From 5f4e402204c9da289d1a6b5e3902bf2c9cfe61c1 Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Sun, 5 Mar 2017 17:27:17 +0100
Subject: Improved /api/v1/accounts/:id/statuses with new params: only_media,
 exclude_replies Redirect /:username to /users/:username Redirect
 /:username/:id to /users/:username/updates/:id Updated API documentation and
 sponsors

---
 docs/Using-the-API/API.md | 30 ++++++++++++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)

(limited to 'docs/Using-the-API')

diff --git a/docs/Using-the-API/API.md b/docs/Using-the-API/API.md
index 07c1b25a9..af7858286 100644
--- a/docs/Using-the-API/API.md
+++ b/docs/Using-the-API/API.md
@@ -75,6 +75,10 @@ Query parameters:
 - `max_id` (optional): Skip statuses younger than ID (e.g. navigate backwards in time)
 - `since_id` (optional): Skip statuses older than ID (e.g. check for updates)
 
+Query parameters for public and tag timelines only:
+
+- `local` (optional): Only return statuses originating from this instance
+
 ### Notifications
 
 **GET /api/v1/notifications**
@@ -115,7 +119,14 @@ Returns authenticated user's account.
 
 **GET /api/v1/accounts/:id/statuses**
 
-Returns statuses by user. Same options as timeline are permitted.
+Returns statuses by user.
+
+Query parameters:
+
+- `max_id` (optional): Skip statuses younger than ID (e.g. navigate backwards in time)
+- `since_id` (optional): Skip statuses older than ID (e.g. check for updates)
+- `only_media` (optional): Only return statuses that have media attachments
+- `exclude_replies` (optional): Skip statuses that reply to other statuses
 
 **GET /api/v1/accounts/:id/following**
 
@@ -127,7 +138,7 @@ Returns users the given user is followed by.
 
 **GET /api/v1/accounts/relationships**
 
-Returns relationships (`following`, `followed_by`, `blocking`) of the current user to a list of given accounts.
+Returns relationships (`following`, `followed_by`, `blocking`, `muting`, `requested`) of the current user to a list of given accounts.
 
 Query parameters:
 
@@ -146,6 +157,14 @@ Query parameters:
 
 Returns accounts blocked by authenticated user.
 
+**GET /api/v1/mutes**
+
+Returns accounts muted by authenticated user.
+
+**GET /api/v1/follow_requests**
+
+Returns accounts that want to follow the authenticated user but are waiting for approval.
+
 **GET /api/v1/favourites**
 
 Returns statuses favourited by authenticated user.
@@ -207,6 +226,13 @@ Returns the updated relationship to the user.
 
 Returns the updated relationship to the user.
 
+# Muting and unmuting users
+
+**POST /api/v1/accounts/:id/mute**
+**POST /api/v1/accounts/:id/unmute**
+
+Returns the updated relationship to the user.
+
 ### OAuth apps
 
 **POST /api/v1/apps**
-- 
cgit 


From 02349b32696d6559ed64dbe4f401892d5fa5ddf7 Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Tue, 14 Mar 2017 15:59:21 +0100
Subject: Obfuscate filenames better, double rate limits

---
 app/controllers/concerns/obfuscate_filename.rb | 6 +++++-
 config/initializers/rack-attack.rb             | 4 ++--
 docs/Using-the-API/Push-notifications.md       | 2 +-
 3 files changed, 8 insertions(+), 4 deletions(-)

(limited to 'docs/Using-the-API')

diff --git a/app/controllers/concerns/obfuscate_filename.rb b/app/controllers/concerns/obfuscate_filename.rb
index dde7ce8c6..9c896fb09 100644
--- a/app/controllers/concerns/obfuscate_filename.rb
+++ b/app/controllers/concerns/obfuscate_filename.rb
@@ -13,6 +13,10 @@ module ObfuscateFilename
     file = params.dig(*path)
     return if file.nil?
 
-    file.original_filename = 'media' + File.extname(file.original_filename)
+    file.original_filename = secure_token + File.extname(file.original_filename)
+  end
+
+  def secure_token(length = 16)
+    SecureRandom.hex(length / 2)
   end
 end
diff --git a/config/initializers/rack-attack.rb b/config/initializers/rack-attack.rb
index 3f0ee1d7a..70f7846d1 100644
--- a/config/initializers/rack-attack.rb
+++ b/config/initializers/rack-attack.rb
@@ -1,6 +1,6 @@
 class Rack::Attack
   # Rate limits for the API
-  throttle('api', limit: 150, period: 5.minutes) do |req|
+  throttle('api', limit: 300, period: 5.minutes) do |req|
     req.ip if req.path.match(/\A\/api\/v/)
   end
 
@@ -11,7 +11,7 @@ class Rack::Attack
     headers = {
       'X-RateLimit-Limit'     => match_data[:limit].to_s,
       'X-RateLimit-Remaining' => '0',
-      'X-RateLimit-Reset'     => (now + (match_data[:period] - now.to_i % match_data[:period])).iso8601(6)
+      'X-RateLimit-Reset'     => (now + (match_data[:period] - now.to_i % match_data[:period])).iso8601(6),
     }
 
     [429, headers, [{ error: 'Throttled' }.to_json]]
diff --git a/docs/Using-the-API/Push-notifications.md b/docs/Using-the-API/Push-notifications.md
index d98c8833a..fc373e723 100644
--- a/docs/Using-the-API/Push-notifications.md
+++ b/docs/Using-the-API/Push-notifications.md
@@ -1,4 +1,4 @@
 Push notifications
 ==================
 
-**Note: This push notification design turned out to not be fully operational on the side of Firebase. A different approach is in consideration**
+See <https://github.com/Gargron/tusky-api> for an example of how to create push notifications for a mobile app. It involves using the Mastodon streaming API on behalf of the app's users, as a sort of proxy.
-- 
cgit