6 files changed, 32 insertions, 15 deletions

diff --git a/config/application.rb b/config/application.rb
index 1ce5fd857..569348395 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -27,7 +27,6 @@ require_relative '../lib/sanitize_ext/sanitize_config'
 require_relative '../lib/redis/namespace_extensions'
 require_relative '../lib/paperclip/url_generator_extensions'
 require_relative '../lib/paperclip/attachment_extensions'
-require_relative '../lib/paperclip/storage_extensions'
 require_relative '../lib/paperclip/lazy_thumbnail'
 require_relative '../lib/paperclip/gif_transcoder'
 require_relative '../lib/paperclip/transcoder'
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 4446a9152..77fdb6830 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -91,11 +91,12 @@ Rails.application.configure do
 
   config.action_mailer.default_options = {
     from: outgoing_email_address,
-    reply_to: ENV['SMTP_REPLY_TO'],
-    return_path: ENV['SMTP_RETURN_PATH'],
     message_id: -> { "<#{Mail.random_tag}@#{outgoing_email_domain}>" },
   }
 
+  config.action_mailer.default_options[:reply_to]    = ENV['SMTP_REPLY_TO'] if ENV['SMTP_REPLY_TO'].present?
+  config.action_mailer.default_options[:return_path] = ENV['SMTP_RETURN_PATH'] if ENV['SMTP_RETURN_PATH'].present?
+
   config.action_mailer.smtp_settings = {
     :port                 => ENV['SMTP_PORT'],
     :address              => ENV['SMTP_SERVER'],
diff --git a/config/initializers/paperclip.rb b/config/initializers/paperclip.rb
index e2a045647..26b0a2f7c 100644
--- a/config/initializers/paperclip.rb
+++ b/config/initializers/paperclip.rb
@@ -83,6 +83,26 @@ if ENV['S3_ENABLED'] == 'true'
       s3_host_alias: ENV['S3_ALIAS_HOST'] || ENV['S3_CLOUDFRONT_HOST']
     )
   end
+
+  # Some S3-compatible providers might not actually be compatible with some APIs
+  # used by kt-paperclip, see https://github.com/mastodon/mastodon/issues/16822
+  if ENV['S3_FORCE_SINGLE_REQUEST'] == 'true'
+    module Paperclip
+      module Storage
+        module S3Extensions
+          def copy_to_local_file(style, local_dest_path)
+            log("copying #{path(style)} to local file #{local_dest_path}")
+            s3_object(style).download_file(local_dest_path, { mode: 'single_request' })
+          rescue Aws::Errors::ServiceError => e
+            warn("#{e} - cannot copy #{path(style)} to local file #{local_dest_path}")
+            false
+          end
+        end
+      end
+    end
+
+    Paperclip::Storage::S3.prepend(Paperclip::Storage::S3Extensions)
+  end
 elsif ENV['SWIFT_ENABLED'] == 'true'
   require 'fog/openstack'
 
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 829cd61d0..4fa9abc51 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -199,7 +199,6 @@ en:
       security_measures:
         only_password: Only password
         password_and_2fa: Password and 2FA
-        password_and_sign_in_token: Password and e-mail token
       sensitive: Force-sensitive
       sensitized: Marked as sensitive
       shared_inbox_url: Shared inbox URL
@@ -598,7 +597,7 @@ en:
       action_taken_by: Action taken by
       actions:
         delete_description_html: The reported posts will be deleted and a strike will be recorded to help you escalate on future infractions by the same account.
-        mark_as_sensitive_description_html: The media in the reported posts will be marked as sensitive and a strike will be recorded to help you escalate on future refractions by the same account.
+        mark_as_sensitive_description_html: The media in the reported posts will be marked as sensitive and a strike will be recorded to help you escalate on future infractions by the same account.
         other_description_html: See more options for controlling the account's behaviour and customize communication to the reported account.
         resolve_description_html: No action will be taken against the reported account, no strike recorded, and the report will be closed.
         silence_description_html: The profile will be visible only to those who already follow it or manually look it up, severely limiting its reach. Can always be reverted.
@@ -1634,12 +1633,13 @@ en:
       explanation: You requested a full backup of your Mastodon account. It's now ready for download!
       subject: Your archive is ready for download
       title: Archive takeout
-    sign_in_token:
-      details: 'Here are details of the attempt:'
-      explanation: 'We detected an attempt to sign in to your account from an unrecognized IP address. If this is you, please enter the security code below on the sign in challenge page:'
-      further_actions: 'If this wasn''t you, please change your password and enable two-factor authentication on your account. You can do so here:'
-      subject: Please confirm attempted sign in
-      title: Sign in attempt
+    suspicious_sign_in:
+      change_password: change your password
+      details: 'Here are details of the sign-in:'
+      explanation: We've detected a sign-in to your account from a new IP address.
+      further_actions_html: If this wasn't you, we recommend that you %{action} immediately and enable two-factor authentication to keep your account secure.
+      subject: Your account has been accessed from a new IP address
+      title: A new sign-in
     warning:
       appeal: Submit an appeal
       appeal_description: If you believe this is an error, you can submit an appeal to the staff of %{instance}.
@@ -1690,13 +1690,10 @@ en:
       title: Welcome aboard, %{name}!
   users:
     follow_limit_reached: You cannot follow more than %{limit} people
-    generic_access_help_html: Trouble accessing your account? You may get in touch with %{email} for assistance
     invalid_otp_token: Invalid two-factor code
-    invalid_sign_in_token: Invalid security code
     otp_lost_help_html: If you lost access to both, you may get in touch with %{email}
     seamless_external_login: You are logged in via an external service, so password and e-mail settings are not available.
     signed_in_as: 'Signed in as:'
-    suspicious_sign_in_confirmation: You appear to not have logged in from this device before, so we're sending a security code to your e-mail address to confirm that it's you.
   verification:
     explanation_html: 'You can <strong>verify yourself as the owner of the links in your profile metadata</strong>. For that, the linked website must contain a link back to your Mastodon profile. The link back <strong>must</strong> have a <code>rel="me"</code> attribute. The text content of the link does not matter. Here is an example:'
     verification: Verification
diff --git a/config/routes.rb b/config/routes.rb
index 55e17ab14..574715705 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -298,7 +298,6 @@ Rails.application.routes.draw do
 
     resources :users, only: [] do
       resource :two_factor_authentication, only: [:destroy]
-      resource :sign_in_token_authentication, only: [:create, :destroy]
     end
 
     resources :custom_emojis, only: [:index, :new, :create] do
diff --git a/config/webpack/shared.js b/config/webpack/shared.js
index c2a108a89..bbf9f51f1 100644
--- a/config/webpack/shared.js
+++ b/config/webpack/shared.js
@@ -61,6 +61,7 @@ module.exports = {
     filename: 'js/[name]-[chunkhash].js',
     chunkFilename: 'js/[name]-[chunkhash].chunk.js',
     hotUpdateChunkFilename: 'js/[id]-[hash].hot-update.js',
+    hashFunction: 'sha256',
     path: output.path,
     publicPath: output.publicPath,
   },