Only the OAuth2 auth strategy was using the state parameter,
which should be used as described in the RFC. The other
auth strategies such as GitHub, GitLab or Google were lacking
the state parameter.
This change adds the required state parameter as well as
enabling PKCE support on providers where it's possible.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Previously, image uploads were always allowed, unless `CMD_ALLOW_ANONYMOUS=false` and `CMD_ALLOW_ANONYMOUS_EDITS=false`.
This PR adds a new config option `CMD_ENABLE_UPLOADS` to configure image uploads independently. There are three different modes: `all` (everyone can upload, guests too), `registered` (only registered and logged-in users can upload images), and `none` to completely disable image uploads.
The default value is non-breaking as it is `all`, unless the config `CMD_ALLOW_ANONYMOUS=false` and `CMD_ALLOW_ANONYMOUS_EDITS=false` is set, in which case the value is `registered`.
The UI will reflect the setting and either show or hide the upload button.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
It can be a security concern in some environments to expose system
capabilities even though they don't expose any PII. Add some
flags (defaulted `true` to maintain existing behaviour) to control
whether the /metrics and /status (and anything in the StatusRouter)
are exposed.
Signed-off-by: Stéphane Maniaci <stephane.maniaci@beta.gouv.fr>
New configurations:
- s3folder: (string) folder to save the files inside bucket
- s3publicFiles: (boolean) indicate if should send ACL parameters
Signed-off-by: Lautaro Alvarez <lautarolalvarez@gmail.com>
Using `CMD_SAML_PROVIDERNAME` and the respective auth provider objects
in the configuration structures.
Signed-off-by: Moritz Schlarb <schlarbm@uni-mainz.de>
This patch implements 6 additional environment variables that are used
for configuration of the database in order to allow easier configuration
in containerised environments, such as Kubernetes.
An example is the upcoming deployment of the demo instance that will use
an operator-backed postgresql database. This operator exposes username
and password as separate variables and while it's obviously possible to
generate a dbURL from that, this won't be possible without additional
code. Aiming for a solution in Hedgedoc itself, will help us to enable
other people in using Hedgedoc on Kubernetes without resulting in overly
customised setups for simple tasks like this.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
This mitigates unintended note creation by bots or humans through a
simple GET call.
See discussion in #754.
Signed-off-by: Nicolas Dietrich <nidi@mailbox.org>
