* Move access/refresh tokens to secure cookies (#20779)
* feat: adds the `credentials: include` header to all manual requests
* feat: adds `credentials: include` as a configurable option to xhr requests (and sets it by default to true)
* feat: configures the auto-generated fetch client from hey-api to include credentials by default
* Add OpenIddict handler to hide tokens from the back-office client
* Make back-office token redaction optional (default false)
* Clear back-office token cookies on logout
* Add configuration for backoffice cookie settings
* Make cookies forcefully secure + move cookie handler enabling to the BackOfficeTokenCookieSettings
* Use the "__Host-" prefix for cookie names
* docs: adds documentation on cookie settings
* build: sets up launch profile for vscode with new cookie recommended settings
* docs: adds extra note around SameSite settings
* docs: adds extra note around SameSite settings
* Respect sites that do not use HTTPS
* Explicitly invalidate potentially valid, old refresh tokens that should no longer be used
* Removed obsolete const
---------
Co-authored-by: Jacob Overgaard <752371+iOvergaard@users.noreply.github.com>
* Remove configuration option
* Invalidate all existing access tokens on upgrade
* docs: updates recommended settings for development
* build: removes non-existing variable
* Skip flaky test
* Bumped version of our test helpers to fix failing tests
---------
Co-authored-by: Jacob Overgaard <752371+iOvergaard@users.noreply.github.com>
Co-authored-by: Andreas Zerbst <andr317c@live.dk>
* add pickable to vs code dictionary
* set up types for pickable filters in data sources
* pass search pickable filter to search result
* apply filter config in document data source example
* add pickable filters to custom tree example
* Update input-entity-data.context.ts
* remove unused
* Update types.ts
* setup files
* allow Unproviding as a valid word
* setup context
* declare new module
* clean up on destroy
* implement keydown listener
* rename to all
* Revert "rename to all"
This reverts commit 5384408d5f70111b63a5e07b9b20d6536c530c00.
* revert shortcuts revert
* move view initialization to submittable workspace base
* comment on destroy thingy
* submit workspace shortcut
* rename to action
* observe parent activation to make sure children follow along.
* fix comment to make AI happy
* implement modal view and titles
* fix getting title from token
* rename context alias
* use controller not context here
* provide modal view at modal element
* implement view context at app level
* Refactor view inheritance logic
* reverse children to be activated loop
* note on global shortcuts
* additional note
* feat: fix a small-ish nitpick where extensions would reload after login
this could potentially try to re-register all private extensions after each auth signal, which is being prevented anyway because of duplicate aliases, but still nice to remove and not have to listen to
* feat: align login UI extension load with backoffice, i.e. wait for external load before registering core extensions
* build(deps): bump @hey-api to newest and re-generate client
* chore: adds extra error logging
* feat: adds retry logic to the api interceptor
* feat: warn about incomplete actions
* fix: the body was already plain text, but we need to ensure the headers say so as well
* feat: warns the user when actions could not be completed
* build(deps): update @hey-api/client-fetch
* chore: generate new api
* feat: simplify error handling to just UmbApiError and UmbCancelError
* feat: moves error notifications from interceptors into tryExecute, so you more easily can opt out of it and everything is gathered in one place
* feat: recreate responses with correct 'status' and 'statusText'
* build: stop dotnet processes after debug session
* feat: extrapolate common logic into helper method to create responses
* feat: returns a UmbProblemDetails like object on interceptors to be handled by tryExecute
* chore: deprecates duplicate, outdated UmbProblemDetails interface and type guard
* feat: uses the 'title' of the problem details object to convey the main message
* chore: 401 and 403 uses their own interceptors
* feat: show no notification if 401
* feat: uses the real request method and url (instead of the template placeholders) to tell the user what did not succeed
* feat: retry requests with no timeout/race
* feat: throttle and delay signals and disallow them from being updated from the outside
* chore: adds more logging to timeouts
* chore: optimise imports
* test: ignores any test files left in node_modules folder
* feat: uses auditTime to wait a bit before showing the timeout screen
* feat: adds 404 handling to error interceptor
* chore: cleans up after response modification
* feat: preserve only a few headers
this mimics the v15 behavior
* feat: lets the UI handle 404 errors instead of notifying directly
* test: uses create action menu option instead to find the correct locator, and skips a seemingly unnecessary timeout
* feat: adds new backend-api and http-client packages and generates the api with @hey-api/client-fetch
* feat: maps generic T back to promise to avoid usage of 'any'
* feat: sets up baseUrl and auth for the new client
* feat: gets the api base url from server context instead of the http client
* feat: gets the api base url from server context instead of the http client
* feat: allows undefined token for xhr requests
* feat: changes the response object to be either type T directly (to support @hey-api/client-fetch) or the given type if the response does not contain a 'data' object
* revert interface
* feat: creates an api return type to comply with @hey-api/client-fetch
* feat: maps T back to the data model for non-api types
* feat: simplify api response to return the promise you sent to it with an optional error object
* feat: moves http related modules to the core package
* feat: updates the required type of the client for the api interceptors
* docs: removes invalid property
* feat: adds request parameters to documents
* feat: adds request parameters to imaging
* feat: adds return type to item-server-data-source-base
* feat: adds request parameters to webhooks
* feat: adds request parameters to users
* feat: renames all `requestBody` to `body` to conform with new client-fetch
* feat: uses query to take parameters in
* feat: adds data source response to tree types
* feat: adds request parameters to templating
* feat: adds request parameters to templating
* feat: adds request parameters to telemetry
* feat: adds request parameters to tags
* feat: adds request parameters to examine management
* feat: adds request parameters to relations
* feat: adds request parameters to packages
* feat: catches new api errors that are direct problem details objects
* feat: adds default interceptor to handle Umb-Generated-Resource headers
* feat: uses an error interceptor specifically to catch errors to avoid overhead
* feat: adds request parameters to members
* Revert "feat: uses an error interceptor specifically to catch errors to avoid overhead"
This reverts commit 7ffb7b29bfe4ddbc51736434db78372767731dd1.
* feat: adds request parameters to media
* feat: adds request parameters to log viewer
* feat: adds request parameters to languages
* feat: adds request parameters to health check
* feat: adds request parameters to oembed
* feat: adds request parameters to documents
* feat: adds request parameters to redirect management
* feat: adds request parameters to blueprints
* feat: adds request parameters to dictionary
* feat: adds request parameters to data types
* feat: adds request parameters to temporary file
* feat: instructs delete methods to return an unknown value
* feat: allows default value to be unknown
* feat: adds request parameters to culture
* chore: import path
* feat: adds correct models to mocks
* feat: adds correct models to installer and upgrader
* feat: adds correct models to mocks
* chore: forgot to move ignore line
* chore: ignores generated files in eslint
* chore: removes old generated files
* feat: moves network connection status manager back into the main app to avoid imports from core
* chore: update imports
* feat: generate API for login screen without relying on the backoffice
* feat: uses the generated models on the login screen
* feat: sets 'credentials' to 'include' and adds it back to openapiconfiguration to avoid a breaking change
* adds back in commands moved to a workspace
* chore: vscode workspace settings formatted and useFlatConfig added for better compatibility
* allow for this word
* getMessages
* split inherit and sync method
* sync feature
* rename sync report
* auto report + impl
* remove log
* double inheritance test
* one more test
* create a symlink between local Client .vscode snippets and global snippets for ease of use
* fix: no need to specify `Element` in the snippet as that is pulled from the filename
Because of our convention with `x.element.ts` you would have ended up with `UmbXElementElement`
* feat: adds new component `umb-input-dropzone`
* docs(storybook): more stories
* feat: construct the temporary files centrally along with an `AbortController` and use its signal
* feat: makes UmbInputDropzone form aware
* feat: introduces a change event
* chore: temporary changes before changing upload field
* feat: adds default slot
* docs: adds jsdocs
* feat: adds more properties
* feat: adds dashed styling
* feat: adds multiple support
* feat: allows to cancel file
* feat: separate **cancel** and **remove**
* fix styling
* move dropzone element
* move input-dropzone into dropzone package
* feat: introduces a 'dropzone' package
* import for backward compatibility
* remove ambiguous export
* reexport everything from dropzone
* fix import
* cleanup test files
* use correct import paths
* test: make sure folder exists before writing to it
* adds export for modals
* adds entrypoint for dropzone package
* use the AbortController directly on the temporary file object
* uses correct icon name
* feat: adds ability to remove all files and cancel the request
* feat: adds styling for the uploader
and enables it to work in multiple mode with classes over id's
* do not let the content exceed its boundaries
* feat: formats progress with 2 decimals
* feat: formats with 0 decimals
* fix: returns cancel error
* fix: maps cancel errors back to the uploadable item
* fix: do not proceed with media items if the request was cancelled
* chore: mark exports from media <- dropzone as deprecated
* fix: use correct attribute and remove a todo with localizations
* fix: use correct attribute and remove a todo with localizations
* fix: allow to specify parent through attribute
* feat: align attribute `disableFolderUpload` between dropzone components
* feat: add two launch tasks to start a vite server and attach to an existing vite server
* build(deps-dev): install and use cross-env for vite commands
* build: add mocked launch task
* build: add prompt to check if msw should be on or off
* build: defaults
* build: rename launch task
* build: add compound to start backend and frontend at the same time
* Remove SQL Server part of the CodeSpace - we have SQLite to use
* Update to use .NET 6 and simplified docker stuff
https://github.com/microsoft/vscode-dev-containers/
* Need to set the SQLite Connection string env variable
* Path to SLN has changed to the root of the repo
* Fix up launch and VSCode tasks
* Created Persistence.SQLite project skeleton.
* SQLite database initialization
* Various changes and hacks to make things work.
* WIP integration tests
* Fix thread safety tests
* Fix tests that relied on tie breaker sorting.
Spent a fair amount of time looking for a less lazy fix but gave up.
* Convert right join to left join ContentTypeRepository.PerformGetByQuery
SQLite doesn't support right join
* Fix test Can_Generate_Delete_SubQuery_Statement
Worth noting that NPoco.DatabaseTypes.SQLiteDatabaseType doesn't override
EscapeSqlIdentifier so NPoco will escape with [].
SQLite docs say > "A keyword enclosed in square brackets is an identifier.
This is not standard SQL.
This quoting mechanism is used by MS Access and SQL Server and is
included in SQLite for compatibility."
Also could have updated SqliteSyntaxProvider to match npoco but
decided against it.
* Fixes for paginated custom order by
* Fix tests broken by lack of unique indexes.
* Fix SqlServerTableByTableTest tests.
These tests didn't actually do anything as the tables already exist so schema creator just returned.
Did however point out that the default implementation for DoesTableExist just returns false so added a default naive implementation.
* Fix ValidateLoginSession - SelectTop must come later
* dry up database cleanup
* Fix up db migration tests.
We can't drop pk in sqlite without recreating table.
Test looks to be testing that add column works as intended which we can test.
* Prevent schema creation errors.
* SQLite ignore lock tests, WAL back on.
* Fix package schema tests
* Fix NPocoFetchTests - case sensitivity not under test
* Fix AdvancedMigrationTests (where possible)
Migrations probably need a good look later.
Maybe nuke old migrations and only support moving to v10 from v9.
If we do that can do some cleanup.
* Cleanup test database configuration
* Run integration tests against SQLite on build agent.
* Drop MS.Data.SQLite
System.Data.SQLite was quicker to roll out due to more CLR type mapping
* YAML
* Skip Umbraco.Tests.Integration.SqlCe
* Drop SqlServerTableByTable tests.
Until this week they did nothing anyway as they with NewSchemaPerTest
so the tests all passed as CreateTable was no op (already exists).
Also all of the tables are created in an empty database by SchemaValidationTest.cs
DatabaseSchemaCreation_Produces_DatabaseSchemaResult_With_Zero_Errors
* Might as well run against macOS also.
* Copy azure pipelines task header layout
* Delete SQLCe projects
* Remove SQL CE specific code.
* Remove SQL CE NuSpec, template params, build script setup
* Delete umbraco-netcore-only.sln
* Add SkipTests solution configuration and use for codeql
* Remove reference to deleted nuspec file.
* Refactor ConnectionStrings WRT DataDirectory placeholder & ProviderName.
At this point you can try out SQLite support by setting the following
in appsettings.json and then completing the install process.
    "ConnectionStrings": {
        "umbracoDbDSN": "Data Source=|DataDirectory|/umbraco.sqlite",
        "umbracoDbDSN_ProviderName": "System.Data.SQLite"
    },
Not currently possible via installer UI without provider name pre-set in
configuration.
* Switch to Microsoft.Data.Sqlite
Some gross hacks but will be good to find out if this works
with apple silicon.
* Enable selection of SQLite via installer UI (also quick install)
* Remove SqlServerDbProviderFactoryCreator to cleanup a TODO
* Move SQL Server support to its own class library
* Add persistence dependencies to Umbraco.CMS metapackage
* Bugfix packages delete query
Created invalid query for SQLite.
* Try out cypress tests Linux + SQLite
* Prevent cypress test artifact upload failure on attempt 2+
* LocalDb bugfixes
* Drop redundant enum
* Move SqlClient constant
* Misc whitespace
* Remove IsSqlCe extension (TODO: drop non 9->10 migrations later).
* Umbraco.Persistence.* -> Umbraco.Cms.Persistence.*
* Display quick install defaults and per provider default database name.
* Misc remove old comment
* little re-arrange
* Remove almost all usages of IsSqlite extension.
* visual adjustments
* Custom Database Configuration is last step and should then say Install.
* use text instead of disabled inputs
* move legend, rename to Install
* Update SqlMainDomLock to work without distributed locks.
* Added IDistributedLockingMechanism interface and in memory impl.
* Drop locking from ISqlSyntaxProvider & wire up scope to abstraction.
* Added SqlServerDistributedLockingMechanism
* Move distributed locking interfaces and exceptions to Core + xmldocs.
* Fix tests, Misc cleanup, Add SQL distributed locking integration tests
* Provide mechanism to specify DistributedLockingMechanism in config
(even if added by composer)
* Nomplementation -> NoImplementation
* Fix misleading comment
* Integration tests use SqlServerDistributedLockingMechanism when possible
* Handle up-gradable locks SqlServerDistributedLockingMechanism.
TODO: InMemoryDistributedLockingMechanism.
Note: Nuked SqlServerDistributedLockingMechanismTests, will still sleep
at night.
Is covered by Umbraco.Cms.Tests.Integration.Umbraco.Infrastructure.Persistence.LockTests
* Make tests pass for InMemoryDistributedLockingMechanism, pretty hacky.
* Tweak constraints on WithCollectionBuilder so I can drop bad constructor
* Added SqliteDistributedLockingMechanism
* Dropped InMemoryDistributedMechanism + magic
InMemoryDistributedMechanism was pretty rubbish and now we have
a decent implementation for SQLite as we no longer block readers
see 8d1f42b.
Also drop the CollectionBuilder setup, instead do the same as we do
for syntax providers etc, it's more automagical so we never require an
explicit selection although we are allowing for it.
However keeping the optional IUmbracoBuilder constructor param for
CollectionBuilders as it's extremely useful.
* Fix quick install "" database name.
* Hide Database Configuration section when a connection string is pre-set.
Doesn't seem worth it to extract db name from connection string.
* Ensure wal test 2+
* Fix logging inconsistencies.
* Ensure in transaction when obtaining locks + no-op the SQLite read lock.
There's no point in running the query just to make a single test pass.
* Fix installer database display names
* Allow SQLite shared cache without losing deferred transactions
* Opt into shared cache for new SQLite databases + fix filename
* Fix misc inconsistency in .gitignore
* Prefer our interceptor interface
* Restore DEBUG_DATABASES code OnConnectionOpened in case it's used.
* Back to private cache.
* Added retry strategy for SQLite + refactor out SQL server specific stuff
* Fix SQL server tests.
* Misc - Orphaned comment, incorrect casing.
* InMemory SQLite test database & turn shared cache back on everywhere.
Co-authored-by: Niels Lyngsø <niels.lyngso@gmail.com>
* .NETCore & SQL Docker Image
https://github.com/microsoft/vscode-dev-containers/tree/master/containers/dotnet-mssql
* Set the C# extension aka Omnisharp to use the umbraco-netcore-only.sln
* A new script in the postCreate of the docker image to npm install client stuff and initial dotnet build of SLN to help just running straight away
* Remove bash script - doing npm install stuff & dotnet build was hard to see log output and taking longer for image to start
* Adds in port 9000 and friendly label
* Ensure user notified about auto port forward with notification
* Comment out image min of assets as causing problems and eating way too much time up atm - need to revisit
* Automated launch & tasks VSCode JSON files - updated to run client npm install and npm run build before running website
* Update .gitattributes for line ending help for codespaces
https://code.visualstudio.com/docs/remote/troubleshooting#_resolving-git-line-ending-issues-in-containers-resulting-in-many-modified-files
* Tidy up
* Remove npm install from the npm run build step - kinda annoying when you re-run it
* Rather every time attaching the debugger doing a full npm install, gulp dev and dotnet build is overkill, just build the SLN before debugging
* Update gitignore with casing rules
* Revert "Update .gitattributes for line ending help for codespaces"
This reverts commit 28316d1ba8a552751eef2f211b68531484344153.
* Sets the global user for npm as root
https://stackoverflow.com/a/45505787
* File permission stuff for NPM & Gifsicle binary source compilation from gulp-imagemin
* Revert "Comment out image min of assets as causing problems and eating way too much time up atm - need to revisit"
This reverts commit be48db9653bc58a69422d131b65955985e115e29.
* Add chromium-browser to try & get JS tests to run happy in CodeSpaces
* Set DB connection string & unattended install config to true so we can skip installer flow
* Add in ENV variables to setup the unattended install user
* Try to add SMTP4Dev from Bjarke Recommendation
* Need to specify the port mappings for SMTP4Dev
* Lovely syntax error in docker compose file
* Update ENV variables to renamed settings now this feature merged into NETCore branch by Bjarke
* Needed to match the hostname that SMTP4Dev was listening on, had assumed it would be reachable via localhost
* Fix folder naming to make UNIX happy running JS tests
Co-authored-by: Bjarke Berg <mail@bergmania.dk>