about summary refs log tree commit diff
path: root/config/initializers
AgeCommit message (Collapse)Author
2019-12-31LDAP & PAM added to OAuth password grant strategy (#7999) (#12390)ntl-purism
When authenticating via OAuth, the resource owner password grant strategy is allowed by Mastodon, but (without this PR), it does not attempt to authenticate against LDAP or PAM. As a result, LDAP or PAM authenticated users cannot sign in to Mastodon with their email/password credentials via OAuth (for instance, for native/mobile app users). This PR fleshes out the authentication strategy supplied to doorkeeper in its initializer by looking up the user with LDAP and/or PAM when devise is configured to use LDAP/PAM backends. It attempts to follow the same logic as the Auth::SessionsController for handling email/password credentials. Note #1: Since this pull request affects an initializer, it's unclear how to add test automation. Note #2: The PAM authentication path has not been manually tested. It was added for completeness sake, and it is hoped that it can be manually tested before merging.
2019-12-03clear out dead sidekiq job locks & add lock manager to sidekiq's dashboard ↵multiple creatures
to let admins get rid of stuck locks
2019-11-29accept mp3s that are actually videosmultiple creatures
2019-11-29remove img tag proxy from csp cause a: we don't use that anymore & b: it's ↵multiple creatures
breaking stuff
2019-11-26fix breaking typomultiple creatures
2019-11-19Fix undefined method error (#10868)Hinaloe
2019-11-19Fix undefined method error. (#10867)mayaeh
2019-11-19Improve rate limiting (#10860)ThibG
* Rate limit based on remote address IP, not on potential reverse proxy * Limit rate of unauthenticated API requests further * Rate-limit paging requests to one every 3 seconds
2019-09-14add jortage proxy to cspmultiple creatures
2019-09-06raise authenticated api limitmultiple creatures
2019-09-01bump up authenticated media api req limitmultiple creatures
2019-08-15relax the the media proxy rate limit when logged in (now with 300% more ↵multiple creatures
relaxation)
2019-08-04allow more media proxy requests when logged inmultiple creatures
2019-08-04update `rack_attack` config from `glitch-soc`multiple creatures
2019-05-21handle importing posts from json dumpsmultiple creatures
2019-05-21update csp for img proxymultiple creatures
2019-05-04Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - app/models/media_attachment.rb
2019-05-04Fix CSP when PAPERCLIP_ROOT_URL is set to a different hostThibaut Girka
2019-05-04Fix CSP when dealing with S3 hostsThibaut Girka
2019-05-03Bump rack-attack from 5.4.2 to 6.0.0 (#10599)dependabot[bot]
* Bump rack-attack from 5.4.2 to 6.0.0 Bumps [rack-attack](https://github.com/kickstarter/rack-attack) from 5.4.2 to 6.0.0. - [Release notes](https://github.com/kickstarter/rack-attack/releases) - [Changelog](https://github.com/kickstarter/rack-attack/blob/master/CHANGELOG.md) - [Commits](https://github.com/kickstarter/rack-attack/compare/v5.4.2...v6.0.0) Signed-off-by: dependabot[bot] <support@dependabot.com> * fix payload[:request]
2019-04-24Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
2019-04-23Fix stoplight logging to stderr separate from Rails logger (#10624)Eugen Rochko
2019-04-08Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - config/locales/pl.yml Conflict caused by new upstream string too close to glitch-specific “flavour” string. Took both strings.
2019-04-07Add rate limit for media proxy requests (#10490)Eugen Rochko
30 per 30 minutes, like media uploads
2019-03-28Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - app/workers/activitypub/distribute_poll_update_worker.rb - config/locales/pl.yml
2019-03-27Remove unused ActivityPub `@context` values depending on response (#10378)Eugen Rochko
Fix #8078
2019-03-22Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
2019-03-21cas_options :validate_url should be :service_validate_url (#10328)Eric
Otherwise, no matter what is given for CAS_VALIDATE_URL the default /serviceValidate path would be used.
2019-02-15Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
2019-02-14Add tight rate-limit for API deletions (#10042)Eugen Rochko
Deletions take a lot of resources to execute and cause a lot of federation traffic, so it makes sense to decrease the number someone can queue up through the API. 30 per 30 minutes
2019-02-10Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - app/controllers/oauth/authorized_applications_controller.rb Two changes too close to each other - app/controllers/settings/sessions_controller.rb - app/lib/user_settings_decorator.rb Two changes too close to each other - app/models/media_attachment.rb New changes too close to glitch-soc only changes. - app/models/user.rb Two changes too close to each other. - app/services/remove_status_service.rb Kept direct timeline code which had been removed upstream. - app/views/settings/preferences/show.html.haml Two changes too close to each other. - config/locales/en.yml Introduction of a new string too close to glitch-soc-only's “flavour” - config/locales/ja.yml Introduction of a new string too close to glitch-soc-only's “flavour” - config/locales/pl.yml Introduction of a new string too close to glitch-soc-only's “flavour” - config/locales/simple_form.en.yml Introduction of a new string too close to glitch-soc-only's “skin” - config/locales/simple_form.pl.yml Introduction of a new string too close to glitch-soc-only's “skin” - config/settings.yml Reverted upstream's decision of enabling posting application by default.
2019-02-09Fix URL linkifier grabbing full-width spaces and quotations (#9997)Eugen Rochko
Fix #9993 Fix #5654
2019-01-19Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
No conflicts.
2019-01-18Add timeouts for S3 (#9842)Eugen Rochko
2019-01-16Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - config/locales/simple_form.pl.yml
2019-01-15Disable Same-Site cookie implementation to fix SSO issues on WebKit browsers ↵Moritz Heiber
(#9819)
2019-01-10Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - .eslintrc.yml Removed, as upstream removed it. - app/controllers/admin/statuses_controller.rb Minor code cleanup when porting one of our features. - app/models/account.rb Note length validation has changed upstream. We now use upstream's validation (dropped legacy glitch-soc account metadata stuff) but with configurable limit. - app/services/post_status_service.rb Upstream has added support for scheduled toots, refactoring the code a bit. Adapted our changes to this refactoring. - app/views/stream_entries/_detailed_status.html.haml Not a real conflict, changes too close. - app/views/stream_entries/_simple_status.html.haml Not a real conflict, changes too close.
2019-01-05Enable immutable caching for S3 objects (#9722)Nolan Lawson
I also added "public" here, as I can't think of a good reason not to add it. Perhaps it has some marginal benefit in that ISPs (or other proxies) can cache it for all users. The assets are certainly publicly available and the same for all users.
2019-01-02Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts manually resolved: - app/services/post_status_service.rb - config/locales/simple_form.pl.yml - config/routes.rb - config/webpack/loaders/sass.js - config/webpack/shared.js - package.json - yarn.lock
2018-12-24Add REST API for creating an account (#9572)Eugen Rochko
* Add REST API for creating an account The method is available to apps with a token obtained via the client credentials grant. It creates a user and account records, as well as an access token for the app that initiated the request. The user is unconfirmed, and an e-mail is sent as usual. The method returns the access token, which the app should save for later. The REST API is not available to users with unconfirmed accounts, so the app must be smart to wait for the user to click a link in their e-mail inbox. The method is rate-limited by IP to 5 requests per 30 minutes. * Redirect users back to app from confirmation if they were created with an app * Add tests * Return 403 on the method if registrations are not open * Require agreement param to be true in the API when creating an account
2018-12-23Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - config/routes.rb Upstream changed some admin routes, conflict was because of an added :show action for statuses on our side. Kept it.
2018-12-21Skip mailer job retries when a record no longer exists (#9590)Eugen Rochko
Fix #8666
2018-12-15Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - app/controllers/directories_controller.rb - app/controllers/settings/applications_controller.rb - app/controllers/settings/base_controller.rb - app/controllers/settings/deletes_controller.rb - app/controllers/settings/exports_controller.rb - app/controllers/settings/follower_domains_controller.rb - app/controllers/settings/imports_controller.rb - app/controllers/settings/migrations_controller.rb - app/controllers/settings/notifications_controller.rb - app/controllers/settings/preferences_controller.rb - app/controllers/settings/sessions_controller.rb - app/controllers/settings/two_factor_authentication/confirmations_controller.rb - app/controllers/settings/two_factor_authentication/recovery_codes_controller.rb - app/controllers/settings/two_factor_authentications_controller.rb Conflicts were due to some refactoring already made in glitch-soc when introducing flavours.
2018-12-14Remove form_action from CSPRey Tucker
This trips an issue when trying to authenticate through to third-party sites, e.g. bridge.joinmastodon.org: Refused to send form data to 'https://bridge.joinmastodon.org/' because it violates the following Content Security Policy directive: "form-action 'self'". Thread: https://vulpine.club/@digifox/101230933751352042
2018-12-10Use same CORS policy for /@:username and /users/:username (#9485)ThibG
Fixes #8189 rack-cors being called before the application router, it does not follow the redirection, and we need a separate rule for /users/:username.
2018-12-02Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
2018-12-02Preload common JSON-LD contexts (#9412)ThibG
Fixes #9411
2018-11-12Tighten CSP a bitThibaut Girka
2018-10-26Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - app/controllers/admin/base_controller.rb - app/controllers/filters_controller.rb - app/controllers/invites_controller.rb - app/controllers/settings/deletes_controller.rb - app/controllers/settings/exports_controller.rb - app/controllers/settings/follower_domains_controller.rb - app/controllers/settings/migrations_controller.rb - app/controllers/settings/notifications_controller.rb - app/controllers/settings/preferences_controller.rb - app/controllers/settings/two_factor_authentication/recovery_codes_controller.rb - app/javascript/packs/public.js - app/views/settings/profiles/show.html.haml Conflicts were mostly due to the addition of body classes to the settings page, this was caused by rejecting upstream changes for most of those files and modifying Settings::BaseController instead. Another cause of conflicts was the deletion of client-side checking of display name / bio length, this was modified in app/javascript/core/settings.js instead.
2018-10-25Allow cross-origin requests to /.well-known/* URLs. (#9083)Ben Lubar
Right now, this includes three endpoints: host-meta, webfinger, and change-password. host-meta and webfinger are publicly available and do not use any authentication. Nothing bad can be done by accessing them in a user's browser. change-password being CORS-enabled will only reveal the URL it redirects to (which is /auth/edit) but not anything about the actual /auth/edit page, because it does not have CORS enabled. The documentation for hosting an instance on a different domain should also be updated to point out that Access-Control-Allow-Origin: * should be set at a minimum for the /.well-known/host-meta redirect to allow browser-based non-proxied instance discovery.