861a929a43
docker: Sync `settings.json.docker` with `.template`
2022-01-19 23:06:56 -05:00
692749d1cf
express-session: Extend session lifetime if user is active
2022-01-17 21:45:56 -05:00
9c1f52f1b0
express-session: Install package from `@etherpad` scope
...
This allows us to use some in-progress features.
2022-01-17 21:45:56 -05:00
023e58cfe6
express-session: Set a finite cookie lifetime
2022-01-17 21:45:56 -05:00
ec10700dff
express-session: Don't save uninitialized sessions
...
This should avoid frivolous session records, such as when the user
gets a 404 (unless login was required to see the 404).
2022-01-17 21:45:56 -05:00
7255dd7ef0
express-session: Inherit proxy trust from Express
2022-01-17 21:45:56 -05:00
945e6848e2
SessionStore: Delete DB record when session expires
...
This only deletes records known to the current Etherpad instance --
old records from previous runs are not automatically cleaned up.
2022-01-17 21:45:56 -05:00
72cd983f0f
SessionStore: Option to update DB record on `touch()`
2022-01-17 21:45:52 -05:00
b991948e21
SessionStore: Don't write DB record if already expired
2022-01-17 21:33:58 -05:00
4d498725c7
SessionStore: Improve cookie expiration check
...
* Don't mutate `sess.cookie.expires`.
* Allow `sess.cookie` to be nullish.
* Always compare `Date` objects.
2022-01-17 18:17:40 -05:00
928c598ecf
tests: Add SessionStore backend tests
2022-01-17 17:51:08 -05:00
efab3aed0c
deps: Update ueberdb2 to 2.0.1 to get proper JSON support
2022-01-14 00:45:47 -05:00
d3984aa621
express: Move `preAuthorize` hook after `express-session`
...
The `ep_openid_connect` plugin needs access to session state before
authorization checks are made (to securely redirect the user back to
the start page when authentication completes). Now that the
`expressPreSession` hook exists, the rationale for moving
`preAuthorize` before the `express-session` middleware is gone.
This change undoes the following commits:
* bf35dcfc500b1ec20c5c30544b564e
2022-01-14 00:44:54 -05:00
75637708c0
express: Move up `cookie-parser` middleware
...
This makes it possible for the `preAuthorize` and `preExpressSession`
hooks to easily read or set cookies.
2022-01-14 00:44:54 -05:00
ab85db4426
webaccess: Silence prototype pollution warning
2022-01-14 00:44:54 -05:00
dcd43e9849
webaccess: Use `.startsWith()` instead of `.search()`
2022-01-14 00:44:54 -05:00
b9118c22ba
Localisation updates from https://translatewiki.net .
2022-01-13 13:02:54 +01:00
fd9b770579
PadManager: Refactor `padList` to avoid duplicate loads
2022-01-02 20:44:42 -05:00
66ce2b50a9
openapi: Convert `Promise.catch()` to `catch` block
2022-01-02 19:17:20 -05:00
fa8bdb0348
promises: Add a comment explaining a subtlety in `Gate`
2022-01-02 18:57:44 -05:00
a115c475ad
promises: Expose `reject` in `Gate`
2022-01-02 18:57:44 -05:00
b72db7ebd6
promises: Return a `Promise` from `Gate.then()`
...
It doesn't make sense to return a `Gate` from `Gate.then()`, and this
eliminates the semantically confusing constructor parameter.
2022-01-02 18:57:44 -05:00
78a67801f3
promises: Move Gate from `server.js` (to enable reuse)
2022-01-02 18:57:44 -05:00
c8d45586c1
server: Fix stop Gate creation and check
2022-01-02 18:57:44 -05:00
10c55a2328
Changeset: Explain why number of removals doesn't matter
2021-12-31 22:53:59 -05:00
6495b1e6f4
tests: Disable deprecation warnings when testing deprecated functions
2021-12-31 22:15:03 -05:00
c0471dd238
tests: Avoid deprecated `Changeset.opIterator`
2021-12-31 22:14:07 -05:00
0af728ffee
textLinesMutator: coverage for changed attributes in multiline keeps
2021-12-30 18:44:29 -05:00
93447b7493
easysync tests: cover more string operation scenarios
2021-12-30 18:44:29 -05:00
395cbc01bb
Changeset.js: refine comments
2021-12-30 18:44:29 -05:00
55c47efd4c
easysync tests: add some more smartOpAssembler tests
2021-12-30 18:44:29 -05:00
12ebca897d
easysync: add clear method to stringAssembler
2021-12-30 18:44:29 -05:00
0cc15df9b9
Prevent pad translation and crash
...
Prevent "TypeError: Cannot read properties of null (reading 'sheet')"
exception because google chrome can translate `<style type="text/css" title="dynamicsyntax"></style>` title attribute
2021-12-22 17:46:32 +01:00
cb257de8f9
Bump version to v1.9.0 for plugin `peerDependencies`
...
This allows plugins to depend on the not-yet-released API by bumping
their `peerDependencies` to `>=1.9.0`.
IMPORTANT: v1.9.0 IS NOT RELEASED YET. I tried to bump the version to
1.9.0-alpha.0 instead, but unfortunately that doesn't satisfy
`>=1.8.6` which would break just about every plugin.
2021-12-21 17:23:56 -05:00
02a56dc58c
PadMessageHandler: Allow `handleMessageSecurity` to grant one-time write access
2021-12-21 17:23:56 -05:00
31b025bd9d
PadMessageHandler: Pass session info to `handleMessageSecurity` hook
2021-12-21 17:23:56 -05:00
1b52c9f0c4
PadMessageHandler: Deprecate `client` context property
2021-12-21 17:23:56 -05:00
8539a66439
docs: Improve `handleMessageSecurity` documentation
2021-12-21 17:23:56 -05:00
f1856cf95a
Docker: Use new `/health` endpoint for HEALTHCHECK
2021-12-21 17:19:56 -05:00
11de525508
Docker: Install and use link for `etherpad` binary
2021-12-21 17:19:56 -05:00
83f2898723
package.json: Define `etherpad` binary
2021-12-21 17:19:56 -05:00
696f9c3367
specialpages: New `/health` endpoint for health checking
...
This endpoint is intended to conform with:
https://www.ietf.org/archive/id/draft-inadarei-api-health-check-06.html
2021-12-21 17:19:56 -05:00
2e4c546c7f
Pad: Add new `.spliceText()` method
...
Co-authored-by: Richard Hansen <rhansen@rhansen.org>
2021-12-21 17:00:18 -05:00
30544b564e
express: Skip express-session middleware if pre-authorized
2021-12-20 20:08:19 -05:00
649fbdccf5
express: Move static handlers to `expressPreSession`
...
This avoids the need to exempt the paths from authentication checks,
and it eliminates unnecessary express-session state.
2021-12-20 20:08:19 -05:00
72f4ae444d
express: New `expressPreSession` server-side hook
2021-12-20 20:08:19 -05:00
0b1ec20c5c
express: Move `preAuthorize` middleware before express-session
2021-12-20 20:08:19 -05:00
bf35dcfc50
webaccess: Move `preAuthorize` to its own middleware
2021-12-20 20:08:19 -05:00
7f3d0e71f7
express: Check access before `expressConfigure` middleware
...
There are no guarantees about the order of execution of hook
functions, which means that a plugin's `expressConfigure` hook
function could theoretically register a handler/middleware before the
access check middleware is registered. If that happens, the plugin's
handler would run before the access check, which would be bad. Avoid
the problem by explicitly installing the `webaccess.checkAccess`
middleware before running the `expressConfigure` hook.
2021-12-20 20:08:18 -05:00
472eddc821
webaccess: Skip checks if `next` is called in `preAuthenticate`
2021-12-20 20:08:18 -05:00
Richard Hansen