Commit Graph

214 Commits (22870985dac47d4162bbe63d445cee8f7a1567bb)

Author SHA1 Message Date
Eugen ff5baa5349 Add rate limits for logins and sign-ups by IP (5 in 5 minutes) (#2079)
* Add rate limits for logins and sign-ups by IP (5 in 5 minutes)
Should be enough for normal attempts

* Add rate limit for forgotten password form as well
2017-04-18 22:29:14 +02:00
Joachim Viide 363de2dffd Leave out the "Expires" header from S3 uploads (#1886) 2017-04-16 04:01:58 +02:00
Naouak 3d3e32befb Check for a custom css file to help customization of instances (#1368)
* User can create a custom.scss to customize their instance without modifying gitted files.

* Add documentation for customization.

* Forgot the helper file

* Fix Style to pass codeclimate

* Requests from maintainer.
2017-04-15 22:47:48 +02:00
Patrick Figel df4ff9a8e1 Add recovery code support for two-factor auth (#1773)
* Add recovery code support for two-factor auth

When users enable two-factor auth, the app now generates ten
single-use recovery codes. Users are encouraged to print the codes
and store them in a safe place.

The two-factor prompt during login now accepts both OTP codes and
recovery codes.

The two-factor settings UI allows users to regenerated lost
recovery codes. Users who have set up two-factor auth prior to
this feature being added can use it to generate recovery codes
for the first time.

Fixes #563 and fixes #987

* Set OTP_SECRET in test enviroment

* add missing .html to view file names
2017-04-15 13:26:03 +02:00
Les Orchard 7609593e48 Add REDIS_DB env variable to configure Redis database (#1366) 2017-04-15 02:21:13 +02:00
ThibG a9529d3b4b Allow running mastodon on a different domain as the one used for identifying users (#1267)
* Allow running mastodon on a different domain as the one used for identifying users

* Alter documentation of WEB_DOMAIN to make clear it shouldn't be used unless the admin knows what they are doing

* Compare to web_domain instead of local_domain when dealing with feeds/API

* Correctly identify mentions to local accounts

Mentions URLs point to the person's web profile, i.e., the user page served on WEB_DOMAIN.
2017-04-15 02:15:46 +02:00
Valentin Lorentz 5ab0ffc6c8 Custom Paperclip path. (#778)
* Custom Paperclip path.

* Document PAPERCLIP_ROOT.

* Add PAPERCLIP_ROOT_URL (and rename PAPERCLIP_ROOT to PAPERCLIP_ROOT_PATH).
2017-04-15 02:07:21 +02:00
Yusuke Abe 169c68a739 Add filename extension to paperclip (#1718) 2017-04-13 21:52:56 +02:00
Matt Jankowski c44a700252 Quick best practice cleanup of views/helpers (#1546)
* Remove trailing whitespace

* Use query methods instead of explicit .blank? checks
2017-04-12 18:24:18 +02:00
Yann GUERN a85d4473aa Avoid user enumeration with devise paranoid mode (#1527) 2017-04-11 14:21:15 +02:00
Matt Jankowski 4ada50985a Pagination improvements (#1445)
* Replace will_paginate with kaminari

* Use #page instead of #paginate in controllers

* Replace will_paginate.page_gap with pagination.truncate in i18n

* Customize kaminari views to match prior styles

* Set kaminari options to match prior behavior

* Replace will_paginate with paginate in views
2017-04-11 01:11:41 +02:00
Matt Jankowski 64dbde0dbf Version bumps for ruby and misc gems (#1159)
* Update rspec-rails to version 3.5.2

* Update addressable to version 2.5.1

* Update autoprefixer-rails to version 6.7.7.1

* Update bullet to version 5.5.1

* Update domain_name to version 0.5.20170404

* Update letter_opener_web to version 1.3.1

* Upate redis-rails to version 5.0.2

* Update active_record_query_trace to version 1.5.4

* Update capistrano-rails to version 1.2.3

* Update dotenv-rails to version 2.2.0

* Update pg to version 0.20.0

* Update tilt to version 2.0.7

* Update warden to version 1.2.7

* Update tins to version 1.13.2

* Update terminal-table to version 1.7.3

* Update oj to version 2.18.5

* Update simplecov to version 0.14.1

* Update uglifier to version 3.1.13

* Update hashdiff to version 0.3.2

* Update webmock to version 2.3.2

* Update devise to version 4.2.1

* Use ruby version 2.4.1

* Update sass to version 3.4.23

* Update puma to version 3.8.2

* Update will_paginate to version 3.1.5

* Update font-awesome-rails to version 4.7.0.1

* Update fuubar to version 2.2.0

* Update pry-rails to version 0.3.6

* Update simple-navigation to version 4.0.5

* Update rubocop to version 0.48.1

* Update doorkeeper to version 4.2.5

* Update faker to version 1.7.3

* Update aws-sdk to version 2.9.5

* Update fabrication to version 2.16.1

* Update hamlit-rails to version 0.2.0

* Update http to version 2.2.1

* Update httplog to version 0.99.2

* Update sidekiq to version 4.2.10

* Update rspec-sidekiq to version 3.0.0

* Update pghero to version 1.6.4

* Update rack-cors to version 0.4.1

* Update i18n-tasks to version 0.9.13

* Update ruby-oembed to version 0.12.0

* Update jquery-rails to version 4.3.1

* Update simple_form to version 3.4.0

* Update react-rails to version 1.11.0

* Update aws-sdk to version 2.9.6

* Update sidekiq-unique-jobs to version 5.0.0

* Update uglifier to version 3.2.0
2017-04-10 22:47:41 +02:00
Eugen Rochko 29ffe1cad3 Make sure Rabl is using Oj 2017-04-05 19:29:30 +02:00
Pete Keen e9a6da6bc7 [#817] Add email whitelist
This adds the ability to filter user signup with a whitelist
instead of or in addition to a blacklist.

Fixes #817
2017-04-04 11:20:15 -04:00
Eugen Rochko 5b12624847 Add proper error page for request timeouts 2017-04-02 19:43:44 +02:00
leopku c46843c65c 🔧 S3 protocol from ENV
add support for reading S3 protocol from ENV
also add S3_HOSTNAME in .env.production.sample
2017-03-23 15:44:55 +08:00
Eugen Rochko 2816b1bf8e Federate header images, fix open-uri http->https redirection error 2017-03-18 22:51:20 +01:00
Eugen Rochko 02349b3269 Obfuscate filenames better, double rate limits 2017-03-14 15:59:21 +01:00
Eugen Rochko 1fb3e8988b Revert earlier fix due to new bug reports 2017-03-06 02:25:41 +01:00
Eugen Rochko ebc01bf0f6 Make the paperclip filename interpolator smarter about the :original style
If an :original gets converted into another format, it would get saved as
original_filename *anyway*, so generating the extension is pointless and
yields bad results for when you change the style definition later. This way,
old gifs will still have correct URLs
2017-03-05 23:03:49 +01:00
Eugen Rochko 138d21aea8 Update service timeout setting from 15s to 90s 2017-02-13 20:42:02 +01:00
Eugen 9d5fb49cd8 Merge pull request #603 from evanminto/activitypub-account
Expose ActivityStreams 2.0 representation of accounts
2017-02-07 02:08:40 +01:00
Evan Minto 94e213c6c1 Reuse existing controller and route 2017-02-06 01:19:26 -08:00
Eugen Rochko ccb8ac8573 Make the streaming API also handle websockets (because trying to get the browser EventSource interface to
work flawlessly was a nightmare). WARNING: This commit makes the web UI connect to the streaming API instead
of ActionCable like before. This means that if you are upgrading, you should set that up beforehand.
2017-02-04 00:34:31 +01:00
Eugen Rochko f4bc9620a9 Update settings to re-use admin layout, one big navigation tree, improve settings forms 2017-01-28 03:56:10 +01:00
Eugen Rochko 76e970c856 Do not automatically login after password reset, as it would circumvent two-factor auth (if enabled)
Do not require e-mail address changes to be re-confirmed, it's only trouble for no real benefit
2017-01-27 20:35:16 +01:00
Eugen Rochko ba192f12e3 Added optional two-factor authentication 2017-01-27 20:35:16 +01:00
Eugen Rochko f6a5977f0b Fix key names in statsd 2017-01-26 19:46:52 +01:00
Eugen Rochko d567f21d4f Improve StatsD instrumentation 2017-01-26 19:08:05 +01:00
Eugen Rochko 7329fbd8a4 Fix up timeout, improve contrast on "show more", add responsive style
for extremely wide monitors
2017-01-26 18:48:56 +01:00
Eugen 956da43e19 Fix error 2017-01-22 23:07:31 +01:00
Eugen Rochko 61aee0006e Override Rack::Request to use the same trusted proxy settings as Rails 2017-01-22 21:01:28 +01:00
Eugen Rochko f0de621e76 Fix #463 - Fetch and display previews of URLs using OpenGraph tags 2017-01-20 01:00:14 +01:00
Eugen Rochko 306eb6e9c9 Add optional StatsD performance tracking 2017-01-18 23:44:29 +01:00
Effy Elden ab4f5f5da5 Add Heroku deployment support 2017-01-17 22:00:03 +11:00
Effy Elden a097dd489b Change default S3 ACL string used by Paperclip from 'public' (which is invalid) to 'public-read' 2017-01-15 20:58:46 +11:00
Eugen Rochko 2e71bb031b Fix Paperclip timeout setting. Fix bug introduced in #437 2017-01-08 19:12:54 +01:00
Eugen Rochko 7ddec6e7c3 Add read timeout to paperclip when it's downloading remote images 2017-01-07 15:43:56 +01:00
Eugen Rochko b891a81008 Follow call on locked account creates follow request instead
Reflect "requested" relationship in API and UI
Reflect inability of private posts to be reblogged in the UI
Disable Webfinger for locked accounts
2016-12-22 23:03:57 +01:00
Eugen Rochko 6d71044c85 Don't use rack timeout in any but production environments 2016-12-21 19:10:40 +01:00
Eugen Rochko 6de079a5af Removing external hub completely, fix #333 fixing digit-only hashtags,
removing web app capability from non-webapp pages
2016-12-18 12:24:37 +01:00
Eugen Rochko 8b93f45f3d Fix paperclip config 2016-12-07 17:19:29 +01:00
Eugen Rochko f114bc7bb7 Update Paperclip config to allow plugging in Minio instead of AWS 2016-12-07 16:59:18 +01:00
Eugen Rochko 1357c1cb3d Add single user mode 2016-12-06 17:19:26 +01:00
Eugen Rochko b362de2232 Adding configurable e-mail blacklist 2016-12-04 19:07:02 +01:00
Eugen Rochko f763e844e8 Do not use expiring links after all 2016-12-04 13:02:43 +01:00
Eugen Rochko 80c44ed9c1 Do not autoplay videos, display play button instead. Use expiring links when using S3. Do not keep originals
for avatars/headers, resize avatars down to 120x120 instead of 300x300. Set cache headers on S3 stuff, also
make it private (aka only accessible via expiring links to prevent hotlinking)
2016-12-04 12:28:10 +01:00
Eugen Rochko 290ffb63cd Fix cloudfront config 2016-12-03 22:12:22 +01:00
Eugen Rochko d3bd10dfe4 Add Cloudfront support 2016-12-03 22:08:15 +01:00
Eugen Rochko 5973ca3d11 Upgrade Paperclip to 5, AWS-SDK to 2, do not generate medium/small versions of avatars 2016-11-29 14:20:15 +01:00
Eugen Rochko cc70f28f19 Adding rack timeout of 30sec, PuSH jobs moved to push queue so they
can be processed separately
2016-11-29 02:07:14 +01:00
Eugen Rochko c0555f2db6 Don't rate-limit PuSH endpoints 2016-11-29 00:44:11 +01:00
Eugen Rochko 4e351baf88 Fix URLs in inline-rendered XML 2016-11-29 00:26:01 +01:00
Eugen 41ef277da3 Fix URLs in ApplicationController.renderer 2016-11-28 21:21:05 +01:00
Eugen Rochko dda9ac9222 Fix reset date format when rate limited 2016-11-25 18:20:47 +01:00
Eugen Rochko 8efa081f21 Remove Neo4J 2016-11-24 23:46:27 +01:00
Eugen Rochko 8e34bed7cc Mini Profiler not working well, remove it 2016-11-24 19:59:11 +01:00
Eugen Rochko fc90d38893 Moving some counter queries out of subqueries in the API 2016-11-22 22:59:54 +01:00
Eugen Rochko 116ab27e08 i18n for devise mailer too 2016-11-16 18:25:21 +01:00
Eugen Rochko 546c4718e7 Localizations for most server-side strings 2016-11-16 00:55:33 +01:00
Eugen Rochko fdc17bea58 Fix rubocop issues, introduce usage of frozen literal to improve performance 2016-11-15 16:56:29 +01:00
Eugen Rochko 86574ea524 Adding Emoji One 2016-11-08 21:46:29 +01:00
Eugen Rochko 2f21f4cc01 Fix region setting for AWS gem 2016-11-08 18:55:46 +01:00
Eugen Rochko dbe00a4156 Improved configuration from ENV, cleaned up timeline filter methods
to be more readable, add extra logging to process feed service
2016-11-07 23:20:52 +01:00
Eugen Rochko b835f4aa1c Fix insecure S3 URLs 2016-11-06 20:59:06 +01:00
Eugen Rochko d14967e1c8 Fix URL configuration when S3 is enabled 2016-11-06 20:43:16 +01:00
Eugen Rochko 45230c56ab Improve S3 config 2016-11-06 18:55:20 +01:00
Eugen Rochko 3ab193bc3f Adding optional S3, fail-mastodon 2016-11-06 18:35:46 +01:00
Eugen Rochko 9467b900a2 Make cookies https-only if LOCAL_HTTPS is true, set X-Frame-Options to DENY,
add permissive CORS to API controllers
2016-11-02 12:58:15 +01:00
Eugen Rochko 720d1f8f3d Restrict access to oauth/applications to admins only 2016-10-23 12:08:52 +02:00
Eugen Rochko a9e40a3d80 Adding OAuth access scopes, fixing OAuth authorization UI, adding rate limiting
to the API
2016-10-22 19:39:44 +02:00
Eugen Rochko 43df35213e Improving all forms 2016-10-18 16:37:15 +02:00
Eugen Rochko d5e086a47b Adding application/jrd+json webfinger resource 2016-10-18 02:54:49 +02:00
Eugen Rochko e21a3fe0cd Adding sync of follow relationships to Neo4J, accounts/suggestions API 2016-10-14 23:10:07 +02:00
Eugen Rochko 3554d638b3 Fix #72 - add follow/unfollow button to public profiles 2016-10-06 21:27:58 +02:00
Eugen Rochko f06f295890 Fix doorkeeper skip_authorization 2016-10-02 22:55:09 +02:00
Eugen Rochko 4909bbf415 Add logging for outgoing http requests 2016-10-02 14:58:06 +02:00
Eugen Rochko 492224b93f Allow non-https redirect URIs for OAuth apps (AndStatus seems to require this) 2016-09-30 22:40:31 +02:00
Eugen Rochko 7e14eefc81 Replace logo, fix #57 - delete/unreblog/unfavourite API, fix #45 - app
registration API
2016-09-26 23:56:53 +02:00
Eugen Rochko 3b56350121 Fix #6 - Rate limit GET reqs to 300/5min, POST to 100/5min 2016-09-24 13:53:54 +02:00
Eugen Rochko 1022d682dc Normalized data in Redux, fix for asset URLs when rendered outside request 2016-09-04 14:04:26 +02:00
Eugen Rochko 92afd29650 The frontend will now be an OAuth app, auto-authorized. The frontend will use an access token for API requests
Adding better errors for the API controllers, posting a simple status works from the frontend now
2016-08-26 19:12:19 +02:00
Eugen Rochko 44e57f64dd Improving statuses, adding a composer drawer, which doesn't work yet 2016-08-25 19:52:55 +02:00
Eugen Rochko bc0692d75b Removing mini-profiler that doesn't work, formatting timelines a bit better 2016-08-24 19:23:37 +02:00
Eugen Rochko 68c93f8b85 Final fix for ActionCable origin issues 2016-08-18 18:51:50 +02:00
Eugen Rochko 8985f8e66c Fixing more configuration issues with ActionCable 2016-08-18 18:39:35 +02:00
Eugen Rochko 5a8c149f6b Fix ActionCable origin checking 2016-08-18 18:08:25 +02:00
Eugen Rochko 6426819b6f Fix tests 2016-08-18 17:22:44 +02:00
Eugen Rochko 6deb9f966e Live timelines using ActionCable 2016-08-18 15:49:51 +02:00
Eugen Rochko 10ba09f546 Upgrade to Rails 5.0.0.1 2016-08-17 17:58:00 +02:00
Eugen Rochko 85b00d19b8 Moving Salmon notifications to background processing, fixing mini-profiler
behaviour with Turbolinks enabled, optimizing Rabl for production
2016-03-26 13:42:10 +01:00
Eugen Rochko 5764d52b04 Fix Sidekiq pooling issues. Remove API docs from homepage, replace with
a basic home timeline
2016-03-25 16:10:14 +01:00
Eugen Rochko 318886287b Fixing some stuff for Turbolinks, adding gzip on top, fixing a n+1 query 2016-03-25 15:09:40 +01:00
Eugen Rochko 36f3da3cde Adjust down the number of Sidekiq threads to 5 (default of 25 is way too high) 2016-03-25 14:20:31 +01:00
Eugen Rochko e24bfbde1a Fixing FanOutOnWriteService, fixing Sidekiq not having enough DB connections
in the pool, adding a throttle of 60rpm per IP, adding mini profiler, adding
admin status to users
2016-03-25 14:12:24 +01:00
Eugen Rochko 42dcb0d4cb Adding Sidekiq for background processing (firstly just of mailers) 2016-03-25 02:50:48 +01:00
Eugen Rochko b640f35621 Writing out more tests, fixed some bugs 2016-03-20 13:03:06 +01:00
Eugen Rochko e2b846f630 Adding letter opener for development and Rack::Attack for future rate limiting implementations 2016-03-19 14:57:30 +01:00
Eugen Rochko 9cb690c706 Access tokens no longer expire, case-insensitive local username validation, as well as case-insensitive Webfinger look-up 2016-03-16 18:29:52 +01:00
Eugen Rochko 2c374cd97c Adding e-mail configuration 2016-03-16 12:13:40 +01:00
Eugen Rochko 6fec8afc3f Bind oauth applications to users 2016-03-14 17:49:13 +01:00
Eugen Rochko 3441361568 Adding simple_form, adding profile settings, header image 2016-03-12 20:47:22 +01:00
Eugen Rochko 1aa477ac2f Customized more doorkeeper views, only logged in users can create oauth apps 2016-03-12 19:46:06 +01:00
Eugen Rochko aab9f57e36 Adding config for puma, dashboard layout, fixing some queries 2016-03-12 16:21:53 +01:00
Eugen Rochko 447cfef62d Improving feed queries, switching API to doorkeeper authentication 2016-03-11 16:47:36 +01:00
Eugen Rochko b919f39b31 Customizing doorkeeper views for authorizing app 2016-03-11 01:58:55 +01:00
Eugen Rochko 6c4c84b161 Distrubute statuses as a fan-out-on-write system, with optional precomputing 2016-03-08 20:20:45 +01:00
Eugen Rochko ab6696e855 Adding doorkeeper, adding a REST API
POST /api/statuses                  Params: status (text contents), in_reply_to_id (optional)
GET  /api/statuses/:id
POST /api/statuses/:id/reblog

GET  /api/accounts/:id
GET  /api/accounts/:id/following
GET  /api/accounts/:id/followers
POST /api/accounts/:id/follow
POST /api/accounts/:id/unfollow

POST /api/follows                  Params: uri (e.g. user@domain)

OAuth authentication is currently disabled, but the API can be used with HTTP Auth.
2016-03-07 12:42:33 +01:00
Eugen Rochko 7e93da3f8d Removing grape and adding devise 2016-03-05 13:12:24 +01:00
Eugen Rochko 23d08c6749 Changing the use of config constants to the Rails configuration object 2016-02-29 20:06:39 +01:00
Eugen Rochko ee73d35eea Incoming Salmon requests can be turned into follows and unfollows 2016-02-23 22:17:07 +01:00
Eugen Rochko 1dad72bf13 Fixes and general progress 2016-02-22 18:10:30 +01:00
Eugen Rochko 709c6685a9 Made some progress 2016-02-22 16:00:20 +01:00
Eugen Rochko 9c4856bdb1 Initial commit 2016-02-20 22:53:20 +01:00