From 4cfa969d71af4a70c0ec7120d9b5f18ff6a0050c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 23 Aug 2021 22:03:23 +0900
Subject: [PATCH 1/9] Bump @babel/plugin-transform-runtime from 7.14.5 to
7.15.0 (#16590)
Bumps [@babel/plugin-transform-runtime](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-runtime) from 7.14.5 to 7.15.0.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.15.0/packages/babel-plugin-transform-runtime)
---
updated-dependencies:
- dependency-name: "@babel/plugin-transform-runtime"
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
package.json | 2 +-
yarn.lock | 8 ++++----
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/package.json b/package.json
index 757f48327a..8ba52752ef 100644
--- a/package.json
+++ b/package.json
@@ -62,7 +62,7 @@
"@babel/core": "^7.15.0",
"@babel/plugin-proposal-decorators": "^7.14.5",
"@babel/plugin-transform-react-inline-elements": "^7.14.5",
- "@babel/plugin-transform-runtime": "^7.14.5",
+ "@babel/plugin-transform-runtime": "^7.15.0",
"@babel/preset-env": "^7.15.0",
"@babel/preset-react": "^7.14.5",
"@babel/runtime": "^7.15.3",
diff --git a/yarn.lock b/yarn.lock
index c66f79ade5..4efef027d8 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -817,10 +817,10 @@
dependencies:
"@babel/helper-plugin-utils" "^7.14.5"
-"@babel/plugin-transform-runtime@^7.14.5":
- version "7.14.5"
- resolved "https://registry.yarnpkg.com/@babel/plugin-transform-runtime/-/plugin-transform-runtime-7.14.5.tgz#30491dad49c6059f8f8fa5ee8896a0089e987523"
- integrity sha512-fPMBhh1AV8ZyneiCIA+wYYUH1arzlXR1UMcApjvchDhfKxhy2r2lReJv8uHEyihi4IFIGlr1Pdx7S5fkESDQsg==
+"@babel/plugin-transform-runtime@^7.15.0":
+ version "7.15.0"
+ resolved "https://registry.yarnpkg.com/@babel/plugin-transform-runtime/-/plugin-transform-runtime-7.15.0.tgz#d3aa650d11678ca76ce294071fda53d7804183b3"
+ integrity sha512-sfHYkLGjhzWTq6xsuQ01oEsUYjkHRux9fW1iUA68dC7Qd8BS1Unq4aZ8itmQp95zUzIcyR2EbNMTzAicFj+guw==
dependencies:
"@babel/helper-module-imports" "^7.14.5"
"@babel/helper-plugin-utils" "^7.14.5"
From 3f2ddcda8ae1ddc6157cc5bd2d7151a1ce51edb0 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 23 Aug 2021 22:03:38 +0900
Subject: [PATCH 2/9] Bump ws from 8.1.0 to 8.2.0 (#16636)
Bumps [ws](https://github.com/websockets/ws) from 8.1.0 to 8.2.0.
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](https://github.com/websockets/ws/compare/8.1.0...8.2.0)
---
updated-dependencies:
- dependency-name: ws
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
package.json | 2 +-
yarn.lock | 8 ++++----
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/package.json b/package.json
index 8ba52752ef..469cdf29b0 100644
--- a/package.json
+++ b/package.json
@@ -168,7 +168,7 @@
"webpack-cli": "^3.3.12",
"webpack-merge": "^5.8.0",
"wicg-inert": "^3.1.1",
- "ws": "^8.1.0"
+ "ws": "^8.2.0"
},
"devDependencies": {
"@testing-library/jest-dom": "^5.14.1",
diff --git a/yarn.lock b/yarn.lock
index 4efef027d8..f489dafb69 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -11773,10 +11773,10 @@ ws@^7.2.3, ws@^7.3.1:
resolved "https://registry.yarnpkg.com/ws/-/ws-7.5.3.tgz#160835b63c7d97bfab418fc1b8a9fced2ac01a74"
integrity sha512-kQ/dHIzuLrS6Je9+uv81ueZomEwH0qVYstcAQ4/Z93K8zeko9gtAbttJWzoC5ukqXY1PpoouV3+VSOqEAFt5wg==
-ws@^8.1.0:
- version "8.1.0"
- resolved "https://registry.yarnpkg.com/ws/-/ws-8.1.0.tgz#75e5ec608f66d3d3934ec6dbc4ebc8a34a68638c"
- integrity sha512-0UWlCD2s3RSclw8FN+D0zDTUyMO+1kHwJQQJzkgUh16S8d3NYON0AKCEQPffE0ez4JyRFu76QDA9KR5bOG/7jw==
+ws@^8.2.0:
+ version "8.2.0"
+ resolved "https://registry.yarnpkg.com/ws/-/ws-8.2.0.tgz#0b738cd484bfc9303421914b11bb4011e07615bb"
+ integrity sha512-uYhVJ/m9oXwEI04iIVmgLmugh2qrZihkywG9y5FfZV2ATeLIzHf93qs+tUNqlttbQK957/VX3mtwAS+UfIwA4g==
xml-name-validator@^3.0.0:
version "3.0.0"
From 9c6cecb7a9d5aba0d258ae1f29ad904235d32a0e Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 23 Aug 2021 22:03:53 +0900
Subject: [PATCH 3/9] Bump eslint-plugin-import from 2.24.0 to 2.24.1 (#16635)
Bumps [eslint-plugin-import](https://github.com/import-js/eslint-plugin-import) from 2.24.0 to 2.24.1.
- [Release notes](https://github.com/import-js/eslint-plugin-import/releases)
- [Changelog](https://github.com/import-js/eslint-plugin-import/blob/master/CHANGELOG.md)
- [Commits](https://github.com/import-js/eslint-plugin-import/compare/v2.24.0...v2.24.1)
---
updated-dependencies:
- dependency-name: eslint-plugin-import
dependency-type: direct:development
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
package.json | 2 +-
yarn.lock | 55 ++++++++++++++++++++++++++--------------------------
2 files changed, 29 insertions(+), 28 deletions(-)
diff --git a/package.json b/package.json
index 469cdf29b0..6142921bf5 100644
--- a/package.json
+++ b/package.json
@@ -176,7 +176,7 @@
"babel-eslint": "^10.1.0",
"babel-jest": "^27.0.6",
"eslint": "^7.32.0",
- "eslint-plugin-import": "~2.24.0",
+ "eslint-plugin-import": "~2.24.1",
"eslint-plugin-jsx-a11y": "~6.4.1",
"eslint-plugin-promise": "~5.1.0",
"eslint-plugin-react": "~7.24.0",
diff --git a/yarn.lock b/yarn.lock
index f489dafb69..8dc3e6bae2 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -1581,11 +1581,6 @@
resolved "https://registry.yarnpkg.com/@types/json-schema/-/json-schema-7.0.6.tgz#f4c7ec43e81b319a9815115031709f26987891f0"
integrity sha512-3c+yGKvVP5Y9TYBEibGNR+kLtijnj7mYrXRg+WpFb2X9xm04g/DXYkfg4hmzJQosc9snFNUPkbYIhu+KAm6jJw==
-"@types/json5@^0.0.29":
- version "0.0.29"
- resolved "https://registry.yarnpkg.com/@types/json5/-/json5-0.0.29.tgz#ee28707ae94e11d2b827bcbe5270bcea7f3e71ee"
- integrity sha1-7ihweulOEdK4J7y+UnC86n8+ce4=
-
"@types/minimatch@*":
version "3.0.3"
resolved "https://registry.yarnpkg.com/@types/minimatch/-/minimatch-3.0.3.tgz#3dca0e3f33b200fc7d1139c0cd96c1268cadfd9d"
@@ -4338,10 +4333,10 @@ escope@^3.6.0:
esrecurse "^4.1.0"
estraverse "^4.1.1"
-eslint-import-resolver-node@^0.3.5:
- version "0.3.5"
- resolved "https://registry.yarnpkg.com/eslint-import-resolver-node/-/eslint-import-resolver-node-0.3.5.tgz#939bbb0f74e179e757ca87f7a4a890dabed18ac4"
- integrity sha512-XMoPKjSpXbkeJ7ZZ9icLnJMTY5Mc1kZbCakHquaFsXPpyWOwK0TK6CODO+0ca54UoM9LKOxyUNnoVZRl8TeaAg==
+eslint-import-resolver-node@^0.3.6:
+ version "0.3.6"
+ resolved "https://registry.yarnpkg.com/eslint-import-resolver-node/-/eslint-import-resolver-node-0.3.6.tgz#4048b958395da89668252001dbd9eca6b83bacbd"
+ integrity sha512-0En0w03NRVMn9Uiyn8YRPDKvWjxCWkslUEhGNTdGx15RvPJYQ+lbOlqrlNI2vEAs4pDYK4f/HN2TbDmk5TP0iw==
dependencies:
debug "^3.2.7"
resolve "^1.20.0"
@@ -4354,26 +4349,26 @@ eslint-module-utils@^2.6.2:
debug "^3.2.7"
pkg-dir "^2.0.0"
-eslint-plugin-import@~2.24.0:
- version "2.24.0"
- resolved "https://registry.yarnpkg.com/eslint-plugin-import/-/eslint-plugin-import-2.24.0.tgz#697ffd263e24da5e84e03b282f5fb62251777177"
- integrity sha512-Kc6xqT9hiYi2cgybOc0I2vC9OgAYga5o/rAFinam/yF/t5uBqxQbauNPMC6fgb640T/89P0gFoO27FOilJ/Cqg==
+eslint-plugin-import@~2.24.1:
+ version "2.24.1"
+ resolved "https://registry.yarnpkg.com/eslint-plugin-import/-/eslint-plugin-import-2.24.1.tgz#64aba8b567a1ba9921d5465586e86c491b8e2135"
+ integrity sha512-KSFWhNxPH8OGJwpRJJs+Z7I0a13E2iFQZJIvSnCu6KUs4qmgAm3xN9GYBCSoiGWmwA7gERZPXqYQjcoCROnYhQ==
dependencies:
array-includes "^3.1.3"
array.prototype.flat "^1.2.4"
debug "^2.6.9"
doctrine "^2.1.0"
- eslint-import-resolver-node "^0.3.5"
+ eslint-import-resolver-node "^0.3.6"
eslint-module-utils "^2.6.2"
find-up "^2.0.0"
has "^1.0.3"
- is-core-module "^2.4.0"
+ is-core-module "^2.6.0"
minimatch "^3.0.4"
- object.values "^1.1.3"
+ object.values "^1.1.4"
pkg-up "^2.0.0"
read-pkg-up "^3.0.0"
resolve "^1.20.0"
- tsconfig-paths "^3.9.0"
+ tsconfig-paths "^3.10.1"
eslint-plugin-jsx-a11y@~6.4.1:
version "6.4.1"
@@ -5966,10 +5961,10 @@ is-color-stop@^1.0.0:
rgb-regex "^1.0.1"
rgba-regex "^1.0.0"
-is-core-module@^2.2.0, is-core-module@^2.4.0:
- version "2.4.0"
- resolved "https://registry.yarnpkg.com/is-core-module/-/is-core-module-2.4.0.tgz#8e9fc8e15027b011418026e98f0e6f4d86305cc1"
- integrity sha512-6A2fkfq1rfeQZjxrZJGerpLCTHRNEBiSgnu0+obeJpEPZRUooHgsizvzv0ZjJwOz3iWIHdJtVWJ/tmPr3D21/A==
+is-core-module@^2.2.0, is-core-module@^2.6.0:
+ version "2.6.0"
+ resolved "https://registry.yarnpkg.com/is-core-module/-/is-core-module-2.6.0.tgz#d7553b2526fe59b92ba3e40c8df757ec8a709e19"
+ integrity sha512-wShG8vs60jKfPWpF2KZRaAtvt3a20OAn7+IJ6hLPECpSABLcKtFKTTI4ZtH5QcBruBHlq+WsdHWyz0BCZW7svQ==
dependencies:
has "^1.0.3"
@@ -6910,6 +6905,13 @@ json5@^2.1.2:
dependencies:
minimist "^1.2.5"
+json5@^2.2.0:
+ version "2.2.0"
+ resolved "https://registry.yarnpkg.com/json5/-/json5-2.2.0.tgz#2dfefe720c6ba525d9ebd909950f0515316c89a3"
+ integrity sha512-f+8cldu7X/y7RAJurMEJmdoKXGB/X550w2Nr3tTbezL6RwEE/iMcm+tZnXeoZtKuOq6ft8+CqzEkrIgx1fPoQA==
+ dependencies:
+ minimist "^1.2.5"
+
jsonfile@^3.0.0:
version "3.0.1"
resolved "https://registry.yarnpkg.com/jsonfile/-/jsonfile-3.0.1.tgz#a5ecc6f65f53f662c4415c7675a0331d0992ec66"
@@ -11005,13 +11007,12 @@ ts-essentials@^2.0.3:
resolved "https://registry.yarnpkg.com/ts-essentials/-/ts-essentials-2.0.12.tgz#c9303f3d74f75fa7528c3d49b80e089ab09d8745"
integrity sha512-3IVX4nI6B5cc31/GFFE+i8ey/N2eA0CZDbo6n0yrz0zDX8ZJ8djmU1p+XRz7G3is0F3bB3pu2pAroFdAWQKU3w==
-tsconfig-paths@^3.9.0:
- version "3.9.0"
- resolved "https://registry.yarnpkg.com/tsconfig-paths/-/tsconfig-paths-3.9.0.tgz#098547a6c4448807e8fcb8eae081064ee9a3c90b"
- integrity sha512-dRcuzokWhajtZWkQsDVKbWyY+jgcLC5sqJhg2PSgf4ZkH2aHPvaOY8YWGhmjb68b5qqTfasSsDO9k7RUiEmZAw==
+tsconfig-paths@^3.10.1:
+ version "3.10.1"
+ resolved "https://registry.yarnpkg.com/tsconfig-paths/-/tsconfig-paths-3.10.1.tgz#79ae67a68c15289fdf5c51cb74f397522d795ed7"
+ integrity sha512-rETidPDgCpltxF7MjBZlAFPUHv5aHH2MymyPvh+vEyWAED4Eb/WeMbsnD/JDr4OKPOA1TssDHgIcpTN5Kh0p6Q==
dependencies:
- "@types/json5" "^0.0.29"
- json5 "^1.0.1"
+ json5 "^2.2.0"
minimist "^1.2.0"
strip-bom "^3.0.0"
From eb30899df2fad0cccd756d808a2becfcebebd3a2 Mon Sep 17 00:00:00 2001
From: Daniel <git@baby-gnu.org>
Date: Wed, 25 Aug 2021 15:40:56 +0000
Subject: [PATCH 4/9] Fix undefined variable for
Auth::OmniauthCallbacksController (#16654)
The addition of authentication history broke the omniauth login with
the following error:
method=GET path=/auth/auth/cas/callback format=html
controller=Auth::OmniauthCallbacksController action=cas status=500
error='NameError: undefined local variable or method `user' for
#<Auth::OmniauthCallbacksController:0x00000000036290>
Did you mean? @user' duration=435.93 view=0.00 db=36.19
* app/controllers/auth/omniauth_callbacks_controller.rb: fix variable
name to `@user`
---
app/controllers/auth/omniauth_callbacks_controller.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/controllers/auth/omniauth_callbacks_controller.rb b/app/controllers/auth/omniauth_callbacks_controller.rb
index 7925e23cb5..991a50b034 100644
--- a/app/controllers/auth/omniauth_callbacks_controller.rb
+++ b/app/controllers/auth/omniauth_callbacks_controller.rb
@@ -11,7 +11,7 @@ class Auth::OmniauthCallbacksController < Devise::OmniauthCallbacksController
if @user.persisted?
LoginActivity.create(
- user: user,
+ user: @user,
success: true,
authentication_method: :omniauth,
provider: provider,
From 28796d134241f9500d78365aaf1c93579f5e78e8 Mon Sep 17 00:00:00 2001
From: matildepark <matilde.park@pm.me>
Date: Wed, 25 Aug 2021 11:46:29 -0400
Subject: [PATCH 5/9] Fix follow request count to dynamically update (#16652)
---
app/javascript/mastodon/actions/notifications.js | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/app/javascript/mastodon/actions/notifications.js b/app/javascript/mastodon/actions/notifications.js
index 3464ac9959..663cf21e34 100644
--- a/app/javascript/mastodon/actions/notifications.js
+++ b/app/javascript/mastodon/actions/notifications.js
@@ -1,6 +1,6 @@
import api, { getLinks } from '../api';
import IntlMessageFormat from 'intl-messageformat';
-import { fetchRelationships } from './accounts';
+import { fetchFollowRequests, fetchRelationships } from './accounts';
import {
importFetchedAccount,
importFetchedAccounts,
@@ -78,6 +78,10 @@ export function updateNotifications(notification, intlMessages, intlLocale) {
filtered = regex && regex.test(searchIndex);
}
+ if (['follow_request'].includes(notification.type)) {
+ dispatch(fetchFollowRequests());
+ }
+
dispatch(submitMarkers());
if (showInColumn) {
From fc9f57c4422e53738bd6fb884c55d5d89cf88b8b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 26 Aug 2021 01:39:55 +0900
Subject: [PATCH 6/9] Bump rails from 6.1.4 to 6.1.4.1 (#16650)
Bumps [rails](https://github.com/rails/rails) from 6.1.4 to 6.1.4.1.
- [Release notes](https://github.com/rails/rails/releases)
- [Commits](https://github.com/rails/rails/compare/v6.1.4...v6.1.4.1)
---
updated-dependencies:
- dependency-name: rails
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
Gemfile.lock | 116 +++++++++++++++++++++++++--------------------------
1 file changed, 58 insertions(+), 58 deletions(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index 5562cae82d..9171072ad2 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,40 +1,40 @@
GEM
remote: https://rubygems.org/
specs:
- actioncable (6.1.4)
- actionpack (= 6.1.4)
- activesupport (= 6.1.4)
+ actioncable (6.1.4.1)
+ actionpack (= 6.1.4.1)
+ activesupport (= 6.1.4.1)
nio4r (~> 2.0)
websocket-driver (>= 0.6.1)
- actionmailbox (6.1.4)
- actionpack (= 6.1.4)
- activejob (= 6.1.4)
- activerecord (= 6.1.4)
- activestorage (= 6.1.4)
- activesupport (= 6.1.4)
+ actionmailbox (6.1.4.1)
+ actionpack (= 6.1.4.1)
+ activejob (= 6.1.4.1)
+ activerecord (= 6.1.4.1)
+ activestorage (= 6.1.4.1)
+ activesupport (= 6.1.4.1)
mail (>= 2.7.1)
- actionmailer (6.1.4)
- actionpack (= 6.1.4)
- actionview (= 6.1.4)
- activejob (= 6.1.4)
- activesupport (= 6.1.4)
+ actionmailer (6.1.4.1)
+ actionpack (= 6.1.4.1)
+ actionview (= 6.1.4.1)
+ activejob (= 6.1.4.1)
+ activesupport (= 6.1.4.1)
mail (~> 2.5, >= 2.5.4)
rails-dom-testing (~> 2.0)
- actionpack (6.1.4)
- actionview (= 6.1.4)
- activesupport (= 6.1.4)
+ actionpack (6.1.4.1)
+ actionview (= 6.1.4.1)
+ activesupport (= 6.1.4.1)
rack (~> 2.0, >= 2.0.9)
rack-test (>= 0.6.3)
rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.0, >= 1.2.0)
- actiontext (6.1.4)
- actionpack (= 6.1.4)
- activerecord (= 6.1.4)
- activestorage (= 6.1.4)
- activesupport (= 6.1.4)
+ actiontext (6.1.4.1)
+ actionpack (= 6.1.4.1)
+ activerecord (= 6.1.4.1)
+ activestorage (= 6.1.4.1)
+ activesupport (= 6.1.4.1)
nokogiri (>= 1.8.5)
- actionview (6.1.4)
- activesupport (= 6.1.4)
+ actionview (6.1.4.1)
+ activesupport (= 6.1.4.1)
builder (~> 3.1)
erubi (~> 1.4)
rails-dom-testing (~> 2.0)
@@ -45,22 +45,22 @@ GEM
case_transform (>= 0.2)
jsonapi-renderer (>= 0.1.1.beta1, < 0.3)
active_record_query_trace (1.8)
- activejob (6.1.4)
- activesupport (= 6.1.4)
+ activejob (6.1.4.1)
+ activesupport (= 6.1.4.1)
globalid (>= 0.3.6)
- activemodel (6.1.4)
- activesupport (= 6.1.4)
- activerecord (6.1.4)
- activemodel (= 6.1.4)
- activesupport (= 6.1.4)
- activestorage (6.1.4)
- actionpack (= 6.1.4)
- activejob (= 6.1.4)
- activerecord (= 6.1.4)
- activesupport (= 6.1.4)
+ activemodel (6.1.4.1)
+ activesupport (= 6.1.4.1)
+ activerecord (6.1.4.1)
+ activemodel (= 6.1.4.1)
+ activesupport (= 6.1.4.1)
+ activestorage (6.1.4.1)
+ actionpack (= 6.1.4.1)
+ activejob (= 6.1.4.1)
+ activerecord (= 6.1.4.1)
+ activesupport (= 6.1.4.1)
marcel (~> 1.0.0)
mini_mime (>= 1.1.0)
- activesupport (6.1.4)
+ activesupport (6.1.4.1)
concurrent-ruby (~> 1.0, >= 1.0.2)
i18n (>= 1.6, < 2)
minitest (>= 5.1)
@@ -243,8 +243,8 @@ GEM
fuubar (2.5.1)
rspec-core (~> 3.0)
ruby-progressbar (~> 1.4)
- globalid (0.4.2)
- activesupport (>= 4.2.0)
+ globalid (0.5.2)
+ activesupport (>= 5.0)
hamlit (2.13.0)
temple (>= 0.8.2)
thor
@@ -353,7 +353,7 @@ GEM
mimemagic (0.3.10)
nokogiri (~> 1)
rake
- mini_mime (1.1.0)
+ mini_mime (1.1.1)
mini_portile2 (2.6.1)
minitest (5.14.4)
msgpack (1.4.2)
@@ -363,7 +363,7 @@ GEM
net-scp (3.0.0)
net-ssh (>= 2.6.5, < 7.0.0)
net-ssh (6.1.0)
- nio4r (2.5.7)
+ nio4r (2.5.8)
nokogiri (1.12.3)
mini_portile2 (~> 2.6.1)
racc (~> 1.4)
@@ -441,20 +441,20 @@ GEM
rack
rack-test (1.1.0)
rack (>= 1.0, < 3)
- rails (6.1.4)
- actioncable (= 6.1.4)
- actionmailbox (= 6.1.4)
- actionmailer (= 6.1.4)
- actionpack (= 6.1.4)
- actiontext (= 6.1.4)
- actionview (= 6.1.4)
- activejob (= 6.1.4)
- activemodel (= 6.1.4)
- activerecord (= 6.1.4)
- activestorage (= 6.1.4)
- activesupport (= 6.1.4)
+ rails (6.1.4.1)
+ actioncable (= 6.1.4.1)
+ actionmailbox (= 6.1.4.1)
+ actionmailer (= 6.1.4.1)
+ actionpack (= 6.1.4.1)
+ actiontext (= 6.1.4.1)
+ actionview (= 6.1.4.1)
+ activejob (= 6.1.4.1)
+ activemodel (= 6.1.4.1)
+ activerecord (= 6.1.4.1)
+ activestorage (= 6.1.4.1)
+ activesupport (= 6.1.4.1)
bundler (>= 1.15.0)
- railties (= 6.1.4)
+ railties (= 6.1.4.1)
sprockets-rails (>= 2.0.0)
rails-controller-testing (1.0.5)
actionpack (>= 5.0.1.rc1)
@@ -463,16 +463,16 @@ GEM
rails-dom-testing (2.0.3)
activesupport (>= 4.2.0)
nokogiri (>= 1.6)
- rails-html-sanitizer (1.3.0)
+ rails-html-sanitizer (1.4.1)
loofah (~> 2.3)
rails-i18n (6.0.0)
i18n (>= 0.7, < 2)
railties (>= 6.0.0, < 7)
rails-settings-cached (0.6.6)
rails (>= 4.2.0)
- railties (6.1.4)
- actionpack (= 6.1.4)
- activesupport (= 6.1.4)
+ railties (6.1.4.1)
+ actionpack (= 6.1.4.1)
+ activesupport (= 6.1.4.1)
method_source
rake (>= 0.13)
thor (~> 1.0)
From 8632cc7dc5b4e26859c31272121a9c4be2cb8190 Mon Sep 17 00:00:00 2001
From: Daniel <git@baby-gnu.org>
Date: Wed, 25 Aug 2021 16:41:24 +0000
Subject: [PATCH 7/9] New env variable: CAS_SECURITY_ASSUME_EMAIL_IS_VERIFIED
(#16655)
When using a CAS server, the users only have a temporary email
`change@me-foo-cas.com` which can't be changed but by an
administrator.
We need a new environment variable like for SAML to assume the email
from CAS is verified.
* config/initializers/omniauth.rb: define CAS option for assuming
email are always verified.
* .env.nanobox: add new variable as an example.
---
.env.nanobox | 1 +
config/initializers/omniauth.rb | 2 ++
2 files changed, 3 insertions(+)
diff --git a/.env.nanobox b/.env.nanobox
index 5951777a2d..d61673836b 100644
--- a/.env.nanobox
+++ b/.env.nanobox
@@ -228,6 +228,7 @@ SMTP_FROM_ADDRESS=notifications@${APP_NAME}.nanoapp.io
# CAS_LOCATION_KEY='location'
# CAS_IMAGE_KEY='image'
# CAS_PHONE_KEY='phone'
+# CAS_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
# Optional SAML authentication (cf. omniauth-saml)
# SAML_ENABLED=true
diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
index 9e037f421f..5039b4c1f0 100644
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@@ -30,6 +30,8 @@ Devise.setup do |config|
cas_options[:location_key] = ENV['CAS_LOCATION_KEY'] || 'location'
cas_options[:image_key] = ENV['CAS_IMAGE_KEY'] || 'image'
cas_options[:phone_key] = ENV['CAS_PHONE_KEY'] || 'phone'
+ cas_options[:security] = {}
+ cas_options[:security][:assume_email_is_verified] = ENV['CAS_SECURITY_ASSUME_EMAIL_IS_VERIFIED'] == 'true'
config.omniauth :cas, cas_options
end
From 84566f17dee9f373973b51dfe5e8bea15a3dfb08 Mon Sep 17 00:00:00 2001
From: Claire <claire.github-309c@sitedethib.com>
Date: Wed, 25 Aug 2021 22:52:41 +0200
Subject: [PATCH 8/9] Fix authentication failures after going halfway through a
sign-in attempt (#16607)
* Add tests
* Add security-related tests
My first (unpublished) attempt at fixing the issues introduced (extremely
hard-to-exploit) security vulnerabilities, addressing them in a test.
* Fix authentication failures after going halfway through a sign-in attempt
* Refactor `authenticate_with_sign_in_token` and `authenticate_with_two_factor` to make the two authentication steps more obvious
---
app/controllers/auth/sessions_controller.rb | 16 ++-
.../sign_in_token_authentication_concern.rb | 18 +--
.../two_factor_authentication_concern.rb | 22 ++--
.../auth/sessions_controller_spec.rb | 109 ++++++++++++++++++
4 files changed, 143 insertions(+), 22 deletions(-)
diff --git a/app/controllers/auth/sessions_controller.rb b/app/controllers/auth/sessions_controller.rb
index 9c73b39e28..7afd09e108 100644
--- a/app/controllers/auth/sessions_controller.rb
+++ b/app/controllers/auth/sessions_controller.rb
@@ -58,16 +58,20 @@ class Auth::SessionsController < Devise::SessionsController
protected
def find_user
- if session[:attempt_user_id]
+ if user_params[:email].present?
+ find_user_from_params
+ elsif session[:attempt_user_id]
User.find_by(id: session[:attempt_user_id])
- else
- user = User.authenticate_with_ldap(user_params) if Devise.ldap_authentication
- user ||= User.authenticate_with_pam(user_params) if Devise.pam_authentication
- user ||= User.find_for_authentication(email: user_params[:email])
- user
end
end
+ def find_user_from_params
+ user = User.authenticate_with_ldap(user_params) if Devise.ldap_authentication
+ user ||= User.authenticate_with_pam(user_params) if Devise.pam_authentication
+ user ||= User.find_for_authentication(email: user_params[:email])
+ user
+ end
+
def user_params
params.require(:user).permit(:email, :password, :otp_attempt, :sign_in_token_attempt, credential: {})
end
diff --git a/app/controllers/concerns/sign_in_token_authentication_concern.rb b/app/controllers/concerns/sign_in_token_authentication_concern.rb
index cbee84569b..384c5c50c8 100644
--- a/app/controllers/concerns/sign_in_token_authentication_concern.rb
+++ b/app/controllers/concerns/sign_in_token_authentication_concern.rb
@@ -16,14 +16,18 @@ module SignInTokenAuthenticationConcern
end
def authenticate_with_sign_in_token
- user = self.resource = find_user
+ if user_params[:email].present?
+ user = self.resource = find_user_from_params
+ prompt_for_sign_in_token(user) if user&.external_or_valid_password?(user_params[:password])
+ elsif session[:attempt_user_id]
+ user = self.resource = User.find_by(id: session[:attempt_user_id])
+ return if user.nil?
- if user.present? && session[:attempt_user_id].present? && session[:attempt_user_updated_at] != user.updated_at.to_s
- restart_session
- elsif user_params.key?(:sign_in_token_attempt) && session[:attempt_user_id]
- authenticate_with_sign_in_token_attempt(user)
- elsif user.present? && user.external_or_valid_password?(user_params[:password])
- prompt_for_sign_in_token(user)
+ if session[:attempt_user_updated_at] != user.updated_at.to_s
+ restart_session
+ elsif user_params.key?(:sign_in_token_attempt)
+ authenticate_with_sign_in_token_attempt(user)
+ end
end
end
diff --git a/app/controllers/concerns/two_factor_authentication_concern.rb b/app/controllers/concerns/two_factor_authentication_concern.rb
index 909ab77179..2583d324b5 100644
--- a/app/controllers/concerns/two_factor_authentication_concern.rb
+++ b/app/controllers/concerns/two_factor_authentication_concern.rb
@@ -35,16 +35,20 @@ module TwoFactorAuthenticationConcern
end
def authenticate_with_two_factor
- user = self.resource = find_user
+ if user_params[:email].present?
+ user = self.resource = find_user_from_params
+ prompt_for_two_factor(user) if user&.external_or_valid_password?(user_params[:password])
+ elsif session[:attempt_user_id]
+ user = self.resource = User.find_by(id: session[:attempt_user_id])
+ return if user.nil?
- if user.present? && session[:attempt_user_id].present? && session[:attempt_user_updated_at] != user.updated_at.to_s
- restart_session
- elsif user.webauthn_enabled? && user_params.key?(:credential) && session[:attempt_user_id]
- authenticate_with_two_factor_via_webauthn(user)
- elsif user_params.key?(:otp_attempt) && session[:attempt_user_id]
- authenticate_with_two_factor_via_otp(user)
- elsif user.present? && user.external_or_valid_password?(user_params[:password])
- prompt_for_two_factor(user)
+ if session[:attempt_user_updated_at] != user.updated_at.to_s
+ restart_session
+ elsif user.webauthn_enabled? && user_params.key?(:credential)
+ authenticate_with_two_factor_via_webauthn(user)
+ elsif user_params.key?(:otp_attempt)
+ authenticate_with_two_factor_via_otp(user)
+ end
end
end
diff --git a/spec/controllers/auth/sessions_controller_spec.rb b/spec/controllers/auth/sessions_controller_spec.rb
index d03ae51e86..051a0807db 100644
--- a/spec/controllers/auth/sessions_controller_spec.rb
+++ b/spec/controllers/auth/sessions_controller_spec.rb
@@ -206,6 +206,38 @@ RSpec.describe Auth::SessionsController, type: :controller do
end
end
+ context 'using email and password after an unfinished log-in attempt to a 2FA-protected account' do
+ let!(:other_user) do
+ Fabricate(:user, email: 'z@y.com', password: 'abcdefgh', otp_required_for_login: true, otp_secret: User.generate_otp_secret(32))
+ end
+
+ before do
+ post :create, params: { user: { email: other_user.email, password: other_user.password } }
+ post :create, params: { user: { email: user.email, password: user.password } }
+ end
+
+ it 'renders two factor authentication page' do
+ expect(controller).to render_template("two_factor")
+ expect(controller).to render_template(partial: "_otp_authentication_form")
+ end
+ end
+
+ context 'using email and password after an unfinished log-in attempt with a sign-in token challenge' do
+ let!(:other_user) do
+ Fabricate(:user, email: 'z@y.com', password: 'abcdefgh', otp_required_for_login: false, current_sign_in_at: 1.month.ago)
+ end
+
+ before do
+ post :create, params: { user: { email: other_user.email, password: other_user.password } }
+ post :create, params: { user: { email: user.email, password: user.password } }
+ end
+
+ it 'renders two factor authentication page' do
+ expect(controller).to render_template("two_factor")
+ expect(controller).to render_template(partial: "_otp_authentication_form")
+ end
+ end
+
context 'using upcase email and password' do
before do
post :create, params: { user: { email: user.email.upcase, password: user.password } }
@@ -231,6 +263,21 @@ RSpec.describe Auth::SessionsController, type: :controller do
end
end
+ context 'using a valid OTP, attempting to leverage previous half-login to bypass password auth' do
+ let!(:other_user) do
+ Fabricate(:user, email: 'z@y.com', password: 'abcdefgh', otp_required_for_login: false, current_sign_in_at: 1.month.ago)
+ end
+
+ before do
+ post :create, params: { user: { email: other_user.email, password: other_user.password } }
+ post :create, params: { user: { email: user.email, otp_attempt: user.current_otp } }, session: { attempt_user_updated_at: user.updated_at.to_s }
+ end
+
+ it "doesn't log the user in" do
+ expect(controller.current_user).to be_nil
+ end
+ end
+
context 'when the server has an decryption error' do
before do
allow_any_instance_of(User).to receive(:validate_and_consume_otp!).and_raise(OpenSSL::Cipher::CipherError)
@@ -380,6 +427,52 @@ RSpec.describe Auth::SessionsController, type: :controller do
end
end
+ context 'using email and password after an unfinished log-in attempt to a 2FA-protected account' do
+ let!(:other_user) do
+ Fabricate(:user, email: 'z@y.com', password: 'abcdefgh', otp_required_for_login: true, otp_secret: User.generate_otp_secret(32))
+ end
+
+ before do
+ post :create, params: { user: { email: other_user.email, password: other_user.password } }
+ post :create, params: { user: { email: user.email, password: user.password } }
+ end
+
+ it 'renders sign in token authentication page' do
+ expect(controller).to render_template("sign_in_token")
+ end
+
+ it 'generates sign in token' do
+ expect(user.reload.sign_in_token).to_not be_nil
+ end
+
+ it 'sends sign in token e-mail' do
+ expect(UserMailer).to have_received(:sign_in_token)
+ end
+ end
+
+ context 'using email and password after an unfinished log-in attempt with a sign-in token challenge' do
+ let!(:other_user) do
+ Fabricate(:user, email: 'z@y.com', password: 'abcdefgh', otp_required_for_login: false, current_sign_in_at: 1.month.ago)
+ end
+
+ before do
+ post :create, params: { user: { email: other_user.email, password: other_user.password } }
+ post :create, params: { user: { email: user.email, password: user.password } }
+ end
+
+ it 'renders sign in token authentication page' do
+ expect(controller).to render_template("sign_in_token")
+ end
+
+ it 'generates sign in token' do
+ expect(user.reload.sign_in_token).to_not be_nil
+ end
+
+ it 'sends sign in token e-mail' do
+ expect(UserMailer).to have_received(:sign_in_token).with(user, any_args)
+ end
+ end
+
context 'using a valid sign in token' do
before do
user.generate_sign_in_token && user.save
@@ -395,6 +488,22 @@ RSpec.describe Auth::SessionsController, type: :controller do
end
end
+ context 'using a valid sign in token, attempting to leverage previous half-login to bypass password auth' do
+ let!(:other_user) do
+ Fabricate(:user, email: 'z@y.com', password: 'abcdefgh', otp_required_for_login: false, current_sign_in_at: 1.month.ago)
+ end
+
+ before do
+ user.generate_sign_in_token && user.save
+ post :create, params: { user: { email: other_user.email, password: other_user.password } }
+ post :create, params: { user: { email: user.email, sign_in_token_attempt: user.sign_in_token } }, session: { attempt_user_updated_at: user.updated_at.to_s }
+ end
+
+ it "doesn't log the user in" do
+ expect(controller.current_user).to be_nil
+ end
+ end
+
context 'using an invalid sign in token' do
before do
post :create, params: { user: { sign_in_token_attempt: 'wrongotp' } }, session: { attempt_user_id: user.id, attempt_user_updated_at: user.updated_at.to_s }
From 567021abebc79d5b37a2f995ba3d58f011210001 Mon Sep 17 00:00:00 2001
From: Truong Nguyen <truongnmt.dev@gmail.com>
Date: Thu, 26 Aug 2021 23:51:22 +0900
Subject: [PATCH 9/9] Explicitly set userVerification to discoraged (#16545)
---
app/controllers/auth/sessions_controller.rb | 5 ++++-
.../webauthn_credentials_controller.rb | 3 ++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/app/controllers/auth/sessions_controller.rb b/app/controllers/auth/sessions_controller.rb
index 7afd09e108..2c3d510cbf 100644
--- a/app/controllers/auth/sessions_controller.rb
+++ b/app/controllers/auth/sessions_controller.rb
@@ -45,7 +45,10 @@ class Auth::SessionsController < Devise::SessionsController
user = find_user
if user&.webauthn_enabled?
- options_for_get = WebAuthn::Credential.options_for_get(allow: user.webauthn_credentials.pluck(:external_id))
+ options_for_get = WebAuthn::Credential.options_for_get(
+ allow: user.webauthn_credentials.pluck(:external_id),
+ user_verification: 'discouraged'
+ )
session[:webauthn_challenge] = options_for_get.challenge
diff --git a/app/controllers/settings/two_factor_authentication/webauthn_credentials_controller.rb b/app/controllers/settings/two_factor_authentication/webauthn_credentials_controller.rb
index 1c557092ba..a50d30f06f 100644
--- a/app/controllers/settings/two_factor_authentication/webauthn_credentials_controller.rb
+++ b/app/controllers/settings/two_factor_authentication/webauthn_credentials_controller.rb
@@ -21,7 +21,8 @@ module Settings
display_name: current_user.account.username,
id: current_user.webauthn_id,
},
- exclude: current_user.webauthn_credentials.pluck(:external_id)
+ exclude: current_user.webauthn_credentials.pluck(:external_id),
+ authenticator_selection: { user_verification: 'discouraged' }
)
session[:webauthn_challenge] = options_for_create.challenge