Commit graph

5518 commits

Author SHA1 Message Date
@r3g_5z@plem.sapphic.site
0e4c201f8d HTTP header improvements (#294)
Some checks are pending
ci/woodpecker/push/woodpecker Pipeline is pending
- Drop Expect-CT

Expect-CT has been redundant since 2018 when Certificate Transparency became mandated and required for all CAs and browsers. This header is only implemented in Chrome and is now deprecated. HTTP header analysers do not check this anymore as this is enforced by default. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT

- Raise HSTS to 2 years and explicitly preload

The longer age for HSTS, the better. Header analysers prefer 2 years over 1 year now as free TLS is very common using Let's Encrypt.
For HSTS to be fully effective, you need to submit your root domain (domain.tld) to https://hstspreload.org. However, a requirement for this is the "preload" directive in Strict-Transport-Security. If you do not have "preload", it will reject your domain.

- Drop X-Download-Options

This is an IE8-era header when Adobe products used to use the IE engine for making outbound web requests to embed webpages in things like Adobe Acrobat (PDFs). Modern apps are using Microsoft Edge WebView2 or Chromium Embedded Framework. No modern browser checks or header analyser check for this.

- Set base-uri to 'none'

This is to specify the domain for relative links (`<base>` HTML tag). pleroma-fe does not use this and it's an incredibly niche tag.

I use all of these myself on my instance by rewriting the headers with zero problems. No breakage observed.

I have not compiled my Elixr changes, but I don't see why they'd break.

Co-authored-by: r3g_5z <june@terezi.dev>
Reviewed-on: #294
Co-authored-by: @r3g_5z@plem.sapphic.site <june@terezi.dev>
Co-committed-by: @r3g_5z@plem.sapphic.site <june@terezi.dev>
2022-11-20 21:20:06 +00:00
e1e0d5d759 microblogpub federation fixes (#288)
Some checks are pending
ci/woodpecker/push/woodpecker Pipeline is pending
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: #288
2022-11-18 11:14:35 +00:00
Haelwenn (lanodan) Monnier
3e0a5851e5 Set instance reachable on fetch
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
2022-11-15 17:23:47 +00:00
2a1f17e3ed and i yoink (#275)
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Co-authored-by: Mark Felder <feld@feld.me>
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: #275
2022-11-14 15:07:26 +00:00
c1127e321b Add configurable timeline per oban job (#273)
Some checks are pending
ci/woodpecker/push/woodpecker Pipeline is pending
Heavily inspired by https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3777

Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: #273
2022-11-13 23:55:51 +00:00
ac0c00cdee Add media sources to connect-src if media proxy is enabled
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
2022-11-10 17:26:51 +00:00
bab1ab5b6c strip \r and \r from content-disposition filenames 2022-11-10 11:54:12 +00:00
cc6a076202 Include requested_by in relationship (#260)
Some checks are pending
ci/woodpecker/push/woodpecker Pipeline is pending
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: #260
2022-11-10 03:16:32 +00:00
479aacb1b6 Add fallback for reports that don't have attached activities
Some checks are pending
ci/woodpecker/push/woodpecker Pipeline is pending
2022-11-08 11:01:47 +00:00
a0b8e3c842 Don't mess with the cache on metadata update
Some checks are pending
ci/woodpecker/push/woodpecker Pipeline is pending
2022-11-08 10:39:01 +00:00
7bbaa8f8e0 automatically trim loading *. prefixes on domain blocks
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
2022-11-07 22:33:18 +00:00
31ad09010e Fix regex usage in MRF (#254)
Some checks are pending
ci/woodpecker/push/woodpecker Pipeline is pending
fixes #235
fixes #228

Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: #254
2022-11-06 23:50:32 +00:00
b7e8ce2350 Scrape instance nodeinfo (#251)
Some checks are pending
ci/woodpecker/push/woodpecker Pipeline is pending
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: #251
2022-11-06 22:49:39 +00:00
ccdf55acff Fix instance name in email test
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
2022-11-04 18:42:12 +00:00
4d0a51221a
Fix typo in CSP Report-To header name
Some checks failed
ci/woodpecker/pr/woodpecker Pipeline failed
The header name was Report-To, not Reply-To.

In any case, that's now being changed to the Reporting-Endpoints HTTP
Response Header.
https://w3c.github.io/reporting/#header
https://github.com/w3c/reporting/issues/177

CanIUse says the Report-To header is still supported by current Chrome
and friends.
https://caniuse.com/mdn-http_headers_report-to

It doesn't have any data for the Reporting-Endpoints HTTP header, but
this article says Chrome 96 supports it.
https://web.dev/reporting-api/

(Even though that's come out one year ago, that's not compatible with
Network Error Logging which's still using the Report-To version of the
API)

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2022-11-04 15:02:13 +01:00
9038da01cc Merge pull request 'Push.Impl: support edits' (#244) from norm/akkoma:push-support-edits into develop
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Reviewed-on: #244
2022-11-01 15:14:08 +00:00
e44e147b54 Merge pull request 'fix flaky test_user_relationship_test.exs:81' (#240) from ilja/akkoma:fix_flaky_test_user_relationship_test.exs_81 into develop
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Reviewed-on: #240
2022-11-01 14:44:23 +00:00
d5bbc3eeb2 Merge pull request 'fix flaky test filter_controller_test.exs:200' (#239) from ilja/akkoma:fix_flaky_filter_controller_test.exs_200 into develop
Some checks are pending
ci/woodpecker/push/woodpecker Pipeline is pending
Reviewed-on: #239
2022-11-01 14:42:43 +00:00
479542c692 Merge pull request 'fix flaky participation_test.exs' (#238) from ilja/akkoma:fix_erratic_participation_test into develop
Some checks are pending
ci/woodpecker/push/woodpecker Pipeline is pending
Reviewed-on: #238
2022-11-01 14:37:06 +00:00
be5044f785 fix_flaky_transfer_task_test.exs (#237)
Some checks are pending
ci/woodpecker/push/woodpecker Pipeline is pending
There were async calls happening, so they weren't always finished when assert happened.

I also fixed some bugs in the erratic tests that were introduced when removing :shout.:shout is a key where restart is needed, and was changed in the test to use :rate_limit (which also requires a restart). But there was a bug in the syntax that didn't get caught because the test was tagged as erratic and therefor didn't fail. Here I fixed it.

During compilation, we had a warning `:logger is used by the current application but the current application does not depend on :logger` which is now fixed as well (see commit message for complete stacktrace).

Co-authored-by: Ilja <ilja@ilja.space>
Reviewed-on: #237
Co-authored-by: ilja <akkoma.dev@ilja.space>
Co-committed-by: ilja <akkoma.dev@ilja.space>
2022-11-01 14:31:29 +00:00
f1dfd76b98 Fix rate_limiter_test.exs test "it restricts based on config values" (#233)
Some checks are pending
ci/woodpecker/push/woodpecker Pipeline is pending
Fixes one of the 'erratic' tests

It used a timer to sleep.
But time also goes on when doing other things, so depending on hardware, the timings could be off.
I slightly changed the tests so we still test what we functionally want.
Instead of waiting until the cache expires I now have a function to expire the test and use that.

That means we're not testing any more if the cache really expires after a certain amount of time,
but that's the responsability of the dependency imo, so shouldn't be a problem.

I also changed `Pleroma.Web.Endpoint, :http, :ip` in the tests to `127.0.0.1`
Currently it was set to 8.8.8.8, but I see no reason for that and, while I assume that no calls
are made to it, it may come over as weird or suspicious to people.

Co-authored-by: Ilja <ilja@ilja.space>
Reviewed-on: #233
Co-authored-by: ilja <akkoma.dev@ilja.space>
Co-committed-by: ilja <akkoma.dev@ilja.space>
2022-11-01 14:25:54 +00:00
1bb8b76311 Fix tests in ldap registration
Some checks are pending
ci/woodpecker/push/woodpecker Pipeline is pending
2022-11-01 14:21:35 +00:00
marcin mikołajczak
6486211064
Push.Impl: support edits
Some checks failed
ci/woodpecker/pr/woodpecker Pipeline failed
Signed-off-by: marcin mikołajczak <git@mkljczk.pl>
2022-10-28 01:20:19 -04:00
ilja
3562eaeedc fix flaky test_user_relationship_test.exs:81
Some checks are pending
ci/woodpecker/pr/woodpecker Pipeline is pending
The problem was double. On the one hand, the function didn't actually return what was in the DB.
On the other hand the test was flaky because it used NaiveDateTime.utc_now() so test could fail or pass depending on a difference of microseconds.

Both are fixed now.
2022-10-23 13:31:01 +02:00
Ilja
a59d310982 fix flaky test filter_controller_test.exs:200
Some checks are pending
ci/woodpecker/pr/woodpecker Pipeline is pending
2022-10-23 13:07:02 +02:00
ilja
e6ceea3553 fix flaky participation_test.exs
Some checks are pending
ci/woodpecker/pr/woodpecker Pipeline is pending
It was tested if the updated_at after marking as "read" was equal as the updated_at at insertion, but that seems wrong.
Firstly, if a record is updated, you expect the updated_at to also update.
Secondly, the insert and update happen almost at the same time, so it's flaky regardless.

Here I make sure it has a much older updated_at during insert so we can clealy see the effect after update.
I also check that the updated_at is actually updated because I expect that this is the expected behaviour and it's also the current behaviour.
2022-10-23 12:33:31 +02:00
f36d14818d Unilateral remove from followers (#232)
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
from https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3647/

Co-authored-by: marcin mikołajczak <git@mkljczk.pl>
Co-authored-by: Tusooa Zhu <tusooa@kazv.moe>
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: #232
2022-10-19 10:01:14 +00:00
edf7d5089f Merge pull request 'Check that the signature matches the creator' (#230) from domain-blocks into develop
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Reviewed-on: #230
2022-10-14 11:41:34 +00:00
03662501c3 Check that the signature matches the creator
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
ci/woodpecker/pr/woodpecker Pipeline was successful
2022-10-14 11:48:32 +01:00
cb9b0d3720 optimise notifications query
Some checks are pending
ci/woodpecker/push/woodpecker Pipeline is pending
ci/woodpecker/pr/woodpecker Pipeline was successful
2022-10-11 11:40:43 +01:00
c6e63aaf6b Backend settings sync (#226)
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: #226
2022-10-06 16:22:15 +00:00
b2aa82cee5 Fix false error in meilisearch index (#221)
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
the schema changed

https://docs.meilisearch.com/reference/api/documents.html#add-or-update-documents

this wasn't breaking anything, it would just report errors that were actually successes

Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: #221
2022-09-20 10:36:21 +00:00
561e1f2470 Make backups require its own scope (#218)
Some checks are pending
ci/woodpecker/push/woodpecker Pipeline is pending
Pulled from https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3721.

This makes backups require its own scope (`read:backups`) instead of the `read:accounts` scope.

Co-authored-by: Tusooa Zhu <tusooa@kazv.moe>
Reviewed-on: #218
Co-authored-by: Norm <normandy@biribiri.dev>
Co-committed-by: Norm <normandy@biribiri.dev>
2022-09-19 17:31:35 +00:00
77596a3021
User: search: exclude deactivated users from user search
Some checks are pending
ci/woodpecker/pr/woodpecker Pipeline is pending
This way we don't pollute search results with deactivated and deleted users
2022-09-15 21:21:06 -04:00
Tusooa Zhu
2aa8e66527 Fix User.get_or_fetch/1 with usernames starting with http 2022-09-11 20:29:05 +01:00
b4261b0335 Use set of pregenerated RSA keys
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
ci/woodpecker/pr/woodpecker Pipeline was successful
Randomness is a huge resource sink, so let's just use
a some that we made earlier
2022-09-11 20:14:58 +01:00
8683252fc5 Metadata/Utils: use summary as description if set
When generating OpenGraph and TwitterCard metadata for a post, the
summary field will be used first if it is set to generate the post
description.
2022-09-11 19:55:38 +01:00
0b14f02ed2 User: generate private keys on user creation
This fixes a race condition bug where keys could be regenerated
post-federation, causing activities and HTTP signatures from an user to
be dropped due to key differences.
2022-09-11 19:54:37 +01:00
e88f36f72b ObjectView: do not fetch an object for its ID
Non-Create/Listen activities had their associated object field
normalized and fetched, but only to use their `id` field, which is both
slow and redundant. This also failed on Undo activities, which delete
the associated object/activity in database.

Undo activities will now render properly and database loads should
improve ever so slightly.
2022-09-11 19:52:59 +01:00
a6d85003fe Remote interaction with posts (#198)
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Grabbed from https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3587

Co-authored-by: Tusooa Zhu <tusooa@kazv.moe>
Reviewed-on: #198
Co-authored-by: Norm <normandy@biribiri.dev>
Co-committed-by: Norm <normandy@biribiri.dev>
2022-09-08 10:19:22 +00:00
2641dcdd15 Post editing (#202)
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Rebased from #103

Co-authored-by: Tusooa Zhu <tusooa@kazv.moe>
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: #202
2022-09-06 19:24:02 +00:00
6c80977b06 turn inlineQuotePolicy on by default
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
2022-09-05 17:22:33 +01:00
f6304cfd78 add extra tests for builder
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
2022-09-05 01:24:40 +01:00
1b826eea54 Allow reacting with remote emoji when they exist on the post (#200)
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: #200
2022-09-04 23:31:41 +00:00
7a90d71e8d ensure .exs config is used before default (#197)
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: #197
2022-09-02 22:05:39 +00:00
8e4de118c1 Don't persist local undone follow (#194)
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
same deal but backwards this time

Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: #194
2022-08-31 18:00:36 +00:00
decbca0c91 add seperate source and dest entries in language listing (#193)
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: #193
2022-08-30 16:59:33 +00:00
c3fde9577d Allow listing languages, setting source language (#192)
Some checks are pending
ci/woodpecker/push/woodpecker Pipeline is pending
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: #192
2022-08-30 14:58:54 +00:00
df39cab9c1 Automatic status translation (#187)
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Fixes #115

Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: #187
2022-08-29 19:42:22 +00:00
Tusooa Zhu
95e4018c1a Disconnect streaming sessions when token is revoked
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Use Websockex to replace websocket_client

Test that server will disconnect websocket upon token revocation

Lint

Execute session disconnect in background

Refactor streamer test

allow multi-streams

rebase websocket change
2022-08-27 19:07:48 +01:00