Commit Graph

415 Commits

Author SHA1 Message Date
David Heinemeier Hansson b53c0a5385 Correct 2025-12-10 09:23:52 +01:00
David Heinemeier Hansson d384971ea2 Test the boards API 2025-12-10 09:23:52 +01:00
David Heinemeier Hansson a81c681a8d Add access token authentication via HTTP AUTHORIZATION bearer header 2025-12-10 09:23:52 +01:00
Jeremy Daer ea8a78cc22 Fix stale-read race when creating push subscriptions
(Caught one such uniqueness exception in the wild)

* 200 OK -> 204 No Content, default status
* No need to touch the subscription when found
* Drop superflous test
2025-12-09 01:34:37 -08:00
Jeremy Daer 49c4f2adc6 Fix ActiveStorage FileNotFoundError with immediate variant processing (#2022)
When ActiveStorage::Record uses `connects_to` for read replica support,
it creates a separate connection pool from ApplicationRecord. This causes
`after_commit` callbacks to fire in non-deterministic order - the
Attachment's `create_variants` callback can fire before the User model's
upload callback completes, resulting in FileNotFoundError.

The fix removes replica connection configuration from ActiveStorage::Record
so it shares the same connection pool as application models, ensuring
proper callback ordering.

Also reverts test workarounds that were added to work around this issue,
since the root cause is now fixed.

See: https://github.com/rails/rails/issues/53694
2025-12-08 14:44:49 -08:00
Jorge Manrubia cb0e9b9962 Immediate avatar and embed variants (#2002)
Reverts #2001
Restores #1955
2025-12-08 14:17:06 -08:00
Mike Dalessio abe48f0efa Ensure user toggles on board edit page are cached properly
Not including the disabled flag as part of the cache resulted in
issues like the one described in #1992
2025-12-08 14:21:56 -05:00
Mike Dalessio 48730d67e0 Disable board edit buttons for select all/none when not privileged
ref: https://github.com/basecamp/fizzy/discussions/1992
2025-12-08 13:32:41 -05:00
Mike Dalessio 661a7e5e2d Validate email before creating identity during join code redemption
Avoid Sentry exceptions when attackers try to stuff invalid emails. The
browser performs form field validation that should normally prevent this
from occurring, so we just return 422 without validation error messages.

See similar change in #1996 for sign-in and sign-up
2025-12-07 13:26:34 -05:00
Jorge Manrubia c8c91259c7 Revert "Immediate avatar and embed variants" 2025-12-07 12:06:03 +01:00
Jorge Manrubia 568783efd1 Merge pull request #1905 from basecamp/web-push-ssrf
Security: Web Push SSRF
2025-12-07 11:58:14 +01:00
Jorge Manrubia 91017c9208 Merge pull request #1955 from basecamp/immediate-variants
Immediate avatar and embed variants
2025-12-07 11:50:02 +01:00
Felipe Felix 4c9d8edbc6 Test Notifications::SettingsController 2025-12-07 04:25:11 -03:00
Mike Dalessio 0160f215f2 Validate email before creating identity during sign-up and sign-in
Avoid Sentry exceptions when attackers try to stuff invalid emails. The
browser performs form field validation that should normally prevent this
from occurring, so we just return 422 without validation error messages.

Also:

- extract redirect_to_session_magic_link helper
- some controller refactoring and cleanup
2025-12-06 16:52:16 -05:00
Mike Dalessio b2250b6d35 Ensure test coverage for all branches of JoinCodesController#create 2025-12-06 16:40:51 -05:00
Mike Dalessio c388f5ef20 Display validation errors for user profiles.
Specifically this will help people understand why their SVG avatar
uploads are being rejected, and will keep the RecordInvalid exception
out of Sentry logs.
2025-12-06 14:34:08 -05:00
Mike Dalessio 69f8216982 Pass correct params to webhook reactivation url helper.
ref: https://app.fizzy.do/5986089/cards/3219
2025-12-05 22:44:34 -05:00
Mike Dalessio 4602cd3cdd Add verified_at timestamp to use for spam prevention
User are marked as verified after a join code is redeemed. The user is
redirected to Users::VerificationsController, either:

- after submitting a valid magic link code,
- or immediately after redeeming the join code (if they're already
  authenticated with the correct identity)

Account owners are automatically verified when the account is
created (because they have already provided a magic link code at that
point).

This sets up for later commits that will backfill existing users and
require verification before sending notification emails.

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-05 21:51:44 -05:00
Jeremy Daer 21f3f72647 Immediate avatar and embed variants
Process variants synchronously on attachment to close the window between
image upload and variant availability, guaranteeing that we won't have
lazy variant processing attempts in GET requests.

Tradeoff is that we do variant processing in upload requests, which is
actually desirable. We're working with images that should take
milliseconds to resize given that we'll already have the file on hand.

References https://github.com/rails/rails/pull/51951
2025-12-04 23:54:37 -08:00
Jeremy Daer 496851b255 Security: Web Push SSRF and IP range bypass
Add SSRF protection for web push endpoints:
- Resolve endpoint IP once and pin it for connection
- Validate endpoints resolve to public IPs
- Whitelist permitted push service hosts

Add missing IP ranges to SsrfProtection:
- 100.64.0.0/10 (Carrier-grade NAT, RFC6598)
- 198.18.0.0/15 (Benchmark testing, RFC2544)

Note: link-local (169.254.0.0/16) is already covered by ip.link_local?
2025-12-04 21:35:55 -08:00
Mike Dalessio 00eee29837 Validate Identity email address
using the "standard" email regexp URI::MailTo::EMAIL_REGEXP. The form
field will validate this in the browser, but if bots are creating
identities, they can put whatever they want in here. So let's add some
protection against that.

The HtmlHelper regex was renamed here to avoid confusing Brakeman,
which does imprecise constant lookup and was confusing the two
constants, one of which uses `\A` and `\z` and the other does
not (intentionally).

ref: https://app.fizzy.do/5986089/cards/3276
2025-12-04 14:01:15 -05:00
Jason Zimdars d4a50c996a Merge pull request #1894 from Venkat-RK/main
Added 'Back to Home' link on notifications list page
2025-12-04 11:19:55 -06:00
vkagithala a92aab9981 Removed test to verify back button. 2025-12-04 08:44:37 -08:00
Kevin McConnell dfe7095ee6 Merge pull request #1917 from basecamp/dont-resize-svg-avatars
Don't try to resize non-variable avatars
2025-12-04 14:53:00 +00:00
Mike Dalessio 394c5dbf03 Revert "Changing columns requires board admin"
This reverts commit cecccadc14.
2025-12-04 09:46:30 -05:00
Mike Dalessio 89940d36f8 Gracefully handle ill-formed remote images in rich text
A better fix has been proposed upstream at
https://github.com/rails/rails/pull/56283 but this should be fine in
the meantime.

ref: https://app.fizzy.do/5986089/cards/3188
2025-12-04 09:24:52 -05:00
Kevin McConnell 6475ad3425 Don't try to resize non-variable avatars 2025-12-04 13:36:21 +00:00
Stanko K.R. a8f328c921 Sign up new users on sign in 2025-12-04 11:30:21 +01:00
Jeremy Daer cecccadc14 Changing columns requires board admin 2025-12-03 23:24:25 -08:00
vkagithala 8685b62232 Added 'Back to Home' link on notifications list page to improve navigation experience. 2025-12-03 17:21:50 -08:00
Jorge Manrubia 6847c001ea Merge pull request #1876 from basecamp/column-reordering-auth
Fix unauthorized column reordering
2025-12-03 22:18:06 +01:00
Jeremy Daer 9f6a4f1cc6 Fix unauthorized column reordering
Users could reorder columns they didn't have access to. Fixed by
limiting ColumnScoped to User::Accessor#accessible_columns.

References https://hackerone.com/reports/3449905
2025-12-03 13:00:49 -08:00
Jason Zimdars 7a45caa39d Update test 2025-12-03 12:02:23 -06:00
Stanko K.R. 84213265e7 Render friendly error message when using an invalid token 2025-12-03 15:37:27 +01:00
Stanko K.R. 6e9381abb8 Fix crash in join code redemption race condition 2025-12-03 13:29:20 +01:00
Stanko Krtalić 7a0290a4af Merge pull request #1841 from basecamp/fix-access-control-issues
Allow only the owner of a reaction to delete it
2025-12-03 11:33:36 +01:00
Stanko K.R. 77f1110020 Allow only the owner of a reaction to delete it 2025-12-03 11:10:44 +01:00
Stanko K.R. 702865873d Allow only people who can administer a board to delete it 2025-12-03 10:56:05 +01:00
Jeremy Daer b755b3fead Robots, begone (#1812)
* robots.txt: "Please, don't come in." If a page is directly linked, the
  URL can still appear in search results, though.
* X-Robots-Tag: "If you're here, forget what you saw." Works even if the
  crawler ignores robots.txt or reaches a page via external link. Can
  remove already-indexed pages.
* Public boards may not be indexed. They're meant for "anyone with the
  link" private sharing, not worldwide publishing.
2025-12-02 13:35:58 -08:00
Kevin McConnell d24726c1d3 Merge pull request #1768 from basecamp/data-exports
Add "data export" feature
2025-12-02 09:56:40 +00:00
Jorge Manrubia c9ebb79dbd Add some protections around sharing the magic link in development 2025-12-02 10:51:14 +01:00
Kevin McConnell e16cc21b0a Add "data export" feature
- Adds a button in Account Settings where you can request a ZIP export of your
  Fizzy data
- Export files are created in the background. When ready, a link to
  download them is sent to the requester.
- Exports expire after 24 hours. And are limited to 10 per day.
2025-12-01 15:23:26 +00:00
Mike Dalessio edf6b53469 Introduce an "owner" role, and prevent it from being administered
to prevent the owner from being demoted or kicked out.

ref: https://app.fizzy.do/5986089/cards/3213
2025-11-29 14:13:29 -05:00
Stanko K.R. 2311efd03e Make sign up Magic Links work across devices
Previously if someone started signing in on their phone, but finished it on their laptop, they'd end up on the menu screen with no account. Bu tracking the purpose of a Magic Link we can always direct the user to sign up if they requested a magic link through sign up. This also makes the logic for changing the copy in the email more robust.
2025-11-29 12:36:00 +01:00
Stanko K.R. 658b5a07cf Organize everything under Signups 2025-11-29 11:46:09 +01:00
Rosa Gutierrez f8a1e0500d Switch from report-only to actually using Sec-Fetch-Site for CSRF protection
As a fallback for Rails's token-based mechanism. To use Sec-Fetch-Site
exclusively, we'll wait until Rails offers that (when we upstream this).
2025-11-28 16:26:03 +01:00
Jorge Manrubia 2f4a05a39f Format 2025-11-28 15:53:58 +01:00
Jorge Manrubia 3223ba53c3 We need the check in both test/code 2025-11-28 15:53:58 +01:00
Jorge Manrubia 1897cc238f Only staff can access beta/staging
https://app.fizzy.do/5986089/cards/3208
2025-11-28 15:53:58 +01:00
Jorge Manrubia 4e09352c09 Bring simple signup flow from the fizzy-saas gem
We skip the QB code and we fill external account ids automatically on creation with a sequence

See:
https://github.com/basecamp/fizzy-saas/pull/7
2025-11-28 15:53:58 +01:00