Commit message (Author, Age, Files, Lines)
* Add note export function (Sheogorath, 2018-05-26, 1 file, -0/+56)
  This function is the first step to get out data following GDPR about the transportability of data.
  Details: https://gdpr-info.eu/art-20-gdpr/
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Add token based security feature (Sheogorath, 2018-05-25, 5 files, -13/+53)
  In the current setup users could be tricked into deleting their data by providing a malicious link like `[click me](/me/delete)`. This commit prevents such an easy attack and needs the user's deleteToken to get his data deleted. In case someone requests his deletion by email you can also ask him for this token. We can add a GUI that shows it later on.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Add delete user UI (Sheogorath, 2018-05-25, 3 files, -16/+44)
  This provides the UI for the delete user feature introduced in 4229084c6211db3d22cd9abec99b957725650b9e. Placing of the user delete button is not perfect, but it can be moved to its own user tab later on.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix requests for deleted users (Sheogorath, 2018-05-25, 2 files, -5/+10)
  When users are requested from the authorship which no longer exist, they shouldn't cause a 500.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Add delete function for authenticated users (Sheogorath, 2018-05-25, 1 file, -0/+24)
  Allow users to delete themselves. This is required to be GDPR compliant.
  See: https://gdpr-info.eu/art-17-gdpr/
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Use cascaded deletes (Sheogorath, 2018-05-25, 3 files, -4/+12)
  When we delete a user we should delete all the notes that belong to this user including the revisions of these notes.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Use hard delete instead of soft delete (Sheogorath, 2018-05-25, 1 file, -1/+1)
  Right now we only flag notes as deleted. This is no longer allowed under GDPR. Make sure you do regular backups!
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Add privacy and ToS links (Sheogorath, 2018-05-24, 3 files, -4/+9)
  To be GDPR compliant we need to provide a privacy statement. These should be linked on the index page. So as soon as a document exists under `public/docs/privacy.md` the link will show up. Since we already add legal links, we also add Terms of Use, which will show up as soon as `public/docs/terms-of-use.md` exists. This should allow everyone to provide the legal documents they need for GDPR and other privacy and business laws.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Update yarn.lock (Sheogorath, 2018-05-21, 1 file, -3/+3)
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Add current requirements for node versions (Sheogorath, 2018-05-21, 1 file, -1/+1)
  Right now we can only run on node versions below 10.x thanks to scrypt dependencies.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #826 from SISheogorath/upgrade/base64url (Christoph (Sheogorath) Kern, 2018-05-17, 1 file, -1/+1)
  Upgrade base64url package
* Upgrade base64url package (Sheogorath, 2018-05-17, 1 file, -1/+1)
  There was recently a possible security problem with base64url. Shouldn't really hit us but it doesn't hurt.
  Details: https://snyk.io/vuln/npm:base64url:20180511
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #825 from SISheogorath/remove/GoogleDrive (Christoph (Sheogorath) Kern, 2018-05-16, 11 files, -516/+3)
  Removing google drive integration
* Removing google drive integration (Sheogorath, 2018-05-16, 11 files, -516/+3)
  It's sad but it's not working. For multiple releases this should be already broken which shows how often it's used. As there is also a security issue related to that, it's better to remove the feature completely. Whoever wants to rewrite it, feel free to go. This commit removes the Google Drive integration from HackMD's Frontend editor and this way removes the need to provide any API key and Client ID in the frontend.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #824 from hackmdio/revert-813-fix/googleAPI (Christoph (Sheogorath) Kern, 2018-05-16, 4 files, -4/+10)
  Revert "Workaround Google API problems"
* Revert "Workaround Google API problems" (Christoph (Sheogorath) Kern, 2018-05-16, 4 files, -4/+10)
* Merge pull request #813 from SISheogorath/fix/googleAPI (Christoph (Sheogorath) Kern, 2018-05-10, 4 files, -10/+4)
  Workaround Google API problems
* Remove Google Upload from UI (Sheogorath, 2018-05-01, 1 file, -9/+1)
  This temporarily removes the Upload from the UI as it's broken right now. Needs a refactoring and can be added in again later on by undoing this commit.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Use API key instead of clientSecret (Sheogorath, 2018-04-13, 3 files, -1/+3)
  As recently discovered we send the clientSecret to the webclient which is potentially dangerous. This patch should fix the problem and replace the clientSecret with the originally intended and correct way to implement it using the API key.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #811 from hackmdio/fix-saml-typo (Christoph (Sheogorath) Kern, 2018-04-28, 1 file, -2/+2)
  Fix typo of "grouptAttribute" in saml auth module
* Fix typo of "grouptAttribute" in saml auth module (Max Wu, 2018-04-27, 1 file, -2/+2)
  Signed-off-by: Max Wu <jackymaxj@gmail.com>
* Merge pull request #803 from SISheogorath/fix/letterAvatarCSP (Christoph (Sheogorath) Kern, 2018-04-17, 3 files, -11/+23)
  Move letter-avatars into own request
* Move letter-avatars into own request (Sheogorath, 2018-04-17, 3 files, -11/+23)
  To prevent further weakening of our CSP policies, moving the Avatars into a non-inline version is the way to go. This implementation probably needs some beautification. But already fixes the bug.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Update yarn.lock (Sheogorath, 2018-04-17, 1 file, -1/+1)
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #805 from SISheogorath/fix/noFile (Christoph (Sheogorath) Kern, 2018-04-17, 3 files, -2/+7)
  Fix possible file limit errors
* Fix possible file limit errors (Sheogorath, 2018-04-16, 3 files, -2/+7)
  As we currently may need higher nofile limits than usual/default on various systems this commit should provide a fix for that and allow to build HackMD without raising these limits and increase security. Inspiration was found in a copy-webpack-plugin-issue[1] and found by @thegcat[2]. Thanks for that!
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
  [1]: https://github.com/webpack-contrib/copy-webpack-plugin/issues/59#issuecomment-228563990
  [2]: https://github.com/thegcat
* Add config.json.example to npm test (Sheogorath, 2018-04-14, 1 file, -1/+1)
  This commit extends the find command to also match the example config file. This should validate the syntax of this file to prevent syntax errors for future pull requests.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix example config (Sheogorath, 2018-04-14, 1 file, -2/+2)
  This commit fixes some json format issues in our config example that cause errors on setup. This change should fix it.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #797 from SISheogorath/fix/LZErrorLog (Christoph (Sheogorath) Kern, 2018-04-11, 1 file, -0/+9)
  Add check for noteId length
* Add check for noteId length (Sheogorath, 2018-04-10, 1 file, -0/+9)
  As we know the length of a UUID we can check if the base64 string of the provided UUID is long enough for a legacy base64 encoded noteId and stop processing it in legacy mode, if it's not the case. This should make the ugly warning way less common.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #799 from SISheogorath/fix/AnonymousEditTypos (Christoph (Sheogorath) Kern, 2018-04-11, 3 files, -4/+4)
  Fix typos for `allowAnonymousEdits`
* Fix typos for `allowAnonymousEdits` (Sheogorath, 2018-04-10, 3 files, -4/+4)
  Looks like we lost some variables during the refactoring of the configs to camel case. This should fix it.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Extend README (Sheogorath, 2018-04-11, 1 file, -0/+4)
  Add hint about file descriptor limits and add the new translation platform.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Release 1.1.0-ce (Sheogorath, 2018-04-06, 1 file, -1/+1)
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge branch 'feature/releaseNotes1.1.0' (Sheogorath, 2018-04-06, 2 files, -12/+83)
* Minor fixes in release notes (Sheogorath, 2018-04-06, 1 file, -9/+10)
  Fix some spelling and style issues as well as adding the latest changes.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Add migration section to README.md (Sheogorath, 2018-04-06, 1 file, -2/+9)
  As it was requested to be more visible, this commit adds a migration section about the introduced config style changes.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Update release notes (Sheogorath, 2018-03-30, 1 file, -10/+73)
  Providing release notes for version 1.1.0-ce
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge branch 'docs/features-1.1.0-ce' (Sheogorath, 2018-04-06, 1 file, -3/+8)
* Provide feature changes in 1.1.0-ce (Sheogorath, 2018-03-30, 1 file, -3/+8)
  Adding some documentation for night mode and upload times. Extend the contact section for community support.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #796 from SISheogorath/feature/addMatrix (Christoph (Sheogorath) Kern, 2018-04-06, 5 files, -5/+7)
  Add matrix.org / Riot link
* Add matrix.org / Riot link (Sheogorath, 2018-04-05, 5 files, -5/+7)
  As an active part of the community prefers Matrix.org over Gitter, we should link Matrix.org as a place to meet us. As the Matrix and Gitter channels are interconnected, we don't lose any message if a person decides to go for one or another. We use a more universal way of translation to make it easier to provide a link to various platforms.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #790 from SISheogorath/fix/nightModeCSS (Christoph (Sheogorath) Kern, 2018-04-05, 2 files, -2/+21)
  Fix modal and panel colors in night mode
* Fix code blocks color in night mode (Sheogorath, 2018-04-05, 1 file, -0/+5)
  This provides more eye-friendly code boxes when night mode is active.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix modal and panel colors in night mode (Sheogorath, 2018-03-29, 1 file, -2/+16)
  Night mode provides a generally dark interface. This fix provides the needed CSS to also turn modals and panels into night mode design as well. This mainly affects the help modal.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #791 from SISheogorath/fix/extendedCSPPolicies (Christoph (Sheogorath) Kern, 2018-04-05, 6 files, -9/+25)
  Fix CSP for disqus and Google Analytics
* Fix CSP for disqus and Google Analytics (Sheogorath, 2018-03-30, 6 files, -9/+25)
  This commit should fix existing problems with Disqus and Google Analytics enabled in the meta-yaml section of a note. Before this commit they were blocked by the strict CSP. It's still possible to disable the added directives using `addDisqus` and `addGoogleAnalytics` in the `csp` config section. They are enabled by default to prevent breaking changes.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #789 from SISheogorath/fix/sessionSecretEnv (Christoph (Sheogorath) Kern, 2018-03-29, 3 files, -0/+8)
  Add session data to env vars
* Add session data to env vars (Sheogorath, 2018-03-29, 3 files, -0/+8)
  Currently the session secret can only be set by config.json or docker secrets. This creates a problem on Heroku hosted instances that can not set a session secret. Since we automatically generate them on startup this results in a logout of all users on every config change in Heroku.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #780 from SISheogorath/fix/sessionSecret (Christoph (Sheogorath) Kern, 2018-03-28, 2 files, -0/+10)
  Automatically generate a session secret if default is used