Commit Graph

174 Commits

Author SHA1 Message Date
BoHong Li b884955fe5
refactor: fix lint on app.js
Signed-off-by: BoHong Li <raccoon@hackmd.io>
2019-08-04 23:56:25 +08:00
BoHong Li 17e82c11c9
refactor(realtime): connection flow to queue
Signed-off-by: BoHong Li <a60814billy@gmail.com>
2019-05-27 17:53:07 +08:00
BoHong Li d8b18ee241
refactor(realtime): disconnect flow
1. use queue for queueing disconnect request

Signed-off-by: BoHong Li <a60814billy@gmail.com>
2019-05-27 17:53:06 +08:00
BoHong Li 5575e08485
refactor: remove compression, response compression is responsibility of load balancer
Signed-off-by: BoHong Li <a60814billy@gmail.com>
2019-05-27 17:53:01 +08:00
BoHong Li 0bed306ba9
refactor: Extract createHttpServer Function and Replace Temp with Query
Signed-off-by: BoHong Li <a60814billy@gmail.com>
2019-05-27 17:53:01 +08:00
Sheogorath 20d1f17d2c
Add serbian language
Thanks for the work of the translator Vladan we got a serbian
translation added! Those few changes will add serbian language support
for future CodiMD releases.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-03-04 13:21:01 +01:00
Sheogorath 0aa3116805
Fix wrong maxAgeSeconds multiplication
It seems like the inital work on the hsts module expected milliseconds.
This has either changed or was never true. Either way, it caused that
the current defaults resulted in theory in a 1000 year HSTS policy.
Luckily helmet was smart enough to not go higher than 1 year.

Anyway, this patch fixes the multiplication of the configured size with
1000 by removing this multiplication.

Also to simplify the reading of the defaults, we split them into their
components, 60 times 60 seconds so we get one hour. 24 of those hours so
we get a day and finally 365 days to get our original wanted default of
one year.

Reference:
d69d65ea74
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-19 22:01:54 +01:00
Sheogorath bdeb053397
Fix streaming for winston
During the upgrade of winston in
c3584770f2 a the class extension for
streaming was removed.

This caused silent crashes. Somehow winston simply called
`process.exit(1)` whenever `logger.write()` was called. This is really
bad and only easy to debug because of the testing right after upgrading.

However, reimplementing the stream interface as it was, didn't work, due
to the fact that `logger.write()` is already implemented and causes the
mentioned problem. So we extent the object with an `stream` object that
implements `write()` for streams and pass that to morgan.

So this patch fixes unexpected exiting for streaming towards our logging
module.

References:
https://www.digitalocean.com/community/tutorials/how-to-use-winston-to-log-node-js-applications
c3584770f2
https://stackoverflow.com/a/28824464
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-16 11:49:39 +01:00
Sheogorath e8ec9a8af4
Enforce disabled index for static assets
ExpressJS still does allow serving index.html files. This change
disables that permanently.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-12 21:42:55 +01:00
Sheogorath bcc914a773
Add full version string
Currently we only provide the version from `package.json`. This means
that during updates of instances, e.g. the demo instance, which runs
latest master instead of a stable release, changes are not reflected to
the webclient.

This patch adds a fullversion string that contains the current commit
and this way makes that clients are notified about changes.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-11 12:44:19 +01:00
Cédric Couralet 67f8a64f2b Fix menu for github and dropbox
Signed-off-by: Cédric Couralet <cedric.couralet@gmail.com>
2018-11-07 12:30:17 +00:00
Cédric Couralet d24fb48f16 Fix menu when gitlab is enabled
Signed-off-by: Cédric Couralet <cedric.couralet@gmail.com>
2018-11-07 11:32:20 +00:00
Claudius 44ffc564da removing global site layout vars from individual routers, putting them into app.local
Signed-off-by: Claudius <opensource@amenthes.de>
2018-11-03 00:52:48 +01:00
Christoph (Sheogorath) Kern 32af96aa37
Merge pull request #940 from WilliButz/fix-configurable-paths
enhance configurabiltiy of paths & make execution path-independent
2018-10-05 22:21:01 +02:00
Christoph (Sheogorath) Kern ae8fa41f92
Merge pull request #958 from SISheogorath/fix/uws
Replace `uws` with `ws` package
2018-10-03 16:54:35 +02:00
Claudius bb80bc2292
removing superfluous config parameters for template files
Signed-off-by: Claudius <opensource@amenthes.de>
2018-09-26 21:01:15 +02:00
WilliButz 825ee4e66e
app.js: add missing routes for configurable paths
Signed-off-by: WilliButz <wbutz@cyberfnord.de>
2018-09-26 20:58:38 +02:00
Sheogorath e65e85fa6d
Add indonesian language to CodiMD
Big thanks @filosofikode for the translation work!

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-09-23 17:23:16 +02:00
Sheogorath 6b80626dca
Replace `uws` with `ws` package
`uws` was deprecated by its maintainer and starts to cause more and more
problems and issue reports. So it's time to replace it and use a
maintained project instead. Lucky us, `uws` and `ws` can be used in an
identical way, without problems. To provide better performance, we
install the optional packages as well.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-09-18 00:02:23 +02:00
Miranda Kastemaa 70e8df5c04 Support 'host' & 'path' config options
Signed-off-by: Miranda Kastemaa <miranda@foldplop.com>
2018-07-27 15:35:29 +03:00
Sheogorath a762928e97
Do final internal renameing
A little minor change, by moving the CodiMD version header in its own
middleware. Should simplify to determine the version number of the
Backend in future.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-24 14:05:41 +02:00
Sheogorath 4b060c7dba
Rebrand HackMD to CodiMD
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-24 13:24:12 +02:00
Sheogorath 0ed4b50098
Move config out of statics path
Since static path is providing with a high expiration data, we provide
configs via API. This shouldn't add any noticeable load while making it
uncached and this way working again.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-24 00:07:32 +02:00
Sheogorath 47b18ada76
Remove unused zh.json from repo
Since the original idea of using a symlink didn't work anyway, we should
remove the zh.json symlink from the repo.  It doesn't provide any
benefit but alters the repo on start of HackMD.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-23 21:26:33 +02:00
Christoph (Sheogorath) Kern f36b10abb2
Merge pull request #837 from SISheogorath/translate/korean
Add korean translation
2018-06-07 14:52:56 +02:00
Sheogorath 56182532cb
Add korean translation
This translation was contributed via POEditor by the user Basix.

Thanks a lot for your work!

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-07 14:29:01 +02:00
Sheogorath 634b3c9cea
Fix i18n writing locale files in production
This commit should prevent the i18n module from adding missing
translations to the local files in setups that are not for development.
This way we keep the directory clean and idempotent.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-05 01:40:50 +02:00
Sheogorath ad69c5017b
Removing google drive integration
It's sad but it's not working. For multiple releases this should be
already broken which shows how often it's used.

As there is also a security issue related to that, it's better to
remove the feature completely. Whoever wants to rewrite it, feel free to
go.

This commit removes the Google Drive integration from HackMD's Frontend
editor and this way removes the need to provide any API key and Client
ID in the frontend.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-16 01:34:55 +02:00
Christoph (Sheogorath) Kern 6d44ded269
Revert "Workaround Google API problems" 2018-05-16 01:31:50 +02:00
Sheogorath ef86bf5cba
Use API key instead of clientSecret
As recently discovered we send the clientSecret to the webclient which
is potentionally dangerous. This patch should fix the problem and
replace the clientSecret with the originally intended and correct way to
implement it using the API key.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-13 09:38:59 +02:00
Sheogorath 2411dffa2c
Change config to camel case with backwards compatibility
This refactors the configs a bit to now use camel case everywhere.
This change should help to clean up the config interface and make it
better understandable.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-25 19:08:14 +02:00
Sheogorath 714504618c
Add referrer policy
This commit adds a referrer policy to all requests.

The usage of `same-origin` allows HackMD to still interpret all requests
and this way not break anything. But it prevents 3rd party scripts,
pictures and more to get informations that may lead to not secured note.

It has to be mentioned that this maybe breaks some features of the
Google Analytics embedding. This has to be tested.

Fixes #724

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-02-12 01:59:48 +01:00
Christoph (Sheogorath) Kern 584f1c5249
Merge pull request #691 from SISheogorath/feature/upload
Allow more detailed configuration of upload mime types
2018-01-23 12:10:33 +01:00
Christoph (Sheogorath) Kern 7de6e3211f
Merge pull request #598 from xxyy/feature/csp
Implement basic CSP support
2018-01-22 20:43:46 +01:00
Sheogorath a7935a595a
Allow more detailed configuration of upload mime types
Fixes #637

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-01-20 15:16:53 +01:00
Wu Cheng-Han 608008753f Fix not passing app key correctly in dropbox config 2018-01-19 00:25:08 +08:00
Rwing 362a7eaf65 support Simplified Chinese and rename original zh to Traditional Chinese 2017-10-23 17:38:04 +08:00
Literallie 04f5e3a341
Move CSP logic to new file, Fix boolean config examples
Not sure why I was quoting these in the first place
2017-10-22 02:18:45 +02:00
Literallie e5f03fe135
Add dirty workaround for speakers view inline script 2017-10-22 00:03:46 +02:00
Literallie 2b2b8d6d1d
Allow any connect-src in CSP
Managing these for all the integrations seems like a lot of effort
2017-10-22 00:03:46 +02:00
Literallie d51da8c12c
Don't add nonce to CSP if unsafe-inline is on
Browsers ignore unsafe-inline if a nonce is sent
2017-10-22 00:03:46 +02:00
Literallie 91101c856c
Change CSP config format to be more intuitive 2017-10-22 00:03:46 +02:00
Literallie 996cb37991
CSP: Workaround for ws:// protocol
The spec allows wss:// for 'self', but not ws:// :(
2017-10-22 00:03:45 +02:00
Literallie 4238b9b3ef
Fix MathJax CSP issues 2017-10-22 00:03:45 +02:00
Literallie 080436aebb
CSP: Add nonce to slide view inline JS 2017-10-22 00:03:45 +02:00
Literallie 5d2d3ec875
CSP: Upgrade insecure requests if possible
Config option; default is to only upgrade if usessl
2017-10-22 00:03:45 +02:00
Literallie ba183ce654
Add basic CSP support 2017-10-22 00:03:44 +02:00
Literallie 56411ca0e1
Make HSTS behaviour configurable; Fixes #584 2017-10-13 01:42:05 +02:00
Wu Cheng-Han c8d3951d32 Add support of Danish locale 2017-06-11 15:52:04 +08:00
Wu Cheng-Han cceb5b1a26 Fix import module name typo in app.js 2017-05-08 20:35:51 +08:00