Commit graph

9035 commits

Author SHA1 Message Date
FloatingGhost
9a320ba814 make 2fa UI less awful 2022-12-16 11:50:25 +00:00
FloatingGhost
48d302a60f allow disabling prometheus entirely 2022-12-16 11:17:04 +00:00
FloatingGhost
d1a0d93bf7 document prometheus 2022-12-16 10:24:36 +00:00
FloatingGhost
c2054f82ab allow users with admin:metrics to read app metrics 2022-12-16 03:32:51 +00:00
FloatingGhost
b8be8192fb do not allow non-admins to register tokens with admin scopes
this didn't actually _do_ anything in the past,
the users would be prevented from accessing the resource,
but they shouldn't be able to even create them
2022-12-16 03:25:14 +00:00
FloatingGhost
e2320f870e Add prometheus metrics to router 2022-12-15 02:02:07 +00:00
Tim Buchwaldt
29584197bb Measure stats-data 2022-12-15 01:04:56 +00:00
Tim Buchwaldt
63be819661 Take tesla telemetry 2022-12-15 01:04:56 +00:00
Tim Buchwaldt
0995fa1410 Track oban failures 2022-12-15 01:04:56 +00:00
Tim Buchwaldt
f8d3383179 Fix oban tags 2022-12-15 01:04:56 +00:00
Tim Buchwaldt
a06bb694c1 Listen to loopback 2022-12-15 01:04:56 +00:00
Tim Buchwaldt
1e9c2cd8ef Fix buckets for query timing 2022-12-15 01:04:56 +00:00
Tim Buchwaldt
33243c56e5 Start adding telemetry 2022-12-15 01:04:55 +00:00
floatingghost
07a48b9293 giant massive dep upgrade and dialyxir-found error emporium (#371)
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/371
2022-12-14 12:38:48 +00:00
duponin
3e9c0b380a
Return 413 when an actor's banner or background exceeds the size limit 2022-12-12 17:28:14 -05:00
duponin
c9304962c3
Uploading an avatar media exceeding max size returns a 413
Until now it was returning a 500 because the upload plug were going
through the changeset and ending in the JSON encoder, which raised
because struct has to @derive the encoder.
2022-12-12 17:28:09 -05:00
FloatingGhost
77e9a52450 allow http AS profile in ld+json header 2022-12-12 19:06:04 +00:00
FloatingGhost
9c71782861 Test removed HTTP adapter 2022-12-11 23:50:31 +00:00
FloatingGhost
503827a3d9 Allow mock in http adapter checking 2022-12-11 23:33:58 +00:00
FloatingGhost
f752126427 Remove quack, ensure adapter is finch 2022-12-11 23:22:35 +00:00
FloatingGhost
e6da301296 Add diagnostics http 2022-12-11 22:57:18 +00:00
FloatingGhost
9d9c26b833 Ensure Gun is Gone 2022-12-11 19:26:21 +00:00
FloatingGhost
affc910372 Remove hackney/gun in favour of finch 2022-12-11 19:19:31 +00:00
FloatingGhost
68894089e8 Do not fetch anything from blocked instances 2022-12-10 00:09:45 +00:00
FloatingGhost
a1515f9a60 Add some extra info around possible nils 2022-12-09 23:45:51 +00:00
floatingghost
2144ce5188 Merge pull request 'Magical patches' (#357) from magical-patches into develop
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/357
2022-12-09 21:12:49 +00:00
FloatingGhost
739ed14f54 Revert "mandate published on notes"
This reverts commit e49b583147.
2022-12-09 20:59:26 +00:00
FloatingGhost
e49b583147 mandate published on notes
fixes #356
2022-12-09 20:27:54 +00:00
FloatingGhost
f5a315f04c Add URL and code to :not_found errors
Ref #355
2022-12-09 20:13:31 +00:00
FloatingGhost
bc265bfd54 Underscore unused variable 2022-12-09 20:04:48 +00:00
FloatingGhost
dcf58a3c53 Do not pass transient undo-y activities through MRF 2022-12-09 20:01:38 +00:00
FloatingGhost
9db4c2429f Remove FollowBotPolicy 2022-12-09 19:59:27 +00:00
FloatingGhost
6f83ae27aa extend reject MRF to check if originating instance is blocked 2022-12-09 19:57:29 +00:00
sn0w
4c0911592b
Skip posts in indexer where publish date is nil 2022-12-09 20:56:39 +01:00
FloatingGhost
d5828f1c5e Merge remote-tracking branch 'ilja/fix_tagpolicy_to_also_work_on_updates' into develop 2022-12-09 10:31:22 +00:00
FloatingGhost
0eaec57d3f mix format 2022-12-09 10:24:38 +00:00
ilja
1f863f0a36 Fix MRF policies to also work with Update
Objects who got updated would just pass through several of the MRF policies, undoing moderation in some situations.
In the relevant cases we now check not only for Create activities, but also Update activities.

I checked which ones checked explicitly on type Create using `grep '"type" => "Create"' lib/pleroma/web/activity_pub/mrf/*`.

The following from that list have not been changed:
* lib/pleroma/web/activity_pub/mrf/follow_bot_policy.ex
    * Not relevant for moderation
* lib/pleroma/web/activity_pub/mrf/keyword_policy.ex
    * Already had a test for Update
* lib/pleroma/web/activity_pub/mrf/object_age_policy.ex
    * In practice only relevant when fetching old objects (e.g. through Like or Announce). These are always wrapped in a Create.
* lib/pleroma/web/activity_pub/mrf/reject_non_public.ex
    * We don't allow changing scope with Update, so not relevant here
2022-12-08 23:22:05 +01:00
ilja
ce517ff4e5 Fix tagpolicy to also work with Update
Objects who got updated would just pass the TagPolicy, undoing the moderation that was set in place for the Actor.
Now we check not only for Create activities, but also Update activities.
2022-12-08 21:53:42 +01:00
FloatingGhost
cb3ccf5f47 Add check for null reply_to_user 2022-12-07 13:41:12 +00:00
FloatingGhost
1afba64464 Redirect to standard FE if logged in 2022-12-07 13:35:00 +00:00
FloatingGhost
c7369d6d03 GOOGLE 2022-12-07 11:41:24 +00:00
sfr
7c4b415929 static-fe overhaul (#236)
makes static-fe look more like pleroma-fe, with the stylesheets matching pleroma-dark and pleroma-light based on `prefers-color-scheme`.

- [x] navbar
- [x] about sidebar
- [x] background image
- [x] statuses
  - [x] "reply to" or "edited" tags
- [x] accounts
  - [x] show more / show less
  - [x] posts / with replies / media / followers / following
    - [x] followers/following would require user card snippets
  - [x] admin/bot indicators
- [x] attachments
  - [x] nsfw attachments
- [x] fontawesome icons
- [x] clean up and sort css
- [x] add pleroma-light
- [x] replace hardcoded strings

also i forgot
- [x] repeated headers

how it looks + sneak peek at statuses:
![](https://akkoma.dev/attachments/c0d3a025-6987-4630-8eb9-5f4db6858359)

Co-authored-by: Sol Fisher Romanoff <sol@solfisher.com>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/236
Co-authored-by: sfr <sol@solfisher.com>
Co-committed-by: sfr <sol@solfisher.com>
2022-12-07 11:20:53 +00:00
floatingghost
09326ffa56 Diagnostics tasks (#348)
a bunch of ways to get query plans to help with debugging

Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/348
2022-12-07 11:12:34 +00:00
FloatingGhost
b058df3faa Allow dashes in domain name search 2022-12-06 10:57:10 +00:00
floatingghost
d55de5debf Remerge of hashtag following (#341)
this time with less idiot

Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/341
2022-12-05 12:58:48 +00:00
floatingghost
ec6bf8c3f7 revert 4a94c9a31e
revert Add ability to follow hashtags (#336)

Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/336
2022-12-04 20:04:09 +00:00
floatingghost
4a94c9a31e Add ability to follow hashtags (#336)
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/336
2022-12-04 17:36:59 +00:00
floatingghost
6b882a2c0b Purge Rejected Follow requests in daily task (#334)
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/334
2022-12-03 23:17:43 +00:00
FloatingGhost
1409f91d50 Add maskable to logo 2022-12-02 12:00:56 +00:00
floatingghost
94b469cab0 Merge pull request 'Add PWA config' (#329) from pwa into develop
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/329
2022-12-02 11:13:29 +00:00
floatingghost
8d6cc6cb65 Resolve follow activity from accept/reject without ID (#328)
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/328
2022-12-02 11:12:37 +00:00
FloatingGhost
bbf2e3f445 Add PWA info 2022-12-02 11:10:35 +00:00
floatingghost
db60640c5b Fixing up deletes a bit (#327)
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/327
2022-12-01 15:00:53 +00:00
floatingghost
0cfd5b4e89 Add ability to set a default post expiry (#321)
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/321
2022-11-28 13:34:54 +00:00
FloatingGhost
ee7059c9cf Spin off imports into n oban jobs 2022-11-27 21:45:41 +00:00
floatingghost
98a21debf9 normalise markup by default (#316)
why was this _not_ default?

honestly i'm surprised pleroma hasn't exploded yet

Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/316
2022-11-26 21:06:20 +00:00
floatingghost
e3085c495c fix tests broken by relay defaults changing (#314)
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/314
2022-11-26 20:45:47 +00:00
@r3g_5z@plem.sapphic.site
565ead8397 minor-changes (#313)
Only real change here is making MRF rejects log as debug instead of info (https://akkoma.dev/AkkomaGang/akkoma/issues/234)

I don't know if it's the best way to do it, but it seems it's just MRF using this and almost always this is intended.

The rest are just minor docs changes and syncing the restricted nicknames stuff.

I compiled and ran my changes with Docker and they all work.

Co-authored-by: r3g_5z <june@terezi.dev>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/313
Co-authored-by: @r3g_5z@plem.sapphic.site <june@girlboss.ceo>
Co-committed-by: @r3g_5z@plem.sapphic.site <june@girlboss.ceo>
2022-11-26 19:27:58 +00:00
@luna@f.l4.pm
a90c45b7e9 Add Signed Fetch Statistics (#312)
Close #304.

Notes:
 - This patch was made on top of Pleroma develop, so I created a separate cachex worker for request signature actions, instead of Akkoma's instance cache. If that is a merge blocker, I can attempt to move logic around for that.
 - Regarding the `has_request_signatures: true -> false` state transition: I think that is a higher level thing (resetting instance state on new instance actor key) which is separate from the changes relevant to this one.

Co-authored-by: Luna <git@l4.pm>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/312
Co-authored-by: @luna@f.l4.pm <akkoma@l4.pm>
Co-committed-by: @luna@f.l4.pm <akkoma@l4.pm>
2022-11-26 19:22:56 +00:00
floatingghost
2fe1484ed3 http timeout config (#307)
Ref https://meta.akkoma.dev/t/increase-timeout-on-libretranslate-request-how/156/2

Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/307
2022-11-24 12:27:16 +00:00
ave
1c4ca20ff7 Change follow_operation schema to use type BooleanLike (#301)
Changes follow_operation schema to use BooleanLike instead of :boolean so that strings like "0" and "1" (used by mastodon.py) can be accepted. Rest of file uses the same. For more info please see https://git.pleroma.social/pleroma/pleroma/-/issues/2999

(I'm also sending this here as I'm not hopeful about upstream not ignoring  it)

Co-authored-by: ave <ave@ave.zone>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/301
Co-authored-by: ave <ave@noreply.akkoma>
Co-committed-by: ave <ave@noreply.akkoma>
2022-11-24 11:27:01 +00:00
floatingghost
6223e2ea3e Merge pull request 'Additional timeline query improvements from upstream' (#291) from norm/akkoma:timeline-query-improvements into develop
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/291
2022-11-20 21:53:24 +00:00
@r3g_5z@plem.sapphic.site
0e4c201f8d HTTP header improvements (#294)
- Drop Expect-CT

Expect-CT has been redundant since 2018 when Certificate Transparency became mandated and required for all CAs and browsers. This header is only implemented in Chrome and is now deprecated. HTTP header analysers do not check this anymore as this is enforced by default. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT

- Raise HSTS to 2 years and explicitly preload

The longer age for HSTS, the better. Header analysers prefer 2 years over 1 year now as free TLS is very common using Let's Encrypt.
For HSTS to be fully effective, you need to submit your root domain (domain.tld) to https://hstspreload.org. However, a requirement for this is the "preload" directive in Strict-Transport-Security. If you do not have "preload", it will reject your domain.

- Drop X-Download-Options

This is an IE8-era header when Adobe products used to use the IE engine for making outbound web requests to embed webpages in things like Adobe Acrobat (PDFs). Modern apps are using Microsoft Edge WebView2 or Chromium Embedded Framework. No modern browser checks or header analyser check for this.

- Set base-uri to 'none'

This is to specify the domain for relative links (`<base>` HTML tag). pleroma-fe does not use this and it's an incredibly niche tag.

I use all of these myself on my instance by rewriting the headers with zero problems. No breakage observed.

I have not compiled my Elixr changes, but I don't see why they'd break.

Co-authored-by: r3g_5z <june@terezi.dev>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/294
Co-authored-by: @r3g_5z@plem.sapphic.site <june@terezi.dev>
Co-committed-by: @r3g_5z@plem.sapphic.site <june@terezi.dev>
2022-11-20 21:20:06 +00:00
r3g_5z
f90552f62e
Drop XSS auditor
It's deprecated, removed in some, by all modern browsers and is known
to create XSS vulnerabilities in itself.

Signed-off-by: r3g_5z <june@terezi.dev>
2022-11-19 20:40:20 -05:00
Mark Felder
0022fa7d49
Add same optimized join for excluding invisible users 2022-11-19 15:12:24 -05:00
Mark Felder
11fc1beba5
Fix reports which do not have a user
The check for deactivated users was being applied to report activities.
2022-11-19 15:12:16 -05:00
floatingghost
e1e0d5d759 microblogpub federation fixes (#288)
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/288
2022-11-18 11:14:35 +00:00
Haelwenn (lanodan) Monnier
3e0a5851e5 Set instance reachable on fetch 2022-11-15 17:23:47 +00:00
floatingghost
2a1f17e3ed and i yoink (#275)
Co-authored-by: Mark Felder <feld@feld.me>
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/275
2022-11-14 15:07:26 +00:00
floatingghost
c1127e321b Add configurable timeline per oban job (#273)
Heavily inspired by https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3777

Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/273
2022-11-13 23:55:51 +00:00
FloatingGhost
89dbc7177b Chores for 2022.11 2022-11-11 16:12:04 +00:00
FloatingGhost
ac0c00cdee Add media sources to connect-src if media proxy is enabled 2022-11-10 17:26:51 +00:00
FloatingGhost
bab1ab5b6c strip \r and \r from content-disposition filenames 2022-11-10 11:54:12 +00:00
floatingghost
cc6a076202 Include requested_by in relationship (#260)
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/260
2022-11-10 03:16:32 +00:00
FloatingGhost
0681a26dbb Remove unused pattern 2022-11-08 13:54:43 +00:00
FloatingGhost
4e8ab0deeb fix count of poll voters 2022-11-08 13:50:04 +00:00
FloatingGhost
2e895b6c02 make metdata check a debug log 2022-11-08 11:03:43 +00:00
FloatingGhost
479aacb1b6 Add fallback for reports that don't have attached activities 2022-11-08 11:01:47 +00:00
FloatingGhost
a0b8e3c842 Don't mess with the cache on metadata update 2022-11-08 10:39:01 +00:00
FloatingGhost
7bbaa8f8e0 automatically trim loading *. prefixes on domain blocks 2022-11-07 22:33:18 +00:00
floatingghost
31ad09010e Fix regex usage in MRF (#254)
fixes #235
fixes #228

Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/254
2022-11-06 23:50:32 +00:00
FloatingGhost
5123b3a5dd Add enabled check on /translation/languages 2022-11-06 22:55:26 +00:00
floatingghost
b7e8ce2350 Scrape instance nodeinfo (#251)
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/251
2022-11-06 22:49:39 +00:00
Thomas Citharel
4d0a51221a
Fix typo in CSP Report-To header name
The header name was Report-To, not Reply-To.

In any case, that's now being changed to the Reporting-Endpoints HTTP
Response Header.
https://w3c.github.io/reporting/#header
https://github.com/w3c/reporting/issues/177

CanIUse says the Report-To header is still supported by current Chrome
and friends.
https://caniuse.com/mdn-http_headers_report-to

It doesn't have any data for the Reporting-Endpoints HTTP header, but
this article says Chrome 96 supports it.
https://web.dev/reporting-api/

(Even though that's come out one year ago, that's not compatible with
Network Error Logging which's still using the Report-To version of the
API)

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2022-11-04 15:02:13 +01:00
floatingghost
9038da01cc Merge pull request 'Push.Impl: support edits' (#244) from norm/akkoma:push-support-edits into develop
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/244
2022-11-01 15:14:08 +00:00
floatingghost
e44e147b54 Merge pull request 'fix flaky test_user_relationship_test.exs:81' (#240) from ilja/akkoma:fix_flaky_test_user_relationship_test.exs_81 into develop
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/240
2022-11-01 14:44:23 +00:00
nullobsi
cbc693f832 Fix LDAP user registration (#229)
Simple fix for LDAP user registration. I'm not sure what changed but I managed to get Akkoma running in a debug session and figured out it was missing a match for an extra value at the end. I don't know Elixir all that well so I'm not sure if this was the correct way to do it... but it works. :)

Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/229
Co-authored-by: nullobsi <me@nullob.si>
Co-committed-by: nullobsi <me@nullob.si>
2022-11-01 14:17:55 +00:00
marcin mikołajczak
6486211064
Push.Impl: support edits
Signed-off-by: marcin mikołajczak <git@mkljczk.pl>
2022-10-28 01:20:19 -04:00
ilja
3562eaeedc fix flaky test_user_relationship_test.exs:81
The problem was double. On the one hand, the function didn't actually return what was in the DB.
On the other hand the test was flaky because it used NaiveDateTime.utc_now() so test could fail or pass depending on a difference of microseconds.

Both are fixed now.
2022-10-23 13:31:01 +02:00
floatingghost
f36d14818d Unilateral remove from followers (#232)
from https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3647/

Co-authored-by: marcin mikołajczak <git@mkljczk.pl>
Co-authored-by: Tusooa Zhu <tusooa@kazv.moe>
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/232
2022-10-19 10:01:14 +00:00
floatingghost
edf7d5089f Merge pull request 'Check that the signature matches the creator' (#230) from domain-blocks into develop
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/230
2022-10-14 11:41:34 +00:00
FloatingGhost
03662501c3 Check that the signature matches the creator 2022-10-14 11:48:32 +01:00
FloatingGhost
856c57208b Ensure deletes are handled after everything else 2022-10-11 14:30:08 +01:00
FloatingGhost
cb9b0d3720 optimise notifications query 2022-10-11 11:40:43 +01:00
FloatingGhost
8af50dea36 format 2022-10-10 17:13:42 +01:00
FloatingGhost
ca9e6ffc55 Use inner lateral join to not get dropped in :total 2022-10-10 16:45:02 +01:00
FloatingGhost
574f010bc8 Extract deactivated users query to a join 2022-10-10 15:55:58 +01:00
floatingghost
c6e63aaf6b Backend settings sync (#226)
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/226
2022-10-06 16:22:15 +00:00
floatingghost
b2aa82cee5 Fix false error in meilisearch index (#221)
the schema changed

https://docs.meilisearch.com/reference/api/documents.html#add-or-update-documents

this wasn't breaking anything, it would just report errors that were actually successes

Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/221
2022-09-20 10:36:21 +00:00
Norm
561e1f2470 Make backups require its own scope (#218)
Pulled from https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3721.

This makes backups require its own scope (`read:backups`) instead of the `read:accounts` scope.

Co-authored-by: Tusooa Zhu <tusooa@kazv.moe>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/218
Co-authored-by: Norm <normandy@biribiri.dev>
Co-committed-by: Norm <normandy@biribiri.dev>
2022-09-19 17:31:35 +00:00