feat: uploads config + security admin page

client/components/admin.vue

@@ -89,6 +89,9 @@
             v-list-item(to='/mail', color='primary', v-if='hasPermission(`manage:system`)')
               v-list-item-avatar(size='24', tile): v-icon mdi-email-multiple-outline
               v-list-item-title {{ $t('admin:mail.title') }}
+            v-list-item(to='/security', v-if='hasPermission(`manage:system`)')
+              v-list-item-avatar(size='24', tile): v-icon mdi-lock-check
+              v-list-item-title {{ $t('admin:security.title') }}
             v-list-item(to='/ssl', v-if='hasPermission(`manage:system`)')
               v-list-item-avatar(size='24', tile): v-icon mdi-cloud-lock-outline
               v-list-item-title {{ $t('admin:ssl.title') }}
@@ -172,6 +175,7 @@ const router = new VueRouter({
     { path: '/storage', component: () => import(/* webpackChunkName: "admin" */ './admin/admin-storage.vue') },
     { path: '/api', component: () => import(/* webpackChunkName: "admin" */ './admin/admin-api.vue') },
     { path: '/mail', component: () => import(/* webpackChunkName: "admin" */ './admin/admin-mail.vue') },
+    { path: '/security', component: () => import(/* webpackChunkName: "admin" */ './admin/admin-security.vue') },
     { path: '/ssl', component: () => import(/* webpackChunkName: "admin" */ './admin/admin-ssl.vue') },
     { path: '/system', component: () => import(/* webpackChunkName: "admin" */ './admin/admin-system.vue') },
     { path: '/utilities', component: () => import(/* webpackChunkName: "admin" */ './admin/admin-utilities.vue') },

client/components/admin/admin-general.vue

@@ -167,93 +167,6 @@
                     disabled
                     )
 
-              v-card.mt-5.animated.fadeInUp.wait-p5s
-                v-toolbar(color='red darken-2', dark, dense, flat)
-                  v-toolbar-title.subtitle-1 Security
-                v-card-text
-                  v-alert(outlined, color='red darken-2', icon='mdi-information-outline').body-2 Make sure to understand the implications before turning on / off a security feature.
-                  v-switch.mt-3(
-                    inset
-                    label='Block IFrame Embedding'
-                    color='red darken-2'
-                    v-model='config.securityIframe'
-                    persistent-hint
-                    hint='Prevents other websites from embedding your wiki in an iframe. This provides clickjacking protection.'
-                    )
-
-                  v-divider.mt-3
-                  v-switch(
-                    inset
-                    label='Same Origin Referrer Policy'
-                    color='red darken-2'
-                    v-model='config.securityReferrerPolicy'
-                    persistent-hint
-                    hint='Limits the referrer header to same origin.'
-                    )
-
-                  v-divider.mt-3
-                  v-switch(
-                    inset
-                    label='Trust X-Forwarded-* Proxy Headers'
-                    color='red darken-2'
-                    v-model='config.securityTrustProxy'
-                    persistent-hint
-                    hint='Should be enabled when using a reverse-proxy like nginx, apache, CloudFlare, etc in front of Wiki.js. Turn off otherwise.'
-                    )
-
-                  v-divider.mt-3
-                  v-switch(
-                    inset
-                    label='Subresource Integrity (SRI)'
-                    color='red darken-2'
-                    v-model='config.securitySRI'
-                    persistent-hint
-                    hint='This ensure that resources such as CSS and JS files are not altered during delivery.'
-                    disabled
-                    )
-
-                  v-divider.mt-3
-                  v-switch(
-                    inset
-                    label='Enforce HSTS'
-                    color='red darken-2'
-                    v-model='config.securityHSTS'
-                    persistent-hint
-                    hint='This ensures the connection cannot be established through an insecure HTTP connection.'
-                    )
-                  v-select.mt-5(
-                    outlined
-                    label='HSTS Max Age'
-                    :items='hstsDurations'
-                    v-model='config.securityHSTSDuration'
-                    prepend-icon='mdi-subdirectory-arrow-right'
-                    :disabled='!config.securityHSTS'
-                    hide-details
-                    style='max-width: 450px;'
-                    )
-                  .pl-11.mt-3
-                    .caption Defines the duration for which the server should only deliver content through HTTPS.
-                    .caption It's a good idea to start with small values and make sure that nothing breaks on your wiki before moving to longer values.
-
-                  v-divider.mt-3
-                  v-switch(
-                    inset
-                    label='Enforce CSP'
-                    color='red darken-2'
-                    v-model='config.securityCSP'
-                    persistent-hint
-                    hint='Restricts scripts to pre-approved content sources.'
-                    disabled
-                    )
-                  v-textarea.mt-5(
-                    label='CSP Directives'
-                    outlined
-                    v-model='config.securityCSPDirectives'
-                    prepend-icon='mdi-subdirectory-arrow-right'
-                    persistent-hint
-                    hint='One directive per line.'
-                    disabled
-                  )
     component(:is='activeModal')
 
 </template>
@@ -296,24 +209,8 @@ export default {
         featurePageRatings: false,
         featurePageComments: false,
         featurePersonalWikis: false,
-        featureTinyPNG: false,
-        securityIframe: true,
-        securityReferrerPolicy: true,
-        securityTrustProxy: true,
-        securitySRI: true,
-        securityHSTS: false,
-        securityHSTSDuration: 0,
-        securityCSP: false,
-        securityCSPDirectives: ''
+        featureTinyPNG: false
       },
-      hstsDurations: [
-        { value: 300, text: '5 minutes' },
-        { value: 86400, text: '1 day' },
-        { value: 604800, text: '1 week' },
-        { value: 2592000, text: '1 month' },
-        { value: 31536000, text: '1 year' },
-        { value: 63072000, text: '2 years' }
-      ],
       metaRobots: [
         { text: 'Index', value: 'index' },
         { text: 'Follow', value: 'follow' },
@@ -360,14 +257,6 @@ export default {
               $featurePageRatings: Boolean!
               $featurePageComments: Boolean!
               $featurePersonalWikis: Boolean!
-              $securityIframe: Boolean!
-              $securityReferrerPolicy: Boolean!
-              $securityTrustProxy: Boolean!
-              $securitySRI: Boolean!
-              $securityHSTS: Boolean!
-              $securityHSTSDuration: Int!
-              $securityCSP: Boolean!
-              $securityCSPDirectives: String!
             ) {
               site {
                 updateConfig(
@@ -382,15 +271,7 @@ export default {
                   logoUrl: $logoUrl,
                   featurePageRatings: $featurePageRatings,
                   featurePageComments: $featurePageComments,
-                  featurePersonalWikis: $featurePersonalWikis,
-                  securityIframe: $securityIframe,
-                  securityReferrerPolicy: $securityReferrerPolicy,
-                  securityTrustProxy: $securityTrustProxy,
-                  securitySRI: $securitySRI,
-                  securityHSTS: $securityHSTS,
-                  securityHSTSDuration: $securityHSTSDuration,
-                  securityCSP: $securityCSP,
-                  securityCSPDirectives: $securityCSPDirectives
+                  featurePersonalWikis: $featurePersonalWikis
                 ) {
                   responseResult {
                     succeeded
@@ -414,15 +295,7 @@ export default {
             logoUrl: _.get(this.config, 'logoUrl', ''),
             featurePageRatings: _.get(this.config, 'featurePageRatings', false),
             featurePageComments: _.get(this.config, 'featurePageComments', false),
-            featurePersonalWikis: _.get(this.config, 'featurePersonalWikis', false),
-            securityIframe: _.get(this.config, 'securityIframe', false),
-            securityReferrerPolicy: _.get(this.config, 'securityReferrerPolicy', false),
-            securityTrustProxy: _.get(this.config, 'securityTrustProxy', false),
-            securitySRI: _.get(this.config, 'securitySRI', false),
-            securityHSTS: _.get(this.config, 'securityHSTS', false),
-            securityHSTSDuration: _.get(this.config, 'securityHSTSDuration', 0),
-            securityCSP: _.get(this.config, 'securityCSP', false),
-            securityCSPDirectives: _.get(this.config, 'securityCSPDirectives', '')
+            featurePersonalWikis: _.get(this.config, 'featurePersonalWikis', false)
           },
           watchLoading (isLoading) {
             this.$store.commit(`loading${isLoading ? 'Start' : 'Stop'}`, 'admin-site-update')
@@ -475,14 +348,6 @@ export default {
               featurePageRatings
               featurePageComments
               featurePersonalWikis
-              securityIframe
-              securityReferrerPolicy
-              securityTrustProxy
-              securitySRI
-              securityHSTS
-              securityHSTSDuration
-              securityCSP
-              securityCSPDirectives
             }
           }
         }

client/static/svg/icon-private.svg

+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64" width="96px" height="96px"><linearGradient id="sjY3Z3RjS0RqXT5Ds3orNa" x1="35" x2="35" y1="39.75" y2="46.768" gradientUnits="userSpaceOnUse" spreadMethod="reflect"><stop offset="0" stop-color="#6dc7ff"/><stop offset=".216" stop-color="#87c1ff"/><stop offset="1" stop-color="#e6abff"/></linearGradient><path fill="url(#sjY3Z3RjS0RqXT5Ds3orNa)" d="M34,46h-2v-1c0-2.757,2.243-5,5-5h1v2h-1c-1.654,0-3,1.346-3,3V46z"/><linearGradient id="sjY3Z3RjS0RqXT5Ds3orNb" x1="32" x2="32" y1="4" y2="60.514" gradientUnits="userSpaceOnUse" spreadMethod="reflect"><stop offset="0" stop-color="#1a6dff"/><stop offset="1" stop-color="#c822ff"/></linearGradient><path fill="url(#sjY3Z3RjS0RqXT5Ds3orNb)" d="M58,32C58,17.664,46.336,6,32,6S6,17.664,6,32s11.664,26,26,26c3.539,0,6.915-0.713,9.993-2 H42v-0.003C51.387,52.071,58,42.794,58,32z M23,31v1h2v-1v-5.5v-4c0-0.827,0.673-1.5,1.5-1.5s1.5,0.673,1.5,1.5V27v5h2v-5v-5.5V18 c0-1.103,0.897-2,2-2s2,0.897,2,2v4v9v1h2v-1v-9c0-1.103,0.897-2,2-2s2,0.897,2,2v15.755c0,0.801,0.455,1.499,1.187,1.823 c0.731,0.324,1.555,0.19,2.147-0.348l3.252-2.958c0.78-0.779,2.049-0.779,2.828,0C49.792,36.65,50,37.152,50,37.687 c0,0.534-0.208,1.036-0.586,1.414l-6.262,6.262C41.451,47.063,39.19,48,36.785,48H25c-2.757,0-5-2.243-5-5V25.5 c0-0.827,0.673-1.5,1.5-1.5s1.5,0.673,1.5,1.5V31z M30,52v3.91c-0.675-0.056-1.342-0.139-2-0.25V52h-2v3.24 c-1.387-0.358-2.722-0.843-4-1.432v-4.494C22.911,49.75,23.925,50,25,50h11.785c1.106,0,2.186-0.162,3.215-0.475v5.099 c-1.287,0.456-2.624,0.805-4,1.036V52h-2v3.91C33.34,55.965,32.674,56,32,56v-4H30z M42,53.809V48.69 c0.932-0.503,1.796-1.143,2.566-1.913l6.262-6.262C51.584,39.759,52,38.755,52,37.687c0-1.069-0.416-2.073-1.172-2.829 c-0.755-0.755-1.76-1.171-2.828-1.171s-2.073,0.416-2.794,1.138L42,37.755V22c0-2.206-1.794-4-4-4c-0.732,0-1.409,0.212-2,0.556V18 c0-2.206-1.794-4-4-4s-4,1.794-4,4v0.351C27.544,18.133,27.039,18,26.5,18c-1.93,0-3.5,1.57-3.5,3.5v0.851 C22.544,22.133,22.039,22,21.5,22c-1.93,0-3.5,1.57-3.5,3.5V43c0,1.902,0.765,3.627,2,4.89v4.881C12.834,48.615,8,40.864,8,32 C8,18.767,18.767,8,32,8s24,10.767,24,24C56,41.665,50.253,50.009,42,53.809z"/></svg>
\ No newline at end of file

config.sample.yml

@@ -106,18 +106,6 @@ bindIP: 0.0.0.0
 logLevel: info
 
 # ---------------------------------------------------------------------
-# Upload Limits
-# ---------------------------------------------------------------------
-# If you're using a reverse-proxy in front of Wiki.js, you must also
-# change your proxy upload limits!
-
-uploads:
-  # Maximum upload size in bytes per file (default: 5242880 (5 MB))
-  maxFileSize: 5242880
-  # Maximum file uploads per request (default: 10)
-  maxFiles: 10
-
-# ---------------------------------------------------------------------
 # Offline Mode
 # ---------------------------------------------------------------------
 # If your server cannot access the internet. Set to true and manually

server/app/data.yml

@@ -24,9 +24,6 @@ defaults:
       min: 1
     bindIP: 0.0.0.0
     logLevel: info
-    uploads:
-      maxFileSize: 5242880
-      maxFiles: 10
     offline: false
     ha: false
     # DB defaults
@@ -67,6 +64,9 @@ defaults:
       securityCSPDirectives: ''
     server:
       sslRedir: false
+    uploads:
+      maxFileSize: 5242880
+      maxFiles: 10
     flags:
       ldapdebug: false
       sqllog: false

server/controllers/upload.js

@@ -10,13 +10,15 @@ const sanitize = require('sanitize-filename')
 /**
  * Upload files
  */
-router.post('/u', multer({
-  dest: path.resolve(WIKI.ROOTPATH, WIKI.config.dataPath, 'uploads'),
-  limits: {
-    fileSize: WIKI.config.uploads.maxFileSize,
-    files: WIKI.config.uploads.maxFiles
-  }
-}).array('mediaUpload'), async (req, res, next) => {
+router.post('/u', (req, res, next) => {
+  multer({
+    dest: path.resolve(WIKI.ROOTPATH, WIKI.config.dataPath, 'uploads'),
+    limits: {
+      fileSize: WIKI.config.uploads.maxFileSize,
+      files: WIKI.config.uploads.maxFiles
+    }
+  }).array('mediaUpload')(req, res, next)
+}, async (req, res, next) => {
   if (!_.some(req.user.permissions, pm => _.includes(['write:assets', 'manage:system'], pm))) {
     return res.status(403).json({
       succeeded: false,

server/graph/resolvers/site.js

@@ -20,44 +20,69 @@ module.exports = {
         logoUrl: WIKI.config.logoUrl,
         ...WIKI.config.seo,
         ...WIKI.config.features,
-        ...WIKI.config.security
+        ...WIKI.config.security,
+        uploadMaxFileSize: WIKI.config.uploads.maxFileSize,
+        uploadMaxFiles: WIKI.config.uploads.maxFiles
       }
     }
   },
   SiteMutation: {
     async updateConfig(obj, args, context) {
-      let siteHost = _.trim(args.host)
-      if (siteHost.endsWith('/')) {
-        siteHost = siteHost.splice(0, -1)
-      }
       try {
-        WIKI.config.host = siteHost
-        WIKI.config.title = _.trim(args.title)
-        WIKI.config.company = _.trim(args.company)
-        WIKI.config.contentLicense = args.contentLicense
+        if (args.host) {
+          let siteHost = _.trim(args.host)
+          if (siteHost.endsWith('/')) {
+            siteHost = siteHost.splice(0, -1)
+          }
+          WIKI.config.host = siteHost
+        }
+
+        if (args.title) {
+          WIKI.config.title = _.trim(args.title)
+        }
+
+        if (args.company) {
+          WIKI.config.company = _.trim(args.company)
+        }
+
+        if (args.contentLicense) {
+          WIKI.config.contentLicense = args.contentLicense
+        }
+
+        if (args.logoUrl) {
+          WIKI.config.logoUrl = _.trim(args.logoUrl)
+        }
+
         WIKI.config.seo = {
-          description: args.description,
-          robots: args.robots,
-          analyticsService: args.analyticsService,
-          analyticsId: args.analyticsId
+          description: _.get(args, 'description', WIKI.config.seo.description),
+          robots: _.get(args, 'robots', WIKI.config.seo.robots),
+          analyticsService: _.get(args, 'analyticsService', WIKI.config.seo.analyticsService),
+          analyticsId: _.get(args, 'analyticsId', WIKI.config.seo.analyticsId)
         }
-        WIKI.config.logoUrl = _.trim(args.logoUrl)
+
         WIKI.config.features = {
-          featurePageRatings: args.featurePageRatings,
-          featurePageComments: args.featurePageComments,
-          featurePersonalWikis: args.featurePersonalWikis
+          featurePageRatings: _.get(args, 'featurePageRatings', WIKI.config.features.featurePageRatings),
+          featurePageComments: _.get(args, 'featurePageComments', WIKI.config.features.featurePageComments),
+          featurePersonalWikis: _.get(args, 'featurePersonalWikis', WIKI.config.features.featurePersonalWikis)
         }
+
         WIKI.config.security = {
-          securityIframe: args.securityIframe,
-          securityReferrerPolicy: args.securityReferrerPolicy,
-          securityTrustProxy: args.securityTrustProxy,
-          securitySRI: args.securitySRI,
-          securityHSTS: args.securityHSTS,
-          securityHSTSDuration: args.securityHSTSDuration,
-          securityCSP: args.securityCSP,
-          securityCSPDirectives: args.securityCSPDirectives
+          securityIframe: _.get(args, 'securityIframe', WIKI.config.security.securityIframe),
+          securityReferrerPolicy: _.get(args, 'securityReferrerPolicy', WIKI.config.security.securityReferrerPolicy),
+          securityTrustProxy: _.get(args, 'securityTrustProxy', WIKI.config.security.securityTrustProxy),
+          securitySRI: _.get(args, 'securitySRI', WIKI.config.security.securitySRI),
+          securityHSTS: _.get(args, 'securityHSTS', WIKI.config.security.securityHSTS),
+          securityHSTSDuration: _.get(args, 'securityHSTSDuration', WIKI.config.security.securityHSTSDuration),
+          securityCSP: _.get(args, 'securityCSP', WIKI.config.security.securityCSP),
+          securityCSPDirectives: _.get(args, 'securityCSPDirectives', WIKI.config.security.securityCSPDirectives)
+        }
+
+        WIKI.config.uploads = {
+          maxFileSize: _.get(args, 'uploadMaxFileSize', WIKI.config.uploads.maxFileSize),
+          maxFiles: _.get(args, 'uploadMaxFiles', WIKI.config.uploads.maxFiles)
         }
-        await WIKI.configSvc.saveToDb(['host', 'title', 'company', 'contentLicense', 'seo', 'logoUrl', 'features', 'security'])
+
+        await WIKI.configSvc.saveToDb(['host', 'title', 'company', 'contentLicense', 'seo', 'logoUrl', 'features', 'security', 'uploads'])
 
         if (WIKI.config.security.securityTrustProxy) {
           WIKI.app.enable('trust proxy')

server/graph/schemas/site.graphql

@@ -24,26 +24,29 @@ type SiteQuery {
 
 type SiteMutation {
   updateConfig(
-    host: String!
-    title: String!
-    description: String!
-    robots: [String]!
-    analyticsService: String!
-    analyticsId: String!
-    company: String!
-    contentLicense: String!
-    logoUrl: String!
-    featurePageRatings: Boolean!
-    featurePageComments: Boolean!
-    featurePersonalWikis: Boolean!
-    securityIframe: Boolean!
-    securityReferrerPolicy: Boolean!
-    securityTrustProxy: Boolean!
-    securitySRI: Boolean!
-    securityHSTS: Boolean!
-    securityHSTSDuration: Int!
-    securityCSP: Boolean!
-    securityCSPDirectives: String!
+    host: String
+    title: String
+    description: String
+    robots: [String]
+    analyticsService: String
+    analyticsId: String
+    company: String
+    contentLicense: String
+    logoUrl: String
+    featurePageRatings: Boolean
+    featurePageComments: Boolean
+    featurePersonalWikis: Boolean
+    securityIframe: Boolean
+    securityReferrerPolicy: Boolean
+    securityTrustProxy: Boolean
+    securitySRI: Boolean
+    securityHSTS: Boolean
+    securityHSTSDuration: Int
+    securityCSP: Boolean
+    securityCSPDirectives: String
+    uploadMaxFileSize: Int
+    uploadMaxFiles: Int
+
   ): DefaultResponse @auth(requires: ["manage:system"])
 }
 
@@ -72,4 +75,6 @@ type SiteConfig {
   securityHSTSDuration: Int!
   securityCSP: Boolean!
   securityCSPDirectives: String!
+  uploadMaxFileSize: Int!
+  uploadMaxFiles: Int!
 }

server/setup.js

@@ -186,6 +186,7 @@ module.exports = () => {
         'sessionSecret',
         'telemetry',
         'theming',
+        'uploads',
         'title'
       ], false)