v0.2.3

make page attachments private

apps/client/package.json

@@ -1,7 +1,7 @@
 {
   "name": "client",
   "private": true,
-  "version": "0.2.2",
+  "version": "0.2.3",
   "scripts": {
     "dev": "vite",
     "build": "tsc && vite build",

apps/client/src/components/common/recent-changes.tsx

@@ -1,4 +1,11 @@
-import { Text, Group, UnstyledButton, Badge, Table } from "@mantine/core";
+import {
+  Text,
+  Group,
+  UnstyledButton,
+  Badge,
+  Table,
+  ScrollArea,
+} from "@mantine/core";
 import { Link } from "react-router-dom";
 import PageListSkeleton from "@/components/ui/page-list-skeleton.tsx";
 import { buildPageUrl } from "@/features/page/page.utils.ts";
@@ -22,46 +29,48 @@ export default function RecentChanges({ spaceId }: Props) {
   }
 
   return pages && pages.items.length > 0 ? (
-    <Table highlightOnHover verticalSpacing="sm">
+    <ScrollArea>
-      <Table.Tbody>
+      <Table highlightOnHover verticalSpacing="sm">
-        {pages.items.map((page) => (
+        <Table.Tbody>
-          <Table.Tr key={page.id}>
+          {pages.items.map((page) => (
-            <Table.Td>
+            <Table.Tr key={page.id}>
-              <UnstyledButton
-                component={Link}
-                to={buildPageUrl(page?.space.slug, page.slugId, page.title)}
-              >
-                <Group wrap="nowrap">
-                  {page.icon || <IconFileDescription size={18} />}
-
-                  <Text fw={500} size="md" lineClamp={1}>
-                    {page.title || "Untitled"}
-                  </Text>
-                </Group>
-              </UnstyledButton>
-            </Table.Td>
-            {!spaceId && (
               <Table.Td>
-                <Badge
+                <UnstyledButton
-                  color="blue"
-                  variant="light"
                   component={Link}
-                  to={getSpaceUrl(page?.space.slug)}
+                  to={buildPageUrl(page?.space.slug, page.slugId, page.title)}
-                  style={{ cursor: "pointer" }}
                 >
-                  {page?.space.name}
+                  <Group wrap="nowrap">
-                </Badge>
+                    {page.icon || <IconFileDescription size={18} />}
+
+                    <Text fw={500} size="md" lineClamp={1}>
+                      {page.title || "Untitled"}
+                    </Text>
+                  </Group>
+                </UnstyledButton>
               </Table.Td>
-            )}
+              {!spaceId && (
-            <Table.Td>
+                <Table.Td>
-              <Text c="dimmed" size="xs" fw={500}>
+                  <Badge
-                {formattedDate(page.updatedAt)}
+                    color="blue"
-              </Text>
+                    variant="light"
-            </Table.Td>
+                    component={Link}
-          </Table.Tr>
+                    to={getSpaceUrl(page?.space.slug)}
-        ))}
+                    style={{ cursor: "pointer" }}
-      </Table.Tbody>
+                  >
-    </Table>
+                    {page?.space.name}
+                  </Badge>
+                </Table.Td>
+              )}
+              <Table.Td>
+                <Text c="dimmed" size="xs" fw={500}>
+                  {formattedDate(page.updatedAt)}
+                </Text>
+              </Table.Td>
+            </Table.Tr>
+          ))}
+        </Table.Tbody>
+      </Table>
+    </ScrollArea>
   ) : (
     <Text size="md" ta="center">
       No pages yet

apps/client/src/features/editor/styles/core.css

@@ -9,7 +9,7 @@
   );
   font-size: var(--mantine-font-size-md);
   line-height: var(--mantine-line-height-xl);
-  font-weight: 415;
+  font-weight: 400;
   width: 100%;
 
   > * + * {

apps/client/src/features/editor/styles/youtube.css

@@ -4,7 +4,7 @@
 
         iframe {
             display: block;
-            outline: 0px solid transparent;
+            outline: 0 solid transparent;
             border-radius: var(--mantine-radius-md);
             width: 100%;
         }

apps/client/src/features/page/tree/components/space-tree.tsx

@@ -88,6 +88,7 @@ export default function SpaceTree({ spaceId, readOnly }: SpaceTreeProps) {
     if (pagesData?.pages && !hasNextPage) {
       const allItems = pagesData.pages.flatMap((page) => page.items);
       const treeData = buildTree(allItems);
+
       if (data.length < 1 || data?.[0].spaceId !== spaceId) {
         //Thoughts
         // don't reset if there is data in state
@@ -106,7 +107,7 @@ export default function SpaceTree({ spaceId, readOnly }: SpaceTreeProps) {
     const fetchData = async () => {
       if (isDataLoaded.current && currentPage) {
         // check if pageId node is present in the tree
-        const node = dfs(treeApiRef.current.root, currentPage.id);
+        const node = dfs(treeApiRef.current?.root, currentPage.id);
         if (node) {
           // if node is found, no need to traverse its ancestors
           return;

apps/client/src/features/page/tree/hooks/use-tree-mutation.ts

@@ -52,6 +52,8 @@ export function useTreeMutation<T>(spaceId: string) {
       slugId: createdPage.slugId,
       name: "",
       position: createdPage.position,
+      spaceId: createdPage.spaceId,
+      parentPageId: createdPage.parentPageId,
       children: [],
     } as any;
 

apps/client/src/features/search/search-spotlight.tsx

@@ -1,17 +1,10 @@
 import { Group, Center, Text } from "@mantine/core";
 import { Spotlight } from "@mantine/spotlight";
-import {
+import { IconFileDescription, IconSearch } from "@tabler/icons-react";
-  IconFileDescription,
-  IconHome,
-  IconSearch,
-  IconSettings,
-} from "@tabler/icons-react";
 import React, { useState } from "react";
 import { useNavigate, useParams } from "react-router-dom";
 import { useDebouncedValue } from "@mantine/hooks";
 import { usePageSearchQuery } from "@/features/search/queries/search-query";
-import { useGetSpaceBySlugQuery } from "@/features/space/queries/space-query.ts";
-import { useRecentChangesQuery } from "@/features/page/queries/page-query.ts";
 import { buildPageUrl } from "@/features/page/page.utils.ts";
 
 interface SearchSpotlightProps {

apps/client/src/lib/api-client.ts

@@ -5,6 +5,7 @@ import { getBackendUrl } from "@/lib/config.ts";
 
 const api: AxiosInstance = axios.create({
   baseURL: getBackendUrl(),
+  withCredentials: true,
 });
 
 api.interceptors.request.use(

apps/server/package.json

@@ -1,6 +1,6 @@
 {
   "name": "server",
-  "version": "0.2.2",
+  "version": "0.2.3",
   "description": "",
   "author": "",
   "private": true,
@@ -31,6 +31,7 @@
     "@aws-sdk/client-s3": "^3.600.0",
     "@aws-sdk/s3-request-presigner": "^3.600.0",
     "@casl/ability": "^6.7.1",
+    "@fastify/cookie": "^9.3.1",
     "@fastify/multipart": "^8.3.0",
     "@fastify/static": "^7.0.4",
     "@nestjs/bullmq": "^10.1.1",

apps/server/src/core/attachment/attachment.controller.ts

@@ -45,7 +45,6 @@ import {
 import WorkspaceAbilityFactory from '../casl/abilities/workspace-ability.factory';
 import { PageRepo } from '@docmost/db/repos/page/page.repo';
 import { AttachmentRepo } from '@docmost/db/repos/attachment/attachment.repo';
-import { Public } from '../../common/decorators/public.decorator';
 import { validate as isValidUUID } from 'uuid';
 
 @Controller()
@@ -129,12 +128,11 @@ export class AttachmentController {
     }
   }
 
-  @Public()
   @UseGuards(JwtAuthGuard)
   @Get('/files/:fileId/:fileName')
   async getFile(
     @Res() res: FastifyReply,
-    //@AuthUser() user: User,
+    @AuthUser() user: User,
     @AuthWorkspace() workspace: Workspace,
     @Param('fileId') fileId: string,
     @Param('fileName') fileName?: string,
@@ -144,18 +142,29 @@ export class AttachmentController {
     }
 
     const attachment = await this.attachmentRepo.findById(fileId);
-    if (attachment.workspaceId !== workspace.id) {
+    if (
+      !attachment ||
+      attachment.workspaceId !== workspace.id ||
+      !attachment.pageId ||
+      !attachment.spaceId
+    ) {
       throw new NotFoundException();
     }
 
-    if (!attachment || !attachment.pageId) {
+    const spaceAbility = await this.spaceAbility.createForUser(
-      throw new NotFoundException('File record not found');
+      user,
+      attachment.spaceId,
+    );
+
+    if (spaceAbility.cannot(SpaceCaslAction.Read, SpaceCaslSubject.Page)) {
+      throw new ForbiddenException();
     }
 
     try {
       const fileStream = await this.storageService.read(attachment.filePath);
       res.headers({
         'Content-Type': getMimeType(attachment.filePath),
+        'Cache-Control': 'public, max-age=3600',
       });
       return res.send(fileStream);
     } catch (err) {
@@ -268,6 +277,7 @@ export class AttachmentController {
       const fileStream = await this.storageService.read(filePath);
       res.headers({
         'Content-Type': getMimeType(filePath),
+        'Cache-Control': 'public, max-age=86400',
       });
       return res.send(fileStream);
     } catch (err) {

apps/server/src/core/auth/strategies/jwt.strategy.ts

@@ -4,11 +4,12 @@ import {
   UnauthorizedException,
 } from '@nestjs/common';
 import { PassportStrategy } from '@nestjs/passport';
-import { ExtractJwt, Strategy } from 'passport-jwt';
+import { Strategy } from 'passport-jwt';
 import { EnvironmentService } from '../../../integrations/environment/environment.service';
 import { JwtPayload, JwtType } from '../dto/jwt-payload';
 import { WorkspaceRepo } from '@docmost/db/repos/workspace/workspace.repo';
 import { UserRepo } from '@docmost/db/repos/user/user.repo';
+import { FastifyRequest } from 'fastify';
 
 @Injectable()
 export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
@@ -18,7 +19,15 @@ export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
     private readonly environmentService: EnvironmentService,
   ) {
     super({
-      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
+      jwtFromRequest: (req: FastifyRequest) => {
+        let accessToken = null;
+
+        try {
+          accessToken = JSON.parse(req.cookies?.authTokens)?.accessToken;
+        } catch {}
+
+        return accessToken || this.extractTokenFromHeader(req);
+      },
       ignoreExpiration: false,
       secretOrKey: environmentService.getAppSecret(),
       passReqToCallback: true,
@@ -50,4 +59,9 @@ export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
 
     return { user, workspace };
   }
+
+  private extractTokenFromHeader(request: FastifyRequest): string | undefined {
+    const [type, token] = request.headers.authorization?.split(' ') ?? [];
+    return type === 'Bearer' ? token : undefined;
+  }
 }

apps/server/src/main.ts

@@ -9,6 +9,7 @@ import { TransformHttpResponseInterceptor } from './common/interceptors/http-res
 import fastifyMultipart from '@fastify/multipart';
 import { WsRedisIoAdapter } from './ws/adapter/ws-redis.adapter';
 import { InternalLogFilter } from './common/logger/internal-log-filter';
+import fastifyCookie from '@fastify/cookie';
 
 async function bootstrap() {
   const app = await NestFactory.create<NestFastifyApplication>(
@@ -31,6 +32,7 @@ async function bootstrap() {
   app.useWebSocketAdapter(redisIoAdapter);
 
   await app.register(fastifyMultipart as any);
+  await app.register(fastifyCookie as any);
 
   app
     .getHttpAdapter()
@@ -56,7 +58,16 @@ async function bootstrap() {
       transform: true,
     }),
   );
-  app.enableCors();
+
+  if (process.env.NODE_ENV !== 'production') {
+    // make development easy
+    app.enableCors({
+      origin: ['http://localhost:5173'],
+      credentials: true,
+    });
+  } else {
+    app.enableCors();
+  }
 
   app.useGlobalInterceptors(new TransformHttpResponseInterceptor());
   app.enableShutdownHooks();

package.json

@@ -1,7 +1,7 @@
 {
   "name": "docmost",
   "homepage": "https://docmost.com",
-  "version": "0.2.2",
+  "version": "0.2.3",
   "private": true,
   "scripts": {
     "build": "nx run-many -t build",

pnpm-lock.yaml

@@ -331,6 +331,9 @@ importers:
       '@casl/ability':
         specifier: ^6.7.1
         version: 6.7.1
+      '@fastify/cookie':
+        specifier: ^9.3.1
+        version: 9.3.1
       '@fastify/multipart':
         specifier: ^8.3.0
         version: 8.3.0
@@ -1875,6 +1878,9 @@ packages:
     resolution: {integrity: sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA==}
     engines: {node: '>=14'}
 
+  '@fastify/cookie@9.3.1':
+    resolution: {integrity: sha512-h1NAEhB266+ZbZ0e9qUE6NnNR07i7DnNXWG9VbbZ8uC6O/hxHpl+Zoe5sw1yfdZ2U6XhToUGDnzQtWJdCaPwfg==}
+
   '@fastify/cors@9.0.1':
     resolution: {integrity: sha512-YY9Ho3ovI+QHIL2hW+9X4XqQjXLjJqsU+sMV/xFsxZkE8p3GNnYVFpoOxF7SsP5ZL76gwvbo3V9L+FIekBGU4Q==}
 
@@ -4594,6 +4600,10 @@ packages:
   convert-source-map@2.0.0:
     resolution: {integrity: sha512-Kvp459HrV2FEJ1CAsi1Ku+MY3kasH19TFykTz2xWmMeq6bk2NU3XXvfJ+Q61m0xktWwt+1HSYf3JZsTms3aRJg==}
 
+  cookie-signature@1.2.1:
+    resolution: {integrity: sha512-78KWk9T26NhzXtuL26cIJ8/qNHANyJ/ZYrmEXFzUmhZdjpBv+DlWlOANRTGBt48YcyslsLrj0bMLFTmXvLRCOw==}
+    engines: {node: '>=6.6.0'}
+
   cookie@0.4.2:
     resolution: {integrity: sha512-aSWTXFzaKWkvHO1Ny/s+ePFpvKsPnjc551iI41v3ny/ow6tBG5Vd+FuqGNhh1LxOmVzOlGUriIlOaokOvhaStA==}
     engines: {node: '>= 0.6'}
@@ -9789,6 +9799,11 @@ snapshots:
 
   '@fastify/busboy@2.1.1': {}
 
+  '@fastify/cookie@9.3.1':
+    dependencies:
+      cookie-signature: 1.2.1
+      fastify-plugin: 4.5.1
+
   '@fastify/cors@9.0.1':
     dependencies:
       fastify-plugin: 4.5.1
@@ -12947,6 +12962,8 @@ snapshots:
 
   convert-source-map@2.0.0: {}
 
+  cookie-signature@1.2.1: {}
+
   cookie@0.4.2: {}
 
   cookie@0.6.0: {}