Merge commit '144a406d332b034caa812ade2629df03ed4898d7' into glitch-soc/merge-upstream

Conflicts:
- `app/views/layouts/application.html.haml`:
  Upstream removed the `crossorigin` attribute from `preload_pack_asset`.
  Glitch-soc had different calls to `preload_pack_asset` because of the
  different theming system.
  Ported the change.
- `app/views/layouts/embedded.html.haml`:
  Upstream removed the `crossorigin` attribute from `preload_pack_asset`.
  Glitch-soc had different calls to `preload_pack_asset` because of the
  different theming system.
  Ported the change.

.github/ISSUE_TEMPLATE/1.bug_report.yml

@@ -1,56 +0,0 @@
-name: Bug Report
-description: If something isn't working as expected
-labels: [bug]
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Make sure that you are submitting a new bug that was not previously reported or already fixed.
-
-        Please use a concise and distinct title for the issue.
-  - type: textarea
-    attributes:
-      label: Steps to reproduce the problem
-      description: What were you trying to do?
-      value: |
-        1.
-        2.
-        3.
-        ...
-    validations:
-      required: true
-  - type: input
-    attributes:
-      label: Expected behaviour
-      description: What should have happened?
-    validations:
-      required: true
-  - type: input
-    attributes:
-      label: Actual behaviour
-      description: What happened?
-    validations:
-      required: true
-  - type: textarea
-    attributes:
-      label: Detailed description
-    validations:
-      required: false
-  - type: textarea
-    attributes:
-      label: Specifications
-      description: |
-        What version or commit hash of Mastodon did you find this bug in?
-
-        If a front-end issue, what browser and operating systems were you using?
-      placeholder: |
-        Mastodon 3.5.3 (or Edge)
-        Ruby 2.7.6 (or v3.1.2)
-        Node.js 16.18.0
-
-        Google Chrome 106.0.5249.119
-        Firefox 105.0.3
-
-        etc...
-    validations:
-      required: true

.github/ISSUE_TEMPLATE/1.web_bug_report.yml

@@ -0,0 +1,76 @@
+name: Bug Report (Web Interface)
+description: If you are using Mastodon's web interface and something is not working as expected
+labels: [bug, 'status/to triage', 'area/web interface']
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Make sure that you are submitting a new bug that was not previously reported or already fixed.
+
+        Please use a concise and distinct title for the issue.
+  - type: textarea
+    attributes:
+      label: Steps to reproduce the problem
+      description: What were you trying to do?
+      value: |
+        1.
+        2.
+        3.
+        ...
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Expected behaviour
+      description: What should have happened?
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Actual behaviour
+      description: What happened?
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Detailed description
+    validations:
+      required: false
+  - type: input
+    attributes:
+      label: Mastodon instance
+      description: The address of the Mastodon instance where you experienced the issue
+      placeholder: mastodon.social
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Mastodon version
+      description: |
+        This is displayed at the bottom of the About page, eg. `v4.1.2+nightly-20230627`
+      placeholder: v4.1.2
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Browser name and version
+      description: |
+        What browser are you using when getting this bug? Please specify the version as well.
+      placeholder: Firefox 105.0.3
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Operating system
+      description: |
+        What OS are you running? Please specify the version as well.
+      placeholder: macOS 13.4.1
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Technical details
+      description: |
+        Any additional technical details you may have. This can include the full error log, inspector's output…
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/2.server_bug_report.yml

@@ -0,0 +1,65 @@
+name: Bug Report (server / API)
+description: |
+  If something is not working as expected, but is not from using the web interface.
+labels: [bug, 'status/to triage']
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Make sure that you are submitting a new bug that was not previously reported or already fixed.
+
+        Please use a concise and distinct title for the issue.
+  - type: textarea
+    attributes:
+      label: Steps to reproduce the problem
+      description: What were you trying to do?
+      value: |
+        1.
+        2.
+        3.
+        ...
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Expected behaviour
+      description: What should have happened?
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Actual behaviour
+      description: What happened?
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Detailed description
+    validations:
+      required: false
+  - type: input
+    attributes:
+      label: Mastodon instance
+      description: The address of the Mastodon instance where you experienced the issue
+      placeholder: mastodon.social
+    validations:
+      required: false
+  - type: input
+    attributes:
+      label: Mastodon version
+      description: |
+        This is displayed at the bottom of the About page, eg. `v4.1.2+nightly-20230627`
+      placeholder: v4.1.2
+    validations:
+      required: false
+  - type: textarea
+    attributes:
+      label: Technical details
+      description: |
+        Any additional technical details you may have, like logs or error traces
+      value: |
+        If this is happening on your own Mastodon server, please fill out those:
+        - Ruby version: (from `ruby --version`, eg. v3.1.2)
+        - Node.js version: (from `node --version`, eg. v18.16.0)
+    validations:
+      required: false

.rubocop_todo.yml

@@ -291,6 +291,7 @@ RSpec/LetSetup:
     - 'spec/controllers/oauth/tokens_controller_spec.rb'
     - 'spec/controllers/settings/imports_controller_spec.rb'
     - 'spec/lib/activitypub/activity/delete_spec.rb'
+    - 'spec/lib/vacuum/applications_vacuum_spec.rb'
     - 'spec/lib/vacuum/preview_cards_vacuum_spec.rb'
     - 'spec/models/account_spec.rb'
     - 'spec/models/account_statuses_cleanup_policy_spec.rb'

app/lib/application_extension.rb

@@ -4,6 +4,8 @@ module ApplicationExtension
   extend ActiveSupport::Concern
 
   included do
+    has_many :created_users, class_name: 'User', foreign_key: 'created_by_application_id', inverse_of: :created_by_application
+
     validates :name, length: { maximum: 60 }
     validates :website, url: true, length: { maximum: 2_000 }, if: :website?
     validates :redirect_uri, length: { maximum: 2_000 }

app/lib/vacuum/applications_vacuum.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+class Vacuum::ApplicationsVacuum
+  def perform
+    Doorkeeper::Application.where(owner_id: nil)
+                           .where.missing(:created_users, :access_tokens, :access_grants)
+                           .where(created_at: ...1.day.ago)
+                           .in_batches.delete_all
+  end
+end

app/models/application_record.rb

@@ -5,7 +5,7 @@ class ApplicationRecord < ActiveRecord::Base
 
   include Remotable
 
-  connects_to database: { writing: :primary, reading: :read }
+  connects_to database: { writing: :primary, reading: ENV['DB_REPLICA_NAME'] || ENV['READ_DATABASE_URL'] ? :read : :primary }
 
   class << self
     def update_index(_type_name, *_args, &_block)

app/views/layouts/application.html.haml

@@ -29,9 +29,9 @@
     = javascript_pack_tag "common", crossorigin: 'anonymous'
     - if @theme
       - if @theme[:supported_locales].include? I18n.locale.to_s
-        = preload_pack_asset "locales/#{@theme[:flavour]}/#{I18n.locale}-json.js", crossorigin: 'anonymous'
+        = preload_pack_asset "locales/#{@theme[:flavour]}/#{I18n.locale}-json.js"
       - elsif @theme[:supported_locales].include? 'en'
-        = preload_pack_asset "locales/#{@theme[:flavour]}/en-json.js", crossorigin: 'anonymous'
+        = preload_pack_asset "locales/#{@theme[:flavour]}/en-json.js"
     = csrf_meta_tags unless skip_csrf_meta_tags?
     %meta{ name: 'style-nonce', content: request.content_security_policy_nonce }
 

app/views/layouts/embedded.html.haml

@@ -15,9 +15,9 @@
     = javascript_pack_tag 'common', crossorigin: 'anonymous'
     - if @theme
       - if @theme[:supported_locales].include? I18n.locale.to_s
-        = preload_pack_asset "locales/#{@theme[:flavour]}/#{I18n.locale}-json.js", crossorigin: 'anonymous'
+        = preload_pack_asset "locales/#{@theme[:flavour]}/#{I18n.locale}-json.js"
       - elsif @theme[:supported_locales].include? 'en'
-        = preload_pack_asset "locales/#{@theme[:flavour]}/en-json.js", crossorigin: 'anonymous'
+        = preload_pack_asset "locales/#{@theme[:flavour]}/en-json.js"
     = render partial: 'layouts/theme', object: @core
     = render partial: 'layouts/theme', object: @theme
 

app/views/media/player.html.haml

@@ -3,9 +3,9 @@
   = javascript_pack_tag 'common', crossorigin: 'anonymous'
   - if @theme
     - if @theme[:supported_locales].include? I18n.locale.to_s
-      = preload_pack_asset "locales/#{@theme[:flavour]}/#{I18n.locale}-json.js", crossorigin: 'anonymous'
+      = preload_pack_asset "locales/#{@theme[:flavour]}/#{I18n.locale}-json.js"
     - elsif @theme[:supported_locales].include? 'en'
-      = preload_pack_asset "locales/#{@theme[:flavour]}/en-json.js", crossorigin: 'anonymous'
+      = preload_pack_asset "locales/#{@theme[:flavour]}/en-json.js"
   = render partial: 'layouts/theme', object: @core
   = render partial: 'layouts/theme', object: @theme
 

app/views/shared/_web_app.html.haml

@@ -1,8 +1,8 @@
 - content_for :header_tags do
   - if user_signed_in?
-    = preload_pack_asset 'features/compose.js', crossorigin: 'anonymous'
-    = preload_pack_asset 'features/home_timeline.js', crossorigin: 'anonymous'
-    = preload_pack_asset 'features/notifications.js', crossorigin: 'anonymous'
+    = preload_pack_asset 'features/compose.js'
+    = preload_pack_asset 'features/home_timeline.js'
+    = preload_pack_asset 'features/notifications.js'
     %meta{ name: 'initialPath', content: request.path }
 
   %meta{ name: 'applicationServerKey', content: Rails.configuration.x.vapid_public_key }

app/workers/scheduler/vacuum_scheduler.rb

@@ -22,6 +22,7 @@ class Scheduler::VacuumScheduler
       preview_cards_vacuum,
       backups_vacuum,
       access_tokens_vacuum,
+      applications_vacuum,
       feeds_vacuum,
       imports_vacuum,
     ]
@@ -55,6 +56,10 @@ class Scheduler::VacuumScheduler
     Vacuum::ImportsVacuum.new
   end
 
+  def applications_vacuum
+    Vacuum::ApplicationsVacuum.new
+  end
+
   def content_retention_policy
     ContentRetentionPolicy.current
   end

config/webpack/shared.js

@@ -60,6 +60,7 @@ module.exports = {
     chunkFilename: 'js/[name]-[chunkhash].chunk.js',
     hotUpdateChunkFilename: 'js/[id]-[hash].hot-update.js',
     hashFunction: 'sha256',
+    crossOriginLoading: 'anonymous',
     path: output.path,
     publicPath: output.publicPath,
   },

lib/webpacker/helper_extensions.rb

@@ -13,7 +13,14 @@ module Webpacker::HelperExtensions
 
   def preload_pack_asset(name, **options)
     src, integrity = current_webpacker_instance.manifest.lookup!(name, with_integrity: true)
-    preload_link_tag(src, options.merge(integrity: integrity))
+
+    # This attribute will only work if the assets are on a different domain.
+    # And Webpack will (correctly) only add it in this case, so we need to conditionally set it here
+    # otherwise the preloaded request and the real request will have different crossorigin values
+    # and the preloaded file wont be loaded
+    crossorigin = 'anonymous' if Rails.configuration.action_controller.asset_host.present?
+
+    preload_link_tag(src, options.merge(integrity: integrity, crossorigin: crossorigin))
   end
 end
 

spec/lib/vacuum/applications_vacuum_spec.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe Vacuum::ApplicationsVacuum do
+  subject { described_class.new }
+
+  describe '#perform' do
+    let!(:app1) { Fabricate(:application, created_at: 1.month.ago) }
+    let!(:app2) { Fabricate(:application, created_at: 1.month.ago) }
+    let!(:app3) { Fabricate(:application, created_at: 1.month.ago) }
+    let!(:app4) { Fabricate(:application, created_at: 1.month.ago, owner: Fabricate(:user)) }
+    let!(:app5) { Fabricate(:application, created_at: 1.month.ago) }
+    let!(:app6) { Fabricate(:application, created_at: 1.hour.ago) }
+
+    let!(:active_access_token) { Fabricate(:access_token, application: app1) }
+    let!(:active_access_grant) { Fabricate(:access_grant, application: app2) }
+    let!(:user) { Fabricate(:user, created_by_application: app3) }
+
+    before do
+      subject.perform
+    end
+
+    it 'does not delete applications with valid access tokens' do
+      expect { app1.reload }.to_not raise_error
+    end
+
+    it 'does not delete applications with valid access grants' do
+      expect { app2.reload }.to_not raise_error
+    end
+
+    it 'does not delete applications that were used to create users' do
+      expect { app3.reload }.to_not raise_error
+    end
+
+    it 'does not delete owned applications' do
+      expect { app4.reload }.to_not raise_error
+    end
+
+    it 'does not delete applications registered less than a day ago' do
+      expect { app6.reload }.to_not raise_error
+    end
+
+    it 'deletes unused applications' do
+      expect { app5.reload }.to raise_error ActiveRecord::RecordNotFound
+    end
+  end
+end