Commit graph

142 commits

Author SHA1 Message Date
Yannick Bungers
9ecf7ba2be
Merge pull request #1935 from hedgedoc/feature/verify-password-change 2022-01-04 10:36:09 +01:00
David Mehren
745a1078f1
Merge pull request #1827 from hedgedoc/enhancement/lazy_load_relations 2022-01-03 19:51:39 +01:00
Erik Michelson
eda6835403
feat(auth): password change requires old password
By checking the "old" password of the user prior to a password change, the
password change function is more secured against abuse.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2021-12-28 02:09:05 +01:00
David Mehren
3e074d1879
fix(auth): use sha-512 for auth tokens
Bcrypt hashes are too slow to be validated on every request.
As our tokens are random and have a fixed length, it is reasonable
to use SHA-512 instead.

SHA-512 is recommended as cryptographically strong by the BSI:
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile

Fixes https://github.com/hedgedoc/hedgedoc/issues/1881

Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-13 22:44:38 +01:00
David Mehren
3c0c11e3d4
refactor(note): lazy-load relations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-12-13 21:45:03 +01:00
Philip Molares
16cd42f197 test: fix note e2e test 'fails with non-existing alias'
Because the rejection now happens automatically in the permissions guard it does not get to the controller method and does not report the Content-Type to text/markdown

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-12-02 20:41:14 +01:00
Philip Molares
40e8acb6bb test: fix note e2e test 'fails, when user can't read note'
Because the rejection now happens automatically in the permissions guard it now returns a 403 instead of 401

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-12-02 20:41:14 +01:00
Philip Molares
d716873af2 test: fix test name in alias.e2e-spec.ts
This seems to be a copy/paste bug

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-11-21 18:06:41 +01:00
David Mehren
9c08ff94fe
fix(note): fix type for owner param
To make the create method easier to use in conjunction
with the authentication framework, this commit changes the type of
the `owner` parameter from `User | undefined` to `User | null`.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-11-14 21:46:04 +01:00
Philip Molares
d5c77613bb test(private-api): fix aliases expect
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-11-11 22:07:20 +01:00
David Mehren
ef2e90da20
Add E2E tests for login and registration
Signed-off-by: David Mehren <git@herrmehren.de>
2021-10-28 10:19:48 +02:00
David Mehren
5a16047f50
AuthController: Return 409 Conflict when user already exists
The previously used HTTP error 400 'Bad Request' is not really
applicable here, as the client did not send a malformed message.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-10-28 10:18:05 +02:00
David Mehren
3560d82c44
TestSetup: Initialize full app and session middleware
Signed-off-by: David Mehren <git@herrmehren.de>
2021-10-28 10:18:05 +02:00
David Mehren
691152579b
Update API routes in private API E2E tests
Signed-off-by: David Mehren <git@herrmehren.de>
2021-10-21 20:17:03 +02:00
David Mehren
c6cac58a67
Update API routes in public API E2E tests
Signed-off-by: David Mehren <git@herrmehren.de>
2021-10-21 20:17:03 +02:00
David Mehren
4428f3fb39
Separate private and public API in TestSetup
Including both PublicApiModule and PrivateApiModule in the test setup
lead to the API routes overwriting each other.
This adds a router to separate the APIs as they are in the normal app.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-10-21 20:17:03 +02:00
David Mehren
0bb333ca69
Migrate private history API E2E test to global TestSetup
Signed-off-by: David Mehren <git@herrmehren.de>
2021-10-21 20:17:03 +02:00
David Mehren
209a9b93a6
Migrate private me API E2E test to global TestSetup
Signed-off-by: David Mehren <git@herrmehren.de>
2021-10-21 20:17:03 +02:00
David Mehren
ddaeb4fc66
Migrate private media API E2E test to global TestSetup
Signed-off-by: David Mehren <git@herrmehren.de>
2021-10-21 20:17:02 +02:00
David Mehren
9489fbaa79
Migrate private notes API E2E test to global TestSetup
Signed-off-by: David Mehren <git@herrmehren.de>
2021-10-21 19:52:41 +02:00
David Mehren
8a640f6be9
Migrate public alias API E2E test to global TestSetup
Signed-off-by: David Mehren <git@herrmehren.de>
2021-10-21 19:52:41 +02:00
David Mehren
cddd28f082
Migrate public me API E2E test to global TestSetup
Signed-off-by: David Mehren <git@herrmehren.de>
2021-10-21 19:52:38 +02:00
David Mehren
5b2b2e9a44
Migrate public media API E2E test to global TestSetup
Signed-off-by: David Mehren <git@herrmehren.de>
2021-10-21 19:51:57 +02:00
David Mehren
9539581219
Migrate public notes API E2E test to global TestSetup
Signed-off-by: David Mehren <git@herrmehren.de>
2021-10-21 19:51:57 +02:00
David Mehren
046607f1e5
Move common test preparations into TestSetup class
Signed-off-by: David Mehren <git@herrmehren.de>
2021-10-21 19:51:57 +02:00
David Mehren
ade58e3ca1
Move tsconfig.test.json to test directory
WebStorm does not support typescript.*.json files,
but always uses the nearest tsconfig.json.
Moving the test-specific tsconfig into the test folder allows WebStorm
to use the correct config for the E2E-tests and
stops it from showing unnecessary errors.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-10-21 19:51:57 +02:00
Alexandru Văleanu
b3d3015ce7
Add delete media in private API (#1736)
Adds the missing API route of deleting media in the private API.
2021-10-18 20:00:28 +02:00
Yannick Bungers
d33cfa4541 fix username spelling from userName
Signed-off-by: Yannick Bungers <git@innay.de>
2021-10-13 22:54:00 +02:00
Yannick Bungers
141b1bf5e8 Add e2e tests for tokens
Signed-off-by: Yannick Bungers <git@innay.de>
2021-10-13 20:54:27 +02:00
Yannick Bungers
276d423ee2 Fix tests with using sessions in e2e tests of private api
Signed-off-by: Yannick Bungers <git@innay.de>
2021-10-13 20:54:27 +02:00
Philip Molares
9f38b9036c test: fix e2e tests to handle the new aliases
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-09-22 20:43:45 +02:00
Philip Molares
67baa51b93 feat: add auth e2e tests
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-09-17 00:00:00 +02:00
Abhilasha Sinha
9d6aa10923 Add new API to purge note history #1064
Signed-off-by: Abhilasha Sinha <abhisinha662000@gmail.com>

Combine the describe block

Signed-off-by: Abhilasha Sinha <abhisinha662000@gmail.com>

Fix naming

Signed-off-by: Abhilasha Sinha <abhisinha662000@gmail.com>

Rename purgeRevision to purgeRevisions

Signed-off-by: Abhilasha Sinha <abhisinha662000@gmail.com>

Fix notes e2e test description

Signed-off-by: Abhilasha Sinha <abhisinha662000@gmail.com>

Add yarn.lock

Fix lint and format

Signed-off-by: Abhilasha Sinha <abhisinha662000@gmail.com>
2021-09-07 21:23:26 +05:30
David Mehren
7c618e7f9f
Merge pull request #1613 from hedgedoc/merge/tokenGuardAndStrategy 2021-09-06 12:12:44 +02:00
David Mehren
5c7a787d7e
MediaService: Refactor saveFile
The function now expects a `Note` object instead of a noteId
and a `User` instead of a username to
make it more consistent with other functions.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-09-04 22:40:15 +02:00
David Mehren
b552fc10b6
HistoryService: Refactor deleteHistoryEntry
The function now expects a `Note` object instead of a noteId to
make it more consistent with other functions.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-09-04 22:40:15 +02:00
David Mehren
99db4bc336
UserService: Improve method naming
This renames `createOrUpdateHistoryEntry` to `updateHistoryEntryTimestamp`,
which reduces confusion with the similarly named
`updateHistoryEntry` function.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-09-04 22:40:15 +02:00
David Mehren
f667410b51
Public API: Test that forbidden notes can't be accessed
Signed-off-by: David Mehren <git@herrmehren.de>
2021-09-04 22:40:15 +02:00
Philip Molares
c22727dad7 refactor: move TokenAuthGuard in the same file as TokenStrategy
This should help to make clear why code is executed when the TokenAuthGuard is encountered by a request. Currently, one has to connect both files via the string 'token', which is a bit cryptic

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-09-04 18:09:17 +02:00
David Mehren
bcc9ec9c75
Enforce import order with prettier
Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-29 18:45:46 +02:00
David Mehren
392653607d
[E2E tests] Don't use hardcoded service tokens
The DI tokens for services seem to have changed with NestJS 8.
As we can also use the class object instead of a hardcoded token,
this commit replaces the tokens accordingly.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-07-15 20:30:51 +02:00
Philip Molares
fb79f44b1f chore(test): Change test to work with publicId
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-05-17 20:27:44 +02:00
David Mehren
e4317725cd
Format with Prettier 2.3
Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-15 21:13:44 +02:00
David Mehren
b518583fd2
E2E Tests: Fix ESLint errors
Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-09 20:59:31 +02:00
David Mehren
7adbc72a5f
Merge pull request #1130 from hedgedoc/history/transaction 2021-05-02 18:15:05 +02:00
Philip Molares
2ba1be6ea3 PrivateHistoryE2E: Extend POST /me/history
Test the correct behaviour in error cases

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-05-02 18:09:16 +02:00
David Mehren
5e61de9bd5
Use node12 TypeScript base config
TypeScript recommends using a base config from https://github.com/tsconfig/bases.

Using this config reduces compile times by ~30%
and the size of the dist folder by ~45%.
It also enables the recommended `esModuleInterop` option,
which necessitated some changes to imports.
See also https://www.typescriptlang.org/docs/handbook/release-notes/typescript-2-7.html#support-for-import-d-from-cjs-from-commonjs-modules-with---esmoduleinterop

Signed-off-by: David Mehren <git@herrmehren.de>
2021-04-29 22:55:01 +02:00
Yannick Bungers
0bad4827bf
Merge pull request #1179 from hedgedoc/util/replaceNull 2021-04-25 21:03:45 +02:00
Philip Molares
38ab6dc27b NotesE2ETest: Changed test for title and description
They should not return null and that's correctly tested now.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-04-24 21:33:47 +02:00
Philip Molares
1f897636bb PublicApi: Add option to keep media to DELETE /notes/{note}
This adds a body to the route DELETE /notes/{note} of the public api to specify if the associated media uploads of the note should be kept or deleted.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-04-22 23:13:13 +02:00