Commit graph

134 commits

Author SHA1 Message Date
Erik Michelson
e8793271a0 enhancement(caddy): expose :8080 by default, trust private proxies
This commit changes the caddyfile to not directly rely on the
HD_BASE_URL environment variable, but instead default to port 8080 as
used in our package.json scripts and docs.
The caddy domain can optionally be overridden using the CADDY_HOST env
variable.
Furthermore, this change adds a section to trust reverse-proxies in
front of Caddy if they are in a private range IP address network.
Both these changes are required to be able to expose a local development
setup with another domain than localhost to a co-developer. With
this change it works without having Caddy trying to generate TLS
certificates for that domain nor HedgeDoc erroring about a origin
mismatch, that occurs as Caddy doesn't forward specific headers
otherwise.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-09-18 17:56:25 +02:00
Erik Michelson
157a0fe278 refactor(media): store filenames, use pre-signed s3/azure URLs, UUIDs
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-09-12 14:49:17 +02:00
Erik Michelson
4132833b5d refactor(api-docs): move api docs to /api/doc/
The API documentation belongs strictly to the API itself.
Due to the usage of version-prefixed API endpoints, there is no conflict
with existing or future endpoints.
The reason behind this is that we already have enough exceptions in the
routing (default everything to react-frontend, exceptions for backend)
and it is hard to keep it synchronized throughout all relevant places.
This came to attention as the dev setup didn't proxy the API docs to the
backend.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-09-12 14:49:17 +02:00
Erik Michelson
7f665fae4b feat(auth): refactor auth, add oidc
Thanks to all HedgeDoc team members for the time discussing,
helping with weird Nest issues, providing feedback
and suggestions!

Co-authored-by: Philip Molares <philip.molares@udo.edu>
Signed-off-by: Philip Molares <philip.molares@udo.edu>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-09-11 21:29:49 +02:00
Erik Michelson
1f1231a730 ci: remove netlify deployment workflow
This workflow was used in an early stage of development of HedgeDoc 2.
It allowed the core developers to quickly check fixes, improvements or
new features to the HedgeDoc UI without the requirement to check-out
the branch locally. As not every pull request required a deployment,
this workflow was only triggered when the "ci: force deployment"
label was added. Since some time already, the frontend and backend
are so tightly coupled that the netfliy deployment doesn't make any
sense anymore and therefore hasn't been used anymore. This commit
therefore removes this leftover workflow.

@RedYetiDev contacted us privately and reported that this deployment
workflow could have been abused to invoke arbitrary commands, including
extraction of environment variables which include our tokens for the
turborepo build cache or the netlify deployment token. For this it
would have been required that somebody created a "safe" pull request,
which would have been labelled with the deployment label and then
changed afterwards since the workflow checks out the pull request
source repository, not the target. We assured that the label was only
added to pull requests from trusted members of the HedgeDoc core team.
There was never any malicious use of the workflow. Furthermore, no
released versions of HedgeDoc (1.x) could have been affected by this,
even in the worst-case scenario.

We're thankful for putting this risk at our attention!
If you too encounter something unusual regarding security in HedgeDoc
itself or our toolchain around it, don't hesitate to contact us.
Details on this are wriiten in our SECURITY.md in the root of the
repository.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-07-30 08:48:38 +02:00
Jochen Martin Eppler
cdb9a5cbb0 Fix typo
defition --> definition

Signed-off-by: Jochen Martin Eppler <jougs@gmx.net>
2024-06-27 12:45:50 +02:00
Tilman Vatteroth
631b641041 fix(docs): linting of ldap config
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 16:02:31 +01:00
yamashush
275988716c doc: update e2e test script name
Signed-off-by: yamashush <38120991+yamashush@users.noreply.github.com>
2024-01-21 15:31:10 +01:00
Tilman Vatteroth
01d7eb9529 fix(deps): bump minimum node version to v20
With node 18 the tests always crash.

Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-01-18 19:12:46 +01:00
Erik Michelson
482cb7729f docs: fix reverse-proxy how-to using wrong host header
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2023-12-25 12:58:48 +01:00
Philip Molares
e797d600d4 chore: release alpha 2
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2023-10-25 21:55:27 +02:00
Erik Michelson
520953d0bd enhancement(docs): add info about ports in the setup tutorial
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2023-10-13 09:58:33 +02:00
David Mehren
0df8533450 docs: set HD_INTERNAL_API_URL in docker-compose.yml example
Signed-off-by: David Mehren <git@herrmehren.de>
2023-10-08 21:12:51 +02:00
Tilman Vatteroth
f43c9fd2b1 feat: add internal api url
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2023-10-08 21:12:51 +02:00
Philip Molares
74ba21711c docs: add faq entry about fork awesome deprecation
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2023-10-08 21:12:15 +02:00
Yannick Bungers
8f66447ab9 Update docs for HD_SHOW_LOG_TIMESTAMP
Signed-off-by: Yannick Bungers <git@innay.de>

Signed-off-by: Yannick Bungers <git@innay.de>
2023-10-08 20:42:37 +02:00
David Mehren
3aee932736 docs: add alpha version warning to setup instructions
Signed-off-by: David Mehren <git@herrmehren.de>
2023-10-08 19:25:19 +02:00
David Mehren
de14b75369 docs: fix alpha image tag
Signed-off-by: David Mehren <git@herrmehren.de>
2023-10-08 19:25:19 +02:00
Philip Molares
d10c922cba docs: add netlify badge
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2023-10-08 19:21:10 +02:00
Philip Molares
09698579a7 fix: docs deployment
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2023-10-08 17:54:39 +02:00
Philip Molares
c1aa396a3e fix: docs deployment
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2023-10-08 17:44:00 +02:00
Philip Molares
576815013c fix: docs deployment
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2023-10-08 17:31:59 +02:00
Philip Molares
5335c48df7 feat(config): warn user about not yet supported config
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2023-10-07 14:33:21 +02:00
Philip Molares
d43da06ec1 refactor: remove dropbox, facebook & twitter login
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2023-10-07 13:28:37 +02:00
David Mehren
0693812e8b refactor: remove HstsConfig
This config object was originally ported from the HD1 config,
but is not required anymore.

HD2 does not support handling TLS anymore, so it does not make
sense for it to set TLS-related headers.
The reverse proxy terminating TLS can easily set HSTS headers.

Signed-off-by: David Mehren <git@herrmehren.de>
2023-10-07 11:10:37 +02:00
Philip Molares
5ed1fa18d6 fix: fix links to other files
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2023-09-17 21:50:21 +02:00
Philip Molares
e07cd62596 docs: restructure documentation
This rewrite follows the principles of https://diataxis.fr/

Co-authored-by: Erik Michelson <github@erik.michelson.eu>
Signed-off-by: Philip Molares <philip.molares@udo.edu>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2023-09-17 21:50:21 +02:00
Philip Molares
e0dd24ed29 refactor: move dco into root
They never really belonged into the docs anyway, but somehow were stuck there

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2023-09-17 21:50:21 +02:00
Philip Molares
d185e2e694 refactor: rename HD_AUTH_LDAPS to HD_AUTH_LDAP_SERVERS
This was done as LDAPS us both the plural of LDAP and the common abbreviation for secure LDAP connections.

Fixes #4460

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2023-07-22 11:37:17 +02:00
Philip Molares
e8e72c5328 docs: run lint:fix
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2023-07-09 20:07:07 +02:00
Philip Molares
50d4959e0a docs: run lint:fix
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2023-07-09 20:07:07 +02:00
Juned Khan
723c5752bd doc: Added documentation to enable debug logging in prod
Signed-off-by: Juned Khan <junedkhanc101@gmail.com>
2023-07-02 14:33:06 +02:00
Tilman Vatteroth
7fdd11f9ff fix: add license files for developer-certificate-of-origin.txt
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2023-06-21 15:31:10 +02:00
Tilman Vatteroth
40cc8cd7f2 doc: correct name of permission env vars
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2023-06-06 22:10:20 +02:00
Philip Molares
f306593e6c docs: update ldap dev docs
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2023-05-12 21:11:45 +02:00
Philip Molares
4bf2ca4ca7 docs: update ldap dev docs
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2023-05-12 21:11:45 +02:00
Philip Molares
06659ce0a7 docs: add ldap auth method
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2023-05-12 21:11:45 +02:00
Philip Molares
0932481117 docs: add images for customization docs
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2023-05-10 20:20:17 +02:00
Philip Molares
e86e40a61b docs: indent imgur warning correctly
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2023-05-10 13:57:25 +02:00
Tilman Vatteroth
23901d1454 chore: change recommended and CI node version to v20
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2023-05-10 13:43:05 +02:00
Philip Molares
a44e364553 docs(imgur): add warning about new imgur policy
Because imgur will delete images 6 month after the last access, we should tell our users about this change to help them make a informed decision about their media backend choice…

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2023-05-07 22:42:58 +02:00
Tilman Vatteroth
d8c1e35819 docs(docs): make clear that the s3 endpoint must be a URL
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2023-04-16 18:41:03 +02:00
Tilman Vatteroth
476aff890e fix: usage of .env file in getting-started dev guide
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2023-04-13 10:39:17 +02:00
David Mehren
57701b5d6c docs: add note about separate renderer domain
Signed-off-by: David Mehren <git@herrmehren.de>
2023-03-26 15:53:49 +02:00
David Mehren
80eb4c8a1a docs: change default session secret in docker deployment
Signed-off-by: David Mehren <git@herrmehren.de>
2023-03-26 15:53:49 +02:00
David Mehren
f7f052fca1 refactor: use separate env vars for frontend/backend port
As we moved to a combined .env file for simplicity, frontend and backend need to be configured with separate variables.

Signed-off-by: David Mehren <git@herrmehren.de>
2023-03-26 15:53:49 +02:00
David Mehren
b538c2c2a3 docs: minor fixes for config docs
Signed-off-by: David Mehren <git@herrmehren.de>
2023-03-25 13:05:42 +01:00
David Mehren
520d0933cb docs: add getting started guide
Signed-off-by: David Mehren <git@herrmehren.de>
2023-03-25 13:05:42 +01:00
David Mehren
26da4c6327 docs: consistent Markdown formatting
Signed-off-by: David Mehren <git@herrmehren.de>
2023-03-24 20:06:11 +01:00
David Mehren
31969c56eb docs: add missing design docs disclaimer
Signed-off-by: David Mehren <git@herrmehren.de>
2023-03-24 20:06:11 +01:00