Tom Moor
9113501906
Add PROXY_HEADERS_TRUSTED env (#12676)
...
* Add PROXY_HEADERS_TRUSTED env
* Don't trust X-Forwarded-Proto for HTTPS redirect when proxy headers untrusted
---------
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-12 19:58:16 -04:00
Ashley Sommer
8048b7e530
feat: Add support for configurable proxy IP header in environment settings (#11595)
...
* feat: Add support for configurable proxy IP header in environment settings
* Update server/env.ts
Remove mention of Koa from docs
Co-authored-by: Tom Moor <tom.moor@gmail.com>
* Update .env.sample
Remove mention of Koa from env sample.
Co-authored-by: Tom Moor <tom.moor@gmail.com>
---------
Co-authored-by: Tom Moor <tom.moor@gmail.com>
2026-02-27 19:27:24 -05:00
Tom Moor
1937043aed
feat: MCP Server (#11464)
...
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 20:14:18 -05:00
Tom Moor
00fb4d1af7
chore: Update node style imports (#11277)
...
- crypto → node:crypto
- fs → node:fs
- fs/promises → node:fs/promises
- path → node:path
- http → node:http
- https → node:https
- stream → node:stream
- buffer → node:buffer
- url → node:url
- os → node:os
- net → node:net
- dns → node:dns
- events → node:events
- readline → node:readline
- querystring → node:querystring
- util → node:util
2026-01-26 20:51:50 -05:00
Tom Moor
bf45e97641
chore: Enforce type import consistency (#10968)
...
* Update types
* fix circular dep
* type imports
* lint type imports and --fix
2025-12-19 23:07:02 -05:00
Tom Moor
76691e8aaa
fix: Add yet another guard against crawlers consuming magic links (#10457)
2025-10-23 08:24:10 -04:00
Tom Moor
f6315875b4
fix: CSRF validation issues on Firefox (#10317)
2025-10-06 19:10:25 -04:00
Tom Moor
0a9bd39aac
Add CSRF middleware (#10051)
...
ref OUT-Q325-03
2025-08-31 06:35:35 -04:00
Hemachandar
04c3d81b1f
chore: Setup missing oxlint configs (#9862)
...
* shared
* server
* app
* remove vestigial eslintrc files
* update comment directives
2025-08-06 19:54:22 -04:00
codegen-sh[bot]
f284a27941
feat: Add OIDC well-known endpoint discovery support (#9308)
...
* feat: Add OIDC well-known endpoint discovery support
Co-authored-by: codegen-sh[bot] <131295404+codegen-sh[bot]@users.noreply.github.com>
Co-authored-by: Tom Moor <tom@getoutline.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-05-27 07:56:02 -04:00
codegen-sh[bot]
d2aba1de96
feat: Add POST method option to redirectOnClient (#9228)
...
* feat: Add POST method option to redirectOnClient helper
* Applied automatic fixes
* fix: Add missing closing HTML tag in redirectOnClient GET method
* fix: Use lodash escape for form field values to prevent XSS
* Applied automatic fixes
* fix: Add missing lodash/escape import
* Applied automatic fixes
* fix: Escape all URLs in redirectOnClient function
* Update index.ts
* fix: CSP
* Refactor CSP middleware
* docs, only use for email signin
---------
Co-authored-by: codegen-sh[bot] <131295404+codegen-sh[bot]@users.noreply.github.com>
Co-authored-by: Tom Moor <tom@getoutline.com>
2025-05-17 09:06:32 -04:00
Tom Moor
a06671e8ce
OAuth provider (#8884)
...
This PR contains the necessary work to make Outline an OAuth provider including:
- OAuth app registration
- OAuth app management
- Private / public apps (Public in cloud only)
- Full OAuth 2.0 spec compatible authentication flow
- Granular scopes
- User token management screen in settings
- Associated API endpoints for programmatic access
2025-05-03 19:40:18 -04:00
Tom Moor
8fec6758b8
fix: Move compression middleware to cover all /api and /auth routes
2025-01-14 19:01:51 -05:00
Apoorv Mishra
5d85a3a093
Specify time conversion unit (#7458)
...
* fix: specificity in time units
* fix: milliseconds -> ms
2024-08-25 18:57:45 +05:30
Tom Moor
c02f7c9c85
Remove gist.github.com, gitlab.com from default CSP (#7008)
2024-06-08 07:54:55 -07:00
Andrew Smith
8f53f3b28c
Allow embedding of GitLab snippets (#6217)
2023-11-27 05:35:37 -08:00
Tom Moor
a1b52e18dd
chore: Centralize environment detection
2023-11-09 19:24:16 -05:00
Apoorv Mishra
a7dd5c6798
fix: allow script injection from react dev tools in dev and stage envs (#6120)
2023-11-09 10:40:04 +05:30
Tom Moor
fec1a72780
fix: Remove zapier from CSP on self-hosted
2023-10-09 21:11:05 -04:00
Tom Moor
f4fd9dae5f
feat: Native video display (#5866)
2023-09-28 17:28:09 -07:00
Tom Moor
4edfab20fe
fix: Bug with local dynamic reloading since moving to SSL
2023-08-14 20:48:49 +02:00
Tom Moor
66331d3d4f
Add csp nonce to all inline script tags (#5566)
2023-07-15 07:15:14 -07:00
Tom Moor
f843a20a54
chore: Improves linting rule to catch mishandled promises (#5506)
2023-07-01 10:25:51 -07:00
Tom Moor
89d5527d39
Handle promise linting (#5488)
2023-06-28 17:18:18 -07:00
Tom Moor
ba2bfc7c89
fix: recursive require in test env
2023-04-27 22:31:12 -04:00
Tom Moor
0f8c444af0
Add DD monitoring for simultaneous server connections
2023-04-27 21:48:51 -04:00
Tom Moor
8cc4cff0d7
fix: Allow stylesheets to load from CDN
2023-03-27 20:23:54 -04:00
Hans Pagel
e754f89e5c
Replace Webpack with Vite (#4765)
...
Co-authored-by: Tom Moor <tom@getoutline.com>
Co-authored-by: Vio <vio@beanon.com>
2023-02-15 19:39:46 -08:00
Tom Moor
a1cefa9771
fix: FORCE_HTTPS setting results in redirect loop when Outline terminates SSL
2023-02-02 21:45:33 -05:00
Tom Moor
53414ec3ba
feat: Server side translation setup (#4657)
...
* Server side translation setup
* docs
2023-01-07 11:52:09 -08:00
Tom Moor
8e4270c321
feat: Add GA integration, support for GA4 (#4626)
...
* GA integration settings
* trackingId -> measurementId
Hook up script
* Public page GA tracking
Correct layout of settings
* Remove multiple codepaths for loading GA measurementID, add missing db index
* Remove unnecessary changes, tsc
* test
2023-01-01 07:29:08 -08:00
Tom Moor
4047ec73bb
feat: Integrate Zapier App Directory
2022-11-14 18:10:10 -05:00
dependabot[bot]
1e723be556
chore(deps): bump koa-sslify from 2.1.2 to 5.0.0 (#4424)
...
* chore(deps): bump koa-sslify from 2.1.2 to 5.0.0
Bumps [koa-sslify](https://github.com/turboMaCk/koa-sslify) from 2.1.2 to 5.0.0.
- [Release notes](https://github.com/turboMaCk/koa-sslify/releases)
- [Changelog](https://github.com/turboMaCk/koa-sslify/blob/master/CHANGELOG.md)
- [Commits](https://github.com/turboMaCk/koa-sslify/compare/2.1.2...5.0.0)
---
updated-dependencies:
- dependency-name: koa-sslify
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* Nice try dependabot
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tom Moor <tom.moor@gmail.com>
2022-11-14 14:17:05 -08:00
Tom Moor
933fbb2578
feat: Option for separate edit mode (#4203)
...
* stash
* wip
* cleanup
* Remove collaborativeEditing toggle, it will always be on in next release.
Flip separateEdit -> seamlessEdit
* Clarify language, hide toggle when collaborative editing is disabled
* Flip boolean to match, easier to reason about
2022-10-02 08:58:33 -07:00
Tom Moor
35e82beaf7
chore: Upgrade koa- dependencies (#3761)
2022-07-09 10:23:42 -07:00
Tom Moor
bf0ff6c823
chore: Casing of logger -> Logger as it's an instantiated class
2022-05-21 13:59:23 +01:00
Tom Moor
3c002f82cc
chore: Centralize env parsing, validation, defaults, and deprecation notices (#3487)
...
* chore: Centralize env parsing, defaults, deprecation
* wip
* test
* test
* tsc
* docs, more validation
* fix: Allow empty REDIS_URL (defaults to localhost)
* test
* fix: SLACK_MESSAGE_ACTIONS not bool
* fix: Add SMTP port validation
2022-05-19 08:05:11 -07:00
Tom Moor
5c24f9e1d5
chore: Email + mailer refactor (#3342)
...
* Huge email refactor
* fix: One rename too many
* comments
2022-04-07 16:50:04 -07:00
Tom Moor
193ca910f8
Remove Permissions-Policy header, FLOC has now been abandoned
2022-02-08 23:06:04 -08:00
Tom Moor
36c0372d62
fix: Loop loading GitHub Gist embeds in Safari
...
closes #2520
2021-12-19 17:38:03 -08:00
Tom Moor
15b1069bcc
chore: Move to Typescript (#2783)
...
This PR moves the entire project to Typescript. Due to the ~1000 ignores this will lead to a messy codebase for a while, but the churn is worth it – all of those ignore comments are places that were never type-safe previously.
closes #1282
2021-11-29 06:40:55 -08:00