From 497569fee4a841b13ed1606ca54f269162d3fa62 Mon Sep 17 00:00:00 2001
From: Nicolas Dietrich
Date: Fri, 22 Jan 2021 16:47:47 +0100
Subject: Add config option which requires authentication in FreeURL mode

This mitigates unintended note creation by bots or humans through a
simple GET call.

See discussion in #754.

Signed-off-by: Nicolas Dietrich <nidi@mailbox.org>
---
 lib/config/default.js           | 1 +
 lib/config/environment.js       | 1 +
 lib/config/hackmdEnvironment.js | 1 +
 3 files changed, 3 insertions(+)

(limited to 'lib/config')

diff --git a/lib/config/default.js b/lib/config/default.js
index fe9b7059..ed812f45 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -33,6 +33,7 @@ module.exports = {
   allowAnonymous: true,
   allowAnonymousEdits: false,
   allowFreeURL: false,
+  requireFreeURLAuthentication: false,
   forbiddenNoteIDs: ['robots.txt', 'favicon.ico', 'api', 'build', 'css', 'docs', 'fonts', 'js', 'uploads', 'vendor', 'views'],
   defaultPermission: 'editable',
   dbURL: '',
diff --git a/lib/config/environment.js b/lib/config/environment.js
index 2a2c5fbb..3f13c8e0 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -29,6 +29,7 @@ module.exports = {
   allowAnonymous: toBooleanConfig(process.env.CMD_ALLOW_ANONYMOUS),
   allowAnonymousEdits: toBooleanConfig(process.env.CMD_ALLOW_ANONYMOUS_EDITS),
   allowFreeURL: toBooleanConfig(process.env.CMD_ALLOW_FREEURL),
+  requireFreeURLAuthentication: toBooleanConfig(process.env.CMD_REQUIRE_FREEURL_AUTH),
   forbiddenNoteIDs: toArrayConfig(process.env.CMD_FORBIDDEN_NOTE_IDS),
   defaultPermission: process.env.CMD_DEFAULT_PERMISSION,
   dbURL: process.env.CMD_DB_URL,
diff --git a/lib/config/hackmdEnvironment.js b/lib/config/hackmdEnvironment.js
index 76e41361..ecdd9a51 100644
--- a/lib/config/hackmdEnvironment.js
+++ b/lib/config/hackmdEnvironment.js
@@ -24,6 +24,7 @@ module.exports = {
   allowAnonymous: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS),
   allowAnonymousEdits: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS_EDITS),
   allowFreeURL: toBooleanConfig(process.env.HMD_ALLOW_FREEURL),
+  requireFreeURLAuthentication: toBooleanConfig(process.env.HMD_REQUIRE_FREEURL_AUTH),
   defaultPermission: process.env.HMD_DEFAULT_PERMISSION,
   dbURL: process.env.HMD_DB_URL,
   sessionSecret: process.env.HMD_SESSION_SECRET,
-- 
cgit v1.2.3