summaryrefslogtreecommitdiff
path: root/lib (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Generic OAuth2: Set state: trueDexter Chua2020-10-221-1/+2
| | | | | | | | | | The OAuth2 specification RECOMMENDS setting the state to protect against CSRF attacks. Some OAuth2 providers (e.g. ORY Hydra) refuse to authenticate without the state set. This is a cherry-pick of 852868419dc03d5dec79e75a3d7692ab670c927f. Signed-off-by: haslersn <sebastian.hasler@gmx.net>
* Merge pull request #486 from codimd/feature/cookie-policyDavid Mehren2020-09-254-1/+9
|\
| * Update documentation and messages to new default valueErik Michelson2020-09-081-1/+1
| | | | | | | | Signed-off-by: Erik Michelson <github@erik.michelson.eu>
| * Changed default policy from 'strict' to 'lax' due to the reasons mentioned ↵Erik Michelson2020-08-272-2/+2
| | | | | | | | | | | | in 3d1fab05 Signed-off-by: Erik Michelson <github@erik.michelson.eu>
| * Add config option for cookie SameSite policyErik Michelson2020-08-274-1/+9
| | | | | | | | Signed-off-by: Erik Michelson <github@erik.michelson.eu>
* | Add missing unsafe-inline CSP directiveErik Michelson2020-08-231-1/+1
| | | | | | | | | | | | Dropbox loads an external script that adds inline javascript. Therefore, this addition is needed when enabling dropbox support. Signed-off-by: Erik Michelson <github@erik.michelson.eu>
* | Add dropbox CSP directive if configured and make button clickableErik Michelson2020-08-231-0/+5
|/ | | | | | | The lack of a 'preventDefault' on the click event handler resulted in the dropbox link being unclickable. Furthermore because of a missing CSP rule, the dropbox script couldn't be loaded. The dropbox origin is now added to the CSP script sources if dropbox integration is configured. Signed-off-by: Erik Michelson <github@erik.michelson.eu>
* saml: make logger print actual error messageSimeon Keske2020-07-111-2/+2
| | | | | Signed-off-by: Simeon Keske <git@n0emis.eu> Signed-off-by: Leo Maroni <git@em0lar.de>
* add error handling to saml-certsSimeon Keske2020-07-111-2/+15
| | | | | Signed-off-by: Simeon Keske <git@n0emis.eu> Signed-off-by: Leo Maroni <git@em0lar.de>
* allow to set a saml client certificateSimeon Keske2020-07-113-0/+3
| | | | Signed-off-by: Simeon Keske <git@n0emis.eu>
* Fixed meta parsing of lang-attribute for using it in the published-viewErik Michelson2020-07-042-1/+2
| | | | Signed-off-by: Erik Michelson <github@erik.michelson.eu>
* Added dynamic lang-attr to pretty.ejsErik Michelson2020-07-031-0/+1
| | | | | | CodiMD currently only uses the 'lang' attribute in YAML-metadata of a note for setting certain js-elements of the markdown-renderer. This commit adds the chosen lang into the published version of a note. Signed-off-by: Erik Michelson <github@erik.michelson.eu>
* Backport of #278 for 1.6.1Victor Berger2020-06-204-4/+8
| | | | | | | This is a backport of #278 with the default value of `scope` changed to `undefined`. This is thus a fully backward-compatible change. Signed-off-by: Victor Berger <victor.berger@m4x.org>
* findNoteOrCreate: Create new note with empty string instead of `null`Sandro2020-04-281-1/+1
| | | | | | Backport of #345 to 1.x Signed-off-by: Sandro Jäckel <sandro.jaeckel@gmail.com>
* Fix broken redirect on loginSheogorath2020-03-211-2/+4
| | | | | | | | | | | | | | | | | | | | This patch fixes the currently broken redirect on login when people try to access a site they have no access to, they are redirected to the main page to log in. After a successful login they should be redirected to the original note, but instead are redirect to the index page again. This aptch fixes the typo that causes the behavior and brings people back to the note they edited. Thanks to @clvs7-gh on Github[1], who submitted the patch via email. On their behalf I hereby submit the change. [1]: https://github.com/clvs7-gh Note: I had to ajust this patch to work properly. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Backport Fix for relative theme pathSheogorath2020-03-211-1/+1
| | | | | | This commit backport 856fc01fb9b30489b254f2ef9d29de80aa189118 Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Add fix for missing deletion of notes on user-deletion requestSheogorath2020-03-211-0/+61
| | | | | | | | | | | | | | | | | | | | | | Depending on how the system was setup, this bug lead to keep user's data around even after a successful deletion of user'S account. This patch will make sure the missing database constraints are implemented and missed out deletions are executed. This bug was introduced to insufficent testing after implementing the feature initially. It was well tested, using the app process itself, but the migrations where missed out. I'm currently not sure, if there was also a change in how sequelize handles cassaded deletion, since I'm unter the impression that before switching to sequelize 5, this feature has worked. But I haven't verified this. No matter what, the cleanup process is rather straight forward and will be invoked on migration, but can also be done manually using the new `bin/cleanup` script. This change will result in a release 1.6.1. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Update CDN defaultsSheogorath2020-02-091-1/+1
| | | | | | | | | | | | | | | | | | As we noticed in our poll about CDN usage, that most people intentionally turn it off, but very little intetionally turn it on or leave it on. [1] There is also strong indicators that CDNs don't really provide any benefits in loading time and due to the small deployments of CodiMD, there is no big savings due to CDNs either. [2] Therefore this patch changes the CDN default settings to off in order to reduce the exposed user data. [1]: https://community.codimd.org/t/poll-on-cdn-usage/28 [2]: https://csswizardry.com/2019/05/self-host-your-static-assets/ Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Add Google oauth variable: hostedDomainike2020-02-084-4/+7
| | | | | | | | Which is part of `passport-google-oauth2`. It could be used as whitelist to a domain supported by google oauth. Ref: https://github.com/jaredhanson/passport-google-oauth2/issues/3 Signed-off-by: ike <developer@ikewat.com>
* Update RevealJS to version 3.9.2Sheogorath2020-02-011-1/+1
| | | | | | | | | | | | This update of revealJS helps us to get rid of the headjs depedency integration using webpack. It updates reveal.js to 3.9.2 and updates the csp hash accordingly for using the slide mode. Background for this update is the critical security vulnerability described by snyk in their disclosure: https://snyk.io/vuln/SNYK-JS-REVEALJS-543841 Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #218 from hoijui/linkifyHeaderStyleSheogorath2019-12-032-1/+15
|\ | | | | Linkify header style
| * allow to define header link generation style via environment varhoijui2019-10-301-1/+2
| | | | | | | | Signed-off-by: hoijui <hoijui.quaero@gmail.com>
| * document `linkifyHeaderStyle` in default.jshoijui2019-10-301-0/+13
| | | | | | | | Signed-off-by: hoijui <hoijui.quaero@gmail.com>
* | Making the linter happy by removing superfluous ;Ralph Krimmel2019-11-281-1/+1
| | | | | | | | Signed-off-by: Ralph Krimmel <rkrimme1@gwdg.de>
* | Removing returnTo setting from referer in all other authentication sourcesRalph Krimmel2019-11-2812-28/+8
| | | | | | | | Signed-off-by: Ralph Krimmel <rkrimme1@gwdg.de>
* | Moving the storage of referrer information to main authorization check ↵Ralph Krimmel2019-11-282-5/+5
| | | | | | | | | | | | instead of doing it in the authentication source Signed-off-by: Ralph Krimmel <rkrimme1@gwdg.de>
* | Fixing linting problemsRalph Krimmel2019-11-271-4/+3
| | | | | | | | Signed-off-by: Ralph Krimmel <rkrimme1@gwdg.de>
* | Fixing redirection after SAML loginfoobarable2019-11-271-2/+5
| | | | | | | | | | | | Saving referer into session in SAML auth so passport can redirect correctly after SAML login. Signed-off-by: Ralph Krimmel <rkrimme1@gwdg.de>
* | Merge pull request #213 from davidmehren/refactor_backend_notesSheogorath2019-11-2018-578/+561
|\ \ | |/ |/| First steps in refactoring the backend code
| * Inline renderPublishSlideDavid Mehren2019-10-271-8/+4
| | | | | | | | Signed-off-by: David Mehren <dmehren1@gmail.com>
| * Inline responseCodiMDDavid Mehren2019-10-271-18/+14
| | | | | | | | Signed-off-by: David Mehren <dmehren1@gmail.com>
| * Inline publish and slideDavid Mehren2019-10-271-10/+2
| | | | | | | | Signed-off-by: David Mehren <dmehren1@gmail.com>
| * Inline renderPublishDavid Mehren2019-10-271-8/+4
| | | | | | | | Signed-off-by: David Mehren <dmehren1@gmail.com>
| * Move showPublishNote and publishNoteActions to note controllerDavid Mehren2019-10-276-125/+99
| | | | | | | | Signed-off-by: David Mehren <dmehren1@gmail.com>
| * Move showNote to note controllerDavid Mehren2019-10-273-133/+19
| | | | | | | | Signed-off-by: David Mehren <dmehren1@gmail.com>
| * Move note actions into their own fileDavid Mehren2019-10-272-9/+131
| | | | | | | | Signed-off-by: David Mehren <dmehren1@gmail.com>
| * Rename actions.js to controller.js and rename functions to be more descriptiveDavid Mehren2019-10-273-34/+33
| | | | | | | | | | | | Move postNote to NoteController and rename to createFromPost Signed-off-by: David Mehren <dmehren1@gmail.com>
| * Move slide actions to own fileDavid Mehren2019-10-274-85/+87
| | | | | | | | Signed-off-by: David Mehren <dmehren1@gmail.com>
| * Fix errors constant in note/actions.jsDavid Mehren2019-10-271-7/+7
| | | | | | | | Signed-off-by: David Mehren <dmehren1@gmail.com>
| * Move note actions to their own file.David Mehren2019-10-2715-387/+407
| | | | | | | | | | | | Because of circular import problems, this commit also moves the error messages from response.js to errors.js Signed-off-by: David Mehren <dmehren1@gmail.com>
* | Fix crash in lutim integrationGirish Ramakrishnan2019-10-291-1/+1
|/ | | | Signed-off-by: Girish Ramakrishnan <girish@cloudron.io>
* Allow to generate lower case header references through the confighoijui2019-10-222-2/+4
| | | | | | | | | | | | | This makes the references consistent/compatible with GitHub, GitLab, Pandoc and many other tools. This behavior can be enabled in config.json with: ``` "linkifyHeaderStyle": "gfm" ``` Signed-off-by: hoijui <hoijui.quaero@gmail.com>
* Fix broken error template due to missing opengraphSheogorath2019-10-111-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This regression bug was caused by the error page using the `codimd/head` template. This resulted in error messages like this: ``` ReferenceError: /codimd/public/views/error.ejs:5 3| 4| <head> >> 5| <%- include codimd/head %> 6| <link rel="stylesheet" href="<%- serverURL %>/css/center.css"> 7| </head> 8| /codimd/public/views/codimd/head.ejs:7 5| <meta name="apple-mobile-web-app-status-bar-style" content="black"> 6| <meta name="mobile-web-app-capable" content="yes"> >> 7| <% for (var og in opengraph) { %> 8| <% if (opengraph.hasOwnProperty(og) && opengraph[og].trim() !== '') { %> 9| <meta property="og:<%- og %>" content="<%- opengraph[og] %>"> 10| <% }} if (!opengraph.hasOwnProperty('image')) { %> opengraph is not defined at eval (eval at compile (/codimd/node_modules/ejs/lib/ejs.js:618:12), <anonymous>:18:23) at eval (eval at compile (/codimd/node_modules/ejs/lib/ejs.js:618:12), <anonymous>:99:10) at returnedFn (/codimd/node_modules/ejs/lib/ejs.js:653:17) at tryHandleCache (/codimd/node_modules/ejs/lib/ejs.js:251:36) at View.exports.renderFile [as engine] (/codimd/node_modules/ejs/lib/ejs.js:482:10) at View.render (/codimd/node_modules/express/lib/view.js:135:8) at tryRender (/codimd/node_modules/express/lib/application.js:640:10) at Function.render (/codimd/node_modules/express/lib/application.js:592:3) at ServerResponse.render (/codimd/node_modules/express/lib/response.js:1012:7) at responseError (/codimd/lib/response.js:57:20) at Object.errorNotFound (/codimd/lib/response.js:30:5) at newNote (/codimd/lib/response.js:134:76) at /codimd/lib/response.js:172:16 at tryCatcher (/codimd/node_modules/bluebird/js/release/util.js:16:23) at Promise._settlePromiseFromHandler (/codimd/node_modules/bluebird/js/release/promise.js:517:31) at Promise._settlePromise (/codimd/node_modules/bluebird/js/release/promise.js:574:18) at Promise._settlePromise0 (/codimd/node_modules/bluebird/js/release/promise.js:619:10) at Promise._settlePromises (/codimd/node_modules/bluebird/js/release/promise.js:699:18) at _drainQueueStep (/codimd/node_modules/bluebird/js/release/async.js:138:12) at _drainQueue (/codimd/node_modules/bluebird/js/release/async.js:131:9) at Async._drainQueues (/codimd/node_modules/bluebird/js/release/async.js:147:5) at Immediate.Async.drainQueues (/codimd/node_modules/bluebird/js/release/async.js:17:14) ``` The fix for that is rather trivial. We simply provide an empty array of metadata when generating the error template. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #191 from ErikMichelson/feature/ogmetadataSheogorath2019-10-102-2/+15
|\ | | | | Add customizable opengraph metadata for notes (see #40)
| * Added customizable og-metadata to notesErik Michelson2019-10-042-2/+15
| | | | | | | | Signed-off-by: Erik Michelson <erik@liltv.de>
* | remove unused variable to pass ci testing - #58Amolith2019-10-031-1/+0
| | | | | | | | Signed-off-by: Amolith <amolith@nixnet.xyz>
* | remove legacy code to solve #58Amolith2019-10-031-10/+0
|/ | | | Signed-off-by: Amolith <amolith@nixnet.xyz>
* Merge pull request #170 from ErikMichelson/post-note-urlSheogorath2019-09-262-13/+19
|\ | | | | Added endpoint for note-creation with given alias
| * Refactored note-creation with given noteIdErik Michelson2019-09-042-14/+18
| | | | | | | | | | | | | | Known bugs/features: - pushing towards an existing note results in an error 500 Signed-off-by: Erik Michelson <erik@liltv.de>
| * Added endpoint for note-creation with given aliasErik Michelson2019-09-042-2/+4
| | | | | | | | Signed-off-by: Erik Michelson <erik@liltv.de>