Since we lack of tests but got some great point to start, let's write
more tests.
This patch provides some basic tests for our CSP library. It's more an
integration than a unit test, but gets the job done.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Commit c3584770 upgrades Winston and with that version
`logger.transports.console` becomes undefined. This commit
updates the code to prevent the crash.
Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
Seems like there was a security problem with the library.
This patch updates to version 1.0.0 which fixed the details.
Details: https://snyk.io/vuln/SNYK-JS-PASSPORTSAML-72411
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Looks like GitHub changed their asset system and our CSP prevented them
from getting loaded.
This patch should fix the Gist embedding with enabled CSP by replacing
the old URL `https://assets-cdn.github.com` with the new
`https://github.githubassets.com`.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Disqus loads it's embed config.js from its root domain
(https://disqus.com). Our CSPs only allow subdomains (e.g.:
https://codimd.disqus.com). This causes the disqus embedding to fail.
This patch should fix this problem by adding https://disqus.com to the
CSP setting. From a security perspective there is no real change. Since
still the same parties are involved.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Looks like I was wrong in my previous commit to update revealjs.[1]
The speaker notes broke again with the CSPs. So this patch updates the
hash and this way the speaker notes.
[1]: bcebf1e8d2
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
We see some issues that are based on not properly configured
`config.serverURL`.
This patch adds a warning when `config.serverURL` is an empty value.
This should provide users direct feedback about how to improve their
configs.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Fix wrong config options
In `./lib/web/auth/` some config includes still used `config.serverurl` instead of the correct `config.serverURL`. This causes wrong URL in worst case.
This patch should fix those problems and migrate the wrong statements to camelcase.
Our socket.io version is 2.0.4 while the current socket.io version is
2.1.1.
This patch updates socket.io to version 2.1.1 and takes care of the CDN
client version.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
This commit also refactors the code a bit, and adds a '-' separator
between a filename and its duplicate index.
This commit fixes#1079.
Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
There are some places in our code that made it to be not translated.
This patch fixes some small translation problems and adds some static
strings in templates to translation.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
When installing doctoc it throws some warnings about the markdown-to-ast
package that moved to an own namespace.
This patch updates to the version containing the new, namespaced,
package.
References:
https://github.com/thlorenz/doctoc/pull/151
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
We currently install `uuid` and `node-uuid`. `node-uuid` is deprecated
in favor of `uuid`. It seems like we already switched a while ago, but
somehow missed to remove the dependency.
This patch does exactly that. It removes the dependency from
`package.json` and this way removes the warning during install about
`node-uuid` being deprecated.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
We recently added the new logging option. As it turns out, the new
option was not added correctly, which points out that our current json
linting is **not working**. It throws an error but doesn't break.
This patch fixes the typo in the example. It does not fix the CI part.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Since our previous scrypt library is unmaintained since 3 years, it's
time to look for an alternative.
A refactoring towards another password algorithm was worked on and this
is probably still the way to go. But for now the successor of our
previous library should already be enough.
https://www.npmjs.com/package/scrypt (old library)
https://github.com/ml1nk/node-scrypt (new library)
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
