| Age | Commit message (Collapse) | Author | Files |
|---|
|
This adds a proof-of-work based scraper deterrence to GoToSocial's middleware stack on profile and status web pages. Heavily inspired by https://github.com/TecharoHQ/anubis, but massively stripped back for our own usecase.
Todo:
- ~~add configuration option so this is disabled by default~~
- ~~fix whatever weirdness is preventing this working with CSP (even in debug)~~
- ~~use our standard templating mechanism going through apiutil helper func~~
- ~~probably some absurdly small performance improvements to be made in pooling re-used hex encode / hash encode buffers~~ the web endpoints aren't as hot a path as API / ActivityPub, will leave as-is for now as it is already very minimal and well optimized
- ~~verify the cryptographic assumptions re: using a portion of token as challenge data~~ this isn't a serious application of cryptography, if it turns out to be a problem we'll fix it, but it definitely should not be easily possible to guess a SHA256 hash from the first 1/4 of it even if mathematically it might make it a bit easier
- ~~theme / make look nice??~~
- ~~add a spinner~~
- ~~add entry in example configuration~~
- ~~add documentation~~
Verification page originally based on https://github.com/LucienV1/powtect
Co-authored-by: tobi <tobi.smethurst@protonmail.com>
Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4043
Reviewed-by: tobi <tsmethurst@noreply.codeberg.org>
Co-authored-by: kim <grufwub@gmail.com>
Co-committed-by: kim <grufwub@gmail.com>
|
|
|
|
Removes our now unused drone stuff and adds pipelines for our new woodpecker instance.
Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4061
Co-authored-by: tobi <tobi.smethurst@protonmail.com>
Co-committed-by: tobi <tobi.smethurst@protonmail.com>
|
|
Co-authored-by: Daenney <daenney@users.noreply.github.com>
Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4060
Co-authored-by: Daenney <daenney@noreply.codeberg.org>
Co-committed-by: Daenney <daenney@noreply.codeberg.org>
|
|
|
|
|
|
it on the frontend (#4052)
* [feature] Update attachment format, receive + send `focalPoint` prop + use it on the frontend
* whoops
* boop
* restore function signature of ExtractAttachments
|
|
* start work rewriting timeline cache type
* further work rewriting timeline caching
* more work integration new timeline code
* remove old code
* add local timeline, fix up merge conflicts
* remove old use of go-bytes
* implement new timeline code into more areas of codebase, pull in latest go-mangler, go-mutexes, go-structr
* remove old timeline package, add local timeline cache
* remove references to old timeline types that needed starting up in tests
* start adding page validation
* fix test-identified timeline cache package issues
* fix up more tests, fix missing required changes, etc
* add exclusion for test.out in gitignore
* clarify some things better in code comments
* tweak cache size limits
* fix list timeline cache fetching
* further list timeline fixes
* linter, ssssssssshhhhhhhhhhhh please
* fix linter hints
* reslice the output if it's beyond length of 'lim'
* remove old timeline initialization code, bump go-structr to v0.9.4
* continued from previous commit
* improved code comments
* don't allow multiple entries for BoostOfID values to prevent repeated boosts of same boosts
* finish writing more code comments
* some variable renaming, for ease of following
* change the way we update lo,hi paging values during timeline load
* improved code comments for updated / returned lo , hi paging values
* finish writing code comments for the StatusTimeline{} type itself
* fill in more code comments
* update go-structr version to latest with changed timeline unique indexing logic
* have a local and public timeline *per user*
* rewrite calls to public / local timeline calls
* remove the zero length check, as lo, hi values might still be set
* simplify timeline cache loading, fix lo/hi returns, fix timeline invalidation side-effects missing for some federated actions
* swap the lo, hi values :facepalm:
* add (now) missing slice reverse of tag timeline statuses when paging ASC
* remove local / public caches (is out of scope for this work), share more timeline code
* remove unnecessary change
* again, remove more unused code
* remove unused function to appease the linter
* move boost checking to prepare function
* fix use of timeline.lastOrder, fix incorrect range functions used
* remove comments for repeat code
* remove the boost logic from prepare function
* do a maximum of 5 loads, not 10
* add repeat boost filtering logic, update go-structr, general improvements
* more code comments
* add important note
* fix timeline tests now that timelines are returned in page order
* remove unused field
* add StatusTimeline{} tests
* add more status timeline tests
* start adding preloading support
* ensure repeat boosts are marked in preloaded entries
* share a bunch of the database load code in timeline cache, don't clear timelines on relationship change
* add logic to allow dynamic clear / preloading of timelines
* comment-out unused functions, but leave in place as we might end-up using them
* fix timeline preload state check
* much improved status timeline code comments
* more code comments, don't bother inserting statuses if timeline not preloaded
* shift around some logic to make sure things aren't accidentally left set
* finish writing code comments
* remove trim-after-insert behaviour
* fix-up some comments referring to old logic
* remove unsetting of lo, hi
* fix preload repeatBoost checking logic
* don't return on status filter errors, these are usually transient
* better concurrency safety in Clear() and Done()
* fix test broken due to addition of preloader
* fix repeatBoost logic that doesn't account for already-hidden repeatBoosts
* ensure edit submodels are dropped on cache insertion
* update code-comment to expand CAS accronym
* use a plus1hULID() instead of 24h
* remove unused functions
* add note that public / local timeline requester can be nil
* fix incorrect visibility filtering of tag timeline statuses
* ensure we filter home timeline statuses on local only
* some small re-orderings to confirm query params in correct places
* fix the local only home timeline filter func
|
|
|
|
|
|
|
|
* [bugfix] Fix '+'-separated scopes not being recognized
* comment
|
|
|
|
|
|
* fix incorrect endpoint being registered for /token/{id}
* update the maximum page value for tokens endpoint to 100
* update the available tokens page options
* set a default limit of 25 to match the first available settings panel option
* ensure OnInvalidateToken() hook is called during token delete
|
|
little drop down to unclutter status info bar (#4021)
* dick about with stats a bit
* more dicking abuot
* lil tweaks
* more about-dicking
* weee
* comments
* fixie uppie
|
|
* always include headerToken response if provided, because Chrome *sigh*
* wording
* Update internal/api/client/streaming/stream.go
Co-authored-by: Ilia Pozdnyakov <iliazeus@proton.me>
---------
Co-authored-by: Ilia Pozdnyakov <iliazeus@proton.me>
|
|
|
|
* update semantics of when media URL is left unset
* fix test
|
|
possible (#4006)
|
|
* [bugfix] Fix setting bot on/off
* read client messages in tests
* test fix
|
|
|
|
field (#3982)
* add IPPrefixes type so we don't need separate rate limit parsed field
* sshhhh please linter, mommy's working
|
|
* [feature] add TOTP two-factor authentication (2FA)
* use byteutil.S2B to avoid allocations when comparing + generating password hashes
* don't bother with string conversion for consts
* use io.ReadFull
* use MustGenerateSecret for backup codes
* rename util functions
|
|
* [bugfix] Don't assume `"manuallyApprovesFollowers": true` if not set
* whoops, tests
|
|
|
|
`url` and collections (#3928)
* [chore] Migrate accounts to new table, relax uniqueness constraint of actor url and collections
* fiddle with it! (that's what she said)
* remove unused cache fields
* sillyness
* fix tiny whoopsie
|
|
* start implementing editing of existing domain permissions
* [feature] Allow editing domain blocks/allows, fix comment import
* [bugfix] Use "comment" via /api/v1/instance
* fix the stuff
|
|
|
|
* [feature] Use blurhashes in frontend, tidy up gallery view a bit
* weeeeeeeeeeeeeeeee
* beep boop
|
|
|
|
profile (#3917)
* [feature] Allow user to choose "gallery" style web layout
* find a bug and squish it up and all day long you'll have good luck
* just a sec
* [performance] reindex public timeline + tinker with query a bit
* fiddling
* should be good now
* last bit of finagling, i'm done now i prommy
* panic normally
|
|
* bumps our spf13/viper version
* fixes the one breaking change
|
|
* feat: Relax URL matching
Instead of only linkifying things with an explicit http or https scheme,
the xurls.Relaxed also matches links with known TLDs. This means that
text like 'banana.com' will also be matched, despite the missing
http/https scheme. This also works to linkify email addresses, which is
handy.
This should also ensure we catch links without a scheme for the purpose
of spam checking.
|
|
interacting with bandwagon (#3931)
* bump activity version
* parse funkwhale / bandwagon album as statusable
|
|
* [chore] More tests for domain allow + block subscriptions
* [bugfix] Fix set `obfuscate = null` error in adoptPerm
* fmt
|
|
|
|
|
|
* [feature] Application creation + management via API + settings panel
* fix docs links
* add errnorows test
* use known application as shorter
* add comment about side effects
|
|
|
|
* add warning message when wazero compiler not supported, update supported platforms in README
* whoops don't return a reason string for arm64, since it should always be supported
|
|
* [performance] Optimize local timeline + local status count queries
* remove if not exists from create view
|
|
|
|
plaintext (#3876)
* [feature] Parse content warning as HTML, serialize via API to plaintext
* tidy up some cruft
* whoops
* oops
* i'm da joker baybee
* clemency muy lorde
* rename some of the text functions for clarity
* jiggle the opts
* fiddle de deee
* hopefully the last test fix i ever have to do in my beautiful life
|
|
* Add ContentType to internal models
* Add ContentType to API models StatusSource and StatusEdit
* Add helpers to convert between API/internal StatusContentType
* Write status content type on create/edit
* Add migration
* Update API docs
go run github.com/go-swagger/go-swagger/cmd/swagger generate spec --scan-models --exclude-deps --output docs/api/swagger.yaml
* ensure ContentType is updated anywhere Text is
* Update docs, take care of TODOs
* Set ContentType in more places where Text is set
* We don't actually use ContentType on the API status model
* Update StatusSource test
* Remove unused helper function I copied
* Revert change to StatusContentType swagger annotation
I'm going to include this in a follow-on PR instead.
* Add test for updating content type in edits
* Return a value from processContentType instead of modifying the existing status
Fixes an issue that was caught by the test I just added - the recorded edit would be marked with the *new* content type instead of the old one, which is obviously bad
* Add test for handling of statuses with no stored content type
* repurpose an existing test status instead of adding a new one to avoid breaking other tests
* Add test to ensure newly created statuses always have content type saved
* Do include content type on status API model actually
This is mostly important when deleting and redrafting.
The comment on `apimodel.Status.Text` implies that it's not sent except in response to status deletion, but actually this doesn't seem to be the case; it also appears to be present in responses to creations and normal fetches and stuff. So I'm treating `ContentType` the same here.
* Update new tests to check content type on API statuses
* Check content type of API statuses in all tests where text is checked
* update other api tests with status content type field
* Add test ensuring text and content type are returned when deleting a status
* Convert processContentType to free function and remove unused parameter
* check for the correct value in the deletion test
* Be explicit about this test status having an empty content type
* Use omitempty consistently on API models
* clean up the final diff a bit
* one more swagger regen for the road
* Handle nil statuses in processContentType
* Don't pass processContentType the entire edit form, it doesn't need it
* Move processContentType to common.go and use for creation as well
* Remove unused parameters to ContentTypeToAPIContentType
|
|
* [bugfix] Return useful err on `server start` failure
* remove scheduler started func
* remove tryUntil
|
|
|
|
* [bugfix] Fix app migration
* use temporary index during migration
* create temporary index for the migration
* include local = true in temporary index
* tweak migration a bit for SPEED
|
|
* fix refreshed additional media info being ignored when force flag already set
* also update to always iterate through all additional info fields
* make similar changes for emoji, even if not necessary, just to keep in-sync
|
|
* [feature] Refactor tokens, allow multiple app redirect_uris
* move + tweak handlers a bit
* return error for unset oauth2.ClientStore funcs
* wrap UpdateToken with cache
* panic handling
* cheeky little time optimization
* unlock on error
|
kim
Daenney
tobi
Daenney
tobi
kim
Leonid Shevtsov
ewwwin