libretic
/
etherpad-lite
5
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
7,766 Commits 2 Branches 0 Tags 24 MiB
Commit Graph

4719 Commits

Author SHA1 Message Date
Richard Hansen 692749d1cf express-session: Extend session lifetime if user is active 2022-01-17 21:45:56 -05:00
Richard Hansen 9c1f52f1b0 express-session: Install package from `@etherpad` scope 
This allows us to use some in-progress features.
 2022-01-17 21:45:56 -05:00
Richard Hansen 023e58cfe6 express-session: Set a finite cookie lifetime 2022-01-17 21:45:56 -05:00
Richard Hansen ec10700dff express-session: Don't save uninitialized sessions 
This should avoid frivolous session records, such as when the user
gets a 404 (unless login was required to see the 404).
 2022-01-17 21:45:56 -05:00
Richard Hansen 7255dd7ef0 express-session: Inherit proxy trust from Express 2022-01-17 21:45:56 -05:00
Richard Hansen 945e6848e2 SessionStore: Delete DB record when session expires 
This only deletes records known to the current Etherpad instance --
old records from previous runs are not automatically cleaned up.
 2022-01-17 21:45:56 -05:00
Richard Hansen 72cd983f0f SessionStore: Option to update DB record on `touch()` 2022-01-17 21:45:52 -05:00
Richard Hansen b991948e21 SessionStore: Don't write DB record if already expired 2022-01-17 21:33:58 -05:00
Richard Hansen 4d498725c7 SessionStore: Improve cookie expiration check 
* Don't mutate `sess.cookie.expires`.
  * Allow `sess.cookie` to be nullish.
  * Always compare `Date` objects.
 2022-01-17 18:17:40 -05:00
Richard Hansen 928c598ecf tests: Add SessionStore backend tests 2022-01-17 17:51:08 -05:00
Richard Hansen efab3aed0c deps: Update ueberdb2 to 2.0.1 to get proper JSON support 2022-01-14 00:45:47 -05:00
Richard Hansen d3984aa621 express: Move `preAuthorize` hook after `express-session` 
The `ep_openid_connect` plugin needs access to session state before
authorization checks are made (to securely redirect the user back to
the start page when authentication completes). Now that the
`expressPreSession` hook exists, the rationale for moving
`preAuthorize` before the `express-session` middleware is gone.

This change undoes the following commits:
  * bf35dcfc50
  * 0b1ec20c5c
  * 30544b564e
 2022-01-14 00:44:54 -05:00
Richard Hansen 75637708c0 express: Move up `cookie-parser` middleware 
This makes it possible for the `preAuthorize` and `preExpressSession`
hooks to easily read or set cookies.
 2022-01-14 00:44:54 -05:00
Richard Hansen ab85db4426 webaccess: Silence prototype pollution warning 2022-01-14 00:44:54 -05:00
Richard Hansen dcd43e9849 webaccess: Use `.startsWith()` instead of `.search()` 2022-01-14 00:44:54 -05:00
translatewiki.net b9118c22ba Localisation updates from https://translatewiki.net. 2022-01-13 13:02:54 +01:00
Richard Hansen fd9b770579 PadManager: Refactor `padList` to avoid duplicate loads 2022-01-02 20:44:42 -05:00
Richard Hansen 66ce2b50a9 openapi: Convert `Promise.catch()` to `catch` block 2022-01-02 19:17:20 -05:00
Richard Hansen fa8bdb0348 promises: Add a comment explaining a subtlety in `Gate` 2022-01-02 18:57:44 -05:00
Richard Hansen a115c475ad promises: Expose `reject` in `Gate` 2022-01-02 18:57:44 -05:00
Richard Hansen b72db7ebd6 promises: Return a `Promise` from `Gate.then()` 
It doesn't make sense to return a `Gate` from `Gate.then()`, and this
eliminates the semantically confusing constructor parameter.
 2022-01-02 18:57:44 -05:00
Richard Hansen 78a67801f3 promises: Move Gate from `server.js` (to enable reuse) 2022-01-02 18:57:44 -05:00
Richard Hansen c8d45586c1 server: Fix stop Gate creation and check 2022-01-02 18:57:44 -05:00
Richard Hansen 10c55a2328 Changeset: Explain why number of removals doesn't matter 2021-12-31 22:53:59 -05:00
Richard Hansen 6495b1e6f4 tests: Disable deprecation warnings when testing deprecated functions 2021-12-31 22:15:03 -05:00
Richard Hansen c0471dd238 tests: Avoid deprecated `Changeset.opIterator` 2021-12-31 22:14:07 -05:00
webzwo0i 0af728ffee textLinesMutator: coverage for changed attributes in multiline keeps 2021-12-30 18:44:29 -05:00
webzwo0i 93447b7493 easysync tests: cover more string operation scenarios 2021-12-30 18:44:29 -05:00
webzwo0i 395cbc01bb Changeset.js: refine comments 2021-12-30 18:44:29 -05:00
webzwo0i 55c47efd4c easysync tests: add some more smartOpAssembler tests 2021-12-30 18:44:29 -05:00
webzwo0i 12ebca897d easysync: add clear method to stringAssembler 2021-12-30 18:44:29 -05:00
Chocobozzz 0cc15df9b9 Prevent pad translation and crash 
Prevent "TypeError: Cannot read properties of null (reading 'sheet')"
exception because google chrome can translate `<style type="text/css" title="dynamicsyntax"></style>` title attribute
 2021-12-22 17:46:32 +01:00
Richard Hansen cb257de8f9 Bump version to v1.9.0 for plugin `peerDependencies` 
This allows plugins to depend on the not-yet-released API by bumping
their `peerDependencies` to `>=1.9.0`.

IMPORTANT: v1.9.0 IS NOT RELEASED YET. I tried to bump the version to
1.9.0-alpha.0 instead, but unfortunately that doesn't satisfy
`>=1.8.6` which would break just about every plugin.
 2021-12-21 17:23:56 -05:00
Richard Hansen 02a56dc58c PadMessageHandler: Allow `handleMessageSecurity` to grant one-time write access 2021-12-21 17:23:56 -05:00
Richard Hansen 31b025bd9d PadMessageHandler: Pass session info to `handleMessageSecurity` hook 2021-12-21 17:23:56 -05:00
Richard Hansen 1b52c9f0c4 PadMessageHandler: Deprecate `client` context property 2021-12-21 17:23:56 -05:00
Richard Hansen f1856cf95a Docker: Use new `/health` endpoint for HEALTHCHECK 2021-12-21 17:19:56 -05:00
Richard Hansen 83f2898723 package.json: Define `etherpad` binary 2021-12-21 17:19:56 -05:00
Richard Hansen 696f9c3367 specialpages: New `/health` endpoint for health checking 
This endpoint is intended to conform with:
https://www.ietf.org/archive/id/draft-inadarei-api-health-check-06.html
 2021-12-21 17:19:56 -05:00
Dirk Jagdmann 2e4c546c7f Pad: Add new `.spliceText()` method 
Co-authored-by: Richard Hansen <rhansen@rhansen.org>
 2021-12-21 17:00:18 -05:00
Richard Hansen 30544b564e express: Skip express-session middleware if pre-authorized 2021-12-20 20:08:19 -05:00
Richard Hansen 649fbdccf5 express: Move static handlers to `expressPreSession` 
This avoids the need to exempt the paths from authentication checks,
and it eliminates unnecessary express-session state.
 2021-12-20 20:08:19 -05:00
Richard Hansen 72f4ae444d express: New `expressPreSession` server-side hook 2021-12-20 20:08:19 -05:00
Richard Hansen 0b1ec20c5c express: Move `preAuthorize` middleware before express-session 2021-12-20 20:08:19 -05:00
Richard Hansen bf35dcfc50 webaccess: Move `preAuthorize` to its own middleware 2021-12-20 20:08:19 -05:00
Richard Hansen 7f3d0e71f7 express: Check access before `expressConfigure` middleware 
There are no guarantees about the order of execution of hook
functions, which means that a plugin's `expressConfigure` hook
function could theoretically register a handler/middleware before the
access check middleware is registered. If that happens, the plugin's
handler would run before the access check, which would be bad. Avoid
the problem by explicitly installing the `webaccess.checkAccess`
middleware before running the `expressConfigure` hook.
 2021-12-20 20:08:18 -05:00
Richard Hansen 472eddc821 webaccess: Skip checks if `next` is called in `preAuthenticate` 2021-12-20 20:08:18 -05:00
Richard Hansen fc498f0ae6 tests: Delete test pad before attempting import 2021-12-20 20:08:18 -05:00
Richard Hansen 02d1b90d30 tests: Factor out USER_CHANGES/ACCEPT_COMMIT helpers 
This will make it possible for other tests to reuse the code.
 2021-12-19 16:53:24 -05:00
snyk-bot 674a0ccedc fix: upgrade openapi-backend from 5.0.0 to 5.0.1 
Snyk has created this PR to upgrade openapi-backend from 5.0.0 to 5.0.1.

See this package in npm:
https://www.npmjs.com/package/openapi-backend

See this project in Snyk:
https://app.snyk.io/org/johnmclear/project/d9a12bfb-7ccd-443f-9e22-f30d339cc8c5?utm_source=github&utm_medium=referral&page=upgrade-pr
 2021-12-19 00:54:20 -05:00