renovate[bot]
528f4dade1
fix(deps): update dependency raw-body to v3
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-09-02 10:36:06 +02:00
Erik Michelson
73d9c3231b
refactor(backend): rename auth to public-auth-token
...
Signed-off-by: Yannick Bungers <git@innay.de>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-09-02 10:33:08 +02:00
renovate[bot]
52fe7f55de
fix(deps): update dependency rimraf to v6
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-09-02 10:28:52 +02:00
Philip Molares
03a388c6f9
fix: turbo filter commands
...
turbo now wants you to specify the whole name and not just part of the name.
See: https://github.com/vercel/turborepo/pull/8137
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2024-08-31 12:53:53 +02:00
renovate[bot]
b481f79c34
chore(deps): remove dependency http-proxy-middleware
...
This is no longer necessary, as we needed this previously when the backend proxied the frontend
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2024-08-31 09:56:18 +02:00
renovate[bot]
3a8869fab9
chore(deps): update dependency @darraghor/eslint-plugin-nestjs-typed to v5
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-30 17:27:29 +02:00
renovate[bot]
5d45fc21e4
fix(deps): update definitelytyped
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-30 12:50:58 +02:00
renovate[bot]
cf51c7572a
fix: remove explicit typing
...
Apparently this is not need anymore and the linter does not like it.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2024-08-30 11:58:32 +02:00
renovate[bot]
f35d00806e
chore(deps): update dependency typescript to v5.5.4
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-30 11:58:32 +02:00
renovate[bot]
f948861bfe
chore(deps): update nestjs packages
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-30 10:47:49 +02:00
renovate[bot]
d00b1c454d
chore(deps): update linters
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-30 10:07:01 +02:00
renovate[bot]
cf7fe9df10
fix(deps): update dependency @azure/storage-blob to v12.24.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 14:51:29 +02:00
renovate[bot]
818e2bcddc
fix(deps): update dependency diff to v5.2.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 14:48:35 +02:00
renovate[bot]
0da190b00d
fix(deps): update dependency joi to v17.13.3
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 14:46:30 +02:00
renovate[bot]
ebde99f212
fix(deps): update dependency pg to v8.12.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 14:43:24 +02:00
renovate[bot]
289f874d40
chore(deps): update dependency ts-jest to v29.2.5
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 14:34:47 +02:00
renovate[bot]
44d41a5ec5
chore(deps): update yarn to v4.1.1
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-08-29 10:08:54 +00:00
renovate[bot]
8769f13f5d
fix(deps): update dependency rimraf to v5.0.10
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 09:41:38 +00:00
renovate[bot]
9e558f7f5d
fix(deps): update nestjs packages
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 09:22:13 +00:00
renovate[bot]
475c82316f
fix(deps): update dependency reflect-metadata to v0.2.2
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 09:19:10 +00:00
renovate[bot]
7516eb7761
fix(deps): update dependency joi to v17.12.3
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 09:16:16 +00:00
renovate[bot]
ecbe34746b
fix(deps): update dependency pg to v8.11.6
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 09:15:51 +00:00
renovate[bot]
1038d798d8
fix(deps): update dependency cli-color to v2.0.4
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 08:58:49 +00:00
renovate[bot]
e3b93ad9a1
chore(deps): update dependency yjs to v13.6.18
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 05:25:31 +00:00
renovate[bot]
aa759cc879
chore(deps): update dependency ts-jest to v29.1.5
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 02:21:47 +00:00
renovate[bot]
c3fd6993d2
chore(deps): update dependency @tsconfig/node18 to v18.2.4
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 02:15:21 +00:00
renovate[bot]
2cc71588fe
fix(deps): update dependency ws to v8.17.1 [security]
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 00:43:05 +02:00
renovate[bot]
6a6fd3b099
chore(deps): update dependency @darraghor/eslint-plugin-nestjs-typed to v4.6.1
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 00:33:01 +02:00
renovate[bot]
7773fe1bdb
fix(deps): pin dependency @node-rs/argon2 to 1.8.3
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-28 22:23:56 +00:00
renovate[bot]
14fe9470dd
chore(deps): update node.js to 1a526b9
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-28 22:07:27 +00:00
Erik Michelson
0c4e9bc080
fix(formatting): remove blank line to silence prettier
...
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-08-29 00:00:08 +02:00
yamashush
e99ba0615c
test: fix update patch when removing old revisions
...
Signed-off-by: yamashush <38120991+yamashush@users.noreply.github.com>
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2024-08-23 18:43:40 +02:00
Erik Michelson
f30f0d8e51
fix(passwords): use argon2id instead of bcrypt
...
OWASP [1] recommends for password hashing the following algorithms in
descending order: argon2id, scrypt, bcrypt. They state that bcrypt may
be used in legacy systems or when required due to legal regulations.
We're however not building any legacy application. Even HedgeDoc 1.x
utilizes a more modern algorithm by using scrypt.
While bcrypt is not insecure per se, our implementation had a major
security flaw, leading to invalid passwords being accepted in certain
cases. The bcrypt nodejs package - and the OWASP cheatsheet as well -
point out, that the maximum input length of passwords is limited to 72
bytes with bcrypt. When some user has a password longer than 72 bytes in
use, only the first 72 bytes are required to log in successfully.
Depending on the encoding (which could be UTF-8 or UTF-16 depending on
different circumstances) this could in worst-case be at 36 characters,
which is not very unusual for a password. See also [2].
This commit changes the used algorithm to argon2id. Argon2id has been in
use for several years now and seems to be a well-designed password
hashing function that even won the 2015 Password Hashing Competition.
Argon2 does not have any real-world max input length for passwords (it
is at 4 GiB).
The node-rs/argon2 implementation seems to be well maintained, widely
used (more than 150k downloads per week) and is published with
provenance, proving that the npm package was built on GitHub actions
using the source code in the repository. The implementation is written
in Rust, so it should be safe against memory leakages etc.
[1]: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Che
at_Sheet.html#password-hashing-algorithms
[2]: https://security.stackexchange.com/a/39851
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-08-08 20:29:23 +02:00
Erik Michelson
6684b0f886
enhancement(realtime): send metadata update on revision save
...
When the frontend is notified about metadata updates, it refreshes the
data and therefore refreshes information like the timestamp of the last
revision save in the sidebar.
This commit adds such a notification from the backend to all clients on
each revision save, so that the "last saved at" value in the frontend is
correct.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-08-07 22:25:51 +02:00
Erik Michelson
9597ac5422
feat(notes): check for equal alias or note id
...
When creating a new note or adding a new alias to one,
it is checked that the new name
is neither forbidden nor already in use.
Co-authored-by: David Mehren <git@herrmehren.de>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-04-18 22:15:11 +02:00
Erik Michelson
8693edbf6a
refactor(media): add media redirection endpoint
...
Previous versions of HedgeDoc suffered from the problem
that changing the media backend required manipulation of
the media links in all created notes. We discussed in
#3704 that it's favourable to have an endpoint that
redirects to the image's original URL. When changing the
media backend, the link stays the same but just the
redirect changes.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-04-18 22:11:49 +02:00
Philip Molares
1f19a6fac4
lint: fix error in new test
...
This was probably introduced because the PR was open so long
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2024-04-18 21:52:36 +02:00
yamashush
1c22a425bd
test: complete todo
...
Signed-off-by: yamashush <38120991+yamashush@users.noreply.github.com>
2024-04-18 21:26:06 +02:00
renovate[bot]
9aaec95398
fix(deps): update dependency @nestjs/schedule to v4
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-04-09 11:31:07 +02:00
Erik Michelson
92bde4d281
enhancement(api-tokens): add prefix and more strict validation
...
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-04-09 10:54:35 +02:00
Erik Michelson
956dd28648
feat: add event listener for canceling destroy timer
...
Signed-off-by: yamashush <38120991+yamashush@users.noreply.github.com>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-03-03 21:15:32 +01:00
renovate[bot]
61bf3adf99
chore(deps): update linters
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-03-01 17:51:22 +01:00
renovate[bot]
5775b07b2d
chore(deps): update dependency @types/node to v20.11.18
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-15 15:34:38 +00:00
renovate[bot]
ecce1adc16
fix(deps): update nestjs packages to v10.3.3
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-12 13:13:48 +00:00
renovate[bot]
663faaf8f7
chore(deps): update yarn to v4.1.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
73e34755a1
fix(deps): update dependency joi to v17.12.1
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
315d43f209
fix(deps): update dependency htmlparser2 to v9.1.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
b58c475f83
fix(deps): update dependency express-session to v1.18.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
0eb473e5fc
chore(deps): update typescript-eslint monorepo to v6.21.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
eb71573227
chore(deps): update linters
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00