Three changes needed to support navigating back from a card to the
activity page:
- Add root_path to the prefer_referrer allowlist on the card show page
- Switch event links from HTML target="_top" to data-turbo-frame="_top"
so Turbo handles the navigation and turbo:before-visit fires to save
the referrer
- Normalize trailing slashes in the referrer path comparison so
/account_id and /account_id/ both match
ref: https://app.fizzy.do/5986089/cards/2390
* test: update sign_in_as system test helper to be more generic
and support fixture users with more than one board
* test: backfill a test for the card "back link"
when coming from a board filter page
* Fix back navigation to filter views from cards
When navigating from a filter view to a card, the back link now shows
the filter's label and navigates back to the filter URL instead of the
card's board.
The turbo-navigation Stimulus controller stores the page title alongside
the referrer URL in sessionStorage. On the card show page, a
referrerBackLink target rewrites the back link's href and label from the
stored values. This is scoped only to the card show page to avoid
navigation loops in multi-level deep pages.
* Add referrer allowlist to prevent stale referrer rewrites
The back link is only rewritten when the stored referrer's path matches
an allowlist of paths passed via prefer_referrer. This prevents stale
referrers from unrelated pages (e.g., settings) from overriding the
card's back link.
* Move back link navigation tests to dedicated system test file
Extract back link tests from smoke_test.rb into their own file since
they test specific JavaScript behavior that needs regression coverage.
Move sign_in_as helper to ApplicationSystemTestCase for reuse.
* Move markdown paste tests to dedicated system test file
- Fix indentation
- Split awkward initializer into separate methods
- Rename credentials to passkeys
- Simplify authenticator registry loading
- Flatten nested errors under ActionPack::WebAuthn
- Set passkey current params only requests that use it
- Inline anemic methods
- Replace custom validation with ActiveModel::Validation
- Rename identity to holder in Passkey
- Rename credentials to passkeys in JS
- Extract framework library out of controllers
- Pass params hashes down to ActionPack
- Attempt to simplify public interface
- Push data decoding down to the classes representing the data
- Introduce has_passkeys
- Add CBOR bigint support
- Rename ActionPack::WebAuthn::Passkey to ActionPack::Passkey
- Add create_passkey_button helper
- Rename public-key to creation-options
- Add sign_in_with_passkey_button helper
- Dispatch events for the whole Passkey lifecycle
- Add ED25519 support
- Prevent crash on missing meta tag
- Validate resident key options
- Don't clobber existing ActionPack config options
- Validate cryptographic params
- Move CurrentWebAuthnRequest into ActionPack::Passkey
- Use ActiveModel::Attributes for Options objects
- Implement expiring challanges
- Add lifecycle events
- Extract param helpers into Request
- Add passkey_creation_options and passkey_request_options helpers
- Add create_passkey_challenge to make it easier to override the create method if needed
- Prefix all view helpers with passkey_
- Auto-include ActionPack::Passkey::Holder
- Make the passkey challange url configurable
- Add a reminder about Passkeys to the magic link email
- Use plain client data json everywhere
- Expose AAGUID and backed_up on Credentials
- Make attestation verifiers configurable
- Auto-suggest names for passkeys and show icons
* main: (33 commits)
Remove payment/subscription system and card/storage limits
Conditionally disable peer verification for ZIP streaming
Prevent HTML injection through filenames
Revert "Configure Lexxy to add extra spacing between block elements"
Configure Lexxy to add extra spacing between block elements
SaaS usage reporting (#2690)
Update app/models/user/named.rb
Prevent line breaks in the middle of familiar_name
Tweak the layout
Set the list of importable models based on the record sets in the manifest
Validate polymorphic types against importable models allowlist
Fix that the "maybe" stream wouldn't be replaced after triaging a card
Use x_user_agent cookie for platform detection in Hotwire Native
Add JSON response format to entropy endpoints (#2673)
Fix path traversal vulnerability in ActiveStorage blob key import
Enable CORS fetch mode for storage requests
Revert CORS fetch mode for Active Storage
Use CORS fetch mode for Active Storage to enable `maxEntrySize` checks
Only start offline mode when signed in
Exclude service worker and edit/pin/watch/new pages from main cache
...
* main: (43 commits)
Remove payment/subscription system and card/storage limits
Conditionally disable peer verification for ZIP streaming
Prevent HTML injection through filenames
Revert "Configure Lexxy to add extra spacing between block elements"
Configure Lexxy to add extra spacing between block elements
SaaS usage reporting (#2690)
Update app/models/user/named.rb
Prevent line breaks in the middle of familiar_name
Tweak the layout
Set the list of importable models based on the record sets in the manifest
Validate polymorphic types against importable models allowlist
Fix that the "maybe" stream wouldn't be replaced after triaging a card
Use x_user_agent cookie for platform detection in Hotwire Native
Add JSON response format to entropy endpoints (#2673)
Fix path traversal vulnerability in ActiveStorage blob key import
Enable CORS fetch mode for storage requests
Revert CORS fetch mode for Active Storage
Use CORS fetch mode for Active Storage to enable `maxEntrySize` checks
Only start offline mode when signed in
Exclude service worker and edit/pin/watch/new pages from main cache
...
Gate Turbo.offline.start() behind Current.user so the service worker
is only registered for authenticated users. This avoids errors on
unauthenticated pages where /service-worker.js requires auth.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Simplify the clear-offline-cache controller to use the new
Turbo.offline.clearCache() API instead of messaging the service
worker directly.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Rename logout controller to clear-offline-cache and attach it to the
magic link verification form so the service worker cache is cleared
when a different user signs in.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When the service worker is registered for the first time, resources loaded
before it becomes active won't go through the service worker. These resources
may be served from the browser's HTTP cache on subsequent requests, bypassing
the service worker cache entirely.
The new `preload` option accepts a regex pattern. On first visit (when no
controller exists), it waits for the service worker to take control, then
sends a message with URLs from `performance.getEntriesByType("resource")`
that match the pattern. The service worker fetches and caches these resources.
Adds a logout Stimulus controller that sends a message to the service
worker to clear all cached content when the user logs out. This ensures
that cached data from one user isn't accessible after logout.
The implementation:
- Adds logout_controller.js that posts { action: "clearCache" } to the
service worker via postMessage
- Updates logout buttons to use the controller on form submission
Also fixes data-turbo placement: moved from button to form element where
it actually takes effect for disabling Turbo Drive form submissions.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* main: (56 commits)
Update app/views/cards/container/_closure_buttons.html.erb
Update app/views/columns/show/_add_card_button.html.erb
Update app/views/events/index/_add_card_button.html.erb
Just return the object
Rename is-main-action to display-as-primary-action
Remove debug line
Rename show-label to display-title
Include path in web push payload for backwards compatibility
Add base_url to native push notification payload
Use internal account ID as `account_id` and add `account_slug`
Make APNS and FCM env vars available
Fix devices_path route helper in native devices partial
Fix tests for renamed fixtures and new stacked notifications
Add creator_familiar_name to push notification payload
Add creator initials and avatar color to push notification payload
Add avatar_url so we always get an avatar even when the user hasn't set one
Document --push flag for testing native push notifications
Don't read APNS_TEAM_ID from 1Password
Simplify push.yml to only use B64 encryption keys
Rename apns-dev to push-dev and unify 1Password credentials
...
Revert "Add bridged share button to board and card permas"
This reverts commit 069e165b43.
Revert "Move helper to bridge helper file"
This reverts commit 1ee37f046c.