Commit Graph

395 Commits

Author SHA1 Message Date
Mike Dalessio 00eee29837 Validate Identity email address
using the "standard" email regexp URI::MailTo::EMAIL_REGEXP. The form
field will validate this in the browser, but if bots are creating
identities, they can put whatever they want in here. So let's add some
protection against that.

The HtmlHelper regex was renamed here to avoid confusing Brakeman,
which does imprecise constant lookup and was confusing the two
constants, one of which uses `\A` and `\z` and the other does
not (intentionally).

ref: https://app.fizzy.do/5986089/cards/3276
2025-12-04 14:01:15 -05:00
Jason Zimdars d4a50c996a Merge pull request #1894 from Venkat-RK/main
Added 'Back to Home' link on notifications list page
2025-12-04 11:19:55 -06:00
vkagithala a92aab9981 Removed test to verify back button. 2025-12-04 08:44:37 -08:00
Kevin McConnell dfe7095ee6 Merge pull request #1917 from basecamp/dont-resize-svg-avatars
Don't try to resize non-variable avatars
2025-12-04 14:53:00 +00:00
Mike Dalessio 394c5dbf03 Revert "Changing columns requires board admin"
This reverts commit cecccadc14.
2025-12-04 09:46:30 -05:00
Mike Dalessio 89940d36f8 Gracefully handle ill-formed remote images in rich text
A better fix has been proposed upstream at
https://github.com/rails/rails/pull/56283 but this should be fine in
the meantime.

ref: https://app.fizzy.do/5986089/cards/3188
2025-12-04 09:24:52 -05:00
Kevin McConnell 6475ad3425 Don't try to resize non-variable avatars 2025-12-04 13:36:21 +00:00
Stanko K.R. a8f328c921 Sign up new users on sign in 2025-12-04 11:30:21 +01:00
Jeremy Daer cecccadc14 Changing columns requires board admin 2025-12-03 23:24:25 -08:00
vkagithala 8685b62232 Added 'Back to Home' link on notifications list page to improve navigation experience. 2025-12-03 17:21:50 -08:00
Jorge Manrubia 6847c001ea Merge pull request #1876 from basecamp/column-reordering-auth
Fix unauthorized column reordering
2025-12-03 22:18:06 +01:00
Jeremy Daer 9f6a4f1cc6 Fix unauthorized column reordering
Users could reorder columns they didn't have access to. Fixed by
limiting ColumnScoped to User::Accessor#accessible_columns.

References https://hackerone.com/reports/3449905
2025-12-03 13:00:49 -08:00
Jason Zimdars 7a45caa39d Update test 2025-12-03 12:02:23 -06:00
Stanko K.R. 84213265e7 Render friendly error message when using an invalid token 2025-12-03 15:37:27 +01:00
Stanko K.R. 6e9381abb8 Fix crash in join code redemption race condition 2025-12-03 13:29:20 +01:00
Stanko Krtalić 7a0290a4af Merge pull request #1841 from basecamp/fix-access-control-issues
Allow only the owner of a reaction to delete it
2025-12-03 11:33:36 +01:00
Stanko K.R. 77f1110020 Allow only the owner of a reaction to delete it 2025-12-03 11:10:44 +01:00
Stanko K.R. 702865873d Allow only people who can administer a board to delete it 2025-12-03 10:56:05 +01:00
Jeremy Daer b755b3fead Robots, begone (#1812)
* robots.txt: "Please, don't come in." If a page is directly linked, the
  URL can still appear in search results, though.
* X-Robots-Tag: "If you're here, forget what you saw." Works even if the
  crawler ignores robots.txt or reaches a page via external link. Can
  remove already-indexed pages.
* Public boards may not be indexed. They're meant for "anyone with the
  link" private sharing, not worldwide publishing.
2025-12-02 13:35:58 -08:00
Kevin McConnell d24726c1d3 Merge pull request #1768 from basecamp/data-exports
Add "data export" feature
2025-12-02 09:56:40 +00:00
Jorge Manrubia c9ebb79dbd Add some protections around sharing the magic link in development 2025-12-02 10:51:14 +01:00
Kevin McConnell e16cc21b0a Add "data export" feature
- Adds a button in Account Settings where you can request a ZIP export of your
  Fizzy data
- Export files are created in the background. When ready, a link to
  download them is sent to the requester.
- Exports expire after 24 hours. And are limited to 10 per day.
2025-12-01 15:23:26 +00:00
Mike Dalessio edf6b53469 Introduce an "owner" role, and prevent it from being administered
to prevent the owner from being demoted or kicked out.

ref: https://app.fizzy.do/5986089/cards/3213
2025-11-29 14:13:29 -05:00
Stanko K.R. 2311efd03e Make sign up Magic Links work across devices
Previously if someone started signing in on their phone, but finished it on their laptop, they'd end up on the menu screen with no account. Bu tracking the purpose of a Magic Link we can always direct the user to sign up if they requested a magic link through sign up. This also makes the logic for changing the copy in the email more robust.
2025-11-29 12:36:00 +01:00
Stanko K.R. 658b5a07cf Organize everything under Signups 2025-11-29 11:46:09 +01:00
Rosa Gutierrez f8a1e0500d Switch from report-only to actually using Sec-Fetch-Site for CSRF protection
As a fallback for Rails's token-based mechanism. To use Sec-Fetch-Site
exclusively, we'll wait until Rails offers that (when we upstream this).
2025-11-28 16:26:03 +01:00
Jorge Manrubia 2f4a05a39f Format 2025-11-28 15:53:58 +01:00
Jorge Manrubia 3223ba53c3 We need the check in both test/code 2025-11-28 15:53:58 +01:00
Jorge Manrubia 1897cc238f Only staff can access beta/staging
https://app.fizzy.do/5986089/cards/3208
2025-11-28 15:53:58 +01:00
Jorge Manrubia 4e09352c09 Bring simple signup flow from the fizzy-saas gem
We skip the QB code and we fill external account ids automatically on creation with a sequence

See:
https://github.com/basecamp/fizzy-saas/pull/7
2025-11-28 15:53:58 +01:00
Jorge Manrubia 8baf5b8abd Make mission control only accessible for staff members 2025-11-28 15:53:58 +01:00
Jorge Manrubia 0754b0e93c Test moved to the gem 2025-11-28 15:53:58 +01:00
Jorge Manrubia e1e9a01720 Make open source the default, and check for sass instead 2025-11-28 15:53:48 +01:00
Mike Dalessio 3f8d10d679 Merge pull request #1747 from basecamp/flavorjones/perf-20251127
Address some N+1 query situations
2025-11-27 12:46:56 -05:00
Stanko K.R. e3d91f4ba2 Fix join codes skipping user setup
If someone joined an account with the same identity as they were signed in with the old logic would skip the user setup step
2025-11-27 17:59:17 +01:00
Mike Dalessio 79c9ea2ce1 Remove a bunch of N+1s
related to notification and comment rendering
2025-11-27 11:08:45 -05:00
Donal McBreen c4498212dc Merge branch 'main' into sqlite
* main: (116 commits)
  Ensure avatar thumbnails are square
  Update useragent to recognize twitterbot/facebot
  Add defensive styles for non-square avatar images
  Update test for copy changes
  Missed commit
  AI: standardize on https://agents.md
  Make it clear this is just notifications, not comprehensive activity
  AI: configure MCP servers for Chrome, Grafana, and Sentry (#1727)
  Allow requests from Google Image Proxy
  Update to basecamp's useragent fork
  Clean up a little bit the CSRF reporting code
  Claude: production observability guidance (#1725)
  Prevent autoscroll to the root columns container to prevent jump on page load
  Include full name string so you can type your name to filter
  Prioritize current user and assigned users in assignment dropdown
  Check and report on Sec-Fetch-Site header for forgery protection
  bundle update
  Bump bootsnap from 1.18.6 to 1.19.0
  Bump rails from `077c3ad` to `17f6e00`
  Fix cards getting stuck in edit mode
  ...
2025-11-26 10:07:41 +00:00
Mike Dalessio 60e1751cac Update useragent to recognize twitterbot/facebot
This UA was pulled from our logs.

ref: https://app.fizzy.do/5986089/cards/1775
2025-11-25 18:05:21 -05:00
Mike Dalessio b767d6edcb Allow requests from Google Image Proxy
which should fix email notifications' avatars rendering as broken
images in GMail.

ref: https://app.fizzy.do/5986089/cards/1740
2025-11-25 16:26:15 -05:00
Mike Dalessio 0bf62ba4cf Update to basecamp's useragent fork
and assert it's working by testing for Baidu
2025-11-25 16:18:23 -05:00
Rosa Gutierrez d88949288c Check and report on Sec-Fetch-Site header for forgery protection
This is a great, solid alternative to CSRF tokens for CSRF protection
when we aren't worried about older browsers or other kind of actors
doing modifying requests in our app, and could be a good test for future
upstreaming to Rails (although there we'd need to continue using CSRF
tokens or at least letting people opt out manually).

Let's start checking the header and reporting on it when CSRF fails or
when it doesn't match the other checks Rails does, and then promote this
to be the only way to defend from CSRF.
2025-11-25 19:19:50 +01:00
Jason Zimdars a9da44b575 Merge pull request #1663 from basecamp/not-now-polish
Not now polish
2025-11-24 10:33:25 -06:00
Kevin McConnell bd259f7795 Add optimistic pausing to avoid stale reads
Instead of writer pinning, we'll track the last transaction ID of each
write in the session. Then on each read we'll wait for the replica to
report that this transaction is available.

If it doesn't become available within a reasonable timeout, we'll
proceed anyway, and accept the possibility of a stale read.

The hope here is that most of the time, the replica is caught up in the
time between a write request and the following read request. If it's
not, we now have a little tolerance to wait for it, which hopefully
proves enough to stale reads are not encountered in normal use.

We also disable the writer affinity opt-out mechanism that we had
before, since we will no longer be using writer affinity at the load
balancer.
2025-11-24 13:29:52 +00:00
Stanko K.R. 46d80f2ca2 Serve system user avatar as an asset 2025-11-24 13:16:14 +01:00
Stanko K.R. e85c5736c9 Render system user avatars using redirects 2025-11-24 12:05:32 +01:00
Jason Zimdars 56aa3f2a5b Update test 2025-11-24 12:04:33 +01:00
Mike Dalessio b05ecb7809 Update card buttons dynamically
User flows when editing a card look like:
- Click "Edit" → the closure buttons are replaced by "Save changes"
- Submit card form → Saves and restores closure buttons
- Press ESC while editing → Cancels and restores closure buttons

Also, renamed for clarity:
- _title.html.erb → _content.html.erb

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-22 12:14:39 -05:00
Mike Dalessio 4dc28943da Don't let cloudflare cache avatars
The issue here is that anyone else who views my avatar will cause it
to be cached, and then I can't easily bust the cache if I change my
avatar.
2025-11-22 09:48:28 -05:00
Jason Zimdars 0482d3b5ba Update test 2025-11-21 17:08:04 -06:00
Mike Dalessio ec8974640f User avatar responses have cache-control "public"
ref: https://app.fizzy.do/5986089/cards/3125
2025-11-21 16:08:52 -06:00