Commit Graph

1560 Commits

Author SHA1 Message Date
Mike Dalessio 95ba2c01b8 Add email validation to Signup 2025-12-06 16:50:39 -05:00
Stanko K.R. 73c2b00211 Rever to using Ssrf instead of SSRF
Ref: https://github.com/basecamp/fizzy/pull/1967#discussion_r2593750027
2025-12-06 11:04:55 +01:00
Mike Dalessio 1ad52d2590 Only send notification emails to verified users
Adds verified? check to bundling_emails? to prevent notification emails
from being sent to users who have never authenticated. This closes the
spam vector where bad actors could create users for known email
addresses and trigger unwanted notifications by mentioning them.

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-05 21:51:44 -05:00
Mike Dalessio 4602cd3cdd Add verified_at timestamp to use for spam prevention
User are marked as verified after a join code is redeemed. The user is
redirected to Users::VerificationsController, either:

- after submitting a valid magic link code,
- or immediately after redeeming the join code (if they're already
  authenticated with the correct identity)

Account owners are automatically verified when the account is
created (because they have already provided a magic link code at that
point).

This sets up for later commits that will backfill existing users and
require verification before sending notification emails.

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-05 21:51:44 -05:00
Stanko K.R. 1b3d7d4276 Fix ipaddr setter 2025-12-05 20:43:56 +01:00
Stanko K.R. cd3751f4c1 Fix Resolv::DNS always returning no results 2025-12-05 20:09:39 +01:00
Jorge Manrubia 59ff50c1cb We can remove ad-hoc handling now that we rely on page refreshes in the card perma 2025-12-05 10:11:24 +01:00
Jorge Manrubia c89db89f2a Only broadcast when the preview changes, use the _later variant for the broadcast, add tests 2025-12-05 10:09:20 +01:00
Andy Smith bcad6b913c Update pinned cards when the title changes 2025-12-05 10:09:20 +01:00
Mike Dalessio 00eee29837 Validate Identity email address
using the "standard" email regexp URI::MailTo::EMAIL_REGEXP. The form
field will validate this in the browser, but if bots are creating
identities, they can put whatever they want in here. So let's add some
protection against that.

The HtmlHelper regex was renamed here to avoid confusing Brakeman,
which does imprecise constant lookup and was confusing the two
constants, one of which uses `\A` and `\z` and the other does
not (intentionally).

ref: https://app.fizzy.do/5986089/cards/3276
2025-12-04 14:01:15 -05:00
Kevin McConnell 2e47749739 Don't allow SVG avatar uploads in the first place 2025-12-04 14:27:28 +00:00
Kevin McConnell 6475ad3425 Don't try to resize non-variable avatars 2025-12-04 13:36:21 +00:00
Jorge Manrubia a0cb25a951 Merge pull request #1881 from basecamp/card-notification-removal-scope
Tighten scope on card notification removals
2025-12-04 08:44:52 +01:00
Jeremy Daer 7af93765a8 Security: close narrow window of exposure to DNS rebinding (#1903) 2025-12-03 23:12:17 -08:00
Jeremy Daer cac0ca1656 Scope the single-board case to just the creator's boards (#1880) 2025-12-03 15:47:04 -08:00
Jeremy Daer f440b0243e Tighten scope on card notification removals
* Iterate each association separately to favor db indexing
* Pluck user IDs rather than select to avoid correlated subquery
2025-12-03 15:46:43 -08:00
Jorge Manrubia 38d86fb17b Merge pull request #1879 from basecamp/scope-tags
Scope tags by account
2025-12-03 23:42:04 +01:00
Jorge Manrubia 4a30663df1 Scope tags by account
We missed this one when we went to MySQL. This can results in cards tagged with cards
from other accounts. No data leaked though: the symptom is that you see the card
tagged as expected but you don't see the tag in the menu.
2025-12-03 23:39:37 +01:00
Jorge Manrubia 6847c001ea Merge pull request #1876 from basecamp/column-reordering-auth
Fix unauthorized column reordering
2025-12-03 22:18:06 +01:00
Jeremy Daer 9f6a4f1cc6 Fix unauthorized column reordering
Users could reorder columns they didn't have access to. Fixed by
limiting ColumnScoped to User::Accessor#accessible_columns.

References https://hackerone.com/reports/3449905
2025-12-03 13:00:49 -08:00
Jorge Manrubia 7fcf660f05 Merge pull request #1854 from MatheusRich/find-by-over-where-first
Prefer find_by! over where + first!
2025-12-03 21:51:18 +01:00
Stanko K.R. 7ab06d1dbd Use cryptographically secure randomness for Magic Link code generation
#sample uses PRNG under the hood which is pseudo random, which means that given enough magic link codes you can predict which code would come next. To fix that we have to switch to CSPRNG - SecureRandom.random_number - which isn't easy to predict based on previous results.
2025-12-03 20:15:27 +01:00
Stanko Krtalić 3520f97e33 Merge pull request #1857 from basecamp/friendly-error-message-when-changing-email-with-an-invalid-code
Render a friendly error message when using an invalid email change token
2025-12-03 20:06:24 +01:00
Jorge Manrubia 60b1fe26e8 Merge pull request #1847 from javier-valencia-arch/patch-1
Refactor with_account and without_account methods
2025-12-03 19:33:31 +01:00
Brian Bailey 30a2149115 Update seeder.rb to fix a few minor things in the onboarding content 2025-12-03 12:20:37 -05:00
Karl Entwistle 59d7229500 Move Eventable concern to app/models/concerns
Aligns with Rails conventions for organizing concerns in a dedicated
concerns directory alongside existing concerns like Attachments,
Mentions, Searchable, etc.
2025-12-03 16:36:15 +00:00
Stanko K.R. 84213265e7 Render friendly error message when using an invalid token 2025-12-03 15:37:27 +01:00
Donal McBreen 13db384648 Auto default for UUID primary keys
Patch load_schmema! to set the default value for UUID primary keys. This
removes the need to patch ApplicationRecord + Rails models individually.

It also means we no longer need to patch the default in for the integer
primary key in Search::Record::SQLite.
2025-12-03 14:27:52 +00:00
Matheus Richard 7e95322776 Prefer find_by! over where + first! 2025-12-03 11:20:02 -03:00
Stanko K.R. 6e9381abb8 Fix crash in join code redemption race condition 2025-12-03 13:29:20 +01:00
Javier Valencia 0d83e9b90c Refactor with_account and without_account methods
Remove variables name for block, not needed from Ruby >= 3.1
2025-12-03 12:26:39 +01:00
Dave Kimura 337af0a575 Merge branch 'basecamp:main' into main 2025-12-02 16:08:26 -05:00
Dave Kimura 2f740c81c0 (account): encode external_account_id in slug
- Use `AccountSlug.encode` to generate slug instead of raw ID
  - Fixes where slug is /1 and will be in the proper format of /0000001
2025-12-02 16:07:04 -05:00
Mike Dalessio a2e024c1b5 Disconnect action cable when user is deactivated
ref: https://app.fizzy.do/5986089/cards/2785
2025-12-02 14:26:04 -05:00
Jorge Manrubia dfe8e7bd5d Scope general broadcasts by account
Because DoS ourselves is not fun
2025-12-02 18:10:49 +01:00
Jorge Manrubia 32fe4339ee Remove general broadcast temporarily 2025-12-02 18:03:19 +01:00
Kevin McConnell f7e2b4e0ba Don't compress attachments in export
Since they are typically images and videos, which are already
compressed.
2025-12-02 10:39:56 +00:00
Kevin McConnell d24726c1d3 Merge pull request #1768 from basecamp/data-exports
Add "data export" feature
2025-12-02 09:56:40 +00:00
Stanko K.R. 78c6751fa0 Prohibit link local addresses 2025-12-02 09:32:15 +01:00
Jason Zimdars 15f4454861 Remove line breaks, update back button copy
Lexxy no longer requires two returns between items
2025-12-01 23:52:21 -06:00
Jorge Manrubia af0113c9ee After touch should trigger board touch too
The change in https://github.com/basecamp/fizzy/commit/c606de7b41f57734c4c859c5fc3d98c952b26d58#diff-1ecde9fb1ee2494e5d94e807f51f861928f77cfcfb0884889911b62a32c2ff4cL4-R23 was preventing marking cards as golden from broadcasting
2025-12-02 05:55:49 +01:00
Kevin McConnell 2c1ab1bb29 Formatting 2025-12-01 17:19:59 +00:00
Kevin McConnell 3eaf9cb350 Put fizzy in the export filename 2025-12-01 16:01:41 +00:00
Kevin McConnell c492e6c4c4 Make the JSON prettier 2025-12-01 15:54:24 +00:00
Kevin McConnell 45afe494ec Skip missing files 2025-12-01 15:40:07 +00:00
Kevin McConnell 12f6dbf79f Handle remote image attachments too 2025-12-01 15:36:35 +00:00
Kevin McConnell e16cc21b0a Add "data export" feature
- Adds a button in Account Settings where you can request a ZIP export of your
  Fizzy data
- Export files are created in the background. When ready, a link to
  download them is sent to the requester.
- Exports expire after 24 hours. And are limited to 10 per day.
2025-12-01 15:23:26 +00:00
Jorge Manrubia 29d07e7326 Fix: not detecting mentions when publishing saved drafts
The problem was that publishing a card with `#publish` was tracking the event
after updating the status, which was clearing the saved changes and preventing the
code from detecting the mention.

See:
https://app.fizzy.do/5986089/cards/2835
2025-12-01 15:39:45 +01:00
Mike Dalessio edf6b53469 Introduce an "owner" role, and prevent it from being administered
to prevent the owner from being demoted or kicked out.

ref: https://app.fizzy.do/5986089/cards/3213
2025-11-29 14:13:29 -05:00
Stanko K.R. 2311efd03e Make sign up Magic Links work across devices
Previously if someone started signing in on their phone, but finished it on their laptop, they'd end up on the menu screen with no account. Bu tracking the purpose of a Magic Link we can always direct the user to sign up if they requested a magic link through sign up. This also makes the logic for changing the copy in the email more robust.
2025-11-29 12:36:00 +01:00