about summary refs log tree commit diff
path: root/config/initializers
AgeCommit message (Collapse)Author
2021-03-17Prepare Mastodon for Rails 6 (#15911)Claire
* Fix misuse of foreign_type * Fix use of removed "add_template_helper" * Use response.media_type instead of response.content_type in tests * Fix CSV export controller test on Rails 6 Rails 6 sets a "filename*" field in the Content-Disposition header to explicitly encode the filename as UTF-8. This changes checks the first part of the Content-Disposition header so it matches in both Rails 5 and Rails 6. * Fix emoji formatting with Rails 6 * Make emoji output more idiomatic and robust * Switch from redis-rails gem to built-in Rails redis cache storage
2021-03-15Fix configuration for sidekiq-unique-jobs after 7.x upgrade (#15908)Eugen Rochko
Remove locks from scheduled jobs
2021-03-02Update twitter-text from 1.14 to 3.1.0 and fix toot character counting (#15382)Claire
* Update twitter-text from 1.14 to 3.1.0 * Disable emoji parsing * Properly depend on twitter-text for url detection * Fix some URLs being wrongly detected client-side * Add test for server-side validation of non-autolinkable URLs * Fix server-side status length counting
2021-03-01Add `POST /api/v1/emails/confirmations` to REST API (#15816)Eugen Rochko
Only available to the application the user originally signed-up with
2021-02-19Delete pagination.rb (#15754)Shlee
2021-02-11Drop dependency on secure_headers, fix response headers (#15712)Claire
* Drop dependency on secure_headers, use always_write_cookie instead * Fix cookies in Tor Hidden Services by moving configuration to application.rb * Instead of setting always_write_cookie at boot, monkey-patch ActionDispatch
2021-02-11Onion service related changes to HTTPS handling (#15560)Cecylia Bocovich
* Enable secure cookie flag for https only * Disable force_ssl for .onion hosts only Co-authored-by: Aiden McClelland <me@drbonez.dev>
2021-01-31Fixed code quality issues (#15541)Shubhendra Singh Chauhan
* Added .deepsource.toml * Removed bad use of `alias` * Fixed operand order in the binary expression * Prefixed unused method arguments with an underscore * Replaced the old OpenSSL algorithmic constants with the newer strings initializers. * Removed unnecessary UTF-8 encoding comment
2021-01-22Optimize some regex matching (#15528)luigi
* Use Regex#match? * Replace =~ too * Avoid to call match? from Nil * Keep value of Regexp.last_match
2021-01-08Support clock drift in Omniauth SAML provider (#15511)kaiyou
The setting is not well documented by the provider, but allows for clock skew between SP and IDP, see: https://github.com/omniauth/omniauth-saml/blob/master/spec/omniauth/strategies/saml_spec.rb Co-authored-by: kaiyou <dev@kaiyou.fr>
2020-12-22Fix unnecessary queries when batch-removing statuses, 100x faster (#15387)Eugen Rochko
2020-12-15Add stoplight for object storage failures, return HTTP 503 (#13043)Eugen Rochko
2020-11-19Add cache buster feature for media files (#15155)Eugen Rochko
Nginx can be configured to bypass proxy cache when a special header is in the request. If the response is cacheable, it will replace the cache for that request. Proxy caching of media files is desirable when using object storage as a way of minimizing bandwidth costs, but has the drawback of leaving deleted media files for a configured amount of cache time. A cache buster can make those media files immediately unavailable. This especially makes sense when suspending and unsuspending an account.
2020-11-06Fix cookies not having a SameSite attribute (#15098)Eugen Rochko
2020-10-19Add support for Gemini urls (#15013)Josh Leeb-du Toit
This PR updates the `valid_url` regex and sanitizer allowlist to provide support for Gemini urls. Closes #14991
2020-10-12Add IP-based rules (#14963)Eugen Rochko
2020-10-06add S3_READ_TIMEOUT environment variable (#14952)tateisu
2020-08-24Add WebAuthn as an alternative 2FA method (#14466)santiagorodriguez96
* feat: add possibility of adding WebAuthn security keys to use as 2FA This adds a basic UI for enabling WebAuthn 2FA. We did a little refactor to the Settings page for editing the 2FA methods – now it will list the methods that are available to the user (TOTP and WebAuthn) and from there they'll be able to add or remove any of them. Also, it's worth mentioning that for enabling WebAuthn it's required to have TOTP enabled, so the first time that you go to the 2FA Settings page, you'll be asked to set it up. This work was inspired by the one donde by Github in their platform, and despite it could be approached in different ways, we decided to go with this one given that we feel that this gives a great UX. Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: add request for WebAuthn as second factor at login if enabled This commits adds the feature for using WebAuthn as a second factor for login when enabled. If users have WebAuthn enabled, now a page requesting for the use of a WebAuthn credential for log in will appear, although a link redirecting to the old page for logging in using a two-factor code will also be present. Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: add possibility of deleting WebAuthn Credentials Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: disable WebAuthn when an Admin disables 2FA for a user Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: remove ability to disable TOTP leaving only WebAuthn as 2FA Following examples form other platforms like Github, we decided to make Webauthn 2FA secondary to 2FA with TOTP, so that we removed the possibility of removing TOTP authentication only, leaving users with just WEbAuthn as 2FA. Instead, users will have to click on 'Disable 2FA' in order to remove second factor auth. The reason for WebAuthn being secondary to TOPT is that in that way, users will still be able to log in using their code from their phone's application if they don't have their security keys with them – or maybe even lost them. * We had to change a little the flow for setting up TOTP, given that now it's possible to setting up again if you already had TOTP, in order to let users modify their authenticator app – given that now it's not possible for them to disable TOTP and set it up again with another authenticator app. So, basically, now instead of storing the new `otp_secret` in the user, we store it in the session until the process of set up is finished. This was because, as it was before, when users clicked on 'Edit' in the new two-factor methods lists page, but then went back without finishing the flow, their `otp_secret` had been changed therefore invalidating their previous authenticator app, making them unable to log in again using TOTP. Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * refactor: fix eslint errors The PR build was failing given that linting returning some errors. This commit attempts to fix them. * refactor: normalize i18n translations The build was failing given that i18n translations files were not normalized. This commits fixes that. * refactor: avoid having the webauthn gem locked to a specific version * refactor: use symbols for routes without '/' * refactor: avoid sending webauthn disabled email when 2FA is disabled When an admins disable 2FA for users, we were sending two mails to them, one notifying that 2FA was disabled and the other to notify that WebAuthn was disabled. As the second one is redundant since the first email includes it, we can remove it and send just one email to users. * refactor: avoid creating new env variable for webauthn_origin config * refactor: improve flash error messages for webauthn pages Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>
2020-07-07Change rate limits for various paths (#14253)Eugen Rochko
- Rate limit login attempts by target account - Rate limit password resets and e-mail re-confirmations by target account - Rate limit sign-up/login attempts, password resets, and e-mail re-confirmations by IP like before
2020-07-07Fix hashtag column options styling (#14247)ThibG
* Enable nonces for stylesheets * Pass nonce to react-select
2020-07-01Change Redis#exists calls to Redis#exists? to avoid deprecation warning (#14191)Eugen Rochko
2020-06-30Fix remote files not using Content-Type header, streaming (#14184)Eugen Rochko
2020-06-27Remove the terms blacklist and whitelist from UX (#14149)Eugen Rochko
Localization strings: - "Whitelist mode" -> "Limited federation mode" - "Blacklist e-mail domain" -> "Block e-mail domain" - "Whitelist domain" -> "Allow domain for federation" ...And so on Environment variables (backwards-compatible): - `WHITELIST_MODE` -> `LIMITED_FEDERATION_MODE` - `EMAIL_DOMAIN_BLACKLIST` -> `EMAIL_DOMAIN_DENYLIST` - `EMAIL_DOMAIN_WHITELIST` -> `EMAIL_DOMAIN_ALLOWLIST` tootctl: - `tootctl domains purge --whitelist-mode` -> `tootctl domains purge --limited-federation-mode` Removed badly maintained and no longer relevant .env.production.sample file
2020-06-17Suppress Redis#exists(key) warning (#14067)mayaeh
2020-06-02Add E2EE API (#13820)Eugen Rochko
2020-05-24Fix csv upload (#13835)Takeshi Umeda
2020-05-23Fix workaround for Elasticsearch 7.x (#13828)Takeshi Umeda
2020-05-10Refactor monkey-patching of Goldfinger (#12561)Eugen Rochko
2020-05-09Fix "tootctl media remove-orphans" crashing on “Import” files (#13685)ThibG
* Fix "tootctl media remove-orphans" crashing on “Import” files * Also remove empty directories when removing orphaned media
2020-05-08Remove 'unsafe-inline' from Content-Security-Policy style-src (#13679)ThibG
* Make sure wicg-inert doesn't rely on inline CSS * Remove unsafe-inline from style-src
2020-05-04Fix PgHero Content-Security-Policy when CDN_HOST is used (#13595)ThibG
2020-04-27Fix naming issue (#13551)mayaeh
2020-04-26Add separate cache directory for non-local uploads (#12821)Eugen Rochko
2020-04-17Fix search not working due to proxy settings when using hidden services (#13488)Eugen Rochko
Fix #13484
2020-04-03Add ability to filter audit log in admin UI (#13381)Eugen Rochko
2020-03-31Fix background jobs not using locks like they are supposed to (#13361)Eugen Rochko
Also: - Fix locks not being removed when jobs go to the dead job queue - Add UI for managing locks to the Sidekiq dashboard - Remove unused Sidekiq workers Fix #13349
2020-03-31Fix re-sending of e-mail confirmation not being rate limited (#13360)Eugen Rochko
Fix #13330
2020-03-27Fix OCR not working on Safari because of unsupported worker-src CSP (#13323)ThibG
Fixes #13321
2020-03-21Bump sidekiq from 5.2.7 to 6.0.4 (#11727)dependabot-preview[bot]
* Bump sidekiq from 5.2.7 to 6.0.0 Bumps [sidekiq](https://github.com/mperham/sidekiq) from 5.2.7 to 6.0.0. - [Release notes](https://github.com/mperham/sidekiq/releases) - [Changelog](https://github.com/mperham/sidekiq/blob/master/Changes.md) - [Commits](https://github.com/mperham/sidekiq/compare/v5.2.7...v6.0.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> * Sidekiq::Logger.logger -> Sidekiq.logger * Drop support Ruby 2.4 * update Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> Co-authored-by: Yamagishi Kazutoshi <ykzts@desire.sh>
2020-03-08Add specific rate limits for posting and following (#13172)Eugen Rochko
2020-01-23Add announcements (#12662)Eugen Rochko
* Add announcements Fix #11006 * Add reactions to announcements * Add admin UI for announcements * Add unit tests * Fix issues - Add `with_dismissed` param to announcements API - Fix end date not being formatted when time range is given - Fix announcement delete causing reactions to send streaming updates - Fix announcements container growing too wide and mascot too small - Fix `all_day` being settable when no time range is given - Change text "Update" to "Announcement" * Fix scheduler unpublishing announcements before they are due * Fix filter params not being passed to announcements filter
2020-01-23Add support for magnet: URIs (#12905)ThibG
2020-01-11Add support for linking XMPP URIs in toots (#12709)ThibG
* Fix wrong grouping in Twitter valid_url regex * Add support for xmpp URIs Fixes #9776 The difficult part is autolinking, because Twitter-text's extractor does some pretty ad-hoc stuff to find things that “look like” URLs, and XMPP URIs do not really match the assumptions of that lib, so it doesn't sound wise to try to shoehorn it into the existing regex. This is why I used a specific regex (very close, although slightly more permissive than the RFC), and a specific scan function (a simplified version of the generalized one from Twitter). * Remove leading “xmpp:” from auto-linked text
2020-01-04Fix base64-encoded file uploads not being possible (#12748)Eugen Rochko
Fix #3804, Fix #5776
2020-01-03Fix resource_owner_from_credentials in Doorkeeper initializer (#12743)Eugen Rochko
- Nil error when e-mail not found - LDAP authentication used in place of PAM authentication
2020-01-02Fix uncaught query param encoding errors (#12741)Eugen Rochko
2019-12-10Add `S3_OVERRIDE_PATH_STYLE` environment variable (#12594)Eugen Rochko
To support Exoscale
2019-12-08Add `tootctl media remove-orphans` (#12568)Eugen Rochko
2019-12-02add S3_OPEN_TIMEOUT environment variable (#12459)tateisu
2019-12-01:sparkles: Add an LDAP Mail attribute config (#12053)Mathieu Brunot
Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io>