Commit Graph

133 Commits (71fdca9f685cd2163d1da5067fc38a14c218e1ab)

Author SHA1 Message Date
Richard Hansen 2bb431e7e5
express-session: Implement and enable key rotation (#5362) by @rhansen
* SecretRotator: New class to coordinate key rotation

* express-session: Enable key rotation

* Added new entry in docker.adoc

* Move to own package.Removed fallback as Node 16 is now lowest node version.

* Updated package-lock.json

---------

Co-authored-by: SamTV12345 <40429738+samtv12345@users.noreply.github.com>
2023-07-03 22:58:49 +02:00
DanielHabenicht 675c0130b9
allow option to make pad names case-insensitive (#5501) by @DanielHabenicht
* New option to make pad names case-insensitive

fixes #3844

* fix helper.gotoTimeslider()

* fix helper.aNewPad() return value

* Update src/node/utils/Settings.js

Co-authored-by: Richard Hansen <rhansen@rhansen.org>

* remove timeout

* rename enforceLowerCasePadIds to lowerCasePadIds

* use before and after hooks

* update with socket specific test

* enforce sanitizing padID for websocket connections

- only enforce for newly created pads, to combat case-sensitive pad name hijacking

* Added updated package.json file.

---------

Co-authored-by: Richard Hansen <rhansen@rhansen.org>
Co-authored-by: SamTV12345 <40429738+samtv12345@users.noreply.github.com>
2023-07-03 20:52:49 +02:00
Richard Hansen 861a929a43 docker: Sync `settings.json.docker` with `.template` 2022-01-19 23:06:56 -05:00
Richard Hansen 692749d1cf express-session: Extend session lifetime if user is active 2022-01-17 21:45:56 -05:00
Richard Hansen 023e58cfe6 express-session: Set a finite cookie lifetime 2022-01-17 21:45:56 -05:00
Richard Hansen 8c857a85ac pad: Use `null` as default for `userName`, `userColor` options
These options are used as strings, so it doesn't make sense to default
them to a boolean value.

Note that this change has no effect due to a bug in how pad options
are processed; that bug will be fixed in a future commit.
2021-12-04 23:06:16 -05:00
Richard Hansen 61b608e264 pad: Use `null` as default for `lang` option
It doesn't make sense to override the browser's language with `en-gb`
by default.

Note that this change has no effect due to a bug in how pad options
are processed; that bug will be fixed in a future commit.
2021-12-04 23:06:16 -05:00
Richard Hansen aec619cc0b log4js: Deprecate the `logconfig` setting
This will make it possible to upgrade log4js in a future version.
2021-09-28 04:30:26 -04:00
Richard Hansen 428f8d1684 Settings: Deprecate null as the default default value 2021-06-06 14:00:52 -04:00
Richard Hansen c7bb18c6da Settings: Support null and undefined env var substitutions 2021-06-06 14:00:51 -04:00
Richard Hansen ea8846154f favicon: Redo favicon customization 2021-04-20 13:33:55 -04:00
Chocobozzz a001a13411 fix(perf): Disable wtfnode dump by default
Consumes a lot of CPU so it's better to enable it on purpose
2021-04-13 16:01:41 +02:00
John McLear b7e88cb904 security: New setting for Socket.IO `maxHttpBufferSize` 2021-02-15 12:45:31 -05:00
Ole Langbehn 4c6a12ce2b Add commitRateLimiting settings block to settings.json.docker
The settings commitRateLimiting.duration and commitRateLimiting.points
were not available in the settings.json.docker file, and therefore it
was not possible to override their values via environment variables.

Now, they can be overridden by setting the following env vars:

* commitRateLimiting.duration: COMMIT_RATE_LIMIT_DURATION
* commitRateLimiting.points:   COMMIT_RATE_LIMIT_POINTS
2021-02-08 19:19:03 +00:00
John McLear 2b112ac851
tests: Admin Frontend Test Coverage(#4717)
Covers all frontend admin operations, runs separated in CI.
2021-02-07 11:32:57 +00:00
freddii ea202e41f6 docs: fixed typos 2021-02-03 00:30:07 +01:00
John McLear 66df0a572f
Security: FEATURE REMOVAL: Remove all plain text password logic and ui (#4178)
This will be a breaking change for some people.  

We removed all internal password control logic.  If this affects you, you have two options:

1. Use a plugin for authentication and use session based pad access (recommended).
1. Use a plugin for password setting.

The reasoning for removing this feature is to reduce the overall security footprint of Etherpad.  It is unnecessary and cumbersome to keep this feature and with the thousands of available authentication methods available in the world our focus should be on supporting those and allowing more granual access based on their implementations (instead of half assed baking our own).
2020-10-07 13:43:54 +01:00
Richard Hansen a8cf434d1d import: Replace the `allowAnyoneToImport` check with `userCanModify`
This reduces the number of hoops a user or tool must jump through to
import.
2020-10-05 18:48:16 +01:00
Richard Hansen 2db4b04af3 cookies: Use `SameSite=None` if in an iframe from another site 2020-10-04 08:57:44 +01:00
Richard Hansen bf9d613e95
feature: New user-specific `readOnly` and `canCreate` settings (#4370)
Also:
  * Group the tests for readability.
  * Factor out some common test setup.
2020-09-28 11:22:06 +01:00
John McLear 40014d8230
Rate limit Socket IO communication - WIP (#4036)
Includes settings
    Includes i18n
    Includes a nice notification
    Disconnects on rate limit
    Includes feeding into metrics/stats
    Include console warn to server console.
2020-07-19 22:44:24 +01:00
John McLear bfca481b0b
import: setting for allowing import without author existing 2020-06-01 18:19:06 +01:00
Daniel Krol 61c7bb9699
feat(i18n) Custom i18n strings (#4000)
* Custom i18n strings (and some code formatting)

* Documentation for per-instance l10n overwrites
2020-05-19 13:21:31 +01:00
muxator 9882362e2e settings: clarify that null defaults are supported, using the syntax "${VAR_NAME}"
Using "${VAR_NAME:null}", instead, would define the literal string "null".
2020-04-21 04:44:56 +02:00
Sebastian Castro c6f5ced23c css: adds UI skin variants builder (only for colibris skin) 2020-04-19 03:03:44 +02:00
Sebastian Castro 709e5d2233 colibris: introduce skin variants, in order to customize the rendering
This provide a nice way to change the colors of main containers from settings file. See comment inside settings for how it works
2020-04-19 03:03:44 +02:00
John McLear c9d55c81a3 import/export: always rate limit import and exports
This is a departure from previous versions, which did not limit import/export
requests. Now such requests are ALWAYS rate limited. The default is 10 requests
per IP each 90 seconds, and also applies to old instances upgraded to 1.8.3.

Administrators can tune the parameters via settings.importExportRateLimiting.
2020-04-14 03:36:13 +02:00
John McLear f4418149cb import: introduce importMaxFileSize setting. Defaults to 50 MB
From Etherpad 1.8.3 onwards, the maximum allowed size for a single imported
file will always be bounded.

The maximum allowed size can be configured via importMaxFileSize.
2020-04-14 03:36:13 +02:00
muxator 6cba0f1dc5 settings: "http://etherpad.org" -> "https://etherpad.org" in the default text of a pad 2020-04-09 03:54:46 +02:00
Paul Tiedtke 79406051fa Settings.js: support newlines in default values when using variable substitution
This allows, among other things, to correctly support the configuration of
defaultPadText in Docker via an environment variable.
2020-04-07 04:32:37 +02:00
John McLear fa3e4b146a settings: document the possibility of using Unix sockets
We have been supporting Unix sockets by ages, because express.listen()
(http://expressjs.com/en/4x/api.html#app.listen_path_callback) re-exposes
net.server.listen() (https://nodejs.org/api/net.html#net_server_listen), which
in turn supports Unix sockets.

The only remaining thing to do was documenting it.

Fixes #3312
2020-03-30 03:36:55 +02:00
muxator 70bc71c0c3 skins: make "colibris" the default skin for new installations
Colibris skin was first introduced in 1.7.5 and received some bugfixes in 1.8.0.
It is now time to make it the default for new installs.
2019-12-08 00:32:03 +01:00
muxator a817acbbcc security: when served over https, set the "secure" flag for "express_sid" and "language" cookie
The mechanism used for determining if the application is being served over SSL
is wrapped by the "express-session" library for "express_sid", and manual for
the "language" cookie, but it's very similar in both cases.

The "secure" flag is set if one of these is true:

1. we are directly serving Etherpad over SSL using the native nodejs
   functionality, via the "ssl" options in settings.json

2. Etherpad is being served in plaintext by nodejs, but we are using a reverse
   proxy for terminating the SSL for us;
   In this case, the user has to be instructed to properly set trustProxy: true
   in settings.json, and the information wheter the application is over SSL or
   not will be extracted from the X-Forwarded-Proto HTTP header.

Please note that this will not be compatible with applications being served over
http and https at the same time.

The change on webaccess.js amends 009b61b338, which did not work when the SSL
termination was performed by a reverse proxy.

Reference for automatic "express_sid" configuration:
https://github.com/expressjs/session/blob/v1.17.0/README.md#cookiesecure

Closes #3561.
2019-12-07 04:36:01 +01:00
muxator 7c099fef5e settings: do not create a user if he has no password field, or if his password is null.
This will be used by the settings.json in the default Dockerfile to eschew
creating an admin user when no password is set.

Closes #3648.
2019-10-19 00:54:56 +02:00
muxator 4e758a9f4a settings: better explain that no default value is very different from ''
If environment variable PASSW is not defined, the following would be very
different:

  "password": "${PASSW}"  // would result in password === null
  "password": "${PASSW:}" // would result in password === ''

This characteristic will be used in the next commit, when we will use it to
discard a user if his password were null (and in turn use it for docker
containerization).

No functional changes.
2019-10-19 00:34:00 +02:00
muxator 1cc6838772 settings: reformat settings.json.template, in preparation for next commits
No functional changes.
2019-10-10 20:25:34 +02:00
Tristram Gräbener 357780d573 Display the version in the web interface
In the settings drop-down this adds an “About” section that also shows
the commit if "exposeVersion" is set to true.

Fixes #2968
2019-04-15 23:17:34 +00:00
Tristram Gräbener 28a6f505c5 Parameters: the version is exposed in http header only when configured
Currently the version is exposed in a 'Server' http headers.

This commit allows to parameterize it in the settings. By defaults it is
not exposed.

Fixes #3423
2019-04-15 23:17:34 +00:00
muxator 2955740a6e Settings.js: support syntax for default values
+---------------------------+---------------+------------------+
| Configuration string in   | Value of      | Resulting confi- |
| settings.json             | ENV_VAR       | guration value   |
|---------------------------|---------------|------------------|
| "${ENV_VAR}"              | "some_string" | "some_string"    |
| "${ENV_VAR}"              | "9001"        | 9001             |
| "${ENV_VAR}"              | undefined     | null             |
| "${ENV_VAR:some_default}" | "some_string" | "some_string"    |
| "${ENV_VAR:some_default}" | undefined     | "some_default"   |
+---------------------------+---------------+------------------+

Mention this briefly in the main README.md, also.

Closes #3578.
2019-03-21 23:32:08 +01:00
muxator 21ac37170e doc: rephrase settings.json.template and Settings.js
Better document current behaviour.
In this revision, ENV_VAR are supported, default values are not.
2019-03-21 23:32:08 +01:00
muxator 6d400050a3 Settings.js: support configuration via environment variables.
All the configuration values can be read from environment variables using the
syntax "${ENV_VAR_NAME}".
This is useful, for example, when running in a Docker container.

EXAMPLE:
   "port":     "${PORT}"
   "minify":   "${MINIFY}"
   "skinName": "${SKIN_NAME}"

Would read the configuration values for those items from the environment
variables PORT, MINIFY and SKIN_NAME.

REMARKS:
Please note that a variable substitution always needs to be quoted.
   "port":   9001,          <-- Literal values. When not using substitution,
   "minify": false              only strings must be quoted: booleans and
   "skin":   "colibris"         numbers must not.

   "port":   ${PORT}        <-- ERROR: this is not valid json
   "minify": ${MINIFY}
   "skin":   ${SKIN_NAME}

   "port":   "${PORT}"      <-- CORRECT: if you want to use a variable
   "minify": "${MINIFY}"        substitution, put quotes around its name,
   "skin":   "${SKIN_NAME}"     even if the required value is a number or a
                                boolean.
                                Etherpad will take care of rewriting it to
                                the proper type if necessary.

Resolves #3543
2019-03-11 08:11:30 +01:00
muxator ee4a27d10e settings.json.template: minor rewording of a comment 2019-03-11 08:11:30 +01:00
muxator 7edc0fea16 skins: added new parameter "skinName" in setting.json.template
"colibris" does not exist yet, but let's mention it anyway.
2018-08-26 21:17:04 +02:00
muxator 06476f7ad2 settings.json.template: reorganized dbSetting section to be more comment-friendly
It is better to keep the dirtyDB settings together, so they can be commented out
via a /* ... */.
Nested comments blocks would crash the application on start, because they are
syntactically incorrect.

Let's reduce this possibility, promoting an easier standard.
2018-08-24 01:26:05 +02:00
muxator d38f53181f settings.json: in the mysql example, mention the existence of port parameter
The port parameter is supported by the mysql driver, but to know this one has to
read through ueberDB's code.

At least for this simple case, it may make sense to be explicit.

Fixes #3453
2018-08-11 16:44:37 +02:00
muxator 10f0cb3253 security: suggest installing ep_hash_auth to get rid of plain text passwords
In its current form, Etherpad stores passwords for users in plain text in
settings.json. We should at least mention the opportunity of installing
ep_hash_auth to start tackling this problem.

The advice was added in README.md and in settings.json.template

Fixes #3444
2018-08-09 00:17:15 +02:00
muxator 044f761b99 settings.json: reformat comments, no functional changes. 2018-08-08 23:49:32 +02:00
Wikinaut 6dd172d6b7 Update settings.json.template 2018-05-12 21:48:21 +02:00
Wikinaut 784bd8c7cc Update settings.json.template
harmonizing the database name. "store" is the table name - not to be used here! Database name must not contain "-", but can contain "_". See https://github.com/ether/etherpad-lite/wiki/How-to-use-Etherpad-Lite-with-MySQL
2018-05-12 21:48:21 +02:00
Joas Souza f1fcd16894 Add settings to scroll on edition out of viewport (#3282)
* Add scroll when it edits a line out of viewport

By default, when there is an edition of a line, which is out of the
viewport, Etherpad scrolls the minimum necessary to make this line
visible. This makes that the line stays either on the top or the bottom
of the viewport. With this commit, we add a setting to make possible to
scroll to a position x% pixels from the viewport. Besides of that, we
add a setting to make an animation of this scroll.
If nothing is changed on settings.json the Etherpad default behavior is
kept
2018-01-03 19:57:28 -02:00