Sheogorath
@funkyfuture Because the app-server/backend is aware of authentication, and while you might do overall rate-limiting in a reverse proxy, HedgeDoc itself should do a rate-limit between unauthenticated users on an...
Let me address your second concern first: > the other one is that in a larger landscape of services i'm not a fan of duplicated functionality. When we look at...
Uhm, please be careful with regexes. [ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) is a thing and can appear easily when people don't know how to avoid them. Rather allow them to define character classes or...
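An added example of the "let them define character classes" approach from the comment above. This is illustration code, not HedgeDoc's own implementation: the spec grammar (printable ASCII, `x-y` ranges), the 64-character spec cap and the 4096 length cap are assumptions. The point is that a single bracket expression with a bounded quantifier cannot contain the nested or overlapping repetition that makes a backtracking engine go exponential, so even a user who types `(a+)+` gets a harmless literal class.

```javascript
// Added example, not HedgeDoc's code: accept a character-class spec plus a
// length range instead of a raw regex, and compile it to a linear-time pattern.

// Assumption for this example: a spec such as "a-z0-9_" is made of printable
// ASCII (0x21..0x7e), where "x-y" denotes an inclusive code-point range.
const MIN_CODE = 0x21;
const MAX_CODE = 0x7e;

function isPrintable(ch) {
  const c = ch.charCodeAt(0);
  return c >= MIN_CODE && c <= MAX_CODE;
}

// Escape the only characters that are meta inside a bracket expression.
function escapeClassChar(ch) {
  return '\\]^-'.includes(ch) ? '\\' + ch : ch;
}

// Turn "a-z0-9_" into a list of {lo, hi} ranges; throws on anything else.
function parseClassSpec(spec) {
  if (typeof spec !== 'string' || spec.length === 0 || spec.length > 64) {
    throw new Error('class spec must be 1 to 64 characters');
  }
  const ranges = [];
  let i = 0;
  while (i < spec.length) {
    const lo = spec[i];
    if (!isPrintable(lo)) throw new Error(`unsupported character at ${i}`);
    // "x-y" is a range only when a third character follows the dash;
    // a trailing dash is taken literally.
    if (spec[i + 1] === '-' && i + 2 < spec.length) {
      const hi = spec[i + 2];
      if (!isPrintable(hi)) throw new Error(`unsupported character at ${i + 2}`);
      if (hi.charCodeAt(0) < lo.charCodeAt(0)) {
        throw new Error(`range ${lo}-${hi} is out of order`);
      }
      ranges.push({ lo, hi });
      i += 3;
    } else {
      ranges.push({ lo, hi: lo });
      i += 1;
    }
  }
  return ranges;
}

// Compile to /^[...]{min,max}$/. One bracket expression with a bounded
// quantifier has no nested or overlapping repetition, so there is nothing
// for the backtracking engine to blow up on, whatever the user typed.
function compileUserPattern(spec, minLen, maxLen) {
  if (!Number.isInteger(minLen) || !Number.isInteger(maxLen) ||
      minLen < 0 || maxLen < minLen || maxLen > 4096) { // 4096: assumed cap
    throw new Error('length bounds must satisfy 0 <= min <= max <= 4096');
  }
  const body = parseClassSpec(spec)
    .map(({ lo, hi }) => (lo === hi
      ? escapeClassChar(lo)
      : `${escapeClassChar(lo)}-${escapeClassChar(hi)}`))
    .join('');
  return new RegExp(`^[${body}]{${minLen},${maxLen}}$`);
}

module.exports = { parseClassSpec, compileUserPattern };
```

Anything the spec grammar does not cover (groups, alternation, lookarounds) is rejected before a `RegExp` is ever constructed, which is the whole defence: the user never gets to choose the structure of the pattern, only its alphabet and length.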
Yes, we should do proper CSRF; the delete-profile-token is pretty much a cheap version of CSRF. There is middleware for Express that implements CSRF, I just didn't find the time...
Wouldn't it make sense to just have an API endpoint to request a token, and for guest-enabled instances these tokens can be obtained without authentication? This would reduce the amount...
Isn't the idea to have a pseudo user `anonymous` anyway, then you could assign the access tokens to this pseudo user and remove a lot of the special handling.
Besides, you still need to rate-limit the token issuing for anonymous users by IP address. Otherwise it's trivial to break the rate-limit. So it just moves the target a bit....
As far as I know, one of the target pictures we described many moons ago was to keep the concept of having just one application to start, in order to...
> But imagine a HedgeDoc instance which is using an OIDC authentication that requires a proxy, and an S3 storage backend that requires another proxy. The configuration should be versatile...
I just spent a few minutes researching how well or unwell UUID types work in PostgreSQL. The result seems to be that inserts can see a performance hit, due...