From ef86bf5cba65af3dc3db10944cec8d40d848daaa Mon Sep 17 00:00:00 2001
From: Sheogorath
Date: Fri, 13 Apr 2018 09:33:55 +0200
Subject: [PATCH 1/2] Use API key instead of clientSecret As recently discovered we send the clientSecret to the webclient which is potentionally dangerous. This patch should fix the problem and replace the clientSecret with the originally intended and correct way to implement it using the API key.
Signed-off-by: Sheogorath
---
 app.js | 2 +-
 lib/config/default.js | 1 +
 lib/config/environment.js | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/app.js b/app.js
index fcf905d..63b880c 100644
--- a/app.js
+++ b/app.js
@@ -33,7 +33,7 @@ var data = {
 urlpath: config.urlPath,
 debug: config.debug,
 version: config.version,
- GOOGLE_API_KEY: config.google.clientSecret,
+ GOOGLE_API_KEY: config.google.apiKey,
 GOOGLE_CLIENT_ID: config.google.clientID,
 DROPBOX_APP_KEY: config.dropbox.appKey,
 allowedUploadMimeTypes: config.allowedUploadMimeTypes
diff --git a/lib/config/default.js b/lib/config/default.js
index 68849d3..db0c036 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -104,6 +104,7 @@ module.exports = {
 appKey: undefined
 },
 google: {
+ apiKey: undefined,
 clientID: undefined,
 clientSecret: undefined
 },
diff --git a/lib/config/environment.js b/lib/config/environment.js
index 3dde478..8e1e517 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -74,6 +74,7 @@ module.exports = {
 appKey: process.env.HMD_DROPBOX_APPKEY
 },
 google: {
+ apiKey: process.env.HMD_GOOGLE_APIKEY,
 clientID: process.env.HMD_GOOGLE_CLIENTID,
 clientSecret: process.env.HMD_GOOGLE_CLIENTSECRET
 },
From 2cc3058a44473a150b1dedeb5257d73859b7acae Mon Sep 17 00:00:00 2001
From: Sheogorath
Date: Tue, 1 May 2018 23:12:45 +0200
Subject: [PATCH 2/2] Remove Google Upload from UI This temporarily removes the Upload from the UI as it's broken right now. Needs a refactoring and can be added in again later on by undoing this commit.
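Review bot: `GOOGLE_API_KEY: config.google.apiKey` in the app.js hunk still places a credential in the `data` object that, per the commit message, is sent to the web client, and nothing beside the line says which kind of key is safe to put there. I would add a comment above it, e.g. `// Served to the browser: use a referrer-restricted API key here, never an OAuth client secret`, so a later edit does not reintroduce the leak. Because the old line served `clientSecret`, any secret configured on an existing deployment should be treated as disclosed and rotated, which belongs in the release notes for this change. The `data` object starts and ends outside the hunk.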
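Review bot: The new `HMD_GOOGLE_APIKEY` variable in the lib/config/environment.js hunk is introduced without documentation; the diffstat lists only app.js and the two config files. A deployment that set only `HMD_GOOGLE_CLIENTSECRET` will now hand the client `GOOGLE_API_KEY: undefined`, since the default added in lib/config/default.js is `undefined`, so the upgrade step should be spelled out for operators. I would add a comment on the new line such as `// browser-visible API key; HMD_GOOGLE_CLIENTSECRET stays server-side only` and list the variable wherever the other `HMD_*` settings are documented (not visible in this patch).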
Signed-off-by: Sheogorath
---
 public/views/hackmd/header.ejs | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/public/views/hackmd/header.ejs b/public/views/hackmd/header.ejs
index e179f17..8fe7f5c 100644
--- a/public/views/hackmd/header.ejs
+++ b/public/views/hackmd/header.ejs
@@ -32,13 +32,11 @@
  • <%= __('Slide Mode') %>
  • - <% if((typeof github !== 'undefined' && github) || (typeof dropbox !== 'undefined' && dropbox) || (typeof google !== 'undefined' && google) || (typeof gitlab !== 'undefined' && gitlab && (!gitlab.scope || gitlab.scope === 'api'))) { %> + <% if((typeof github !== 'undefined' && github) || (typeof dropbox !== 'undefined' && dropbox) || (typeof gitlab !== 'undefined' && gitlab && (!gitlab.scope || gitlab.scope === 'api'))) { %>
  • Dropbox
  • -
  • Google Drive -
  • <% if(typeof github !== 'undefined' && github) { %>
  • Gist
  • @@ -52,8 +50,6 @@
  • Dropbox
  • -
  • Google Drive -
  • Gist
  • <% if(typeof gitlab !== 'undefined' && gitlab && (!gitlab.scope || gitlab.scope === 'api')) { %> @@ -143,8 +139,6 @@
  • Dropbox
  • -
  • Google Drive -
  • <% if(typeof github !== 'undefined' && github) { %>
  • Gist
  • @@ -158,8 +152,6 @@
  • Dropbox
  • -
  • Google Drive -
  • Gist
  • <% if(typeof gitlab !== 'undefined' && gitlab && (!gitlab.scope || gitlab.scope === 'api')) { %>