11269
feat: replace GetNotePipe with GetNoteInterceptor and RequestNote
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-11-30 22:33:20 +01:00
Philip Molares
5a45ff2d0b
feat: add request note decorator
This extracts the note inserted with the get note interceptor into the request to be used by the controller service.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-11-30 22:26:55 +01:00
Philip Molares
470b32ed5e
feat: refactor get note pipe to interceptor
This is necessary, because of the order of operations in nestjs, the validation pipe is not able to get the note as the noteIdOrAlias will be transformed by the get note pipe after the validation did run.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-11-30 22:20:49 +01:00
Philip Molares
3e4abb561d
refactor: move permissions service calls into permissions guard
This commit removes all previous calls to the permissions service at the beginning of the controller methods to the permissions guard. This should make the code a bit cleaner and remove boilerplate code.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-11-21 17:19:57 +01:00
Philip Molares
3b92226bab
feat: create permissions guard
This guard protects resources and let's users only access them if they hold the correct permission

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-11-21 17:18:23 +01:00
Philip Molares
82643cd790
chore: extract getNote code from GetNotePipe.transform
This was done so the same code could be used in the PermissionsGuard

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-11-21 17:12:35 +01:00
Philip Molares
7927ac2217
chore: move get-note-pipe to api utils
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-11-21 17:05:27 +01:00
David Mehren
b9d3c95d2d
fix(note): fix type for owner param
To make the create method easier to use in conjunction
with the authentication framework, this commit changes the type of
the `owner` parameter from `User | undefined` to `User | null`.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-11-14 21:44:59 +01:00
David Mehren
c02f845ecb
AuthController: Return 409 Conflict when user already exists
The previously used HTTP error 400 'Bad Request' is not really
applicable here, as the client did not send a malformed message.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-10-27 19:39:18 +02:00