Christoph (Sheogorath) Kern
551840ad57
Merge pull request #784 from pferreir/add-oauth2-support
...
Add "generic" OAuth2 support
2018-06-04 15:54:47 +02:00
Adam Hoka
b5574466cd
Fix callback validation
...
Signed-off-by: Adam Hoka <hoka.adam@nexogen.hu>
2018-06-01 14:26:28 +02:00
Ádám Hóka
376fcab2ca
Add Azure Blob Storage support
...
Signed-off-by: Adam Hoka <hoka.adam@nexogen.hu>
2018-06-01 10:07:52 +02:00
Christoph (Sheogorath) Kern
12ab90020a
Merge pull request #785 from pferreir/redirect-to-login
...
403: Redirect user to login page if not logged in
2018-05-31 12:16:11 +02:00
Sheogorath
bcbb8c67c9
Add note export function
...
This function is the first step to get out data following GDPR about the
transportability of data.
Details: https://gdpr-info.eu/art-20-gdpr/
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-26 03:12:21 +02:00
Sheogorath
70df29790a
Add token based security feature
...
In the current setup users could be tricked into deleting their data by
providing a malicious link like `[click me](/me/delete)`. This commit
prevents such an easy attack and need the user's deleteToken to get his
data deleted. In case someone requests his deletion by email you can
also ask him for this token.
We can add a GUI that shows it later on.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 18:26:06 +02:00
Sheogorath
e31d204d74
Fix requests for deleted users
...
When users are requested from the authorship which no longer exist, they
shouldn't cause a 500.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 16:15:18 +02:00
Sheogorath
4229084c62
Add delete function for authenticated users
...
Allow users to delete themselbes. This is require to be GDPR compliant.
See: https://gdpr-info.eu/art-17-gdpr/
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 15:24:47 +02:00
Sheogorath
408ab7ae1d
Use cascaded deletes
...
When we delete a user we should delete all the notes that belong to this
user including the revisions of these notes.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 14:55:18 +02:00
Sheogorath
8aa5c03213
Use hard delete instead of soft delete
...
Right now we only flag notes as deleted. This is no longer allowed under
GDPR. Make sure you do regular backups!
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 14:50:37 +02:00
Sheogorath
41a36e2e18
Add privacy and ToS links
...
To be GDPR compliant we need to provide privacy statement. These should
be linked on the index page. So as soon as a document exist under
`public/docs/privacy.md` the link will show up.
Since we already add legal links, we also add Terms of Use, which will
show up as soon as `public/docs/terms-of-use.md` exists.
This should allow everyone to provide the legal documents they need for
GDPR and other privacy and business laws.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-24 18:10:36 +02:00
Christoph (Sheogorath) Kern
6d44ded269
Revert "Workaround Google API problems"
2018-05-16 01:31:50 +02:00
Christoph (Sheogorath) Kern
e4e198c819
Merge pull request #813 from SISheogorath/fix/googleAPI
...
Workaround Google API problems
2018-05-10 00:13:23 +02:00
Max Wu
e0629c7d27
Fix typo of "grouptAttribute" in saml auth module
...
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-04-27 21:52:05 +08:00
Christoph (Sheogorath) Kern
763479bea8
Merge pull request #803 from SISheogorath/fix/letterAvatarCSP
...
Move letter-avatars into own request
2018-04-17 22:29:37 +02:00
Sheogorath
69aed93282
Move letter-avatars into own request
...
To prevent further weakening of our CSP policies, moving the Avatars
into a non-inline version is the way to go.
This implementation probably needs some beautification. But already fixes
the bug.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-17 19:06:59 +02:00
Sheogorath
ef86bf5cba
Use API key instead of clientSecret
...
As recently discovered we send the clientSecret to the webclient which
is potentionally dangerous. This patch should fix the problem and
replace the clientSecret with the originally intended and correct way to
implement it using the API key.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-13 09:38:59 +02:00
Christoph (Sheogorath) Kern
10121118fb
Merge pull request #797 from SISheogorath/fix/LZErrorLog
...
Add check for noteId length
2018-04-11 22:48:40 +02:00
Sheogorath
735b806d5d
Add check for noteId length
...
As we know the length of an UUID we can check if the base64 string
of the provided UUID is long enough for a legacy base64 encoded nodeId
and stop processing it in legacy mode, if it's not the case.
This should make the ugly warning way less common.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-10 16:10:34 +02:00
Sheogorath
2492cf2cdf
Fix typos for `allowAnonymousEdits`
...
Looks like we lost some variables during the refactoring of the configs
to camel case.
This should fix it.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-10 14:40:27 +02:00
Christoph (Sheogorath) Kern
96af23fa31
Merge pull request #791 from SISheogorath/fix/extendedCSPPolicies
...
Fix CSP for disqus and Google Analytics
2018-04-05 01:13:15 +02:00
Sheogorath
d939de17df
Fix CSP for disqus and Google Analytics
...
This commit should fix existing problems with Disqus and Google
Analytics enabled in the meta-yaml section of a note.
Before this commit they were blocked by the strict CSP. It's still
possible to disable the added directives using `addDisqus` and
`addGoogleAnalytics` in the `csp` config section.
They are enabled by default to prevent breaking changes.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-30 16:33:52 +02:00
Sheogorath
30b5ff0d96
Add session data to env vars
...
Currently the session secret can only be set by config.json or docker
secrets. This creates a problem on Heroku hosted instances that can not
set a session secret.
Since we automatically generate them on startup this results in an
logout of all users on every config change in Heroku.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-29 19:34:32 +02:00
Christoph (Sheogorath) Kern
d2cce7638a
Merge pull request #780 from SISheogorath/fix/sessionSecret
...
Automatically generate a session secret if default is used
2018-03-28 12:25:01 +02:00
Christoph (Sheogorath) Kern
1649a9b742
Merge pull request #786 from SISheogorath/fix/compatiblityConfig
...
Fix some issues with legacy config compatiblity
2018-03-27 19:38:21 +02:00
Pedro Ferreira
99abac343b
403: redirect user to login page if not logged in
...
Signed-Off-By: Pedro Ferreira <pedro.ferreira@cern.ch>
2018-03-27 08:53:37 +02:00
Sheogorath
10a81e7db2
Fix logical error in legacy config expression
...
We should check for an undefined and not just for a logical true or
false.
Example: When `usecdn` was set to false it was impossible to overwrite
the new config value because the if statement becomes false.
Thanks @davidmehren for pointing me to this issue.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-26 20:49:37 +02:00
Sheogorath
4eef661c15
Rename forgotten values
...
Looks like we forgot something during the migration. This should fix it.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-26 20:15:45 +02:00
Pedro Ferreira
34df7ccce8
Use TEXT instead of STRING for tokens
...
Signed-off-by: Pedro Ferreira <pedro.ferreira@cern.ch>
2018-03-26 15:55:39 +02:00
Pedro Ferreira
40b3855702
Add support for generic OAuth2 providers
...
Signed-off-by: Pedro Ferreira <pedro.ferreira@cern.ch>
2018-03-26 15:55:39 +02:00
Sheogorath
3599fb79b4
Automatically generate a session secret if default is used
...
The session secret is used to sign and authenticate the session cookie
and this way very important for the authentication process.
By default the session secret is set to `secret` and never changes. This
commit will add a generator for a dynamic session secret if it stays
unchanged.
It prevents session hijacking this way and will warn the user about
the missing secret.
This also implies that on a restart without configured session secret
will log out all users. While it may seems annoying, it's for the users
best.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-26 00:36:28 +02:00
Sheogorath
450262c4ab
Allow embedding of video and audio tags
...
Adding mediaSrc to CSP so video and audio files can be embedded without
problems.
From a security perspective it should be fine to load audio and video
data without introducing a high security issue. Only from a privacy
perspective it allows another way to track users if there are data
embedded. But it doesn't introduce any new attack vector as pictures are
also allowed from everywhere.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-25 20:51:56 +02:00
Sheogorath
2411dffa2c
Change config to camel case with backwards compatibility
...
This refactors the configs a bit to now use camel case everywhere.
This change should help to clean up the config interface and make it
better understandable.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-25 19:08:14 +02:00
Christoph (Sheogorath) Kern
6485f96659
Merge pull request #771 from SISheogorath/refactor/imageRouter
...
Refactoring imageRouter to modularity
2018-03-21 14:13:32 +01:00
Sheogorath
1756e76dc3
Refactoring imageRouter to modularity
...
This should make the imageRouter more modular and easier to extent. Also
a lot of code duplication was removed which should simplify maintenance
in future.
In the new setup we only need to provide a new module file which exports
a function called `uploadImage` and takes a filePath and a callback as
argument. The callback itself takes an error and an url as parameter.
This eliminates the need of a try-catch-block around the statement and
re-enabled the optimization in NodeJS.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-20 11:00:11 +01:00
Christoph (Sheogorath) Kern
5361a97188
Merge pull request #770 from SISheogorath/fix/ldapUUID
...
Add check for undefined UUID
2018-03-18 15:13:51 +01:00
Christoph (Sheogorath) Kern
f6df2deb84
Merge pull request #743 from hackmdio/fix-to-use-url-safe-base64
...
Fix to use url-safe base64 in note url
2018-03-18 15:13:06 +01:00
Sheogorath
638eae0dfb
Add check for undefined UUID
...
This check is needed at there are tons of LDAP implementations out there
and none has at least one guaranteed unique field. As we currently check
three fields and added an option to select one yourself, it's still not
said that any of these fields is set. This will now create an error
and fail the authentication instead of letting people may get access to
other people's notes which are stored under a this way deterministic
wrong userid named `LDAP-undefined`.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-18 00:27:07 +01:00
Christoph (Sheogorath) Kern
6b30f66272
Merge pull request #757 from SISheogorath/fix/migration
...
Add missing migration for permissions
2018-03-17 21:33:02 +01:00
Sheogorath
d682695bf1
Add helper function to fix number problems
...
As minio causes various problem if you configure it using environment
variables and leave the port setting out, which will evaluate to NaN,
this change should fix this in a clean way for this time and helps to
support numbers in general in future.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-16 20:37:59 +01:00
Christoph (Sheogorath) Kern
9cbe03d8a8
Merge pull request #761 from SISheogorath/feature/reportURI
...
Add config option for report URI in CSP
2018-03-14 22:10:23 +01:00
vazontang
070dd27f95
Convert HMD_MINIO_PORT into Number type.
...
fix hackmdio/hackmd#763
Signed-off-by: Tang TsungYi <vazontang@gmail.com>
2018-03-15 04:07:45 +08:00
Sheogorath
efa490a50f
Add config option for report URI in CSP
...
This option is needed as it's currently not possible to add an report
URI by the directives array. This option also allows to get CSP reports
not only on docker based setup but also on our heroku instances.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-14 17:57:41 +01:00
Max Wu
5e975cbe69
Fix to log instead of throwing error on parse note id
...
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-03-11 02:52:24 +08:00
Max Wu
c7657ae81e
Fix parseNoteId order to fix some edge case
...
that LZString note url could be parsed by base64url note url and thus return wrong note id
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-03-10 16:52:24 +08:00
Max Wu
16cb842b94
Improve history migration performance
...
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-03-10 16:51:00 +08:00
Felix Schäfer
12dae4465f
Multiple emails from LDAP are already an Array
...
Signed-off-by: Felix Schäfer <felix@thegcat.net>
2018-03-09 14:39:08 +01:00
Sheogorath
f85ba6df53
Add missing migration for permissions
...
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-06 16:31:41 +01:00
Felix Schäfer
6094c61871
Remove unused LDAP option `tokenSecret`
...
hackmdio/hackmd#754
Signed-off-by: Felix Schäfer <felix@thegcat.net>
2018-03-05 14:06:05 +01:00
Dustin Frisch
d6ee10d176
Introduce ldap.useridField
...
Signed-off-by: Dustin Frisch <fooker@lab.sh>
2018-03-01 23:51:47 +01:00
Max Wu
fe429e9ac1
Update to use buffer in encode/decode note id
...
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-02-27 20:57:31 +08:00
Max Wu
44298baa93
Add migration for LZString compressed note id in history
...
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-02-26 16:46:59 +08:00
Max Wu
baa0418fb5
Remove and replace all note id compression in LZString with base64url
...
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-02-26 16:43:29 +08:00
Max Wu
15ef54c2dc
Fix to show 500 message when got error in parseNoteId
...
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-02-17 00:57:00 +08:00
Max Wu
bb5e021f20
Fix field type to prevent data truncation of authorship ( #721 )
...
* Fix field type to prevent data truncation of authorship
2018-02-09 14:27:06 +01:00
Takeaki Matsumoto
a9973cabc4
Fix typo of DB migration script
...
Signed-off-by: Takeaki Matsumoto <takeaki.matsumoto@ntt.com>
2018-02-08 10:15:05 +09:00
Stefan Bühler
c4f8fb78ee
don't require referer to find note id in socket.io connections ( fixes #623 )
...
Signed-off-by: Stefan Bühler <buehler@cert.uni-stuttgart.de>
2018-02-05 14:26:42 +01:00
Sheogorath
eddf8a3a33
Fix uncaught exception for non-existent user
...
Since we added user management it's possible to get non-existent users
which can cause a crash of the Backend server.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-01-30 21:53:36 +01:00
Christoph (Sheogorath) Kern
adc781f7e3
Merge pull request #704 from SISheogorath/fix/ldapProviderName
...
Fix ldap provider name in template
2018-01-29 15:59:27 +01:00
Sheogorath
bd92010dd2
Remove camel case from `imageuploadtype` in config
...
This removes the only camel cased option of the config options
**we** added to the config.json.
In auth provider's config parts are a lot of camel cased options
provided. We shouldn't touch them to keep them as similar as
possible to the examples.
Fixes #315
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-01-27 23:50:15 +01:00
Sheogorath
e44751b3f1
Fix ldap provider name in template
...
Before this fix it's impossible to set the provider name in the
sign-model since `ldap` is a boolean there and this way not able
to have an attribute like `ldap.providerName`.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-01-26 10:46:22 +01:00
Christoph (Sheogorath) Kern
584f1c5249
Merge pull request #691 from SISheogorath/feature/upload
...
Allow more detailed configuration of upload mime types
2018-01-23 12:10:33 +01:00
Sheogorath
817bb9e639
Fix broken port config
...
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-01-23 12:00:11 +01:00
Christoph (Sheogorath) Kern
eec2318bda
Merge pull request #506 from erasys/minio
...
Add support for minio
2018-01-23 11:43:24 +01:00
Christoph (Sheogorath) Kern
7de6e3211f
Merge pull request #598 from xxyy/feature/csp
...
Implement basic CSP support
2018-01-22 20:43:46 +01:00
Christoph (Sheogorath) Kern
268c81a323
Merge pull request #673 from fooker/master
...
Allow posting new note with content
2018-01-20 19:45:41 +01:00
Sheogorath
a7935a595a
Allow more detailed configuration of upload mime types
...
Fixes #637
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-01-20 15:16:53 +01:00
Dario Ernst
6ae4b8bf13
Add option to enable `freely` permission in closed instance
...
Before, closed disallowed guest edits completely, by removing
the `freely` permission. This makes it possible to explicitely bring
back guest-editing, but not guest-note-creation, to closed instances.
Signed-off-by: Dario Ernst <dario@kanojo.de>
2018-01-20 15:14:56 +01:00
Christoph (Sheogorath) Kern
60005d3039
Merge pull request #686 from SISheogorath/feature/configVersion
...
Load version from package.json
2018-01-19 14:34:54 +01:00
Sheogorath
583aa4f462
Load version from package.json
...
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-01-19 13:54:19 +01:00
Wu Cheng-Han
608008753f
Fix not passing app key correctly in dropbox config
2018-01-19 00:25:08 +08:00
Sheogorath
11a5dd0eb4
Release 1.0.0-ce
2018-01-18 13:03:18 +01:00
Sheogorath
8bf8a1aef1
Ignore empty values for revision.
...
Fixes #420
2018-01-18 11:19:47 +01:00
Christoph (Sheogorath) Kern
8375544dea
Merge pull request #636 from laysdra7265/fix/sslcapath
...
Fix sslcapath bug
2018-01-18 11:17:17 +01:00
Christoph (Sheogorath) Kern
af082d9347
Merge pull request #567 from ccoenen/fix-mysql-text-length
...
converting all content fields to MEDIUMTEXT (affects MySQL only)
2018-01-18 11:16:59 +01:00
Dustin Frisch
f47601857e
Allow posting new note with content
...
Signed-off-by: Dustin Frisch <fooker@lab.sh>
2018-01-18 10:41:58 +01:00
Max Wu
68879d20ed
Fix minor typos
...
of wrong parameters passing order and wrong user object indexing in for each function
2018-01-16 15:51:24 +08:00
Christoph (Sheogorath) Kern
45976a8916
Update index.js
2017-12-22 12:25:13 +01:00
Christoph (Sheogorath) Kern
fc626a6724
Simplify loop
2017-12-22 12:19:19 +01:00
Peter Dave Hello
76873d3f7e
Fix file permission, remove useless executable
2017-12-14 05:05:18 +08:00
Christoph (Sheogorath) Kern
17e3b8b5cd
Merge branch 'master' into ldap-username-field
2017-12-12 10:27:22 +01:00
alecdwm
5e5a021ce0
parse HMD_LDAP_SEARCHATTRIBUTES env var as a comma-separated array
...
Signed-off-by: Alec WM <firstcontact@owls.io>
2017-12-09 20:33:57 +01:00
Lukas Kalbertodt
612b2d1811
Add setting `ldap.usernameField`
...
This determines which ldap field is used as the username on
HackMD. By default, the "id" is used as username, too. The id
is taken from the fields `uidNumber`, `uid` or
`sAMAccountName`. To give the user more flexibility, they can
now choose the field used for the username instead.
2017-12-09 12:30:48 +01:00
LaysDragon
9949795533
fixed sslcapath bug
2017-12-05 12:06:10 +08:00
Norihito Nakae
2db2ff484f
added guide for SAML settings
2017-12-04 20:13:15 +09:00
Norihito Nakae
410268da74
added environment variables for SAML
2017-11-29 20:26:28 +09:00
Norihito Nakae
a22be81feb
fixed the SAML callback URL to unconfigurable.
2017-11-29 15:45:32 +09:00
Norihito Nakae
4a4ae9d332
Initial support for SAML authentication
2017-11-28 18:52:24 +09:00
Sheogorath
8808399c48
Fix mattermost breaking notes
2017-10-31 13:48:35 +01:00
Christoph Witzany
5cda55086a
Add mattermost authentication
2017-10-31 10:34:51 +01:00
Sheogorath
881e800fd8
Merge pull request #562 from SISheogorath/fix/LDAP
...
Fix LDAP problem about missing uidNumber
2017-10-27 12:48:45 +02:00
geekyd
f7d2ef970a
Adds 403 response if PDF export is disabled
2017-10-25 19:21:34 +05:30
geekyd
d63e6780eb
Adds PDF export via config
2017-10-25 19:19:37 +05:30
Literallie
04f5e3a341
Move CSP logic to new file, Fix boolean config examples
...
Not sure why I was quoting these in the first place
2017-10-22 02:18:45 +02:00
Literallie
91101c856c
Change CSP config format to be more intuitive
2017-10-22 00:03:46 +02:00
Literallie
0cbdc852cb
CSP: Allow more content types
2017-10-22 00:03:45 +02:00
Literallie
080436aebb
CSP: Add nonce to slide view inline JS
2017-10-22 00:03:45 +02:00
Literallie
5d2d3ec875
CSP: Upgrade insecure requests if possible
...
Config option; default is to only upgrade if usessl
2017-10-22 00:03:45 +02:00
Literallie
ba183ce654
Add basic CSP support
2017-10-22 00:03:44 +02:00
Claudius Coenen
cc49ce55c8
Fix #521 by converting content fields to LONGTEXT in MySQL, to prevent truncation of data.
2017-10-16 10:13:11 +02:00
Literallie
6bdc90d6ff
Add env vars for extra HSTS options
2017-10-13 01:42:05 +02:00
Literallie
1634d5c567
Add on/off env var for HSTS
2017-10-13 01:42:05 +02:00
Literallie
56411ca0e1
Make HSTS behaviour configurable; Fixes #584
2017-10-13 01:42:05 +02:00
Sheogorath
f93a14e3e1
Fix LDAP problem about missing uidNumber
...
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2017-10-12 14:52:28 +02:00
Sheogorath
53c2d0b5ca
Merge pull request #581 from SISheogorath/fix/HMD_URL_ADDPORT
...
Fix missing boolean setting for HMD_URL_ADDPORT
2017-10-12 00:01:27 +02:00
Sheogorath
89c60d1331
Fix missing boolean setting for HMD_URL_ADDPORT
...
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2017-10-11 23:13:22 +02:00
Claudius Coenen
724a6bc26f
createdAt DESC with quotation marks did not work with MySQL fixes #565
2017-10-09 14:03:33 +02:00
Sheogorath
a99cac0cf0
Merge pull request #550 from SISheogorath/fix/gitlabAvatar
...
Fix broken profile images in GitLab
Fixes #549
2017-10-08 22:20:35 +02:00
Sheogorath
500207545f
Fix broken profile images
2017-09-22 12:40:43 +02:00
Kaiyu Shi
4ae8086301
Give google the correct name.
2017-09-04 16:04:20 +08:00
Marc Deop
2c780f53df
Add support for minio
2017-08-30 18:58:34 +02:00
Kotaro Yamamoto
1220bbe9f6
fix s3 us-east-1 region endpoint
2017-06-14 11:08:09 +09:00
Wu Cheng-Han
20c5c78c29
Fix typo in the db config
2017-06-05 03:52:25 +08:00
Wu Cheng-Han
ca95901204
Fix slide might not provide slideOptions meta
2017-06-05 01:12:40 +08:00
Max Wu
38cf2f7535
Merge pull request #471 from butlerx/reveal/theme
...
add the ability to set slide theme in slide options
2017-06-03 12:51:03 +08:00
butlerx
0c827703c1
switch to __dirname
2017-06-02 11:34:35 +01:00
tkykm
bf3512f8f6
Read to correct tlsca file path
2017-06-01 19:58:55 +09:00
butlerx
c531d96f66
check if reveal theme exists
2017-06-01 10:12:40 +01:00
butlerx
e5834c077f
add the ability to set slide theme in slide options
2017-05-31 23:28:43 +01:00
Max Wu
0a6793747c
fix: export to gist occurred 404 not found
2017-05-17 02:42:44 +08:00
Raccoon Li
0c619fee91
fix(config): ssl environment configs not parse properly
2017-05-08 20:41:38 +08:00
Raccoon Li
826ad213d6
fix(config): some environment config not parse properly
2017-05-08 20:38:59 +08:00
Max Wu
0ef0e70579
Rename checkURiValid.js to checkURIValid.js
2017-05-08 20:13:55 +08:00
Raccoon Li
d79997808a
fix(imageRouter): import missing dependency: getImageMimeType
2017-05-08 20:04:05 +08:00
BoHong Li
ecb0533605
refactor(config.js): Extract config file
...
* Separate different config source to each files
* Freeze config object
2017-05-08 19:29:07 +08:00
BoHong Li
aca01f064d
refactor: Remove `require` extension filename
2017-05-08 19:29:06 +08:00
BoHong Li
34c9f07669
refactor(baseRouter.js): Adjust style fit standard
2017-05-08 19:29:06 +08:00
BoHong Li
a7e3c4d535
refactor(auth.js): Remove base path
2017-05-08 19:29:06 +08:00
BoHong Li
d88502e331
refactor(app.js): Move passport serialize and deserialize to auth module
2017-05-08 19:29:06 +08:00
BoHong Li
7ef17fd4e6
refactor(app.js): Extract tooBusy
2017-05-08 19:29:06 +08:00
BoHong Li
768943002c
refactor(app.js): Extract upload image
2017-05-08 19:29:06 +08:00
BoHong Li
689bade730
refactor(app.js): Extract note action
2017-05-08 19:24:38 +08:00
BoHong Li
e2ac73f5a3
refactor(app.js): Extract /me page
2017-05-08 19:24:38 +08:00
BoHong Li
706df11e23
refactor(app.js): Extract history api
2017-05-08 19:24:38 +08:00
BoHong Li
69a9f7ca38
refactor(app.js, auth.js): Extract all auth method to individual modules
2017-05-08 19:24:38 +08:00
BoHong Li
766022378a
refactor(app.js): Extract status pages
2017-05-08 19:24:37 +08:00
BoHong Li
66c68254b4
refactor(app.js): Extract index, 403, 404, 500 pages
2017-05-08 19:24:37 +08:00
BoHong Li
9f1f16c8e3
refactor(app.js): Extract urlencodedParser to utils module
2017-05-08 19:24:37 +08:00
BoHong Li
dee77c459a
refactor(app.js): Extract middleware to module
...
extract check URi is valid, redirect without trailing slashes
2017-05-08 19:24:37 +08:00
BoHong Li
036b2414f3
refactor(logger): Refactor logger.js
...
Use class style implement write interface
2017-05-08 19:24:37 +08:00
LluisArevalo
6bf32afb0b
Use single quotes
2017-05-08 11:00:45 +02:00
LluisArevalo
03ef1bf4f0
Add Content-Type to the images uploaded to AWS S3
2017-05-08 10:22:52 +02:00
BoHong Li
e46874d04a
fix: Other dialect duplicated add index problem
...
Detect is using SQLite to add index
2017-03-28 15:28:33 +08:00
BoHong Li
e26bb0503f
fix: Support SQlite
...
Move 'unique' constraint to another statement (SQLite don't support set unique when addColumn)
2017-03-28 15:16:09 +08:00
BoHong Li
6f14822413
fix: Add missing migration
2017-03-27 19:23:00 +08:00
BoHong Li
66fc817ad4
fix: Fixed sequelize-cli db:migration cannot stop when occur error
...
Up and Down method must return a Promise.
breaking changes: docker-hackmd cannot initialize, because db:migration will fail
2017-03-24 11:26:04 +08:00
Wu Cheng-Han
dde6e622a4
Fix front-end constants generation not getting config properly
2017-03-23 20:00:48 +08:00
Wu Cheng-Han
7e3b74d0da
Mark as 0.5.1
2017-03-23 00:22:44 +08:00
Wu Cheng-Han
448b006194
Update to generate front-end constants on server startup
...
To avoid extra webpacking on changing configs and follow the 12 factor app
2017-03-20 01:39:09 +08:00
Wu Cheng-Han
4a1d08c653
Fix strip null byte in model should cast to string to use replace function
2017-03-15 22:12:24 +08:00
Wu Cheng-Han
506a381eca
Add config option for gitlab api scope and auto adapt gitlab snippet feature on it
2017-03-14 18:04:23 +08:00
Wu Cheng-Han
baf13072c1
Fix update doc from filesystem cause redundant authorship stringify
2017-03-14 17:11:52 +08:00
BoHong Li
5870d988b5
Use strict mode in all backend files
...
add ‘use strict’ in all backend file
2017-03-14 13:02:43 +08:00
BoHong Li
4889e9732d
Use JavaScript Standard Style
...
Introduce JavaScript Standard Style as project style rule,
and fixed all fail on backend code.
2017-03-08 18:45:51 +08:00
BoHong Li
8f1c97f4a4
Fixed Syntax Error
2017-03-04 17:06:11 +08:00
Raccoon
48592d692c
Merge branch 'master' into feature/addSecrets
2017-03-03 09:22:35 +08:00
Wu Cheng-Han
2aee0f267c
Fix user profile photo might not replace to proper size
2017-02-18 20:07:15 +08:00
Mike
d29aff6505
first envs then the config
...
or docker -e will not work
2017-02-15 10:22:38 +01:00
NV
5375fe5779
Add validation to defaultpermission in config
2017-02-10 11:46:10 +09:00
NV
0a7adaf35d
Add default permission config
2017-02-10 10:16:38 +09:00
Wu Cheng-Han
1cc27e1794
Fix ldap config not initialize properly
2017-02-07 22:31:38 +08:00
Wu Cheng-Han
bbbf64aae4
Fix HMD_LDAP_TLS_CA not passing correctly and update README.md
2017-02-07 21:17:05 +08:00
Sheogorath
a8b99638b2
Add basics for secret management by Docker 1.13
...
See https://docs.docker.com/engine/swarm/secrets/
2017-02-07 02:46:23 +01:00
Wu Cheng-Han
8cfbfa4352
Update to add biggerphoto on parsing user profile
2017-02-03 21:48:36 +08:00
Wu Cheng-Han
ef0ac7768d
Update realtime to use timer to avoid memory leaks on busy tick
2017-02-03 21:47:38 +08:00
Wu Cheng-Han
92ad67b813
Update to remove history cache to lower application coupling
2017-02-03 21:39:08 +08:00
Yukai Huang
74b04d08b5
Merge branch 'master' into es6-integration
2017-01-21 12:55:45 +08:00
Wu Cheng-Han
6e8ff3de23
Fix redundant parameter to removeColumn in db migration scripts
2017-01-21 12:53:18 +08:00
Yukai Huang
4bbe035beb
Merge branch 'master' into frontend-next
2017-01-21 12:08:52 +08:00
Wu Cheng-Han
1473437295
Refactor checkViewPermission to fix limited & protected permission check bug and fix code style
2017-01-16 23:47:53 +08:00
Wu Cheng-Han
3c0667813c
Fix missing config in hackmd response
2017-01-16 12:41:34 +08:00
Yukai Huang
a9a38c3d75
Recover config change in 0f833f0
2017-01-15 11:58:00 +08:00
Yukai Huang
c0e8306961
Merge branch 'frontend-next' into t216-refactor-common
2017-01-15 11:33:22 +08:00
Yukai Huang
0f833f099f
Update server google/dropbox config check
2017-01-14 19:05:54 +08:00
Wu Cheng-Han
6be875263a
Fix allowemailregister config typo and default should be true
2017-01-12 23:53:22 +08:00
Wu Cheng-Han
3ee65cd38e
Fix for limited and protected permissions should forbid guest in realtime events
2017-01-12 23:45:51 +08:00
Max Wu
4851098477
Merge pull request #317 from SISheogorath/master+allowEmailRegister
...
Add `allowemailregister` option
2017-01-12 23:37:28 +08:00
Sheogorath
747629e549
Add `allowemailregister` option
2017-01-12 13:54:45 +01:00
Wu Cheng-Han
5f65795e79
Fix permission order and keep wording consistency
2017-01-12 19:04:17 +08:00
Wu Cheng-Han
7e191acbde
Fix author creation in operationCallback might cause unique constraint validation error
2017-01-12 17:18:24 +08:00
Max Wu
a8068d38d5
Merge pull request #313 from elct9620/feature/disable_anonymous_view
...
WIP: Add options to limit anonymous view note
2017-01-10 20:23:47 +08:00
蒼時弦也
7b02c48d93
Adjust permission order to more clarly
2017-01-10 14:13:30 +08:00
蒼時弦也
be7696170f
Fix syntax when use case
2017-01-10 10:19:18 +08:00
蒼時弦也
89b8ddeaba
Add limited and protected permission
2017-01-10 10:02:37 +08:00
蒼時弦也
c21fb8e2a0
Recovery tariling spaces
2017-01-10 09:35:21 +08:00
蒼時弦也
f8e5b54767
Remove temporary change
2017-01-10 09:32:44 +08:00
neopostmodern
ff545b2688
Allow displaying LDAP provider name on sign-in modal
2017-01-09 12:49:23 +01:00
Max Wu
b13635aac9
Merge pull request #279 from alecdwm/ldap-auth
...
Support for LDAP server authentication
2017-01-09 00:49:40 +08:00
alecdwm
94abfaba7c
removed comma
2017-01-06 07:21:59 +01:00
alecdwm
e4fe93249f
dark avatar backgrounds only
2017-01-06 07:18:22 +01:00
alecdwm
b044c2ae19
Use randomcolor not seedrandom for avatar backgrounds
2017-01-06 07:08:07 +01:00
alecdwm
01361afa7a
Profile pictures for LDAP users
2017-01-06 05:37:40 +01:00
蒼時弦也
1fbecbb03d
Fix anonymouse view permission check
2017-01-05 23:37:10 +08:00
蒼時弦也
aaf1ff4b2f
Add limit for constrain anonymous view note
2017-01-05 22:36:40 +08:00
Wu Cheng-Han
c1b5e74cf9
Fix and refactor extracting content using metaMarked directly might lead in invalid object
2017-01-04 23:57:16 +08:00
Wu Cheng-Han
bd4335964d
Mark as 0.5.0
2017-01-02 11:19:01 +08:00
Wu Cheng-Han
10a8448c6a
Fix yaml metadata description not able to show
2017-01-02 11:13:41 +08:00
Wu Cheng-Han
b1ec3ba748
Refactor data processing to model definition
2017-01-02 11:05:36 +08:00
Wu Cheng-Han
d9e19b6029
Update to remove null byte before saving to DB and remove null byte on changes
2017-01-02 11:05:05 +08:00
Wu Cheng-Han
c3a96ff112
Fix migration script of revision lacks of definition of primary key
2017-01-02 11:00:40 +08:00
Wu Cheng-Han
99628a5662
Fix to not use diff_cleanupSemantic, bug report refer to https://code.google.com/p/google-diff-match-patch/issues/detail?id=67
2017-01-02 11:00:08 +08:00
Wu Cheng-Han
f6d8e3ab00
Remove LZString compression for data storage
2017-01-02 10:59:53 +08:00
Wu Cheng-Han
c904083d1f
Remove manual LZString compression for partial socket io event data
2017-01-02 10:52:47 +08:00
bananaappletw
96fb3743f3
Use dburl to configurate
2016-12-22 21:51:48 +08:00
bananaappletw
3a091ff9a5
Simplify code for heroku
2016-12-22 19:42:00 +08:00
bananaappletw
acaeef172a
Fix #293
2016-12-22 13:23:17 +08:00
Florian Rhiem
fdea226159
Fixed typo: anonmyous
2016-12-21 14:36:54 +01:00
Wu Cheng-Han
d140a140de
Fix possible user is undefined in realtime events
2016-12-20 20:33:46 +08:00
Wu Cheng-Han
ae2db1da16
Fix email option in config not parse correctly
2016-12-20 10:47:37 +08:00
Wu Cheng-Han
39521f25a7
Mark as 0.4.6
2016-12-19 17:30:33 +08:00
Wu Cheng-Han
62eccd48e5
Try to fix when server have heavy loading cache might not update to db properly
2016-12-18 22:52:30 +08:00
Wu Cheng-Han
5bb3de2675
Add support of allow free url config option with correspond modifications
2016-12-16 15:38:05 +08:00
Wu Cheng-Han
4b7b902806
Fix typo
2016-12-16 15:37:01 +08:00
Wu Cheng-Han
5c7eb48319
Add support of allow anonymous config option with correspond modifications
2016-12-15 14:11:23 +08:00
alecdwm
3491f97f7e
LDAP auth use email if provided
2016-12-14 13:24:25 +01:00
alecdwm
3007163799
Tokens not required for ldap auth
2016-12-14 12:38:03 +01:00
alecdwm
6ba9a2f039
Added HMD_LDAP_TLS_CA env variable
2016-12-14 11:49:33 +01:00
alecdwm
02e9927714
Initial support for LDAP server authentication
...
Limitations as of this commit:
- tlsOptions can only be specified in config.json, not as env vars
- authentication failures are not yet gracefully handled by the UI
- instead the error message is shown on a blank page (/auth/ldap)
- no email address is associated with the LDAP user's account
- no picture/profile URL is associated with the LDAP user's account
- we might have to generate our own access + refresh tokens,
because we aren't using oauth. The currently generated
tokens are just a placeholder.
- 'LDAP Sign in' needs to be translated to each locale
2016-12-13 22:41:07 +01:00
Yukai Huang
5282bf491e
Update sequelize init condition
2016-12-12 11:12:59 +08:00
Yukai Huang
74c1da4536
Simplify output with sequelize database argument
2016-12-12 10:36:24 +08:00
Wu Cheng-Han
a73d9ce39e
Update to support optional email register and signin
2016-12-02 01:58:14 +08:00
Max Wu
bd3d4958e4
Merge pull request #248 from hackmdio/file-upload-options
...
Support other options for image uploading
2016-11-27 10:54:00 +08:00
Wu Cheng-Han
71a356552f
Update to auto generate meta description based on content in publish note and slide
2016-11-26 23:04:29 +08:00
Wu Cheng-Han
9d4ede4cff
Fix possible XSS in yaml-metadata and turn using ejs escape syntax than external lib [Security Issue]
2016-11-26 22:55:31 +08:00
Wu Cheng-Han
f86a9e0c4b
Fix slide might trigger script when processing markdown which cause XSS [Security Issue]
2016-11-26 22:46:08 +08:00
Wu Cheng-Han
c671d54d67
Add dmp worker to leverage CPU intensive calculation to child process
2016-11-18 12:09:58 +08:00
Yukai Huang
46a4fe10ab
Add env config prefix
2016-11-17 16:28:02 +08:00
Yukai Huang
2b2c593531
Config s3 through env variables
2016-11-16 14:44:42 +08:00
Wu Cheng-Han
c58162a2e7
Revert "Add workers for notes to leverage CPU intensive work loading"
...
This reverts commit 4ccfdfa538
.
2016-11-16 13:58:59 +08:00
Wu Cheng-Han
7adb78aba8
Revert "Add workers for history to leverage CPU intensive work loading"
...
This reverts commit b5920fbbd1
.
2016-11-16 13:58:54 +08:00
Yukai Huang
518a4a120b
upload image to s3
2016-11-16 12:05:24 +08:00
Yukai Huang
a5dad29300
support filesystem image upload
2016-11-14 17:07:07 +08:00
Wu Cheng-Han
b5920fbbd1
Add workers for history to leverage CPU intensive work loading
2016-11-07 21:30:53 +08:00
Wu Cheng-Han
4ccfdfa538
Add workers for notes to leverage CPU intensive work loading
2016-11-07 21:30:40 +08:00
Wu Cheng-Han
e6dfc749f6
Fix config.js use cdn option not parse properly and add missing cdn resources
2016-10-23 22:42:47 +08:00
Wu Cheng-Han
d37321e28d
Change use cdn config option default to be true
2016-10-23 22:27:02 +08:00
Wu Cheng-Han
223c0726cd
Change to raise socket io timeout, heartbeat interval and timeout to lower offline period
2016-10-23 21:42:27 +08:00
Wu Cheng-Han
1e6de0b90e
Change revision saving policy period
2016-10-15 13:54:16 +08:00
Wu Cheng-Han
1418b7a801
Fix socket disconnect might interrupt loop issue
2016-10-14 17:36:04 +08:00
Wu Cheng-Han
c98d263928
Fix to handle undefined document on update history
2016-10-12 17:50:36 +08:00
Wu Cheng-Han
07673f0726
Fix note extract tags might get encoded HTML entity
2016-10-12 13:14:59 +08:00
Wu Cheng-Han
c06b2f4838
Fix history time should save in UNIX timestamp to avoid time offset issue
2016-10-11 16:46:50 +08:00
Wu Cheng-Han
9a15cad42d
Mark as 0.4.5
2016-10-11 11:01:05 +08:00
Wu Cheng-Han
510b125432
Fix new note with empty content not saving to history and remove debug code
2016-10-11 01:22:08 +08:00
Wu Cheng-Han
bc74c1f0cb
Fix doc updating revision not stringify and compress authorship before save
2016-10-11 00:55:38 +08:00
Wu Cheng-Han
dfc8aeeba0
Add more environment variables for server configuration, update related section in README.md
2016-10-10 21:16:58 +08:00
Wu Cheng-Han
b734eb9c85
Try to fix memory leaks by clear OT server before disconnect note
2016-10-10 21:05:49 +08:00
Wu Cheng-Han
12d5ed43a7
Update to support delete note
2016-10-10 21:04:24 +08:00
Wu Cheng-Han
d6d2cf978a
Update to send note title on emit check and refresh event
2016-10-10 20:56:22 +08:00
Wu Cheng-Han
36a1900ce3
Update to make note history count in server-side when user logged
2016-10-10 20:55:33 +08:00