Commit Graph

8631 Commits

Author SHA1 Message Date
creslinux 40b1bb769c Add CSP_CONNECT_SRC to S3 configuration docs 2025-12-20 00:15:30 -08:00
creslinux 394a5a0081 Clarify triage endpoint works for moving cards between columns 2025-12-20 00:07:55 -08:00
Rosa Gutierrez 641e67dc2e Remove status from allowed parameters in CardsController#update
We don't allow changing the status via this action, and it's confusing
and can lead to cases where someone can set someone's else card as
draft, effectively hiding it.
2025-12-19 22:35:30 +01:00
Jeremy Daer bd6c1cf34f Storage: harden reconcile for concurrent writes and fix board transfer (#2096)
* Storage: harden reconcile for concurrent writes and fix board transfer

Reconcile now uses two-cursor approach: captures cursor before and after
the storage scan, aborting if they differ (entries added during scan).
Job retries 3x with 1-minute waits and limits concurrency to 1 per owner.

Board transfer now correctly moves storage for card description embeds
and comment embeds, not just direct attachments. Uses batched queries
to handle cards with thousands of comments efficiently.

Also fixes N+1 queries in attachment grouping via lookup maps.

* Storage: fix per-attachment reconcile and enforce no blob reuse

The storage ledger tracks per-attachment (not per-blob) as a business
abstraction for quotas. This fixes reconcile to match that model and
adds enforcement to prevent blob reuse in tracked contexts.

* Reconcile now uses joins(:blob).sum() for per-attachment counting
* New validation prevents reusing blobs across tracked attachments
* Race-safe storage_total creation with create_or_find_by
* Job efficiency: skip find_by when object already available
* Backfill script checks per-attachment, not just per-blob
2025-12-19 13:07:32 -08:00
Stanko Krtalić 3a41ac3e23 Merge pull request #1941 from basecamp/mobile/native-log-in
Mobile: Native log in
2025-12-19 19:26:58 +01:00
Stanko K.R. 0cb4822ae0 Document the new sign in method 2025-12-19 19:21:58 +01:00
Stanko K.R. ca388c2b84 Replace handle_ naming 2025-12-19 19:21:58 +01:00
Stanko K.R. df1dfde2b3 Use same constant for fake magic links 2025-12-19 19:21:58 +01:00
Stanko K.R. 3af8bdbe37 Replace FakeMagicLink with a temporary object 2025-12-19 19:21:58 +01:00
Stanko K.R. 52d57c4681 Tidy up session_token 2025-12-19 19:21:57 +01:00
Stanko K.R. e0270c6c49 Clean up interfaces
I talked to the mobile team, and to keep things simple we agreed to send
the token via a cookie.
2025-12-19 19:21:57 +01:00
Stanko K.R. 23fc7b594f Split tests by controller or responsibility 2025-12-19 19:21:57 +01:00
Stanko K.R. 1a1f4a077b Simplify auth logic 2025-12-19 19:21:57 +01:00
Fernando Olivares cddddcf83a Fix due to unit test when creating with invalid emails 2025-12-19 19:21:57 +01:00
Fernando Olivares fb487f598c Restore sessions_controller test on creating invalid email address 2025-12-19 19:21:57 +01:00
Fernando Olivares be447f90ba Move magic link api tests to their own files 2025-12-19 19:21:57 +01:00
Fernando Olivares 6be20e215b Rename test to clarify what they're about 2025-12-19 19:21:57 +01:00
Fernando Olivares b3c8d02709 Cleanup session creation 2025-12-19 19:21:57 +01:00
Fernando Olivares 6e8d6a3df0 Update to always return a pending auth token for JSON responses. 2025-12-19 19:21:57 +01:00
Fernando Olivares fbf829b346 Update API test for cross code 2025-12-19 19:21:57 +01:00
Fernando Olivares 9009e0fb49 Change test expectation on single tenant mode account creation 2025-12-19 19:21:57 +01:00
Fernando Olivares a2333623b6 Add unit tests for the new endpoints 2025-12-19 19:21:57 +01:00
Fernando Olivares 877f82c0cc Pass a server token when creating a magic link via API 2025-12-19 19:21:57 +01:00
Fernando Olivares a75a939289 Simplify code a bit 2025-12-19 19:21:57 +01:00
Fernando Olivares 360e14352f Simplify session create logic for both html and json 2025-12-19 19:21:57 +01:00
Stanko K.R. e5bdb3b071 Add back missing development magic link prompt 2025-12-19 19:21:57 +01:00
Stanko K.R. c0a0786539 Return the session cookie
We had a call about this. In short, we could reuse access tokens but then the user would see access tokens for every mobile device they have without any indication as to what is going on. So, since this really is just logging in instead of an integration which seems to be the primary purpose of access tokens, we can just use our regular session cookie for authentication.
2025-12-19 19:21:57 +01:00
Stanko K.R. 58a92f0bb7 Add tests for sign in via API 2025-12-19 19:21:57 +01:00
Stanko K.R. 54ceb4df7c Remove email address and users from magic link response
The identity endpoint can be used to fetch that information
2025-12-19 19:21:57 +01:00
Stanko K.R. b92982b244 Cleanup & simplify sign in 2025-12-19 19:21:57 +01:00
Fernando Olivares 093240c6f7 Return email and users too 2025-12-19 19:21:57 +01:00
Fernando Olivares ab0f7a3ea5 Dev: Set magic link as header when JSON request in development 2025-12-19 19:21:57 +01:00
Fernando Olivares 7644bb7411 Allow JSON requests submitting a magic link code 2025-12-19 19:21:57 +01:00
Fernando Olivares c8eb592746 Allow JSON requests to send a magic link 2025-12-19 19:21:57 +01:00
Stanko Krtalić f2a41d6552 Merge pull request #2210 from basecamp/bump-aws-sdk-s3
Update aws-sdk-s3
2025-12-19 19:21:22 +01:00
Stanko K.R. 090582cd98 Update SAAS AWS dependencies 2025-12-19 19:16:39 +01:00
Stanko K.R. 6be2f94581 Update aws-sdk-s3
Fixes a security warning raised by gem audit
2025-12-19 19:09:40 +01:00
Mike Dalessio fa21bc9b61 Merge pull request #2169 from basecamp/flavorjones/better-hex-uuid
Extract `hex_to_base36` and `base36_to_hex` methods in `Uuid` type
2025-12-19 10:06:36 -05:00
Kevin McConnell 50691ae385 Merge pull request #2205 from basecamp/base-url-env
Add `BASE_URL` environment variable
2025-12-19 14:58:08 +00:00
Mike Dalessio 711f69d3cc Merge pull request #2209 from basecamp/flavorjones/require-libvips
Raise a clear exception if libvips is not installed
2025-12-19 09:31:30 -05:00
Mike Dalessio b04dee31d0 Raise a clear exception if libvips is not installed 2025-12-19 09:22:55 -05:00
Jorge Manrubia 766cde4775 Tidy up test 2025-12-19 15:15:00 +01:00
Mike Dalessio c52a1593d0 Merge pull request #2208 from basecamp/flavorjones/fix-prod-logging
Move the :fatal log setting into the SaaS config
2025-12-19 09:12:14 -05:00
Mike Dalessio 28250b340c Move the :fatal log setting into the SaaS config
This should only be set if the app is using the
rails-structured-logging gem, which means it should only be set in the
SAAS config. I think this is just something we missed in one of the
decoupling exercises we did.
2025-12-19 09:09:40 -05:00
Kevin McConnell 407f2a3a6a Add BASE_URL environment variable
When running a Docker deployment, we need a way to set the app's base
URL. Otherwise links in emails, or generated in jobs etc., can not be
correctly constructed.
2025-12-19 12:21:37 +00:00
Jorge Manrubia f9409c15a0 Merge pull request #2202 from gchp/doc-fix
Fix fizzy-saas link to point to the vendored gem instead of the archived repo
2025-12-19 12:17:40 +01:00
Jorge Manrubia eb1d112013 Merge pull request #2203 from basecamp/remove-unused-param
Remove unused `tag_ids` parameter from `CardsController#update`
2025-12-19 12:16:32 +01:00
Jorge Manrubia b5ca348eb9 Merge pull request #2195 from Heliem/patch-1
Update API documentation for card retrieval
2025-12-19 12:15:25 +01:00
Jorge Manrubia cb6eb0542c Merge pull request #2193 from fmerinocasallo/docs-s3-wording
Clarify S3 storage wording in Docker deployment guide
2025-12-19 12:06:16 +01:00
Jorge Manrubia fcc426a97b Merge pull request #2192 from italomatos/optimize-card-count-queries
Optimize card count queries to avoid duplicates
2025-12-19 12:05:35 +01:00