This is a moderate increase from about 2 req/minute to 2.6 req/minute
with an increase of the window to 15 minutes. Switching between
accounts a few times should be covered by the higher rate limit.
At the same time, the window increase reduces the attack/abuse chance
again.
Fixes#6471
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Docker / build-and-push (backend) (push) Has been cancelled
Docker / build-and-push (frontend) (push) Has been cancelled
Deploy HD2 docs to Netlify / Deploys to netlify (push) Has been cancelled
E2E Tests / backend-sqlite (push) Has been cancelled
E2E Tests / backend-mariadb (push) Has been cancelled
E2E Tests / backend-postgres (push) Has been cancelled
Lint and check format / Lint files and check formatting (push) Has been cancelled
Static Analysis / Njsscan code scanning (push) Has been cancelled
Static Analysis / CodeQL analysis (javascript) (push) Has been cancelled
Run tests & build / Test and build with NodeJS 24 (push) Has been cancelled
REUSE Compliance Check / reuse (push) Has been cancelled
Scorecard supply-chain security / Scorecard analysis (push) Has been cancelled
This was originally contributed by @Avi98 back when the config still used
Joi and TypeORM instead of zod and knex. This commit adapts the same changes
previously done but ports them over to zod and knex. Furthermore, the tests
are updated to ensure all aspects of the config are tested.
Co-authored-by: Avinash <avinash.kumar.cs92@gmail.com>
Co-authored-by: Philip Molares <philip.molares@udo.edu>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
E2E Tests / backend-sqlite (push) Has been cancelled
Docker / build-and-push (backend) (push) Has been cancelled
Docker / build-and-push (frontend) (push) Has been cancelled
Deploy HD2 docs to Netlify / Deploys to netlify (push) Has been cancelled
REUSE Compliance Check / reuse (push) Has been cancelled
E2E Tests / backend-mariadb (push) Has been cancelled
E2E Tests / backend-postgres (push) Has been cancelled
Lint and check format / Lint files and check formatting (push) Has been cancelled
Scorecard supply-chain security / Scorecard analysis (push) Has been cancelled
Static Analysis / Njsscan code scanning (push) Has been cancelled
Static Analysis / CodeQL analysis (javascript) (push) Has been cancelled
Run tests & build / Test and build with NodeJS 24 (push) Has been cancelled
The current implementation restricts the backend port binding
to 127.0.0.1, since this is the default of fastify. This is a
reasonable default from a security standpoint. However, in
certain contexts like docker network, this won't work.
The new configuration option HD_BACKEND_BIND_IP allows to set
a custom IP address to which fastify binds, or setting
0.0.0.0 to bind to all interfaces.
At the same time this fix extends the Dockerfile to announce
port 3000 to be available to the docker daemon.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
This adds rate-limiting using the @fastify/rate-limit module with sane
default values, configuration options, the possibility to disable limits
and differentiation between logged-in users and unauthenticated requests.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Our config error messages are generated from the nested
Zod schema for the config. This means, if the path for
the type of media backend to use is
mediaBackend.type
then the env variable should be
HD_MEDIA_BACKEND_TYPE
Previously, we used some custom env variable names
like
HD_MEDIA_BACKEND
This however resulted in the message that the env
variable HD_MEDIA_BACKEND is not set even if it was,
or the other way around, because the generated error
messages were not fitting the actual variable name.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
As markdownlint now includes linting rules for tables,
this commit fixes our docs in that regard
Signed-off-by: Philip Molares <philip.molares@udo.edu>
We release Alpha v3 of HedgeDoc 2.0 and need to make sure that all
version are changed accordingly.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
For non-OIDC compliant OAuth2 providers it was only possible to define
the authorize, token and userinfo URLs but not the end_session_endpoint.
This commit adds that functionality.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
This commit changes the caddyfile to not directly rely on the
HD_BASE_URL environment variable, but instead default to port 8080 as
used in our package.json scripts and docs.
The caddy domain can optionally be overridden using the CADDY_HOST env
variable.
Furthermore, this change adds a section to trust reverse-proxies in
front of Caddy if they are in a private range IP address network.
Both these changes are required to be able to expose a local development
setup with another domain than localhost to a co-developer. With
this change it works without having Caddy trying to generate TLS
certificates for that domain nor HedgeDoc erroring about a origin
mismatch, that occurs as Caddy doesn't forward specific headers
otherwise.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
The API documentation belongs strictly to the API itself.
Due to the usage of version-prefixed API endpoints, there is no conflict
with existing or future endpoints.
The reason behind this is that we already have enough exceptions in the
routing (default everything to react-frontend, exceptions for backend)
and it is hard to keep it synchronized throughout all relevant places.
This came to attention as the dev setup didn't proxy the API docs to the
backend.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Thanks to all HedgeDoc team members for the time discussing,
helping with weird Nest issues, providing feedback
and suggestions!
Co-authored-by: Philip Molares <philip.molares@udo.edu>
Signed-off-by: Philip Molares <philip.molares@udo.edu>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
This workflow was used in an early stage of development of HedgeDoc 2.
It allowed the core developers to quickly check fixes, improvements or
new features to the HedgeDoc UI without the requirement to check-out
the branch locally. As not every pull request required a deployment,
this workflow was only triggered when the "ci: force deployment"
label was added. Since some time already, the frontend and backend
are so tightly coupled that the netfliy deployment doesn't make any
sense anymore and therefore hasn't been used anymore. This commit
therefore removes this leftover workflow.
@RedYetiDev contacted us privately and reported that this deployment
workflow could have been abused to invoke arbitrary commands, including
extraction of environment variables which include our tokens for the
turborepo build cache or the netlify deployment token. For this it
would have been required that somebody created a "safe" pull request,
which would have been labelled with the deployment label and then
changed afterwards since the workflow checks out the pull request
source repository, not the target. We assured that the label was only
added to pull requests from trusted members of the HedgeDoc core team.
There was never any malicious use of the workflow. Furthermore, no
released versions of HedgeDoc (1.x) could have been affected by this,
even in the worst-case scenario.
We're thankful for putting this risk at our attention!
If you too encounter something unusual regarding security in HedgeDoc
itself or our toolchain around it, don't hesitate to contact us.
Details on this are wriiten in our SECURITY.md in the root of the
repository.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Erik Michelson
Philip Molares
renovate[bot]
yamashu
Jochen Martin Eppler