Commit Graph

107 Commits

Author SHA1 Message Date
Yukai Huang 98bf5a6148
Fix async series been interrupted by parse alias
Signed-off-by: Yukai Huang <yukaihuangtw@gmail.com>
2021-05-11 16:51:27 +08:00
Raccoon 965cca9d39
fix: lint
Signed-off-by: Raccoon <raccoon@hackmd.io>
2021-04-28 17:37:43 +08:00
Raccoon 20b10b7bb7
refactor: beforeCreate and parseNoteId
Signed-off-by: Raccoon <raccoon@hackmd.io>
2021-04-27 19:25:46 +08:00
Raccoon d3bbdfc7d3
fix: can traversal any md files
Signed-off-by: Raccoon <raccoon@hackmd.io>
2021-04-27 18:25:06 +08:00
Daniele Ricci 5463c8412c Use array for tags when available (close #1496)
Signed-off-by: Daniele Ricci <daniele@casaricci.it>
2020-04-30 20:31:22 +02:00
Rafal Proszowski e1977a1da7
Fix GitHub's avatar URL
At the moment, the URL is being composed and modified with the use of
string composition.

This causes issues, if the URL returned by GitHub slightly differs from
the time developer initially had a look into it.

In our case, the URL from GitHub has two query parameters in it, whilst
the codebase only expected one.

This change will take all of these parameters and only set the one we
care about, whilst leaving others intact and carry on with the full URL.

Fixes #1489

Signed-off-by: Rafal Proszowski <paroxp@gmail.com>
2020-04-20 12:25:32 +01:00
BinotaLIU 027195e973
add hooks for hash password
Signed-off-by: BinotaLIU <me@binota.org>
2020-04-20 00:04:13 +08:00
BinotaLIU f618576193
use async hashPassword/verifyPassword
Signed-off-by: BinotaLIU <me@binota.org>
2020-04-20 00:04:12 +08:00
BinotaLIU ec206db173
add methods for password hashing in User model
Signed-off-by: BinotaLIU <me@binota.org>
2020-04-20 00:04:12 +08:00
moycat 46fdb6a6f0
Support avatar for OAuth users
Signed-off-by: Moycat <i@moy.cat>
2020-03-12 13:48:18 +08:00
BoHong Li 66edff87c5
refactor: show note
Signed-off-by: BoHong Li <raccoon@hackmd.io>
2020-01-06 14:19:03 +08:00
BoHong Li 80859f6cf7
feat: remove very old history migration method (since 0.2.8)
Signed-off-by: BoHong Li <raccoon@hackmd.io>
2020-01-06 14:19:01 +08:00
kamijin_fanta 225e28bdbd support to login with github enterprise
Signed-off-by: kamijin_fanta <kamijin@live.jp>
2019-10-25 15:15:42 +09:00
BoHong Li 7eecb4a0d7
refactor: fix lint on lib/models/note.js
Signed-off-by: BoHong Li <raccoon@hackmd.io>
2019-08-04 23:56:26 +08:00
BoHong Li 6c137ae6ed
fix: mattermost has been deprecated, use mattermost-redux instead it.
1. change mattermost color and gitlab color to official color
2. Add mattermost icon because Fork-awesome/font-awesome doesn’t provide mattermost icon

Signed-off-by: BoHong Li <a60814billy@gmail.com>
2019-04-15 13:03:31 +08:00
BoHong Li ee7eea6f91
refactor: fix lint warning on models and migrations
Signed-off-by: BoHong Li <a60814billy@gmail.com>
2019-04-12 18:01:39 +08:00
BoHong Li 4ae1c0ab3e
refactor: replace lz-string with @hackmd/lz-string
Signed-off-by: BoHong Li <a60814billy@gmail.com>
2019-04-12 18:00:22 +08:00
BoHong Li 67707d097f
fix: remove string.js for sucurity issue
1. Upgrade Imgur to fix npm install
2. Upgrade less version for security
3. Change package name in package.json to fit npm package.json rule

Signed-off-by: BoHong Li <a60814billy@gmail.com>
2019-04-12 18:00:22 +08:00
BoHong Li 1150dbe73a
fix: upgrade sequelize to latest version to fix CVE
Signed-off-by: BoHong Li <a60814billy@gmail.com>
2019-04-12 18:00:21 +08:00
BoHong Li 651c11f92a
refactor: replace diff-match-patch to @hackmd/diff-match-patch
Signed-off-by: BoHong Li <a60814billy@gmail.com>
2019-04-11 19:35:12 +08:00
BoHong Li a68d19bc22
fix: scrypt cannot build on some platform, revert the change library commit
Signed-off-by: BoHong Li <a60814billy@gmail.com>
2019-04-10 18:34:31 +08:00
Sheogorath cee2aa92f9
Switch scrypt library to a successor
Since our previous scrypt library is unmaintained since 3 years, it's
time to look for an alternative.

A refactoring towards another password algorithm was worked on and this
is probably still the way to go. But for now the successor of our
previous library should already be enough.

https://www.npmjs.com/package/scrypt (old library)
https://github.com/ml1nk/node-scrypt (new library)
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-21 01:33:34 +01:00
Claudius Coenen 858a59529e switching to eslint for code checking
most rules degraded to WARN, so we don't go insane. This will
change over time. The aim is to conform to a common style

Signed-off-by: Claudius Coenen <opensource@amenthes.de>
2018-11-14 23:15:36 +01:00
WilliButz bd2f7cef49
lib/models/revision.js: make independent of exec-path
Previously calling `app.js` from another directory than
the base directory of CodiMD would result in an error being
thrown because `lib/workers/dmpWorker.js` could not be found.

This change makes the function call independent of the path CodiMD
is started from.

Signed-off-by: WilliButz <wbutz@cyberfnord.de>
2018-09-26 16:56:36 +02:00
Sheogorath db5b86df4c
Further improvement of error handling for LZString
This does some more in depth check on the error message and minimizes
the log noise that is caused by LZString.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-07-27 15:42:58 +02:00
Sheogorath 4b060c7dba
Rebrand HackMD to CodiMD
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-24 13:24:12 +02:00
Sheogorath 318b2d378f
Allow to disable gravatar
Since Gravatar is an external image source and not perfect from a
privacy perspective, forbidding it allows to improve privacy.

This commit also simplifies and optimizes the avatar code.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-23 23:40:55 +02:00
Christoph (Sheogorath) Kern 56d78a7d6c
Merge pull request #830 from SISheogorath/feature/GDPR
GDPR compliant part 1
2018-06-17 23:33:57 +02:00
Christoph (Sheogorath) Kern 551840ad57
Merge pull request #784 from pferreir/add-oauth2-support
Add "generic" OAuth2 support
2018-06-04 15:54:47 +02:00
Sheogorath 70df29790a
Add token based security feature
In the current setup users could be tricked into deleting their data by
providing a malicious link like `[click me](/me/delete)`. This commit
prevents such an easy attack and need the user's deleteToken to get his
data deleted. In case someone requests his deletion by email you can
also ask him for this token.

We can add a GUI that shows it later on.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 18:26:06 +02:00
Sheogorath e31d204d74
Fix requests for deleted users
When users are requested from the authorship which no longer exist, they
shouldn't cause a 500.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 16:15:18 +02:00
Sheogorath 408ab7ae1d
Use cascaded deletes
When we delete a user we should delete all the notes that belong to this
user including the revisions of these notes.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 14:55:18 +02:00
Sheogorath 8aa5c03213
Use hard delete instead of soft delete
Right now we only flag notes as deleted. This is no longer allowed under
GDPR. Make sure you do regular backups!

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 14:50:37 +02:00
Christoph (Sheogorath) Kern 763479bea8
Merge pull request #803 from SISheogorath/fix/letterAvatarCSP
Move letter-avatars into own request
2018-04-17 22:29:37 +02:00
Sheogorath 69aed93282
Move letter-avatars into own request
To prevent further weakening of our CSP policies, moving the Avatars
into a non-inline version is the way to go.

This implementation probably needs some beautification. But already fixes
the bug.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-17 19:06:59 +02:00
Sheogorath 735b806d5d
Add check for noteId length
As we know the length of an UUID we can check if the base64 string
of the provided UUID is long enough for a legacy base64 encoded nodeId
and stop processing it in legacy mode, if it's not the case.

This should make the ugly warning way less common.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-10 16:10:34 +02:00
Pedro Ferreira 34df7ccce8 Use TEXT instead of STRING for tokens
Signed-off-by: Pedro Ferreira <pedro.ferreira@cern.ch>
2018-03-26 15:55:39 +02:00
Sheogorath 2411dffa2c
Change config to camel case with backwards compatibility
This refactors the configs a bit to now use camel case everywhere.
This change should help to clean up the config interface and make it
better understandable.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-25 19:08:14 +02:00
Max Wu 5e975cbe69 Fix to log instead of throwing error on parse note id
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-03-11 02:52:24 +08:00
Max Wu c7657ae81e Fix parseNoteId order to fix some edge case
that LZString note url could be parsed by base64url note url and thus return wrong note id

Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-03-10 16:52:24 +08:00
Max Wu fe429e9ac1 Update to use buffer in encode/decode note id
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-02-27 20:57:31 +08:00
Max Wu baa0418fb5 Remove and replace all note id compression in LZString with base64url
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-02-26 16:43:29 +08:00
Max Wu bb5e021f20 Fix field type to prevent data truncation of authorship (#721)
* Fix field type to prevent data truncation of authorship
2018-02-09 14:27:06 +01:00
Sheogorath 8bf8a1aef1
Ignore empty values for revision.
Fixes #420
2018-01-18 11:19:47 +01:00
Christoph (Sheogorath) Kern af082d9347
Merge pull request #567 from ccoenen/fix-mysql-text-length
converting all content fields to MEDIUMTEXT (affects MySQL only)
2018-01-18 11:16:59 +01:00
Norihito Nakae 4a4ae9d332 Initial support for SAML authentication 2017-11-28 18:52:24 +09:00
Christoph Witzany 5cda55086a Add mattermost authentication 2017-10-31 10:34:51 +01:00
Claudius Coenen cc49ce55c8 Fix #521 by converting content fields to LONGTEXT in MySQL, to prevent truncation of data. 2017-10-16 10:13:11 +02:00
Claudius Coenen 724a6bc26f createdAt DESC with quotation marks did not work with MySQL fixes #565 2017-10-09 14:03:33 +02:00
Sheogorath 500207545f
Fix broken profile images 2017-09-22 12:40:43 +02:00