These guards check if the login or registration are enabled in the config. If so the guarded method is executed, if not the client will get the HTTP Error 400 Forbidden as an answer
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This was done to use the same term. Also email was the old term from HedgeDoc 1 and wildly inaccurate. As we never checked any mail addresses, in fact it was more of a username than anything else.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
this handles the settings for the cookie session. The secret and the lifeTime of the cookie can be configured.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This makes it possible that we can get identities from any user object even if we didn't specify that while getting them from the orm
Signed-off-by: Philip Molares <philip.molares@udo.edu>
As these methods will be used in both the AuthService and the IdentityService, it makes sense to extract them and use them in this manner. Especially if one considers that they are quite standalone functions.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This is used to give identities a type and to easily get the identity any auth method would need.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This should help to make clear why code is executed when the TokenAuthGuard is encountered by a request. Currently, one has to connect both files via the string 'token', which is a bit cryptic
Signed-off-by: Philip Molares <philip.molares@udo.edu>
The functions now expect a `Note` object instead of a noteId to
make it more consistent with other functions.
Signed-off-by: David Mehren <git@herrmehren.de>
The function now expects a `Note` object instead of a noteId
and a `User` instead of a username to
make it more consistent with other functions.
Signed-off-by: David Mehren <git@herrmehren.de>
As we now have a GetNotePipe, we can easily get rid of this function.
All clients can directly provide a `Note` instance
and use `getEntryByNote`.
Signed-off-by: David Mehren <git@herrmehren.de>
The function now expects a `Note` object instead of a noteId to
make it more consistent with other functions.
Signed-off-by: David Mehren <git@herrmehren.de>
The function now expects a `Note` object instead of a noteId to
make it more consistent with `updateHistoryEntryTimestamp`.
Signed-off-by: David Mehren <git@herrmehren.de>
This renames `createOrUpdateHistoryEntry` to `updateHistoryEntryTimestamp`,
which reduces confusion with the similarly named
`updateHistoryEntry` function.
Signed-off-by: David Mehren <git@herrmehren.de>
This replaces repeated calls to `noteService.getNoteByIdOrAlias`
and associated error handling with the `GetNotePipe`
in the `Param` decorator.
Signed-off-by: David Mehren <git@herrmehren.de>
`getNoteMetadata` does not use a method that
can throw a `PermissionsUpdateInconsistentError`.
The try/catch-block seems to be a copy-paste error.
Signed-off-by: David Mehren <git@herrmehren.de>
This replaces repeated calls to `noteService.getNoteByIdOrAlias`
and associated error handling with the `GetNotePipe`
in the `Param` decorator.
Signed-off-by: David Mehren <git@herrmehren.de>
This pipe transforms a note ID or alias to a Note object
by loading it from the database.
It also performs error handling
Signed-off-by: David Mehren <git@herrmehren.de>
This introduces the `RequestUser` decorator
to extract the `User` from a request.
It reduces code duplication across the public API
and allows us to drop the override of the `Request` type from express.
Signed-off-by: David Mehren <git@herrmehren.de>
After Authorship was renamed to Edit, the DTO should follow.
The file is also moved to the revisions folder, where the entity
already is.
Signed-off-by: David Mehren <git@herrmehren.de>
As we now have a separate Author entity, which holds information
about an author (the color), the Authorship name became confusing.
Edit seems to be a better name, as the entity saves information
about a change in a note.
Signed-off-by: David Mehren <git@herrmehren.de>
This reimplements logic to get all Users that ever edited a note
and fixes the empty `editedBy` property of `toNoteMetadataDto`
introduced in 81cc092e.
Signed-off-by: David Mehren <git@herrmehren.de>
This commit replaces the user property with a author property,
in accordance with the DB schema updated in 0d6c3002.
It also adjusts the NoteService accordingly.
Signed-off-by: David Mehren <git@herrmehren.de>
The DB schema was updated in 0d6c3002,
this adds the new author property to
the Session and User entities.
Signed-off-by: David Mehren <git@herrmehren.de>
Before this commit, `Note.create()` did not return a complete object,
as the `publicId` property was missing.
This adds the generation of the property to the `create` method and
moves the actual generation code from the `NotesService`
to a utility method.
Signed-off-by: David Mehren <git@herrmehren.de>
This field is a randomly generated 128-bit value encoded with base32-encode using the crockford variant and converted to lowercase.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This was done because it was only a wrapper for a nodejs function to check if the given parameter is a positive number.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This is a 1.x relict and isn't used anymore in 2.x. All 1.x shortids will be converted to aliases on migration of 1.x to 2.x.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
As all tokens are valid for a maximum of 2 years, the
validUntil attribute is always populated.
This updates the database schema and the DTO to reflect that.
Fixes#1256
Signed-off-by: David Mehren <git@herrmehren.de>
TokenAuthGuard ensures that req.user is always
defined, but thanks to strict mode we have to check again.
In the future, we may add a custom Request type and
a custom param decorator to centralize the check.
Signed-off-by: David Mehren <git@herrmehren.de>
TypeORM columns with `nullable: true` can be `null` at runtime.
This commit ensures that the types of the corresponding properties reflect that.
Signed-off-by: David Mehren <git@herrmehren.de>
TokenAuthGuard ensures that req.user is always
defined, but thanks to strict mode we have to check again.
In the future, we may add a custom Request type and
a custom param decorator to centralize the check.
Signed-off-by: David Mehren <git@herrmehren.de>
TokenAuthGuard ensures that req.user is always
defined, but thanks to strict mode we have to check again.
In the future, we may add a custom Request type and
a custom param decorator to centralize the check.
Signed-off-by: David Mehren <git@herrmehren.de>
This adds error handling to getEntryByNote, so it throws a
NotInDBError instead of (illegally, according to the type) returning
null.
Signed-off-by: David Mehren <git@herrmehren.de>
Some properties already have a IsOptional decorator,
this makes the properties themselves also optional
Signed-off-by: David Mehren <git@herrmehren.de>
A string with a negative length is invalid, so we should throw here
instead of complicating the type with a possible null return value.
Signed-off-by: David Mehren <git@herrmehren.de>
validUntil and lastUsed already have a IsOptional decorator,
this makes the properties themselves also optional
Signed-off-by: David Mehren <git@herrmehren.de>
This adds error handling to various getters, so they throw a
NotInDBError instead of (illegally, according to the type) returning
null.
Signed-off-by: David Mehren <git@herrmehren.de>
This is the transactional reimplementation of the business logic of the history controllers setHistory method (of the private api). This should prevent the problem that the history gets deleted, but a later error in the handling of the list of HistoryEntryImportDto let's the call fail.
See also: https://docs.nestjs.com/techniques/database#transactions
Signed-off-by: Philip Molares <philip.molares@udo.edu>
As the function is now only called with a user and a note and the previous extra parameters are now added into the transactional setHistory method, this is no longer necessary.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
To reuse this functionality in the history services setHistory method, it was extracted into its own exported function.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This script invokes src/seed.ts to create a sqlite DB. The DB already contains some objects to manual test with. This ensures that devs easily can spin up a test instance of HedgeDoc and don't need to fumble around with the DB file.
See https://github.com/typeorm/typeorm#creating-a-connection-to-the-database
Signed-off-by: Philip Molares <philip.molares@udo.edu>
As we only use rendererOrigin in the frontend config service, where domain will be used if it is not defined, it makes more sense to move this default behavior to the app config directly. That makes it easier to understand what this variable contains and that it defaults to domain.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
NestJS adds the headers "Last Modified" and "ETag" to asset serving responses.
Therefore all the information we need for the banner are already given by the
file content or the file meta data.
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
This adds a body to the route DELETE /notes/{note} of the public api to specify if the associated media uploads of the note should be kept or deleted.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This adds a body to the route DELETE /notes/{note} of the private api to specify if the associated media uploads of the note should be kept or deleted.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
As it is possible to delete a note without also deleting the associated media uploads this needs to changed in the media upload entity, too.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This commit adds a few missing `functionContext` parameters in calls to
`this.logger` and fixes a copy-paste error in `ensureDirectory`
Signed-off-by: David Mehren <git@herrmehren.de>
Until now the app config mock used ts-loader's LogLevel instead of our own Loglevel, which is obviously wrong.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
To better handle deletion of entities, all necessary other entities got the option onDelete CASCADE set. So everything that does not make any sense if something else is deleted will be deleted along side of it.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
The former deleteFile was moved to the public apis media controller and the actual deletion functionality was moved in a separate function to be called on user deletion.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
Add test to createUser method to ensure an already used username triggers a AlreadyInDBError.
Add debug entry if user is deleted.
Add changeDisplayName method.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This makes it possible to create permissions by setting them in the note entity and delete them when either the user or note is deleted.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This functions makes it possible to make a partial order of the Loglevel enum. This simplifies the if statements in ConsoleLogger.
This is done, because the Loglevel enum already has a string backing for easy conversion from the config environmental variables and therefore can't also have a ordinal number assigned…
Signed-off-by: Philip Molares <philip.molares@udo.edu>
As the DTO is only for importing an existing history the lastVisited of those entries should also be posted.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
As the DTO is only for importing an existing history the pinStatus of those entries should also be posted.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
As the DTO is used to import a whole list of history entries rather than creating a single history entry (there is no way of doing that at the moment)
Signed-off-by: Philip Molares <philip.molares@udo.edu>
The cache is never null, because it defaults to undefined, and therefore this function always returns undefined.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
All urls should be of the form `uploads/<filename>.<extension>` regardless of what the uploadDirectory is, because the backend proxies all locally uploaded files.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
These are used in the /config private API call and needed to distinguish with which of the multiple auth providers a login should occur.
This also fixes the types of the multiple auth provider arrays to something that works, as `[{}]` specifics exactly on object in an array.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
CustomizationConfig holds all possible customization configs.
ExternalConfig holds external services that may be configured.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
We need this function in at least on other part of the application so extracting it into an util file was only logical.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This makes it possible for the autogenerated openapi file to contain all the dtos instead of nothing.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
'...use' tries to go up one level and grab the value of 'use' there and not the same level 'use' as we want here
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This re-enables the `@typescript-eslint/explicit-module-boundary-types`
check and also enables the
`@typescript-eslint/explicit-function-return-type` check.
Signed-off-by: David Mehren <git@herrmehren.de>
This ensures stack traces are helpful at the cost of a slightly
lower performance (one more tick in the event loop).
Fixes#838
Signed-off-by: David Mehren <git@herrmehren.de>