Commit Graph

5599 Commits

Author SHA1 Message Date
David Heinemeier Hansson caa4cd491e Smooth out the finder API 2025-12-10 09:23:52 +01:00
David Heinemeier Hansson 9254d17359 The magic of it is not needing to manually yield it! 2025-12-10 09:23:52 +01:00
David Heinemeier Hansson 7d2c284726 Clarify 2025-12-10 09:23:52 +01:00
David Heinemeier Hansson 467843fe22 Inline now anemic helper methods 2025-12-10 09:23:52 +01:00
David Heinemeier Hansson 3329008dd8 Handle everything in the same method 2025-12-10 09:23:52 +01:00
David Heinemeier Hansson 895b0e13b8 Drop the need for access tokens to have a session 2025-12-10 09:23:52 +01:00
David Heinemeier Hansson 660fcff558 Authenticate api requests without needing a session 2025-12-10 09:23:52 +01:00
Jason Zimdars 073d1af862 List, create, and revoke access tokens 2025-12-10 09:23:52 +01:00
Jason Zimdars 48c83f34b0 Add developer section to user profile 2025-12-10 09:23:52 +01:00
David Heinemeier Hansson db29562c4c Tie access token directly to session
We need to present them differently in the session list and prevent them
from being deleted
2025-12-10 09:23:52 +01:00
David Heinemeier Hansson c65cb77ac4 API index for cards 2025-12-10 09:23:52 +01:00
David Heinemeier Hansson a81c681a8d Add access token authentication via HTTP AUTHORIZATION bearer header 2025-12-10 09:23:52 +01:00
David Heinemeier Hansson ea697b7143 Add API to boards 2025-12-10 09:23:52 +01:00
Robin Brandt d60643f5ef Allow chromium unstable endpoint 2025-12-09 20:24:09 -05:00
Andy Smith 6074ed2347 Add blank slate to the main menu 2025-12-09 15:56:10 -06:00
Andy Smith fbb0c9d795 Merge pull request #2007 from basecamp/prompt-spacing-fix
Fixing Lexxy prompt menu spacing
2025-12-09 15:43:01 -06:00
Zoltan Hosszu d12eaa4073 Fixing Lexxy prompt menu spacing 2025-12-09 17:36:22 +01:00
Jorge Manrubia 94c59a2399 Merge pull request #2033 from basecamp/limit-webhook-response-size
Stream response in webhook request manually to check size
2025-12-09 12:16:42 +01:00
Rosa Gutierrez 29c7926307 Stream response in webhook request manually to check size
This addresses a DoS vulnerability where the response might be massive
leading to OOM errors, as the response is read in full in memory by
default.

To prevent this, we need to read the body in chunks, checking the
size of the chunks we've read and raising if we go over a certain limit.

I've set the limit to 100 KB because the responses to these requests
should be fairly small or even empty, and we only care about the status
code in the end.
2025-12-09 11:25:12 +01:00
Jeremy Daer ea8a78cc22 Fix stale-read race when creating push subscriptions
(Caught one such uniqueness exception in the wild)

* 200 OK -> 204 No Content, default status
* No need to touch the subscription when found
* Drop superflous test
2025-12-09 01:34:37 -08:00
Jeremy Daer bec46e15a9 Drop defunct Account upload attachments (#2030)
Controller and routes removed in 6a62df470c
2025-12-09 00:36:39 -08:00
Jorge Manrubia cb0e9b9962 Immediate avatar and embed variants (#2002)
Reverts #2001
Restores #1955
2025-12-08 14:17:06 -08:00
Jason Zimdars f8a812f038 Merge pull request #2021 from basecamp/internal/pr-2000
Update font stack
2025-12-08 16:10:23 -06:00
Andy Smith bc8ecc3e91 Account for browser button styled and adjust mobile padding for perma BG 2025-12-08 15:59:58 -06:00
Andy Smith 27585a75b2 Wrap the overflow menu 2025-12-08 15:01:47 -06:00
Mike Dalessio 3c4b838b25 Fix Identity destruction callback ordering
ref: #2003

Co-authored-by: Dylan <dylan@restaurantcare.com.au>
2025-12-08 15:12:38 -05:00
Mike Dalessio abe48f0efa Ensure user toggles on board edit page are cached properly
Not including the disabled flag as part of the cache resulted in
issues like the one described in #1992
2025-12-08 14:21:56 -05:00
Mike Dalessio c2380dc057 Merge pull request #2013 from basecamp/flavorjones/1992-board-admin
Disable board edit buttons for select all/none when not privileged
2025-12-08 13:46:53 -05:00
Mike Dalessio 48730d67e0 Disable board edit buttons for select all/none when not privileged
ref: https://github.com/basecamp/fizzy/discussions/1992
2025-12-08 13:32:41 -05:00
Jason Zimdars bc073a7e79 Merge pull request #2008 from nqst/involvement-button-label-restore
Restore "Watch this" / "Stop watching" button labels
2025-12-08 11:57:16 -06:00
Mike Dalessio 642506e79e Add datetime to the search results
I find it helpful (especially when going through a long list of
results) to know how far back in time I'm looking.

A note on the timestamp being used: it's the search index
timestamp. Using the card or comment `updated_at` is fraught because
we do so much touching of records (e.g., comment is touched when a
reaction is added; card is touched when a comment is added). Let's
display the search record's `created_at`, which is the ordering used
for the overall results.
2025-12-08 11:58:54 -05:00
Mike Dalessio 63805aee0f Merge pull request #1984 from gijigae/fix/japanese-ime-input
Fix Japanese IME input handling for tag, step, and reaction fields
2025-12-08 11:09:33 -05:00
Alexander Zaytsev c479235c60 Fix involvement button label 2025-12-08 15:54:36 +01:00
Jorge Manrubia 15983cede3 No need to pass Currentl.user since it is the default value for the param 2025-12-07 20:03:06 +01:00
Mike Dalessio 661a7e5e2d Validate email before creating identity during join code redemption
Avoid Sentry exceptions when attackers try to stuff invalid emails. The
browser performs form field validation that should normally prevent this
from occurring, so we just return 422 without validation error messages.

See similar change in #1996 for sign-in and sign-up
2025-12-07 13:26:34 -05:00
Jorge Manrubia c8c91259c7 Revert "Immediate avatar and embed variants" 2025-12-07 12:06:03 +01:00
Jorge Manrubia 568783efd1 Merge pull request #1905 from basecamp/web-push-ssrf
Security: Web Push SSRF
2025-12-07 11:58:14 +01:00
Jorge Manrubia 91017c9208 Merge pull request #1955 from basecamp/immediate-variants
Immediate avatar and embed variants
2025-12-07 11:50:02 +01:00
Jorge Manrubia 4a6f28b7c5 Merge pull request #1948 from jstarner/custom-delete-modals
Replace turbo confirmation dialogs with custom delete modals
2025-12-07 11:48:58 +01:00
Jorge Manrubia 9f20e8bfbb Merge pull request #1973 from basecamp/lightbox-transitionend-handler
Fix lightbox transitionend listener leak
2025-12-07 11:44:03 +01:00
Jorge Manrubia f2c676e69d Merge pull request #1983 from AmiasYaska/fix-activity-typo
Fix typo in back link: Actvity -> Activity
2025-12-07 11:42:20 +01:00
Jorge Manrubia 31a41e66c2 Make column have a proper ID instead of inferring it from the title 2025-12-07 11:34:54 +01:00
Mike Dalessio 0160f215f2 Validate email before creating identity during sign-up and sign-in
Avoid Sentry exceptions when attackers try to stuff invalid emails. The
browser performs form field validation that should normally prevent this
from occurring, so we just return 422 without validation error messages.

Also:

- extract redirect_to_session_magic_link helper
- some controller refactoring and cleanup
2025-12-06 16:52:16 -05:00
Mike Dalessio 95ba2c01b8 Add email validation to Signup 2025-12-06 16:50:39 -05:00
Mike Dalessio 0793400771 Merge pull request #1994 from basecamp/flavorjones/signup-dev-magic-link
Render verification code in dev for signups, too
2025-12-06 15:07:47 -05:00
Mike Dalessio b439a7695b Render verification code in dev for signups, too
Related to 5865d79e / #1991
2025-12-06 15:02:22 -05:00
Mike Dalessio 675600af72 Improve presentation of validation errors 2025-12-06 14:57:27 -05:00
Mike Dalessio c388f5ef20 Display validation errors for user profiles.
Specifically this will help people understand why their SVG avatar
uploads are being rejected, and will keep the RecordInvalid exception
out of Sentry logs.
2025-12-06 14:34:08 -05:00
Mike Dalessio 1883473de1 Remove duplication in the list of supported avatar file types 2025-12-06 14:34:08 -05:00
Mike Dalessio 5865d79ed9 Display the verification code in the dev env
This seems better and easier than the console log.
2025-12-06 13:46:13 -05:00