| Commit message (Collapse) | Author | Age | Files | Lines |
Allow to disable gravatar
|
Since Gravatar is an external image source and not perfect from a
privacy perspective, forbidding it allows to improve privacy.
This commit also simplifies and optimizes the avatar code.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
Since static path is providing with a high expiration data, we provide
configs via API. This shouldn't add any noticeable load while making it
uncached and this way working again.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
In https://github.com/hackmdio/hackmd/issues/834 is described how
starting HackMD crashes when using the wrong working dir.
This is caused by a relative path in our upload routine. This change
should fix it and prevent future crashes.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
This commit should prevent the i18n module from adding missing
translations to the local files in setups that are not for development.
This way we keep the directory clean and idempotent.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
Add "generic" OAuth2 support
|
Signed-off-by: Pedro Ferreira <pedro.ferreira@cern.ch>
|
Signed-off-by: Adam Hoka <hoka.adam@nexogen.hu>
|
Workaround Google API problems
|
As recently discovered we send the clientSecret to the webclient which
is potentially dangerous. This patch should fix the problem and
replace the clientSecret with the originally intended and correct way to
implement it using the API key.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
Looks like we lost some variables during the refactoring of the configs
to camel case.
This should fix it.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
Fix CSP for disqus and Google Analytics
|
This commit should fix existing problems with Disqus and Google
Analytics enabled in the meta-yaml section of a note.
Before this commit they were blocked by the strict CSP. It's still
possible to disable the added directives using `addDisqus` and
`addGoogleAnalytics` in the `csp` config section.
They are enabled by default to prevent breaking changes.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
Currently the session secret can only be set by config.json or docker
secrets. This creates a problem on Heroku hosted instances that can not
set a session secret.
Since we automatically generate them on startup this results in a
logout of all users on every config change in Heroku.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
Automatically generate a session secret if default is used
|
The session secret is used to sign and authenticate the session cookie
and this way very important for the authentication process.
By default the session secret is set to `secret` and never changes. This
commit will add a generator for a dynamic session secret if it stays
unchanged.
It prevents session hijacking this way and will warn the user about
the missing secret.
This also implies that a restart without a configured session secret
will log out all users. While it may seem annoying, it's for the users'
best.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
We should check for an undefined and not just for a logical true or
false.
Example: When `usecdn` was set to false it was impossible to overwrite
the new config value because the if statement becomes false.
Thanks @davidmehren for pointing me to this issue.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
Looks like we forgot something during the migration. This should fix it.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
This refactors the configs a bit to now use camel case everywhere.
This change should help to clean up the config interface and make it
better understandable.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
Refactoring imageRouter to modularity
|
This should make the imageRouter more modular and easier to extend. Also
a lot of code duplication was removed which should simplify maintenance
in future.
In the new setup we only need to provide a new module file which exports
a function called `uploadImage` and takes a filePath and a callback as
argument. The callback itself takes an error and an url as parameter.
This eliminates the need of a try-catch-block around the statement and
re-enabled the optimization in NodeJS.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
As minio causes various problems if you configure it using environment
variables and leave the port setting out, which will evaluate to NaN,
this change should fix this in a clean way for this time and helps to
support numbers in general in future.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
Add config option for report URI in CSP
|
This option is needed as it's currently not possible to add a report
URI by the directives array. This option also allows to get CSP reports
not only on docker based setup but also on our heroku instances.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
fix hackmdio/hackmd#763
Signed-off-by: Tang TsungYi <vazontang@gmail.com>
|
hackmdio/hackmd#754
Signed-off-by: Felix Schäfer <felix@thegcat.net>
|
Signed-off-by: Dustin Frisch <fooker@lab.sh>
|
This removes the only camel cased option of the config options
**we** added to the config.json.
In auth provider's config parts are a lot of camel cased options
provided. We shouldn't touch them to keep them as similar as
possible to the examples.
Fixes #315
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
Allow more detailed configuration of upload mime types
|
Fixes #637
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
Add support for minio
|
Implement basic CSP support
|
Config option; default is to only upgrade if usessl
|
Before, closed disallowed guest edits completely, by removing
the `freely` permission. This makes it possible to explicitly bring
back guest-editing, but not guest-note-creation, to closed instances.
Signed-off-by: Dario Ernst <dario@kanojo.de>
|
Load version from package.json
|
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
Fix sslcapath bug
|
Signed-off-by: Alec WM <firstcontact@owls.io>