Apply all changes

CHANGES.md

@@ -0,0 +1,80 @@
+# Changes applied to this container
+- Build custom base image to use the full Texlive distribution by applying the following changes to `server-ce/Dockerfile-base`: 
+    - Set `selected_scheme` to `scheme-full`
+    - Update Texlive:
+      ```
+      RUN tlmgr update --self \
+      &&  tlmgr update --all
+      ```
+- Modifications to the main Docker file `server-ce/Dockerfile`:
+    - Use the custom base image
+    - Install pip and some Python modules:
+        ```
+        RUN apt-get update \
+        &&  apt-get install -y python3-pip \
+        &&  python3 -m pip install Flask requests cryptography beautifulsoup4 gunicorn
+        ```
+    - Add some web files:
+        ```
+        COPY server-ce/runit/reverse-proxy/*.js /overleaf/services/web/public/js/
+        COPY server-ce/runit/reverse-proxy/*.css /overleaf/services/web/public/stylesheets/
+        ``` 
+- Add `server-ce/runit/remote-api-server` and `server-ce/runit/reverse-proxy`
+    - Make sure that the `run` files have the executable flag set
+- Modify `server-ce/bin/grunt` as follows:
+    - Add new case entry
+        ```
+        user:create)
+          node modules/server-ce-scripts/scripts/create-user "$@"
+          ;;
+        ```
+      to create regular users via command-line
+- Add `proxy_hide_header X-Frame-Options;` to `server-ce/nginx/sharelatex.conf` for locations `/` and `/socket.io` to allow iframe embedding
+- Add the following setting to `server-ce/config/settings.js`:
+    ```
+    cookieSessionLength: false,
+    ```
+- Redirect `GET` requests to the reverse proxy service through `server-ce/nginx/sharelatex.conf` by adding the following to the `/` location:
+    ```
+    if ($request_method = GET) {
+        proxy_pass http://localhost:9000;
+    }
+    if ($request_method != GET) {
+        proxy_pass http://localhost:3000;
+    }
+    ```
+- Replace all instances of `127.0.0.1` by `localhost` in `server-ce/nginx/sharelatex.conf` 
+- The following changes need to be made in the `web` service:
+  - `frontend/js/features/project-list/components/project-list-root.tsx`:
+    - To remove the *Welcome to Overleaf* screen, change `totalProjectsCount == 0 ?` (around L61) to `totalProjectsCount >= 0 ?`
+
+# How to use
+## Registration/User management service
+A new service called `regsvc` will be launched within the container; it can be reached at the `/regsvc` endpoint.
+
+The service provides various actions, specified through the `action` parameter:
+
+| Action | Description                                                                                                                                                                 | Parameters                                                                                             |
+| --- |-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------|
+| `create` | Creates a new user; if a user with the specified email already exists, nothing happens                                                                                      | `email` - The user's email address (= username)<br/> `password` - Optionally sets the account password |
+| `login` | Logs the specified in; this will return a link that can be followed afterwards                                                                                              | `email` - The user's email address <br/> `password` - The user's password                              |
+| `create-and-login` | Combines the actions `create` and `login`: The user is created if it doesn't exist yet and is logged in afterwards; the returned data can be used to open the projects page | `email` - The user's email address <br/> `password` - The user's password                              |
+| `open-projects` | Redirects to the projects page after a user has been logged in                                                                                                              | `data` - The data returned by a previous login call                                                    |
+
+For all actions except `open-projects`, an API key needs to be passed via the `apikey` parameter. This needs to match the `REMOTE_API_KEY` environment variable specified during deployment.
+
+An example `GET` request to this service could look like this:
+```
+https://mydomain.com/regsvc?action=create&[email protected]&password=mypass&apikey=123key
+```
+
+Note that leaving out the `action` parameter will default to `create-and-login`.
+
+### Configuration
+The `regsvc` service can be configured by setting various environment variables:
+
+| Variable | Description                                                                                                | Default |
+| --- |------------------------------------------------------------------------------------------------------------| --- |
+| `REMOTE_API_KEY` | This key is used to protect the various endpoints (except for `open-projects`); it is mandatory to specify | `""` |
+| `REMOTE_API_ALLOWED_CLIENTS` | If set, only the specified clients are allowed to issue requests; wildcards are supported                  | `""` |
+| `REMOTE_API_DATA_KEY` | This key is used to encrypt login data; the key _must_ have a length of 32 characters and is mandatory     | `""` |

server-ce/Dockerfile

@@ -2,9 +2,17 @@
 # Overleaf Community Edition (overleaf/overleaf)
 # ---------------------------------------------
 
-ARG SHARELATEX_BASE_TAG=sharelatex/sharelatex-base:latest
+# ARG SHARELATEX_BASE_TAG=sharelatex/sharelatex-base:latest
+# Use a custom base image which provides the "full" Texlive distribution
+ARG SHARELATEX_BASE_TAG=omnivox/overleaf-base:latest
 FROM $SHARELATEX_BASE_TAG
 
+# Install pip and some Python modules
+# -----------------------------------
+RUN apt-get update \
+&&  apt-get install -y python3-pip \
+&&  python3 -m pip install Flask requests cryptography beautifulsoup4 lxml gunicorn
+
 WORKDIR /overleaf
 
 # Add required source files
@@ -71,6 +79,14 @@ COPY server-ce/config/custom-environment-variables.json /overleaf/services/histo
 ADD server-ce/bin/grunt /usr/local/bin/grunt
 RUN chmod +x /usr/local/bin/grunt
 
+# Add missing TeX packages
+# ------------------------
+# tlmgr install <package>
+
+# Copy reverse proxy scripts and stylesheets
+COPY server-ce/runit/reverse-proxy/*.js /overleaf/services/web/public/js/
+COPY server-ce/runit/reverse-proxy/*.css /overleaf/services/web/public/stylesheets/
+
 # File that controls open|closed status of the site
 # -------------------------------------------------
 ENV SITE_MAINTENANCE_FILE "/etc/sharelatex/site_status"

server-ce/Dockerfile-base

@@ -10,7 +10,7 @@ ENV TEXMFVAR=/var/lib/sharelatex/tmp/texmf-var
 
 # Update to ensure dependencies are updated
 # ------------------------------------------
-ENV REBUILT_AFTER="2023-03-13"
+ENV REBUILT_AFTER="2023-05-02"
 
 # Install dependencies
 # --------------------
@@ -54,7 +54,7 @@ RUN mkdir /install-tl-unx \
 &&  echo "tlpdbopt_autobackup 0" >> /install-tl-unx/texlive.profile \
 &&  echo "tlpdbopt_install_docfiles 0" >> /install-tl-unx/texlive.profile \
 &&  echo "tlpdbopt_install_srcfiles 0" >> /install-tl-unx/texlive.profile \
-&&  echo "selected_scheme scheme-basic" >> /install-tl-unx/texlive.profile \
+&&  echo "selected_scheme scheme-full" >> /install-tl-unx/texlive.profile \
     \
 &&  /install-tl-unx/install-tl \
       -profile /install-tl-unx/texlive.profile \
@@ -69,6 +69,10 @@ RUN mkdir /install-tl-unx \
 &&  tlmgr path add \
 &&  rm -rf /install-tl-unx
 
+# Update Texlive
+# --------------
+RUN tlmgr update --self \
+&&  tlmgr update --all
 
 # Set up sharelatex user and home directory
 # -----------------------------------------

server-ce/bin/grunt

@@ -9,6 +9,10 @@ shift 1
 cd /overleaf/services/web
 
 case "$TASK" in
+  user:create)
+    node modules/server-ce-scripts/scripts/create-user "$@"
+    ;;
+
   user:create-admin)
     echo "The grunt command is deprecated, run the create-user script using node instead"
     node modules/server-ce-scripts/scripts/create-user --admin "$@"

server-ce/config/settings.js

@@ -240,6 +240,8 @@ const settings = {
   // cookie with a secure flag (recommended).
   secureCookie: process.env.SHARELATEX_SECURE_COOKIE != null,
 
+  cookieSessionLength: false,
+
   // If you are running ShareLaTeX behind a proxy (like Apache, Nginx, etc)
   // then set this to true to allow it to correctly detect the forwarded IP
   // address and http/https protocol information.

server-ce/nginx/sharelatex.conf

@@ -5,26 +5,34 @@ server {
 	root /overleaf/services/web/public/;
 
 	location / {
-		proxy_pass http://127.0.0.1:3000;
+		if ($request_method = GET) {
+            proxy_pass http://localhost:9000;
+        }
+        if ($request_method != GET) {
+            proxy_pass http://localhost:3000;
+        }
+
 		proxy_http_version 1.1;
 		proxy_set_header Upgrade $http_upgrade;
 		proxy_set_header Connection "upgrade";
 		proxy_set_header Host $host;
 		proxy_set_header X-Forwarded-Host $host;
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_hide_header X-Frame-Options;
 		proxy_read_timeout 10m;
 		proxy_send_timeout 10m;
 	}
 
 	location /socket.io {
-		proxy_pass http://127.0.0.1:3026;
+		proxy_pass http://localhost:3026;
 		proxy_http_version 1.1;
 		proxy_set_header Upgrade $http_upgrade;
 		proxy_set_header Connection "upgrade";
 		proxy_set_header Host $host;
 		proxy_set_header X-Forwarded-Host $host;
 		proxy_set_header X-Forwarded-Proto $scheme;
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_hide_header X-Frame-Options;
 		proxy_read_timeout 10m;
 		proxy_send_timeout 10m;
 	}
@@ -43,22 +51,22 @@ server {
 
   # handle output files for specific users
   location ~ ^/project/([0-9a-f]+)/user/([0-9a-f]+)/build/([0-9a-f-]+)/output/output\.([a-z]+)$ {
-		proxy_pass http://127.0.0.1:8080; # clsi-nginx.conf
+		proxy_pass http://localhost:8080; # clsi-nginx.conf
 		proxy_http_version 1.1;
   }
   # handle output files for anonymous users
   location ~ ^/project/([0-9a-f]+)/build/([0-9a-f-]+)/output/output\.([a-z]+)$ {
-		proxy_pass http://127.0.0.1:8080; # clsi-nginx.conf
+		proxy_pass http://localhost:8080; # clsi-nginx.conf
 		proxy_http_version 1.1;
   }
   # PDF range for specific users
   location ~ ^/project/([0-9a-f]+)/user/([0-9a-f]+)/content/([0-9a-f-]+/[0-9a-f]+)$ {
-		proxy_pass http://127.0.0.1:8080; # clsi-nginx.conf
+		proxy_pass http://localhost:8080; # clsi-nginx.conf
 		proxy_http_version 1.1;
   }
   # PDF range for anonymous users
   location ~ ^/project/([0-9a-f]+)/content/([0-9a-f-]+/[0-9a-f]+)$ {
-		proxy_pass http://127.0.0.1:8080; # clsi-nginx.conf
+		proxy_pass http://localhost:8080; # clsi-nginx.conf
 		proxy_http_version 1.1;
   }
 

server-ce/runit/remote-api-server/run

@@ -0,0 +1,10 @@
+#!/bin/bash
+if [[ $SERVICE_DEBUG_MODE == "true" ]]; then
+  export FLASK_RUN_PORT=8000
+  export FLASK_APP=server
+  export FLASK_ENV=development;
+  export FLASK_DEBUG=1;
+  exec flask run --host=0.0.0.0
+else
+  exec gunicorn -w 4 -b 0.0.0.0:8000 'server:app'
+fi