Commit graph

560 commits

Author SHA1 Message Date
David Mehren
dcdb6c1f96
Merge pull request #509 from pierreozoux/quick-fix
Makes the mime also work with upper case extension
2020-11-13 17:17:47 +01:00
pierreozoux
afc801b1c3 Makes the mime also work with upper case extension
Signed-off-by: pierreozoux <pierre@ozoux.net>
2020-11-12 21:06:09 +01:00
David Mehren
9dd74da17f
Save note title to database when creating a note
Currently, when creating a note with content via the API, a title is only saved to the database after visiting the note with the browser. This commit makes sure that a title is saved at creation time.

Closes #306

Signed-off-by: David Mehren <git@herrmehren.de>
2020-11-11 21:24:55 +01:00
Dexter Chua
a88b4aff2a Generic OAuth2: Set state: true
The OAuth2 specification RECOMMENDS setting the state to protect against
CSRF attacks. Some OAuth2 providers (e.g. ORY Hydra) refuse to
authenticate without the state set.

This is a cherry-pick of 852868419d.

Signed-off-by: haslersn <sebastian.hasler@gmx.net>
2020-10-22 22:50:34 +02:00
David Mehren
3461993ee0
Merge pull request #486 from codimd/feature/cookie-policy 2020-09-25 22:39:30 +02:00
Erik Michelson
4ece86f0ef
Update documentation and messages to new default value
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2020-09-08 09:58:15 +02:00
Erik Michelson
387e668275
Changed default policy from 'strict' to 'lax' due to the reasons mentioned in 3d1fab05
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2020-08-27 09:05:17 +02:00
Erik Michelson
824f910bfe
Add config option for cookie SameSite policy
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2020-08-27 02:04:49 +02:00
Erik Michelson
8932260360
Add missing unsafe-inline CSP directive
Dropbox loads an external script that adds inline javascript. Therefore, this addition is needed when enabling dropbox support.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2020-08-23 01:29:53 +02:00
Erik Michelson
d9adf598d8
Add dropbox CSP directive if configured and make button clickable
The lack of a 'preventDefault' on the click event handler resulted in the dropbox link being unclickable.
Furthermore because of a missing CSP rule, the dropbox script couldn't be loaded. The dropbox origin is now added to the CSP script sources if dropbox integration is configured.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2020-08-23 01:11:31 +02:00
Simeon Keske
a134aa3f35
saml: make logger print actual error message
Signed-off-by: Simeon Keske <git@n0emis.eu>
Signed-off-by: Leo Maroni <git@em0lar.de>
2020-07-11 21:21:01 +02:00
Simeon Keske
bab0409ed0
add error handling to saml-certs
Signed-off-by: Simeon Keske <git@n0emis.eu>
Signed-off-by: Leo Maroni <git@em0lar.de>
2020-07-11 21:21:00 +02:00
Simeon Keske
17f0067ab2
allow to set a saml client certificate
Signed-off-by: Simeon Keske <git@n0emis.eu>
2020-07-11 21:19:49 +02:00
Erik Michelson
e4214f32a0
Fixed meta parsing of lang-attribute for using it in the published-view
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2020-07-04 03:37:19 +02:00
Erik Michelson
ee4210a511 Added dynamic lang-attr to pretty.ejs
CodiMD currently only uses the 'lang' attribute in YAML-metadata of a note for setting certain js-elements of the markdown-renderer. This commit adds the chosen lang into the published version of a note.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2020-07-03 00:06:03 +02:00
Victor Berger
5f3a1b6266 Backport of #278 for 1.6.1
This is a backport of #278 with the default value of `scope` changed to
`undefined`. This is thus a fully backward-compatible change.

Signed-off-by: Victor Berger <victor.berger@m4x.org>
2020-06-20 16:48:25 +02:00
Sandro
4c0094a1f8
findNoteOrCreate: Create new note with empty string instead of null
Backport of #345 to 1.x

Signed-off-by: Sandro Jäckel <sandro.jaeckel@gmail.com>
2020-04-28 00:56:35 +02:00
Sheogorath
d389f45818
Fix broken redirect on login
This patch fixes the currently broken redirect on login when people try
to access a site they have no access to, they are redirected to the main
page to log in. After a successful login they should be redirected to
the original note, but instead are redirect to the index page again.

This aptch fixes the typo that causes the behavior and brings people
back to the note they edited.

Thanks to @clvs7-gh on Github[1], who submitted the patch via email.

On their behalf I hereby submit the change.

[1]: https://github.com/clvs7-gh

Note: I had to ajust this patch to work properly.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-03-21 16:56:09 +01:00
Sheogorath
840109b129
Backport Fix for relative theme path
This commit backport 856fc01fb9

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-03-21 16:20:01 +01:00
Sheogorath
a9d98d4b52
Add fix for missing deletion of notes on user-deletion request
Depending on how the system was setup, this bug lead to keep user's data
around even after a successful deletion of user'S account. This patch
will make sure the missing database constraints are implemented and
missed out deletions are executed.

This bug was introduced to insufficent testing after implementing the
feature initially. It was well tested, using the app process itself, but
the migrations where missed out. I'm currently not sure, if there was
also a change in how sequelize handles cassaded deletion, since I'm
unter the impression that before switching to sequelize 5, this feature
has worked. But I haven't verified this.

No matter what, the cleanup process is rather straight forward and will
be invoked on migration, but can also be done manually using the new
`bin/cleanup` script.

This change will result in a release 1.6.1.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-03-21 16:14:43 +01:00
Sheogorath
651db60985
Update CDN defaults
As we noticed in our poll about CDN usage, that most people
intentionally turn it off, but very little intetionally turn it on or
leave it on. [1]

There is also strong indicators that CDNs don't really provide any
benefits in loading time and due to the small deployments of CodiMD,
there is no big savings due to CDNs either. [2]

Therefore this patch changes the CDN default settings to off in order to
reduce the exposed user data.

[1]: https://community.codimd.org/t/poll-on-cdn-usage/28
[2]: https://csswizardry.com/2019/05/self-host-your-static-assets/

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-02-09 21:59:17 +01:00
ike
197223dc81 Add Google oauth variable: hostedDomain
Which is part of `passport-google-oauth2`.
It could be used as whitelist to a domain supported by google oauth.
Ref: https://github.com/jaredhanson/passport-google-oauth2/issues/3

Signed-off-by: ike <developer@ikewat.com>
2020-02-08 15:57:22 +08:00
Sheogorath
b3d4cdbceb
Update RevealJS to version 3.9.2
This update of revealJS helps us to get rid of the headjs depedency
integration using webpack. It updates reveal.js to 3.9.2 and updates the
csp hash accordingly for using the slide mode.

Background for this update is the critical security vulnerability
described by snyk in their disclosure:
https://snyk.io/vuln/SNYK-JS-REVEALJS-543841

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-02-01 12:53:15 +01:00
Sheogorath
33150b79c7
Merge pull request #218 from hoijui/linkifyHeaderStyle
Linkify header style
2019-12-03 14:40:00 +01:00
Ralph Krimmel
9534cdafbf Making the linter happy by removing superfluous ;
Signed-off-by: Ralph Krimmel <rkrimme1@gwdg.de>
2019-11-28 14:00:34 +01:00
Ralph Krimmel
3fb3ca54e9 Removing returnTo setting from referer in all other authentication sources
Signed-off-by: Ralph Krimmel <rkrimme1@gwdg.de>
2019-11-28 12:25:59 +01:00
Ralph Krimmel
e0a8872742 Moving the storage of referrer information to main authorization check instead of doing it in the authentication source
Signed-off-by: Ralph Krimmel <rkrimme1@gwdg.de>
2019-11-28 10:59:59 +01:00
Ralph Krimmel
3e8cf5778f Fixing linting problems
Signed-off-by: Ralph Krimmel <rkrimme1@gwdg.de>
2019-11-27 15:17:00 +01:00
foobarable
1881775379 Fixing redirection after SAML login
Saving referer into session in SAML auth so passport can redirect correctly after SAML login.

Signed-off-by: Ralph Krimmel <rkrimme1@gwdg.de>
2019-11-27 15:08:30 +01:00
Sheogorath
689f5a0a95
Merge pull request #213 from davidmehren/refactor_backend_notes
First steps in refactoring the backend code
2019-11-20 20:07:35 +01:00
hoijui
e1ff73877b allow to define header link generation style via environment var
Signed-off-by: hoijui <hoijui.quaero@gmail.com>
2019-10-30 17:46:38 +01:00
hoijui
cfa2ec38c5 document linkifyHeaderStyle in default.js
Signed-off-by: hoijui <hoijui.quaero@gmail.com>
2019-10-30 17:46:17 +01:00
Girish Ramakrishnan
c034ee5571 Fix crash in lutim integration
Signed-off-by: Girish Ramakrishnan <girish@cloudron.io>
2019-10-29 20:23:13 -07:00
David Mehren
b5ccceff59
Inline renderPublishSlide
Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27 15:50:24 +01:00
David Mehren
3c39d07723
Inline responseCodiMD
Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27 15:29:10 +01:00
David Mehren
ca9e6e49c9
Inline publish and slide
Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27 15:27:48 +01:00
David Mehren
25a540ebbc
Inline renderPublish
Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27 15:26:50 +01:00
David Mehren
2bc4233ba8
Move showPublishNote and publishNoteActions to note controller
Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27 15:23:38 +01:00
David Mehren
dee62ce571
Move showNote to note controller
Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27 15:23:38 +01:00
David Mehren
181d5646cf
Move note actions into their own file
Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27 15:23:31 +01:00
David Mehren
30487f7c01
Rename actions.js to controller.js and rename functions to be more descriptive
Move postNote to NoteController and rename to createFromPost

Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27 14:40:36 +01:00
David Mehren
afb317b551
Move slide actions to own file
Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27 14:27:15 +01:00
David Mehren
9d938c334a
Fix errors constant in note/actions.js
Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27 14:19:46 +01:00
David Mehren
f78540c3fb
Move note actions to their own file.
Because of circular import problems, this commit also moves the error messages from response.js to errors.js

Signed-off-by: David Mehren <dmehren1@gmail.com>
2019-10-27 13:51:53 +01:00
hoijui
e654ca8a31 Allow to generate lower case header references through the config
This makes the references consistent/compatible with GitHub,
GitLab, Pandoc and many other tools.

This behavior can be enabled in config.json with:

```
"linkifyHeaderStyle": "gfm"
```

Signed-off-by: hoijui <hoijui.quaero@gmail.com>
2019-10-22 09:05:37 +02:00
Sheogorath
7e5bb8a24b
Fix broken error template due to missing opengraph
This regression bug was caused by the error page using the `codimd/head`
template. This resulted in error messages like this:

```
ReferenceError: /codimd/public/views/error.ejs:5
    3|
    4| <head>
 >> 5|     <%- include codimd/head %>
    6|     <link rel="stylesheet" href="<%- serverURL %>/css/center.css">
    7| </head>
    8|
/codimd/public/views/codimd/head.ejs:7
    5| <meta name="apple-mobile-web-app-status-bar-style" content="black">
    6| <meta name="mobile-web-app-capable" content="yes">
 >> 7| <% for (var og in opengraph) { %>
    8| <% if (opengraph.hasOwnProperty(og) && opengraph[og].trim() !== '') { %>
    9| <meta property="og:<%- og %>" content="<%- opengraph[og] %>">
    10| <% }} if (!opengraph.hasOwnProperty('image')) { %>
opengraph is not defined
    at eval (eval at compile (/codimd/node_modules/ejs/lib/ejs.js:618:12), <anonymous>:18:23)
    at eval (eval at compile (/codimd/node_modules/ejs/lib/ejs.js:618:12), <anonymous>:99:10)
    at returnedFn (/codimd/node_modules/ejs/lib/ejs.js:653:17)
    at tryHandleCache (/codimd/node_modules/ejs/lib/ejs.js:251:36)
    at View.exports.renderFile [as engine] (/codimd/node_modules/ejs/lib/ejs.js:482:10)
    at View.render (/codimd/node_modules/express/lib/view.js:135:8)
    at tryRender (/codimd/node_modules/express/lib/application.js:640:10)
    at Function.render (/codimd/node_modules/express/lib/application.js:592:3)
    at ServerResponse.render (/codimd/node_modules/express/lib/response.js:1012:7)
    at responseError (/codimd/lib/response.js:57:20)
    at Object.errorNotFound (/codimd/lib/response.js:30:5)
    at newNote (/codimd/lib/response.js:134:76)
    at /codimd/lib/response.js:172:16
    at tryCatcher (/codimd/node_modules/bluebird/js/release/util.js:16:23)
    at Promise._settlePromiseFromHandler (/codimd/node_modules/bluebird/js/release/promise.js:517:31)
    at Promise._settlePromise (/codimd/node_modules/bluebird/js/release/promise.js:574:18)
    at Promise._settlePromise0 (/codimd/node_modules/bluebird/js/release/promise.js:619:10)
    at Promise._settlePromises (/codimd/node_modules/bluebird/js/release/promise.js:699:18)
    at _drainQueueStep (/codimd/node_modules/bluebird/js/release/async.js:138:12)
    at _drainQueue (/codimd/node_modules/bluebird/js/release/async.js:131:9)
    at Async._drainQueues (/codimd/node_modules/bluebird/js/release/async.js:147:5)
    at Immediate.Async.drainQueues (/codimd/node_modules/bluebird/js/release/async.js:17:14)

```

The fix for that is rather trivial. We simply provide an empty array of
metadata when generating the error template.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-10-11 17:03:09 +02:00
Sheogorath
cd34a8c702
Merge pull request #191 from ErikMichelson/feature/ogmetadata
Add customizable opengraph metadata for notes (see #40)
2019-10-10 14:55:34 +02:00
Erik Michelson
2881f8211a
Added customizable og-metadata to notes
Signed-off-by: Erik Michelson <erik@liltv.de>
2019-10-04 19:49:45 +02:00
Amolith
71e900e9e8
remove unused variable to pass ci testing - #58
Signed-off-by: Amolith <amolith@nixnet.xyz>
2019-10-03 09:24:46 -04:00
Amolith
e6eab33e2d
remove legacy code to solve #58
Signed-off-by: Amolith <amolith@nixnet.xyz>
2019-10-03 08:39:51 -04:00