In some edge cases (e.g. SSO plugin redirecting the user immediately), with modern browsers, the request is never "completed" for speed. This causes a condition where the session object never persists to the database, even though it has changed. This added line forces a db persist on a successful login.
Context: https://github.com/expressjs/session/pull/484
>
> A plugin wanted to use `response:rotuer.page` to 404 a specific page on some condition. res.render returns early in send404 and so must be awaited otherwise multiple responses will be sent
* feat: wip categories pagination
* feat: add subCategoriesPerPage setting
* feat: add load more sub categories button to category page
* fix: openapi spec
* feat: show sub categories left on category page
hide button when no more categories left
* breaking: rename categories to allCategories on /search
categories contains the search results
* fix: spec
* refactor: remove cidsPerPage
* fix: tests
* feat: use component for subcategories
* fix: prevent negative subCategoriesLeft
* feat: new category filter/search WIP
* feat: remove categories from /tag
* fix: dont load all categories when showing move modal
* feat: allow adding custom categories to list
* breaking: dont load entire category tree on post queue
removed unused code
add hooks to filter/selector
add options to filter/selector
* feat: make selector modal work again
* feat: replace old search module
* fix: topic move selector
* feat: dont load all categories on create category modal
* fix: fix more categorySelectors
* feat: dont load entire category tree on group details page
* feat: dont load all categories on home page and user settings page
* feat: add pagination to /user/:userslug/categories
* fix: update schemas
* fix: more tests
* fix: test
* feat: flags page, dont return entire category tree
* fix: flag test
* feat: categories manage page
dont load all categories
allow changing root category
clear caches properly
* fix: spec
* feat: admins&mods page
dont load all categories
* fix: spec
* fix: dont load all children when opening dropdown
* fix: on search results dont return all children
* refactor: pass all options, rename options.cids to options.selectedCids
* fix: #9266
* fix: index 0
* fix: spec
* feat: #9265, add setObjectBulk
* refactor: shoter updateOrder
* feat: selectors on categories/category
* fix: tests and search filter
* fix: category update test
* feat: pagination on acp categories page
show order in set order modal
* fix: allow drag&drop on pages > 1 in /admin/manage/categories
* fix: teasers for deep nested categories
fix sub category display on /category page
* fix: spec
* refactor: use eslint-disable-next-line
* refactor: shorter
Login route saves the previous page by checking for the X-Return-To header. This header is automatically set by ajaxify.
Login takes this value and saves it to `req.session`.
Up until now, `/register` saved the previous URL in a hidden input, and redirected based on that value, but it occasionally conflicted with req.session.returnTo. It was also confusing because it did not match how login handled the values.
This commit updates the route handling so it works identically to `/login`.
* feat: wip categories pagination
* feat: add subCategoriesPerPage setting
* feat: add load more sub categories button to category page
* fix: openapi spec
* feat: show sub categories left on category page
hide button when no more categories left
* breaking: rename categories to allCategories on /search
categories contains the search results
* fix: spec
* refactor: remove cidsPerPage
* fix: tests
* feat: use component for subcategories
* fix: prevent negative subCategoriesLeft
`/api/post/pid/:pid`, `/api/topic/tid/:tid`, `/api/category/cid/:cid` have now been removed in favour of routes in the Write API (`/api/v3/(posts|topics|categories)/:id`)
These options were originally used when the flag filters were shown in the sidebar. This has seen been removed, and so the information is now superfluous
This change is breaking in the sense that if you have written
interstitial callbacks before that are async functions _with_ a
callback, those are no longer allowed. You will not need to call
next() as that argument will no longer be passed in to async
functions.
Access checks were added for topic GET route, but occasionally a post_uuid is passed in, which is available to everyone, and so checks should be skipped
When you select Custom Route as home you get a 404 error "/custom not found" error.
This because 'homePageRoute' property was used instead of 'homePageCustom'
- Resized thumb no longer skews aspect ratio
- Thumbs resized down to maximum thumb size by WIDTH only
- image.checkDimensions() now returns dimensions
- rename Thumbs.commit to Thumbs.migrate
- new PUT method that calls Thumbs.migrate
- `checkThumbPrivileges` now takes a single object parameter (ins. of req/res)
- addThumb and deleteThumb are now protected routes (duh)
- new getThumbs route GET /api/v3/topics/<tid>/thumbs
- Updated `assert.path` middleware to better handle if relative paths are received with upload_url
- Slight refactor of thumbs lib to use validator to differentiate between tid and UUID
fix category link redirect on cold load
fix helpers.redirect if passed in url is external
fix ajaxify so it doesn't slice first character of external url
* fix: add back topic assert middleware for pin route
* feat: server-side handling of pin expiries
* refactor: togglePin to not require uid parameter [breaking]
* feat: automatic unpinning if pin has expiration set
* feat: client-side modal for setting pin expiration
* refactor: categories.getPinnedTids to accept multiple cids
... in preparation for pin expiry logic, direct access to *:pinned zsets is discouraged
* fix: remove references to since-removed jobs file for topics
* feat: expire pins when getPinnedTids is called
* refactor: make the togglePin change non-breaking
The 'action:topic.pin' hook now sends uid again, as before. However, if it is a system action (that is, a pin that expired), 'system' will be sent in instead of a valid uid
* feat: allow invites in normal registration mode + invite privilege
* feat: select groups to join from an invite
* test: check if groups from invitations have been joined
* fix: remove unused variable
* feat: write API versions of socket calls
* docs: openapi specs for the new routes
* test: iron out mongo redis difference
* refactor: move inviteGroups endpoint into write API
* refactor: use GET /api/v3/users/:uid/invites/groups
Instead of GET /api/v3/users/:uid/inviteGroups
* fix: no need for /api/v3 prefix when using api module
* fix: tests
* refactor: change POST /api/v3/users/invite
To POST /api/v3/users/:uid/invites
* refactor: make helpers.invite awaitable
* fix: restrict invite API to self-use only
* fix: move invite groups controller to write api, +tests
* fix: tests
Co-authored-by: Julian Lam <julian@nodebb.org>
* feat: #7514 Optional timer for registration queue
* feat: show minutes in average time
* fix: don't show total number of minutes
* feat: implement requested changes
* fix: just store minutes instead of milliseconds
* feat: set default values
* feat: allow passwords longer than 73 characters
Context: A bcrypt/blowfish limitation means that password length is capped at 72 characters. We can get around this without compromising on security
by hashing all incoming passwords with SHA512, and then sending that to bcrypt.
https://dropbox.tech/security/how-dropbox-securely-stores-your-passwords
* feat: add additional test for passwords > 73 chars
* fix: remove 'password-too-long' error message and all invocations
* test: added test to show that a super long password won't bring down NodeBB
* fix: remove debug log
* Revert "fix: remove 'password-too-long' error message and all invocations"
This reverts commit 1e312bf7ef7e119fa0f1bd3517d756ca013d5e79.
* fix: added back password length checks, but at 512 chars
As processing a large string still uses a lot of memory
Julian Lam
Barış Soner Uşaklı
Peter Jaszkowiak
Barış Soner Uşaklı
gasoved
Manuel Valle
Opliko