From d3e693ab462e4e5875c3e36eb2d2ea184417e94d Mon Sep 17 00:00:00 2001 From: Nick Date: Sat, 24 Aug 2019 22:19:35 -0400 Subject: [PATCH] feat: mandatory password change on login + UI fixes --- client/components/admin/admin-contribute.vue | 2 +- client/components/admin/admin-dev-flags.vue | 2 +- client/components/admin/admin-general.vue | 134 +- .../admin/admin-groups-edit-users.vue | 39 +- client/components/admin/admin-groups.vue | 2 +- client/components/admin/admin-pages-edit.vue | 6 +- client/components/admin/admin-pages.vue | 2 +- client/components/admin/admin-search.vue | 4 +- client/components/admin/admin-storage.vue | 14 +- client/components/admin/admin-system.vue | 20 +- .../components/admin/admin-users-create.vue | 3 +- client/components/admin/admin-users-edit.vue | 97 +- client/components/common/page-delete.vue | 2 +- client/components/common/user-search.vue | 6 +- client/components/login.vue | 178 +- .../admin/site/site-mutation-save-config.gql | 14 +- client/graph/admin/site/site-query-config.gql | 6 + .../graph/admin/users/users-query-single.gql | 2 + .../login/login-mutation-changepassword.gql | 13 + client/graph/login/login-mutation-login.gql | 5 +- client/graph/login/login-mutation-tfa.gql | 5 +- client/scss/pages/_error.scss | 19 +- client/themes/default/components/page.vue | 39 +- dev/templates/legacy.pug | 2 +- dev/templates/master.pug | 2 +- package.json | 109 +- server/app/data.yml | 7 + server/graph/resolvers/authentication.js | 32 +- server/graph/resolvers/site.js | 13 +- server/graph/schemas/authentication.graphql | 14 +- server/graph/schemas/site.graphql | 12 + server/graph/schemas/user.graphql | 2 + server/middlewares/security.js | 15 +- server/models/userKeys.js | 2 +- server/models/users.js | 83 +- .../authentication/local/definition.yml | 2 +- server/views/error.pug | 28 +- server/views/legacy/master.pug | 2 +- server/views/master.pug | 2 +- yarn.lock | 1591 +++++++++-------- 40 files changed, 1468 insertions(+), 1064 deletions(-) create mode 100644 client/graph/login/login-mutation-changepassword.gql diff --git a/client/components/admin/admin-contribute.vue b/client/components/admin/admin-contribute.vue index 619d8054..0ee8d968 100644 --- a/client/components/admin/admin-contribute.vue +++ b/client/components/admin/admin-contribute.vue @@ -66,7 +66,7 @@ v-tab-item(:transition='false', :reverse-transition='false') .body-1.pa-3 {{ $t('admin:contribute.tshirts') }} v-card-actions.ml-2 - v-btn(outline, :color='darkMode ? `blue lighten-1` : `primary`', href='https://wikijs.threadless.com', large) + v-btn(outlined, :color='darkMode ? `blue lighten-1` : `primary`', href='https://wikijs.threadless.com', large) v-icon(left) mdi-tshirt-crew span {{ $t('admin:contribute.shop') }} v-divider.mt-3 diff --git a/client/components/admin/admin-dev-flags.vue b/client/components/admin/admin-dev-flags.vue index ba1ef5b2..c24bf0a7 100644 --- a/client/components/admin/admin-dev-flags.vue +++ b/client/components/admin/admin-dev-flags.vue @@ -13,7 +13,7 @@ span {{$t('common:actions.apply')}} v-card.mt-3.white.grey--text.text--darken-3 - v-alert(color='red', value='true', icon='mdi-alert', dark, prominent) + v-alert(color='red', :value='true', icon='mdi-alert', dark, prominent) span Do NOT enable these flags unless you know what you're doing! .caption Doing so may result in data loss or broken installation! v-card-text diff --git a/client/components/admin/admin-general.vue b/client/components/admin/admin-general.vue index 944380d0..d7a800f4 100644 --- a/client/components/admin/admin-general.vue +++ b/client/components/admin/admin-general.vue @@ -92,14 +92,14 @@ v-flex(lg6 xs12) v-card.animated.fadeInUp.wait-p4s - v-toolbar(color='primary', dark, dense, flat) + v-toolbar(color='indigo', dark, dense, flat) v-toolbar-title.subtitle-1 Features v-spacer - v-chip(label, color='white', small).primary--text coming soon + v-chip(label, color='white', small).indigo--text coming soon v-card-text v-switch( label='Asset Image Optimization' - color='primary' + color='indigo' v-model='config.featureTinyPNG' persistent-hint hint='Image optimization tool to reduce filesize and bandwidth costs.' @@ -119,7 +119,7 @@ v-divider.mt-3 v-switch( label='Page Ratings' - color='primary' + color='indigo' v-model='config.featurePageRatings' persistent-hint hint='Allow users to rate pages.' @@ -129,7 +129,7 @@ v-divider.mt-3 v-switch( label='Page Comments' - color='primary' + color='indigo' v-model='config.featurePageComments' persistent-hint hint='Allow users to leave comments on pages.' @@ -139,13 +139,75 @@ v-divider.mt-3 v-switch( label='Personal Wikis' - color='primary' + color='indigo' v-model='config.featurePersonalWikis' persistent-hint hint='Allow users to have their own personal wiki.' disabled ) + v-card.mt-5.animated.fadeInUp.wait-p5s + v-toolbar(color='red darken-2', dark, dense, flat) + v-toolbar-title.subtitle-1 Security + v-card-text + v-alert(outlined, color='red darken-2', icon='mdi-information-outline').body-2 Make sure to understand the implications before turning on / off a security feature. + v-switch.mt-3( + label='Block IFrame Embedding' + color='red darken-2' + v-model='config.securityIframe' + persistent-hint + hint='Prevents other websites from embedding your wiki in an iframe. This provides clickjacking protection.' + ) + v-divider.mt-3 + v-switch( + label='Same Origin Referrer Policy' + color='red darken-2' + v-model='config.securityReferrerPolicy' + persistent-hint + hint='Limits the referrer header to same origin.' + ) + + v-divider.mt-3 + v-switch( + label='Enforce HSTS' + color='red darken-2' + v-model='config.securityHSTS' + persistent-hint + hint='This ensures the connection cannot be established through an insecure HTTP connection.' + ) + v-select.mt-5( + outlined + label='HSTS Max Age' + :items='hstsDurations' + v-model='config.securityHSTSDuration' + prepend-icon='mdi-subdirectory-arrow-right' + :disabled='!config.securityHSTS' + hide-details + style='max-width: 450px;' + ) + .pl-11.mt-3 + .caption Defines the duration for which the server should only deliver content through HTTPS. + .caption It's a good idea to start with small values and make sure that nothing breaks on your wiki before moving to longer values. + + v-divider.mt-3 + v-switch( + label='Enforce CSP' + color='red darken-2' + v-model='config.securityCSP' + persistent-hint + hint='Restricts scripts to pre-approved content sources.' + disabled + ) + v-textarea.mt-5( + label='CSP Directives' + outlined + v-model='config.securityCSPDirectives' + prepend-icon='mdi-subdirectory-arrow-right' + persistent-hint + hint='One directive per line.' + disabled + ) +