path: root/app/controllers/api/base_controller.rb
Age | Commit message | Author
2022-12-15 | Change CSP directives on API to be tight and concise (#20960) | Claire
2022-11-16 | Add 'private' to Cache-Control, match Rails expectations (#20608) | Daniel Axtens
Several controllers set quite intricate Cache-Control headers in order to hopefully not be cached by any intermediate proxies or local caches. Unfortunately, these headers are processed by ActionDispatch::HTTP::Cache in a way that squashes and discards any values set alongside no-store other than private: https://github.com/rails/rails/blob/8015c2c2cf5c8718449677570f372ceb01318a32/actionpack/lib/action_dispatch/http/cache.rb#L207-L209
We want to preserve no-store on these responses, but we might as well remove parts that are going to be dropped anyway. As many of the endpoints in these controllers are private to a particular user, we should also add "private", which will be preserved alongside no-store.
2022-11-14 | Fix error when passing unknown filter param in REST API (#20626) | Eugen Rochko
Fix #19156
2022-11-05 | Change `AUTHORIZED_FETCH` to not block unauthenticated REST API access (#19803) | Eugen Rochko
New environment variable `DISALLOW_UNAUTHENTICATED_API_ACCESS`
2022-10-27 | Fix uncaught error when invalid date is supplied to API (#19480) | Eugen Rochko
Fix #19213
2022-09-08 | Fix REST API sometimes returning HTML on error (#19135) | Claire
Fixes #19115
2022-05-26 | Fix suspended users being able to access APIs that don't require a user (#18524) | Eugen Rochko
2022-03-22 | Fix locale not being set in REST API (#17847) | Eugen Rochko
2022-03-01 | Change authorized applications page (#17656) | Eugen Rochko
* Change authorized applications page
* Hide revoke button for superapps and suspended accounts
* Clean up db/schema.rb
2021-07-21 | Add logging of S3-related errors (#16381) | Claire
2020-12-15 | Add stoplight for object storage failures, return HTTP 503 (#13043) | Eugen Rochko
2020-11-12 | Fix 2FA/sign-in token sessions being valid after password change (#14802) | Eugen Rochko
If someone tries logging in to an account and is prompted for a 2FA code or sign-in token, even if the account's password or e-mail is updated in the meantime, the session will show the prompt and allow the login process to complete with a valid 2FA code or sign-in token
2020-09-15 | Change account suspensions to be reversible by default (#14726) | Eugen Rochko
2020-09-01 | Bump rubocop from 0.86.0 to 0.88.0 (#14412) | dependabot[bot]
* Bump rubocop from 0.86.0 to 0.88.0
Bumps [rubocop](https://github.com/rubocop-hq/rubocop) from 0.86.0 to 0.88.0.
- [Release notes](https://github.com/rubocop-hq/rubocop/releases)
- [Changelog](https://github.com/rubocop-hq/rubocop/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rubocop-hq/rubocop/compare/v0.86.0...v0.88.0)
Signed-off-by: dependabot[bot] <support@github.com>
* Fix for latest RuboCop
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Yamagishi Kazutoshi <ykzts@desire.sh>
2020-06-19 | Fix functional user requirements in whitelist mode (#14093) | ThibG
Fixes #14092
2020-03-08 | Add specific rate limits for posting and following (#13172) | Eugen Rochko
2020-01-23 | Add announcements (#12662) | Eugen Rochko
* Add announcements
Fix #11006
* Add reactions to announcements
* Add admin UI for announcements
* Add unit tests
* Fix issues
  - Add `with_dismissed` param to announcements API
  - Fix end date not being formatted when time range is given
  - Fix announcement delete causing reactions to send streaming updates
  - Fix announcements container growing too wide and mascot too small
  - Fix `all_day` being settable when no time range is given
  - Change text "Update" to "Announcement"
* Fix scheduler unpublishing announcements before they are due
* Fix filter params not being passed to announcements filter
2019-12-06 | Fix generic HTTP 500 error on duplicate records (#12563) | Eugen Rochko
Fix #12551
Fix #12547
2019-08-30 | Fix uncaught parameter missing exceptions and missing error templates (#11702) | Eugen Rochko
2019-08-11 | Fix ActivityPub and REST API queries setting cookies and preventing caching (#11539) | ThibG
Regression from #8657
2019-07-30 | Add whitelist mode (#11291) | Eugen Rochko
2019-07-22 | Change unconfirmed user login behaviour (#11375) | Eugen Rochko
Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign-up, log users in straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
2019-05-03 | Explicitly disable storage of REST API results (#10655) | ThibG
Fixes #10652
2019-03-14 | Admission-based registrations mode (#10250) | Eugen Rochko
Fix #6856
Fix #6951
2018-12-25 | Add error message with invalid email confirmation (#9625) | Takeshi Umeda
2018-12-24 | Add REST API for creating an account (#9572) | Eugen Rochko
* Add REST API for creating an account
The method is available to apps with a token obtained via the client credentials grant. It creates a user and account records, as well as an access token for the app that initiated the request. The user is unconfirmed, and an e-mail is sent as usual. The method returns the access token, which the app should save for later. The REST API is not available to users with unconfirmed accounts, so the app must be smart to wait for the user to click a link in their e-mail inbox. The method is rate-limited by IP to 5 requests per 30 minutes.
* Redirect users back to app from confirmation if they were created with an app
* Add tests
* Return 403 on the method if registrations are not open
* Require agreement param to be true in the API when creating an account
2018-09-28 | Support min_id-based pagination in REST API (#8736) | Eugen Rochko
* Allow min_id pagination in Feed#get
* Add min_id pagination to home and list timeline APIs
* Add min_id pagination to account statuses, public and tag APIs
* Remove unused stub in reports API
* Use min_id pagination in notifications, favourites, and fix order
* Fix HomeFeed#from_database not using paginate_by_id
2018-09-09 | Add force_login option to OAuth authorize page (#8655) | Eugen Rochko
* Add force_login option to OAuth authorize page
For when a user needs to sign into an app from multiple accounts on the same server
* When logging out from modal header, redirect back after re-login
2018-08-23 | Allow mods to disable login, improve message when login disabled (#8329) | Eugen Rochko
* Allow moderators to disable/enable login
* Instead of rejecting login, show forbidden error when login disabled
Avoid confusion because when login is rejected, the message is that the account is not activated, which is wrong.
* Fix tests
2018-07-05 | Add more granular OAuth scopes (#7929) | Eugen Rochko
* Add more granular OAuth scopes
* Add human-readable descriptions of the new scopes
* Ensure new scopes look good on the app UI
* Add tests
* Group scopes in screen and color-code dangerous ones
* Fix wrong extra scope
2018-04-30 | Disable API access when login is disabled (#7289) | Eugen Rochko
2018-03-01 | Ensure that boolean params in the API are parsed for truthiness (#6575) | Eugen Rochko
Use Rails smart boolean cast to account for values such as "f", "0", "false", etc. Previously, if a param was present in the request, it would count as true.
2018-01-08 | Refactor /api/web APIs to use the centralized axios instance (#6223) | nightpool
Also adds the ability to decouple the centralized axios logic from the state dispatcher
2017-12-09 | Remove unused function (#5950) | abcang
2017-08-18 | Don't send Link header when don't know prev and next links (#4633) | Yamagishi Kazutoshi
2017-08-15 | Fix require_user! behavior when not logged in (#4604) | abcang
2017-07-20 | Fix webfinger retries (#4275) | Eugen Rochko
* Do not raise unretryable exceptions in ResolveRemoteAccountService
* Removed fatal exceptions from ResolveRemoteAccountService
Exceptions that cannot be retried should not be raised. New exception class for those that can be retried (Mastodon::UnexpectedResponseError)
2017-06-07 | Clean up for api/base controller (#3629) | Matt Jankowski
* Move ApiController to Api/BaseController
* API controllers inherit from Api::BaseController
* Add coverage for various error cases in api/base controller