summaryrefslogtreecommitdiff
path: root/app.js (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Ensure session cookies are secureSheogorath2020-06-081-1/+3
| | | | | | | | | | | | | | | While HSTS should take care of most of this, setting cookies to be secure, and only applied on same site helps to improve situations where for whatever reason, downgrade attacks are still a thing. This patch adds the `sameSite` and `secure` to the session cookie and this way prevent all accidents where a browser may doesn't support HSTS or HSTS is intentionally dropped. Reference: https://www.npmjs.com/package/express-session#cookiesecure Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Move note actions to their own file.David Mehren2019-10-271-3/+3
| | | | | | Because of circular import problems, this commit also moves the error messages from response.js to errors.js Signed-off-by: David Mehren <dmehren1@gmail.com>
* Slovak localeMartin Turoci2019-10-051-1/+1
| | | | Signed-off-by: Martin Turoci <martinturoci@gmail.com>
* Added Czech translationPetrTodorov2019-10-031-1/+1
| | | | Signed-off-by: PetrTodorov <info@petrtodorov.cz>
* Fixed #179 (redirect loop with a trailing slash)Erik Michelson2019-09-181-3/+3
| | | | Signed-off-by: Erik Michelson <erik@liltv.de>
* Add arabian translationSheogorath2019-08-151-1/+1
| | | | | | | Thanks to our great translators that made it to translate the major parts of CodiMD into Arabic! Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Add vietnamese languageSheogorath2019-05-261-1/+1
| | | | | | | | There was some awesome work by Hồng in the recent days who translated CodiMD completely into Vietnamese language! This patch provides this awesome contributions. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* fix unix socket not removed on shutdown (#50)naimo2019-04-161-0/+3
| | | | | | * fix unix socket not removed on shutdown Signed-off-by: naimo <nicolas@aimon.fr>
* specifying the locale jsons to be in the exact style of poeditor should cut ↵Claudius2019-04-041-0/+1
| | | | | | down on unneccessary changes ('churn') Signed-off-by: Claudius <opensource@amenthes.de>
* Add serbian languageSheogorath2019-03-041-1/+1
| | | | | | | | Thanks for the work of the translator Vladan we got a serbian translation added! Those few changes will add serbian language support for future CodiMD releases. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix wrong maxAgeSeconds multiplicationSheogorath2018-11-191-1/+1
| | | | | | | | | | | | | | | | | | | It seems like the inital work on the hsts module expected milliseconds. This has either changed or was never true. Either way, it caused that the current defaults resulted in theory in a 1000 year HSTS policy. Luckily helmet was smart enough to not go higher than 1 year. Anyway, this patch fixes the multiplication of the configured size with 1000 by removing this multiplication. Also to simplify the reading of the defaults, we split them into their components, 60 times 60 seconds so we get one hour. 24 of those hours so we get a day and finally 365 days to get our original wanted default of one year. Reference: https://github.com/hackmdio/CodiMD/commit/d69d65ea7434eee85db4b905f0852f4d8fa7ecce Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix streaming for winstonSheogorath2018-11-161-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | During the upgrade of winston in c3584770f24205d84b9399abd9535cb27dc7b00c a the class extension for streaming was removed. This caused silent crashes. Somehow winston simply called `process.exit(1)` whenever `logger.write()` was called. This is really bad and only easy to debug because of the testing right after upgrading. However, reimplementing the stream interface as it was, didn't work, due to the fact that `logger.write()` is already implemented and causes the mentioned problem. So we extent the object with an `stream` object that implements `write()` for streams and pass that to morgan. So this patch fixes unexpected exiting for streaming towards our logging module. References: https://www.digitalocean.com/community/tutorials/how-to-use-winston-to-log-node-js-applications https://github.com/hackmdio/codimd/commit/c3584770f24205d84b9399abd9535cb27dc7b00c https://stackoverflow.com/a/28824464 Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Enforce disabled index for static assetsSheogorath2018-11-121-1/+1
| | | | | | | ExpressJS still does allow serving index.html files. This change disables that permanently. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Add full version stringSheogorath2018-11-111-0/+1
| | | | | | | | | | | | Currently we only provide the version from `package.json`. This means that during updates of instances, e.g. the demo instance, which runs latest master instead of a stable release, changes are not reflected to the webclient. This patch adds a fullversion string that contains the current commit and this way makes that clients are notified about changes. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix menu for github and dropboxCédric Couralet2018-11-071-1/+5
| | | | Signed-off-by: Cédric Couralet <cedric.couralet@gmail.com>
* Fix menu when gitlab is enabledCédric Couralet2018-11-071-0/+1
| | | | Signed-off-by: Cédric Couralet <cedric.couralet@gmail.com>
* removing global site layout vars from individual routers, putting them into ↵Claudius2018-11-031-0/+23
| | | | | | app.local Signed-off-by: Claudius <opensource@amenthes.de>
* Merge pull request #940 from WilliButz/fix-configurable-pathsChristoph (Sheogorath) Kern2018-10-051-1/+4
|\ | | | | enhance configurabiltiy of paths & make execution path-independent
| * removing superfluous config parameters for template filesClaudius2018-09-261-1/+1
| | | | | | | | Signed-off-by: Claudius <opensource@amenthes.de>
| * app.js: add missing routes for configurable pathsWilliButz2018-09-261-0/+3
| | | | | | | | Signed-off-by: WilliButz <wbutz@cyberfnord.de>
* | Merge pull request #958 from SISheogorath/fix/uwsChristoph (Sheogorath) Kern2018-10-031-1/+1
|\ \ | |/ |/| Replace `uws` with `ws` package
| * Replace `uws` with `ws` packageSheogorath2018-09-181-1/+1
| | | | | | | | | | | | | | | | | | | | `uws` was deprecated by its maintainer and starts to cause more and more problems and issue reports. So it's time to replace it and use a maintained project instead. Lucky us, `uws` and `ws` can be used in an identical way, without problems. To provide better performance, we install the optional packages as well. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Add indonesian language to CodiMDSheogorath2018-09-231-1/+1
|/ | | | | | Big thanks @filosofikode for the translation work! Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Support 'host' & 'path' config optionsMiranda Kastemaa2018-07-271-3/+13
| | | | Signed-off-by: Miranda Kastemaa <miranda@foldplop.com>
* Do final internal renameingSheogorath2018-06-241-0/+1
| | | | | | | | A little minor change, by moving the CodiMD version header in its own middleware. Should simplify to determine the version number of the Backend in future. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Rebrand HackMD to CodiMDSheogorath2018-06-241-1/+1
| | | | Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Move config out of statics pathSheogorath2018-06-241-16/+0
| | | | | | | | Since static path is providing with a high expiration data, we provide configs via API. This shouldn't add any noticeable load while making it uncached and this way working again. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Remove unused zh.json from repoSheogorath2018-06-231-1/+1
| | | | | | | | Since the original idea of using a symlink didn't work anyway, we should remove the zh.json symlink from the repo. It doesn't provide any benefit but alters the repo on start of HackMD. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #837 from SISheogorath/translate/koreanChristoph (Sheogorath) Kern2018-06-071-1/+1
|\ | | | | Add korean translation
| * Add korean translationSheogorath2018-06-071-1/+1
| | | | | | | | | | | | | | | | This translation was contributed via POEditor by the user Basix. Thanks a lot for your work! Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Fix i18n writing locale files in productionSheogorath2018-06-051-1/+2
|/ | | | | | | | This commit should prevent the i18n module from adding missing translations to the local files in setups that are not for development. This way we keep the directory clean and idempotent. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Removing google drive integrationSheogorath2018-05-161-2/+0
| | | | | | | | | | | | | | | It's sad but it's not working. For multiple releases this should be already broken which shows how often it's used. As there is also a security issue related to that, it's better to remove the feature completely. Whoever wants to rewrite it, feel free to go. This commit removes the Google Drive integration from HackMD's Frontend editor and this way removes the need to provide any API key and Client ID in the frontend. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Revert "Workaround Google API problems"Christoph (Sheogorath) Kern2018-05-161-1/+1
|
* Use API key instead of clientSecretSheogorath2018-04-131-1/+1
| | | | | | | | | As recently discovered we send the clientSecret to the webclient which is potentionally dangerous. This patch should fix the problem and replace the clientSecret with the originally intended and correct way to implement it using the API key. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Change config to camel case with backwards compatibilitySheogorath2018-03-251-17/+17
| | | | | | | | This refactors the configs a bit to now use camel case everywhere. This change should help to clean up the config interface and make it better understandable. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Add referrer policySheogorath2018-02-121-0/+7
| | | | | | | | | | | | | | | This commit adds a referrer policy to all requests. The usage of `same-origin` allows HackMD to still interpret all requests and this way not break anything. But it prevents 3rd party scripts, pictures and more to get informations that may lead to not secured note. It has to be mentioned that this maybe breaks some features of the Google Analytics embedding. This has to be tested. Fixes #724 Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #691 from SISheogorath/feature/uploadChristoph (Sheogorath) Kern2018-01-231-1/+2
|\ | | | | Allow more detailed configuration of upload mime types
| * Allow more detailed configuration of upload mime typesSheogorath2018-01-201-1/+2
| | | | | | | | | | | | Fixes #637 Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Merge pull request #598 from xxyy/feature/cspChristoph (Sheogorath) Kern2018-01-221-0/+14
|\ \ | |/ |/| Implement basic CSP support
| * Move CSP logic to new file, Fix boolean config examplesLiterallie2017-10-221-73/+4
| | | | | | | | Not sure why I was quoting these in the first place
| * Add dirty workaround for speakers view inline scriptLiterallie2017-10-221-0/+4
| |
| * Allow any connect-src in CSPLiterallie2017-10-221-1/+1
| | | | | | | | Managing these for all the integrations seems like a lot of effort
| * Don't add nonce to CSP if unsafe-inline is onLiterallie2017-10-221-1/+3
| | | | | | | | Browsers ignore unsafe-inline if a nonce is sent
| * Change CSP config format to be more intuitiveLiterallie2017-10-221-5/+35
| |
| * CSP: Workaround for ws:// protocolLiterallie2017-10-221-2/+12
| | | | | | | | The spec allows wss:// for 'self', but not ws:// :(
| * Fix MathJax CSP issuesLiterallie2017-10-221-7/+7
| |
| * CSP: Add nonce to slide view inline JSLiterallie2017-10-221-0/+7
| |
| * CSP: Upgrade insecure requests if possibleLiterallie2017-10-221-0/+5
| | | | | | | | Config option; default is to only upgrade if usessl
| * Add basic CSP supportLiterallie2017-10-221-0/+25
| |
* | Fix not passing app key correctly in dropbox configWu Cheng-Han2018-01-191-1/+1
| |