path: root/lib/models/user.js

Commit (author; date; files changed; lines removed/added)
* Sanitize username and photo URL (David Mehren; 2021-05-09; 1 file; -2/+3)

  HedgeDoc displays the username and user photo at various places by rendering the respective variables into an `ejs` template. As the values are user-provided or generated from user-provided data, it may be possible to inject unwanted HTML. This commit sanitizes the username and photo URL by passing them through the `xss` library.

  Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
  Signed-off-by: David Mehren <git@herrmehren.de>
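As an added illustration of the point in this commit message (example code written for this page, not HedgeDoc's code and not the `xss` package): a constructed stand-in for a template that interpolates the username and photo URL raw, next to a hardened version that HTML-escapes the name and restricts the photo URL to http(s) using only Node.js built-ins. The hostile profile, the `escapeHtml`/`safePhotoUrl` helpers and the fallback avatar path are this example's own assumptions.

```javascript
'use strict'
// Added example (not HedgeDoc's code, not the `xss` package): raw interpolation of
// user-controlled profile fields versus a stdlib-only hardening.

// Escape the characters that change meaning in HTML text and quoted attributes.
function escapeHtml (value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }
  return String(value).replace(/[&<>"']/g, (c) => map[c])
}

// Only http(s) URLs are acceptable as an <img src>; everything else (javascript:,
// data:, unparseable input) falls back to a constant default avatar (assumed path).
function safePhotoUrl (value, fallback = '/images/default-avatar.png') {
  let url
  try {
    url = new URL(String(value))
  } catch (e) {
    return fallback
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return fallback
  return url.href
}

// "Before": a constructed stand-in for a template that interpolates values unescaped.
function renderUnsafe (user) {
  return `<img src="${user.photo}" alt="${user.name}"> <span>${user.name}</span>`
}

// "After": same markup, both values sanitized for their context first.
function renderSafe (user) {
  const name = escapeHtml(user.name)
  const photo = escapeHtml(safePhotoUrl(user.photo))
  return `<img src="${photo}" alt="${name}"> <span>${name}</span>`
}

// Constructed hostile profile: the name breaks out of the <span> and injects a script,
// the photo "URL" carries a javascript: scheme.
const hostileUser = {
  name: '</span><script>alert(1)</script>',
  photo: 'javascript:alert(document.cookie)'
}

console.log('unsafe:', renderUnsafe(hostileUser))
console.log('safe:  ', renderSafe(hostileUser))
```

Escaping and scheme filtering are two different controls: escaping alone would leave a `javascript:` URL intact inside the `src` attribute, which is why the photo URL is passed through an http(s) allow-list before it is escaped for the attribute context.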
* Remove unneeded polyfill (Erik Michelson; 2021-04-26; 1 file; -9/+0)

  This polyfill was added because node versions less than 10.5.0 didn't include scrypt support. As we now raised the minimum required version to 12.0.0, this polyfill isn't needed anymore.

  Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>

* Linter: Fix all lint errors (Philip Molares; 2021-02-15; 1 file; -2/+2)

  Signed-off-by: Philip Molares <philip.molares@udo.edu>

* fix: upgrade sequelize to latest version to fix CVE (BoHong Li; 2019-06-11; 1 file; -104/+103)

  Signed-off-by: BoHong Li <a60814billy@gmail.com>

* Fix missing pictures for OpenID (Sheogorath; 2019-05-26; 1 file; -0/+3)

  Currently a problem appears when using OpenID for authentication, as there is no method to add a profile picture right now. This patch makes sure that all undefined login methods get a profile picture.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>

* polyfilling scrypt for node 8.5+ (Claudius; 2019-05-13; 1 file; -4/+13)

  Signed-off-by: Claudius <opensource@amenthes.de>

* asyncified setting and verifying the password (Claudius; 2019-05-13; 1 file; -9/+7)

  Signed-off-by: Claudius <opensource@amenthes.de>

* getting password hashing into a hook where it could be async (Claudius; 2019-05-13; 1 file; -6/+14)

  Signed-off-by: Claudius <opensource@amenthes.de>

* Switch scrypt library to a successor (Sheogorath; 2018-11-21; 1 file; -1/+1)

  Since our previous scrypt library has been unmaintained for 3 years, it's time to look for an alternative. A refactoring towards another password algorithm was worked on and this is probably still the way to go. But for now the successor of our previous library should already be enough.

  https://www.npmjs.com/package/scrypt (old library)
  https://github.com/ml1nk/node-scrypt (new library)

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* switching to eslint for code checking (Claudius Coenen; 2018-11-14; 1 file; -1/+1)

  Most rules degraded to WARN, so we don't go insane. This will change over time. The aim is to conform to a common style.

  Signed-off-by: Claudius Coenen <opensource@amenthes.de>

* Allow to disable gravatar (Sheogorath; 2018-06-23; 1 file; -25/+5)

  Since Gravatar is an external image source and not perfect from a privacy perspective, forbidding it allows improving privacy. This commit also simplifies and optimizes the avatar code.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>

* Merge pull request #830 from SISheogorath/feature/GDPR (Christoph (Sheogorath) Kern; 2018-06-17; 1 file; -0/+7)

  GDPR compliant part 1

* Add token based security feature (Sheogorath; 2018-05-25; 1 file; -0/+4)

  In the current setup users could be tricked into deleting their data by providing a malicious link like `[click me](/me/delete)`. This commit prevents such an easy attack and requires the user's deleteToken to get his data deleted. In case someone requests his deletion by email you can also ask him for this token. We can add a GUI that shows it later on.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix requests for deleted users (Sheogorath; 2018-05-25; 1 file; -0/+3)

  When users who no longer exist are requested from the authorship, they shouldn't cause a 500.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>

* Merge pull request #784 from pferreir/add-oauth2-support (Christoph (Sheogorath) Kern; 2018-06-04; 1 file; -2/+2)

  Add "generic" OAuth2 support

* Use TEXT instead of STRING for tokens (Pedro Ferreira; 2018-03-26; 1 file; -2/+2)

  Signed-off-by: Pedro Ferreira <pedro.ferreira@cern.ch>

* Move letter-avatars into own request (Sheogorath; 2018-04-17; 1 file; -5/+5)

  To prevent further weakening of our CSP policies, moving the Avatars into a non-inline version is the way to go. This implementation probably needs some beautification, but it already fixes the bug.

  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>

* Initial support for SAML authentication (Norihito Nakae; 2017-11-28; 1 file; -0/+9)

* Add mattermost authentication (Christoph Witzany; 2017-10-31; 1 file; -0/+9)

* Fix broken profile images (Sheogorath; 2017-09-22; 1 file; -2/+6)

* refactor: Remove `require` extension filename (BoHong Li; 2017-05-08; 1 file; -2/+2)

* Use strict mode in all backend files (BoHong Li; 2017-03-14; 1 file; -0/+1)

  Add ‘use strict’ in all backend files.

* Use JavaScript Standard Style (BoHong Li; 2017-03-08; 1 file; -140/+138)

  Introduce JavaScript Standard Style as the project style rule, and fix all failures in backend code.

* Fix user profile photo might not replace to proper size (Wu Cheng-Han; 2017-02-18; 1 file; -4/+4)

* Update to add biggerphoto on parsing user profile (Wu Cheng-Han; 2017-02-03; 1 file; -10/+26)

* Profile pictures for LDAP users (alecdwm; 2017-01-06; 1 file; -0/+11)

* Update to support optional email register and signin (Wu Cheng-Han; 2016-12-02; 1 file; -0/+33)

* Update to use bigger size of profile image (Cheng-Han, Wu; 2016-05-21; 1 file; -3/+3)

* Add support of google signin (Cheng-Han, Wu; 2016-05-21; 1 file; -0/+3)

* Update to use bigger avatar image and twitter now use screen_name based profile image url (Cheng-Han, Wu; 2016-05-20; 1 file; -2/+2)

* Add db migrations for PR #121 (Cheng-Han, Wu; 2016-05-15; 1 file; -0/+3)

* Retrieve GitLab avatar. (Jason Croft; 2016-05-12; 1 file; -0/+3)

* Add accessToken column (Jason Croft; 2016-05-11; 1 file; -1/+4)

* Refactor server with Sequelize ORM, refactor server configs, now will show note status (created or updated) and support docs (note alias) (Cheng-Han, Wu; 2016-04-20; 1 file; -0/+77)