From 3331c0947cb6d63ce7f2846c38d5a7b82960b2eb Mon Sep 17 00:00:00 2001 From: Nicolas Dietrich Date: Fri, 22 Jan 2021 15:36:47 +0100 Subject: Minor refactoring of freeURL condition check Signed-off-by: Nicolas Dietrich --- lib/web/note/util.js | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/lib/web/note/util.js b/lib/web/note/util.js index 9c6c1c8a..75f0c815 100644 --- a/lib/web/note/util.js +++ b/lib/web/note/util.js @@ -51,10 +51,12 @@ exports.newNote = function (req, res, body) { } else if (!config.allowAnonymous) { return errors.errorForbidden(res) } - if (config.allowFreeURL && noteId && !config.forbiddenNoteIDs.includes(noteId)) { - req.alias = noteId - } else if (noteId) { - return req.method === 'POST' ? errors.errorForbidden(res) : errors.errorNotFound(res) + if (noteId) { + if (config.allowFreeURL && !config.forbiddenNoteIDs.includes(noteId)) { + req.alias = noteId + } else { + return req.method === 'POST' ? errors.errorForbidden(res) : errors.errorNotFound(res) + } } models.Note.create({ ownerId: owner, -- cgit v1.2.3 From 497569fee4a841b13ed1606ca54f269162d3fa62 Mon Sep 17 00:00:00 2001 From: Nicolas Dietrich Date: Fri, 22 Jan 2021 16:47:47 +0100 Subject: Add config option which requires authentication in FreeURL mode This mitigates unintended note creation by bots or humans through a simple GET call. See discussion in #754. Signed-off-by: Nicolas Dietrich --- docs/content/configuration.md | 1 + lib/config/default.js | 1 + lib/config/environment.js | 1 + lib/config/hackmdEnvironment.js | 1 + lib/web/note/util.js | 2 +- 5 files changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/content/configuration.md b/docs/content/configuration.md index f57d7178..ff459608 100644 --- a/docs/content/configuration.md +++ b/docs/content/configuration.md @@ -96,6 +96,7 @@ these are rarely used for various reasons. | `allowAnonymous` | `CMD_ALLOW_ANONYMOUS` | **`true`** or `false` | Set to allow anonymous usage (default is `true`). | | `allowAnonymousEdits` | `CMD_ALLOW_ANONYMOUS_EDITS` | **`false`** or `true` | If `allowAnonymous` is `false`: allow users to select `freely` permission, allowing guests to edit existing notes (default is `false`). | | `allowFreeURL` | `CMD_ALLOW_FREEURL` | **`false`** or `true` | Set to allow new note creation by accessing a nonexistent note URL. This is the behavior familiar from [Etherpad](https://github.com/ether/etherpad-lite). | +| `requireFreeURLAuthentication` | `CMD_REQUIRE_FREEURL_AUTH` | **`false`** or `true` | Set to require authentication for FreeURL mode style note creation. | | `defaultPermission` | `CMD_DEFAULT_PERMISSION` | **`editable`**, `freely`, `limited`, `locked`, `protected` or `private` | Set notes default permission (only applied on signed-in users). | | `sessionName` | | **`connect.sid`** | Cookie session name. | | `sessionLife` | `CMD_SESSION_LIFE` | **`14 * 24 * 60 * 60 * 1000`**, `1209600000` (14 days) | Cookie session life time in milliseconds. | diff --git a/lib/config/default.js b/lib/config/default.js index fe9b7059..ed812f45 100644 --- a/lib/config/default.js +++ b/lib/config/default.js @@ -33,6 +33,7 @@ module.exports = { allowAnonymous: true, allowAnonymousEdits: false, allowFreeURL: false, + requireFreeURLAuthentication: false, forbiddenNoteIDs: ['robots.txt', 'favicon.ico', 'api', 'build', 'css', 'docs', 'fonts', 'js', 'uploads', 'vendor', 'views'], defaultPermission: 'editable', dbURL: '', diff --git a/lib/config/environment.js b/lib/config/environment.js index 2a2c5fbb..3f13c8e0 100644 --- a/lib/config/environment.js +++ b/lib/config/environment.js @@ -29,6 +29,7 @@ module.exports = { allowAnonymous: toBooleanConfig(process.env.CMD_ALLOW_ANONYMOUS), allowAnonymousEdits: toBooleanConfig(process.env.CMD_ALLOW_ANONYMOUS_EDITS), allowFreeURL: toBooleanConfig(process.env.CMD_ALLOW_FREEURL), + requireFreeURLAuthentication: toBooleanConfig(process.env.CMD_REQUIRE_FREEURL_AUTH), forbiddenNoteIDs: toArrayConfig(process.env.CMD_FORBIDDEN_NOTE_IDS), defaultPermission: process.env.CMD_DEFAULT_PERMISSION, dbURL: process.env.CMD_DB_URL, diff --git a/lib/config/hackmdEnvironment.js b/lib/config/hackmdEnvironment.js index 76e41361..ecdd9a51 100644 --- a/lib/config/hackmdEnvironment.js +++ b/lib/config/hackmdEnvironment.js @@ -24,6 +24,7 @@ module.exports = { allowAnonymous: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS), allowAnonymousEdits: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS_EDITS), allowFreeURL: toBooleanConfig(process.env.HMD_ALLOW_FREEURL), + requireFreeURLAuthentication: toBooleanConfig(process.env.HMD_REQUIRE_FREEURL_AUTH), defaultPermission: process.env.HMD_DEFAULT_PERMISSION, dbURL: process.env.HMD_DB_URL, sessionSecret: process.env.HMD_SESSION_SECRET, diff --git a/lib/web/note/util.js b/lib/web/note/util.js index 75f0c815..57438515 100644 --- a/lib/web/note/util.js +++ b/lib/web/note/util.js @@ -52,7 +52,7 @@ exports.newNote = function (req, res, body) { return errors.errorForbidden(res) } if (noteId) { - if (config.allowFreeURL && !config.forbiddenNoteIDs.includes(noteId)) { + if (config.allowFreeURL && !config.forbiddenNoteIDs.includes(noteId) && (!config.requireFreeURLAuthentication || req.isAuthenticated())) { req.alias = noteId } else { return req.method === 'POST' ? errors.errorForbidden(res) : errors.errorNotFound(res) -- cgit v1.2.3 From 5e269e4af97b78765b63c3e1dc638d5cbb50ac0b Mon Sep 17 00:00:00 2001 From: Nicolas Dietrich Date: Sat, 23 Jan 2021 14:14:47 +0100 Subject: Keep JS and env varibale name in sync (requireFreeURLAuthentication) Signed-off-by: Nicolas Dietrich --- docs/content/configuration.md | 2 +- lib/config/environment.js | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/configuration.md b/docs/content/configuration.md index ff459608..9429e0c2 100644 --- a/docs/content/configuration.md +++ b/docs/content/configuration.md @@ -96,7 +96,7 @@ these are rarely used for various reasons. | `allowAnonymous` | `CMD_ALLOW_ANONYMOUS` | **`true`** or `false` | Set to allow anonymous usage (default is `true`). | | `allowAnonymousEdits` | `CMD_ALLOW_ANONYMOUS_EDITS` | **`false`** or `true` | If `allowAnonymous` is `false`: allow users to select `freely` permission, allowing guests to edit existing notes (default is `false`). | | `allowFreeURL` | `CMD_ALLOW_FREEURL` | **`false`** or `true` | Set to allow new note creation by accessing a nonexistent note URL. This is the behavior familiar from [Etherpad](https://github.com/ether/etherpad-lite). | -| `requireFreeURLAuthentication` | `CMD_REQUIRE_FREEURL_AUTH` | **`false`** or `true` | Set to require authentication for FreeURL mode style note creation. | +| `requireFreeURLAuthentication` | `CMD_REQUIRE_FREEURL_AUTHENTICATION` | **`false`** or `true` | Set to require authentication for FreeURL mode style note creation. | | `defaultPermission` | `CMD_DEFAULT_PERMISSION` | **`editable`**, `freely`, `limited`, `locked`, `protected` or `private` | Set notes default permission (only applied on signed-in users). | | `sessionName` | | **`connect.sid`** | Cookie session name. | | `sessionLife` | `CMD_SESSION_LIFE` | **`14 * 24 * 60 * 60 * 1000`**, `1209600000` (14 days) | Cookie session life time in milliseconds. | diff --git a/lib/config/environment.js b/lib/config/environment.js index 3f13c8e0..e03bac8a 100644 --- a/lib/config/environment.js +++ b/lib/config/environment.js @@ -29,7 +29,7 @@ module.exports = { allowAnonymous: toBooleanConfig(process.env.CMD_ALLOW_ANONYMOUS), allowAnonymousEdits: toBooleanConfig(process.env.CMD_ALLOW_ANONYMOUS_EDITS), allowFreeURL: toBooleanConfig(process.env.CMD_ALLOW_FREEURL), - requireFreeURLAuthentication: toBooleanConfig(process.env.CMD_REQUIRE_FREEURL_AUTH), + requireFreeURLAuthentication: toBooleanConfig(process.env.CMD_REQUIRE_FREEURL_AUTHENTICATION), forbiddenNoteIDs: toArrayConfig(process.env.CMD_FORBIDDEN_NOTE_IDS), defaultPermission: process.env.CMD_DEFAULT_PERMISSION, dbURL: process.env.CMD_DB_URL, -- cgit v1.2.3 From ad056d7dbbe0c0bf6cb8d390f88d5e47a288cae1 Mon Sep 17 00:00:00 2001 From: Nicolas Dietrich Date: Sat, 23 Jan 2021 14:15:51 +0100 Subject: Don't add new config option in hackmd compatibility layer Signed-off-by: Nicolas Dietrich --- lib/config/hackmdEnvironment.js | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/config/hackmdEnvironment.js b/lib/config/hackmdEnvironment.js index ecdd9a51..76e41361 100644 --- a/lib/config/hackmdEnvironment.js +++ b/lib/config/hackmdEnvironment.js @@ -24,7 +24,6 @@ module.exports = { allowAnonymous: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS), allowAnonymousEdits: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS_EDITS), allowFreeURL: toBooleanConfig(process.env.HMD_ALLOW_FREEURL), - requireFreeURLAuthentication: toBooleanConfig(process.env.HMD_REQUIRE_FREEURL_AUTH), defaultPermission: process.env.HMD_DEFAULT_PERMISSION, dbURL: process.env.HMD_DB_URL, sessionSecret: process.env.HMD_SESSION_SECRET, -- cgit v1.2.3