From d68df88d4e3da89cdc572d802ac69589dac76be4 Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Wed, 20 Sep 2017 19:08:20 +0200
Subject: Disable private status federation over OStatus (#5027)

---
 config/initializers/ostatus.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'config/initializers')

diff --git a/config/initializers/ostatus.rb b/config/initializers/ostatus.rb
index c00aba0de..f28eaec1c 100644
--- a/config/initializers/ostatus.rb
+++ b/config/initializers/ostatus.rb
@@ -18,7 +18,7 @@ Rails.application.configure do
 
   config.action_mailer.default_url_options = { host: web_host, protocol: https ? 'https://' : 'http://', trailing_slash: false }
   config.x.streaming_api_base_url          = 'ws://localhost:4000'
-  config.x.use_ostatus_privacy             = true
+  config.x.use_ostatus_privacy             = false
 
   if Rails.env.production?
     config.x.streaming_api_base_url = ENV.fetch('STREAMING_API_BASE_URL') { "ws#{https ? 's' : ''}://#{web_host}" }
-- 
cgit 


From b982d549f440cfebadd5dc8d300a506df213bfee Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Mon, 25 Sep 2017 02:11:14 +0200
Subject: Add strong_migrations gem to warn when creating unsafe migrations
 (#5078)

---
 Gemfile                                  | 1 +
 Gemfile.lock                             | 3 +++
 config/initializers/strong_migrations.rb | 3 +++
 3 files changed, 7 insertions(+)
 create mode 100644 config/initializers/strong_migrations.rb

(limited to 'config/initializers')

diff --git a/Gemfile b/Gemfile
index 4f4861913..6c31e8932 100644
--- a/Gemfile
+++ b/Gemfile
@@ -105,6 +105,7 @@ group :development do
   gem 'brakeman', '~> 3.6', require: false
   gem 'bundler-audit', '~> 0.5', require: false
   gem 'scss_lint', '~> 0.53', require: false
+  gem 'strong_migrations'
 
   gem 'capistrano', '~> 3.8'
   gem 'capistrano-rails', '~> 1.2'
diff --git a/Gemfile.lock b/Gemfile.lock
index 97db3aa9a..b29d32400 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -482,6 +482,8 @@ GEM
       net-scp (>= 1.1.2)
       net-ssh (>= 2.8.0)
     statsd-instrument (2.1.4)
+    strong_migrations (0.1.9)
+      activerecord (>= 3.2.0)
     temple (0.8.0)
     terminal-table (1.8.0)
       unicode-display_width (~> 1.1, >= 1.1.1)
@@ -614,6 +616,7 @@ DEPENDENCIES
   simplecov (~> 0.14)
   sprockets-rails (~> 3.2)
   statsd-instrument (~> 2.1)
+  strong_migrations
   twitter-text (~> 1.14)
   tzinfo-data (~> 1.2017)
   uglifier (~> 3.2)
diff --git a/config/initializers/strong_migrations.rb b/config/initializers/strong_migrations.rb
new file mode 100644
index 000000000..3d7beac9f
--- /dev/null
+++ b/config/initializers/strong_migrations.rb
@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+StrongMigrations.start_after = 20170924022025 if Rails.env.development?
-- 
cgit 


From e528114c53e23c39dd013d39b829ad50f620015b Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Tue, 26 Sep 2017 01:06:27 +0200
Subject: Follow-up to #4582 and #5027, removing dead code (#5101)

---
 app/services/process_mentions_service.rb           |  2 +-
 app/workers/pubsubhubbub/distribution_worker.rb    | 28 +++-------------
 config/initializers/ostatus.rb                     |  1 -
 .../pubsubhubbub/distribution_worker_spec.rb       | 39 +---------------------
 4 files changed, 7 insertions(+), 63 deletions(-)

(limited to 'config/initializers')

diff --git a/app/services/process_mentions_service.rb b/app/services/process_mentions_service.rb
index f123bf869..1c3eea369 100644
--- a/app/services/process_mentions_service.rb
+++ b/app/services/process_mentions_service.rb
@@ -39,7 +39,7 @@ class ProcessMentionsService < BaseService
 
     if mentioned_account.local?
       NotifyService.new.call(mentioned_account, mention)
-    elsif mentioned_account.ostatus? && (Rails.configuration.x.use_ostatus_privacy || !status.stream_entry.hidden?)
+    elsif mentioned_account.ostatus? && !status.stream_entry.hidden?
       NotificationWorker.perform_async(stream_entry_to_xml(status.stream_entry), status.account_id, mentioned_account.id)
     elsif mentioned_account.activitypub?
       ActivityPub::DeliveryWorker.perform_async(build_json(mention.status), mention.status.account_id, mentioned_account.inbox_url)
diff --git a/app/workers/pubsubhubbub/distribution_worker.rb b/app/workers/pubsubhubbub/distribution_worker.rb
index 524f6849f..fed5e917d 100644
--- a/app/workers/pubsubhubbub/distribution_worker.rb
+++ b/app/workers/pubsubhubbub/distribution_worker.rb
@@ -6,45 +6,27 @@ class Pubsubhubbub::DistributionWorker
   sidekiq_options queue: 'push'
 
   def perform(stream_entry_ids)
-    stream_entries = StreamEntry.where(id: stream_entry_ids).includes(:status).reject { |e| e.status.nil? || e.status.direct_visibility? }
+    stream_entries = StreamEntry.where(id: stream_entry_ids).includes(:status).reject { |e| e.status.nil? || e.status.hidden? }
 
     return if stream_entries.empty?
 
     @account       = stream_entries.first.account
     @subscriptions = active_subscriptions.to_a
 
-    distribute_public!(stream_entries.reject(&:hidden?))
-    distribute_hidden!(stream_entries.select(&:hidden?)) if Rails.configuration.x.use_ostatus_privacy
+    distribute_public!(stream_entries)
   end
 
   private
 
   def distribute_public!(stream_entries)
-    return if stream_entries.empty?
-
     @payload = OStatus::AtomSerializer.render(OStatus::AtomSerializer.new.feed(@account, stream_entries))
 
-    Pubsubhubbub::DeliveryWorker.push_bulk(@subscriptions) do |subscription|
-      [subscription.id, @payload]
-    end
-  end
-
-  def distribute_hidden!(stream_entries)
-    return if stream_entries.empty?
-
-    @payload = OStatus::AtomSerializer.render(OStatus::AtomSerializer.new.feed(@account, stream_entries))
-    @domains = @account.followers.domains
-
-    Pubsubhubbub::DeliveryWorker.push_bulk(@subscriptions.select { |s| allowed_to_receive?(s.callback_url, s.domain) }) do |subscription|
-      [subscription.id, @payload]
+    Pubsubhubbub::DeliveryWorker.push_bulk(@subscriptions) do |subscription_id|
+      [subscription_id, @payload]
     end
   end
 
   def active_subscriptions
-    Subscription.where(account: @account).active.select('id, callback_url, domain')
-  end
-
-  def allowed_to_receive?(callback_url, domain)
-    (!domain.nil? && @domains.include?(domain)) || @domains.include?(Addressable::URI.parse(callback_url).host)
+    Subscription.where(account: @account).active.pluck(:id)
   end
 end
diff --git a/config/initializers/ostatus.rb b/config/initializers/ostatus.rb
index f28eaec1c..ba96fda22 100644
--- a/config/initializers/ostatus.rb
+++ b/config/initializers/ostatus.rb
@@ -18,7 +18,6 @@ Rails.application.configure do
 
   config.action_mailer.default_url_options = { host: web_host, protocol: https ? 'https://' : 'http://', trailing_slash: false }
   config.x.streaming_api_base_url          = 'ws://localhost:4000'
-  config.x.use_ostatus_privacy             = false
 
   if Rails.env.production?
     config.x.streaming_api_base_url = ENV.fetch('STREAMING_API_BASE_URL') { "ws#{https ? 's' : ''}://#{web_host}" }
diff --git a/spec/workers/pubsubhubbub/distribution_worker_spec.rb b/spec/workers/pubsubhubbub/distribution_worker_spec.rb
index 5c22e7fa8..584485079 100644
--- a/spec/workers/pubsubhubbub/distribution_worker_spec.rb
+++ b/spec/workers/pubsubhubbub/distribution_worker_spec.rb
@@ -18,48 +18,11 @@ describe Pubsubhubbub::DistributionWorker do
     it 'delivers payload to all subscriptions' do
       allow(Pubsubhubbub::DeliveryWorker).to receive(:push_bulk)
       subject.perform(status.stream_entry.id)
-      expect(Pubsubhubbub::DeliveryWorker).to have_received(:push_bulk).with([anonymous_subscription, subscription_with_follower])
-    end
-  end
-
-  context 'when OStatus privacy is used' do
-    around do |example|
-      before_val = Rails.configuration.x.use_ostatus_privacy
-      Rails.configuration.x.use_ostatus_privacy = true
-      example.run
-      Rails.configuration.x.use_ostatus_privacy = before_val
-    end
-
-    describe 'with private status' do
-      let(:status) { Fabricate(:status, account: alice, text: 'Hello', visibility: :private) }
-
-      it 'delivers payload only to subscriptions with followers' do
-        allow(Pubsubhubbub::DeliveryWorker).to receive(:push_bulk)
-        subject.perform(status.stream_entry.id)
-        expect(Pubsubhubbub::DeliveryWorker).to have_received(:push_bulk).with([subscription_with_follower])
-        expect(Pubsubhubbub::DeliveryWorker).to_not have_received(:push_bulk).with([anonymous_subscription])
-      end
-    end
-
-    describe 'with direct status' do
-      let(:status) { Fabricate(:status, account: alice, text: 'Hello', visibility: :direct) }
-
-      it 'does not deliver payload' do
-        allow(Pubsubhubbub::DeliveryWorker).to receive(:push_bulk)
-        subject.perform(status.stream_entry.id)
-        expect(Pubsubhubbub::DeliveryWorker).to_not have_received(:push_bulk)
-      end
+      expect(Pubsubhubbub::DeliveryWorker).to have_received(:push_bulk).with([anonymous_subscription.id, subscription_with_follower.id])
     end
   end
 
   context 'when OStatus privacy is not used' do
-    around do |example|
-      before_val = Rails.configuration.x.use_ostatus_privacy
-      Rails.configuration.x.use_ostatus_privacy = false
-      example.run
-      Rails.configuration.x.use_ostatus_privacy = before_val
-    end
-
     describe 'with private status' do
       let(:status) { Fabricate(:status, account: alice, text: 'Hello', visibility: :private) }
 
-- 
cgit 


From db3ed498b08d1ff3b1ca16d326a51abef28b9184 Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Wed, 27 Sep 2017 23:42:49 +0200
Subject: When OAuth password verification fails, return 401 instead of
 redirect (#5111)

Call to warden.authenticate! in resource_owner_from_credentials would
make the request redirect to sign-in path, which is a bad response for
apps. Now bad credentials just return nil, which leads to HTTP 401
from Doorkeeper. Also, accounts with enabled 2FA cannot be logged into
this way.
---
 config/initializers/doorkeeper.rb | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

(limited to 'config/initializers')

diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb
index 689e2ac4a..074f8c410 100644
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
@@ -7,15 +7,14 @@ Doorkeeper.configure do
     current_user || redirect_to(new_user_session_url)
   end
 
-  resource_owner_from_credentials do |routes|
-    request.params[:user] = { email: request.params[:username], password: request.params[:password] }
-    request.env["devise.allow_params_authentication"] = true
-    request.env["warden"].authenticate!(scope: :user)
+  resource_owner_from_credentials do |_routes|
+    user = User.find_by(email: request.params[:username])
+    user if !user&.otp_required_for_login? && user&.valid_password?(request.params[:password])
   end
 
   # If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below.
   admin_authenticator do
-    (current_user && current_user.admin?) || redirect_to(new_user_session_url)
+    current_user&.admin? || redirect_to(new_user_session_url)
   end
 
   # Authorization Code expiration time (default 10 minutes).
-- 
cgit