path: root/app.js

Commit log (each entry: commit message, author, date, files changed, lines removed/added)
* Relax cookie restrictions to 'lax' to allow frontend to work (Sheogorath, 2020-06-10, 1 file, -1/+1)

  Our frontend requests the `/me` pathname in order to determine whether it's logged in or not. Due to the fact that the sameSite attribute of the session cookie was set to `strict` in a previous commit, the session token was no longer sent along with HTTP calls initiated by JS. This is due to the RFC's definition of "safe" HTTP calls in RFC7231. The bug triggers the UI to show up like an unauthenticated user, even after a successful login. In order to debug it, a look into the cookies sent to `/me` turned out to be very enlightening. The fix this patch implements is rather simple: it replaces the sameSite attribute with `lax`, which enables the cookies for those requests again. Some older and mobile clients were unaffected by this due to the lack of implementations of sameSite policies.

  References:
  https://tools.ietf.org/html/rfc7231#section-4.2.1
  https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.3.7.1
  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
  https://github.com/codimd/server/commit/e77e7b165ac4920290015ec4b95e651730009edc

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix broken cookie handling due to missing proxy awareness (Sheogorath, 2020-06-10, 1 file, -0/+7)

  We enabled the `secure` flag for various cookies in previous commits. This caused setups behind reverse proxies to drop cookies, as the nodejs instance wasn't aware of the fact that it was able to hand out secure commits using an insecure connection (between the codimd instance and the reverse proxy). This patch makes express, the webserver framework we use, aware of proxies and this way re-enables the handing out of cookies. Not only the cookie monster will enjoy it, but also functionality like authentication and real-time editing will return as intended.

  References:
  https://www.npmjs.com/package/express-session#cookiesecure
  https://github.com/codimd/server/commit/383d791a50919bb9890a3f3f797ecc95125ab8bf

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge branch 'fix/sessionCookies' (Sheogorath, 2020-06-08, 1 file, -1/+2)
| * Remove unused socket.io cookie (Sheogorath, 2020-06-08, 1 file, -1/+1)

  The socket.io cookie doesn't really have any purpose as it's no longer used in modern socket.io versions. This patch disables it.

  References:
  https://github.com/socketio/socket.io/issues/2276

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
| * Ensure session cookies are secure (Sheogorath, 2020-06-08, 1 file, -1/+3)

  While HSTS should take care of most of this, setting cookies to be secure, and only applied on the same site, helps to improve situations where, for whatever reason, downgrade attacks are still a thing. This patch adds `sameSite` and `secure` to the session cookie and this way prevents all accidents where a browser may not support HSTS or HSTS is intentionally dropped.

  Reference:
  https://www.npmjs.com/package/express-session#cookiesecure

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Disable unneeded 'io' cookie. (David Mehren, 2020-06-08, 1 file, -1/+1)

  According to https://github.com/socketio/socket.io/issues/2276 this cookie is not used for anything. To avoid browser warnings about the sameSite attribute, we disable it here.

  Signed-off-by: David Mehren <dmehren1@gmail.com>
* | Set all cookies with sameSite: strict (David Mehren, 2020-06-08, 1 file, -1/+2)

  Modern browsers do not support (or will stop supporting) sameSite: none (or no sameSite attribute) without the Secure flag. As we don't want everyone to be able to make requests with our cookies anyway, this commit sets sameSite to strict. See https://developer.mozilla.org/de/docs/Web/HTTP/Headers/Set-Cookie/SameSite

  Signed-off-by: David Mehren <dmehren1@gmail.com>
* Move note actions to their own file. (David Mehren, 2019-10-27, 1 file, -3/+3)

  Because of circular import problems, this commit also moves the error messages from response.js to errors.js

  Signed-off-by: David Mehren <dmehren1@gmail.com>
* Slovak locale (Martin Turoci, 2019-10-05, 1 file, -1/+1)

  Signed-off-by: Martin Turoci <martinturoci@gmail.com>

* Added Czech translation (PetrTodorov, 2019-10-03, 1 file, -1/+1)

  Signed-off-by: PetrTodorov <info@petrtodorov.cz>

* Fixed #179 (redirect loop with a trailing slash) (Erik Michelson, 2019-09-18, 1 file, -3/+3)

  Signed-off-by: Erik Michelson <erik@liltv.de>
* Add Arabian translation (Sheogorath, 2019-08-15, 1 file, -1/+1)

  Thanks to our great translators that made it to translate the major parts of CodiMD into Arabic!

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>

* Add Vietnamese language (Sheogorath, 2019-05-26, 1 file, -1/+1)

  There was some awesome work by Hồng in the recent days, who translated CodiMD completely into the Vietnamese language! This patch provides these awesome contributions.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* fix unix socket not removed on shutdown (#50) (naimo, 2019-04-16, 1 file, -0/+3)

  * fix unix socket not removed on shutdown

  Signed-off-by: naimo <nicolas@aimon.fr>

* specifying the locale jsons to be in the exact style of poeditor should cut down on unnecessary changes ('churn') (Claudius, 2019-04-04, 1 file, -0/+1)

  Signed-off-by: Claudius <opensource@amenthes.de>
* Add Serbian language (Sheogorath, 2019-03-04, 1 file, -1/+1)

  Thanks to the work of the translator Vladan, we got a Serbian translation added! Those few changes will add Serbian language support for future CodiMD releases.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix wrong maxAgeSeconds multiplication (Sheogorath, 2018-11-19, 1 file, -1/+1)

  It seems like the initial work on the hsts module expected milliseconds. This has either changed or was never true. Either way, it caused that the current defaults resulted in theory in a 1000 year HSTS policy. Luckily helmet was smart enough to not go higher than 1 year. Anyway, this patch fixes the multiplication of the configured size with 1000 by removing this multiplication. Also, to simplify the reading of the defaults, we split them into their components: 60 times 60 seconds so we get one hour, 24 of those hours so we get a day, and finally 365 days to get our originally wanted default of one year.

  Reference:
  https://github.com/hackmdio/CodiMD/commit/d69d65ea7434eee85db4b905f0852f4d8fa7ecce

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix streaming for winston (Sheogorath, 2018-11-16, 1 file, -1/+1)

  During the upgrade of winston in c3584770f24205d84b9399abd9535cb27dc7b00c the class extension for streaming was removed. This caused silent crashes. Somehow winston simply called `process.exit(1)` whenever `logger.write()` was called. This is really bad and only easy to debug because of the testing right after upgrading. However, reimplementing the stream interface as it was didn't work, due to the fact that `logger.write()` is already implemented and causes the mentioned problem. So we extend the object with a `stream` object that implements `write()` for streams and pass that to morgan. So this patch fixes unexpected exiting for streaming towards our logging module.

  References:
  https://www.digitalocean.com/community/tutorials/how-to-use-winston-to-log-node-js-applications
  https://github.com/hackmdio/codimd/commit/c3584770f24205d84b9399abd9535cb27dc7b00c
  https://stackoverflow.com/a/28824464

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Enforce disabled index for static assets (Sheogorath, 2018-11-12, 1 file, -1/+1)

  ExpressJS still does allow serving index.html files. This change disables that permanently.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Add full version string (Sheogorath, 2018-11-11, 1 file, -0/+1)

  Currently we only provide the version from `package.json`. This means that during updates of instances, e.g. the demo instance, which runs latest master instead of a stable release, changes are not reflected to the webclient. This patch adds a fullversion string that contains the current commit and this way makes sure that clients are notified about changes.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix menu for github and dropbox (Cédric Couralet, 2018-11-07, 1 file, -1/+5)

  Signed-off-by: Cédric Couralet <cedric.couralet@gmail.com>

* Fix menu when gitlab is enabled (Cédric Couralet, 2018-11-07, 1 file, -0/+1)

  Signed-off-by: Cédric Couralet <cedric.couralet@gmail.com>

* removing global site layout vars from individual routers, putting them into app.local (Claudius, 2018-11-03, 1 file, -0/+23)

  Signed-off-by: Claudius <opensource@amenthes.de>
* Merge pull request #940 from WilliButz/fix-configurable-paths (Christoph (Sheogorath) Kern, 2018-10-05, 1 file, -1/+4)

  enhance configurability of paths & make execution path-independent

| * removing superfluous config parameters for template files (Claudius, 2018-09-26, 1 file, -1/+1)

  Signed-off-by: Claudius <opensource@amenthes.de>

| * app.js: add missing routes for configurable paths (WilliButz, 2018-09-26, 1 file, -0/+3)

  Signed-off-by: WilliButz <wbutz@cyberfnord.de>
* | Merge pull request #958 from SISheogorath/fix/uws (Christoph (Sheogorath) Kern, 2018-10-03, 1 file, -1/+1)

  Replace `uws` with `ws` package

| * Replace `uws` with `ws` package (Sheogorath, 2018-09-18, 1 file, -1/+1)

  `uws` was deprecated by its maintainer and starts to cause more and more problems and issue reports. So it's time to replace it and use a maintained project instead. Lucky us, `uws` and `ws` can be used in an identical way, without problems. To provide better performance, we install the optional packages as well.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Add Indonesian language to CodiMD (Sheogorath, 2018-09-23, 1 file, -1/+1)

  Big thanks @filosofikode for the translation work!

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>

* Support 'host' & 'path' config options (Miranda Kastemaa, 2018-07-27, 1 file, -3/+13)

  Signed-off-by: Miranda Kastemaa <miranda@foldplop.com>
* Do final internal renaming (Sheogorath, 2018-06-24, 1 file, -0/+1)

  A little minor change, by moving the CodiMD version header into its own middleware. Should simplify determining the version number of the backend in future.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>

* Rebrand HackMD to CodiMD (Sheogorath, 2018-06-24, 1 file, -1/+1)

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Move config out of statics path (Sheogorath, 2018-06-24, 1 file, -16/+0)

  Since the static path is provided with a high expiration date, we provide configs via API. This shouldn't add any noticeable load while making it uncached and this way working again.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>

* Remove unused zh.json from repo (Sheogorath, 2018-06-23, 1 file, -1/+1)

  Since the original idea of using a symlink didn't work anyway, we should remove the zh.json symlink from the repo. It doesn't provide any benefit but alters the repo on start of HackMD.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #837 from SISheogorath/translate/korean (Christoph (Sheogorath) Kern, 2018-06-07, 1 file, -1/+1)

  Add Korean translation

| * Add Korean translation (Sheogorath, 2018-06-07, 1 file, -1/+1)

  This translation was contributed via POEditor by the user Basix. Thanks a lot for your work!

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>

* | Fix i18n writing locale files in production (Sheogorath, 2018-06-05, 1 file, -1/+2)

  This commit should prevent the i18n module from adding missing translations to the locale files in setups that are not for development. This way we keep the directory clean and idempotent.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Removing google drive integration (Sheogorath, 2018-05-16, 1 file, -2/+0)

  It's sad but it's not working. For multiple releases this should already be broken, which shows how often it's used. As there is also a security issue related to that, it's better to remove the feature completely. Whoever wants to rewrite it, feel free to go. This commit removes the Google Drive integration from HackMD's frontend editor and this way removes the need to provide any API key and Client ID in the frontend.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>

* Revert "Workaround Google API problems" (Christoph (Sheogorath) Kern, 2018-05-16, 1 file, -1/+1)
* Use API key instead of clientSecret (Sheogorath, 2018-04-13, 1 file, -1/+1)

  As recently discovered, we send the clientSecret to the webclient, which is potentially dangerous. This patch should fix the problem and replace the clientSecret with the originally intended and correct way to implement it using the API key.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>

* Change config to camel case with backwards compatibility (Sheogorath, 2018-03-25, 1 file, -17/+17)

  This refactors the configs a bit to now use camel case everywhere. This change should help to clean up the config interface and make it better understandable.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Add referrer policy (Sheogorath, 2018-02-12, 1 file, -0/+7)

  This commit adds a referrer policy to all requests. The usage of `same-origin` allows HackMD to still interpret all requests and this way not break anything. But it prevents 3rd party scripts, pictures and more from getting information that may lead to a not secured note. It has to be mentioned that this may break some features of the Google Analytics embedding. This has to be tested.

  Fixes #724

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #691 from SISheogorath/feature/upload (Christoph (Sheogorath) Kern, 2018-01-23, 1 file, -1/+2)

  Allow more detailed configuration of upload mime types

| * Allow more detailed configuration of upload mime types (Sheogorath, 2018-01-20, 1 file, -1/+2)

  Fixes #637

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>

* | Merge pull request #598 from xxyy/feature/csp (Christoph (Sheogorath) Kern, 2018-01-22, 1 file, -0/+14)

  Implement basic CSP support
| * Move CSP logic to new file, Fix boolean config examples (Literallie, 2017-10-22, 1 file, -73/+4)

  Not sure why I was quoting these in the first place

| * Add dirty workaround for speakers view inline script (Literallie, 2017-10-22, 1 file, -0/+4)

| * Allow any connect-src in CSP (Literallie, 2017-10-22, 1 file, -1/+1)

  Managing these for all the integrations seems like a lot of effort

| * Don't add nonce to CSP if unsafe-inline is on (Literallie, 2017-10-22, 1 file, -1/+3)

  Browsers ignore unsafe-inline if a nonce is sent

| * Change CSP config format to be more intuitive (Literallie, 2017-10-22, 1 file, -5/+35)