Commit Graph

211 Commits

Author SHA1 Message Date
Ariadne Conill 88d064d80e http signature plug: remove redundant checks handled by HTTPSignatures library
the redundant checks assumed a POST request, which will not work for signed GETs.
this check was originally needed because the HTTPSignatures adapter assumed that
the requests were also POST requests.  but now, the adapter has been corrected.
2019-07-18 15:11:21 +00:00
Moonman 105f437ce9 formatting 2019-07-15 08:36:51 -07:00
Moonman f98f7ad1b9 detect and use sha512-crypt for stored password hash. 2019-07-14 09:48:42 -07:00
Ivan Tashkinov 369e9bb42f [#1041] Rate-limited status actions (per user and per user+status). 2019-07-13 14:49:39 +03:00
Egor Kislitsyn ed8ce21a22 Fix unused import warning 2019-07-10 18:10:09 +07:00
Egor Kislitsyn a42da8f311 Fix response 2019-07-10 18:10:09 +07:00
Egor Kislitsyn 5104f65b69 Wrap error messages into gettext helpers 2019-07-10 18:10:09 +07:00
Egor Kislitsyn 0d54a571ca Add SetLocalePlug 2019-07-10 18:08:03 +07:00
Egor Kislitsyn 889a9c3a3f Polish IdempotencyPlug 2019-06-27 01:53:58 +07:00
Egor Kislitsyn 159630b21c Fix credo warning 2019-06-26 19:19:07 +07:00
Egor Kislitsyn 825077a5b0 Add Idempotency plug 2019-06-26 18:36:58 +07:00
Alexander Strizhakov c2ca1f22a2 it is changed in compile time
we can't change module attributes and endpoint settings in runtime
2019-06-14 15:45:05 +00:00
Egor Kislitsyn b22b10d3aa Improve rate limiter documentation
Documents how to disable rate limiting
2019-06-14 15:02:10 +07:00
lain 63ab3c30eb Merge branch 'feature/rate-limiter' into 'develop'
Feature/Rate Limiter

Closes #943

See merge request pleroma/pleroma!1266
2019-06-11 11:32:01 +00:00
Egor Kislitsyn ad04d12de6 Replace `MastodonAPIController.account_register/2` rate limiter 2019-06-11 16:06:03 +07:00
Egor Kislitsyn 2e5affce61 Add RateLimiter 2019-06-11 14:27:41 +07:00
rinpatch 92213fb87c Replace Mix.env with Pleroma.Config.get(:env)
Mix.env/0 is not availible in release environments such as distillery or
elixir's built-in releases.
2019-06-06 23:59:51 +03:00
Egor Kislitsyn 99f70c7e20 Use Pleroma.Config everywhere 2019-05-30 15:33:58 +07:00
Alex S aa11fa4864 add report uri and report to 2019-05-16 12:49:40 +07:00
kaniini 62516be9c4 Merge branch 'fix/public-option-not-working' into 'develop'
Fix public option not working

Closes #873

See merge request pleroma/pleroma!1143
2019-05-15 15:42:21 +00:00
Aaron Tinio 7b8dc99ef1 Implement Pleroma.Plugs.EnsurePublicOrAuthenticated 2019-05-15 05:09:29 +08:00
William Pitcock 071f78733a switch to pleroma/http_signatures library 2019-05-14 20:03:13 +00:00
Alexander Strizhakov a2be420f94 differences_in_mastoapi_responses.md: fullname & bio are optionnal
[ci skip]
2019-05-13 18:35:45 +00:00
feld acb04306b6 Standardize construction of websocket URL
This follows up on the change made in d747bd98
2019-05-03 11:45:04 +00:00
AkiraFukushima 533d8cd581 Parse access_token from body parameters and URL parameters 2019-05-02 21:04:00 +09:00
Egor Kislitsyn 88d3cb44c3 replace `Repo.get_by(User, nickname: nickname)` with `User.get_by_nickname(nickname)` 2019-04-02 17:47:02 +07:00
kaniini c708656b5e Merge branch 'robotstxt' into 'develop'
Add robots.txt

Closes #723

See merge request pleroma/pleroma!929
2019-03-15 02:50:27 +00:00
William Pearson 3dadaa4432 robots.txt
Add default robots.txt that allows bots access to all paths.
Add mix task to generate robots.txt taht allows bots access to no paths.
Document custom emojis, MRF and static_dir
static_dir documentation includes docs for the robots.txt Mix task.
2019-03-15 02:28:18 +00:00
rinpatch cbdd11c381 Merge develop to bump elixir version in the CI so I don't get failing formatting 2019-03-14 22:33:20 +03:00
rinpatch e2fe796c63 Add some tests 2019-03-14 22:02:48 +03:00
Haelwenn (lanodan) Monnier c42d34b2ec
[Credo] fix Credo.Check.Readability.MaxLineLength 2019-03-13 04:26:56 +01:00
Haelwenn (lanodan) Monnier a3a9cec483
[Credo] fix Credo.Check.Readability.AliasOrder 2019-03-13 04:26:54 +01:00
rinpatch 92a69bddce escape quotation marks in Content-Disposition header 2019-03-12 09:21:13 +03:00
rinpatch 5a73cae2be WIP: Stop mangling filenames 2019-03-12 09:10:19 +03:00
Haelwenn (lanodan) Monnier fc37e5815f
Plugs.HTTPSecurityPlug: Add static_url to CSP's connect-src
Closes: https://git.pleroma.social/pleroma/pleroma/merge_requests/469
2019-03-05 01:44:24 +01:00
Ivan Tashkinov bc4f77b10b [#468] Merged `upstream/develop`, resolved conflicts. 2019-02-17 14:07:04 +03:00
Ivan Tashkinov 2a4a4f3342 [#468] Defined OAuth restrictions for all applicable routes.
Improved missing "scopes" param handling.
Allowed "any of" / "all of" mode specification in OAuthScopesPlug.
Fixed auth UI / behavior when user selects no permissions at /oauth/authorize.
2019-02-15 19:54:37 +03:00
Ivan Tashkinov 063baca5e4 [#468] User UI for OAuth permissions restriction. Standardized storage format for `scopes` fields, updated usages. 2019-02-14 00:29:29 +03:00
Haelwenn (lanodan) Monnier da4c662af3
Plugs.HTTPSecurityPlug: Add webpacker to connect-src 2019-02-12 22:12:12 +01:00
Haelwenn (lanodan) Monnier 00e8f0b07d
Plugs.HTTPSecurityPlug: Add unsafe-eval to script-src when in dev mode
This is needed to run dev mode mastofe at the same time
2019-02-12 22:12:11 +01:00
shibayashi ea1058929c
Use url[:scheme] instead of protocol to determine if https is enabled 2019-02-12 00:08:52 +01:00
Haelwenn (lanodan) Monnier 6a6a5b3251
de-group alias/es 2019-02-09 16:31:17 +01:00
Ivan Tashkinov 4ad843fb9d [#468] Prototype of OAuth2 scopes support. TwitterAPI scope restrictions. 2019-02-09 17:09:08 +03:00
Haelwenn (lanodan) Monnier 60ea29dfe6
Credo fixes: alias grouping/ordering 2019-02-09 14:59:20 +01:00
Haelwenn (lanodan) Monnier 106f4e7a0f
Credo fixes: parameter consistency 2019-02-09 14:59:20 +01:00
href fa5ec765d9
Serve sw-pleroma.js properly 2019-02-01 11:34:41 +01:00
href 8018ae7ae5
Join on preloads to avoid N+1 queries 2019-01-26 15:55:53 +01:00
William Pitcock 980b5288ed update copyright years to 2019 2018-12-31 15:41:47 +00:00
William Pitcock 2791ce9a1f add license boilerplate to pleroma core 2018-12-23 20:56:42 +00:00
lain f3eb414e28 Add a way to use the admin api without a user. 2018-12-18 21:08:52 +01:00
href b1860fe85a
Instance/Static runtime plug
This allows to set-up an arbitrary directory which overrides most of the
static files: index.html static/ emoji/ packs/ sounds/ images/ instance/
favicon.png.

If the files are not present in the directory, the bundled ones in
priv/static will be used.
2018-12-17 22:50:59 +01:00
href 5dcb7aecea
More put_view. 2018-12-16 17:51:22 +01:00
Egor Kislitsyn 658edb166f
fix and improve web push; add configuration docs 2018-12-14 13:05:29 +01:00
Maksim Pechnikov 074fa790ba fix compile warnings 2018-12-09 20:50:08 +03:00
Egor Kislitsyn 4944498133 Merge branch 'develop' into feature/compat/push-subscriptions
# Conflicts:
#	lib/pleroma/application.ex
#	lib/pleroma/plugs/oauth_plug.ex
2018-12-06 20:15:16 +07:00
Egor Kislitsyn 8b4397c704 Merge branch 'develop' into feature/compat/push-subscriptions
# Conflicts:
#	lib/mix/tasks/sample_config.eex
#	lib/pleroma/web/twitter_api/controllers/util_controller.ex
#	mix.exs
#	mix.lock
2018-12-06 19:55:58 +07:00
Maksim Pechnikov c524c50509 fix/273 2018-12-05 17:32:06 +03:00
lain f18b86fd5f More fixes for Info schema. 2018-12-01 12:46:08 +01:00
lain c443c9bd72 Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into validate-user-info 2018-12-01 09:55:46 +01:00
lain 1c67277c80 Fix admin api. 2018-12-01 09:03:16 +01:00
href b19597f602
reverse proxy / uploads 2018-11-30 18:00:47 +01:00
lain d0ec2812bd Merge remote-tracking branch 'origin' into validate-user-info 2018-11-30 17:34:20 +01:00
Haelwenn (lanodan) Monnier 04daa0fa44
Plugs.HTTPSecurityPlug: Activate upgrade-insecure-requests only when there is https
This fixes running mastofe with MIX_ENV=dev
2018-11-26 21:41:36 +01:00
shibayashi 591b11eafc
Add manifest-src to allow manifest.json 2018-11-26 20:48:24 +01:00
William Pitcock 3356c7d1e9 oauth plug: fix deactivated check 2018-11-20 18:47:00 +00:00
Haelwenn (lanodan) Monnier 4a79b89dba
lib/pleroma/plugs/user_is_admin_plug.ex: change 403 string to “User is not admin.” 2018-11-17 20:25:56 +01:00
Haelwenn (lanodan) Monnier c8b8f1d32c
[Pleroma.Plugs.UserIsAdminPlug]: Check if admin is true instead of false, fix error reporting 2018-11-17 20:25:53 +01:00
Haelwenn (lanodan) Monnier 7076d45cb6
lib/pleroma/plugs/user_is_admin_plug.ex: Create 2018-11-17 20:25:52 +01:00
William Pitcock c07464607d http security: remove form-action from CSP definitions 2018-11-16 17:40:21 +00:00
William Pitcock ee5932a504 http security: allow referrer-policy to be configured 2018-11-12 15:14:46 +00:00
William Pitcock fe67665e19 rename CSPPlug to HTTPSecurityPlug. 2018-11-12 15:08:02 +00:00
William Pitcock df72978dce csp plug: add support for certificate transparency 2018-11-11 06:55:44 +00:00
William Pitcock 331cf6ada1 csp plug: add sts support 2018-11-11 06:50:28 +00:00
William Pitcock f516e317ea plugs: add CSPPlug 2018-11-11 06:10:21 +00:00
href 6fe23c5458
Runtime configured router 2018-11-05 15:19:03 +01:00
Martin Kühl c2d592c9c5 Assign token to connection 2018-09-22 07:04:01 +02:00
lain 44b094908c Update legacy passwords automatically. 2018-09-05 22:30:14 +02:00
lain e601165426 Add UserEnabledPlug. 2018-09-05 21:53:53 +02:00
lain 5ce1ebb179 Add SetUserSessionIdPlug. 2018-09-05 21:42:42 +02:00
lain 12bc73dd28 Add EnsureUserKeyPlug, smaller fixes 2018-09-05 19:06:28 +02:00
lain 32465b9939 Simplify AuthenticationPlug 2018-09-05 18:53:38 +02:00
lain 9a96c93be7 Add SessionAuthenticationPlug. 2018-09-05 18:37:02 +02:00
lain a3f54fca4d Add LegacyAuthenticationPlug 2018-09-05 18:17:33 +02:00
lain 3cf17dc402 Add EnsureAuthenticatedPlug 2018-09-05 17:59:19 +02:00
lain faf5347748 Add UserFetcherPlug. 2018-09-05 17:44:38 +02:00
lain 42bd985e66 Add BasicAuthDecoderPlug 2018-09-05 17:30:05 +02:00
Moon Man 8b020e03a6 change cond to if else 2018-09-05 01:37:48 -04:00
Moon Man 1a8bc26e52 auth against sha512-crypt password hashes, upgrade to pbkdf2 2018-09-05 00:21:44 -04:00
William Pitcock 8da406afa2 activitypub: verify remote http signature digests by recomputing the digest and replacing the digest header 2018-07-31 23:24:30 +00:00
lain dd9bb37893 Rename id helper method. 2018-05-26 13:57:11 +02:00
William Pitcock 4d2c6707c2 activitypub: normalize the actor to ensure we have its URI 2018-05-19 03:28:28 -05:00
Mark Felder ab4aa5720a Fix a bunch of unused variable warnings 2018-05-04 20:59:01 +00:00
lain 0a14d155d6 Fail faster. 2018-04-02 13:13:14 +02:00
lain 4afbef39f4 Format the code. 2018-03-30 15:01:53 +02:00
lain d2099c849d More Jason changes. 2018-03-27 16:45:38 +02:00
lain f29902a241 More signature debugging. 2018-03-11 14:37:23 +01:00
lain 5ea6d96dbe Fix signing bug. 2018-02-25 20:15:04 +01:00
lain ac67453e8a More logging for signature problems. 2018-02-24 17:36:26 +01:00
lain 2757682894 More logging. 2018-02-22 14:57:35 +01:00
lain 38b61fddfe HttpSignature Plug: Skip if already valid. 2018-02-15 19:58:26 +01:00
Roger Braun a9c23e1c32 Add plug to validate signed http requests. 2017-12-12 10:17:21 +01:00
Lain Iwakura 0ec5aeb8a7 Don't log in deactivated users. 2017-12-07 17:41:34 +01:00
eal c1fa1e8844 Fix basic auth for passwords with a colon. 2017-12-04 22:45:16 +02:00
Thog 59770c3f5c
Fix all compilation warnings 2017-11-19 02:22:07 +01:00
Roger Braun d293ceb1b5 Add Mastodon frontend. 2017-11-12 14:23:05 +01:00
Roger Braun 2a298d70f9 Add very basic oauth and mastodon api support. 2017-09-06 19:06:25 +02:00
Roger Braun 70024632ba AP refactoring. 2017-05-16 18:19:04 +02:00
dtluna 6cf7c13228 Refactor code to comply with credo suggestions 2017-04-27 16:18:50 +03:00
Roger Braun 32aa83f3a2 Short circuit user verification if cookie is present. 2017-03-30 15:29:49 +02:00
Roger Braun 142e8f8f3e Don't use fetch access in plug.
This makes it work with structs.
2017-03-20 21:28:38 +01:00
Roger Braun e32dbfc9a5 Add basic auth. 2017-03-20 17:56:45 +01:00