Commit graph

24 commits

Author SHA1 Message Date
John McLear
474918a881
feat: make cookie names configurable with prefix setting (#7450)
* feat: make cookie names configurable with prefix setting

Add cookie.prefix setting (default "ep_") that gets prepended to all
cookie names set by Etherpad. This prevents conflicts with other
applications on the same domain that use generic cookie names like
"sessionID" or "token".

Affected cookies: token, sessionID, language, prefs/prefsHttp,
express_sid.

The prefix is passed to the client via clientVars.cookiePrefix in the
bootstrap templates so it's available before the handshake. Server-side
cookie reads fall back to unprefixed names for backward compatibility
during migration.

Fixes #664

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: default cookie prefix to empty string for backward compatibility

Changing the default to "ep_" would invalidate all existing sessions
on upgrade since express-session only looks for the configured cookie
name. Default to "" (no prefix) so upgrades are non-breaking — users
opt-in to prefixed names by setting cookie.prefix in settings.json.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address Qodo review — cookie prefix migration and fallbacks

- l10n.ts: Read prefixed language cookie with fallback to unprefixed
- welcome.ts: Use cookiePrefix for token transfer reads
- timeslider.ts: Use prefix for sessionID in socket messages
- pad_cookie.ts: Fall back to unprefixed prefs cookie for migration
- indexBootstrap.js: Pass cookiePrefix via clientVars to welcome page
- specialpages.ts: Pass settings to indexBootstrap template

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: escape regex metacharacters in cookie prefix, document Vite hardcode

- l10n.ts: Escape special regex characters in cookiePrefix before using
  it in RegExp constructor to prevent runtime errors
- padViteBootstrap.js: Add comment noting the hardcoded prefix is
  dev-only and must match settings.json

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* security: validate cookie prefix to prevent header injection

Reject cookie.prefix values containing characters outside
[a-zA-Z0-9_-] to prevent HTTP header injection via crafted cookie
names (e.g., \r\n sequences). Falls back to empty prefix with an
error log.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 01:58:29 +01:00
John McLear
fd975323e0
Fix ESM/CJS interop for Settings module breaking plugin compatibility (#7421)
* Pin plugins to last-known-good versions in backend tests

Pin ep_font_size@0.4.65, ep_headings2@0.2.76, ep_markdown@10.0.1
to the versions that passed on March 31. The newer versions cause
a template crash: Cannot read properties of undefined (reading
'indexOf') at pad.html:67 in toolbar.menu().

This will help narrow down which plugin update is the culprit.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Unpin ep_markdown, 1.0.8 is latest and code-identical to 10.0.1

Only ep_font_size@0.4.65 and ep_headings2@0.2.76 remain pinned to
narrow down which plugin update causes the toolbar template crash.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Use pnpm instead of gnpm for plugin install in backend tests

gnpm ignores version pins — it reports installing the pinned version
but the plugin loader picks up the latest from its store. Switching
to pnpm for the plugin install step so version pins actually work.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Use gnpm exec pnpm for plugin install to bypass gnpm caching

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Remove ep_hash_auth from backend test plugin list

ep_hash_auth blocks unauthenticated requests, causing 28 backend tests
to get 500 Internal Server Error when accessing pads. The tests don't
provide credentials, so any auth plugin will break them.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix ESM/CJS interop for Settings module and harden toolbar

Plugins use require('ep_etherpad-lite/node/utils/Settings') (CJS) but
Settings.ts uses export default (ESM). With tsx, CJS require puts the
default export under .default, so settings.toolbar is undefined and
ep_font_size crashes with "Cannot read properties of undefined
(reading 'indexOf')" when rendering pad.html.

Two fixes:
- Settings.ts: add property getters on module.exports so CJS consumers
  can access settings properties directly
- toolbar.ts: guard against undefined buttons array to prevent crashes
  if Settings interop doesn't propagate through gnpm's plugin_packages

Tested locally: 735 passing, 0 failing with all plugins.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 11:39:40 +01:00
SamTV12345
21f0992a17
chore: added settings for darkmode and relaxed width and height of inputs (#7204)
* chore: added settings for darkmode and relaxed width and height of inputs

* chore: add explanation for showRecentPads
2025-10-29 20:29:40 +01:00
SamTV12345
b8e61b4606
chore: fixed git determination and fixed no skin css issues (#7089) 2025-08-24 22:17:18 +02:00
SamTV12345
8588d99f12
chore: migrated settings to esm6 (#7062)
* chore: migrated settings to esm6

* chore: fixed frontends

* chore: fixed missing usage of specialpages

* chore: fixed last errors for settings

* chore: fixed favicon test
2025-08-04 22:42:50 +02:00
SamTV12345
920308a627
chore: moved first files to esm (#7061)
* chore: moved first files to esm

* chore: moved first files to esm

* chore: fix read only manager
2025-08-04 19:59:28 +02:00
SamTV12345
60a40d53a7
chore: enabled dark mode (#7057) 2025-08-02 23:01:06 +02:00
SamTV12345
233b8fcc04 feat: added home button also in settings.ts as default 2025-07-28 20:02:58 +02:00
SamTV12345
40884fa96b feat: disable stats endpoint if enableMetrics is false 2025-07-27 22:22:18 +02:00
Stefan Müller
1ad9418a6f
Add code for revision cleanup (#6442)
* Add initial code for revision cleanup

* Some improvements - code cleanup

* Cleanup logging

* Add button in admin backend to cleanup revisions of a specific pad

* Disable cleanup by default and show errors in admin area

* Improve cleanup code

* Load revisions for cleanup in parallel

* Consider saved revisions during pad cleanup
2024-09-14 15:54:30 +02:00
SamTV12345
4891243c27
Added support for alternative update servers. (#6645) 2024-09-09 20:47:45 +02:00
SamTV12345
f066c6b4a8 Added support for sqlite rust backend. 2024-09-07 14:59:05 +02:00
SamTV12345
d4cbbf18e0
Added new database rustydb (#6632)
Co-authored-by: SamTv12345 <samtv12345@samtv12345.com>
2024-09-05 16:06:16 +02:00
Zuo Zongyuan
44024e8a5f
fix: correct the transport protocol check (#6576) 2024-08-12 20:07:02 +02:00
Helder Sepulveda
c8797efaf2
Adding a layoutType (#6559)
This will allow end users to change the console output to not output colors
2024-08-05 21:28:48 +02:00
SamTV12345
16c5b33549
fix: Fallback to websocket and polling when unknown(old) config is present for socket io (#6497) 2024-07-07 19:25:14 +02:00
Helder Sepulveda
0b0d882477
Increase the maxHttpBufferSize (#6409) 2024-06-01 13:17:02 +02:00
SamTV12345
63e9b2d4eb
Fixed api header authorization (#6399) 2024-05-22 21:16:19 +02:00
SamTV12345
556c3c8e5b
Readded support for apikey (#6382) 2024-05-14 22:36:16 +02:00
webzwo0i
8a76d2c680
chore: add docs how to obtain bearer token (#6328)
* chore: add docs how to obtain bearer token

* Added configurable ttl to settings

---------

Co-authored-by: SamTV12345 <40429738+samtv12345@users.noreply.github.com>
2024-04-29 17:04:00 +02:00
SamTV12345
820d728ce6 fix: Add local issuer by default. 2024-04-03 20:19:20 +02:00
SamTV12345
fb56809e55
Feat/oauth2 (#6281): Added oauth to API paths
* Added oauth provider.

* Fixed provider.

* Added auth flow.

* Fixed auth flow and added scaffolding vite config.

* Added working oauth2.

* Fixed dockerfile.

* Adapted run.sh script

* Moved api tests to oauth2.

* Updated security schemes.

* Removed api key from existance.

* Fixed installation

* Added missing issuer in config.

* Fixed dev dependencies.

* Updated lock file.
2024-03-26 17:11:24 +01:00
SamTV12345
bf7cd11b59
Added env configuration for plugins
* Added env.

* Added tree config.

* Added tree.

* Fixed settings test.

* Added test cases.
2024-03-21 18:50:02 +01:00
SamTV12345
4bd27a1c79
Moved more classes to ts. (#6179) 2024-02-22 11:36:43 +01:00
Renamed from src/node/utils/Settings.js (Browse further)