By checking the "old" password of the user prior to a password change, the
password change function is more secured against abuse.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
This change removes the customAuthNames property and redefines the
authProviders property of the frontend-config DTO. Instead of an
map from auth providers to their enabled-state (boolean), there is
now an array that just includes the configured auth providers while
also having the identifier and providerName of custom auth providers.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
express-session always creates an `request.session` object, so only
checking if that exists is not sufficient.
Signed-off-by: David Mehren <git@herrmehren.de>
This extracts the note inserted with the get note interceptor into the request to be used by the controller service.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This is necessary, because of the order of operations in nestjs, the validation pipe is not able to get the note as the noteIdOrAlias will be transformed by the get note pipe after the validation did run.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This commit removes all previous calls to the permissions service at the beginning of the controller methods to the permissions guard. This should make the code a bit cleaner and remove boilerplate code.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This guard protects resources and let's users only access them if they hold the correct permission
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This enum makes it possible which permissions a user needs to hold to access a specific resource
Signed-off-by: Philip Molares <philip.molares@udo.edu>
The parameters of the permission checking methods were missing a null value for not set user. This is the case if user is not logged in and operating as guest.
Signed-off-by: Yannick Bungers <git@innay.de>
To make the create method easier to use in conjunction
with the authentication framework, this commit changes the type of
the `owner` parameter from `User | undefined` to `User | null`.
Signed-off-by: David Mehren <git@herrmehren.de>
To make the create method more consistent with the
guidelines,
this commit removes the default value from the `primary` parameter.
Signed-off-by: David Mehren <git@herrmehren.de>
To make the create method more consistent with the
guidelines,
this commit removes the default value from the `syncSource` parameter.
An Identity will be created as sync source,
when the associated account is created using an external provider.
Signed-off-by: David Mehren <git@herrmehren.de>
To make the create method more consistent with the
guidelines, this commit adds the `special` flag to
the parameters.
As this function will only be used to create the two hard-coded groups
and to handle API requests at one or two places, adding the parameter
should not be too problematic.
Signed-off-by: David Mehren <git@herrmehren.de>
This was done to give better typings to the function signatures of entities `create` methods.
It also ensures that each field that should be set to `null` is set to `null` and doesn't leave that up to the typeorm handlers.
See: #1641
Signed-off-by: Philip Molares <philip.molares@udo.edu>
The previously used HTTP error 400 'Bad Request' is not really
applicable here, as the client did not send a malformed message.
Signed-off-by: David Mehren <git@herrmehren.de>
This adds a reverse proxy to the backend, that automatically
redirects requests that are not handled by the backend to the React
dev server running on port 3001.
The reverse proxy is only enabled when NODE_ENV is set to
'development'.
Signed-off-by: David Mehren <git@herrmehren.de>
Previously, when an error was encountered while validating
the request, only an HTTP 400 status code was returned to the client.
This adds logging of the error message,
so invalid requests can be debugged.
Signed-off-by: David Mehren <git@herrmehren.de>
This commit makes it possible to identifier notes via any alias in the note and history service.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
One of the aliases can be primary for each note, but all can be used to get information from the apis.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
These guards check if the login or registration are enabled in the config. If so the guarded method is executed, if not the client will get the HTTP Error 400 Forbidden as an answer
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This was done to use the same term. Also email was the old term from HedgeDoc 1 and wildly inaccurate. As we never checked any mail addresses, in fact it was more of a username than anything else.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
this handles the settings for the cookie session. The secret and the lifeTime of the cookie can be configured.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This makes it possible that we can get identities from any user object even if we didn't specify that while getting them from the orm
Signed-off-by: Philip Molares <philip.molares@udo.edu>
As these methods will be used in both the AuthService and the IdentityService, it makes sense to extract them and use them in this manner. Especially if one considers that they are quite standalone functions.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This is used to give identities a type and to easily get the identity any auth method would need.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This should help to make clear why code is executed when the TokenAuthGuard is encountered by a request. Currently, one has to connect both files via the string 'token', which is a bit cryptic
Signed-off-by: Philip Molares <philip.molares@udo.edu>
The functions now expect a `Note` object instead of a noteId to
make it more consistent with other functions.
Signed-off-by: David Mehren <git@herrmehren.de>
The function now expects a `Note` object instead of a noteId
and a `User` instead of a username to
make it more consistent with other functions.
Signed-off-by: David Mehren <git@herrmehren.de>
As we now have a GetNotePipe, we can easily get rid of this function.
All clients can directly provide a `Note` instance
and use `getEntryByNote`.
Signed-off-by: David Mehren <git@herrmehren.de>
The function now expects a `Note` object instead of a noteId to
make it more consistent with other functions.
Signed-off-by: David Mehren <git@herrmehren.de>
The function now expects a `Note` object instead of a noteId to
make it more consistent with `updateHistoryEntryTimestamp`.
Signed-off-by: David Mehren <git@herrmehren.de>
This renames `createOrUpdateHistoryEntry` to `updateHistoryEntryTimestamp`,
which reduces confusion with the similarly named
`updateHistoryEntry` function.
Signed-off-by: David Mehren <git@herrmehren.de>
This replaces repeated calls to `noteService.getNoteByIdOrAlias`
and associated error handling with the `GetNotePipe`
in the `Param` decorator.
Signed-off-by: David Mehren <git@herrmehren.de>
`getNoteMetadata` does not use a method that
can throw a `PermissionsUpdateInconsistentError`.
The try/catch-block seems to be a copy-paste error.
Signed-off-by: David Mehren <git@herrmehren.de>
This replaces repeated calls to `noteService.getNoteByIdOrAlias`
and associated error handling with the `GetNotePipe`
in the `Param` decorator.
Signed-off-by: David Mehren <git@herrmehren.de>
This pipe transforms a note ID or alias to a Note object
by loading it from the database.
It also performs error handling
Signed-off-by: David Mehren <git@herrmehren.de>
This introduces the `RequestUser` decorator
to extract the `User` from a request.
It reduces code duplication across the public API
and allows us to drop the override of the `Request` type from express.
Signed-off-by: David Mehren <git@herrmehren.de>
After Authorship was renamed to Edit, the DTO should follow.
The file is also moved to the revisions folder, where the entity
already is.
Signed-off-by: David Mehren <git@herrmehren.de>
As we now have a separate Author entity, which holds information
about an author (the color), the Authorship name became confusing.
Edit seems to be a better name, as the entity saves information
about a change in a note.
Signed-off-by: David Mehren <git@herrmehren.de>
This reimplements logic to get all Users that ever edited a note
and fixes the empty `editedBy` property of `toNoteMetadataDto`
introduced in 81cc092e.
Signed-off-by: David Mehren <git@herrmehren.de>
This commit replaces the user property with a author property,
in accordance with the DB schema updated in 0d6c3002.
It also adjusts the NoteService accordingly.
Signed-off-by: David Mehren <git@herrmehren.de>
The DB schema was updated in 0d6c3002,
this adds the new author property to
the Session and User entities.
Signed-off-by: David Mehren <git@herrmehren.de>
Before this commit, `Note.create()` did not return a complete object,
as the `publicId` property was missing.
This adds the generation of the property to the `create` method and
moves the actual generation code from the `NotesService`
to a utility method.
Signed-off-by: David Mehren <git@herrmehren.de>
This field is a randomly generated 128-bit value encoded with base32-encode using the crockford variant and converted to lowercase.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This was done because it was only a wrapper for a nodejs function to check if the given parameter is a positive number.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This is a 1.x relict and isn't used anymore in 2.x. All 1.x shortids will be converted to aliases on migration of 1.x to 2.x.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
As all tokens are valid for a maximum of 2 years, the
validUntil attribute is always populated.
This updates the database schema and the DTO to reflect that.
Fixes#1256
Signed-off-by: David Mehren <git@herrmehren.de>
TokenAuthGuard ensures that req.user is always
defined, but thanks to strict mode we have to check again.
In the future, we may add a custom Request type and
a custom param decorator to centralize the check.
Signed-off-by: David Mehren <git@herrmehren.de>
TypeORM columns with `nullable: true` can be `null` at runtime.
This commit ensures that the types of the corresponding properties reflect that.
Signed-off-by: David Mehren <git@herrmehren.de>
TokenAuthGuard ensures that req.user is always
defined, but thanks to strict mode we have to check again.
In the future, we may add a custom Request type and
a custom param decorator to centralize the check.
Signed-off-by: David Mehren <git@herrmehren.de>
TokenAuthGuard ensures that req.user is always
defined, but thanks to strict mode we have to check again.
In the future, we may add a custom Request type and
a custom param decorator to centralize the check.
Signed-off-by: David Mehren <git@herrmehren.de>