mirrors/hedgedoc
1
0
Fork 0
mirror of https://github.com/hedgedoc/hedgedoc.git synced 2024-09-19 15:38:48 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 9
6536 commits 36 branches 47 tags 158 MiB
Commit graph

806 commits

Author SHA1 Message Date
Erik Michelson
3261929a2a fix(types): move and remove unused types 
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-09-13 13:56:02 +02:00
renovate[bot]
7b66965014 fix(deps): update dependency ldapauth-fork to v6 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-09-13 13:56:02 +02:00
Erik Michelson
21dcf0eb49 fix(tests): minio upload type is not exported anymore
Some checks failed
Deploy HD2 docs to Netlify / Deploys to netlify (push) Has been cancelled
Details
Docker / build-and-push (backend) (push) Waiting to run
Details
Docker / build-and-push (frontend) (push) Waiting to run
Details
E2E Tests / backend-sqlite (push) Waiting to run
Details
E2E Tests / backend-mariadb (push) Waiting to run
Details
E2E Tests / backend-postgres (push) Waiting to run
Details
E2E Tests / Build test build of frontend (push) Waiting to run
Details
E2E Tests / frontend-cypress (1) (push) Blocked by required conditions
Details
E2E Tests / frontend-cypress (2) (push) Blocked by required conditions
Details
E2E Tests / frontend-cypress (3) (push) Blocked by required conditions
Details
Lint and check format / Lint files and check formatting (push) Waiting to run
Details
REUSE Compliance Check / reuse (push) Waiting to run
Details
Scorecard supply-chain security / Scorecard analysis (push) Waiting to run
Details
Static Analysis / Njsscan code scanning (push) Waiting to run
Details
Static Analysis / CodeQL analysis (push) Waiting to run
Details
Run tests & build / Test and build with NodeJS 20 (push) Waiting to run
Details 
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-09-12 16:55:41 +02:00
renovate[bot]
57cba653e3 fix(deps): update dependency minio to v8 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-09-12 16:55:41 +02:00
Erik Michelson
62eb4b6d2b fix(packages): backend was missing uuid package 
Due to failing docker builds it was brought to our attention,
that the backend relied on the uuid package without declaring
it as dependency. This worked in all development and build
scenarios as the frontend declares uuid as dependency already
and top-level `yarn install` installs all dependencies from all
workspaces. However as the docker build only runs for either
the backend or the frontend, this failed.
This commit adds the dependency to the backend as well.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-09-12 15:45:14 +02:00
Erik Michelson
157a0fe278 refactor(media): store filenames, use pre-signed s3/azure URLs, UUIDs 
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-09-12 14:49:17 +02:00
Erik Michelson
4132833b5d refactor(api-docs): move api docs to /api/doc/ 
The API documentation belongs strictly to the API itself.
Due to the usage of version-prefixed API endpoints, there is no conflict
with existing or future endpoints.
The reason behind this is that we already have enough exceptions in the
routing (default everything to react-frontend, exceptions for backend)
and it is hard to keep it synchronized throughout all relevant places.
This came to attention as the dev setup didn't proxy the API docs to the
backend.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-09-12 14:49:17 +02:00
Erik Michelson
7f665fae4b feat(auth): refactor auth, add oidc
Some checks are pending
Docker / build-and-push (frontend) (push) Waiting to run
Details
Docker / build-and-push (backend) (push) Waiting to run
Details
Deploy HD2 docs to Netlify / Deploys to netlify (push) Waiting to run
Details
E2E Tests / backend-sqlite (push) Waiting to run
Details
E2E Tests / backend-mariadb (push) Waiting to run
Details
E2E Tests / backend-postgres (push) Waiting to run
Details
E2E Tests / Build test build of frontend (push) Waiting to run
Details
E2E Tests / frontend-cypress (1) (push) Blocked by required conditions
Details
E2E Tests / frontend-cypress (2) (push) Blocked by required conditions
Details
E2E Tests / frontend-cypress (3) (push) Blocked by required conditions
Details
Lint and check format / Lint files and check formatting (push) Waiting to run
Details
REUSE Compliance Check / reuse (push) Waiting to run
Details
Scorecard supply-chain security / Scorecard analysis (push) Waiting to run
Details
Static Analysis / Njsscan code scanning (push) Waiting to run
Details
Static Analysis / CodeQL analysis (push) Waiting to run
Details
Run tests & build / Test and build with NodeJS 20 (push) Waiting to run
Details 
Thanks to all HedgeDoc team members for the time discussing,
helping with weird Nest issues, providing feedback
and suggestions!

Co-authored-by: Philip Molares <philip.molares@udo.edu>
Signed-off-by: Philip Molares <philip.molares@udo.edu>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-09-11 21:29:49 +02:00
renovate[bot]
61fc33fc73 chore(deps): update yarn to v4.4.1
Some checks failed
Docker / build-and-push (backend) (push) Has been cancelled
Details
Docker / build-and-push (frontend) (push) Has been cancelled
Details
Deploy HD2 docs to Netlify / Deploys to netlify (push) Has been cancelled
Details
E2E Tests / backend-sqlite (push) Has been cancelled
Details
E2E Tests / backend-mariadb (push) Has been cancelled
Details
E2E Tests / backend-postgres (push) Has been cancelled
Details
E2E Tests / Build test build of frontend (push) Has been cancelled
Details
Lint and check format / Lint files and check formatting (push) Has been cancelled
Details
REUSE Compliance Check / reuse (push) Has been cancelled
Details
Scorecard supply-chain security / Scorecard analysis (push) Has been cancelled
Details
Static Analysis / Njsscan code scanning (push) Has been cancelled
Details
Static Analysis / CodeQL analysis (javascript) (push) Has been cancelled
Details
Run tests & build / Test and build with NodeJS 20 (push) Has been cancelled
Details
E2E Tests / frontend-cypress (1) (push) Has been cancelled
Details
E2E Tests / frontend-cypress (2) (push) Has been cancelled
Details
E2E Tests / frontend-cypress (3) (push) Has been cancelled
Details 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: David Mehren <git@herrmehren.de>
 2024-09-02 16:38:54 +02:00
renovate[bot]
528f4dade1 fix(deps): update dependency raw-body to v3 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-09-02 10:36:06 +02:00
Erik Michelson
73d9c3231b refactor(backend): rename auth to public-auth-token 
Signed-off-by: Yannick Bungers <git@innay.de>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-09-02 10:33:08 +02:00
renovate[bot]
52fe7f55de fix(deps): update dependency rimraf to v6 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-09-02 10:28:52 +02:00
Philip Molares
03a388c6f9 fix: turbo filter commands 
turbo now wants you to specify the whole name and not just part of the name.

See: https://github.com/vercel/turborepo/pull/8137
Signed-off-by: Philip Molares <philip.molares@udo.edu>
 2024-08-31 12:53:53 +02:00
renovate[bot]
b481f79c34 chore(deps): remove dependency http-proxy-middleware 
This is no longer necessary, as we needed this previously when the backend proxied the frontend

Signed-off-by: Philip Molares <philip.molares@udo.edu>
 2024-08-31 09:56:18 +02:00
renovate[bot]
3a8869fab9 chore(deps): update dependency @darraghor/eslint-plugin-nestjs-typed to v5 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-30 17:27:29 +02:00
renovate[bot]
5d45fc21e4 fix(deps): update definitelytyped 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-30 12:50:58 +02:00
renovate[bot]
cf51c7572a fix: remove explicit typing 
Apparently this is not need anymore and the linter does not like it.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
 2024-08-30 11:58:32 +02:00
renovate[bot]
f35d00806e chore(deps): update dependency typescript to v5.5.4 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-30 11:58:32 +02:00
renovate[bot]
f948861bfe chore(deps): update nestjs packages 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-30 10:47:49 +02:00
renovate[bot]
d00b1c454d chore(deps): update linters 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-30 10:07:01 +02:00
renovate[bot]
cf7fe9df10 fix(deps): update dependency @azure/storage-blob to v12.24.0 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 14:51:29 +02:00
renovate[bot]
818e2bcddc fix(deps): update dependency diff to v5.2.0 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 14:48:35 +02:00
renovate[bot]
0da190b00d fix(deps): update dependency joi to v17.13.3 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 14:46:30 +02:00
renovate[bot]
ebde99f212 fix(deps): update dependency pg to v8.12.0 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 14:43:24 +02:00
renovate[bot]
289f874d40 chore(deps): update dependency ts-jest to v29.2.5 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 14:34:47 +02:00
renovate[bot]
44d41a5ec5 chore(deps): update yarn to v4.1.1 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-08-29 10:08:54 +00:00
renovate[bot]
8769f13f5d fix(deps): update dependency rimraf to v5.0.10 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 09:41:38 +00:00
renovate[bot]
9e558f7f5d fix(deps): update nestjs packages 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 09:22:13 +00:00
renovate[bot]
475c82316f fix(deps): update dependency reflect-metadata to v0.2.2 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 09:19:10 +00:00
renovate[bot]
7516eb7761 fix(deps): update dependency joi to v17.12.3 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 09:16:16 +00:00
renovate[bot]
ecbe34746b fix(deps): update dependency pg to v8.11.6 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 09:15:51 +00:00
renovate[bot]
1038d798d8 fix(deps): update dependency cli-color to v2.0.4 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 08:58:49 +00:00
renovate[bot]
e3b93ad9a1 chore(deps): update dependency yjs to v13.6.18 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 05:25:31 +00:00
renovate[bot]
aa759cc879 chore(deps): update dependency ts-jest to v29.1.5 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 02:21:47 +00:00
renovate[bot]
c3fd6993d2 chore(deps): update dependency @tsconfig/node18 to v18.2.4 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 02:15:21 +00:00
renovate[bot]
2cc71588fe fix(deps): update dependency ws to v8.17.1 [security] 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 00:43:05 +02:00
renovate[bot]
6a6fd3b099 chore(deps): update dependency @darraghor/eslint-plugin-nestjs-typed to v4.6.1 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-29 00:33:01 +02:00
renovate[bot]
7773fe1bdb fix(deps): pin dependency @node-rs/argon2 to 1.8.3 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-28 22:23:56 +00:00
renovate[bot]
14fe9470dd chore(deps): update node.js to 1a526b9 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-08-28 22:07:27 +00:00
Erik Michelson
0c4e9bc080
fix(formatting): remove blank line to silence prettier 
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-08-29 00:00:08 +02:00
yamashush
e99ba0615c test: fix update patch when removing old revisions
Some checks failed
Docker / build-and-push (backend) (push) Has been cancelled
Details
Docker / build-and-push (frontend) (push) Has been cancelled
Details
E2E Tests / backend-sqlite (push) Has been cancelled
Details
E2E Tests / backend-mariadb (push) Has been cancelled
Details
E2E Tests / backend-postgres (push) Has been cancelled
Details
E2E Tests / Build test build of frontend (push) Has been cancelled
Details
Lint and check format / Lint files and check formatting (push) Has been cancelled
Details
REUSE Compliance Check / reuse (push) Has been cancelled
Details
Scorecard supply-chain security / Scorecard analysis (push) Has been cancelled
Details
Static Analysis / Njsscan code scanning (push) Has been cancelled
Details
Static Analysis / CodeQL analysis (javascript) (push) Has been cancelled
Details
Run tests & build / Test and build with NodeJS 20 (push) Has been cancelled
Details
E2E Tests / frontend-cypress (1) (push) Has been cancelled
Details
E2E Tests / frontend-cypress (2) (push) Has been cancelled
Details
E2E Tests / frontend-cypress (3) (push) Has been cancelled
Details 
Signed-off-by: yamashush <38120991+yamashush@users.noreply.github.com>
Signed-off-by: Philip Molares <philip.molares@udo.edu>
 2024-08-23 18:43:40 +02:00
Erik Michelson
f30f0d8e51 fix(passwords): use argon2id instead of bcrypt
Some checks failed
Docker / build-and-push (backend) (push) Has been cancelled
Details
Docker / build-and-push (frontend) (push) Has been cancelled
Details
E2E Tests / backend-sqlite (push) Has been cancelled
Details
E2E Tests / backend-mariadb (push) Has been cancelled
Details
E2E Tests / backend-postgres (push) Has been cancelled
Details
E2E Tests / Build test build of frontend (push) Has been cancelled
Details
Lint and check format / Lint files and check formatting (push) Has been cancelled
Details
REUSE Compliance Check / reuse (push) Has been cancelled
Details
Scorecard supply-chain security / Scorecard analysis (push) Has been cancelled
Details
Static Analysis / Njsscan code scanning (push) Has been cancelled
Details
Static Analysis / CodeQL analysis (javascript) (push) Has been cancelled
Details
Run tests & build / Test and build with NodeJS 20 (push) Has been cancelled
Details
E2E Tests / frontend-cypress (1) (push) Has been cancelled
Details
E2E Tests / frontend-cypress (2) (push) Has been cancelled
Details
E2E Tests / frontend-cypress (3) (push) Has been cancelled
Details 
OWASP [1] recommends for password hashing the following algorithms in
descending order: argon2id, scrypt, bcrypt. They state that bcrypt may
be used in legacy systems or when required due to legal regulations.
We're however not building any legacy application. Even HedgeDoc 1.x
utilizes a more modern algorithm by using scrypt.

While bcrypt is not insecure per se, our implementation had a major
security flaw, leading to invalid passwords being accepted in certain
cases. The bcrypt nodejs package - and the OWASP cheatsheet as well -
point out, that the maximum input length of passwords is limited to 72
bytes with bcrypt. When some user has a password longer than 72 bytes in
use, only the first 72 bytes are required to log in successfully.
Depending on the encoding (which could be UTF-8 or UTF-16 depending on
different circumstances) this could in worst-case be at 36 characters,
which is not very unusual for a password. See also [2].

This commit changes the used algorithm to argon2id. Argon2id has been in
use for several years now and seems to be a well-designed password
hashing function that even won the 2015 Password Hashing Competition.
Argon2 does not have any real-world max input length for passwords (it
is at 4 GiB).

The node-rs/argon2 implementation seems to be well maintained, widely
used (more than 150k downloads per week) and is published with
provenance, proving that the npm package was built on GitHub actions
using the source code in the repository. The implementation is written
in Rust, so it should be safe against memory leakages etc.

[1]: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Che
     at_Sheet.html#password-hashing-algorithms
[2]: https://security.stackexchange.com/a/39851

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-08-08 20:29:23 +02:00
Erik Michelson
6684b0f886 enhancement(realtime): send metadata update on revision save
Some checks are pending
Docker / build-and-push (backend) (push) Waiting to run
Details
Docker / build-and-push (frontend) (push) Waiting to run
Details
E2E Tests / backend-sqlite (push) Waiting to run
Details
E2E Tests / backend-mariadb (push) Waiting to run
Details
E2E Tests / backend-postgres (push) Waiting to run
Details
E2E Tests / Build test build of frontend (push) Waiting to run
Details
E2E Tests / frontend-cypress (1) (push) Blocked by required conditions
Details
E2E Tests / frontend-cypress (2) (push) Blocked by required conditions
Details
E2E Tests / frontend-cypress (3) (push) Blocked by required conditions
Details
Lint and check format / Lint files and check formatting (push) Waiting to run
Details
REUSE Compliance Check / reuse (push) Waiting to run
Details
Scorecard supply-chain security / Scorecard analysis (push) Waiting to run
Details
Static Analysis / Njsscan code scanning (push) Waiting to run
Details
Static Analysis / CodeQL analysis (javascript) (push) Waiting to run
Details
Run tests & build / Test and build with NodeJS 20 (push) Waiting to run
Details 
When the frontend is notified about metadata updates, it refreshes the
data and therefore refreshes information like the timestamp of the last
revision save in the sidebar.
This commit adds such a notification from the backend to all clients on
each revision save, so that the "last saved at" value in the frontend is
correct.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-08-07 22:25:51 +02:00
Erik Michelson
9597ac5422 feat(notes): check for equal alias or note id 
When creating a new note or adding a new alias to one,
it is checked that the new name
is neither forbidden nor already in use.

Co-authored-by: David Mehren <git@herrmehren.de>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-04-18 22:15:11 +02:00
Erik Michelson
8693edbf6a refactor(media): add media redirection endpoint 
Previous versions of HedgeDoc suffered from the problem
that changing the media backend required manipulation of
the media links in all created notes. We discussed in
#3704 that it's favourable to have an endpoint that
redirects to the image's original URL. When changing the
media backend, the link stays the same but just the
redirect changes.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-04-18 22:11:49 +02:00
Philip Molares
1f19a6fac4 lint: fix error in new test 
This was probably introduced because the PR was open so long

Signed-off-by: Philip Molares <philip.molares@udo.edu>
 2024-04-18 21:52:36 +02:00
yamashush
1c22a425bd test: complete todo 
Signed-off-by: yamashush <38120991+yamashush@users.noreply.github.com>
 2024-04-18 21:26:06 +02:00
renovate[bot]
9aaec95398 fix(deps): update dependency @nestjs/schedule to v4 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2024-04-09 11:31:07 +02:00
Erik Michelson
92bde4d281 enhancement(api-tokens): add prefix and more strict validation 
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-04-09 10:54:35 +02:00
Erik Michelson
956dd28648 feat: add event listener for canceling destroy timer 
Signed-off-by: yamashush <38120991+yamashush@users.noreply.github.com>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
 2024-03-03 21:15:32 +01:00