Commit Graph

259 Commits

Author SHA1 Message Date
Egor Kislitsyn 2bd4d6289b
Make the warning more scarier 2020-01-29 18:43:23 +04:00
Egor Kislitsyn 6302b40791
Warn if HTTPSecurityPlug is disabled 2020-01-28 19:14:09 +04:00
Maksim Pechnikov 108a39c876 updated error messages for authentication process 2020-01-17 15:01:37 +03:00
Ivan Tashkinov 39ce894a07 Merge remote-tracking branch 'remotes/origin/develop' into 1478-oauth-admin-scopes-tweaks
# Conflicts:
#	lib/pleroma/user.ex
2020-01-10 16:18:32 +03:00
Ivan Tashkinov 6c94b7498b [#1478] OAuth admin tweaks: enforced OAuth admin scopes usage by default, migrated existing OAuth records. Adjusted tests. 2020-01-10 10:52:21 +03:00
Egor Kislitsyn 775212121c
Verify HTTP signatures only when request accepts "activity+json" type 2019-12-19 20:17:18 +07:00
Egor Kislitsyn a12b6454bb
Add an option to require fetches to be signed 2019-12-16 22:24:03 +07:00
Ivan Tashkinov 7973cbdb9f OAuthScopesPlug: disallowed nil token (unless with :fallback option). WIP: controller tests modification: OAuth scopes usage. 2019-12-15 22:32:42 +03:00
Maxim Filippov eb11c60289 Disable rate limiter for socket/localhost (unless RemoteIp is enabled) 2019-12-14 03:06:43 +03:00
Ivan Tashkinov 3920244be5 [#1427] Fixed `:admin` option handling in OAuthScopesPlug, added tests. 2019-12-11 11:42:02 +03:00
Ivan Tashkinov 835ac2157c Merge remote-tracking branch 'remotes/upstream/develop' into 1427-oauth-admin-scopes
# Conflicts:
#	CHANGELOG.md
2019-12-10 08:55:14 +03:00
rinpatch 3c45ed4f47 OTP: Fix runtime upload limit config being ignored
Closes #1109
2019-12-08 21:08:25 +03:00
Ivan Tashkinov 1770602747 [#1427] Extra check that admin OAuth scope is used by admin. Adjusted tests. 2019-12-07 17:49:53 +03:00
Ivan Tashkinov 40e1817f70 [#1427] Fixes / improvements of admin scopes support. Added tests. 2019-12-06 20:33:47 +03:00
Ivan Tashkinov 93a80ee915 [#1427] Bugfix for `enforce_oauth_admin_scope_usage`. Admin API documentation entry. 2019-12-06 16:56:23 +03:00
Ivan Tashkinov af42c00cff [#1427] Reworked admin scopes support.
Requalified users.is_admin flag as legacy accessor to admin actions in case token lacks admin scope(s).
2019-12-06 00:25:44 +03:00
Egor Kislitsyn 36686f5245
Support authentication via `x-admin-token` HTTP header 2019-11-19 15:58:20 +07:00
rinpatch 22554ac5ca Merge branch 'bugfix/1395-email-activation' into 'develop'
Bugfix/1395 email activation

Closes #1395

See merge request pleroma/pleroma!1965
2019-11-15 14:11:48 +00:00
lain f17e0f8e4f OAuthPlug, Router: Handle deactivated users in the UserEnabledPlug 2019-11-15 14:13:21 +01:00
kaniini 2cc043591c Merge branch 'feature/static-fe' into 'develop'
Static frontend

See merge request pleroma/pleroma!1917
2019-11-11 19:10:44 +00:00
Steven Fuchs 94627baa5c New rate limiter 2019-11-11 12:13:06 +00:00
lain f6056e9c9c UserEnabledPlug: Don't authenticate unconfirmed users. 2019-11-11 12:43:46 +01:00
Phil Hagelberg 886a07ba57 Move static_fe config to its own section instead of in :instance. 2019-11-09 18:08:45 -08:00
Phil Hagelberg 8969c5522d Make many of the improvements suggested in review. 2019-11-09 18:08:08 -08:00
Phil Hagelberg e8bee35578 Static FE plug should only respond to text/html requests. 2019-11-09 18:08:08 -08:00
Phil Hagelberg dc3b87d153 Move static FE routing into its own plug.
Previously it was piggybacking on FallbackRedirectController for users
and OStatusController for notices; now it's all in one place.
2019-11-09 18:08:08 -08:00
rinpatch 365657320c Fix TrailingFormatPlug not being active for /api/oauth_tokens 2019-11-06 17:22:23 +03:00
Ivan Tashkinov 10ff01acd9 [#1304] Moved all non-mutes / non-blocks fields from User.Info to User. WIP. 2019-10-16 21:59:21 +03:00
Ivan Tashkinov 64095961fe [#1234] Merge remote-tracking branch 'remotes/upstream/develop' into 1234-mastodon-2-4-3-oauth-scopes
# Conflicts:
#	CHANGELOG.md
#	lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex
#	lib/pleroma/web/router.ex
2019-10-02 20:42:40 +03:00
minibikini f9380289eb Add `remote_ip` plug 2019-09-27 21:59:23 +00:00
Ivan Tashkinov e4f3d7f69d Apply suggestion to lib/pleroma/plugs/oauth_scopes_plug.ex 2019-09-18 10:31:10 +00:00
Ivan Tashkinov 01c1078015 [#1234] Merge remote-tracking branch 'remotes/upstream/develop' into 1234-mastodon-2-4-3-oauth-scopes
# Conflicts:
#	lib/pleroma/web/activity_pub/activity_pub_controller.ex
2019-09-17 22:53:26 +03:00
Ivan Tashkinov efbc2edba1 [#1234] Merge remote-tracking branch 'remotes/upstream/develop' into 1234-mastodon-2-4-3-oauth-scopes
# Conflicts:
#	lib/pleroma/web/activity_pub/activity_pub_controller.ex
#	lib/pleroma/web/router.ex
2019-09-15 18:52:27 +03:00
Ivan Tashkinov e6f43a831b [#1234] Permissions-related fixes / new functionality (Masto 2.4.3 scopes). 2019-09-15 18:22:08 +03:00
rinpatch b0e6058021 Parse http signature for request to objects/activities 2019-09-12 23:03:52 +03:00
rinpatch dabc4a00f5 Put the cache with the right key when using a tracking function 2019-09-12 22:10:15 +03:00
rinpatch 769fb778d4 Track object/create activity fetches 2019-09-12 21:37:36 +03:00
minibikini 11e12b5761 Add Pleroma.Plugs.Cache 2019-09-09 18:53:08 +00:00
Ivan Tashkinov b63faf9819 [#1234] Mastodon 2.4.3 hierarchical scopes initial support (WIP). 2019-09-08 15:00:03 +03:00
rinpatch 3523bdcf26 Call TrailingFormatPlug for /api/pleroma/emoji
Apparently Pleroma-FE still calls it with trailing '.json'
2019-09-05 22:21:20 +03:00
rinpatch cc1d1ee406 Mastdon API: Add ability to get a remote account by nickname to
`/api/v1/accounts/:id`
2019-09-03 19:26:10 +03:00
Maksim 55341ac717 tests WebFinger 2019-07-24 15:13:10 +00:00
kaniini 716afc83ce Merge branch 'refactor/http-signature-plug' into 'develop'
http signature plug: separation of concerns

See merge request pleroma/pleroma!1449
2019-07-19 16:57:24 +00:00
Ariadne Conill c947cfec5a mapped signature plug: use `user` assign like authentication plug 2019-07-18 20:31:25 +00:00
Maksim f435217e50 tests for Plugs.AuthenticationPlug 2019-07-18 20:29:51 +00:00
Ariadne Conill a8af0ac053 mapped signature plug: fix user lookup 2019-07-18 16:27:50 +00:00
Ariadne Conill 5ea0cd69f7 mapped signature plug: don't invalidate in cases where a signature is actually not present (testsuite) 2019-07-18 16:01:21 +00:00
Ariadne Conill 184fa61fb3 plugs: add MappedSignatureToIdentityPlug 2019-07-18 15:38:45 +00:00
Ariadne Conill 88d064d80e http signature plug: remove redundant checks handled by HTTPSignatures library
the redundant checks assumed a POST request, which will not work for signed GETs.
this check was originally needed because the HTTPSignatures adapter assumed that
the requests were also POST requests.  but now, the adapter has been corrected.
2019-07-18 15:11:21 +00:00
Moonman 105f437ce9 formatting 2019-07-15 08:36:51 -07:00
Moonman f98f7ad1b9 detect and use sha512-crypt for stored password hash. 2019-07-14 09:48:42 -07:00
Ivan Tashkinov 369e9bb42f [#1041] Rate-limited status actions (per user and per user+status). 2019-07-13 14:49:39 +03:00
Egor Kislitsyn ed8ce21a22 Fix unused import warning 2019-07-10 18:10:09 +07:00
Egor Kislitsyn a42da8f311 Fix response 2019-07-10 18:10:09 +07:00
Egor Kislitsyn 5104f65b69 Wrap error messages into gettext helpers 2019-07-10 18:10:09 +07:00
Egor Kislitsyn 0d54a571ca Add SetLocalePlug 2019-07-10 18:08:03 +07:00
Egor Kislitsyn 889a9c3a3f Polish IdempotencyPlug 2019-06-27 01:53:58 +07:00
Egor Kislitsyn 159630b21c Fix credo warning 2019-06-26 19:19:07 +07:00
Egor Kislitsyn 825077a5b0 Add Idempotency plug 2019-06-26 18:36:58 +07:00
Alexander Strizhakov c2ca1f22a2 it is changed in compile time
we can't change module attributes and endpoint settings in runtime
2019-06-14 15:45:05 +00:00
Egor Kislitsyn b22b10d3aa Improve rate limiter documentation
Documents how to disable rate limiting
2019-06-14 15:02:10 +07:00
lain 63ab3c30eb Merge branch 'feature/rate-limiter' into 'develop'
Feature/Rate Limiter

Closes #943

See merge request pleroma/pleroma!1266
2019-06-11 11:32:01 +00:00
Egor Kislitsyn ad04d12de6 Replace `MastodonAPIController.account_register/2` rate limiter 2019-06-11 16:06:03 +07:00
Egor Kislitsyn 2e5affce61 Add RateLimiter 2019-06-11 14:27:41 +07:00
rinpatch 92213fb87c Replace Mix.env with Pleroma.Config.get(:env)
Mix.env/0 is not availible in release environments such as distillery or
elixir's built-in releases.
2019-06-06 23:59:51 +03:00
Egor Kislitsyn 99f70c7e20 Use Pleroma.Config everywhere 2019-05-30 15:33:58 +07:00
Alex S aa11fa4864 add report uri and report to 2019-05-16 12:49:40 +07:00
kaniini 62516be9c4 Merge branch 'fix/public-option-not-working' into 'develop'
Fix public option not working

Closes #873

See merge request pleroma/pleroma!1143
2019-05-15 15:42:21 +00:00
Aaron Tinio 7b8dc99ef1 Implement Pleroma.Plugs.EnsurePublicOrAuthenticated 2019-05-15 05:09:29 +08:00
William Pitcock 071f78733a switch to pleroma/http_signatures library 2019-05-14 20:03:13 +00:00
Alexander Strizhakov a2be420f94 differences_in_mastoapi_responses.md: fullname & bio are optionnal
[ci skip]
2019-05-13 18:35:45 +00:00
feld acb04306b6 Standardize construction of websocket URL
This follows up on the change made in d747bd98
2019-05-03 11:45:04 +00:00
AkiraFukushima 533d8cd581 Parse access_token from body parameters and URL parameters 2019-05-02 21:04:00 +09:00
Egor Kislitsyn 88d3cb44c3 replace `Repo.get_by(User, nickname: nickname)` with `User.get_by_nickname(nickname)` 2019-04-02 17:47:02 +07:00
kaniini c708656b5e Merge branch 'robotstxt' into 'develop'
Add robots.txt

Closes #723

See merge request pleroma/pleroma!929
2019-03-15 02:50:27 +00:00
William Pearson 3dadaa4432 robots.txt
Add default robots.txt that allows bots access to all paths.
Add mix task to generate robots.txt taht allows bots access to no paths.
Document custom emojis, MRF and static_dir
static_dir documentation includes docs for the robots.txt Mix task.
2019-03-15 02:28:18 +00:00
rinpatch cbdd11c381 Merge develop to bump elixir version in the CI so I don't get failing formatting 2019-03-14 22:33:20 +03:00
rinpatch e2fe796c63 Add some tests 2019-03-14 22:02:48 +03:00
Haelwenn (lanodan) Monnier c42d34b2ec
[Credo] fix Credo.Check.Readability.MaxLineLength 2019-03-13 04:26:56 +01:00
Haelwenn (lanodan) Monnier a3a9cec483
[Credo] fix Credo.Check.Readability.AliasOrder 2019-03-13 04:26:54 +01:00
rinpatch 92a69bddce escape quotation marks in Content-Disposition header 2019-03-12 09:21:13 +03:00
rinpatch 5a73cae2be WIP: Stop mangling filenames 2019-03-12 09:10:19 +03:00
Haelwenn (lanodan) Monnier fc37e5815f
Plugs.HTTPSecurityPlug: Add static_url to CSP's connect-src
Closes: https://git.pleroma.social/pleroma/pleroma/merge_requests/469
2019-03-05 01:44:24 +01:00
Ivan Tashkinov bc4f77b10b [#468] Merged `upstream/develop`, resolved conflicts. 2019-02-17 14:07:04 +03:00
Ivan Tashkinov 2a4a4f3342 [#468] Defined OAuth restrictions for all applicable routes.
Improved missing "scopes" param handling.
Allowed "any of" / "all of" mode specification in OAuthScopesPlug.
Fixed auth UI / behavior when user selects no permissions at /oauth/authorize.
2019-02-15 19:54:37 +03:00
Ivan Tashkinov 063baca5e4 [#468] User UI for OAuth permissions restriction. Standardized storage format for `scopes` fields, updated usages. 2019-02-14 00:29:29 +03:00
Haelwenn (lanodan) Monnier da4c662af3
Plugs.HTTPSecurityPlug: Add webpacker to connect-src 2019-02-12 22:12:12 +01:00
Haelwenn (lanodan) Monnier 00e8f0b07d
Plugs.HTTPSecurityPlug: Add unsafe-eval to script-src when in dev mode
This is needed to run dev mode mastofe at the same time
2019-02-12 22:12:11 +01:00
shibayashi ea1058929c
Use url[:scheme] instead of protocol to determine if https is enabled 2019-02-12 00:08:52 +01:00
Haelwenn (lanodan) Monnier 6a6a5b3251
de-group alias/es 2019-02-09 16:31:17 +01:00
Ivan Tashkinov 4ad843fb9d [#468] Prototype of OAuth2 scopes support. TwitterAPI scope restrictions. 2019-02-09 17:09:08 +03:00
Haelwenn (lanodan) Monnier 60ea29dfe6
Credo fixes: alias grouping/ordering 2019-02-09 14:59:20 +01:00
Haelwenn (lanodan) Monnier 106f4e7a0f
Credo fixes: parameter consistency 2019-02-09 14:59:20 +01:00
href fa5ec765d9
Serve sw-pleroma.js properly 2019-02-01 11:34:41 +01:00
href 8018ae7ae5
Join on preloads to avoid N+1 queries 2019-01-26 15:55:53 +01:00
William Pitcock 980b5288ed update copyright years to 2019 2018-12-31 15:41:47 +00:00
William Pitcock 2791ce9a1f add license boilerplate to pleroma core 2018-12-23 20:56:42 +00:00
lain f3eb414e28 Add a way to use the admin api without a user. 2018-12-18 21:08:52 +01:00
href b1860fe85a
Instance/Static runtime plug
This allows to set-up an arbitrary directory which overrides most of the
static files: index.html static/ emoji/ packs/ sounds/ images/ instance/
favicon.png.

If the files are not present in the directory, the bundled ones in
priv/static will be used.
2018-12-17 22:50:59 +01:00
href 5dcb7aecea
More put_view. 2018-12-16 17:51:22 +01:00
Egor Kislitsyn 658edb166f
fix and improve web push; add configuration docs 2018-12-14 13:05:29 +01:00
Maksim Pechnikov 074fa790ba fix compile warnings 2018-12-09 20:50:08 +03:00
Egor Kislitsyn 4944498133 Merge branch 'develop' into feature/compat/push-subscriptions
# Conflicts:
#	lib/pleroma/application.ex
#	lib/pleroma/plugs/oauth_plug.ex
2018-12-06 20:15:16 +07:00
Egor Kislitsyn 8b4397c704 Merge branch 'develop' into feature/compat/push-subscriptions
# Conflicts:
#	lib/mix/tasks/sample_config.eex
#	lib/pleroma/web/twitter_api/controllers/util_controller.ex
#	mix.exs
#	mix.lock
2018-12-06 19:55:58 +07:00
Maksim Pechnikov c524c50509 fix/273 2018-12-05 17:32:06 +03:00
lain f18b86fd5f More fixes for Info schema. 2018-12-01 12:46:08 +01:00
lain c443c9bd72 Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into validate-user-info 2018-12-01 09:55:46 +01:00
lain 1c67277c80 Fix admin api. 2018-12-01 09:03:16 +01:00
href b19597f602
reverse proxy / uploads 2018-11-30 18:00:47 +01:00
lain d0ec2812bd Merge remote-tracking branch 'origin' into validate-user-info 2018-11-30 17:34:20 +01:00
Haelwenn (lanodan) Monnier 04daa0fa44
Plugs.HTTPSecurityPlug: Activate upgrade-insecure-requests only when there is https
This fixes running mastofe with MIX_ENV=dev
2018-11-26 21:41:36 +01:00
shibayashi 591b11eafc
Add manifest-src to allow manifest.json 2018-11-26 20:48:24 +01:00
William Pitcock 3356c7d1e9 oauth plug: fix deactivated check 2018-11-20 18:47:00 +00:00
Haelwenn (lanodan) Monnier 4a79b89dba
lib/pleroma/plugs/user_is_admin_plug.ex: change 403 string to “User is not admin.” 2018-11-17 20:25:56 +01:00
Haelwenn (lanodan) Monnier c8b8f1d32c
[Pleroma.Plugs.UserIsAdminPlug]: Check if admin is true instead of false, fix error reporting 2018-11-17 20:25:53 +01:00
Haelwenn (lanodan) Monnier 7076d45cb6
lib/pleroma/plugs/user_is_admin_plug.ex: Create 2018-11-17 20:25:52 +01:00
William Pitcock c07464607d http security: remove form-action from CSP definitions 2018-11-16 17:40:21 +00:00
William Pitcock ee5932a504 http security: allow referrer-policy to be configured 2018-11-12 15:14:46 +00:00
William Pitcock fe67665e19 rename CSPPlug to HTTPSecurityPlug. 2018-11-12 15:08:02 +00:00
William Pitcock df72978dce csp plug: add support for certificate transparency 2018-11-11 06:55:44 +00:00
William Pitcock 331cf6ada1 csp plug: add sts support 2018-11-11 06:50:28 +00:00
William Pitcock f516e317ea plugs: add CSPPlug 2018-11-11 06:10:21 +00:00
href 6fe23c5458
Runtime configured router 2018-11-05 15:19:03 +01:00
Martin Kühl c2d592c9c5 Assign token to connection 2018-09-22 07:04:01 +02:00
lain 44b094908c Update legacy passwords automatically. 2018-09-05 22:30:14 +02:00
lain e601165426 Add UserEnabledPlug. 2018-09-05 21:53:53 +02:00
lain 5ce1ebb179 Add SetUserSessionIdPlug. 2018-09-05 21:42:42 +02:00
lain 12bc73dd28 Add EnsureUserKeyPlug, smaller fixes 2018-09-05 19:06:28 +02:00
lain 32465b9939 Simplify AuthenticationPlug 2018-09-05 18:53:38 +02:00
lain 9a96c93be7 Add SessionAuthenticationPlug. 2018-09-05 18:37:02 +02:00
lain a3f54fca4d Add LegacyAuthenticationPlug 2018-09-05 18:17:33 +02:00
lain 3cf17dc402 Add EnsureAuthenticatedPlug 2018-09-05 17:59:19 +02:00
lain faf5347748 Add UserFetcherPlug. 2018-09-05 17:44:38 +02:00
lain 42bd985e66 Add BasicAuthDecoderPlug 2018-09-05 17:30:05 +02:00
Moon Man 8b020e03a6 change cond to if else 2018-09-05 01:37:48 -04:00
Moon Man 1a8bc26e52 auth against sha512-crypt password hashes, upgrade to pbkdf2 2018-09-05 00:21:44 -04:00
William Pitcock 8da406afa2 activitypub: verify remote http signature digests by recomputing the digest and replacing the digest header 2018-07-31 23:24:30 +00:00
lain dd9bb37893 Rename id helper method. 2018-05-26 13:57:11 +02:00
William Pitcock 4d2c6707c2 activitypub: normalize the actor to ensure we have its URI 2018-05-19 03:28:28 -05:00
Mark Felder ab4aa5720a Fix a bunch of unused variable warnings 2018-05-04 20:59:01 +00:00
lain 0a14d155d6 Fail faster. 2018-04-02 13:13:14 +02:00
lain 4afbef39f4 Format the code. 2018-03-30 15:01:53 +02:00
lain d2099c849d More Jason changes. 2018-03-27 16:45:38 +02:00
lain f29902a241 More signature debugging. 2018-03-11 14:37:23 +01:00
lain 5ea6d96dbe Fix signing bug. 2018-02-25 20:15:04 +01:00
lain ac67453e8a More logging for signature problems. 2018-02-24 17:36:26 +01:00
lain 2757682894 More logging. 2018-02-22 14:57:35 +01:00
lain 38b61fddfe HttpSignature Plug: Skip if already valid. 2018-02-15 19:58:26 +01:00
Roger Braun a9c23e1c32 Add plug to validate signed http requests. 2017-12-12 10:17:21 +01:00
Lain Iwakura 0ec5aeb8a7 Don't log in deactivated users. 2017-12-07 17:41:34 +01:00