diff --git a/docs/configuration.md b/docs/configuration.md index 1622da6fa414a..8e8654157c249 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -24,6 +24,7 @@ This part of the configuration concerns anything that can affect the whole site. - `pageTitleSuffix`: a string added to the end of the page title. This only applies to the browser tab title, not the title shown at the top of the page. - `enableSPA`: whether to enable [[SPA Routing]] on your site. - `enablePopovers`: whether to enable [[popover previews]] on your site. +- `enablePassProtected`: whether to enable [[Password protected]] on your site. - `analytics`: what to use for analytics on your site. Values can be - `null`: don't use analytics; - `{ provider: 'google', tagId: '' }`: use Google Analytics; diff --git a/docs/features/Password Protected.md b/docs/features/Password Protected.md new file mode 100644 index 0000000000000..6e95dabefb14f --- /dev/null +++ b/docs/features/Password Protected.md @@ -0,0 +1,31 @@ +--- +title: Password Protected +--- + +Some notes may be sensitive, i.e. non-public personal projects, contacts, meeting notes and such. It would be really useful to be able to protect some pages or group of pages so they don't appear to everyone, while still allowing them to be published. + +By adding a password to your note's frontmatter, you can create an extra layer of security, ensuring that only authorized individuals can access your content. Whether you're safeguarding personal journals, project plans, this feature provides the peace of mind you need. + +## How it works + +Simply add a password field to your note's frontmatter and set your desired password. When you try to view the note, you'll be prompted to enter the password. If the password is correct, the note will be unlocked. Once unlocked, you can access the note until you clear your browser cookies. + +### Security techniques + +- Key Derivation: Utilizes PBKDF2 for generating secure encryption keys. +- Unique Salt for Each Encryption: A unique salt is generated every time the encrypt method is used, enhancing security. +- Encryption/Decryption: Implements AES-GCM for robust data encryption and decryption. +- Encoding/Decoding: Use base64 to convert non-textual encrypted data in HTML + +### Disclaimer + +- Use it at your own risk +- You need to choose a strong password and share it only to trusted users +- You need to secure your notes and Quartz repository in private mode on Github/Gitlab/Bitbucket... or use your own Git server +- You can use other WAF tools to enhance security, based on URL of notes that Quartz build for you, e.g. Cloudflare WAF, AWS WAF, Google Cloud Armor... + +## Configuration + +- Disable password protected notes: set the `enablePasswordProtected` field in `quartz.config.ts` to be `false`. +- Style: `quartz/components/styles/passwordProtected.scss` +- Script: `quartz/components/scripts/decrypt.inline.ts` diff --git a/package-lock.json b/package-lock.json index 042a7fcb6c606..783028e1b84a3 100644 --- a/package-lock.json +++ b/package-lock.json @@ -54,6 +54,7 @@ "remark-parse": "^11.0.0", "remark-rehype": "^11.1.1", "remark-smartypants": "^3.0.2", + "rfc4648": "^1.5.3", "rfdc": "^1.4.1", "rimraf": "^6.0.1", "serve-handler": "^6.1.5", @@ -5471,6 +5472,12 @@ "node": ">=0.10.0" } }, + "node_modules/rfc4648": { + "version": "1.5.3", + "resolved": "https://registry.npmjs.org/rfc4648/-/rfc4648-1.5.3.tgz", + "integrity": "sha512-MjOWxM065+WswwnmNONOT+bD1nXzY9Km6u3kzvnx8F8/HXGZdz3T6e6vZJ8Q/RIMUSp/nxqjH3GwvJDy8ijeQQ==", + "license": "MIT" + }, "node_modules/rfdc": { "version": "1.4.1", "resolved": "https://registry.npmjs.org/rfdc/-/rfdc-1.4.1.tgz", diff --git a/package.json b/package.json index a5178735ea005..db4ef33d46694 100644 --- a/package.json +++ b/package.json @@ -80,6 +80,7 @@ "remark-parse": "^11.0.0", "remark-rehype": "^11.1.1", "remark-smartypants": "^3.0.2", + "rfc4648": "^1.5.3", "rfdc": "^1.4.1", "rimraf": "^6.0.1", "serve-handler": "^6.1.5", diff --git a/quartz.config.ts b/quartz.config.ts index e96ee4843fda1..4cc2af2b8bd93 100644 --- a/quartz.config.ts +++ b/quartz.config.ts @@ -12,6 +12,7 @@ const config: QuartzConfig = { pageTitleSuffix: "", enableSPA: true, enablePopovers: true, + enablePassProtected: true, analytics: { provider: "plausible", }, diff --git a/quartz/cfg.ts b/quartz/cfg.ts index 85527a093c410..a3a022a970342 100644 --- a/quartz/cfg.ts +++ b/quartz/cfg.ts @@ -50,6 +50,8 @@ export interface GlobalConfiguration { enableSPA: boolean /** Whether to display Wikipedia-style popovers when hovering over links */ enablePopovers: boolean + /** Whether to enable password protected page rendering */ + enablePassProtected: boolean /** Analytics mode */ analytics: Analytics /** Glob patterns to not search */ diff --git a/quartz/components/pages/EncryptedContent.tsx b/quartz/components/pages/EncryptedContent.tsx new file mode 100644 index 0000000000000..2ef0d9bb1d259 --- /dev/null +++ b/quartz/components/pages/EncryptedContent.tsx @@ -0,0 +1,45 @@ +import { QuartzComponent, QuartzComponentConstructor, QuartzComponentProps } from "../types" +import { i18n } from "../../i18n" + +const EncryptedContent: QuartzComponent = ({ + iteration, + encryptedContent, + cfg, +}: QuartzComponentProps) => { + return ( + <> +
+
+ {i18n(cfg.locale).pages.encryptedContent.enterPassword} +
+
+ +

+ {i18n(cfg.locale).pages.encryptedContent.loading} +

+
+ + +
+
+ + ) +} + +export default (() => EncryptedContent) satisfies QuartzComponentConstructor diff --git a/quartz/components/renderPage.tsx b/quartz/components/renderPage.tsx index f2dcceaa573b5..fbd34806193c4 100644 --- a/quartz/components/renderPage.tsx +++ b/quartz/components/renderPage.tsx @@ -2,7 +2,9 @@ import { render } from "preact-render-to-string" import { QuartzComponent, QuartzComponentProps } from "./types" import HeaderConstructor from "./Header" import BodyConstructor from "./Body" +import EncryptedContent from "./pages/EncryptedContent" import { JSResourceToScriptElement, StaticResources } from "../util/resources" +import { getEncryptedPayload } from "../util/encrypt" import { clone, FullSlug, RelativeURL, joinSegments, normalizeHastElement } from "../util/path" import { visit } from "unist-util-visit" import { Root, Element, ElementContent } from "hast" @@ -53,13 +55,13 @@ export function pageResources( } } -export function renderPage( +export async function renderPage( cfg: GlobalConfiguration, slug: FullSlug, componentData: QuartzComponentProps, components: RenderComponents, pageResources: StaticResources, -): string { +): Promise { // make a deep copy of the tree so we don't remove the transclusion references // for the file cached in contentMap in build.ts const root = clone(componentData.tree) as Root @@ -195,6 +197,7 @@ export function renderPage( } = components const Header = HeaderConstructor() const Body = BodyConstructor() + const Encrypted = EncryptedContent() const LeftComponent = (
@@ -213,6 +216,17 @@ export function renderPage( ) const lang = componentData.fileData.frontmatter?.lang ?? cfg.locale?.split("-")[0] ?? "en" + + let content = + if (componentData.fileData.frontmatter?.password) { + componentData.iteration = 2e6 + componentData.encryptedContent = await getEncryptedPayload( + render(content), + JSON.stringify(componentData.fileData.frontmatter.password), + componentData.iteration, + ) + content = + } const doc = ( @@ -233,7 +247,7 @@ export function renderPage( ))}
- + {content}
{afterBody.map((BodyComponent) => ( diff --git a/quartz/components/scripts/decrypt.inline.ts b/quartz/components/scripts/decrypt.inline.ts new file mode 100644 index 0000000000000..d048159f9ad26 --- /dev/null +++ b/quartz/components/scripts/decrypt.inline.ts @@ -0,0 +1,168 @@ +import { base64 } from "rfc4648" + +// @ts-ignore:next-line +function find(selector: string): T { + const element = document.querySelector(selector) as T + if (element) return element +} + +let salt: Uint8Array, iv: Uint8Array, ciphertext: Uint8Array, iterations: number + +async function decryptHTML() { + const pl = find("pre[data-i]") + if (!pl) { + return + } + + const form = find("form") + if (!form) { + return + } + + const pwd = find(".pwd") + if (!pwd) { + return + } + + form.addEventListener("submit", async (event) => { + event.preventDefault() + await decrypt() + }) + if (!subtle) { + error("modern") + pwd.disabled = true + } + + show(find("#lock")) + if (!pl.innerHTML) { + pwd.disabled = true + error("empty") + return + } + iterations = Number(pl.dataset.i) + const bytes = base64.parse(pl.innerHTML) + salt = bytes.slice(0, 32) + iv = bytes.slice(32, 32 + 16) + ciphertext = bytes.slice(32 + 16) + + if (location.hash) { + const parts = location.href.split("#") + pwd.value = parts[1] + history.replaceState(null, "", parts[0]) + } + + if (sessionStorage[document.body.dataset.slug!] || pwd.value) { + await decrypt() + } else { + hide(find("#load")) + show(form) + pwd.focus() + } +} + +document.addEventListener("DOMContentLoaded", decryptHTML) +document.addEventListener("nav", decryptHTML) + +const subtle = + window.crypto?.subtle || + (window.crypto as unknown as { webkitSubtle: Crypto["subtle"] })?.webkitSubtle + +function show(element: Element) { + element.classList.remove("hidden") +} + +function hide(element: Element) { + element.classList.add("hidden") +} + +function error(code: string) { + const msg = find("#msg") + msg.innerText = msg.getAttribute("data-" + code) || "" +} + +async function sleep(milliseconds: number): Promise { + return new Promise((resolve) => setTimeout(resolve, milliseconds)) +} + +async function decrypt() { + const loadText = find("#load-text") + loadText.innerText = loadText.getAttribute("data-decrypt") || "" + show(find("#load")) + hide(find("form")) + const pwd = find(".pwd") + await sleep(60) + + try { + const decrypted = await decryptFile({ salt, iv, ciphertext, iterations }, pwd.value) + + const article = find("#content") + article.innerHTML = decrypted + hide(find("#lock")) + } catch (e) { + hide(find("#load")) + show(find("form")) + + if (sessionStorage[document.body.dataset.slug!]) { + sessionStorage.removeItem(document.body.dataset.slug!) + } else { + error("wrong") + } + + pwd.value = "" + pwd.focus() + } +} + +async function deriveKey( + salt: Uint8Array, + password: string, + iterations: number, +): Promise { + const encoder = new TextEncoder() + const baseKey = await subtle.importKey("raw", encoder.encode(password), "PBKDF2", false, [ + "deriveKey", + ]) + return await subtle.deriveKey( + { name: "PBKDF2", salt, iterations, hash: "SHA-256" }, + baseKey, + { name: "AES-GCM", length: 256 }, + true, + ["decrypt"], + ) +} + +async function importKey(key: JsonWebKey) { + return subtle.importKey("jwk", key, "AES-GCM", true, ["decrypt"]) +} + +async function decryptFile( + { + salt, + iv, + ciphertext, + iterations, + }: { + salt: Uint8Array + iv: Uint8Array + ciphertext: Uint8Array + iterations: number + }, + password: string, +) { + const decoder = new TextDecoder() + + const key = sessionStorage[document.body.dataset.slug!] + ? await importKey(JSON.parse(sessionStorage[document.body.dataset.slug!])) + : await deriveKey(salt, password, iterations) + + const data = new Uint8Array(await subtle.decrypt({ name: "AES-GCM", iv }, key, ciphertext)) + if (!data) throw "Malformed data" + + try { + sessionStorage[document.body.dataset.slug!] = JSON.stringify(await subtle.exportKey("jwk", key)) + } catch (e) { + console.error(e) + } + + return decoder.decode(data) +} diff --git a/quartz/components/styles/passProtected.scss b/quartz/components/styles/passProtected.scss new file mode 100644 index 0000000000000..531342cb05b16 --- /dev/null +++ b/quartz/components/styles/passProtected.scss @@ -0,0 +1,30 @@ +.hidden { + display: none; +} + +.pwd { + box-sizing: border-box; + font-family: var(--bodyFont); + color: var(--dark); + border: 1px solid var(--lightgray); + padding: 0.5em 1em; + background: var(--light); + border-radius: 7px; + width: 70%; + margin-bottom: 2em; + margin-right: 2em; +} + +.pwd + input { + font-style: normal; + font-weight: 700; + font-size: 15px; + line-height: 1; + color: var(--light); + padding: 7px 15px; + background-color: var(--dark); + margin-top: 1px; + border-radius: 7px; + position: relative; + padding: 0.6em 1em; +} diff --git a/quartz/i18n/locales/ar-SA.ts b/quartz/i18n/locales/ar-SA.ts index 8463e2ff5f1cc..0b059bab6a7d8 100644 --- a/quartz/i18n/locales/ar-SA.ts +++ b/quartz/i18n/locales/ar-SA.ts @@ -85,5 +85,15 @@ export default { showingFirst: ({ count }) => `إظهار أول ${count} أوسمة.`, totalTags: ({ count }) => `يوجد ${count} أوسمة.`, }, + encryptedContent: { + loading: " التحميل...", + password: "كلمة المرور", + submit: "إرسال", + enterPassword: "الصفحة مقفلة بشكل افتراضي. يرجى إدخال كلمة المرور لفتح القفل:", + modernBrowser: ".استخدام متصفح حديث.", + wrongPassword: "خاطئة. يرجى إعادة إدخال كلمة المرور لفتح القفل:", + noPayload: "حمولة مشفرة.", + decrypting: "جاري فك التشفير...", + }, }, } as const satisfies Translation diff --git a/quartz/i18n/locales/ca-ES.ts b/quartz/i18n/locales/ca-ES.ts index aadbd4157da0f..8604a12398dc5 100644 --- a/quartz/i18n/locales/ca-ES.ts +++ b/quartz/i18n/locales/ca-ES.ts @@ -80,5 +80,16 @@ export default { showingFirst: ({ count }) => `Mostrant les primeres ${count} etiquetes.`, totalTags: ({ count }) => `S'han trobat ${count} etiquetes en total.`, }, + encryptedContent: { + loading: "Carregant...", + password: "Contrasenya", + submit: "Enviar", + enterPassword: + "Aquesta pàgina està bloquejada per defecte. Introduïu la contrasenya per desbloquejarla:", + modernBrowser: "Utilitzeu un navegador modern.", + wrongPassword: "Contrasenya incorrecta. Introduïu de nou la contrasenya per desbloquejar:", + noPayload: "No hi ha càrrega útil xifrada.", + decrypting: "Desxifrant...", + }, }, } as const satisfies Translation diff --git a/quartz/i18n/locales/cs-CZ.ts b/quartz/i18n/locales/cs-CZ.ts index bf089d1379f5c..e4686a67b1179 100644 --- a/quartz/i18n/locales/cs-CZ.ts +++ b/quartz/i18n/locales/cs-CZ.ts @@ -80,5 +80,15 @@ export default { showingFirst: ({ count }) => `Zobrazují se první ${count} tagy.`, totalTags: ({ count }) => `Nalezeno celkem ${count} tagů.`, }, + encryptedContent: { + loading: "Načítání...", + password: "Heslo", + submit: "Odeslat", + enterPassword: "Tato stránka je standardně uzamčena. Zadejte heslo pro odemknutí:", + modernBrowser: "Použijte moderní prohlížeč.", + wrongPassword: "Nesprávné heslo. Zadejte heslo znovu pro odemknutí:", + noPayload: "Není žádné šifrované užitečné zatížení.", + decrypting: "Dekódování...", + }, }, } as const satisfies Translation diff --git a/quartz/i18n/locales/de-DE.ts b/quartz/i18n/locales/de-DE.ts index 023d4be33c537..c61a5b265d24b 100644 --- a/quartz/i18n/locales/de-DE.ts +++ b/quartz/i18n/locales/de-DE.ts @@ -80,5 +80,17 @@ export default { showingFirst: ({ count }) => `Die ersten ${count} Tags werden angezeigt.`, totalTags: ({ count }) => `${count} Tags insgesamt.`, }, + encryptedContent: { + loading: "Wird geladen...", + password: "Passwort", + submit: "Senden", + enterPassword: + "Diese Seite ist standardmäßig gesperrt. Bitte geben Sie das Passwort ein, um sie zu entsperren:", + modernBrowser: "Bitte verwenden Sie einen modernen Browser.", + wrongPassword: + "Falsches Passwort. Bitte geben Sie das Passwort erneut ein, um zu entsperren:", + noPayload: "Keine verschlüsselte Nutzlast.", + decrypting: "Entschlüsseln...", + }, }, } as const satisfies Translation diff --git a/quartz/i18n/locales/definition.ts b/quartz/i18n/locales/definition.ts index 25a8cd7f245bf..d50f5ce737f11 100644 --- a/quartz/i18n/locales/definition.ts +++ b/quartz/i18n/locales/definition.ts @@ -80,5 +80,15 @@ export interface Translation { showingFirst: (variables: { count: number }) => string totalTags: (variables: { count: number }) => string } + encryptedContent: { + loading: string + password: string + submit: string + enterPassword: string + modernBrowser: string + wrongPassword: string + noPayload: string + decrypting: string + } } } diff --git a/quartz/i18n/locales/en-GB.ts b/quartz/i18n/locales/en-GB.ts index 5388b032c39d6..a0ac07b9ff0ad 100644 --- a/quartz/i18n/locales/en-GB.ts +++ b/quartz/i18n/locales/en-GB.ts @@ -80,5 +80,15 @@ export default { showingFirst: ({ count }) => `Showing first ${count} tags.`, totalTags: ({ count }) => `Found ${count} total tags.`, }, + encryptedContent: { + loading: "Loading...", + password: "Password", + submit: "Submit", + enterPassword: "This page is locked by default. Please enter passsword to unlock:", + modernBrowser: "Please use a modern browser.", + wrongPassword: "Wrong password. Please re-enter passsword to unlock:", + noPayload: "No encrypted payload.", + decrypting: "Decrypting...", + }, }, } as const satisfies Translation diff --git a/quartz/i18n/locales/en-US.ts b/quartz/i18n/locales/en-US.ts index 22cf31e016f39..23cd1db496838 100644 --- a/quartz/i18n/locales/en-US.ts +++ b/quartz/i18n/locales/en-US.ts @@ -80,5 +80,15 @@ export default { showingFirst: ({ count }) => `Showing first ${count} tags.`, totalTags: ({ count }) => `Found ${count} total tags.`, }, + encryptedContent: { + loading: "Loading...", + password: "Password", + submit: "Submit", + enterPassword: "This page is locked by default. Please enter passsword to unlock:", + modernBrowser: "Please use a modern browser.", + wrongPassword: "Wrong password. Please re-enter passsword to unlock:", + noPayload: "No encrypted payload.", + decrypting: "Decrypting...", + }, }, } as const satisfies Translation diff --git a/quartz/i18n/locales/es-ES.ts b/quartz/i18n/locales/es-ES.ts index c4a57aa124fa7..f2acfd354918d 100644 --- a/quartz/i18n/locales/es-ES.ts +++ b/quartz/i18n/locales/es-ES.ts @@ -80,5 +80,16 @@ export default { showingFirst: ({ count }) => `Mostrando las primeras ${count} etiquetas.`, totalTags: ({ count }) => `Se han encontrado ${count} etiquetas en total.`, }, + encryptedContent: { + loading: "Cargando...", + password: "Contraseña", + submit: "Enviar", + enterPassword: + "Esta página está bloqueada por defecto. Introduzca la contraseña para desbloquearla:", + modernBrowser: "Utilice un navegador moderno.", + wrongPassword: "Contraseña incorrecta. Vuelva a introducir la contraseña para desbloquear:", + noPayload: "No hay ninguna carga útil cifrada.", + decrypting: "Descifrando...", + }, }, } as const satisfies Translation diff --git a/quartz/i18n/locales/fa-IR.ts b/quartz/i18n/locales/fa-IR.ts index 5bfef5aee1226..c051175b246b1 100644 --- a/quartz/i18n/locales/fa-IR.ts +++ b/quartz/i18n/locales/fa-IR.ts @@ -80,5 +80,16 @@ export default { showingFirst: ({ count }) => `در حال نمایش ${count} برچسب.`, totalTags: ({ count }) => `${count} برچسب یافت شد.`, }, + encryptedContent: { + loading: "در حال بارگذاری...", + password: "رمز عبور", + submit: "ارسال کردن", + enterPassword: + "این صفحه به طور پیش فرض قفل شده است. لطفا رمز عبور را برای باز کردن قفل وارد کنید:", + modernBrowser: "لطفا از یک مرورگر مدرن استفاده کنید.", + wrongPassword: "رمز عبور اشتباه است. لطفا رمز عبور را دوباره وارد کنید تا قفل باز شود:", + noPayload: "هیچ محموله رمزگذاری شده ای وجود ندارد.", + decrypting: "در حال رمزگشایی...", + }, }, } as const satisfies Translation diff --git a/quartz/i18n/locales/fr-FR.ts b/quartz/i18n/locales/fr-FR.ts index ef43fa8762a32..51975ce41e61a 100644 --- a/quartz/i18n/locales/fr-FR.ts +++ b/quartz/i18n/locales/fr-FR.ts @@ -80,5 +80,17 @@ export default { showingFirst: ({ count }) => `Affichage des premières ${count} étiquettes.`, totalTags: ({ count }) => `Trouvé ${count} étiquettes au total.`, }, + encryptedContent: { + loading: "Chargement en cours...", + password: "Mot de passe", + submit: "Soumettre", + enterPassword: + "Cette page est verrouillée par défaut. Veuillez entrer le mot de passe pour déverrouiller :", + modernBrowser: "Veuillez utiliser un navigateur moderne.", + wrongPassword: + "Mot de passe incorrect. Veuillez saisir à nouveau le mot de passe pour déverrouiller :", + noPayload: "Aucune charge utile cryptée.", + decrypting: "Décryptage en cours...", + }, }, } as const satisfies Translation diff --git a/quartz/i18n/locales/hu-HU.ts b/quartz/i18n/locales/hu-HU.ts index 066b7770e3378..59fb06cf49423 100644 --- a/quartz/i18n/locales/hu-HU.ts +++ b/quartz/i18n/locales/hu-HU.ts @@ -78,5 +78,16 @@ export default { showingFirst: ({ count }) => `Első ${count} címke megjelenítve.`, totalTags: ({ count }) => `Összesen ${count} címke található.`, }, + encryptedContent: { + loading: "Betöltés...", + password: "Jelszó", + submit: "Küldés", + enterPassword: + "Ez az oldal alapértelmezés szerint zárolva van. Kérjük, adja meg a jelszót a feloldáshoz:", + modernBrowser: "Kérjük, használjon modern böngészőt.", + wrongPassword: "Helytelen jelszó. Kérjük, adja meg újra a jelszót a feloldáshoz:", + noPayload: "Nincs titkosított hasznos teher.", + decrypting: "Dekódolás...", + }, }, } as const satisfies Translation diff --git a/quartz/i18n/locales/it-IT.ts b/quartz/i18n/locales/it-IT.ts index c8c597352c3ab..4b19c50ce3448 100644 --- a/quartz/i18n/locales/it-IT.ts +++ b/quartz/i18n/locales/it-IT.ts @@ -80,5 +80,16 @@ export default { showingFirst: ({ count }) => `Prime ${count} etichette.`, totalTags: ({ count }) => `Trovate ${count} etichette totali.`, }, + encryptedContent: { + loading: "Caricamento in corso...", + password: "Password", + submit: "Invia", + enterPassword: + "Questa pagina è bloccata per impostazione predefinita. Inserisci la password per sbloccare:", + modernBrowser: "Si prega di utilizzare un browser moderno.", + wrongPassword: "Password errato. Si prega di reinserire la password per sbloccare:", + noPayload: "Nessun payload crittografato.", + decrypting: "Decifrazione in corso...", + }, }, } as const satisfies Translation diff --git a/quartz/i18n/locales/ja-JP.ts b/quartz/i18n/locales/ja-JP.ts index 9581b5ed30cb2..412a77dd4f2fa 100644 --- a/quartz/i18n/locales/ja-JP.ts +++ b/quartz/i18n/locales/ja-JP.ts @@ -78,5 +78,17 @@ export default { showingFirst: ({ count }) => `のうち最初の${count}件を表示しています`, totalTags: ({ count }) => `全${count}個のタグを表示中`, }, + encryptedContent: { + loading: "読み込み中...", + password: "パスワード", + submit: "送信", + enterPassword: + "このページはデフォルトでロックされています。ロックを解除するにはパスワードを入力してください:", + modernBrowser: "最新のブラウザを使用してください。", + wrongPassword: + "パスワードが間違っています。ロックを解除するにはパスワードを再度入力してください:", + noPayload: "暗号化されたペイロードはありません。", + decrypting: "解読中...", + }, }, } as const satisfies Translation diff --git a/quartz/i18n/locales/ko-KR.ts b/quartz/i18n/locales/ko-KR.ts index 9be08d98fb537..1339e9eccfb72 100644 --- a/quartz/i18n/locales/ko-KR.ts +++ b/quartz/i18n/locales/ko-KR.ts @@ -78,5 +78,15 @@ export default { showingFirst: ({ count }) => `처음 ${count}개의 태그`, totalTags: ({ count }) => `총 ${count}개의 태그를 찾았습니다.`, }, + encryptedContent: { + loading: "로딩 중...", + password: "비밀번호", + submit: "제출", + enterPassword: "이 페이지는 기본적으로 잠겨 있습니다. 잠금을 해제하려면 암호를 입력하십시오:", + modernBrowser: "최신 브라우저를 사용하십시오.", + wrongPassword: "비밀번호가 잘못되었습니다. 잠금을 해제하려면 암호를 다시 입력하십시오:", + noPayload: "암호화된 페이로드가 없습니다.", + decrypting: "해독 중...", + }, }, } as const satisfies Translation diff --git a/quartz/i18n/locales/nl-NL.ts b/quartz/i18n/locales/nl-NL.ts index ccbafa7b3d218..f3ce080bbad09 100644 --- a/quartz/i18n/locales/nl-NL.ts +++ b/quartz/i18n/locales/nl-NL.ts @@ -82,5 +82,17 @@ export default { count === 1 ? "Eerste label tonen." : `Eerste ${count} labels tonen.`, totalTags: ({ count }) => `${count} labels gevonden.`, }, + encryptedContent: { + loading: "Bezig met laden...", + password: "Wachtwoord", + submit: "Verzenden", + enterPassword: + "Deze pagina is standaard vergrendeld. Voer alstublieft uw wachtwoord in om te ontgrendelen:", + modernBrowser: "Gebruik alstublieft een moderne browser.", + wrongPassword: + "Verkeerd wachtwoord. Voer alstublieft uw wachtwoord opnieuw in om te ontgrendelen:", + noPayload: "Geen versleutelde payload.", + decrypting: "Ontsleutelen..", + }, }, } as const satisfies Translation diff --git a/quartz/i18n/locales/pl-PL.ts b/quartz/i18n/locales/pl-PL.ts index 7fa0cd47a8366..ab4ad8120cfa7 100644 --- a/quartz/i18n/locales/pl-PL.ts +++ b/quartz/i18n/locales/pl-PL.ts @@ -80,5 +80,15 @@ export default { showingFirst: ({ count }) => `Pokazuje ${count} pierwszych znaczników.`, totalTags: ({ count }) => `Znalezionych wszystkich znaczników: ${count}.`, }, + encryptedContent: { + loading: "Ładowanie...", + password: "Hasło", + submit: "Wyślij", + enterPassword: "Ta strona jest domyślnie zablokowana. Wprowadź hasło, aby ją odblokować:", + modernBrowser: "Użyj nowoczesnej przeglądarki.", + wrongPassword: "Senha incorreta. Digite a senha novamente para desbloquear:", + noPayload: "Nie ma zaszyfrowanego ładunku.", + decrypting: "Deszyfrowanie...", + }, }, } as const satisfies Translation diff --git a/quartz/i18n/locales/pt-BR.ts b/quartz/i18n/locales/pt-BR.ts index c7b6bfb606f57..a34b2b88f1c97 100644 --- a/quartz/i18n/locales/pt-BR.ts +++ b/quartz/i18n/locales/pt-BR.ts @@ -80,5 +80,15 @@ export default { showingFirst: ({ count }) => `Mostrando as ${count} primeiras tags.`, totalTags: ({ count }) => `Encontradas ${count} tags.`, }, + encryptedContent: { + loading: "Carregando...", + password: "Senha", + submit: "Enviar", + enterPassword: "Esta página está bloqueada por padrão. Digite a senha para desbloquear:", + modernBrowser: "Use um navegador moderno.", + wrongPassword: "Parolă greșită. Vă rugăm să reintroduceți parola pentru a debloca:", + noPayload: "Não há nenhuma carga útil criptografada.", + decrypting: "Descifrando...", + }, }, } as const satisfies Translation diff --git a/quartz/i18n/locales/ro-RO.ts b/quartz/i18n/locales/ro-RO.ts index 2de1c8cd9a62f..a7b4aea6d992d 100644 --- a/quartz/i18n/locales/ro-RO.ts +++ b/quartz/i18n/locales/ro-RO.ts @@ -81,5 +81,16 @@ export default { showingFirst: ({ count }) => `Se afișează primele ${count} etichete.`, totalTags: ({ count }) => `Au fost găsite ${count} etichete în total.`, }, + encryptedContent: { + loading: "Se încarcă...", + password: "Parolă", + submit: "Trimite", + enterPassword: + "Această pagină este blocată în mod implicit. Introduceți parola pentru a debloca:", + modernBrowser: "Vă rugăm să utilizați un browser modern.", + wrongPassword: "Неправильний пароль. Будь ласка, введіть пароль ще раз, щоб розблокувати:", + noPayload: "Nu există nicio sarcină utilă criptată.", + decrypting: "Decriptare...", + }, }, } as const satisfies Translation diff --git a/quartz/i18n/locales/ru-RU.ts b/quartz/i18n/locales/ru-RU.ts index 18e0817342344..c8197f86240f8 100644 --- a/quartz/i18n/locales/ru-RU.ts +++ b/quartz/i18n/locales/ru-RU.ts @@ -82,6 +82,17 @@ export default { `Показыва${getForm(count, "ется", "ются", "ются")} ${count} тег${getForm(count, "", "а", "ов")}`, totalTags: ({ count }) => `Всего ${count} тег${getForm(count, "", "а", "ов")}`, }, + encryptedContent: { + loading: "Загрузка...", + password: "Пароль", + submit: "Отправить", + enterPassword: + "Эта страница заблокирована по умолчанию. Пожалуйста, введите пароль для разблокировки:", + modernBrowser: "Пожалуйста, используйте современный браузер.", + wrongPassword: "Неверный пароль. Пожалуйста, введите пароль еще раз для разблокировки:", + noPayload: "Нет зашифрованной полезной нагрузки.", + decrypting: "Расшифровка...", + }, }, } as const satisfies Translation diff --git a/quartz/i18n/locales/uk-UA.ts b/quartz/i18n/locales/uk-UA.ts index 469de4f809a0e..ffde3fa6846f5 100644 --- a/quartz/i18n/locales/uk-UA.ts +++ b/quartz/i18n/locales/uk-UA.ts @@ -80,5 +80,15 @@ export default { showingFirst: ({ count }) => `Показ перших ${count} міток.`, totalTags: ({ count }) => `Всього знайдено міток: ${count}.`, }, + encryptedContent: { + loading: "Завантаження...", + password: "Пароль", + submit: "Надіслати", + enterPassword: "Ця сторінка за замовчуванням заблокована. Введіть пароль, щоб розблокувати:", + modernBrowser: "Будь ласка, використовуйте сучасний браузер.", + wrongPassword: "Неправильний пароль. Будь ласка, введіть пароль ще раз, щоб розблокувати:", + noPayload: "Немає зашифрованого корисного навантаження.", + decrypting: "Розшифровка...", + }, }, } as const satisfies Translation diff --git a/quartz/i18n/locales/vi-VN.ts b/quartz/i18n/locales/vi-VN.ts index 39a8fbcc194ab..afbab2f5cb17d 100644 --- a/quartz/i18n/locales/vi-VN.ts +++ b/quartz/i18n/locales/vi-VN.ts @@ -80,5 +80,15 @@ export default { showingFirst: ({ count }) => `Hiển thị trước ${count} thẻ.`, totalTags: ({ count }) => `Tìm thấy ${count} thẻ tổng cộng.`, }, + encryptedContent: { + loading: "Đang tải...", + password: "Mật khẩu", + submit: "Mở khóa", + enterPassword: "Trang này bị khóa theo mặc định. Vui lòng điền mật khẩu để mở khóa:", + modernBrowser: "Vui lòng sử dụng trình duyệt mới nhất.", + wrongPassword: "Sai mật khẩu. Vui lòng điền lại mật khẩu để mở khóa:", + noPayload: "Không có nội dung được mã hóa.", + decrypting: "Đang giải mã...", + }, }, } as const satisfies Translation diff --git a/quartz/i18n/locales/zh-CN.ts b/quartz/i18n/locales/zh-CN.ts index b710db5391e14..bbcef526f7597 100644 --- a/quartz/i18n/locales/zh-CN.ts +++ b/quartz/i18n/locales/zh-CN.ts @@ -78,5 +78,15 @@ export default { showingFirst: ({ count }) => `显示前${count}个标签。`, totalTags: ({ count }) => `总共有${count}个标签。`, }, + encryptedContent: { + loading: "正在加载...", + password: "密码", + submit: "提交", + enterPassword: "此页面默认锁定。请输入密码解锁:", + modernBrowser: "请使用现代浏览器。", + wrongPassword: "密码错误。请重新输入密码解锁:", + noPayload: "没有加密的有效负载。", + decrypting: "解密中...", + }, }, } as const satisfies Translation diff --git a/quartz/plugins/emitters/404.tsx b/quartz/plugins/emitters/404.tsx index e4605cfcd2f3e..141c06db008d7 100644 --- a/quartz/plugins/emitters/404.tsx +++ b/quartz/plugins/emitters/404.tsx @@ -58,7 +58,7 @@ export const NotFoundPage: QuartzEmitterPlugin = () => { return [ await write({ ctx, - content: renderPage(cfg, slug, componentData, opts, externalResources), + content: await renderPage(cfg, slug, componentData, opts, externalResources), slug, ext: ".html", }), diff --git a/quartz/plugins/emitters/componentResources.ts b/quartz/plugins/emitters/componentResources.ts index 08278305e42c8..18cf274ff8ec9 100644 --- a/quartz/plugins/emitters/componentResources.ts +++ b/quartz/plugins/emitters/componentResources.ts @@ -5,8 +5,11 @@ import { QuartzEmitterPlugin } from "../types" import spaRouterScript from "../../components/scripts/spa.inline" // @ts-ignore import popoverScript from "../../components/scripts/popover.inline" +// @ts-ignore +import decryptScript from "../../components/scripts/decrypt.inline" import styles from "../../styles/custom.scss" import popoverStyle from "../../components/styles/popover.scss" +import passProtectedStyle from "../../components/styles/passProtected.scss" import { BuildCtx } from "../../util/ctx" import { QuartzComponent } from "../../components/types" import { googleFontHref, joinStyles } from "../../util/theme" @@ -77,6 +80,11 @@ function addGlobalPageResources(ctx: BuildCtx, componentResources: ComponentReso componentResources.css.push(popoverStyle) } + if (cfg.enablePassProtected) { + componentResources.afterDOMLoaded.push(decryptScript) + componentResources.css.push(passProtectedStyle) + } + if (cfg.analytics?.provider === "google") { const tagId = cfg.analytics.tagId componentResources.afterDOMLoaded.push(` diff --git a/quartz/plugins/emitters/contentPage.tsx b/quartz/plugins/emitters/contentPage.tsx index 2ac132147358a..5f93be28ab0e5 100644 --- a/quartz/plugins/emitters/contentPage.tsx +++ b/quartz/plugins/emitters/contentPage.tsx @@ -117,7 +117,7 @@ export const ContentPage: QuartzEmitterPlugin> = (userOp allFiles, } - const content = renderPage(cfg, slug, componentData, opts, externalResources) + const content = await renderPage(cfg, slug, componentData, opts, externalResources) const fp = await write({ ctx, content, diff --git a/quartz/plugins/emitters/folderPage.tsx b/quartz/plugins/emitters/folderPage.tsx index 7eebb21c7e9b7..5a4ca0b342232 100644 --- a/quartz/plugins/emitters/folderPage.tsx +++ b/quartz/plugins/emitters/folderPage.tsx @@ -119,7 +119,7 @@ export const FolderPage: QuartzEmitterPlugin> = (user allFiles, } - const content = renderPage(cfg, slug, componentData, opts, externalResources) + const content = await renderPage(cfg, slug, componentData, opts, externalResources) const fp = await write({ ctx, content, diff --git a/quartz/plugins/emitters/tagPage.tsx b/quartz/plugins/emitters/tagPage.tsx index 066d4ec2641bd..36a1899b95001 100644 --- a/quartz/plugins/emitters/tagPage.tsx +++ b/quartz/plugins/emitters/tagPage.tsx @@ -123,7 +123,7 @@ export const TagPage: QuartzEmitterPlugin> = (userOpts) allFiles, } - const content = renderPage(cfg, slug, componentData, opts, externalResources) + const content = await renderPage(cfg, slug, componentData, opts, externalResources) const fp = await write({ ctx, content, diff --git a/quartz/util/encrypt.ts b/quartz/util/encrypt.ts new file mode 100644 index 0000000000000..8e30f05d86317 --- /dev/null +++ b/quartz/util/encrypt.ts @@ -0,0 +1,33 @@ +import { base64 } from "rfc4648" +import { getRandomValues, subtle } from "crypto" + +export async function getEncryptedPayload( + content: string, + password: string, + iterations: number = 2e6, +) { + const encoder = new TextEncoder() + const salt = getRandomValues(new Uint8Array(32)) + const baseKey = await subtle.importKey("raw", encoder.encode(password), "PBKDF2", false, [ + "deriveKey", + ]) + const key = await subtle.deriveKey( + { name: "PBKDF2", salt, iterations, hash: "SHA-256" }, + baseKey, + { name: "AES-GCM", length: 256 }, + false, + ["encrypt"], + ) + + const iv = getRandomValues(new Uint8Array(16)) + const ciphertext = new Uint8Array( + await subtle.encrypt({ name: "AES-GCM", iv }, key, encoder.encode(content)), + ) + const totalLength = salt.length + iv.length + ciphertext.length + const mergedData = new Uint8Array(totalLength) + mergedData.set(salt) + mergedData.set(iv, salt.length) + mergedData.set(ciphertext, salt.length + iv.length) + + return base64.stringify(mergedData) +}