Commit graph

560 commits

Author SHA1 Message Date
renovate[bot]
528f4dade1 fix(deps): update dependency raw-body to v3
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-09-02 10:36:06 +02:00
renovate[bot]
52fe7f55de fix(deps): update dependency rimraf to v6
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-09-02 10:28:52 +02:00
renovate[bot]
b481f79c34 chore(deps): remove dependency http-proxy-middleware
This is no longer necessary, as we needed this previously when the backend proxied the frontend

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2024-08-31 09:56:18 +02:00
renovate[bot]
3a8869fab9 chore(deps): update dependency @darraghor/eslint-plugin-nestjs-typed to v5
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-30 17:27:29 +02:00
renovate[bot]
5d45fc21e4 fix(deps): update definitelytyped
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-30 12:50:58 +02:00
renovate[bot]
f35d00806e chore(deps): update dependency typescript to v5.5.4
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-30 11:58:32 +02:00
renovate[bot]
f948861bfe chore(deps): update nestjs packages
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-30 10:47:49 +02:00
renovate[bot]
d00b1c454d chore(deps): update linters
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-30 10:07:01 +02:00
renovate[bot]
cf7fe9df10 fix(deps): update dependency @azure/storage-blob to v12.24.0
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 14:51:29 +02:00
renovate[bot]
818e2bcddc fix(deps): update dependency diff to v5.2.0
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 14:48:35 +02:00
renovate[bot]
0da190b00d fix(deps): update dependency joi to v17.13.3
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 14:46:30 +02:00
renovate[bot]
ebde99f212 fix(deps): update dependency pg to v8.12.0
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 14:43:24 +02:00
renovate[bot]
289f874d40 chore(deps): update dependency ts-jest to v29.2.5
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 14:34:47 +02:00
renovate[bot]
44d41a5ec5 chore(deps): update yarn to v4.1.1
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-08-29 10:08:54 +00:00
renovate[bot]
8769f13f5d fix(deps): update dependency rimraf to v5.0.10
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 09:41:38 +00:00
renovate[bot]
9e558f7f5d fix(deps): update nestjs packages
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 09:22:13 +00:00
renovate[bot]
475c82316f fix(deps): update dependency reflect-metadata to v0.2.2
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 09:19:10 +00:00
renovate[bot]
7516eb7761 fix(deps): update dependency joi to v17.12.3
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 09:16:16 +00:00
renovate[bot]
ecbe34746b fix(deps): update dependency pg to v8.11.6
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 09:15:51 +00:00
renovate[bot]
1038d798d8 fix(deps): update dependency cli-color to v2.0.4
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 08:58:49 +00:00
renovate[bot]
e3b93ad9a1 chore(deps): update dependency yjs to v13.6.18
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 05:25:31 +00:00
renovate[bot]
aa759cc879 chore(deps): update dependency ts-jest to v29.1.5
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 02:21:47 +00:00
renovate[bot]
c3fd6993d2 chore(deps): update dependency @tsconfig/node18 to v18.2.4
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 02:15:21 +00:00
renovate[bot]
2cc71588fe fix(deps): update dependency ws to v8.17.1 [security]
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 00:43:05 +02:00
renovate[bot]
6a6fd3b099 chore(deps): update dependency @darraghor/eslint-plugin-nestjs-typed to v4.6.1
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-29 00:33:01 +02:00
renovate[bot]
7773fe1bdb fix(deps): pin dependency @node-rs/argon2 to 1.8.3
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-28 22:23:56 +00:00
Erik Michelson
f30f0d8e51 fix(passwords): use argon2id instead of bcrypt
OWASP [1] recommends for password hashing the following algorithms in
descending order: argon2id, scrypt, bcrypt. They state that bcrypt may
be used in legacy systems or when required due to legal regulations.
We're however not building any legacy application. Even HedgeDoc 1.x
utilizes a more modern algorithm by using scrypt.

While bcrypt is not insecure per se, our implementation had a major
security flaw, leading to invalid passwords being accepted in certain
cases. The bcrypt nodejs package - and the OWASP cheatsheet as well -
point out, that the maximum input length of passwords is limited to 72
bytes with bcrypt. When some user has a password longer than 72 bytes in
use, only the first 72 bytes are required to log in successfully.
Depending on the encoding (which could be UTF-8 or UTF-16 depending on
different circumstances) this could in worst-case be at 36 characters,
which is not very unusual for a password. See also [2].

This commit changes the used algorithm to argon2id. Argon2id has been in
use for several years now and seems to be a well-designed password
hashing function that even won the 2015 Password Hashing Competition.
Argon2 does not have any real-world max input length for passwords (it
is at 4 GiB).

The node-rs/argon2 implementation seems to be well maintained, widely
used (more than 150k downloads per week) and is published with
provenance, proving that the npm package was built on GitHub actions
using the source code in the repository. The implementation is written
in Rust, so it should be safe against memory leakages etc.

[1]: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Che
     at_Sheet.html#password-hashing-algorithms
[2]: https://security.stackexchange.com/a/39851

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-08-08 20:29:23 +02:00
renovate[bot]
9aaec95398 fix(deps): update dependency @nestjs/schedule to v4
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-04-09 11:31:07 +02:00
renovate[bot]
61bf3adf99 chore(deps): update linters
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-03-01 17:51:22 +01:00
renovate[bot]
5775b07b2d chore(deps): update dependency @types/node to v20.11.18
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-15 15:34:38 +00:00
renovate[bot]
ecce1adc16 fix(deps): update nestjs packages to v10.3.3
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-12 13:13:48 +00:00
renovate[bot]
663faaf8f7 chore(deps): update yarn to v4.1.0
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
73e34755a1 fix(deps): update dependency joi to v17.12.1
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
315d43f209 fix(deps): update dependency htmlparser2 to v9.1.0
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
b58c475f83 fix(deps): update dependency express-session to v1.18.0
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
0eb473e5fc chore(deps): update typescript-eslint monorepo to v6.21.0
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
eb71573227 chore(deps): update linters
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
01257ea7ac chore(deps): update dependency @darraghor/eslint-plugin-nestjs-typed to v4.5.0
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
d089634369 fix(deps): update dependency ws to v8.16.0
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
20c41578f3 fix(deps): update dependency reflect-metadata to v0.2.1
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
970686202d chore(deps): update nestjs packages
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
1ccf02bab6 fix(deps): update nestjs packages
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
0474dbbac8 fix(deps): update dependency typeorm to v0.3.20
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
3f5f7bbc27 chore(deps): update dependency yjs to v13.6.12
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
68ae8fd726 chore(deps): update dependency @types/jest to v29.5.12
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
bf0991a671 chore(deps): update dependency @darraghor/eslint-plugin-nestjs-typed to v4.4.3
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
074a92444b chore(deps): update definitelytyped
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
c36bf7f1c2 chore(deps): update dependency @darraghor/eslint-plugin-nestjs-typed to v4.4.0
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-01-29 16:19:43 +01:00
renovate[bot]
95e09f02f7 chore(deps): update dependency @types/node to v20.11.10
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-01-28 21:02:24 +00:00
renovate[bot]
696cc5086c fix(deps): update dependency sqlite3 to v5.1.7
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-01-28 16:55:25 +00:00