Commit Graph

454 Commits

Author SHA1 Message Date
Sam Atkins
062e23b5c9 fix: Correct APIError imports
APIError is the only thing exported from its file, so we must not wrap
it in {}.
2024-05-15 17:47:15 +01:00
Sam Atkins
a8160a8cdc fix: Add missing file extension to 0009_app-prefix-fix.sql in DB init 2024-05-15 10:18:28 +01:00
KernelDeimos
0b093dd57e Revoke other sessions when password is changed 2024-05-14 19:40:57 -04:00
KernelDeimos
923d5878c3 Prevent enable of 2FA without configure 2024-05-14 17:33:14 -04:00
Sam Atkins
4ef3e53de3 fix(Terminal): Accept input from Chrome on Android
Xterm.js produces two kinds of events: onKey and onData. On a desktop,
these are effectively the same, but on mobile, IME inputs produce data
but not key presses. By listening to onData instead of onKey, we get
that input.

With some experimentation, I also found that we don't need the code to
handle enter, home, end, or Ctrl-Shift-V. All of these function as
expected without that code, so we can remove it and simplify this
further. :^)
2024-05-14 16:10:30 +01:00
Sam Atkins
2656b47640 chore: Update xterm
From version 5.4.0 onwards, xterm scopes its package names as
`@xterm/foo` instead of just `xterm-foo`.

We currently have a copy of xterm.css which we use instead of directly
including the one from the `@xterm/xterm` package, so I've updated the
contents of that too.
2024-05-14 16:10:30 +01:00
Sam Atkins
fafbc292ca Remove xterm dependency from Phoenix
This is used by Terminal, not Phoenix.
2024-05-14 16:10:30 +01:00
KernelDeimos
800aef1942 Implement anti-CSRF for logout 2024-05-13 20:40:27 -04:00
KernelDeimos
da7f73baa6 Add AntiCSRFService 2024-05-13 19:08:51 -04:00
KernelDeimos
afb9d866b5 fix: Fix phoenix app prefix and TokenService test 2024-05-13 18:17:39 -04:00
KernelDeimos
c2f1694107 Require password entry to disable 2FA 2024-05-13 16:00:07 -04:00
KernelDeimos
23215bd6f7 Move change_email/start to password-protected endpoint 2024-05-13 16:00:07 -04:00
KernelDeimos
1493cacb69 Add rate-limiting to new password change endpoint 2024-05-13 16:00:07 -04:00
KernelDeimos
9076fddc0d Add new password change endpoint 2024-05-13 16:00:07 -04:00
KernelDeimos
a89c9d59cf Add UserProtectedEndpointsService 2024-05-13 16:00:07 -04:00
KernelDeimos
15dec21118 doc(backend): Document the boot sequence
Now that the boot sequence is better formalized it may be documented.
2024-05-13 16:00:07 -04:00
KernelDeimos
d800b12569 refactor(backend): Trigger webserver events in webserver
We were triggering webserver events in Kernel. This change improves
adherence to separation-of-concerns and ensures event cascading is
working as expected. This also better formalizes the boot sequence.
2024-05-13 01:05:49 -04:00
Eric Dubé
3992fe1a45
Merge pull request #384 from AtkinsSJ/progress-dialogs
refactor: Replace several existing progress dialogs with one configurable one
2024-05-10 12:25:32 -04:00
Eric Dubé
17e08cafce
Merge pull request #380 from AtkinsSJ/eslint-ci
Run ESLint on CI
2024-05-10 12:24:31 -04:00
KernelDeimos
cd2daa1910 Require email verification for contact form 2024-05-09 19:40:34 -04:00
KernelDeimos
8b6bbe003d fix(security) Disable 2FA configure if 2FA is enabled 2024-05-09 18:04:58 -04:00
Sam Atkins
f3269693de Stop dumping binary data to the console
This was freaking out and freezing the Puter server, and my entire
terminal app. XD
2024-05-09 18:28:39 +01:00
KernelDeimos
df24c663df Invalidate email confirmation on password change 2024-05-08 22:28:41 -04:00
KernelDeimos
45e7f162a2 Add password change notification 2024-05-08 16:01:20 -04:00
Sam Atkins
8c70efa058 Suppress remaining eslint errors
These two seem like bugs but are unclear to me how to fix, so I've added
FIXMEs.

/puter/packages/backend/src/routers/kvstore/clearItems.js
  41:32  error  'DB_MODE_WRITE' is not defined  no-undef

/puter/packages/backend/src/routers/whoami.js
  104:35  error  'db' is not defined  no-undef
2024-05-08 18:53:36 +01:00
KernelDeimos
5890b7e7bf Disable password reset token when email or password is changed 2024-05-07 20:18:11 -04:00
KernelDeimos
d20249f29a Send email notifications when 2FA state changes 2024-05-06 21:13:00 -04:00
KernelDeimos
7f3e2852c6 Add rate limits 2024-05-06 16:12:54 -04:00
KernelDeimos
7fce223a6d Fix OTP test endpoint 2024-05-06 15:40:34 -04:00
KernelDeimos
a628358c9f Fix OTP time window 2024-05-06 15:02:14 -04:00
KernelDeimos
918eb3bb67 Put otpauth back on 9.2.4 2024-05-06 02:10:22 -04:00
KernelDeimos
ecae1997aa Maybe this?? 2024-05-06 01:58:55 -04:00
KernelDeimos
e4c7caa8ea Worth a try 2024-05-06 01:54:02 -04:00
KernelDeimos
00c8ece07e Finish recovery codes 2024-05-06 00:02:46 -04:00
KernelDeimos
5cbe256120 Add missing part of previous commit 2024-05-06 00:02:46 -04:00
KernelDeimos
a2a8f9de74 Fix cache state 2024-05-06 00:02:46 -04:00
KernelDeimos
3e380ba844 Add otp test endpoint and next wizard step 2024-05-06 00:02:46 -04:00
KernelDeimos
2681a78501 Use username as otp label 2024-05-06 00:02:46 -04:00
KernelDeimos
3bf7737790 Add recovery codes 2024-05-06 00:02:46 -04:00
KernelDeimos
455d3946d6 Add checkboxes and cancel action for 2FA setup 2024-05-06 00:02:46 -04:00
KernelDeimos
2dfecb5287 Add 2fa setting and complete login flow 2024-05-06 00:02:46 -04:00
KernelDeimos
d7c5c37cf8 Implement backend for 2FA 2024-05-06 00:02:46 -04:00
KernelDeimos
038373cbbc Fix filename inconsistency that breaks Linux support 2024-05-06 00:02:33 -04:00
Didi Keke
4d30740198 fix: typographical errors 🐛 2024-05-05 08:34:50 +00:00
Didi Keke
551121524c refactor: name from SelfhostedModule to SelfHostedModule 🔨 2024-05-05 07:53:55 +00:00
KernelDeimos
a86106c0c1 Fix save_account token 2024-05-04 14:19:09 -04:00
Eric Dubé
4d0e6b4772
Merge pull request #336 from AtkinsSJ/app-tab-completion
Phoenix: Add tab-completion for command names
2024-05-03 12:39:07 -04:00
Sam Atkins
44aa4f1b0a chore: Remove debugger calls
/puter/packages/phoenix/src/ansi-shell/arg-parsers/simple-parser.js
  30:38  warning  Unexpected 'debugger' statement  no-debugger

/puter/packages/phoenix/src/ansi-shell/pipeline/Coupler.js
  71:32  warning  Unexpected 'debugger' statement  no-debugger
2024-05-02 17:41:14 +01:00
Sam Atkins
fa7c6bee96 fix: Correct variables used in errors in sign.js
I couldn't figure out how to get a name for the no_suitable_app error
unfortunately, so that's just commented out.

/puter/packages/backend/src/routers/sign.js
   65:74  error  'subject' is not defined  no-undef
  114:59  error  'subject' is not defined  no-undef
2024-05-02 17:39:01 +01:00
Sam Atkins
fa3b86fa7e chore: Amend empty blocks in upload.js
/puter/packages/puter-js/src/modules/FileSystem/operations/upload.js
   63:22  error  Empty block statement  no-empty
  173:22  error  Empty block statement  no-empty
2024-05-02 17:31:17 +01:00
Sam Atkins
52d5299374 fix: Use correct variable for version number
/puter/packages/backend/src/services/ComplainAboutVersionsService.js
  30:36  error  'current_version' is not defined  no-undef
2024-05-02 17:30:53 +01:00
Sam Atkins
8d4a1e0ed3 fix: Add missing TextEncoder to PTT
Solves this eslint issue:

/puter/packages/terminal/src/pty/PTT.js
  35:29  error  'encoder' is not defined  no-undef
2024-05-02 11:21:50 +01:00
Sam Atkins
ca65ed1258 chore: Use this to refer to itemWatchCallbackFunctions field
Solves these eslint issues:

/puter/packages/puter-js/src/modules/UI.js
  418:20  error  'itemWatchCallbackFunctions' is not defined  no-undef
  418:74  error  'itemWatchCallbackFunctions' is not defined  no-undef
  419:21  error  'itemWatchCallbackFunctions' is not defined  no-undef
2024-05-02 11:21:50 +01:00
Sam Atkins
33785b3786 chore: Add missing imports for node:process 2024-05-02 11:21:50 +01:00
Sam Atkins
96e9c154bd chore: Fix a couple of regex related eslint issues
/puter/packages/phoenix/src/puter-shell/providers/ScriptCommandProvider.js
  27:38  error  Unnecessary escape character: \/  no-useless-escape

/puter/packages/phoenix/src/util/wrap-text.js
  24:33  error  Unexpected control character(s) in regular expression: \x1b  no-control-regex
2024-05-02 11:21:50 +01:00
Sam Atkins
c8a20cadbf fix: Correct grep output when asking for line numbers
A couple of issues here:
- We didn't pass the line number to do_grep_line() so `i` was undefined
- Operator precedence messed with the ternary so when line numbers were
  requested, the line wouldn't be output.

Found thanks to this now-solved eslint issue:

/puter/packages/phoenix/src/puter-shell/coreutils/grep.js
  100:60  error  'i' is not defined  no-undef
2024-05-02 11:21:50 +01:00
Sam Atkins
71f8afab9a chore: Adjust comment for eslint
This was confusing its fallthrough detection:

/puter/packages/phoenix/src/puter-shell/coreutils/date.js
  132:21  error  Expected a 'break' statement before 'case'  no-fallthrough
2024-05-02 11:21:50 +01:00
Sam Atkins
6ad8f5e06a fix: Parse octal echo escapes
Found by this eslint issue:

/puter/packages/phoenix/src/puter-shell/coreutils/coreutil_lib/echo_escapes.js
  107:59  error  'hexchars' is not defined  no-undef
2024-05-02 11:21:50 +01:00
Sam Atkins
50d75cd2f9 refactor: Make loop condition non-constant
Resolves this eslint issue:

/puter/packages/phoenix/src/ansi-shell/readline/readline.js
  154:33  error  Unexpected constant condition  no-constant-condition
2024-05-02 11:21:50 +01:00
Sam Atkins
6d895dff42 chore: Remove empty block statement
Resolves this eslint issue:

/puter/packages/phoenix/src/ansi-shell/parsing/PuterShellParser.js
  25:9  error  Empty block statement  no-empty
2024-05-02 11:21:50 +01:00
Sam Atkins
d4c2b492ef fix: Correct inverted instanceof check in SignalReader.read()
Also make tmp_value non-const because it gets modified later.

Solves these eslint issues:

/puter/packages/phoenix/src/ansi-shell/ioutil/SignalReader.js
  45:14  error  Unexpected negating the left operand of 'instanceof' operator  no-unsafe-negation
  46:13  error  'tmp_value' is constant                                        no-const-assign
2024-05-02 11:21:50 +01:00
Sam Atkins
64c886bfeb chore: Clarify setter to not return a value
Solves this eslint issue:

/puter/packages/phoenix/src/ansi-shell/ANSIShell.js
  86:23  error  Setter cannot return a value  no-setter-return
2024-05-02 11:21:50 +01:00
Sam Atkins
2094e05a2e chore: Comment out unreachable code in ExpectationService
The `return` looks temporary but I don't know this code well enough.

Solves this eslint issue:

/puter/packages/backend/src/services/runtime-analysis/ExpectationService.js
  94:9  error  Unreachable code  no-unreachable
2024-05-02 11:21:50 +01:00
Sam Atkins
0df0de6507 chore: Define def() and defv() using const
Fixes these eslint issues:

/puter/packages/backend/src/services/auth/TokenService.js
   3:1   error  'def' is not defined   no-undef
  18:1   error  'defv' is not defined  no-undef
  61:11  error  'def' is not defined   no-undef
  69:21  error  'defv' is not defined  no-undef
2024-05-02 11:21:50 +01:00
Sam Atkins
01ab6b88ea chore: Remove unused uses of uuid_user in save_account.js
The variable doesn't exist, and we never use it after this. Seems like a
copy-paste error.

Solves these eslint errors:

/puter/packages/backend/src/routers/save_account.js
  90:9   error  'uuid_user' is not defined  no-undef
  91:9   error  'uuid_user' is not defined  no-undef
  91:21  error  'uuid_user' is not defined  no-undef
2024-05-02 11:21:50 +01:00
Sam Atkins
9b3dd6b753 chore: Fix eslint issues in backend util
/puter/packages/backend/src/util/stdioutil.js
  26:24  error  Unexpected control character(s) in regular expression: \x1b  no-control-regex

/puter/packages/backend/src/util/streamutil.js
  368:1  error  'string_to_stream' is not defined  no-undef
  463:5  error  'string_to_stream' is not defined  no-undef

/puter/packages/backend/src/util/strutil.js
  42:1  error  'format_as_usd' is not defined  no-undef
  56:5  error  'format_as_usd' is not defined  no-undef
2024-05-02 11:21:50 +01:00
Sam Atkins
60523dc7a7 chore: Fix some eslint issues in services
/puter/packages/backend/src/services/ContextInitService.js
  57:18  error  'async_factory' is not defined  no-undef

/puter/packages/backend/src/services/StorageService.js
  22:5  error  Expected to call 'super()'  constructor-super

/puter/packages/backend/src/services/WebServerService.js
  258:35  error  'services' is not defined  no-undef

/puter/packages/backend/src/services/auth/AuthService.js
  52:13  error  Unreachable code  no-unreachable

/puter/packages/backend/src/services/drivers/implementations/BaseImplementation.js
   64:25  error  'services' is not defined  no-undef
   75:39  error  'services' is not defined  no-undef
  117:39  error  'services' is not defined  no-undef
  123:42  error  'services' is not defined  no-undef
  149:42  error  'services' is not defined  no-undef
  168:38  error  'services' is not defined  no-undef

/puter/packages/backend/src/services/drivers/implementations/PuterDriverProxy.js
  43:5  error  Expected to call 'super()'              constructor-super
  44:9  error  'this' is not allowed before 'super()'  no-this-before-super

/puter/packages/backend/src/services/drivers/meta/Construct.js
  125:9  error  Unreachable code  no-unreachable

/puter/packages/backend/src/services/runtime-analysis/PagerService.js
  49:41  error  'util' is not defined  no-undef
2024-05-02 11:21:50 +01:00
Sam Atkins
ca3f9a823d chore: Fix some eslint issues in routers
/puter/packages/backend/src/routers/open_item.js
  48:10  error  Unexpected negating the left operand of 'instanceof' operator  no-unsafe-negation

/puter/packages/backend/src/routers/save_account.js
  106:34  error  'get_user' is not defined   no-undef

/puter/packages/backend/src/routers/sign.js
  37:10  error  Unexpected negating the left operand of 'instanceof' operator  no-unsafe-negation
2024-05-02 11:21:50 +01:00
Sam Atkins
0c0846eef9 chore: Fix some backend router eslint issues
/puter/packages/backend/src/routers/auth/list-permissions.js
  36:15  error  'APIError' is not defined  no-undef

/puter/packages/backend/src/routers/auth/list-sessions.js
  17:15  error  'APIError' is not defined  no-undef

/puter/packages/backend/src/routers/auth/revoke-user-app.js
  34:15  error  'APIError' is not defined  no-undef
  43:15  error  'APIError' is not defined  no-undef

/puter/packages/backend/src/routers/delete-site.js
  43:11  error  Unexpected empty object pattern  no-empty-pattern

/puter/packages/backend/src/routers/drivers/usage.js
  146:11  error  'k' is not defined  no-undef
  147:21  error  'k' is not defined  no-undef
  147:52  error  'k' is not defined  no-undef

/puter/packages/backend/src/routers/drivers/xd.js
  68:5  error  'window' is not defined  no-undef
  69:21  error  Parsing error: The keyword 'interface' is reserved

/puter/packages/backend/src/routers/filesystem_api/batch/all.js
   51:21  error  'get_app' is not defined       no-undef
  224:13  error  Unexpected constant condition  no-constant-condition

/puter/packages/backend/src/routers/filesystem_api/copy.js
   70:10  error  Unexpected constant condition  no-constant-condition
  106:13  error  Duplicate key 'new_name'       no-dupe-keys

/puter/packages/backend/src/routers/filesystem_api/read.js
  80:5  error  Unreachable code  no-unreachable

/puter/packages/backend/src/routers/filesystem_api/token-read.js
   53:9  error  Unreachable code  no-unreachable
   58:9  error  Unreachable code  no-unreachable
  104:5  error  Unreachable code  no-unreachable

/puter/packages/backend/src/routers/hosting/puter-site.js
  65:21  error  Unexpected constant nullishness on the left-hand side of a `??` expression  no-constant-binary-expression
2024-05-02 11:21:50 +01:00
Sam Atkins
b4af28a91b chore: Miscellaneous eslint fixes
/puter/packages/backend/src/om/entitystorage/ValidationES.js
  89:25  error  Do not assign to the exception parameter  no-ex-assign

/puter/packages/backend/src/om/proptypes/__all__.js
  166:17  warning  Unexpected 'debugger' statement  no-debugger

/puter/packages/backend/src/routers/_default.js
  405:31  error  'err' is not defined  no-undef
2024-05-02 11:21:50 +01:00
Sam Atkins
4879ee93bf chore: Fix eslint errors in backend/src/helpers.js
/puter/packages/backend/src/helpers.js
   682:9   error  'sharing_users' is not defined     no-undef
   689:12  error  'sharing_users' is not defined     no-undef
   690:28  error  'sharing_users' is not defined     no-undef
   695:28  error  'sharing_users' is not defined     no-undef
   720:9   error  'shared_fsentries' is not defined  no-undef
   733:12  error  'shared_fsentries' is not defined  no-undef
   734:28  error  'shared_fsentries' is not defined  no-undef
   735:17  error  'shared_fsentries' is not defined  no-undef
   735:58  error  'shared_fsentries' is not defined  no-undef
   736:31  error  'shared_fsentries' is not defined  no-undef
   900:57  error  'e' is not defined                 no-undef
  1849:18  error  Empty block statement              no-empty
2024-05-02 11:21:50 +01:00
Sam Atkins
8ab1cd0ca8 chore: Remove unused 'connective' source files 2024-05-02 11:21:50 +01:00
Sam Atkins
11f3e29604 chore: Disable eslint checks on puter-js tests
These currently work in a way that's different from what eslint expects,
so disable it. At some point it would be good if it could check them
(and if the tests could run on CI) but right now they just make a lot of
noise.
2024-05-02 11:21:50 +01:00
Sam Atkins
8cf6379de3 chore: Correct eslint errors in backend filesystem
Removes or disables the following eslint errors/warnings:

/puter/packages/backend/src/api/filesystem/FlagParam.js
  33:19  error  'APIError' is not defined  no-undef
  47:19  error  'APIError' is not defined  no-undef
  58:15  error  'APIError' is not defined  no-undef

/puter/packages/backend/src/api/filesystem/StringParam.js
  32:19  error  'APIError' is not defined  no-undef
  39:13  error  'APIError' is not defined  no-undef
  46:19  error  'APIError' is not defined  no-undef

/puter/packages/backend/src/filesystem/FilesystemService.js
  141:17  warning  Unexpected 'debugger' statement  no-debugger
  366:21  error    'services' is not defined        no-undef

/puter/packages/backend/src/filesystem/batch/BatchExecutor.js
  121:21  error  Do not assign to the exception parameter  no-ex-assign

/puter/packages/backend/src/filesystem/hl_operations/hl_data_read.js
  44:19  error  'APIError' is not defined     no-undef
  47:22  error  'chkperm' is not defined      no-undef
  48:19  error  'APIError' is not defined     no-undef
  51:29  error  'LLRead' is not defined       no-undef
  54:13  error  'version_id' is not defined   no-undef
  88:35  error  'PassThrough' is not defined  no-undef

/puter/packages/backend/src/filesystem/hl_operations/hl_mkdir.js
  68:49  error  'fs' is not defined  no-undef

/puter/packages/backend/src/filesystem/hl_operations/hl_move.js
  102:33  error  'get_user' is not defined  no-undef
  104:35  error  'get_user' is not defined  no-undef
  110:33  error  'df' is not defined        no-undef

/puter/packages/backend/src/filesystem/hl_operations/hl_read.js
  54:13  error  'stream' is constant  no-const-assign

/puter/packages/backend/src/filesystem/hl_operations/hl_stat.js
  40:37  error  'APIError' is not defined  no-undef

/puter/packages/backend/src/filesystem/lib/PuterPath.js
  67:5  error  Expected to return a value in getter 'hasRelativePortion'  getter-return

/puter/packages/backend/src/filesystem/ll_operations/ll_copy_idea.js
   53:21  error  'UploadProgressTracker' is not defined   no-undef
   73:17  error  'PuterS3StorageStrategy' is not defined  no-undef
  137:22  error  'LLFilesystemOperation' is not defined   no-undef

/puter/packages/backend/src/filesystem/ll_operations/ll_read.js
  102:65  error  'offset' is not defined  no-undef
  102:73  error  'offset' is not defined  no-undef
  102:80  error  'length' is not defined  no-undef

/puter/packages/backend/src/filesystem/ll_operations/ll_rmnode.js
  43:23  error  'APIError' is not defined  no-undef

/puter/packages/backend/src/filesystem/storage/SystemFSEntryService.js
  101:26  error  '_path' is not defined  no-undef

/puter/packages/backend/src/filesystem/validation.js
  27:29  error  Unexpected control character(s) in regular expression: \x00, \x1f  no-control-regex
  28:29  error  Unexpected control character(s) in regular expression: \x00, \x1f  no-control-regex
  28:31  error  Unnecessary escape character: \/                                   no-useless-escape
2024-05-02 11:21:50 +01:00
KernelDeimos
8e6ee9ea79 Fix oversight in token compression 2024-04-29 22:48:10 -04:00
KernelDeimos
e7e7363fa7 Drop useless header 2024-04-29 22:34:19 -04:00
KernelDeimos
5a76bad28d fix: reduce token lengths 2024-04-29 21:46:02 -04:00
KernelDeimos
c1e4eeec32 Add TokenService and test utility 2024-04-29 21:11:31 -04:00
KernelDeimos
04432df554 feat: improve password recovery experience 2024-04-29 19:26:29 -04:00
KernelDeimos
c44028f413 refactor: normalize email calls 2024-04-29 17:34:24 -04:00
Nariman Jelveh
42d85abfc2 Update WebServerService.js 2024-04-27 19:10:10 -07:00
Nariman Jelveh
fd4e2f59dc Update WebServerService.js 2024-04-27 19:03:48 -07:00
Nariman Jelveh
053728a03f Validate the Host header before responding to requests 2024-04-27 18:52:01 -07:00
KernelDeimos
d7d6ff0cca Rate limit updates 2024-04-26 21:02:01 -04:00
KernelDeimos
79d6f64451 Notify old email when email change is initiated 2024-04-26 21:02:01 -04:00
Eric Dubé
2ee00ca8e6
Revert "fix(security): Prevent email enumeration" (#351) 2024-04-26 18:22:14 -04:00
Nariman Jelveh
378b87459a Add robust hostname comparison for when declaring an environment as GUI 2024-04-25 17:51:20 -07:00
KernelDeimos
ecec8bf75d Use pread for signup page 2024-04-25 19:44:06 -04:00
KernelDeimos
736ebb6f28 Improve server health service 2024-04-25 19:39:18 -04:00
Nariman Jelveh
928dd90f61
Merge pull request #346 from youngsiiimba/main
fix(security): Prevent email enumeration
2024-04-25 14:59:56 -07:00
KernelDeimos
eb166a67a9 fix(security): Fix session revocation 2024-04-25 16:19:46 -04:00
Nariman Jelveh
c4b2d9861f Clean up some of the unnecessary console warnings 2024-04-25 13:11:11 -07:00
Simba Chawanda
ed70314686 fix(security): Prevent email enumeration 2024-04-25 09:27:37 +02:00
KernelDeimos
7800ef6102 fix(security): skip cache when checking old passwd 2024-04-24 22:28:27 -04:00
Nariman Jelveh
25eea41f60 Keep track of app_instance_ids 2024-04-24 17:57:30 -07:00
KernelDeimos
74e9270d58 Fix 2024-04-24 16:16:31 -04:00
KernelDeimos
b2e72adba9 Add ratelimit for /confirm-email 2024-04-24 16:12:09 -04:00
KernelDeimos
1eac147918 Add ratelimit for /contactUs 2024-04-24 16:09:04 -04:00
スーチ・ファトマワティ
3f6f4bb4c0
fix(security): update follow-redirects
When using axios, its dependency follow-redirects only clears authorization header during cross-domain redirect, but allows the proxy-authentication header which contains credentials too.

## Steps To Reproduce & PoC
```js
const axios = require('axios');

axios.get('http://127.0.0.1:10081/', {
 headers: {
 'AuThorization': 'Rear Test',
 'ProXy-AuthoriZation': 'Rear Test',
 'coOkie': 't=1'
 }
})
 .then((response) => {
 console.log(response);
 })
```
When I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but proxy-authentication header is kept.

```diff
- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
```
CWE-200
`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N`
CVE-2024-28849
2024-04-24 15:23:47 -04:00
Sam Atkins
a8d1d3b87a
docs: Add help text to dcall utility (#335) 2024-04-24 15:21:31 -04:00
Nariman Jelveh
cdd0231a76 translation fix 2024-04-24 12:06:05 -07:00
Sam Atkins
cf0eee1fa3 feat: Add command names to phoenix tab-completion
Gives CommandProviders a `complete(query, {ctx})` method where they can provide completed command names, and then make use of this in CommandCompleter.

Supported CommandProvider sources:
- Shell built-ins (was supported previously)
- PATH executables (when running under Node)
- Puter app names (when running in Puter)

Script filenames are not yet supported.
2024-04-24 15:08:54 +01:00
Sam Atkins
dc5b010d09 feat: Allow querying puter-apps driver by partial app names 2024-04-24 15:08:54 +01:00
Sam Atkins
a854a0dc0a feat: Implement 'Like' predicate in entity storage
This acts like the SQL 'LIKE' keyword, allowing partial string matches.
2024-04-24 15:08:54 +01:00
Sam Atkins
d733119456 fix: Make PathCommandProvider reject queries with path separators
`../bin/foo` should only find `foo` relative to the current working
directory, not to directories in PATH.

Also switch to using the Node path library since PathCommandProvider is
Node-only, and this means getting the correct path separator and
delimiter values on Windows.
2024-04-24 11:45:21 +01:00
Sam Atkins
670673ab8d Rename FooCompleter js files to match FooCommandProvider file names 2024-04-24 11:19:25 +01:00
Nariman Jelveh
c9e8207e4b Clean up the console warninf message 2024-04-23 23:53:15 -07:00
KernelDeimos
44aac16991 Add ip rate limiting 2024-04-23 19:13:37 -04:00
KernelDeimos
65a73b5b45 Rename workspace modules to avoid confusion 2024-04-23 04:06:15 -04:00
KernelDeimos
74e213a534 fix(security): always use application/octet-stream 2024-04-22 23:54:03 -04:00
KernelDeimos
f9d561d40b docs: document purpose of scary-looking token 2024-04-22 23:48:45 -04:00
KernelDeimos
c166560ff4 feat: add /healthcheck endpoint 2024-04-22 22:02:40 -04:00
Eric Dubé
331d9e7542
feat: allow apps to add a menubar via puter.js
* Begin work on menubar and dropdowns

* Improve menubar

* Fix pointer event behavior

* Fix labels

* Fix active button

* Eliminate flicker

* Update _default.js

---------

Co-authored-by: Nariman Jelveh <n.jelveh@gmail.com>
2024-04-22 20:38:16 -04:00
Nariman Jelveh
3cba4cab1e Disable iframing of the main domain using meta tags as well 2024-04-22 14:14:20 -07:00
Nariman Jelveh
ef35a04c4a Disable iframing of the main domain 2024-04-22 14:09:32 -07:00
KernelDeimos
eee5c9e48b Cleanup 2024-04-22 16:29:12 -04:00
KernelDeimos
2f5780d1d1 Cleanup 2024-04-22 16:28:22 -04:00
KernelDeimos
a741bd5419 Make errors in /batch more preemptive 2024-04-22 04:35:01 -04:00
KernelDeimos
4d2d4a7ca3 Fix 86888h53w 2024-04-21 22:06:36 -04:00
KernelDeimos
5c1e6ab16b Fix false-positive password recovery response 2024-04-21 18:28:58 -04:00
KernelDeimos
b2f5cc11b5 Fix dbrr reference 2024-04-21 17:10:18 -04:00
Eric Dubé
dc2a620b4e
Merge pull request #304 from HeyPuter/eric/stdio-bridge/2
stdio-bridge 2
2024-04-20 19:29:15 -04:00
KernelDeimos
58b83c27f2 Remove large log 2024-04-20 07:23:32 -04:00
KernelDeimos
27553ef926 Cleanup 2024-04-19 23:35:56 -04:00
KernelDeimos
3f249fcc89 Fix pipes 2024-04-19 23:31:23 -04:00
KernelDeimos
c3654ab148 Add more streaming fixes 2024-04-19 23:24:32 -04:00
KernelDeimos
0e9e8d41d9 Fix authorizer not defined 2024-04-19 17:12:15 -04:00
Sam Atkins
2f49c1c9b0 Remove a whole load of noisy log messages
These can be added back if and when we need them, but right now, it's
hard to follow console output with all this chatter. 😅
2024-04-19 17:29:26 +01:00
Sam Atkins
072dbe8db5 Make BetterReader buffer and cancel, to fix stdin data loss
BetterReader.read_with_cancel() returns both the read promise, and a
function that can be used to cancel the read. A cancelled read is
placed back into the BetterReader's chunk buffer, to be consumed by the
next user that requests a read.

This is used by Coupler so that when the coupler is closed, its pending
read() call does not consume the next batch of input.

This fixes the problem we were having with child applications consuming
one chunk of stdin after they are closed, meaning the first key you
press after an app exits would disappear.

Co-authored-by: KernelDeimos <eric.alex.dube@gmail.com>
2024-04-19 15:52:59 +01:00
KernelDeimos
da208e23f5 Add a valve and internal pipe to commands 2024-04-19 15:52:59 +01:00
Sam Atkins
222a617c44 Phoenix: Use regular code path to run built-in apps
Now launchApp() can always be awaited, we can run built-in apps using
the same code path for other apps, and eventually have SIGINT close
them.
2024-04-19 15:52:59 +01:00
Sam Atkins
e355c77a4a Phoenix: Wait for apps to finish executing, and connect stdio to them
After launching an app, if successful, we connect stdio streams to it,
and wait for it to exit before we return to the prompt.

stdio is implemented as regular AppConnection messages:
- stdin:  `{ $: 'stdin',  data: Uint8Array }` from phoenix -> child
- stdout: `{ $: 'stdout', data: Uint8Array }` from child -> phoenix

Terminal and Phoenix now communicate with each other using the same
style, instead of 'input' and 'output' messages. This will help with
eventually running subshells.

SIGINT currently is not sent. We also suffer from the same "one more
read from stdin happens after app exits" bug that's in
PathCommandProvider where I copied the stdin code from.
2024-04-19 15:52:59 +01:00
Sam Atkins
0aa5543397 Let AppConnection know if its target app uses the Puter SDK
Apps are not required to use the Puter SDK. If they don't, then we can
still launch them, close them, and listen to their close event, but are
unable to send messages to them.
2024-04-19 15:52:59 +01:00
Eric Lighthall
4783e3eae4 Optimize console redraw by tracking widget changes
Instead of redrawing the widget area every 2 seconds, only auto redraw when the widget area has changed, reducing unecessary redraw operations.
2024-04-19 00:48:36 -07:00
Eric Dubé
4931ad3960
Merge pull request #297 from AtkinsSJ/test-minimum-version
Make tests work in Node 16.x
2024-04-18 14:41:20 -04:00
Sam Atkins
dc95f2e065 Phoenix: Support older Node versions in test harness
This brings Phoenix's minimum required version from 20.x down to 16.x.

ReadableStream.from() is deemed experimental, and requires Node 20.x
(or at least, something higher than 18.x). This was the only code that
made us require version 20.x.

ReadableStream and WritableStream are available from Node 16.5, but
require that they be explicitly imported.
2024-04-18 14:41:06 +01:00
KernelDeimos
0361ceba6c Normalize session objects to have both user_uid and user_id 2024-04-17 23:22:10 -04:00
KernelDeimos
4ecc7372f9 Fix issue with use_bundled_gui flag 2024-04-17 22:59:22 -04:00
KernelDeimos
dbcd627815 Apply various small fixes 2024-04-17 20:57:59 -04:00
Nariman Jelveh
6061c81c36 Update get-launch-apps.js 2024-04-17 17:58:11 -07:00
KernelDeimos
f0d3346ca7 Update session.last_touch always 2024-04-17 13:03:32 -04:00
KernelDeimos
e8ca6376be Avoid logging sensitive query params 2024-04-17 12:51:30 -04:00
KernelDeimos
c48c134869 Remove verbose log 2024-04-17 12:42:12 -04:00
KernelDeimos
49e334521d Update timers 2024-04-17 12:41:43 -04:00
Sam Atkins
f2e8b5ee3e Phoenix: Remove unwanted CSS includes 2024-04-17 11:05:03 +01:00
KernelDeimos
7e0c6c6470 Fix last_activity_ts 2024-04-16 19:30:30 -04:00
KernelDeimos
19c49db538 Improve sessions 2024-04-16 18:57:02 -04:00
KernelDeimos
653898b463 Report proper error when an operation is invalid 2024-04-15 22:27:03 -04:00
Eric Dubé
e4f2c4a28b
Merge pull request #280 from vineeth-vk11/#206
fixing on conflict issue in sqlite kv write
2024-04-15 17:55:52 -04:00
KernelDeimos
826ea36502 Add use_bundled_gui option 2024-04-15 17:50:44 -04:00
KernelDeimos
397819d45e Add missing endpoint /down 2024-04-15 16:38:03 -04:00
KernelDeimos
e8dc220981 This is 2.1.0 I decided 2024-04-15 15:37:13 -04:00
KernelDeimos
1c2b05d8f6 Fix phoenix for auto ports 2024-04-15 15:34:58 -04:00
KernelDeimos
f3495f3098 Fix xterm.css not loading 2024-04-15 14:46:16 -04:00
KernelDeimos
081b093e7e Add missing asset for xterm, fix SDK url 2024-04-15 14:43:15 -04:00
KernelDeimos
4d30753958 Fix more phoenix dev issues 2024-04-15 14:25:40 -04:00
KernelDeimos
c72e0cb0e0 Fix phoenix watcher 2024-04-15 14:08:50 -04:00
KernelDeimos
25f8dbf120 Add postinstall for phoenix 2024-04-15 14:02:49 -04:00
KernelDeimos
b21755b5a3 Fix casualty of phoenix due to Docker naming conventions 2024-04-15 12:12:28 -04:00
KernelDeimos
e71b586fe5 Invalidate cached user when the user's email address is changed 2024-04-14 23:50:39 -04:00
KernelDeimos
2fcac12340 Fixg 2024-04-14 23:24:47 -04:00
KernelDeimos
0847395c92 Socket 2024-04-14 23:10:23 -04:00
KernelDeimos
58192cacb3 Try again 2024-04-14 23:00:07 -04:00
KernelDeimos
b81284e2c6 Pass the RIGHT token to email 2024-04-14 22:49:51 -04:00
KernelDeimos
5b39e39e1f Use jwt for email change confirmation 2024-04-14 22:44:04 -04:00
KernelDeimos
b944217410 Fix 2024-04-14 22:29:54 -04:00
KernelDeimos
dca7304be9 Remove requirement of auth from email confirm 2024-04-14 22:23:42 -04:00
KernelDeimos
231878266c Fix 2024-04-14 22:08:31 -04:00
KernelDeimos
51bf8fdde6 Fix 2024-04-14 21:41:08 -04:00
KernelDeimos
18134629d2 Move 2024-04-14 21:37:12 -04:00
KernelDeimos
f6b737e45d Add confirmation email for email change 2024-04-14 21:33:15 -04:00
KernelDeimos
3b7be8a719 Add delete-own-user 2024-04-14 21:32:43 -04:00
KernelDeimos
ef0da306a8 Fix change_email 2024-04-14 20:35:34 -04:00
vineethvk11
5d8d25f370 fixing on conflict issue in sqlite kv write 2024-04-14 16:39:29 +05:30
Nariman Jelveh
255e80d077 Make Puter.js verbosity optional via debug flag. 2024-04-13 17:31:29 -07:00
KernelDeimos
965d99d137 Fix socket auth 2024-04-13 17:19:12 -04:00
KernelDeimos
df45e22813 Make node-pty not required 2024-04-13 13:56:57 -04:00
Nariman Jelveh
8db8ec3574 Update Apps.js 2024-04-12 22:04:28 -07:00
KernelDeimos
4a36670417 Update README.md files for monorepo'd projects 2024-04-12 23:54:41 -04:00
KernelDeimos
77ac503bfc Edit phoenix README.md 2024-04-12 23:49:43 -04:00
Nariman Jelveh
be55e447bb fix issue with two session managers on top of each other 2024-04-12 20:43:15 -07:00
KernelDeimos
00e9f922c0 Fix target version 2024-04-12 23:16:49 -04:00
KernelDeimos
361e51060a Update apps 2024-04-12 22:03:40 -04:00
KernelDeimos
d919b1f312 Register terminal and phoenix builtins 2024-04-12 20:56:16 -04:00
KernelDeimos
cb81579c53 Copy over phoenix 2024-04-12 20:53:44 -04:00
KernelDeimos
0306a395a2 Copy over terminal 2024-04-12 20:53:32 -04:00
KernelDeimos
5fbbfb4c18 Enable background and builtin apps 2024-04-12 20:52:57 -04:00
KernelDeimos
09c3cc6db1 Fix error when session not found 2024-04-12 01:22:33 -04:00
KernelDeimos
356a3284fa Fix mysql incompatibility 2024-04-12 00:10:56 -04:00
KernelDeimos
0eedcf567e Apply some fixes 2024-04-11 23:48:17 -04:00
KernelDeimos
f4f58dbfb9 Fix destructuring 2024-04-11 23:28:40 -04:00
Eric Dubé
8135e076c2
Merge pull request #266 from HeyPuter/eric/session-updates
session management
2024-04-11 22:04:07 -04:00
KernelDeimos
13525c85a0 -dot- 2024-04-11 21:46:43 -04:00
KernelDeimos
2f6f7e39bb Add timestamp 2024-04-11 21:41:19 -04:00
KernelDeimos
2d76025c9c Send cookie on token upgrade 2024-04-11 21:40:10 -04:00
KernelDeimos
bb9edc4f65 Add automatic token migration 2024-04-11 21:33:44 -04:00
KernelDeimos
b8e66cada9 Add puter.js 2024-04-11 19:07:00 -04:00
KernelDeimos
fc5025a2a8 Simplify PuterVersionService 2024-04-11 14:37:34 -04:00
KernelDeimos
e3d238f897 Do not use git to get version number 2024-04-11 13:57:40 -04:00
Nariman Jelveh
9ab3e3ccd8
Merge pull request #244 from HeyPuter/eric/host-storage
Display storage use of host/puter separately
2024-04-11 10:14:45 -07:00
KernelDeimos
09bf422686 Add session manager ui 2024-04-11 00:29:39 -04:00
KernelDeimos
18b3e06fe8 Add session listing and revocation 2024-04-10 23:00:37 -04:00
KernelDeimos
e436693d3e Improve session mgmt (part 1) 2024-04-10 21:54:16 -04:00
KernelDeimos
eb66848aee Update database version when creating a new one 2024-04-10 12:25:44 -04:00
KernelDeimos
0eded34c8c Add indented logs and fix a bug 2024-04-10 12:22:21 -04:00
KernelDeimos
367c18bfc5 Add endpoint to list permissions 2024-04-10 12:16:08 -04:00
KernelDeimos
cb4b8c5914 Add minor fixes 2024-04-07 00:06:11 -04:00
KernelDeimos
dc5a7ca431 Display storage use of host/puter separately 2024-04-06 23:26:18 -04:00
KernelDeimos
674cebd9e1 Add Linux support to HostDiskUsageService 2024-04-06 05:33:46 -04:00
Eric Dubé
0dd66463df
Merge pull request #241 from vineeth-vk11/#233
Implementing HostDiskUsageService removing diskusage dependency
2024-04-06 05:29:21 -04:00
vineethvk11
bf4bc214b2 Implementing HostDiskUsageService removing diskusage dependency 2024-04-06 13:03:09 +05:30
Eric Dubé
c6fb75c65f
Merge pull request #231 from HeyPuter/eric/user-to-user-permissions
User-to-User Permission Granting
2024-04-05 23:11:32 -04:00
KernelDeimos
38e8b19b50 Cleanup 2024-04-05 23:05:20 -04:00
KernelDeimos
90ce840234 Add revoke-user-user endpoint 2024-04-05 23:01:50 -04:00
KernelDeimos
fc6eda392b Allow granting user-to-user permissions 2024-04-05 22:11:36 -04:00
KernelDeimos
343edbff51 Use weak CORS policy for experimental_no_subdomain 2024-04-05 16:51:57 -04:00
KernelDeimos
fe88880486 Add experimental_no_subdomain flag 2024-04-05 16:21:19 -04:00
KernelDeimos
1c2e4968e2 Remove console log 2024-04-05 14:38:50 -04:00
KernelDeimos
f9b375a39b Fix case when main domain is a subdomain 2024-04-05 14:38:33 -04:00
KernelDeimos
207fa139d4 Add user-to-user permissions table 2024-04-05 03:23:31 -04:00
vineethvk11
6006767a9f fixing issues in copy while overwriting 2024-04-05 09:11:39 +05:30
KernelDeimos
35abf9a6bc Stop printing default password in logs 2024-04-04 22:17:00 -04:00
KernelDeimos
c3a4223bbf Add service to check EOL date of node 2024-04-04 22:10:56 -04:00
KernelDeimos
17a323298c Make dismiss command print what was dismissed 2024-04-04 20:46:03 -04:00
KernelDeimos
27c99fd90a Use OR IGNORE when sqlite 2024-04-04 20:02:35 -04:00
KernelDeimos
6c7175c109 NOOP legacy share fetch 2024-04-04 19:26:29 -04:00
Eric Dubé
3e1c7eb434
Merge pull request #223 from vineeth-vk11/#211
removing storage limit for self hosters
2024-04-04 16:12:31 -04:00
KernelDeimos
2125367683 Avoid predicate.values not iterable error 2024-04-04 14:20:30 -04:00
KernelDeimos
809e33b053 Remove unused code 2024-04-04 14:18:34 -04:00
vineethvk11
0da9e1fab3 removing storage limit for self hosters 2024-04-04 22:31:37 +05:30
KernelDeimos
b055c5cdad Fix change_username 2024-04-03 22:06:06 -04:00
KernelDeimos
b7a1f21e31 Fix puter sites errors 2024-04-03 22:05:33 -04:00
KernelDeimos
a04cac60e6 Fix db migration error in SQLES 2024-04-03 17:38:42 -04:00
KernelDeimos
274b69d017 Fix /file and /setItem 2024-04-03 17:21:25 -04:00
KernelDeimos
369037e269 Fix incorrect asset urls 2024-04-02 04:19:22 -04:00
KernelDeimos
9881fecacd Fix error caused by fixing kv 2024-04-02 03:40:58 -04:00
KernelDeimos
0651aab1be Fix DBKVStore value format 2024-04-02 00:47:14 -04:00
KernelDeimos
a973f66092 Only load from source in dev environment 2024-04-01 22:26:09 -04:00
KernelDeimos
5d81ff4cbe Fix dev console bar when columns has small value 2024-04-01 22:01:34 -04:00
KernelDeimos
7442b48157 Fix undefined instead of null in db query 2024-04-01 19:41:16 -04:00
KernelDeimos
59003a9ab9 Make dev-console use in WebServerService optional 2024-04-01 19:40:59 -04:00
KernelDeimos
65b61fc90d Remove unused variable 2024-04-01 17:24:48 -04:00
KernelDeimos
05c6cd6c3d Separate default user into SelfhostedModule 2024-04-01 17:24:07 -04:00
KernelDeimos
92b3f4ff76 Default user random pass, sqlite query patches 2024-04-01 01:23:53 -04:00
KernelDeimos
4845bd28a1 Create default user 2024-03-31 21:21:17 -04:00
KernelDeimos
88bd45cfda Add note about private UID namespace 2024-03-30 22:35:47 -04:00
KernelDeimos
a09d7bcd54 Patch log service 2024-03-30 22:10:18 -04:00
KernelDeimos
752496bfe1 Need to revisit this later 2024-03-30 21:52:31 -04:00
KernelDeimos
007ebdadb1 Center that launch logo 2024-03-30 19:35:11 -04:00
KernelDeimos
26c435c829 Fix port in use message 2024-03-30 19:26:58 -04:00