Merge branch 'oidc'

Updated readme with latest version info

Also updated version file to be current

New Crowdin updates (#2980)

* New translations entities.php (Spanish, Argentina)

* New translations activities.php (Spanish, Argentina)

* New translations auth.php (Spanish, Argentina)

* New translations settings.php (Spanish, Argentina)

* New translations validation.php (Spanish, Argentina)

* New translations auth.php (Spanish, Argentina)

Applied latest styleci changes

Updated php dependancies

Fixed guest user email showing in TOTP setup url

- Occured during enforced MFA setup upon login.
- Added test to cover.

Fixes #2971

Merge pull request #2977 from BookStackApp/custom_debug_view

Added custom whoops-based debug view

Added testing to cover debug view

Added custom whoops-based debug view

Provides a simple bookstack focused view that does not rely on JavaScript.
Contains links to BookStack specific resources in addition to commonly
desired debug details.

Fixed lack of oidc discovery filtering during testing

Tested oidc system on okta, Keycloak & Auth0

Fleshed out testing for OIDC system

Renamed OIDC files to all be aligned

Added OIDC basic autodiscovery support

Added further OIDC core class testing

Added positive test case for OIDC implementation

- To continue coverage and spec cases next.

Got OIDC custom solution to a functional state

- Validation of all key/token elements now in place.
- Signing key system updated to work with jwk-style array or with
  file:// path to pem key.

Added token and key handling elements for oidc jwt

- Got basic signing support and structure checking done.
- Need to run through actual claim checking before providing details
  back to app.

Merge pull request #2965 from Haxatron/master

Update DOMPDF chroot directory

Started on a custom oidc oauth provider

Update dompdf.php

base_path => public_path

Added throttling to password reset requests

Updated translator attribution before release v21.08.5

Applied changes from styleci

New Crowdin updates (#2953)

* New translations settings.php (Chinese Simplified)

* New translations entities.php (Slovak)

* New translations entities.php (Portuguese, Brazilian)

* New translations entities.php (Slovenian)

* New translations entities.php (Swedish)

* New translations entities.php (Turkish)

* New translations entities.php (Ukrainian)

* New translations entities.php (Chinese Simplified)

* New translations entities.php (Chinese Traditional)

* New translations entities.php (Indonesian)

* New translations entities.php (Portuguese)

* New translations entities.php (Persian)

* New translations entities.php (Spanish, Argentina)

* New translations entities.php (Croatian)

* New translations entities.php (Latvian)

* New translations entities.php (Bosnian)

* New translations entities.php (Norwegian Bokmal)

* New translations entities.php (Russian)

* New translations entities.php (Polish)

* New translations entities.php (Vietnamese)

* New translations entities.php (Danish)

* New translations entities.php (French)

* New translations entities.php (Spanish)

* New translations entities.php (Arabic)

* New translations entities.php (Bulgarian)

* New translations entities.php (Catalan)

* New translations entities.php (Czech)

* New translations entities.php (German)

* New translations entities.php (Dutch)

* New translations entities.php (Hebrew)

* New translations entities.php (Hungarian)

* New translations entities.php (Italian)

* New translations entities.php (Japanese)

* New translations entities.php (Korean)

* New translations entities.php (Lithuanian)

* New translations entities.php (German Informal)

* New translations entities.php (French)

* New translations entities.php (Spanish)

* New translations settings.php (Czech)

* New translations entities.php (Czech)

* New translations activities.php (Czech)

* New translations auth.php (Czech)

* New translations common.php (Czech)

* New translations validation.php (Czech)

* New translations entities.php (Portuguese)

* New translations settings.php (Portuguese)

* New translations entities.php (Portuguese)

* New translations activities.php (Portuguese)

* New translations auth.php (Portuguese)

* New translations common.php (Portuguese)

* New translations validation.php (Portuguese)

* New translations entities.php (Chinese Simplified)

* New translations entities.php (Chinese Simplified)

* New translations activities.php (Ukrainian)

* New translations activities.php (Ukrainian)

Added testing to cover work done in last commit

Relevant to comments in 7224fbcc89f00f2b71644e36bb1b1d96addd1d5a.
Added test cases. Ensured they failed pre-commit.
Also tested a range of the altered endpoints manually on both local and
s3-like filesystems.

Added protections against path traversal in file system operations

- Files within the storage/ path could be accessed via path traversal
  references in content, accessed upon HTML export.
- This addresses this via two layers:
  - Scoped local flysystem filesystems down to the specific image &
    file folders since flysystem has built-in checking against the
    escaping of the root folder.
  - Added path normalization before enforcement of uploads/{images,file}
    prefix to prevent traversal at a path level.

Thanks to @Haxatron via huntr.dev for discovery and reporting.
Ref: https://huntr.dev/bounties/ac268a17-72b5-446f-a09a-9945ef58607a/

Fixed search query issues when table prefixes are used

- Old raw select query was causing bad select clause in query
  when table prefixes were active.

Forced response cache revalidation on logged-in responses

- Prevents authenticated responses being visible when back button
  pressed in browser.
- Previously, 'no-cache, private' was added by default by Symfony which
  would have prevents proxy cache issues but this adds no-store and a
  max-age option to also invalidate all caching.

Thanks to @haxatron via huntr.dev
Ref: https://huntr.dev/bounties/6cda9df9-4987-4e1c-b48f-855b6901ef53/

Continued review of #2169

- Removed uneeded custom refresh or logout actions for OIDC.
- Restructured how the services and guards are setup for external auth
  systems. SAML2 and OIDC now directly share a lot more logic.
- Renamed any OpenId references to OIDC or OpenIdConnect
- Removed non-required CSRF excemption for OIDC

Not tested, Come to roadblock due to lack of PHP8 support in upstream
dependancies. Certificate was deemed to be non-valid on every test
attempt due to changes in PHP8.

Started refactor for merge of OIDC

- Made oidc config more generic to not be overly reliant on the library
  based upon learnings from saml2 auth.
- Removed any settings that are redundant or not deemed required for
  initial implementation.
- Reduced some methods down where not needed.
- Renamed OpenID to OIDC
- Updated .env.example.complete to align with all options and their
  defaults

Related to #2169

Merge branch 'openid' of https://github.com/jasperweyne/BookStack into jasperweyne-openid

Merge pull request #2957 from BookStackApp/dependabot/composer/composer/composer-2.1.9

Bump composer/composer from 2.1.8 to 2.1.9

Bump composer/composer from 2.1.8 to 2.1.9

Bumps [composer/composer](https://github.com/composer/composer) from 2.1.8 to 2.1.9.
- [Release notes](https://github.com/composer/composer/releases)
- [Changelog](https://github.com/composer/composer/blob/master/CHANGELOG.md)
- [Commits](https://github.com/composer/composer/compare/2.1.8...2.1.9)

---
updated-dependencies:
- dependency-name: composer/composer
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <redacted>

Reviewed and refactored additional editor draft save warnings

- Added testing to cover warning cases.
- Refactored logic to be simpler and move much of the business out of
  the controller.
- Added new message that's more suitable to the case this was handling.
- For detecting an outdated draft, checked the draft created_at time
  instead of updated_at to better fit the scenario being checked.
- Updated some method types to align with those potentially being used
  in the logic of the code.
- Added a cache of shown messages on the front-end to prevent them
  re-showing on every save during the session, even if dismissed.

Merge branch 'conflict_warnings' of https://github.com/MatthieuParis/BookStack into MatthieuParis-conflict_warnings

Updated translator attribution before release v21.08.4

New Crowdin updates (#2926)

* New translations settings.php (French)

* New translations auth.php (French)

* New translations settings.php (French)

* New translations entities.php (French)

* New translations activities.php (French)

* New translations common.php (French)

* New translations entities.php (French)

* New translations common.php (French)

* New translations components.php (French)

* New translations settings.php (French)

* New translations auth.php (French)

* New translations settings.php (Russian)

* New translations validation.php (Russian)

* New translations settings.php (Russian)

* New translations auth.php (Russian)

* New translations settings.php (Russian)

* New translations auth.php (Russian)

* New translations entities.php (French)

* New translations auth.php (French)

* New translations entities.php (French)

* New translations auth.php (French)

* New translations settings.php (French)

* New translations validation.php (French)

* New translations settings.php (French)

* New translations entities.php (French)

* New translations errors.php (French)

* New translations passwords.php (French)

* New translations settings.php (French)

* New translations entities.php (French)

* New translations settings.php (French)

* New translations entities.php (German)

* New translations settings.php (German)

* New translations entities.php (German Informal)

* New translations settings.php (German Informal)

* New translations settings.php (German)

* New translations settings.php (German Informal)

* New translations settings.php (French)

* New translations settings.php (Vietnamese)

* New translations settings.php (Slovenian)

* New translations settings.php (Swedish)

* New translations settings.php (Turkish)

* New translations settings.php (Ukrainian)

* New translations settings.php (Chinese Simplified)

* New translations settings.php (Chinese Traditional)

* New translations settings.php (Portuguese, Brazilian)

* New translations settings.php (Portuguese)

* New translations settings.php (Indonesian)

* New translations settings.php (Persian)

* New translations settings.php (Spanish, Argentina)

* New translations settings.php (Croatian)

* New translations settings.php (Latvian)

* New translations settings.php (Bosnian)

* New translations settings.php (Slovak)

* New translations settings.php (Polish)

* New translations settings.php (Russian)

* New translations settings.php (Czech)

* New translations settings.php (German)

* New translations settings.php (German Informal)

* New translations settings.php (Spanish)

* New translations settings.php (Arabic)

* New translations settings.php (Bulgarian)

* New translations settings.php (Catalan)

* New translations settings.php (Danish)

* New translations settings.php (Dutch)

* New translations settings.php (Hebrew)

* New translations settings.php (Hungarian)

* New translations settings.php (Italian)

* New translations settings.php (Japanese)

* New translations settings.php (Korean)

* New translations settings.php (Lithuanian)

* New translations settings.php (Norwegian Bokmal)

* New translations settings.php (Spanish)

* New translations activities.php (Slovak)

* New translations errors.php (Slovak)

* New translations settings.php (Slovak)

* New translations auth.php (Slovak)

* New translations common.php (Slovak)

* New translations entities.php (Slovak)

* New translations settings.php (Slovak)

* New translations activities.php (Slovak)

* New translations settings.php (French)

* New translations settings.php (Russian)

* New translations settings.php (German)

* New translations settings.php (Polish)

* New translations validation.php (Polish)

* New translations auth.php (Vietnamese)

* New translations auth.php (Vietnamese)

* New translations activities.php (Vietnamese)

* New translations common.php (Vietnamese)

* New translations entities.php (Vietnamese)

* New translations settings.php (Chinese Simplified)

* New translations settings.php (Italian)

* New translations auth.php (Italian)

* New translations common.php (Italian)

* New translations common.php (German)

* New translations common.php (German Informal)

* New translations settings.php (German)

* New translations common.php (German)

* New translations common.php (German Informal)

* New translations errors.php (German)

Allowed page includes on custom home

For #2279
Old hold-over for when include content permissions were handled less
delicately.

Applied StyleCI changes

Reviewed addition to db table prefix

Review of #2935

- Removed from .env files and added warnings for use if found in config
  file.
- Updated permission service to use whereColumn queries to auto-handle
  use of prefixes.

Merge branch 'floviolleau-db-prefixes' of https://github.com/floviolleau/BookStack into floviolleau-floviolleau-db-prefixes

Reviewed adding IP recording to activity & audit log

Review of #2936

- Added testing to cover
- Added APP_PROXIES to .env.example.complete with details.
- Renamed migration to better align the name and to set the migration
  date to fit with production deploy order.
- Removed index from IP column in migration since an index does not yet
  provide any value.
- Updated table header text label.
- Prevented IP recording when in demo mode.

Merge branch 'log-ip-address' of https://github.com/johnroyer/BookStack into johnroyer-log-ip-address

Applied style ci changes again

Applied styleci changes

Caught old string helper function usage

Found by Laravel Shift Workbench

Standardised facade usage to use via their FQCN

Done via Laravel Shift Workbench

Fix coding style

Update translation file

Add user IP into audit table

Save user IP to audit log

Add IP column

Allow to use DB tables prefix

Allow to use DB tables prefix

Allow to use DB tables prefix

Allow to use DB tables prefix

Fixed dodgy test helper signature causing tests to fail

Just needed some argument defaults to make them optional for existing
uses.

Merge pull request #2928 from BookStackApp/browserkit_removal

Convert old BrowserKit tests

Applied styleci style changes

Removed browserkit testing from project

Converted last bits of the roles tests and removed dependancies.
Updated other PHP dependancies at the same time.

Started updating RolesTest away from Browserkit

Converted AuthTest away from BrowserKit

Moved some user managment tests out to more relevant classess along the
way.
Found some tweaks to make for email confirmation routing as part of
this.

Rewrote entity permissions tests to be non-browser-kit

Finished moving EntityTests out to new TestCase files

Moved more tests out of EntityTest

Fixed social auth login audit log messages

Was logging the whole social account instance instead of just the
method.
Updated tests to cover.

Fixes #2930

Moved/Updated old Activity tracking tests, started on entity tests

Started moving old EntityTests into more appropriate places within
non-browserkit-test classes. Still many more to do.

Removed browserkit from a couple of classess

Done a little reorganisation while there of misplaced tests.
Moved MarkdownTest to a new PageEditorTest to avoid confusion with
other markdown elements and to align with other page tests.

Added border to generated TOTP QR code

To fix QR code not being scannable when in dark mode due to
lack of border matching background of QR code.

Fixes #2925

Updated translators for v21.08.3

New Crowdin updates (#2915)

* New translations auth.php (Spanish)

* New translations activities.php (Italian)

* New translations settings.php (Italian)

* New translations entities.php (Italian)

* New translations validation.php (Italian)

* New translations activities.php (Danish)

* New translations auth.php (Danish)

* New translations common.php (Danish)

* New translations settings.php (Danish)

* New translations entities.php (Danish)

* New translations auth.php (Danish)

* New translations common.php (Danish)

* New translations errors.php (Danish)

* New translations validation.php (Danish)

* New translations activities.php (Russian)

* New translations auth.php (French)

* New translations auth.php (French)

* New translations settings.php (French)

* New translations entities.php (French)

* New translations auth.php (French)

Altered the parsing of custom head to prevent htmlentities on content

Was causing things like emjoi within script content to be somewhat
mangled. Instead we force UTF8 only parsing via XML declaration.

Added test to cover.

For #2923

Applied latest styleci changes

Fixed issue with HTML tags in custom head scripts

Fixes a strange issue of HTML tags within script tags being malformed
when part of the HTML custom head content due to the PHP parsing we do.
DOMDocument seemed to cause this upon load.
Adding LIBXML_SCHEMA_CREATE to the ->loadHTML call seems to fix this but
not really sure why. Doesn't seem to cause further issues though.
Tested with multiple scripts and styles and comments and meta tags.

- Also added new testing class to cover.
- As part of testing, added new folder within tests to house setting
  specific tests.

For #2914

Merge branch 'html-filtering'

Added a couple of additional CSP rules

As per guidance from google's CSP evaluator.

Finished off script CSP rules

- Added caching for custom html head parsing to add nonce.
- Also moved api docs page into web routes to prevent issues.

Started application of CSP headers

Added filter for xlink:href svg xss

Simply remove all such attributes

Added extra HTML filtering of dangerous content

In particular, That around the casing of dangerous values within
attributes. This uses some xpath translation to handle different casing
in contains searching.

Updated translator attribution before release v21.08.1

New Crowdin updates (#2906)

* New translations auth.php (Chinese Simplified)

* New translations auth.php (Chinese Simplified)

* New translations validation.php (Chinese Simplified)

* New translations activities.php (Latvian)

* New translations auth.php (Latvian)

* New translations common.php (Latvian)

* New translations validation.php (Latvian)

* New translations entities.php (Latvian)

* New translations activities.php (Polish)

Made the TOTP URL visible during setup

Useful for some non-scanner type apps.
Closes #2908

Fixed lack of proper ordering of pages

Added test to cover
Fixes #2905

Updated translator attribution before release v21.08

Applied stylci changes

Merge branch 'master' of github.com:BookStackApp/BookStack

New Crowdin updates (#2893)

* New translations settings.php (Chinese Traditional)

* New translations settings.php (Indonesian)

* New translations settings.php (Swedish)

* New translations settings.php (Turkish)

* New translations settings.php (Ukrainian)

* New translations settings.php (Chinese Simplified)

* New translations settings.php (Vietnamese)

* New translations settings.php (Portuguese, Brazilian)

* New translations settings.php (Persian)

* New translations settings.php (Slovak)

* New translations settings.php (Spanish, Argentina)

* New translations settings.php (Croatian)

* New translations settings.php (Latvian)

* New translations settings.php (Bosnian)

* New translations settings.php (Norwegian Bokmal)

* New translations settings.php (German Informal)

* New translations settings.php (Slovenian)

* New translations settings.php (Russian)

* New translations settings.php (French)

* New translations settings.php (German)

* New translations settings.php (Spanish)

* New translations settings.php (Arabic)

* New translations settings.php (Bulgarian)

* New translations settings.php (Catalan)

* New translations settings.php (Czech)

* New translations settings.php (Danish)

* New translations settings.php (Hebrew)

* New translations settings.php (Portuguese)

* New translations settings.php (Hungarian)

* New translations settings.php (Italian)

* New translations settings.php (Japanese)

* New translations settings.php (Korean)

* New translations settings.php (Dutch)

* New translations settings.php (Polish)

* New translations settings.php (Lithuanian)

* New translations activities.php (German)

* New translations auth.php (German)

* New translations common.php (German)

* New translations settings.php (German)

* New translations validation.php (German)

* New translations settings.php (French)

* New translations validation.php (French)

* New translations activities.php (French)

* New translations auth.php (French)

* New translations common.php (French)

* New translations activities.php (Norwegian Bokmal)

* New translations auth.php (Norwegian Bokmal)

* New translations auth.php (Norwegian Bokmal)

* New translations common.php (Norwegian Bokmal)

* New translations settings.php (Norwegian Bokmal)

* New translations validation.php (Norwegian Bokmal)

* New translations auth.php (French)

* New translations entities.php (Chinese Traditional)

* New translations entities.php (Indonesian)

* New translations entities.php (Swedish)

* New translations entities.php (Turkish)

* New translations entities.php (Ukrainian)

* New translations entities.php (Chinese Simplified)

* New translations entities.php (Vietnamese)

* New translations entities.php (Portuguese, Brazilian)

* New translations entities.php (Persian)

* New translations entities.php (Slovak)

* New translations entities.php (Spanish, Argentina)

* New translations entities.php (Croatian)

* New translations entities.php (Latvian)

* New translations entities.php (Bosnian)

* New translations entities.php (Norwegian Bokmal)

* New translations entities.php (German Informal)

* New translations entities.php (Slovenian)

* New translations entities.php (Russian)

* New translations entities.php (French)

* New translations entities.php (German)

* New translations entities.php (Spanish)

* New translations entities.php (Arabic)

* New translations entities.php (Bulgarian)

* New translations entities.php (Catalan)

* New translations entities.php (Czech)

* New translations entities.php (Danish)

* New translations entities.php (Hebrew)

* New translations entities.php (Portuguese)

* New translations entities.php (Hungarian)

* New translations entities.php (Italian)

* New translations entities.php (Japanese)

* New translations entities.php (Korean)

* New translations entities.php (Dutch)

* New translations entities.php (Polish)

* New translations entities.php (Lithuanian)

* New translations entities.php (Spanish)

* New translations settings.php (Chinese Traditional)

* New translations settings.php (Indonesian)

* New translations settings.php (Swedish)

* New translations settings.php (Turkish)

* New translations settings.php (Ukrainian)

* New translations settings.php (Chinese Simplified)

* New translations settings.php (Vietnamese)

* New translations settings.php (Portuguese, Brazilian)

* New translations settings.php (Persian)

* New translations settings.php (Slovak)

* New translations settings.php (Spanish, Argentina)

* New translations settings.php (Croatian)

* New translations settings.php (Latvian)

* New translations settings.php (Bosnian)

* New translations settings.php (Norwegian Bokmal)

* New translations settings.php (German Informal)

* New translations settings.php (Slovenian)

* New translations settings.php (Russian)

* New translations settings.php (French)

* New translations settings.php (German)

* New translations settings.php (Spanish)

* New translations settings.php (Arabic)

* New translations settings.php (Bulgarian)

* New translations settings.php (Catalan)

* New translations settings.php (Czech)

* New translations settings.php (Danish)

* New translations settings.php (Hebrew)

* New translations settings.php (Portuguese)

* New translations settings.php (Hungarian)

* New translations settings.php (Italian)

* New translations settings.php (Japanese)

* New translations settings.php (Korean)

* New translations settings.php (Dutch)

* New translations settings.php (Polish)

* New translations settings.php (Lithuanian)

* New translations settings.php (Spanish)

* New translations activities.php (Persian)

* New translations auth.php (Persian)

* New translations activities.php (Chinese Simplified)

* New translations auth.php (Chinese Simplified)

* New translations activities.php (Chinese Simplified)

* New translations auth.php (Chinese Simplified)

* New translations common.php (Chinese Simplified)

* New translations settings.php (Chinese Simplified)

* New translations validation.php (Chinese Simplified)

* New translations entities.php (Chinese Simplified)

Swapped injected db instance with facade

Injected db instance was causing the DB connection to be
made a lot earlier than desired or required.
Swapped to a facade for now but ideally this extension of services needs
to be cleaned up with a better approach in general.

Updated php deps again

Updated the login redirect logic to ignore mfa routes

Added untrusted server fetching control

WKHTMLtoPDF provides limited control for external fetching
so that will now be disabled by default unless
ALLOW_UNTRUSTED_SERVER_FETCHING=true is specifically set.
This new option will also control DOMPDF fetching.

Applied styleci changes

Added back email confirmation check in middleware

During writing of the update notes, found that the upgrade path would be
tricky from a security point of view. If people were pending email
confirmation but had an active session, they could technically be
actively logged in after the next release.

Added middlware as an extra precaution for now.

Updated php deps

Merge pull request #2899 from BookStackApp/export_permissions

Added role permissions for exporting content

Cleaned up DB usage in migration

Applied styleci patches

Added role permissions for exporting content

Added notice for lack of shelf permission cascade

Closes #2876