Commit graph

165 commits

Author SHA1 Message Date
Philip Molares
174eee8f0a test: ldap auth config
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2022-04-17 21:05:13 +02:00
Yannick Bungers
2650a986a9 Fix e2e test for moved permission functions
Signed-off-by: Yannick Bungers <git@innay.de>
2022-03-13 21:33:02 +01:00
Yannick Bungers
e1e3138561 Add permissions service to test-setup
Signed-off-by: Yannick Bungers <git@innay.de>
2022-03-13 21:33:02 +01:00
David Mehren
e7ca10bb66 refactor(history-entry-import-dto): rename lastVisited -> lastVisitedAt
Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-07 13:54:43 +01:00
David Mehren
09ec447069 feat(note): save createdAt in a separate column
To keep the createdAt date stable, even when the revisions are dropped,
this adds a separate column to store this data separately from revisions.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-07 13:54:43 +01:00
David Mehren
342efcd7b7 feat(note-metadata): replace primaryAlias with primaryAddress
The primary address is never null.
If no alias is set, the id is returned.

To still easily get the primary alias, the complete Alias DTOs
are now included in the metadata.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-07 13:54:43 +01:00
David Mehren
64b16c831e refactor(register-dto): rename displayname -> displayName
Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-07 13:54:43 +01:00
David Mehren
6944094b9b fix(api/private/me): require and document displayName
This renames the argument in the POST /profile route to `displayName`
to be more consistent with the UserDTO.

It also adds OpenAPI docs.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-07 13:54:43 +01:00
David Mehren
d6ea4d29fe feat(api/private/me): include authProvider in UserInfo
This information is supposed to be used by the frontend
to identify the login method that was used.

The used login method is saved as a string into the session data
and extracted via a new SessionAuthProvider decorator.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-07 13:54:43 +01:00
David Mehren
3f8e3b0589 refactor(api/public/media): return MediaUpload object instead of url
This ensures the POST /media API behaves in the same way as /me/media

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-07 13:54:43 +01:00
David Mehren
8e31f3a393 refactor(api/private/media): return MediaUpload object instead of url
This ensures the private POST /media API behaves in the same way as /me/media

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-07 13:54:43 +01:00
David Mehren
513d64493e test: add and use a mocked DatabaseConfig
Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-06 22:24:21 +01:00
David Mehren
f9448bb801 fix(session): limit subqueries for mariadb
MariaDB does not support `connect-typeorm`s subqueries,
so they need to be disabled if this dialect is used.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-06 22:24:21 +01:00
David Mehren
9c6d3d9dab test: tests don't need to set up sessions by themselves
The setup is handled inside TestSetupBuilder.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-06 22:24:21 +01:00
David Mehren
9030488025 test: make tests order-independent
MariaDB seems to order the returned media objects in a different way,
making our tests fail.

This refactors the tests to be independent of the order of returned data.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-06 22:24:21 +01:00
David Mehren
c7e77d25a0 test: support running e2e tests with mariadb
Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-06 22:24:21 +01:00
David Mehren
552cb05d92 refactor(api/private/tokens): validate POST data with DTO
This adds an `AuthTokenCreateDto` which allows
to fully validate incoming JSON data.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-06 22:24:21 +01:00
David Mehren
5b7026758a test: enable validationPipe in TestSetup
Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-06 22:24:21 +01:00
David Mehren
5eab4f42d6 refactor: merge AuthTokenDTOs into one file
Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-06 22:24:21 +01:00
David Mehren
a6734cc58f test: ensure testSetup.cleanup is called
Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-06 22:24:21 +01:00
David Mehren
f0e6f6150d test: allow running e2e tests with different DBs
This commit adds infrastructure for running the E2E tests
with databases other than sqlite.

Initially, support for Postgres is added.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-06 22:24:21 +01:00
David Mehren
0be8e4ea55 feat(api/private): add GroupsController
The GroupsController can be used to fetch information about groups.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-01 20:20:18 +01:00
David Mehren
0394679134 feat(user-info-dto): split email into separate DTO
The email address should only be available
in /me routes.
This commit splits the email address into a new FullUserInfoDto.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-01 20:20:18 +01:00
David Mehren
a7edf00ebc feat(api/private): add UsersController
The UsersController can be used to fetch information about users.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-03-01 20:20:18 +01:00
Philip Molares
cae55e0baa test: fix e2e test error codes
As these were changed with the openapi decorator, the tests need to reflect this.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2022-02-20 20:56:09 +01:00
David Mehren
81d47b57d6 test: app should not crash on requests to /
Regression test for 396ad181d0

Signed-off-by: David Mehren <git@herrmehren.de>
2022-02-14 11:28:02 +01:00
Philip Molares
6269c7f7bc test: fix expected error codes in multiple tests
In the e2e tests the global filter must be added via the special provider 'APP_FILTER' and not with useGlobalFilters, because otherwise the filter breaks due to the way supertest handles the HTTP connection.

See: https://github.com/nestjs/nest/issues/1160#issuecomment-468698640

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2022-02-07 00:08:41 +01:00
Yannick Bungers
42ad99e20b Replace fs.rmdir recursive by fs.rm recursive
fs.rmdir(path, { recursive: true}) is deprecated and
is replaced by fs.rm(path, { recursive: true}).

Signed-off-by: Yannick Bungers <git@innay.de>
2022-01-31 08:55:42 +01:00
Philip Molares
f4a580cf2a refactor(config): extract note config from app config
This commit separates the app config object from a new note config object. This was done to separate different concerns into different config files. Especially if the number of settings that are about notes increases, it is a good idea to keep them separate from the app config.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2022-01-30 22:19:50 +01:00
David Mehren
ac1cdc63e0 style(e2e-tests): remove unused imports
Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-27 21:05:17 +01:00
David Mehren
4499ad4d96 test(e2e/public/alias): code cleanup
Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-27 21:05:17 +01:00
David Mehren
54eefa9f6b feat(test-setup): create notes in withUsers
Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-27 21:05:17 +01:00
David Mehren
d1dbd1bb22 feat(test-setup): restructure to synchronous builder
The previous pattern used async methods for the builder pattern,
which were hideous to use when chained multiple times.

This extracts the builder into a separate class
and uses normal functions in the builder.
These queue async functions in arrays, which are executed
at the correct time, when the new async `build` function is called.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-27 21:05:17 +01:00
David Mehren
8f1aeab934 test(e2e/public/alias): test all error scenarios
Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-27 21:05:17 +01:00
David Mehren
64b136fb8b test(e2e/public/alias): use real authentication
Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-27 21:05:17 +01:00
David Mehren
28bd07597a test: create auth tokens in testSetup
Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-27 21:05:17 +01:00
David Mehren
ff500f1be0 test: allow disabling mocked authentication
This adds a (default true) parameter `withMockAuth` to the
TestSetup class.
If it is false, the TokenAuthGuard is not overridden with a mock
implementation, allowing testing with the real authentication.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-27 21:05:17 +01:00
David Mehren
ae52f70ef9 test(e2e/private/alias): test all error scenarios
Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-27 21:05:17 +01:00
David Mehren
b2802d4c29 test(e2e/private/alias): use testSetup with users
Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-27 21:05:17 +01:00
David Mehren
2096e23e35 test: allow creating testSetup with users
Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-27 21:05:17 +01:00
David Mehren
898abc08f3 style: remove unused variables
Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-23 23:01:45 +01:00
David Mehren
08f97209ec refactor(note-metadata): do not embed User objects
This is part of an effort to consistently not embed User objects
in API responses. Usernames are returned instead.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-16 22:54:53 +01:00
David Mehren
b955faa983 refactor(note-permissions-dto): do not embed User objects
This is part of an effort to consistently not embed User objects
in API responses. Usernames are returned instead.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-16 22:19:53 +01:00
David Mehren
6cd3feb82c refactor(history-entry): rename lastVisited
This is part of an effort to name all date attributes
consistently.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-16 22:04:34 +01:00
David Mehren
f1feb3bf94 refactor(note-metadata): rename date attributes
This is part of an effort to name all date attributes
consistently.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-16 21:59:54 +01:00
David Mehren
b0e2987987 refactor(auth-token): rename lastUsed to lastUsedAt
This is part of an effort to name all date attributes
consistently.

Signed-off-by: David Mehren <git@herrmehren.de>
2022-01-16 21:52:15 +01:00
Erik Michelson
277e2fb1ca feat(auth): password change requires old password
By checking the "old" password of the user prior to a password change, the
password change function is better secured against abuse.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2021-12-28 01:46:40 +01:00
David Mehren
235e4f647c refactor(note): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-11-30 16:46:07 +01:00
David Mehren
b4a65b47f0 fix(auth): use sha-512 for auth tokens
Bcrypt hashes are too slow to be validated on every request.
As our tokens are random and have a fixed length, it is reasonable
to use SHA-512 instead.

SHA-512 is recommended as cryptographically strong by the BSI:
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile

Fixes https://github.com/hedgedoc/hedgedoc/issues/1881

Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-09 23:04:00 +01:00
Philip Molares
0cb3b65998 test: fix note e2e test 'fails with non-existing alias'
Because the rejection now happens automatically in the permissions guard, the request does not get to the controller method, which therefore does not set the Content-Type to text/markdown.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-11-21 18:04:47 +01:00