Commit Graph

200 Commits

Author SHA1 Message Date
Jeremy Daer 94e991df07 Gitleaks: ignore legit non-sensitive API keys and tokens in docs/ and test/ (#2068) 2025-12-10 14:23:55 -08:00
Mike Dalessio 3191c4ec1e Get gitleaks-audit green again 2025-12-10 17:05:19 -05:00
David Heinemeier Hansson 895b0e13b8 Drop the need for access tokens to have a session 2025-12-10 09:23:52 +01:00
David Heinemeier Hansson db29562c4c Tie access token directly to session
We need to present them differently in the session list and prevent them
from being deleted
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson d384971ea2 Test the boards API 2025-12-10 09:23:52 +01:00
David Heinemeier Hansson a81c681a8d Add access token authentication via HTTP AUTHORIZATION bearer header 2025-12-10 09:23:52 +01:00
Mike Dalessio 4602cd3cdd Add verified_at timestamp to use for spam prevention
User are marked as verified after a join code is redeemed. The user is
redirected to Users::VerificationsController, either:

- after submitting a valid magic link code,
- or immediately after redeeming the join code (if they're already
  authenticated with the correct identity)

Account owners are automatically verified when the account is
created (because they have already provided a magic link code at that
point).

This sets up for later commits that will backfill existing users and
require verification before sending notification emails.

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-05 21:51:44 -05:00
Kevin McConnell 6475ad3425 Don't try to resize non-variable avatars 2025-12-04 13:36:21 +00:00
Vladimir Dementyev 3832b6230f + connection_test.rb 2025-12-03 16:40:44 +03:00
Kevin McConnell e16cc21b0a Add "data export" feature
- Adds a button in Account Settings where you can request a ZIP export of your
  Fizzy data
- Export files are created in the background. When ready, a link to
  download them is sent to the requester.
- Exports expire after 24 hours. And are limited to 10 per day.
2025-12-01 15:23:26 +00:00
Mike Dalessio edf6b53469 Introduce an "owner" role, and prevent it from being administered
to prevent the owner from being demoted or kicked out.

ref: https://app.fizzy.do/5986089/cards/3213
2025-11-29 14:13:29 -05:00
Jorge Manrubia 8baf5b8abd Make mission control only accessible for staff members 2025-11-28 15:53:58 +01:00
Mike Dalessio 7f46063c25 Introduce gitleaks to the codebase
- `bin/setup` installs gitleaks
- add `gitleaks dir` command to CI
- configure gitleaks to ignore tmp, log, and encrypted files
- tag existing false positives with `gitleaks:allow`
- add historical false positives to the ignore list
2025-11-26 15:46:47 -05:00
Mike Dalessio e0aa1d257e Drop User.system and replace with Account#system_user 2025-11-24 13:23:57 -05:00
Mike Dalessio 4976e4a7bb Update Card::Entropic so its scopes work cross-accounts
with an eye towards making the postpone_all_due recurring job work efficiently.
2025-11-17 09:12:41 -05:00
Mike Dalessio fe6df7085f Finish the rollout of account_id to all core data models
Schema:
- add account_id to tables it was missing from
- make account_id a required column everywhere
- add [account_id] indexes, or add `account_id` to existing indices

Models:
- add `belongs_to :account` to all models (default to using a domain
  model's account whenever possible)
- add account_id in all the necessary fixtures
- add account_id to insert_all hashes
- pass account_id to a few initialize calls

Miscellaneous:
- update the import script to set account_id

Note that I'm not adding account_id to the join tables primarily
because I couldn't think of an easy way to populate it without making
it a full Join model, and that was more work than I have time to take
on right now.
2025-11-17 09:12:40 -05:00
Stanko K.R. 8fa9566c07 Update sign up 2025-11-17 09:12:40 -05:00
Donal McBreen 0e3084f9d3 Fix up join code fixtures and tests 2025-11-17 09:12:36 -05:00
Kevin McConnell e9e68646e3 Fix this test without changing app code 2025-11-17 09:12:31 -05:00
Kevin McConnell 1959e15f7e Fix more tests
These are mainly because the fixture's UUIDs are deterministic rather
than time-sortable, and more places where we need to correct the fixture
IDs as well.
2025-11-17 09:12:31 -05:00
Kevin McConnell c97ea9131f Fix some failing Tests
- Add explicit IDs to fixtures to avoid getting ints
- Remove ordering dependencies in assertions
2025-11-17 09:12:31 -05:00
Mike Dalessio e4011ef211 Update primary keys on customer data to UUIDs
- schema changes to primary and foreign keys
- fixture changes
- customer data models subclass AccountScopedRecord
- import script updated
2025-11-17 09:12:30 -05:00
Stanko K.R. 6858b96619 Simplify join codes 2025-11-17 09:12:17 -05:00
Stanko K.R. 32d96db7d9 Replace card id with card number 2025-11-17 09:12:15 -05:00
Mike Dalessio fbda61f45d Remove TODO comment that I completed 2025-11-17 09:11:57 -05:00
Mike Dalessio ff8d786144 Filter boards by account 2025-11-17 09:11:57 -05:00
Mike Dalessio dbf66f9a50 Constrain user queries to the current or relevant account 2025-11-17 09:11:57 -05:00
Stanko K.R. 8b1ca5e7fb Remove unused account associations 2025-11-17 09:11:42 -05:00
Stanko K.R. 1d6dd09272 Update fixutres 2025-11-17 09:11:42 -05:00
Mike Dalessio 006aa4d6b3 Tests need to set up the script_name properly
which requires tweaking fixtures for the memberships and the account
2025-11-17 09:11:42 -05:00
Mike Dalessio 362427b383 More changes to get setup and tests to run 2025-11-17 09:11:42 -05:00
Jorge Manrubia 80d309cd22 Keep current logical names for colors
So that the db values are not tied to the specific CSS
2025-11-14 11:44:04 +01:00
Jorge Manrubia 1f56adf8aa Reuse logo as avatar 2025-11-07 12:56:43 +01:00
Jorge Manrubia f544dc74f5 Add test 2025-11-07 12:55:04 +01:00
Jorge Manrubia 39ec6cf062 Replace collection with board in the code, tests green 2025-11-05 13:41:12 +01:00
Jorge Manrubia 03a345609e Baseline replacing collection with board across code 2025-11-05 13:31:54 +01:00
Stanko K.R. 5f26690aa1 Redirect to the account you joined after sign in 2025-11-04 07:20:16 +01:00
David Heinemeier Hansson b3474ec97d Rename Entropy::Configuration to just Entropy 2025-11-02 13:11:41 +01:00
Stanko Krtalić 98755844a1 Remove the internal API
* Bind sessions to identities
* Remove references to the identity token
* Move email changes to identity
* Move account menu into a turbo-frame
* Create tenants from a tenanted route
2025-10-31 16:26:08 +01:00
Stanko K.R. 79b012f319 Add Join Codes 2025-10-31 16:24:30 +01:00
Stanko K.R. c8843360fe Clean up and simplify magic links 2025-10-31 16:23:38 +01:00
Stanko K.R. 5cef4ffeb0 Add sign in flow using magic links 2025-10-31 16:22:12 +01:00
Mike Dalessio d0215e9fd2 Introduce untenanted Identity and Membership models
and a script to populate these tables for existing 37id users
2025-10-31 16:22:12 +01:00
Jorge Manrubia 7a1dde1a81 Add tests 2025-10-29 16:41:04 +01:00
Jorge Manrubia 9317a82570 Remove Fizzy Ask
Since we are not going to ship it
2025-10-27 14:45:30 +01:00
Jason Zimdars da413e7540 Remove closure reasons 2025-10-15 16:15:56 -05:00
Jorge Manrubia 7cb575b329 Exclude drafts from filtered cards 2025-10-07 10:32:10 +02:00
Mike Dalessio 48783824ee Fix some small things related to accounts 2025-10-03 16:55:00 -04:00
Mike Dalessio 47370084d2 Remove code related to Launchpad auth or 37id Users 2025-10-02 16:33:23 -04:00
Jorge Manrubia 1bb8de8564 Fix tests 2025-09-29 13:13:40 +02:00