Commit Graph

772 Commits

Author SHA1 Message Date
Claire b21f3aa21d
Minor memory optimizations (#16507)
Reduce constant memory usage by ~100kB and further reduce boot-up memory
allocations and temporary memory use by a further ~200kB.
2021-10-14 21:04:57 +02:00
Claire 463d23dfd5 Merge branch 'main' into glitch-soc/merge-upstream 2021-08-27 11:29:03 +02:00
Daniel 2ed1c92c63
New env variable: CAS_SECURITY_ASSUME_EMAIL_IS_VERIFIED (#16655)
When using a CAS server, the users only have a temporary email
`change@me-foo-cas.com` which can't be changed but by an
administrator.

We need a new environment variable like for SAML to assume the email
from CAS is verified.

* config/initializers/omniauth.rb: define CAS option for assuming
  email are always verified.
* .env.nanobox: add new variable as an example.
2021-08-25 18:41:24 +02:00
Claire d1c87be8cf Merge branch 'main' into glitch-soc/merge-upstream 2021-07-17 17:45:35 +02:00
Claire 211d5c3c30
Fix inefficiencies in auto-linking code (#16506)
The auto-linking code basically rewrote the whole string escaping non-ascii
characters in an inefficient way, and building a full character offset map
between the unescaped and escaped texts before sending the contents to
TwitterText's extractor.

Instead of doing that, this commit changes the TwitterText regexps to include
valid IRI characters in addition to valid URI characters.
2021-07-15 15:56:58 +02:00
Claire 10a31a934f Merge branch 'main' into glitch-soc/merge-upstream
Conflicts:
- `README.md`:
  Upstream's README got updated, but we have a completely different one.
  Kept ours.
2021-05-27 17:58:44 +02:00
Claire b715cede4d
Fix mailer jobs for deleted notifications erroring out (#16294)
Fixes an oversight in the Rails 6 migration
2021-05-24 03:02:46 +02:00
Claire f3d96d4ecb Merge branch 'main' into glitch-soc/merge-upstream 2021-05-18 09:40:17 +02:00
Claire 97539b6a96
Fix host check on healthcheck path not being disabled (#16270)
Fixes #16251

There was a typo in #16243
2021-05-17 22:36:08 +02:00
Claire 69737b703a Merge branch 'main' into glitch-soc/merge-upstream
Conflicts:
- `README.md`: our READMEs are entirely different and
  upstream's has been updated. Kept our README.
2021-05-17 10:30:34 +02:00
Jeong Arm f09322f9cc
Disable host check on healthcheck path (#16243) 2021-05-16 19:48:59 +02:00
Claire 87c3a0d0b3 Merge branch 'main' into glitch-soc/merge-upstream 2021-05-09 10:41:28 +02:00
Takeshi Umeda 9b18914c35
Add a Redis environment variable for sidekiq (#16188) 2021-05-09 10:40:17 +02:00
Claire 50b430d9a2 Merge branch 'main' into glitch-soc/merge-upstream
- `app/views/statuses/_simple_status.html.haml`:
  Small markup change in glitch-soc, on a line that has been modified by
  upstream. Ported upstream changes.
2021-05-07 18:21:59 +02:00
Claire 566fc90913
Add Ruby 3.0 support (#16046)
* Fix issues with POSIX::Spawn, Terrapin and Ruby 3.0

Also improve the Terrapin monkey-patch for the stderr/stdout issue.

* Fix keyword argument handling throughout the codebase

* Monkey-patch Paperclip to fix keyword arguments handling in validators

* Change validation_extensions to please CodeClimate

* Bump microformats from 4.2.1 to 4.3.1

* Allow Ruby 3.0

* Add Ruby 3.0 test target to CircleCI

* Add test for admin dashboard warnings

* Fix admin dashboard warnings on Ruby 3.0
2021-05-06 14:22:54 +02:00
Takeshi Umeda 2360191434
Fix guard against DNS rebinding attacks (#16095) 2021-04-22 20:33:36 +02:00
Takeshi Umeda 8323023464
Add guard against DNS rebinding attacks (#16087)
* Add guard against DNS rebinding attacks

* Fix not to apply to test environment
2021-04-21 17:45:58 +02:00
Claire e2a2bc9021 Merge branch 'main' into glitch-soc/merge-upstream
Conflicts:
- `README.md`:
  Upstream updated copyright year, we don't mention it so kept our version.
- `app/controllers/admin/dashboard_controller.rb`:
  Not really a conflict, upstream change (removing the spam checker) too close
  to glitch-soc changes. Ported upstream changes.
- `app/models/form/admin_settings.rb`:
  Same.
- `app/services/remove_status_service.rb`:
  Same.
- `app/views/admin/settings/edit.html.haml`:
  Same.
- `config/settings.yml`:
  Same.
- `config/environments/production.rb`:
  Not a real conflict, upstream added a default HTTP header, but we have
  extra headers in glitch-soc.
  Added the header.
2021-04-20 12:17:14 +02:00
Eugen Rochko 3b8d085436
Fix app name, website and redirect URIs not having a maximum length (#16042)
Fix app scopes not being validated
2021-04-15 16:28:43 +02:00
Eugen Rochko 3f2533ca8e
Fix autoloading deprecation warnings from Rails 6 (#16010) 2021-04-09 02:31:20 +02:00
Claire c901ae77d4 Merge branch 'main' into glitch-soc/merge-upstream 2021-04-05 14:31:07 +02:00
Eugen Rochko 82cce18227
Change health check (#15988) 2021-04-03 02:39:04 +02:00
Claire 9541605024 Fix ActiveRecord monkey-patching migration hack 2021-03-24 10:55:02 +01:00
Claire f60c99a8fb Merge branch 'main' into glitch-soc/merge-upstream 2021-03-24 10:53:50 +01:00
Claire cbd0ee1d07
Update Mastodon to Rails 6.1 (#15910)
* Update devise-two-factor to unreleased fork for Rails 6 support

Update tests to match new `rotp` version.

* Update nsa gem to unreleased fork for Rails 6 support

* Update rails to 6.1.3 and rails-i18n to 6.0

* Update to unreleased fork of pluck_each for Ruby 6 support

* Run "rails app:update"

* Add missing ActiveStorage config file

* Use config.ssl_options instead of removed ApplicationController#force_ssl

Disabled force_ssl-related tests as they do not seem to be easily testable
anymore.

* Fix nonce directives by removing Rails 5 specific monkey-patching

* Fix fixture_file_upload deprecation warning

* Fix yield-based test failing with Rails 6

* Use Rails 6's index_with when possible

* Use ActiveRecord::Cache::Store#delete_multi from Rails 6

This will yield better performances when deleting an account

* Disable Rails 6.1's automatic preload link headers

Since Rails 6.1, ActionView adds preload links for javascript files
in the Links header per default.

In our case, that will bloat headers too much and potentially cause
issues with reverse proxies. Furhermore, we don't need those links,
as we already output them as HTML link tags.

* Switch to Rails 6.0 default config

* Switch to Rails 6.1 default config

* Do not include autoload paths in the load path
2021-03-24 10:44:31 +01:00
Claire 3ad6ef72cb Merge branch 'main' into glitch-soc/merge-upstream 2021-03-19 13:57:15 +01:00
Claire a4dcaef53b
Prepare Mastodon for zeitwerk autoloader (#15917)
* Prepare Mastodon for zeitwerk autoloader (Rails 6)

Add inflections and rename/move a few classes.

In particular, app/lib/exceptions.rb and app/lib/sanitize_config.rb
were manually loaded while still in autoload paths.

* Add inflection for Url → URL
2021-03-19 02:42:43 +01:00
Claire 43eff898a0
Prepare Mastodon for Rails 6 (#15911)
* Fix misuse of foreign_type

* Fix use of removed "add_template_helper"

* Use response.media_type instead of response.content_type in tests

* Fix CSV export controller test on Rails 6

Rails 6 sets a "filename*" field in the Content-Disposition header to
explicitly encode the filename as UTF-8.

This changes checks the first part of the Content-Disposition header so
it matches in both Rails 5 and Rails 6.

* Fix emoji formatting with Rails 6

* Make emoji output more idiomatic and robust

* Switch from redis-rails gem to built-in Rails redis cache storage
2021-03-17 10:09:55 +01:00
Claire eac4a3e9c8 Merge branch 'main' into glitch-soc/merge-upstream 2021-03-15 11:26:59 +01:00
Eugen Rochko e89e976e92
Fix configuration for sidekiq-unique-jobs after 7.x upgrade (#15908)
Remove locks from scheduled jobs
2021-03-15 11:17:43 +01:00
Claire d8fdbb054e Merge branch 'main' into glitch-soc/merge-upstream
Conflicts:
- `app/validators/status_length_validator.rb`:
  Upstream changes too close to glitch-soc MAX_CHARS changes, but not a real
  conflict.
  Applied upstream changes.
- `package.json`:
  glitch-soc-only dependency textually too close to a dependency updated
  upstream, not a real conflict.
  Applied upstream changes.
2021-03-02 12:06:58 +01:00
Claire 65db262550
Update twitter-text from 1.14 to 3.1.0 and fix toot character counting (#15382)
* Update twitter-text from 1.14 to 3.1.0

* Disable emoji parsing

* Properly depend on twitter-text for url detection

* Fix some URLs being wrongly detected client-side

* Add test for server-side validation of non-autolinkable URLs

* Fix server-side status length counting
2021-03-02 12:02:56 +01:00
Eugen Rochko ee1119208c
Add `POST /api/v1/emails/confirmations` to REST API (#15816)
Only available to the application the user originally signed-up with
2021-03-01 18:39:47 +01:00
Claire 679642e26c Merge branch 'main' into glitch-soc/merge-upstream 2021-02-22 15:23:46 +01:00
Shlee ab9c2ed98d
Delete pagination.rb (#15754) 2021-02-19 09:52:58 +01:00
Claire 21fb3f3684
Drop dependency on secure_headers, fix response headers (#15712)
* Drop dependency on secure_headers, use always_write_cookie instead

* Fix cookies in Tor Hidden Services by moving configuration to application.rb

* Instead of setting always_write_cookie at boot, monkey-patch ActionDispatch
2021-02-11 23:47:05 +01:00
Cecylia Bocovich e79f8dd85c
Onion service related changes to HTTPS handling (#15560)
* Enable secure cookie flag for https only

* Disable force_ssl for .onion hosts only

Co-authored-by: Aiden McClelland <me@drbonez.dev>
2021-02-11 04:40:13 +01:00
Claire 4d40685850 Merge branch 'main' into glitch-soc/merge-upstream 2021-02-03 17:02:48 +01:00
Shubhendra Singh Chauhan c8d11b8bdb
Fixed code quality issues (#15541)
* Added .deepsource.toml

* Removed bad use of `alias`

* Fixed operand order in the binary expression

* Prefixed unused method arguments with an underscore

* Replaced the old OpenSSL algorithmic constants with the newer strings initializers.

* Removed unnecessary UTF-8 encoding comment
2021-01-31 21:26:09 +01:00
Claire b81710c02c Merge branch 'main' into glitch-soc/merge-upstream
Conflicts:
- `CONTRIBUTING.md`:
  Not a real conflict, glitch-soc quotes the upstream file, which has been
  changed. Update the quote.
2021-01-26 14:01:30 +01:00
luigi eb51e43fb4
Optimize some regex matching (#15528)
* Use Regex#match?

* Replace =~ too

* Avoid to call match? from Nil

* Keep value of Regexp.last_match
2021-01-22 10:09:08 +01:00
Claire 33d30632fb Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- `app/models/public_feed.rb`:
  Upstream refactored a bit, glitch-soc had specific code for local-only
  statuses.
  Updated glitch-soc's specific code accordingly.
2021-01-11 11:55:42 +01:00
kaiyou f47c177eb7
Support clock drift in Omniauth SAML provider (#15511)
The setting is not well documented by the provider, but allows for
clock skew between SP and IDP, see:
https://github.com/omniauth/omniauth-saml/blob/master/spec/omniauth/strategies/saml_spec.rb

Co-authored-by: kaiyou <dev@kaiyou.fr>
2021-01-08 07:07:08 +01:00
Claire 537afa00f3 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- `app/lib/feed_manager.rb`:
  Not a real conflict, glitch-soc-only DM-related method
  too close to changed upstream stuff.
  Ported upstream changes.
- `app/services/batched_remove_status_service.rb`:
  Additional logic in glitch-soc to clear DMs from timelines.
  Ported upstream changes and fixed the DM TL clearing logic.
- `app/workers/scheduler/feed_cleanup_scheduler.rb`:
  Additional code in glitch-soc to clear DM timelines.
  Ported upstream changes.
2020-12-23 01:47:45 +01:00
Eugen Rochko 9915d11c0d
Fix unnecessary queries when batch-removing statuses, 100x faster (#15387) 2020-12-22 17:13:55 +01:00
Claire e4f8679eae Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- `app/models/form/admin_settings.rb`:
  New setting added upstream. Ported it.
- `app/views/statuses/_simple_status.html.haml`:
  Upstream removed RTL classes. Did the same.
- `config/settings.yml`:
  New setting added upstream. Ported it.
2020-12-15 14:27:06 +01:00
Eugen Rochko 1045549f85
Add stoplight for object storage failures, return HTTP 503 (#13043) 2020-12-15 12:55:29 +01:00
Thibaut Girka 48f0f3ffee Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- `.github/ISSUE_TEMPLATE/bug_report.md`:
  Upstream added the `bug` label to bug reports.
  Did the same.
- `app/services/fan_out_on_write_service.rb`:
  Upstream put DMs back into timelines, glitch-soc was already doing it.
  Ignored upstream changes.
2020-11-20 13:27:48 +01:00
Eugen Rochko df1653174b
Add cache buster feature for media files (#15155)
Nginx can be configured to bypass proxy cache when a special header
is in the request. If the response is cacheable, it will replace
the cache for that request. Proxy caching of media files is
desirable when using object storage as a way of minimizing bandwidth
costs, but has the drawback of leaving deleted media files for
a configured amount of cache time. A cache buster can make those
media files immediately unavailable. This especially makes sense
when suspending and unsuspending an account.
2020-11-19 17:38:06 +01:00
Thibaut Girka 412218af2e Merge branch 'master' into glitch-soc/merge-upstream 2020-11-07 18:23:02 +01:00
Eugen Rochko acc1c03861
Fix cookies not having a SameSite attribute (#15098) 2020-11-06 11:57:14 +01:00
Thibaut Girka ec49aa8175 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- `.github/dependabot.yml`:
  Updated upstream, we deleted it to not be flooded by Depandabot.
  Kept deleted.
- `Gemfile.lock`:
  Puma updated on both sides, went for the most recent version.
- `app/controllers/api/v1/mutes_controller.rb`:
  Upstream updated the serializer to support timed mutes, while
  glitch-soc added a custom API ages ago to get information that
  is already available elsewhere.
  Dropped the glitch-soc-specific API, went with upstream changes.
- `app/javascript/core/admin.js`:
  Conflict due to changing how assets are loaded. Went with upstream.
- `app/javascript/packs/public.js`:
  Conflict due to changing how assets are loaded. Went with upstream.
- `app/models/mute.rb`:
  🤷
- `app/models/user.rb`:
  New user setting added upstream while we have glitch-soc-specific
  user settings. Added upstream's user setting.
- `config/settings.yml`:
  Upstream added a new user setting close to a user setting we had
  changed the defaults for. Added the new upstream setting.
- `package.json`:
  Upstream dependency updated “too close” to a glitch-soc-specific
  dependency. No real conflict. Updated the dependency.
2020-10-21 19:10:50 +02:00
Josh Leeb-du Toit 0c24f4dce2
Add support for Gemini urls (#15013)
This PR updates the `valid_url` regex and sanitizer allowlist to provide
support for Gemini urls.

Closes #14991
2020-10-19 17:02:13 +02:00
Eugen Rochko 5e1364c448
Add IP-based rules (#14963) 2020-10-12 16:33:49 +02:00
tateisu 7919418e4c
add S3_READ_TIMEOUT environment variable (#14952) 2020-10-06 21:29:22 +02:00
Thibaut Girka 8c3c27bf06 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- `app/controllers/accounts_controller.rb`:
  Upstream change too close to a glitch-soc change related to
  instance-local toots. Merged upstream changes.
- `app/services/fan_out_on_write_service.rb`:
  Minor conflict due to glitch-soc's handling of Direct Messages,
  merged upstream changes.
- `yarn.lock`:
  Not really a conflict, caused by glitch-soc-only dependencies
  being textually too close to updated upstream dependencies.
  Merged upstream changes.
2020-08-30 16:13:08 +02:00
santiagorodriguez96 e8d41bc2fe
Add WebAuthn as an alternative 2FA method (#14466)
* feat: add possibility of adding WebAuthn security keys to use as 2FA

This adds a basic UI for enabling WebAuthn 2FA. We did a little refactor
to the Settings page for editing the 2FA methods – now it will list the
methods that are available to the user (TOTP and WebAuthn) and from
there they'll be able to add or remove any of them.
Also, it's worth mentioning that for enabling WebAuthn it's required to
have TOTP enabled, so the first time that you go to the 2FA Settings
page, you'll be asked to set it up.
This work was inspired by the one donde by Github in their platform, and
despite it could be approached in different ways, we decided to go with
this one given that we feel that this gives a great UX.

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>

* feat: add request for WebAuthn as second factor at login if enabled

This commits adds the feature for using WebAuthn as a second factor for
login when enabled.
If users have WebAuthn enabled, now a page requesting for the use of a
WebAuthn credential for log in will appear, although a link redirecting
to the old page for logging in using a two-factor code will also be
present.

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>

* feat: add possibility of deleting WebAuthn Credentials

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>

* feat: disable WebAuthn when an Admin disables 2FA for a user

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>

* feat: remove ability to disable TOTP leaving only WebAuthn as 2FA

Following examples form other platforms like Github, we decided to make
Webauthn 2FA secondary to 2FA with TOTP, so that we removed the
possibility of removing TOTP authentication only, leaving users with
just WEbAuthn as 2FA. Instead, users will have to click on 'Disable 2FA'
in order to remove second factor auth.
The reason for WebAuthn being secondary to TOPT is that in that way,
users will still be able to log in using their code from their phone's
application if they don't have their security keys with them – or maybe
even lost them.

* We had to change a little the flow for setting up TOTP, given that now
  it's possible to setting up again if you already had TOTP, in order to
  let users modify their authenticator app – given that now it's not
  possible for them to disable TOTP and set it up again with another
  authenticator app.
  So, basically, now instead of storing the new `otp_secret` in the
  user, we store it in the session until the process of set up is
  finished.
  This was because, as it was before, when users clicked on 'Edit' in
  the new two-factor methods lists page, but then went back without
  finishing the flow, their `otp_secret` had been changed therefore
  invalidating their previous authenticator app, making them unable to
  log in again using TOTP.

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>

* refactor: fix eslint errors

The PR build was failing given that linting returning some errors.
This commit attempts to fix them.

* refactor: normalize i18n translations

The build was failing given that i18n translations files were not
normalized.
This commits fixes that.

* refactor: avoid having the webauthn gem locked to a specific version

* refactor: use symbols for routes without '/'

* refactor: avoid sending webauthn disabled email when 2FA is disabled

When an admins disable 2FA for users, we were sending two mails
to them, one notifying that 2FA was disabled and the other to notify
that WebAuthn was disabled.
As the second one is redundant since the first email includes it, we can
remove it and send just one email to users.

* refactor: avoid creating new env variable for webauthn_origin config

* refactor: improve flash error messages for webauthn pages

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>
2020-08-24 16:46:27 +02:00
Thibaut Girka e9ad99bc93 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- `package.json`:
  Not really a conflict, just some glitch-soc-specific dependency
  too close to an upstream-updated one.
2020-07-07 15:58:45 +02:00
Eugen Rochko 81a3db1564
Change rate limits for various paths (#14253)
- Rate limit login attempts by target account
- Rate limit password resets and e-mail re-confirmations by target account
- Rate limit sign-up/login attempts, password resets, and e-mail re-confirmations by IP like before
2020-07-07 15:26:39 +02:00
ThibG a783bdf4ad
Fix hashtag column options styling (#14247)
* Enable nonces for stylesheets

* Pass nonce to react-select
2020-07-07 01:33:38 +02:00
Thibaut Girka 45deca65b3 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- `app/javascript/packs/public.js`:
  Conflict because part of that file has been split to
  `app/javascript/core/settings.js`. Ported those changes
  there.
2020-07-01 19:23:14 +02:00
Eugen Rochko 6d23d40420
Change Redis#exists calls to Redis#exists? to avoid deprecation warning (#14191) 2020-07-01 19:05:21 +02:00
Eugen Rochko 7aaf2b44ec
Fix remote files not using Content-Type header, streaming (#14184) 2020-06-30 23:58:02 +02:00
Thibaut Girka 9c3b9d5ab9 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- `.env.production.sample`:
  Upstream deleted it, I decided to keep it.
- `package.json`:
  Upstream updated a dependency textually too close to wavesurfer.js
  which has been deleted from upstream but is kept in glitch-soc for now.
2020-06-30 23:00:20 +02:00
Eugen Rochko 8c04e37b03
Remove the terms blacklist and whitelist from UX (#14149)
Localization strings:

- "Whitelist mode" -> "Limited federation mode"
- "Blacklist e-mail domain" -> "Block e-mail domain"
- "Whitelist domain" -> "Allow domain for federation"

...And so on

Environment variables (backwards-compatible):

- `WHITELIST_MODE` -> `LIMITED_FEDERATION_MODE`
- `EMAIL_DOMAIN_BLACKLIST` -> `EMAIL_DOMAIN_DENYLIST`
- `EMAIL_DOMAIN_WHITELIST` -> `EMAIL_DOMAIN_ALLOWLIST`

tootctl:

- `tootctl domains purge --whitelist-mode` -> `tootctl domains purge --limited-federation-mode`

Removed badly maintained and no longer relevant .env.production.sample file
2020-06-27 20:20:11 +02:00
Thibaut Girka 59e92004b3 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- `Gemfile.lock`: not a real conflict, upstream update too close
  to a glitch-soc-specific dependency
2020-06-17 17:10:15 +02:00
mayaeh f56129a947
Suppress Redis#exists(key) warning (#14067) 2020-06-17 10:31:31 +02:00
Thibaut Girka 12c8ac9e14 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- `app/controllers/activitypub/collections_controller.rb`:
  Conflict due to glitch-soc having to take care of local-only
  pinned toots in that controller.
  Took upstream's changes and restored the local-only special
  handling.
- `app/controllers/auth/sessions_controller.rb`:
  Minor conflicts due to the theming system, applied upstream
  changes, adapted the following two files for glitch-soc's
  theming system:
  - `app/controllers/concerns/sign_in_token_authentication_concern.rb`
  - `app/controllers/concerns/two_factor_authentication_concern.rb`
- `app/services/backup_service.rb`:
  Minor conflict due to glitch-soc having to handle local-only
  toots specially. Applied upstream changes and restored
  the local-only special handling.
- `app/views/admin/custom_emojis/index.html.haml`:
  Minor conflict due to the theming system.
- `package.json`:
  Upstream dependency updated, too close to a glitch-soc-only
  dependency in the file.
- `yarn.lock`:
  Upstream dependency updated, too close to a glitch-soc-only
  dependency in the file.
2020-06-09 10:39:20 +02:00
Eugen Rochko 5d8398c8b8
Add E2EE API (#13820) 2020-06-02 19:24:53 +02:00
Thibaut Girka 041c769182 Move glitch-specific ruby-side locales to their own files 2020-05-30 12:54:17 +02:00
Thibaut Girka ef6bfaf12e Merge branch 'master' into glitch-soc/merge-upstream 2020-05-28 13:44:57 +02:00
Takeshi Umeda 8e056bd82e
Fix csv upload (#13835) 2020-05-24 09:15:23 +02:00
Takeshi Umeda 1c434615b3
Fix workaround for Elasticsearch 7.x (#13828) 2020-05-23 05:48:14 +02:00
Thibaut Girka 4a70792b4a Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- `Gemfile.lock`:
  Not a real conflict, just a glitch-soc-only dependency too close to a
  dependency that got updated upstream. Updated as well.
- `app/models/status.rb`:
  Not a real conflict, just a change too close to glitch-soc-changed code
  for optionally showing boosts in public timelines.
  Applied upstream changes.
- `app/views/layouts/application.html.haml`:
  Upstream a new, static CSS file, conflict due to glitch-soc's theming
  system, include the file regardless of the theme.
- `config/initializers/content_security_policy.rb`:
  Upstream dropped 'unsafe-inline' from the 'style-src' directive, but
  both files are very different. Removed 'unsafe-inline' as well.
2020-05-10 16:19:56 +02:00
Eugen Rochko 4b766f9846
Refactor monkey-patching of Goldfinger (#12561) 2020-05-10 11:41:43 +02:00
ThibG 34756cc4e0
Fix "tootctl media remove-orphans" crashing on “Import” files (#13685)
* Fix "tootctl media remove-orphans" crashing on “Import” files

* Also remove empty directories when removing orphaned media
2020-05-09 21:06:55 +02:00
ThibG e1629a7758
Remove 'unsafe-inline' from Content-Security-Policy style-src (#13679)
* Make sure wicg-inert doesn't rely on inline CSS

* Remove unsafe-inline from style-src
2020-05-08 21:22:57 +02:00
ThibG dea5db0e25
Fix PgHero Content-Security-Policy when CDN_HOST is used (#13595) 2020-05-04 13:52:41 +02:00
Thibaut Girka a22e6a3683 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- `app/controllers/statuses_controller.rb`:
  Upstream disabled the embed controller for reblogs.
  Not a real conflict, but glitch-soc has an extra line to deal
  with its theming system.
  Ported upstream changes.
- `app/javascript/packs/public.js`:
  Upstream made changes to get rid of most inline CSS, this changes
  javascript for public pages, which in glitch are split between
  different files. Ported those changes.
- `app/models/status.rb`:
  Upstream changed the block check in `Status#permitted_for` to
  include domain-block checks. Not a real conflict with glitch-soc,
  but our scope is slightly different, as our scope for
  unauthenticated access do not include instance-local toots.
  Ported upstream changes.
- `app/serializers/rest/instance_serializer.rb`:
  Not a real conflict, upstream added a new field to the instance
  serializer, the conflict is one line above since we added more of
  that.
  Ported upstream changes.
- `app/views/settings/profiles/show.html.haml`:
  Upstream got rid of most inline CSS and moved hidden elements
  to data attributes in the process, in fields were we have
  different values.
  Ported upstream changes while keeping our glitch-specific
  values.
- `app/views/statuses/_simple_status.html.haml`:
  Upstream got rid of inline CSS on an HAML line we treat
  differently, stripping empty text nodes.
  Ported upstream changes to the style attribute, keeping
  the empty text node stripping behavior.
2020-05-03 21:23:49 +02:00
mayaeh acc367fd14
Fix naming issue (#13551) 2020-04-27 10:32:05 +02:00
Eugen Rochko c3ca3801f2
Add separate cache directory for non-local uploads (#12821) 2020-04-26 23:29:08 +02:00
Thibaut Girka 81e49ba5c6 Merge branch 'master' into glitch-soc/merge-upstream 2020-04-17 20:16:24 +02:00
Eugen Rochko d18d6c29f3
Fix search not working due to proxy settings when using hidden services (#13488)
Fix #13484
2020-04-17 15:14:24 +02:00
Thibaut Girka 8fef96cbf5 Merge branch 'master' into glitch-soc/merge-upstream 2020-04-04 21:47:37 +02:00
Eugen Rochko f65568f1d4
Add ability to filter audit log in admin UI (#13381) 2020-04-03 13:06:34 +02:00
Thibaut Girka f3eff922a3 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- `app/javascript/mastodon/features/compose/components/poll_form.js`:
  Upstream bumped poll option character limit, but we already had
  a higher one, kept ours.
- `app/validators/poll_validator.rb`:
  Upstream bumped poll option character limit, but we already had
  a higher one, kept ours.
- `config/initializers/content_security_policy.rb`:
  Upstream added a rule, the way we compute ours is different, but
  that added rule has been ported.
- `package.json`:
  No real conflict, dependency update. Performed the same update.
- `yarn.lock`:
  No real conflict, dependency update. Performed the same update.
2020-04-02 20:32:00 +02:00
Eugen Rochko 9014367bd8
Fix background jobs not using locks like they are supposed to (#13361)
Also:

- Fix locks not being removed when jobs go to the dead job queue
- Add UI for managing locks to the Sidekiq dashboard
- Remove unused Sidekiq workers

Fix #13349
2020-03-31 21:59:03 +02:00
Eugen Rochko 9241cbf861
Fix re-sending of e-mail confirmation not being rate limited (#13360)
Fix #13330
2020-03-31 18:20:48 +02:00
ThibG 7ddbbdea6d
Fix OCR not working on Safari because of unsupported worker-src CSP (#13323)
Fixes #13321
2020-03-27 22:35:57 +01:00
Thibaut Girka 9abb227250 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- `README.md`:
  Our README.md files are completely different. Discarded upstream changes.
- `app/javascript/core/admin.js`:
  Updating rails-ujs, no real conflict, but a comment to close to changed
  code. Various glitch-soc-only files have been updated to match those changes,
  though.
- `package.json`:
  No real conflict, just an additional dependency in glitch-soc that was too
  close to something updated upstream. Took upstream's changes.
2020-03-22 16:10:44 +01:00
dependabot-preview[bot] 56531d646e
Bump sidekiq from 5.2.7 to 6.0.4 (#11727)
* Bump sidekiq from 5.2.7 to 6.0.0

Bumps [sidekiq](https://github.com/mperham/sidekiq) from 5.2.7 to 6.0.0.
- [Release notes](https://github.com/mperham/sidekiq/releases)
- [Changelog](https://github.com/mperham/sidekiq/blob/master/Changes.md)
- [Commits](https://github.com/mperham/sidekiq/compare/v5.2.7...v6.0.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Sidekiq::Logger.logger -> Sidekiq.logger

* Drop support Ruby 2.4

* update

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Yamagishi Kazutoshi <ykzts@desire.sh>
2020-03-21 12:04:54 +09:00
Thibaut Girka c790ecb14d Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- `app/controllers/api/v1/statuses_controller.rb`:
  Conflict due to upstream adding a new parameter (with_rate_limit),
  too close to glitch-soc's own additional parameter (content_type).
  Added upstream's parameter.
- `app/services/post_status_service.rb`:
  Conflict due to upstream adding a new parameter (rate_limit),
  too close to glitch-soc's own additional parameter (content_type).
  Added upstream's parameter.
- `app/views/settings/preferences/appearance/show.html.haml`:
  Conflict due to us not exposing theme settings here (as we have
  a different flavour/skin menu).
  Took upstream change, while still not exposing theme settings.
- `config/webpack/shared.js`:
  Coding style fixes for a part we have rewritten.
  Discarded upstream changes.
2020-03-08 19:38:53 +01:00
Eugen Rochko 339ce1c4e9
Add specific rate limits for posting and following (#13172) 2020-03-08 15:17:39 +01:00
Thibaut Girka 2edf317efc Fix ActiveRecord::Migration.check_pending! failing because of duplicate migrations 2020-02-10 20:04:41 +01:00
Thibaut Girka ccaefd139d Add environment variable to specify extra data hosts
Fixes #1276
2020-02-06 12:15:15 +01:00
Thibaut Girka 9adeaf2bfc Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- `app/controllers/statuses_controller.rb`:
  Minor conflict due to theming system
2020-01-24 14:37:06 +01:00
Eugen Rochko f52c988e12
Add announcements (#12662)
* Add announcements

Fix #11006

* Add reactions to announcements

* Add admin UI for announcements

* Add unit tests

* Fix issues

- Add `with_dismissed` param to announcements API
- Fix end date not being formatted when time range is given
- Fix announcement delete causing reactions to send streaming updates
- Fix announcements container growing too wide and mascot too small
- Fix `all_day` being settable when no time range is given
- Change text "Update" to "Announcement"

* Fix scheduler unpublishing announcements before they are due

* Fix filter params not being passed to announcements filter
2020-01-23 22:00:13 +01:00
ThibG a8e46cf7a1 Add support for magnet: URIs (#12905) 2020-01-23 21:27:26 +01:00
Thibaut Girka 980c004f06 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- `Gemfile.lock`:
  No real conflict, glitch-soc-only dependency (redcarpet) too close to an
  upstream one (rdf-normalize)
- `README.md`:
  we have different READMEs, discarded upstream's changes
- `app/views/admin/custom_emojis/index.html.haml`:
  No real conflict, different context because of glitch-soc theming
- `lib/mastodon/statuses_cli.rb`:
  Upstream added code to keep bookmarked statuses, we were already doing so
  with slightly different code. Discarded upstream's changes.
- `package.json`:
  No real conflict, glitch-soc-only dependency (favico.js) too close to
  an upstream one
2020-01-12 15:57:34 +01:00
ThibG ea436b355b Add support for linking XMPP URIs in toots (#12709)
* Fix wrong grouping in Twitter valid_url regex

* Add support for xmpp URIs

Fixes #9776

The difficult part is autolinking, because Twitter-text's extractor does
some pretty ad-hoc stuff to find things that “look like” URLs, and XMPP
URIs do not really match the assumptions of that lib, so it doesn't sound
wise to try to shoehorn it into the existing regex.

This is why I used a specific regex (very close, although slightly more
permissive than the RFC), and a specific scan function (a simplified version
of the generalized one from Twitter).

* Remove leading “xmpp:” from auto-linked text
2020-01-11 02:15:25 +01:00
Thibaut Girka 01eaeab56d Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- `app/controllers/application_controller.rb`:
  Conflict due to theming system.
- `app/controllers/oauth/authorizations_controller.rb`:
  Conflict due to theming system.
2020-01-04 23:04:42 +01:00
Eugen Rochko 49b2f7c0a2
Fix base64-encoded file uploads not being possible (#12748)
Fix #3804, Fix #5776
2020-01-04 01:54:07 +01:00
Eugen Rochko 59c697a30c
Fix resource_owner_from_credentials in Doorkeeper initializer (#12743)
- Nil error when e-mail not found
- LDAP authentication used in place of PAM authentication
2020-01-03 05:35:46 +01:00
Eugen Rochko 09d54d1f62
Fix uncaught query param encoding errors (#12741) 2020-01-02 17:14:58 +01:00
Thibaut Girka be4849c083 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- app/controllers/application_controller.rb
  Minor conflict due to glitch-soc's theming system
2019-12-12 15:40:06 +01:00
Eugen Rochko 17159625b3
Add `S3_OVERRIDE_PATH_STYLE` environment variable (#12594)
To support Exoscale
2019-12-10 07:40:01 +01:00
Eugen Rochko f3d232381d
Add `tootctl media remove-orphans` (#12568) 2019-12-08 15:37:12 +01:00
Thibaut Girka abcba5c198 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- package.json
  Not really a conflict, caused by an additional dependency in glitch-soc.
- yarn.lock
  Not really a conflict, caused by an additional dependency in glitch-soc.
2019-12-07 12:28:59 +01:00
tateisu f1ef777d40 add S3_OPEN_TIMEOUT environment variable (#12459) 2019-12-02 21:05:27 +01:00
Mathieu Brunot bd8dc9bd0c Add an LDAP Mail attribute config (#12053)
Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io>
2019-12-01 18:52:21 +01:00
Thibaut Girka 99f1f48741 Merge branch 'master' into glitch-soc/merge-upstream 2019-12-01 12:12:42 +01:00
Mathieu Brunot d70268f099 Convert LDAP username (#12461)
*  Convert LDAP username #12021

Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io>

* 🐛 Fix conversion var use

Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io>

* 🐛 Fix LDAP uid conversion test

Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io>

* 👌 Remove comments with ref to PR

Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io>

* 👌 Remove unnecessary paranthesis

Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io>

* 🔧 Move space in conversion string

Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io>
2019-12-01 07:21:28 +01:00
ntl-purism f3a93987b6 LDAP & PAM added to OAuth password grant strategy (#7999) (#12390)
When authenticating via OAuth, the resource owner password grant
strategy is allowed by Mastodon, but (without this PR), it does not
attempt to authenticate against LDAP or PAM. As a result, LDAP or PAM
authenticated users cannot sign in to Mastodon with their
email/password credentials via OAuth (for instance, for native/mobile
app users).

This PR fleshes out the authentication strategy supplied to doorkeeper
in its initializer by looking up the user with LDAP and/or PAM when
devise is configured to use LDAP/PAM backends. It attempts to follow the
same logic as the Auth::SessionsController for handling email/password
credentials.

Note #1: Since this pull request affects an initializer, it's unclear
how to add test automation.

Note #2: The PAM authentication path has not been manually tested. It
was added for completeness sake, and it is hoped that it can be manually
tested before merging.
2019-11-30 19:44:59 +01:00
Thibaut Girka e87cc59811 Fix weird edge case in load_schema 2019-11-20 19:19:57 +01:00
Thibaut Girka 1064a9d827 Override Migrator.new instead of Migrator#initialize, it's easier to understand 2019-11-20 17:31:22 +01:00
Thibaut Girka 33c2a7e23c Add documentation about the migration hack 2019-11-20 17:18:00 +01:00
Thibaut Girka 6475525f31 Monkey-patch Rails' migrator to ignore duplicate migrations across Mastodon and glitch-soc 2019-11-20 17:03:25 +01:00
ThibG dfea7368c9 Add bookmarks (#7107)
* Add backend support for bookmarks

Bookmarks behave like favourites, except they aren't shared with other
users and do not have an associated counter.

* Add spec for bookmark endpoints

* Add front-end support for bookmarks

* Introduce OAuth scopes for bookmarks

* Add bookmarks to archive takeout

* Fix migration

* Coding style fixes

* Fix rebase issue

* Update bookmarked_statuses to latest UI changes

* Update bookmark actions to properly reflect status changes in state

* Add bookmarks item to single-column layout

* Make active bookmarks red
2019-11-13 23:02:10 +01:00
Thibaut Girka 61631f4751 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- README.md
- app/javascript/styles/mastodon/components.scss
  conflicts caused by image URLs being different
- app/models/status.rb
  as_home_timeline removed, kept glitch-soc-only as_direct_timeline
- app/views/statuses/_simple_status.html.haml
- config/locales/en.yml
  some strings were changed upstream
- spec/models/status_spec.rb
  as_home_timeline removed, kept glitch-soc-only as_direct_timeline
2019-10-10 17:26:08 +02:00
Eugen Rochko 45eccaf8c5
Fix preloaded JSON-LD context for identity not being used (#12138)
Regression from #11316
2019-10-10 06:48:53 +02:00
Eugen Rochko 354fdd317e
Fix attachment not being re-downloaded even if file is not stored (#12125)
Change the behaviour of remotable concern. Previously, it would skip
downloading an attachment if the stored remote URL is identical to
the new one. Now it would not be skipped if the attachment is not
actually currently stored by Paperclip.
2019-10-09 07:10:46 +02:00
Eugen Rochko 086fc7ed77
Fix S3 adapter retrying failing uploads with exponential backoff (#12085)
The default limit of 10 retries with exponential backoff meant
that if the S3 server was timing out, you would be stuck with it
for much, much longer than the 5 second read timeout we expect.

The uploading happens within a database transaction, which means
a failing S3 server could negatively affect database performance
2019-10-06 06:20:57 +02:00
Thibaut Girka a84aedb7a7 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- app/models/media_attachment.rb
  Upstream raised max image size from 8MB to 10MB while our limit is
  configurable. Raised the default to 10MB.
2019-10-03 11:10:12 +02:00
Eugen Rochko 5c42f47617
Fix records not being indexed sometimes (#12024)
It's possible that after commit callbacks were not firing when
exceptions occurred in the process. Also, the default Sidekiq
strategy does not push indexing jobs immediately, which is not
necessary and could be part of the issue too.
2019-10-01 01:19:11 +02:00
Thibaut Girka 16ff7c5627 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- Gemfile
- Gemfile.lock
- app/controllers/about_controller.rb
- app/controllers/auth/sessions_controller.rb
2019-09-30 12:23:57 +02:00
Eugen Rochko 5f69eb89e2
Add a nodeinfo endpoint (#12002)
* Add nodeinfo endpoint

* dont commit stuff from my local dev

* consistant naming since we implimented 2.1 schema

* Add some additional node info stuff

* Add nodeinfo endpoint

* dont commit stuff from my local dev

* consistant naming since we implimented 2.1 schema

* expanding this to include federation info

* codeclimate feedback

* CC feedback

* using activeserializers seems like a good idea...

* get rid of draft 2.1 version

* Reimplement 2.1, also fix metaData -> metadata

* Fix metaData -> metadata here too

* Fix nodeinfo 2.1 tests

* Implement cache for monthly user aggregate

* Useless

* Remove ostatus from the list of supported protocols

* Fix nodeinfo's open_registration reading obsolete setting variable

* Only serialize domain blocks with user-facing limitations

* Do not needlessly list noop severity in nodeinfo

* Only serialize domain blocks info in nodeinfo when they are set to be displayed to everyone

* Enable caching for nodeinfo endpoints

* Fix rendering nodeinfo

* CodeClimate fixes

* Please CodeClimate

* Change InstancePresenter#active_user_count_months for clarity

* Refactor NodeInfoSerializer#metadata

* Remove nodeinfo 2.1 support as the schema doesn't exist

* Clean-up
2019-09-29 21:31:51 +02:00
Yamagishi Kazutoshi a5c558f052 Hide error message on /heath (#11947)
* Hide error message on /heath

* update health_check
2019-09-24 20:28:25 +02:00
Yamagishi Kazutoshi b02169f124 Cast multipart threshold to integer (#11944) 2019-09-24 17:32:12 +02:00
Eugen Rochko a1f04c1e34
Fix authentication before 2FA challenge (#11943)
Regression from #11831
2019-09-24 04:35:36 +02:00
Yamagishi Kazutoshi 172eaeba3f Add config of multipart threshold for S3 (#11924) 2019-09-23 15:37:45 +02:00
Thibaut Girka 5cadb47238 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- app/controllers/auth/sessions_controller.rb
  Minor conflict due to glitch-soc's theming code
2019-09-18 17:25:56 +02:00
Eugen Rochko c707ef49d9
Fix 2FA challenge and password challenge for non-database users (#11831)
* Fix 2FA challenge not appearing for non-database users

Fix #11685

* Fix account deletion not working when using external login

Fix #11691
2019-09-15 21:08:39 +02:00
Thibaut Girka 74c5b2bd08 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- Gemfile
- app/controllers/api/v1/search_controller.rb
  Conflict because we changed the number of default results to be
  configurable
- app/lib/settings/scoped_settings.rb
  Addition of a new “noindex” site-wide setting,
  conflict due to our change of the two other site-wide settings
  (default flavour and skin instead of theme)
- spec/controllers/application_controller_spec.rb
  Addition of a new “noindex” site-wide setting,
  conflict due to our change of the two other site-wide settings
  (default flavour and skin instead of theme)
2019-09-13 18:13:43 +02:00
Yamagishi Kazutoshi 4e1b742cb2 Change rate limit for media proxy (#11814) 2019-09-13 16:02:52 +02:00
Yamagishi Kazutoshi d7268befa8 Add healthcheck endpoint for web (#11770) 2019-09-07 02:47:51 +02:00
Thibaut Girka 5088eb8388 Merge branch 'master' into glitch-soc/merge-upstream 2019-09-05 11:36:41 +02:00
ThibG 692c5b439a Fix ActivityPub context not being dynamically computed (#11746)
* Fix contexts not being dynamically included

Fixes #11649

* Refactor Note context in serializer

* Refactor Actor serializer
2019-09-03 22:52:32 +02:00
Thibaut Girka 9e17f9e95a Fix connect-src policy for Tesseract 2019-08-19 22:02:35 +02:00
Thibaut Girka 1488be7d96 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- app/controllers/home_controller.rb
- app/controllers/shares_controller.rb
- app/javascript/packs/public.js
- app/models/status.rb
- app/serializers/initial_state_serializer.rb
- app/views/home/index.html.haml
- app/views/layouts/public.html.haml
- app/views/public_timelines/show.html.haml
- app/views/shares/show.html.haml
- app/views/tags/show.html.haml
- config/initializers/content_security_policy.rb
- config/locales/en.yml
- config/webpack/shared.js
- package.json
2019-08-19 21:49:35 +02:00
ThibG 8203e24cf4 Fix CSP needlessly allowing blob URLs in script-src (#11620) 2019-08-19 20:36:58 +02:00
Eugen Rochko b7f5f0ec10
Fix media host not being included in connect-src for OCR (#11577) 2019-08-16 01:54:36 +02:00
Eugen Rochko 28636f43e4
Add OCR tool to media editing modal (#11566) 2019-08-15 15:13:26 +02:00
Thibaut Girka 24968d20a0 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- app/controllers/directories_controller.rb
- package.json
- yarn.lock
2019-07-30 12:22:33 +02:00
Eugen Rochko 24552b5160
Add whitelist mode (#11291) 2019-07-30 11:10:46 +02:00
Thibaut Girka 6ab84c12a7 Merge branch 'master' into glitch-soc/merge-upstream 2019-07-04 16:21:39 +02:00
Eugen Rochko 3bc0c4a884
Remove unused StatsD code and expose StatsD as a global variable (#11232)
The instrumentation code was used for StatsD metrics collection
prior to the switch to the nsa gem and should have been removed
at that point as it no longer does anything at all
2019-07-02 11:34:39 +02:00
Thibaut Girka ddd875ad99 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- app/models/media_attachment.rb
  Upstream added audio attachment support
- app/serializers/initial_state_serializer.rb
  Upstream added audio attachment support and how mimetypes are returned
- app/serializers/rest/instance_serializer.rb
  Upstream added a few fields
- config/application.rb
  Upstream added a different paperclip transcoder
2019-06-24 15:02:59 +02:00
Eugen Rochko 7696f77245
Add moderation API (#9387)
Fix #8580
Fix #7143
2019-06-20 02:52:34 +02:00
Thibaut Girka 1b0ff4cd69 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- app/controllers/settings/notifications_controller.rb
- app/javascript/packs/public.js
- app/views/settings/preferences/show.html.haml
- app/views/stream_entries/_simple_status.html.haml
- config/locales/simple_form.en.yml
- config/locales/simple_form.pl.yml
- config/navigation.rb
- config/routes.rb
2019-06-10 18:59:53 +02:00
Eugen Rochko 1db4117030
Change preferences page into appearance, notifications, and other (#10977) 2019-06-07 03:39:24 +02:00
Thibaut Girka 3d73d76e55 Merge branch 'master' into glitch-soc/merge-upstream 2019-05-28 17:45:06 +02:00
Hinaloe b793722d7d Fix undefined method error (#10868) 2019-05-28 15:31:51 +03:00
mayaeh afb17b7045 Fix undefined method error. (#10867) 2019-05-28 05:42:04 +02:00
ThibG 0e9b8be18a Improve rate limiting (#10860)
* Rate limit based on remote address IP, not on potential reverse proxy

* Limit rate of unauthenticated API requests further

* Rate-limit paging requests to one every 3 seconds
2019-05-27 21:57:49 +02:00
Thibaut Girka 33c80e0783 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- app/models/media_attachment.rb
2019-05-04 16:37:26 +02:00
Thibaut Girka 2c2f649200 Fix CSP when PAPERCLIP_ROOT_URL is set to a different host 2019-05-04 10:55:56 +02:00
Thibaut Girka 58720aa2bd Fix CSP when dealing with S3 hosts 2019-05-04 00:47:51 +02:00
dependabot[bot] ecbea2e3c6 Bump rack-attack from 5.4.2 to 6.0.0 (#10599)
* Bump rack-attack from 5.4.2 to 6.0.0

Bumps [rack-attack](https://github.com/kickstarter/rack-attack) from 5.4.2 to 6.0.0.
- [Release notes](https://github.com/kickstarter/rack-attack/releases)
- [Changelog](https://github.com/kickstarter/rack-attack/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kickstarter/rack-attack/compare/v5.4.2...v6.0.0)

Signed-off-by: dependabot[bot] <support@dependabot.com>

* fix payload[:request]
2019-05-03 16:16:11 +02:00
Thibaut Girka 7783ec921b Merge branch 'master' into glitch-soc/merge-upstream 2019-04-24 15:25:22 +02:00
Eugen Rochko 8a0d677cde
Fix stoplight logging to stderr separate from Rails logger (#10624) 2019-04-23 04:39:48 +02:00
Thibaut Girka f5f6d23d55 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- config/locales/pl.yml
  Conflict caused by new upstream string too close to glitch-specific
  “flavour” string. Took both strings.
2019-04-08 15:57:56 +02:00
Eugen Rochko 0e8819f0e8
Add rate limit for media proxy requests (#10490)
30 per 30 minutes, like media uploads
2019-04-07 04:26:43 +02:00
Thibaut Girka 050efbc126 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- app/workers/activitypub/distribute_poll_update_worker.rb
- config/locales/pl.yml
2019-03-28 13:01:33 +01:00
Eugen Rochko 11fe293e1b
Remove unused ActivityPub `@context` values depending on response (#10378)
Fix #8078
2019-03-27 15:55:23 +01:00
Thibaut Girka edd5441112 Merge branch 'master' into glitch-soc/merge-upstream 2019-03-22 13:05:17 +01:00
Eric 7169928f96 cas_options :validate_url should be :service_validate_url (#10328)
Otherwise, no matter what is given for CAS_VALIDATE_URL the default /serviceValidate path would be used.
2019-03-21 04:06:41 +01:00
Thibaut Girka 06cc04fd23 Merge branch 'master' into glitch-soc/merge-upstream 2019-02-15 18:02:45 +01:00
Eugen Rochko 99fa1ce93d
Add tight rate-limit for API deletions (#10042)
Deletions take a lot of resources to execute and cause a lot of
federation traffic, so it makes sense to decrease the number
someone can queue up through the API.

30 per 30 minutes
2019-02-14 06:27:54 +01:00
Thibaut Girka bf94a43496 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- app/controllers/oauth/authorized_applications_controller.rb
  Two changes too close to each other
- app/controllers/settings/sessions_controller.rb
- app/lib/user_settings_decorator.rb
  Two changes too close to each other
- app/models/media_attachment.rb
  New changes too close to glitch-soc only changes.
- app/models/user.rb
  Two changes too close to each other.
- app/services/remove_status_service.rb
  Kept direct timeline code which had been removed upstream.
- app/views/settings/preferences/show.html.haml
  Two changes too close to each other.
- config/locales/en.yml
  Introduction of a new string too close to glitch-soc-only's “flavour”
- config/locales/ja.yml
  Introduction of a new string too close to glitch-soc-only's “flavour”
- config/locales/pl.yml
  Introduction of a new string too close to glitch-soc-only's “flavour”
- config/locales/simple_form.en.yml
  Introduction of a new string too close to glitch-soc-only's “skin”
- config/locales/simple_form.pl.yml
  Introduction of a new string too close to glitch-soc-only's “skin”
- config/settings.yml
  Reverted upstream's decision of enabling posting application by default.
2019-02-10 21:10:09 +01:00
Eugen Rochko 016ad37bc8
Fix URL linkifier grabbing full-width spaces and quotations (#9997)
Fix #9993
Fix #5654
2019-02-09 20:13:11 +01:00
Thibaut Girka 5e0cf92fd1 Merge branch 'master' into glitch-soc/merge-upstream
No conflicts.
2019-01-19 18:28:37 +01:00
Eugen Rochko 4699cf853c
Add timeouts for S3 (#9842) 2019-01-18 01:36:59 +01:00
Thibaut Girka dbe311f0e9 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- config/locales/simple_form.pl.yml
2019-01-16 14:20:07 +01:00
Moritz Heiber ecf40d09ed Disable Same-Site cookie implementation to fix SSO issues on WebKit browsers (#9819) 2019-01-15 23:11:46 +01:00
Thibaut Girka a2a64ecd3e Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- .eslintrc.yml
  Removed, as upstream removed it.
- app/controllers/admin/statuses_controller.rb
  Minor code cleanup when porting one of our features.
- app/models/account.rb
  Note length validation has changed upstream.
  We now use upstream's validation (dropped legacy glitch-soc
  account metadata stuff) but with configurable limit.
- app/services/post_status_service.rb
  Upstream has added support for scheduled toots, refactoring
  the code a bit. Adapted our changes to this refactoring.
- app/views/stream_entries/_detailed_status.html.haml
  Not a real conflict, changes too close.
- app/views/stream_entries/_simple_status.html.haml
  Not a real conflict, changes too close.
2019-01-10 21:00:30 +01:00
Nolan Lawson f05eb67081 Enable immutable caching for S3 objects (#9722)
I also added "public" here, as I can't think of a good reason not to add it. Perhaps it has some marginal benefit in that ISPs (or other proxies) can cache it for all users. The assets are certainly publicly available and the same for all users.
2019-01-05 12:29:53 -05:00
Thibaut Girka 571d219bb9 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts manually resolved:
- app/services/post_status_service.rb
- config/locales/simple_form.pl.yml
- config/routes.rb
- config/webpack/loaders/sass.js
- config/webpack/shared.js
- package.json
- yarn.lock
2019-01-02 15:36:53 +01:00
Eugen Rochko 5d2fc6de32
Add REST API for creating an account (#9572)
* Add REST API for creating an account

The method is available to apps with a token obtained via the client
credentials grant. It creates a user and account records, as well as
an access token for the app that initiated the request. The user is
unconfirmed, and an e-mail is sent as usual.

The method returns the access token, which the app should save for
later. The REST API is not available to users with unconfirmed
accounts, so the app must be smart to wait for the user to click a
link in their e-mail inbox.

The method is rate-limited by IP to 5 requests per 30 minutes.

* Redirect users back to app from confirmation if they were created with an app

* Add tests

* Return 403 on the method if registrations are not open

* Require agreement param to be true in the API when creating an account
2018-12-24 19:12:38 +01:00
Thibaut Girka 3e686beaea Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- config/routes.rb
  Upstream changed some admin routes, conflict was because of an added :show
  action for statuses on our side. Kept it.
2018-12-23 11:28:28 +01:00
Eugen Rochko 240c122767
Skip mailer job retries when a record no longer exists (#9590)
Fix #8666
2018-12-21 06:16:17 +01:00
Thibaut Girka 65e994b29b Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- app/controllers/directories_controller.rb
- app/controllers/settings/applications_controller.rb
- app/controllers/settings/base_controller.rb
- app/controllers/settings/deletes_controller.rb
- app/controllers/settings/exports_controller.rb
- app/controllers/settings/follower_domains_controller.rb
- app/controllers/settings/imports_controller.rb
- app/controllers/settings/migrations_controller.rb
- app/controllers/settings/notifications_controller.rb
- app/controllers/settings/preferences_controller.rb
- app/controllers/settings/sessions_controller.rb
- app/controllers/settings/two_factor_authentication/confirmations_controller.rb
- app/controllers/settings/two_factor_authentication/recovery_codes_controller.rb
- app/controllers/settings/two_factor_authentications_controller.rb

Conflicts were due to some refactoring already made in glitch-soc
when introducing flavours.
2018-12-15 10:45:53 +01:00
Rey Tucker 35b2ba5030 Remove form_action from CSP
This trips an issue when trying to authenticate through to
third-party sites, e.g. bridge.joinmastodon.org:

    Refused to send form data to 'https://bridge.joinmastodon.org/'
    because it violates the following Content Security Policy
    directive: "form-action 'self'".

Thread: https://vulpine.club/@digifox/101230933751352042
2018-12-14 08:02:06 +01:00
ThibG 3f12c07ff5 Use same CORS policy for /@:username and /users/:username (#9485)
Fixes #8189

rack-cors being called before the application router, it does not follow
the redirection, and we need a separate rule for /users/:username.
2018-12-10 21:39:47 +01:00
Thibaut Girka d32d33f408 Merge branch 'master' into glitch-soc/merge-upstream 2018-12-02 20:29:14 +01:00
ThibG 84e5ed43e7 Preload common JSON-LD contexts (#9412)
Fixes #9411
2018-12-02 16:46:13 +01:00
Thibaut Girka 1283e112b9 Tighten CSP a bit 2018-11-12 15:43:02 +01:00
Thibaut Girka 5bb8563f6c Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- app/controllers/admin/base_controller.rb
- app/controllers/filters_controller.rb
- app/controllers/invites_controller.rb
- app/controllers/settings/deletes_controller.rb
- app/controllers/settings/exports_controller.rb
- app/controllers/settings/follower_domains_controller.rb
- app/controllers/settings/migrations_controller.rb
- app/controllers/settings/notifications_controller.rb
- app/controllers/settings/preferences_controller.rb
- app/controllers/settings/two_factor_authentication/recovery_codes_controller.rb
- app/javascript/packs/public.js
- app/views/settings/profiles/show.html.haml

Conflicts were mostly due to the addition of body classes to the settings page,
this was caused by rejecting upstream changes for most of those files and
modifying Settings::BaseController instead.

Another cause of conflicts was the deletion of client-side checking of
display name / bio length, this was modified in app/javascript/core/settings.js
instead.
2018-10-26 20:41:43 +02:00
Ben Lubar 13e049d772 Allow cross-origin requests to /.well-known/* URLs. (#9083)
Right now, this includes three endpoints: host-meta, webfinger, and change-password.

host-meta and webfinger are publicly available and do not use any authentication. Nothing bad can be done by accessing them in a user's browser.

change-password being CORS-enabled will only reveal the URL it redirects to (which is /auth/edit) but not anything about the actual /auth/edit page, because it does not have CORS enabled.

The documentation for hosting an instance on a different domain should also be updated to point out that Access-Control-Allow-Origin: * should be set at a minimum for the /.well-known/host-meta redirect to allow browser-based non-proxied instance discovery.
2018-10-25 03:13:35 +02:00
Thibaut Girka dcded13a99 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
- .github/ISSUE_TEMPLATE/bug_report.md
  Took our version.
- CONTRIBUTING.md
  Updated the embedded copy of upstream's version.
- README.md
  Took our version.
- app/policies/status_policy.rb
  Not a real conflict, took code from both.
- app/views/layouts/embedded.html.haml
  Added upstream's changes (dns-prefetch) and fixed
  `%body.embed`
- app/views/settings/preferences/show.html.haml
  Reverted some of upstream changes, as we have a
  page dedicated for flavours and skins.
- config/initializers/content_security_policy.rb
  Kept our version of the CSP.
- config/initializers/doorkeeper.rb
  Not a real conflict, took code from both.
2018-10-22 17:51:38 +02:00
Eugen Rochko a38a452481
Add unread indicator to conversations (#9009) 2018-10-19 01:47:29 +02:00
ThibG 8ab081ec32 Add manifest_src to CSP, add blob to connect_src (#8967) 2018-10-12 19:07:30 +02:00
Eugen Rochko edc7f895be
Fix CSP headers blocking media and development environment (#8962)
Regression from #8957
2018-10-12 01:43:09 +02:00
ThibG 2d27c11061 Set Content-Security-Policy rules through RoR's config (#8957)
* Set CSP rules in RoR's configuration

* Override CSP setting in the embed controller to allow frames
2018-10-11 20:35:46 +02:00
Thibaut Girka 122ac9cd1d Merge branch 'master' into glitch-soc/merge-upstream 2018-10-09 12:12:03 +02:00
Sascha b2a57a5d6f add ffmpeg initializer (#8855)
* add ffmpeg initializer

* use different expression to check for environment var
2018-10-09 03:02:52 +02:00
Thibaut Girka d17844e6d1 Merge branch 'master' into glitch-soc/merge-upstream 2018-10-08 13:51:33 +02:00
ashleyhull-versent f194857ac9 rubocop issues - Cleaning up (#8912)
* cleanup pass

* undo mistakes

* fixed.

* revert
2018-10-08 04:50:11 +02:00
Thibaut Girka 00fcdebed7 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
	db/migrate/20170716191202_add_hide_notifications_to_mute.rb
	spec/controllers/application_controller_spec.rb

Took our version, upstream changes were only minor style linting.
2018-10-05 15:23:57 +02:00
aus-social 0a4739c732 lint pass 2 (#8878)
* Code quality pass

* Typofix

* Update applications_controller_spec.rb

* Update applications_controller_spec.rb
2018-10-04 17:38:04 +02:00
aus-social 1f98eae1cf Lint pass (#8876) 2018-10-04 12:36:53 +02:00
Thibaut Girka c91d9b7389 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
	app/lib/user_settings_decorator.rb
	app/models/user.rb
	app/serializers/initial_state_serializer.rb
	app/views/stream_entries/_simple_status.html.haml
	config/locales/simple_form.en.yml
	config/locales/simple_form.ja.yml
	config/locales/simple_form.pl.yml
	config/routes.rb
2018-10-01 12:43:20 +02:00
Yamagishi Kazutoshi 65f04e6046 Fix that Rails.cache information could not be sent via StatsD (#8831) 2018-09-30 00:05:59 +02:00
Thibaut Girka 91bef4759f Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
	Vagrantfile
	app/javascript/packs/public.js
	app/views/admin/settings/edit.html.haml
	app/views/settings/preferences/show.html.haml
	app/views/settings/profiles/show.html.haml
	config/locales/es.yml
	config/locales/simple_form.en.yml
	config/webpack/configuration.js
	config/webpack/loaders/babel.js
	package.json
	yarn.lock

Split new additions to app/javascript/packs/public.js to
app/javascript/core/settings.js
2018-09-19 21:46:01 +02:00
Eugen Rochko f4d549d300
Redesign forms, verify link ownership with rel="me" (#8703)
* Verify link ownership with rel="me"

* Add explanation about verification to UI

* Perform link verifications

* Add click-to-copy widget for verification HTML

* Redesign edit profile page

* Redesign forms

* Improve responsive design of settings pages

* Restore landing page sign-up form

* Fix typo

* Support <link> tags, add spec

* Fix links not being verified on first discovery and passive updates
2018-09-18 16:45:58 +02:00
luzpaz 40dd19be37 Misc. typos (#8694)
Found via `codespell -q 3 --skip="./app/javascript/mastodon/locales,./config/locales"`
2018-09-14 00:53:09 +02:00
Thibaut Girka cd99255698 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
	app/controllers/oauth/authorizations_controller.rb

Just two changes being too close to one another.
Took both.
2018-09-11 16:51:26 +02:00
Sorin Davidoi 6f3d934bc1 feat(cookies): Use the same-site attribute to lax (#8626)
CSFR-prevention is already implemented but adding this doesn't hurt.

A brief introduction to Same-Site cookies (and the difference between strict and
lax) can be found at
https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/

TLDR: We use lax since we want the cookies to be sent when the user navigates
safely from an external site.
2018-09-08 23:54:28 +02:00
Rey Tucker 40d04a3209 Add manifest_src to CSP
Fixes manifest.json not being loaded because of CSP violation

h/t https://vulpine.club/@binary/100662852252438648
2018-09-03 22:37:54 +02:00
Thibaut Girka c4b3479173 Fix CSP with S3/SWIFT hosts 2018-08-28 22:10:40 +02:00
Thibaut Girka 3fe5029fbe Adjust CSP to fix image resizing 2018-08-28 16:58:55 +02:00
Thibaut Girka 36393e1d2b Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
	app/views/layouts/application.html.haml

Edited:
        app/helpers/application_helper.rb
        app/views/admin/domain_blocks/new.html.haml

Conflict wasn't really one, just two changes too close to one another.
Edition was to adapt the class names for themes to class names for
skins and flavours.

Also edited app/views/admin/domain_blocks/new.html.haml to strip the
duplicate admin pack inclusion thing.
2018-08-26 14:23:24 +02:00
M Somerville 2bba6e582d Rename S3_CLOUDFRONT_HOST to S3_ALIAS_HOST. (#8423)
Still check for S3_CLOUDFRONT_HOST for existing installs.
2018-08-25 13:27:08 +02:00
Thibaut Girka 0ddf439999 Only apply CSP in production mode 2018-08-23 22:58:40 +02:00
Thibaut Girka 48db3b3c99 Tighten CSP while allowing CDN hosts 2018-08-23 22:58:40 +02:00
Thibaut Girka e7a72439f1 Move CSP headers to the appropriate Rails configuration
Also drop dev-static.glitch.social reference.
2018-08-22 20:39:33 +02:00
Thibaut Girka 8b4abaa90d Merge branch 'master' into glitch-soc/master
Conflicts:
	config/routes.rb

Added the “endorsements” route from upstream.
2018-08-21 18:24:48 +02:00
ThibG f06fa09962 Revert to using Paperclip's filesystem storage, and fix dangling records in remove_remote (#8339)
* Fix uncaching worker

* Revert to using Paperclip's filesystem backend instead of fog-local

fog-local has lots of concurrency issues, causing failure to delete files,
dangling file records, and spurious errors UncacheMediaWorker
2018-08-21 17:53:01 +02:00
Thibaut Girka 280d7b1df8 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
	app/models/status.rb
	db/migrate/20180528141303_fix_accounts_unique_index.rb
	db/schema.rb

Resolved by taking upstream changes (no real conflicts, just glitch-soc
specific code too close to actual changes).
2018-08-17 17:43:54 +02:00
Immae b0f4fe456b Add ldap search filter (#8151) 2018-08-15 18:12:44 +02:00
Eugen Rochko fcb527cdd6 Add post-deployment migration system (#8182)
Adopted from GitLab CE. Generate new migration with:

    rails g post_deployment_migration name_of_migration_here

By default they are run together with db:migrate. To not run them,
the env variable SKIP_POST_DEPLOYMENT_MIGRATIONS must be set

Code by Yorick Peterse <yorickpeterse@gmail.com>, see also:

83c8241160
2018-08-13 18:17:20 +02:00
Eugen Rochko 018a9e4e7f
Add post-deployment migration system (#8182)
Adopted from GitLab CE. Generate new migration with:

    rails g post_deployment_migration name_of_migration_here

By default they are run together with db:migrate. To not run them,
the env variable SKIP_POST_DEPLOYMENT_MIGRATIONS must be set

Code by Yorick Peterse <yorickpeterse@gmail.com>, see also:

83c8241160
2018-08-13 13:40:01 +02:00
Thibaut Girka 03afc365d5 Introduce OAuth scopes for bookmarks 2018-08-10 16:49:06 +02:00
Thibaut Girka 6141c2a035 Merge branch 'master' into glitch-soc/merge-upstream 2018-07-26 21:22:43 +02:00
abcang 69bf116345 Add secure option to additional cookie (#8069) 2018-07-25 18:49:47 +02:00
Thibaut Girka d392020da6 Merge branch 'master' into glitch-soc/tentative-merge
Conflicts:
	README.md
	app/controllers/statuses_controller.rb
	app/lib/feed_manager.rb
	config/navigation.rb
	spec/lib/feed_manager_spec.rb

Conflicts were resolved by taking both versions for each change.
This means the two filter systems (glitch-soc's keyword mutes and tootsuite's
custom filters) are in place, which will be changed in a follow-up commit.
2018-07-09 07:13:59 +02:00
Eugen Rochko 1f6ed4f86a
Add more granular OAuth scopes (#7929)
* Add more granular OAuth scopes

* Add human-readable descriptions of the new scopes

* Ensure new scopes look good on the app UI

* Add tests

* Group scopes in screen and color-code dangerous ones

* Fix wrong extra scope
2018-07-05 18:31:35 +02:00
MIYAGI Hikaru ddd0bb69e1 Merge `HIDDEN_SERVICE_VIA_TRANSPARENT_PROXY` into `ALLOW_ACCESS_TO_HIDDEN_SERVICE` (#7901)
If Mastodon accesses to the hidden service via transparent proxy, it's needed to avoid checking whether it's a private address, since `.onion` is resolved to a private address.
I was previously using the `HIDDEN_SERVICE_VIA_TRANSPARENT_PROXY` to provide that function. However, I realized that using `HIDDEN_SERVICE_VIA_TRANSPARENT_PROXY` is redundant, since this specification is always used with `ALLOW_ACCESS_TO_HIDDEN_SERVICE`. Therefore, I decided to integrate the setting of `HIDDEN_SERVICE_VIA_TRANSPARENT_PROXY` into` ALLOW_ACCESS_TO_HIDDEN_SERVICE`.
2018-06-29 15:36:02 +02:00
Thibaut Girka db200226b8 Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
	app/javascript/mastodon/initial_state.js
	db/schema.rb

Upstream added a new field to initial_state.
Not too sure about what happened with db/schema.rb though…
2018-06-15 20:51:39 +02:00
Eugen Rochko 0df91c7b1e
Add dat, dweb, ipfs, ipns, ssb, gopher protocols to URL extractor (#7810)
* Add dat:// and gopher:// to URL extractor

Fix #6072

* Fix comment indent

* Add dweb, ipfs, ipns, ssb
2018-06-15 20:21:47 +02:00
Eugen Rochko 53f0452b70
Remove rack-timeout (#7809)
Timeout considered harmful due to leaving the app in a broken
state, including unreaped database connections
2018-06-15 19:46:25 +02:00
Thibaut Girka 659b8a12ec Merge branch 'master' into glitch-soc/merge-upstream
Conflicts:
	config/locales/ca.yml
	config/locales/nl.yml
	config/locales/oc.yml
	config/locales/pt-BR.yml

Resolved conflicts by removing upstream-specific changes
2018-05-27 13:20:15 +02:00
Eugen Rochko d87649db07
Disable AMS logging (#7623)
Especially in production it's just noise and doesn't mix well with the log format
2018-05-26 01:08:31 +02:00
Jenkins 4c0770d6c8 Merge remote-tracking branch 'tootsuite/master' into glitchsoc/master 2018-05-18 00:17:23 +00:00
MIYAGI Hikaru 919eef3098 User agent for WebFinger (#7531)
* User agent for WebFinger

* local_domain → web_domain

* 'http' is away accidentally...
2018-05-18 01:47:22 +02:00
Thibaut Girka 45fce0e496 Merge branch 'master' into glitch-soc/merge
Conflicts:
	app/controllers/invites_controller.rb
	app/serializers/initial_state_serializer.rb
	config/locales/ko.yml
2018-05-11 18:12:42 +02:00
Eugen Rochko b4fb766b23
Add REST API for Web Push Notifications subscriptions (#7445)
- POST /api/v1/push/subscription
- PUT /api/v1/push/subscription
- DELETE /api/v1/push/subscription
- New OAuth scope: "push" (required for the above methods)
2018-05-11 11:49:12 +02:00
Thibaut Girka 1c9c0167b7 Merge branch 'master' into glitch-soc/master
Conflicts:
	app/models/account.rb
	app/views/accounts/_header.html.haml
2018-05-10 00:03:28 +02:00
Hugo Gameiro ea4e243303 Improve OpenStack v3 compatibility (#7392)
* Update paperclip.rb

* Update .env.production.sample

* Update paperclip.rb
2018-05-07 02:28:28 +02:00
David Yip c816701550
Merge remote-tracking branch 'origin/master' into gs-master
Conflicts:
 	.travis.yml
 	Gemfile.lock
 	README.md
 	app/controllers/settings/follower_domains_controller.rb
 	app/controllers/statuses_controller.rb
 	app/javascript/mastodon/locales/ja.json
 	app/lib/feed_manager.rb
 	app/models/media_attachment.rb
 	app/models/mute.rb
 	app/models/status.rb
 	app/services/mute_service.rb
 	app/views/home/index.html.haml
 	app/views/stream_entries/_simple_status.html.haml
 	config/locales/ca.yml
 	config/locales/en.yml
 	config/locales/es.yml
 	config/locales/fr.yml
 	config/locales/nl.yml
 	config/locales/pl.yml
 	config/locales/pt-BR.yml
 	config/themes.yml
2018-05-03 17:23:44 -05:00
Akihiko Odaki a7e71bbd08 Add a missing question mark in rack_attack.rb (#7338) 2018-05-03 18:51:00 +02:00
Akihiko Odaki b1d4471e36 Throttle media post (#7337)
The previous rate limit allowed to post media so fast that it is possible
to fill up the disk space even before an administrator notices. The new
rate limit is configured so that it takes 24 hours to eat 10 gigabytes:
10 * 1024 / 8 / (24 * 60 / 30) = 27 (which rounded to 30)

The period is set long so that it does not prevent from attaching several
media to one post, which would happen in a short period. For example,
if the period is 5 minutes, the rate limit would be:
10 * 1024 / 8 / (24 * 60 / 5) = 4

This long period allows to lift the limit up.
2018-05-03 17:32:00 +02:00
Eugen Rochko cb5b5cb5f7
Slightly reduce RAM usage (#7301)
* No need to re-require sidekiq plugins, they are required via Gemfile

* Add derailed_benchmarks tool, no need to require TTY gems in Gemfile

* Replace ruby-oembed with FetchOEmbedService

Reduce startup by 45382 allocated objects

* Remove preloaded JSON-LD in favour of caching HTTP responses

Reduce boot RAM by about 6 MiB

* Fix tests

* Fix test suite by stubbing out JSON-LD contexts
2018-05-02 18:58:48 +02:00
MIYAGI Hikaru f58dcbc981 HTTP proxy support for outgoing request, manage access to hidden service (#7134)
* Add support for HTTP client proxy

* Add access control for darknet

Supress error when access to darknet via transparent proxy

* Fix the codes pointed out

* Lint

* Fix an omission + lint

* any? -> include?

* Change detection method to regexp to avoid test fail
2018-04-25 02:14:49 +02:00
David Yip ed490b781f
Merge remote-tracking branch 'origin/master' into gs-master
Conflicts:
 	Gemfile.lock
 	config/application.rb
2018-04-13 16:36:46 -05:00
Yamagishi Kazutoshi 50529cbceb Upgrade Rails to version 5.2.0 (#5898) 2018-04-12 14:45:17 +02:00
Jenkins 33c2bbdda7 Merge remote-tracking branch 'tootsuite/master' into glitchsoc/master 2018-04-11 00:50:09 +00:00
Eugen Rochko 49bbef1202
Use RAILS_LOG_LEVEL to set log level of Sidekiq, too (#7079)
Fix #3565 (oops)
2018-04-10 16:08:28 +02:00
Eugen Rochko 80a944c882
Log rate limit hits (#7096)
Fix #7095
2018-04-10 01:20:18 +02:00
David Yip 67e77f230e
Merge remote-tracking branch 'origin/master' into gs-master
Conflicts:
 	app/serializers/initial_state_serializer.rb

The glitch flavour isn't yet pulling custom emoji data on its own (see
https://github.com/tootsuite/mastodon/pull/7047).  Once that gets into
the glitch flavour, we can eliminate the custom_emojis load.
2018-04-08 19:05:02 -05:00
Eugen Rochko d4de2239b0
Add a circuit breaker for ActivityPub deliveries (#7053) 2018-04-07 21:36:58 +02:00
Jenkins 837b3804bf Merge remote-tracking branch 'tootsuite/master' into glitchsoc/master 2018-03-25 15:17:21 +00:00
Yamagishi Kazutoshi 28384c1771 Revert "Revert "Upgrade Paperclip to version 6.0.0" (#6807)" (#6808)
This reverts commit 40871caa4b.
2018-03-24 12:52:45 +01:00
Jenkins e8aeec4fea Merge remote-tracking branch 'tootsuite/master' into glitchsoc/master 2018-03-20 19:17:20 +00:00
Eugen Rochko ac49c7932d
Add LDAP_TLS_NO_VERIFY option, don't require LDAP_ENABLED outside .env (#6845)
Fix #6816, fix #6790
2018-03-20 19:41:51 +01:00
Jenkins df70571bfe Merge remote-tracking branch 'tootsuite/master' into glitchsoc/master 2018-03-19 20:17:18 +00:00
Alexander 33ee347c99 rename pam email environment variable to something more understandable and default to LOCAL_DOMAIN (better fallback) (#6833) 2018-03-19 20:09:26 +01:00
Eugen Rochko 40871caa4b
Revert "Upgrade Paperclip to version 6.0.0" (#6807)
* Revert "Bump version to 2.3.2rc1"

This reverts commit cdf8b92fea.

* Revert "Downgrade Dockerfile to Ruby 2.4.3 on Alpine 3.6 (#6806)"

This reverts commit 0074cad44f.

* Revert "Handle Mastodon::HostValidationError when pulling remoteable assets (#6782)"

This reverts commit 4a0a19fe54.

* Revert "Correct the reference to user's password in mastodon:add_user task (#6800)"

This reverts commit 338bff8b93.

* Revert "Upgrade Paperclip to version 6.0.0 (#6754)"

This reverts commit b88fcd53f7.
2018-03-17 14:20:35 +01:00
Yamagishi Kazutoshi b88fcd53f7 Upgrade Paperclip to version 6.0.0 (#6754) 2018-03-17 12:37:58 +01:00
Jenkins 447d7e6127 Merge remote-tracking branch 'tootsuite/master' into glitchsoc/master 2018-03-09 00:17:17 +00:00
Effy Elden dd9d00d293 Add additional first_name and last_name SAML attribute statement options, and modify Omniauthable concern to use full_name or first_name + last_name if not available (#6669) 2018-03-07 06:19:10 +01:00
David Yip 1b8fcd4df5
Merge remote-tracking branch 'origin/master' into merge-upstream
Conflicts:
 	README.md
 	app/controllers/follower_accounts_controller.rb
 	app/controllers/following_accounts_controller.rb
 	app/serializers/rest/instance_serializer.rb
 	app/views/stream_entries/_simple_status.html.haml
 	config/locales/simple_form.ja.yml
2018-03-02 21:46:44 -06:00
Alexander 42fe05dea1 fix logic for pam_controlled_service (#6599) 2018-03-02 19:02:50 +01:00
Eugen Rochko 47bdb9b33b
Fix #942: Seamless LDAP login (#6556) 2018-02-28 19:04:53 +01:00
Akihiko Odaki 2e8a492e88 Raise Mastodon::HostValidationError when host for HTTP request is private (#6410) 2018-02-24 19:16:11 +01:00
imncls bb6988a7ac
Merge branch 'master' of https://github.com/tootsuite/mastodon
# Conflicts:
#	app/controllers/settings/exports_controller.rb
#	app/models/media_attachment.rb
#	app/models/status.rb
#	app/views/about/show.html.haml
#	docker_entrypoint.sh
#	spec/views/about/show.html.haml_spec.rb
2018-02-23 23:28:31 +09:00
Ghislain Loaec e668180044 New variable OAUTH_REDIRECT_AT_SIGN_IN + Ref #6538 (not only SAML strategies) (#6540) 2018-02-23 01:16:17 +01:00
Ghislain Loaec 3084fe4959 New env variable: SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED + fixes #6533 (#6538) 2018-02-22 23:31:25 +01:00
Eugen Rochko 02856073f7
Fix #6509: Use pull queue for chewy jobs (#6513) 2018-02-20 17:25:16 +01:00
Jenkins e9052ceaaf Merge remote-tracking branch 'tootsuite/master' into glitchsoc/master 2018-02-11 23:17:11 +00:00
Daniel King 6ef3874b2e Fix URLs incorrectly having trailing hyphen removed (#6465)
In cases where a URL has a trailing hyphen the FetchLinkCardService incorrectly removes the hyphen when it is parsed

The hyphen is not a reserved character in the URI spec https://tools.ietf.org/html/rfc3986#section-2.2
2018-02-11 23:49:18 +01:00
Eugen Rochko e20700fe8f
Fix Chewy trying to update index with the wrong strategy (#6464) 2018-02-11 22:59:44 +01:00
Jenkins efc9ffcb80 Merge remote-tracking branch 'tootsuite/master' into glitchsoc/master 2018-02-11 04:10:16 +00:00
Eugen Rochko 3ebc0ad4d3
Full-text search for authorized statuses (#6423)
* Add full-text search for authorized statuses

- Search API will return statuses that match the query
- Only for logged in users
- Only if you are author of the status,
- Or you were mentioned in it
- Or you favourited or reblogged it
- Configuration over `ES_ENABLED`, `ES_HOST`, `ES_PORT`, `ES_PREFIX`
- Run `rails chewy:deploy` to create & populate index

Fix #5880
Fix #4293
Fix #1152

* Add commented out docker-compose configuration for ES container

* Optimize index import, filter search results

* Add basic normalization to the index

* Add better stemming and normalization to the index

* Skip webfinger request if search query includes both @ and a space

* Fix code style

* Visually separate search result sections

* Fix code style issues
2018-02-09 23:04:47 +01:00
David Yip a6fb1c58ee
Merge remote-tracking branch 'origin/master' into merge-upstream
Conflicts:
	.env.production.sample
	app/controllers/auth/confirmations_controller.rb
	db/schema.rb
2018-02-04 16:36:19 -06:00
Eugen Rochko 38e0133e1b
Make PAM gem optional, allow configuration over environment (#6415) 2018-02-04 15:05:53 +01:00
Eugen Rochko 26f21fd5a0
CAS + SAML authentication feature (#6425)
* Cas authentication feature

* Config

* Remove class_eval + Omniauth initializer

* Codeclimate review

* Codeclimate review 2

* Codeclimate review 3

* Remove uid/email reconciliation

* SAML authentication

* Clean up code

* Improve login form

* Fix code style issues

* Add locales
2018-02-04 05:42:13 +01:00
David Yip 4c1fd9a19c
Merge remote-tracking branch 'tootsuite/master' into merge-upstream
Conflicts:
      app/javascript/styles/mastodon/components.scss
2018-02-02 08:39:52 -06:00
Alexander 04fef7b888 pam authentication (#5303)
* add pam support, without extra column

* bugfixes for pam login

* document options

* fix code style

* fix codestyle

* fix tests

* don't call remember_me without password

* fix codestyle

* improve checks for pam usage (should fix tests)

* fix remember_me part 1

* add remember_token column because :rememberable requires either a password or this column.

* migrate db for remember_token

* move pam_authentication to the right place, fix logic bug in edit.html.haml

* fix tests

* fix pam authentication, improve username lookup, add comment

* valid? is sometimes not honored, return nil instead trying to authenticate with pam

* update devise_pam_authenticatable2 and adjust code. Fixes sideeffects observed in tests

* update devise_pam_authenticatable gem, fixes for codeconventions, fix finding user

* codeconvention fixes

* code convention fixes

* fix idention

* update dependency, explicit conflict check

* fix disabled password updates if in pam mode

* fix check password if password is present, fix templates

* block registration if account is maintained by pam

* Revert "block registration if account is maintained by pam"

This reverts commit 8e7a083d650240b6fac414926744b4b90b435f20.

* fix identation error introduced by rebase

* block usernames maintained by pam

* document pam settings better

* fix code style
2018-02-02 10:18:55 +01:00
David Yip 89a9d629f7
Merge remote-tracking branch 'origin/master' into gs-master
Conflicts:
	Gemfile.lock
2018-01-15 22:17:48 -06:00
Eugen Rochko 5276c0a090
HTML e-mails for UserMailer (#6256)
- premailer gem to turn CSS into inline styles automatically
- rework UserMailer templates
- reword UserMailer templates
2018-01-16 03:29:11 +01:00
Jenkins 0c7dc6c781 Merge remote-tracking branch 'tootsuite/master' into glitchsoc/master 2018-01-15 06:17:15 +00:00
Patrick Figel 537d2939b1 Suppress CSRF token warnings (#6240)
CSRF token checking was enabled for API controllers in #6223,
producing "Can't verify CSRF token authenticity" log spam. This
disables logging of failed CSRF checks.

This also changes the protection strategy for
PushSubscriptionsController to use exceptions, making it consistent
with other controllers that use sessions.
2018-01-15 06:51:23 +01:00
David Yip 991371af5f
Merge remote-tracking branch 'origin/master' into merge-upstream
Conflicts:
	db/schema.rb
2018-01-09 14:16:45 -06:00
Eugen Rochko 921b781909
Increase rate limit on protected paths (#6229)
Previously each protected path had a separate rate limit. Now they're all in the same bucket, so people are more likely to hit one with register->login. Increasing to 25 per 5 minutes should be fine.
2018-01-09 17:07:54 +01:00
Jenkins f6adb409fd Merge remote-tracking branch 'tootsuite/master' into glitchsoc/master 2018-01-05 22:17:12 +00:00
Naoki Kosaka 8d51ce4290 Fix enforce HTTPS in production. (#6180) 2018-01-05 20:04:22 +01:00
Jenkins 933840bebf Merge remote-tracking branch 'tootsuite/master' into glitchsoc/master 2018-01-03 04:17:11 +00:00
Patrick Figel 04ecf44c2f Add confirmation step for email changes (#6071)
* Add confirmation step for email changes

This adds a confirmation step for email changes of existing users.
Like the initial account confirmation, a confirmation link is sent
to the new address.

Additionally, a notification is sent to the existing address when
the change is initiated. This message includes instruction to reset
the password immediately or to contact the instance admin if the
change was not initiated by the account owner.

Fixes #3871

* Add review fixes
2018-01-02 16:55:00 +01:00
Jenkins 6d00ca1c71 Merge remote-tracking branch 'tootsuite/master' into glitchsoc/master 2017-12-22 04:17:14 +00:00
nightpool 9592b5e31e enforce LOCAL_HTTPS=true in production (#6061)
* enforce https in production

* note changes in production env sample

* typo fix
2017-12-22 02:17:59 +01:00
Jenkins 82236a3703 Merge remote-tracking branch 'tootsuite/master' into glitchsoc/master 2017-12-13 18:17:16 +00:00
Yamagishi Kazutoshi 6855baa0c5 Change streaming API URL when remote development (#5942)
* Change streaming API URL when remote development

* Use STREAMING_API_BASE_URL when dev env
2017-12-13 12:43:54 +01:00
David Yip a057ed5cfe
Merge remote-tracking branch 'tootsuite/master' into merge-upstream 2017-12-12 02:54:13 -06:00
Eugen Rochko feed07227b
Apply a 25x rate limit by IP even to authenticated requests (#5948) 2017-12-11 15:32:29 +01:00
kibigo! d08d0f9f33 Ruby intl8n for themes 2017-12-10 11:08:04 -08:00
Naoki Kosaka 4bce376fdc Missing require 'authorization_decorator'. (#5947) 2017-12-09 15:12:10 +01:00
Eugen Rochko a865b62efc
Rate limit by user instead of IP when API user is authenticated (#5923)
* Fix #668 - Rate limit by user instead of IP when API user is authenticated

* Fix code style issue

* Use request decorator provided by Doorkeeper
2017-12-09 14:20:02 +01:00
THE BOSS ♨ 17e26f8afe Fix typo in paperclip.rb (#5936) 2017-12-09 13:59:59 +09:00
Yamagishi Kazutoshi b0db4dad79 Revert fog-aws (ref #5604) (#5934) 2017-12-09 00:47:52 +01:00
Eugen Rochko 42bcbd36b7 Remove rabl dependency (#5894)
* Remove rabl dependency

* Replicate old Oj configuration
2017-12-06 15:04:49 +09:00
Eugen Rochko 546257bc7f Allow specifying STATSD_NAMESPACE (#5700) 2017-11-15 07:22:43 +09:00
MitarashiDango cbbeec05be Fix spell miss (SWIIFT_OBJECT_URL -> SWIFT_OBJECT_URL) (#5617) 2017-11-07 19:06:30 +01:00
Yamagishi Kazutoshi 47b0c61853 Unify file upload to using fog (#5604) 2017-11-07 14:30:31 +01:00
Jeong Arm 9d97054fe6 Remove timestamps on any option (#5282) 2017-10-09 17:52:02 +02:00
unarist 7fd66cf2fe Fix migration failure due to StrongMigrations on production env (#5283) 2017-10-09 10:05:35 +02:00
Lynx Kotoura 32e8a87830 adjust public profile pages 2 (#5223) 2017-10-04 22:49:36 +02:00
Nishi, Keisuke 83ffc4dc07 Fix Paperclip::Fog always responds Not Found in OpenStack-v2 like ConoHa (#5155) 2017-09-30 14:28:29 +02:00
Eugen Rochko 35a8cafa35 Replace self-rolled statsd instrumention with localshred/nsa (#5118) 2017-09-29 03:16:44 +02:00
Eugen Rochko db3ed498b0 When OAuth password verification fails, return 401 instead of redirect (#5111)
Call to warden.authenticate! in resource_owner_from_credentials would
make the request redirect to sign-in path, which is a bad response for
apps. Now bad credentials just return nil, which leads to HTTP 401
from Doorkeeper. Also, accounts with enabled 2FA cannot be logged into
this way.
2017-09-27 23:42:49 +02:00
Eugen Rochko e528114c53 Follow-up to #4582 and #5027, removing dead code (#5101) 2017-09-26 01:06:27 +02:00
Eugen Rochko b982d549f4 Add strong_migrations gem to warn when creating unsafe migrations (#5078) 2017-09-25 02:11:14 +02:00
Eugen Rochko d68df88d4e Disable private status federation over OStatus (#5027) 2017-09-20 19:08:20 +02:00
unarist 6db034a866 Re-allow underscore on valid_url_path_ending_chars (#4999)
Limiting allowed characters in the last character of the URL is came from twitter-text, but underscore is allowed on there, and Mastodon before #4941.
2017-09-18 21:25:40 +02:00
ふぁぼ原 3816943e6b Enable to recognize most kinds of characters as URL paths (#4941) 2017-09-14 18:03:20 +02:00
abcang 1aad015bbb Revert unique retry job (#4937)
* Revert "Enable UniqueRetryJobMiddleware even when called from sidekiq worker (#4836)"

This reverts commit 6859d4c028.

* Revert "Do not execute the job with the same arguments as the retry job (#4814)"

This reverts commit be7ffa2d75.
2017-09-14 15:12:43 +02:00
Patrick Figel 3018043fc2 Add OpenStack Keystone V3 support (#4889)
Keystone V2 is deprecated in favour of V3. This adds the necessary
connection parameters for establishing a V3 connection. Connections
to V2 endpoints are still possible and the configuration should
remain compatible.

This also introduces a SWIFT_REGION variable for multi-region
OpenStack environments and a SWIFT_CACHE_TTL that controls how long
tokens and other meta-data is cached for. Caching tokens avoids
rate-limiting errors that would result in media uploads becoming
unavailable during high load or when using tasks like
media:remove_remote. fog-openstack only supports token caching for
V3 endpoints, so a recommendation for using V3 was added.
2017-09-11 15:11:13 +02:00
abcang 6859d4c028 Enable UniqueRetryJobMiddleware even when called from sidekiq worker (#4836) 2017-09-07 16:44:14 +02:00
Adam Thurlow 6994664a13 swift-enable the paperclip! 📎 (#2322) 2017-09-05 23:17:06 +02:00
abcang be7ffa2d75 Do not execute the job with the same arguments as the retry job (#4814) 2017-09-05 20:56:20 +02:00
Eugen Rochko 1b1e025b41 Use updated ActivityStreams context (added: sharedInbox) (#4764) 2017-09-02 14:00:58 +02:00
Eugen Rochko 00840f4f2e Add handling of Linked Data Signatures in payloads (#4687)
* Add handling of Linked Data Signatures in payloads

* Add a way to sign JSON, fix canonicalization of signature options

* Fix signatureValue encoding, send out signed JSON when distributing

* Add missing security context
2017-08-26 13:47:38 +02:00
Eugen Rochko cf615abbf9 Add configuration to disable private status federation over PuSH (#4582) 2017-08-24 17:51:32 +02:00
Colin Mitchell 871c0d251a Application prefs section (#2758)
* Add code for creating/managing apps to settings section

* Add specs for app changes

* Fix controller spec

* Fix view file I pasted over by mistake

* Add locale strings. Add 'my apps' to nav

* Add Client ID/Secret to App page. Add some visual separation

* Fix rubocop warnings

* Fix embarrassing typo

I lost an `end` statement while fixing a merge conflict.

* Add code for creating/managing apps to settings section

- Add specs for app changes
- Add locale strings. Add 'my apps' to nav
- Add Client ID/Secret to App page. Add some visual separation
- Fix some bugs/warnings

* Update to match code standards

* Trigger notification

* Add warning about not sharing API secrets

* Tweak spec a bit

* Cleanup fixture creation by using let!

* Remove unused key

* Add foreign key for application<->user
2017-08-22 18:33:57 +02:00
Eugen Rochko 6df8bd277b Set correct content-type for ActivityPub JSON (#4592) 2017-08-14 04:16:43 +02:00
Eugen Rochko 40be4ea239 Extend Devise remember_me longevity to 1 year instead of 2 weeks (#4587)
Force SSL only cookies for remember_me, adjust confirmation
expiration time to fit with the user cleanup scheduler
2017-08-12 16:30:59 +02:00
Eugen Rochko dd7ef0dc41 Add ActivityPub inbox (#4216)
* Add ActivityPub inbox

* Handle ActivityPub deletes

* Handle ActivityPub creates

* Handle ActivityPub announces

* Stubs for handling all activities that need to be handled

* Add ActivityPub actor resolving

* Handle conversation URI passing in ActivityPub

* Handle content language in ActivityPub

* Send accept header when fetching actor, handle JSON parse errors

* Test for ActivityPub::FetchRemoteAccountService

* Handle public key and icon/image when embedded/as array/as resolvable URI

* Implement ActivityPub::FetchRemoteStatusService

* Add stubs for more interactions

* Undo activities implemented

* Handle out of order activities

* Hook up ActivityPub to ResolveRemoteAccountService, handle
Update Account activities

* Add fragment IDs to all transient activity serializers

* Add tests and fixes

* Add stubs for missing tests

* Add more tests

* Add more tests
2017-08-08 21:52:15 +02:00
unarist b42c018bb8 Add Content-Type header on throttled response to fix mojibake (#4558)
application/json only allows Unicode, so this prevents from wrong charset detection.
2017-08-08 15:47:35 +02:00
Eugen Rochko df605f0f8b Add "signed in as" header to some pages (#4523) 2017-08-05 04:24:58 +02:00
Eugen Rochko 8d6c3cd48a Fix sessions being replaced needlessly (#4292) 2017-07-22 01:09:10 +02:00
Eugen Rochko a5a07da892 Correct OStatus inflection (Ostatus -> OStatus) (#4255) 2017-07-19 01:37:26 +02:00
Eugen Rochko 8c45cd0e36 Improve ActivityPub representations (#3844)
* Improve webfinger templates and make tests more flexible

* Clean up AS2 representation of actor

* Refactor outbox

* Create activities representation

* Add representations of followers/following collections, do not redirect /users/:username route if format is empty

* Remove unused translations

* ActivityPub endpoint for single statuses, add ActivityPub::TagManager for better
URL/URI generation

* Add ActivityPub::TagManager#to

* Represent all attachments as Document instead of Image/Video specifically
(Because for remote ones we may not know for sure)

Add mentions and hashtags representation to AP notes

* Add AP-resolvable hashtag URIs

* Use ActiveModelSerializers for ActivityPub

* Clean up unused translations

* Separate route for object and activity

* Adjust cc/to matrices

* Add to/cc to activities, ensure announce activity embeds target status and
not the wrapper status, add "id" to all collections
2017-07-15 03:01:39 +02:00
Yamagishi Kazutoshi 0fa9dd8527 Add Rake task for generate VAPID key (#4195)
* Add Rake task for generate VAPID key

* edit config/initializers/vapid.rb
2017-07-14 12:13:43 +02:00
Sorin Davidoi 0c7c188c45 Web Push Notifications (#3243)
* feat: Register push subscription

* feat: Notify when mentioned

* feat: Boost, favourite, reply, follow, follow request

* feat: Notification interaction

* feat: Handle change of public key

* feat: Unsubscribe if things go wrong

* feat: Do not send normal notifications if push is enabled

* feat: Focus client if open

* refactor: Move push logic to WebPushSubscription

* feat: Better title and body

* feat: Localize messages

* chore: Fix lint errors

* feat: Settings

* refactor: Lazy load

* fix: Check if push settings exist

* feat: Device-based preferences

* refactor: Simplify logic

* refactor: Pull request feedback

* refactor: Pull request feedback

* refactor: Create /api/web/push_subscriptions endpoint

* feat: Spec PushSubscriptionController

* refactor: WebPushSubscription => Web::PushSubscription

* feat: Spec Web::PushSubscription

* feat: Display first media attachment

* feat: Support direction

* fix: Stuff broken while rebasing

* refactor: Integration with session activations

* refactor: Cleanup

* refactor: Simplify implementation

* feat: Set VAPID keys via environment

* chore: Comments

* fix: Crash when no alerts

* fix: Set VAPID keys in testing environment

* fix: Follow link

* feat: Notification actions

* fix: Delete previous subscription

* chore: Temporary logs

* refactor: Move migration to a later date

* fix: Fetch the correct session activation and misc bugs

* refactor: Move migration to a later date

* fix: Remove follow request (no notifications)

* feat: Send administrator contact to push service

* feat: Set time-to-live

* fix: Do not show sensitive images

* fix: Reducer crash in error handling

* feat: Add badge

* chore: Fix lint error

* fix: Checkbox label overlap

* fix: Check for payload support

* fix: Rename action "type" (crash in latest Chrome)

* feat: Action to expand notification

* fix: Lint errors

* fix: Unescape notification body

* fix: Do not allow boosting if the status is hidden

* feat: Add VAPID keys to the production sample environment

* fix: Strip HTML tags from status

* refactor: Better error messages

* refactor: Handle browser not implementing the VAPID protocol (Samsung Internet)

* fix: Error when target_status is nil

* fix: Handle lack of image

* fix: Delete reference to invalid subscriptions

* feat: Better error handling

* fix: Unescape HTML characters after tags are striped

* refactor: Simpify code

* fix: Modify to work with #4091

* Sort strings alphabetically

* i18n: Updated Polish translation

it annoys me that it's not fully localized :P

* refactor: Use current_session in PushSubscriptionController

* fix: Rebase mistake

* fix: Set cacheName to mastodon

* refactor: Pull request feedback

* refactor: Remove logging statements

* chore(yarn): Fix conflicts with master

* chore(yarn): Copy latest from master

* chore(yarn): Readd offline-plugin

* refactor: Use save! and update!

* refactor: Send notifications async

* fix: Allow retry when push fails

* fix: Save track for failed pushes

* fix: Minify sw.js

* fix: Remove account_id from fabricator
2017-07-13 22:15:32 +02:00
Eugen Rochko 056b5ed72f Improve UI of admin site settings (#4163) 2017-07-12 03:24:04 +02:00
Eugen Rochko 00df69bc89 Fix #4058 - Use a long-lived cookie to keep track of user-level sessions (#4091)
* Fix #4058 - Use a long-lived cookie to keep track of user-level sessions

* Fix tests, smooth migrate from previous session-based identifier
2017-07-07 23:25:15 +02:00
Yamagishi Kazutoshi 76eda2fc21 Add recursive object support to API response (#4095) 2017-07-07 14:12:16 +02:00
Eugen Rochko f7301bd5b9 Add overview of active sessions (#3929)
* Add overview of active sessions

* Better display of browser/platform name

* Improve how browser information is stored and displayed for sessions overview

* Fix test
2017-06-25 16:54:30 +02:00
Sorin Davidoi 2211e8d1cd Revocable sessions (#3616)
* feat: Revocable sessions

* fix: Tests using sign_in

* feat: Configuration entry for the maximum number of session activations
2017-06-23 18:50:53 +02:00
Eugen Rochko f3be605286 Rename FollowRemoteAccountService to ResolveRemoteAccountService (#3847)
Rename Activitypub to ActivityPub
2017-06-19 01:51:04 +02:00
Matt Jankowski 2212dc4aaa Update Rails to version 5.1.1 (#3121)
* Update rails to version 5.1.1

* Run `rails app:update`

* Remove the override of polymorphic activity relationship

* Silence warning about otp_secret attribute being unknown to rails

* We will only introduce form_with where we want to use remote data
2017-06-01 20:53:37 +02:00
Immae a94c152fd3 Allow alternate domains for mastodon handlers (#3187) 2017-05-22 15:40:04 +02:00
Clworld df92f010ad Set config.cache_store in environments file. (#3219)
* Set config.cache_store in application.rb

* Set config.cache_store in environments.

* fix code format.
2017-05-22 15:01:02 +02:00
Eugen Rochko 20c0054460 Adjust REDIS_URL usage in node_redis (#3183)
Resolves #2780
2017-05-20 21:06:09 +02:00
Eugen Rochko d78f555254 Improve language filter preferences look (#3184) 2017-05-20 19:42:44 +02:00
beatrix 5c1f70b5c5 namespace redis usage (#2869)
* add redis-namespace gem

* namespace redis usage

* refactor redis namespace code to be less intrusive

previously : would be prepended to keys when the
REDIS_NAMESPACE env var was not set

now if it is not set the namespacing functions are
not used at all, which should prevent disruptions
when instances update.

* fix redis namespace variable style in streaming js

* remove trailing space

* final redis namespace style fix
2017-05-07 19:42:32 +02:00
alpaca-tc ee3e0a93f4 Fixes unknown mime type (#2822) 2017-05-05 21:32:14 +02:00
Akihiko Odaki 0cdcf32865 Use ws protocol in streaming API base URL (#2606) 2017-05-04 15:55:13 +02:00
alpaca-tc db92eec876 Localize 'throttled' (#2755) 2017-05-03 23:36:19 +02:00
Eugen Rochko c997091166 Clean up redis configuration. Allow using REDIS_URL to set advanced (#2732)
connection options instead of setting REDIS_HOST etc individually

Close #1986
2017-05-03 23:18:13 +02:00
Eugen Rochko f5bf5ebb82 Replace sprockets/browserify with Webpack (#2617)
* Replace browserify with webpack

* Add react-intl-translations-manager

* Do not minify in development, add offline-plugin for ServiceWorker background cache updates

* Adjust tests and dependencies

* Fix production deployments

* Fix tests

* More optimizations

* Improve travis cache for npm stuff

* Re-run travis

* Add back support for custom.scss as before

* Remove offline-plugin and babili

* Fix issue with Immutable.List().unshift(...values) not working as expected

* Make travis load schema instead of running all migrations in sequence

* Fix missing React import in WarningContainer. Optimize rendering performance by using ImmutablePureComponent instead of
React.PureComponent. ImmutablePureComponent uses Immutable.is() to compare props. Replace dynamic callback bindings in
<UI />

* Add react definitions to places that use JSX

* Add Procfile.dev for running rails, webpack and streaming API at the same time
2017-05-03 02:04:16 +02:00