
tw-receiver's Introduction

TW Receiver

About

A TiddlyWiki plugin used for saving to a PHP based server.

Features

  • Simple automated backups -- Backup a definable number of wiki copies with time-stamps. Useful to review an old version, or to back out of a corrupt wiki.
  • Stale Instance Overwrite Protection -- This ensures the wiki you're working on isn't out of date with the server before saving changes. It avoids a scenario where changes made earlier in another window were not loaded into the current instance of the wiki and would be lost by overwrite.
  • Challenge Digest Authentication (enhanced security) -- This simple mechanism avoids passing the password in plain text. Instead the server is queried for a challenge token and that token is then combined with the password to form a new string that is both unique and temporary.
  • Data Integrity Signing (enhanced security) -- This practice creates a unique signature of the wiki text with the secret key. Checking the validity of this signature ensures the integrity of the wiki data and helps prevent tampering in transit.

A note on Security

There is no way to securely transmit over HTTP. Over plain HTTP, your password and content can be viewed and changed in transit. Use of HTTPS (TLS) is strongly recommended. Think of the other security enhancements as low-budget security: they will prevent a number of attacks, but they are not a replacement for proper HTTPS. To try out HTTPS, check out https://letsencrypt.org/
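
The challenge digest and data integrity signing features described above, as an added example that is not the plugin's own code. It assumes HMAC-SHA256 for both the digest and the signature; the `Server` class, `buildSave` function, field names and 30-second challenge lifetime are hypothetical.

```javascript
const crypto = require('crypto');

const hmac = (key, msg) =>
  crypto.createHmac('sha256', key).update(msg).digest('hex');

// Constant-time comparison; rejects non-strings and length mismatches.
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

class Server {
  constructor(secretKey, ttlMs = 30000) {
    this.secretKey = secretKey;
    this.ttlMs = ttlMs;            // assumed challenge lifetime
    this.pending = new Map();      // challenge -> expiry time (ms)
  }
  issueChallenge(now = Date.now()) {
    const challenge = crypto.randomBytes(16).toString('hex');
    this.pending.set(challenge, now + this.ttlMs);
    return challenge;
  }
  // Returns 'OK' or the reason the save was rejected.
  save({ challenge, digest, signature, wikiText }, now = Date.now()) {
    const expiry = this.pending.get(challenge);
    this.pending.delete(challenge); // single use, even when the save fails
    if (expiry === undefined || now > expiry) return 'Authentication Failure';
    if (!safeEqual(digest, hmac(this.secretKey, challenge)))
      return 'Authentication Failure';
    // Binding the signature to the challenge stops reuse of an old signed body.
    if (!safeEqual(signature, hmac(this.secretKey, challenge + ':' + wikiText)))
      return 'Data Integrity Failure';
    return 'OK';
  }
}

// Client side: only values derived from the key are sent, never the key.
function buildSave(secretKey, challenge, wikiText) {
  return {
    challenge,
    wikiText,
    digest: hmac(secretKey, challenge),
    signature: hmac(secretKey, challenge + ':' + wikiText),
  };
}
```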

Getting Started

Setup

  1. Tools > Import the plugin_sendwheel_tw-receiver.json file into your wiki
  2. Save and refresh your wiki
  3. Enable the plugin in Control Panel > Saving > TW Receiver
  4. Set a strong secret key (password) on that screen
  5. Place the tw-receiver-server.php file in the same directory as your wiki.html on the server
  6. Set $userpassword on line 20 to the same secret key you used on the plugin screen in step 4

You will likely have to make server side adjustments; things like setting directory permissions or ini configurations like max upload sizes. See Environment Tests for help.

Notes

  • Most of the default settings can and likely should be used. The security enhancements of this plugin can be disabled, but have minimal cost to use.
  • While a password can be stored directly in the tw-receiver-server.php file, it is a better practice to use an external ini. This requires placing the ini in a non-web-accessible folder outside of the web root, and setting its path in $extSecKeyPath. This is disabled by default only because not setting this up correctly is worse than not using it at all. Using this replaces the use of $userpassword.

Usage

Environment Tests

Accessing tw-receiver-server.php directly will perform some access and configuration tests and report the results. For example: https://example.com/tw-receiver-server.php

Stale Overwrite Protection Configuration

If enabling this on an existing installation, some additional steps are required. These steps can be ignored for new installations.

  1. On the server side in the tw-receiver-server.php file, set staleCheck=false
  2. Enable "Stale Overwrite Protection" client side with checkbox in the UI
  3. Save and reload the wiki
  4. Now set staleCheck=true in the tw-receiver-server.php file server side.
  5. Stale Overwrite Protection is now successfully configured and operational

Requirements

  • PHP >= 7

Contributing

If you want to contribute to this plugin in any way or want to report any issues, please do.

Credits

Client side components partially based on the upload.js core module which was based on work by bidix.

tw-receiver's People

Contributors

sendwheel


tw-receiver's Issues

file_get_contents(): Filename cannot be empty

Hello, my tw-receiver-server.php indicates everything is fine but I keep getting this error.

file_get_contents():Filename cannot be empty on line 184 of the server.php file (abbreviated)

It seems a variable is not being passed? All the boxes for the control panel -> saving screen are filled in.

Thank you

staleCheck and Server Error: Data Integrity Failure?

Hi,

I can't see this option in the client side UI:
Enable "Static Overwrite Protection" client side with checkbox in the UI

I am trying to resolve a problem I have, perhaps as a result of trying to test staleCheck

tiddlywiki.psat.com.au says
Error while saving:
Error: Server Error: Data Integrity Failure

Thanks
Tony

Secret key not saving

The secret key field keeps blanking out after setting it in the settings and reloading. It is set in the .php but when reloading the html and going into settings it is blank which causes a “missing user credentials” error and the wiki is not saved without re-entering the secret key each time in settings.

TW-receiver set up, works fine but often comes up with Error While Saving issue

I installed plugin_sendwheel_tw-receiver.json to my tiddlywiki successfully and put tw-receiver-server.php in the same folder as index.html, set up the password, and at first it works fine. But as I keep using it, it starts to come up with an error and can't save to the server anymore.
The error message is:


Error while saving:

Error:
Server Error: Authentication Failure

I have set chmod 777 on both index.html and tw-receiver-server.php, but the error remains.
I use a vhost server on which WordPress works perfectly.

"Starting to save wiki...."

environment:

PHP 7.2.27 (cli) (built: Jan 26 2020 15:49:49) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.2.27, Copyright (c) 1999-2018, by Zend Technologies

nginx version: nginx/1.16.1

debug test:

ini setting: file_uploads OK
ini setting: upload_max_filesize 200M
ini setting: post_max_size 800M
backups enabled YES
backups max count 10
backups directory exists OK
backups directory is writable OK
this directory is writable OK
external key enabled NO
external key reachable NO
secure connection (https) NO
challenge digest auth mode YES
check data integrity signature YES
check stale overwrite protection NO

tiddlywiki configuration:

enable: [yes]
secret key: confirmed to be the same
ServerURl: http://%ip%/tw-receiver-server.php
filename: index.html

file in that directory

index.html tw-receiver-server.php wikibackup

What happened

After I click "save", there is only a popup saying "starting to save wiki".
No other tips, and the wiki is not saved.
I imported the plugin and then deleted everything except the wiki.html itself. Does this plugin rely on other files after I imported them? (except the .php on the server side)
Is there any possible problem causing my problem?

Idea: Make a public and private version of the wiki

The idea is simple:

  1. Protect the main tiddlywiki file with .htaccess and hardcode the tw-receiver password into the tw
  2. When saving, tw-receiver overwrites the main file as usual and creates the backup
  3. But tw-receiver also creates a public file that is accessible to all. Before the output is written to the file, tw-receiver strips away all the tiddlers in the html code that are tagged with "Private"
  4. If we are really advanced, all instances of the titles of private tiddlers are replaced by %%% or something in the public file (links, tags, freelinks, field values... )

Any additional troubleshooting? Won't save

I get a message saying it is saving but it never does. When I pull up the tw-receiver-server.php page everything is fine. Increased size in php.ini and nginx.conf to 200M. In the php stderr out I see a GET for each time I access the tw..php page but nothing when I try to save. In my nginx logs there is no error and a GET request for the save but no POST.

Password checked and verified.
