From d19f286c11b96f64c8b9a7a5e05fea6dab6c1493 Mon Sep 17 00:00:00 2001
From: f
Date: Fri, 25 Oct 2024 17:46:47 -0300
Subject: [PATCH 1/3] fix: require authentication for free urls

---
 .env.sample | 1 +
 compose.yml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/.env.sample b/.env.sample
index c6ba74f..8308790 100644
--- a/.env.sample
+++ b/.env.sample
@@ -34,6 +34,7 @@ COMPOSE_FILE="compose.yml"
 # CMD_ALLOW_ANONYMOUS_EDITS=false
 # CMD_ALLOW_EMAIL_REGISTER=true
 # CMD_ALLOW_FREEURL=false
+# CMD_REQUIRE_FREEURL_AUTHENTICATION=true
 # CMD_ALLOW_GRAVATAR=true
 # CMD_ALLOW_ORIGIN=localhost
 # CMD_COOKIE_POLICY=lax
diff --git a/compose.yml b/compose.yml
index f911958..3cee36f 100644
--- a/compose.yml
+++ b/compose.yml
@@ -16,6 +16,7 @@ services:
 - CMD_ALLOW_ANONYMOUS_EDITS
 - CMD_ALLOW_EMAIL_REGISTER
 - CMD_ALLOW_FREEURL
+ - CMD_REQUIRE_FREEURL_AUTHENTICATION
 - CMD_ALLOW_GRAVATAR
 - CMD_ALLOW_ORIGIN
 - CMD_COOKIE_POLICY
From 6a036c4c82bc09d06a7381dfe12e064db66df2c7 Mon Sep 17 00:00:00 2001
From: f
Date: Fri, 25 Oct 2024 17:47:27 -0300
Subject: [PATCH 2/3] fix: set session secret

---
 .env.sample | 1 +
 compose.yml | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/.env.sample b/.env.sample
index 8308790..47ad531 100644
--- a/.env.sample
+++ b/.env.sample
@@ -9,6 +9,7 @@ DOMAIN=hedgedoc.example.com
 LETS_ENCRYPT_ENV=production
 SECRET_DB_PASSWORD_VERSION=v1
+SECRET_SESSION_SECRET_VERSION=v1
 COMPOSE_FILE="compose.yml"
diff --git a/compose.yml b/compose.yml
index 3cee36f..475c5fd 100644
--- a/compose.yml
+++ b/compose.yml
@@ -27,6 +27,7 @@ services:
 - CMD_DEFAULT_PERMISSION
 - CMD_EMAIL
 - CMD_SESSION_LIFE
+ - CMD_SESSION_SECRET_FILE=/run/secrets/session_secret
 - DOCUMENT_MAX_LENGTH
 depends_on:
 - db
@@ -37,6 +38,7 @@ services:
 - codimd_uploads:/hedgedoc/public/uploads
 secrets:
 - db_password
+ - session_secret
 entrypoint: /docker-entrypoint.sh
 configs:
 - source: entrypoint_conf
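Review bot: The pass-through `- CMD_REQUIRE_FREEURL_AUTHENTICATION` in the compose.yml hunk carries no value, so the container only sees the variable when the deploying shell or .env defines it, and the `.env.sample` hunk of this same patch ships the line commented out — as committed, whether free-URL creation requires authentication is decided by the application's default rather than by this repository. If the subject line is the intended guarantee, pin it in compose.yml with a fallback, `- CMD_REQUIRE_FREEURL_AUTHENTICATION=${CMD_REQUIRE_FREEURL_AUTHENTICATION:-true}`, and keep the sample line as the documented override. Whether an unset list-form variable is omitted from the container or passed through empty depends on the Compose version, which cannot be confirmed from here; either way these lines alone do not enforce the setting.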
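Review bot: `- CMD_SESSION_SECRET_FILE=/run/secrets/session_secret` in the `@@ -27` hunk points at a file that nothing in this patch reads — the entrypoint only learns to load it in PATCH 3/3 — so at this commit the service starts with the secret mounted but `CMD_SESSION_SECRET` still unset, and the session secret is whatever HedgeDoc falls back to (presumably a generated one). Squashing PATCH 2/3 and 3/3, or putting the entrypoint change first, would keep every commit deployable. The path does agree with the `@@ -37` hunk: the short-form `- session_secret` entry is mounted at `/run/secrets/<name>` by Swarm, assuming this is a stack deploy as `${STACK_NAME}` and `configs:` suggest.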
@@ -101,6 +103,9 @@ secrets:
 db_password:
 external: true
 name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+ session_secret:
+ external: true
+ name: ${STACK_NAME}_session_secret_${SECRET_SESSION_SECRET_VERSION}
 networks:
 proxy:
 external: true
From ca5a95bea677edfec011a9220005faabb31f533f Mon Sep 17 00:00:00 2001
From: f
Date: Sat, 26 Oct 2024 11:01:18 -0300
Subject: [PATCH 3/3] fix: load secret from file into env var

---
 entrypoint.sh.tmpl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
index 6692448..c586369 100644
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@@ -24,6 +24,7 @@ file_env() {
 load_vars() {
 file_env "CMD_DB_PASSWORD"
 file_env "CMD_OAUTH2_CLIENT_SECRET"
+ file_env "CMD_SESSION_SECRET"
 }
 main() {
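Review bot: `session_secret` is declared `external: true`, so nothing in this repository creates or validates it — the deploy fails if `${STACK_NAME}_session_secret_${SECRET_SESSION_SECRET_VERSION}` does not already exist, and nothing here says how the value should be generated or how long it should be. A comment above `session_secret:` would spare the next operator a failed deploy: `# Create out of band before deploying, e.g. openssl rand -hex 32 | docker secret create "${STACK_NAME}_session_secret_v1" -`, matching whatever the repo already documents for `db_password`. The same comment should note that bumping `SECRET_SESSION_SECRET_VERSION` rotates the secret and, since the session cookie is presumably signed with it, invalidates every existing login — confirm against HedgeDoc's session handling before stating it as fact.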
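Review bot: `load_vars` now calls `file_env "CMD_SESSION_SECRET"` but never checks that the variable came out non-empty, so a missing or unreadable `/run/secrets/session_secret`, or an unset `CMD_SESSION_SECRET_FILE`, lets the service start with whatever HedgeDoc does for an absent session secret — presumably a freshly generated one, which silently undoes the fix in PATCH 2/3. A fail-fast guard after the three `file_env` calls closes that gap: `[ -n "${CMD_SESSION_SECRET:-}" ] || { echo "CMD_SESSION_SECRET is empty; check CMD_SESSION_SECRET_FILE" >&2; exit 1; }`. `file_env` is defined above the hunk, so whether it already aborts on a missing or empty file cannot be confirmed from here. `load_vars` is complete within the hunk; `main` begins on its last line and continues outside it.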