Commit Graph

1444 Commits

Author SHA1 Message Date
Rob Zolkos 1975a04f14 Add JSON API support for email address changes (#2807) 2026-04-08 09:09:36 -04:00
Rob Zolkos d08aa11bfb Add JSON API support for timezone update (#2806)
* Add JSON API support for timezone update

* Simplify timezone controller to just head :no_content

* Use PUT instead of PATCH in timezone tests to match docs

* Use PATCH instead of PUT for timezone endpoint

Reverts tests to use patch and updates docs heading to PATCH
for consistency.
2026-04-08 08:41:34 -04:00
Rob Zolkos 6a71856b3d Add JSON activities API endpoint (#2783)
* Add JSON events API endpoint

* Add regression test for event particulars defaults

* Move JSON events API to a dedicated ActivitiesController

The events endpoint served both the HTML day timeline and the JSON API
feed, but the two paths shared no data or behavior — the HTML side uses
DayTimelinesScoped while the JSON side built its own query. Splitting
into ActivitiesController gives the API its own home at
GET /:account/activities.json without dragging in the timeline
before_actions.

Also preloads comment creator in Event.preloaded to avoid an N+1 when
rendering comment eventables in the JSON feed.
2026-04-08 08:39:36 -04:00
Rob Zolkos 2a4adf3a2b Add board settings fields to board JSON responses (#2788)
* Add board settings fields to board JSON responses

* Move public_description fields to board partial, gate on published

* Add index test for public_description fields on published boards

* Update app/views/boards/show.json.jbuilder

Prefer `unless` to `if !`

---------

Co-authored-by: Mike Dalessio <mike.dalessio@gmail.com>
2026-04-08 08:31:52 -04:00
Rob Zolkos 8201c2a4bd Add JSON API support for user data exports (#2786) 2026-04-08 08:17:24 -04:00
Rob Zolkos 21981898d2 Add JSON API for webhook deliveries (#2785)
* Add JSON API for webhook deliveries

* Extract sanitized_request method on Webhook::Delivery

* Extract response_summary method on Webhook::Delivery
2026-04-07 15:08:27 -04:00
Donal McBreen e51f0bfee7 Fix account destroy cascade gaps
Account incineration could leave orphaned records due to missing cascade
declarations and async jobs failing when the account was already gone.

Cascade fixes:
- Add Account::Searchable concern to clean up Search::Query (delete_all)
  and Search::Record (destroy_all, respects SQLite FTS dependent: :destroy)
- Add before_destroy in Account::Storage to delete storage entries
- Suppress storage entry recording during incineration so attachment
  purge callbacks don't create entries or enqueue materialize jobs
- Guard Access#clean_inaccessible_data_later with unless user.destroyed?
  to avoid enqueuing pointless jobs during user cascade

Job tenancy:
- Extract AccountTenanted concern from the global ActiveJob initializer
  into ApplicationJob (include) with targeted prepends for
  ActionMailer::MailDeliveryJob and Turbo broadcast jobs
- Defer account resolution from deserialize to perform so that missing
  accounts raise DeserializationError inside the execution path where
  discard_on can handle it

Tests:
- Comprehensive incineration test covering 35 model types with
  before/after assertions and full enqueued job processing
- Mailer deliver_later test verifying account context survives job
  serialization for multi-account users
- Turbo broadcast test verifying account-scoped URLs in rendered partials
2026-04-06 10:04:24 +01:00
Donal McBreen b79c7897e6 Fix export/import losing custom column colors
record.to_json serializes through model accessors. Column::Colored
overrides the color accessor to return a Color struct, which serializes
as {"name":"Blue","value":"var(--color-card-default)"} instead of the
raw CSS string.

Two fixes:
- Export raw DB values via record.attributes.slice(*attributes).to_json
- Color.for_value parses legacy JSON format so columns imported from
  old exports self-heal when read
2026-04-03 10:05:11 +01:00
Donal McBreen b4c4a32205 Return 401 for bearer tokens on non-JSON requests
Rather than silently ignoring bearer tokens on HTML requests
(which breaks the audit console's error handling), explicitly
reject them with 401. Bearer tokens on JSON requests continue
to authenticate normally.
2026-04-01 09:09:00 +01:00
Donal McBreen 13e2c74929 Restrict bearer token authentication to JSON requests
Bearer tokens are for API/SDK/CLI access — they should only
authenticate JSON requests.
2026-04-01 08:55:04 +01:00
Mike Dalessio 7446eed4e1 Add representation proxy public Cache-Control test 2026-03-26 15:38:27 -04:00
Mike Dalessio e12f3e3917 Add representation proxy Cache-Control test 2026-03-26 15:34:54 -04:00
Mike Dalessio 14e6832507 Add regression test for public blob Cache-Control 2026-03-26 15:22:21 -04:00
Mike Dalessio 628571fc79 Don't set public Cache-Control on proxied non-public blobs
Rails' ActiveStorage proxy controllers hardcode `http_cache_forever public: true`,
which sets `Cache-Control: public, immutable`. For non-public blobs behind auth,
this allows CDN caching that serves responses without authorization checks.

Override `http_cache_forever` in the Authorize concern to downgrade `public` to
`false` for non-public blobs.

See https://github.com/basecamp/fizzy/pull/2251 for context
2026-03-26 14:58:40 -04:00
Stanko K.R. 54cb1a140f Add a purpose to challanges 2026-03-25 17:57:37 +01:00
Stanko K.R. 01d66a9463 Change challange expiration based on purpose 2026-03-25 17:31:42 +01:00
Stanko K.R. 5d0f52b57c Update as_json to return string keys 2026-03-25 17:26:50 +01:00
Stanko K.R. 693415bc71 Rename request options to authentication options 2026-03-25 17:26:49 +01:00
Stanko K.R. 1983014be6 Rely solely on the challange signature for verification
The cookie approach seems like the more secure aproach because it ties the authentication or registration attempt to the user's browser session, but it doesn't work reliably on Chrome for Windows. Also, a simila problem pops up on Chrome for Linux if the session is used instead of a separate cookie. It looks like the browser doesn't propagate the state change through fast enough which results in some requests contaiining the new/updated cookie, and others don't, which results in sporadic failures. Since we use a signed and expiring challange we still get protection from replay attacks and tampering which enables us to omit the cookie entierly and rely on the challange's signature to prove expiration and authenticity. The only thing we lose is the ability to tie and attemp to a single browser session.

See: https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-challengeURL which proposes to add the same challange fetching logic as part of the standard

See: https://github.com/w3c/webauthn/issues/1856 which discusses issues that arise from having expiring challanges (which the spec recommends)

See: https://github.com/OneUptime/oneuptime/security/advisories/GHSA-gjjc-pcwp-c74m which is an explot that can happen if the server isn't able to verify the authenticity of challanges that are sent outside of a cookie
2026-03-25 17:26:49 +01:00
Stanko K.R. 49fbb82676 Permit variant records in imports 2026-03-23 12:30:40 +01:00
Zacharias Knudsen 6808250c8f Merge pull request #2745 from basecamp/excert-truncation
Pre-truncate excerpt before running replacement regexes
2026-03-23 10:24:58 +01:00
Zacharias Dyna Knudsen 6c771584d7 Pre-truncate excerpt before running replacement regexes
Also fixes <ol> normalization which was previously a noop.
2026-03-23 10:21:35 +01:00
Mike Dalessio 87c659cd67 Skip auto-linking in very large text nodes
A large comment body was causing Regexp::TimeoutError in production.
The URI regexp isn't catastrophically backtracking — it's linear — but
with a long enough string it exceeds the 1s Regexp.timeout set by
Rails.

Skip scanning text nodes over 10KB, which is well beyond any
reasonable content for auto-linking and still keeps us many orders of
magnitued under the timeout on an unloaded machine.

Fixes FIZZY-Q4

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-20 16:18:19 -04:00
Zacharias Dyna Knudsen 7399ec5bd9 Rescue regexp timeout 2026-03-20 11:55:00 +01:00
Mike Dalessio 11df9c3589 Fix back navigation from activity page to cards (#2727)
Three changes needed to support navigating back from a card to the
activity page:

- Add root_path to the prefer_referrer allowlist on the card show page
- Switch event links from HTML target="_top" to data-turbo-frame="_top"
  so Turbo handles the navigation and turbo:before-visit fires to save
  the referrer
- Normalize trailing slashes in the referrer path comparison so
  /account_id and /account_id/ both match

ref: https://app.fizzy.do/5986089/cards/2390
2026-03-18 22:03:36 -04:00
Mike Dalessio 248fc5d3e7 Fix back navigation from filter views to cards (#2725)
* test: update sign_in_as system test helper to be more generic

and support fixture users with more than one board

* test: backfill a test for the card "back link"

when coming from a board filter page

* Fix back navigation to filter views from cards

When navigating from a filter view to a card, the back link now shows
the filter's label and navigates back to the filter URL instead of the
card's board.

The turbo-navigation Stimulus controller stores the page title alongside
the referrer URL in sessionStorage. On the card show page, a
referrerBackLink target rewrites the back link's href and label from the
stored values. This is scoped only to the card show page to avoid
navigation loops in multi-level deep pages.

* Add referrer allowlist to prevent stale referrer rewrites

The back link is only rewritten when the stored referrer's path matches
an allowlist of paths passed via prefer_referrer. This prevents stale
referrers from unrelated pages (e.g., settings) from overriding the
card's back link.

* Move back link navigation tests to dedicated system test file

Extract back link tests from smoke_test.rb into their own file since
they test specific JavaScript behavior that needs regression coverage.
Move sign_in_as helper to ApplicationSystemTestCase for reuse.

* Move markdown paste tests to dedicated system test file
2026-03-18 17:03:13 -04:00
Daniel Pinto ad1b10368d Fix export size doubling from re-exporting prior export blobs (#2707)
* Exclude export/import blobs and attachments from account exports

Export and import file blobs were being assigned the account's
account_id (via the Current.account default), causing subsequent
exports to include previous export/import ZIP files in the data.
This roughly doubled the export size each time and made imports
fail with an IntegrityError on unrecognized "Account::Export"
record type.

Filter out blobs attached to Export/Import records in
BlobRecordSet, FileRecordSet, and a new AttachmentRecordSet.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Use STI base type for export blob exclusion filter

Rails polymorphic_name returns base_class.name for STI models,
so ActiveStorage stores record_type as "Export" rather than the
concrete subclass names. Filter on the base type accordingly.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix export filtering for mixed-use Active Storage blobs

Exclude only internal-only blobs for account export metadata/file sets, scope attachment subqueries by account, and add regression coverage for blobs shared between user records and export attachments.

* Simplify export blob filtering

Exports always create fresh blobs, so a blob can never be legitimately
shared between an Export/Import and a real account record. Replace the
internal_only/external split with a single excluded_blob_ids subquery
and drop the contrived shared-blob test.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-18 11:41:22 -04:00
Peter Baker e0d66b2fd0 Fix ambiguous column in SQLite FTS multi-term search (#2688)
* Fix multi-term SQLite FTS5 search causing a 500 error

When filtering cards by more than one term, `matching` was called
once per term via an association join. Rails did not deduplicate
association joins, resulting in two JOINs to `search_records_fts`
in a single query. SQLite FTS5 then raised "ambiguous column name"
when evaluating the MATCH condition.

Fix by using a string join instead, which Rails deduplicates so
only one JOIN to `search_records_fts` is generated regardless of
how many terms are searched.

Fixes: https://github.com/basecamp/fizzy/discussions/2354

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* test: verify multi-term search requires ALL terms to match

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Mike Dalessio <mike@37signals.com>
2026-03-18 11:38:06 -04:00
Stanko Krtalić 5701aad8d7 Merge pull request #2623 from basecamp/passkeys
Passkeys
2026-03-18 14:54:54 +01:00
Stanko K.R. 1cf1f598e1 Require resident keys by default 2026-03-18 12:14:17 +01:00
Stanko K.R. 017bcc9ce1 Polish up Passkey interface
- Fix indentation
- Split awkward initializer into separate methods
- Rename credentials to passkeys
- Simplify authenticator registry loading
- Flatten nested errors under ActionPack::WebAuthn
- Set passkey current params only requests that use it
- Inline anemic methods
- Replace custom validation with ActiveModel::Validation
- Rename identity to holder in Passkey
- Rename credentials to passkeys in JS
- Extract framework library out of controllers
- Pass params hashes down to ActionPack
- Attempt to simplify public interface
- Push data decoding down to the classes representing the data
- Introduce has_passkeys
- Add CBOR bigint support
- Rename ActionPack::WebAuthn::Passkey to ActionPack::Passkey
- Add create_passkey_button helper
- Rename public-key to creation-options
- Add sign_in_with_passkey_button helper
- Dispatch events for the whole Passkey lifecycle
- Add ED25519 support
- Prevent crash on missing meta tag
- Validate resident key options
- Don't clobber existing ActionPack config options
- Validate cryptographic params
- Move CurrentWebAuthnRequest into ActionPack::Passkey
- Use ActiveModel::Attributes for Options objects
- Implement expiring challanges
- Add lifecycle events
- Extract param helpers into Request
- Add passkey_creation_options and passkey_request_options helpers
- Add create_passkey_challenge to make it easier to override the create method if needed
- Prefix all view helpers with passkey_
- Auto-include ActionPack::Passkey::Holder
- Make the passkey challange url configurable
- Add a reminder about Passkeys to the magic link email
2026-03-18 11:51:10 +01:00
Stanko K.R. fbe9252db1 Auto-suggest name for new Passkeys
- Use plain client data json everywhere
- Expose AAGUID and backed_up on Credentials
- Make attestation verifiers configurable
- Auto-suggest names for passkeys and show icons
2026-03-18 11:49:59 +01:00
Stanko K.R. da69039476 Implement Passkey authentication 2026-03-18 11:49:23 +01:00
Stanko K.R. 6c58fd9bdd Implement Passkey registration
- Create Identity credentials
- Add management UI and registration flow
2026-03-18 11:48:52 +01:00
Stanko K.R. 4bb0a2929c Implement WebAuthn protocol
- Add a CBOR decoder
- Add public key credential options
- Add COSE key decoder
- Add authenticator attestation and assertion
- Add credentials
- Add exclude_credentials
2026-03-18 11:47:48 +01:00
Mike Dalessio 7f65f4aabd Fix card view "M" hotkey using stale user from fragment cache
The hidden "Assign to me" button on the card detail view baked
Current.user.id into the form action at render time. When served from
fragment cache, a stale user ID could be embedded, assigning cards to
the wrong person.

Switch to card_self_assignment_path which resolves the current user at
request time via SelfAssignmentsController, matching the fix already
applied to the board view in 2527f073.

ref: https://app.fizzy.do/5986089/cards/3722
2026-03-17 14:43:05 -04:00
Mike Dalessio c29e785fc1 Merge pull request #2708 from basecamp/dep-lexxy-082
Configure Lexxy to add extra spacing between block elements
2026-03-17 12:42:17 -04:00
Jay Ohms 4d2866dec6 Update additional tests to ensure that the body element contains the correct bridge attributes 2026-03-17 11:04:39 -04:00
Jay Ohms 8920946cb2 Update regex and add test coverage for empty/multiple lists 2026-03-17 10:45:37 -04:00
Mike Dalessio fc18ba8e07 Add system tests for markdown paste in Lexxy editor
Test that pasting markdown with block separators produces extra spacing
between blocks, and that single line breaks are preserved.
2026-03-17 10:31:53 -04:00
Jay Ohms 139f4cb869 Add test coverage for native bridge user agents 2026-03-17 10:12:56 -04:00
Mike Dalessio 1e40457418 Merge pull request #2686 from basecamp/flavorjones/fix-path-traversal
Fix path traversal in ActiveStorage blob key import
2026-03-10 15:40:48 -04:00
Stanko K.R. b4fd22644c Set the list of importable models based on the record sets in the manifest 2026-03-10 15:33:24 -04:00
Mike Dalessio 8fb57ace01 Validate polymorphic types against importable models allowlist
Add IMPORTABLE_MODEL_NAMES to RecordSet and verify polymorphic type
columns during import check against this allowlist before calling
constantize. This prevents arbitrary class instantiation from
untrusted import ZIP data.
2026-03-10 15:33:24 -04:00
Rosa Gutierrez 66039c92f3 Use x_user_agent cookie for platform detection in Hotwire Native
Turbo's offline/service worker sets an x_user_agent cookie with the
original browser user agent. This ensures platform detection works
correctly for Hotwire Native apps where service worker requests may
not carry the overridden user agent header.
2026-03-10 15:34:05 +00:00
Rob Zolkos 8c2318e267 Add JSON response format to entropy endpoints (#2673)
* Add JSON response format to entropy endpoints

Add account settings JSON endpoint returning account info including auto_postpone_period. Add auto_postpone_period to board JSON responses. Add JSON update support to both account and board entropy controllers.

* Add auto_postpone_period to all board response examples in API docs

* Use auto_postpone_period_in_days in JSON responses and API docs

* Use valid period values in permission tests
2026-03-10 11:31:00 -04:00
Mike Dalessio 71b99c1e18 Fix path traversal vulnerability in ActiveStorage blob key import
BlobRecordSet#import_batch preserved blob keys from exported ZIP files
verbatim. A crafted ZIP with a traversal key like "../../config/deploy.yml"
would create a blob whose key resolves to an arbitrary filesystem path
when served by ActiveStorage's DiskService, allowing an attacker to read
local files.

Fix: generate fresh blob keys on import, discarding whatever key was in
the ZIP. This is safe because nothing else in the import pipeline
references blobs by key — attachments use blob_id, ActionText uses GIDs
based on record IDs, and only FileRecordSet used the old key for file
data lookup.

Update FileRecordSet to build an old_key→blob_id mapping from the blob
JSON metadata in the ZIP, then look up blobs by ID instead of by key.
Both check_record and import_batch are now fail-closed: they raise
IntegrityError for unmapped storage files, missing blobs, and duplicate
keys in the export.

Backfill test coverage for BlobRecordSet and FileRecordSet import, and
add a round-trip test verifying blob data survives export/import with
regenerated keys.
2026-03-10 11:03:53 -04:00
Jeremy Daer d33aa8b757 Wrap params coverage nits (#2681)
* Add missing assert_response to signup API test

* Add JSON response format to joins#create
2026-03-09 21:53:43 -07:00
Jeremy Daer a52b6f1c87 Add explicit wrap_parameters to all controllers (#2680)
* Add explicit wrap_parameters to controllers for flat JSON API support

Virtual attributes (has_rich_text, has_one_attached, delegated setters,
ActiveModel attrs) are not in Model.attribute_names, so wrap_parameters
auto-detection silently drops them from flat JSON requests. Add explicit
include: lists matching each controller's permitted params.

* Convert short-form wrap_parameters to explicit include: lists

Defense-in-depth: these controllers only have real-column params today,
so auto-detection works, but explicit lists prevent future regressions
if virtual attributes are added.

* Add flat JSON param tests for all wrap_parameters controllers

17 new tests covering every controller with wrap_parameters, verifying
that flat (unwrapped) JSON payloads are correctly wrapped and processed.
Focuses on virtual attributes that would be silently dropped without
explicit include: lists.
2026-03-09 21:47:05 -07:00
Jeremy Daer 71a1ee7031 Wrap comment params for flat JSON payloads (#2679)
* Wrap comment params for flat JSON payloads

The SDK sends flat JSON ({"body": "..."}) but Rails wrap_parameters
auto-detection misses :body since it's a virtual ActionText attribute,
not in Comment.attribute_names. Explicitly declare wrap_parameters so
params.expect(comment: [...]) works with both wrapped and flat payloads.

* Test comment create and update with flat JSON params
2026-03-09 17:02:08 -07:00