summaryrefslogtreecommitdiff
path: root/lib (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Merge pull request #1091 from SISheogorath/fix/speakerNotesCSPChristoph (Sheogorath) Kern2018-12-061-1/+1
|\ | | | | Fix CSP for speaker notes
| * Fix CSP for speaker notesSheogorath2018-12-051-1/+1
| | | | | | | | | | | | | | | | | | | | | | Looks like I was wrong in my previous commit to update revealjs.[1] The speaker notes broke again with the CSPs. So this patch updates the hash and this way the speaker notes. [1]: bcebf1e8d285184f8c905f00e0270621790e7b80 Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Fix disqus CSPSheogorath2018-12-051-1/+1
|/ | | | | | | | | | | | Disqus loads it's embed config.js from its root domain (https://disqus.com). Our CSPs only allow subdomains (e.g.: https://codimd.disqus.com). This causes the disqus embedding to fail. This patch should fix this problem by adding https://disqus.com to the CSP setting. From a security perspective there is no real change. Since still the same parties are involved. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #1086 from SISheogorath/feature/urlWarningChristoph (Sheogorath) Kern2018-12-011-0/+4
|\ | | | | Warn on missing serverURL
| * Warn on missing serverURLSheogorath2018-11-281-0/+4
| | | | | | | | | | | | | | | | | | | | | | We see some issues that are based on not properly configured `config.serverURL`. This patch adds a warning when `config.serverURL` is an empty value. This should provide users direct feedback about how to improve their configs. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Merge pull request #1082 from cloudyu/pullChristoph (Sheogorath) Kern2018-11-282-4/+4
|\ \ | |/ |/| | | | | | | | | Fix wrong config options In `./lib/web/auth/` some config includes still used `config.serverurl` instead of the correct `config.serverURL`. This causes wrong URL in worst case. This patch should fix those problems and migrate the wrong statements to camelcase.
| * Fix typoCloudYu2018-11-272-4/+4
| | | | | | | | Signed-off-by: CloudYu <cloudyu322@gmail.com>
* | Prevent subdirectories in user exportDaan Sprenkels2018-11-281-9/+11
|/ | | | | | | | | This commit also refactors the code a bit, and adds a '-' separator between a filename and its duplicate index. This commit fixes #1079. Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
* Switch scrypt library to a successorSheogorath2018-11-211-1/+1
| | | | | | | | | | | | | Since our previous scrypt library is unmaintained since 3 years, it's time to look for an alternative. A refactoring towards another password algorithm was worked on and this is probably still the way to go. But for now the successor of our previous library should already be enough. https://www.npmjs.com/package/scrypt (old library) https://github.com/ml1nk/node-scrypt (new library) Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix wrong maxAgeSeconds multiplicationSheogorath2018-11-191-1/+1
| | | | | | | | | | | | | | | | | | | It seems like the inital work on the hsts module expected milliseconds. This has either changed or was never true. Either way, it caused that the current defaults resulted in theory in a 1000 year HSTS policy. Luckily helmet was smart enough to not go higher than 1 year. Anyway, this patch fixes the multiplication of the configured size with 1000 by removing this multiplication. Also to simplify the reading of the defaults, we split them into their components, 60 times 60 seconds so we get one hour. 24 of those hours so we get a day and finally 365 days to get our original wanted default of one year. Reference: https://github.com/hackmdio/CodiMD/commit/d69d65ea7434eee85db4b905f0852f4d8fa7ecce Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #1053 from dsprenkels/robots.txtChristoph (Sheogorath) Kern2018-11-173-1/+3
|\ | | | | Disallow creation of robots.txt in freeurl
| * Disallow creation of robots.txt in freeurlDaan Sprenkels2018-11-173-1/+3
| | | | | | | | | | | | | | | | | | | | | | Add a configuration setting to "hard"-disable creation of notes as set by the configuration value. This defaults to `['robots.txt', 'favicon.ico']`, because these files are often accidentally created by bots and browsers. This commit fixes #1052. Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
* | Merge pull request #1040 from sunbit/masterChristoph (Sheogorath) Kern2018-11-178-8/+8
|\ \ | | | | | | Fix migration failure due to change on error messages
| * | Update error message text checksCarles Bruguera2018-11-168-8/+8
| | | | | | | | | | | | Signed-off-by: Carles Bruguera <carlesba@gmail.com>
* | | Fix streaming for winstonSheogorath2018-11-161-1/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | During the upgrade of winston in c3584770f24205d84b9399abd9535cb27dc7b00c a the class extension for streaming was removed. This caused silent crashes. Somehow winston simply called `process.exit(1)` whenever `logger.write()` was called. This is really bad and only easy to debug because of the testing right after upgrading. However, reimplementing the stream interface as it was, didn't work, due to the fact that `logger.write()` is already implemented and causes the mentioned problem. So we extent the object with an `stream` object that implements `write()` for streams and pass that to morgan. So this patch fixes unexpected exiting for streaming towards our logging module. References: https://www.digitalocean.com/community/tutorials/how-to-use-winston-to-log-node-js-applications https://github.com/hackmdio/codimd/commit/c3584770f24205d84b9399abd9535cb27dc7b00c https://stackoverflow.com/a/28824464 Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | | Merge pull request #1058 from ccoenen/bug/oauth2internalerrorChristoph (Sheogorath) Kern2018-11-161-4/+4
|\ \ \ | | | | | | | | InternalOAuthError is not part of passport, but of passport-oauth2 #1056
| * | | InternalOAuthError is not part of passport, but of passport-oauth2Claudius Coenen2018-11-141-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes part of #1056: an error while obtaining the profile would have `502`-crashed the server. Signed-off-by: Claudius Coenen <opensource@amenthes.de>
* | | | switching to eslint for code checkingClaudius Coenen2018-11-144-3/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | most rules degraded to WARN, so we don't go insane. This will change over time. The aim is to conform to a common style Signed-off-by: Claudius Coenen <opensource@amenthes.de>
* | | | Merge pull request #1055 from SISheogorath/upgrade/winstonChristoph (Sheogorath) Kern2018-11-144-16/+20
|\ \ \ \ | |/ / / |/| | | Upgrade winston / refactor logging
| * | | Upgrade winstonSheogorath2018-11-144-16/+20
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | Our log library got a new major version which should be implemented. That's exactly what this patch does. Implementing the new version of the logging library. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* / | Fix logging in ot moduleSheogorath2018-11-131-5/+5
|/ / | | | | | | | | | | | | Seems like there was some debugging going on some day, this patch should make sure the right logging is used. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Merge pull request #1027 from asg017/masterChristoph (Sheogorath) Kern2018-11-121-0/+3
|\ \ | | | | | | Add download action to published notes
| * | forgot break statementAlex Garcia2018-10-271-0/+1
| | | | | | | | | | | | Signed-off-by: Alex Garcia <alexsebastian.garcia@gmail.com>
| * | Add download action to published notesAlex Garcia2018-10-271-0/+2
| | | | | | | | | | | | Signed-off-by: Alex Garcia <alexsebastian.garcia@gmail.com>
* | | Merge pull request #1051 from SISheogorath/feature/fullversionChristoph (Sheogorath) Kern2018-11-121-1/+1
|\ \ \ | | | | | | | | Fix wrong reading from commit
| * | | Fix wrong reading from commitSheogorath2018-11-121-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Right now we use a substr after reading the commit. That's definitely wrong and leads to wrong commit hashes since the first 5 chars are missing. This patch removes the substr usage here and this way fixes the generated links. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | | | Merge pull request #961 from SISheogorath/feature/osTEMPChristoph (Sheogorath) Kern2018-11-111-1/+3
|\ \ \ \ | |/ / / |/| | | Use OS based tmp dir
| * | | Use OS based tmp dirSheogorath2018-10-311-1/+3
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | We should use the official OS temp directory instead of an own one, to not run into conflicts. Also various dependencies already use the OS temp directory, which makes it pointless to use a different for our internal purposes then. This commit provides the changes needed to use the OS tmp directory by default. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | | Add full version stringSheogorath2018-11-115-4/+45
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently we only provide the version from `package.json`. This means that during updates of instances, e.g. the demo instance, which runs latest master instead of a stable release, changes are not reflected to the webclient. This patch adds a fullversion string that contains the current commit and this way makes that clients are notified about changes. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | | Fix menu for github and dropboxCédric Couralet2018-11-071-0/+2
| |/ |/| | | | | Signed-off-by: Cédric Couralet <cedric.couralet@gmail.com>
* | removing global site layout vars from individual routers, putting them into ↵Claudius2018-11-031-50/+2
|/ | | | | | app.local Signed-off-by: Claudius <opensource@amenthes.de>
* Merge pull request #985 from SISheogorath/fix/helmetCSPChristoph (Sheogorath) Kern2018-10-111-1/+1
|\ | | | | Add `data:` URL to CSP and upgrade helmet
| * Add `data:` URL to CSP and upgrade helmetSheogorath2018-10-041-1/+1
| | | | | | | | | | | | | | | | | | Seems like the old version of helmet had a problem with `data:`. This patch upgrades to the latest version and adds the CSP rule to allow Google Fonts and the offline version of it, to properly include the fonts and no longer throw ugly error messages at us. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Merge pull request #990 from SISheogorath/fix/oauthProviderNameChristoph (Sheogorath) Kern2018-10-092-0/+2
|\ \ | | | | | | Make oauth2 provider name accessible
| * | Make oauth2 provider name accessibleSheogorath2018-10-042-0/+2
| |/ | | | | | | | | | | | | | | | | Right now the feature exists but is almost not usable since the only way to configure it is to know that it exists from reading the source code and add it to config.json. This patch provides all needed changes so it can be used by everyone including documentation. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Fix #1001: get only project user is member of (and return max of results)Cédric Couralet2018-10-091-1/+1
| | | | | | | | Signed-off-by: Cédric Couralet <cedric.couralet@gmail.com>
* | Add OpenID to CodiMDSheogorath2018-10-056-3/+70
| | | | | | | | | | | | | | | | With OpenID every OpenID capable provider can provide authentication for users of a CodiMD instance. This means we have federated authentication. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Merge pull request #940 from WilliButz/fix-configurable-pathsChristoph (Sheogorath) Kern2018-10-056-31/+23
|\ \ | |/ |/| enhance configurabiltiy of paths & make execution path-independent
| * removing superfluous config parameters for template filesClaudius2018-09-264-21/+10
| | | | | | | | Signed-off-by: Claudius <opensource@amenthes.de>
| * imageRouter/filesystem: make callback path-independentWilliButz2018-09-261-1/+2
| | | | | | | | | | | | | | Images are now properly served when `config.uploadsPath` differs from its default value. Signed-off-by: WilliButz <wbutz@cyberfnord.de>
| * lib/config: use `path.resolve` instead of `path.join`WilliButz2018-09-261-14/+14
| | | | | | | | | | | | | | | | | | | | | | While paths like `tmpPath` could previously be configured, they were all interpreted relative to `appRootPath` because of `path.join`. Now the configurable paths can be canonical and therefore independent of the `appRootPath`. Signed-off-by: WilliButz <wbutz@cyberfnord.de>
| * lib/config: add environment variable to set config fileWilliButz2018-09-261-1/+2
| | | | | | | | | | | | | | | | | | | | Previously it was assumed that `config.json` would be placed in the same directory as the rest of CodiMD without any optional override. This allows to override the path to the `config.json` by setting `CMD_CONFIG_FILE` to the canonical path of the desired config file. Signed-off-by: WilliButz <wbutz@cyberfnord.de>
| * lib/models/revision.js: make independent of exec-pathWilliButz2018-09-261-1/+2
| | | | | | | | | | | | | | | | | | | | | | Previously calling `app.js` from another directory than the base directory of CodiMD would result in an error being thrown because `lib/workers/dmpWorker.js` could not be found. This change makes the function call independent of the path CodiMD is started from. Signed-off-by: WilliButz <wbutz@cyberfnord.de>
* | Fix little bug in length limitSheogorath2018-09-281-1/+1
| | | | | | | | Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Merge pull request #971 from SISheogorath/fix/gitlabWarningChristoph (Sheogorath) Kern2018-09-271-1/+2
|\ \ | | | | | | Set default to `v4`
| * | Set default to `v4`Sheogorath2018-09-271-1/+2
| |/ | | | | | | | | | | | | Seems like we didn't fix the problem with the last patch. This should finally fix it. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* / Fix document length limit on postSheogorath2018-09-261-1/+9
|/ | | | | | | | | We recently introduced a new way to create notes using a post requeest to the `/new` endpoint. This is not limited in size, other than pasting a note in the editor. This patch should enforce this limit also on this way. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Omit unneeded warning if no gitlab is configuredSheogorath2018-09-251-1/+1
| | | | | | | This patch should fix the unneeded warning of the wrong API version, when gitlab isn't configured at all. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix server crash on PDF creationSheogorath2018-09-241-0/+4
| | | | | | | | | `markdown-pdf` seems to fail to provide the PDFs on tmpfs. This leads crashing codimd which expects the file to be there. This patch should add some proper error handling when expectation and reality don't fit together. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Extend migration error handlingSheogorath2018-09-058-9/+9
| | | | | | | | | | The current error handling seems to conflict with some sequelize versions. So we add a second version of it in our excemptions. I'm not happy about it, but when it helps to prevent further migration breaking, it's worth it. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>