#3484 homepage: add security token

Signed-off-by: Patrizio Bekerle <patrizio@bekerle.com>

Author: pbek

CHANGELOG.md

@@ -2,6 +2,11 @@
 
 ## 26.3.10
 
+- Added a security token setting for the Homepage-compatible bookmark
+  suggestion API (with encrypted storage, settings dump masking, and
+  token-validated `GET /suggest` requests), and updated Homepage
+  integration docs (`custom.js`) to append the token query parameter
+  (for [#3484](https://github.com/pbek/QOwnNotes/issues/3484))
 - Improved portal handle token generation compatibility for older Qt5
   distributions (e.g. Debian 9.0, SLE 15) by using `QUuid` on Qt5 and
   keeping `QRandomGenerator` on Qt6 builds

docs/homepage/custom.js

@@ -12,6 +12,7 @@
 
   Tune behavior with:
   - QON_URL: QOwnNotes suggestion endpoint
+  - QON_TOKEN: security token configured in QOwnNotes settings
   - QON_LIMIT: number of QOwnNotes suggestions to request
   - QON_LABEL: marker shown in UI for QOwnNotes items
   - DEBUG: set true to print debug logs
@@ -21,6 +22,7 @@
   "use strict";
 
   const QON_URL = "http://127.0.0.1:22224/suggest?q=";
+  const QON_TOKEN = "";
   const QON_LIMIT = 20;
   const QON_LABEL = "[QON] ";
   const BLOCK_QON_TEXT_SEARCH = "__QON_BLOCK_TEXT_SEARCH__";
@@ -107,8 +109,11 @@
 
   async function fetchQown(query) {
     try {
+      const tokenPart = QON_TOKEN
+        ? `&token=${encodeURIComponent(QON_TOKEN)}`
+        : "";
       const r = await origFetch(
-        `${QON_URL}${encodeURIComponent(query)}&limit=${QON_LIMIT}`,
+        `${QON_URL}${encodeURIComponent(query)}&limit=${QON_LIMIT}${tokenPart}`,
       );
       const txt = await r.text();
       const j = JSON.parse(txt);

src/dialogs/settingsdialog.cpp

@@ -174,6 +174,8 @@ SettingsDialog::SettingsDialog(int page, QWidget *parent)
     connect(ui->enableSocketServerCheckBox, SIGNAL(toggled(bool)), this, SLOT(needRestart()));
     connect(ui->bookmarkSuggestionApiEnabledCheckBox, SIGNAL(toggled(bool)), this,
             SLOT(needRestart()));
+    connect(ui->bookmarkSuggestionApiTokenLineEdit, SIGNAL(textChanged(QString)), this,
+            SLOT(needRestart()));
     connect(ui->enableWebApplicationCheckBox, SIGNAL(toggled(bool)), this, SLOT(needRestart()));
     connect(ui->enableNoteTreeCheckBox, SIGNAL(toggled(bool)), this, SLOT(needRestart()));
     connect(ui->aiAutocompleteCheckBox, SIGNAL(toggled(bool)), this, SLOT(needRestart()));
@@ -787,6 +789,13 @@ void SettingsDialog::storeSettings() {
                       ui->bookmarkSuggestionApiEnabledCheckBox->isChecked());
     settings.setValue(QStringLiteral("webSocketServerService/bookmarkSuggestionApiPort"),
                       ui->bookmarkSuggestionApiPortSpinBox->value());
+    QString bookmarkSuggestionApiToken = ui->bookmarkSuggestionApiTokenLineEdit->text().trimmed();
+    if (bookmarkSuggestionApiToken.isEmpty()) {
+        bookmarkSuggestionApiToken = Utils::Misc::generateRandomString(32);
+        ui->bookmarkSuggestionApiTokenLineEdit->setText(bookmarkSuggestionApiToken);
+    }
+    settings.setValue(QStringLiteral("webSocketServerService/bookmarkSuggestionApiToken"),
+                      CryptoService::instance()->encryptToString(bookmarkSuggestionApiToken));
     settings.setValue(QStringLiteral("webSocketServerService/bookmarksTag"),
                       ui->bookmarksTagLineEdit->text());
     settings.setValue(QStringLiteral("webSocketServerService/bookmarksNoteName"),
@@ -1296,6 +1305,8 @@ void SettingsDialog::readSettings() {
         WebSocketServerService::isBookmarkSuggestionApiEnabled());
     ui->bookmarkSuggestionApiPortSpinBox->setValue(
         WebSocketServerService::getBookmarkSuggestionApiPort());
+    ui->bookmarkSuggestionApiTokenLineEdit->setText(
+        WebSocketServerService::getOrGenerateBookmarkSuggestionApiToken());
     on_bookmarkSuggestionApiEnabledCheckBox_toggled(
         ui->bookmarkSuggestionApiEnabledCheckBox->isChecked());
     ui->bookmarksTagLineEdit->setText(WebSocketServerService::getBookmarksTag());
@@ -4242,13 +4253,34 @@ void SettingsDialog::on_bookmarkSuggestionApiEnabledCheckBox_toggled(bool checke
     ui->bookmarkSuggestionApiPortLabel->setEnabled(checked);
     ui->bookmarkSuggestionApiPortSpinBox->setEnabled(checked);
     ui->bookmarkSuggestionApiPortResetButton->setEnabled(checked);
+    ui->bookmarkSuggestionApiTokenLabel->setEnabled(checked);
+    ui->bookmarkSuggestionApiTokenLineEdit->setEnabled(checked);
+    ui->bookmarkSuggestionApiShowTokenButton->setEnabled(checked);
+    ui->bookmarkSuggestionApiCopyTokenButton->setEnabled(checked);
+    ui->bookmarkSuggestionApiGenerateTokenButton->setEnabled(checked);
 }
 
 void SettingsDialog::on_bookmarkSuggestionApiPortResetButton_clicked() {
     ui->bookmarkSuggestionApiPortSpinBox->setValue(
         WebSocketServerService::getBookmarkSuggestionApiDefaultPort());
 }
 
+void SettingsDialog::on_bookmarkSuggestionApiShowTokenButton_clicked() {
+    ui->bookmarkSuggestionApiTokenLineEdit->setEchoMode(
+        ui->bookmarkSuggestionApiTokenLineEdit->echoMode() == QLineEdit::EchoMode::Password
+            ? QLineEdit::EchoMode::Normal
+            : QLineEdit::EchoMode::Password);
+}
+
+void SettingsDialog::on_bookmarkSuggestionApiCopyTokenButton_clicked() {
+    QApplication::clipboard()->setText(ui->bookmarkSuggestionApiTokenLineEdit->text());
+}
+
+void SettingsDialog::on_bookmarkSuggestionApiGenerateTokenButton_clicked() {
+    ui->bookmarkSuggestionApiTokenLineEdit->setText(Utils::Misc::generateRandomString(32));
+    ui->bookmarkSuggestionApiTokenLineEdit->setEchoMode(QLineEdit::EchoMode::Normal);
+}
+
 void SettingsDialog::on_internalIconThemeCheckBox_toggled(bool checked) {
     if (checked) {
         const QSignalBlocker blocker(ui->systemIconThemeCheckBox);

src/dialogs/settingsdialog.h

@@ -267,6 +267,12 @@ class SettingsDialog : public MasterDialog {
 
     void on_bookmarkSuggestionApiPortResetButton_clicked();
 
+    void on_bookmarkSuggestionApiShowTokenButton_clicked();
+
+    void on_bookmarkSuggestionApiCopyTokenButton_clicked();
+
+    void on_bookmarkSuggestionApiGenerateTokenButton_clicked();
+
     void on_internalIconThemeCheckBox_toggled(bool checked);
 
     void on_systemIconThemeCheckBox_toggled(bool checked);

src/dialogs/settingsdialog.ui

@@ -6824,13 +6824,13 @@ Just test yourself if you get sync conflicts and set a higher value if so.</stri
                   <property name="title">
                    <string>Bookmark suggestion API</string>
                   </property>
-                  <layout class="QGridLayout" name="gridLayout_96">
-                   <item row="0" column="0" colspan="3">
-                    <widget class="QCheckBox" name="bookmarkSuggestionApiEnabledCheckBox">
-                     <property name="text">
-                      <string>Enable Homepage-compatible bookmark suggestions API</string>
-                     </property>
-                    </widget>
+                   <layout class="QGridLayout" name="gridLayout_96">
+                    <item row="0" column="0" colspan="6">
+                     <widget class="QCheckBox" name="bookmarkSuggestionApiEnabledCheckBox">
+                      <property name="text">
+                       <string>Enable Homepage-compatible bookmark suggestions API</string>
+                      </property>
+                     </widget>
                    </item>
                    <item row="1" column="0">
                     <widget class="QLabel" name="bookmarkSuggestionApiPortLabel">
@@ -6852,23 +6852,88 @@ Just test yourself if you get sync conflicts and set a higher value if so.</stri
                      </property>
                     </widget>
                    </item>
-                   <item row="1" column="2">
-                    <widget class="QToolButton" name="bookmarkSuggestionApiPortResetButton">
-                     <property name="toolTip">
-                      <string>Reset the suggestion API port</string>
+                    <item row="1" column="2">
+                     <widget class="QToolButton" name="bookmarkSuggestionApiPortResetButton">
+                      <property name="toolTip">
+                       <string>Reset the suggestion API port</string>
                      </property>
                      <property name="text">
                       <string notr="true">…</string>
                      </property>
                      <property name="icon">
                       <iconset theme="edit-clear" resource="../breeze-qownnotes.qrc">
                        <normaloff>:/icons/breeze-qownnotes/16x16/edit-clear.svg</normaloff>:/icons/breeze-qownnotes/16x16/edit-clear.svg</iconset>
-                     </property>
-                    </widget>
-                   </item>
-                  </layout>
-                 </widget>
-                </item>
+                      </property>
+                     </widget>
+                    </item>
+                    <item row="2" column="0">
+                     <widget class="QLabel" name="bookmarkSuggestionApiTokenLabel">
+                      <property name="text">
+                       <string>Security token:</string>
+                      </property>
+                     </widget>
+                    </item>
+                    <item row="2" column="1" colspan="2">
+                     <widget class="QLineEdit" name="bookmarkSuggestionApiTokenLineEdit">
+                      <property name="toolTip">
+                       <string>If this is empty when saved, a new security token will be generated automatically.</string>
+                      </property>
+                      <property name="maxLength">
+                       <number>32</number>
+                      </property>
+                      <property name="readOnly">
+                       <bool>false</bool>
+                      </property>
+                      <property name="echoMode">
+                       <enum>QLineEdit::EchoMode::Password</enum>
+                      </property>
+                     </widget>
+                    </item>
+                    <item row="2" column="3">
+                     <widget class="QToolButton" name="bookmarkSuggestionApiShowTokenButton">
+                      <property name="toolTip">
+                       <string>Show security token</string>
+                      </property>
+                      <property name="text">
+                       <string notr="true">…</string>
+                      </property>
+                      <property name="icon">
+                       <iconset theme="document-decrypt" resource="../breeze-qownnotes.qrc">
+                        <normaloff>:/icons/breeze-qownnotes/16x16/document-decrypt.svg</normaloff>:/icons/breeze-qownnotes/16x16/document-decrypt.svg</iconset>
+                      </property>
+                     </widget>
+                    </item>
+                    <item row="2" column="4">
+                     <widget class="QToolButton" name="bookmarkSuggestionApiCopyTokenButton">
+                      <property name="toolTip">
+                       <string>Copy security token to clipboard</string>
+                      </property>
+                      <property name="text">
+                       <string notr="true">…</string>
+                      </property>
+                      <property name="icon">
+                       <iconset theme="edit-copy" resource="../breeze-qownnotes.qrc">
+                        <normaloff>:/icons/breeze-qownnotes/16x16/edit-copy.svg</normaloff>:/icons/breeze-qownnotes/16x16/edit-copy.svg</iconset>
+                      </property>
+                     </widget>
+                    </item>
+                    <item row="2" column="5">
+                     <widget class="QToolButton" name="bookmarkSuggestionApiGenerateTokenButton">
+                      <property name="toolTip">
+                       <string>Generate new security token</string>
+                      </property>
+                      <property name="text">
+                       <string notr="true">…</string>
+                      </property>
+                      <property name="icon">
+                       <iconset theme="view-refresh" resource="../breeze-qownnotes.qrc">
+                        <normaloff>:/icons/breeze-qownnotes/16x16/view-refresh.svg</normaloff>:/icons/breeze-qownnotes/16x16/view-refresh.svg</iconset>
+                      </property>
+                     </widget>
+                    </item>
+                   </layout>
+                  </widget>
+                 </item>
                </layout>
               </widget>
              </item>
@@ -7818,6 +7883,10 @@ Just test yourself if you get sync conflicts and set a higher value if so.</stri
   <tabstop>bookmarkSuggestionApiEnabledCheckBox</tabstop>
   <tabstop>bookmarkSuggestionApiPortSpinBox</tabstop>
   <tabstop>bookmarkSuggestionApiPortResetButton</tabstop>
+  <tabstop>bookmarkSuggestionApiTokenLineEdit</tabstop>
+  <tabstop>bookmarkSuggestionApiShowTokenButton</tabstop>
+  <tabstop>bookmarkSuggestionApiCopyTokenButton</tabstop>
+  <tabstop>bookmarkSuggestionApiGenerateTokenButton</tabstop>
   <tabstop>webSocketServerServicePortSpinBox</tabstop>
   <tabstop>webSocketServerServicePortResetButton</tabstop>
   <tabstop>webSocketTokenButton</tabstop>