Add linked account creation from the Discord bot #301

Merged
merged 18 commits into from
Aug 10, 2024

Conversation

daanbreur
Contributor

Implements #300

@daanbreur
Contributor Author

Start of the implementation of the register and link feature. Migration has been made but needs some tuning and can be further optimized and duplicate code can be removed. Will also require more testing if old features haven't been broken.

…itation_link`.

It is preferred we unique this column, however whenever you accidentally dismiss the Discord bot and want to make a new token you can't. This is why we removed the unique constraint for now.
Graphql schema updated, hopefully this is right because windows/wsl
version of `yarn run codegen` likes to break the schema sometimes.
This commit implements the base of some utils that are required and the base of the command itself.
@daanbreur
Contributor Author

Discovered a little problem. Now you could make multiple invite codes that point to the same user and then use them separately and have the database error out. Possible to return the old code if this one already exists.

@daanbreur
Contributor Author

Another problem: with the conventional link command the command will automatically sync permissions for all CTFs after linking. Currently I have no idea how this can be implemented.

@daanbreur
Contributor Author

> Discovered a little problem. Now you could make multiple invite codes that point to the same user and then use them separately and have the database error out. Possible to return the old code if this one already exists.

Discord bot now checks if there is already an invitation token for the Discord id. If there is, it returns this token instead of making a new one. The database can now be put back to unique, and this eliminates the issue of invitation links for the same account causing errors and issues.

image

This commit implements fixes for the issues talked about in comment: TFNS#301 (comment)
Also changed the migration back to unique
Adds the Environment variables that are needed to configure the register
command and some explanation for them.
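The "return the existing token instead of inserting a second one" check from the comment above, with the unique constraint restored, as an added example that is not code from this PR or from CTFNote. Only the table `ctfnote_private.invitation_link` and its `discord_id` column come from the thread; the `token` and `role` columns, the constraint name, the function name and `gen_random_uuid()` (PostgreSQL 13+ or pgcrypto) are assumptions.

```sql
-- Added example, not CTFNote's own migration or query.
-- Restoring the constraint means the database, not only the bot, guarantees
-- one invitation link per Discord account.
ALTER TABLE ctfnote_private.invitation_link
  ADD CONSTRAINT invitation_link_discord_id_key UNIQUE (discord_id);

-- Idempotent issuance: the same Discord id always gets the same token back,
-- so a dismissed bot message never produces a second link. Column names
-- token/role and the function itself are assumed for this example.
CREATE OR REPLACE FUNCTION ctfnote_private.get_or_create_discord_invitation(
  p_discord_id text,
  p_role       text
) RETURNS text
LANGUAGE plpgsql AS $$
DECLARE
  v_token text;
BEGIN
  -- Fast path: a token for this Discord id already exists, hand it back.
  SELECT token INTO v_token
    FROM ctfnote_private.invitation_link
   WHERE discord_id = p_discord_id;
  IF FOUND THEN
    RETURN v_token;
  END IF;

  -- Slow path: insert a fresh token. If two bot interactions race here the
  -- unique constraint makes one INSERT fail; instead of surfacing that as a
  -- database error (the symptom described in the thread), re-read the row
  -- the other request just created and return that token.
  BEGIN
    INSERT INTO ctfnote_private.invitation_link (token, discord_id, role)
    VALUES (gen_random_uuid()::text, p_discord_id, p_role)
    RETURNING token INTO v_token;
  EXCEPTION WHEN unique_violation THEN
    SELECT token INTO v_token
      FROM ctfnote_private.invitation_link
     WHERE discord_id = p_discord_id;
  END;
  RETURN v_token;
END;
$$;

-- Constructed usage: a made-up Discord snowflake and an assumed role value.
SELECT ctfnote_private.get_or_create_discord_invitation('123456789012345678', 'user_member');
```

Calling the function twice with the same Discord id returns the same token both times; the unique violation is only reachable when two calls interleave between the SELECT and the INSERT.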
@daanbreur
Contributor Author

The message when the functionality has not been enabled.
image


Also added the check if you have the required role to create an account.

Message when you DO NOT have the role.
image

Message when you DO have the role
image

daanbreur added a commit to daanbreur/CTFNote that referenced this pull request Jul 25, 2024
Some general cleanup and fixes of todo's.
Also implemented the required checks and used data from the environment variables.
This command implements what showcased in issue message: TFNS#301 (comment)
@daanbreur daanbreur force-pushed the 300-account-creation-from-discord branch from 742ba4d to 841941d Compare July 25, 2024 19:23
@daanbreur
Contributor Author

Currently stuck at the "account syncing" part. Using the already existing /link your account would, after linking, automatically get all roles and access to ctfs. However with the stack we created we are kinda driven into a corner.

Within the discord-hooks we can hook into the RegisterWithToken GraphQL query that is being used. There is a problem that arose though: within this context we are the user user_postgraphile, except this isn't entirely true. The context we are in uses the user we used to call the GraphQL query, and since we are on the login we aren't any user and we are user_anonymous. This complicates our situation a bit.

For the discord role sync we need a few things, the ctfnote user-id of the just created user and that this user exists in the database.

With a setTimeout we can run code after the request lifecycle.
This is ugly, but it works. See also the comment in the code about this.

Solves the problem for TFNS#301 (comment)
Variable renaming for consistency.
The `getInvitationUrl` should return null in case of error instead of an empty string in order to clarify the error state.
It makes more sense to have it there. It was by accident placed in the before hook previously.
@JJ-8 JJ-8 self-requested a review August 4, 2024 15:25
@daanbreur daanbreur marked this pull request as ready for review August 4, 2024 16:22
Files reviewed: api/src/discord/commands/register.ts (outdated), api/src/plugins/discordHooks.ts
Collaborator

@JJ-8 JJ-8 left a comment


I tried to test everything and it works as expected. I made some changes to the code and it looks all good now. I prefer to delay the merging to next Saturday just in case, due to time constraints on my side.

@daanbreur
Contributor Author

> I tried to test everything and it works as expected. I made some changes to the code and it looks all good now. I prefer to delay the merging to next Saturday just in case, due to time constraints on my side.

All looks good, should reimplement this some day when we change the backend to something that allows for easier hooking.

LGTM (on Saturday)

@JJ-8 JJ-8 merged commit 7cfff57 into TFNS:main Aug 10, 2024
4 checks passed
ISnackable added a commit to ISnackable/CTFNote that referenced this pull request Aug 23, 2024
* Decreased task switcher density

* Update filled textbox styling

* Updated EditCtfDialog design

* Updated ImportCtfDialog design

* Updated InviteUserDialog design

* Updated ResetPasswordDialog design

* Updated SearchDialog design

* Resolved Vue warnings

* Updated TaskEditDialog design

* Updated solve task dialog design

* Update task and CTF deletion dialog design

* Updated TaskExportDialog design

* Formatted code

* Add delay to tooltips

* Formatted code

* Reduced code duplication for TaskBtnGroup component

* Force category tags to be in a row on TableDense layout

* Updated TaskImportDialog design

* Changed TableDense button group color scheme

* Re-add category tag wrapping

* Updated design of more dialogs

* Small spacing changes

* Added CTFTime icon to CTFTime URL/ID input fields

* Made padding more consistent

* Allow ctrl+k search dialog hotkey inside iframe

Since the iframe is hosted on the same domain as the parent iframe, we can freely inject anything we want in the iframe.
Therefore, we can control script execution and we use that to inject a specially crafted hotkeys-iframe.js file.
This sounds like an exploit, but actually it is just the hotkeys-js library code together with a simple `ctrl+k, command+k` shortcut definition
that posts a message to the parent frame that the search dialog should be shown.
The parent will now act accordingly.

Therefore, the search dialog shortcuts now also work on the Hedgedoc iframe pages.

* Serve hotkeys-iframe.js from a path from Hedgedoc to circumvent CSP

The Hedgedoc CSP is a good thing to have enabled.
But it breaks the JS injection done by CTFNote.
So now we just lie to the frontend that the file is hosted by Hedgedoc while it actually is hosted by CTFNote.

This should circumvent the CSP and allow script execution inside the iframe, even when the CSP is enabled.

* Swap order of import dialog columns to checkbox, title, tags

* Align categories to the right in task import dialog

* Add label to flag submission dialog input

* Replaced q-form with div in task import dialog

* Slightly increased density of task switcher menu

* Solved wrapping in navigation bar caused by category tags

* Hide tags in task switcher on small screens

* Resolved UI compiler warnings for TaskImportDialog

* Set indicator color of all tabs to secondary

* Redesigned login page

* Redesigned registration page

* Redesigned password reset page

* Set static width for all auth pages

* Make auth pages centered

* Hide CTFNote logo next to auth pages on smaller screens

* Always show CTFNote text in navigation bar on login screen

* Increase page padding on auth pages

* Display admin settings page in a single column on small screens

* Adjust padding of cards in registration settings

* Style inputs in registration settings

* Re-organize columns on registration settings to group registration and calendar settings separately

* Hide inputs for registration and calendar passwords when disabled

* Adjust padding of cards in profile settings

* Add icon support to color picker button

* Style inputs in profile settings

* Moved Change password to left column in profile settings

* Fix color picker button being too large in some cases

* Adjust padding for theme settings

* Update styling for registered users settings page

* Removed borders from cards in settings pages

* Added icons to notifications toggle

* Added Discord logo to CTFNote token field

* Undo auth page centering

* Make color picker icon appear white in light mode

* Merge tags list and condensed tags list into a single class

* Changed condensed tags list hidden count color to accent

* Updated task list toolbar design

* Removed rounded corners from CTF pages

* Made CTFTime link smaller

* Disabled weight badge click animation

* Adjusted spacing and layout on CTF info page

* Force tags to be lowercase in the frontend during parsing

The backend already enforces lowercase of the tags, but the frontend did not.
This could result in double challenge imports if you parse again.
Now after the custom parser, all tags are forced to be lower case and unique.

This fixes JJ-8#89

* Merge CTF edit and delete buttons on info page on small screens

* Remove separator between tabs and CTF pages

* Enable contextMenu by default on CTF admin menu

* Upgrade yarn and API dependencies

Two breaking changes:
1. graphql-upload-ts import was changed.
2. ical-generator `serve` method does not exist anymore. Replaced with writing manually to response.

* Update .prettierrc config for trailing comma

Otherwise the API files will all be beautified with extra commas.

* Vertically stack CTF description and credentials on small screens

* Upgrade frontend dependencies

* Format frontend files

* Fix frontend ESLint warnings

* Update frontend yarn cache

This makes sure that the frontend will live forever, even with npmjs.com downtime.

* Upgrade NodeJS in API and front Docker container

Otherwise it won't build.

* Use alpine NodeJS docker versions

* Fix Docker image format

* Bump @babel/traverse from 7.22.19 to 7.24.1 in /front

Bumps [@babel/traverse](https://github.com/babel/babel/tree/HEAD/packages/babel-traverse) from 7.22.19 to 7.24.1.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.24.1/packages/babel-traverse)

---
updated-dependencies:
- dependency-name: "@babel/traverse"
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* Update install-state.gz due to dependabot upgrade

* Upgrade top most yarn files

* Make start and end time text on CTF info page white on light mode

* Increased width of auth screens to make UUID tokens fit

* Made all table headers lowercase on admin user settings page

* Moved role column in admin user settings to the left of the username column

* Prepended # to pad URL in task iframe, fixes TFNS#96

* Remove newline from last paragraph in descriptions on CTF info page

* Redesigned error page for unknown task IDs

* Redesigned CTF guest settings page

* Adjusted padding for CTF info badges

* Removed description on error page for unknown task IDs

* Focus input before opening animation finishes in global search dialog

* Focus input before opening animation finishes in solve task popup

* Moved edit and delete buttons next to CTF title on info page

* Fixed spacing issues below description/credentials on CTF info page

* Removed description from CTF guest settings

* Increased Discord event link input width

* Made full table rows clickable on past CTFs page

* Removed padding from past CTFs card

* Made past CTFs table dense

* Increased rows per page options for past CTFs table

* Made rows per page setting for past CTFs table persistent

* Added custom shortcuts to HedgeDoc editor

* Hide search dialog when pressing esc

In the old implementation you can only dismiss the search dialog
by unfocusing it and then pressing esc, or by clicking outside the dialog area.
This is not keyboard friendly, so we introduce a new shortcut that hides the search dialog
by just pressing the esc button.

* Increased Nginx upload limit to 5MB

* Only allow one solve task dialog to be opened at most

* Set nginx upload max size in hosting instructions

This corresponds to the outer-nginx and may also need to be set
before the change will actually be effective.

* Make max upload size a global in the inner-nginx config

With this it will apply to all requests done, so also the /uploads endpoint
and not only the endpoint for Hedgedoc.

* Added shortcut for opening solve task dialog

* Added component to preview key combinations for shortcuts

* Replace modifier keys on macOS with symbols

* Made search dialog use ShortcutPreview component

* Made solve task dialog use custom component

* Renamed ShortcutPreview to ShortcutHint

* Added shortcut hint to solve task dialog when opened on task pages

* Fixed flag not updating in task solve dialog when opened using shortcut

* Insert iframe hotkey script on task page during iframe load instead of onMounted

* Remove no-backdrop-dismiss from task solve dialog

* Fix Discord event link hanging issue

When a sync has been performed, the old implementation causes a release of the database PoolClient, causing any future database operation to fail.
This is due to the event sync code being triggered from the context of GraphQL queries instead of a separate context when an incoming event from Discord is processed.

The code has now been rewritten to take the context.pgClient database client which is the current GraphQL pgClient.
This client is used in all database operations and not released so it can be used in the future.
This will stop the hanging of the server when a Discord event link sync is done.

This issue was only reliably reproducible with quite some members interested in an event. I tested this with 13 people interested.

In the future we should rewrite this code to always take a pgClient in the database code and create a new pgClient at a higher level when not available and otherwise always use the context.pgClient.
At lower levels we should not be caring about releasing or not because this can only cause issues.

* Set docker-compose images back to upstream

* Remove accidental paste in README

* Add back manual workflow trigger

This is useful for testing if a branch builds.

* Update husky dependency

* Update contribution guidelines and mention Discord server

* Fix line endings

* Drop Node 16 test

* Fix `any` return type of discord.js ActionRowBuilder

* Regenerate graphql bindings

* yarn --frozen-lockfile is deprecated

* Fix `any` usage partly

The query results should be type checked properly in the future.

* Run prettier on api

* Upgrade used actions to use node 20

https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/

* Bump postcss from 8.4.29 to 8.4.38 in /front

Bumps [postcss](https://github.com/postcss/postcss) from 8.4.29 to 8.4.38.
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.4.29...8.4.38)

---
updated-dependencies:
- dependency-name: postcss
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* Create dependabot.yml

Config was created by @peace-maker through Discord. It should revive the Dependabot.

* Update install-state.gz for Dependabot

This is what I get when I run yarn myself. Don't know why Dependabot does not commit this already.

* Bump tar from 6.2.0 to 6.2.1 in /api

Bumps [tar](https://github.com/isaacs/node-tar) from 6.2.0 to 6.2.1.
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v6.2.0...v6.2.1)

---
updated-dependencies:
- dependency-name: tar
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump express from 4.19.1 to 4.19.2 in /api

Bumps [express](https://github.com/expressjs/express) from 4.19.1 to 4.19.2.
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](expressjs/express@4.19.1...4.19.2)

---
updated-dependencies:
- dependency-name: express
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump typescript from 5.4.3 to 5.4.5 in /api

Bumps [typescript](https://github.com/Microsoft/TypeScript) from 5.4.3 to 5.4.5.
- [Release notes](https://github.com/Microsoft/TypeScript/releases)
- [Changelog](https://github.com/microsoft/TypeScript/blob/main/azure-pipelines.release.yml)
- [Commits](microsoft/TypeScript@v5.4.3...v5.4.5)

---
updated-dependencies:
- dependency-name: typescript
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump ip from 2.0.0 to 2.0.1 in /api

Bumps [ip](https://github.com/indutny/node-ip) from 2.0.0 to 2.0.1.
- [Commits](indutny/node-ip@v2.0.0...v2.0.1)

---
updated-dependencies:
- dependency-name: ip
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* Rename ECSC parser to ECSC2021

* Add CINI parser (ECSC 2024)

* Bump braces from 3.0.2 to 3.0.3 in /api

Bumps [braces](https://github.com/micromatch/braces) from 3.0.2 to 3.0.3.
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](micromatch/braces@3.0.2...3.0.3)

---
updated-dependencies:
- dependency-name: braces
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump @typescript-eslint/parser from 7.3.1 to 7.16.0 in /api

Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 7.3.1 to 7.16.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v7.16.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Add base of the hitcon parser for ctfnote

* import hitcon parser

* Fix HITCON parser

The isValid function has been updated to match the correct data and imports are fixed.

* Fix formatting issues in hitcon.ts

* Fix isValid of CINI parser

* Drop ECSC2021/2022 parser

The parser was introduced in TFNS#184
but I don't think anyone will be using this parser since the project has been dead for years
and ENISA is not using this gameboard in the last couple of years.
Since it conflicts with the parsing of the other CTF formats, it is better to drop it and reintroduce it when necessary.

* Bump braces from 3.0.2 to 3.0.3 in /front

Bumps [braces](https://github.com/micromatch/braces) from 3.0.2 to 3.0.3.
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](micromatch/braces@3.0.2...3.0.3)

---
updated-dependencies:
- dependency-name: braces
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump tar from 6.2.0 to 6.2.1 in /front

Bumps [tar](https://github.com/isaacs/node-tar) from 6.2.0 to 6.2.1.
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v6.2.0...v6.2.1)

---
updated-dependencies:
- dependency-name: tar
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump webpack-dev-middleware from 5.3.3 to 5.3.4 in /front

Bumps [webpack-dev-middleware](https://github.com/webpack/webpack-dev-middleware) from 5.3.3 to 5.3.4.
- [Release notes](https://github.com/webpack/webpack-dev-middleware/releases)
- [Changelog](https://github.com/webpack/webpack-dev-middleware/blob/v5.3.4/CHANGELOG.md)
- [Commits](webpack/webpack-dev-middleware@v5.3.3...v5.3.4)

---
updated-dependencies:
- dependency-name: webpack-dev-middleware
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* Fixed .yarn exclusion rules inside of the .gitignore to make them compliant. Added rules to .gitattributes

* Created .vscode folder with config to hide yarn from search

* Add migration for the discord_integration_enabled field in ctfnote.settings

* Add code to sync the discord use from the config to the database.

* Make sure discord_integration_enabled is not null.

* Maybe it's a good idea to grant the correct user....

* Add checks to the pages with Discord

* Run codegen for graphql schema.

For some reason codegen deleted a lot of things, let's hope nothing bad happens

* Spelling fixes.

* Simplified v-if to v-else

* GraphQL schema files fixed.

* Fixes that user_admin could write to ctfnote.settings.discord_integration_enabled

* Bump quasar from 2.15.1 to 2.16.6 in /front

Bumps [quasar](https://github.com/quasarframework/quasar) from 2.15.1 to 2.16.6.
- [Release notes](https://github.com/quasarframework/quasar/releases)
- [Commits](quasarframework/quasar@quasar-v2.15.1...quasar-v2.16.6)

---
updated-dependencies:
- dependency-name: quasar
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Fix Quasar build issues

"@quasar/app-webpack": "^3.13.2",
This package had to be this version to fix the issue.

* Create migration for account invitation with Discord link

* Removes the unique constraint from discord_id in `ctfnote_private.invitation_link`.

It is preferred we unique this column, however whenever you accidentally dismiss the Discord bot and want to make a new token you can't. This is why we removed the unique constraint for now.

* Update the GraphQL schema

Graphql schema updated, hopefully this is right because windows/wsl
version of `yarn run codegen` likes to break the schema sometimes.

* Add base implementation of register command.

This commit implements the base of some utils that are required and the base of the command itself.

* Add checks to make sure user only has one token.

This commit implements fixes for the issues talked about in comment: TFNS#301 (comment)
Also changed the migration back to unique

* Add ENV vars for configuring register command.

Adds the Environment variables that are needed to configure the register
command and some explanation for them.

* Adds checks to register command and some cleanup

Some general cleanup and fixes of todo's.
Also implemented the required checks and used data from the environment variables.
This command implements what showcased in issue message: TFNS#301 (comment)

* Add role sync after `/register` command

With a setTimeout we can run code after the request lifecycle.
This is ugly, but it works. See also the comment in the code about this.

Solves the problem for TFNS#301 (comment)

* Refactor AllowedRoles to enum of strings

* Rename variables and change signature of functions

Variable renaming for consistency.
The `getInvitationUrl` should return null in case of error instead of an empty string in order to clarify the error state.

* Move the registerWithToken role sync to the after mutation hook

It makes more sense to have it there. It was by accident placed in the before hook previously.

* Improve Discord messages text

* Add strict 'true' check for Discord registration

* Small text improvements

* Improve `/register` output even more

* Add comments to sql migration file

* Rename registration logic function to match command name

* format fix

* Autofocus username field on login and registration

This makes it possible to have a login / registration flow easily by only keyboard.

* Fix missing environment variables for Discord registration

These were missing in the docker-compose.yml file.
Without these it is not possible to configure the options for the `/register` command.

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: markfijneman <48481393+markfijneman@users.noreply.github.com>
Co-authored-by: JJ-8 <34778827+JJ-8@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Peace-Maker <peacemakerctf@gmail.com>
Co-authored-by: Alexandre Iooss <erdnaxe@crans.org>
Co-authored-by: Daan Breur <daanbreur@gmail.com>
Co-authored-by: Daan Breur <git@daanbreur.systems>
ISnackable added a commit to ISnackable/CTFNote that referenced this pull request Aug 23, 2024
* Decreased task switcher density

* Update filled textbox styling

* Updated EditCtfDialog design

* Updated ImportCtfDialog design

* Updated InviteUserDialog design

* Updated ResetPasswordDialog design

* Updated SearchDialog design

* Resolved Vue warnings

* Updated TaskEditDialog design

* Updated solve task dialog design

* Update task and CTF deletion dialog design

* Updated TaskExportDialog design

* Formatted code

* Add delay to tooltips

* Formatted code

* Reduced code duplication for TaskBtnGroup component

* Force category tags to be in a row on TableDense layout

* Updated TaskImportDialog design

* Changed TableDense button group color scheme

* Re-add category tag wrapping

* Updated design of more dialogs

* Small spacing changes

* Added CTFTime icon to CTFTime URL/ID input fields

* Made padding more consistent

* Allow ctrl+k search dialog hotkey inside iframe

Since the iframe is hosted on the same domain as the parent iframe, we can freely inject anything we want in the iframe.
Therefore, we can control script execution and we use that to inject a specially crafted hotkeys-iframe.js file.
This sounds like an exploit, but actually it is just the hotkeys-js library code together with a simple `ctrl+k, command+k` shortcut definition
that posts a message to the parent frame that the search dialog should be shown.
The parent will now act accordingly.

Therefore, the search dialog shortcuts now also work on the Hedgedoc iframe pages.

* Serve hotkeys-iframe.js from a path from Hedgedoc to circumvent CSP

The Hedgedoc CSP is a good thing to have enabled.
But it breaks the JS injection done by CTFNote.
So now we just lie to the frontend that the file is hosted by Hedgedoc while it actually is hosted by CTFNote.

This should circumvent the CSP and allow script execution inside the iframe, even when the CSP is enabled.

* Swap order of import dialog columns to checkbox, title, tags

* Align categories to the right in task import dialog

* Add label to flag submission dialog input

* Replaced q-form with div in task import dialog

* Slightly increased density of task switcher menu

* Solved wrapping in navigation bar caused by category tags

* Hide tags in task switcher on small screens

* Resolved UI compiler warnings for TaskImportDialog

* Set indicator color of all tabs to secondary

* Redesigned login page

* Redesigned registration page

* Redesigned password reset page

* Set static width for all auth pages

* Make auth pages centered

* Hide CTFNote logo next to auth pages on smaller screens

* Always show CTFNote text in navigation bar on login screen

* Increase page padding on auth pages

* Display admin settings page in a single column on small screens

* Adjust padding of cards in registration settings

* Style inputs in registration settings

* Re-organize columns on registration settings to group registration and calendar settings separately

* Hide inputs for registration and calendar passwords when disabled

* Adjust padding of cards in profile settings

* Add icon support to color picker button

* Style inputs in profile settings

* Moved Change password to left column in profile settings

* Fix color picker button being too large in some cases

* Adjust padding for theme settings

* Update styling for registered users settings page

* Removed borders from cards in settings pages

* Added icons to notifications toggle

* Added Discord logo to CTFNote token field

* Undo auth page centering

* Make color picker icon appear white in light mode

* Merge tags list and condensed tags list into a single class

* Changed condensed tags list hidden count color to accent

* Updated task list toolbar design

* Removed rounded corners from CTF pages

* Made CTFTime link smaller

* Disabled weight badge click animation

* Adjusted spacing and layout on CTF info page

* Force tags to be lowercase in the frontend during parsing

The backend already enforces lowercase of the tags, but the frontend did not.
This could result in double challenge imports if you parse again.
Now after the custom parser, all tags are forced to be lower case and unique.

This fixes JJ-8#89

* Merge CTF edit and delete buttons on info page on small screens

* Remove separator between tabs and CTF pages

* Enable contextMenu by default on CTF admin menu

* Upgrade yarn and API dependencies

Two breaking changes:
1. graphql-upload-ts import was changed.
2. ical-generator `serve` method does not exist anymore. Replaced with writing manually to response.

* Update .prettierrc config for trailing comma

Otherwise the API files will all be beautified with extra comma's.

* Vertically stack CTF description and credentials on small screens

* Upgrade frontend dependencies

* Format frontend files

* Fix frontend ESLint warnings

* Update frontend yarn cache

This makes sure that the frontend will live forever, even with npmjs.com downtime.

* Upgrade NodeJS in API and front Docker container

Otherwise it won't build.

* Use alpine NodeJS docker versions

* Fix Docker image format

* Bump @babel/traverse from 7.22.19 to 7.24.1 in /front

Bumps [@babel/traverse](https://github.com/babel/babel/tree/HEAD/packages/babel-traverse) from 7.22.19 to 7.24.1.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.24.1/packages/babel-traverse)

---
updated-dependencies:
- dependency-name: "@babel/traverse"
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* Update install-state.gz due to dependabot upgrade

* Upgrade top most yarn files

* Make start and end time text on CTF info page white on light mode

* Increased width of auth screens to make UUID tokens fit

* Made all table headers lowercase on admin user settings page

* Moved role column in admin user settings to the left of the username column

* Prepended # to pad URL in task iframe, fixes TFNS#96

* Remove newline from last paragraph in descriptions on CTF info page

* Redesigned error page for unknown task IDs

* Redesigned CTF guest settings page

* Adjusted padding for CTF info badges

* Removed description on error page for unknown task IDs

* Focus input before opening animation finishes in global search dialog

* Focus input before opening animation finishes in solve task popup

* Moved edit and delete buttons next to CTF title on info page

* Fixed spacing issues below description/credentials on CTF info page

* Removed description from CTF guest settings

* Increased Discord event link input width

* Made full table rows clickable on past CTFs page

* Removed padding from past CTFs card

* Made past CTFs table dense

* Increased rows per page options for past CTFs table

* Made rows per page setting for past CTFs table persistent

* Added custom shortcuts to HedgeDoc editor

* Hide search dialog when pressing esc

In the old implementation you can only dismiss the search dialog
by unfocusing it and then pressing esc or clicking outside the dialog area.
This is not keyboard friendly so we introduce a new shortcut that hides the search dialog
by just pressing the esc button.

* Increased Nginx upload limit to 5MB

* Only allow one solve task dialog to be opened at most

* Set nginx upload max size in hosting instructions

This corresponds to the outer-nginx and may also need to be set
before the change will actually be effective.

* Make max upload size a global in the inner-nginx config

With this it will apply to all requests done, so also the /uploads endpoint
and not only the endpoint for Hedgedoc.

* Added shortcut for opening solve task dialog

* Added component to preview key combinations for shortcuts

* Replace modifier keys on macOS with symbols

* Made search dialog use ShortcutPreview component

* Made solve task dialog use custom component

* Renamed ShortcutPreview to ShortcutHint

* Added shortcut hint to solve task dialog when opened on task pages

* Fixed flag not updating in task solve dialog when opened using shortcut

* Insert iframe hotkey script on task page during iframe load instead of onMounted

* Remove no-backdrop-dismiss from task solve dialog

* Fix Discord event link hanging issue

When a sync has been performed, the old implementation causes a release of the database PoolClient, causing any future database operation to fail.
This is due to the event sync code being triggered from the context of GraphQL queries instead of a separate context when an incoming event from Discord is processed.

The code has now been rewritten to take the context.pgClient database client which is the current GraphQL pgClient.
This client is used in all database operations and not released so it can be used in the future.
This will stop the hanging of the server when a Discord event link sync is done.

This issue was only reliably reproducible with quite some members interested in an event. I tested this with 13 people interested.

In the future we should rewrite this code to always take a pgClient in the database code and create a new pgClient at a higher level when not available and otherwise always use the context.pgClient.
At lower levels we should not be caring about releasing or not because this can only cause issues.

* Set docker-compose images back to upstream

* Remove accidental paste in README

* Add back manual workflow trigger

This is useful for testing if a branch builds.

* Update husky dependency

* Update contribution guidelines and mention Discord server

* Fix line endings

* Drop Node 16 test

* Fix `any` return type of discord.js ActionRowBuilder

* Regenerate graphql bindings

* yarn --frozen-lockfile is deprecated

* Fix `any` usage partly

The query results should be type checked properly in the future.

* Run prettier on api

* Upgrade used actions to use node 20

https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/

* Bump postcss from 8.4.29 to 8.4.38 in /front

Bumps [postcss](https://github.com/postcss/postcss) from 8.4.29 to 8.4.38.
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.4.29...8.4.38)

---
updated-dependencies:
- dependency-name: postcss
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* Create dependabot.yml

Config was created by @peace-maker through Discord. It should revive the Dependabot.

* Update install-state.gz for Dependabot

This is what I get when I run yarn myself. Don't know why Dependabot does not commit this already.

* Bump tar from 6.2.0 to 6.2.1 in /api

Bumps [tar](https://github.com/isaacs/node-tar) from 6.2.0 to 6.2.1.
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v6.2.0...v6.2.1)

---
updated-dependencies:
- dependency-name: tar
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump express from 4.19.1 to 4.19.2 in /api

Bumps [express](https://github.com/expressjs/express) from 4.19.1 to 4.19.2.
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](expressjs/express@4.19.1...4.19.2)

---
updated-dependencies:
- dependency-name: express
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump typescript from 5.4.3 to 5.4.5 in /api

Bumps [typescript](https://github.com/Microsoft/TypeScript) from 5.4.3 to 5.4.5.
- [Release notes](https://github.com/Microsoft/TypeScript/releases)
- [Changelog](https://github.com/microsoft/TypeScript/blob/main/azure-pipelines.release.yml)
- [Commits](microsoft/TypeScript@v5.4.3...v5.4.5)

---
updated-dependencies:
- dependency-name: typescript
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump ip from 2.0.0 to 2.0.1 in /api

Bumps [ip](https://github.com/indutny/node-ip) from 2.0.0 to 2.0.1.
- [Commits](indutny/node-ip@v2.0.0...v2.0.1)

---
updated-dependencies:
- dependency-name: ip
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* Rename ECSC parser to ECSC2021

* Add CINI parser (ECSC 2024)

* Bump braces from 3.0.2 to 3.0.3 in /api

Bumps [braces](https://github.com/micromatch/braces) from 3.0.2 to 3.0.3.
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](micromatch/braces@3.0.2...3.0.3)

---
updated-dependencies:
- dependency-name: braces
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump @typescript-eslint/parser from 7.3.1 to 7.16.0 in /api

Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 7.3.1 to 7.16.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v7.16.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Add base of the hitcon parser for ctfnote

* import hitcon parser

* Fix HITCON parser

The isValid function has been updated to match the correct data and imports are fixed.

* Fix formatting issues in hitcon.ts

* Fix isValid of CINI parser

* Drop ECSC2021/2022 parser

The parser was introduced in TFNS#184
but I don't think anyone will be using this parser since the project is dead for years
and ENISA is not using this gameboard in the last couple of years.
Since it conflicts with the parsing of the other CTF formats, it is better to drop it and reintroduce it when necessary.

* Bump braces from 3.0.2 to 3.0.3 in /front

Bumps [braces](https://github.com/micromatch/braces) from 3.0.2 to 3.0.3.
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](micromatch/braces@3.0.2...3.0.3)

---
updated-dependencies:
- dependency-name: braces
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump tar from 6.2.0 to 6.2.1 in /front

Bumps [tar](https://github.com/isaacs/node-tar) from 6.2.0 to 6.2.1.
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v6.2.0...v6.2.1)

---
updated-dependencies:
- dependency-name: tar
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump webpack-dev-middleware from 5.3.3 to 5.3.4 in /front

Bumps [webpack-dev-middleware](https://github.com/webpack/webpack-dev-middleware) from 5.3.3 to 5.3.4.
- [Release notes](https://github.com/webpack/webpack-dev-middleware/releases)
- [Changelog](https://github.com/webpack/webpack-dev-middleware/blob/v5.3.4/CHANGELOG.md)
- [Commits](webpack/webpack-dev-middleware@v5.3.3...v5.3.4)

---
updated-dependencies:
- dependency-name: webpack-dev-middleware
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* Fixed .yarn exclusion rules inside of the .gitignore to make them compliant. Added rules to .gitattributes

* Created .vscode folder with config to hide yarn from search

* Add migration for the discord_integration_enabled field in ctfnote.settings

* Add code to sync the discord use from the config to the database.

* Make sure discord_integration_enabled is not null.

* Maybe its a good idea to grant the correct user....

* Add checks to the pages with Discord

* Run codegen for graphql schema.

For some reason codegen deleted a lot of things, lets hope nothing bad happens

* Spelling fixes.

* Simplified v-if to v-else

* GraphQL schema files fixed.

* Fixes that user_admin could write to ctfnote.settings.discord_integration_enabled

* Bump quasar from 2.15.1 to 2.16.6 in /front

Bumps [quasar](https://github.com/quasarframework/quasar) from 2.15.1 to 2.16.6.
- [Release notes](https://github.com/quasarframework/quasar/releases)
- [Commits](quasarframework/quasar@quasar-v2.15.1...quasar-v2.16.6)

---
updated-dependencies:
- dependency-name: quasar
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Fix Quasar build issues

"@quasar/app-webpack": "^3.13.2",
This package had to be this version to fix the issue.

* Create migration for account invitation with Discord link

* Removes the unique constraint from discord_id in `ctfnote_private.invitation_link`.

It is preferred we make this column unique, however whenever you accidentally dismiss the Discord bot and want to make a new token you can't. This is why we removed the unique constraint for now.

* Update the GraphQL schema

Graphql schema updated, hopefully this is right because windows/wsl
version of `yarn run codegen` likes to break the schema sometimes.

* Add base implementation of register command.

This commit implements the base of some utils that are required and the base of the command itself.

* Add checks to make sure user only has one token.

This commit implements fixes for the issues talked about in comment: TFNS#301 (comment)
Also changed the migration back to unique

* Add ENV vars for configuring register command.

Adds the Environment variables that are needed to configure the register
command and some explanation for them.

* Adds checks to register command and some cleanup

Some general cleanup and fixes of todos.
Also implemented the required checks and used data from the environment variables.
This command implements what is showcased in issue message: TFNS#301 (comment)

* Add role sync after `/register` command

With a setTimeout we can run code after the request lifecycle.
This is ugly, but it works. See also the comment in the code about this.

Solves the problem for TFNS#301 (comment)

* Refactor AllowedRoles to enum of strings

* Rename variables and change signature of functions

Variable renaming for consistency.
The `getInvitationUrl` should return null in case of error instead of an empty string in order to clarify the error state.

* Move the registerWithToken role sync to the after mutation hook

It makes more sense to have it there. It was by accident placed in the before hook previously.

* Improve Discord messages text

* Add strict 'true' check for Discord registration

* Small text improvements

* Improve `/register` output even more

* Add comments to sql migration file

* Rename registration logic function to match command name

* format fix

* Autofocus username field on login and registration

This makes it possible to have a login / registration flow easily by only keyboard.

* Fix missing environment variables for Discord registration

These were missing in the docker-compose.yml file.
Without these it is not possible to configure the options for the `/register` command.

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: markfijneman <48481393+markfijneman@users.noreply.github.com>
Co-authored-by: JJ-8 <34778827+JJ-8@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Peace-Maker <peacemakerctf@gmail.com>
Co-authored-by: Alexandre Iooss <erdnaxe@crans.org>
Co-authored-by: Daan Breur <daanbreur@gmail.com>
Co-authored-by: Daan Breur <git@daanbreur.systems>
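The "Fix Discord event link hanging issue" commit above describes a pool client being released from inside the GraphQL request context, so every later query on that request's `context.pgClient` failed, and proposes always threading a client through the database code and only creating one at a higher level when none is available. The following is an added example of that ownership rule, written for this page and not code from the CTFNote repository: `withPgClient` reuses a caller-supplied client untouched and only acquires and releases a client it created itself. `PgClientLike`, `MockPool` and the three `run*` functions are constructed here for an offline demonstration and are assumptions, not the project's API; the `MockPool` stands in for a node-postgres `Pool` so the block runs without a database.

```typescript
// Minimal shape of a node-postgres pool client as used by this example.
interface PgClientLike {
  query(sql: string, params?: unknown[]): Promise<{ rows: unknown[] }>;
  release(): void;
}

interface PoolLike {
  connect(): Promise<PgClientLike>;
}

// Ownership rule: whoever acquires a client releases it, nobody else.
// A client handed in (the GraphQL context's pgClient) is borrowed and is
// returned to the caller still open; a client acquired here is released here.
export async function withPgClient<T>(
  pool: PoolLike,
  existing: PgClientLike | undefined,
  fn: (client: PgClientLike) => Promise<T>,
): Promise<T> {
  if (existing) {
    return fn(existing);
  }
  const client = await pool.connect();
  try {
    return await fn(client);
  } finally {
    client.release();
  }
}

// Constructed mock pool: counts acquisitions/releases and turns a query on a
// released client (or a double release) into an error, which is what the
// real pool does after the client has gone back to the pool.
export class MockPool implements PoolLike {
  public acquired = 0;
  public released = 0;

  async connect(): Promise<PgClientLike> {
    this.acquired++;
    const pool = this;
    let open = true;
    return {
      async query(_sql: string, _params?: unknown[]) {
        if (!open) throw new Error("query on released client");
        return { rows: [] };
      },
      release() {
        if (!open) throw new Error("double release");
        open = false;
        pool.released++;
      },
    };
  }
}

// Simulates a GraphQL mutation that triggers the event sync: the context
// client is used before, during and after the sync and stays usable.
export async function runMutationWithSharedClient(
  pool: MockPool,
): Promise<{ acquired: number; released: number; ok: boolean }> {
  const contextClient = await pool.connect();
  let ok = false;
  try {
    await contextClient.query("select 1");
    await withPgClient(pool, contextClient, (c) => c.query("update event_sync set done = true"));
    await contextClient.query("select 2"); // still open: the sync did not release it
    ok = true;
  } catch {
    ok = false;
  } finally {
    contextClient.release(); // the request lifecycle ends here, and only here
  }
  return { acquired: pool.acquired, released: pool.released, ok };
}

// Simulates the pre-fix behaviour: the sync code releases the client it was
// handed, and the next query on the request fails.
export async function runMutationReleasingSharedClient(pool: MockPool): Promise<boolean> {
  const contextClient = await pool.connect();
  await contextClient.query("select 1");
  await contextClient.query("update event_sync set done = true");
  contextClient.release(); // the bug: releasing a borrowed client
  try {
    await contextClient.query("select 2");
    return true;
  } catch {
    return false;
  }
}

// Simulates the Discord event handler path, where no request context exists:
// the helper acquires its own client and hands it back when done.
export async function runStandalone(pool: MockPool): Promise<{ acquired: number; released: number }> {
  await withPgClient(pool, undefined, (c) => c.query("select 1"));
  return { acquired: pool.acquired, released: pool.released };
}
```

Running the three scenarios shows the difference the commit message describes: the shared-client path makes one acquisition and one release and every query succeeds; the pre-fix path fails on the query after the sync; the standalone path acquires and releases exactly once on its own.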