about summary refs log tree commit diff
path: root/app/views
AgeCommit message (Collapse)Author
2020-08-24Add WebAuthn as an alternative 2FA method (#14466)santiagorodriguez96
* feat: add possibility of adding WebAuthn security keys to use as 2FA This adds a basic UI for enabling WebAuthn 2FA. We did a little refactor to the Settings page for editing the 2FA methods – now it will list the methods that are available to the user (TOTP and WebAuthn) and from there they'll be able to add or remove any of them. Also, it's worth mentioning that for enabling WebAuthn it's required to have TOTP enabled, so the first time that you go to the 2FA Settings page, you'll be asked to set it up. This work was inspired by the one donde by Github in their platform, and despite it could be approached in different ways, we decided to go with this one given that we feel that this gives a great UX. Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: add request for WebAuthn as second factor at login if enabled This commits adds the feature for using WebAuthn as a second factor for login when enabled. If users have WebAuthn enabled, now a page requesting for the use of a WebAuthn credential for log in will appear, although a link redirecting to the old page for logging in using a two-factor code will also be present. Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: add possibility of deleting WebAuthn Credentials Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: disable WebAuthn when an Admin disables 2FA for a user Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: remove ability to disable TOTP leaving only WebAuthn as 2FA Following examples form other platforms like Github, we decided to make Webauthn 2FA secondary to 2FA with TOTP, so that we removed the possibility of removing TOTP authentication only, leaving users with just WEbAuthn as 2FA. Instead, users will have to click on 'Disable 2FA' in order to remove second factor auth. The reason for WebAuthn being secondary to TOPT is that in that way, users will still be able to log in using their code from their phone's application if they don't have their security keys with them – or maybe even lost them. * We had to change a little the flow for setting up TOTP, given that now it's possible to setting up again if you already had TOTP, in order to let users modify their authenticator app – given that now it's not possible for them to disable TOTP and set it up again with another authenticator app. So, basically, now instead of storing the new `otp_secret` in the user, we store it in the session until the process of set up is finished. This was because, as it was before, when users clicked on 'Edit' in the new two-factor methods lists page, but then went back without finishing the flow, their `otp_secret` had been changed therefore invalidating their previous authenticator app, making them unable to log in again using TOTP. Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * refactor: fix eslint errors The PR build was failing given that linting returning some errors. This commit attempts to fix them. * refactor: normalize i18n translations The build was failing given that i18n translations files were not normalized. This commits fixes that. * refactor: avoid having the webauthn gem locked to a specific version * refactor: use symbols for routes without '/' * refactor: avoid sending webauthn disabled email when 2FA is disabled When an admins disable 2FA for users, we were sending two mails to them, one notifying that 2FA was disabled and the other to notify that WebAuthn was disabled. As the second one is redundant since the first email includes it, we can remove it and send just one email to users. * refactor: avoid creating new env variable for webauthn_origin config * refactor: improve flash error messages for webauthn pages Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>
2020-08-19Fix client-side form validation not accepting handles with uppercase letters ↵ThibG
(#14599)
2020-08-13Fix hardcoded non-breaking space in public view (#14568)ThibG
2020-08-12Add client-side validation in password change forms (#14564)ThibG
* Fix client-side username validation at registration It used the Account::USERNAME_RE regexp which is for *remote* users, local user validation is stricter. Also take into account max username length. * Add client-side form validation for password change * Add client-side form validation to dedicated registration form Previous changes only applied to the /about page, not the dedicated form on /auth
2020-08-11Add HTML form validation for the registration form (#14560)ThibG
* Add HTML-level validation of username in sign-up form * Make required fields with incorrect values more visible * Enable HTML form validation for the registration form * Mark agreement checkbox as required client-side * Add minimum length to password * Add client-side password confirmation validation
2020-08-02Fix audio/video player not using CDN_HOST in media paths on public pages ↵ThibG
(#14486)
2020-07-09Fix videos on public pages not using custom thumbnails (#14273)Eugen Rochko
2020-07-07Fix hashtag column options styling (#14247)ThibG
* Enable nonces for stylesheets * Pass nonce to react-select
2020-07-05Add color extraction for audio thumbnails (#14209)Eugen Rochko
2020-07-01Fix lock icon not being shown when locking account in profile settings (#14190)ThibG
2020-06-29Add customizable thumbnails for audio and video attachments (#14145)Eugen Rochko
- Change audio files to not be stripped of metadata - Automatically extract cover art from audio if it exists - Add `thumbnail` parameter to `POST /api/v1/media`, `POST /api/v2/media` and `PUT /api/v1/media/:id` - Add `icon` to represent it in attachments in ActivityPub - Fix `preview_url` containing URL of missing missing image when there is no thumbnail instead of null - Fix duration of audio not being displayed on public pages until the file is loaded
2020-06-26Improve appearence consistency of settings pages (#13938)Mélanie Chauvel
* Fix header button changing header size in settings pages * Make form buttons look more like a part of the form in settings pages - Put buttons closer, using same distance as between inputs - Make buton font size a bit smaller to blend a bit more - Add the class button to button tags for consisent styling
2020-06-25Add a visibility icon to status (#14123)Takeshi Umeda
* Add a visibility icon to status * Change to using the icon element * Fix RTL * Add a public globe
2020-06-25Fix various issues around OpenGraph representation of media (#14133)Eugen Rochko
- Fix audio attachments not being represented in OpenGraph tags - Fix audio being represented as "1 image" in OpenGraph descriptions - Fix video metadata being overwritten by paperclip-av-transcoder - Fix embedded player not using Mastodon's UI - Fix audio/video progress bars not moving smoothly - Fix audio/video buffered bars not displaying correctly
2020-06-09Improve wording and add titles on moderated servers section in /about/more ↵Mélanie Chauvel
(#13930)
2020-06-09Add e-mail-based sign in challenge for users with disabled 2FA (#14013)Eugen Rochko
2020-06-06Hide sensitive preview cards with blurhash (#13985)ThibG
* Use preview card blurhash in WebUI * Handle sensitive preview cards
2020-06-05Fix unpermitted operations on custom emojis leading to cryptic errors (#13951)ThibG
* Display appropriate error when performing unpermitted operation on custom emoji Fixes #13897 * Remove links to custom emoji actions not performable by moderators
2020-06-03Put “Add new domain block” button on /admin/instances in header (#13934)Mélanie Chauvel
2020-05-13Fix some account avatars on public pages having incorrect size (#13692)ThibG
* Fix some account avatars on public pages having incorrect size * Remove outdated and overridden width and height attributes * Remove more hardcoded width/height attributes
2020-05-10Add ability to remove identity proofs from account (#13682)Eugen Rochko
Fix #12613
2020-05-08Remove 'unsafe-inline' from Content-Security-Policy style-src (#13679)ThibG
* Make sure wicg-inert doesn't rely on inline CSS * Remove unsafe-inline from style-src
2020-05-03Fix use of inline CSS in public pages (#13576)ThibG
Change `account_link_to` to use an image tag rather than some inline CSS. Dropped the `size` parameter in the process, but it wasn't used for anything except the default value of 36px. Dropped CSS rules that were always overriden, and defaulted to 36px width and height instead.
2020-04-28Fix admin-facing uses of inline CSS (#13575)ThibG
* Move .back-button inline styles to CSS file All occurrences of the back-button CSS class used the same inline CSS rules, so moved them over to the CSS file * Fix “Add new domain block” button using inline CSS * Replace common pattern of inline-styled button boxes by a CSS class In particular, switching from `float: left/right` to a flexbox with `justify-content: space-between`. This implied changing the order of a few HTML tags and adding an empty `div` in one case. Also removed a `margin-bottom` rule that wasn't needed due to the margins of surrounding elements. * Move account admin view inline CSS to CSS file
2020-04-28Fix end-user-facing uses of inline CSS (#13438)ThibG
* Move some inline styles to CSS files * Move default_account_display_name span to fix useless tags with duplicate id * Change handling of public pages spoiler text from inline CSS to dataset attribute * Use the `dir` HTML attribute instead of inline CSS * Move status action bar inline CSS to CSS file * Hide logo resources from CSS file, not inline CSS Fixes #11601 * Move translation prompt styling from inline CSS to CSS file * Move “invited by” styling on registration form from inline to CSS file * Use the progress tag to display poll results in JS fallback * Fix poll results JS-less fallback when the user has voted for an option * Change account public page “moved” notice to use img tags instead of inline CSS * Move OTP hint inline CSS to SCSS file * Hide JS-less fallback vote progressbars from accessibility tools Co-authored-by: Eugen Rochko <eugen@zeonfederated.com>
2020-04-28Fix /public showing public instead of community timeline for logged-in users ↵ThibG
(#13499)
2020-04-20Allow users to delete their header and avatar (#13234)sternenseemann
This is achieved by sending a DELETE request to /settings/profile/pictures/{avatar,header} via a link that is part of the upload form's hint of the respective picture.
2020-04-18Add local only to hashtag timeline (#13502)Takeshi Umeda
2020-04-15Change delivery failure tracking to work with hostnames instead of URLs (#13437)Eugen Rochko
2020-04-15Fix “Email changed” notification sometimes having wrong e-mail (#13475)ThibG
* Fix “Email changed” notification sometimes having wrong e-mail Fixes #6778 The root of the issue is that `send_devise_notification` was called before the changes were properly commited to the database, causing the mailer to pick previous values if running too early. Devise's documentation provides guidance on how to handle that[1][2], however, I have found it to not be working, as the following happens, in that order: - `send_devise_notification` is called for the `email_changed` notification. In that case, `changed?` is false and `saved_changes?` is true, so if we use the former, we have the same issue. - the `after_commit` hook is called - `send_devise_notification` is called for the `confirmation_instructions` notification. In that case, `changed?` is still false, and `saved_changes?` still true, so if we use the latter, that second notification email is simply not going to be sent (as we would be queuing the notification *after* executing the after_commit hook). This is because it may be called from either an `after_update` or `after_commit` hook, the difference not being a call to `save` but the transaction actually being committed to the database. This may arguably be a bug in Devise, or Devise's notification. The proposed workaround is inspired by Devise's documentation but checks whether a transaction is open to make the call whether to immediately send the notification or defer it to the `after_commit` hook. [1]: https://www.rubydoc.info/github/plataformatec/devise/Devise%2FModels%2FAuthenticatable:send_devise_notification [2]: https://github.com/heartcombo/devise/blob/406915cb781e38255a30ad2a0609e33952b9ec50/lib/devise/models/authenticatable.rb#L133-L194 * Fix cases when sending notifications without changing the model * Defer sending if and only if in transaction including current record
2020-04-13Fix account aliases page (#13452)ThibG
* Fix error not being displayed when adding an account alias, add error for self-references Co-Authored-By: Mélanie Chauvel (ariasuni) <perso@hack-libre.org> * Add “You have no aliases.” note in confusing empty aliases table Co-Authored-By: Mélanie Chauvel (ariasuni) <perso@hack-libre.org> Co-authored-by: Mélanie Chauvel (ariasuni) <perso@hack-libre.org>
2020-04-12Fix API footer link in Web UI (#13441)Leonie
Co-authored-by: koyu <me@koyu.spac>
2020-04-07Fix styling of polls in JS-less fallback on public pages (#13436)ThibG
2020-04-03Add ability to filter audit log in admin UI (#13381)Eugen Rochko
2020-04-02Improve polls: option lengths & redesign (#13257)Sasha Sorokin
This commit redesign the polls and increases characters limit for the options from 25 to 50 characters, giving pollsters more freedom. Summarizing, the redesign is making the polls more adaptive for upcoming changes to the options characters limit: the bar, or a "chart", is now displayed separately from the option itself; vote check mark is moved next to the option text, making the percentages take less space. Option lengths are taken into account and text is wrapped to multiple lines if necessary to avoid overflow.
2020-03-12Add option to include resolved DNS records when blacklisting e-mail domains ↵Eugen Rochko
in admin UI (#13254) * Add shortcuts to blacklist a user's e-mail domain in admin UI * Add option to blacklist resolved MX and IP records for e-mail domains
2020-03-12Add titles to warning presets in admin UI (#13252)Eugen Rochko
2020-03-08Add submit button to the top of preferences pages (#13068)guigeekz
* Move submit button to the top of the edit page * Duplicate save button on long form * Fix click submit on profile spec
2020-03-08Add ability to delete files uploaded for settings in admin UI (#13192)ThibG
* Allow deleting site uploads * Refactor and move links into hints * Fix i18n tests * Fix HTML output of site_upload_delete_hint
2020-03-08Add sorting by username, creation and last activity in moderation view (#13076)ThibG
* Add ability to order accounts in moderation view * Display last status date in “Most recent activity” for remote users
2020-03-08Add specific rate limits for posting and following (#13172)Eugen Rochko
2020-02-24Fix misleading error when attempting to re-send a pending follow request ↵ThibG
(#13133) Fixes #13131
2020-02-17Fix account's bio not being shown if there are no proofs/fields in admin UI ↵ThibG
(#13075)
2020-02-16Fix invite request input not being shown on sign-up error if left empty (#13089)ThibG
If the “Why do you want to join?” textarea is left empty and the entered params do not validate, the textarea isn't shown again, unlike other fields. This commit fixes that by populating an empty `UserInviteRequest` when needed.
2020-02-03Fix punycode being rendered instead of unicode in some places (#13030)Eugen Rochko
2020-01-29Add "Show thread" button to public profiles (#13000)Sasha Sorokin
This adds "Show thread" button to the status view which is used in profiles. The logic to display the button is mimicking logic in web app available at app/javascript/mastodon/components/status.js#L439. * The little change in components CSS required to remove enforced underline for all links on public pages on our button.
2020-01-28Fix design of announcements in admin UI (#12989)Eugen Rochko
2020-01-27Add publish/unpublish controls to announcements in admin UI (#12967)Eugen Rochko
2020-01-26Change last_status_at to be a date, not datetime (#12966)ThibG
* Return last_status_at as date, not datetime * Fix relative timestamp for dates when delay is inferior to 1 day * Also fix public directory * Fix error when last_status_at isn't set
2020-01-24Fix relationships page not showing results in admin UI (#12934)Eugen Rochko
Follow-up to #12927