fix: remove subpath support for HD_BASE_URL

With this commit we drop the subpath support which results in the constraint that HedgeDoc must always run on the root of a domain. This makes a lot of things in testing, rendering and security much easier. Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2025-05-25 12:34:45 -04:00 · 2023-08-12 20:07:38 +02:00 · 2023-08-12 20:07:38 +02:00 · dccd58f0c1
commit dccd58f0c1
parent 7401791ec8
32 changed files with 111 additions and 116 deletions
--- a/commons/src/parse-url/errors.ts
+++ b/commons/src/parse-url/errors.ts
@ -4,9 +4,9 @@
 * SPDX-License-Identifier: AGPL-3.0-only
 */

-export class MissingTrailingSlashError extends Error {
+export class NoSubdirectoryAllowedError extends Error {
  constructor() {
-    super("Path doesn't end with a trailing slash")
+    super('Subdirectories are not allowed')
  }
 }

--- a/commons/src/parse-url/index.ts
+++ b/commons/src/parse-url/index.ts
@ -5,4 +5,4 @@
 */

 export { parseUrl } from './parse-url.js'
-export { MissingTrailingSlashError, WrongProtocolError } from './errors.js'
+export { NoSubdirectoryAllowedError, WrongProtocolError } from './errors.js'
--- a/commons/src/parse-url/parse-url.spec.ts
+++ b/commons/src/parse-url/parse-url.spec.ts
@ -3,7 +3,7 @@
 *
 * SPDX-License-Identifier: AGPL-3.0-only
 */
-import { MissingTrailingSlashError, WrongProtocolError } from './errors.js'
+import { NoSubdirectoryAllowedError, WrongProtocolError } from './errors.js'
 import { parseUrl } from './parse-url.js'
 import { describe, expect, it } from '@jest/globals'

@ -44,14 +44,14 @@ describe('validate url', () => {
        'http://example.org/'
      )
    })
-    it('accepts urls with with subpath and trailing slash', () => {
-      expect(parseUrl('http://example.org/asd/').get().toString()).toEqual(
-        'http://example.org/asd/'
-      )
+    it('declines urls with with subpath and trailing slash', () => {
+      expect(() =>
+        parseUrl('http://example.org/asd/').get().toString()
+      ).toThrow(NoSubdirectoryAllowedError)
    })
-    it("doesn't accept urls with with subpath and without trailing slash", () => {
+    it('declines urls with with subpath and without trailing slash', () => {
      expect(() => parseUrl('http://example.org/asd').get().toString()).toThrow(
-        MissingTrailingSlashError
+        NoSubdirectoryAllowedError
      )
    })
  })
--- a/commons/src/parse-url/parse-url.ts
+++ b/commons/src/parse-url/parse-url.ts
@ -3,7 +3,7 @@
 *
 * SPDX-License-Identifier: AGPL-3.0-only
 */
-import { MissingTrailingSlashError, WrongProtocolError } from './errors.js'
+import { NoSubdirectoryAllowedError, WrongProtocolError } from './errors.js'
 import { Optional } from '@mrdrogdrog/optional'

 /**
@ -12,7 +12,7 @@ import { Optional } from '@mrdrogdrog/optional'
 * @param {String | undefined} url the raw url
 * @return An {@link Optional} that contains the parsed URL or is empty if the raw value isn't a valid URL
 * @throws WrongProtocolError if the protocol of the URL isn't either http nor https
- * @throws MissingTrailingSlashError if the URL has a path that doesn't end with a trailing slash
+ * @throws NoSubdirectoryAllowedError if the URL has a path that doesn't end with a trailing slash
 */
 export function parseUrl(url: string | undefined): Optional<URL> {
  return createOptionalUrl(url)
@ -21,8 +21,8 @@ export function parseUrl(url: string | undefined): Optional<URL> {
      () => new WrongProtocolError()
    )
    .guard(
-      (value) => value.pathname.endsWith('/'),
-      () => new MissingTrailingSlashError()
+      (value) => value.pathname === '/',
+      () => new NoSubdirectoryAllowedError()
    )
 }