2092f82270
fixup! fix: escape error.message on login failure
2021-07-01 10:43:37 -07:00
22a22a8f7a
fix: escape error.message on login failure
2021-07-01 10:43:37 -07:00
c505fc45a8
feat: add escapeHtml function
...
This can be used to escape any special characters in a string with HTML before
sending from the server back to the client. This is important to prevent a
cross-site scripting attack.
2021-07-01 10:43:36 -07:00
7f12fab3ca
fix(isHashMatch): check that hash starts with $
...
Previously, we used argon2 to verify the hash with the password.
If the hash didn't start with a $, then it would enter the catch block.
Now we check the hash before trying to verify it and we also throw an Error if
the verify fails.
This makes the isHashMatch function more robust.
2021-06-30 15:00:21 -07:00
49c44818d9
Move onLine to utilities
...
This way it can be used by the tests when spawning code-server on a
random port to look for the address.
2021-06-29 12:04:31 -05:00
be7ea8f3f7
refactor: migrate parcel to browserify
...
This also refactors a couple CSS stylesheets to be referenced directly in the
HTML files.
And it removes any CSS imports from src/browser files.
2021-06-28 11:41:45 -07:00
02b9489489
refactor: add func getNlsConfiguration & tests
...
This PR refactors part of vscode.ts and adds a function to get the NLS
Configuration.
This makes the code more readable and easier to test.
And it adds multiple tests for this part of the codebase.
2021-06-23 13:42:06 -07:00
b59b3936d0
Fix incorrect logout base ( #3611 )
...
Fixes #3608 .
2021-06-15 15:11:01 -05:00
dbb34ad710
chore: upgrade to Playwright 1.12 with its new test-runner
2021-06-10 15:09:38 +02:00
1e55a648a5
feat: check for empty str in isHashMatch
2021-06-08 15:10:59 -07:00
3b50bfc17d
fix: sanitize password and cookie key
2021-06-08 14:33:17 -07:00
8c2bb61af9
refactor: parse options with multiple = in cli
...
There was a case with the hashed-password which had multiple equal signs in the
value and it wasn't being parsed correctly. This uses a new function and adds a
few tests.
2021-06-08 14:33:17 -07:00
531b7c0c25
feat: add splitOnFirstEquals function
2021-06-08 14:33:16 -07:00
517aaf71c5
docs: update FAQ with new hashing instructions
2021-06-08 14:33:16 -07:00
923761cd78
refactor: password logic in http w/ isCookieValid
2021-06-08 14:33:16 -07:00
6020480b30
feat: add isCookieValid function and tests
2021-06-08 14:33:16 -07:00
409b473c82
refactor: rewrite password logic at /login
2021-06-08 14:33:15 -07:00
a14ea39c4a
feat: add handlePasswordValidation + tests
2021-06-08 14:33:15 -07:00
7ff4117531
feat: add getPasswordMethod & test for it
2021-06-08 14:33:15 -07:00
ffa5c16e51
feat: update cli and test for hashed-password
2021-06-08 14:33:15 -07:00
1134780b8b
refactor: make wsProxy async
2021-06-08 14:33:14 -07:00
91303d4e40
refactor: make ensureAuthenticated async
2021-06-08 14:33:14 -07:00
0cdbd33b46
refactor: make authenticated async everywhere
...
Since this checks if they are authenticated using the hash/password and it's
async, we need to update authenticated to be async, which means we have to
update it everywhere it's used.
2021-06-08 14:33:14 -07:00
fcc3f0d951
refactor: update login logic with new async hashing
...
This adds the proper await logic for the hashing of passwords.
2021-06-08 14:33:13 -07:00
70197bb2a5
refactor: use argon2 instead of bcrypt
...
This uses argon2 instead of bcrypt.
Note: this means the hash functions are now async which means we have to
refactor a lot of other code around auth.
2021-06-08 14:33:13 -07:00
aaf044728f
refactor: add functions to check hash password
2021-06-08 14:33:12 -07:00
cac667317e
refactor: use bcrypt in hash function
2021-06-08 14:33:11 -07:00
46fe77d464
chore: update CHANGELOG
2021-05-13 12:10:22 -07:00
d7f1415290
refactor: use paths.runtime in socket proxyPipe
2021-05-13 12:10:21 -07:00
a57ee69822
feat: add runtime to getEnvPaths
2021-05-13 12:10:21 -07:00
a882be5748
Refactor integration tests to use main entry point
2021-05-05 12:24:41 -05:00
20e70cfa05
Remove try from main
...
All it does is log and exit which is what the caller will be doing on an
error anyway (see entry).
2021-05-05 12:24:36 -05:00
c96fb65308
Split some entry methods into main
...
This is so they can be unit tested.
2021-05-05 12:24:35 -05:00
083400b50a
Add flag to enable permessage-deflate
2021-05-05 12:24:34 -05:00
92bf2c9760
Add dev mode constant
2021-05-05 10:16:01 -05:00
8b2c78c4a4
Re-enable update tests
2021-05-04 13:29:42 -05:00
10babb4a0c
Replace console with logger in sw register
2021-05-04 13:29:41 -05:00
a48ac5080b
Share common util code with VS Code
...
This lets us re-use the normalized base path so when we expire/clear the
cookie we use the same base path.
2021-05-04 13:29:40 -05:00
49c26f70f7
Add logout route
2021-05-04 13:29:39 -05:00
e7a527514a
Add authed context key
2021-05-03 15:00:54 -05:00
07d682392e
Merge pull request #3169 from cdr/jsjoeio/add-terminal-e2e-test
...
feat(testing): add e2e tests for code-server and terminal
2021-04-26 15:16:06 -07:00
83746c8a1f
refactor: remove null check in register.ts options.base
...
Inside registerServiceWorker, we were originally using the nullash coalescing
operator to check if options.base was null or undefined. However, I realized
this check is not necessary.
If you look at getOptions' return value, we return an object with a key "base"
which is of type "string". We get that value by calling resolveBase which always
returns a string.
As a result, we didn't need to check if options.base was null or undefined
because it never can be.
2021-04-23 17:09:03 -07:00
cb65590b98
refactor: move tmpdir into src/node/constants
2021-04-23 14:35:32 -07:00
b9c80b8520
Merge pull request #3178 from code-asher/connections
...
Minor connections refactor
2021-04-21 12:22:45 -05:00
f0bafa387f
Move connection logic into connection class
...
- Moved everything I could into the class itself.
- Improve the logging situation a bit.
- Switch some trace logs to debug.
- Get debug port from message arguments.
2021-04-21 11:48:45 -05:00
f80d5c3764
refactor: rateLimiter.canTry logic to check >= 1
2021-04-19 13:14:19 -07:00
7a5042176e
fix: update logic for removing token from limiter
2021-04-19 11:12:43 -07:00
a3f18d6158
refactor: change limiter.Try() to .removeToken()
2021-04-19 10:57:50 -07:00
d8e45057c7
refactor: update rateLimiter to check try
...
This changes adds a new method called `.canTry` to the rate limiter to check if
there are tokens remaining in the bucket.
It also adds suggestions from @oxy to make sure the user can brute force past
the rate limiter.
2021-04-19 10:40:59 -07:00
08521077f0
refactor(login): move rate limiter after successful login
...
Before, we weren't checking if a login was successful before counting it
against the rate limiter.
With this change, we only count unsuccessful logins against the rate limiter.
We did this because this was a bug but also because it caused problems with our
e2e tests hitting the rate limit.
2021-04-19 10:40:59 -07:00
4683d8a077
fix: update comment and export rateLimiter
2021-04-19 10:40:58 -07:00
101c2a01f1
Fix tsc watch restarting when it shouldn't
...
It seems reaching into lib/vscode for the types caused tsc to establish
watches that caused it to restart over and over while vscode was
building.
The strategy used here is to symlink it instead which is the same thing
we do for the proxy agent.
2021-04-01 10:58:56 -05:00
df6bfbbeaf
feat: bump ts-node to 9.1.1
2021-03-30 16:46:49 -07:00
e4db80667e
refactor: use stdio correctly in wrapper
2021-03-29 14:05:59 -07:00
18ace7b906
Don't send permessage-deflate header if not supported ( #2993 )
2021-03-29 12:59:36 -05:00
b04104cafe
Merge branch 'main' into jsjoeio/upgrade-vscode-1.54
2021-03-22 10:43:39 -07:00
a8e2ede4f5
chore(deps): bump js-yaml from 3.14.0 to 4.0.0 ( #2920 )
...
* chore(deps): bump js-yaml from 3.14.0 to 4.0.0
Bumps [js-yaml](https://github.com/nodeca/js-yaml ) from 3.14.0 to 4.0.0.
- [Release notes](https://github.com/nodeca/js-yaml/releases )
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md )
- [Commits](https://github.com/nodeca/js-yaml/compare/3.14.0...4.0.0 )
Signed-off-by: dependabot[bot] <support@github.com>
* fix(src/node): replace yaml.safeLoad with load
Also update @types/yaml to ^4.0.0.
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Akash Satheesan <akash@coder.com>
2021-03-18 16:30:10 -05:00
071c8e15fc
Merge branch 'main' into jsjoeio/upgrade-vscode-1.54
2021-03-17 13:51:27 -07:00
45a1713767
Merge pull request #2906 from bpmct/rename-cloud
...
rename references of "coder could"
2021-03-17 18:28:14 +00:00
a097713829
remove references of coder could
2021-03-16 22:59:30 -04:00
0c2708302d
refactor: remove --home flag/feature
...
We are removing this because it was removed upstream in PR~115599.
2021-03-16 14:25:28 -07:00
964ebe8d0a
Replace fs-extra with fs.promises
...
Remove the Mac directory copy instead of refactoring it since we've had
this for a long time now and I think it's safe to assume that users
running code-server on Mac don't have the old directory anymore.
2021-03-16 12:51:08 -05:00
5a1f62a8fb
Support permessage-deflate web socket extension ( #2846 )
2021-03-10 13:14:24 -06:00
f21433a130
Merge pull request #2823 from cdr/vapurrmaid/rm-updatecss
...
chore: Remove pages/update.css
2021-03-05 14:04:33 -07:00
925073db31
Merge pull request #2773 from cdr/upgrade-vscode-1.53
...
feat(vscode): update to version 1.53.2
2021-03-05 14:03:10 -07:00
9e2668ec75
chore: Remove pages/update.css
...
It appears the associated HTML for these styles was removed in
554b6d6fcf
2021-03-05 06:55:05 -05:00
4d3d1b844d
Handle permessage-deflate on sockets
...
With this the extension host is working again.
2021-03-02 17:18:49 -06:00
36136fe70d
chore: formatting
2021-02-26 15:46:31 -07:00
9ea18636d7
Merge branch 'master' into upgrade-vscode-1.53
2021-02-26 14:23:24 -07:00
5f3afbf7a9
fix: refactor performance in vscode.html
2021-02-26 14:16:46 -07:00
ee0973c05a
feat: add logs to serviceWorker
2021-02-26 11:58:29 -07:00
027e8e5adf
refactor: use LogModule from Asher in tests
2021-02-26 11:51:52 -07:00
a44a51462c
refactor: use same syntax as logger spy
2021-02-26 11:51:52 -07:00
7ef630f7a4
refactor(register): use logError instead of logger
2021-02-26 11:51:52 -07:00
21f577d471
refactor: add handleRegisterServiceWorker fn
2021-02-26 11:51:52 -07:00
44b9874fbe
feat: test failure to register service worker
2021-02-26 11:51:52 -07:00
a9f88affa9
refactor: use logger in serviceworker
2021-02-26 11:51:51 -07:00
72b05cacac
refactor: create registerServiceWorker fn
2021-02-26 11:51:51 -07:00
077af0511e
fix: Responsive Sign In Page ( #2770 )
2021-02-25 13:08:54 -06:00
47a05c998a
Gate wtfnode behind WTF_NODE env var
...
After thinking about it some more it's probably mostly only useful to
see the output when the tests are hanging. Otherwise there's a lot of
noise about Jest child processes and pipes.
2021-02-22 13:41:12 -07:00
3fa460c244
refactor: create helpers.ts & add Cookie
2021-02-22 13:41:10 -07:00
d0eece3d8f
refactor: add note to test.sh about --home
2021-02-22 13:41:10 -07:00
b02d2fb3cc
feat: add cookie utils for e2e tests
2021-02-22 13:41:10 -07:00
2d8b785fb8
Fix health socket not getting client messages
...
Forgot to resume. Went ahead and did the same for the test plugin
although it only sends messages and doesn't receive any.
2021-02-16 15:01:46 -06:00
3fc556d4d5
Delegate authentication to plugins
...
Unfortunately since plugins can now override the root this is necessary
or just can't log in.
2021-02-12 16:50:23 -06:00
0abbc9789e
Allow plugins to register at the root
...
Unfortunately we have existing plugins with routes there which we cannot
move.
2021-02-12 15:19:26 -06:00
619934dc29
Authenticate plugin routes ( #2720 )
2021-02-12 14:56:39 -06:00
97c1399401
feat: use compression in express server ( #2680 )
2021-02-12 14:27:33 -06:00
8344e2062a
Merge pull request #2622 from cdr/plugin-additions
2021-02-10 16:45:00 -06:00
e4e0ac43b0
Don't load plugins in tests
...
This can affect the test behavior and results.
2021-02-09 15:39:57 -06:00
e098df0766
Fix code-server module not being provided in Jest
2021-02-09 15:23:08 -06:00
2879bd4c22
Add type alias for required modules
2021-02-09 13:09:41 -06:00
3226d50747
Rename papi to pluginApi
2021-02-09 13:09:40 -06:00
2fe3d57df3
Mount plugins before bodyParser
...
Otherwise it consumes the body and plugins won't be able to do things
like proxy POST requests.
2021-02-09 13:09:39 -06:00
c78f56b334
Expose HttpError to plugins
...
This will let them throw and show nice errors more easily.
2021-02-09 13:09:38 -06:00
22d194515a
Expose replaceTemplates to plugins
...
This is mainly so they can get relative paths in their HTML, in
particular code-server's static base so they can use the favicon and
service worker.
2021-02-09 13:09:37 -06:00
36aad9bdab
Move global express args definition
...
This way tests that import the http utilities but not the routes won't
error due to missing types.
2021-02-09 13:09:36 -06:00
5505959f7e
Expose websocket server to plugins
...
Same reasoning used when exposing Express.
2021-02-09 13:09:34 -06:00
b13db3124b
Add health websocket
...
This is used by some of our services.
2021-02-09 13:09:33 -06:00
f136a60093
Note that we immediately pause websockets
2021-02-09 13:09:32 -06:00
Joe Previte
Asher
Max Schmitt
dependabot[bot]
repo-ranger[bot]
Ben Potter
G r e y
Justin Poehnelt