summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* feat: add remark-lint dependencies and scriptoupala2020-07-021-0/+3
| | | | | | Add remark-lint dependencies as dev dependencies, and an npm script alias to launch markdown linting with `npm run markdownlint`. Signed-off-by: oupala <oupala@users.noreply.github.com>
* doc: add a markdown linting configuration fileoupala2020-07-021-0/+5
| | | | | | Add a markdown linting configuration file. The configuration file is using [remark-preset-lint-markdown-style-guide](https://github.com/remarkjs/remark-lint/tree/master/packages/remark-preset-lint-markdown-style-guide). This preset configure `remark-lint` with settings that the [Markdown Style Guide](http://www.cirosantilli.com/markdown-style-guide/) recommends. Signed-off-by: oupala <oupala@users.noreply.github.com>
* Upgrade LDAP-auth to fix RCE in ldapauth dependencySheogorath2020-06-271-40/+69
| | | | | | | | | | | | | | | Synk reported an Remote Code Execution vulnerability for the passport-ldapauth dependency `bunyan`. This RCE is due to wrong command sanitizing but doesn't only affects the executable the libary provides. It has no impact on CodiMD. This patch just updates passport-ldapauth since it's long overdue anyway and to silence annoying security scanners that pretend this is rather critical for us. Reference: https://github.com/trentm/node-bunyan/commit/ea21d75f548373f29bb772b15faeb83e87089746 https://app.snyk.io/vuln/SNYK-JS-BUNYAN-573166
* Merge pull request #423 from codimd/SuperSandro2000-patch-1Sheogorath2020-06-261-6/+6
|\ | | | | Fix browser logo links
| * Fix browser logo linksSandro2020-06-261-6/+6
|/ | | | Signed-off-by: Sandro Jäckel <sandro.jaeckel@gmail.com>
* Merge pull request #419 from vberger/masterSheogorath2020-06-235-5/+10
|\ | | | | Backport of #278 for 1.6.1
| * Backport of #278 for 1.6.1Victor Berger2020-06-205-5/+10
|/ | | | | | | This is a backport of #278 with the default value of `scope` changed to `undefined`. This is thus a fully backward-compatible change. Signed-off-by: Victor Berger <victor.berger@m4x.org>
* Merge pull request #398 from gramakri/patch-1Sheogorath2020-06-201-1/+6
|\ | | | | Update Cloudron docs
| * Update Cloudron docsGirish Ramakrishnan2020-06-121-1/+6
| | | | | | | | | | | | Added a link to the demo and source code repo Signed-off-by: Girish Ramakrishnan <girish@cloudron.io>
* | Merge pull request #416 from oupala/patch-2Sheogorath2020-06-201-7/+6
|\ \ | | | | | | fix: outdated internal links in documentation
| * | fix: outdated internal links in documentationoupala2020-06-201-7/+6
|/ / | | | | | | Signed-off-by: oupala <oupala@users.noreply.github.com>
* | Merge pull request #414 from dalcde/configSheogorath2020-06-191-4/+4
|\ \ | | | | | | Fix docs/configuration formatting
| * | Fix docs/configuration formattingDexter Chua2020-06-191-4/+4
|/ / | | | | | | Signed-off-by: Dexter Chua <dalcde@yahoo.com.hk>
* | Merge pull request #404 from oupala/masterSheogorath2020-06-184-456/+268
|\ \ | | | | | | improve documentation about configuration
| * | refactor: move some documentationoupala2020-06-171-4/+4
| | | | | | | | | | | | Signed-off-by: oupala <oupala@users.noreply.github.com>
| * | fix: document CMD_S3_ENDPOINT ENV variableoupala2020-06-171-0/+1
| | | | | | | | | | | | | | | | | | fix #349 Signed-off-by: oupala <oupala@users.noreply.github.com>
| * | refactor: lint markdownoupala2020-06-171-24/+1
| | | | | | | | | | | | Signed-off-by: oupala <oupala@users.noreply.github.com>
| * | doc: merge configuration-config-file.md and configuration-env-vars.md to ↵oupala2020-06-174-456/+290
|/ / | | | | | | | | | | configuration.md Signed-off-by: oupala <oupala@users.noreply.github.com>
* | Merge pull request #400 from david-sawatzke/fix-anonymous-edits-docuSheogorath2020-06-132-2/+2
|\ \ | |/ |/| Fix allow anonymous edit documentation
| * Fix allow anonymous edit documentationDavid Sawatzke2020-06-122-2/+2
|/ | | | | | The default is false and the option only matters if allowAnonymous is true Signed-off-by: David Sawatzke <d-git@sawatzke.dev>
* Relax cookie restrictions to 'lax' to allow frontend to workSheogorath2020-06-101-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | Our frontend requests the `/me` pathname in order to determine whether it's logged in or not. Due to the fact that the sameSite attribute of the session cookie was set to `strict` in a previous commit, the session token was no longer sent along with HTTP calls initiated by JS. This is due to the RFCs definition of "safe" HTTP calls in RFC7231. The bug triggers the UI to show up like an unauthenticated user, even after a successful login. In order to debug it a look into the send cookies to the `/me` turned out to be very enlightening. The fix this patch implements is rather simple, it replaces the sameSite attribute to `lax` which enables the cookies for those requests again. Some older and mobile clients were unaffected by this due to the lack of implementations of sameSite policies. References: https://tools.ietf.org/html/rfc7231#section-4.2.1 https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.3.7.1 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite https://github.com/codimd/server/commit/e77e7b165ac4920290015ec4b95e651730009edc Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix broken cookie handling due to missing proxy awarenessSheogorath2020-06-101-0/+7
| | | | | | | | | | | | | | | | | | | We enabled the `secure` flag for various cookies in previous commits. This caused setups behind reverse proxies to drop cookies as the nodejs instance wasn't aware of the fact that it was able to hand out secure commits using an insecure connection (between the codimd instance and the reverse proxy). This patch makes express, the webserver framework we use, aware of proxies and this way re-enabled the handing out of cookies. Not only the cookie monster will enjoy, but also functionality like authentication and real-time editing will return as intended. References: https://www.npmjs.com/package/express-session#cookiesecure https://github.com/codimd/server/commit/383d791a50919bb9890a3f3f797ecc95125ab8bf Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Upgrade pg to fix node version 14 compatibilitySheogorath2020-06-092-23/+23
| | | | | | | | | | | | | | | | As @davidmehren figured out, the problem that NodeJS version 14 gets stuck while CodiMD is starting, was due to the outdated postgres dependency. The old pg version doesn't work with node version 14 due to an undocumented API change in the `readyState` in the socket API. This patch updates the required dependency and this way resolves the issue. Reference: https://github.com/sequelize/sequelize/issues/12158 https://github.com/brianc/node-postgres/commit/149f48232445da0fb3022044e4f1c53509040ad3 Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge branch 'fix/sessionCookies'Sheogorath2020-06-081-1/+2
|\
| * Remove unused socket.io cookieSheogorath2020-06-081-1/+1
| | | | | | | | | | | | | | | | | | The socket.io cookie doesn't really have any purpose as it's no longer user in modern socket.io versions. This patch disables it. References: https://github.com/socketio/socket.io/issues/2276 Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
| * Ensure session cookies are secureSheogorath2020-06-081-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | While HSTS should take care of most of this, setting cookies to be secure, and only applied on same site helps to improve situations where for whatever reason, downgrade attacks are still a thing. This patch adds the `sameSite` and `secure` to the session cookie and this way prevent all accidents where a browser may doesn't support HSTS or HSTS is intentionally dropped. Reference: https://www.npmjs.com/package/express-session#cookiesecure Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Merge branch 'pr-upstream-389'Sheogorath2020-06-085-14/+27
|\ \ | |/ |/|
| * Disable unneeded 'io' cookie.David Mehren2020-06-081-1/+1
| | | | | | | | | | | | According to https://github.com/socketio/socket.io/issues/2276 this cookie is not used for anything. To avoid browser warnings about the sameSite attribute, we disable it here. Signed-off-by: David Mehren <dmehren1@gmail.com>
| * Set all cookies with sameSite: strictDavid Mehren2020-06-085-13/+26
|/ | | | | | Modern browsers do not support (or will stop supporting) sameSite: none (or no sameSite attribute) without the Secure flag. As we don't want everyone to be able to make requests with our cookies anyway, this commit sets sameSite to strict. See https://developer.mozilla.org/de/docs/Web/HTTP/Headers/Set-Cookie/SameSite Signed-off-by: David Mehren <dmehren1@gmail.com>
* Merge pull request #375 from codingHahn/fix-checksumsSheogorath2020-05-283-3/+3
|\ | | | | Fix checksums of mermaid
| * Fix checksums of mermaidNick Hahn2020-05-283-3/+3
|/ | | | Signed-off-by: Nick Hahn <nick.hahn@posteo.de>
* Merge pull request #373 from codingHahn/update-mermaidSheogorath2020-05-275-10/+17
|\ | | | | Update to mermaid 8.5.1
| * Update all other dependenciesNick Hahn2020-05-271-6/+13
| | | | | | | | | | | | because I can't figure out how to just update mermaid Signed-off-by: Nick Hahn <nick.hahn@posteo.de>
| * Update to mermaid 8.5.1Nick Hahn2020-05-274-4/+4
|/ | | | Signed-off-by: Nick Hahn <nick.hahn@posteo.de>
* Add translations for permissionsSheogorath2020-05-262-7/+13
| | | | | | | | | | Adding translations for permissions for a possible 1.6.1 release doesn't hurt but might helps some usecases of running CodiMD and we'll need the translations in the new frontend anyway. This patch adds the translations as well as the english local file. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Upgrade jquery to 3.5.1Sheogorath2020-05-262-5/+5
| | | | Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #344 from SuperSandro2000/fix-links-1.xSheogorath2020-05-171-9/+9
|\ | | | | Fix redirected, outdated links and convert all to https
| * Update outdated linksSandro Jäckel2020-04-261-3/+3
| | | | | | | | Signed-off-by: Sandro Jäckel <sandro.jaeckel@gmail.com>
| * Update all links with httpsSandro Jäckel2020-04-261-6/+6
| | | | | | | | Signed-off-by: Sandro Jäckel <sandro.jaeckel@gmail.com>
* | Merge pull request #335 from ErikMichelson/docs/url-schemeSheogorath2020-05-101-0/+34
|\ \ | | | | | | Add document explaining different URLs
| * | Add document explaining different URLsErik Michelson2020-04-251-0/+34
| | | | | | | | | | | | Signed-off-by: Erik Michelson <erik@liltv.de>
* | | Merge pull request #347 from codimd/backport-345Sheogorath2020-04-281-1/+1
|\ \ \ | |/ / |/| | findNoteOrCreate: Create new note with empty string instead of `null`
| * | findNoteOrCreate: Create new note with empty string instead of `null`Sandro2020-04-281-1/+1
|/ / | | | | | | | | | | Backport of #345 to 1.x Signed-off-by: Sandro Jäckel <sandro.jaeckel@gmail.com>
* | Merge pull request #309 from margau/masterSheogorath2020-04-211-2/+4
|\ \ | | | | | | Make "transform-style: preserve-3d;" screen-only.
| * | Make "transform-style: preserve-3d;" screen-only.Marvin Gaube2020-03-231-2/+4
| | | | | | | | | | | | Signed-off-by: Marvin Gaube <dev@marvingaube.de>
* | | Merge pull request #321 from codimd/snyk-fix-36a009650e9001b5861c54337c2b192dSheogorath2020-04-162-22/+6
|\ \ \ | |/ / |/| | [Snyk] Security upgrade jquery from 3.4.1 to 3.5.0
| * | fix: package.json & yarn.lock to reduce vulnerabilitiessnyk-bot2020-04-142-22/+6
|/ / | | | | | | | | The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-JQUERY-565129
* | Merge pull request #305 from ErikMichelson/fix/eslintSheogorath2020-03-221-19/+23
|\ \ | | | | | | Fixed eslint errors in cleanup-script
| * | Fixed eslint errors (whitespaces)Erik Michelson2020-03-211-19/+23
|/ / | | | | | | Signed-off-by: Erik Michelson <erik@liltv.de>
* | Clean up all foreign-key constraintsSheogorath2020-03-211-0/+20
| | | | | | | | | | | | | | | | | | | | | | This patch cleans up the remaining possible foreign-key constraint. This case seem to appear, when notes are deleted, but due to missing database contraints not their authroships. This function should clean that up as well and complete the preparation for the new db contraints. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>