Our frontend requests the `/me` pathname in order to determine whether
it's logged in or not. Due to the fact that the sameSite attribute of
the session cookie was set to `strict` in a previous commit, the session
token was no longer sent along with HTTP calls initiated by JS. This is
due to the RFCs definition of "safe" HTTP calls in RFC7231.
The bug triggers the UI to show up like an unauthenticated user, even
after a successful login. In order to debug it a look into the send
cookies to the `/me` turned out to be very enlightening.
The fix this patch implements is rather simple, it replaces the sameSite
attribute to `lax` which enables the cookies for those requests again.
Some older and mobile clients were unaffected by this due to the lack of
implementations of sameSite policies.
References:
https://tools.ietf.org/html/rfc7231#section-4.2.1https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.3.7.1https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSitee77e7b165a
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
We enabled the `secure` flag for various cookies in previous commits.
This caused setups behind reverse proxies to drop cookies as the nodejs
instance wasn't aware of the fact that it was able to hand out secure
commits using an insecure connection (between the codimd instance and
the reverse proxy).
This patch makes express, the webserver framework we use, aware of
proxies and this way re-enabled the handing out of cookies. Not only the
cookie monster will enjoy, but also functionality like authentication
and real-time editing will return as intended.
References:
https://www.npmjs.com/package/express-session#cookiesecure383d791a50
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
As @davidmehren figured out, the problem that NodeJS version 14 gets
stuck while CodiMD is starting, was due to the outdated postgres
dependency. The old pg version doesn't work with node version 14 due to
an undocumented API change in the `readyState` in the socket API.
This patch updates the required dependency and this way resolves the
issue.
Reference:
https://github.com/sequelize/sequelize/issues/12158149f482324
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
The socket.io cookie doesn't really have any purpose as it's no longer
user in modern socket.io versions. This patch disables it.
References:
https://github.com/socketio/socket.io/issues/2276
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
While HSTS should take care of most of this, setting cookies to be
secure, and only applied on same site helps to improve situations where
for whatever reason, downgrade attacks are still a thing.
This patch adds the `sameSite` and `secure` to the session cookie and
this way prevent all accidents where a browser may doesn't support HSTS
or HSTS is intentionally dropped.
Reference:
https://www.npmjs.com/package/express-session#cookiesecure
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
According to https://github.com/socketio/socket.io/issues/2276 this cookie is not used for anything. To avoid browser warnings about the sameSite attribute, we disable it here.
Signed-off-by: David Mehren <dmehren1@gmail.com>
Modern browsers do not support (or will stop supporting) sameSite: none (or no sameSite attribute) without the Secure flag. As we don't want everyone to be able to make requests with our cookies anyway, this commit sets sameSite to strict. See https://developer.mozilla.org/de/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Signed-off-by: David Mehren <dmehren1@gmail.com>
Adding translations for permissions for a possible 1.6.1 release doesn't
hurt but might helps some usecases of running CodiMD and we'll need the
translations in the new frontend anyway.
This patch adds the translations as well as the english local file.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
This patch cleans up the remaining possible foreign-key constraint. This
case seem to appear, when notes are deleted, but due to missing database
contraints not their authroships.
This function should clean that up as well and complete the preparation
for the new db contraints.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
In order to prevent OOM situations due to large databases, this patch
should reduce the amount of data requested from the database
drastically.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
This patch fixes the currently broken redirect on login when people try
to access a site they have no access to, they are redirected to the main
page to log in. After a successful login they should be redirected to
the original note, but instead are redirect to the index page again.
This aptch fixes the typo that causes the behavior and brings people
back to the note they edited.
Thanks to @clvs7-gh on Github[1], who submitted the patch via email.
On their behalf I hereby submit the change.
[1]: https://github.com/clvs7-gh
Note: I had to ajust this patch to work properly.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Depending on how the system was setup, this bug lead to keep user's data
around even after a successful deletion of user'S account. This patch
will make sure the missing database constraints are implemented and
missed out deletions are executed.
This bug was introduced to insufficent testing after implementing the
feature initially. It was well tested, using the app process itself, but
the migrations where missed out. I'm currently not sure, if there was
also a change in how sequelize handles cassaded deletion, since I'm
unter the impression that before switching to sequelize 5, this feature
has worked. But I haven't verified this.
No matter what, the cleanup process is rather straight forward and will
be invoked on migration, but can also be done manually using the new
`bin/cleanup` script.
This change will result in a release 1.6.1.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Node 8 is End of Life since the beginning of 2020.[1] Due to not
deprecating it earlier, the next release will be the last release
supporting it. There are no breaking changes to be expected anymore,
therefore removing the Tests can be considered safe and the release can
start its existence with a green CI.
This patch removes the test for NodeJS version 8 from the TravisCI jobs.
[1]: https://nodejs.org/en/about/releases/