Commit Graph

5547 Commits

Author SHA1 Message Date
Mike Dalessio 0160f215f2 Validate email before creating identity during sign-up and sign-in
Avoid Sentry exceptions when attackers try to stuff invalid emails. The
browser performs form field validation that should normally prevent this
from occurring, so we just return 422 without validation error messages.

Also:

- extract redirect_to_session_magic_link helper
- some controller refactoring and cleanup
2025-12-06 16:52:16 -05:00
Mike Dalessio 95ba2c01b8 Add email validation to Signup 2025-12-06 16:50:39 -05:00
Mike Dalessio 0793400771 Merge pull request #1994 from basecamp/flavorjones/signup-dev-magic-link
Render verification code in dev for signups, too
2025-12-06 15:07:47 -05:00
Mike Dalessio b439a7695b Render verification code in dev for signups, too
Related to 5865d79e / #1991
2025-12-06 15:02:22 -05:00
Mike Dalessio 675600af72 Improve presentation of validation errors 2025-12-06 14:57:27 -05:00
Mike Dalessio c388f5ef20 Display validation errors for user profiles.
Specifically this will help people understand why their SVG avatar
uploads are being rejected, and will keep the RecordInvalid exception
out of Sentry logs.
2025-12-06 14:34:08 -05:00
Mike Dalessio 1883473de1 Remove duplication in the list of supported avatar file types 2025-12-06 14:34:08 -05:00
Mike Dalessio 5865d79ed9 Display the verification code in the dev env
This seems better and easier than the console log.
2025-12-06 13:46:13 -05:00
Jeremy Daer 529f5af5f6 CSP adherence: fix magic links console logging (#1989)
* CSP: fix magic link console logging by including nonce in the script tag

* Remove unused back-nav controller

Unused since c0f842427d

Eliminates a potential CSP violation with javascript: URI
2025-12-06 10:08:22 -08:00
Zoltan Hosszu e562c72ec9 Small visual tweak for indented list style 2025-12-06 17:58:01 +01:00
Stanko K.R. 73c2b00211 Rever to using Ssrf instead of SSRF
Ref: https://github.com/basecamp/fizzy/pull/1967#discussion_r2593750027
2025-12-06 11:04:55 +01:00
Jorge Manrubia ffb357becf Merge pull request #1742 from basecamp/latest-lexxy
Update lexxy to latest
2025-12-06 10:31:19 +01:00
Mike Dalessio 69f8216982 Pass correct params to webhook reactivation url helper.
ref: https://app.fizzy.do/5986089/cards/3219
2025-12-05 22:44:34 -05:00
Mike Dalessio fc8ef33332 Show unverified status on user profile page
Display "Unverified" with an explanation instead of the email address
for users who haven't confirmed their identity. Hide the card links
and activity timeline since unverified users won't have any activity.

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-05 21:51:44 -05:00
Mike Dalessio 1ad52d2590 Only send notification emails to verified users
Adds verified? check to bundling_emails? to prevent notification emails
from being sent to users who have never authenticated. This closes the
spam vector where bad actors could create users for known email
addresses and trigger unwanted notifications by mentioning them.

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-05 21:51:44 -05:00
Mike Dalessio 4602cd3cdd Add verified_at timestamp to use for spam prevention
User are marked as verified after a join code is redeemed. The user is
redirected to Users::VerificationsController, either:

- after submitting a valid magic link code,
- or immediately after redeeming the join code (if they're already
  authenticated with the correct identity)

Account owners are automatically verified when the account is
created (because they have already provided a magic link code at that
point).

This sets up for later commits that will backfill existing users and
require verification before sending notification emails.

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-05 21:51:44 -05:00
Mike Dalessio fa549a370b Add a system test for joining an account
Reworked the magic link stimulus controller, because the system test
was causing double-submission of the form (because the event was
bubbling up). I think that change simplifies the form and will still
work well for iOS devices.
2025-12-05 21:51:44 -05:00
Stanko K.R. 1b3d7d4276 Fix ipaddr setter 2025-12-05 20:43:56 +01:00
Stanko K.R. cd3751f4c1 Fix Resolv::DNS always returning no results 2025-12-05 20:09:39 +01:00
Andy Smith 2cf718835b Style updates for latest Lexxy version
Style nested lists, highlight dropdown, and link dropdown. Also organizes the CSS file a bit better.
2025-12-05 11:16:11 -06:00
Jorge Manrubia 1ac5867d5c These are textareas now 2025-12-05 11:41:11 +01:00
Jorge Manrubia 48ef7d0b98 Update Lexxy and hide the highlighter for now 2025-12-05 11:24:52 +01:00
Jorge Manrubia 67f36886a1 Update lexxy to latest
Color highlighter, more code languages...
2025-12-05 11:17:29 +01:00
Jorge Manrubia 59ff50c1cb We can remove ad-hoc handling now that we rely on page refreshes in the card perma 2025-12-05 10:11:24 +01:00
Jorge Manrubia c89db89f2a Only broadcast when the preview changes, use the _later variant for the broadcast, add tests 2025-12-05 10:09:20 +01:00
Andy Smith bcad6b913c Update pinned cards when the title changes 2025-12-05 10:09:20 +01:00
Jorge Manrubia 046a42c4f6 Rename to be more consistent 2025-12-05 07:55:11 +01:00
David Heinemeier Hansson d729cf59f9 Beautify board watchers list (#1946)
* Beautify board_watchers_list by escaping the concat jungle

* Correct it and clean it

* Latest Rails to get the content tag fix

* Test against original collection
2025-12-04 16:14:52 -08:00
Andy Smith d5337d0689 Merge pull request #1938 from basecamp/add-missing-attr-on-public-boards
Add missing data attribute on public board
2025-12-04 16:10:42 -06:00
Andy Smith 029c151a4e Add missing data-attr on public board 2025-12-04 15:43:19 -06:00
Jorge Manrubia fce6345fa6 Merge pull request #1936 from basecamp/use-self
Use buil-in support for :self in Stimulus
2025-12-04 22:42:55 +01:00
Andy Smith 34d3383cbd Fix hotkey text size on tiny viewports 2025-12-04 15:23:20 -06:00
Jorge Manrubia effb96537a Use buil-in support for :self in Stimulus
Thanks to @brunoprietog for advice https://github.com/basecamp/fizzy/pull/1927/files/9639e07ab88f628f5f37ad2aa9acee2b86d4fb1a#diff-24a46f2ca97f2964d4d8940123b7f76578694567df84256f576aa4bee221179e
2025-12-04 22:16:00 +01:00
Andy Smith 1c5ead0096 Merge pull request #1930 from basecamp/prevent-blank-board-names
Prevent board names with only spaces and show validation message
2025-12-04 14:50:17 -06:00
Jorge Manrubia e3e57a6a7e Merge pull request #1927 from basecamp/speed-up-sorting
Faster D&D by optimistically inserting dropped cards
2025-12-04 21:31:21 +01:00
Jorge Manrubia 9639e07ab8 Save a bunch of invocations on morph events from children elements 2025-12-04 21:27:22 +01:00
Jorge Manrubia 704b5b9788 Fix: memoization was showing stale values when morphing 2025-12-04 21:21:54 +01:00
Mike Dalessio 00eee29837 Validate Identity email address
using the "standard" email regexp URI::MailTo::EMAIL_REGEXP. The form
field will validate this in the browser, but if bots are creating
identities, they can put whatever they want in here. So let's add some
protection against that.

The HtmlHelper regex was renamed here to avoid confusing Brakeman,
which does imprecise constant lookup and was confusing the two
constants, one of which uses `\A` and `\z` and the other does
not (intentionally).

ref: https://app.fizzy.do/5986089/cards/3276
2025-12-04 14:01:15 -05:00
Jorge Manrubia bbec988516 Golden cards should be placed at the top 2025-12-04 19:23:55 +01:00
Jorge Manrubia a380492b32 Animate the column height with a stimulus controller so that it does not depend to the server to update when you D&D 2025-12-04 19:15:38 +01:00
Andy Smith 23ec3f129a Support custom validation messages 2025-12-04 11:43:55 -06:00
Jorge Manrubia 1122556383 Move css bit to the new blank slates CSS 2025-12-04 18:42:44 +01:00
Andy Smith 5c4fe9fe8b Prevent board names with only spaces and show validation message 2025-12-04 11:37:27 -06:00
Mike Dalessio 03e4f86b7a Merge pull request #1878 from basecamp/flavorjones/console1984-v2
Bump fizzy-saas to enable console auditing
2025-12-04 12:31:34 -05:00
Jorge Manrubia 539d3721db Keep the column color when D&D cards 2025-12-04 18:31:23 +01:00
Jorge Manrubia 104bb5faa9 Add container to drop cards when the stream is empty 2025-12-04 18:31:23 +01:00
Jorge Manrubia 3536b6fb32 Modify counters optimistically too 2025-12-04 18:31:23 +01:00
Jorge Manrubia 19051aec3e Append dropped cards instead of relying on server-side rendering to refresh the columns
This implements a simple strategy to optimistically insert cards in columns without waiting for the column refresh. Cards will be placed at the top respecting golden cards.

This uses sorting by "created at" with sorting by "updated at" for the _Not now_ column, so that the treatment everywhere is homogenous.
2025-12-04 18:31:23 +01:00
Mike Dalessio 912bb8a8e5 Bump fizzy-saas to enable console auditing
ref: https://app.fizzy.do/5986089/cards/2469
ref: https://github.com/basecamp/fizzy-saas/pull/20
2025-12-04 12:25:54 -05:00
Jason Zimdars d4a50c996a Merge pull request #1894 from Venkat-RK/main
Added 'Back to Home' link on notifications list page
2025-12-04 11:19:55 -06:00