The current implementation restricts the backend port binding
to 127.0.0.1, since this is the default of fastify. This is a
reasonable default from a security standpoint. However, in
certain contexts like docker network, this won't work.
The new configuration option HD_BACKEND_BIND_IP allows setting
a custom IP address to which fastify binds, or setting
0.0.0.0 to bind to all interfaces.
At the same time this fix extends the Dockerfile to announce
port 3000 to be available to the docker daemon.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
This uses the yjs undo-manager and some keybindings for
CodeMirror to call that manager. The undo-manager ensures
that only changes of the current user are undone or redone.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
This commit adds pooling to Knex since this seems to be the only reliable way to reconnect
to the database after a lost connection. The pooling is only applied to MariaDB and
PostgreSQL since it makes no sense for SQLite.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Since the monitoring endpoints should be accessible without
requiring an API token, the token guard was removed.
For the detailed monitoring information, we might want to add
some extra monitoring token later on, or make that endpoint
dependent on some admin flag set for the user account trying
to access the endpoints.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
This adds rate-limiting using the @fastify/rate-limit module with sane
default values, configuration options, the possibility to disable limits
and differentiation between logged-in users and unauthenticated requests.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
This adds a new endpoint /api/private/csrf/token which serves a CSRF token that
is stored in the user's session. Following requests with POST, PUT, PATCH or DELETE
request methods need to provide this token in the CSRF-Token header. Since this
is not possible to do via HTML forms or other cross-site effects, this prevents
cross-site attacks. The frontend loads the CSRF token on app initialization and
stores it in the Redux store. It keeps using the token for up to one hour and then
updates the stored token from the API endpoint again.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Fastify is a more modern web framework than Express. Although it
shares almost the same API, it has much better performance and
supports more modern features. Several modules like csurf for
CSRF protection aren't maintained for Express anymore, but there
is a Fastify replacement.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
This makes tests behave consistently and makes the API more
predictable. Furthermore, this could reduce the requirement
for client-side sorting in the modal.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
This allows us to communicate to the clients that everybody should update their aliases.
This route allows us to get all aliases of a note
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This allows us to communicate to the clients that everybody should update their note permissions.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This route should be used to get only the permissions of a specific note.
It's useful when we update the permissions and only want to get an update for that.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
Previously, the method to generate the fallback image returned the
image given by the auth provider, if existing. It now includes a
new flag to force the generation of a fallback image.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
This function actually takes an error and builds the notification.
This new name makes the usage of the function more clear.
Signed-off-by: Philip Molares <philip.molares@udo.edu>