Commit Graph

516 Commits

Author SHA1 Message Date
Stanko Krtalić eceb6c9b43 Add self-service account deletion (#2246)
* Add self-service account deletion

* Disable access to cancelled accounts & implement Stripe interactions

* Add tests

* Fix failing tests

* Remove cancelled accounts from lists

* Fix incorrect redirect

* Use _path instead of _url for consistency

* Don't track how far the inicieration job got

We still want the step tracking so that the job can be interrupted. But, since the scope is idempotent, we don't need to track how far it got.

* Specify the exact time when the data will be deleted

* Fix crash due to unadvancable cursor

* Rename up_for_incineration to due_for_incineration

* Regenrate the schema

* Fix incorrect path check

* Migrate the SQLite schema

* Only show the cancel button on cancellable accounts

* Check that a subscirption method exists before calling it

* Ignore job failures due to missing records when an account gets deleted

* Skip sending notifications on cancelled accounts

* Use collbacks to integrate

* Add a blank line between queue_as and discard_on

* Break checks into methods

* Inline methods

* Rename Account::IncinerateJob

* Run migrations

* Migrate SQLite
2026-01-12 14:21:05 +01:00
Jorge Manrubia f58a1aeb31 Use a dedicated resource for showing cards in draft mode
Mobile team needs this. Also, this lets us get rid from some conditionals for handling
both modes with a single template.

https://3.basecamp.com/2914079/buckets/44843469/messages/9437287330
2026-01-08 10:40:21 +01:00
Jorge Manrubia fb6bcaa18e Merge pull request #2227 from scart88/main
Redirect back to account settings page when the user role is changed …
2026-01-07 16:27:05 +01:00
Rosa Gutierrez 5f390f72df Support local installations where the app is loaded over HTTP
In this case requests won't be performed from a secure context [1] and
the browser won't send the Sec-Fetch-Site header. This means non-GET
requests will be rejected because CSRF protection will fail.

With this change, we allow these requests with missing Sec-Fetch-Site
headers if:
- They happen over HTTP
- The app is not configured to force SSL

The Origin check happens in any case.

[1] https://developer.mozilla.org/en-US/docs/Web/Security/Defenses/Secure_Contexts#potentially_trustworthy_origins
2026-01-05 18:50:14 +01:00
Stanko Krtalić 24c20ad55f Merge pull request #2244 from basecamp/expose-card-ids-on-comments
Expose the card ID and URL on comments
2025-12-24 08:50:47 +01:00
Stanko K.R. 822c3bb2ad Expose the card ID and URL on comments 2025-12-24 08:45:31 +01:00
Rosa Gutierrez 3fcf5a9d08 Require authorization for direct uploads
Respond with 403 to JSON requests that are unauthorized, instead of
redirecting.
2025-12-23 11:08:51 +01:00
scart88 ba887225a5 Redirect back to account settings page when the user role is changed or when the user is removed from an account. 2025-12-22 10:47:23 +02:00
Jason Zimdars bc4745c6ce Add a test 2025-12-20 18:12:42 -06:00
Stanko K.R. e0270c6c49 Clean up interfaces
I talked to the mobile team, and to keep things simple we agreed to send
the token via a cookie.
2025-12-19 19:21:57 +01:00
Stanko K.R. 23fc7b594f Split tests by controller or responsibility 2025-12-19 19:21:57 +01:00
Stanko K.R. 1a1f4a077b Simplify auth logic 2025-12-19 19:21:57 +01:00
Fernando Olivares cddddcf83a Fix due to unit test when creating with invalid emails 2025-12-19 19:21:57 +01:00
Fernando Olivares fb487f598c Restore sessions_controller test on creating invalid email address 2025-12-19 19:21:57 +01:00
Fernando Olivares be447f90ba Move magic link api tests to their own files 2025-12-19 19:21:57 +01:00
Fernando Olivares 6be20e215b Rename test to clarify what they're about 2025-12-19 19:21:57 +01:00
Fernando Olivares 6e8d6a3df0 Update to always return a pending auth token for JSON responses. 2025-12-19 19:21:57 +01:00
Fernando Olivares fbf829b346 Update API test for cross code 2025-12-19 19:21:57 +01:00
Fernando Olivares 9009e0fb49 Change test expectation on single tenant mode account creation 2025-12-19 19:21:57 +01:00
Fernando Olivares a2333623b6 Add unit tests for the new endpoints 2025-12-19 19:21:57 +01:00
Stanko K.R. c0a0786539 Return the session cookie
We had a call about this. In short, we could reuse access tokens but then the user would see access tokens for every mobile device they have without any indication as to what is going on. So, since this really is just logging in instead of an integration which seems to be the primary purpose of access tokens, we can just use our regular session cookie for authentication.
2025-12-19 19:21:57 +01:00
Stanko K.R. 58a92f0bb7 Add tests for sign in via API 2025-12-19 19:21:57 +01:00
Jorge Manrubia eb1d112013 Merge pull request #2203 from basecamp/remove-unused-param
Remove unused `tag_ids` parameter from `CardsController#update`
2025-12-19 12:16:32 +01:00
Jorge Manrubia 33fc239571 Merge pull request #2140 from dilberryhoundog/fix-stale-account-cache
Fix: resolve stale account names in jump menu and page titles
2025-12-19 11:26:23 +01:00
Rosa Gutierrez 1e640643e9 Remove unused tag_ids parameter from CardsController#update
This is no longer used in the normal flow of the app. The tags are added
via `Cards::TaggingsController`.
2025-12-19 11:16:20 +01:00
Mike Dalessio 2b388dd241 Merge pull request #2164 from basecamp/flavorjones/user-validate-name
Validate User name presence and handle blank names gracefully
2025-12-16 10:49:13 -05:00
Jorge Manrubia ee80b87c8c Add billing system with Stripe
🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Jason Zimdars <jz@37signals.com>
2025-12-16 16:44:20 +01:00
Mike Dalessio b75d2ae6d8 Validate User name presence and handle blank names gracefully
Addresses an issue where User#familiar_name assumed `name` was always
present, potentially raising an exception during view rendering. Now
User validates name presence, and User#familiar_name handles blank
strings without error, in case any existing invalid records exist.
2025-12-16 10:44:10 -05:00
Kevin McConnell 741eff7bdc Revert "Merge pull request #1865 from basecamp/public-avatar-caching"
This reverts commit c628f14c01, reversing
changes made to 4bafc73236.
2025-12-15 13:07:13 +00:00
Stanko Krtalić 2058743be9 Merge pull request #2146 from basecamp/show-only-published-cards-on-public-boards
Show only public cards on public boards
2025-12-15 13:26:12 +01:00
Kevin McConnell c628f14c01 Merge pull request #1865 from basecamp/public-avatar-caching
Serve own avatar from its own endpoint
2025-12-15 12:20:28 +00:00
Stanko K.R. 87081aa617 Show only public cards on public boards 2025-12-15 13:15:36 +01:00
Dylan f01a648441 🐛 fix: resolve stale account names in jump menu and page titles
Add account data to fresh_when etag arrays so Rails serves fresh responses after account changes.

- Add @accounts to menus controller etag

- Add Current.account to boards controller etag

- Add ETag cache invalidation tests for both controllers
2025-12-15 15:59:25 +08:00
Mike Dalessio cbaf5d245f Merge pull request #2136 from afurm/test/tenancy-timezone
Add focused tests for tenancy middleware and timezone cookie caching
2025-12-14 16:20:56 -05:00
Jorge Manrubia 31542373ee Merge pull request #2112 from JangoCG/feature/rate-limit-join-codes
feat: protect join codes from brute-force attacks
2025-12-14 09:43:28 +01:00
Jorge Manrubia cac9088ad3 Merge pull request #2105 from seuros/main
feat: expose closed boolean in card JSON API
2025-12-14 09:36:32 +01:00
Jorge Manrubia d7e5d4218f Merge pull request #2032 from tomycostantino/update-columns-on-actions
Fix: board columns actions are stale when moving a column moves
2025-12-14 09:28:57 +01:00
Andrii Furmanets f3bd38ea79 Add tests for tenancy middleware and timezone cookie 2025-12-13 22:10:21 +02:00
Mike Dalessio 139bf3cf81 Validate avatar sizes 2025-12-13 13:05:30 -05:00
Mike Dalessio 9cff236f66 Drop staff restriction in beta and staging
because it was preventing testing of signups.
2025-12-12 15:12:46 -05:00
Rosa Gutierrez 7f5fa6d715 Use Sec-Fetch-Site exclusively for CSRF protection
And close the gap with JSON requests, which shouldn't be allowed if
Sec-Fetch-Site is 'cross-site' or 'none', only if it's empty as this
wouldn't be coming from a browser.
2025-12-12 18:37:32 +01:00
Cengiz Guertusgil 09a2e7d7d7 feat: add rate limit to join codes controller 2025-12-12 17:21:57 +01:00
Abdelkader Boudih b5caa8716d feat: expose closed boolean in card JSON API
Adds `closed` field to card JSON response, allowing API consumers
to detect closed status without parsing the status enum or making
additional API calls.
2025-12-12 10:12:21 +01:00
Kevin McConnell eec96ff384 Serve own avatar from its own endpoint
This allows us to have different cache controls depending on whether
you're viewing your own avatar, or someone else's. Your own avatar will
always be fresh, while other folks' avatars can be pulled from the CDN.
2025-12-12 09:03:35 +00:00
Stanko Krtalić c43c184691 Merge pull request #2093 from robzolkos/add-qr-codes-controller-test
Add QrCodesController test
2025-12-12 08:11:51 +01:00
Stanko Krtalić 23425cb67b Merge pull request #2086 from basecamp/harden-magic-links
Pin sign in attempts to the current session
2025-12-12 07:23:19 +01:00
Stanko K.R. f4ef9c9580 Test that you can't go to the magic link screen without an email 2025-12-12 07:16:07 +01:00
Jankees van Woezik 78fc80cf35 API: Allow updates to last_active_at (#2076)
* Allow Card#last_updated_at to be set

This is useful when doing an import from another system. I'm currently
working on a script to import our Github issues into Fizzy.

This is discussed in
https://github.com/basecamp/fizzy/pull/2056#discussion_r2609560246

* Add nil fallback and expand test coverage for last_active_at

Adds a safety fallback to Time.current if created_at is unexpectedly nil
during card creation.

Test coverage to verify:
* last_active_at defaults to created_at when not provided
* last_active_at can be updated via API on existing cards
* import workflow where last_active_at is restored after comments
* publishing doesn't overwrite explicit last_active_at values

---------

Co-authored-by: Jeremy Daer <jeremy@37signals.com>
2025-12-11 19:06:03 -08:00
Rob Zolkos 9ca5e792f1 Add QrCodesController test 2025-12-11 13:51:18 -05:00
Stanko K.R. b6edb93c47 Pin sign in attempts to the current session
This makes it way more difficult to brute-force a magic link.

Original implementation by udiudi. Ref: https://github.com/udiudi/fizzy/pull/1/files

Discussion: https://github.com/basecamp/fizzy/discussions/1981

Co-Authored-By: Udi <udi@udi.codes>
2025-12-11 19:05:54 +01:00