gristlabs_grist-core/app/client/ui
Leslie H 24ce54b586
Improve session ID security (#1059)
Follow-up of #994. This PR revises the session ID generation logic to improve security in the absence of a secure session secret. It also adds a section in the admin panel "security" section to nag system admins when GRIST_SESSION_SECRET is not set.

The following is an excerpt from an internal conversation.

TL;DR: Grist's current implementation generates semi-secure session IDs and uses a publicly known default signing key to sign them when the environment variable GRIST_SESSION_SECRET is not set. This PR generates cryptographically secure session IDs to dismiss security concerns around an insecure signing key, and encourages system admins to configure their own signing key anyway.

> The session secret is required by expressjs/session to sign its session IDs. It's designed as an extra protection against session hijacking by randomly guessing session IDs and hitting a valid one. While it is easy to encourage users to set a distinct session secret, this is unnecessary if session IDs are generated in a cryptographically secure way. As of now Grist uses version 4 UUIDs as session IDs (see app/server/lib/gristSessions.ts - it uses shortUUID.generate which invokes uuid.v4 under the hood). These contain 122 bits of entropy, technically insufficient to be considered cryptographically secure. In practice, this is never considered a real vulnerability. To compare, RSA2048 is still very commonly used in web servers, yet it only has 112 bits of security (>=128 bits = "secure", rule of thumb in cryptography). But for peace of mind I propose using crypto.getRandomValues to generate real 128-bit random values. This should render session ID signing unnecessary and hence dismiss security concerns around an insecure signing key.
2024-06-25 15:43:25 -04:00
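The quoted excerpt makes two claims worth seeing in code: a version-4 UUID carries only 122 random bits because 6 of its 128 bits are fixed by the format, and a session ID drawn directly from a CSPRNG carries the full 128. The block below is an added example, not grist-core's own code: it builds a 128-bit session ID with `webcrypto.getRandomValues` (Node's implementation of the browser primitive named in the excerpt), measures the fixed bit positions of v4 UUIDs empirically from a sample generated with `randomUUID`, and includes a small `sessionSecretConfigured` check that mirrors the admin-panel nag for `GRIST_SESSION_SECRET`. The function names, the hex encoding, and the sample size are assumptions of this example; Grist's `shortUUID.generate` encoding is not reproduced here.

```typescript
// Added example (not grist-core code): CSPRNG session IDs and the
// "122 bits of entropy" figure for version-4 UUIDs, checked empirically.
import { randomUUID, webcrypto } from 'node:crypto';

// 16 bytes = 128 bits, the size proposed in the commit message.
const SESSION_ID_BYTES = 16;

/** Generate a session ID from 128 bits of CSPRNG output, hex-encoded (assumed encoding). */
export function generateSessionId(): string {
  const bytes = new Uint8Array(SESSION_ID_BYTES);
  webcrypto.getRandomValues(bytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

/** Random bits carried by an ID produced by generateSessionId(): every bit is random. */
export function sessionIdEntropyBits(id: string): number {
  return id.length * 4; // one hex digit = 4 bits
}

/** Expand a canonical UUID string into its 128 bits, most significant first. */
function uuidToBits(uuid: string): number[] {
  const bits: number[] = [];
  for (const ch of uuid.replace(/-/g, '')) {
    const nibble = parseInt(ch, 16);
    for (let i = 3; i >= 0; i--) bits.push((nibble >> i) & 1);
  }
  return bits;
}

/**
 * Bit positions (0 = most significant) that hold the same value in every
 * UUID of the sample. For RFC 4122 v4 UUIDs these should be exactly the
 * 4 version bits (positions 48-51, always 0100) and the 2 variant bits
 * (positions 64-65, always 10); a truly random bit stays constant across
 * a sample of a few thousand with negligible probability.
 */
export function constantBitPositions(uuids: string[]): number[] {
  const all = uuids.map(uuidToBits);
  const constant: number[] = [];
  for (let pos = 0; pos < 128; pos++) {
    if (all.every((bits) => bits[pos] === all[0][pos])) constant.push(pos);
  }
  return constant;
}

/** Entropy of a v4 UUID in bits, measured from a freshly generated sample. */
export function measuredUuidV4EntropyBits(sampleSize = 2000): number {
  const sample = Array.from({ length: sampleSize }, () => randomUUID());
  return 128 - constantBitPositions(sample).length;
}

/** Mirrors the admin-panel nag: is a non-empty GRIST_SESSION_SECRET configured? */
export function sessionSecretConfigured(env: Record<string, string | undefined>): boolean {
  const secret = env.GRIST_SESSION_SECRET;
  return typeof secret === 'string' && secret.trim().length > 0;
}

// Stand-alone run: print one session ID and the measured v4 UUID entropy.
console.log('session id :', generateSessionId());
console.log('v4 entropy :', measuredUuidV4EntropyBits(), 'bits');
console.log('secret set :', sessionSecretConfigured(process.env));
```

The measured value is 122 regardless of the UUID library, because the loss comes from the RFC 4122 layout rather than from any particular generator; the 128-bit ID has no such fixed positions, which is the whole point of the excerpt's proposal.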
AccountPage.ts (core) Add dropdown conditions 2024-04-26 16:57:55 -04:00
AccountPageCss.ts (core) Polish dark mode and remove beta tag 2023-09-21 13:14:48 -04:00
AccountWidget.ts (core) Customizable stripe plans. 2024-05-19 09:09:19 +02:00
AddNewButton.ts Introduce GRIST_ANON_PLAYGROUND variable #642 (#651) 2023-09-08 09:05:52 -04:00
AddNewTip.ts (core) Forms post-release fixes and improvements 2024-02-14 16:38:16 -05:00
AdminPanel.ts Improve session ID security (#1059) 2024-06-25 15:43:25 -04:00
AdminPanelCss.ts (core) Disable formula timing UI for non-owners 2024-06-18 10:18:38 -04:00
ApiKey.ts i18n: userManager translation + some forgotten translations (#557) 2023-07-16 12:52:13 -04:00
App.css (core) Polish tutorial popups 2023-04-20 12:20:03 -04:00
App.ts (core) Add dropdown conditions 2024-04-26 16:57:55 -04:00
AppHeader.ts feat: add new translations (#1004) 2024-05-29 11:02:00 -07:00
AppUI.ts (core) Makes EE frontend behave as core if EE isn't activated 2024-06-14 00:43:51 +01:00
BottomBar.ts (core) Making side bars a bit more usable for narrow screen 2021-01-19 15:22:01 +01:00
buttons.ts (core) move client code to core 2020-10-02 13:24:21 -04:00
CardContextMenu.ts (core) Record Cards 2023-11-19 20:12:37 -05:00
CellContextMenu.ts (core) Record Cards 2023-11-19 20:12:37 -05:00
CodeHighlight.ts (core) Add dropdown conditions 2024-04-26 16:57:55 -04:00
ColumnFilterCalendarView.ts (core) Add dark theme to date picker 2023-02-03 10:37:12 -05:00
ColumnFilterMenu.ts fix: cancel when escape (#986) 2024-05-16 17:15:14 +02:00
ColumnFilterMenuUtils.ts (core) Enable search in column pickers 2023-01-04 10:02:12 +01:00
ColumnTitle.ts (core) updates from grist-core 2023-05-15 12:01:19 -04:00
contextMenu.ts (core) Improve context menu placement on narrow screens 2023-10-25 10:35:49 -04:00
createAppPage.ts (core) Add dropdown conditions 2024-04-26 16:57:55 -04:00
createPage.ts (core) Add dropdown conditions 2024-04-26 16:57:55 -04:00
CreateTeamModal.ts (core) Restoring GRIST_DEFAULT_PRODUCT functionality 2024-06-14 19:56:49 +02:00
cssInput.ts (core) Add dark mode to user preferences 2022-09-05 19:17:32 -07:00
CustomSectionConfig.ts (core) Forms post-release fixes and improvements 2024-02-14 16:38:16 -05:00
CustomThemes.ts (core) Remove a defunct URL constant and a product flavor. 2023-05-05 18:28:04 -04:00
DateRangeOptions.ts fixes #852 (#877) 2024-03-08 01:30:30 -05:00
DefaultActivationPage.ts (core) Makes EE frontend behave as core if EE isn't activated 2024-06-14 00:43:51 +01:00
DescriptionConfig.ts (core) Forms improvements 2024-01-19 10:34:03 +01:00
DocHistory.ts (core) Add dropdown conditions 2024-04-26 16:57:55 -04:00
DocMenu.ts (core) Customizable stripe plans. 2024-05-19 09:09:19 +02:00
DocMenuCss.ts (core) Adding tutorial card 2023-03-28 19:57:52 +02:00
DocTour.ts i18n: userManager translation + some forgotten translations (#557) 2023-07-16 12:52:13 -04:00
DocTutorial.css (core) Improve dark mode in tutorials 2023-11-06 13:06:13 -05:00
DocTutorial.ts (core) Add new telemetry events 2023-11-01 10:49:33 -04:00
DocTutorialRenderer.ts (core) Fix browser history bug with tutorials 2023-04-19 00:22:42 -04:00
DocumentSettings.ts (core) Disable formula timing UI for non-owners 2024-06-18 10:18:38 -04:00
DuplicateTable.ts Linting long lines 2023-01-03 17:45:14 +01:00
errorPages.ts make 'contact support' link customisable (#854) 2024-03-06 00:59:46 -05:00
ExampleCard.ts (core) Add dark mode to user preferences 2022-09-05 19:17:32 -07:00
ExampleInfo.ts i18n: userManager translation + some forgotten translations (#557) 2023-07-16 12:52:13 -04:00
FieldConfig.ts (core) Add dropdown conditions 2024-04-26 16:57:55 -04:00
FieldContextMenu.ts (core) Record Cards 2023-11-19 20:12:37 -05:00
FieldMenus.ts Change translation keys for simple context keys 2023-01-03 15:50:11 +01:00
FileDialog.ts (core) Faster builds all around. 2022-07-04 10:42:40 -04:00
FilterBar.ts (core) Forms post-release fixes and improvements 2024-02-14 16:38:16 -05:00
FilterConfig.ts Change translation keys for ui directory 2023-01-03 15:50:10 +01:00
FloatingPopup.ts (core) Polish dark mode and remove beta tag 2023-09-21 13:14:48 -04:00
FormAPI.ts (core) New Grist Forms styling and field options 2024-04-11 08:17:42 -07:00
FormContainer.ts (core) New Grist Forms styling and field options 2024-04-11 08:17:42 -07:00
FormErrorPage.ts (core) New Grist Forms styling and field options 2024-04-11 08:17:42 -07:00
FormPage.ts (core) New Grist Forms styling and field options 2024-04-11 08:17:42 -07:00
forms.ts (core) Forms improvements 2024-01-19 10:34:03 +01:00
FormSuccessPage.ts (core) New Grist Forms styling and field options 2024-04-11 08:17:42 -07:00
googleAuth.ts (core) Extending Google Drive integration scope 2021-10-01 10:47:12 +02:00
GridOptions.ts Change translation keys for ui directory 2023-01-03 15:50:10 +01:00
GridViewMenus.ts (core) Better Max and Min shortcut functions in the new column menu. 2024-03-08 21:59:33 +01:00
GristTooltips.ts (core) Add learn more link to tooltip 2024-04-26 18:28:53 -04:00
HomeImports.ts Bump dependencies versions 2024-04-29 14:54:36 -04:00
HomeIntro.ts (core) Customizable stripe plans. 2024-05-19 09:09:19 +02:00
HomeLeftPane.ts (core) updates from grist-core 2024-05-23 13:27:59 -04:00
inputs.ts (core) Forms improvements 2024-01-19 10:34:03 +01:00
LanguageMenu.ts (core) Fix missing placeholder flag icon 2023-02-26 22:23:04 -05:00
LeftPanelCommon.ts (core) Show tooltips in other Grist flavors 2023-10-31 23:56:27 -04:00
LoginPagesCss.ts (core) Refactor forms implementation 2024-02-22 08:44:25 -05:00
MakeCopyMenu.ts (core) Customizable stripe plans. 2024-05-19 09:09:19 +02:00
MenuToggle.ts (core) Add dark mode to user preferences 2022-09-05 19:17:32 -07:00
mouseDrag.ts (core) Add cell selection summary 2022-09-30 09:11:46 -07:00
MultiSelector.ts (core) Add rules to eslint to better match our coding conventions. 2021-05-24 12:56:18 -04:00
NotifyUI.ts (core) Billing for formula assistant 2023-07-10 13:24:08 +02:00
OnBoardingPopups.ts Adds multiple missing translations (#972) 2024-05-10 14:31:54 +01:00
OpenUserManager.ts (core) Customizable stripe plans. 2024-05-19 09:09:19 +02:00
OpenVideoTour.ts (core) Update video tour 2023-09-19 16:28:36 -04:00
PagePanels.ts (core) Reference and ReferenceList should trigger RightMenu to show up on Column tab and display reference tooltip, if it wasn't dismissed yet 2024-02-13 16:59:59 +01:00
Pages.ts (core) Add additional telemetry events 2024-02-13 13:09:16 -05:00
PageWidgetPicker.ts feat: add translation of vue types when added (#946) 2024-05-17 11:55:24 -07:00
PinnedDocs.ts (core) Add dropdown conditions 2024-04-26 16:57:55 -04:00
PredefinedCustomSectionConfig.ts (core) custom widget appears as built-in widget 2023-08-30 09:44:25 +02:00
RelativeDatesOptions.ts (core) Fix date filter for DateTime columns. 2023-01-18 10:18:15 +01:00
RenamePopupStyles.ts feature widget description (#483) 2023-05-12 09:08:28 -04:00
resizeHandle.ts Initial config with a few files that build on client and server side. 2020-05-20 00:50:46 -04:00
RightPanel.ts feat: add translation of vue types when added (#946) 2024-05-17 11:55:24 -07:00
RightPanelStyles.ts (core) Add dropdown conditions 2024-04-26 16:57:55 -04:00
RowContextMenu.ts Feat: rename all column label from a given row with right click (#848) 2024-03-20 09:34:09 -04:00
sanitizeHTML.ts (core) Add initial tutorials implementation 2023-03-22 10:09:02 -04:00
searchDropdown.ts (core) Add dropdown conditions 2024-04-26 16:57:55 -04:00
selectBy.ts (core) Tests and bug fixes for bidirectional linking 2023-10-10 15:31:48 +02:00
sendToDrive.ts Change translation keys for ui directory 2023-01-03 15:50:10 +01:00
shadowScroll.ts (core) Polish dark mode and remove beta tag 2023-09-21 13:14:48 -04:00
ShareMenu.ts (core) Add TSV and DSV import/export 2024-03-20 10:57:21 -04:00
ShortcutKey.ts (core) Add April Fools easter egg 2023-03-27 14:12:52 -04:00
SiteSwitcher.ts Add createSite feature so user can disable site creation #813 (#814) 2024-01-08 11:26:30 -05:00
SortConfig.ts (core) Support reordering conditional styles 2024-05-13 14:45:11 -07:00
SortFilterConfig.ts Fix tests 2023-01-03 16:01:45 +01:00
SupportGristNudge.ts Create team site for self-hosted instances (#903) 2024-04-15 00:55:57 -07:00
SupportGristPage.ts (core) Admin Panel and InstallAdmin class to identify installation admins. 2024-03-25 12:18:38 -04:00
TemplateDocs.ts (core) Refactor forms implementation 2024-02-22 08:44:25 -05:00
ThemeConfig.ts (core) Add dropdown conditions 2024-04-26 16:57:55 -04:00
TimingPage.ts (core) Removing virtual tables when they are not needed 2024-05-29 08:46:49 -07:00
Tools.ts (core) Improve API Console and link from Document Settings. 2024-01-29 10:08:19 -05:00
tooltips.ts (core) Add dropdown conditions 2024-04-26 16:57:55 -04:00
TopBar.ts (core) Customizable stripe plans. 2024-05-19 09:09:19 +02:00
TopBarCss.ts (core) Add dark mode to user preferences 2022-09-05 19:17:32 -07:00
transientInput.ts (core) Add dark mode to user preferences 2022-09-05 19:17:32 -07:00
transitions.ts (core) Speed up and upgrade build. 2022-06-27 16:10:10 -04:00
TreeViewComponent.ts (core) Revealing hidden pages with visible children. 2022-10-31 14:02:38 +01:00
TreeViewComponentCss.ts (core) Add dark mode to user preferences 2022-09-05 19:17:32 -07:00
TriggerFormulas.ts Change translation keys for ui directory 2023-01-03 15:50:10 +01:00
TutorialCard.ts (core) Admin Panel and InstallAdmin class to identify installation admins. 2024-03-25 12:18:38 -04:00
UserImage.ts (core) Adds new view as banner 2023-01-03 12:33:34 +01:00
UserItem.ts Improve input team member (#268) 2022-09-21 10:30:54 -04:00
UserManager.ts (core) Add additional telemetry events 2024-02-13 13:09:16 -05:00
ViewLayoutMenu.ts (core) Polish Record Cards 2024-01-30 13:25:50 -05:00
viewport.ts (core) Make mobile the default mode. 2021-02-25 11:31:43 -05:00
ViewSectionMenu.ts (core) Forms improvements 2024-01-19 10:34:03 +01:00
VisibleFieldsConfig.ts (core) Support reordering conditional styles 2024-05-13 14:45:11 -07:00
WebhookPage.ts (core) Removing virtual tables when they are not needed 2024-05-29 08:46:49 -07:00
WelcomeCoachingCall.ts make 'contact support' link customisable (#854) 2024-03-06 00:59:46 -05:00
WelcomePage.ts (core) Add support for auto-copying docs on signup 2023-09-06 15:12:08 -04:00
WelcomeQuestions.ts (core) Add welcomeQuestionsSubmitted telemetry event 2023-09-13 00:31:04 -04:00
WelcomeSitePicker.ts (core) Refactor forms implementation 2024-02-22 08:44:25 -05:00
WelcomeTour.ts (core) Add additional telemetry events 2024-02-13 13:09:16 -05:00
WidgetTitle.ts (core) Record Cards 2023-11-19 20:12:37 -05:00
widgetTypesMap.ts feat: add translation of vue types when added (#946) 2024-05-17 11:55:24 -07:00
YouTubePlayer.ts (core) Add telemetry 2023-04-06 12:34:54 -04:00