David Heinemeier Hansson
ae0eaadcdf
Publish any API card as soon as it is created
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
3c3f098500
Compact
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
0159f369f4
Only authenticate with bearer token if the header is present
2025-12-10 09:23:52 +01:00
Jay Ohms
680f9c0c4d
Add top-level API index support for tags
2025-12-10 09:23:52 +01:00
Jay Ohms
5ad7b973cb
Add API support for users
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
79fc57a82a
Use built-in authenticate_or_request_with_http_token
...
Hat tip to @adrienpoly
2025-12-10 09:23:52 +01:00
Jason Zimdars
d82093c0cd
Complete the view transition loop
2025-12-10 09:23:52 +01:00
Jason Zimdars
fa2eb06992
Design show view
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
983a19fd8a
Create cards via API
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
f0c0a87c74
Return json URLs for API actions
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
129b81984f
Creating a new board will return the location header
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
efbd2cc3da
Allow API JSON requests to sidestep csrf protection
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
0ce3a85778
Only allow writing when the access token has permission
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
d36be764e2
Awaiting JZ's design
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
7bc6ae4fac
Polish
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
96b62d6ec4
Only allow new token to be viewed within 10 seconds
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
d2bdd13909
Inline anemic partial
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
88902485e1
Access tokens are strictly personal
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
caa4cd491e
Smooth out the finder API
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
9254d17359
The magic of it is not needing to manually yield it!
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
7d2c284726
Clarify
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
467843fe22
Inline now anemic helper methods
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
3329008dd8
Handle everything in the same method
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
895b0e13b8
Drop the need for access tokens to have a session
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
660fcff558
Authenticate api requests without needing a session
2025-12-10 09:23:52 +01:00
Jason Zimdars
073d1af862
List, create, and revoke access tokens
2025-12-10 09:23:52 +01:00
Jason Zimdars
48c83f34b0
Add developer section to user profile
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
db29562c4c
Tie access token directly to session
...
We need to present them differently in the session list and prevent them
from being deleted
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
c65cb77ac4
API index for cards
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
a81c681a8d
Add access token authentication via HTTP AUTHORIZATION bearer header
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson
ea697b7143
Add API to boards
2025-12-10 09:23:52 +01:00
Robin Brandt
d60643f5ef
Allow chromium unstable endpoint
2025-12-09 20:24:09 -05:00
Andy Smith
6074ed2347
Add blank slate to the main menu
2025-12-09 15:56:10 -06:00
Andy Smith
fbb0c9d795
Merge pull request #2007 from basecamp/prompt-spacing-fix
...
Fixing Lexxy prompt menu spacing
2025-12-09 15:43:01 -06:00
Zoltan Hosszu
d12eaa4073
Fixing Lexxy prompt menu spacing
2025-12-09 17:36:22 +01:00
Jorge Manrubia
94c59a2399
Merge pull request #2033 from basecamp/limit-webhook-response-size
...
Stream response in webhook request manually to check size
2025-12-09 12:16:42 +01:00
Rosa Gutierrez
29c7926307
Stream response in webhook request manually to check size
...
This addresses a DoS vulnerability where the response might be massive
leading to OOM errors, as the response is read in full in memory by
default.
To prevent this, we need to read the body in chunks, checking the
size of the chunks we've read and raising if we go over a certain limit.
I've set the limit to 100 KB because the responses to these requests
should be fairly small or even empty, and we only care about the status
code in the end.
2025-12-09 11:25:12 +01:00
Jeremy Daer
ea8a78cc22
Fix stale-read race when creating push subscriptions
...
(Caught one such uniqueness exception in the wild)
* 200 OK -> 204 No Content, default status
* No need to touch the subscription when found
* Drop superflous test
2025-12-09 01:34:37 -08:00
Jeremy Daer
bec46e15a9
Drop defunct Account upload attachments ( #2030 )
...
Controller and routes removed in 6a62df470c
2025-12-09 00:36:39 -08:00
Jorge Manrubia
cb0e9b9962
Immediate avatar and embed variants ( #2002 )
...
Reverts #2001
Restores #1955
2025-12-08 14:17:06 -08:00
Jason Zimdars
f8a812f038
Merge pull request #2021 from basecamp/internal/pr-2000
...
Update font stack
2025-12-08 16:10:23 -06:00
Andy Smith
bc8ecc3e91
Account for browser button styled and adjust mobile padding for perma BG
2025-12-08 15:59:58 -06:00
Andy Smith
27585a75b2
Wrap the overflow menu
2025-12-08 15:01:47 -06:00
Mike Dalessio
3c4b838b25
Fix Identity destruction callback ordering
...
ref: #2003
Co-authored-by: Dylan <dylan@restaurantcare.com.au >
2025-12-08 15:12:38 -05:00
Mike Dalessio
abe48f0efa
Ensure user toggles on board edit page are cached properly
...
Not including the disabled flag as part of the cache resulted in
issues like the one described in #1992
2025-12-08 14:21:56 -05:00
Mike Dalessio
c2380dc057
Merge pull request #2013 from basecamp/flavorjones/1992-board-admin
...
Disable board edit buttons for select all/none when not privileged
2025-12-08 13:46:53 -05:00
Mike Dalessio
48730d67e0
Disable board edit buttons for select all/none when not privileged
...
ref: https://github.com/basecamp/fizzy/discussions/1992
2025-12-08 13:32:41 -05:00
Jason Zimdars
bc073a7e79
Merge pull request #2008 from nqst/involvement-button-label-restore
...
Restore "Watch this" / "Stop watching" button labels
2025-12-08 11:57:16 -06:00
Mike Dalessio
642506e79e
Add datetime to the search results
...
I find it helpful (especially when going through a long list of
results) to know how far back in time I'm looking.
A note on the timestamp being used: it's the search index
timestamp. Using the card or comment `updated_at` is fraught because
we do so much touching of records (e.g., comment is touched when a
reaction is added; card is touched when a comment is added). Let's
display the search record's `created_at`, which is the ordering used
for the overall results.
2025-12-08 11:58:54 -05:00
Mike Dalessio
63805aee0f
Merge pull request #1984 from gijigae/fix/japanese-ime-input
...
Fix Japanese IME input handling for tag, step, and reaction fields
2025-12-08 11:09:33 -05:00