Commit Graph

108 Commits

Author SHA1 Message Date
rinpatch a51284b60a Merge branch 'fix/mediaproxy-bypass-emoji' into 'develop'
Fix profile emojis bypassing mediaproxy and harden CSP

Closes #1810

See merge request pleroma/pleroma!2596
2020-06-08 00:58:30 +03:00
Ivan Tashkinov 862d4886c9 [#1682] Fixed Basic Auth permissions issue by disabling OAuth scopes checks when password is provided. Refactored plugs skipping functionality. 2020-05-01 01:00:37 +03:00
rinpatch da4923f2e5 Merge branch 'authenticated-api-oauth-check-enforcement' into 'develop'
Enforcement of OAuth scopes check for authenticated API endpoints

See merge request pleroma/pleroma!2349
2020-05-01 00:58:40 +03:00
rinpatch c46d035f7b rate limiter: disable based on if remote ip was found, not on if the plug was enabled
The current rate limiter disable logic won't trigger when the remote ip
is not forwarded, only when the remoteip plug is not enabled, which is
not the case on most instances since it's enabled by default. This
changes the behavior to warn and disable  when the remote ip was not forwarded,
even if the RemoteIP plug is enabled.

Also closes #1620
2020-03-16 00:15:21 +03:00
rinpatch 80bc8c2cc9 Revert "Set better Cache-Control header for static content"
On furher investigation it seems like all that did was cause unintuitive
behavior. The emoji request flood that was the reason for introducing it
isn't really that big of a deal either, since Plug.Static only needs to
read file modification time and size to determine the ETag.

Closes #1613
2020-03-15 16:59:39 +03:00
Mark Felder 5592db4757 Older copyright updates 2020-03-03 16:46:45 -06:00
Mark Felder 05da5f5cca Update Copyrights 2020-03-03 16:44:49 -06:00
Haelwenn (lanodan) Monnier 6da6540036
Bump copyright years of files changed after 2020-01-07
Done via the following command:
git diff fcd5dd259a --stat --name-only | xargs sed -i '/Pleroma Authors/c# Copyright © 2017-2020 Pleroma Authors <https:\/\/pleroma.social\/>'
2020-03-02 06:08:45 +01:00
Haelwenn (lanodan) Monnier 6c0d869d9d
Bump copyright years of files changed after 2019-01-01
Done via the following command:
git diff 1e6c102b --stat --name-only | cat - | xargs sed -i 's/2017-2018 Pleroma Authors/2017-2019 Pleroma Authors/'
2020-03-02 05:54:56 +01:00
rinpatch 4d416343fa rate limiter: Fix a race condition
When multiple requests are processed by rate limiter plug at the same
time and the bucket is not yet initialized, both would try to initialize
the bucket resulting in an internal server error.
2020-03-01 01:13:07 +03:00
Ivan Tashkinov c747260989 [#2250] Tiny refactoring per merge request review. 2020-02-29 22:04:09 +03:00
Ivan Tashkinov 6f2efb1c45 Runtime configurability of RateLimiter. Refactoring. Disabled default rate limits in tests. 2020-02-27 18:46:05 +03:00
lain 3eddd9caa6 Merge branch 'require-signature' into 'develop'
Add an option to require fetches to be signed

Closes #1444

See merge request pleroma/pleroma!2071
2020-02-20 12:13:21 +00:00
Ivan Tashkinov 4f8c3462a8 Tweaks to `clear_config` calls in tests in order to prevent side effects on config during test suite execution. 2020-02-13 21:55:47 +03:00
rinpatch 5b62acf6e9 Merge branch 'develop' into fix/disable-rate-limiter-for-socket-localhost 2020-01-30 22:16:55 +03:00
Ivan Tashkinov ead2d18826 Merge remote-tracking branch 'remotes/origin/develop' into oauth-scopes-tweaks-and-tests 2019-12-19 17:24:08 +03:00
Egor Kislitsyn 775212121c
Verify HTTP signatures only when request accepts "activity+json" type 2019-12-19 20:17:18 +07:00
Maxim Filippov 45180d4c60 Merge branch 'develop' into fix/disable-rate-limiter-for-socket-localhost 2019-12-17 12:36:56 +03:00
minibikini e1fa8c11a9 Apply suggestion to test/plugs/http_signature_plug_test.exs 2019-12-16 18:39:59 +00:00
Egor Kislitsyn a12b6454bb
Add an option to require fetches to be signed 2019-12-16 22:24:03 +07:00
rinpatch 54029fe212 tests: remove a useless sleep in rate limiter tests
It was used to check that authenticated and unauthenticated users have
different limits. Instead of sleeping a super low limit for
unauthenticated users was set, preventing them from doing 5 requests in
the first place.
2019-12-16 01:03:13 +03:00
Ivan Tashkinov 7973cbdb9f OAuthScopesPlug: disallowed nil token (unless with :fallback option). WIP: controller tests modification: OAuth scopes usage. 2019-12-15 22:32:42 +03:00
Maxim Filippov eb11c60289 Disable rate limiter for socket/localhost (unless RemoteIp is enabled) 2019-12-14 03:06:43 +03:00
Ivan Tashkinov 3920244be5 [#1427] Fixed `:admin` option handling in OAuthScopesPlug, added tests. 2019-12-11 11:42:02 +03:00
Ivan Tashkinov 1770602747 [#1427] Extra check that admin OAuth scope is used by admin. Adjusted tests. 2019-12-07 17:49:53 +03:00
Ivan Tashkinov 40e1817f70 [#1427] Fixes / improvements of admin scopes support. Added tests. 2019-12-06 20:33:47 +03:00
Egor Kislitsyn 36686f5245
Support authentication via `x-admin-token` HTTP header 2019-11-19 15:58:20 +07:00
rinpatch 22554ac5ca Merge branch 'bugfix/1395-email-activation' into 'develop'
Bugfix/1395 email activation

Closes #1395

See merge request pleroma/pleroma!1965
2019-11-15 14:11:48 +00:00
Egor Kislitsyn 72cf6a76f4
Fix random fails of the rate limiter tests 2019-11-13 18:07:53 +07:00
Steven Fuchs 94627baa5c New rate limiter 2019-11-11 12:13:06 +00:00
lain f6056e9c9c UserEnabledPlug: Don't authenticate unconfirmed users. 2019-11-11 12:43:46 +01:00
rinpatch 84175fe30e Set better Cache-Control header for static content
Closes #1382
2019-11-06 16:41:19 +03:00
Ivan Tashkinov 10ff01acd9 [#1304] Moved all non-mutes / non-blocks fields from User.Info to User. WIP. 2019-10-16 21:59:21 +03:00
Ivan Tashkinov 64095961fe [#1234] Merge remote-tracking branch 'remotes/upstream/develop' into 1234-mastodon-2-4-3-oauth-scopes
# Conflicts:
#	CHANGELOG.md
#	lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex
#	lib/pleroma/web/router.ex
2019-10-02 20:42:40 +03:00
minibikini f9380289eb Add `remote_ip` plug 2019-09-27 21:59:23 +00:00
Ivan Tashkinov 6f67aed3ac [#1234] Merge remote-tracking branch 'remotes/upstream/develop' into 1234-mastodon-2-4-3-oauth-scopes
# Conflicts:
#	lib/pleroma/web/admin_api/admin_api_controller.ex
2019-09-19 10:59:09 +03:00
Haelwenn (lanodan) Monnier 447514dfa2
Bump copyright years of files changed in 2019
Done via the following command:
git diff 1e6c102bfc --stat --name-only | cat - | xargs sed -i 's/2017-2018 Pleroma Authors/2017-2019 Pleroma Authors/'
2019-09-18 23:21:11 +02:00
Ivan Tashkinov b17f217bf3 [#1234] Addressed code analysis issue. 2019-09-17 23:31:05 +03:00
Ivan Tashkinov 76068873db [#1234] Defined admin OAuth scopes, refined other scopes. Added tests. 2019-09-17 22:19:39 +03:00
Ivan Tashkinov efbc2edba1 [#1234] Merge remote-tracking branch 'remotes/upstream/develop' into 1234-mastodon-2-4-3-oauth-scopes
# Conflicts:
#	lib/pleroma/web/activity_pub/activity_pub_controller.ex
#	lib/pleroma/web/router.ex
2019-09-15 18:52:27 +03:00
minibikini 11e12b5761 Add Pleroma.Plugs.Cache 2019-09-09 18:53:08 +00:00
Ivan Tashkinov b63faf9819 [#1234] Mastodon 2.4.3 hierarchical scopes initial support (WIP). 2019-09-08 15:00:03 +03:00
Maksim a320358703 added test helpers to clear config after tests 2019-08-19 15:34:29 +00:00
Maksim 55341ac717 tests WebFinger 2019-07-24 15:13:10 +00:00
Sergey Suprunenko 9340896c9e Exclude tests that use :crypt.crypt/2 on macOS 2019-07-22 19:54:22 +00:00
Sergey Suprunenko 43a7cd27fe [tests] Mock :crypt.crypt/2 function in AuthenticationPlugTest 2019-07-20 13:07:51 +00:00
kaniini 716afc83ce Merge branch 'refactor/http-signature-plug' into 'develop'
http signature plug: separation of concerns

See merge request pleroma/pleroma!1449
2019-07-19 16:57:24 +00:00
Ariadne Conill c947cfec5a mapped signature plug: use `user` assign like authentication plug 2019-07-18 20:31:25 +00:00
Maksim f435217e50 tests for Plugs.AuthenticationPlug 2019-07-18 20:29:51 +00:00
Ariadne Conill 621cacf667 tests: add tests for mapped signature plug 2019-07-18 16:28:36 +00:00