Panagiotis Papadopoulos
ec19ccd7a7
fix(csrf): stop leaking the CSRF token in the server logs
...
As per OWASP:
"A CSRF token must not be leaked in the server logs or in the URL.", see:
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#transmissing-csrf-tokens-in-synchronized-patterns
2025-01-16 21:16:33 +01:00
Panagiotis Papadopoulos
139bf3dcdf
fix(csrf): use generateCsrfToken with more "user friendly" settings
...
Fixes the case where existing TriliumNext users get
an "Invalid CSRF Token" message when they have an older
_csrf token in their cookies from a previous installation/visit.
The settings now handle these cases in the background automatically.
Also fixes #950
2025-01-16 20:14:23 +01:00
Panagiotis Papadopoulos
6dd8ab31d5
refactor(csrf): export generateToken utility
2025-01-16 20:14:23 +01:00
Panagiotis Papadopoulos
e3d89ce2a5
refactor(csrf): move csrf to own file
2025-01-16 20:14:23 +01:00
Elian Doran
edc6b983ac
Merge remote-tracking branch 'origin/master' into develop
2025-01-16 18:36:35 +02:00
Elian Doran
d684440c1f
fix(client): undefined entity in some cases
2025-01-16 18:36:29 +02:00
Elian Doran
1e182f5820
chore(client/ts): port mermaid
2025-01-16 18:20:23 +02:00
Elian Doran
5ca876ca62
fix(mobile): force grouping in editing toolbar
2025-01-16 16:41:52 +02:00
Elian Doran
187ef60350
feat(mobile): disable overscroll for toolbar
2025-01-16 16:32:47 +02:00
Elian Doran
706b011b23
feat(mobile): enforce classic editor
2025-01-16 16:29:51 +02:00
Elian Doran
6f2538a070
feat(mobile): hide editing toolbar on non-text note
2025-01-16 16:14:37 +02:00
Elian Doran
6caddc8004
fix(mobile): position of editing toolbar on tablet mode
2025-01-16 16:09:11 +02:00
Elian Doran
0cab891d2e
chore(client/ts): port classic_editor_toolbar
2025-01-16 15:51:58 +02:00
Elian Doran
1d6e3af9aa
fix(mobile): position of editing toolbar
2025-01-16 15:48:56 +02:00
Elian Doran
7dfeb20678
Merge pull request #936 from pano9000/fix_views-deprecated-meta-tag
...
fix(views): replace deprecated meta tag
2025-01-14 23:51:46 +02:00
hasecilu
7f9e42abbd
chore(i18n): update Spanish translation
2025-01-14 13:26:39 -06:00
Elian Doran
8a7a607fcb
Merge pull request #926 from pano9000:refactor_backend_log
...
refactor(backend_log): improve `getBackendLog`
2025-01-14 20:41:29 +02:00
Elian Doran
c8c501d717
Merge branch 'develop' into refactor_replace-csurf
2025-01-14 20:32:52 +02:00
Elian Doran
eb1af98830
Merge pull request #880 from pano9000/refactor_data_dir
...
refactor(data_dir): simplify logic and make code robust and testable
2025-01-14 20:20:32 +02:00
Elian Doran
3c0e4b842a
Merge pull request #941 from process/ck-logging
...
Add server logging for CKEditor state changes
2025-01-14 20:18:06 +02:00
Elian Doran
0221039ebe
fix(client/ts): fix build errors & define command to event bridge
2025-01-14 20:08:57 +02:00
Elian Doran
580bebb4a3
chore(client/ts): port mind_map
2025-01-14 19:18:44 +02:00
Elian Doran
e16f4a1a71
chore(client/ts): port type_widget
2025-01-14 19:12:29 +02:00
Elian Doran
353156e625
fix(mindmap): not working due to dependency change
2025-01-14 18:47:42 +02:00
Justin Chines
b173429dc5
Add more logging of CKEditor crashes
2025-01-14 15:39:04 +07:00
Justin Chines
7768511fe6
Add server logging for CKEditor state changes
2025-01-14 15:38:13 +07:00
Elian Doran
1807b2b031
chore(types): missing import type for JS imports
2025-01-13 23:18:10 +02:00
Panagiotis Papadopoulos
8b91c528aa
fix(views): replace deprecated meta tag
...
`apple-mobile-web-app-capable` =>
`mobile-web-app-capable`
as warned by Chrome and also already implemented by
e.g. Flutter or vercel/Next.js:
https://github.com/vercel/next.js/pull/70363
https://github.com/flutter/flutter/issues/154596
2025-01-13 20:49:53 +01:00
Panagiotis Papadopoulos
bcbf4f4090
chore: fix formatting
2025-01-13 09:21:24 +01:00
Panagiotis Papadopoulos
903988fec5
i18n(backend_log): translate messages
2025-01-13 09:21:24 +01:00
Panagiotis Papadopoulos
dcfdb67539
refactor(backend_log): improve handle 'file not found'
...
Handle errors in a more "user friendly" way and actually
let the user know that either the file does not
exist (yet), or that reading the log failed.
2025-01-13 09:21:24 +01:00
Panagiotis Papadopoulos
67d858441a
refactor(backend_log): include filename in log
2025-01-13 09:21:24 +01:00
Panagiotis Papadopoulos
c4ad84ab06
refactor(backend_log): print error to the log
2025-01-13 09:21:24 +01:00
Panagiotis Papadopoulos
eb4b5a44df
refactor(backend_log): use path.join for log file path
2025-01-13 09:21:24 +01:00
Panagiotis Papadopoulos
06ebcc210e
refactor(backend_log): use async readFile
...
Using synchronous functions on the backend
is not recommended, as it "blocks the event loop", i.e. no other tasks get executed/processed
while the file is being read.
2025-01-13 09:21:24 +01:00
Panagiotis Papadopoulos
5373ef509b
chore(prettier): fix code style
2025-01-13 08:28:12 +01:00
Panagiotis Papadopoulos
6818b2d54c
style: move "important" funcs to top of file
2025-01-13 08:26:07 +01:00
Panagiotis Papadopoulos
c47522eb50
refactor(data_dir): pass DIR_NAME as argument to getTriliumDir
...
Makes it a bit cleaner and easier to test in the future,
as it is one thing less that would need mocking :-)
2025-01-13 08:26:07 +01:00
Panagiotis Papadopoulos
94b8bcf8c9
refactor(data_dir): export functions to allow for testing
2025-01-13 08:26:07 +01:00
Panagiotis Papadopoulos
8b1071c459
refactor(data_dir): export dirs as frozen readonly object
...
The previously exported object allowed the values to be changed
accidentally at runtime and build time.
2025-01-13 08:26:07 +01:00
Panagiotis Papadopoulos
759d24855b
style(data_dir): fix indentation
2025-01-13 08:26:07 +01:00
Panagiotis Papadopoulos
7a1e8714af
refactor(data_dir): logically order/split cases in getTriliumDataDir
...
- the blocks now clearly follow the intended logic described in the comments
- I renamed the `getAppDataDir` to more specific `getPlatformAppDataDir`
2025-01-13 08:25:53 +01:00
Panagiotis Papadopoulos
3481c8ba84
refactor(data_dir): use path.join for safer joins
...
https://nodejs.org/api/path.html#pathjoinpaths
2025-01-13 08:24:04 +01:00
Panagiotis Papadopoulos
8826021c63
refactor(data_dir): add createDirIfNotExisting function
...
Removes some code duplication.
2025-01-13 08:24:04 +01:00
Panagiotis Papadopoulos
61a19d5628
refactor(data_dir): add FOLDER_PERMISSION const
...
Gets rid of the previous "magic number".
2025-01-13 08:24:01 +01:00
Panagiotis Papadopoulos
ea621ef8e1
chore(prettier): fix code style
2025-01-12 13:30:02 +01:00
Panagiotis Papadopoulos
d1bd2d2812
refactor(routes/login): remove unused rendering of HTML
2025-01-12 13:13:59 +01:00
Panagiotis Papadopoulos
59ecc614c2
refactor: call logout route via JS
...
Required for csrf-csrf to correctly protect against
CSRF, as it requires the _csrf cookie AND the
x-csrf-token HTTP header; the latter cannot be set
via a simple form POST action.
Using "../login" here, because the "server" method automatically prepends all paths with "/api",
which we don't want here, as we want "/login".
2025-01-12 11:43:41 +01:00
Panagiotis Papadopoulos
c36085e580
chore: fix TS warning by type narrowing
...
`req.csrfToken` might be undefined according to the types
provided by `csrf-csrf`, so use type narrowing to make sure it exists
before calling it.
2025-01-12 10:22:05 +01:00
Panagiotis Papadopoulos
d20a3bab2a
fix(csrfMiddleware): use sessionSecret instead
...
Since `cookie-parser` is not configured with a secret,
req.secret is not set and hence is `undefined`,
which is then used as the literal 'undefined' in the hashing function, making it less secure.
Instead we can use the existing sessionSecret:
the `csrf-csrf` developer confirmed in their Discord chat
that it would be OK to use the same secret here.
2025-01-12 10:22:05 +01:00