Commits on Apr 13, 2018
  1. Allow third-party apps

    espadrine committed Apr 13, 2018
    Those apps must be explicitly enabled by the current user from their
    allowedApps list in their home folder's metadata.
Commits on Apr 12, 2018
  1. Add appAuth to template parameters

    espadrine committed Apr 12, 2018
    Imagine that Malicious Mary wants to read a file that Gentle Jane keeps
    secret. She therefore crafts an HTML page on, the link to which
    she sends to Jane. When Jane opens the page, her browser executes
    the JS code, which runs an XHR in the background to fetch the secret
    page. That sends over her httpOnly token cookie to,
    which authenticates her. The page cannot see the contents of the
    cookies, but it still downloads the secret page, and sends it to Mary.
    To avoid that, we need two pieces of information: user identification,
    and proof of the source of the call. Indeed, apps that Jane approves
    should still be able to perform calls to on her behalf.
    All we'd need is the path of the HTML file making the call; but we
    cannot just send the path in a header, as anyone could craft a request
    for the path of an app they know Jane approved (e.g. a default app, like
    However, we can yield a keyed hash (with SHA3 / BLAKE2, or using HMAC)
    of the path, keyed by Jane's secret, to approved apps. It does not leak
    Jane's secret, and cannot be obtained without knowing Jane's secret.
    Also, it is unique to each path, so that one cannot use a well-known
    approved path for a call from a malicious page.
        APP_AUTH: /app/folder blake2b256 65AczoAPRpCxq_EIBv8zRIQ8mAnF6qxO8pGhZyUDUdKY
    The server can compute the keyed hash from the app path and the secret
    received from the cookie, to verify the source of the call. Then, it can
    verify that the app is approved for the user.
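    The keyed-hash scheme described in this commit, together with the allowedApps check from the "Allow third-party apps" commit, as an added illustration that is not the project's own code. It assumes a constructed user secret, a constructed per-user allowlist, and base64url encoding of the BLAKE2b-256 digest; the real APP_AUTH format may differ.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed sample values (not from the project): the secret that would come
# from Jane's cookie, and the apps she explicitly enabled in her home metadata.
USER_SECRET = b"jane-secret-token-constructed"
ALLOWED_APPS = {"jane": {"/app/folder", "/app/editor"}}


def app_auth(app_path: str, secret: bytes) -> str:
    """Build an APP_AUTH value: the app path, the algorithm label, and a
    BLAKE2b-256 of the path keyed by the user's secret (assumed encoding)."""
    digest = hashlib.blake2b(app_path.encode(), key=secret, digest_size=32).digest()
    tag = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return f"{app_path} blake2b256 {tag}"


def verify_app_auth(header: str, user: str, secret: bytes) -> Optional[str]:
    """Server side: recompute the keyed hash from the claimed path and the
    secret taken from the cookie, then check the app is enabled for the user.
    Returns the approved app path, or None if the call must not be trusted."""
    parts = header.split(" ")
    if len(parts) != 3 or parts[1] != "blake2b256" or not parts[2].isascii():
        return None
    app_path, _, tag = parts
    expected = app_auth(app_path, secret).split(" ")[2]
    # Constant-time comparison: a forged tag, or a tag computed for a different
    # path or a different user's secret, fails here.
    if not hmac.compare_digest(tag, expected):
        return None
    # A genuine tag is not enough: the user must have enabled this app.
    if app_path not in ALLOWED_APPS.get(user, set()):
        return None
    return app_path
```

A page that merely knows an approved path (for example a default app) cannot produce the tag without the secret, and a tag for one path does not validate another.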
Commits on Apr 11, 2018
  1. Add make stopdb

    espadrine committed Apr 11, 2018
Commits on Apr 10, 2018
  1. Fix missing parenthesis

    espadrine committed Apr 10, 2018
Commits on Apr 7, 2018
  1. Normalize account names to Unicode NFC

    espadrine committed Mar 28, 2018
    It avoids having multiple representations of the same strings.
  2. Prevent allowing a script to load private information.

    espadrine committed Mar 26, 2018
    Imagine Alice crafted a Web page on with a script that
    loaded a page from /bob/secret which is ACL'ed to only be readable by
    Bob. It is set up so that the credentials are sent with the XHR call to
    read that page, and to store the contents to a page that Alice can read.
    She maliciously sends the link to Bob, who clicks on it, unknowingly
    leaking the contents of /bob/secret to Alice.
    Here, we prevent this by blocking Ajax for ?app=data page loads. As a
    result, all data that JS code needs must be in the page.
    (Ideally we would want to prevent sending credentials instead.)
    The idea going forward is to apply this policy for ?app=data, and check
    the user's allowed apps for other apps. (Currently, we only allow apps
    from /app, which we control.)
  3. Include database in backup

    espadrine committed Mar 23, 2018
    Also, add `make restore`, which restores data from the latest backup/.
  4. Add username to logs

    espadrine committed Mar 21, 2018
Commits on Mar 26, 2018
  1. Minor changes in (#220)

    sfu365 authored and espadrine committed Mar 26, 2018
Commits on Mar 19, 2018
  1. Unify the format of user app parameters

    espadrine committed Mar 19, 2018
    The account app already had user information in a given format; we simply remove
    fields that are considered too sensitive for other apps (such as the email
    address) and only leave the user name.
Commits on Mar 16, 2018
  1. Upgrade canop to v0.4.1

    espadrine committed Mar 16, 2018
    It includes a fix for named cursors in CodeMirror.
Commits on Mar 15, 2018
  1. Upgrade canop to v0.4.0

    espadrine committed Mar 15, 2018
    Allows setting usernames to cursors.
Commits on Feb 19, 2018
  1. Use a single environment file

    espadrine committed Feb 19, 2018
    We used to have an ENV variable that selected either
    admin/private/dev.json or prod.json.
    We now use a single env.json file, that gets populated with development
    data on the developer's machine, and production data on servers.
    It avoids the complexities of managing things in production.
  1. Remove forbidden files from view

    espadrine committed Feb 9, 2018
    We used to be able to see a whole forbidden subtree by listing folders
    with depth > 0.
    (Being able to view forbidden files and folders with depth ≤ 0 was not a
    good thing either, and we also removed that capability.)
  1. Require owner access to read metadata

    espadrine committed Feb 4, 2018
    This will enable apps to store sensitive information like external token
    secrets in a user’s home folder’s metadata.
Commits on Feb 2, 2018
  1. Log API errors

    espadrine committed Feb 2, 2018
    Also, support both GET and POST for endpoints that are not fully
    converted to JSON.
  1. Display interface in readme

    espadrine committed Jan 26, 2018
  1. Put CockroachDB data in admin/db and admin/private/dbcerts

    espadrine committed Jan 17, 2018
    admin/db holds certs and database storage.
    admin/private/dbcerts holds the private root CA key.
Commits on Jan 16, 2018
  1. Ignore CockroachDB folder

    espadrine committed Jan 16, 2018
Commits on Jan 14, 2018
  1. Send permission as template parameter

    espadrine committed Jan 14, 2018
    It will allow apps to nicely handle readonly scenarios.
Commits on Jan 7, 2018
  1. Add account logout

    espadrine committed Jan 7, 2018