From be3b9f81518196f73f2b9636137732659df8cc5b Mon Sep 17 00:00:00 2001 From: Claire Date: Thu, 11 Feb 2021 01:53:44 +0100 Subject: Fix URI of repeat follow requests not being recorded (#15662) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Fix URI of repeat follow requests not being recorded In case we receive a “repeat” or “duplicate” follow request, we automatically fast-forward the accept with the latest received Activity `id`, but we don't record it. In general, a “repeat” or “duplicate” follow request may happen if for some reason (e.g. inconsistent handling of Block or Undo Accept activities, an instance being brought back up from the dead, etc.) the local instance thought the remote actor were following them while the remote actor thought otherwise. In those cases, the remote instance does not know about the older Follow activity `id`, so keeping that record serves no purpose, but knowing the most recent one is useful if the remote implementation at some point refers to it by `id` without inlining it. * Add tests --- app/lib/activitypub/activity/follow.rb | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) (limited to 'app/lib') diff --git a/app/lib/activitypub/activity/follow.rb b/app/lib/activitypub/activity/follow.rb index 0beec68ab..4efb84b8c 100644 --- a/app/lib/activitypub/activity/follow.rb +++ b/app/lib/activitypub/activity/follow.rb 
@@ -6,7 +6,14 @@ class ActivityPub::Activity::Follow < ActivityPub::Activity def perform target_account = account_from_uri(object_uri) - return if target_account.nil? || !target_account.local? || delete_arrived_first?(@json['id']) || @account.requested?(target_account) + return if target_account.nil? || !target_account.local? || delete_arrived_first?(@json['id']) + + # Update id of already-existing follow requests + existing_follow_request = ::FollowRequest.find_by(account: @account, target_account: target_account) + unless existing_follow_request.nil? + existing_follow_request.update!(uri: @json['id']) + return + end if target_account.blocking?(@account) || target_account.domain_blocking?(@account.domain) || target_account.moved? || target_account.instance_actor? reject_follow_request!(target_account) @@ -14,7 +21,9 @@ class ActivityPub::Activity::Follow < ActivityPub::Activity end # Fast-forward repeat follow requests - if @account.following?(target_account) + existing_follow = ::Follow.find_by(account: @account, target_account: target_account) + unless existing_follow.nil? + existing_follow.update!(uri: @json['id']) AuthorizeFollowService.new.call(@account, target_account, skip_follow_request: true, follow_request_uri: @json['id']) return end -- cgit From e79f8dd85cb63125185fdf711f470c298a0b5dbc Mon Sep 17 00:00:00 2001 
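Review bot: The comment `# Update id of already-existing follow requests` says what the new block does but not why an incoming id is allowed to overwrite a stored one; the rationale from the commit message belongs next to the code, e.g. `# Repeat Follow for a still-pending request: keep the newest activity id, since the remote side only knows that one and may later refer to the request by it.` The second hunk's `existing_follow.update!(uri: @json['id'])` deserves the same one-line why beside `# Fast-forward repeat follow requests`, since there the stored uri is replaced before the Accept is re-sent. As a matter of style, `unless existing_follow_request.nil?` and `unless existing_follow.nil?` read more idiomatically as `if existing_follow_request` / `if existing_follow`. `perform` continues past the end of both hunks.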
From: Cecylia Bocovich Date: Wed, 10 Feb 2021 22:40:13 -0500 Subject: Onion service related changes to HTTPS handling (#15560) * Enable secure cookie flag for https only * Disable force_ssl for .onion hosts only Co-authored-by: Aiden McClelland --- Gemfile | 2 ++ Gemfile.lock | 4 ++++ app/controllers/application_controller.rb | 2 +- app/lib/webfinger.rb | 12 ++++++++++-- config/initializers/devise.rb | 6 ------ config/initializers/makara.rb | 1 - config/initializers/secureheaders.rb | 10 ++++++++++ config/initializers/session_store.rb | 1 - 8 files changed, 27 insertions(+), 11 deletions(-) create mode 100644 config/initializers/secureheaders.rb (limited to 'app/lib') diff --git a/Gemfile b/Gemfile index 78cb44168..8d8542f83 100644 --- a/Gemfile +++ b/Gemfile @@ -161,3 +161,5 @@ gem 'connection_pool', require: false gem 'xorcist', '~> 1.1' gem 'pluck_each', '~> 0.1.3' + +gem 'secure_headers', '~> 3.5' diff --git a/Gemfile.lock b/Gemfile.lock index bd32f72a7..4237d6bba 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -571,6 +571,8 @@ GEM scenic (1.5.4) activerecord (>= 4.0.0) railties (>= 4.0.0) + secure_headers (3.9.0) + useragent securecompare (1.0.0) semantic_range (2.3.0) sidekiq (6.1.3) @@ -652,6 +654,7 @@ GEM unf_ext (0.0.7.7) unicode-display_width (1.7.0) uniform_notifier (1.13.2) + useragent (0.16.10) warden (1.2.9) rack (>= 2.0.9) webauthn (3.0.0.alpha1) @@ -795,6 +798,7 @@ DEPENDENCIES ruby-progressbar (~> 1.11) sanitize (~> 5.2) scenic (~> 1.5) + secure_headers (~> 3.5) sidekiq (~> 6.1) sidekiq-bulk (~> 0.2.0) sidekiq-scheduler (~> 3.0) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 44616d6e5..c9311c1b6 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb 
@@ -43,7 +43,7 @@ class ApplicationController < ActionController::Base private def https_enabled? - Rails.env.production? && !request.path.start_with?('/health') + Rails.env.production? && !request.path.start_with?('/health') && !request.headers["Host"].ends_with?(".onion") end def authorized_fetch_mode? diff --git a/app/lib/webfinger.rb b/app/lib/webfinger.rb index 702365939..40795a7aa 100644 --- a/app/lib/webfinger.rb +++ b/app/lib/webfinger.rb @@ -88,10 +88,18 @@ class Webfinger end def standard_url - "https://#{@domain}/.well-known/webfinger?resource=#{@uri}" + if @domain.ends_with? ".onion" + "http://#{@domain}/.well-known/webfinger?resource=#{@uri}" + else + "https://#{@domain}/.well-known/webfinger?resource=#{@uri}" + end end def host_meta_url - "https://#{@domain}/.well-known/host-meta" + if @domain.ends_with? ".onion" + "http://#{@domain}/.well-known/host-meta" + else + "https://#{@domain}/.well-known/host-meta" + end end end diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb index ef612e177..d3757b0d3 100644 --- a/config/initializers/devise.rb +++ b/config/initializers/devise.rb @@ -9,7 +9,6 @@ Warden::Manager.after_set_user except: :fetch do |user, warden| value: session_id, expires: 1.year.from_now, httponly: true, - secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'), same_site: :lax, } end @@ -20,7 +19,6 @@ Warden::Manager.after_fetch do |user, warden| value: warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'], expires: 1.year.from_now, httponly: true, - secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'), same_site: :lax, } else 
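Review bot: `request.headers["Host"]` can be nil (an HTTP/1.0 request without a Host header) and may carry a port, so the added `.ends_with?(".onion")` can raise on nil or miss `example.onion:8080`; `request.host` is always a String with the port stripped, i.e. `Rails.env.production? && !request.path.start_with?('/health') && !request.host.end_with?('.onion')`. The value is client-supplied, so this check only relaxes the HTTPS handling for the requester's own request (presumably the `force_ssl` condition, per the commit message), but that behaviour is worth pinning with a request spec that sends a `.onion` Host and a non-onion Host. The enclosing `private` section continues outside the hunk.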
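Review bot: `standard_url` and `host_meta_url` now duplicate the `.onion` scheme decision, and the reason for using plain `http` there is undocumented; a small private helper keeps the rule in one place and gives the comment a home (onion services are reached over Tor's own encrypted circuit, so TLS is not what protects the transport). `String#end_with?` is the core method, `ends_with?` the ActiveSupport alias, and the parenthesis-free call `@domain.ends_with? ".onion"` is unusual for this file. If `Webfinger` already has a `private` section above these methods, place the helper there instead of adding another marker.
```ruby
  def standard_url
    "#{scheme}://#{@domain}/.well-known/webfinger?resource=#{@uri}"
  end

  def host_meta_url
    "#{scheme}://#{@domain}/.well-known/host-meta"
  end

  private

  # Onion services are reached over Tor's own encrypted circuit, so they are
  # addressed with plain http; every other domain stays on https.
  def scheme
    @domain.end_with?('.onion') ? 'http' : 'https'
  end
  # … unchanged: class end …
```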
@@ -229,10 +227,6 @@ Devise.setup do |config| # If true, extends the user's remember period when remembered via cookie. # config.extend_remember_period = false - # Options to be passed to the created cookie. For instance, you can set - # secure: true in order to force SSL only cookies. - config.rememberable_options = { secure: true } - # ==> Configuration for :validatable # Range for password length. config.password_length = 8..72 diff --git a/config/initializers/makara.rb b/config/initializers/makara.rb index dc88fa63c..afd29eda8 100644 --- a/config/initializers/makara.rb +++ b/config/initializers/makara.rb @@ -1,2 +1 @@ Makara::Cookie::DEFAULT_OPTIONS[:same_site] = :lax -Makara::Cookie::DEFAULT_OPTIONS[:secure] = Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true' diff --git a/config/initializers/secureheaders.rb b/config/initializers/secureheaders.rb new file mode 100644 index 000000000..6c8ac7fbe --- /dev/null +++ b/config/initializers/secureheaders.rb @@ -0,0 +1,10 @@ +SecureHeaders::Configuration.default do |config| + config.cookies = { + secure: true, + httponly: true, + samesite: { + lax: true + } + } + config.csp = SecureHeaders::OPT_OUT +end diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb index e5d1be4c6..7e3471ac4 100644 --- a/config/initializers/session_store.rb +++ b/config/initializers/session_store.rb @@ -2,6 +2,5 @@ Rails.application.config.session_store :cookie_store, { key: '_mastodon_session', - secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'), same_site: :lax, } -- cgit
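Review bot: The new initializer sets `secure: true` unconditionally while the commit message says the Secure flag should apply to HTTPS only; if that relies on the secure_headers middleware deciding per request scheme, the file should say so, because deployments behind a TLS-terminating proxy then need the forwarded scheme (e.g. `X-Forwarded-Proto`) passed through or session cookies silently lose the Secure flag they had via the removed `secure:` options in devise.rb, session_store.rb and makara.rb. Add a comment such as `# secure_headers applies the Secure flag only on https requests, which lets .onion (plain http) visitors keep a session — confirm against the gem's scheme detection.` above `config.cookies`, and state why CSP is `OPT_OUT` (presumably the app sets its own policy elsewhere — confirm). Unless the gem's other default headers (HSTS, X-Frame-Options, …) are intended, configure or opt out of them explicitly so the headers this app emits do not change implicitly with a gem upgrade.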