Commit Graph

2081 Commits

Author SHA1 Message Date
Sheogorath c4dba48f79
Fix possible file limit errors
As we currently may need higher nofile limits than usual/default on
various systems this commit should probide a fix for that an allow to
build HackMD without highering these limits and increase security.

Inspiration was found in a copy-webpack-plugin-issue[1] and found by
@thegcat[2]. Thanks for that!

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>

[1]:
https://github.com/webpack-contrib/copy-webpack-plugin/issues/59#issuecomment-228563990
[2]: https://github.com/thegcat
2018-04-16 21:08:34 +02:00
Sheogorath 8a3cec73c1
Add config.json.example to npm test
This commit extends the find command to also match the example config
file.

This should validate the syntax or this file to prevent syntax errors
for future pull request.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-14 22:20:35 +02:00
Sheogorath 132b445fef
Fix example config
This commit fixes some json fromat issues in our config example that
causes errors on setup.

This change should fix it.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-14 22:20:25 +02:00
Sheogorath ef86bf5cba
Use API key instead of clientSecret
As recently discovered we send the clientSecret to the webclient which
is potentionally dangerous. This patch should fix the problem and
replace the clientSecret with the originally intended and correct way to
implement it using the API key.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-13 09:38:59 +02:00
Christoph (Sheogorath) Kern 10121118fb
Merge pull request #797 from SISheogorath/fix/LZErrorLog
Add check for noteId length
2018-04-11 22:48:40 +02:00
Christoph (Sheogorath) Kern 387afd1791
Merge pull request #799 from SISheogorath/fix/AnonymousEditTypos
Fix typos for `allowAnonymousEdits`
2018-04-11 22:48:15 +02:00
Sheogorath f23f403bcb
Extend README
Add hint about file descriptor limits and add the new translation
platform.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-11 09:38:56 +02:00
Sheogorath 735b806d5d
Add check for noteId length
As we know the length of an UUID we can check if the base64 string
of the provided UUID is long enough for a legacy base64 encoded nodeId
and stop processing it in legacy mode, if it's not the case.

This should make the ugly warning way less common.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-10 16:10:34 +02:00
Sheogorath 2492cf2cdf
Fix typos for `allowAnonymousEdits`
Looks like we lost some variables during the refactoring of the configs
to camel case.

This should fix it.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-10 14:40:27 +02:00
Sheogorath bdb8631a7b
Release 1.1.0-ce
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-06 16:24:36 +02:00
Sheogorath 14a0f8594f
Merge branch 'feature/releaseNotes1.1.0' 2018-04-06 16:24:08 +02:00
Sheogorath f4631b038a
Merge branch 'docs/features-1.1.0-ce' 2018-04-06 16:22:26 +02:00
Sheogorath 23b5e9e54a
Minor fixes in relase notes
Fix some spelling and style issues as well as adding the
latest changes.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-06 16:19:24 +02:00
Sheogorath 81e5ebf6d6
Add migration section to README.md
As it was requested to be more visable, this commit adds a migration
section about the introduced config style changes.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-06 02:20:34 +02:00
Christoph (Sheogorath) Kern b97d6cebad
Merge pull request #796 from SISheogorath/feature/addMatrix
Add matrix.org / Riot link
2018-04-06 01:59:00 +02:00
Sheogorath 95f46520e3
Add matrix.org / Riot link
As an active part of the community prefers Matrix.org over Gitter, we
should link Matrix.org as a place to meet us.

As the matrix and gitter channels are interconnected. We don't loose any
message if a person decides to go for one or another.

We use an more universal way of translation to make it easier to provide
a link to various platforms.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-05 11:58:54 +02:00
Christoph (Sheogorath) Kern 5a5b3e9ddd
Merge pull request #790 from SISheogorath/fix/nightModeCSS
Fix modal and panel colors in night mode
2018-04-05 01:24:34 +02:00
Christoph (Sheogorath) Kern 96af23fa31
Merge pull request #791 from SISheogorath/fix/extendedCSPPolicies
Fix CSP for disqus and Google Analytics
2018-04-05 01:13:15 +02:00
Sheogorath b90b215a84
Fix code blocks color in night mode
This provides more eye-friendly code boxes when night mode is active.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-05 00:58:41 +02:00
Sheogorath f2f0369259
Provide feature changes in 1.1.0-ce
Adding some documentation for night mode and upload times. Extend the
contact section for community support.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-30 20:42:55 +02:00
Sheogorath 645f38c228
Update release notes
Providing release notes for version 1.1.0-ce

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-30 20:38:37 +02:00
Sheogorath d939de17df
Fix CSP for disqus and Google Analytics
This commit should fix existing problems with Disqus and Google
Analytics enabled in the meta-yaml section of a note.

Before this commit they were blocked by the strict CSP. It's still
possible to disable the added directives using `addDisqus` and
`addGoogleAnalytics` in the `csp` config section.

They are enabled by default to prevent breaking changes.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-30 16:33:52 +02:00
Sheogorath 291b33880c
Fix modal and panel colors in night mode
Night mode provides a generally, dark interface. This fix provides the
needed CSS to also turn modal and panels into night mode design as well.
This mainly effects the help modal.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-29 23:23:30 +02:00
Christoph (Sheogorath) Kern a9a0577230
Merge pull request #789 from SISheogorath/fix/sessionSecretEnv
Add session data to env vars
2018-03-29 19:40:38 +02:00
Sheogorath 30b5ff0d96
Add session data to env vars
Currently the session secret can only be set by config.json or docker
secrets. This creates a problem on Heroku hosted instances that can not
set a session secret.

Since we automatically generate them on startup this results in an
logout of all users on every config change in Heroku.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-29 19:34:32 +02:00
Christoph (Sheogorath) Kern d2cce7638a
Merge pull request #780 from SISheogorath/fix/sessionSecret
Automatically generate a session secret if default is used
2018-03-28 12:25:01 +02:00
Christoph (Sheogorath) Kern 1649a9b742
Merge pull request #786 from SISheogorath/fix/compatiblityConfig
Fix some issues with legacy config compatiblity
2018-03-27 19:38:21 +02:00
Christoph (Sheogorath) Kern 2d1dc881b8
Merge pull request #788 from mcnesium/docs/gitlab
Add documentation for setting up authentication with a self-hosted GitLab
2018-03-27 18:02:32 +02:00
mcnesium 18d2bbb5f3 Add documentation for setting up authentication with a self-hosted GitLab
Signed-off-by: mcnesium <git@mcnesium.com>
2018-03-27 17:51:59 +02:00
Pedro Ferreira 99abac343b 403: redirect user to login page if not logged in
Signed-Off-By: Pedro Ferreira <pedro.ferreira@cern.ch>
2018-03-27 08:53:37 +02:00
Sheogorath 10a81e7db2
Fix logical error in legacy config expression
We should check for an undefined and not just for a logical true or
false.

Example: When `usecdn` was set to false it was impossible to overwrite
the new config value because the if statement becomes false.

Thanks @davidmehren for pointing me to this issue.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-26 20:49:37 +02:00
Sheogorath 4eef661c15
Rename forgotten values
Looks like we forgot something during the migration. This should fix it.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-26 20:15:45 +02:00
Pedro Ferreira 34df7ccce8 Use TEXT instead of STRING for tokens
Signed-off-by: Pedro Ferreira <pedro.ferreira@cern.ch>
2018-03-26 15:55:39 +02:00
Pedro Ferreira 40b3855702 Add support for generic OAuth2 providers
Signed-off-by: Pedro Ferreira <pedro.ferreira@cern.ch>
2018-03-26 15:55:39 +02:00
Christoph (Sheogorath) Kern 5d57a4bb6f
Merge pull request #779 from SISheogorath/fix/cspForVideo
Allow embedding of video and audio tags
2018-03-26 14:51:09 +02:00
Christoph (Sheogorath) Kern 6a4350af2b
Merge pull request #778 from SISheogorath/fix/nightModeToggle
Fix night mode button after restore
2018-03-26 11:27:38 +02:00
Sheogorath 7681076eb3
Add title attribute in table of contents
Right now the full title of an element is may not shown as the space of
the ToC is limited. With this path it'll be shower on hover and this way
provide more useful information.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-26 11:20:18 +02:00
Sheogorath 3599fb79b4
Automatically generate a session secret if default is used
The session secret is used to sign and authenticate the session cookie
and this way very important for the authentication process.

By default the session secret is set to `secret` and never changes. This
commit will add a generator for a dynamic session secret if it stays
unchanged.

It prevents session hijacking this way and will warn the user about
the missing secret.

This also implies that on a restart without configured session secret
will log out all users. While it may seems annoying, it's for the users
best.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-26 00:36:28 +02:00
Sheogorath 450262c4ab
Allow embedding of video and audio tags
Adding mediaSrc to CSP so video and audio files can be embedded without
problems.

From a security perspective it should be fine to load audio and video
data without introducing a high security issue. Only from a privacy
perspective it allows another way to track users if there are data
embedded. But it doesn't introduce any new attack vector as pictures are
also allowed from everywhere.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-25 20:51:56 +02:00
Sheogorath 8b69013ebd
Fix night mode button after restore
The night mode toggle doesn't get the right state after restore from
local storage. This results in the need to toggle twice to disable night
mode.

This patch adds the needed class so the toggleNightMode function gets
the right state on execution.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-25 20:12:02 +02:00
Christoph (Sheogorath) Kern 57c47a65dd
Merge pull request #758 from SISheogorath/cleanup/config
Change config to camel case with backwards compatibility
2018-03-25 19:15:17 +02:00
Sheogorath 2411dffa2c
Change config to camel case with backwards compatibility
This refactors the configs a bit to now use camel case everywhere.
This change should help to clean up the config interface and make it
better understandable.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-25 19:08:14 +02:00
Christoph (Sheogorath) Kern ea1d35eddb
Merge pull request #775 from SISheogorath/feature/nightMode
Persist nightmode so we can re-enable it on reload
2018-03-24 14:35:48 +01:00
Sheogorath 32c578db08
Persist nightmode so we can re-enable it
Right now the night mode is possible to set by a toggle in the menu bar
but needs to be re-enabled on every document switch, reload, etc.. This
is super annoying so we should keep this state in local storage or
a cookie.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-23 19:46:38 +01:00
Christoph (Sheogorath) Kern fa4a8418af
Merge pull request #772 from SISheogorath/fix/chromeFileError
Some fixes for inline-Attachments in Codemirror
2018-03-21 14:15:04 +01:00
Christoph (Sheogorath) Kern 6485f96659
Merge pull request #771 from SISheogorath/refactor/imageRouter
Refactoring imageRouter to modularity
2018-03-21 14:13:32 +01:00
Sheogorath 1756e76dc3
Refactoring imageRouter to modularity
This should make the imageRouter more modular and easier to extent. Also
a lot of code duplication was removed which should simplify maintenance
in future.

In the new setup we only need to provide a new module file which exports
a function called `uploadImage` and takes a filePath and a callback as
argument. The callback itself takes an error and an url as parameter.
This eliminates the need of a try-catch-block around the statement and
re-enabled the optimization in NodeJS.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-20 11:00:11 +01:00
Sheogorath 6e6a98b392
Update yarn.lock
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-18 15:36:52 +01:00
Christoph (Sheogorath) Kern 5361a97188
Merge pull request #770 from SISheogorath/fix/ldapUUID
Add check for undefined UUID
2018-03-18 15:13:51 +01:00
Christoph (Sheogorath) Kern f6df2deb84
Merge pull request #743 from hackmdio/fix-to-use-url-safe-base64
Fix to use url-safe base64 in note url
2018-03-18 15:13:06 +01:00