Commit graph

1011 commits

Author SHA1 Message Date
Andrew Nicolaou
6cbc376d6e CSRF/XSS protection (#374)
* /api endpoints only allows requests with application/json Content-Type

Otherwise sends 406 Unacceptable

* Uses CSRF token

The CSRF token is sent as the cookie 'XSRF-TOKEN' on all HTML page
requests. This token is picked up automatically by axios
and sent to the API with all requests as an 'X-XSRF-TOKEN' header.
The middleware runs on all routes and verifies that the token matches
what's stored in the session.
2017-06-26 13:58:58 -04:00
Cassie Tarakajian
4476405021 change all email links to update protocol based on node env 2017-06-26 13:48:24 -04:00
Andrew Nicolaou
1dc0c22cb7 Email verification (#369)
* Re-introduce Email Verification code

Revert "Revert "Email verification""
This reverts commit d154d8bff259350523a0f139e844db96c43d2ee1.

* Uses MJML to generate Reset Password email

* Sends Password Reset and Email Confirmation emails using MJML template

* Sends verified status along with user data

* API endpoint for resending email verification confirmation

* Displays verification status on Account page and allows resending

* Send back error string

* Passes email address through to sign/verify helper

* Uses enum-style object to set verified state

* Sends minimal info when user verifies since it can be done without login

* Provides /verify UI and sends confirmation token to API

* Better name for JWT secret token env var

* Adds mail config variables to Readme

* Encrypts email address in JWT

The JWT sent as the token in the Confirm Password URL
can be unencoded by anyone, although its signature can only
be verified by us. To ensure that no passwords are leaked,
we encrypt the email address before creating the token.

* Removes unused mail templates

* Resets verified flag when email is changed and sends another email

* Moves email confirmation functions next to each other

* Extracts random token generator to helper

* Moves email confirmation actions into Redux

- updates the AccountForm label with a message to check inbox
- show status when verifying email token

* Uses generated token stored in DB for email confirmation

* Sets email confirmation status to verified if logging in from Github

* Sends email using new method on account creation

* Fixes linting errors

* Removes replyTo config
2017-06-26 12:48:28 -04:00
Zach Rispoli
7403b2b2d6 Current sketch will stop playing if a new example is opened (issue #357) (#365)
* Current sketch will stop playing if a new example is opened (#357)

* stopSketch dispatches on route change

* Remove extra stopSketch calls
2017-06-18 17:11:23 -04:00
Cassie Tarakajian
1ae37ebaaa fix lingering linting errors 2017-06-13 16:47:36 -04:00
Zach Rispoli
396fc701c7 Fix issue with serving assets inside folders 2017-06-12 13:49:45 -04:00
Andrew Nicolaou
2e62c6b288 Find (#359)
* Styles CodeMirror Search box

* Switch to fork of search add-on

* Styles search box using custom markup

* Prev/Next search behaviour, highlighting current result

* Hide search modifiers until implemented

* Regexp search

* Style RegExp modifier button active state

* Styles search modifiers

* Wires up Case Sensitive search button

* Allows case insensitive regexp search

* Do not show underlying regexp query string when re-opening dialog

* Adds "Whole word" search

* Adds title and aria-label for tooltip and screenreaders

* Whole Word button shows correct active/inactive state

* Disables replace implementation which doesn't work

* Tidies up query parsing so it's less of a hack

- uses state to convert query text into a regexp
- avoids having to fake regexp using "/.../" syntax
- parsing is now in one place

* Uses shared metaKey function for Cmd/Ctrl key

* Adds find function to keyboard shortcuts modals

* Sets aria-checked to true/false to indicate button state

* Sets role=checkbox on checkbox-like buttons
2017-06-06 15:20:21 -04:00
Zach Rispoli
3f32ccc89c Remove comments before using loopProtect on scripts (fixes #218) (#364) 2017-06-05 22:46:19 -04:00
Zach Rispoli
c596b74b27 Sketch name is used as <title> (issue #108) (#363)
* Sketch name is used as <title> (#108)

* add newline to end of file
2017-06-05 22:37:41 -04:00
Andrew Nicolaou
313fc856d1 Fixes linting errors (#362) 2017-06-05 22:33:32 -04:00
Zach Rispoli
61afce46ed Server can serve individual assets from projects (fixes #212, fixes #219) 2017-06-01 00:08:11 -04:00
Mathura MG
82207a50d3 Accessibility (#361)
* add p5 interceptor submodule

* update package

* remove interceptor

* update interceptor;

* merge scripts

* change postinstall script

* refactor interceptor files

* remove merge conflicts

* change source files

* add registry class

* provide separate outputs for text and grid

* switch textOutput to boolean

* make both modules usable together

* update interceptor for safari

* fix grid label

* add sound output as well

* change file structure

* change constants

* change input labels

* switch submodule branch

* change variable name

* change grid to table

* remove role from table elements

* switch submodule branch
2017-05-31 15:23:30 -04:00
Cassie Tarakajian
8e1a65daed fixes #344, update sketches to by default use p5 version 0.5.10 2017-05-24 12:20:38 -04:00
Cassie Tarakajian
e6979ebed2 add step to download examples to development and production setup, #349 2017-05-24 12:08:12 -04:00
Cassie Tarakajian
5f1de43493 enable sourcemap 2017-05-18 17:41:25 -04:00
Cassie Tarakajian
7deb3745bf fix #354 2017-05-13 22:23:07 -04:00
Cassie Tarakajian
15346c9a00 more to test object copying 2017-05-13 21:46:58 -04:00
Cassie Tarakajian
dc9ad0eea9 log errors in s3 object copy 2017-05-13 21:38:48 -04:00
Cassie Tarakajian
3c6049ceef duplicate is probably less broken than it was 2017-05-13 21:17:58 -04:00
Cassie Tarakajian
517045623c fix autosave, which apparently had never worked 2017-05-13 20:47:41 -04:00
Cassie Tarakajian
acd0f60f19 fix minor styling bug on safari 2017-05-10 16:12:24 -04:00
Cassie Tarakajian
66833d22b6 fix #351, increase limit for body-parser 2017-05-10 15:07:40 -04:00
Cassie Tarakajian
341ea63437 forgot to commit a file for fix to #347 2017-05-10 13:23:10 -04:00
Cassie Tarakajian
19d6aa230d fix #347 2017-05-10 13:19:46 -04:00
Kevin Dodge
6518bf14bf Fix typo in preview version/bug reporting announcement (space needed between 'bugs' and 'here'). (#345) 2017-05-03 11:57:33 -04:00
Andrew Nicolaou
ae668f681e HTTPS UI switch (#335)
* Checkbox to toggle project's serveSecure flag

This doesn't yet persist or reload the page.

* Help button that shows modal to explain feature

* Extracts protocol redirection to helper

* Returns promise from saveProject() action to allow chaining

* Setting serveSecure flag on project redirects after saving project

* Set serveSecure on Project model in API and client

* Redirect to correct protocol when project is loaded
2017-05-03 11:46:12 -04:00
Cassie Tarakajian
32d3f7a76c allow file names to change case of file extension 2017-04-27 13:08:20 -04:00
Andrew Nicolaou
a267837fb7 Persists Redux store to/from sessionStorage (#334)
* Persists Redux store when reloading app for login

* Disable confirmation box when leaving page for login

* Removes extra console.warn

* Sets serveSecure: true for new projects if served over HTTPS

* Clears persisted state on IDEView load

Because when a sketch is created on HTTPS and then the user logs in
the page won't be reloaded

* Appends ?source=<protocol> to URL to track return protocol
2017-04-20 14:05:15 -04:00
Cassie Tarakajian
a4a1a36f02 #330 add google analytics 2017-04-13 14:49:45 -04:00
Cassie Tarakajian
2a9ea85ed8 #339 add region to .env 2017-04-13 14:39:03 -04:00
Cassie Tarakajian
40b3e26f24 #339 make duplication backwards compatible with old s3 links 2017-04-13 14:17:30 -04:00
Cassie Tarakajian
94694c5a72 start to fix editing permissions for the sidebar 2017-04-13 13:41:03 -04:00
Andrew Nicolaou
7be45ce875 Search for existing user account using Github emails (#337)
* Tries to match user account from list of emails in Github API

Requests the 'user:email' scope from Github which returns the private
emails associated with the user's account.

* Centres GitHub button in layout
2017-04-13 12:04:10 -04:00
Anderson
4f531c14f4 Update README.md (#338) 2017-04-11 19:55:05 -04:00
Cassie Tarakajian
6ce8515cf3 update pm2 to use clustering mode 2017-04-07 00:01:58 -04:00
Cassie Tarakajian
99152f6e37 handle case for #169 where project does not yet have an owner 2017-04-06 16:22:34 -04:00
Cassie Tarakajian
aaa5e868e2 make initial changes for #169--need to migrate the locations of a user's s3 files to be namespaced under their userid 2017-04-06 14:34:14 -04:00
Cassie Tarakajian
23560c7879 delete file from s3 if data environment variable is undefined 2017-04-05 23:23:38 -04:00
Cassie Tarakajian
8392acdf3f delete files based on S3, with a date to be backwards compatible 2017-04-05 23:23:38 -04:00
Cassie Tarakajian
75b49d10a9 add function to delete file from s3 2017-04-05 23:23:38 -04:00
Cassie Tarakajian
ed540f4275 don't duplicate file if it isn't hosted on S3 2017-04-05 23:23:38 -04:00
Cassie Tarakajian
fa04054d28 duplicating files works 2017-04-05 23:23:38 -04:00
Cassie Tarakajian
f01a58353b initial commit to cloning files on S3, untested 2017-04-05 23:23:37 -04:00
JunShern
8e82fe96c3 Set Ctrl+Enter shortcuts to null, don't generate newlines (#333) 2017-04-05 21:50:44 -04:00
JunShern
bece2292fb Fix broken Markdown formatting (#332) 2017-04-05 21:50:17 -04:00
Cassie Tarakajian
67e4669605 fix nav styling 2017-03-30 13:22:23 -04:00
Andrew Nicolaou
69acd3c12c Server should respond to account page request (#327) 2017-03-30 12:37:48 -04:00
Andrew Nicolaou
dc801ccf7f Force HTTPS redirection for log in and sign up (#319)
* Higher-order component to force some routes to HTTPS

* Force all user-management routes to HTTPS

* Redirect to sourceProtocol as route unmounts.

By default, no redirection occurs if sourceProtocol is not explicitly
defined.

* Sets serveSecure flag on new projects and uses after forcing protocol

The flag is set to `false` on all projects and as the UI has no way to
change this, it always redirects to HTTP after a signup/login action.

* Move HoC to be with other top-level components

* Server should respond to account page request

* Serves AccountView over HTTPS

* Turns HTTPS redirection off in development by default

Will log to the browser console any redirection that would
have happened. Added a line in the README about how to
enable this for testing in development.
2017-03-30 12:36:26 -04:00
Cassie Tarakajian
608ebbf917 add link to local ssl proxy gist in readme 2017-03-23 14:56:45 -04:00
Andrew Nicolaou
a1121e2e6b Enable CORS for all origins and requests on API (#324)
* Enable CORS for all origins and requests on API

* Whitelist CORS origins: *.p5js.org in production and also localhost in development
2017-03-23 14:53:16 -04:00