Commit graph

7761 commits

Author SHA1 Message Date
Richard Hansen
ec10700dff express-session: Don't save uninitialized sessions
This should avoid frivolous session records, such as when the user
gets a 404 (unless login was required to see the 404).
2022-01-17 21:45:56 -05:00
Richard Hansen
7255dd7ef0 express-session: Inherit proxy trust from Express 2022-01-17 21:45:56 -05:00
Richard Hansen
945e6848e2 SessionStore: Delete DB record when session expires
This only deletes records known to the current Etherpad instance --
old records from previous runs are not automatically cleaned up.
2022-01-17 21:45:56 -05:00
Richard Hansen
72cd983f0f SessionStore: Option to update DB record on touch() 2022-01-17 21:45:52 -05:00
Richard Hansen
b991948e21 SessionStore: Don't write DB record if already expired 2022-01-17 21:33:58 -05:00
Richard Hansen
4d498725c7 SessionStore: Improve cookie expiration check
* Don't mutate `sess.cookie.expires`.
* Allow `sess.cookie` to be nullish.
* Always compare `Date` objects.
2022-01-17 18:17:40 -05:00
Richard Hansen
928c598ecf tests: Add SessionStore backend tests 2022-01-17 17:51:08 -05:00
Richard Hansen
efab3aed0c deps: Update ueberdb2 to 2.0.1 to get proper JSON support 2022-01-14 00:45:47 -05:00
Richard Hansen
d3984aa621 express: Move preAuthorize hook after express-session
The `ep_openid_connect` plugin needs access to session state before
authorization checks are made (to securely redirect the user back to
the start page when authentication completes). Now that the
`expressPreSession` hook exists, the rationale for moving
`preAuthorize` before the `express-session` middleware is gone.

This change undoes the following commits:
  * bf35dcfc50
  * 0b1ec20c5c
  * 30544b564e
2022-01-14 00:44:54 -05:00
Richard Hansen
75637708c0 express: Move up cookie-parser middleware
This makes it possible for the `preAuthorize` and `preExpressSession`
hooks to easily read or set cookies.
2022-01-14 00:44:54 -05:00
Richard Hansen
ab85db4426 webaccess: Silence prototype pollution warning 2022-01-14 00:44:54 -05:00
Richard Hansen
dcd43e9849 webaccess: Use .startsWith() instead of .search() 2022-01-14 00:44:54 -05:00
translatewiki.net
b9118c22ba Localisation updates from https://translatewiki.net. 2022-01-13 13:02:54 +01:00
Richard Hansen
fd9b770579 PadManager: Refactor padList to avoid duplicate loads 2022-01-02 20:44:42 -05:00
Richard Hansen
66ce2b50a9 openapi: Convert Promise.catch() to catch block 2022-01-02 19:17:20 -05:00
Richard Hansen
fa8bdb0348 promises: Add a comment explaining a subtlety in Gate 2022-01-02 18:57:44 -05:00
Richard Hansen
a115c475ad promises: Expose reject in Gate 2022-01-02 18:57:44 -05:00
Richard Hansen
b72db7ebd6 promises: Return a Promise from Gate.then()
It doesn't make sense to return a `Gate` from `Gate.then()`, and this
eliminates the semantically confusing constructor parameter.
2022-01-02 18:57:44 -05:00
Richard Hansen
78a67801f3 promises: Move Gate from server.js (to enable reuse) 2022-01-02 18:57:44 -05:00
Richard Hansen
c8d45586c1 server: Fix stop Gate creation and check 2022-01-02 18:57:44 -05:00
Richard Hansen
10c55a2328 Changeset: Explain why number of removals doesn't matter 2021-12-31 22:53:59 -05:00
Richard Hansen
6495b1e6f4 tests: Disable deprecation warnings when testing deprecated functions 2021-12-31 22:15:03 -05:00
Richard Hansen
c0471dd238 tests: Avoid deprecated Changeset.opIterator 2021-12-31 22:14:07 -05:00
webzwo0i
0af728ffee textLinesMutator: coverage for changed attributes in multiline keeps 2021-12-30 18:44:29 -05:00
webzwo0i
93447b7493 easysync tests: cover more string operation scenarios 2021-12-30 18:44:29 -05:00
webzwo0i
395cbc01bb Changeset.js: refine comments 2021-12-30 18:44:29 -05:00
webzwo0i
55c47efd4c easysync tests: add some more smartOpAssembler tests 2021-12-30 18:44:29 -05:00
webzwo0i
12ebca897d easysync: add clear method to stringAssembler 2021-12-30 18:44:29 -05:00
Chocobozzz
0cc15df9b9 Prevent pad translation and crash
Prevent "TypeError: Cannot read properties of null (reading 'sheet')"
exception because Google Chrome can translate `<style type="text/css" title="dynamicsyntax"></style>` title attribute
2021-12-22 17:46:32 +01:00
Richard Hansen
cb257de8f9 Bump version to v1.9.0 for plugin peerDependencies
This allows plugins to depend on the not-yet-released API by bumping
their `peerDependencies` to `>=1.9.0`.

IMPORTANT: v1.9.0 IS NOT RELEASED YET. I tried to bump the version to
1.9.0-alpha.0 instead, but unfortunately that doesn't satisfy
`>=1.8.6` which would break just about every plugin.
2021-12-21 17:23:56 -05:00
Richard Hansen
02a56dc58c PadMessageHandler: Allow handleMessageSecurity to grant one-time write access 2021-12-21 17:23:56 -05:00
Richard Hansen
31b025bd9d PadMessageHandler: Pass session info to handleMessageSecurity hook 2021-12-21 17:23:56 -05:00
Richard Hansen
1b52c9f0c4 PadMessageHandler: Deprecate client context property 2021-12-21 17:23:56 -05:00
Richard Hansen
8539a66439 docs: Improve handleMessageSecurity documentation 2021-12-21 17:23:56 -05:00
Richard Hansen
f1856cf95a Docker: Use new /health endpoint for HEALTHCHECK 2021-12-21 17:19:56 -05:00
Richard Hansen
11de525508 Docker: Install and use link for etherpad binary 2021-12-21 17:19:56 -05:00
Richard Hansen
83f2898723 package.json: Define etherpad binary 2021-12-21 17:19:56 -05:00
Richard Hansen
696f9c3367 specialpages: New /health endpoint for health checking
This endpoint is intended to conform with:
https://www.ietf.org/archive/id/draft-inadarei-api-health-check-06.html
2021-12-21 17:19:56 -05:00
Dirk Jagdmann
2e4c546c7f Pad: Add new .spliceText() method
Co-authored-by: Richard Hansen <rhansen@rhansen.org>
2021-12-21 17:00:18 -05:00
Richard Hansen
30544b564e express: Skip express-session middleware if pre-authorized 2021-12-20 20:08:19 -05:00
Richard Hansen
649fbdccf5 express: Move static handlers to expressPreSession
This avoids the need to exempt the paths from authentication checks,
and it eliminates unnecessary express-session state.
2021-12-20 20:08:19 -05:00
Richard Hansen
72f4ae444d express: New expressPreSession server-side hook 2021-12-20 20:08:19 -05:00
Richard Hansen
0b1ec20c5c express: Move preAuthorize middleware before express-session 2021-12-20 20:08:19 -05:00
Richard Hansen
bf35dcfc50 webaccess: Move preAuthorize to its own middleware 2021-12-20 20:08:19 -05:00
Richard Hansen
7f3d0e71f7 express: Check access before expressConfigure middleware
There are no guarantees about the order of execution of hook
functions, which means that a plugin's `expressConfigure` hook
function could theoretically register a handler/middleware before the
access check middleware is registered. If that happens, the plugin's
handler would run before the access check, which would be bad. Avoid
the problem by explicitly installing the `webaccess.checkAccess`
middleware before running the `expressConfigure` hook.
2021-12-20 20:08:18 -05:00
Richard Hansen
472eddc821 webaccess: Skip checks if next is called in preAuthenticate 2021-12-20 20:08:18 -05:00
Richard Hansen
fc498f0ae6 tests: Delete test pad before attempting import 2021-12-20 20:08:18 -05:00
Richard Hansen
c4b25388ae docs: Server-side hook documentation improvements 2021-12-20 20:08:18 -05:00
Richard Hansen
02d1b90d30 tests: Factor out USER_CHANGES/ACCEPT_COMMIT helpers
This will make it possible for other tests to reuse the code.
2021-12-19 16:53:24 -05:00
snyk-bot
674a0ccedc fix: upgrade openapi-backend from 5.0.0 to 5.0.1
Snyk has created this PR to upgrade openapi-backend from 5.0.0 to 5.0.1.

See this package in npm:
https://www.npmjs.com/package/openapi-backend

See this project in Snyk:
https://app.snyk.io/org/johnmclear/project/d9a12bfb-7ccd-443f-9e22-f30d339cc8c5?utm_source=github&utm_medium=referral&page=upgrade-pr
2021-12-19 00:54:20 -05:00