Commit Graph

55 Commits (e5bfdb946464d96a6b3f5536ff24af5a381ca3b6)

Author SHA1 Message Date
santiagorodriguez96 f142983484 Add WebAuthn as an alternative 2FA method (#14466)
* feat: add possibility of adding WebAuthn security keys to use as 2FA

This adds a basic UI for enabling WebAuthn 2FA. We did a little refactor
to the Settings page for editing the 2FA methods – now it will list the
methods that are available to the user (TOTP and WebAuthn) and from
there they'll be able to add or remove any of them.
Also, it's worth mentioning that for enabling WebAuthn it's required to
have TOTP enabled, so the first time that you go to the 2FA Settings
page, you'll be asked to set it up.
This work was inspired by the one donde by Github in their platform, and
despite it could be approached in different ways, we decided to go with
this one given that we feel that this gives a great UX.

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>

* feat: add request for WebAuthn as second factor at login if enabled

This commits adds the feature for using WebAuthn as a second factor for
login when enabled.
If users have WebAuthn enabled, now a page requesting for the use of a
WebAuthn credential for log in will appear, although a link redirecting
to the old page for logging in using a two-factor code will also be
present.

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>

* feat: add possibility of deleting WebAuthn Credentials

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>

* feat: disable WebAuthn when an Admin disables 2FA for a user

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>

* feat: remove ability to disable TOTP leaving only WebAuthn as 2FA

Following examples form other platforms like Github, we decided to make
Webauthn 2FA secondary to 2FA with TOTP, so that we removed the
possibility of removing TOTP authentication only, leaving users with
just WEbAuthn as 2FA. Instead, users will have to click on 'Disable 2FA'
in order to remove second factor auth.
The reason for WebAuthn being secondary to TOPT is that in that way,
users will still be able to log in using their code from their phone's
application if they don't have their security keys with them – or maybe
even lost them.

* We had to change a little the flow for setting up TOTP, given that now
  it's possible to setting up again if you already had TOTP, in order to
  let users modify their authenticator app – given that now it's not
  possible for them to disable TOTP and set it up again with another
  authenticator app.
  So, basically, now instead of storing the new `otp_secret` in the
  user, we store it in the session until the process of set up is
  finished.
  This was because, as it was before, when users clicked on 'Edit' in
  the new two-factor methods lists page, but then went back without
  finishing the flow, their `otp_secret` had been changed therefore
  invalidating their previous authenticator app, making them unable to
  log in again using TOTP.

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>

* refactor: fix eslint errors

The PR build was failing given that linting returning some errors.
This commit attempts to fix them.

* refactor: normalize i18n translations

The build was failing given that i18n translations files were not
normalized.
This commits fixes that.

* refactor: avoid having the webauthn gem locked to a specific version

* refactor: use symbols for routes without '/'

* refactor: avoid sending webauthn disabled email when 2FA is disabled

When an admins disable 2FA for users, we were sending two mails
to them, one notifying that 2FA was disabled and the other to notify
that WebAuthn was disabled.
As the second one is redundant since the first email includes it, we can
remove it and send just one email to users.

* refactor: avoid creating new env variable for webauthn_origin config

* refactor: improve flash error messages for webauthn pages

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>
2020-08-24 16:46:27 +02:00
Eugen Rochko f95fd62bac Add announcements (#12662)
* Add announcements

Fix #11006

* Add reactions to announcements

* Add admin UI for announcements

* Add unit tests

* Fix issues

- Add `with_dismissed` param to announcements API
- Fix end date not being formatted when time range is given
- Fix announcement delete causing reactions to send streaming updates
- Fix announcements container growing too wide and mascot too small
- Fix `all_day` being settable when no time range is given
- Change text "Update" to "Announcement"

* Fix scheduler unpublishing announcements before they are due

* Fix filter params not being passed to announcements filter
2020-01-23 22:00:13 +01:00
Eugen Rochko 67796a267d Fix relays UI being available in whitelist/secure mode (#11963)
Fix relays UI referencing relay that is not functional
2019-09-27 02:13:34 +02:00
Eugen Rochko a2d3728c36 Add account migration UI (#11846)
Fix #10736

- Change data export to be available for non-functional accounts
- Change non-functional accounts to include redirecting accounts
2019-09-19 20:58:19 +02:00
Eugen Rochko 05e9cd13eb Change admin UI for hashtags and add back whitelisted trends (#11490)
Fix #271

Add back the `GET /api/v1/trends` API with the caveat that it does
not return tags that have not been allowed to trend by the staff.

When a hashtag begins to trend (internally) and that hashtag has
not been previously reviewed by the staff, the staff is notified.

The new admin UI for hashtags allows filtering hashtags by where
they are used (e.g. in the profile directory), whether they have
been reviewed or are pending reviewal, they show by how many people
the hashtag is used in the directory, how many people used it
today, how many statuses with it have been created today, and it
allows fixing the name of the hashtag to make it more readable.

The disallowed hashtags feature has been reworked. It is now
controlled from the admin UI for hashtags instead of from
the file `config/settings.yml`
2019-08-05 19:54:29 +02:00
Eugen Rochko 825dc3ca22 Add whitelist mode (#11291) 2019-07-30 11:10:46 +02:00
ThibG 9000d604e9 Change settings to show restricted accounts only what they have access to (#11394)
Follow-up to 6be7b414e2
2019-07-25 04:22:09 +02:00
Eugen Rochko 4931208dd8 Remove Salmon and PubSubHubbub (#11205)
* Remove Salmon and PubSubHubbub endpoints

* Add error when trying to follow OStatus accounts

* Fix new accounts not being created in ResolveAccountService
2019-07-06 23:26:16 +02:00
Eugen Rochko b788e58ea4 Change /settings/preferences to redirect to appearance, add /settings/preferences/other (#10988) 2019-06-07 16:51:08 +02:00
Eugen Rochko 8bf8d6d9d9 Change preferences page into appearance, notifications, and other (#10977) 2019-06-07 03:39:24 +02:00
Eugen Rochko 75ab8cef8f Change the groupings of menu items in settings navigation (#10533)
* Change the groupings of menu items in settings navigation

Fix #10307

* Remove unused translations
2019-04-10 03:47:11 +02:00
Eugen Rochko c34a7f5bd2 Add batch actions for approving and rejecting pending accounts (#10469) 2019-04-06 17:53:45 +02:00
Eugen Rochko c53f06b2c0 Do not show identity proofs menu item unless there are identity proofs (#10350) 2019-03-23 14:07:46 +01:00
Eugen Rochko c21bdc81d3 Add validations to admin settings (#10348)
* Add validations to admin settings

- Validate correct HTML markup
- Validate presence of contact username & e-mail
- Validate that all usernames are valid
- Validate that enums have expected values

* Fix code style issue

* Fix tests
2019-03-23 14:07:04 +01:00
Eugen Rochko a3c41f3532 Add Keybase integration (#10297)
* create account_identity_proofs table

* add endpoint for keybase to check local proofs

* add async task to update validity and liveness of proofs from keybase

* first pass keybase proof CRUD

* second pass keybase proof creation

* clean up proof list and add badges

* add avatar url to keybase api

* Always highlight the “Identity Proofs” navigation item when interacting with proofs.

* Update translations.

* Add profile URL.

* Reorder proofs.

* Add proofs to bio.

* Update settings/identity_proofs front-end.

* Use `link_to`.

* Only encode query params if they exist.

URLs without params had a trailing `?`.

* Only show live proofs.

* change valid to active in proof list and update liveness before displaying

* minor fixes

* add keybase config at well-known path

* extremely naive feature flagging off the identity proof UI

* fixes for rubocop

* make identity proofs page resilient to potential keybase issues

* normalize i18n

* tweaks for brakeman

* remove two unused translations

* cleanup and add more localizations

* make keybase_contacts an admin setting

* fix ExternalProofService my_domain

* use Addressable::URI in identity proofs

* use active model serializer for keybase proof config

* more cleanup of keybase proof config

* rename proof is_valid and is_live to proof_valid and proof_live

* cleanup

* assorted tweaks for more robust communication with keybase

* Clean up

* Small fixes

* Display verified identity identically to verified links

* Clean up unused CSS

* Add caching for Keybase avatar URLs

* Remove keybase_contacts setting
2019-03-18 21:00:55 +01:00
Eugen Rochko 4fa2d55d4e Add relationship manager UI (#10268) 2019-03-16 11:23:22 +01:00
Eugen Rochko d2d4d38f22 Add featured hashtags to profiles (#9755)
* Add hashtag filter to profiles

GET /@:username/tagged/:hashtag
GET /api/v1/accounts/:id/statuses?tagged=:hashtag

* Display featured hashtags on public profile

* Use separate model for featured tags

* Update featured hashtag counters on-write

* Limit featured tags to 10
2019-02-04 04:25:59 +01:00
Eugen Rochko 0cba7e7ebb Change "federation" admin UI link to point to "limited" domains (#9762) 2019-01-08 17:41:27 +01:00
Eugen Rochko f2ec1803cb Redesign admin instances area (#9645) 2019-01-08 13:39:49 +01:00
Eugen Rochko fd8ca11f19 Add profile directory (#9427)
Fix #5578
2018-12-06 17:36:11 +01:00
Eugen Rochko ad0670fe87 Revert Font Awesome 5 upgrade (#8810)
* Revert "Fix some icon names changed by the Font Awesome 5. (#8796)"

This reverts commit c8a1e945d9.

* Revert "Migrate to font-awesome 5.0. (#8799)"

This reverts commit ae20afbc80.

* Revert "Fix some icons names, unavailable in fontawesome5 (free license). (#8792)"

This reverts commit 30b1bb0704.

* Revert "Update the icon name changed by the Font Awesome 5. (#8776)"

This reverts commit 84bcf89764.

* Revert "Add bot icon to bot avatars and migrate to newer version of Font Awesome (#8484)"

This reverts commit cc784f3c16.
2018-09-28 02:11:14 +02:00
mayaeh 84bcf89764 Update the icon name changed by the Font Awesome 5. (#8776) 2018-09-25 15:52:12 +02:00
Eugen Rochko d0b14eaee2 Add admin dashboard (#8029) 2018-07-16 01:11:53 +02:00
Eugen Rochko 171c20ce72 Add federation relay support (#7998)
* Add federation relay support

* Add admin UI for managing relays

* Include actor on relay-related activities

* Fix i18n
2018-07-13 02:16:06 +02:00
Eugen Rochko d878e3e945 Keyword/phrase filtering (#7905)
* Add keyword filtering

    GET|POST       /api/v1/filters
    GET|PUT|DELETE /api/v1/filters/:id

- Irreversible filters can drop toots from home or notifications
- Other filters can hide toots through the client app
- Filters use a phrase valid in particular contexts, expiration

* Make sure expired filters don't get applied client-side

* Add missing API methods

* Remove "regex filter" from column settings

* Add tests

* Add test for FeedManager

* Add CustomFilter test

* Add UI for managing filters

* Add streaming API event to allow syncing filters

* Fix tests
2018-06-29 15:34:36 +02:00
Sylvhem 18d4e03e6b Add headings to the security settings page (#6661)
* Changes the headings' rank of the security settings section

This commit changes the existing headings' rank of the security settings section from level 6 to level 4.

* Renames the auth.change_password string into auth.security

The "Security" preferences' section used to be called "Change password". When it was renamed, the string name wasn't changed.
This commits changes auth.change_password to auth.security.

* Adds a heading to the password change form

There was previously no heading for the part of the "Security" page that contain the password change form.
This commit adds a rank 4 heading to this section and reintroduces an "auth.change_password" string to be used inside it.

* Removes useless HR elements

The various sections of the "Security" settings page were previously separated by HR elements.
Now that there is proper headings, they're not required anymore.

* Updates CSS

This commit updates CSS in such a way that the same style is applied to all the H4 elements of the settings.

* Correct a mistake

A character went missing on one of the previous commits, broking the CSS.
This new commit fixes it.
2018-03-07 01:39:40 +01:00
Eugen Rochko 55d9abcceb Add UI for setting up account migration (#5832) 2017-11-27 22:47:06 +01:00
Eugen Rochko bc8c951083 Add consumable invites (#5814)
* Add consumable invites

* Add UI for generating invite codes

* Add tests

* Display max uses and expiration in invites table, delete invite

* Remove unused column and redundant validator

- Default follows not used, probably bad idea
- InviteCodeValidator is redundant because RegistrationsController
  checks invite code validity

* Add admin setting to disable invites

* Add admin UI for invites, configurable role for invite creation

- Admin UI that lists everyone's invites, always available
- Admin setting min_invite_role to control who can invite people
- Non-admin invite UI only visible if users are allowed to

* Do not remove invites from database, expire them instantly
2017-11-27 16:07:59 +01:00
Yamagishi Kazutoshi 6a6e49d032 Change navigation link for moderators (#5812) 2017-11-25 05:53:54 +01:00
Eugen Rochko efc97d404c Add logging of admin actions (#5757)
* Add logging of admin actions

* Update brakeman whitelist

* Log creates, updates and destroys with history of changes

* i18n: Update Polish translation (#5782)

Signed-off-by: Marcin Mikołajczak <me@m4sk.in>

* Split admin navigation into moderation and administration

* Redesign audit log page

* 🇵🇱 (#5795)

* Add color coding to audit log

* Change dismiss->resolve, log all outcomes of report as resolve

* Update terminology (e-mail blacklist) (#5796)

* Update terminology (e-mail blacklist)

imho looks better

* Update en.yml

* Fix code style issues

* i18n-tasks normalize
2017-11-24 02:05:53 +01:00
Eugen Rochko 97178b6d86 Add moderator role and add pundit policies for admin actions (#5635)
* Add moderator role and add pundit policies for admin actions

* Add rake task for turning user into mod and revoking it again

* Fix handling of unauthorized exception

* Deliver new report e-mails to staff, not just admins

* Add promote/demote to admin UI, hide some actions conditionally

* Fix unused i18n
2017-11-11 20:23:33 +01:00
utam0k 51f8cbfbeb Implement EmailBlackList (#5109)
* Implement BlacklistedEmailDomain

* Use Faker::Internet.domain_name

* Remove note column

* Add frozen_string_literal comment

* Delete unnecessary codes

* Sort alphabetically

* Change of wording

* Rename BlacklistedEmailDomain to EmailDomainBlock
2017-10-04 15:16:10 +02:00
Yamagishi Kazutoshi 6bd4e3bf97 Separate notifications preferences from general preferences (#4447)
* Separate notifications preferences from general preferences

* Refine settings/notifications/show

* remove preferences.notifications
2017-10-04 10:22:52 +02:00
Eugen Rochko e9bb7e62b1 Admin interface for listing, adding and removing custom emojis (#5002)
* Admin interface for listing, adding and removing custom emojis

* Only display local ones in the list
2017-09-19 03:52:38 +02:00
Eugen Rochko b13501268f Fix up the applications area (#4664)
- Section it into "Development" area
- Improve UI of application form, index, and details
2017-08-23 00:59:35 +02:00
Colin Mitchell 63b98318c5 Application prefs section (#2758)
* Add code for creating/managing apps to settings section

* Add specs for app changes

* Fix controller spec

* Fix view file I pasted over by mistake

* Add locale strings. Add 'my apps' to nav

* Add Client ID/Secret to App page. Add some visual separation

* Fix rubocop warnings

* Fix embarrassing typo

I lost an `end` statement while fixing a merge conflict.

* Add code for creating/managing apps to settings section

- Add specs for app changes
- Add locale strings. Add 'my apps' to nav
- Add Client ID/Secret to App page. Add some visual separation
- Fix some bugs/warnings

* Update to match code standards

* Trigger notification

* Add warning about not sharing API secrets

* Tweak spec a bit

* Cleanup fixture creation by using let!

* Remove unused key

* Add foreign key for application<->user
2017-08-22 18:33:57 +02:00
Eugen Rochko 7814133f0a Rename "Credentials" page to "Security" for clarity (#3941)
* Rename "Credentials" page to "Security" for clarity

* Change "security" icon from cog to lock
2017-06-25 22:13:02 +02:00
Eugen Rochko 1c7e2ddd65 Account deletion (#3728)
* Add form for account deletion

* If avatar or header are gone from source, remove them

* Add option to have SuspendAccountService remove user record, add tests

* Exclude suspended accounts from search
2017-06-14 18:01:27 +02:00
Matt Jankowski 81ce4e4318 Move admin/pubsubhubbub controller to admin/subscriptions (#3442) 2017-05-31 20:39:35 +02:00
Matt Jankowski 232b822d86 Replace best_in_place editor on admin settings page (#2789)
* Remove best_in_place

* Replace best_in_place usage with rails helpers

* Move admin/settings#index to #edit action

* Remove click_to__edit from i18n
2017-05-04 18:12:44 +02:00
Eugen f89e26bdd5 Followers-only post federation (#2111)
* Make private toots get PuSHed to subscription URLs that belong to domains where you have approved followers

* Authorized followers controller, stub for bulk action

* Soft block in the background

* Add simple test for new controller

* Rename Settings::FollowersController to Settings::FollowerDomainsController, paginate results,
rename "private" post setting to "followers-only", fix pagination style, improve post privacy
preferences style, improve warning style

* Extract compose form warnings into own container, show warning when posting to followers-only with unlocked account
2017-04-24 00:38:37 +02:00
Matt Jankowski 502eef6f8d 2FA controller cleanup (#2296)
* Add spec coverage for settings/two_factor_auth area

* extract setup method for qr code

* Move otp required check to before action

* Merge method only used once

* Remove duplicate view

* Consolidate creation of @codes for backup

* Move settings/2fq#recovery_codes to settings/recovery_codes#create

* Rename settings/two_factor_auth#disable to #destroy

* Add coverage for the otp required path on 2fa#show

* Clean up the recovery codes list styles

* Move settings/two_factor_auth to settings/two_factor_authentication

* Reorganize the settings two factor auth area

Updated to use a flow like:

- settings/two_factor_authentication goes to a #show view which has a button
  either enable or disable 2fa on the account
- the disable button turns off the otp requirement for the user
- the enable button cycles the user secret and redirects to a confirmation page
- the confirmation page is a #new view which shows the QR code for user
- that page posts to #create which verifies the code, and creates the recovery
  codes
- that create action shares a view with a recovery codes controller which can be
  used separately to reset codes if needed
2017-04-22 04:23:17 +02:00
Matt Jankowski ce5cb2b81c Instances list in admin (#2095)
* Add admin/instances index action

* Add link to instances admin page

* View lists instances

* Instances, grouped by domain, ordered by count

* Use Account.remote scope

* Extract method: Account.by_domain_accounts
2017-04-18 21:09:07 +02:00
Brad Urani 3a41fe76a3 Open sidekiq and pghero admin pages in new browser tabs (#1596)
* Open sidekiq and pghero admin pages in new tabs

* Add missing comma
2017-04-17 12:26:45 +02:00
Matt Jankowski fff8d92577 I18n health warnings (#1949)
* Rename admin.domain_block to admin.domain_blocks in prep for i18n improvement

* Use implicit controller/action path for i18n in admin/domain_blocks

* Add DomainBlock#accounts has_many

* Avoid i18n health warning for `en` locale by using symbol scope with :count

* Remove unused i18n key: plaintext_secret_html

* Remove unused i18n key two_factor_auth.warning

* Remove final will_paginate i18n keys

* Remove unused key two_factor_auth.recovery_codes

* Remove unused key: admin.reports.comment.none

* Remove unused reports. i18n namespace (moved to admin.reports)

* Ignore keys from locales which override activemodel and activerecord errors

* Revert "Remove unused key: admin.reports.comment.none"

This reverts commit 350ef2685fadc069e619bb6d1066190de195d942.

* Update i18n key reference to match moved location

* Add missing `en` keys to i18n

* Tell i18n-tasks to ignore missing attributes that dont need overwriting

* Add i18n-tasks unused to travis
2017-04-16 19:37:01 +02:00
Thomas Citharel 6524136728 Translate admin (#1702)
* Translate the domain_block panel

Signed-off-by: Thomas Citharel <tcit@tcit.fr>

* Translate PubSubHubbub section

Signed-off-by: Thomas Citharel <tcit@tcit.fr>

* translate account section and correct typos

* move reports translation & translate sidebar

Signed-off-by: Thomas Citharel <tcit@tcit.fr>

* normalize l18n
2017-04-13 21:49:07 +02:00
Eugen b532134503 Fix #795, fix #704, fix #835 - 2FA requires confirmation to be enabled (#1278)
* Fix #795, fix #704, fix #835 - 2FA requires confirmation to be enabled
TOTP secret is not shown again after 2FA is enabled

* Clean up
2017-04-08 22:20:08 +02:00
Eugen Rochko 6ebe31e716 Make default admin UI page reports. Add admin UI for creating a domain block 2017-04-03 18:55:06 +02:00
Eugen Rochko 244da78105 Import feature for following/blocking lists (addresses #62, #177, #201, #454) 2017-03-30 19:42:33 +02:00
Eugen Rochko b339e488fe Export follow/block lists as CSV 2017-03-19 20:29:41 +01:00