Commit Graph

720 Commits

Author SHA1 Message Date
Denis Švara b84da94016 Add Hotwire Native Bridge wiring. 2026-01-06 15:46:47 +01:00
Jay Ohms ea43d81850 Support mobile app local development access from devices over nip.io 2026-01-05 09:31:27 -05:00
Mike Dalessio 96dfcb9d4c Add a "*" to the queues handled by the solid queue worker pool
Specifically this is to make sure all queues are managed, like the one
we use for incineration in the fizzy-saas engine.
2026-01-04 14:09:42 -05:00
Mike Dalessio 27093e4e78 Remove unnecessary recurring execution cleanup task
This task is unnecessary because the
`solid_queue_recurring_executions` table has a foreign key to
`solid_queue_jobs` with `on_delete: :cascade`.

This config was cargo-culted from HEY (in 44429644), which *does* need
this task to run because we've omitted the FK constraints there.
2026-01-04 11:12:01 -05:00
Rosa Gutierrez 196d685f8d Implement authorization for Active Storage endpoints
Consider blobs attached to any public records accessible to anyone with
the URL.
2025-12-25 21:22:36 +01:00
Rosa Gutierrez 329e9ef7cb Don't run application recurring jobs in betas
Betas use the same application DB as production, so all these tasks
already take place there. Moreover, since betas have different Solid
Queue instances, we can't prevent simultaneous runs of the same
recurring jobs because each Solid Queue instance is isolated from the
others, so they don't know these jobs are running already, leading to
all sort of issues.
2025-12-23 22:12:08 +01:00
Rosa Gutierrez 3fcf5a9d08 Require authorization for direct uploads
Respond with 403 to JSON requests that are unauthorized, instead of
redirecting.
2025-12-23 11:08:51 +01:00
Jeremy Daer bd6c1cf34f Storage: harden reconcile for concurrent writes and fix board transfer (#2096)
* Storage: harden reconcile for concurrent writes and fix board transfer

Reconcile now uses two-cursor approach: captures cursor before and after
the storage scan, aborting if they differ (entries added during scan).
Job retries 3x with 1-minute waits and limits concurrency to 1 per owner.

Board transfer now correctly moves storage for card description embeds
and comment embeds, not just direct attachments. Uses batched queries
to handle cards with thousands of comments efficiently.

Also fixes N+1 queries in attachment grouping via lookup maps.

* Storage: fix per-attachment reconcile and enforce no blob reuse

The storage ledger tracks per-attachment (not per-blob) as a business
abstraction for quotas. This fixes reconcile to match that model and
adds enforcement to prevent blob reuse in tracked contexts.

* Reconcile now uses joins(:blob).sum() for per-attachment counting
* New validation prevents reusing blobs across tracked attachments
* Race-safe storage_total creation with create_or_find_by
* Job efficiency: skip find_by when object already available
* Backfill script checks per-attachment, not just per-blob
2025-12-19 13:07:32 -08:00
Kevin McConnell 50691ae385 Merge pull request #2205 from basecamp/base-url-env
Add `BASE_URL` environment variable
2025-12-19 14:58:08 +00:00
Mike Dalessio b04dee31d0 Raise a clear exception if libvips is not installed 2025-12-19 09:22:55 -05:00
Mike Dalessio 28250b340c Move the :fatal log setting into the SaaS config
This should only be set if the app is using the
rails-structured-logging gem, which means it should only be set in the
SAAS config. I think this is just something we missed in one of the
decoupling exercises we did.
2025-12-19 09:09:40 -05:00
Kevin McConnell 407f2a3a6a Add BASE_URL environment variable
When running a Docker deployment, we need a way to set the app's base
URL. Otherwise links in emails, or generated in jobs etc., can not be
correctly constructed.
2025-12-19 12:21:37 +00:00
Thiago Youssef bd0a749f22 Bump rails requestjs version 2025-12-17 20:18:38 -03:00
Jeremy Daer c691d39ecf Integrate fizzy-saas as vendored gem at saas/
- Update Gemfile.saas to use path: "saas" instead of GitHub source
- Update config/database.yml to reference local saas/ directory
- Update bin/setup to source saas/bin/setup directly
- Remove redundant dotfiles (ruby-version, gitignore, rubocop, github workflows)
- Add saas/db exclusions to root rubocop config
2025-12-16 12:25:22 -08:00
Jeremy Daer 97ffe00672 My life for a trailing comma 2025-12-16 09:54:04 -08:00
Jeremy Daer a68bd2775d Fix Tailscale host match. Rails wraps the regexp in its own anchors and port-match. 2025-12-16 09:35:26 -08:00
Jorge Manrubia ee80b87c8c Add billing system with Stripe
🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Jason Zimdars <jz@37signals.com>
2025-12-16 16:44:20 +01:00
Kevin McConnell 741eff7bdc Revert "Merge pull request #1865 from basecamp/public-avatar-caching"
This reverts commit c628f14c01, reversing
changes made to 4bafc73236.
2025-12-15 13:07:13 +00:00
Kevin McConnell c628f14c01 Merge pull request #1865 from basecamp/public-avatar-caching
Serve own avatar from its own endpoint
2025-12-15 12:20:28 +00:00
Mike Dalessio e9cb2956ee Lightbox uses Stimulus target callbacks instead of data-action
Remove data-action from the sanitizer allowlist to disallow injection
of potentially malicious Stimulus actions in user-provided
content. The lightbox controller now uses imageTarget callbacks to
handle clicks on image links.

Also add the file name as a caption in the light box, and fix the
caption color for dark mode visibility.
2025-12-13 17:06:03 -05:00
nu-wa 472dbeee8c SMTP: support SMTPS on port 465 (#2132)
* Add more configuration options for the SMTP connection

* Add SMTP_TLS option for implicit TLS connections

For SMTPS servers (typically port 465), set SMTP_TLS=true.
Port auto-defaults to 465 when TLS is enabled, 587 otherwise.
STARTTLS is used by default and automatically disabled when TLS is on.

Fixes boolean conversion bug in original PR (string "false" is truthy)
and removes insecure default for certificate verification.

---------

Co-authored-by: Jeremy Daer <jeremy@37signals.com>
2025-12-13 10:57:08 -08:00
Mike Dalessio db4c8c1138 Introduce Vips configuration 2025-12-13 12:41:37 -05:00
Jeremy Daer 82626f020d Tailscale serve support (#2126)
Ensure we can serve the app from multiple hosts without breaking links.
* Switch unnecessary full URLs to paths
* Drop default host/port URL options for controllers

Shell 1
```bash
bin/dev
```

Shell 2
```bash
tailscale serve http://fizzy.localhost:3006
```
2025-12-13 09:29:50 -08:00
Mike Dalessio 7d6cf62665 CSP config to allow Minio in development 2025-12-12 17:00:17 -05:00
Kevin McConnell 4218f2e161 Document Docker image deployment
Also split the README a bit, to move the details under /docs.
2025-12-12 17:26:50 +00:00
Kevin McConnell 0c2d3cccb1 Merge pull request #2084 from basecamp/disable-ssl-env
Add `DSIABLE_SSL` env option
2025-12-12 09:40:21 +00:00
Kevin McConnell eec96ff384 Serve own avatar from its own endpoint
This allows us to have different cache controls depending on whether
you're viewing your own avatar, or someone else's. Your own avatar will
always be fresh, while other folks' avatars can be pulled from the CDN.
2025-12-12 09:03:35 +00:00
Jeremy Daer 586015c3f9 Bundle drift detection and correction (#2101)
Gemfile.saas evals Gemfile, so shared gems should have identical versions
in both lockfiles. This adds bin/bundle-drift to detect and fix drift:

* `bin/bundle-drift check` compares shared gem versions
* `bin/bundle-drift correct` seeds Gemfile.lock from Gemfile.saas.lock
  and re-locks, letting Bundler prune SaaS-only gems while preserving
  shared versions

Adds drift check to bin/ci and GitHub CI. Corrects existing drift.
2025-12-11 21:32:34 -08:00
Javier Valencia 8f68e13707 Fix indentation in multi_db.rb initializer (#2082) 2025-12-11 20:37:28 -08:00
Kevin McConnell 154a3d79ee Add DSIABLE_SSL env option
`assume_ssl` and `force_ssl` are often used together:

- When running behind a terminating proxy (including Thruster) you'll
  want both.
- When running without SSL (like on localhost) you'll want neither.

To simplify setup for those cases, we add the `DISABLE_SSL` option. When
set to `true` all SSL-related behaviour is turned off. When left as the
default, it's on.

We can still use `ASSUME_SSL` and `FORCE_SSL` to set those separately
if required.
2025-12-11 16:11:18 +00:00
Thiago Youssef 36419c3600 Bump rails version to remove svg renderer patch (#2081) 2025-12-11 15:15:54 +01:00
Kevin McConnell 193a28f6c8 Merge pull request #2035 from harisadam/single_tenant
Add env-configurable option to disable public signups
2025-12-11 13:08:19 +00:00
Kevin McConnell 06bfe2c982 Scope the config option
Also use a `configure` block to set it up.
2025-12-11 11:28:32 +00:00
Kevin McConnell 0e443d3602 Use initializer to configure tenant mode 2025-12-11 11:20:43 +00:00
Stanko K.R. 5ee10800a2 Allow direct uploads via API 2025-12-11 11:52:38 +01:00
Adam Haris f76309d116 Merge branch 'main' into single_tenant 2025-12-11 06:08:01 +01:00
Jeremy Daer 22da6dc19d CSP: full config with env vars per source (#2069)
* Configure all sources with CSP_* vars. Space separated source list.
* Fall back to `config.x.content_security_policy.*`
* Move our sources to fizzy-saas

References https://github.com/basecamp/fizzy-saas/pull/24
2025-12-10 17:21:09 -08:00
Jeremy Daer 761d0b4a76 Speedy, auditable, deadlock-resistant storage tracking (#2026)
An append-only storage ledger replaces deadlock-prone synchronous
counter updates and drift-prone async updates.

All content storage (card images, card/comment/board description embeds)
is tracked. Account exports (which expire) and avatars are not tracked.

Storage is accounted for by Account and Board. Both consume the same
event stream independently: no bubble-up storage bumps triggering
deadlocks due to lock sequencing. Each calculates its own total from
the underlying ledger with independent cursors and materialization.

* Storage::Entry: Append-only ledger recording attach/detach/transfer
  events with delta bytes. Single event stream indexed for both
  Account and Board cursor queries.

* Storage::Total: Polymorphic snapshot cache with cursor (last_entry_id)
  tracking which entries have been materialized.

* Storage::Totaled concern: Provides bytes_used (fast snapshot) and
  bytes_used_exact (snapshot + pending) query modes, plus
  materialize_storage! to roll up pending entries.

* Storage::Tracked concern: For models owning attachments (Card,
  Comment, Board). Provides board_for_storage_tracking for models
  where board is determined differently (Board returns self).
  Handles board transfers by recording transfer_out/transfer_in entries.

* Storage::AttachmentTracking: Hooks ActiveStorage::Attachment lifecycle
  to record attach/detach entries. Handles ActionText::RichText embeds
  by traversing to the actual model. Snapshots context in before_destroy
  to handle cascading deletes where parent record may be gone by
  after_destroy_commit.

* MaterializeJob: Rolls up pending entries into snapshot. Concurrency
  limited per owner to prevent duplicate work.

* ReconcileJob: On-demand reconciliation against actual attachment
  storage for support/debugging. Compares ledger total to real bytes
  from card images, card embeds, comment embeds, and board embeds.

Usage:
* account.bytes_used / board.bytes_used: fast, slightly stale bytesize
* account.bytes_used_exact / board.bytes_used_exact: real-time bytesize
* Storage::Entry: audit trail for debugging and point-in-time queries
2025-12-10 16:04:30 -08:00
Hosmel Quintana df9a4b255c make MySQL SSL mode configurable via env var (#2036) 2025-12-10 13:22:38 -08:00
Kevin McConnell 858439a5de Merge pull request #2051 from basecamp/run-jobs-by-default
In non-SaaS, run jobs in container by default
2025-12-10 16:59:24 +00:00
Stanko Krtalić 754aaa5a76 Merge pull request #1766 from basecamp/basic-api
Add basic API
2025-12-10 15:43:58 +01:00
Kevin McConnell 2a3fda02f4 Merge pull request #1939 from hosmelq/active-storage-env-config
Make Active Storage service configurable
2025-12-10 14:36:47 +00:00
Adam Haris eb8655dc8e refactor: use MULTI_TENANT env variable, model concern instead of controller (#accepting_signups?) 2025-12-10 15:14:22 +01:00
Stanko K.R. 5ce71bf941 Move Identities to My::Identities 2025-12-10 15:13:35 +01:00
Kevin McConnell a5396bbb1a Don't overwrite storage service from engine 2025-12-10 14:08:08 +00:00
Kevin McConnell 6f002b66d8 In non-SaaS, run jobs in container by default 2025-12-10 12:32:35 +00:00
Jay Ohms 26fc9ecad4 Add an /identity.json endpoint to obtain the identity accounts and users 2025-12-10 09:23:52 +01:00
Jay Ohms 680f9c0c4d Add top-level API index support for tags 2025-12-10 09:23:52 +01:00
David Heinemeier Hansson 88902485e1 Access tokens are strictly personal 2025-12-10 09:23:52 +01:00
Jason Zimdars 073d1af862 List, create, and revoke access tokens 2025-12-10 09:23:52 +01:00