Merge branch 'gitroomhq:main' into main

Author: rafgpereira

.env.example

@@ -1,9 +1,11 @@
 # Configuration reference: http://docs.postiz.com/configuration/reference
 
-# === Required Settings
+# === Required Settings 
 DATABASE_URL="postgresql://postiz-user:postiz-password@localhost:5432/postiz-db-local"
 REDIS_URL="redis://localhost:6379"
 JWT_SECRET="random string for your JWT secret, make it long"
+
+# === This needs to be exactly the URL you're accessing Postiz on.
 FRONTEND_URL="http://localhost:4200"
 NEXT_PUBLIC_BACKEND_URL="http://localhost:3000"
 BACKEND_INTERNAL_URL="http://localhost:3000"
@@ -77,6 +79,7 @@ MASTODON_CLIENT_SECRET=""
 OPENAI_API_KEY=""
 NEXT_PUBLIC_DISCORD_SUPPORT=""
 NEXT_PUBLIC_POLOTNO=""
+NOT_SECURED=false
 
 # Payment settings
 FEE_AMOUNT=0.05

.gitignore

@@ -16,6 +16,7 @@ node_modules
 *.launch
 .settings/
 *.sublime-workspace
+.vscode/*
 
 # IDE - VSCode
 .vscode/*

.vscode/extensions.json

@@ -9,8 +9,7 @@ The Postiz app is committed to ensuring the security and integrity of our users'
 If you discover a security vulnerability in the Postiz app, please report it to us privately via email to one of the maintainers:
 
 * @nevo-david
-* @jamesread ([email](mailto:contact@jread.com))
-* @jonathan-irvin ([email](mailto:offendingcommit@gmail.com))
+* @egelhaus ([email](mailto:gelhausenno@outlook.de))
 
 When reporting a security vulnerability, please provide as much detail as possible, including:
 

SECURITY.md

@@ -28,6 +28,7 @@ import { RootController } from '@gitroom/backend/api/routes/root.controller';
 import { TrackService } from '@gitroom/nestjs-libraries/track/track.service';
 import { ShortLinkService } from '@gitroom/nestjs-libraries/short-linking/short.link.service';
 import { Nowpayments } from '@gitroom/nestjs-libraries/crypto/nowpayments';
+import { WebhookController } from '@gitroom/backend/api/routes/webhooks.controller';
 
 const authenticatedController = [
   UsersController,
@@ -42,6 +43,7 @@ const authenticatedController = [
   MessagesController,
   CopilotController,
   AgenciesController,
+  WebhookController,
 ];
 @Module({
   imports: [

apps/backend/src/api/api.module.ts

@@ -28,6 +28,12 @@ export class AuthController {
     private _authService: AuthService,
     private _emailService: EmailService
   ) {}
+
+  @Get('/can-register')
+  async canRegister() {
+    return { register: await this._authService.canRegister() };
+  }
+
   @Post('/register')
   async register(
     @Req() req: Request,
@@ -60,20 +66,36 @@ export class AuthController {
 
       response.cookie('auth', jwt, {
         domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-        secure: true,
-        httpOnly: true,
-        sameSite: 'none',
+        ...(!process.env.NOT_SECURED
+          ? {
+              secure: true,
+              httpOnly: true,
+              sameSite: 'none',
+            }
+          : {}),
         expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
       });
 
+      if (process.env.NOT_SECURED) {
+        response.header('auth', jwt);
+      }
+
       if (typeof addedOrg !== 'boolean' && addedOrg?.organizationId) {
         response.cookie('showorg', addedOrg.organizationId, {
           domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-          secure: true,
-          httpOnly: true,
-          sameSite: 'none',
+          ...(!process.env.NOT_SECURED
+            ? {
+                secure: true,
+                httpOnly: true,
+                sameSite: 'none',
+              }
+            : {}),
           expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
         });
+
+        if (process.env.NOT_SECURED) {
+          response.header('showorg', addedOrg.organizationId);
+        }
       }
 
       response.header('onboarding', 'true');
@@ -108,20 +130,36 @@ export class AuthController {
 
       response.cookie('auth', jwt, {
         domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-        secure: true,
-        httpOnly: true,
-        sameSite: 'none',
+        ...(!process.env.NOT_SECURED
+          ? {
+              secure: true,
+              httpOnly: true,
+              sameSite: 'none',
+            }
+          : {}),
         expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
       });
 
+      if (process.env.NOT_SECURED) {
+        response.header('auth', jwt);
+      }
+
       if (typeof addedOrg !== 'boolean' && addedOrg?.organizationId) {
         response.cookie('showorg', addedOrg.organizationId, {
           domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-          secure: true,
-          httpOnly: true,
-          sameSite: 'none',
+          ...(!process.env.NOT_SECURED
+            ? {
+                secure: true,
+                httpOnly: true,
+                sameSite: 'none',
+              }
+            : {}),
           expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
         });
+
+        if (process.env.NOT_SECURED) {
+          response.header('showorg', addedOrg.organizationId);
+        }
       }
 
       response.header('reload', 'true');
@@ -172,12 +210,20 @@ export class AuthController {
 
     response.cookie('auth', activate, {
       domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-      secure: true,
-      httpOnly: true,
-      sameSite: 'none',
+      ...(!process.env.NOT_SECURED
+        ? {
+            secure: true,
+            httpOnly: true,
+            sameSite: 'none',
+          }
+        : {}),
       expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
     });
 
+    if (process.env.NOT_SECURED) {
+      response.header('auth', activate);
+    }
+
     response.header('onboarding', 'true');
     return response.status(200).send({ can: true });
   }
@@ -195,12 +241,20 @@ export class AuthController {
 
     response.cookie('auth', jwt, {
       domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-      secure: true,
-      httpOnly: true,
-      sameSite: 'none',
+      ...(!process.env.NOT_SECURED
+        ? {
+            secure: true,
+            httpOnly: true,
+            sameSite: 'none',
+          }
+        : {}),
       expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
     });
 
+    if (process.env.NOT_SECURED) {
+      response.header('auth', jwt);
+    }
+
     response.header('reload', 'true');
 
     response.status(200).json({

apps/backend/src/api/routes/auth.controller.ts

@@ -86,30 +86,37 @@ export class IntegrationsController {
   @Get('/list')
   async getIntegrationList(@GetOrgFromRequest() org: Organization) {
     return {
-      integrations: (
-        await this._integrationService.getIntegrationsList(org.id)
-      ).map((p) => {
-        const findIntegration = this._integrationManager.getSocialIntegration(
-          p.providerIdentifier
-        );
-        return {
-          name: p.name,
-          id: p.id,
-          internalId: p.internalId,
-          disabled: p.disabled,
-          picture: p.picture || '/no-picture.jpg',
-          identifier: p.providerIdentifier,
-          inBetweenSteps: p.inBetweenSteps,
-          refreshNeeded: p.refreshNeeded,
-          display: p.profile,
-          type: p.type,
-          time: JSON.parse(p.postingTimes),
-          changeProfilePicture: !!findIntegration?.changeProfilePicture,
-          changeNickName: !!findIntegration?.changeNickname,
-          customer: p.customer,
-          additionalSettings: p.additionalSettings || '[]',
-        };
-      }),
+      integrations: await Promise.all(
+        (await this._integrationService.getIntegrationsList(org.id)).map(
+          async (p) => {
+            const findIntegration =
+              this._integrationManager.getSocialIntegration(
+                p.providerIdentifier
+              );
+            return {
+              name: p.name,
+              id: p.id,
+              internalId: p.internalId,
+              disabled: p.disabled,
+              picture: p.picture || '/no-picture.jpg',
+              identifier: p.providerIdentifier,
+              inBetweenSteps: p.inBetweenSteps,
+              refreshNeeded: p.refreshNeeded,
+              isCustomFields: !!findIntegration.customFields,
+              ...(findIntegration.customFields
+                ? { customFields: await findIntegration.customFields() }
+                : {}),
+              display: p.profile,
+              type: p.type,
+              time: JSON.parse(p.postingTimes),
+              changeProfilePicture: !!findIntegration?.changeProfilePicture,
+              changeNickName: !!findIntegration?.changeNickname,
+              customer: p.customer,
+              additionalSettings: p.additionalSettings || '[]',
+            };
+          }
+        )
+      ),
     };
   }
 
@@ -612,9 +619,7 @@ export class IntegrationsController {
   }
 
   @Get('/telegram/updates')
-  async getUpdates(
-    @Query() query: { word: string; id?: number },
-  ) {
+  async getUpdates(@Query() query: { word: string; id?: number }) {
     return new TelegramProvider().getBotId(query);
   }
 }

apps/backend/src/api/routes/integrations.controller.ts

@@ -101,8 +101,12 @@ export class PublicController {
     if (!req.cookies.track) {
       res.cookie('track', uniqueId, {
         domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-        secure: true,
-        httpOnly: true,
+        ...(!process.env.NOT_SECURED
+          ? {
+              secure: true,
+              httpOnly: true,
+            }
+          : {}),
         sameSite: 'none',
         expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
       });
@@ -111,8 +115,12 @@ export class PublicController {
     if (body.fbclid && !req.cookies.fbclid) {
       res.cookie('fbclid', body.fbclid, {
         domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-        secure: true,
-        httpOnly: true,
+        ...(!process.env.NOT_SECURED
+          ? {
+              secure: true,
+              httpOnly: true,
+            }
+          : {}),
         sameSite: 'none',
         expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
       });