v25.4.1

Author: seguinleo

src/.editorconfig renamed to .editorconfig

@@ -0,0 +1,30 @@
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+pnpm-debug.log*
+lerna-debug.log*
+
+node_modules
+.DS_Store
+dist
+dist-ssr
+coverage
+*.local
+
+/cypress/videos/
+/cypress/screenshots/
+
+# Editor directories and files
+.vscode/*
+!.vscode/extensions.json
+.idea
+*.suo
+*.ntvs*
+*.njsproj
+*.sln
+*.sw?
+
+*.tsbuildinfo

.gitignore

@@ -1,3 +1,12 @@
+#----v25.4.1----#
+-Refractor client code in Vue.js 3
+    -Better dependencies management
+    -Better code structure
+    -Better dev environnement
+-Add katex support for math expressions
+-UI/UX and accessibility fixes
+-Change shared notes url
+
 #----v25.3.1----#
 -Add full theme customization
 

CHANGELOG.txt

@@ -0,0 +1,30 @@
+# !!!!!!!!!!!!!!!
+# EDIT DOCKER CONFIGURATION TO YOUR NEEDS FOR PRODUCTION
+# !!!!!!!!!!!!!!!
+
+FROM node:22 AS build-stage
+
+WORKDIR /app
+
+COPY package*.json ./
+
+RUN npm install
+
+COPY . .
+
+RUN npm run build
+
+FROM php:8.3-apache
+
+RUN apt update && apt upgrade -y && apt --purge autoremove -y && apt clean && \
+    groupadd -r myuser && useradd -r -g myuser myuser && \
+    cp /usr/local/etc/php/php.ini-production /usr/local/etc/php/php.ini && \
+    sed -i -e "s/display_errors = On/display_errors = Off/g" /usr/local/etc/php/php.ini && \
+    docker-php-ext-install pdo pdo_mysql
+
+USER myuser
+
+COPY --from=build-stage /app/dist /var/www/html
+COPY --chown=myuser:myuser api /var/www/html/api
+
+EXPOSE 80

Dockerfile

@@ -19,7 +19,7 @@ A fast, private and secure web notebook.
 *   [Self-hosting](#self-hosting)
 
 ## Features
-Users can create task lists, reminders, tables, links, and code blocks using Markdown and HTML. They can add online images, audio, or videos via URL. Notes can be searched, sorted by category, or organized into folders.
+Users can create task lists, reminders, tables, links, math expressions or code blocks using Markdown and HTML. They can add online images, audio, or videos via URL. Notes can be searched, sorted by category, or organized into folders.
 
 Users can sync notes across devices in a secure database after signing in without needing an email address, only a username and strong password. Public notes can be shared via random URLs.
 
@@ -38,9 +38,9 @@ Users can lock the app using biometrics (fingerprints, face, etc.). These biomet
 
 ## Todo
 *   2FA login (may refractor backend to Node.js)
-*   Markdown plugins (may add security or slowness issues)
 *   WEB Notification for reminders
 *   Calendar for reminders (have to find a light and fast library)
+*   Offline mode for cloud notes (security problems)
 
 ## Community
 If you find [issues](https://github.com/seguinleo/Bloc-notes/issues), [vulnerabilities](https://github.com/seguinleo/Bloc-notes/security) or if you have any [suggestions](https://github.com/seguinleo/Bloc-notes/discussions) to improve this project, feel free to discuss!

README.md

@@ -1,5 +1,13 @@
 # Security Policy
 
+## Node version
+
+| Version | Supported          |
+|---------|--------------------|
+| 22.x    | :white_check_mark: |
+| 21.x    | :white_check_mark: |
+| < 20    | :x:                |
+
 ## PHP version
 
 | Version | Supported          |

SECURITY.md

@@ -22,6 +22,7 @@
     'bg-red',
     'bg-orange',
     'bg-yellow',
+    'bg-lime',
     'bg-green',
     'bg-cyan',
     'bg-light-blue',

src/assets/php/addNote.php renamed to api/addNote.php

@@ -18,10 +18,6 @@
     throw new Exception('Connection failed');
     return;
 }
-if (filter_input(INPUT_POST, 'csrf_token', FILTER_DEFAULT) !== $_SESSION['csrf_token']) {
-    throw new Exception('Connection timeout, please reload the page');
-    return;
-}
 
 global $PDO;
 require_once __DIR__ . '/config/config.php';
@@ -63,7 +59,7 @@
 $cookieParams = [
     'path'     => '/',
     'lifetime' => 604800,
-    'secure'   => false,
+    'secure'   => true,
     'httponly' => true,
     'samesite' => 'Lax',
 ];
@@ -72,5 +68,4 @@
 session_regenerate_id();
 $_SESSION['name'] = $row['name'];
 $_SESSION['userId'] = $row['id'];
-$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
 $_SESSION['lockApp'] = false;

src/assets/php/class/Encryption.php renamed to api/class/Encryption.php

@@ -3,7 +3,7 @@
 $cookieParams = [
     'path'     => '/',
     'lifetime' => 604800,
-    'secure'   => false,
+    'secure'   => true,
     'httponly' => true,
     'samesite' => 'Lax',
 ];
@@ -12,5 +12,3 @@
 session_regenerate_id();
 
 $name = $_SESSION['name'] ?? null;
-$csrf_token = bin2hex(random_bytes(32));
-$_SESSION['csrf_token'] = $csrf_token;

src/assets/php/config/config.php renamed to api/config/config.php

@@ -24,12 +24,6 @@
 
 $id = bin2hex(random_bytes(12));
 $psswdCreateHash = password_hash($psswdCreate, PASSWORD_DEFAULT);
-
-/**
- * 
- * Store key in sql database or, use a secure vault like AWS KMS, Azure Key Vault or a self-hosted solution.
- *
- */
 $key = bin2hex(random_bytes(32));
 
 try {

src/assets/php/connectUser.php renamed to api/connectUser.php

@@ -6,10 +6,6 @@
 $userId = $_SESSION['userId'];
 $psswd = filter_input(INPUT_POST, 'psswd', FILTER_DEFAULT);
 
-if (filter_input(INPUT_POST, 'csrf_token', FILTER_DEFAULT) !== $_SESSION['csrf_token']) {
-    throw new Exception('Connection timeout, please reload the page');
-    return;
-}
 if (isset($name, $userId) === false) {
     throw new Exception('Account deletion failed');
     return;

src/assets/php/cookies.php renamed to api/cookies.php

@@ -5,10 +5,6 @@
 $name = $_SESSION['name'];
 $noteId = filter_input(INPUT_POST, 'noteId', FILTER_DEFAULT);
 
-if (filter_input(INPUT_POST, 'csrf_token', FILTER_DEFAULT) !== $_SESSION['csrf_token']) {
-    throw new Exception('Connection timeout, please reload the page');
-    return;
-}
 if (isset($name, $noteId) === false) {
     throw new Exception('Note deletion failed');
     return;

src/assets/php/createUser.php renamed to api/createUser.php

@@ -5,10 +5,6 @@
 $name = $_SESSION['name'];
 $userId = $_SESSION['userId'];
 
-if (filter_input(INPUT_POST, 'csrf_token', FILTER_DEFAULT) !== $_SESSION['csrf_token']) {
-    throw new Exception('Connection timeout, please reload the page');
-    return;
-}
 if (isset($name, $userId) === false) {
     throw new Exception('Key retrieval failed');
     return;
@@ -22,11 +18,6 @@
     return;
 }
 
-/**
- * 
- * Get key from sql database or, using a secure vault like AWS KMS, Azure Key Vault or a self-hosted solution.
- *
- */
 try {
     $query = $PDO->prepare("SELECT oneKey,lastLogin FROM users WHERE name=:CurrentUser AND id=:UserId LIMIT 1");
     $query->execute(

src/assets/php/deleteAccount.php renamed to api/deleteAccount.php

@@ -2,11 +2,6 @@
 session_name('secureNotes');
 session_start();
 
-if (filter_input(INPUT_POST, 'csrf_token', FILTER_DEFAULT) !== $_SESSION['csrf_token']) {
-  throw new Exception('Connection timeout, please reload the page');
-  return;
-}
-
 $lockApp = filter_var($_SESSION['lockApp'], FILTER_VALIDATE_BOOLEAN);
 
 header('Content-Type: application/json');

src/assets/php/deleteNote.php renamed to api/deleteNote.php

@@ -0,0 +1,17 @@
+<?php
+session_name('secureNotes');
+$cookieParams = [
+    'path'     => '/',
+    'lifetime' => 604800,
+    'secure'   => true,
+    'httponly' => true,
+    'samesite' => 'Lax',
+];
+session_set_cookie_params($cookieParams);
+session_start();
+session_regenerate_id();
+
+$name = $_SESSION['name'] ?? false;
+
+header('Content-Type: application/json');
+print_r(json_encode(['name' => $name]));

src/assets/php/getKey.php renamed to api/getKey.php

@@ -0,0 +1,6 @@
+<?php
+session_name('secureNotes');
+session_start();
+
+$lockApp = filter_input(INPUT_POST, 'lock_app', FILTER_VALIDATE_BOOLEAN);
+$_SESSION['lockApp'] = $lockApp;

src/assets/php/getLockApp.php renamed to api/getLockApp.php

@@ -5,10 +5,6 @@
 $name = $_SESSION['name'];
 $noteId = filter_input(INPUT_POST, 'noteId', FILTER_DEFAULT);
 
-if (filter_input(INPUT_POST, 'csrf_token', FILTER_DEFAULT) !== $_SESSION['csrf_token']) {
-    throw new Exception('Connection timeout, please reload the page');
-    return;
-}
 if (isset($name, $noteId) === false) {
     throw new Exception('Pin note failed');
     return;

src/assets/php/getNotes.php renamed to api/getNotes.php

@@ -6,10 +6,6 @@
 $noteId = filter_input(INPUT_POST, 'noteId', FILTER_DEFAULT);
 $noteLink = filter_input(INPUT_POST, 'noteLink', FILTER_DEFAULT);
 
-if (filter_input(INPUT_POST, 'csrf_token', FILTER_DEFAULT) !== $_SESSION['csrf_token']) {
-    throw new Exception('Connection timeout, please reload the page');
-    return;
-}
 if (isset($name, $noteId, $noteLink) === false) {
     throw new Exception('Note modification failed');
     return;

src/assets/php/getSharedNote.php renamed to api/getSharedNote.php

@@ -5,10 +5,6 @@
 $name = $_SESSION['name'];
 $noteId = filter_input(INPUT_POST, 'noteId', FILTER_DEFAULT);
 
-if (filter_input(INPUT_POST, 'csrf_token', FILTER_DEFAULT) !== $_SESSION['csrf_token']) {
-    throw new Exception('Connection timeout, please reload the page');
-    return;
-}
 if (isset($name, $noteId) === false) {
     throw new Exception('Note modification failed');
     return;

api/getUser.php

@@ -22,6 +22,7 @@
     'bg-red',
     'bg-orange',
     'bg-yellow',
+    'bg-lime',
     'bg-green',
     'bg-cyan',
     'bg-light-blue',

api/lockApp.php

@@ -7,10 +7,6 @@
 $psswdOld = filter_input(INPUT_POST, 'psswdOld', FILTER_DEFAULT);
 $psswdNew = filter_input(INPUT_POST, 'psswdNew', FILTER_DEFAULT);
 
-if (filter_input(INPUT_POST, 'csrf_token', FILTER_DEFAULT) !== $_SESSION['csrf_token']) {
-    throw new Exception('Connection timeout, please reload the page');
-    return;
-}
 if (isset($name, $userId, $psswdOld) === false) {
     throw new Exception('Password update failed');
     return;

src/assets/php/logout.php renamed to api/logout.php

@@ -0,0 +1,11 @@
+import { defineConfig } from "eslint/config";
+import globals from "globals";
+import js from "@eslint/js";
+import pluginVue from "eslint-plugin-vue";
+
+export default defineConfig([
+  { files: ["**/*.{js,mjs,cjs,vue}"] },
+  { files: ["**/*.{js,mjs,cjs,vue}"], languageOptions: { globals: globals.browser } },
+  { files: ["**/*.{js,mjs,cjs,vue}"], plugins: { js }, extends: ["js/recommended"] },
+  pluginVue.configs["flat/essential"],
+]);

src/assets/php/pinNote.php renamed to api/pinNote.php

@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html lang="">
+  <head>
+    <meta charset="utf-8">
+    <title>Bloc-notes &#8211; Léo SEGUIN</title>
+    <meta name="description" content="A fast, private and secure notebook with Markdown support.">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <meta name="theme-color" content="#000" class="theme-color">
+    <meta name="mobile-web-app-capable" content="yes">
+    <meta name="apple-mobile-web-app-capable" content="yes">
+    <meta name="apple-mobile-web-app-status-bar-style" content="#000" class="theme-color">
+    <meta http-equiv="Content-Security-Policy" content="default-src 'none'; connect-src 'self'; font-src 'self' data: https://cdnjs.cloudflare.com/; form-action 'self'; img-src http:; manifest-src 'self'; media-src https:; script-src 'self'; script-src-attr 'none'; style-src 'self' https://cdnjs.cloudflare.com/; style-src-attr 'unsafe-inline' 'self'; worker-src 'self'">
+    <link rel="apple-touch-icon" href="./icons/apple-touch-icon.png">
+    <link rel="icon" href="./favicon.ico">
+    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.7.2/css/all.min.css">
+    <link rel="manifest" href="./app.webmanifest">
+  </head>
+  <body>
+    <div id="app"></div>
+    <script type="module" src="/src/main.js"></script>
+  </body>
+</html>

src/assets/php/privateNote.php renamed to api/privateNote.php

@@ -0,0 +1,8 @@
+{
+  "compilerOptions": {
+    "paths": {
+      "@/*": ["./src/*"]
+    }
+  },
+  "exclude": ["node_modules", "dist"]
+}