summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNicolas Dietrich2021-01-22 16:47:47 +0100
committerNicolas Dietrich2021-01-22 16:52:49 +0100
commit497569fee4a841b13ed1606ca54f269162d3fa62 (patch)
tree3ad268aa959c51630cbc61a2b2fa73095585193b
parent3331c0947cb6d63ce7f2846c38d5a7b82960b2eb (diff)
Add config option which requires authentication in FreeURL mode
This mitigates unintended note creation by bots or humans through a simple GET call. See discussion in #754. Signed-off-by: Nicolas Dietrich <nidi@mailbox.org>
-rw-r--r--docs/content/configuration.md1
-rw-r--r--lib/config/default.js1
-rw-r--r--lib/config/environment.js1
-rw-r--r--lib/config/hackmdEnvironment.js1
-rw-r--r--lib/web/note/util.js2
5 files changed, 5 insertions, 1 deletions
diff --git a/docs/content/configuration.md b/docs/content/configuration.md
index f57d7178..ff459608 100644
--- a/docs/content/configuration.md
+++ b/docs/content/configuration.md
@@ -96,6 +96,7 @@ these are rarely used for various reasons.
| `allowAnonymous` | `CMD_ALLOW_ANONYMOUS` | **`true`** or `false` | Set to allow anonymous usage (default is `true`). |
| `allowAnonymousEdits` | `CMD_ALLOW_ANONYMOUS_EDITS` | **`false`** or `true` | If `allowAnonymous` is `false`: allow users to select `freely` permission, allowing guests to edit existing notes (default is `false`). |
| `allowFreeURL` | `CMD_ALLOW_FREEURL` | **`false`** or `true` | Set to allow new note creation by accessing a nonexistent note URL. This is the behavior familiar from [Etherpad](https://github.com/ether/etherpad-lite). |
+| `requireFreeURLAuthentication` | `CMD_REQUIRE_FREEURL_AUTH` | **`false`** or `true` | Set to require authentication for FreeURL mode style note creation. |
| `defaultPermission` | `CMD_DEFAULT_PERMISSION` | **`editable`**, `freely`, `limited`, `locked`, `protected` or `private` | Set notes default permission (only applied on signed-in users). |
| `sessionName` | | **`connect.sid`** | Cookie session name. |
| `sessionLife` | `CMD_SESSION_LIFE` | **`14 * 24 * 60 * 60 * 1000`**, `1209600000` (14 days) | Cookie session life time in milliseconds. |
diff --git a/lib/config/default.js b/lib/config/default.js
index fe9b7059..ed812f45 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -33,6 +33,7 @@ module.exports = {
allowAnonymous: true,
allowAnonymousEdits: false,
allowFreeURL: false,
+ requireFreeURLAuthentication: false,
forbiddenNoteIDs: ['robots.txt', 'favicon.ico', 'api', 'build', 'css', 'docs', 'fonts', 'js', 'uploads', 'vendor', 'views'],
defaultPermission: 'editable',
dbURL: '',
diff --git a/lib/config/environment.js b/lib/config/environment.js
index 2a2c5fbb..3f13c8e0 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -29,6 +29,7 @@ module.exports = {
allowAnonymous: toBooleanConfig(process.env.CMD_ALLOW_ANONYMOUS),
allowAnonymousEdits: toBooleanConfig(process.env.CMD_ALLOW_ANONYMOUS_EDITS),
allowFreeURL: toBooleanConfig(process.env.CMD_ALLOW_FREEURL),
+ requireFreeURLAuthentication: toBooleanConfig(process.env.CMD_REQUIRE_FREEURL_AUTH),
forbiddenNoteIDs: toArrayConfig(process.env.CMD_FORBIDDEN_NOTE_IDS),
defaultPermission: process.env.CMD_DEFAULT_PERMISSION,
dbURL: process.env.CMD_DB_URL,
diff --git a/lib/config/hackmdEnvironment.js b/lib/config/hackmdEnvironment.js
index 76e41361..ecdd9a51 100644
--- a/lib/config/hackmdEnvironment.js
+++ b/lib/config/hackmdEnvironment.js
@@ -24,6 +24,7 @@ module.exports = {
allowAnonymous: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS),
allowAnonymousEdits: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS_EDITS),
allowFreeURL: toBooleanConfig(process.env.HMD_ALLOW_FREEURL),
+ requireFreeURLAuthentication: toBooleanConfig(process.env.HMD_REQUIRE_FREEURL_AUTH),
defaultPermission: process.env.HMD_DEFAULT_PERMISSION,
dbURL: process.env.HMD_DB_URL,
sessionSecret: process.env.HMD_SESSION_SECRET,
diff --git a/lib/web/note/util.js b/lib/web/note/util.js
index 75f0c815..57438515 100644
--- a/lib/web/note/util.js
+++ b/lib/web/note/util.js
@@ -52,7 +52,7 @@ exports.newNote = function (req, res, body) {
return errors.errorForbidden(res)
}
if (noteId) {
- if (config.allowFreeURL && !config.forbiddenNoteIDs.includes(noteId)) {
+ if (config.allowFreeURL && !config.forbiddenNoteIDs.includes(noteId) && (!config.requireFreeURLAuthentication || req.isAuthenticated())) {
req.alias = noteId
} else {
return req.method === 'POST' ? errors.errorForbidden(res) : errors.errorNotFound(res)