Panagiotis Papadopoulos
2a740781cb
feat(session_parser): use seconds for setting maxAge and update default value to 21 days
21 days was used in the login route previously, when "remember me" was set
2025-02-13 08:52:05 +01:00
Panagiotis Papadopoulos
04827c0ce1
fix(session_parser): FileStore ttl should be ideally the same as session cookies maxAge
this avoids having "unused" dead sessions on the filesystem
2025-02-13 08:21:29 +01:00
Panagiotis Papadopoulos
4e23b5193d
feat(session_parser): use Session.cookieMaxAge from config
2025-02-13 08:21:29 +01:00
Panagiotis Papadopoulos
2bb79c4209
feat: "friendly number handling" for note erasure timeouts
2025-02-11 09:06:29 +01:00
Elian Doran
b1bf6931f2
Merge pull request #1162 from TriliumNext/refactor_routes-login
refactor(routes/login): simplify login function and get rid of deprecated usage of expires
2025-02-11 10:03:09 +02:00
Panagiotis Papadopoulos
e3b7ae018f
refactor(routes/login): refactor login fn
I also got rid of the deprecated use of "expires" - setting maxAge to undefined is the preferred way
2025-02-11 07:55:18 +01:00
Elian Doran
d0399c173e
Merge pull request #1144 from TriliumNext/feature/swagger-ui-in-server
Add Swagger UI endpoint
2025-02-10 23:46:18 +02:00
Panagiotis Papadopoulos
62f8f8f1a7
refactor(config): rename Cookies to Session
as requested in PR #1155
2025-02-10 19:44:19 +01:00
Panagiotis Papadopoulos
b6d73df92e
feat(csrf_protection): use cookiePath from config
2025-02-10 19:03:10 +01:00
perf3ct
9c86a03acc
Do this thing to make Pano happy :)
2025-02-10 16:03:01 +00:00
Panagiotis Papadopoulos
a600568ab8
feat(session_parser): use cookiePath from config
2025-02-10 08:35:01 +01:00
perf3ct
57a34e5c02
use fs/promises instead of fs
2025-02-10 00:50:43 +00:00
perf3ct
d859f50c98
Change Swagger endpoint and site title
2025-02-09 22:17:31 +00:00
perf3ct
18f5f1b759
add Swagger UI endpoint and add to router
2025-02-09 21:15:12 +00:00
Elian Doran
a1c97142a8
feat(build): set up faster electron build by skipping dist
2025-02-08 00:41:39 +02:00
Elian Doran
7f314d2d75
feat(build): set up webpack cache
2025-02-08 00:41:39 +02:00
Elian Doran
892734bce3
Merge develop into test_server-utils
2025-02-04 21:28:44 +02:00
Elian Doran
ec95f62cd2
fix(server): doc notes not being served in dev mode
2025-02-02 12:47:41 +02:00
Panagiotis Papadopoulos
03c1128a72
fix(isEmptyOrWhitespace): avoid exception throwing when passed value is undefined
the req.body value from "routes/api/branches" actually seems to never get parsed into a JS object, but arrives as text string, so req.body.prefix could be undefined, which of course would cause an error to be thrown, when trying to call "match" on undefined.
2025-02-01 14:37:12 +01:00
Elian Doran
2cc7113c2c
refactor(deps): get rid of print-this
2025-02-01 00:52:46 +02:00
Elian Doran
6fab899898
Merge pull request #1073 from TriliumNext/refactor_utils-isPlatform
refactor(server/utils): turn isMac/isWin/isElectron/isDev into boolean
2025-01-29 22:16:20 +02:00
Panagiotis Papadopoulos
31c46753de
refactor(server/utils): isDev move to utils and replace fn with boolean
this value cannot change during runtime,
=> there is no need to have these checks
as dynamic function, instead just
export the boolean value directly
2025-01-29 10:58:00 +01:00
Panagiotis Papadopoulos
ca2bb94200
refactor(server/utils): isElectron - replace fn with boolean
these values cannot change during runtime,
=> there is no need to have these checks
as dynamic function, instead just
export the boolean value directly
2025-01-29 10:55:53 +01:00
Panagiotis Papadopoulos
ed33b72f57
chore(assets): remove manual provision of knockout
this is only used in setup.ts and there it is already packed by webpack – so no need to manually provide it as static asset anymore
2025-01-29 08:48:03 +01:00
Elian Doran
20584f622d
chore(client/ts): port zpetne_odkazy
2025-01-26 21:23:08 +02:00
Elian Doran
94a0403981
feat(geomap): load leaflet
2025-01-20 19:18:29 +02:00
Elian Doran
7d3f506efb
refactor(deps): use webpack import for canvas
2025-01-18 11:09:57 +02:00
Elian Doran
e7eb385b8f
refactor(deps): integrate force-graph into webpack
2025-01-17 20:21:52 +02:00
Panagiotis Papadopoulos
9382c278b3
fix(csrf): add exception for electron for httpOnly cookie
it does not seem to like having httpOnly set in electron
2025-01-17 17:26:52 +01:00
Panagiotis Papadopoulos
5f605b3a91
fix(csrf): set more secure cookieOptions settings
- `sameSite` - previous setting inherited from csurf was to simply not set it at all, which makes all browsers nag in their dev console output.
They will default to "Lax" for this type of cookie in the future.
We can even use "strict" here though for our use case:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value
- `httpOnly`: should be enabled for the csrf cookie as well;
for the session cookie it already is enabled.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#httponly
2025-01-16 21:40:12 +01:00
Panagiotis Papadopoulos
ec19ccd7a7
fix(csrf): stop leaking the CSRF token in the server logs
As per OWASP:
"A CSRF token must not be leaked in the server logs or in the URL.", see:
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#transmissing-csrf-tokens-in-synchronized-patterns
2025-01-16 21:16:33 +01:00
Panagiotis Papadopoulos
139bf3dcdf
fix(csrf): use generateCsrfToken with more "user friendly" settings
fixes the case where existing TriliumNext users will get
an "Invalid CSRF Token" message when they have an older
_csrf token in their cookies from a previous installation/visit.
the settings now will handle these cases in the background automatically.
also fixes #950
2025-01-16 20:14:23 +01:00
Panagiotis Papadopoulos
6dd8ab31d5
refactor(csrf): export generateToken utility
2025-01-16 20:14:23 +01:00
Panagiotis Papadopoulos
e3d89ce2a5
refactor(csrf): move csrf to own file
2025-01-16 20:14:23 +01:00
Elian Doran
8a7a607fcb
Merge pull request #926 from pano9000:refactor_backend_log
refactor(backend_log): improve `getBackendLog`
2025-01-14 20:41:29 +02:00
Elian Doran
c8c501d717
Merge branch 'develop' into refactor_replace-csurf
2025-01-14 20:32:52 +02:00
Elian Doran
1807b2b031
chore(types): missing import type for JS imports
2025-01-13 23:18:10 +02:00
Panagiotis Papadopoulos
bcbf4f4090
chore: fix formatting
2025-01-13 09:21:24 +01:00
Panagiotis Papadopoulos
903988fec5
i18n(backend_log): translate messages
2025-01-13 09:21:24 +01:00
Panagiotis Papadopoulos
dcfdb67539
refactor(backend_log): improve handling of 'file not found'
handle errors in a more "user friendly" way and actually
let the user know that either the file does not
exist (yet), or that reading the log failed.
2025-01-13 09:21:24 +01:00
Panagiotis Papadopoulos
67d858441a
refactor(backend_log): include filename in log
2025-01-13 09:21:24 +01:00
Panagiotis Papadopoulos
c4ad84ab06
refactor(backend_log): print error to the log
2025-01-13 09:21:24 +01:00
Panagiotis Papadopoulos
eb4b5a44df
refactor(backend_log): use path.join for log file path
2025-01-13 09:21:24 +01:00
Panagiotis Papadopoulos
06ebcc210e
refactor(backend_log): use async readFile
using synchronous functions on the backend
is not recommended, as it is "blocking the event loop", i.e. no other tasks get executed/processed,
while the file is being read
2025-01-13 09:21:24 +01:00
Panagiotis Papadopoulos
ea621ef8e1
chore(prettier): fix code style
2025-01-12 13:30:02 +01:00
Panagiotis Papadopoulos
d1bd2d2812
refactor(routes/login): remove unused rendering of HTML
2025-01-12 13:13:59 +01:00
Panagiotis Papadopoulos
c36085e580
chore: fix TS warning by type narrowing
`req.csrfToken` might be undefined according to `csrf-csrf`
provided types, so use type narrowing to make sure it exists,
before calling it
2025-01-12 10:22:05 +01:00
Panagiotis Papadopoulos
d20a3bab2a
fix(csrfMiddleware): use sessionSecret instead
since `cookie-parser` is not configured with a secret,
req.secret is not set and hence is `undefined`,
which is then used as the literal string 'undefined' in the hashing function – making it less secure.
Instead we can use the existing sessionSecret:
the `csrf-csrf` developer confirmed in their Discord chat
that it would be ok to use the same secret here.
2025-01-12 10:22:05 +01:00
Panagiotis Papadopoulos
b787610717
refactor: replace csurf with csrf-csrf
I've kept the same settings as before –
however they are not *ideal* from what I read.
More secure settings will need to be tested a bit more thoroughly first and will be a separate PR.
2025-01-12 10:22:05 +01:00
Elian Doran
324696bc54
refactor(ts): enable verbatim module syntax
2025-01-09 18:36:24 +02:00