thohlt/archtika
1
0
Fork 0
mirror of https://github.com/thiloho/archtika.git synced 2025-11-22 19:01:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: thohlt:v1.2.0
Branches Tags
thohlt:main thohlt:devel
thohlt:v1.2.3 thohlt:v1.2.2 thohlt:v1.2.1 thohlt:v1.2.0 thohlt:v1.1.0 thohlt:v1.0.1 thohlt:v1.0.0
..
compare: thohlt:devel
Branches Tags
thohlt:main thohlt:devel
thohlt:v1.2.3 thohlt:v1.2.2 thohlt:v1.2.1 thohlt:v1.2.0 thohlt:v1.1.0 thohlt:v1.0.1 thohlt:v1.0.0

17 Commits
v1.2.0 ... devel

Author SHA1 Message Date
thiloho
d34a623e39 Trigger actions 2025-04-10 21:21:43 +02:00
thiloho
c738bfbd36 Remove old diff-match-patch import 2025-04-10 20:55:37 +02:00
thiloho
7dcbd5e9d9 Use js-diff instead of diff-match-patch for word level diffs 2025-04-10 20:54:58 +02:00
thiloho
ebff67e8a7 Remove rollback migrations and fix filesystem deletion on user delete 2025-04-10 18:35:09 +02:00
thiloho
1d8f5251aa Use regular expression for logo image test 2025-04-08 12:59:18 +02:00
thiloho
37ba49a4f7 Use english catelog for Postgres full-text search and fix logo scaling on mobile devices 2025-04-08 12:36:39 +02:00
thiloho
5a6214878f Escape user input <ins> and <del> elements in logs 2025-04-06 16:43:12 +02:00
thiloho
70a81158ef Update vite and replace escaped doublequotes with normal representation 2025-04-06 09:41:31 +02:00
thiloho
d06664931a Update npm deps hash 2025-03-23 17:27:25 +01:00
thiloho
9d06ab96cc Update npm dependencies 2025-03-23 17:17:21 +01:00
thiloho
3f59fd4c58 Add more usernames to the blacklist 2025-03-23 14:49:13 +01:00
thiloho
20bcd84d7e Render line breaks in change lot HTML representation 2025-03-23 14:25:15 +01:00
thiloho
f85a7b3023 Update NPM deps hash 2025-03-09 17:24:50 +01:00
thiloho
f5125e11ba Use remote Nix flake module for archtika instead of local one 2025-03-09 16:52:05 +01:00
thiloho
4afd58c24d Update flake 2025-03-09 16:37:01 +01:00
thiloho
c76c5cc0a3 Allow the postgres user to connect to the postgres database 2025-02-07 04:13:50 +01:00
thiloho
c7f912947a Restrict module postgres settings to archtika database 2025-02-07 03:55:28 +01:00
36 changed files with 1243 additions and 1922 deletions
Expand all files Collapse all files

6
flake.lock generated
View File

@@ -2,11 +2,11 @@
"nodes": { "nodes": {
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1735471104, "lastModified": 1741379970,
"narHash": "sha256-0q9NGQySwDQc7RhAV2ukfnu7Gxa5/ybJ2ANT8DQrQrs=", "narHash": "sha256-Wh7esNh7G24qYleLvgOSY/7HlDUzWaL/n4qzlBePpiw=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "88195a94f390381c6afcdaa933c2f6ff93959cb4", "rev": "36fd87baa9083f34f7f5027900b62ee6d09b1f2f",
"type": "github" "type": "github"
}, },
"original": { "original": {

2
flake.nix
View File

@@ -38,7 +38,7 @@
web = pkgs.mkShell { web = pkgs.mkShell {
packages = with pkgs; [ nodejs ]; packages = with pkgs; [ nodejs ];
shellHook = '' shellHook = ''
export PLAYWRIGHT_BROWSERS_PATH=${pkgs.playwright-driver.browsers} export PLAYWRIGHT_BROWSERS_PATH=${pkgs.playwright.browsers}
export PLAYWRIGHT_SKIP_VALIDATE_HOST_REQUIREMENTS=true export PLAYWRIGHT_SKIP_VALIDATE_HOST_REQUIREMENTS=true
''; '';
}; };

3
nix/deploy/prod/default.nix
View File

@@ -8,7 +8,6 @@ in
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../shared.nix ../shared.nix
../../module.nix
]; ];
networking.hostName = "archtika-demo"; networking.hostName = "archtika-demo";
@@ -60,4 +59,6 @@ in
}; };
}; };
}; };
services.postgresql.settings.default_text_search_config = "pg_catalog.english";
} }

3
nix/deploy/qs/default.nix
View File

@@ -6,7 +6,6 @@ in
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../shared.nix ../shared.nix
../../module.nix
]; ];
networking.hostName = "archtika-qs"; networking.hostName = "archtika-qs";
@@ -31,4 +30,6 @@ in
group = "nginx"; group = "nginx";
}; };
}; };
services.postgresql.settings.default_text_search_config = "pg_catalog.english";
} }

304
nix/module.nix
View File

@@ -1,304 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib)
mkEnableOption
mkOption
mkIf
mkPackageOption
types
;
cfg = config.services.archtika;
in
{
options.services.archtika = {
enable = mkEnableOption "Whether to enable the archtika service";
package = mkPackageOption pkgs "archtika" { };
user = mkOption {
type = types.str;
default = "archtika";
description = "User account under which archtika runs.";
};
group = mkOption {
type = types.str;
default = "archtika";
description = "Group under which archtika runs.";
};
databaseName = mkOption {
type = types.str;
default = "archtika";
description = "Name of the PostgreSQL database for archtika.";
};
apiPort = mkOption {
type = types.port;
default = 5000;
description = "Port on which the API runs.";
};
apiAdminPort = mkOption {
type = types.port;
default = 7500;
description = "Port on which the API admin server runs.";
};
webAppPort = mkOption {
type = types.port;
default = 10000;
description = "Port on which the web application runs.";
};
domain = mkOption {
type = types.str;
description = "Domain to use for the application.";
};
settings = mkOption {
description = "Settings for the running archtika application.";
type = types.submodule {
options = {
disableRegistration = mkOption {
type = types.bool;
default = false;
description = "By default any user can create an account. That behavior can be disabled with this option.";
};
maxUserWebsites = mkOption {
type = types.ints.positive;
default = 2;
description = "Maximum number of websites allowed per user by default.";
};
maxWebsiteStorageSize = mkOption {
type = types.ints.positive;
default = 50;
description = "Maximum amount of disk space in MB allowed per user website by default.";
};
};
};
};
};
config = mkIf cfg.enable (
let
baseHardenedSystemdOptions = {
CapabilityBoundingSet = "";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
"~@resources"
];
ReadWritePaths = [ "/var/www/archtika-websites" ];
};
in
{
users.users.${cfg.user} = {
isSystemUser = true;
group = cfg.group;
};
users.groups.${cfg.group} = {
members = [
"nginx"
"postgres"
];
};
systemd.tmpfiles.settings."10-archtika" = {
"/var/www" = {
d = {
mode = "0755";
user = "root";
group = "root";
};
};
"/var/www/archtika-websites" = {
d = {
mode = "0770";
user = cfg.user;
group = cfg.group;
};
};
};
systemd.services.archtika-api = {
description = "archtika API service";
wantedBy = [ "multi-user.target" ];
after = [
"network.target"
"postgresql.service"
];
path = [ config.services.postgresql.package ];
serviceConfig = baseHardenedSystemdOptions // {
User = cfg.user;
Group = cfg.group;
Restart = "always";
WorkingDirectory = "${cfg.package}/rest-api";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
};
script =
let
dbUrl = user: "postgres://${user}@/${cfg.databaseName}?host=/var/run/postgresql";
in
''
JWT_SECRET=$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c64)
psql ${dbUrl "postgres"} \
-c "ALTER DATABASE ${cfg.databaseName} SET \"app.jwt_secret\" TO '$JWT_SECRET'" \
-c "ALTER DATABASE ${cfg.databaseName} SET \"app.website_max_storage_size\" TO ${toString cfg.settings.maxWebsiteStorageSize}" \
-c "ALTER DATABASE ${cfg.databaseName} SET \"app.website_max_number_user\" TO ${toString cfg.settings.maxUserWebsites}"
${lib.getExe pkgs.dbmate} --url "${dbUrl "postgres"}&sslmode=disable" --migrations-dir ${cfg.package}/rest-api/db/migrations up
PGRST_SERVER_CORS_ALLOWED_ORIGINS="https://${cfg.domain}" \
PGRST_ADMIN_SERVER_PORT=${toString cfg.apiAdminPort} \
PGRST_SERVER_PORT=${toString cfg.apiPort} \
PGRST_DB_SCHEMAS="api" \
PGRST_DB_ANON_ROLE="anon" \
PGRST_OPENAPI_MODE="ignore-privileges" \
PGRST_DB_URI=${dbUrl "authenticator"} \
PGRST_JWT_SECRET="$JWT_SECRET" \
${lib.getExe pkgs.postgrest}
'';
};
systemd.services.archtika-web = {
description = "archtika Web App service";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = baseHardenedSystemdOptions // {
User = cfg.user;
Group = cfg.group;
Restart = "always";
WorkingDirectory = "${cfg.package}/web-app";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
};
environment = {
REGISTRATION_IS_DISABLED = toString cfg.settings.disableRegistration;
BODY_SIZE_LIMIT = "10M";
ORIGIN = "https://${cfg.domain}";
PORT = toString cfg.webAppPort;
};
script = "${lib.getExe pkgs.nodejs} ${cfg.package}/web-app";
};
services.postgresql = {
enable = true;
ensureDatabases = [ cfg.databaseName ];
extensions = ps: with ps; [ pgjwt ];
authentication = lib.mkOverride 11 ''
local all all trust
'';
};
systemd.services.postgresql = {
path = with pkgs; [
gnutar
gzip
];
serviceConfig = {
ReadWritePaths = [ "/var/www/archtika-websites" ];
SystemCallFilter = [ "@system-service" ];
};
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedZstdSettings = true;
recommendedOptimisation = true;
appendHttpConfig = ''
map $http_cookie $archtika_auth_header {
default "";
"~*session_token=([^;]+)" "Bearer $1";
}
'';
virtualHosts = {
"${cfg.domain}" = {
useACMEHost = cfg.domain;
forceSSL = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:${toString cfg.webAppPort}";
};
"/previews/" = {
alias = "/var/www/archtika-websites/previews/";
index = "index.html";
tryFiles = "$uri $uri/ $uri.html =404";
};
"/api/rpc/export_articles_zip" = {
proxyPass = "http://127.0.0.1:${toString cfg.apiPort}/rpc/export_articles_zip";
extraConfig = ''
default_type application/json;
proxy_set_header Authorization $archtika_auth_header;
'';
};
"/api/" = {
proxyPass = "http://127.0.0.1:${toString cfg.apiPort}/";
extraConfig = ''
default_type application/json;
'';
};
"/api/rpc/register" = mkIf cfg.settings.disableRegistration {
extraConfig = ''
deny all;
'';
};
};
};
"~^(?<subdomain>.+)\\.${cfg.domain}$" = {
useACMEHost = cfg.domain;
forceSSL = true;
locations = {
"/" = {
root = "/var/www/archtika-websites/$subdomain";
index = "index.html";
tryFiles = "$uri $uri/ $uri.html =404";
};
};
};
};
};
}
);
}

2
nix/package.nix
View File

@@ -10,7 +10,7 @@ let
web = buildNpmPackage { web = buildNpmPackage {
name = "web-app"; name = "web-app";
src = ../web-app; src = ../web-app;
npmDepsHash = "sha256-RTyo7K/Hr1hBGtcBKynrziUInl91JqZl84NkJg16ufA="; npmDepsHash = "sha256-ab7MJ5vl6XNaAHTyzRxj/Zpk1nEKQLzGmPGJdDrdemg=";
npmFlags = [ "--legacy-peer-deps" ]; npmFlags = [ "--legacy-peer-deps" ];
installPhase = '' installPhase = ''
mkdir -p $out/web-app mkdir -p $out/web-app

38
rest-api/db/migrations/20240719071602_main_tables.sql
View File

@@ -157,41 +157,3 @@ CREATE TABLE internal.collab (
); );
-- migrate:down -- migrate:down
DROP TABLE internal.collab;
DROP TABLE internal.footer;
DROP TABLE internal.article;
DROP TABLE internal.docs_category;
DROP TABLE internal.home;
DROP TABLE internal.header;
DROP TABLE internal.settings;
DROP TABLE internal.media;
DROP TABLE internal.website;
DROP TABLE internal.user;
DROP SCHEMA api;
DROP FUNCTION internal.generate_slug;
DROP SCHEMA internal;
DROP ROLE anon;
DROP ROLE authenticated_user;
DROP ROLE administrator;
DROP ROLE authenticator;
ALTER DEFAULT PRIVILEGES GRANT EXECUTE ON FUNCTIONS TO PUBLIC;
DROP EXTENSION unaccent;

4
rest-api/db/migrations/20240720073454_automatic_schema_cache_reloading.sql
View File

@@ -13,7 +13,3 @@ CREATE EVENT TRIGGER pgrst_watch ON ddl_command_end
EXECUTE FUNCTION internal.pgrst_watch (); EXECUTE FUNCTION internal.pgrst_watch ();
-- migrate:down -- migrate:down
DROP EVENT TRIGGER pgrst_watch;
DROP FUNCTION internal.pgrst_watch;

20
rest-api/db/migrations/20240720074103_user_management_roles_jwt.sql
View File

@@ -170,23 +170,3 @@ GRANT EXECUTE ON FUNCTION api.login TO anon;
GRANT EXECUTE ON FUNCTION api.delete_account TO authenticated_user; GRANT EXECUTE ON FUNCTION api.delete_account TO authenticated_user;
-- migrate:down -- migrate:down
DROP TRIGGER encrypt_pass ON internal.user;
DROP TRIGGER ensure_user_role_exists ON internal.user;
DROP FUNCTION api.register;
DROP FUNCTION api.login;
DROP FUNCTION api.delete_account;
DROP FUNCTION internal.user_role;
DROP FUNCTION internal.encrypt_pass;
DROP FUNCTION internal.check_role_exists;
DROP EXTENSION pgjwt;
DROP EXTENSION pgcrypto;

22
rest-api/db/migrations/20240720132802_exposed_views_functions.sql
View File

@@ -163,25 +163,3 @@ GRANT SELECT, INSERT (website_id, user_id, permission_level), UPDATE (permission
GRANT SELECT, INSERT, UPDATE, DELETE ON api.collab TO authenticated_user; GRANT SELECT, INSERT, UPDATE, DELETE ON api.collab TO authenticated_user;
-- migrate:down -- migrate:down
DROP FUNCTION api.create_website;
DROP VIEW api.collab;
DROP VIEW api.footer;
DROP VIEW api.home;
DROP VIEW api.docs_category;
DROP VIEW api.article;
DROP VIEW api.header;
DROP VIEW api.settings;
DROP VIEW api.website;
DROP VIEW api.user;
DROP VIEW api.account;

74
rest-api/db/migrations/20240724191017_row_level_security.sql
View File

@@ -170,77 +170,3 @@ CREATE POLICY delete_collaborations ON internal.collab
USING (internal.user_has_website_access (website_id, 30, collaborator_permission_level => permission_level, collaborator_user_id => user_id)); USING (internal.user_has_website_access (website_id, 30, collaborator_permission_level => permission_level, collaborator_user_id => user_id));
-- migrate:down -- migrate:down
DROP POLICY view_user ON internal.user;
DROP POLICY update_user ON internal.user;
DROP POLICY delete_user ON internal.user;
DROP POLICY view_websites ON internal.website;
DROP POLICY delete_website ON internal.website;
DROP POLICY update_website ON internal.website;
DROP POLICY view_settings ON internal.settings;
DROP POLICY update_settings ON internal.settings;
DROP POLICY view_header ON internal.header;
DROP POLICY update_header ON internal.header;
DROP POLICY view_home ON internal.home;
DROP POLICY update_home ON internal.home;
DROP POLICY view_articles ON internal.article;
DROP POLICY update_article ON internal.article;
DROP POLICY delete_article ON internal.article;
DROP POLICY insert_article ON internal.article;
DROP POLICY view_categories ON internal.docs_category;
DROP POLICY update_category ON internal.docs_category;
DROP POLICY delete_category ON internal.docs_category;
DROP POLICY insert_category ON internal.docs_category;
DROP POLICY view_footer ON internal.footer;
DROP POLICY update_footer ON internal.footer;
DROP POLICY view_collaborations ON internal.collab;
DROP POLICY insert_collaborations ON internal.collab;
DROP POLICY update_collaborations ON internal.collab;
DROP POLICY delete_collaborations ON internal.collab;
DROP FUNCTION internal.user_has_website_access;
ALTER TABLE internal.user DISABLE ROW LEVEL SECURITY;
ALTER TABLE internal.website DISABLE ROW LEVEL SECURITY;
ALTER TABLE internal.media DISABLE ROW LEVEL SECURITY;
ALTER TABLE internal.settings DISABLE ROW LEVEL SECURITY;
ALTER TABLE internal.header DISABLE ROW LEVEL SECURITY;
ALTER TABLE internal.home DISABLE ROW LEVEL SECURITY;
ALTER TABLE internal.article DISABLE ROW LEVEL SECURITY;
ALTER TABLE internal.docs_category DISABLE ROW LEVEL SECURITY;
ALTER TABLE internal.footer DISABLE ROW LEVEL SECURITY;
ALTER TABLE internal.collab DISABLE ROW LEVEL SECURITY;

18
rest-api/db/migrations/20240805132306_last_modified_triggers.sql
View File

@@ -74,21 +74,3 @@ CREATE TRIGGER update_collab_last_modified
EXECUTE FUNCTION internal.update_last_modified (); EXECUTE FUNCTION internal.update_last_modified ();
-- migrate:down -- migrate:down
DROP TRIGGER update_website_last_modified ON internal.website;
DROP TRIGGER update_settings_last_modified ON internal.settings;
DROP TRIGGER update_header_last_modified ON internal.header;
DROP TRIGGER update_home_last_modified ON internal.home;
DROP TRIGGER update_article_last_modified ON internal.article;
DROP TRIGGER update_docs_category_modified ON internal.docs_category;
DROP TRIGGER update_footer_last_modified ON internal.footer;
DROP TRIGGER update_collab_last_modified ON internal.collab;
DROP FUNCTION internal.update_last_modified;

4
rest-api/db/migrations/20240808141708_collaborator_not_owner.sql
View File

@@ -24,7 +24,3 @@ CREATE CONSTRAINT TRIGGER check_user_not_website_owner
EXECUTE FUNCTION internal.check_user_not_website_owner (); EXECUTE FUNCTION internal.check_user_not_website_owner ();
-- migrate:down -- migrate:down
DROP TRIGGER check_user_not_website_owner ON internal.collab;
DROP FUNCTION internal.check_user_not_website_owner;

6
rest-api/db/migrations/20240810115846_image_upload_function.sql
View File

@@ -95,9 +95,3 @@ GRANT EXECUTE ON FUNCTION api.retrieve_file TO anon;
GRANT EXECUTE ON FUNCTION api.retrieve_file TO authenticated_user; GRANT EXECUTE ON FUNCTION api.retrieve_file TO authenticated_user;
-- migrate:down -- migrate:down
DROP FUNCTION api.upload_file;
DROP FUNCTION api.retrieve_file;
DROP DOMAIN "*/*";

26
rest-api/db/migrations/20240911070907_change_log.sql
View File

@@ -133,29 +133,3 @@ CREATE TRIGGER track_changes_collab
EXECUTE FUNCTION internal.track_changes (); EXECUTE FUNCTION internal.track_changes ();
-- migrate:down -- migrate:down
DROP TRIGGER track_changes_website ON internal.website;
DROP TRIGGER track_changes_media ON internal.media;
DROP TRIGGER track_changes_settings ON internal.settings;
DROP TRIGGER track_changes_header ON internal.header;
DROP TRIGGER track_changes_home ON internal.home;
DROP TRIGGER track_changes_article ON internal.article;
DROP TRIGGER track_changes_docs_category ON internal.docs_category;
DROP TRIGGER track_changes_footer ON internal.footer;
DROP TRIGGER track_changes_collab ON internal.collab;
DROP FUNCTION internal.track_changes;
DROP VIEW api.change_log;
DROP TABLE internal.change_log;
DROP EXTENSION hstore;

26
rest-api/db/migrations/20241006165029_administrator.sql
View File

@@ -141,29 +141,3 @@ GRANT UPDATE, DELETE ON internal.user TO administrator;
GRANT UPDATE, DELETE ON api.user TO administrator; GRANT UPDATE, DELETE ON api.user TO administrator;
-- migrate:down -- migrate:down
DROP FUNCTION api.user_websites_storage_size;
DROP TRIGGER _prevent_storage_excess_article ON internal.article;
DROP TRIGGER _prevent_storage_excess_collab ON internal.collab;
DROP TRIGGER _prevent_storage_excess_docs_category ON internal.docs_category;
DROP TRIGGER _prevent_storage_excess_footer ON internal.footer;
DROP TRIGGER _prevent_storage_excess_header ON internal.header;
DROP TRIGGER _prevent_storage_excess_home ON internal.home;
DROP TRIGGER _prevent_storage_excess_media ON internal.media;
DROP TRIGGER _prevent_storage_excess_settings ON internal.settings;
DROP FUNCTION internal.prevent_website_storage_size_excess;
REVOKE UPDATE (max_storage_size) ON internal.website FROM administrator;
REVOKE UPDATE, DELETE ON internal.user FROM administrator;
REVOKE UPDATE, DELETE ON api.user FROM administrator;

6
rest-api/db/migrations/20241011092744_filesystem_triggers.sql
View File

@@ -56,9 +56,3 @@ CREATE TRIGGER _cleanup_filesystem_article
EXECUTE FUNCTION internal.cleanup_filesystem (); EXECUTE FUNCTION internal.cleanup_filesystem ();
-- migrate:down -- migrate:down
DROP TRIGGER _cleanup_filesystem_website ON internal.website;
DROP TRIGGER _cleanup_filesystem_article ON internal.article;
DROP FUNCTION internal.cleanup_filesystem;

2
rest-api/db/migrations/20241029160539_export_articles.sql
View File

@@ -39,5 +39,3 @@ SECURITY DEFINER;
GRANT EXECUTE ON FUNCTION api.export_articles_zip TO authenticated_user; GRANT EXECUTE ON FUNCTION api.export_articles_zip TO authenticated_user;
-- migrate:down -- migrate:down
DROP FUNCTION api.export_articles_zip;

3
rest-api/db/migrations/20241206191942_username_blocklist.sql
View File

@@ -3,6 +3,3 @@ ALTER TABLE internal.user
ADD CONSTRAINT username_not_blocked CHECK (LOWER(username) NOT IN ('admin', 'administrator', 'api', 'auth', 'blog', 'cdn', 'docs', 'help', 'login', 'logout', 'profile', 'register', 'settings', 'setup', 'signin', 'signup', 'support', 'test', 'www')); ADD CONSTRAINT username_not_blocked CHECK (LOWER(username) NOT IN ('admin', 'administrator', 'api', 'auth', 'blog', 'cdn', 'docs', 'help', 'login', 'logout', 'profile', 'register', 'settings', 'setup', 'signin', 'signup', 'support', 'test', 'www'));
-- migrate:down -- migrate:down
ALTER TABLE internal.user
DROP CONSTRAINT username_not_blocked;

8
rest-api/db/migrations/20250323134405_username_blocklist.sql Normal file
View File

@@ -0,0 +1,8 @@
-- migrate:up
ALTER TABLE internal.user
DROP CONSTRAINT username_not_blocked;
ALTER TABLE internal.user
ADD CONSTRAINT username_not_blocked CHECK (LOWER(username) NOT IN ('admin', 'administrator', 'api', 'auth', 'blog', 'cdn', 'docs', 'help', 'login', 'logout', 'profile', 'preview', 'previews', 'register', 'settings', 'setup', 'signin', 'signup', 'support', 'test', 'www'));
-- migrate:down

88
rest-api/db/migrations/20250410150518_filesystem_triggers.sql Normal file
View File

@@ -0,0 +1,88 @@
-- migrate:up
DROP TRIGGER _cleanup_filesystem_website ON internal.website;
DROP TRIGGER _cleanup_filesystem_article ON internal.article;
DROP FUNCTION internal.cleanup_filesystem;
CREATE FUNCTION internal.cleanup_filesystem ()
RETURNS TRIGGER
AS $$
DECLARE
_website_id UUID;
_website_user_id UUID;
_website_slug TEXT;
_username TEXT;
_base_path CONSTANT TEXT := '/var/www/archtika-websites';
_preview_path TEXT;
_prod_path TEXT;
_article_slug TEXT;
BEGIN
IF TG_TABLE_NAME = 'website' THEN
_website_id := OLD.id;
_website_user_id = OLD.user_id;
_website_slug := OLD.slug;
ELSE
_website_id := OLD.website_id;
END IF;
SELECT
u.username INTO _username
FROM
internal.user AS u
WHERE
u.id = _website_user_id;
_preview_path := _base_path || '/previews/' || _website_id;
IF TG_TABLE_NAME = 'website' THEN
EXECUTE FORMAT('COPY (SELECT 1) TO PROGRAM ''rm -rf %s''', _preview_path);
IF _username IS NOT NULL THEN
_prod_path := _base_path || '/' || _username || '/' || _website_slug;
EXECUTE FORMAT('COPY (SELECT 1) TO PROGRAM ''rm -rf %s''', _prod_path);
END IF;
ELSIF TG_TABLE_NAME = 'article' THEN
SELECT
a.slug INTO _article_slug
FROM
internal.article AS a
WHERE
a.id = OLD.id;
EXECUTE FORMAT('COPY (SELECT 1) TO PROGRAM ''rm -f %s/articles/%s.html''', _preview_path, _article_slug);
END IF;
RETURN COALESCE(NEW, OLD);
END;
$$
LANGUAGE plpgsql
SECURITY DEFINER;
CREATE FUNCTION internal.cleanup_user_directory ()
RETURNS TRIGGER
AS $$
DECLARE
_username TEXT;
_base_path CONSTANT TEXT := '/var/www/archtika-websites';
_user_path TEXT;
BEGIN
_username := OLD.username;
_user_path := _base_path || '/' || _username;
EXECUTE FORMAT('COPY (SELECT 1) TO PROGRAM ''rm -rf %s''', _user_path);
RETURN OLD;
END;
$$
LANGUAGE plpgsql
SECURITY DEFINER;
CREATE TRIGGER _cleanup_filesystem_website
BEFORE UPDATE OF title OR DELETE ON internal.website
FOR EACH ROW
EXECUTE FUNCTION internal.cleanup_filesystem ();
CREATE TRIGGER _cleanup_filesystem_article
BEFORE UPDATE OF title OR DELETE ON internal.article
FOR EACH ROW
EXECUTE FUNCTION internal.cleanup_filesystem ();
CREATE TRIGGER _cleanup_user_directory
BEFORE DELETE ON internal.user
FOR EACH ROW
EXECUTE FUNCTION internal.cleanup_user_directory ();
-- migrate:down

2357
web-app/package-lock.json generated
View File

File diff suppressed because it is too large Load Diff

48
web-app/package.json
View File

@@ -14,35 +14,35 @@
"gents": "pg-to-ts generate -c postgres://postgres@127.0.0.1:15432/archtika -o src/lib/db-schema.ts -s internal --datesAsStrings" "gents": "pg-to-ts generate -c postgres://postgres@127.0.0.1:15432/archtika -o src/lib/db-schema.ts -s internal --datesAsStrings"
}, },
"devDependencies": { "devDependencies": {
"@playwright/test": "1.47.0", "@playwright/test": "1.50.1",
"@sveltejs/adapter-auto": "3.2.5", "@sveltejs/adapter-auto": "5.0.0",
"@sveltejs/adapter-node": "5.2.3", "@sveltejs/adapter-node": "5.2.12",
"@sveltejs/kit": "2.5.28", "@sveltejs/kit": "2.20.2",
"@sveltejs/vite-plugin-svelte": "4.0.0-next.6", "@sveltejs/vite-plugin-svelte": "5.0.3",
"@types/diff-match-patch": "1.0.36", "@types/diff": "7.0.2",
"@types/eslint": "9.6.1", "@types/eslint": "9.6.1",
"@types/eslint__js": "8.42.3", "@types/eslint__js": "9.14.0",
"@types/eslint-config-prettier": "6.11.3", "@types/eslint-config-prettier": "6.11.3",
"@types/node": "22.5.5", "@types/node": "22.13.11",
"eslint": "9.15.0", "eslint": "9.23.0",
"eslint-config-prettier": "9.1.0", "eslint-config-prettier": "10.1.1",
"eslint-plugin-svelte": "2.44.0", "eslint-plugin-svelte": "3.3.3",
"globals": "15.9.0", "globals": "16.0.0",
"pg-to-ts": "4.1.1", "pg-to-ts": "4.1.1",
"prettier": "3.3.3", "prettier": "3.5.3",
"prettier-plugin-svelte": "3.2.6", "prettier-plugin-svelte": "3.3.3",
"svelte": "5.0.0-next.253", "svelte": "5.25.3",
"svelte-check": "4.0.2", "svelte-check": "4.1.5",
"typescript": "5.6.2", "typescript": "5.8.2",
"typescript-eslint": "8.6.0", "typescript-eslint": "8.27.0",
"vite": "5.4.6" "vite": "6.2.5"
}, },
"dependencies": { "dependencies": {
"diff-match-patch": "1.0.5", "diff": "7.0.0",
"highlight.js": "11.10.0", "highlight.js": "11.11.1",
"isomorphic-dompurify": "2.15.0", "isomorphic-dompurify": "2.22.0",
"marked": "14.1.2", "marked": "15.0.7",
"marked-highlight": "2.1.4" "marked-highlight": "2.2.1"
}, },
"overrides": { "overrides": {
"cookie": "0.7.0" "cookie": "0.7.0"

2
web-app/src/lib/components/Pagination.svelte
View File

@@ -8,7 +8,7 @@
<div class="pagination"> <div class="pagination">
{#snippet commonFilterInputs()} {#snippet commonFilterInputs()}
{#each commonFilters as filter} {#each commonFilters as filter (filter)}
<input type="hidden" name={filter} value={$page.url.searchParams.get(filter)} /> <input type="hidden" name={filter} value={$page.url.searchParams.get(filter)} />
{/each} {/each}
{/snippet} {/snippet}

2
web-app/src/lib/components/WebsiteEditor.svelte
View File

@@ -39,7 +39,7 @@
<nav class="operations__nav"> <nav class="operations__nav">
<ul class="unpadded"> <ul class="unpadded">
{#each tabs.filter((tab) => (tab !== "categories" && contentType === "Blog") || contentType === "Docs") as tab} {#each tabs.filter((tab) => (tab !== "categories" && contentType === "Blog") || contentType === "Docs") as tab (tab)}
<li> <li>
<a <a
href="/website/{id}{tab === 'settings' ? '' : `/${tab}`}" href="/website/{id}{tab === 'settings' ? '' : `/${tab}`}"

1
web-app/src/lib/server/utils.ts
View File

@@ -16,6 +16,7 @@ export const apiRequest = async (
method: "HEAD" | "GET" | "POST" | "PATCH" | "DELETE", method: "HEAD" | "GET" | "POST" | "PATCH" | "DELETE",
options: { options: {
headers?: Record<string, string>; headers?: Record<string, string>;
// eslint-disable-next-line @typescript-eslint/no-explicit-any
body?: any; body?: any;
successMessage?: string; successMessage?: string;
returnData?: boolean; returnData?: boolean;

12
web-app/src/lib/templates/Index.svelte
View File

@@ -54,18 +54,18 @@
</h2> </h2>
<ul class="unpadded"> <ul class="unpadded">
{#each sortedArticles as article} {#each sortedArticles as { id, publication_date, slug, title, meta_description } (id)}
<li> <li>
{#if article.publication_date} {#if publication_date}
<p>{article.publication_date}</p> <p>{publication_date}</p>
{/if} {/if}
<p> <p>
<strong> <strong>
<a href="./articles/{article.slug}">{article.title}</a> <a href="./articles/{slug}">{title}</a>
</strong> </strong>
</p> </p>
{#if article.meta_description} {#if meta_description}
<p>{article.meta_description}</p> <p>{meta_description}</p>
{/if} {/if}
</li> </li>
{/each} {/each}

4
web-app/src/lib/templates/Nav.svelte
View File

@@ -55,11 +55,11 @@
<section id="docs-navigation" class="docs-navigation"> <section id="docs-navigation" class="docs-navigation">
<ul> <ul>
{#each Object.keys(categorizedArticles) as key} {#each Object.keys(categorizedArticles) as key (key)}
<li> <li>
<strong>{key}</strong> <strong>{key}</strong>
<ul> <ul>
{#each categorizedArticles[key] as { title, slug }} {#each categorizedArticles[key] as { title, slug } (slug)}
<li> <li>
<a href="{isIndexPage ? './articles' : '.'}/{slug}">{title}</a> <a href="{isIndexPage ? './articles' : '.'}/{slug}">{title}</a>
</li> </li>

2
web-app/src/routes/(authenticated)/account/+page.svelte
View File

@@ -39,7 +39,7 @@
<a href="#storage">Storage</a> <a href="#storage">Storage</a>
</h2> </h2>
<ul class="unpadded storage-grid"> <ul class="unpadded storage-grid">
{#each data.storageSizes.data as { website_title, storage_size_bytes, max_storage_bytes, max_storage_pretty, diff_storage_pretty }} {#each data.storageSizes.data as { website_id, website_title, storage_size_bytes, max_storage_bytes, max_storage_pretty, diff_storage_pretty } (website_id)}
<li> <li>
<strong>{website_title}</strong> <strong>{website_title}</strong>
<label> <label>

2
web-app/src/routes/(authenticated)/website/[websiteId]/+page.svelte
View File

@@ -136,7 +136,7 @@
</label> </label>
<div class="file-field"> <div class="file-field">
<label> <label>
Logo image: Logo image (height should be &lt;= 32px):
<input type="file" name="logo-image" accept={ALLOWED_MIME_TYPES.join(", ")} /> <input type="file" name="logo-image" accept={ALLOWED_MIME_TYPES.join(", ")} />
</label> </label>
{#if data.header.logo_image} {#if data.header.logo_image}

2
web-app/src/routes/(authenticated)/website/[websiteId]/articles/[articleId]/+page.svelte
View File

@@ -48,7 +48,7 @@
<label> <label>
Category: Category:
<select name="category"> <select name="category">
{#each data.categories as { id, category_name }} {#each data.categories as { id, category_name } (id)}
<option value={id} selected={id === data.article.category}>{category_name}</option> <option value={id} selected={id === data.article.category}>{category_name}</option>
{/each} {/each}
</select> </select>

30
web-app/src/routes/(authenticated)/website/[websiteId]/logs/+page.server.ts
View File

@@ -1,8 +1,8 @@
import type { PageServerLoad, Actions } from "./$types"; import type { PageServerLoad, Actions } from "./$types";
import { API_BASE_PREFIX, apiRequest } from "$lib/server/utils"; import { API_BASE_PREFIX, apiRequest } from "$lib/server/utils";
import type { ChangeLog, User, Collab } from "$lib/db-schema"; import type { ChangeLog, User, Collab } from "$lib/db-schema";
import DiffMatchPatch from "diff-match-patch";
import { PAGINATION_MAX_ITEMS } from "$lib/utils"; import { PAGINATION_MAX_ITEMS } from "$lib/utils";
import * as Diff from "diff";
export const load: PageServerLoad = async ({ parent, fetch, params, url }) => { export const load: PageServerLoad = async ({ parent, fetch, params, url }) => {
const userFilter = url.searchParams.get("user"); const userFilter = url.searchParams.get("user");
@@ -76,21 +76,19 @@ export const actions: Actions = {
computeDiff: async ({ request, fetch }) => { computeDiff: async ({ request, fetch }) => {
const data = await request.formData(); const data = await request.formData();
const dmp = new DiffMatchPatch();
const htmlDiff = (oldValue: string, newValue: string) => { const htmlDiff = (oldValue: string, newValue: string) => {
const diff = dmp.diff_main(oldValue, newValue); const diff = Diff.diffWordsWithSpace(oldValue, newValue);
dmp.diff_cleanupSemantic(diff);
return diff return diff
.map(([op, text]) => { .map((part) => {
switch (op) { const escapedText = part.value.replace(/</g, "&lt;").replace(/>/g, "&gt;");
case 1:
return `<ins>${text}</ins>`; if (part.added) {
case -1: return `<ins>${escapedText}</ins>`;
return `<del>${text}</del>`; } else if (part.removed) {
default: return `<del>${escapedText}</del>`;
return text; } else {
return escapedText;
} }
}) })
.join(""); .join("");
@@ -111,8 +109,12 @@ export const actions: Actions = {
return { return {
logId: data.get("id"), logId: data.get("id"),
currentDiff: htmlDiff( currentDiff: htmlDiff(
JSON.stringify(log.old_value, null, 2), JSON.stringify(log.old_value, null, 2)
.replace(/\\r\\n|\\n|\\r/g, "\n")
.replace(/\\\"/g, '"'),
JSON.stringify(log.new_value, null, 2) JSON.stringify(log.new_value, null, 2)
.replace(/\\r\\n|\\n|\\r/g, "\n")
.replace(/\\\"/g, '"')
) )
}; };
} }

12
web-app/src/routes/(authenticated)/website/[websiteId]/logs/+page.svelte
View File

@@ -63,7 +63,7 @@
/> />
<datalist id="users-{data.website.id}"> <datalist id="users-{data.website.id}">
<option value={data.website.user.username}></option> <option value={data.website.user.username}></option>
{#each data.collaborators as { user: { username } }} {#each data.collaborators as { user: { username } } (username)}
<option value={username}></option> <option value={username}></option>
{/each} {/each}
</datalist> </datalist>
@@ -72,7 +72,7 @@
Resource: Resource:
<select name="resource"> <select name="resource">
<option value="all">Show all</option> <option value="all">Show all</option>
{#each Object.keys(resources) as resource} {#each Object.keys(resources) as resource (resource)}
<option <option
value={resource} value={resource}
selected={resource === $page.url.searchParams.get("resource")}>{resource}</option selected={resource === $page.url.searchParams.get("resource")}>{resource}</option
@@ -141,20 +141,18 @@
<button type="submit">Compute diff</button> <button type="submit">Compute diff</button>
</form> </form>
{#if form?.logId === id && form?.currentDiff} {#if form?.logId === id && form?.currentDiff}
<pre>{@html DOMPurify.sanitize(form.currentDiff, { <pre>{@html form.currentDiff}</pre>
ALLOWED_TAGS: ["ins", "del"]
})}</pre>
{/if} {/if}
{/if} {/if}
{#if new_value && !old_value} {#if new_value && !old_value}
<h4>New value</h4> <h4>New value</h4>
<pre>{DOMPurify.sanitize(newValue)}</pre> <pre>{newValue.replace(/\\\"/g, '"').replace(/\\r\\n|\\n|\\r/g, "\n")}</pre>
{/if} {/if}
{#if old_value && !new_value} {#if old_value && !new_value}
<h4>Old value</h4> <h4>Old value</h4>
<pre>{DOMPurify.sanitize(oldValue)}</pre> <pre>{oldValue.replace(/\\\"/g, '"').replace(/\\r\\n|\\n|\\r/g, "\n")}</pre>
{/if} {/if}
</Modal> </Modal>
</td> </td>

6
web-app/template-styles/blog-styles.css
View File

@@ -33,7 +33,6 @@ header img {
object-position: center; object-position: center;
} }
nav,
header, header,
main { main {
padding-block: var(--space-s); padding-block: var(--space-s);
@@ -71,11 +70,6 @@ section {
scroll-margin-block-start: var(--space-xl); scroll-margin-block-start: var(--space-xl);
} }
.top-nav-logo {
max-block-size: var(--space-xl);
padding-block: var(--space-xs);
}
@media (min-width: 1525px) { @media (min-width: 1525px) {
#table-of-contents { #table-of-contents {
position: fixed; position: fixed;

6
web-app/template-styles/docs-styles.css
View File

@@ -26,7 +26,6 @@ header > .container {
gap: var(--space-s); gap: var(--space-s);
} }
nav,
header, header,
main { main {
padding-block: var(--space-s); padding-block: var(--space-s);
@@ -49,11 +48,6 @@ section {
scroll-margin-block-start: var(--space-xl); scroll-margin-block-start: var(--space-xl);
} }
.top-nav-logo {
max-block-size: var(--space-xl);
padding-block: var(--space-xs);
}
.docs-navigation { .docs-navigation {
display: none; display: none;
position: fixed; position: fixed;

8
web-app/tests/settings.spec.ts
View File

@@ -50,9 +50,9 @@ test.describe("Website owner", () => {
await page.getByLabel("Logo text:").click(); await page.getByLabel("Logo text:").click();
await page.getByLabel("Logo text:").press("ControlOrMeta+a"); await page.getByLabel("Logo text:").press("ControlOrMeta+a");
await page.getByLabel("Logo text:").fill("Logo text"); await page.getByLabel("Logo text:").fill("Logo text");
await page.getByLabel("Logo image:").click(); await page.getByLabel(/Logo image/).click();
await page await page
.getByLabel("Logo image") .getByLabel(/Logo image/)
.setInputFiles(join(__dirname, "sample-files", "archtika-logo-512x512.png")); .setInputFiles(join(__dirname, "sample-files", "archtika-logo-512x512.png"));
await page.getByRole("button", { name: "Update header" }).click(); await page.getByRole("button", { name: "Update header" }).click();
await expect(page.getByText("Successfully updated header")).toBeVisible(); await expect(page.getByText("Successfully updated header")).toBeVisible();
@@ -122,9 +122,9 @@ for (const permissionLevel of permissionLevels) {
await page.getByLabel("Logo text:").click(); await page.getByLabel("Logo text:").click();
await page.getByLabel("Logo text:").press("ControlOrMeta+a"); await page.getByLabel("Logo text:").press("ControlOrMeta+a");
await page.getByLabel("Logo text:").fill("Logo text"); await page.getByLabel("Logo text:").fill("Logo text");
await page.getByLabel("Logo image:").click(); await page.getByLabel(/Logo image/).click();
await page await page
.getByLabel("Logo image") .getByLabel(/Logo image/)
.setInputFiles(join(__dirname, "sample-files", "archtika-logo-512x512.png")); .setInputFiles(join(__dirname, "sample-files", "archtika-logo-512x512.png"));
await page await page
.getByRole("button", { name: "Update header" }) .getByRole("button", { name: "Update header" })