about summary refs log tree commit diff
path: root/config/initializers
AgeCommit message (Collapse)Author
2020-11-07Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
2020-11-06Fix cookies not having a SameSite attribute (#15098)Eugen Rochko
2020-10-21Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - `.github/dependabot.yml`: Updated upstream, we deleted it to not be flooded by Depandabot. Kept deleted. - `Gemfile.lock`: Puma updated on both sides, went for the most recent version. - `app/controllers/api/v1/mutes_controller.rb`: Upstream updated the serializer to support timed mutes, while glitch-soc added a custom API ages ago to get information that is already available elsewhere. Dropped the glitch-soc-specific API, went with upstream changes. - `app/javascript/core/admin.js`: Conflict due to changing how assets are loaded. Went with upstream. - `app/javascript/packs/public.js`: Conflict due to changing how assets are loaded. Went with upstream. - `app/models/mute.rb`: 🤷 - `app/models/user.rb`: New user setting added upstream while we have glitch-soc-specific user settings. Added upstream's user setting. - `config/settings.yml`: Upstream added a new user setting close to a user setting we had changed the defaults for. Added the new upstream setting. - `package.json`: Upstream dependency updated “too close” to a glitch-soc-specific dependency. No real conflict. Updated the dependency.
2020-10-19Add support for Gemini urls (#15013)Josh Leeb-du Toit
This PR updates the `valid_url` regex and sanitizer allowlist to provide support for Gemini urls. Closes #14991
2020-10-12Add IP-based rules (#14963)Eugen Rochko
2020-10-06add S3_READ_TIMEOUT environment variable (#14952)tateisu
2020-08-30Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - `app/controllers/accounts_controller.rb`: Upstream change too close to a glitch-soc change related to instance-local toots. Merged upstream changes. - `app/services/fan_out_on_write_service.rb`: Minor conflict due to glitch-soc's handling of Direct Messages, merged upstream changes. - `yarn.lock`: Not really a conflict, caused by glitch-soc-only dependencies being textually too close to updated upstream dependencies. Merged upstream changes.
2020-08-24Add WebAuthn as an alternative 2FA method (#14466)santiagorodriguez96
* feat: add possibility of adding WebAuthn security keys to use as 2FA This adds a basic UI for enabling WebAuthn 2FA. We did a little refactor to the Settings page for editing the 2FA methods – now it will list the methods that are available to the user (TOTP and WebAuthn) and from there they'll be able to add or remove any of them. Also, it's worth mentioning that for enabling WebAuthn it's required to have TOTP enabled, so the first time that you go to the 2FA Settings page, you'll be asked to set it up. This work was inspired by the one donde by Github in their platform, and despite it could be approached in different ways, we decided to go with this one given that we feel that this gives a great UX. Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: add request for WebAuthn as second factor at login if enabled This commits adds the feature for using WebAuthn as a second factor for login when enabled. If users have WebAuthn enabled, now a page requesting for the use of a WebAuthn credential for log in will appear, although a link redirecting to the old page for logging in using a two-factor code will also be present. Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: add possibility of deleting WebAuthn Credentials Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: disable WebAuthn when an Admin disables 2FA for a user Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: remove ability to disable TOTP leaving only WebAuthn as 2FA Following examples form other platforms like Github, we decided to make Webauthn 2FA secondary to 2FA with TOTP, so that we removed the possibility of removing TOTP authentication only, leaving users with just WEbAuthn as 2FA. Instead, users will have to click on 'Disable 2FA' in order to remove second factor auth. The reason for WebAuthn being secondary to TOPT is that in that way, users will still be able to log in using their code from their phone's application if they don't have their security keys with them – or maybe even lost them. * We had to change a little the flow for setting up TOTP, given that now it's possible to setting up again if you already had TOTP, in order to let users modify their authenticator app – given that now it's not possible for them to disable TOTP and set it up again with another authenticator app. So, basically, now instead of storing the new `otp_secret` in the user, we store it in the session until the process of set up is finished. This was because, as it was before, when users clicked on 'Edit' in the new two-factor methods lists page, but then went back without finishing the flow, their `otp_secret` had been changed therefore invalidating their previous authenticator app, making them unable to log in again using TOTP. Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * refactor: fix eslint errors The PR build was failing given that linting returning some errors. This commit attempts to fix them. * refactor: normalize i18n translations The build was failing given that i18n translations files were not normalized. This commits fixes that. * refactor: avoid having the webauthn gem locked to a specific version * refactor: use symbols for routes without '/' * refactor: avoid sending webauthn disabled email when 2FA is disabled When an admins disable 2FA for users, we were sending two mails to them, one notifying that 2FA was disabled and the other to notify that WebAuthn was disabled. As the second one is redundant since the first email includes it, we can remove it and send just one email to users. * refactor: avoid creating new env variable for webauthn_origin config * refactor: improve flash error messages for webauthn pages Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>
2020-07-07Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - `package.json`: Not really a conflict, just some glitch-soc-specific dependency too close to an upstream-updated one.
2020-07-07Change rate limits for various paths (#14253)Eugen Rochko
- Rate limit login attempts by target account - Rate limit password resets and e-mail re-confirmations by target account - Rate limit sign-up/login attempts, password resets, and e-mail re-confirmations by IP like before
2020-07-07Fix hashtag column options styling (#14247)ThibG
* Enable nonces for stylesheets * Pass nonce to react-select
2020-07-01Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - `app/javascript/packs/public.js`: Conflict because part of that file has been split to `app/javascript/core/settings.js`. Ported those changes there.
2020-07-01Change Redis#exists calls to Redis#exists? to avoid deprecation warning (#14191)Eugen Rochko
2020-06-30Fix remote files not using Content-Type header, streaming (#14184)Eugen Rochko
2020-06-30Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - `.env.production.sample`: Upstream deleted it, I decided to keep it. - `package.json`: Upstream updated a dependency textually too close to wavesurfer.js which has been deleted from upstream but is kept in glitch-soc for now.
2020-06-27Remove the terms blacklist and whitelist from UX (#14149)Eugen Rochko
Localization strings: - "Whitelist mode" -> "Limited federation mode" - "Blacklist e-mail domain" -> "Block e-mail domain" - "Whitelist domain" -> "Allow domain for federation" ...And so on Environment variables (backwards-compatible): - `WHITELIST_MODE` -> `LIMITED_FEDERATION_MODE` - `EMAIL_DOMAIN_BLACKLIST` -> `EMAIL_DOMAIN_DENYLIST` - `EMAIL_DOMAIN_WHITELIST` -> `EMAIL_DOMAIN_ALLOWLIST` tootctl: - `tootctl domains purge --whitelist-mode` -> `tootctl domains purge --limited-federation-mode` Removed badly maintained and no longer relevant .env.production.sample file
2020-06-17Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - `Gemfile.lock`: not a real conflict, upstream update too close to a glitch-soc-specific dependency
2020-06-17Suppress Redis#exists(key) warning (#14067)mayaeh
2020-06-09Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - `app/controllers/activitypub/collections_controller.rb`: Conflict due to glitch-soc having to take care of local-only pinned toots in that controller. Took upstream's changes and restored the local-only special handling. - `app/controllers/auth/sessions_controller.rb`: Minor conflicts due to the theming system, applied upstream changes, adapted the following two files for glitch-soc's theming system: - `app/controllers/concerns/sign_in_token_authentication_concern.rb` - `app/controllers/concerns/two_factor_authentication_concern.rb` - `app/services/backup_service.rb`: Minor conflict due to glitch-soc having to handle local-only toots specially. Applied upstream changes and restored the local-only special handling. - `app/views/admin/custom_emojis/index.html.haml`: Minor conflict due to the theming system. - `package.json`: Upstream dependency updated, too close to a glitch-soc-only dependency in the file. - `yarn.lock`: Upstream dependency updated, too close to a glitch-soc-only dependency in the file.
2020-06-02Add E2EE API (#13820)Eugen Rochko
2020-05-30Move glitch-specific ruby-side locales to their own filesThibaut Girka
2020-05-28Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
2020-05-24Fix csv upload (#13835)Takeshi Umeda
2020-05-23Fix workaround for Elasticsearch 7.x (#13828)Takeshi Umeda
2020-05-10Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - `Gemfile.lock`: Not a real conflict, just a glitch-soc-only dependency too close to a dependency that got updated upstream. Updated as well. - `app/models/status.rb`: Not a real conflict, just a change too close to glitch-soc-changed code for optionally showing boosts in public timelines. Applied upstream changes. - `app/views/layouts/application.html.haml`: Upstream a new, static CSS file, conflict due to glitch-soc's theming system, include the file regardless of the theme. - `config/initializers/content_security_policy.rb`: Upstream dropped 'unsafe-inline' from the 'style-src' directive, but both files are very different. Removed 'unsafe-inline' as well.
2020-05-10Refactor monkey-patching of Goldfinger (#12561)Eugen Rochko
2020-05-09Fix "tootctl media remove-orphans" crashing on “Import” files (#13685)ThibG
* Fix "tootctl media remove-orphans" crashing on “Import” files * Also remove empty directories when removing orphaned media
2020-05-08Remove 'unsafe-inline' from Content-Security-Policy style-src (#13679)ThibG
* Make sure wicg-inert doesn't rely on inline CSS * Remove unsafe-inline from style-src
2020-05-04Fix PgHero Content-Security-Policy when CDN_HOST is used (#13595)ThibG
2020-05-03Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - `app/controllers/statuses_controller.rb`: Upstream disabled the embed controller for reblogs. Not a real conflict, but glitch-soc has an extra line to deal with its theming system. Ported upstream changes. - `app/javascript/packs/public.js`: Upstream made changes to get rid of most inline CSS, this changes javascript for public pages, which in glitch are split between different files. Ported those changes. - `app/models/status.rb`: Upstream changed the block check in `Status#permitted_for` to include domain-block checks. Not a real conflict with glitch-soc, but our scope is slightly different, as our scope for unauthenticated access do not include instance-local toots. Ported upstream changes. - `app/serializers/rest/instance_serializer.rb`: Not a real conflict, upstream added a new field to the instance serializer, the conflict is one line above since we added more of that. Ported upstream changes. - `app/views/settings/profiles/show.html.haml`: Upstream got rid of most inline CSS and moved hidden elements to data attributes in the process, in fields were we have different values. Ported upstream changes while keeping our glitch-specific values. - `app/views/statuses/_simple_status.html.haml`: Upstream got rid of inline CSS on an HAML line we treat differently, stripping empty text nodes. Ported upstream changes to the style attribute, keeping the empty text node stripping behavior.
2020-04-27Fix naming issue (#13551)mayaeh
2020-04-26Add separate cache directory for non-local uploads (#12821)Eugen Rochko
2020-04-17Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
2020-04-17Fix search not working due to proxy settings when using hidden services (#13488)Eugen Rochko
Fix #13484
2020-04-04Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
2020-04-03Add ability to filter audit log in admin UI (#13381)Eugen Rochko
2020-04-02Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - `app/javascript/mastodon/features/compose/components/poll_form.js`: Upstream bumped poll option character limit, but we already had a higher one, kept ours. - `app/validators/poll_validator.rb`: Upstream bumped poll option character limit, but we already had a higher one, kept ours. - `config/initializers/content_security_policy.rb`: Upstream added a rule, the way we compute ours is different, but that added rule has been ported. - `package.json`: No real conflict, dependency update. Performed the same update. - `yarn.lock`: No real conflict, dependency update. Performed the same update.
2020-03-31Fix background jobs not using locks like they are supposed to (#13361)Eugen Rochko
Also: - Fix locks not being removed when jobs go to the dead job queue - Add UI for managing locks to the Sidekiq dashboard - Remove unused Sidekiq workers Fix #13349
2020-03-31Fix re-sending of e-mail confirmation not being rate limited (#13360)Eugen Rochko
Fix #13330
2020-03-27Fix OCR not working on Safari because of unsupported worker-src CSP (#13323)ThibG
Fixes #13321
2020-03-22Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - `README.md`: Our README.md files are completely different. Discarded upstream changes. - `app/javascript/core/admin.js`: Updating rails-ujs, no real conflict, but a comment to close to changed code. Various glitch-soc-only files have been updated to match those changes, though. - `package.json`: No real conflict, just an additional dependency in glitch-soc that was too close to something updated upstream. Took upstream's changes.
2020-03-21Bump sidekiq from 5.2.7 to 6.0.4 (#11727)dependabot-preview[bot]
* Bump sidekiq from 5.2.7 to 6.0.0 Bumps [sidekiq](https://github.com/mperham/sidekiq) from 5.2.7 to 6.0.0. - [Release notes](https://github.com/mperham/sidekiq/releases) - [Changelog](https://github.com/mperham/sidekiq/blob/master/Changes.md) - [Commits](https://github.com/mperham/sidekiq/compare/v5.2.7...v6.0.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> * Sidekiq::Logger.logger -> Sidekiq.logger * Drop support Ruby 2.4 * update Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> Co-authored-by: Yamagishi Kazutoshi <ykzts@desire.sh>
2020-03-08Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - `app/controllers/api/v1/statuses_controller.rb`: Conflict due to upstream adding a new parameter (with_rate_limit), too close to glitch-soc's own additional parameter (content_type). Added upstream's parameter. - `app/services/post_status_service.rb`: Conflict due to upstream adding a new parameter (rate_limit), too close to glitch-soc's own additional parameter (content_type). Added upstream's parameter. - `app/views/settings/preferences/appearance/show.html.haml`: Conflict due to us not exposing theme settings here (as we have a different flavour/skin menu). Took upstream change, while still not exposing theme settings. - `config/webpack/shared.js`: Coding style fixes for a part we have rewritten. Discarded upstream changes.
2020-03-08Add specific rate limits for posting and following (#13172)Eugen Rochko
2020-02-10Fix ActiveRecord::Migration.check_pending! failing because of duplicate ↵Thibaut Girka
migrations
2020-02-06Add environment variable to specify extra data hostsThibaut Girka
Fixes #1276
2020-01-24Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - `app/controllers/statuses_controller.rb`: Minor conflict due to theming system
2020-01-23Add announcements (#12662)Eugen Rochko
* Add announcements Fix #11006 * Add reactions to announcements * Add admin UI for announcements * Add unit tests * Fix issues - Add `with_dismissed` param to announcements API - Fix end date not being formatted when time range is given - Fix announcement delete causing reactions to send streaming updates - Fix announcements container growing too wide and mascot too small - Fix `all_day` being settable when no time range is given - Change text "Update" to "Announcement" * Fix scheduler unpublishing announcements before they are due * Fix filter params not being passed to announcements filter
2020-01-23Add support for magnet: URIs (#12905)ThibG
2020-01-12Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - `Gemfile.lock`: No real conflict, glitch-soc-only dependency (redcarpet) too close to an upstream one (rdf-normalize) - `README.md`: we have different READMEs, discarded upstream's changes - `app/views/admin/custom_emojis/index.html.haml`: No real conflict, different context because of glitch-soc theming - `lib/mastodon/statuses_cli.rb`: Upstream added code to keep bookmarked statuses, we were already doing so with slightly different code. Discarded upstream's changes. - `package.json`: No real conflict, glitch-soc-only dependency (favico.js) too close to an upstream one