bab1ab5b6c
strip \r and \r from content-disposition filenames
2022-11-10 11:54:12 +00:00
4d0a51221a
Fix typo in CSP Report-To header name
...
The header name was Report-To, not Reply-To.
In any case, that's now being changed to the Reporting-Endpoints HTTP
Response Header.
https://w3c.github.io/reporting/#header
https://github.com/w3c/reporting/issues/177
CanIUse says the Report-To header is still supported by current Chrome
and friends.
https://caniuse.com/mdn-http_headers_report-to
It doesn't have any data for the Reporting-Endpoints HTTP header, but
this article says Chrome 96 supports it.
https://web.dev/reporting-api/
(Even though that's come out one year ago, that's not compatible with
Network Error Logging which's still using the Report-To version of the
API)
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2022-11-04 15:02:13 +01:00
03662501c3
Check that the signature matches the creator
2022-10-14 11:48:32 +01:00
1acd38fe7f
OAuthPlug: use user cache instead of joining
...
As this plug is called on every request, this should reduce load on the
database by not requiring to select on the users table every single
time, and to instead use the by-ID user cache whenever possible.
2022-09-11 19:55:55 +01:00
772c209914
GTS: cherry-picks and collection usage ( #186 )
...
https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3725?commit_id=61254111e59f02118cad15de49d1e0704c07030e
what is this, a yoink of a yoink? good times
Co-authored-by: Hélène <pleroma-dev@helene.moe>
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: AkkomaGang/akkoma#186
2022-08-27 18:05:48 +00:00
8d7b63a766
Revert "Fix oauth2 (for real) ( #179 )"
...
This reverts commit aa681d7e15
.
2022-08-21 17:52:02 +01:00
aa681d7e15
Fix oauth2 (for real) ( #179 )
...
Reviewed-on: AkkomaGang/akkoma#179
2022-08-21 16:24:37 +00:00
b0130bfa7b
Revert "oauth2 fixes ( #177 )"
...
This reverts commit 429e2ac832
.
2022-08-21 16:22:15 +01:00
429e2ac832
oauth2 fixes ( #177 )
...
Reviewed-on: AkkomaGang/akkoma#177
2022-08-21 14:46:52 +00:00
55179d4214
set soapbox-fe v2 by default
...
fixes #157
2022-08-11 10:25:03 +01:00
ec162b496b
/notice signing checks on redirect ( #150 )
...
Reviewed-on: AkkomaGang/akkoma#150
2022-08-05 19:31:32 +00:00
d598c7a834
remove anonymous function from plug
2022-07-14 11:17:14 +01:00
37ae047e16
Add swaggerUI options ( #66 )
...
Reviewed-on: AkkomaGang/akkoma#66
2022-07-13 15:09:35 +00:00
364b6969eb
Use finch everywhere ( #33 )
...
Reviewed-on: AkkomaGang/akkoma#33
2022-07-04 16:30:38 +00:00
Tusooa Zhu
3fd87b6a75
Skip cache when /objects or /activities is authenticated
...
Ref: fix-local-public
2022-06-29 20:47:27 +01:00
Tusooa Zhu
932e5df19e
Allow to skip cache in Cache plug
...
Ref: fix-local-public
2022-06-29 20:47:26 +01:00
Tusooa Zhu
07bd35227a
Support multiple locales from userLanguage cookie
2022-06-29 20:47:10 +01:00
Tusooa Zhu
fa95bc8725
Support multiple locales formally
...
elixir gettext current does not fully support fallback to another language [0].
But it might in the future. We adapt it so that all languages in Accept-Language
headers are received by Pleroma.Web.Gettext. User.languages is now a comma-separated
list.
[0]: https://github.com/elixir-gettext/gettext/issues/303
2022-06-29 20:47:10 +01:00
Tusooa Zhu
ef73f61b07
Fallback to a variant if the language in general is not supported
...
For an example, here, zh is not supported, but zh_Hans and zh_Hant
are. If the user asks for zh, we should choose a variant for them
instead of fallbacking to default.
Some browsers (e.g. Firefox) does not allow users to customize
their language codes. For example, there is no zh-Hans, but only
zh, zh-CN, zh-TW, zh-HK, etc. This provides a workaround for
those users suffering from bad design decisions.
2022-06-29 20:47:10 +01:00
Tusooa Zhu
72bdb0640f
Allow user to register with custom language
2022-06-29 20:46:51 +01:00
Tusooa Zhu
7726148472
Send emails i18n'd using backend-stored user language
2022-06-29 20:45:19 +01:00
Tusooa Zhu
8f08c902a5
Make lint happy
2022-06-29 20:44:16 +01:00
Tusooa Zhu
775f997c40
Prefer userLanguage cookie over Accept-Language header in detecting locale
...
https://git.pleroma.social/pleroma/pleroma-meta/-/issues/60
2022-06-29 20:43:41 +01:00
502382da45
cherry-pick security from upstream
2022-06-22 16:25:05 +01:00
Alex Gleason
138f5a4517
EnsureStaffPrivilegedPlug: don't let non-moderators through
2021-12-27 17:18:26 -06:00
f02715c4b2
Fix lint errors
2021-12-27 03:42:03 +03:00
cd1041c3a4
API: optionally restrict moderators from accessing sensitive data
2021-12-27 02:27:48 +03:00
Alex Gleason
44ede0657f
Merge remote-tracking branch 'pleroma/develop' into staff-plug
2021-08-04 11:48:57 -05:00
Alex Gleason
9bc1e79c56
Moderators: add UserIsStaffPlug
2021-07-12 21:57:52 -05:00
Alex Gleason
595bca24ad
Merge remote-tracking branch 'pleroma/develop' into cycles-frontend-static
2021-05-30 12:12:58 -05:00
Alex Gleason
721c966842
FrontendStatic: make Router a runtime dep
...
Speeds up recompilation by removing compile-time cycles
2021-05-30 12:12:16 -05:00
Alex Gleason
39127f15eb
Merge remote-tracking branch 'pleroma/develop' into cycles-router-api-routes
2021-05-28 13:51:21 -05:00
Alex Gleason
c23b81e399
Pleroma.Web.get_api_routes/0 --> Pleroma.Web.Router.get_api_routes/0
...
Reduce recompilation time by breaking compile-time cycles
2021-05-28 13:51:01 -05:00
Sean King
2b4f958b2a
Add opting out of Google FLoC to HTTPSecurityPlug headers
2021-04-18 14:00:18 -06:00
1552179792
Improved recursion through the api route list
2021-02-25 10:07:29 -06:00
cea31df6a6
Attempt to filter out API calls from FrontendStatic plug
2021-02-24 15:27:53 -06:00
rinpatch
2ab9499258
OAuthScopesPlug: remove transform_scopes in favor of explicit admin scope definitions
...
Transforming scopes is no longer necessary since we are dropping
support for accessing admin api without `admin:` prefix in scopes.
2021-02-17 21:37:23 +03:00
Ivan Tashkinov
df89b5019b
[ #2510 ] Improved support for app-bound OAuth tokens. Auth-related refactoring.
2021-02-11 15:02:50 +03:00
Egor Kislitsyn
793fc77b16
Add active user count
2021-01-27 18:20:06 +04:00
eugenijm
7fcaa188a0
Allow to define custom HTTP headers per each frontend
2021-01-21 21:55:23 +03:00
eugenijm
133644dfa2
Ability to set the Service-Worker-Allowed header
2021-01-21 21:55:11 +03:00
Lain Soykaf
39f3683a06
Pbkdf2: Use it everywhere.
2021-01-14 15:06:16 +01:00
lain
9106048c61
Password: Replace Pbkdf2 with Password.
2021-01-13 15:11:11 +01:00
Haelwenn (lanodan) Monnier
c4439c630f
Bump Copyright to 2021
...
grep -rl '# Copyright © .* Pleroma' * | xargs sed -i 's;Copyright © .* Pleroma .*;Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/ >;'
2021-01-13 07:49:50 +01:00
86dcfb4eb9
More places we should be using Upload.base_url
2021-01-08 17:32:42 -06:00
d69c78ceb9
Remove configurability of upload proxy opts, simplify
2021-01-05 15:06:00 -06:00
lain
713612c377
Cachex: Make caching provider switchable at runtime.
...
Defaults to Cachex.
2020-12-18 17:44:46 +01:00
Ivan Tashkinov
e9859b68fc
[ #3112 ] Ensured presence and consistency of :user and :token assigns (EnsureUserTokenAssignsPlug). Refactored auth info dropping functions.
2020-12-06 13:59:10 +03:00
Ivan Tashkinov
50e47a215f
Merge remote-tracking branch 'remotes/origin/develop' into auth-improvements
2020-11-28 21:51:27 +03:00
Alexander Strizhakov
6aadb1cb40
digest algorithm is taken from header
2020-11-27 08:10:52 +03:00