Commit Graph

914 Commits

Author SHA1 Message Date
Jorge Manrubia d4ad62109c Rename/extract methods 2025-11-28 15:53:58 +01:00
Jorge Manrubia 4e09352c09 Bring simple signup flow from the fizzy-saas gem
We skip the QB code and we fill external account ids automatically on creation with a sequence

See:
https://github.com/basecamp/fizzy-saas/pull/7
2025-11-28 15:53:58 +01:00
Jorge Manrubia e30709f6a7 Remove structured logging moved to the engine 2025-11-28 15:53:58 +01:00
Jorge Manrubia 8baf5b8abd Make mission control only accessible for staff members 2025-11-28 15:53:58 +01:00
Jorge Manrubia c1334f7ffe Don't choke if no structured logging
Temporary workaround, we need a better solution here.
2025-11-28 15:53:58 +01:00
Mike Dalessio 3f8d10d679 Merge pull request #1747 from basecamp/flavorjones/perf-20251127
Address some N+1 query situations
2025-11-27 12:46:56 -05:00
Stanko K.R. e3d91f4ba2 Fix join codes skipping user setup
If someone joined an account with the same identity as they were signed in with the old logic would skip the user setup step
2025-11-27 17:59:17 +01:00
Mike Dalessio 198e404eb0 Avoid N+1 on account and board settings pages 2025-11-27 11:44:16 -05:00
Mike Dalessio 79c9ea2ce1 Remove a bunch of N+1s
related to notification and comment rendering
2025-11-27 11:08:45 -05:00
Rosa Gutierrez 3e716bfa26 Fix a couple of typos 2025-11-26 13:16:44 +01:00
Rosa Gutierrez fac9f3c369 Clean up a little bit the CSRF reporting code
Small follow-up to https://github.com/basecamp/fizzy/pull/1721
2025-11-25 21:28:50 +01:00
Mike Dalessio 396c1ffdcf Merge pull request #1722 from basecamp/fwt-user-list-improvement
Prioritize current user and assigned users in assignment dropdown
2025-11-25 14:36:14 -05:00
Mike Dalessio 3811088db3 Prioritize current user and assigned users in assignment dropdown
🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-25 13:46:14 -05:00
Rosa Gutierrez d88949288c Check and report on Sec-Fetch-Site header for forgery protection
This is a great, solid alternative to CSRF tokens for CSRF protection
when we aren't worried about older browsers or other kind of actors
doing modifying requests in our app, and could be a good test for future
upstreaming to Rails (although there we'd need to continue using CSRF
tokens or at least letting people opt out manually).

Let's start checking the header and reporting on it when CSRF fails or
when it doesn't match the other checks Rails does, and then promote this
to be the only way to defend from CSRF.
2025-11-25 19:19:50 +01:00
Stanko K.R. 4e52f9b9a9 Show tags the card is tagged with first 2025-11-25 11:24:21 +01:00
Jason Zimdars a9da44b575 Merge pull request #1663 from basecamp/not-now-polish
Not now polish
2025-11-24 10:33:25 -06:00
Kevin McConnell bd259f7795 Add optimistic pausing to avoid stale reads
Instead of writer pinning, we'll track the last transaction ID of each
write in the session. Then on each read we'll wait for the replica to
report that this transaction is available.

If it doesn't become available within a reasonable timeout, we'll
proceed anyway, and accept the possibility of a stale read.

The hope here is that most of the time, the replica is caught up in the
time between a write request and the following read request. If it's
not, we now have a little tolerance to wait for it, which hopefully
proves enough to stale reads are not encountered in normal use.

We also disable the writer affinity opt-out mechanism that we had
before, since we will no longer be using writer affinity at the load
balancer.
2025-11-24 13:29:52 +00:00
Stanko K.R. 46d80f2ca2 Serve system user avatar as an asset 2025-11-24 13:16:14 +01:00
Stanko K.R. e85c5736c9 Render system user avatars using redirects 2025-11-24 12:05:32 +01:00
Mike Dalessio b05ecb7809 Update card buttons dynamically
User flows when editing a card look like:
- Click "Edit" → the closure buttons are replaced by "Save changes"
- Submit card form → Saves and restores closure buttons
- Press ESC while editing → Cancels and restores closure buttons

Also, renamed for clarity:
- _title.html.erb → _content.html.erb

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-22 12:14:39 -05:00
Mike Dalessio 4dc28943da Don't let cloudflare cache avatars
The issue here is that anyone else who views my avatar will cause it
to be cached, and then I can't easily bust the cache if I change my
avatar.
2025-11-22 09:48:28 -05:00
Mike Dalessio 64bac96545 User avatar responses have cache-control "public"
ref: https://app.fizzy.do/5986089/cards/3125
2025-11-21 16:11:39 -05:00
Mike Dalessio bcb43305b6 Improve avatar image handling
- redirect avatar image requests to the rails_blob_url, instead of
  streaming them through the web app
- use a thumbnail variant for avatar images
- only put avatar initials behind the stale? check (not the image
  redirect, which would result in browsers rendering broken images when
  an avatar is changed, until max-age expires)
2025-11-21 15:16:46 -05:00
Stanko K.R. fe909d6dc5 Disable stale while revalidate for own avatar
Locally, having stale_while_revalidate works great, but in production when we are behind CloudFlare, this results in an old image being shown after you upload a new one

See: https://app.fizzy.do/5986089/cards/2978
2025-11-21 19:26:38 +01:00
Jason Zimdars 2c4d2df469 Merge pull request #1679 from basecamp/notifications
Cap the max number of unread notifications to 500
2025-11-21 09:34:26 -06:00
Jorge Manrubia 42a39b224c Cap the max number of unread notifications to 500
Simpler than adding 2 levels of pagination here
2025-11-21 15:55:24 +01:00
Jorge Manrubia 93ee8899a0 More robust implementation to prevent method injection attacks 2025-11-21 10:38:16 +01:00
Jorge Manrubia e4558f00ab Merge branch 'main' into expand-activity-columns 2025-11-21 10:25:39 +01:00
Jorge Manrubia e813b7eaf0 Invalidate HTTP caching when the cards change
https://app.fizzy.do/5986089/cards/3067
2025-11-21 09:32:02 +01:00
Mike Dalessio 1341830ed2 Add total counts and restructure admin stats dashboard
- Add total counts for accounts and identities alongside 7-day and 24-hour metrics
- Change layout from horizontal to vertical stacking

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-20 14:39:19 -05:00
Jason Zimdars 133a17a75e Just pass the column name string, no need to both with numbers 2025-11-20 11:43:17 -06:00
Mike Dalessio c53b56c1db Display a helpful error message when join code is exhausted
ref: https://app.fizzy.do/5986089/cards/3015
2025-11-19 15:53:25 -05:00
Mike Dalessio 2fe578c5e5 Small improvements to the stats dashboard 2025-11-19 14:31:13 -05:00
Mike Dalessio 362be963c0 Add a very rudimentary admin dashboard. 2025-11-19 14:23:47 -05:00
Mike Dalessio 4636b31f06 Authorization ensure_staff uses identity.staff
for use on untenanted routes
2025-11-19 14:23:47 -05:00
Mike Dalessio 47c05e6d6a Restore basic auth on signup
broken in 6e304958
2025-11-19 14:12:59 -05:00
Jason Zimdars eba749a193 Expand activity columns 2025-11-19 12:48:36 -06:00
David Heinemeier Hansson 9ddcfa5c4b Conventional order and remove redundant filtering of actions 2025-11-18 15:49:50 +01:00
David Heinemeier Hansson 7d86aae67e Inline anemic method 2025-11-18 15:48:40 +01:00
David Heinemeier Hansson b63d79d7a2 Style 2025-11-18 15:45:28 +01:00
David Heinemeier Hansson c606de7b41 Instead of trying to suppress from the wrong layer of the stick, just don't touch until published? 2025-11-18 15:35:40 +01:00
David Heinemeier Hansson 444d43f2ac Its been a few days 2025-11-18 14:52:07 +01:00
David Heinemeier Hansson 6e304958be No need to protect local dev/test 2025-11-18 14:32:54 +01:00
Stanko K.R. 0f7b1312eb Fix tests broken by optimizations 2025-11-17 17:45:24 +01:00
Stanko K.R. 0b8c51c2e9 Preload cards for columns 2025-11-17 16:16:19 +01:00
Stanko K.R. e539754e2c Preload cards 2025-11-17 09:12:41 -05:00
Mike Dalessio f5305b2fe6 Use Card number as the model param
instead of the UUID `id`
2025-11-17 09:12:41 -05:00
Kevin McConnell 9615753e1f Add routing header to see who served request 2025-11-17 09:12:41 -05:00
Stanko K.R. e0693de7c3 Scope jobs and controllers by account 2025-11-17 09:12:41 -05:00
Mike Dalessio 5a7f08067a Move setting Current.account into the middleware
so that code called from the Rails controllers can use Current.account
2025-11-17 09:12:40 -05:00