about summary refs log tree commit diff
path: root/config/initializers
AgeCommit message (Collapse)Author
2022-04-28Fix single Redis connection being used across all threads (#18135)Eugen Rochko
* Fix single Redis connection being used across all Sidekiq threads * Fix tests
2022-04-08Fix cookies secure flag being set when served over Tor (#17992)Eugen Rochko
2022-04-01fix: `s3_force_single_request` not parsed (#17922)Holger
2022-03-26Refactor formatter (#17828)Eugen Rochko
* Refactor formatter * Move custom emoji pre-rendering logic to view helpers * Move more methods out of Formatter * Fix code style issues * Remove Formatter * Add inline poll options to RSS feeds * Remove unused helper method * Fix code style issues * Various fixes and improvements * Fix test
2022-03-15Fix PgHero suggesting migrations (#17807)Claire
* Fix PgHero suggesting migrations Fixes #17768 * Keep migration suggestions in development env
2022-03-14Fix LetterOpennerWeb CSP (#17770)Yamagishi Kazutoshi
2022-03-12Bump rack-attack from 6.5.0 to 6.6.0 (#17405)dependabot[bot]
* Bump rack-attack from 6.5.0 to 6.6.0 Bumps [rack-attack](https://github.com/rack/rack-attack) from 6.5.0 to 6.6.0. - [Release notes](https://github.com/rack/rack-attack/releases) - [Changelog](https://github.com/rack/rack-attack/blob/master/CHANGELOG.md) - [Commits](https://github.com/rack/rack-attack/compare/v6.5.0...v6.6.0) --- updated-dependencies: - dependency-name: rack-attack dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * Fix usage of deprecated API Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Eugen Rochko <eugen@zeonfederated.com>
2022-03-09Allow login through OpenID Connect (#16221)chandrn7
* added OpenID Connect as an SSO option * minor fixes * added comments, removed an option that shouldn't be set * fixed Gemfile.lock * added newline to end of Gemfile.lock * removed tab from Gemfile.lock * remove chomp * codeclimate changes and small name change to make function's purpose clearer * codeclimate fix * added SSO buttons to /about page * minor refactor * minor style change * removed spurious change * removed unecessary conditional from ensure_valid_username and added support for auth.info.name in user_params_from_auth * minor changes
2022-03-06Spelling (#17705)Josh Soref
* spelling: account Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: affiliated Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: appearance Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: autosuggest Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: cacheable Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: component Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: conversations Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: domain.example Clarify what's distinct and use RFC friendly domain space. Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: environment Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: exceeds Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: functional Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: inefficiency Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: not Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: notifications Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: occurring Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: position Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: progress Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: promotable Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: reblogging Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: repetitive Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: resolve Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: saturated Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: similar Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: strategies Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: success Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: targeting Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: thumbnails Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: unauthorized Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: unsensitizes Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: validations Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: various Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
2022-02-22Fix various typos (#17621)luzpaz
Found via `codespell -q 3 -S ./CHANGELOG.md,./AUTHORS.md,./config/locales,./app/javascript/mastodon/locales -L ba,keypair,medias,ro`
2022-02-21Fix error when trying to register (#17600)Claire
2022-02-18Avoid return within block (#17590)zunda
This prevents the error: LocalJumpError (unexpected return)
2022-02-18Throttle IPv6 signup for subnet (#17588)Jeong Arm
2022-01-23Remove support for OAUTH_REDIRECT_AT_SIGN_IN (#17287)Claire
Fixes #15959 Introduced in #6540, OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form to instead redirect to the external OmniAuth login provider. However, it did not prevent the log-in form on /about introduced by #10232 from appearing, and completely broke with the introduction of #15228. As I restoring that previous log-in flow without introducing a security vulnerability may require extensive care and knowledge of how OmniAuth works, this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time being.
2022-01-16Remove IP tracking columns from users table (#16409)Eugen Rochko
2022-01-10Fix media API limit (#17272)Jeong Arm
2021-12-27Fix warnings on Rails boot (#16946)Eugen Rochko
2021-11-26Fix ElasticSearch to Elasticsearch (#17050)Takeshi Umeda
2021-11-18Bump chewy from 5.2.0 to 7.2.3 (supports Elasticsearch 7.x) (#16915)Takeshi Umeda
* Bump chewy from 5.2.0 to 7.2.2 * fix style (codeclimate) * fix style * fix style * Bump chewy from 7.2.2 to 7.2.3
2021-11-06Fix reviving revoked sessions and invalidating login (#16943)Claire
Up until now, we have used Devise's Rememberable mechanism to re-log users after the end of their browser sessions. This mechanism relies on a signed cookie containing a token. That token was stored on the user's record, meaning it was shared across all logged in browsers, meaning truly revoking a browser's ability to auto-log-in involves revoking the token itself, and revoking access from *all* logged-in browsers. We had a session mechanism that dynamically checks whether a user's session has been disabled, and would log out the user if so. However, this would only clear a session being actively used, and a new one could be respawned with the `remember_user_token` cookie. In practice, this caused two issues: - sessions could be revived after being closed from /auth/edit (security issue) - auto-log-in would be disabled for *all* browsers after logging out from one of them This PR removes the `remember_token` mechanism and treats the `_session_id` cookie/token as a browser-specific `remember_token`, fixing both issues.
2021-10-24Support authentication for ElasticSearch (#16890)Jeong Arm
* Support authentication for ElasticSearch * Fix chewy auth settings
2021-10-14Minor memory optimizations (#16507)Claire
Reduce constant memory usage by ~100kB and further reduce boot-up memory allocations and temporary memory use by a further ~200kB.
2021-08-25New env variable: CAS_SECURITY_ASSUME_EMAIL_IS_VERIFIED (#16655)Daniel
When using a CAS server, the users only have a temporary email `change@me-foo-cas.com` which can't be changed but by an administrator. We need a new environment variable like for SAML to assume the email from CAS is verified. * config/initializers/omniauth.rb: define CAS option for assuming email are always verified. * .env.nanobox: add new variable as an example.
2021-07-15Fix inefficiencies in auto-linking code (#16506)Claire
The auto-linking code basically rewrote the whole string escaping non-ascii characters in an inefficient way, and building a full character offset map between the unescaped and escaped texts before sending the contents to TwitterText's extractor. Instead of doing that, this commit changes the TwitterText regexps to include valid IRI characters in addition to valid URI characters.
2021-05-24Fix mailer jobs for deleted notifications erroring out (#16294)Claire
Fixes an oversight in the Rails 6 migration
2021-05-17Fix host check on healthcheck path not being disabled (#16270)Claire
Fixes #16251 There was a typo in #16243
2021-05-16Disable host check on healthcheck path (#16243)Jeong Arm
2021-05-09Add a Redis environment variable for sidekiq (#16188)Takeshi Umeda
2021-05-06Add Ruby 3.0 support (#16046)Claire
* Fix issues with POSIX::Spawn, Terrapin and Ruby 3.0 Also improve the Terrapin monkey-patch for the stderr/stdout issue. * Fix keyword argument handling throughout the codebase * Monkey-patch Paperclip to fix keyword arguments handling in validators * Change validation_extensions to please CodeClimate * Bump microformats from 4.2.1 to 4.3.1 * Allow Ruby 3.0 * Add Ruby 3.0 test target to CircleCI * Add test for admin dashboard warnings * Fix admin dashboard warnings on Ruby 3.0
2021-04-22Fix guard against DNS rebinding attacks (#16095)Takeshi Umeda
2021-04-21Add guard against DNS rebinding attacks (#16087)Takeshi Umeda
* Add guard against DNS rebinding attacks * Fix not to apply to test environment
2021-04-15Fix app name, website and redirect URIs not having a maximum length (#16042)Eugen Rochko
Fix app scopes not being validated
2021-04-09Fix autoloading deprecation warnings from Rails 6 (#16010)Eugen Rochko
2021-04-03Change health check (#15988)Eugen Rochko
2021-03-24Update Mastodon to Rails 6.1 (#15910)Claire
* Update devise-two-factor to unreleased fork for Rails 6 support Update tests to match new `rotp` version. * Update nsa gem to unreleased fork for Rails 6 support * Update rails to 6.1.3 and rails-i18n to 6.0 * Update to unreleased fork of pluck_each for Ruby 6 support * Run "rails app:update" * Add missing ActiveStorage config file * Use config.ssl_options instead of removed ApplicationController#force_ssl Disabled force_ssl-related tests as they do not seem to be easily testable anymore. * Fix nonce directives by removing Rails 5 specific monkey-patching * Fix fixture_file_upload deprecation warning * Fix yield-based test failing with Rails 6 * Use Rails 6's index_with when possible * Use ActiveRecord::Cache::Store#delete_multi from Rails 6 This will yield better performances when deleting an account * Disable Rails 6.1's automatic preload link headers Since Rails 6.1, ActionView adds preload links for javascript files in the Links header per default. In our case, that will bloat headers too much and potentially cause issues with reverse proxies. Furhermore, we don't need those links, as we already output them as HTML link tags. * Switch to Rails 6.0 default config * Switch to Rails 6.1 default config * Do not include autoload paths in the load path
2021-03-19Prepare Mastodon for zeitwerk autoloader (#15917)Claire
* Prepare Mastodon for zeitwerk autoloader (Rails 6) Add inflections and rename/move a few classes. In particular, app/lib/exceptions.rb and app/lib/sanitize_config.rb were manually loaded while still in autoload paths. * Add inflection for Url → URL
2021-03-17Prepare Mastodon for Rails 6 (#15911)Claire
* Fix misuse of foreign_type * Fix use of removed "add_template_helper" * Use response.media_type instead of response.content_type in tests * Fix CSV export controller test on Rails 6 Rails 6 sets a "filename*" field in the Content-Disposition header to explicitly encode the filename as UTF-8. This changes checks the first part of the Content-Disposition header so it matches in both Rails 5 and Rails 6. * Fix emoji formatting with Rails 6 * Make emoji output more idiomatic and robust * Switch from redis-rails gem to built-in Rails redis cache storage
2021-03-15Fix configuration for sidekiq-unique-jobs after 7.x upgrade (#15908)Eugen Rochko
Remove locks from scheduled jobs
2021-03-02Update twitter-text from 1.14 to 3.1.0 and fix toot character counting (#15382)Claire
* Update twitter-text from 1.14 to 3.1.0 * Disable emoji parsing * Properly depend on twitter-text for url detection * Fix some URLs being wrongly detected client-side * Add test for server-side validation of non-autolinkable URLs * Fix server-side status length counting
2021-03-01Add `POST /api/v1/emails/confirmations` to REST API (#15816)Eugen Rochko
Only available to the application the user originally signed-up with
2021-02-19Delete pagination.rb (#15754)Shlee
2021-02-11Drop dependency on secure_headers, fix response headers (#15712)Claire
* Drop dependency on secure_headers, use always_write_cookie instead * Fix cookies in Tor Hidden Services by moving configuration to application.rb * Instead of setting always_write_cookie at boot, monkey-patch ActionDispatch
2021-02-11Onion service related changes to HTTPS handling (#15560)Cecylia Bocovich
* Enable secure cookie flag for https only * Disable force_ssl for .onion hosts only Co-authored-by: Aiden McClelland <me@drbonez.dev>
2021-01-31Fixed code quality issues (#15541)Shubhendra Singh Chauhan
* Added .deepsource.toml * Removed bad use of `alias` * Fixed operand order in the binary expression * Prefixed unused method arguments with an underscore * Replaced the old OpenSSL algorithmic constants with the newer strings initializers. * Removed unnecessary UTF-8 encoding comment
2021-01-22Optimize some regex matching (#15528)luigi
* Use Regex#match? * Replace =~ too * Avoid to call match? from Nil * Keep value of Regexp.last_match
2021-01-08Support clock drift in Omniauth SAML provider (#15511)kaiyou
The setting is not well documented by the provider, but allows for clock skew between SP and IDP, see: https://github.com/omniauth/omniauth-saml/blob/master/spec/omniauth/strategies/saml_spec.rb Co-authored-by: kaiyou <dev@kaiyou.fr>
2020-12-22Fix unnecessary queries when batch-removing statuses, 100x faster (#15387)Eugen Rochko
2020-12-15Add stoplight for object storage failures, return HTTP 503 (#13043)Eugen Rochko
2020-11-19Add cache buster feature for media files (#15155)Eugen Rochko
Nginx can be configured to bypass proxy cache when a special header is in the request. If the response is cacheable, it will replace the cache for that request. Proxy caching of media files is desirable when using object storage as a way of minimizing bandwidth costs, but has the drawback of leaving deleted media files for a configured amount of cache time. A cache buster can make those media files immediately unavailable. This especially makes sense when suspending and unsuspending an account.
2020-11-06Fix cookies not having a SameSite attribute (#15098)Eugen Rochko