authorNicolas Dietrich2021-01-22 16:47:47 +0100
committerNicolas Dietrich2021-01-22 16:52:49 +0100
commit497569fee4a841b13ed1606ca54f269162d3fa62 (patch)
tree3ad268aa959c51630cbc61a2b2fa73095585193b /lib
parent3331c0947cb6d63ce7f2846c38d5a7b82960b2eb (diff)
Add config option which requires authentication in FreeURL mode
This mitigates unintended note creation by bots or humans through a simple GET call. See discussion in #754. Signed-off-by: Nicolas Dietrich <nidi@mailbox.org>
Diffstat (limited to 'lib')
-rw-r--r--lib/config/default.js1
-rw-r--r--lib/config/environment.js1
-rw-r--r--lib/config/hackmdEnvironment.js1
-rw-r--r--lib/web/note/util.js2
4 files changed, 4 insertions, 1 deletions
diff --git a/lib/config/default.js b/lib/config/default.js
index fe9b7059..ed812f45 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -33,6 +33,7 @@ module.exports = {
allowAnonymous: true,
allowAnonymousEdits: false,
allowFreeURL: false,
+ requireFreeURLAuthentication: false,
forbiddenNoteIDs: ['robots.txt', 'favicon.ico', 'api', 'build', 'css', 'docs', 'fonts', 'js', 'uploads', 'vendor', 'views'],
defaultPermission: 'editable',
dbURL: '',
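Review bot: The new `requireFreeURLAuthentication` key is added without any comment, and nothing in default.js tells an operator that it only takes effect when `allowFreeURL` is also true (the check in lib/web/note/util.js in this same commit is gated on `config.allowFreeURL` first). A one-line comment above the key would avoid the common misconfiguration of enabling it on its own and assuming it protects something: `// only honoured when allowFreeURL is true; then free-URL note creation needs a logged-in user`. The same note applies to the environment.js and hackmdEnvironment.js hunks, which also introduce the key undocumented.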
diff --git a/lib/config/environment.js b/lib/config/environment.js
index 2a2c5fbb..3f13c8e0 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -29,6 +29,7 @@ module.exports = {
allowAnonymous: toBooleanConfig(process.env.CMD_ALLOW_ANONYMOUS),
allowAnonymousEdits: toBooleanConfig(process.env.CMD_ALLOW_ANONYMOUS_EDITS),
allowFreeURL: toBooleanConfig(process.env.CMD_ALLOW_FREEURL),
+ requireFreeURLAuthentication: toBooleanConfig(process.env.CMD_REQUIRE_FREEURL_AUTH),
forbiddenNoteIDs: toArrayConfig(process.env.CMD_FORBIDDEN_NOTE_IDS),
defaultPermission: process.env.CMD_DEFAULT_PERMISSION,
dbURL: process.env.CMD_DB_URL,
diff --git a/lib/config/hackmdEnvironment.js b/lib/config/hackmdEnvironment.js
index 76e41361..ecdd9a51 100644
--- a/lib/config/hackmdEnvironment.js
+++ b/lib/config/hackmdEnvironment.js
@@ -24,6 +24,7 @@ module.exports = {
allowAnonymous: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS),
allowAnonymousEdits: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS_EDITS),
allowFreeURL: toBooleanConfig(process.env.HMD_ALLOW_FREEURL),
+ requireFreeURLAuthentication: toBooleanConfig(process.env.HMD_REQUIRE_FREEURL_AUTH),
defaultPermission: process.env.HMD_DEFAULT_PERMISSION,
dbURL: process.env.HMD_DB_URL,
sessionSecret: process.env.HMD_SESSION_SECRET,
diff --git a/lib/web/note/util.js b/lib/web/note/util.js
index 75f0c815..57438515 100644
--- a/lib/web/note/util.js
+++ b/lib/web/note/util.js
@@ -52,7 +52,7 @@ exports.newNote = function (req, res, body) {
return errors.errorForbidden(res)
}
if (noteId) {
- if (config.allowFreeURL && !config.forbiddenNoteIDs.includes(noteId)) {
+ if (config.allowFreeURL && !config.forbiddenNoteIDs.includes(noteId) && (!config.requireFreeURLAuthentication || req.isAuthenticated())) {
req.alias = noteId
} else {
return req.method === 'POST' ? errors.errorForbidden(res) : errors.errorNotFound(res)
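Review bot: When `requireFreeURLAuthentication` is on and the only failing condition is `req.isAuthenticated()`, an unauthenticated GET falls into the else branch and is answered with `errorNotFound`, so a human who could legitimately create the note after logging in gets the same 404 as for a forbidden ID and has no hint that authentication is the missing step; a dedicated branch returning `errorForbidden(res)` for the auth-missing case would keep the bot mitigation while not hiding the requirement. The merged condition on the changed line is also hard to read and audit as a single expression, which matters for a check that now decides an access-control outcome; naming the two concerns keeps the gate order visible: `const freeUrlAllowed = config.allowFreeURL && !config.forbiddenNoteIDs.includes(noteId)`, `const authSatisfied = !config.requireFreeURLAuthentication || req.isAuthenticated()`, `if (freeUrlAllowed && authSatisfied) {`. Note that the option is undefined rather than false when the environment overrides do not set it, so the `!config.requireFreeURLAuthentication` form is what keeps the old behaviour by default, presumably via the defaults merge, which is worth a comment. The enclosing `newNote` function starts and ends outside the hunk.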