Commit graph

162 commits

Author SHA1 Message Date
David Mehren
9f284b752b
Use import syntax for logger and config
Signed-off-by: David Mehren <dmehren1@gmail.com>
2020-04-25 16:04:05 +02:00
Yannick Bungers
bb8297dca3
Added Types to actions.js and reformat
Signed-off-by: Yannick Bungers <git@innay.de>
Signed-off-by: David Mehren <dmehren1@gmail.com>
2020-04-25 16:04:04 +02:00
David Mehren
77e336dfda
Various refactors to use the new models
Signed-off-by: David Mehren <dmehren1@gmail.com>
2020-04-25 16:04:01 +02:00
David Mehren
1d4107fe90
Migrate models to TypeScript
Co-authored-by: David Mehren <dmehren1@gmail.com>
Co-authored-by: Yannick Bungers <git@innay.de>
Co-authored-by: Philipp Hochkamp <me@phochkamp.de>
Co-authored-by: nzbr <mail@nzbr.de>

Signed-off-by: David Mehren <dmehren1@gmail.com>
2020-04-25 16:04:01 +02:00
Sheogorath
d2ace4b2a0
Merge pull request #330 from Skgland/master
Pass through ldap starttls option
2020-04-23 23:34:46 +02:00
Sheogorath
4104f9835d
Merge pull request #278 from elespike/master
Add OIDC scopes for email & profile retrieval
2020-04-22 20:56:58 +02:00
Bennet Bleßmann
5fad6a25a8
Pass through ldap starttls option
Fixing Issue #329

(cherry picked from commit b9169eb279020f21b372a843a83c71929fb6fd1d)

Signed-off-by: Bennet Bleßmann <bb-github@t-online.de>
2020-04-20 10:55:50 +02:00
Charles Parmentier
856fc01fb9 Fixes relative path for fetching the style when set
Signed-off-by: Charles Parmentier <charles.parmentier@hotmail.com>
2020-03-06 00:09:54 +01:00
Sheogorath
97628595ed
Fix unsused import of fs
Let's make the CI happy again :-)

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-02-26 15:11:24 +01:00
Sheogorath
a2522888b2
Remove PDF export
As we already decleared in earlier versions, this patch removes PDF
export entirely. It's a not acceptable security risk for every CodiMD
instance.

The current implementation allowed to extract arbitary files from the
CodiMD host and therefore leaking secrets from a `/etc/passwd` to
CodiMD's own config files and all secrets contained in it.

Thanks to Joona for finding this vulnerability in August last year,
which lead to an emergency disabling of PDF exports in 1.5.0.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-02-26 15:05:54 +01:00
Sheogorath
37923d11f8
Rewrite slide controller to TypeScript
Before this patch the non-TypeScript version of the slide mode causes
problems with the TypeScript code. Therefore, in order to get things
working, this patch does minimalistic changes to the slide mode
controller to bring it into TypeScript convention. And unbreak slide
mode. Further changes are required, but this gets slide mode back to a
usable state.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-02-26 15:05:51 +01:00
Erik Michelson
c976217c12
Remove mattermost integration
Signed-off-by: Erik Michelson <erik@liltv.de>
2020-02-25 14:33:30 +01:00
Sheogorath
004e2fbcb2
TypeScript: Tighten configs to improve type validation
TypeScript considers null and undefined as fine for all variable by
default. This patch enables `strictNullChecks`, which should cause
errors to be thrown as soon as a variable is null or undefined without
having it explicitly decleared for itself.[1]

[1]: https://www.typescriptlang.org/docs/handbook/migrating-from-javascript.html#strict-null--undefined-checks

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-02-24 16:19:17 +01:00
David Mehren
f6eec0ce90
Convert first files to TypeScript
Signed-off-by: David Mehren <dmehren1@gmail.com>
2020-02-24 15:08:23 +01:00
Marius
6332fce5d8 Add OIDC scopes for email & profile retrieval
Signed-off-by: Marius <elespike@lab26.net>
2020-02-22 00:16:16 -05:00
ike
197223dc81 Add Google oauth variable: hostedDomain
Which is part of `passport-google-oauth2`.
It could be used as whitelist to a domain supported by google oauth.
Ref: https://github.com/jaredhanson/passport-google-oauth2/issues/3

Signed-off-by: ike <developer@ikewat.com>
2020-02-08 15:57:22 +08:00
Ralph Krimmel
3fb3ca54e9 Removing returnTo setting from referer in all other authentication sources
Signed-off-by: Ralph Krimmel <rkrimme1@gwdg.de>
2019-11-28 12:25:59 +01:00
Ralph Krimmel
e0a8872742 Moving the storage of referrer information to main authorization check instead of doing it in the authentication source
Signed-off-by: Ralph Krimmel <rkrimme1@gwdg.de>
2019-11-28 10:59:59 +01:00
Ralph Krimmel
3e8cf5778f Fixing linting problems
Signed-off-by: Ralph Krimmel <rkrimme1@gwdg.de>
2019-11-27 15:17:00 +01:00
foobarable
1881775379 Fixing redirection after SAML login
Saving referer into session in SAML auth so passport can redirect correctly after SAML login.

Signed-off-by: Ralph Krimmel <rkrimme1@gwdg.de>
2019-11-27 15:08:30 +01:00
Sheogorath
689f5a0a95
Merge pull request #213 from davidmehren/refactor_backend_notes
First steps in refactoring the backend code
2019-11-20 20:07:35 +01:00
Girish Ramakrishnan
c034ee5571 Fix crash in lutim integration
Signed-off-by: Girish Ramakrishnan <girish@cloudron.io>
2019-10-29 20:23:13 -07:00
David Mehren
b5ccceff59
Inline renderPublishSlide
Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27 15:50:24 +01:00
David Mehren
3c39d07723
Inline responseCodiMD
Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27 15:29:10 +01:00
David Mehren
ca9e6e49c9
Inline publish and slide
Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27 15:27:48 +01:00
David Mehren
25a540ebbc
Inline renderPublish
Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27 15:26:50 +01:00
David Mehren
2bc4233ba8
Move showPublishNote and publishNoteActions to note controller
Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27 15:23:38 +01:00
David Mehren
dee62ce571
Move showNote to note controller
Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27 15:23:38 +01:00
David Mehren
181d5646cf
Move note actions into their own file
Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27 15:23:31 +01:00
David Mehren
30487f7c01
Rename actions.js to controller.js and rename functions to be more descriptive
Move postNote to NoteController and rename to createFromPost

Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27 14:40:36 +01:00
David Mehren
afb317b551
Move slide actions to own file
Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27 14:27:15 +01:00
David Mehren
9d938c334a
Fix errors constant in note/actions.js
Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27 14:19:46 +01:00
David Mehren
f78540c3fb
Move note actions to their own file.
Because of circular import problems, this commit also moves the error messages from response.js to errors.js

Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27 13:51:53 +01:00
hoijui
e654ca8a31 Allow to generate lower case header references through the config
This makes the references consistent/compatible with GitHub,
GitLab, Pandoc and many other tools.

This behavior can be enabled in config.json with:

```
"linkifyHeaderStyle": "gfm"
```

Signed-off-by: hoijui <hoijui.quaero@gmail.com>
2019-10-22 09:05:37 +02:00
Erik Michelson
6e5e6696ad
Refactored note-creation with given noteId
Known bugs/features:
 - pushing towards an existing note results in an error 500

Signed-off-by: Erik Michelson <erik@liltv.de>
2019-09-04 20:25:32 +02:00
Erik Michelson
8d29d74b02 Added endpoint for note-creation with given alias
Signed-off-by: Erik Michelson <erik@liltv.de>
2019-09-04 12:28:44 +02:00
Sheogorath
2e627099d8
Merge pull request #32 from codimd/aws-endpoints
make aws s3 endpoint configurable
2019-09-02 18:50:29 +03:00
Sheogorath
b5fc6db75d
Rework debug logging
We have various places with overly simple if statements that could be
handled by our logging library. Also a lot of those logs are not marked
as debug logs but as info logs, which can cause confusion during
debugging.

This patch removed unneeded if clauses around debug logging statements,
reworks debug log messages towards ECMA templates and add some new
logging statements which might be helpful in order to debug things like
image uploads.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-06-08 21:27:29 +02:00
Sheogorath
4da68597f7
Fix eslint warnings
Since we are about to release it's time to finally fix our linting. This
patch basically runs eslint --fix and does some further manual fixes.
Also it sets up eslint to fail on every warning on order to make
warnings visable in the CI process.

There should no functional change be introduced.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-05-31 00:30:29 +02:00
Sheogorath
6c62efae2a
Add config for toobusy middleware
With very low CPU frequency or bad IO situation, as well as not-loaded
JS CodiMD happens to present unneeded "I'm busy"-messages to users.

This patch allows to configure the lag. The default is taken from the
libray but set in our own default configs.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-05-25 21:08:38 +02:00
Claudius
1d403e183d asyncified setting and verifying the password
Signed-off-by: Claudius <opensource@amenthes.de>
2019-05-13 19:37:21 +02:00
Dylan Dervaux
208070d2e7
Add lutim support
Signed-off-by: Dylan Dervaux <dylanderv05@gmail.com>
2019-04-10 01:37:12 +02:00
Emmanuel Ormancey
df53f465c0
Added a configuration option for passport-saml:
disableRequestedAuthnContext: true|false

By default only Password authmethod is accepted, this option allows any other method.

Issue and option described here:
https://github.com/bergie/passport-saml/issues/226

Signed-off-by: Emmanuel Ormancey <emmanuel.ormancey@cern.ch>
2019-04-06 17:54:58 +02:00
Thor77
022c7ad616
Hide port from minio URL for protocol default port
Signed-off-by: Thor77 <thor77@thor77.org>
2019-04-06 13:52:49 +02:00
Sheogorath
cda878d377
Add required change for Google+ API deprecation
Since Google+ is shutting down soon, we need to get the profile data
from another URL. Since the library already supports it, all we need to
do is adding a single line of code.

Details:
https://github.com/hackmdio/codimd/issues/1160

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-03-09 14:42:06 +01:00
Mathias Merscher
9613197f5d
make aws s3 endpoint configurable
Signed-off-by: Mathias Merscher <Mathias.Merscher@dg-i.net>
2019-02-11 17:45:24 +01:00
Sheogorath
0621d7a72d
Fix usage of new URL API
Due to the deprecation of the old `url`-API provided by NodeJS we
replaced `url.resolve` with `url.URL.resolve`, which doesn't exist.

This patch fixes the local filesystem upload of CodiMD by using the new
API correctly. Creating an URL object and using its href.

Some more background:
https://nodejs.org/api/url.html#url_url_href
https://nodejs.org/api/url.html#url_url_resolve_from_to

Fixes https://github.com/hackmdio/codimd/issues/1102

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-12-18 14:52:18 +01:00
Christoph (Sheogorath) Kern
b749d50e20
Merge pull request #1082 from cloudyu/pull
Fix wrong config options

In `./lib/web/auth/` some config includes still used `config.serverurl` instead of the correct `config.serverURL`. This causes wrong URL in worst case.

This patch should fix those problems and migrate the wrong statements to camelcase.
2018-11-28 13:27:38 +01:00
Daan Sprenkels
9fba268288 Prevent subdirectories in user export
This commit also refactors the code a bit, and adds a '-' separator
between a filename and its duplicate index.

This commit fixes #1079.

Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
2018-11-28 09:13:28 +01:00
CloudYu
35a9f72a06 Fix typo
Signed-off-by: CloudYu <cloudyu322@gmail.com>
2018-11-27 22:14:37 +08:00
Christoph (Sheogorath) Kern
f1367ba270
Merge pull request #1058 from ccoenen/bug/oauth2internalerror
InternalOAuthError is not part of passport, but of passport-oauth2 #1056
2018-11-16 11:45:50 +01:00
Claudius Coenen
858a59529e switching to eslint for code checking
most rules degraded to WARN, so we don't go insane. This will
change over time. The aim is to conform to a common style

Signed-off-by: Claudius Coenen <opensource@amenthes.de>
2018-11-14 23:15:36 +01:00
Claudius Coenen
56c043424d InternalOAuthError is not part of passport, but of passport-oauth2
This fixes part of #1056: an error while obtaining the profile
would have `502`-crashed the server.

Signed-off-by: Claudius Coenen <opensource@amenthes.de>
2018-11-14 14:38:47 +01:00
Sheogorath
bcc914a773
Add full version string
Currently we only provide the version from `package.json`. This means
that during updates of instances, e.g. the demo instance, which runs
latest master instead of a stable release, changes are not reflected to
the webclient.

This patch adds a fullversion string that contains the current commit
and this way makes that clients are notified about changes.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-11 12:44:19 +01:00
Sheogorath
9f9c4089be
Add OpenID to CodiMD
With OpenID every OpenID capable provider can provide authentication for
users of a CodiMD instance. This means we have federated
authentication.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-10-05 22:43:32 +02:00
Claudius
bb80bc2292
removing superfluous config parameters for template files
Signed-off-by: Claudius <opensource@amenthes.de>
2018-09-26 21:01:15 +02:00
WilliButz
12cd747270
imageRouter/filesystem: make callback path-independent
Images are now properly served when `config.uploadsPath`
differs from its default value.

Signed-off-by: WilliButz <wbutz@cyberfnord.de>
2018-09-26 20:55:15 +02:00
Sheogorath
d76ea5440a
Fixing content types in status router
As it turns out, expressjs doesn't detect the right mimetype and it
seems like I didn't bother to test this enough. So lets fix it for the
next release.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-07-03 20:38:52 +02:00
Sheogorath
562985a115
Update passport-ldap
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-30 16:52:33 +02:00
Sheogorath
a762928e97
Do final internal renameing
A little minor change, by moving the CodiMD version header in its own
middleware. Should simplify to determine the version number of the
Backend in future.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-24 14:05:41 +02:00
Christoph (Sheogorath) Kern
b8726bbe8d
Merge pull request #855 from hackmdio/fix/constants
Move config out of statics path
2018-06-24 01:58:08 +02:00
Sheogorath
bf9400e107
Fix breaking regex
The image upload regex breaks with the new path for uploads.

This commit fixes it.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-24 01:03:45 +02:00
Sheogorath
0ed4b50098
Move config out of statics path
Since static path is providing with a high expiration data, we provide
configs via API. This shouldn't add any noticeable load while making it
uncached and this way working again.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-24 00:07:32 +02:00
Sheogorath
a2608c319a
Fix possible error if HackMD is started with wrong workdir
In https://github.com/hackmdio/hackmd/issues/834 is described how
starting HackMD crashes when using the wrong working dir.

This is caused by a relative path in our upload routine. This change
should fix it and prevent future crashes.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-23 23:01:01 +02:00
Christoph (Sheogorath) Kern
56d78a7d6c
Merge pull request #830 from SISheogorath/feature/GDPR
GDPR compliant part 1
2018-06-17 23:33:57 +02:00
Christoph (Sheogorath) Kern
551840ad57
Merge pull request #784 from pferreir/add-oauth2-support
Add "generic" OAuth2 support
2018-06-04 15:54:47 +02:00
Adam Hoka
b5574466cd Fix callback validation
Signed-off-by: Adam Hoka <hoka.adam@nexogen.hu>
2018-06-01 14:26:28 +02:00
Ádám Hóka
376fcab2ca Add Azure Blob Storage support
Signed-off-by: Adam Hoka <hoka.adam@nexogen.hu>
2018-06-01 10:07:52 +02:00
Sheogorath
bcbb8c67c9
Add note export function
This function is the first step to get out data following GDPR about the
transportability of data.

Details: https://gdpr-info.eu/art-20-gdpr/
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-26 03:12:21 +02:00
Sheogorath
70df29790a
Add token based security feature
In the current setup users could be tricked into deleting their data by
providing a malicious link like `[click me](/me/delete)`. This commit
prevents such an easy attack and need the user's deleteToken to get his
data deleted. In case someone requests his deletion by email you can
also ask him for this token.

We can add a GUI that shows it later on.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 18:26:06 +02:00
Sheogorath
4229084c62
Add delete function for authenticated users
Allow users to delete themselbes. This is require to be GDPR compliant.

See: https://gdpr-info.eu/art-17-gdpr/
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 15:24:47 +02:00
Max Wu
e0629c7d27
Fix typo of "grouptAttribute" in saml auth module
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-04-27 21:52:05 +08:00
Sheogorath
69aed93282
Move letter-avatars into own request
To prevent further weakening of our CSP policies, moving the Avatars
into a non-inline version is the way to go.

This implementation probably needs some beautification. But already fixes
the bug.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-17 19:06:59 +02:00
Pedro Ferreira
40b3855702 Add support for generic OAuth2 providers
Signed-off-by: Pedro Ferreira <pedro.ferreira@cern.ch>
2018-03-26 15:55:39 +02:00
Sheogorath
2411dffa2c
Change config to camel case with backwards compatibility
This refactors the configs a bit to now use camel case everywhere.
This change should help to clean up the config interface and make it
better understandable.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-25 19:08:14 +02:00
Christoph (Sheogorath) Kern
6485f96659
Merge pull request #771 from SISheogorath/refactor/imageRouter
Refactoring imageRouter to modularity
2018-03-21 14:13:32 +01:00
Sheogorath
1756e76dc3
Refactoring imageRouter to modularity
This should make the imageRouter more modular and easier to extent. Also
a lot of code duplication was removed which should simplify maintenance
in future.

In the new setup we only need to provide a new module file which exports
a function called `uploadImage` and takes a filePath and a callback as
argument. The callback itself takes an error and an url as parameter.
This eliminates the need of a try-catch-block around the statement and
re-enabled the optimization in NodeJS.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-20 11:00:11 +01:00
Sheogorath
638eae0dfb
Add check for undefined UUID
This check is needed at there are tons of LDAP implementations out there
and none has at least one guaranteed unique field. As we currently check
three fields and added an option to select one yourself, it's still not
said that any of these fields is set. This will now create an error
and fail the authentication instead of letting people may get access to
other people's notes which are stored under a this way deterministic
wrong userid named `LDAP-undefined`.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-18 00:27:07 +01:00
Felix Schäfer
12dae4465f Multiple emails from LDAP are already an Array
Signed-off-by: Felix Schäfer <felix@thegcat.net>
2018-03-09 14:39:08 +01:00
Dustin Frisch
d6ee10d176
Introduce ldap.useridField
Signed-off-by: Dustin Frisch <fooker@lab.sh>
2018-03-01 23:51:47 +01:00
Sheogorath
eddf8a3a33
Fix uncaught exception for non-existent user
Since we added user management it's possible to get non-existent users
which can cause a crash of the Backend server.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-01-30 21:53:36 +01:00
Sheogorath
bd92010dd2
Remove camel case from imageuploadtype in config
This removes the only camel cased option of the config options
**we** added to the config.json.

In auth provider's config parts are a lot of camel cased options
provided. We shouldn't touch them to keep them as similar as
possible to the examples.

Fixes #315

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-01-27 23:50:15 +01:00
Christoph (Sheogorath) Kern
eec2318bda
Merge pull request #506 from erasys/minio
Add support for minio
2018-01-23 11:43:24 +01:00
Dustin Frisch
f47601857e
Allow posting new note with content
Signed-off-by: Dustin Frisch <fooker@lab.sh>
2018-01-18 10:41:58 +01:00
Lukas Kalbertodt
612b2d1811 Add setting ldap.usernameField
This determines which ldap field is used as the username on
HackMD. By default, the "id" is used as username, too. The id
is taken from the fields `uidNumber`, `uid` or
`sAMAccountName`. To give the user more flexibility, they can
now choose the field used for the username instead.
2017-12-09 12:30:48 +01:00
Norihito Nakae
2db2ff484f added guide for SAML settings 2017-12-04 20:13:15 +09:00
Norihito Nakae
a22be81feb fixed the SAML callback URL to unconfigurable. 2017-11-29 15:45:32 +09:00
Norihito Nakae
4a4ae9d332 Initial support for SAML authentication 2017-11-28 18:52:24 +09:00
Christoph Witzany
5cda55086a Add mattermost authentication 2017-10-31 10:34:51 +01:00
Sheogorath
881e800fd8 Merge pull request #562 from SISheogorath/fix/LDAP
Fix LDAP problem about missing uidNumber
2017-10-27 12:48:45 +02:00
Sheogorath
f93a14e3e1 Fix LDAP problem about missing uidNumber
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2017-10-12 14:52:28 +02:00
Kaiyu Shi
4ae8086301 Give google the correct name. 2017-09-04 16:04:20 +08:00
Marc Deop
2c780f53df
Add support for minio 2017-08-30 18:58:34 +02:00
Kotaro Yamamoto
1220bbe9f6 fix s3 us-east-1 region endpoint 2017-06-14 11:08:09 +09:00
Max Wu
0a6793747c fix: export to gist occurred 404 not found 2017-05-17 02:42:44 +08:00
Max Wu
0ef0e70579 Rename checkURiValid.js to checkURIValid.js 2017-05-08 20:13:55 +08:00
Raccoon Li
d79997808a fix(imageRouter): import missing dependency: getImageMimeType 2017-05-08 20:04:05 +08:00
BoHong Li
ecb0533605 refactor(config.js): Extract config file
* Separate different config source to each files
* Freeze config object
2017-05-08 19:29:07 +08:00
BoHong Li
aca01f064d refactor: Remove require extension filename 2017-05-08 19:29:06 +08:00
BoHong Li
34c9f07669 refactor(baseRouter.js): Adjust style fit standard 2017-05-08 19:29:06 +08:00