From d68df88d4e3da89cdc572d802ac69589dac76be4 Mon Sep 17 00:00:00 2001
From: Eugen Rochko
Date: Wed, 20 Sep 2017 19:08:20 +0200
Subject: Disable private status federation over OStatus (#5027)
---
 config/initializers/ostatus.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'config/initializers')
diff --git a/config/initializers/ostatus.rb b/config/initializers/ostatus.rb
index c00aba0de..f28eaec1c 100644
--- a/config/initializers/ostatus.rb
+++ b/config/initializers/ostatus.rb
@@ -18,7 +18,7 @@ Rails.application.configure do
 config.action_mailer.default_url_options = { host: web_host, protocol: https ? 'https://' : 'http://', trailing_slash: false }
 config.x.streaming_api_base_url = 'ws://localhost:4000'
- config.x.use_ostatus_privacy = true
+ config.x.use_ostatus_privacy = false if Rails.env.production?
 config.x.streaming_api_base_url = ENV.fetch('STREAMING_API_BASE_URL') { "ws#{https ? 's' : ''}://#{web_host}" }
-- cgit
From b982d549f440cfebadd5dc8d300a506df213bfee Mon Sep 17 00:00:00 2001
From: Eugen Rochko
Date: Mon, 25 Sep 2017 02:11:14 +0200
Subject: Add strong_migrations gem to warn when creating unsafe migrations (#5078)
---
 Gemfile | 1 +
 Gemfile.lock | 3 +++
 config/initializers/strong_migrations.rb | 3 +++
 3 files changed, 7 insertions(+)
 create mode 100644 config/initializers/strong_migrations.rb
(limited to 'config/initializers')
diff --git a/Gemfile b/Gemfile
index 4f4861913..6c31e8932 100644
--- a/Gemfile
+++ b/Gemfile
@@ -105,6 +105,7 @@ group :development do
 gem 'brakeman', '~> 3.6', require: false
 gem 'bundler-audit', '~> 0.5', require: false
 gem 'scss_lint', '~> 0.53', require: false
+ gem 'strong_migrations'
 gem 'capistrano', '~> 3.8'
 gem 'capistrano-rails', '~> 1.2'
diff --git a/Gemfile.lock b/Gemfile.lock
index 97db3aa9a..b29d32400 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
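Review bot: The replacement line `config.x.use_ostatus_privacy = false if Rails.env.production?` leaves the key unset in every non-production environment, where `config.x` reads it back as nil; the flag is therefore falsy everywhere and the environment guard suggests a distinction that does not exist. If private-status federation over OStatus is meant to be off unconditionally, write `config.x.use_ostatus_privacy = false` and explain it in place, e.g. `# OStatus has no per-subscriber privacy; never federate non-public statuses over it`; if development and test are meant to keep the old behaviour, set `true` there explicitly instead of relying on nil. The enclosing `Rails.application.configure do` block starts and ends outside the hunk.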
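Review bot: The added `gem 'strong_migrations'` line carries no version constraint, unlike every neighbouring entry in the `:development` group, so a future major release can change the gem's checks or API on the next `bundle update` with no Gemfile change to review. Pin it to the resolved series, `gem 'strong_migrations', '~> 0.1'` (Gemfile.lock resolves 0.1.9 in this same commit). The `group :development do` block continues outside the hunk.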
@@ -482,6 +482,8 @@ GEM
 net-scp (>= 1.1.2)
 net-ssh (>= 2.8.0)
 statsd-instrument (2.1.4)
+ strong_migrations (0.1.9)
+ activerecord (>= 3.2.0)
 temple (0.8.0)
 terminal-table (1.8.0)
 unicode-display_width (~> 1.1, >= 1.1.1)
@@ -614,6 +616,7 @@ DEPENDENCIES
 simplecov (~> 0.14)
 sprockets-rails (~> 3.2)
 statsd-instrument (~> 2.1)
+ strong_migrations
 twitter-text (~> 1.14)
 tzinfo-data (~> 1.2017)
 uglifier (~> 3.2)
diff --git a/config/initializers/strong_migrations.rb b/config/initializers/strong_migrations.rb
new file mode 100644
index 000000000..3d7beac9f
--- /dev/null
+++ b/config/initializers/strong_migrations.rb
@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+StrongMigrations.start_after = 20170924022025 if Rails.env.development?
-- cgit
From e528114c53e23c39dd013d39b829ad50f620015b Mon Sep 17 00:00:00 2001
From: Eugen Rochko
Date: Tue, 26 Sep 2017 01:06:27 +0200
Subject: Follow-up to #4582 and #5027, removing dead code (#5101)
---
 app/services/process_mentions_service.rb | 2 +-
 app/workers/pubsubhubbub/distribution_worker.rb | 28 +++-------------
 config/initializers/ostatus.rb | 1 -
 .../pubsubhubbub/distribution_worker_spec.rb | 39 +---------------------
 4 files changed, 7 insertions(+), 63 deletions(-)
(limited to 'config/initializers')
diff --git a/app/services/process_mentions_service.rb b/app/services/process_mentions_service.rb
index f123bf869..1c3eea369 100644
--- a/app/services/process_mentions_service.rb
+++ b/app/services/process_mentions_service.rb
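Review bot: The literal in `StrongMigrations.start_after = 20170924022025 if Rails.env.development?` is undocumented, and a reader cannot tell that it is a migration version timestamp up to which existing migrations are exempted from the gem's safety checks. Add a comment above the line, e.g. `# Migrations up to this version predate strong_migrations and are not checked; only newer ones are validated`. Because the assignment is guarded by `Rails.env.development?`, the exemption does not apply in other environments where migrations might run, which is presumably intended but worth stating in the same comment.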
@@ -39,7 +39,7 @@ class ProcessMentionsService < BaseService
 if mentioned_account.local?
 NotifyService.new.call(mentioned_account, mention)
- elsif mentioned_account.ostatus? && (Rails.configuration.x.use_ostatus_privacy || !status.stream_entry.hidden?)
+ elsif mentioned_account.ostatus? && !status.stream_entry.hidden?
 NotificationWorker.perform_async(stream_entry_to_xml(status.stream_entry), status.account_id, mentioned_account.id)
 elsif mentioned_account.activitypub?
 ActivityPub::DeliveryWorker.perform_async(build_json(mention.status), mention.status.account_id, mentioned_account.inbox_url)
diff --git a/app/workers/pubsubhubbub/distribution_worker.rb b/app/workers/pubsubhubbub/distribution_worker.rb
index 524f6849f..fed5e917d 100644
--- a/app/workers/pubsubhubbub/distribution_worker.rb
+++ b/app/workers/pubsubhubbub/distribution_worker.rb
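Review bot: The new condition `elsif mentioned_account.ostatus? && !status.stream_entry.hidden?` silently drops the Salmon notification for a mention in a hidden entry, and nothing in the chain records that the remote OStatus account was deliberately not notified, so the next reader has to rediscover the rule from the commit history. A one-line comment on the `elsif` keeps the privacy decision visible, e.g. `# OStatus/Salmon has no private delivery: hidden entries are never pushed to remote OStatus accounts`. The `if` chain and the method that contains it start and end outside the hunk.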
@@ -6,45 +6,27 @@ class Pubsubhubbub::DistributionWorker
 sidekiq_options queue: 'push'
 def perform(stream_entry_ids)
- stream_entries = StreamEntry.where(id: stream_entry_ids).includes(:status).reject { |e| e.status.nil? || e.status.direct_visibility? }
+ stream_entries = StreamEntry.where(id: stream_entry_ids).includes(:status).reject { |e| e.status.nil? || e.status.hidden? }
 return if stream_entries.empty?
 @account = stream_entries.first.account
 @subscriptions = active_subscriptions.to_a
- distribute_public!(stream_entries.reject(&:hidden?))
- distribute_hidden!(stream_entries.select(&:hidden?)) if Rails.configuration.x.use_ostatus_privacy
+ distribute_public!(stream_entries)
 end
 private
 def distribute_public!(stream_entries)
- return if stream_entries.empty?
- @payload = OStatus::AtomSerializer.render(OStatus::AtomSerializer.new.feed(@account, stream_entries))
- Pubsubhubbub::DeliveryWorker.push_bulk(@subscriptions) do |subscription|
- [subscription.id, @payload]
- end
- end
-
- def distribute_hidden!(stream_entries)
- return if stream_entries.empty?
-
- @payload = OStatus::AtomSerializer.render(OStatus::AtomSerializer.new.feed(@account, stream_entries))
- @domains = @account.followers.domains
-
- Pubsubhubbub::DeliveryWorker.push_bulk(@subscriptions.select { |s| allowed_to_receive?(s.callback_url, s.domain) }) do |subscription|
- [subscription.id, @payload]
+ Pubsubhubbub::DeliveryWorker.push_bulk(@subscriptions) do |subscription_id|
+ [subscription_id, @payload]
 end
 end
 def active_subscriptions
- Subscription.where(account: @account).active.select('id, callback_url, domain')
- end
-
- def allowed_to_receive?(callback_url, domain)
- (!domain.nil? && @domains.include?(domain)) || @domains.include?(Addressable::URI.parse(callback_url).host)
+ Subscription.where(account: @account).active.pluck(:id)
 end
 end
diff --git a/config/initializers/ostatus.rb b/config/initializers/ostatus.rb
index f28eaec1c..ba96fda22 100644
--- a/config/initializers/ostatus.rb
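Review bot: `@subscriptions = active_subscriptions.to_a` in `perform` is now redundant, because the rewritten `active_subscriptions` ends in `.pluck(:id)`, which already returns an Array of ids; drop the `.to_a`, and consider naming the ivar `@subscription_ids` so it agrees with the `subscription_id` block parameter passed to `push_bulk`. The `e.status.hidden?` test in the first changed line is now the only thing keeping non-public statuses out of the PuSH feed, so it deserves a why-comment, e.g. `# hidden (non-public) statuses must never reach PuSH subscribers, who are not authorized per entry`. The `class Pubsubhubbub::DistributionWorker` header and its `include` lines sit above the hunk.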
+++ b/config/initializers/ostatus.rb
@@ -18,7 +18,6 @@ Rails.application.configure do
 config.action_mailer.default_url_options = { host: web_host, protocol: https ? 'https://' : 'http://', trailing_slash: false }
 config.x.streaming_api_base_url = 'ws://localhost:4000'
- config.x.use_ostatus_privacy = false if Rails.env.production?
 config.x.streaming_api_base_url = ENV.fetch('STREAMING_API_BASE_URL') { "ws#{https ? 's' : ''}://#{web_host}" }
diff --git a/spec/workers/pubsubhubbub/distribution_worker_spec.rb b/spec/workers/pubsubhubbub/distribution_worker_spec.rb
index 5c22e7fa8..584485079 100644
--- a/spec/workers/pubsubhubbub/distribution_worker_spec.rb
+++ b/spec/workers/pubsubhubbub/distribution_worker_spec.rb
@@ -18,48 +18,11 @@ describe Pubsubhubbub::DistributionWorker do
 it 'delivers payload to all subscriptions' do
 allow(Pubsubhubbub::DeliveryWorker).to receive(:push_bulk)
 subject.perform(status.stream_entry.id)
- expect(Pubsubhubbub::DeliveryWorker).to have_received(:push_bulk).with([anonymous_subscription, subscription_with_follower])
- end
- end
-
- context 'when OStatus privacy is used' do
- around do |example|
- before_val = Rails.configuration.x.use_ostatus_privacy
- Rails.configuration.x.use_ostatus_privacy = true
- example.run
- Rails.configuration.x.use_ostatus_privacy = before_val
- end
-
- describe 'with private status' do
- let(:status) { Fabricate(:status, account: alice, text: 'Hello', visibility: :private) }
-
- it 'delivers payload only to subscriptions with followers' do
- allow(Pubsubhubbub::DeliveryWorker).to receive(:push_bulk)
- subject.perform(status.stream_entry.id)
- expect(Pubsubhubbub::DeliveryWorker).to have_received(:push_bulk).with([subscription_with_follower])
- expect(Pubsubhubbub::DeliveryWorker).to_not have_received(:push_bulk).with([anonymous_subscription])
- end
- end
-
- describe 'with direct status' do
- let(:status) { Fabricate(:status, account: alice, text: 'Hello', visibility: :direct) }
-
- it 'does not deliver payload' do
- allow(Pubsubhubbub::DeliveryWorker).to receive(:push_bulk)
- subject.perform(status.stream_entry.id)
- expect(Pubsubhubbub::DeliveryWorker).to_not have_received(:push_bulk)
- end
+ expect(Pubsubhubbub::DeliveryWorker).to have_received(:push_bulk).with([anonymous_subscription.id, subscription_with_follower.id])
 end
 end
 context 'when OStatus privacy is not used' do
- around do |example|
- before_val = Rails.configuration.x.use_ostatus_privacy
- Rails.configuration.x.use_ostatus_privacy = false
- example.run
- Rails.configuration.x.use_ostatus_privacy = before_val
- end
-
 describe 'with private status' do
 let(:status) { Fabricate(:status, account: alice, text: 'Hello', visibility: :private) }
-- cgit
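Review bot: The surviving label `context 'when OStatus privacy is not used' do` names a configuration flag this commit deletes (its `around` block that toggled `Rails.configuration.x.use_ostatus_privacy` is removed), so the description no longer distinguishes anything from the examples above it. Rename it to what the nested examples still exercise, e.g. `context 'with non-public statuses' do`, or hoist its `describe` blocks one level up and drop the context. The outer `describe Pubsubhubbub::DistributionWorker do` block and the remaining examples continue outside the hunk.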
From db3ed498b08d1ff3b1ca16d326a51abef28b9184 Mon Sep 17 00:00:00 2001
From: Eugen Rochko
Date: Wed, 27 Sep 2017 23:42:49 +0200
Subject: When OAuth password verification fails, return 401 instead of redirect (#5111)
Call to warden.authenticate! in resource_owner_from_credentials would make the request redirect to sign-in path, which is a bad response for apps. Now bad credentials just return nil, which leads to HTTP 401 from Doorkeeper. Also, accounts with enabled 2FA cannot be logged into this way.
---
 config/initializers/doorkeeper.rb | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
(limited to 'config/initializers')
diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb
index 689e2ac4a..074f8c410 100644
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
@@ -7,15 +7,14 @@ Doorkeeper.configure do
 current_user || redirect_to(new_user_session_url)
 end
- resource_owner_from_credentials do |routes|
- request.params[:user] = { email: request.params[:username], password: request.params[:password] }
- request.env["devise.allow_params_authentication"] = true
- request.env["warden"].authenticate!(scope: :user)
+ resource_owner_from_credentials do |_routes|
+ user = User.find_by(email: request.params[:username])
+ user if !user&.otp_required_for_login? && user&.valid_password?(request.params[:password])
 end
 # If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below.
 admin_authenticator do
- (current_user && current_user.admin?) || redirect_to(new_user_session_url)
+ current_user&.admin? || redirect_to(new_user_session_url)
 end
 # Authorization Code expiration time (default 10 minutes).
-- cgit
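Review bot: `user if !user&.otp_required_for_login? && user&.valid_password?(request.params[:password])` replaces the Warden/Devise strategy with a direct lookup and so skips Devise's `active_for_authentication?` gate; if `User` enables confirmable or lockable (not visible in this hunk), unconfirmed or locked accounts could obtain password-grant tokens that the removed `warden.authenticate!` path would have refused. Adding the check to the condition restores it: `user if user&.active_for_authentication? && !user.otp_required_for_login? && user.valid_password?(request.params[:password])`. Two smaller points on the same lines: `User.find_by(email: ...)` does not apply Devise's case-insensitive and stripped key handling, so mixed-case emails that signed in before may now fail, and when no user matches no password hash is computed, so response time distinguishes existing from non-existing emails, which Devise's strategy mitigates in paranoid mode by hashing a dummy password. The `Doorkeeper.configure do` block continues outside the hunk.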