about summary refs log tree commit diff
path: root/config/initializers
AgeCommit message (Collapse)Author
2018-09-14Misc. typos (#8694)luzpaz
Found via `codespell -q 3 --skip="./app/javascript/mastodon/locales,./config/locales"`
2018-09-08feat(cookies): Use the same-site attribute to lax (#8626)Sorin Davidoi
CSFR-prevention is already implemented but adding this doesn't hurt. A brief introduction to Same-Site cookies (and the difference between strict and lax) can be found at https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/ TLDR: We use lax since we want the cookies to be sent when the user navigates safely from an external site.
2018-08-25Rename S3_CLOUDFRONT_HOST to S3_ALIAS_HOST. (#8423)M Somerville
Still check for S3_CLOUDFRONT_HOST for existing installs.
2018-08-21Revert to using Paperclip's filesystem storage, and fix dangling records in ↵ThibG
remove_remote (#8339) * Fix uncaching worker * Revert to using Paperclip's filesystem backend instead of fog-local fog-local has lots of concurrency issues, causing failure to delete files, dangling file records, and spurious errors UncacheMediaWorker
2018-08-15Add ldap search filter (#8151)Immae
2018-08-13Add post-deployment migration system (#8182)Eugen Rochko
Adopted from GitLab CE. Generate new migration with: rails g post_deployment_migration name_of_migration_here By default they are run together with db:migrate. To not run them, the env variable SKIP_POST_DEPLOYMENT_MIGRATIONS must be set Code by Yorick Peterse <yorickpeterse@gmail.com>, see also: https://gitlab.com/gitlab-org/gitlab-ce/commit/83c8241160ed48ab066e2c5bd58d0914a745197c
2018-07-25Add secure option to additional cookie (#8069)abcang
2018-07-05Add more granular OAuth scopes (#7929)Eugen Rochko
* Add more granular OAuth scopes * Add human-readable descriptions of the new scopes * Ensure new scopes look good on the app UI * Add tests * Group scopes in screen and color-code dangerous ones * Fix wrong extra scope
2018-06-29Merge `HIDDEN_SERVICE_VIA_TRANSPARENT_PROXY` into ↵MIYAGI Hikaru
`ALLOW_ACCESS_TO_HIDDEN_SERVICE` (#7901) If Mastodon accesses to the hidden service via transparent proxy, it's needed to avoid checking whether it's a private address, since `.onion` is resolved to a private address. I was previously using the `HIDDEN_SERVICE_VIA_TRANSPARENT_PROXY` to provide that function. However, I realized that using `HIDDEN_SERVICE_VIA_TRANSPARENT_PROXY` is redundant, since this specification is always used with `ALLOW_ACCESS_TO_HIDDEN_SERVICE`. Therefore, I decided to integrate the setting of `HIDDEN_SERVICE_VIA_TRANSPARENT_PROXY` into` ALLOW_ACCESS_TO_HIDDEN_SERVICE`.
2018-06-15Add dat, dweb, ipfs, ipns, ssb, gopher protocols to URL extractor (#7810)Eugen Rochko
* Add dat:// and gopher:// to URL extractor Fix #6072 * Fix comment indent * Add dweb, ipfs, ipns, ssb
2018-06-15Remove rack-timeout (#7809)Eugen Rochko
Timeout considered harmful due to leaving the app in a broken state, including unreaped database connections
2018-05-26Disable AMS logging (#7623)Eugen Rochko
Especially in production it's just noise and doesn't mix well with the log format
2018-05-18User agent for WebFinger (#7531)MIYAGI Hikaru
* User agent for WebFinger * local_domain → web_domain * 'http' is away accidentally...
2018-05-11Add REST API for Web Push Notifications subscriptions (#7445)Eugen Rochko
- POST /api/v1/push/subscription - PUT /api/v1/push/subscription - DELETE /api/v1/push/subscription - New OAuth scope: "push" (required for the above methods)
2018-05-07Improve OpenStack v3 compatibility (#7392)Hugo Gameiro
* Update paperclip.rb * Update .env.production.sample * Update paperclip.rb
2018-05-03Add a missing question mark in rack_attack.rb (#7338)Akihiko Odaki
2018-05-03Throttle media post (#7337)Akihiko Odaki
The previous rate limit allowed to post media so fast that it is possible to fill up the disk space even before an administrator notices. The new rate limit is configured so that it takes 24 hours to eat 10 gigabytes: 10 * 1024 / 8 / (24 * 60 / 30) = 27 (which rounded to 30) The period is set long so that it does not prevent from attaching several media to one post, which would happen in a short period. For example, if the period is 5 minutes, the rate limit would be: 10 * 1024 / 8 / (24 * 60 / 5) = 4 This long period allows to lift the limit up.
2018-05-02Slightly reduce RAM usage (#7301)Eugen Rochko
* No need to re-require sidekiq plugins, they are required via Gemfile * Add derailed_benchmarks tool, no need to require TTY gems in Gemfile * Replace ruby-oembed with FetchOEmbedService Reduce startup by 45382 allocated objects * Remove preloaded JSON-LD in favour of caching HTTP responses Reduce boot RAM by about 6 MiB * Fix tests * Fix test suite by stubbing out JSON-LD contexts
2018-04-25HTTP proxy support for outgoing request, manage access to hidden service (#7134)MIYAGI Hikaru
* Add support for HTTP client proxy * Add access control for darknet Supress error when access to darknet via transparent proxy * Fix the codes pointed out * Lint * Fix an omission + lint * any? -> include? * Change detection method to regexp to avoid test fail
2018-04-12Upgrade Rails to version 5.2.0 (#5898)Yamagishi Kazutoshi
2018-04-10Use RAILS_LOG_LEVEL to set log level of Sidekiq, too (#7079)Eugen Rochko
Fix #3565 (oops)
2018-04-10Log rate limit hits (#7096)Eugen Rochko
Fix #7095
2018-04-07Add a circuit breaker for ActivityPub deliveries (#7053)Eugen Rochko
2018-03-24Revert "Revert "Upgrade Paperclip to version 6.0.0" (#6807)" (#6808)Yamagishi Kazutoshi
This reverts commit 40871caa4b06c7ee1c3b07f439ed984ead295ced.
2018-03-20Add LDAP_TLS_NO_VERIFY option, don't require LDAP_ENABLED outside .env (#6845)Eugen Rochko
Fix #6816, fix #6790
2018-03-19rename pam email environment variable to something more understandable and ↵Alexander
default to LOCAL_DOMAIN (better fallback) (#6833)
2018-03-17Revert "Upgrade Paperclip to version 6.0.0" (#6807)Eugen Rochko
* Revert "Bump version to 2.3.2rc1" This reverts commit cdf8b92fea269209cedf38c50bca276cdf47b1fe. * Revert "Downgrade Dockerfile to Ruby 2.4.3 on Alpine 3.6 (#6806)" This reverts commit 0074cad44ffcbbdbc798f57a21829359741e60d9. * Revert "Handle Mastodon::HostValidationError when pulling remoteable assets (#6782)" This reverts commit 4a0a19fe54f1d2d433ad3d72c35f2bbb915279f6. * Revert "Correct the reference to user's password in mastodon:add_user task (#6800)" This reverts commit 338bff8b93fa939c2968818e53386fd0c013d9a9. * Revert "Upgrade Paperclip to version 6.0.0 (#6754)" This reverts commit b88fcd53f711673b21e5ff4a547dbf929866a2ee.
2018-03-17Upgrade Paperclip to version 6.0.0 (#6754)Yamagishi Kazutoshi
2018-03-07Add additional first_name and last_name SAML attribute statement options, ↵Effy Elden
and modify Omniauthable concern to use full_name or first_name + last_name if not available (#6669)
2018-03-02fix logic for pam_controlled_service (#6599)Alexander
2018-02-28Fix #942: Seamless LDAP login (#6556)Eugen Rochko
2018-02-24Raise Mastodon::HostValidationError when host for HTTP request is private ↵Akihiko Odaki
(#6410)
2018-02-23New variable OAUTH_REDIRECT_AT_SIGN_IN + Ref #6538 (not only SAML ↵Ghislain Loaec
strategies) (#6540)
2018-02-22New env variable: SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED + fixes #6533 (#6538)Ghislain Loaec
2018-02-20Fix #6509: Use pull queue for chewy jobs (#6513)Eugen Rochko
2018-02-11Fix URLs incorrectly having trailing hyphen removed (#6465)Daniel King
In cases where a URL has a trailing hyphen the FetchLinkCardService incorrectly removes the hyphen when it is parsed The hyphen is not a reserved character in the URI spec https://tools.ietf.org/html/rfc3986#section-2.2
2018-02-11Fix Chewy trying to update index with the wrong strategy (#6464)Eugen Rochko
2018-02-09Full-text search for authorized statuses (#6423)Eugen Rochko
* Add full-text search for authorized statuses - Search API will return statuses that match the query - Only for logged in users - Only if you are author of the status, - Or you were mentioned in it - Or you favourited or reblogged it - Configuration over `ES_ENABLED`, `ES_HOST`, `ES_PORT`, `ES_PREFIX` - Run `rails chewy:deploy` to create & populate index Fix #5880 Fix #4293 Fix #1152 * Add commented out docker-compose configuration for ES container * Optimize index import, filter search results * Add basic normalization to the index * Add better stemming and normalization to the index * Skip webfinger request if search query includes both @ and a space * Fix code style * Visually separate search result sections * Fix code style issues
2018-02-04Make PAM gem optional, allow configuration over environment (#6415)Eugen Rochko
2018-02-04CAS + SAML authentication feature (#6425)Eugen Rochko
* Cas authentication feature * Config * Remove class_eval + Omniauth initializer * Codeclimate review * Codeclimate review 2 * Codeclimate review 3 * Remove uid/email reconciliation * SAML authentication * Clean up code * Improve login form * Fix code style issues * Add locales
2018-02-02pam authentication (#5303)Alexander
* add pam support, without extra column * bugfixes for pam login * document options * fix code style * fix codestyle * fix tests * don't call remember_me without password * fix codestyle * improve checks for pam usage (should fix tests) * fix remember_me part 1 * add remember_token column because :rememberable requires either a password or this column. * migrate db for remember_token * move pam_authentication to the right place, fix logic bug in edit.html.haml * fix tests * fix pam authentication, improve username lookup, add comment * valid? is sometimes not honored, return nil instead trying to authenticate with pam * update devise_pam_authenticatable2 and adjust code. Fixes sideeffects observed in tests * update devise_pam_authenticatable gem, fixes for codeconventions, fix finding user * codeconvention fixes * code convention fixes * fix idention * update dependency, explicit conflict check * fix disabled password updates if in pam mode * fix check password if password is present, fix templates * block registration if account is maintained by pam * Revert "block registration if account is maintained by pam" This reverts commit 8e7a083d650240b6fac414926744b4b90b435f20. * fix identation error introduced by rebase * block usernames maintained by pam * document pam settings better * fix code style
2018-01-16HTML e-mails for UserMailer (#6256)Eugen Rochko
- premailer gem to turn CSS into inline styles automatically - rework UserMailer templates - reword UserMailer templates
2018-01-15Suppress CSRF token warnings (#6240)Patrick Figel
CSRF token checking was enabled for API controllers in #6223, producing "Can't verify CSRF token authenticity" log spam. This disables logging of failed CSRF checks. This also changes the protection strategy for PushSubscriptionsController to use exceptions, making it consistent with other controllers that use sessions.
2018-01-09Increase rate limit on protected paths (#6229)Eugen Rochko
Previously each protected path had a separate rate limit. Now they're all in the same bucket, so people are more likely to hit one with register->login. Increasing to 25 per 5 minutes should be fine.
2018-01-05Fix enforce HTTPS in production. (#6180)Naoki Kosaka
2018-01-02Add confirmation step for email changes (#6071)Patrick Figel
* Add confirmation step for email changes This adds a confirmation step for email changes of existing users. Like the initial account confirmation, a confirmation link is sent to the new address. Additionally, a notification is sent to the existing address when the change is initiated. This message includes instruction to reset the password immediately or to contact the instance admin if the change was not initiated by the account owner. Fixes #3871 * Add review fixes
2017-12-22enforce LOCAL_HTTPS=true in production (#6061)nightpool
* enforce https in production * note changes in production env sample * typo fix
2017-12-13Change streaming API URL when remote development (#5942)Yamagishi Kazutoshi
* Change streaming API URL when remote development * Use STREAMING_API_BASE_URL when dev env
2017-12-11Apply a 25x rate limit by IP even to authenticated requests (#5948)Eugen Rochko
2017-12-09Missing require 'authorization_decorator'. (#5947)Naoki Kosaka