@rui-typelets (Collaborator)

Summary

  • Add public notes sharing feature allowing users to publish notes as shareable web pages
  • Implement comprehensive security hardening with DOMPurify sanitization (frontend + backend)
  • Add Globe icon indicators, "Public" view filter, and publish/unpublish modal
  • Include SEO support, theme toggle, and collapsible table of contents on public pages

Changes

New Files

  • src/pages/PublicNotePage.tsx - Public note viewer with TipTap rendering
  • src/components/editor/modals/PublishNoteModal.tsx - Publish/unpublish dialog

Modified

  • Added dompurify dependency for XSS protection
  • Updated TabBar and NoteCard with Globe icon for published notes
  • Added "Public" view in sidebar with note count
  • Extended useNotes hook with publish/unpublish operations
  • Updated types and API client for public note fields

Security

  • DOMPurify sanitization on frontend (defense in depth with backend)
  • Internal note IDs stripped from public content
  • Clear E2E bypass warning in publish modal
  • No auth tokens exposed on public page
  • Hard delete on unpublish

Test plan

  • Publish a note and verify public page renders correctly
  • Check Globe icon appears on tabs and note cards
  • Verify theme toggle works (light/dark)
  • Test table of contents collapse/expand
  • Unpublish and confirm 404 returned
  • Verify "Public" filter shows only published notes
  • Test on mobile viewport

Add ability to publish notes as public, shareable pages while maintaining security for the E2E encrypted notes application.

  Features:
  - Publish/unpublish notes via modal with optional author attribution
  - Public page at /p/:slug with full TipTap rendering support
  - Globe icon indicator on tabs and note cards for published notes
  - "Public" view in sidebar to filter published notes
  - Auto-sync: edits to notes automatically update public version
  - Theme toggle (light/dark) on public page, defaults to system
  - Collapsible table of contents support
  - SEO meta tags (Open Graph, Twitter Cards)

  Security:
  - DOMPurify sanitization on both frontend and backend (defense in depth)
  - Strip internal note IDs from public content
  - Clear warning that publishing bypasses E2E encryption
  - Unguessable slugs (nanoid, 839 quadrillion combinations)
  - Hard delete on unpublish (no soft delete)
  - Rate limiting on public endpoints
  - No auth tokens or sensitive data exposed
rui-typelets self-assigned this Nov 22, 2025
rui-typelets merged commit 83e6950 into main Nov 22, 2025
3 checks passed
@github-actions (Contributor)

🎉 This PR is included in version 1.41.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
