path: root/app.js
Date | Commit message | Author | Files | Lines
2018-11-19 | Fix wrong maxAgeSeconds multiplication | Sheogorath | 1 | -1/+1
It seems like the initial work on the hsts module expected milliseconds. This has either changed or was never true. Either way, it caused that the current defaults resulted in theory in a 1000 year HSTS policy. Luckily helmet was smart enough to not go higher than 1 year. Anyway, this patch fixes the multiplication of the configured size with 1000 by removing this multiplication. Also to simplify the reading of the defaults, we split them into their components, 60 times 60 seconds so we get one hour. 24 of those hours so we get a day and finally 365 days to get our original wanted default of one year.
Reference: https://github.com/hackmdio/CodiMD/commit/d69d65ea7434eee85db4b905f0852f4d8fa7ecce
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-16 | Fix streaming for winston | Sheogorath | 1 | -1/+1
During the upgrade of winston in c3584770f24205d84b9399abd9535cb27dc7b00c the class extension for streaming was removed. This caused silent crashes. Somehow winston simply called `process.exit(1)` whenever `logger.write()` was called. This is really bad and only easy to debug because of the testing right after upgrading. However, reimplementing the stream interface as it was, didn't work, due to the fact that `logger.write()` is already implemented and causes the mentioned problem. So we extend the object with a `stream` object that implements `write()` for streams and pass that to morgan. So this patch fixes unexpected exiting for streaming towards our logging module.
References:
https://www.digitalocean.com/community/tutorials/how-to-use-winston-to-log-node-js-applications
https://github.com/hackmdio/codimd/commit/c3584770f24205d84b9399abd9535cb27dc7b00c
https://stackoverflow.com/a/28824464
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-12 | Enforce disabled index for static assets | Sheogorath | 1 | -1/+1
ExpressJS still does allow serving index.html files. This change disables that permanently.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-11 | Add full version string | Sheogorath | 1 | -0/+1
Currently we only provide the version from `package.json`. This means that during updates of instances, e.g. the demo instance, which runs latest master instead of a stable release, changes are not reflected to the webclient. This patch adds a fullversion string that contains the current commit and this way makes that clients are notified about changes.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-07 | Fix menu for github and dropbox | Cédric Couralet | 1 | -1/+5
Signed-off-by: Cédric Couralet <cedric.couralet@gmail.com>
2018-11-07 | Fix menu when gitlab is enabled | Cédric Couralet | 1 | -0/+1
Signed-off-by: Cédric Couralet <cedric.couralet@gmail.com>
2018-11-03 | removing global site layout vars from individual routers, putting them into app.local | Claudius | 1 | -0/+23
Signed-off-by: Claudius <opensource@amenthes.de>
2018-09-26 | removing superfluous config parameters for template files | Claudius | 1 | -1/+1
Signed-off-by: Claudius <opensource@amenthes.de>
2018-09-26 | app.js: add missing routes for configurable paths | WilliButz | 1 | -0/+3
Signed-off-by: WilliButz <wbutz@cyberfnord.de>
2018-09-23 | Add indonesian language to CodiMD | Sheogorath | 1 | -1/+1
Big thanks @filosofikode for the translation work!
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-09-18 | Replace `uws` with `ws` package | Sheogorath | 1 | -1/+1
`uws` was deprecated by its maintainer and starts to cause more and more problems and issue reports. So it's time to replace it and use a maintained project instead. Lucky us, `uws` and `ws` can be used in an identical way, without problems. To provide better performance, we install the optional packages as well.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-07-27 | Support 'host' & 'path' config options | Miranda Kastemaa | 1 | -3/+13
Signed-off-by: Miranda Kastemaa <miranda@foldplop.com>
2018-06-24 | Do final internal renaming | Sheogorath | 1 | -0/+1
A little minor change, by moving the CodiMD version header in its own middleware. Should simplify to determine the version number of the Backend in future.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-24 | Rebrand HackMD to CodiMD | Sheogorath | 1 | -1/+1
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-24 | Move config out of statics path | Sheogorath | 1 | -16/+0
Since the static path is provided with a high expiration date, we provide configs via API. This shouldn't add any noticeable load while making it uncached and this way working again.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-23 | Remove unused zh.json from repo | Sheogorath | 1 | -1/+1
Since the original idea of using a symlink didn't work anyway, we should remove the zh.json symlink from the repo. It doesn't provide any benefit but alters the repo on start of HackMD.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-07 | Add korean translation | Sheogorath | 1 | -1/+1
This translation was contributed via POEditor by the user Basix. Thanks a lot for your work!
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-05 | Fix i18n writing locale files in production | Sheogorath | 1 | -1/+2
This commit should prevent the i18n module from adding missing translations to the local files in setups that are not for development. This way we keep the directory clean and idempotent.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-16 | Removing google drive integration | Sheogorath | 1 | -2/+0
It's sad but it's not working. For multiple releases this should be already broken which shows how often it's used. As there is also a security issue related to that, it's better to remove the feature completely. Whoever wants to rewrite it, feel free to go. This commit removes the Google Drive integration from HackMD's Frontend editor and this way removes the need to provide any API key and Client ID in the frontend.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-16 | Revert "Workaround Google API problems" | Christoph (Sheogorath) Kern | 1 | -1/+1
2018-04-13 | Use API key instead of clientSecret | Sheogorath | 1 | -1/+1
As recently discovered we send the clientSecret to the webclient which is potentially dangerous. This patch should fix the problem and replace the clientSecret with the originally intended and correct way to implement it using the API key.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-25 | Change config to camel case with backwards compatibility | Sheogorath | 1 | -17/+17
This refactors the configs a bit to now use camel case everywhere. This change should help to clean up the config interface and make it better understandable.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-02-12 | Add referrer policy | Sheogorath | 1 | -0/+7
This commit adds a referrer policy to all requests. The usage of `same-origin` allows HackMD to still interpret all requests and this way not break anything. But it prevents 3rd party scripts, pictures and more to get information that may lead to not secured note. It has to be mentioned that this maybe breaks some features of the Google Analytics embedding. This has to be tested.
Fixes #724
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-01-20 | Allow more detailed configuration of upload mime types | Sheogorath | 1 | -1/+2
Fixes #637
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-01-19 | Fix not passing app key correctly in dropbox config | Wu Cheng-Han | 1 | -1/+1
2017-10-23 | support Simplified Chinese and rename original zh to Traditional Chinese | Rwing | 1 | -1/+1
2017-10-22 | Move CSP logic to new file, Fix boolean config examples | Literallie | 1 | -73/+4
Not sure why I was quoting these in the first place
2017-10-22 | Add dirty workaround for speakers view inline script | Literallie | 1 | -0/+4
2017-10-22 | Allow any connect-src in CSP | Literallie | 1 | -1/+1
Managing these for all the integrations seems like a lot of effort
2017-10-22 | Don't add nonce to CSP if unsafe-inline is on | Literallie | 1 | -1/+3
Browsers ignore unsafe-inline if a nonce is sent
2017-10-22 | Change CSP config format to be more intuitive | Literallie | 1 | -5/+35
2017-10-22 | CSP: Workaround for ws:// protocol | Literallie | 1 | -2/+12
The spec allows wss:// for 'self', but not ws:// :(
2017-10-22 | Fix MathJax CSP issues | Literallie | 1 | -7/+7
2017-10-22 | CSP: Add nonce to slide view inline JS | Literallie | 1 | -0/+7
2017-10-22 | CSP: Upgrade insecure requests if possible | Literallie | 1 | -0/+5
Config option; default is to only upgrade if usessl
2017-10-22 | Add basic CSP support | Literallie | 1 | -0/+25
2017-10-13 | Make HSTS behaviour configurable; Fixes #584 | Literallie | 1 | -5/+10
2017-06-11 | Add support of Danish locale | Wu Cheng-Han | 1 | -1/+1
2017-05-08 | Fix import module name typo in app.js | Wu Cheng-Han | 1 | -1/+1
2017-05-08 | fix(imageRouter): import missing dependency: getImageMimeType | Raccoon Li | 1 | -3/+0
2017-05-08 | refactor: Rename checkURiVaild to checkURIValid to fit coding standard | BoHong Li | 1 | -2/+1
2017-05-08 | fix(app.js): Change config.maintenance to realtime.maintenance | BoHong Li | 1 | -1/+1
2017-05-08 | refactor(config.js): Extract config file | BoHong Li | 1 | -8/+5
* Separate different config source to each files
* Freeze config object
2017-05-08 | fix: Add 'use strict' on app.js | BoHong Li | 1 | -0/+1
2017-05-08 | refactor: Remove `require` extension filename | BoHong Li | 1 | -3/+3
2017-05-08 | refactor(app.js): Move passport serialize and deserialize to auth module | BoHong Li | 1 | -19/+0
2017-05-08 | refactor(app.js): Extract tooBusy | BoHong Li | 1 | -8/+2
2017-05-08 | refactor(app.js): Extract upload image | BoHong Li | 1 | -84/+2
2017-05-08 | fix(app.js): Fixed typo | BoHong Li | 1 | -1/+1
2017-05-08 | refactor(app.js): Extract note action | BoHong Li | 1 | -17/+4