Hi,

I started using webtag daily to organize my bookmarks and while I have some issues, it's the best solution I've found so far. I've noticed that when you add a link, the Title cannot be added/edited on the New Bookmark/Add Bookmark page. webtag actually fetches the page and grabs the title this way. Unfortunately, this method has issues:

1. It cannot fetch titles of password protected pages
2. It cannot fetch titles of pages that are protected with Cloudflare and other captchas
3. If you've use a translation feature to translate a page and its title, it will add original title.

It think all of these issues could be mitigated by allowing bookmark to pass the title of page along with the URL. Something like:

https://webtag.io/bookmark?"+encodeURIComponent(document.location)+"&t="+encodeURIComponent(document.title)

This would also eliminate the need for webtag to fetch the whole page to grab the title.
Thoughts?

Hi,

I've noticed that the bookmarklet fails to load the fields most of the time and it only works when I disable uBO. I use Chrome browser.
Console shows this error:

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src http: https:".

Anyone know how to fix this? Thanks so much!

Hello,

Package.json defines ./scripts/postinstall.js as a postinstall script, however this file is not present in the repository.

As a result, npm install currently fails. Would it be possible to include this file, or if it's not needed, remove its definition?

First off, excellent job with keeping the project simple with plain text content. Love the ability to tag other people for social bookmarking!

I can imagine that a lot of people / communities would want to run their own instance of webtag (myself included) and share with others both within and beyond the ecosystem. Integration / federation through ActivityPub or similar protocol would expand reach into the fediverse.

Issue Description

Webtag uses the following code (called by getValidPassword) to store and hash passwords:

const hashString = (str) => {
	return crypto.createHash("sha256", config.SECRET).update(str).digest("hex");
};

I guess this is supposed to include a secret / salt (config.SECRET) in the hash computation. Node's crypto.createHash however does not take a salt. The current code just performs a single vanilla SHA-256 computation:

Notice that the output using a "salt" (supersecret) and using no salt is identical:

> password = 'hunter2'
'hunter2'
> crypto.createHash("sha256", "supersecret").update(password).digest("hex")
'f52fbd32b2b3b86ff88ef6c490628285f482af15ddcb29541f94bcf526a3f6c7'
> crypto.createHash("sha256").update(password).digest("hex")
'f52fbd32b2b3b86ff88ef6c490628285f482af15ddcb29541f94bcf526a3f6c7'

Passwords are stored unsalted, hashed just once with SHA-256.

Remediation

Follow proper guidance here and use Argon or at least PBKDF2 with many iterations.