Hi Andreas

> * CSRF protection for both the browser messaging (plugin library) 
> architecture as well as the PUT/DELETE rest api. It is scary to know that 
> iframes or any other website that I visit can inject javascript tiddlers 
> while running the server. This might work in tandem with the new 
> authentication.

Good point. We might consider adding server-side support for CORS as part of 
the defences too.

The code is currently structured with two module types: authenticators and 
routes. I’m considering refactoring things to a single generic middleware 
module type that works along the lines of Express.js, which would make it 
easier to add such things.

> (Hint: the plugin library architecture uses the cookie variable already, but 
> does not include/check for a nonce for some reason when getting a response)

Can you point to the code you’re referring to here?

> * A module (route) that serves rendered tiddlers, instead of serving them as 
> json. This is the unique ability of having the wiki run under node and while 
> possibly obscure, there is a lot of creative things one can do with this with 
> regards to browser integration (think tampermonkey) or access to formatted 
> data in the wiki from say bash or other external programs.

Yes, I did some experimentation with using the accept-header as part of the 
route matching parameters, I think it’s something I’d like to come back to.

> * HTTPS support would be neat, not sure if it's possible to include a self 
> signed certificate, but node's built in http(s) server is fully able to serve 
> over https as well.

Good idea. It looks easy enough from this SO answer:  
https://stackoverflow.com/a/21809393

> Thanks for tackling the server overhaul and also for reading,

Thanks for the feedback. I’m tempted to look at the rendered routes and the 
HTTPS support but would be inclined to leave the CSRF stuff until later.

Best wishes

Jeremy

> 
> /Andreas
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "TiddlyWikiDev" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at https://groups.google.com/group/tiddlywikidev.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/tiddlywikidev/d9a8d4dc-ac1d-f535-9643-d68454bae30a%40googlemail.com.
> For more options, visit https://groups.google.com/d/optout.
