Commit graph

29 commits

Author SHA1 Message Date
Christoph (Sheogorath) Kern
551840ad57
Merge pull request #784 from pferreir/add-oauth2-support
Add "generic" OAuth2 support
2018-06-04 15:54:47 +02:00
Ádám Hóka
376fcab2ca Add Azure Blob Storage support
Signed-off-by: Adam Hoka <hoka.adam@nexogen.hu>
2018-06-01 10:07:52 +02:00
Christoph (Sheogorath) Kern
6d44ded269
Revert "Workaround Google API problems" 2018-05-16 01:31:50 +02:00
Sheogorath
ef86bf5cba
Use API key instead of clientSecret
As recently discovered we send the clientSecret to the webclient which
is potentionally dangerous. This patch should fix the problem and
replace the clientSecret with the originally intended and correct way to
implement it using the API key.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-13 09:38:59 +02:00
Sheogorath
d939de17df
Fix CSP for disqus and Google Analytics
This commit should fix existing problems with Disqus and Google
Analytics enabled in the meta-yaml section of a note.

Before this commit they were blocked by the strict CSP. It's still
possible to disable the added directives using `addDisqus` and
`addGoogleAnalytics` in the `csp` config section.

They are enabled by default to prevent breaking changes.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-30 16:33:52 +02:00
Pedro Ferreira
40b3855702 Add support for generic OAuth2 providers
Signed-off-by: Pedro Ferreira <pedro.ferreira@cern.ch>
2018-03-26 15:55:39 +02:00
Sheogorath
3599fb79b4
Automatically generate a session secret if default is used
The session secret is used to sign and authenticate the session cookie
and this way very important for the authentication process.

By default the session secret is set to `secret` and never changes. This
commit will add a generator for a dynamic session secret if it stays
unchanged.

It prevents session hijacking this way and will warn the user about
the missing secret.

This also implies that on a restart without configured session secret
will log out all users. While it may seems annoying, it's for the users
best.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-26 00:36:28 +02:00
Sheogorath
2411dffa2c
Change config to camel case with backwards compatibility
This refactors the configs a bit to now use camel case everywhere.
This change should help to clean up the config interface and make it
better understandable.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-25 19:08:14 +02:00
Sheogorath
efa490a50f
Add config option for report URI in CSP
This option is needed as it's currently not possible to add an report
URI by the directives array. This option also allows to get CSP reports
not only on docker based setup but also on our heroku instances.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-14 17:57:41 +01:00
Felix Schäfer
6094c61871 Remove unused LDAP option tokenSecret
hackmdio/hackmd#754

Signed-off-by: Felix Schäfer <felix@thegcat.net>
2018-03-05 14:06:05 +01:00
Dustin Frisch
d6ee10d176
Introduce ldap.useridField
Signed-off-by: Dustin Frisch <fooker@lab.sh>
2018-03-01 23:51:47 +01:00
Sheogorath
bd92010dd2
Remove camel case from imageuploadtype in config
This removes the only camel cased option of the config options
**we** added to the config.json.

In auth provider's config parts are a lot of camel cased options
provided. We shouldn't touch them to keep them as similar as
possible to the examples.

Fixes #315

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-01-27 23:50:15 +01:00
Christoph (Sheogorath) Kern
eec2318bda
Merge pull request #506 from erasys/minio
Add support for minio
2018-01-23 11:43:24 +01:00
Christoph (Sheogorath) Kern
7de6e3211f
Merge pull request #598 from xxyy/feature/csp
Implement basic CSP support
2018-01-22 20:43:46 +01:00
Dario Ernst
6ae4b8bf13 Add option to enable freely permission in closed instance
Before, closed disallowed guest edits completely, by removing
the `freely` permission. This makes it possible to explicitely bring
back guest-editing, but not guest-note-creation, to closed instances.

Signed-off-by: Dario Ernst <dario@kanojo.de>
2018-01-20 15:14:56 +01:00
Wu Cheng-Han
608008753f Fix not passing app key correctly in dropbox config 2018-01-19 00:25:08 +08:00
Lukas Kalbertodt
612b2d1811 Add setting ldap.usernameField
This determines which ldap field is used as the username on
HackMD. By default, the "id" is used as username, too. The id
is taken from the fields `uidNumber`, `uid` or
`sAMAccountName`. To give the user more flexibility, they can
now choose the field used for the username instead.
2017-12-09 12:30:48 +01:00
Norihito Nakae
2db2ff484f added guide for SAML settings 2017-12-04 20:13:15 +09:00
Norihito Nakae
a22be81feb fixed the SAML callback URL to unconfigurable. 2017-11-29 15:45:32 +09:00
Norihito Nakae
4a4ae9d332 Initial support for SAML authentication 2017-11-28 18:52:24 +09:00
Christoph Witzany
5cda55086a Add mattermost authentication 2017-10-31 10:34:51 +01:00
geekyd
d63e6780eb Adds PDF export via config 2017-10-25 19:19:37 +05:30
Literallie
91101c856c
Change CSP config format to be more intuitive 2017-10-22 00:03:46 +02:00
Literallie
0cbdc852cb
CSP: Allow more content types 2017-10-22 00:03:45 +02:00
Literallie
5d2d3ec875
CSP: Upgrade insecure requests if possible
Config option; default is to only upgrade if usessl
2017-10-22 00:03:45 +02:00
Literallie
ba183ce654
Add basic CSP support 2017-10-22 00:03:44 +02:00
Literallie
56411ca0e1
Make HSTS behaviour configurable; Fixes #584 2017-10-13 01:42:05 +02:00
Marc Deop
2c780f53df
Add support for minio 2017-08-30 18:58:34 +02:00
BoHong Li
ecb0533605 refactor(config.js): Extract config file
* Separate different config source to each files
* Freeze config object
2017-05-08 19:29:07 +08:00