Commit Graph

669 Commits

Author SHA1 Message Date
Dmitry S
8da89b0a3d (core) Improve behavior to update current time, to allow inactive docs to shut down, and reduce spurious errors.
Summary:
- When sandbox is down, report failing UpdateCurrentTime calls as warnings instead of errors.
- When applying system actions (such as updating current time), don't treat
  them as user activity for the purpose of keeping the doc open.

Test Plan: Added a test case for the fixed behavior.

Reviewers: georgegevoian

Reviewed By: georgegevoian

Differential Revision: https://phab.getgrist.com/D4324
2024-08-29 01:22:57 -04:00
Jordi Gutiérrez Hermoso
54502280de (core) AdminPanel: hide the enterprise toggle in core and grist-ee images
Summary:
In the pure OSS `grist-oss` image, the `ActivationPage` module from
stubs is used, as the `ext` code is completely missing. We can easily
just always return `false` here.

In the case when the `ext` directory exists, this may mean we're in
the standard `grist` image or the `grist-ee` image. The latter is
distinguished by having `GRIST_FORCE_ENABLE_ENTERPRISE` so we check if
that's on, and hide the toggle accordingly if so.

Test Plan:
Use these changes to build the three Docker images
(`grist-oss`, `grist`, and `grist-ee`) and verify that only `grist`
shows the toggle.

Reviewers: jarek

Reviewed By: jarek

Subscribers: jarek

Differential Revision: https://phab.getgrist.com/D4321
2024-08-19 15:51:24 -04:00
Dmitry S
ef4180c8da (core) Fix unhandledRejection caused by exception from verifyClient.
Summary:
This includes two fixes: one to ensure that any exception from websocket
upgrade handlers are handled (by destroying the socket). A test case is
added for this.

The other is to ensure verifyClient returns false instead of failing; this
should lead to a better error to the client (Forbidden, rather than just socket
close). This is only tested manually with a curl request.

Test Plan: Added a test case for the more sensitive half of the fix.

Reviewers: georgegevoian

Reviewed By: georgegevoian

Subscribers: georgegevoian

Differential Revision: https://phab.getgrist.com/D4323
2024-08-15 17:32:44 -04:00
Jordi Gutiérrez Hermoso
a16d76d25d (core) config: rename TEST_ENABLE_ACTIVATION to GRIST_FORCE_ENABLE_ENTERPRISE
Summary:
The name of this env var has bothered me for a little while.
Let's rename it more meaningfully.

Test Plan: No need to test, cosmetic change only.

Reviewers: jarek

Reviewed By: jarek

Differential Revision: https://phab.getgrist.com/D4320
2024-08-14 14:33:06 -04:00
Dmitry S
5ef54b278f (core) When getting error details for on-demand formulas, provide an explanation
Summary:
Since formula errors are typically obtained from the Python data engine, they
were not returning any info for errors in on-demand tables (not loaded into the
data engine). This change implements a detailed message to explain such errors,
mainly to point out that on-demand table is the reason.

Test Plan: Added a check to the OnDemand test that formula error details are shown.

Reviewers: jarek

Reviewed By: jarek

Differential Revision: https://phab.getgrist.com/D4317
2024-08-13 12:34:08 -04:00
Florent
fde6c8142d
Support nonce and acr with OIDC + other improvements and tests (#883)
* Introduces new configuration variables for OIDC:
  - GRIST_OIDC_IDP_ENABLED_PROTECTIONS
  - GRIST_OIDC_IDP_ACR_VALUES
  - GRIST_OIDC_IDP_EXTRA_CLIENT_METADATA
* Implements all supported protections in oidc/Protections.ts
* Includes a better error page for failed OIDC logins
* Includes some other improvements, e.g. to logging, to OIDC
* Adds a large unit test for OIDCConfig
* Adds support for SERVER_NODE_OPTIONS for running tests
* Adds to documentation/develop.md info about GREP_TESTS, VERBOSE, and SERVER_NODE_OPTIONS.
2024-08-08 15:35:37 -04:00
Jordi Gutiérrez Hermoso
960f023618 restart: gracefully handle restart failure
In case Grist isn't running with the supervisor (e.g. it's running
under nodemon instead via `yarn start`), surface the problem to the
frontend.
2024-07-30 13:41:47 -04:00
Jordi Gutiérrez Hermoso
bc8e5f6837 FlexServer: remove config from restart endpoint
The config endpoint now handles changing config values, so we only
need to handle restarts here.
2024-07-30 13:41:47 -04:00
Jordi Gutiérrez Hermoso
2d85ed1bfe config: new API endpoint
This adds PATCH and GET endpoints to handle `config.json`.
2024-07-30 13:41:47 -04:00
Jordi Gutiérrez Hermoso
d57c3f068d configCore: default to enterprise edition if TEST_ENABLE_ACTIVATION is truthy
This will ensure that the grist-ee image will have a consistent config
setting when created from the default value.
2024-07-30 13:41:47 -04:00
Jordi Gutiérrez Hermoso
f0aacc4d96 config: end the file with a newline
Small cosmetic change, POSIX requires final newlines in text files.

https://stackoverflow.com/questions/729692/why-should-text-files-end-with-a-newline
2024-07-30 13:41:47 -04:00
Jordi Gutiérrez Hermoso
fea7c0b536 create: add a comment explaining the session secret situation 2024-07-28 18:52:39 -04:00
Jordi Gutiérrez Hermoso
09871480ba create: add a short docstring for makeSimpleCreator 2024-07-28 18:52:39 -04:00
Jordi Gutiérrez Hermoso
9b3ae08ece create: hard-code the default session secret even more
The problem here is that making it this optional meant that it wasn't
supplied by [the enterprise creation
function](fb22d94878/ext/app/server/lib/create.ts (L10)).
This resulted in an odd situation where the secret was required for
the enterprise edition, even though it offers no additional security.
Without this key, the enterprise code crashes.

The requirement to supply a secret key would make a Grist instance
crash if you start in normal mode but switch to enterprise, as the
enterprise creator does not supply a default secret key.
2024-07-28 18:52:39 -04:00
Paul Fitzpatrick
fc3a7f580c
make access control for ConvertFromColumn action less brutal (#1111)
Access control for ConvertFromColumn in the presence of access rules had previously been left as a TODO. This change allows the action when the user has schema rights. Because schema rights let you create formulas, they let you read anything, so there is currently no value in nuance here.
2024-07-24 11:41:50 -04:00
George Gevoian
4740f1f933 (core) Update onboarding flow
Summary:
A new onboarding page is now shown to all new users visiting the doc
menu for the first time. Tutorial cards on the doc menu have been
replaced with a new version that tracks completion progress, alongside
a new card that opens the orientation video.

Test Plan: Browser tests.

Reviewers: jarek

Reviewed By: jarek

Differential Revision: https://phab.getgrist.com/D4296
2024-07-23 11:49:23 -04:00
Jordi Gutiérrez Hermoso
e30a090a4e config: remove all async/await around config read functions
Now that reading is synchronous, there's no need to have any more
async/await in regards to the those config functions.
2024-07-18 14:32:46 -04:00
Jordi Gutiérrez Hermoso
4013382170 config: replace fse read functions with sync variants
I need to be able to read the config at module load time, which makes
async difficult if not impossible.

This will make read config operations synchronous, which is fine. The
file is tiny and seldom read.
2024-07-18 14:32:46 -04:00
Florent
39eb042ff1
Remove GRIST_SKIP_REDIS_CHECKSUM_MISMATCH (#1098)
Skipping the redis checksum mismatch is now generalized. A warning is
logged when we see a mismatch.
2024-07-10 14:28:20 -04:00
Paul Fitzpatrick
0cdfeeb992 (core) updates from grist-core 2024-07-09 14:33:35 -04:00
Jarosław Sadziński
b8c4b83a8c (core) Updating paths after core changed
Summary: Path for the HomeDbManager has beed updated after merging with core.

Test Plan: Existing

Reviewers: georgegevoian

Reviewed By: georgegevoian

Subscribers: georgegevoian

Differential Revision: https://phab.getgrist.com/D4288
2024-07-09 12:19:25 +02:00
Spoffy
6908807236
Extracts config.json into its own module (#1061)
This adds a config file that's loaded very early on during startup. 

It enables us to save/load settings from within Grist's admin panel, that affect the startup of the FlexServer.

The config file loading:
- Is type-safe, 
- Validates the config file on startup
- Provides a path to upgrade to future versions.

It should be extensible from other versions of Grist (such as desktop), by overriding `getGlobalConfig` in stubs.

----

Some minor refactors needed to occur to make this possible. This includes:
- Extracting config loading into its own module (out of FlexServer).
- Cleaning up the `loadConfig` function in FlexServer into `loadLoginSystem` (which is what its main purpose was before).
2024-07-08 15:40:45 +01:00
Florent
786ba6b31e
Move HomeDBManager to gen-server/lib/homedb (#1076) 2024-07-05 16:02:39 +02:00
CamilleLegeron
0bfdaa9c02
Add authorization header in webhooks stored in secrets table (#941)
Summary:
Adding authorization header support for webhooks.

Issue:  https://github.com/gristlabs/grist-core/issues/827

---------

Co-authored-by: Florent <florent.git@zeteo.me>
2024-07-04 14:17:10 +02:00
Paul Fitzpatrick
5f9ecdcfe4 docstrings, moment import, fix log format 2024-07-03 15:03:14 -04:00
Paul Fitzpatrick
95b8134614 add a getSnapshotProgress implementation to DocStorageManager 2024-07-03 15:03:14 -04:00
Paul Fitzpatrick
4815a007ed log periodic per-document statistics about snapshot generation
This is to facilitate alerting to detect if snapshot generation were to
stall for a document.
2024-07-03 15:03:14 -04:00
Paul Fitzpatrick
919cff0398 (core) updates from grist-core 2024-07-01 09:37:47 -04:00
CamilleLegeron
61421e8251
Create user last connection datetime (#935)
Each time the a Grist page is reload the `last_connection_at` of the user is updated

resolve [#924](https://github.com/gristlabs/grist-core/issues/924)
2024-07-01 15:13:39 +02:00
Jarosław Sadziński
184be9387f (core) Enabling telemetry on /api/version endpoint
Summary:
Version API endpoint wasn't logging telemetry from POST requests. The issue was in registration
order, this endpoint was registered before `expressJson` and it couldn't read json body in the handler.

Test Plan: Added new test

Reviewers: paulfitz

Reviewed By: paulfitz

Subscribers: paulfitz

Differential Revision: https://phab.getgrist.com/D4277
2024-06-27 12:05:15 +02:00
Leslie H
24ce54b586
Improve session ID security (#1059)
Follow-up of #994. This PR revises the session ID generation logic to improve security in the absence of a secure session secret. It also adds a section in the admin panel "security" section to nag system admins when GRIST_SESSION_SECRET is not set.

Following is an excerpt from internal conversation.

TL;DR: Grist's current implementation generates semi-secure session IDs and uses a publicly known default signing key to sign them when the environment variable GRIST_SESSION_SECRET is not set. This PR generates cryptographically secure session IDs to dismiss security concerns around an insecure signing key, and encourages system admins to configure their own signing key anyway.

> The session secret is required by expressjs/session to sign its session IDs. It's designed as an extra protection against session hijacking by randomly guessing session IDs and hitting a valid one. While it is easy to encourage users to set a distinct session secret, this is unnecessary if session IDs are generated in a cryptographically secure way. As of now Grist uses version 4 UUIDs as session IDs (see app/server/lib/gristSessions.ts - it uses shortUUID.generate which invokes uuid.v4 under the hood). These contain 122 bits of entropy, technically insufficient to be considered cryptographically secure. In practice, this is never considered a real vulnerability. To compare, RSA2048 is still very commonly used in web servers, yet it only has 112 bits of security (>=128 bits = "secure", rule of thumb in cryptography). But for peace of mind I propose using crypto.getRandomValues to generate real 128-bit random values. This should render session ID signing unnecessary and hence dismiss security concerns around an insecure signing key.
2024-06-25 15:43:25 -04:00
Jordi Gutiérrez Hermoso
20035fd58f FlexServer: add new admin restart endpoint
This adds an endpoint for the admin user to be able to signal to a
controlling process to restart the server. This is intended for
`docker-runner.mjs`.
2024-06-19 11:56:45 -04:00
Jarosław Sadziński
98176132b0 (core) Renaming installationId metadata for checkUpdateAPI telemetry endpoint.
Summary:
CheckUpdateAPI is now storing client's installation id in a new field called 'deploymentId'.
Previously it was using installationId which is reserved (and overriden) by the home server.

Test Plan: Existing and manual

Reviewers: paulfitz

Reviewed By: paulfitz

Subscribers: paulfitz

Differential Revision: https://phab.getgrist.com/D4268
2024-06-12 16:01:45 +02:00
Paul Fitzpatrick
f071d91a0a (core) updates from grist-core 2024-06-11 09:18:23 -04:00
Jordi Gutiérrez Hermoso
c3e23ca81e admin: fix warning in websocket probe
This is a small thing, but when visiting the admin, the websocket test
doesn't send valid JSON, which the receiving endpoint expects. This
results in a harmless exception being thrown.

While this test should eventually be modified to be run from the
frontend, for now let's just make a small fix and send valid JSON in
order to avoid that JSON parsing exception.
2024-06-06 18:25:27 -04:00
George Gevoian
b555bf5d8d
Add user id middleware to form pages (#1020) 2024-06-05 09:18:02 -07:00
George Gevoian
72066bf0e4 (core) Support user variable in dropdown conditions
Summary:
Dropdown conditions can now reference a `user` variable, similar to the
one available in Access Rules.

Test Plan: Browser test.

Reviewers: jarek, paulfitz

Reviewed By: jarek, paulfitz

Differential Revision: https://phab.getgrist.com/D4255
2024-06-04 06:56:55 -07:00
Leslie H
9c90da7398
Bump minio to v8.0.0 (#991) 2024-06-03 15:20:10 +00:00
Paul Fitzpatrick
06acc47cdb (core) updates from grist-core 2024-05-28 11:43:45 -04:00
Jarosław Sadziński
0262ad7a47 (core) Fix for ACL page for temporary documents.
Summary:
When the ACL page was visited by an anonymous user (for a temporary doc), it
tried to load the "View as" list, which failed. Apart from example users, it was
also trying to load all users the document is shared with by checking the home db.
However, since the document is not persisted, it failed.

Test Plan: Added new test

Reviewers: Spoffy

Reviewed By: Spoffy

Subscribers: Spoffy

Differential Revision: https://phab.getgrist.com/D4257
2024-05-24 15:14:00 +02:00
Spoffy
e56b416c7a
Moves core create object and core getLoginSystem to server/lib (#994)
This enables code in ext/ to be able to access it (e.g for proxying / interception).

Additionally adds getCreate() to enable future refactoring of `const create` away from being a global singleton constant.
2024-05-23 23:07:46 +01:00
Paul Fitzpatrick
5dc4706dc7
reconcile boot and admin pages further (#963)
This adds some remaining parts of the boot page to the admin panel, and then removes the boot page.
2024-05-23 16:40:31 -04:00
Paul Fitzpatrick
76a43129f1 (core) updates from grist-core 2024-05-23 13:27:59 -04:00
Jarosław Sadziński
a6ffa6096a (core) Adding UI for timing API
Summary:
Adding new buttons to control the `timing` API and a way to view the results
using virtual table features.

Test Plan: Added new

Reviewers: georgegevoian

Reviewed By: georgegevoian

Subscribers: paulfitz

Differential Revision: https://phab.getgrist.com/D4252
2024-05-22 14:56:53 +02:00
Jarosław Sadziński
60423edc17 (core) Customizable stripe plans.
Summary:
- Reading plans from Stripe, and allowing Stripe to define custom plans.
- Storing product features (aka limits) in Stripe, that override those in db.
- Adding hierarchical data in Stripe. All features are defined at Product level but can be overwritten on Price levels.
- New options for Support user to
-- Override product for team site (if he is added as a billing manager)
-- Override subscription and customer id for a team site
-- Attach an "offer", an custom plan configured in stripe that a team site can use
-- Enabling wire transfer for subscription by allowing subscription to be created without a payment method (which is customizable)

Test Plan: Updated and new.

Reviewers: georgegevoian

Reviewed By: georgegevoian

Differential Revision: https://phab.getgrist.com/D4201
2024-05-19 09:09:19 +02:00
Spoffy
b4acb157f8
Displays the current authentication mechanism in the admin panel (#981)
* Adds authentication mechanism to admin panel

Adds field to the "Security settings" admin display, showing the
currently configured authentication mechanism.

* Adds 14px margin to admin panel names
2024-05-16 18:09:38 +01:00
Grégoire Cutzach
d8f4e075fe
feat: ADD Terms of service link (#985)
Adds an optional terms of service link for sites that need it.

---------

Co-authored-by: Jonathan Perret <j-github@jonathanperret.net>
2024-05-16 11:31:37 -04:00
Florent
5e3cd94177
Introduce APP_HOME_INTERNAL_URL and fix duplicate docs (#915)
Context:

On self-hosted instances, some places in the code rely on the fact that we resolves public domains while being behind reverse proxies. This leads to cases where features are not available, such as the "Duplicate document" one.

Bugs that are solved - n self-hosted instances:

Impossible to open templates and tutorials right after having converted them;
Impossible to submit forms since version 1.1.13;
Impossible to restore a previous version of a document (snapshot);
Impossible to copy a document;

Solution:

Introduce the APP_HOME_INTERNAL_URL env variable, which is quite the same as APP_DOC_INTERNAL_URL except that it may point to any home worker;
Make /api/worker/:assignmentId([^/]+)/?* return not only the doc worker public url but also the internal one, and adapt the call points like fetchDocs;
Ensure that the home and doc worker internal urls are trusted by trustOrigin;

---------

Co-authored-by: jordigh <jordigh@octave.org>
2024-05-14 12:58:41 -04:00
Paul Fitzpatrick
d431c1eb63 (core) add a sandbox check to admin panel, and start reconciling boot and admin pages
Summary:
This adds a basic sandbox check to the admin panel. It also makes
the "probes" used in the boot page available from the admin panel,
though they are not yet displayed. The sandbox check is built as
a probe.

In the interests of time, a lot of steps had to be deferred:
 * Reconcile fully the admin panel and boot page. Specifically, the
   admin panel should be equally robust to common configuration problems.
 * Add tests for the sandbox check.
 * Generalize to multi-server setups. The read-out will not yet be useful
   for setups where doc workers and home servers are configured
   separately.

Test Plan: Added new test

Reviewers: jarek, georgegevoian

Reviewed By: georgegevoian

Differential Revision: https://phab.getgrist.com/D4241
2024-04-29 20:52:39 -04:00
Jarosław Sadziński
ecf242c6c6 (core) Adding latest version section to the admin panel.
Summary:
Update for the admin page to show the latest available version information.
- Latest version is read from docs.getgrist.com by default
- It sends basic information (installationId, deployment type, and version)
- Checks are done only on the page itself
- The actual request is routed through the API (to avoid CORS)

Test Plan: Added new test

Reviewers: paulfitz

Reviewed By: paulfitz

Subscribers: paulfitz

Differential Revision: https://phab.getgrist.com/D4238
2024-04-29 21:59:36 +02:00