Diffstat (limited to 'config/initializers')
-rw-r--r--config/initializers/chewy.rb30
-rw-r--r--config/initializers/devise.rb54
-rw-r--r--config/initializers/omniauth.rb3
-rw-r--r--config/initializers/rack_attack.rb2
-rw-r--r--config/initializers/sidekiq.rb2
-rw-r--r--config/initializers/twitter_regex.rb27
6 files changed, 70 insertions, 48 deletions
diff --git a/config/initializers/chewy.rb b/config/initializers/chewy.rb
index 9fc9b2f1a..f303fc54d 100644
--- a/config/initializers/chewy.rb
+++ b/config/initializers/chewy.rb
@@ -1,6 +1,8 @@
 enabled         = ENV['ES_ENABLED'] == 'true'
 host            = ENV.fetch('ES_HOST') { 'localhost' }
 port            = ENV.fetch('ES_PORT') { 9200 }
+user            = ENV.fetch('ES_USER') { nil }
+password        = ENV.fetch('ES_PASS') { nil }
 fallback_prefix = ENV.fetch('REDIS_NAMESPACE') { nil }
 prefix          = ENV.fetch('ES_PREFIX') { fallback_prefix }
 
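Review bot: `ENV.fetch('ES_USER') { nil }` and `ENV.fetch('ES_PASS') { nil }` on the two added lines are `ENV['ES_USER']` and `ENV['ES_PASS']` written the long way; the block-default form only earns its keep when the default is non-nil, as on the `ES_HOST`/`ES_PORT` lines above. `user = ENV['ES_USER']` and `password = ENV['ES_PASS']` read more directly. Note that an empty-string value is passed through as `""` rather than `nil`; if an empty `ES_PASS` should mean "no credentials", `ENV['ES_PASS'].presence` expresses that, but whether Chewy treats `""` and `nil` alike is not visible here.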
@@ -9,11 +11,13 @@ Chewy.settings = {
   prefix: prefix,
   enabled: enabled,
   journal: false,
+  user: user,
+  password: password,
   sidekiq: { queue: 'pull' },
 }
 
 # We use our own async strategy even outside the request-response
-# cycle, which takes care of checking if ElasticSearch is enabled
+# cycle, which takes care of checking if Elasticsearch is enabled
 # or not. However, mind that for the Rails console, the :urgent
 # strategy is set automatically with no way to override it.
 Chewy.root_strategy              = :custom_sidekiq
@@ -28,28 +32,8 @@ module Chewy
   end
 end
 
-# ElasticSearch uses Faraday internally. Faraday interprets the
+# Elasticsearch uses Faraday internally. Faraday interprets the
 # http_proxy env variable by default which leads to issues when
 # Mastodon is run with hidden services enabled, because
-# ElasticSearch is *not* supposed to be accessed through a proxy
+# Elasticsearch is *not* supposed to be accessed through a proxy
 Faraday.ignore_env_proxy = true
-
-# Elasticsearch 7.x workaround
-Elasticsearch::Transport::Client.prepend Module.new {
-  def search(arguments = {})
-    arguments[:rest_total_hits_as_int] = true
-    super arguments
-  end
-}
-
-Elasticsearch::API::Indices::IndicesClient.prepend Module.new {
-  def create(arguments = {})
-    arguments[:include_type_name] = true
-    super arguments
-  end
-
-  def put_mapping(arguments = {})
-    arguments[:include_type_name] = true
-    super arguments
-  end
-}
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index ef612e177..b434c68fa 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -1,9 +1,8 @@
+require 'devise/strategies/authenticatable'
+
 Warden::Manager.after_set_user except: :fetch do |user, warden|
-  if user.session_active?(warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'])
-    session_id = warden.cookies.signed['_session_id'] || warden.raw_session['auth_id']
-  else
-    session_id = user.activate_session(warden.request)
-  end
+  session_id = warden.cookies.signed['_session_id'] || warden.raw_session['auth_id']
+  session_id = user.activate_session(warden.request) unless user.session_activations.active?(session_id)
 
   warden.cookies.signed['_session_id'] = {
     value: session_id,
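Review bot: `user.session_activations.active?(session_id)` on the second added line can receive `nil` when neither the signed `_session_id` cookie nor `raw_session['auth_id']` is present; whether `active?` tolerates `nil` is not visible here, so either guard it, `unless session_id && user.session_activations.active?(session_id)`, or keep the previous `user.session_active?` wrapper, which also avoids reaching through the association from an initializer. The `after_set_user` block continues outside the hunk.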
@@ -15,9 +14,13 @@ Warden::Manager.after_set_user except: :fetch do |user, warden|
 end
 
 Warden::Manager.after_fetch do |user, warden|
-  if user.session_active?(warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'])
+  session_id = warden.cookies.signed['_session_id'] || warden.raw_session['auth_id']
+
+  if session_id && (session = user.session_activations.find_by(session_id: session_id))
+    session.update(ip: warden.request.remote_ip) if session.ip != warden.request.remote_ip
+
     warden.cookies.signed['_session_id'] = {
-      value: warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'],
+      value: session_id,
       expires: 1.year.from_now,
       httponly: true,
       secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
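Review bot: `session.update(ip: warden.request.remote_ip)` on the added line issues a write on every fetched request whose IP differs from the stored one and discards the return value, so a failed validation would pass silently; `update!` would surface it, or a comment such as `# best-effort: keep the activation's IP current` should state that the silence is intended. The `after_fetch` block and its cookie assignment continue outside the hunk.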
@@ -72,17 +75,48 @@ module Devise
   mattr_accessor :ldap_uid_conversion_replace
   @@ldap_uid_conversion_replace = nil
 
-  class Strategies::PamAuthenticatable
-    def valid?
-      super && ::Devise.pam_authentication
+  module Strategies
+    class PamAuthenticatable
+      def valid?
+        super && ::Devise.pam_authentication
+      end
+    end
+
+    class SessionActivationRememberable < Authenticatable
+      def valid?
+        @session_cookie = nil
+        session_cookie.present?
+      end
+
+      def authenticate!
+        resource = SessionActivation.find_by(session_id: session_cookie)&.user
+
+        unless resource
+          cookies.delete('_session_id')
+          return pass
+        end
+
+        if validate(resource)
+          success!(resource)
+        end
+      end
+
+      private
+
+      def session_cookie
+        @session_cookie ||= cookies.signed['_session_id']
+      end
     end
   end
 end
 
+Warden::Strategies.add(:session_activation_rememberable, Devise::Strategies::SessionActivationRememberable)
+
 Devise.setup do |config|
   config.warden do |manager|
     manager.default_strategies(scope: :user).unshift :two_factor_ldap_authenticatable if Devise.ldap_authentication
     manager.default_strategies(scope: :user).unshift :two_factor_pam_authenticatable  if Devise.pam_authentication
+    manager.default_strategies(scope: :user).unshift :session_activation_rememberable
     manager.default_strategies(scope: :user).unshift :two_factor_authenticatable
     manager.default_strategies(scope: :user).unshift :two_factor_backupable
   end
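Review bot: `SessionActivationRememberable#authenticate!` accepts any `SessionActivation` row matching the signed `_session_id` cookie as a login, and that cookie is issued with `expires: 1.year.from_now` in the callbacks above, so it becomes a long-lived bearer credential whose only visible revocation path is deleting the row; if `SessionActivation` carries an expiry or last-used field it is not checked here, which is worth confirming. The class has no comment explaining its role, so a header such as `# Re-authenticates a user from the signed _session_id cookie once the Rails session has expired; the SessionActivation row is the source of truth for revocation.` would help. `cookies.delete('_session_id')` in the miss path should pass the same `path`/`domain` options the setter uses, otherwise the browser keeps the stale cookie; the setter's full option list is outside this hunk. Unlike the two callbacks above, only the cookie is consulted here, not `raw_session['auth_id']`, which looks deliberate but deserves a word in the comment.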
diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
index 9e037f421..19d59f155 100644
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@@ -5,7 +5,6 @@ end
 Devise.setup do |config|
   # Devise omniauth strategies
   options = {}
-  options[:redirect_at_sign_in] = ENV['OAUTH_REDIRECT_AT_SIGN_IN'] == 'true'
 
   # CAS strategy
   if ENV['CAS_ENABLED'] == 'true'
@@ -30,6 +29,8 @@ Devise.setup do |config|
     cas_options[:location_key] = ENV['CAS_LOCATION_KEY'] || 'location'
     cas_options[:image_key] = ENV['CAS_IMAGE_KEY'] || 'image'
     cas_options[:phone_key] = ENV['CAS_PHONE_KEY'] || 'phone'
+    cas_options[:security] = {}
+    cas_options[:security][:assume_email_is_verified] = ENV['CAS_SECURITY_ASSUME_EMAIL_IS_VERIFIED'] == 'true'
     config.omniauth :cas, cas_options
   end
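Review bot: The two added lines build `cas_options[:security]` in two statements where one literal reads better: `cas_options[:security] = { assume_email_is_verified: ENV['CAS_SECURITY_ASSUME_EMAIL_IS_VERIFIED'] == 'true' }`. Defaulting to `false` unless the variable is exactly `'true'` is the right way round, since the option name implies that enabling it makes the application trust the email attribute supplied by the CAS server without verifying it itself; a one-line comment stating that trade-off next to the setting would help operators. The enclosing `Devise.setup` block continues outside the hunk.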
 
diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
index 2a6cca7dc..964d4266d 100644
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@@ -55,7 +55,7 @@ class Rack::Attack
   end
 
   throttle('throttle_api_media', limit: 30, period: 30.minutes) do |req|
-    req.authenticated_user_id if req.post? && req.path.start_with?('/api/v1/media')
+    req.authenticated_user_id if req.post? && req.path.match?('^/api/v\d+/media')
   end
 
   throttle('throttle_media_proxy', limit: 30, period: 10.minutes) do |req|
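Review bot: `req.path.match?('^/api/v\d+/media')` on the changed line hands `match?` a String, which is compiled into a Regexp on every request, and anchors with `^`, which matches at the start of any line rather than the start of the string. A regex literal is compiled once at load time and `\A` anchors to the string start: `req.authenticated_user_id if req.post? && req.path.match?(%r{\A/api/v\d+/media})`. The `Rack::Attack` class continues outside the hunk.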
diff --git a/config/initializers/sidekiq.rb b/config/initializers/sidekiq.rb
index 219554df4..19a705ce8 100644
--- a/config/initializers/sidekiq.rb
+++ b/config/initializers/sidekiq.rb
@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require_relative '../../lib/sidekiq_error_handler'
+
 Sidekiq.configure_server do |config|
   config.redis = REDIS_SIDEKIQ_PARAMS
 
diff --git a/config/initializers/twitter_regex.rb b/config/initializers/twitter_regex.rb
index 3ff2aa9e5..d2ea5f974 100644
--- a/config/initializers/twitter_regex.rb
+++ b/config/initializers/twitter_regex.rb
@@ -24,6 +24,9 @@ module Twitter::TwitterText
         )
       \)
     /iox
+    UCHARS = '\u{A0}-\u{D7FF}\u{F900}-\u{FDCF}\u{FDF0}-\u{FFEF}\u{10000}-\u{1FFFD}\u{20000}-\u{2FFFD}\u{30000}-\u{3FFFD}\u{40000}-\u{4FFFD}\u{50000}-\u{5FFFD}\u{60000}-\u{6FFFD}\u{70000}-\u{7FFFD}\u{80000}-\u{8FFFD}\u{90000}-\u{9FFFD}\u{A0000}-\u{AFFFD}\u{B0000}-\u{BFFFD}\u{C0000}-\u{CFFFD}\u{D0000}-\u{DFFFD}\u{E1000}-\u{EFFFD}\u{E000}-\u{F8FF}\u{F0000}-\u{FFFFD}\u{100000}-\u{10FFFD}'
+    REGEXEN[:valid_url_query_chars] = /[a-z0-9!?\*'\(\);:&=\+\$\/%#\[\]\-_\.,~|@#{UCHARS}]/iou
+    REGEXEN[:valid_url_query_ending_chars] = /[a-z0-9_&=#\/\-#{UCHARS}]/iou
     REGEXEN[:valid_url_path] = /(?:
       (?:
         #{REGEXEN[:valid_general_url_path_chars]}*
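Review bot: Overriding `REGEXEN[:valid_url_query_chars]` and `REGEXEN[:valid_url_query_ending_chars]` only affects regexes built after these lines run, because `#{REGEXEN[...]}` interpolation copies the pattern text at construction time; gem regexes that already interpolated the original entries when twitter-text loaded keep the old version, which is presumably why `valid_extended_uri` is rebuilt in this file, and a comment saying so would spare the next reader the investigation, e.g. `# Widen the query-string classes to Unicode; this must precede every regex below that interpolates them.` Because `UCHARS` is single-quoted, the `\u{...}` escapes reach the Regexp parser as text and are interpreted there; that is intended but easy to misread as a mistake, so the same comment should mention it. `UCHARS` is a plain String constant and should be frozen (`'...'.freeze`) unless the file carries the `frozen_string_literal` magic comment, which is outside this hunk. The `module Twitter::TwitterText` body continues outside the hunk.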
@@ -53,23 +56,21 @@ module Twitter::TwitterText
       #{REGEXEN[:validate_url_pct_encoded]}|
       #{REGEXEN[:validate_url_sub_delims]}
     )/iox
-    REGEXEN[:xmpp_uri] = %r{
-      (xmpp:)                                                                           # Protocol
-      (//#{REGEXEN[:validate_nodeid]}+@#{REGEXEN[:valid_domain]}/)?                     # Authority (optional)
-      (#{REGEXEN[:validate_nodeid]}+@)?                                                 # Username in path (optional)
-      (#{REGEXEN[:valid_domain]})                                                       # Domain in path
-      (/#{REGEXEN[:validate_resid]}+)?                                                  # Resource in path (optional)
-      (\?#{REGEXEN[:valid_url_query_chars]}*#{REGEXEN[:valid_url_query_ending_chars]})? # Query String
-    }iox
-    REGEXEN[:magnet_uri] = %r{
-      (magnet:)                                                                         # Protocol
-      (\?#{REGEXEN[:valid_url_query_chars]}*#{REGEXEN[:valid_url_query_ending_chars]})  # Query String
-    }iox
     REGEXEN[:valid_extended_uri] = %r{
       (                                                                                 #   $1 total match
         (#{REGEXEN[:valid_url_preceding_chars]})                                        #   $2 Preceding character
         (                                                                               #   $3 URL
-          (#{REGEXEN[:xmpp_uri]}) | (#{REGEXEN[:magnet_uri]})
+          (
+            (xmpp:)                                                                           # Protocol
+            (//#{REGEXEN[:validate_nodeid]}+@#{REGEXEN[:valid_domain]}/)?                     # Authority (optional)
+            (#{REGEXEN[:validate_nodeid]}+@)?                                                 # Username in path (optional)
+            (#{REGEXEN[:valid_domain]})                                                       # Domain in path
+            (/#{REGEXEN[:validate_resid]}+)?                                                  # Resource in path (optional)
+            (\?#{REGEXEN[:valid_url_query_chars]}*#{REGEXEN[:valid_url_query_ending_chars]})? # Query String
+          ) | (
+            (magnet:)                                                                         # Protocol
+            (\?#{REGEXEN[:valid_url_query_chars]}*#{REGEXEN[:valid_url_query_ending_chars]})  # Query String
+          )
         )
       )
     }iox
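Review bot: Inlining the XMPP and magnet alternatives removes the `REGEXEN[:xmpp_uri]` and `REGEXEN[:magnet_uri]` entries, so any other code that indexes those keys now gets `nil` and would interpolate an empty pattern; nothing in this hunk uses them after the change, but callers elsewhere are not visible. The inlined groups also change the numbered-capture layout inside `$3` (the protocol groups now sit one level deeper inside the new alternation group), so any consumer that reads captures positionally beyond `$3` should be re-checked; a comment such as `# Capture numbering inside $3 changed when xmpp/magnet were inlined` next to the `$3 URL` marker would flag it. The `module Twitter::TwitterText` body continues outside the hunk.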