Commit Graph

33 Commits

Author SHA1 Message Date
Christoph (Sheogorath) Kern d87505d583
Merge pull request #854 from hackmdio/feature/disableGravatar
Allow to disable gravatar
2018-06-24 01:59:06 +02:00
Sheogorath 0ed4b50098
Move config out of statics path
Since static path is providing with a high expiration data, we provide
configs via API. This shouldn't add any noticeable load while making it
uncached and this way working again.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-24 00:07:32 +02:00
Sheogorath 318b2d378f
Allow to disable gravatar
Since Gravatar is an external image source and not perfect from a
privacy perspective, forbidding it allows to improve privacy.

This commit also simplifies and optimizes the avatar code.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-23 23:40:55 +02:00
Sheogorath a2608c319a
Fix possible error if HackMD is started with wrong workdir
In https://github.com/hackmdio/hackmd/issues/834 is described how
starting HackMD crashes when using the wrong working dir.

This is caused by a relative path in our upload routine. This change
should fix it and prevent future crashes.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-23 23:01:01 +02:00
Christoph (Sheogorath) Kern 551840ad57
Merge pull request #784 from pferreir/add-oauth2-support
Add "generic" OAuth2 support
2018-06-04 15:54:47 +02:00
Ádám Hóka 376fcab2ca Add Azure Blob Storage support
Signed-off-by: Adam Hoka <hoka.adam@nexogen.hu>
2018-06-01 10:07:52 +02:00
Christoph (Sheogorath) Kern 6d44ded269
Revert "Workaround Google API problems" 2018-05-16 01:31:50 +02:00
Sheogorath ef86bf5cba
Use API key instead of clientSecret
As recently discovered we send the clientSecret to the webclient which
is potentionally dangerous. This patch should fix the problem and
replace the clientSecret with the originally intended and correct way to
implement it using the API key.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-13 09:38:59 +02:00
Sheogorath d939de17df
Fix CSP for disqus and Google Analytics
This commit should fix existing problems with Disqus and Google
Analytics enabled in the meta-yaml section of a note.

Before this commit they were blocked by the strict CSP. It's still
possible to disable the added directives using `addDisqus` and
`addGoogleAnalytics` in the `csp` config section.

They are enabled by default to prevent breaking changes.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-30 16:33:52 +02:00
Pedro Ferreira 40b3855702 Add support for generic OAuth2 providers
Signed-off-by: Pedro Ferreira <pedro.ferreira@cern.ch>
2018-03-26 15:55:39 +02:00
Sheogorath 3599fb79b4
Automatically generate a session secret if default is used
The session secret is used to sign and authenticate the session cookie
and this way very important for the authentication process.

By default the session secret is set to `secret` and never changes. This
commit will add a generator for a dynamic session secret if it stays
unchanged.

It prevents session hijacking this way and will warn the user about
the missing secret.

This also implies that on a restart without configured session secret
will log out all users. While it may seems annoying, it's for the users
best.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-26 00:36:28 +02:00
Sheogorath 2411dffa2c
Change config to camel case with backwards compatibility
This refactors the configs a bit to now use camel case everywhere.
This change should help to clean up the config interface and make it
better understandable.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-25 19:08:14 +02:00
Sheogorath efa490a50f
Add config option for report URI in CSP
This option is needed as it's currently not possible to add an report
URI by the directives array. This option also allows to get CSP reports
not only on docker based setup but also on our heroku instances.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-14 17:57:41 +01:00
Felix Schäfer 6094c61871 Remove unused LDAP option `tokenSecret`
hackmdio/hackmd#754

Signed-off-by: Felix Schäfer <felix@thegcat.net>
2018-03-05 14:06:05 +01:00
Dustin Frisch d6ee10d176
Introduce ldap.useridField
Signed-off-by: Dustin Frisch <fooker@lab.sh>
2018-03-01 23:51:47 +01:00
Sheogorath bd92010dd2
Remove camel case from `imageuploadtype` in config
This removes the only camel cased option of the config options
**we** added to the config.json.

In auth provider's config parts are a lot of camel cased options
provided. We shouldn't touch them to keep them as similar as
possible to the examples.

Fixes #315

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-01-27 23:50:15 +01:00
Christoph (Sheogorath) Kern eec2318bda
Merge pull request #506 from erasys/minio
Add support for minio
2018-01-23 11:43:24 +01:00
Christoph (Sheogorath) Kern 7de6e3211f
Merge pull request #598 from xxyy/feature/csp
Implement basic CSP support
2018-01-22 20:43:46 +01:00
Dario Ernst 6ae4b8bf13 Add option to enable `freely` permission in closed instance
Before, closed disallowed guest edits completely, by removing
the `freely` permission. This makes it possible to explicitely bring
back guest-editing, but not guest-note-creation, to closed instances.

Signed-off-by: Dario Ernst <dario@kanojo.de>
2018-01-20 15:14:56 +01:00
Wu Cheng-Han 608008753f Fix not passing app key correctly in dropbox config 2018-01-19 00:25:08 +08:00
Lukas Kalbertodt 612b2d1811 Add setting `ldap.usernameField`
This determines which ldap field is used as the username on
HackMD. By default, the "id" is used as username, too. The id
is taken from the fields `uidNumber`, `uid` or
`sAMAccountName`. To give the user more flexibility, they can
now choose the field used for the username instead.
2017-12-09 12:30:48 +01:00
Norihito Nakae 2db2ff484f added guide for SAML settings 2017-12-04 20:13:15 +09:00
Norihito Nakae a22be81feb fixed the SAML callback URL to unconfigurable. 2017-11-29 15:45:32 +09:00
Norihito Nakae 4a4ae9d332 Initial support for SAML authentication 2017-11-28 18:52:24 +09:00
Christoph Witzany 5cda55086a Add mattermost authentication 2017-10-31 10:34:51 +01:00
geekyd d63e6780eb Adds PDF export via config 2017-10-25 19:19:37 +05:30
Literallie 91101c856c
Change CSP config format to be more intuitive 2017-10-22 00:03:46 +02:00
Literallie 0cbdc852cb
CSP: Allow more content types 2017-10-22 00:03:45 +02:00
Literallie 5d2d3ec875
CSP: Upgrade insecure requests if possible
Config option; default is to only upgrade if usessl
2017-10-22 00:03:45 +02:00
Literallie ba183ce654
Add basic CSP support 2017-10-22 00:03:44 +02:00
Literallie 56411ca0e1
Make HSTS behaviour configurable; Fixes #584 2017-10-13 01:42:05 +02:00
Marc Deop 2c780f53df
Add support for minio 2017-08-30 18:58:34 +02:00
BoHong Li ecb0533605 refactor(config.js): Extract config file
* Separate different config source to each files
* Freeze config object
2017-05-08 19:29:07 +08:00