Commit Graph

33 Commits

Author SHA1 Message Date
scart88 ba887225a5 Redirect back to account settings page when the user role is changed or when the user is removed from an account. 2025-12-22 10:47:23 +02:00
Kevin McConnell 741eff7bdc Revert "Merge pull request #1865 from basecamp/public-avatar-caching"
This reverts commit c628f14c01, reversing
changes made to 4bafc73236.
2025-12-15 13:07:13 +00:00
Kevin McConnell eec96ff384 Serve own avatar from its own endpoint
This allows us to have different cache controls depending on whether
you're viewing your own avatar, or someone else's. Your own avatar will
always be fresh, while other folks' avatars can be pulled from the CDN.
2025-12-12 09:03:35 +00:00
Jeremy Daer ea8a78cc22 Fix stale-read race when creating push subscriptions
(Caught one such uniqueness exception in the wild)

* 200 OK -> 204 No Content, default status
* No need to touch the subscription when found
* Drop superflous test
2025-12-09 01:34:37 -08:00
Jeremy Daer 49c4f2adc6 Fix ActiveStorage FileNotFoundError with immediate variant processing (#2022)
When ActiveStorage::Record uses `connects_to` for read replica support,
it creates a separate connection pool from ApplicationRecord. This causes
`after_commit` callbacks to fire in non-deterministic order - the
Attachment's `create_variants` callback can fire before the User model's
upload callback completes, resulting in FileNotFoundError.

The fix removes replica connection configuration from ActiveStorage::Record
so it shares the same connection pool as application models, ensuring
proper callback ordering.

Also reverts test workarounds that were added to work around this issue,
since the root cause is now fixed.

See: https://github.com/rails/rails/issues/53694
2025-12-08 14:44:49 -08:00
Jorge Manrubia cb0e9b9962 Immediate avatar and embed variants (#2002)
Reverts #2001
Restores #1955
2025-12-08 14:17:06 -08:00
Jorge Manrubia c8c91259c7 Revert "Immediate avatar and embed variants" 2025-12-07 12:06:03 +01:00
Jorge Manrubia 568783efd1 Merge pull request #1905 from basecamp/web-push-ssrf
Security: Web Push SSRF
2025-12-07 11:58:14 +01:00
Jorge Manrubia 91017c9208 Merge pull request #1955 from basecamp/immediate-variants
Immediate avatar and embed variants
2025-12-07 11:50:02 +01:00
Mike Dalessio 4602cd3cdd Add verified_at timestamp to use for spam prevention
User are marked as verified after a join code is redeemed. The user is
redirected to Users::VerificationsController, either:

- after submitting a valid magic link code,
- or immediately after redeeming the join code (if they're already
  authenticated with the correct identity)

Account owners are automatically verified when the account is
created (because they have already provided a magic link code at that
point).

This sets up for later commits that will backfill existing users and
require verification before sending notification emails.

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-05 21:51:44 -05:00
Jeremy Daer 21f3f72647 Immediate avatar and embed variants
Process variants synchronously on attachment to close the window between
image upload and variant availability, guaranteeing that we won't have
lazy variant processing attempts in GET requests.

Tradeoff is that we do variant processing in upload requests, which is
actually desirable. We're working with images that should take
milliseconds to resize given that we'll already have the file on hand.

References https://github.com/rails/rails/pull/51951
2025-12-04 23:54:37 -08:00
Jeremy Daer 496851b255 Security: Web Push SSRF and IP range bypass
Add SSRF protection for web push endpoints:
- Resolve endpoint IP once and pin it for connection
- Validate endpoints resolve to public IPs
- Whitelist permitted push service hosts

Add missing IP ranges to SsrfProtection:
- 100.64.0.0/10 (Carrier-grade NAT, RFC6598)
- 198.18.0.0/15 (Benchmark testing, RFC2544)

Note: link-local (169.254.0.0/16) is already covered by ip.link_local?
2025-12-04 21:35:55 -08:00
Kevin McConnell 6475ad3425 Don't try to resize non-variable avatars 2025-12-04 13:36:21 +00:00
Jason Zimdars 7a45caa39d Update test 2025-12-03 12:02:23 -06:00
Stanko K.R. 84213265e7 Render friendly error message when using an invalid token 2025-12-03 15:37:27 +01:00
Mike Dalessio edf6b53469 Introduce an "owner" role, and prevent it from being administered
to prevent the owner from being demoted or kicked out.

ref: https://app.fizzy.do/5986089/cards/3213
2025-11-29 14:13:29 -05:00
Stanko K.R. 46d80f2ca2 Serve system user avatar as an asset 2025-11-24 13:16:14 +01:00
Stanko K.R. e85c5736c9 Render system user avatars using redirects 2025-11-24 12:05:32 +01:00
Mike Dalessio 4dc28943da Don't let cloudflare cache avatars
The issue here is that anyone else who views my avatar will cause it
to be cached, and then I can't easily bust the cache if I change my
avatar.
2025-11-22 09:48:28 -05:00
Mike Dalessio 64bac96545 User avatar responses have cache-control "public"
ref: https://app.fizzy.do/5986089/cards/3125
2025-11-21 16:11:39 -05:00
Mike Dalessio bcb43305b6 Improve avatar image handling
- redirect avatar image requests to the rails_blob_url, instead of
  streaming them through the web app
- use a thumbnail variant for avatar images
- only put avatar initials behind the stale? check (not the image
  redirect, which would result in browsers rendering broken images when
  an avatar is changed, until max-age expires)
2025-11-21 15:16:46 -05:00
Stanko K.R. fe909d6dc5 Disable stale while revalidate for own avatar
Locally, having stale_while_revalidate works great, but in production when we are behind CloudFlare, this results in an old image being shown after you upload a new one

See: https://app.fizzy.do/5986089/cards/2978
2025-11-21 19:26:38 +01:00
Stanko K.R. e0693de7c3 Scope jobs and controllers by account 2025-11-17 09:12:41 -05:00
Stanko K.R. 56c41d45eb Reinstate email changes 2025-11-17 09:12:40 -05:00
Stanko K.R. 6858b96619 Simplify join codes 2025-11-17 09:12:17 -05:00
Mike Dalessio 905cf759d8 test: fixing or skipping more tests 2025-11-17 09:11:47 -05:00
Jorge Manrubia 2bb90eab13 Use the sole collection as the root for a better onboarding experience for new accounts 2025-11-04 17:09:35 +01:00
David Heinemeier Hansson c25fcc087a Test avatars controller 2025-11-03 14:21:53 +01:00
David Heinemeier Hansson 43069b1ea4 Extract Users::JoinsController from overloaded UsersController
Good code smell is when the before_action callbacks stack up but can't
be shared across actions
2025-11-02 17:49:25 +01:00
David Heinemeier Hansson bced7405df Extract events loading from overloaded UsersController 2025-11-02 17:31:28 +01:00
Jason Zimdars f6d8d3021d Add controller test 2025-07-21 20:06:41 -05:00
David Heinemeier Hansson dbf61f4fc3 Use _path in all cases where we are not potentially changing the domain 2025-04-13 08:17:36 +02:00
David Heinemeier Hansson a106b1b6a7 Join the two users controllers but split out role setting 2025-04-12 20:30:47 +02:00