Richard Hansen
e82a3055e6
webaccess: Whitespace fixes
2020-09-05 12:37:23 +01:00
John McLear
b15154cc23
Same site cookie fix - Ready for testing / merge (#3990)
...
* initial fix for httpprefs
* token
* express_sid fix
2020-07-10 08:43:20 +01:00
Richard Hansen
07c73d4f2d
webaccess: Log authentication attempts (#4022)
...
Addresses issue #4016.
2020-06-01 20:11:57 +01:00
John McLear
c2ea2b3a6d
webaccess: do not resave session
...
Before this change, the database was spammed with session values.
Modern express-session has this baked in.
See https://www.npmjs.com/package/express-session#resave for docs.
2020-04-03 02:55:33 +02:00
muxator
a817acbbcc
security: when served over https, set the "secure" flag for "express_sid" and "language" cookie
...
The mechanism used for determining if the application is being served over SSL
is wrapped by the "express-session" library for "express_sid", and manual for
the "language" cookie, but it's very similar in both cases.
The "secure" flag is set if one of these is true:
1. we are directly serving Etherpad over SSL using the native nodejs
functionality, via the "ssl" options in settings.json
2. Etherpad is being served in plaintext by nodejs, but we are using a reverse
proxy for terminating the SSL for us;
In this case, the user has to be instructed to properly set trustProxy: true
in settings.json, and the information whether the application is over SSL or
not will be extracted from the X-Forwarded-Proto HTTP header.
Please note that this will not be compatible with applications being served over
http and https at the same time.
The change on webaccess.js amends 009b61b338, which did not work when the SSL
termination was performed by a reverse proxy.
Reference for automatic "express_sid" configuration:
https://github.com/expressjs/session/blob/v1.17.0/README.md#cookiesecure
Closes #3561.
2019-12-07 04:36:01 +01:00
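The two conditions listed in the commit message above (native TLS via the "ssl" settings, or a trusted reverse proxy announcing the scheme in X-Forwarded-Proto) can be written as one decision function. The block below is an added illustration and is not Etherpad's webaccess.js; the names `settings`, `isServedOverHttps`, `languageCookieHeader` and `sessionOptions` are assumptions made for this example, and the request objects it is exercised with are constructed inline. The express-session options it returns use only documented fields of that library (`proxy` and `cookie.secure: 'auto'`).

```javascript
'use strict';

// Added example, not Etherpad's code. Decide whether the current request was
// served over HTTPS using the two cases from the commit message:
//  1. `settings.ssl` is set: node itself terminates TLS, so every request is HTTPS.
//  2. `settings.trustProxy` is true: a reverse proxy terminates TLS for us and
//     reports the original scheme in X-Forwarded-Proto.
// If neither holds, the header is ignored: an untrusted client can set any
// X-Forwarded-Proto it likes, so it must never be honoured on its own.
// (`settings`, `req` shape and all function names are assumptions of this example.)
function isServedOverHttps(req, settings) {
  if (settings.ssl) return true;
  if (!settings.trustProxy) return false;
  const xfp = req.headers['x-forwarded-proto'];
  if (typeof xfp !== 'string') return false;
  // Several proxies in a chain may append values; the first one is the scheme
  // seen by the proxy closest to the client (the convention express uses too).
  return xfp.split(',')[0].trim().toLowerCase() === 'https';
}

// The "language" cookie is set by hand, so the Secure attribute has to be
// appended manually with the same decision.
function languageCookieHeader(lang, req, settings) {
  const attrs = [`language=${encodeURIComponent(lang)}`, 'Path=/'];
  if (isServedOverHttps(req, settings)) attrs.push('Secure');
  return attrs.join('; ');
}

// For "express_sid" the decision is delegated to express-session:
// cookie.secure = 'auto' sets the flag from req.secure, and `proxy: true`
// lets the library derive req.secure from X-Forwarded-Proto (otherwise it
// falls back to the app's own "trust proxy" setting).
function sessionOptions(settings) {
  return {
    name: 'express_sid',
    secret: settings.sessionKey,
    resave: false,
    saveUninitialized: false,
    proxy: Boolean(settings.trustProxy),
    cookie: { secure: 'auto' },
  };
}

// Constructed requests to show the behaviour when run stand-alone.
const behindProxy = { trustProxy: true, sessionKey: 'constructed-example-key' };
const plainNode = { trustProxy: false, sessionKey: 'constructed-example-key' };
const tlsRequest = { headers: { 'x-forwarded-proto': 'https' } };

console.log(languageCookieHeader('en-gb', tlsRequest, behindProxy)); // Secure attribute present
console.log(languageCookieHeader('en-gb', tlsRequest, plainNode));   // header ignored, no Secure
console.log(sessionOptions(behindProxy));
```

Note the asymmetry the commit message relies on: with `trustProxy` left at false behind an SSL-terminating proxy, both cookies are issued without Secure even though the user's browser connection is HTTPS, which is exactly the misconfiguration the settings.json instruction is meant to prevent.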
muxator
b82816c774
express: reformat session configuration in preparation for the next commit
...
No functional changes.
2019-12-07 04:22:54 +01:00
muxator
9d815c58b8
deprecations: get rid of DEP0005 about Buffer()
...
Similar code still lives in some dependent libraries.
It will be updated when upgrading the dependencies.
Fixes #3446
2018-08-14 19:45:03 +02:00
John McLear
fa83de778c
Password check fix
2018-04-07 10:31:47 +01:00
Peter 'Pita' Martischka
6d5dc93dbf
merged
2018-04-07 10:23:49 +01:00
thomas
ffe24c3dd9
Update webaccess.js
2018-04-06 22:21:33 +02:00
John McLear
8767410a36
be more strict on password check
2018-03-23 19:21:52 +00:00
Avery Pennarun
e0582797f2
Call authentication hooks before default basic authentication.
...
This allows authenticators to do any extra session setup for a given user,
even if their username/password happens to match settings.json.
2017-12-31 12:32:50 +00:00
Sjoerd Langkemper
21a6e66e25
Remove deprecated comment
...
The session key is currently stored in SESSIONKEY.txt, so it is no longer reset
every time the server starts.
2017-01-26 09:59:09 +01:00
Stefan
009b61b338
Make express-session cookie scheme dependent
2016-07-10 12:44:45 +02:00
Stefan
4ea9c4f98d
Add secure flag to express-session cookies
2016-06-08 21:15:26 +02:00
Simon Gaeremynck
5a7750781b
Use the cookie parser middleware
2015-05-07 18:35:21 +01:00
Tom Hunkapiller
de67714cf8
fix minify route path; update deprecated calls
2015-04-10 05:52:58 -05:00
Tom Hunkapiller
d0b39c01fb
update for express 4.x
2015-04-08 23:12:11 -05:00
webzwo0i
b204aa2085
remove more dead requires.
2014-12-16 19:10:01 +01:00
John McLear
e1fa43e640
quick formatting clean up
2014-03-17 19:20:32 +00:00
Marcel Klehr
940f114a84
Record metrics with 'measured'
2013-10-27 17:42:55 +01:00
vileda
43e1af93c1
allow users to have colons in password
2013-09-10 16:00:36 +02:00
Marcel Klehr
a628317b55
Log http on debug log level
...
... and additionally log the response time
2013-03-19 18:34:21 +01:00
John McLear
efce99c3a1
session key in settings file OR generate temp key for instance
2013-02-13 21:51:09 +00:00
John McLear
5c9d081391
Begin supporting the database but still have a problem where it generates new key on restart...
2013-02-13 01:33:22 +00:00
Marcel Klehr
377ff1eade
Fix #1219: Make api work if requireAuth is enabled
2012-12-05 14:04:48 +01:00
Marcel Klehr
0c9c1f514f
Fix socket.io auth: Use connect to parse signed cookies (migrate to express v3)
2012-09-22 16:03:40 +02:00
Marcel Klehr
794c3d1afe
Set secret on cookieParser (migrate to express v3)
2012-09-22 14:05:41 +02:00
Marcel Klehr
71579d1478
Fix res.send (migrate to express v3)
2012-09-22 13:51:39 +02:00
Marcel Klehr
ff7cf991c9
Upgrade log4js to v0.5
2012-09-21 21:39:08 +02:00
Egil Moeller
b438a278a1
Make the server restart on plugin install
2012-07-03 23:31:44 +02:00
Egil Moeller
ecac40d062
Changed the authentication mechanism to support hooks
2012-04-19 16:04:03 +02:00
Egil Moeller
ac36a99a72
More general basic auth
2012-04-19 14:25:12 +02:00
Jordan Hollinger
362ef454b8
Don't block static paths with http auth
2012-04-13 05:17:48 -04:00
Matthias Bartelmeß
396b586dbd
when no password is set, don't allow access to admin page
2012-04-03 14:17:19 +02:00
Egil Moeller
e06bf0e991
Basic auth for admin page
2012-04-02 18:45:37 +02:00
Egil Moeller
1239ce7f28
The Big Renaming - etherpad is now an NPM module
2012-02-26 13:07:51 +01:00