about summary refs log tree commit diff
path: root/app/models
AgeCommit message (Collapse)Author
2020-08-30Fix videos with near-60 fps being rejected (#14684)Eugen Rochko
Fix #14668
2020-08-24Add WebAuthn as an alternative 2FA method (#14466)santiagorodriguez96
* feat: add possibility of adding WebAuthn security keys to use as 2FA This adds a basic UI for enabling WebAuthn 2FA. We did a little refactor to the Settings page for editing the 2FA methods – now it will list the methods that are available to the user (TOTP and WebAuthn) and from there they'll be able to add or remove any of them. Also, it's worth mentioning that for enabling WebAuthn it's required to have TOTP enabled, so the first time that you go to the 2FA Settings page, you'll be asked to set it up. This work was inspired by the one donde by Github in their platform, and despite it could be approached in different ways, we decided to go with this one given that we feel that this gives a great UX. Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: add request for WebAuthn as second factor at login if enabled This commits adds the feature for using WebAuthn as a second factor for login when enabled. If users have WebAuthn enabled, now a page requesting for the use of a WebAuthn credential for log in will appear, although a link redirecting to the old page for logging in using a two-factor code will also be present. Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: add possibility of deleting WebAuthn Credentials Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: disable WebAuthn when an Admin disables 2FA for a user Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: remove ability to disable TOTP leaving only WebAuthn as 2FA Following examples form other platforms like Github, we decided to make Webauthn 2FA secondary to 2FA with TOTP, so that we removed the possibility of removing TOTP authentication only, leaving users with just WEbAuthn as 2FA. Instead, users will have to click on 'Disable 2FA' in order to remove second factor auth. The reason for WebAuthn being secondary to TOPT is that in that way, users will still be able to log in using their code from their phone's application if they don't have their security keys with them – or maybe even lost them. * We had to change a little the flow for setting up TOTP, given that now it's possible to setting up again if you already had TOTP, in order to let users modify their authenticator app – given that now it's not possible for them to disable TOTP and set it up again with another authenticator app. So, basically, now instead of storing the new `otp_secret` in the user, we store it in the session until the process of set up is finished. This was because, as it was before, when users clicked on 'Edit' in the new two-factor methods lists page, but then went back without finishing the flow, their `otp_secret` had been changed therefore invalidating their previous authenticator app, making them unable to log in again using TOTP. Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * refactor: fix eslint errors The PR build was failing given that linting returning some errors. This commit attempts to fix them. * refactor: normalize i18n translations The build was failing given that i18n translations files were not normalized. This commits fixes that. * refactor: avoid having the webauthn gem locked to a specific version * refactor: use symbols for routes without '/' * refactor: avoid sending webauthn disabled email when 2FA is disabled When an admins disable 2FA for users, we were sending two mails to them, one notifying that 2FA was disabled and the other to notify that WebAuthn was disabled. As the second one is redundant since the first email includes it, we can remove it and send just one email to users. * refactor: avoid creating new env variable for webauthn_origin config * refactor: improve flash error messages for webauthn pages Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>
2020-08-09Cache result of SQL (#14534)niwatori24
2020-07-19Fix movie width and frame_rate returning nil (#14357)Takeshi Umeda
* Fix movie width and frame_rate returning nil * Add StreamValidationError and raise * Fix code style
2020-07-14Fix rubocop warning (#14288)abcang
* Fix rubocop warning * use limit variable * use ContextCreatingMethods option
2020-07-14Fix larger video files not being transcoded (#14306)ThibG
Since #14145, the `set_type_and_extension` has been moved from `before_post_process` to `before_file_post_process`, but while the former runs before all validations performed by Paperclip, the latter is dependent on the order validations and hooks are defined. In our case, this meant video files could be checked against the generic 10MB limit, causing validation failures, which, internally, make Paperclip skip post-processing, and thus, transcoding of the video file. The actual validation would then happen after the type is correctly set, so the large file would pass validation, but without being transcoded first. This commit moves the hook definition so that it is run before checking for the file size.
2020-07-05Add color extraction for audio thumbnails (#14209)Eugen Rochko
2020-07-01Change Redis#exists calls to Redis#exists? to avoid deprecation warning (#14191)Eugen Rochko
2020-06-30Fix remote files not using Content-Type header, streaming (#14184)Eugen Rochko
2020-06-30Add user notes on accounts (#14148)ThibG
* Add UserNote model * Add UI for user notes * Put comment in relationships entity * Add API to create user notes * Copy user notes to new account when receiving a Move activity * Address some of the review remarks * Replace modal by inline edition * Please CodeClimate * Button design changes * Change design again * Cancel note edition when pressing Escape * Fixes * Tweak design again * Move “Add note” item, and allow users to add notes to themselves * Rename UserNote into AccountNote, rename “comment” Relationship attribute to “note”
2020-06-29Fix trying to write non-existent image remote URL attribute on preview cards ↵Eugen Rochko
(#14181) Regression from #14145
2020-06-29Add customizable thumbnails for audio and video attachments (#14145)Eugen Rochko
- Change audio files to not be stripped of metadata - Automatically extract cover art from audio if it exists - Add `thumbnail` parameter to `POST /api/v1/media`, `POST /api/v2/media` and `PUT /api/v1/media/:id` - Add `icon` to represent it in attachments in ActivityPub - Fix `preview_url` containing URL of missing missing image when there is no thumbnail instead of null - Fix duration of audio not being displayed on public pages until the file is loaded
2020-06-25Fix various issues around OpenGraph representation of media (#14133)Eugen Rochko
- Fix audio attachments not being represented in OpenGraph tags - Fix audio being represented as "1 image" in OpenGraph descriptions - Fix video metadata being overwritten by paperclip-av-transcoder - Fix embedded player not using Mastodon's UI - Fix audio/video progress bars not moving smoothly - Fix audio/video buffered bars not displaying correctly
2020-06-09Add e-mail-based sign in challenge for users with disabled 2FA (#14013)Eugen Rochko
2020-06-05Add blurhash to preview cards (#13984)ThibG
Fixes #13001
2020-06-02Add E2EE API (#13820)Eugen Rochko
2020-06-01Fix admin page crashing when trying to block an invalid domain name (#13884)ThibG
* Fix admin page crashing when trying to block an invalid domain name Fixes #13880 * Fix trailing and leading spaces not being properly stripped for domain blocks
2020-05-24Fix csv upload (#13835)Takeshi Umeda
2020-05-23Fix searchable status without explicitly mentioning it (#13829)Takeshi Umeda
2020-05-12Bump doorkeeper from 5.3.3 to 5.4.0 (#13733)dependabot-preview[bot]
* Bump doorkeeper from 5.3.3 to 5.4.0 Bumps [doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) from 5.3.3 to 5.4.0. - [Release notes](https://github.com/doorkeeper-gem/doorkeeper/releases) - [Changelog](https://github.com/doorkeeper-gem/doorkeeper/blob/master/CHANGELOG.md) - [Commits](https://github.com/doorkeeper-gem/doorkeeper/compare/v5.3.3...v5.4.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> * Fix tests * Fix use of Doorkeeper::AccessToken.find_or_create_for * Fix tests? Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> Co-authored-by: Thibaut Girka <thib@sitedethib.com>
2020-05-10Refactor monkey-patching of Goldfinger (#12561)Eugen Rochko
2020-05-10Add remote only to public timeline (#13504)Takeshi Umeda
* Add remote only to public timeline * Fix code style
2020-05-10Improve RSS entries for statuses (#13592)ThibG
* Improve RSS entries for statuses - Render polls in both accounts and tags serializers - Refactor RSS serializers - Change title preview to include ellipsis when truncated - Change title preview to show CW instead of toot text - Add tests * Remove title from OEmbed serialization Twitter doesn't serialize title either, and tihs allows us to move the title formatting code to the RSS serializers.
2020-05-08Fix followings list order | Issue #13538 (#13676)Taras Gogol
2020-05-03Revert "improve status title (#8596)" (#13591)Yamagishi Kazutoshi
This reverts commit 05756c9a14864655ae6777505a4ee5cfa9b0ee93.
2020-05-03Add more tests for ActivityPub controllers (#13585)Eugen Rochko
2020-04-30Only check locally when deduplicating usernames (#13581)kaiyou
When deduplicating account usernames for OAuthable users, the routine did check if any account was known with that username, including remote accounts. This caused some unnecessary deduplication, and usernames ending with unexpected trailing _1. This fixes #13580
2020-04-26Add separate cache directory for non-local uploads (#12821)Eugen Rochko
2020-04-23Fix enable/disable relay failures (#13535)Takeshi Umeda
2020-04-15Fix confusing error when failing to add an alias to an unknown account (#13480)ThibG
Follow-up to #13452, fixing broken `uri.nil?` test. Also remove the separate check for `uri` presence, as that would result in a “Please review 2 errors below” while only one would be listed.
2020-04-15Change delivery failure tracking to work with hostnames instead of URLs (#13437)Eugen Rochko
2020-04-15Fix “Email changed” notification sometimes having wrong e-mail (#13475)ThibG
* Fix “Email changed” notification sometimes having wrong e-mail Fixes #6778 The root of the issue is that `send_devise_notification` was called before the changes were properly commited to the database, causing the mailer to pick previous values if running too early. Devise's documentation provides guidance on how to handle that[1][2], however, I have found it to not be working, as the following happens, in that order: - `send_devise_notification` is called for the `email_changed` notification. In that case, `changed?` is false and `saved_changes?` is true, so if we use the former, we have the same issue. - the `after_commit` hook is called - `send_devise_notification` is called for the `confirmation_instructions` notification. In that case, `changed?` is still false, and `saved_changes?` still true, so if we use the latter, that second notification email is simply not going to be sent (as we would be queuing the notification *after* executing the after_commit hook). This is because it may be called from either an `after_update` or `after_commit` hook, the difference not being a call to `save` but the transaction actually being committed to the database. This may arguably be a bug in Devise, or Devise's notification. The proposed workaround is inspired by Devise's documentation but checks whether a transaction is open to make the call whether to immediately send the notification or defer it to the `after_commit` hook. [1]: https://www.rubydoc.info/github/plataformatec/devise/Devise%2FModels%2FAuthenticatable:send_devise_notification [2]: https://github.com/heartcombo/devise/blob/406915cb781e38255a30ad2a0609e33952b9ec50/lib/devise/models/authenticatable.rb#L133-L194 * Fix cases when sending notifications without changing the model * Defer sending if and only if in transaction including current record
2020-04-13Fix account aliases page (#13452)ThibG
* Fix error not being displayed when adding an account alias, add error for self-references Co-Authored-By: Mélanie Chauvel (ariasuni) <perso@hack-libre.org> * Add “You have no aliases.” note in confusing empty aliases table Co-Authored-By: Mélanie Chauvel (ariasuni) <perso@hack-libre.org> Co-authored-by: Mélanie Chauvel (ariasuni) <perso@hack-libre.org>
2020-04-05Add rate limit for reporting (#13390)Eugen Rochko
2020-04-05Fix PostgreSQL load when linking in announcements (#13250)ThibG
* Fix PostgreSQL load when linking in announcements Fixes #13245 by caching status lookups Since statuses are supposed to be known already and we only need their URLs and a few other things, caching them should be fine. Since it's only used by announcements so far, there won't be much statuses to cache. * Perform status lookup when saving announcements, not when rendering them * Change EntityCache#status to fetch URLs instead of looking into the database * Move announcement link lookup to publishing worker * Address issues pointed out during review
2020-04-03Add ability to filter audit log in admin UI (#13381)Eugen Rochko
2020-03-26Change `tootctl media remove-orphans` to work for all classes (#13316)Eugen Rochko
Change `tootctl media lookup` to not use an interactive prompt
2020-03-21Make bookmarks also searchable (#13271)Jeong Arm
2020-03-21Fix reported accounts not being whitelisted when resolving a spamcheck ↵ThibG
report (#13289)
2020-03-12Add option to include resolved DNS records when blacklisting e-mail domains ↵Eugen Rochko
in admin UI (#13254) * Add shortcuts to blacklist a user's e-mail domain in admin UI * Add option to blacklist resolved MX and IP records for e-mail domains
2020-03-12Add titles to warning presets in admin UI (#13252)Eugen Rochko
2020-03-10Fix videos with unsupported colorspace not being transcoded (#13242)ThibG
2020-03-09Fix MP4 (H264 + AAC) video files being needlessly re-encoded (#13239)ThibG
2020-03-09Change video uploads to always be converted to H264/MP4 (#13220)Eugen Rochko
Even if the container format is the same (.mp4), the codec could be different and not playable in web browsers
2020-03-09Change video uploads to enforce certain limits (#13218)Eugen Rochko
- Dimensions at most 1920x1200 - Frame rate at most 60
2020-03-09Add federation support for the "hide network" preference (#11673)ThibG
* Change ActivityPub follower/following collections to not link first page * Add support for hiding followers and following of remote users * Switch to using a single `hide_collections` column * Address code style remarks
2020-03-08Change local media attachments to perform heavy processing asynchronously ↵Eugen Rochko
(#13210) Fix #9106
2020-03-08Add support for links to statuses in announcements to be opened in web UI ↵ThibG
(#13212) * Add support for links to public statuses in announcements to be opened in WebUI * Please CodeClimate
2020-03-08Add sorting by username, creation and last activity in moderation view (#13076)ThibG
* Add ability to order accounts in moderation view * Display last status date in “Most recent activity” for remote users
2020-03-08Add specific rate limits for posting and following (#13172)Eugen Rochko