Elian Doran
e7eb385b8f
refactor(deps): integrate force-graph into webpack
2025-01-17 20:21:52 +02:00

Panagiotis Papadopoulos
9382c278b3
fix(csrf): add exception for electron for httpOnly cookie
it does not seem to like having httpOnly set in electron
2025-01-17 17:26:52 +01:00

Panagiotis Papadopoulos
5f605b3a91
fix(csrf): set more secure cookieOptions settings
- `sameSite` - previous setting inherited from csurf was to simply not set it at all, which makes all browsers nag in their dev console output.
They will default to "Lax" for these types of cookies in the future.
We can even use "strict" here though for our use case:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value
- `httpOnly`: should be enabled for the csrf cookie as well
for the session cookie it already is enabled.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#httponly
2025-01-16 21:40:12 +01:00

Panagiotis Papadopoulos
ec19ccd7a7
fix(csrf): stop leaking the CSRF token in the server logs
As per OWASP:
"A CSRF token must not be leaked in the server logs or in the URL.", see:
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#transmissing-csrf-tokens-in-synchronized-patterns
2025-01-16 21:16:33 +01:00

Panagiotis Papadopoulos
139bf3dcdf
fix(csrf): use generateCsrfToken with more "user friendly" settings
fixes the case, where existing TriliumNext users, will get
an "Invalid CSRF Token" Message, when they have an older
_csrf token in their cookies from a previous installation/visit.
the settings now will handle these cases in the background automatically.
also fixes #950
2025-01-16 20:14:23 +01:00

Panagiotis Papadopoulos
6dd8ab31d5
refactor(csrf): export generateToken utility
2025-01-16 20:14:23 +01:00

Panagiotis Papadopoulos
e3d89ce2a5
refactor(csrf): move csrf to own file
2025-01-16 20:14:23 +01:00

Elian Doran
8a7a607fcb
Merge pull request #926 from pano9000:refactor_backend_log
refactor(backend_log): improve `getBackendLog`
2025-01-14 20:41:29 +02:00

Elian Doran
c8c501d717
Merge branch 'develop' into refactor_replace-csurf
2025-01-14 20:32:52 +02:00

Elian Doran
1807b2b031
chore(types): missing import type for JS imports
2025-01-13 23:18:10 +02:00

Panagiotis Papadopoulos
bcbf4f4090
chore: fix formatting
2025-01-13 09:21:24 +01:00

Panagiotis Papadopoulos
903988fec5
i18n(backend_log): translate messages
2025-01-13 09:21:24 +01:00

Panagiotis Papadopoulos
dcfdb67539
refactor(backend_log): improve handle 'file not found'
handle errors more "user friendly" and actually
let the user know, that either the file is not
existing (yet), or that reading the log failed.
2025-01-13 09:21:24 +01:00

Panagiotis Papadopoulos
67d858441a
refactor(backend_log): include filename in log
2025-01-13 09:21:24 +01:00

Panagiotis Papadopoulos
c4ad84ab06
refactor(backend_log): print error to the log
2025-01-13 09:21:24 +01:00

Panagiotis Papadopoulos
eb4b5a44df
refactor(backend_log): use path.join for log file path
2025-01-13 09:21:24 +01:00

Panagiotis Papadopoulos
06ebcc210e
refactor(backend_log): use async readFile
using synchronous functions on the backend
is not recommended, as it is "blocking the event loop", i.e. no other tasks get executed/processed,
while the file is being read
2025-01-13 09:21:24 +01:00

Panagiotis Papadopoulos
ea621ef8e1
chore(prettier): fix code style
2025-01-12 13:30:02 +01:00

Panagiotis Papadopoulos
d1bd2d2812
refactor(routes/login): remove unused rendering of HTML
2025-01-12 13:13:59 +01:00

Panagiotis Papadopoulos
c36085e580
chore: fix TS warning by type narrowing
`req.csrfToken` might be undefined according to `csrf-csrf`
provided types, so use type narrowing to make sure it exists,
before calling it
2025-01-12 10:22:05 +01:00

Panagiotis Papadopoulos
d20a3bab2a
fix(csrfMiddleware): use sessionSecret instead
since `cookie-parser` is not configured with a secret,
req.secret is not set and hence is `undefined`,
which then is used as literal 'undefined' in the hashing function – making it less secure.
Instead we can use the existing sessionSecret:
the `csrf-csrf` developer confirmed in their Discord chat,
that it would be ok to use the same secret here.
2025-01-12 10:22:05 +01:00

Panagiotis Papadopoulos
b787610717
refactor: replace csurf with csrf-csrf
I've kept the identical same settings as before –
however they are not *ideal* from what I read.
More secure settings will need to be tested a bit more thoroughly first and will be a separate PR.
2025-01-12 10:22:05 +01:00

Elian Doran
324696bc54
refactor(ts): enable verbatim module syntax
2025-01-09 18:36:24 +02:00

Elian Doran
4cbb529fd4
chore(prettier): fix all files
2025-01-09 18:07:02 +02:00

Panagiotis Papadopoulos
14358d1ec0
refactor(views): use ejs partial for injecting window.glob
2025-01-08 09:15:16 +01:00

Elian Doran
bf4decb4fb
fix(server): compile errors after refactoring
2025-01-04 11:52:40 +02:00

Elian Doran
33067e61e3
feat(client): add more monospace system fonts
2025-01-03 21:08:30 +02:00

Elian Doran
84a0e789f1
feat(client): add more system fonts
2025-01-03 20:59:13 +02:00

Elian Doran
d34e575488
feat(client): add support for system font
2025-01-03 20:54:14 +02:00

Elian Doran
8667c0a686
refactor(server): split font route in two functions
2025-01-03 20:31:13 +02:00

Elian Doran
b6e97c1ae9
refactor(server): typed options
2025-01-03 18:32:09 +02:00

Panagiotis Papadopoulos
afb91f82e1
refactor(sanitizeAttributeNames): directly export function
no need to wrap the exported function in an object first
2025-01-02 18:25:09 +01:00

Elian Doran
b321d99076
chore(code): fix editorconfig for src/public
2024-12-22 15:42:15 +02:00

Elian Doran
e7e763435e
feat(client): use shared config which also fixes production builds
2024-12-21 21:22:27 +02:00

Elian Doran
ba6c6cb77f
Merge remote-tracking branch 'origin/develop' into feature/client_typescript_port1
; Conflicts:
;	package-lock.json
2024-12-19 19:05:51 +02:00

Elian Doran
42a7556c55
fix(server): not running in prod due to webpack change
2024-12-19 18:16:46 +02:00

Adorian Doran
8c17be8953
client: rename the "System" theme to "Auto"
2024-12-16 22:16:26 +02:00

Adorian Doran
aba2813682
client: add the "System" theme
2024-12-16 22:09:26 +02:00

Adorian Doran
3390a2a968
client: add color scheme-related variations of the Next theme
2024-12-16 21:13:29 +02:00

Elian Doran
80afac902a
chore(build): fix path to tsconfig
2024-12-14 10:37:01 +02:00

Elian Doran
9fd288fe7e
chore(build): integrate TypeScript into webpack
2024-12-14 10:25:25 +02:00

Elian Doran
5ea5bfdb59
feat(build): run only in dev mode
2024-12-14 10:10:10 +02:00

Elian Doran
b3b8ae4a0e
feat(build): integrate webpack middleware
2024-12-14 10:05:38 +02:00

Elian Doran
b2b41edd61
feat(theme): allow using next as base theme
2024-12-14 02:30:23 +02:00

Elian Doran
f30c35f0f2
feat(classic-toolbar): allow user to toggle multiline toolbar
2024-12-14 01:24:29 +02:00

Elian Doran
f96a3ce32e
fix(server): HTTP streaming notes with unicode names (closes #757)
2024-12-13 22:05:05 +02:00

Elian Doran
181ee3ef6d
fix(server): not building due to API change
2024-12-11 08:16:37 +02:00

Elian Doran
c6e8a2a459
Merge pull request #635 from TriliumNext/renovate/express-5.x
chore(deps): update dependency @types/express to v5
2024-12-10 22:43:47 +02:00

Elian Doran
5190b28d3c
chore(types): adapt to new express type definitions
2024-12-10 22:35:23 +02:00

Elian Doran
c39e8be29a
feat(server): set up option to toggle background effects
2024-12-09 21:57:54 +02:00