Commit Graph

653 Commits

Author SHA1 Message Date
Samuel Trégouët 6ff6d215ab fix: add state parameter for oauth2
state parameter is recommended with oauth2 authentification
to mitigate CSRF attacks (see [1]).
hydra [2] will throw the following error message if state is
missing:

  description="The state is missing or has less than 8 characters and is therefore considered too weak" error=invalid_state hint="Request
 parameter \"state\" must be at least be 8 characters long to ensure sufficient entropy."

[1]: https://auth0.com/docs/protocols/oauth2/oauth-state
[2]: https://www.ory.sh/hydra/

Signed-off-by: Samuel Trégouët <samuel.tregouet@gmail.com>
2020-05-11 15:59:49 +02:00
Lucas Druschke bcd92f500f return errorForbidden when anonymous user tries to create freeUrl pad (closes #1499)
Signed-off-by: Lucas Druschke <ldruschk@posteo.de>
2020-04-29 22:42:56 +02:00
Rafal Proszowski e1977a1da7
Fix GitHub's avatar URL
At the moment, the URL is being composed and modified with the use of
string composition.

This causes issues, if the URL returned by GitHub slightly differs from
the time developer initially had a look into it.

In our case, the URL from GitHub has two query parameters in it, whilst
the codebase only expected one.

This change will take all of these parameters and only set the one we
care about, whilst leaving others intact and carry on with the full URL.

Fixes #1489

Signed-off-by: Rafal Proszowski <paroxp@gmail.com>
2020-04-20 12:25:32 +01:00
BinotaLIU d4d0120ab7
prevert directly call of User.hashPassword()
this preverted changes made in 7b8576d. now we use hooks to hash password.
no need to call User.hashPassword() manually.

Signed-off-by: BinotaLIU <me@binota.org>
2020-04-20 00:04:13 +08:00
BinotaLIU 027195e973
add hooks for hash password
Signed-off-by: BinotaLIU <me@binota.org>
2020-04-20 00:04:13 +08:00
BinotaLIU f618576193
use async hashPassword/verifyPassword
Signed-off-by: BinotaLIU <me@binota.org>
2020-04-20 00:04:12 +08:00
BinotaLIU ec206db173
add methods for password hashing in User model
Signed-off-by: BinotaLIU <me@binota.org>
2020-04-20 00:04:12 +08:00
Raccoon 2fe10a78b7
chore: change aws-sdk to @aws-sdk/client-s3-node, reduced module size
Signed-off-by: Raccoon <raccoon@hackmd.io>
2020-04-12 02:24:35 +08:00
Raccoon 421ccbfc25
fix: lutim not required properly
Signed-off-by: Raccoon <raccoon@hackmd.io>
2020-04-12 02:11:43 +08:00
Raccoon e72bcfe0ea
Merge pull request #1459 from hackmdio/feat/improve-version-check
Improve version checker behavior
2020-04-05 15:36:10 +08:00
Raccoon 1b80245546
Merge pull request #1453 from moycat/feature/oauth-avatar
Support avatar for OAuth users
2020-03-26 05:17:27 +08:00
Mark Steve Samson 72c9d049f7
Fix check for creating free url notes
Signed-off-by: Mark Steve Samson <marksteve@thinkingmachin.es>
2020-03-17 21:00:16 +08:00
Raccoon bd508b166f
Update lib/web/middleware/checkVersion.js
Signed-off-by: BoHong Li <raccoon@hackmd.io>
2020-03-17 02:24:01 +08:00
BoHong Li b49a4e24f1
feat(versionCheck): add timeout to 1s and change logger type to avoid log error to disturb user
Signed-off-by: BoHong Li <raccoon@hackmd.io>
2020-03-17 01:24:38 +08:00
Kishan Mehta a1a69a75c0 Add correct path for minio
This should fix #1452

Signed-off-by: Kishan Mehta <kishan@scrapinghub.com>
2020-03-13 18:22:40 +05:30
moycat 46fdb6a6f0
Support avatar for OAuth users
Signed-off-by: Moycat <i@moy.cat>
2020-03-12 13:48:18 +08:00
BoHong Li 3ae3cb191d
fix: some environment variables not in docker secret
Signed-off-by: BoHong Li <raccoon@hackmd.io>
2020-03-06 20:51:25 +08:00
Max Wu fc662661a8 fix: only enable dropbox directives when config is given
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2020-03-03 18:35:57 +08:00
Max Wu e2c31e4cb3 fix: allow Dropbox dropins in CSP directives
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2020-03-03 17:25:36 +08:00
Max Wu 5c9438697a
Merge pull request #1435 from hackmdio/feat/remove-old-config
Remove old config and environment
2020-03-02 21:55:24 +08:00
BoHong Li 48582617ad
doc: remove HMD related and remove docs
All docs migrate to online documentation now and store in `codimd-docs`

Signed-off-by: BoHong Li <raccoon@hackmd.io>
2020-03-02 18:35:25 +08:00
Max Wu d658903d01
Merge pull request #1433 from hackmdio/feature/disable-include-subdomain-hsts
Disable HSTS IncludeSubdomain, to prevent unexpected behavior
2020-03-02 18:29:03 +08:00
BoHong Li ffe0783869
feat: old config and environment is not use anymore
BREAKING CHANGE: remove old config and environment

Signed-off-by: BoHong Li <raccoon@hackmd.io>
2020-03-02 12:06:28 +08:00
BoHong Li ac0f5a9461
feat: change default anonymous setting
BREAKING CHANGE: change allowAnonymous to `false` and setup
allowAnonymousEdits and allowAnonymousViews to `true`

Signed-off-by: BoHong Li <raccoon@hackmd.io>
2020-03-02 11:58:29 +08:00
BoHong Li 40b6b06f57
feat(hsts): trun includeSubdomain to false
BREAKING CHANGE: change default setting from `true` to `false`

Signed-off-by: BoHong Li <raccoon@hackmd.io>
2020-03-02 11:53:35 +08:00
Max Wu c9badcf2e4
Merge pull request #1426 from hackmdio/feat/support-google-hosted-name
Support hostedName in google OAuth provider
2020-02-28 18:03:19 +08:00
BoHong Li b9f0e37eee
feat: support hostedName in google OAuth 2.0 provider
Signed-off-by: BoHong Li <raccoon@hackmd.io>
2020-02-28 17:53:04 +08:00
Max Wu 371e985e29
Merge pull request #1289 from hackmdio/feature/embed-geolocation
Support embedding geolocation data
2020-02-28 17:37:23 +08:00
Yukai Huang 1a000226b0
fix: unwrap the geo div and throw error when input
location search not found

also fix the CSP rule that the img with data src might be violated

Signed-off-by: Yukai Huang <yukaihuangtw@gmail.com>
Co-authored-by: Max Wu <jackymaxj@gmail.com>
2020-02-28 15:48:09 +08:00
BoHong Li 72c5b0d14e
feat: support customize scope in OAuth2 provider
Signed-off-by: BoHong Li <raccoon@hackmd.io>
2020-02-28 02:13:58 +08:00
BoHong Li d5d0f3d820
fix: extractProfileAttribute not working correctly
Signed-off-by: BoHong Li <raccoon@hackmd.io>
2020-02-28 01:53:25 +08:00
Raccoon 50cbf036e3
Merge pull request #1420 from hackmdio/feature/upgrade-reveal.js-3.9.2
Feature/upgrade reveal.js 3.9.2
2020-02-27 19:04:52 +08:00
BoHong Li b8fb9dbb9e
fix: download pdf twice may crash server
Signed-off-by: BoHong Li <raccoon@hackmd.io>
2020-02-27 00:02:18 +08:00
Max Wu adf3503c31 feat: update CSP nonce for reveal.js 3.9.2 speaker notes feature
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2020-02-26 22:36:25 +08:00
BoHong Li da3fd00577
refactor: change errorServiceUnavailable function signature to avoid parameter passing error
Signed-off-by: BoHong Li <raccoon@hackmd.io>
2020-02-26 11:26:56 +08:00
BoHong Li 13ed2e6b44
refactor: change errorInternalError function signature to avoid parameter passing error
Signed-off-by: BoHong Li <raccoon@hackmd.io>
2020-02-26 11:26:01 +08:00
BoHong Li 8787177991
refactor: change errorTooLong function signature to avoid parameter passing error
Signed-off-by: BoHong Li <raccoon@hackmd.io>
2020-02-26 11:23:55 +08:00
BoHong Li 35a2135b36
refactor: change errorBadRequest function signature to avoid parameter passing error
Signed-off-by: BoHong Li <raccoon@hackmd.io>
2020-02-26 11:22:59 +08:00
BoHong Li 09a353ffcc
refactor: change errorNotFound function signature to avoid parameter passing error
Signed-off-by: BoHong Li <raccoon@hackmd.io>
2020-02-26 11:20:42 +08:00
BoHong Li 6b1ce381df
fix: change errorForbidden function signature, add req into function parameter
avoid incorrect function parameter passing

Signed-off-by: BoHong Li <raccoon@hackmd.io>
2020-02-26 11:13:45 +08:00
BoHong Li 7870b82249
fix: server throw TypeError when user not sign-in
Signed-off-by: BoHong Li <raccoon@hackmd.io>
2020-02-26 10:25:25 +08:00
BoHong Li db615e5111
fix: page broken when shortId doesn't exists
Signed-off-by: BoHong Li <raccoon@hackmd.io>
2020-02-26 10:25:25 +08:00
Raccoon d22ea95fb6
Merge pull request #1399 from hackmdio/feature/version-check
Version check middleware & logging
2020-02-24 16:13:50 +08:00
Max Wu 6f78c9ad9a
Merge pull request #1273 from hackmdio/feature/support-pandoc-export
Pandoc export
2020-02-17 11:35:02 +08:00
Yukai Huang f1c9ee4c89
Fix actioinPandoc
Signed-off-by: Yukai Huang <yukaihuangtw@gmail.com>
2020-02-10 11:23:52 +08:00
Yukai Huang 3b2df24b75 Change npm package target
Signed-off-by: Yukai Huang <yukaihuangtw@gmail.com>
2020-02-10 10:58:42 +08:00
Yukai Huang bb9c43348d Support pandoc export
Signed-off-by: Yukai Huang <yukaihuangtw@gmail.com>
2020-02-10 10:58:02 +08:00
BoHong Li 7969d17366
fix(noteController): should check permission when user view note
Signed-off-by: BoHong Li <raccoon@hackmd.io>
2020-02-07 10:55:50 +08:00
Yukai Huang c26a9f10ca
Fix missing environment config for version check
Signed-off-by: Yukai Huang <yukaihuangtw@gmail.com>
2020-02-07 10:55:16 +08:00
Yukai Huang caf4ac61e5
Support emojify.css use cdn
Signed-off-by: Yukai Huang <yukaihuangtw@gmail.com>
2020-02-06 14:31:25 +08:00