summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
Diffstat (limited to 'lib')
-rw-r--r--lib/config/default.js9
-rw-r--r--lib/config/defaultSSL.js8
-rw-r--r--lib/config/dockerSecret.js3
-rw-r--r--lib/config/environment.js6
-rw-r--r--lib/config/index.js19
-rw-r--r--lib/csp.js15
-rw-r--r--lib/letter-avatars.js17
-rw-r--r--lib/models/note.js9
-rw-r--r--lib/models/user.js10
-rw-r--r--lib/realtime.js2
-rw-r--r--lib/response.js15
-rw-r--r--lib/web/auth/saml/index.js4
-rw-r--r--lib/web/imageRouter/azure.js35
-rw-r--r--lib/web/userRouter.js7
14 files changed, 130 insertions, 29 deletions
diff --git a/lib/config/default.js b/lib/config/default.js
index 19ddccf6..30ce2090 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -18,6 +18,8 @@ module.exports = {
directives: {
},
addDefaults: true,
+ addDisqus: true,
+ addGoogleAnalytics: true,
upgradeInsecureRequests: 'auto',
reportURI: undefined
},
@@ -46,6 +48,7 @@ module.exports = {
// session
sessionName: 'connect.sid',
sessionSecret: 'secret',
+ sessionSecretLen: 128,
sessionLife: 14 * 24 * 60 * 60 * 1000, // 14 days
staticCacheTime: 1 * 24 * 60 * 60 * 1000, // 1 day
// socket.io
@@ -53,7 +56,7 @@ module.exports = {
heartbeatTimeout: 10000,
// document
documentMaxLength: 100000,
- // image upload setting, available options are imgur/s3/filesystem
+ // image upload setting, available options are imgur/s3/filesystem/azure
imageUploadType: 'filesystem',
imgur: {
clientID: undefined
@@ -71,6 +74,10 @@ module.exports = {
port: 9000
},
s3bucket: undefined,
+ azure: {
+ connectionString: undefined,
+ container: undefined
+ },
// authentication
facebook: {
clientID: undefined,
diff --git a/lib/config/defaultSSL.js b/lib/config/defaultSSL.js
index 362c62a1..ba020466 100644
--- a/lib/config/defaultSSL.js
+++ b/lib/config/defaultSSL.js
@@ -10,8 +10,8 @@ function getFile (path) {
}
module.exports = {
- sslkeypath: getFile('/run/secrets/key.pem'),
- sslcertpath: getFile('/run/secrets/cert.pem'),
- sslcapath: getFile('/run/secrets/ca.pem') !== undefined ? [getFile('/run/secrets/ca.pem')] : [],
- dhparampath: getFile('/run/secrets/dhparam.pem')
+ sslKeyPath: getFile('/run/secrets/key.pem'),
+ sslCertPath: getFile('/run/secrets/cert.pem'),
+ sslCAPath: getFile('/run/secrets/ca.pem') !== undefined ? [getFile('/run/secrets/ca.pem')] : [],
+ dhParamPath: getFile('/run/secrets/dhparam.pem')
}
diff --git a/lib/config/dockerSecret.js b/lib/config/dockerSecret.js
index b9116cd3..fd66ddfe 100644
--- a/lib/config/dockerSecret.js
+++ b/lib/config/dockerSecret.js
@@ -22,6 +22,9 @@ if (fs.existsSync(basePath)) {
accessKeyId: getSecret('s3_acccessKeyId'),
secretAccessKey: getSecret('s3_secretAccessKey')
},
+ azure: {
+ connectionString: getSecret('azure_connectionString')
+ },
facebook: {
clientID: getSecret('facebook_clientID'),
clientSecret: getSecret('facebook_clientSecret')
diff --git a/lib/config/environment.js b/lib/config/environment.js
index cab3bc3e..810cb225 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -26,6 +26,8 @@ module.exports = {
allowFreeURL: toBooleanConfig(process.env.HMD_ALLOW_FREEURL),
defaultPermission: process.env.HMD_DEFAULT_PERMISSION,
dbURL: process.env.HMD_DB_URL,
+ sessionSecret: process.env.HMD_SESSION_SECRET,
+ sessionLife: toIntegerConfig(process.env.HMD_SESSION_LIFE),
imageUploadType: process.env.HMD_IMAGE_UPLOAD_TYPE,
imgur: {
clientID: process.env.HMD_IMGUR_CLIENTID
@@ -43,6 +45,10 @@ module.exports = {
port: toIntegerConfig(process.env.HMD_MINIO_PORT)
},
s3bucket: process.env.HMD_S3_BUCKET,
+ azure: {
+ connectionString: process.env.HMD_AZURE_CONNECTION_STRING,
+ container: process.env.HMD_AZURE_CONTAINER
+ },
facebook: {
clientID: process.env.HMD_FACEBOOK_CLIENTID,
clientSecret: process.env.HMD_FACEBOOK_CLIENTSECRET
diff --git a/lib/config/index.js b/lib/config/index.js
index fae51e52..f10eadb8 100644
--- a/lib/config/index.js
+++ b/lib/config/index.js
@@ -1,6 +1,7 @@
'use strict'
+const crypto = require('crypto')
const fs = require('fs')
const path = require('path')
const {merge} = require('lodash')
@@ -52,7 +53,7 @@ if (config.ldap.tlsca) {
// Permission
config.permission = Permission
-if (!config.allowAnonymous && !config.allowAnonymousedits) {
+if (!config.allowAnonymous && !config.allowAnonymousEdits) {
delete config.permission.freely
}
if (!(config.defaultPermission in config.permission)) {
@@ -110,16 +111,24 @@ for (let i = keys.length; i--;) {
// and the config with uppercase is not set
// we set the new config using the old key.
if (uppercase.test(keys[i]) &&
- config[lowercaseKey] &&
- !config[keys[1]]) {
+ config[lowercaseKey] !== undefined &&
+ fileConfig[keys[i]] === undefined) {
logger.warn('config.js contains deprecated lowercase setting for ' + keys[i] + '. Please change your config.js file to replace ' + lowercaseKey + ' with ' + keys[i])
config[keys[i]] = config[lowercaseKey]
}
}
+// Generate session secret if it stays on default values
+if (config.sessionSecret === 'secret') {
+ logger.warn('Session secret not set. Using random generated one. Please set `sessionSecret` in your config.js file. All users will be logged out.')
+ config.sessionSecret = crypto.randomBytes(Math.ceil(config.sessionSecretLen / 2)) // generate crypto graphic random number
+ .toString('hex') // convert to hexadecimal format
+ .slice(0, config.sessionSecretLen) // return required number of characters
+}
+
// Validate upload upload providers
-if (['filesystem', 's3', 'minio', 'imgur'].indexOf(config.imageUploadType) === -1) {
- logger.error('"imageuploadtype" is not correctly set. Please use "filesystem", "s3", "minio" or "imgur". Defaulting to "imgur"')
+if (['filesystem', 's3', 'minio', 'imgur', 'azure'].indexOf(config.imageUploadType) === -1) {
+ logger.error('"imageuploadtype" is not correctly set. Please use "filesystem", "s3", "minio", "azure" or "imgur". Defaulting to "imgur"')
config.imageUploadType = 'imgur'
}
diff --git a/lib/csp.js b/lib/csp.js
index cef2e2f6..d0f906a3 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -5,12 +5,13 @@ var CspStrategy = {}
var defaultDirectives = {
defaultSrc: ['\'self\''],
- scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net', 'https://query.yahooapis.com', 'https://*.disqus.com', '\'unsafe-eval\''],
+ scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net', 'https://query.yahooapis.com', '\'unsafe-eval\''],
// ^ TODO: Remove unsafe-eval - webpack script-loader issues https://github.com/hackmdio/hackmd/issues/594
imgSrc: ['*'],
styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://assets-cdn.github.com'], // unsafe-inline is required for some libs, plus used in views
fontSrc: ['\'self\'', 'https://public.slidesharecdn.com'],
objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/
+ mediaSrc: ['*'],
childSrc: ['*'],
connectSrc: ['*']
}
@@ -21,11 +22,23 @@ var cdnDirectives = {
fontSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.gstatic.com']
}
+var disqusDirectives = {
+ scriptSrc: ['https://*.disqus.com', 'https://*.disquscdn.com'],
+ styleSrc: ['https://*.disquscdn.com'],
+ fontSrc: ['https://*.disquscdn.com']
+}
+
+var googleAnalyticsDirectives = {
+ scriptSrc: ['https://www.google-analytics.com']
+}
+
CspStrategy.computeDirectives = function () {
var directives = {}
mergeDirectives(directives, config.csp.directives)
mergeDirectivesIf(config.csp.addDefaults, directives, defaultDirectives)
mergeDirectivesIf(config.useCDN, directives, cdnDirectives)
+ mergeDirectivesIf(config.csp.addDisqus, directives, disqusDirectives)
+ mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives)
if (!areAllInlineScriptsAllowed(directives)) {
addInlineScriptExceptions(directives)
}
diff --git a/lib/letter-avatars.js b/lib/letter-avatars.js
index 7ba336b6..b5b1d9e7 100644
--- a/lib/letter-avatars.js
+++ b/lib/letter-avatars.js
@@ -1,16 +1,17 @@
'use strict'
// external modules
-var randomcolor = require('randomcolor')
+const randomcolor = require('randomcolor')
+const config = require('./config')
// core
-module.exports = function (name) {
- var color = randomcolor({
+exports.generateAvatar = function (name) {
+ const color = randomcolor({
seed: name,
luminosity: 'dark'
})
- var letter = name.substring(0, 1).toUpperCase()
+ const letter = name.substring(0, 1).toUpperCase()
- var svg = '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
+ let svg = '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
svg += '<svg xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://www.w3.org/2000/svg" height="96" width="96" version="1.1" viewBox="0 0 96 96">'
svg += '<g>'
svg += '<rect width="96" height="96" fill="' + color + '" />'
@@ -20,5 +21,9 @@ module.exports = function (name) {
svg += '</g>'
svg += '</svg>'
- return 'data:image/svg+xml;base64,' + new Buffer(svg).toString('base64')
+ return svg
+}
+
+exports.generateAvatarURL = function (name) {
+ return config.serverURL + '/user/' + name + '/avatar.svg'
}
diff --git a/lib/models/note.js b/lib/models/note.js
index 69393dd4..2a048e37 100644
--- a/lib/models/note.js
+++ b/lib/models/note.js
@@ -211,6 +211,15 @@ module.exports = function (sequelize, DataTypes) {
},
// parse note id by LZString is deprecated, here for compability
parseNoteIdByLZString: function (_callback) {
+ // Calculate minimal string length for an UUID that is encoded
+ // base64 encoded and optimize comparsion by using -1
+ // this should make a lot of LZ-String parsing errors obsolete
+ // as we can assume that a nodeId that is 48 chars or longer is a
+ // noteID.
+ const base64UuidLength = ((4 * 36) / 3) - 1
+ if (!(noteId.length > base64UuidLength)) {
+ return _callback(null, null)
+ }
// try to parse note id by LZString Base64
try {
var id = LZString.decompressFromBase64(noteId)
diff --git a/lib/models/user.js b/lib/models/user.js
index f421fe43..4c823355 100644
--- a/lib/models/user.js
+++ b/lib/models/user.js
@@ -6,7 +6,7 @@ var scrypt = require('scrypt')
// core
var logger = require('../logger')
-var letterAvatars = require('../letter-avatars')
+var {generateAvatarURL} = require('../letter-avatars')
module.exports = function (sequelize, DataTypes) {
var User = sequelize.define('User', {
@@ -108,7 +108,7 @@ module.exports = function (sequelize, DataTypes) {
if (bigger) photo = photo.replace(/(\?s=)\d*$/i, '$1400')
else photo = photo.replace(/(\?s=)\d*$/i, '$196')
} else {
- photo = letterAvatars(profile.username)
+ photo = generateAvatarURL(profile.username)
}
break
case 'mattermost':
@@ -117,7 +117,7 @@ module.exports = function (sequelize, DataTypes) {
if (bigger) photo = photo.replace(/(\?s=)\d*$/i, '$1400')
else photo = photo.replace(/(\?s=)\d*$/i, '$196')
} else {
- photo = letterAvatars(profile.username)
+ photo = generateAvatarURL(profile.username)
}
break
case 'dropbox':
@@ -140,7 +140,7 @@ module.exports = function (sequelize, DataTypes) {
if (bigger) photo += '?s=400'
else photo += '?s=96'
} else {
- photo = letterAvatars(profile.username)
+ photo = generateAvatarURL(profile.username)
}
break
case 'saml':
@@ -149,7 +149,7 @@ module.exports = function (sequelize, DataTypes) {
if (bigger) photo += '?s=400'
else photo += '?s=96'
} else {
- photo = letterAvatars(profile.username)
+ photo = generateAvatarURL(profile.username)
}
break
}
diff --git a/lib/realtime.js b/lib/realtime.js
index d8b0b4c5..070bde2d 100644
--- a/lib/realtime.js
+++ b/lib/realtime.js
@@ -788,7 +788,7 @@ function connection (socket) {
var note = notes[noteId]
// Only owner can change permission
if (note.owner && note.owner === socket.request.user.id) {
- if (permission === 'freely' && !config.allowAnonymous && !config.allowAnonymousedits) return
+ if (permission === 'freely' && !config.allowAnonymous && !config.allowAnonymousEdits) return
note.permission = permission
models.Note.update({
permission: permission
diff --git a/lib/response.js b/lib/response.js
index b18fd7a3..d6fb3b42 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -17,7 +17,13 @@ var utils = require('./utils')
// public
var response = {
errorForbidden: function (res) {
- responseError(res, '403', 'Forbidden', 'oh no.')
+ const {req} = res
+ if (req.user) {
+ responseError(res, '403', 'Forbidden', 'oh no.')
+ } else {
+ req.flash('error', 'You are not allowed to access this page. Maybe try logging in?')
+ res.redirect(config.serverURL)
+ }
},
errorNotFound: function (res) {
responseError(res, '404', 'Not Found', 'oops.')
@@ -59,7 +65,7 @@ function showIndex (req, res, next) {
url: config.serverURL,
useCDN: config.useCDN,
allowAnonymous: config.allowAnonymous,
- allowAnonymousEdits: config.allowAnonymousedits,
+ allowAnonymousEdits: config.allowAnonymousEdits,
facebook: config.isFacebookEnable,
twitter: config.isTwitterEnable,
github: config.isGitHubEnable,
@@ -94,7 +100,7 @@ function responseHackMD (res, note) {
title: title,
useCDN: config.useCDN,
allowAnonymous: config.allowAnonymous,
- allowAnonymousEdits: config.allowAnonymousedits,
+ allowAnonymousEdits: config.allowAnonymousEdits,
facebook: config.isFacebookEnable,
twitter: config.isTwitterEnable,
github: config.isGitHubEnable,
@@ -226,7 +232,8 @@ function showPublishNote (req, res, next) {
lastchangeuserprofile: note.lastchangeuser ? models.User.getProfile(note.lastchangeuser) : null,
robots: meta.robots || false, // default allow robots
GA: meta.GA,
- disqus: meta.disqus
+ disqus: meta.disqus,
+ cspNonce: res.locals.nonce
}
return renderPublish(data, res)
}).catch(function (err) {
diff --git a/lib/web/auth/saml/index.js b/lib/web/auth/saml/index.js
index 3ecbc6f3..b8d98340 100644
--- a/lib/web/auth/saml/index.js
+++ b/lib/web/auth/saml/index.js
@@ -20,14 +20,14 @@ passport.use(new SamlStrategy({
identifierFormat: config.saml.identifierFormat
}, function (user, done) {
// check authorization if needed
- if (config.saml.externalGroups && config.saml.grouptAttribute) {
+ if (config.saml.externalGroups && config.saml.groupAttribute) {
var externalGroups = intersection(config.saml.externalGroups, user[config.saml.groupAttribute])
if (externalGroups.length > 0) {
logger.error('saml permission denied: ' + externalGroups.join(', '))
return done('Permission denied', null)
}
}
- if (config.saml.requiredGroups && config.saml.grouptAttribute) {
+ if (config.saml.requiredGroups && config.saml.groupAttribute) {
if (intersection(config.saml.requiredGroups, user[config.saml.groupAttribute]).length === 0) {
logger.error('saml permission denied')
return done('Permission denied', null)
diff --git a/lib/web/imageRouter/azure.js b/lib/web/imageRouter/azure.js
new file mode 100644
index 00000000..cc98e5fc
--- /dev/null
+++ b/lib/web/imageRouter/azure.js
@@ -0,0 +1,35 @@
+'use strict'
+const path = require('path')
+
+const config = require('../../config')
+const logger = require('../../logger')
+
+const azure = require('azure-storage')
+
+exports.uploadImage = function (imagePath, callback) {
+ if (!imagePath || typeof imagePath !== 'string') {
+ callback(new Error('Image path is missing or wrong'), null)
+ return
+ }
+
+ if (!callback || typeof callback !== 'function') {
+ logger.error('Callback has to be a function')
+ return
+ }
+
+ var azureBlobService = azure.createBlobService(config.azure.connectionString)
+
+ azureBlobService.createContainerIfNotExists(config.azure.container, { publicAccessLevel: 'blob' }, function (err, result, response) {
+ if (err) {
+ callback(new Error(err.message), null)
+ } else {
+ azureBlobService.createBlockBlobFromLocalFile(config.azure.container, path.basename(imagePath), imagePath, function (err, result, response) {
+ if (err) {
+ callback(new Error(err.message), null)
+ } else {
+ callback(null, azureBlobService.getUrl(config.azure.container, result.name))
+ }
+ })
+ }
+ })
+}
diff --git a/lib/web/userRouter.js b/lib/web/userRouter.js
index ecfbaf8b..963961c7 100644
--- a/lib/web/userRouter.js
+++ b/lib/web/userRouter.js
@@ -5,6 +5,7 @@ const Router = require('express').Router
const response = require('../response')
const models = require('../models')
const logger = require('../logger')
+const {generateAvatar} = require('../letter-avatars')
const UserRouter = module.exports = Router()
@@ -34,3 +35,9 @@ UserRouter.get('/me', function (req, res) {
})
}
})
+
+UserRouter.get('/user/:username/avatar.svg', function (req, res, next) {
+ res.setHeader('Content-Type', 'image/svg+xml')
+ res.setHeader('Cache-Control', 'public, max-age=86400')
+ res.send(generateAvatar(req.params.username))
+})