Commit Graph

102 Commits

Author SHA1 Message Date
9490457d04 Applied StyleCI changes 2021-11-30 14:25:09 +00:00
3b3eb0f44f Updated API session auth to consider public access setting
For #3091
2021-11-30 13:55:56 +00:00
8d7c8ac8bf Done a round of phpstan fixes 2021-11-06 00:32:01 +00:00
de5322288c Applied latest styleci changes 2021-11-04 22:57:49 +00:00
f139cded78 Laravel 8 shift squash & merge (#3029)
* Temporarily moved back config path
* Apply Laravel coding style
* Shift exception handler
* Shift HTTP kernel and middleware
* Shift service providers
* Convert options array to fluent methods
* Shift to class based routes
* Shift console routes
* Ignore temporary framework files
* Shift to class based factories
* Namespace seeders
* Shift PSR-4 autoloading
* Shift config files
* Default config files
* Shift Laravel dependencies
* Shift return type of base TestCase methods
* Shift cleanup
* Applied stylci style changes
* Reverted config files location
* Applied manual changes to Laravel 8 shift

Co-authored-by: Shift <shift@laravelshift.com>
2021-10-30 21:29:59 +01:00
f77236aa38 Laravel 7.x Shift (#3011)
* Apply Laravel coding style
* Shift bindings
* Shift core files
* Shift to Throwable
* Add laravel/ui dependency
* Shift Eloquent methods
* Shift config files
* Shift Laravel dependencies
* Shift cleanup
* Shift test config and references
* Applied styleci changes
* Applied fixes post shift to laravel 7

Co-authored-by: Shift <shift@laravelshift.com>
2021-10-26 22:04:18 +01:00
a75cfd1f25 Added estonian to language logic 2021-10-25 14:49:03 +01:00
a9b3df537f Applied changes from styleci 2021-10-08 22:23:17 +01:00
41ac69adb1 Forced response cache revalidation on logged-in responses
- Prevents authenticated responses being visible when back button
  pressed in browser.
- Previously, 'no-cache, private' was added by default by Symfony which
  would have prevents proxy cache issues but this adds no-store and a
  max-age option to also invalidate all caching.

Thanks to @haxatron via huntr.dev
Ref: https://huntr.dev/bounties/6cda9df9-4987-4e1c-b48f-855b6901ef53/
2021-10-08 15:22:09 +01:00
fb80bb5d58 Applied latest styleci changes 2021-09-06 22:19:06 +01:00
492af79c27 Added a couple of additional CSP rules
As per guidance from google's CSP evaluator.
2021-09-04 14:34:43 +01:00
253f386f00 Finished off script CSP rules
- Added caching for custom html head parsing to add nonce.
- Also moved api docs page into web routes to prevent issues.
2021-09-04 13:57:04 +01:00
fd44e4ba74 Started application of CSP headers 2021-09-03 23:32:42 +01:00
8f12c8bc99 Applied styleci changes 2021-08-30 21:32:07 +01:00
2740603d99 Added back email confirmation check in middleware
During writing of the update notes, found that the upgrade path would be
tricky from a security point of view. If people were pending email
confirmation but had an active session, they could technically be
actively logged in after the next release.

Added middlware as an extra precaution for now.
2021-08-30 21:28:17 +01:00
7d9de23a25 Applied styleci patches 2021-08-28 21:51:15 +01:00
eda9e89c55 Added role permissions for exporting content 2021-08-28 21:48:17 +01:00
ce6e25b341 Added lithuanian option to locale system 2021-08-21 20:24:58 +01:00
64785ed9da Apply fixes from StyleCI 2021-08-21 14:49:40 +00:00
78e94bb003 Improved login redirect and setup experience
- Updated auth system for mfa to not update intended URL so that the
  user is not redirected to mfa setup after eventual login.
- Added notification for users setting up MFA, after setup when
  redirected back to login screen to advise that MFA setup was complete
  but they need to login again.
- Updated some bits of wording to display better.
2021-08-21 15:14:24 +01:00
39a205ed28 Quick test of email confirmation routes and fix of tests 2021-08-07 21:18:59 +01:00
70f39757b1 Updated API auth handling of email confirmations
Email confirmations are now done within the guard during auth checking
instead of at the middleware layer.
2021-08-05 22:07:08 +01:00
9b271e559f Worked on MFA setup required flow
- Restructured some of the route naming to be a little more consistent.
- Moved the routes about to be more logically in one place.
- Created a new middleware to handle the auth of people that should be
  allowed access to mfa setup routes, since these could be used by
  existing logged in users or by people needing to setup MFA on access.
- Added testing to cover MFA setup required flow.
- Added TTL and method tracking to session last-login tracking system.
2021-08-02 22:02:25 +01:00
1278fb4969 Started moving MFA and email confirmation to new login flow
Instead of being soley middleware based.
2021-07-17 18:24:50 +01:00
9249addb5c Updated all login events to route through single service 2021-07-17 17:45:00 +01:00
78f9c01519 Started on some MFA access-time checks
Discovered some difficult edge cases:
- User image loading in header bar when using local_secure storage
- 404s showing user-specific visible content due to content listing on
  404 page since user is in semi-logged in state. Maybe need to go
  through and change up how logins are handled to centralise and
  provide us better control at login time to prevent any auth level.
2021-07-16 23:23:36 +01:00
09c2814dc7 Added role based MFA control
- Added new DB column for control and role updated create/update actions.
- Created new middleware as a start to actual enforcement logic.
- Added indicator to role list of whether MFA is enforced.
2021-07-03 13:34:48 +01:00
934a833818 Apply fixes from StyleCI 2021-06-26 15:23:15 +00:00
24eef03fb9 Added croatian to required arrays/lists 2021-06-02 21:55:30 +01:00
9d37af9453 Added web-middleware based theme events 2021-03-17 12:56:56 +00:00
98a1e57ba9 Ran phpcbf and updated phpcs.xml 2021-03-07 22:24:05 +00:00
1f2fd58e28 Merge branch 'master' of git://github.com/Ereza/BookStack into Ereza-master 2021-03-07 17:25:07 +00:00
d731a4f695 Updated language lists with Bosnian, Indonesian, Latvian & Portuguese 2021-03-07 17:02:28 +00:00
7893e8229f Add Catalan translation 2021-02-04 00:55:01 +01:00
7ba6962707 Removed lesser-used middleware and updated localization middleware
So that DB/User access is not explicitly enforced.
Same for GlobalViewData middleware although that was also just doubling
up on ways to access user/auth info.
Also cleaned up Localization Middleware doc blocks.
2021-01-17 13:41:43 +00:00
e53e4f85c7 Aligned norwegian lang with others and used correct locale 2021-01-02 15:58:23 +00:00
a04a800258 Merge branch 'master' of git://github.com/Swoy/BookStack into Swoy-master 2021-01-02 15:45:18 +00:00
92922288dd Added iframe CSP, improved session cookie security
Added iframe CSP headers with configuration via .env.
Updated session cookies to be lax by default, dynamically changing to
none when iframes configured to allow third-party control.
Updated cookie security to be auto-secure if a https APP_URL is set.

Related to #2427 and #2207.
2021-01-02 02:43:50 +00:00
36daa09441 Update Localization.php in Middleware with "no" tag for estimate. 2020-10-19 12:43:41 +02:00
1f202f6dbc Updated locale lists for Bulgarian 2020-09-19 15:36:17 +01:00
ff1ee2d71f Updated flow to ensure /register/confirm route is used where needed
Was accidentally skipped during previous updates. Will now be used on
saml, ldap & standard registration where required.
Uses session to know if the email was just sent and, if so, show the
confirmation route.
2020-09-05 17:26:48 +01:00
24bad5034a Updated API auth to allow public user if given permission 2020-05-22 22:34:18 +01:00
64942268b8 Added Slovenian to available language options
Related to #1946
2020-03-14 22:24:27 +00:00
b94b945fb0 Merge branch 'master' of git://github.com/Binternet/BookStack into Binternet-master 2020-03-04 22:22:08 +00:00
34616ac195 Updated lanauge lists to match latest translations 2020-03-04 22:14:25 +00:00
e6c6de0848 Simplified guard names and rolled out guard route checks
- Included tests to cover for LDAP and SAML
- Updated wording for external auth id option.
- Updated 'assertPermissionError' test case to be usable in BrowserKitTests
2020-02-02 13:10:21 +00:00
5ff89a1abb Added danish to language arrays 2020-01-18 16:10:16 +00:00
be554b9c79 Added configurable API throttling, Handled API errors standardly 2020-01-18 15:03:28 +00:00
a8595d8aaf Fixed test class names + add perm. check to api session auth 2020-01-01 17:01:36 +00:00
a7a97a53f1 Added API listing filtering & cleaned ApiAuthenticate returns
API listing endpoint filter can be found via &filter[name]=my+book query
parameters. There are a range of operators that can be used such as
&filter[id:gte]=4
2020-01-01 16:33:47 +00:00