Commit Graph

1923 Commits

Author SHA1 Message Date
Daenney 02d6e2e3bc
[feature] Set some security related headers (#3065)
* Set frame-ancestors in the CSP
   This ensures we can't be loaded/embedded in an iframe. It also sets the
   older X-Frame-Options for fallback.
* Disable MIME type sniffing
* Set Referrer-Policy
   This sets the policy such that browsers will never send the Referer
   header along with a request, unless it's a request to the same protocol,
   host/domain and port. Basically, only send it when navigating through
   our own UI, but not anything external.

   The default is strict-origin-when-cross-origin when unset, which sends
   the Referer header for requests unless it's going from HTTPS to HTTP
   (i.e. a security downgrade, hence the 'strict').
2024-07-04 10:07:02 +02:00
Vyr Cossont fde0c6bc8c
[chore] Allow gtsmodel to depend on util (#3068)
Convert one free function into a gtsmodel.Emoji method so that util does not depend on gtsmodel and can be used from it in the future
2024-07-03 15:53:54 -07:00
Daenney 27bcc1fcbd
[docs] Update how to enable http2 on nginx (#3066)
Since 1.25.1 the newer 'http2 on;' syntax should be used. The previous
syntax still works, but throws warnings when testing the configuration
with 'nginx -t'.

This also updates the certbot template to match what's currently
generated. It removes ipv6only=on as that's the default on a listen
directive binding on a wildcard IPv6 address.
2024-07-03 20:45:46 +02:00
dependabot[bot] 9c44d6aa47
[chore]: Bump github.com/yuin/goldmark from 1.7.3 to 1.7.4 (#3059)
Bumps [github.com/yuin/goldmark](https://github.com/yuin/goldmark) from 1.7.3 to 1.7.4.
- [Release notes](https://github.com/yuin/goldmark/releases)
- [Commits](https://github.com/yuin/goldmark/compare/v1.7.3...v1.7.4)

---
updated-dependencies:
- dependency-name: github.com/yuin/goldmark
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-01 13:41:55 +02:00
CDN 235bea04fd
[bugfix] update SignupURL routing in email template. (#3055) 2024-06-30 01:08:13 +02:00
f0x52 a76670a471
[bugfix] use instance configured emoji maxsize on emoji update validation (#3056) 2024-06-30 01:06:44 +02:00
Daenney 137ef5a9ff
[feature] Default to WASM-based SQLite driver (#3053)
* [feature] Default to WASM-based SQLite driver

With 0.16 out this switches our default SQLite driver to the WASM-based
solution instead. So far the driver seems to perform just as well.
Switching our default should result in it getting a bit more testing
during the 0.17 development cycle.

* add the ol' john hancock

---------

Co-authored-by: tobi <tobi.smethurst@protonmail.com>
2024-06-29 09:35:57 +02:00
tobi 86786ae5b3
[bugfix] Fix typo in instance cache copyF (#3052) 2024-06-28 16:43:00 +02:00
tobi 2ddeb9b514
[chore] Add envparsing test for advanced-header-filter-mode (#3051) 2024-06-28 15:28:00 +02:00
tobi a650f30197
[docs] Tidy up API auth docs a little bit (#3050) 2024-06-28 15:27:47 +02:00
dependabot[bot] 0baab758c7
[chore]: Bump golang.org/x/image from 0.17.0 to 0.18.0 (#3044)
Bumps [golang.org/x/image](https://github.com/golang/image) from 0.17.0 to 0.18.0.
- [Commits](https://github.com/golang/image/compare/v0.17.0...v0.18.0)

---
updated-dependencies:
- dependency-name: golang.org/x/image
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-26 22:06:24 +02:00
kim 21bb324156
[chore] media and emoji refactoring (#3000)
* start updating media manager interface ready for storing attachments / emoji right away

* store emoji and media as uncached immediately, then (re-)cache on Processing{}.Load()

* remove now unused media workers

* fix tests and issues

* fix another test!

* fix emoji activitypub uri setting behaviour, fix remainder of test compilation issues

* fix more tests

* fix (most of) remaining tests, add debouncing to repeatedly failing media / emojis

* whoops, rebase issue

* remove kim's whacky experiments

* do some reshuffling, ensure emoji uri gets set

* ensure marked as not cached on cleanup

* tweaks to media / emoji processing to handle context canceled better

* ensure newly fetched emojis actually get set in returned slice

* use different varnames to be a bit more obvious

* move emoji refresh rate limiting to dereferencer

* add exported dereferencer functions for remote media, use these for recaching in processor

* add check for nil attachment in updateAttachment()

* remove unused emoji and media fields + columns

* see previous commit

* fix old migrations expecting image_updated_at to exist (from copies of old models)

* remove freshness checking code (seems to be broken...)

* fix error arg causing nil ptr exception

* finish documenting functions with comments, slight tweaks to media / emoji deref error logic

* remove some extra unneeded boolean checking

* finish writing documentation (code comments) for exported media manager methods

* undo changes to migration snapshot gtsmodels, updated failing migration to have its own snapshot

* move doesColumnExist() to util.go in migrations package
2024-06-26 16:01:16 +01:00
tobi fa710057c8
[docs] restructure federation section (#3038) 2024-06-25 12:04:45 +02:00
dependabot[bot] 03c5d016a7
[chore]: Bump github.com/gorilla/feeds from 1.1.2 to 1.2.0 (#3035) 2024-06-24 09:04:27 +00:00
COxDE 863c67cb04
[docs] fix: traefik redirect regex (#3032) 2024-06-24 10:53:38 +02:00
dependabot[bot] b9864e83a0
[chore]: Bump github.com/minio/minio-go/v7 from 7.0.71 to 7.0.72 (#3037) 2024-06-24 08:07:15 +00:00
dependabot[bot] ddef307622
[chore]: Bump github.com/yuin/goldmark from 1.7.2 to 1.7.3 (#3034) 2024-06-24 08:06:44 +00:00
ghose 14fda0dbbf
[feature/frontend] Rain Forest Theme (#3021)
* Create sweet-home.css

new green-ish theme

* Rain Forest theme v1

changes since *draft* version:

* lighter green for links (better contrast ratio)
* higher «show more/less» button contrast
* post's border thinner and darker (papaya)
* lighter "glow" (shadow)
* button has no shadow
* polls themed (dark blues)
* papaya scrollbar
* code box border thinner (not rounded)
* accessibility tested in firefox dev options (no issues)
* release ready v1.0

* Rename rain-forest.css to rain-forest.css

delete "theme" folder and move to "themes"
2024-06-23 15:43:05 +02:00
Daenney 4604224c4d
[chore] Update our robots.txt (#3033)
This syncs our copy with the current state of the ai.robots.txt
repository. Upstream has tightened their scope to be AI-only, whereas
before it included a bunch of SEO and "web intelligence" marketing
stuff. I've kept those but moved them into their own section.
2024-06-23 15:34:21 +02:00
Julian c2738474d5
[bugfix] add Date and Message-ID headers for email (#3031)
* [bugfix] add Date and Message-ID headers for email

This should make spam filters more happy, as most of them grant some
negative score for not having those headers. Also the Date is convenient
for the user receiving the mail.

* make golangci-lint happy
2024-06-22 23:36:30 +02:00
kim 15e0bf6e5a
[chore] update github.com/ncruces/go-sqlite3 -> v0.16.3 (#3029) 2024-06-22 11:59:29 +02:00
kim e543fbc80e
update remaining gruf libraries relying on linkname (#3028) 2024-06-21 18:36:58 +00:00
kim 9143ac6fb4
updates go-mutexes to no longer rely on unsafe linkname (#3027) 2024-06-21 17:35:32 +01:00
kim b93087ceb4
[chore] update go-structr and go-mangler to no longer rely on modern-go/reflect2 (#3026)
* updates go-structr and go-mangler to no longer rely on modern-go/reflect2 (*phew* now we're go1.23 safe)

* update go-structr version

* bump go-structr to improve memory usage (v. slightly) in certain conditions
2024-06-21 16:43:17 +01:00
kim 7b1ccbd65a
[feature] add worker task serialization logic (#2989)
* improved server shutdown with more precise shutdown of modules + deferring of ALL of it

* move delivery and workers into separate files

* add worker task model and Serialize() / Deserialize() methods for message types

* start adding message serialize / deserialize tests

* start adding test cases

* update body rewinding to rely on standard library mechanism of r.GetBody()

* remove request rewinding (http.Client{} should already handle this)

* standard library already handles rewinding

* improved code comment

* move the newPOST() function contents to prepare(), fits better with current API

* add Serialize() / Deserialize() implementations for Delivery{} type

* finish writing FromClientAPI serialize / deserialize tests

* start adding FromFediAPI{} serialize / deserialize test cases

* fix FromFediAPI{} tests

* add tests for delivery message type

* fix repeat code

* missing license header

* use testrig status and accounts for marshal / unmarshaling tests

* add a specific test for checking account RSA keys are preserved
2024-06-20 17:06:20 +00:00
tobi 4ce5c37df5
[bugfix] rename `include_types[]` to `types[]` (#3023) 2024-06-18 18:18:35 +02:00
tobi d2b3d37724
[feature/frontend] Reports frontend v2 (#3022)
* use apiutil + paging in admin processor+handlers

* we're making it happen

* fix little whoopsie

* styling for report list

* don't youuuu forget about meee don't don't don't don't

* last bits

* sanitize content before showing in report statuses

* update report docs
2024-06-18 18:18:00 +02:00
Vyr Cossont b08c1bd0cb
[feature] Implement types[] param for notifications (#3009)
Counterpart of exclude_types[].

Also updates Swagger spec for types[] to use the correct param name and enumerate possible values.

Fixes #3003
2024-06-17 20:50:50 +01:00
dependabot[bot] 7ab404d643
[chore]: Bump github.com/spf13/cobra from 1.8.0 to 1.8.1 (#3016) 2024-06-17 08:13:40 +00:00
dependabot[bot] cc64de4dcc
[chore]: Bump golang.org/x/oauth2 from 0.20.0 to 0.21.0 (#3015) 2024-06-17 08:13:14 +00:00
dependabot[bot] 3a01377bcc
[chore]: Bump github.com/miekg/dns from 1.1.59 to 1.1.61 (#3014) 2024-06-17 08:12:25 +00:00
dependabot[bot] b7dede2a47
[chore]: Bump github.com/tdewolff/minify/v2 from 2.20.33 to 2.20.34 (#3017) 2024-06-17 08:11:08 +00:00
dependabot[bot] 76d695d847
[chore]: Bump github.com/yuin/goldmark from 1.7.1 to 1.7.2 (#3018) 2024-06-17 08:10:11 +00:00
tobi f1cbf6fb76
[docs] Update roadmap (#3011) 2024-06-16 14:35:00 +02:00
tobi db803617db
[bugfix] avoid v. long notification clear query (#3007) 2024-06-14 10:14:55 +00:00
Vyr Cossont b789fe2bc7
[feature] filter API v2: Restore keywords_attributes and statuses_attributes (#2995)
These filter API v2 features were cut late in development because the form encoding version is hard to implement correctly and because I thought no clients actually used `keywords_attributes`. Unfortunately, Phanpy does use `keywords_attributes`.
2024-06-14 10:11:41 +02:00
tobi ee6e9b2795
[docs] Rework README a bit, import into docs (#3006) 2024-06-13 23:21:41 +02:00
Daenney 3c86bd890c
[chore] Silence memlimit package (#3002)
The memlimit package started to log any error returned by automemlimit.
This updates our implementation to call SetGoMemLimitWithOpts() instead
which uses the same defaults as automemlimit except for being
initialised with a noop logger.

We check the returned error for a particular substring, as when cgroups
isn't available even when running on a Linux system that's not a
problem. If it's anything but that error, we log it at the warning
level so that admins can still diagnose other cgroup related issues.

Fixes #2983

Co-authored-by: tobi <31960611+tsmethurst@users.noreply.github.com>
2024-06-13 19:02:48 +02:00
Martijn de Boer 38cd889f7b
[docs] Add optional instructions for replicating SQLite for disaster recovery (#2981)
* Add optional instructions for replicating SQLite for disaster recovery

* Remove references to MacOS from replicating-sqlite.md

Resolve comment on review

* Add mention for replicating SQLite in database_maintenance.md

Adds a reference to the replicating sqlite page under database maintenance
2024-06-13 15:09:51 +02:00
tobi 9d9013db4c
[chore] Update move test (#3005) 2024-06-13 15:08:43 +02:00
tobi fbdfce3190
[chore] Don't render sign-up form when registrations closed (#3001) 2024-06-12 15:00:21 +01:00
dependabot[bot] fef9b6a621
Bump braces from 3.0.2 to 3.0.3 in /web/source (#2999)
Bumps [braces](https://github.com/micromatch/braces) from 3.0.2 to 3.0.3.
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/braces/compare/3.0.2...3.0.3)

---
updated-dependencies:
- dependency-name: braces
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-12 15:00:12 +01:00
tobi 20877c1474
[bugfix] Ensure side effects handled for local unlocked follows (#2998) 2024-06-12 13:23:10 +01:00
Daenney 978b4176f1
[chore] Upgrade wasm-sqlite to v0.16.2 (#2997) 2024-06-12 13:21:34 +01:00
Vyr Cossont dcf825bd87
[bugfix] Correct Swagger path for poll voting (#2996)
Updates the Swagger spec to match the router.

Fixes #2994
2024-06-12 11:16:46 +02:00
tobi 611f9de39b
[bugfix] Deref stats async, serve stub collections if handshaking (#2990)
* [bugfix] Deref stats async, allow peek if handshaking

* don't return totalItems when handshaking or hiding collections

* use GetLimit()

* use StubAccountStats
2024-06-11 11:54:59 +02:00
kim fd6637df4a
[bugfix] boost and account recursion (#2982)
* fix possible infinite recursion if moved accounts are self-referential

* adds a defensive check for a boost being a boost of a boost wrapper

* add checks on input for a boost of a boost

* remove unnecessary check

* add protections on account move to prevent move recursion loops

* separate status conversion without boost logic into separate function to remove risk of recursion

* move boost check to boost function itself

* formatting

* use error 422 instead of 500

* use gtserror not standard errors package for error creation
2024-06-10 19:42:41 +01:00
tobi ebdcb00d0a
[chore] Roll back use of `(created)` pseudo-header pending #2991 (#2992) 2024-06-10 19:42:26 +01:00
dependabot[bot] 69aba377bc
[chore]: Bump golang.org/x/image from 0.16.0 to 0.17.0 (#2985)
Bumps [golang.org/x/image](https://github.com/golang/image) from 0.16.0 to 0.17.0.
- [Commits](https://github.com/golang/image/compare/v0.16.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/image
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-10 08:10:25 +00:00
dependabot[bot] a687f0634c
[chore]: Bump github.com/gorilla/websocket from 1.5.1 to 1.5.2 (#2987)
Bumps [github.com/gorilla/websocket](https://github.com/gorilla/websocket) from 1.5.1 to 1.5.2.
- [Release notes](https://github.com/gorilla/websocket/releases)
- [Commits](https://github.com/gorilla/websocket/compare/v1.5.1...v1.5.2)

---
updated-dependencies:
- dependency-name: github.com/gorilla/websocket
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-10 07:43:38 +00:00