Commit graph

197 commits

Author SHA1 Message Date
Sheogorath
ad69c5017b
Removing google drive integration
It's sad but it's not working. For multiple releases this has probably
already been broken, which shows how often it's used.

As there is also a security issue related to that, it's better to
remove the feature completely. Whoever wants to rewrite it, feel free to
go.

This commit removes the Google Drive integration from HackMD's Frontend
editor and this way removes the need to provide any API key and Client
ID in the frontend.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-16 01:34:55 +02:00
Christoph (Sheogorath) Kern
6d44ded269
Revert "Workaround Google API problems" 2018-05-16 01:31:50 +02:00
Sheogorath
ef86bf5cba
Use API key instead of clientSecret
As recently discovered we send the clientSecret to the webclient which
is potentially dangerous. This patch should fix the problem and
replace the clientSecret with the originally intended and correct way to
implement it using the API key.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-13 09:38:59 +02:00
Sheogorath
2411dffa2c
Change config to camel case with backwards compatibility
This refactors the configs a bit to now use camel case everywhere.
This change should help to clean up the config interface and make it
easier to understand.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-25 19:08:14 +02:00
Sheogorath
714504618c
Add referrer policy
This commit adds a referrer policy to all requests.

The usage of `same-origin` allows HackMD to still interpret all requests
and this way not break anything. But it prevents 3rd party scripts,
pictures and more from getting information that may lead to an unsecured note.

It has to be mentioned that this may break some features of the
Google Analytics embedding. This has to be tested.

Fixes #724

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-02-12 01:59:48 +01:00
Christoph (Sheogorath) Kern
584f1c5249
Merge pull request #691 from SISheogorath/feature/upload
Allow more detailed configuration of upload mime types
2018-01-23 12:10:33 +01:00
Christoph (Sheogorath) Kern
7de6e3211f
Merge pull request #598 from xxyy/feature/csp
Implement basic CSP support
2018-01-22 20:43:46 +01:00
Sheogorath
a7935a595a
Allow more detailed configuration of upload mime types
Fixes #637

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-01-20 15:16:53 +01:00
Wu Cheng-Han
608008753f Fix not passing app key correctly in dropbox config 2018-01-19 00:25:08 +08:00
Rwing
362a7eaf65 support Simplified Chinese and rename original zh to Traditional Chinese 2017-10-23 17:38:04 +08:00
Literallie
04f5e3a341
Move CSP logic to new file, Fix boolean config examples
Not sure why I was quoting these in the first place
2017-10-22 02:18:45 +02:00
Literallie
e5f03fe135
Add dirty workaround for speakers view inline script 2017-10-22 00:03:46 +02:00
Literallie
2b2b8d6d1d
Allow any connect-src in CSP
Managing these for all the integrations seems like a lot of effort
2017-10-22 00:03:46 +02:00
Literallie
d51da8c12c
Don't add nonce to CSP if unsafe-inline is on
Browsers ignore unsafe-inline if a nonce is sent
2017-10-22 00:03:46 +02:00
Literallie
91101c856c
Change CSP config format to be more intuitive 2017-10-22 00:03:46 +02:00
Literallie
996cb37991
CSP: Workaround for ws:// protocol
The spec allows wss:// for 'self', but not ws:// :(
2017-10-22 00:03:45 +02:00
Literallie
4238b9b3ef
Fix MathJax CSP issues 2017-10-22 00:03:45 +02:00
Literallie
080436aebb
CSP: Add nonce to slide view inline JS 2017-10-22 00:03:45 +02:00
Literallie
5d2d3ec875
CSP: Upgrade insecure requests if possible
Config option; default is to only upgrade if usessl
2017-10-22 00:03:45 +02:00
Literallie
ba183ce654
Add basic CSP support 2017-10-22 00:03:44 +02:00
Literallie
56411ca0e1
Make HSTS behaviour configurable; Fixes #584 2017-10-13 01:42:05 +02:00
Wu Cheng-Han
c8d3951d32 Add support of Danish locale 2017-06-11 15:52:04 +08:00
Wu Cheng-Han
cceb5b1a26 Fix import module name typo in app.js 2017-05-08 20:35:51 +08:00
Raccoon Li
d79997808a fix(imageRouter): import missing dependency: getImageMimeType 2017-05-08 20:04:05 +08:00
BoHong Li
60ca6ed56c refactor: Rename checkURiVaild to checkURIValid to fit coding standard 2017-05-08 19:29:07 +08:00
BoHong Li
3919d4fc0e fix(app.js): Change config.maintenance to realtime.maintenance 2017-05-08 19:29:07 +08:00
BoHong Li
ecb0533605 refactor(config.js): Extract config file
* Separate different config source to each files
* Freeze config object
2017-05-08 19:29:07 +08:00
BoHong Li
4738ba7d36 fix: Add 'use strict' on app.js 2017-05-08 19:29:07 +08:00
BoHong Li
aca01f064d refactor: Remove require extension filename 2017-05-08 19:29:06 +08:00
BoHong Li
d88502e331 refactor(app.js): Move passport serialize and deserialize to auth module 2017-05-08 19:29:06 +08:00
BoHong Li
7ef17fd4e6 refactor(app.js): Extract tooBusy 2017-05-08 19:29:06 +08:00
BoHong Li
768943002c refactor(app.js): Extract upload image 2017-05-08 19:29:06 +08:00
BoHong Li
d90bd6da31 fix(app.js): Fixed typo 2017-05-08 19:24:38 +08:00
BoHong Li
689bade730 refactor(app.js): Extract note action 2017-05-08 19:24:38 +08:00
BoHong Li
e2ac73f5a3 refactor(app.js): Extract /me page 2017-05-08 19:24:38 +08:00
BoHong Li
e3fde01e3a refactor(app.js): Remove unused modules 2017-05-08 19:24:38 +08:00
BoHong Li
706df11e23 refactor(app.js): Extract history api 2017-05-08 19:24:38 +08:00
BoHong Li
c99ae8e1f8 refactor(app.js): Remove unused import modules 2017-05-08 19:24:38 +08:00
BoHong Li
69a9f7ca38 refactor(app.js, auth.js): Extract all auth method to individual modules 2017-05-08 19:24:38 +08:00
BoHong Li
766022378a refactor(app.js): Extract status pages 2017-05-08 19:24:37 +08:00
BoHong Li
66c68254b4 refactor(app.js): Extract index, 403, 404, 500 pages 2017-05-08 19:24:37 +08:00
BoHong Li
9f1f16c8e3 refactor(app.js): Extract urlencodedParser to utils module 2017-05-08 19:24:37 +08:00
BoHong Li
dee77c459a refactor(app.js): Extract middleware to module
extract check URI is valid, redirect without trailing slashes
2017-05-08 19:24:37 +08:00
BoHong Li
7ba0d600f1 fix(app.js): Stream log
use logger instead of logger.stream
2017-05-08 19:24:37 +08:00
LluisArevalo
6e277100ca Add reference to utils library 2017-05-08 10:52:30 +02:00
LluisArevalo
03ef1bf4f0 Add Content-Type to the images uploaded to AWS S3 2017-05-08 10:22:52 +02:00
Wu Cheng-Han
dde6e622a4 Fix front-end constants generation not getting config properly 2017-03-23 20:00:48 +08:00
Wu Cheng-Han
011d043b2a Update to indicate version in status API header 2017-03-22 23:44:09 +08:00
Wu Cheng-Han
e751684aa3 Update to print info on exit term signals handled 2017-03-22 15:31:39 +08:00
Wu Cheng-Han
0bcd83576f Update to handle SIGQUIT 2017-03-22 15:26:35 +08:00
Wu Cheng-Han
7989b89591 Add support of Catalan locale 2017-03-20 14:52:25 +08:00
Wu Cheng-Han
19a64f6b06 Fix typo and possible wrong value on provider is false on generating front-end constants 2017-03-20 01:54:44 +08:00
Wu Cheng-Han
448b006194 Update to generate front-end constants on server startup
To avoid extra webpacking on changing configs and follow the 12 factor app
2017-03-20 01:39:09 +08:00
Wu Cheng-Han
506a381eca Add config option for gitlab api scope and auto adapt gitlab snippet feature on it 2017-03-14 18:04:23 +08:00
BoHong Li
4889e9732d Use JavaScript Standard Style
Introduce JavaScript Standard Style as project style rule,
and fixed all failures in backend code.
2017-03-08 18:45:51 +08:00
NV
90c83ebd5b Fix image path problem when using filesystem backend 2017-02-09 14:07:36 +09:00
Wu Cheng-Han
92ad67b813 Update to remove history cache to lower application coupling 2017-02-03 21:39:08 +08:00
Jan Kunzmann
20dc3127b1 Handle SIGTERM the same way SIGINT is handled 2017-01-20 02:13:09 +01:00
Max Wu
4851098477 Merge pull request #317 from SISheogorath/master+allowEmailRegister
Add `allowemailregister` option
2017-01-12 23:37:28 +08:00
Sheogorath
747629e549 Add allowemailregister option 2017-01-12 13:54:45 +01:00
Wu Cheng-Han
fc788e805e Fix SIGINT checkClean should only log error instead of throwing error 2017-01-12 17:17:01 +08:00
Max Wu
b13635aac9 Merge pull request #279 from alecdwm/ldap-auth
Support for LDAP server authentication
2017-01-09 00:49:40 +08:00
James Stephenson
ec1ae8c6b5 Added Esperanto translation
Translation by Jonathan Powell and James Stephenson
2016-12-30 22:02:57 -05:00
knjcode
a2fbb3add9 Fix URL concatenation 2016-12-27 12:46:07 +09:00
S.Noda
c8bcc4c1c3 fix #284 2016-12-18 18:58:21 +09:00
alecdwm
fc8d709afb LDAP login improvements
- return bad request if no username or password given
- return to referer url on auth success
- flash error message on auth failure
2016-12-14 12:40:54 +01:00
alecdwm
02e9927714 Initial support for LDAP server authentication
Limitations as of this commit:

- tlsOptions can only be specified in config.json, not as env vars
- authentication failures are not yet gracefully handled by the UI
  - instead the error message is shown on a blank page (/auth/ldap)
- no email address is associated with the LDAP user's account
- no picture/profile URL is associated with the LDAP user's account
- we might have to generate our own access + refresh tokens,
  because we aren't using oauth. The currently generated
  tokens are just a placeholder.
- 'LDAP Sign in' needs to be translated to each locale
2016-12-13 22:41:07 +01:00
Wu Cheng-Han
bb3ed8e249 Fix missing dependency in app.js 2016-12-12 13:02:53 +08:00
Wu Cheng-Han
38505491ae Fix redirection to url without trailing slashes not considering config urlpath 2016-12-12 10:50:43 +08:00
Yukai Huang
9e6fd505e1 Remove bower occurrences 2016-12-11 11:18:08 +08:00
Wu Cheng-Han
778b6f32b3 Update to handle request with invalid uri 2016-12-03 14:37:24 +08:00
Wu Cheng-Han
5958654ea4 Remove preprocess image on upload image or it will lose support for some image formats 2016-12-03 14:37:12 +08:00
Wu Cheng-Han
a73d9ce39e Update to support optional email register and signin 2016-12-02 01:58:14 +08:00
Max Wu
bd3d4958e4 Merge pull request #248 from hackmdio/file-upload-options
Support other options for image uploading
2016-11-27 10:54:00 +08:00
Yukai Huang
1a4f3950e6 Handle preprocess image error 2016-11-22 07:20:48 +08:00
Wu Cheng-Han
f387bb312f Try to replace engine.io with uws in socket.io for better performance 2016-11-18 12:18:29 +08:00
Yukai Huang
2279986f97 Config sharp image preprocessing 2016-11-16 17:07:00 +08:00
Yukai Huang
518a4a120b upload image to s3 2016-11-16 12:05:24 +08:00
Yukai Huang
4d3672ae5d Join image path with config.serverurl 2016-11-16 10:50:07 +08:00
Yukai Huang
8db6624ae9 save to upload folder only when option enabled 2016-11-15 23:25:41 +08:00
Yukai Huang
a5dad29300 support filesystem image upload 2016-11-14 17:07:07 +08:00
Yukai Huang
81b368c11c upload image to public/uploads 2016-11-14 16:45:57 +08:00
Wu Cheng-Han
b9c4af8a65 Add to throw error when server not ready after db synced 2016-11-07 21:31:11 +08:00
Max Wu
7e05976a93 Revert "html minify in production environment" 2016-10-24 00:00:05 +08:00
Peter Dave Hello
731375c220 html minify in production environment 2016-10-23 23:31:04 +08:00
Wu Cheng-Han
215b5baa9f Update to support Swedish locale 2016-10-21 13:39:28 +08:00
Wu Cheng-Han
209534993a Fix socket disconnect might interrupt loop issue 2016-10-21 13:35:29 +08:00
Wu Cheng-Han
dbd7449740 Update to support Hindi locale 2016-10-14 22:52:54 +08:00
Wu Cheng-Han
bd6d69d7a7 Fix to handle checkAllNotesRevision might return null notes 2016-10-12 17:47:25 +08:00
Wu Cheng-Han
4ea5191d30 Fix fatal error should throw instead of return 2016-10-10 20:56:41 +08:00
Wu Cheng-Han
cbf078494b Update to add post history by note id with data, delete all history and delete history by id and rename methods 2016-10-10 20:52:09 +08:00
Wu Cheng-Han
af77bb8f59 Update to add cache to history 2016-10-10 20:51:46 +08:00
Wu Cheng-Han
a5e6b5dd3b Update to support Ukrainian locale 2016-10-10 19:48:05 +08:00
Wu Cheng-Han
4c9dc5fa1f Add support of Italian, Turkish, Russian, Dutch, Croatian, Polish locales 2016-10-10 16:29:40 +08:00
Wu Cheng-Han
aaf32dc4bf Update to support Greek and Portuguese locales 2016-10-02 10:34:10 +08:00
Jordan Matelsky
937e982109 Remove expiry from cookies
As per [this issue](https://github.com/expressjs/session/issues/365)
2016-09-26 12:13:24 -04:00
Wu Cheng-Han
79fd2d1364 Update to add revision saving policy 2016-09-18 16:50:20 +08:00
Wu Cheng-Han
0470a266fd Update to prevent caching and crawling status 2016-09-18 16:23:56 +08:00
Wu Cheng-Han
4cc00c6c40 Update to support French, Deutsch, Japanese and Spanish locales 2016-09-16 22:29:13 +08:00
robert
56a3a1d85d Removed redundant condition. 2016-09-06 14:37:05 +03:00