Commit Graph

8053 Commits

Author SHA1 Message Date
Jorge Manrubia ffb357becf Merge pull request #1742 from basecamp/latest-lexxy
Update lexxy to latest
2025-12-06 10:31:19 +01:00
gijigae e03c002efd Fix Japanese IME input handling for tags and form fields
When typing in Japanese, the Enter key is used to confirm kanji conversion
during IME composition. Previously, pressing Enter would immediately save
the tag, which prevented users from completing the conversion.

Changes:
- Add isComposing check to navigable_list_controller.js Enter handler
- Add IME composition tracking to form_controller.js
- Add compositionstart/compositionend event handlers to tag, step, and
  reaction input fields
- Add preventComposingSubmit action to prevent form submission during
  composition

This fix supports all IME input methods (Japanese, Chinese, Korean, etc.)
using standard browser composition events.
2025-12-06 17:26:35 +09:00
Jeremy Daer af14feb8fc CSP gives env config precedence (#1976)
Bit clearer, and simpler config wrangling: presence of ENV → use it.
2025-12-05 20:49:41 -08:00
Jeremy Daer ab5964a375 Tune CSP: allow required external sources and user tools (#1977)
External sources:
- challenges.cloudflare.com for Turnstile (script-src, frame-src)
- storage.basecamp.com for Active Storage (connect-src)

User tools: loosen style/img/font/media/worker-src to avoid fighting
accessibility extensions, privacy tools, and custom fonts.
2025-12-05 20:45:48 -08:00
Mike Dalessio 7694ade843 Merge pull request #1975 from basecamp/flavorjones/fix-webhook-view
Pass correct params to webhook reactivation url helper.
2025-12-05 22:47:33 -05:00
Mike Dalessio 69f8216982 Pass correct params to webhook reactivation url helper.
ref: https://app.fizzy.do/5986089/cards/3219
2025-12-05 22:44:34 -05:00
Mike Dalessio 00db048f9e Merge pull request #1968 from basecamp/flavorjones/only-email-confirmed-users
Mark users as "verified" and only send notifications to verified users
2025-12-05 22:15:13 -05:00
Mike Dalessio fc8ef33332 Show unverified status on user profile page
Display "Unverified" with an explanation instead of the email address
for users who haven't confirmed their identity. Hide the card links
and activity timeline since unverified users won't have any activity.

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-05 21:51:44 -05:00
Mike Dalessio 1ad52d2590 Only send notification emails to verified users
Adds verified? check to bundling_emails? to prevent notification emails
from being sent to users who have never authenticated. This closes the
spam vector where bad actors could create users for known email
addresses and trigger unwanted notifications by mentioning them.

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-05 21:51:44 -05:00
Mike Dalessio e174206233 Add backfill script for verified_at timestamps
Identifies users who have demonstrated authentication by looking for
evidence of real activity: owners, content creators (cards, comments,
boards, events), action takers (assigners, closers, postponers,
reactors, pinners, filter creators), board accessors, export requesters,
push subscribers, setup completers, and users with active sessions.

Run this script after deploying the verified_at column to backfill
existing users before enabling the notification guard.

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-05 21:51:44 -05:00
Mike Dalessio 4602cd3cdd Add verified_at timestamp to use for spam prevention
User are marked as verified after a join code is redeemed. The user is
redirected to Users::VerificationsController, either:

- after submitting a valid magic link code,
- or immediately after redeeming the join code (if they're already
  authenticated with the correct identity)

Account owners are automatically verified when the account is
created (because they have already provided a magic link code at that
point).

This sets up for later commits that will backfill existing users and
require verification before sending notification emails.

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-05 21:51:44 -05:00
Mike Dalessio fa549a370b Add a system test for joining an account
Reworked the magic link stimulus controller, because the system test
was causing double-submission of the form (because the event was
bubbling up). I think that change simplifies the form and will still
work well for iOS devices.
2025-12-05 21:51:44 -05:00
Jeremy Daer 345f457513 Tune CSP for user extensions and close implicit-allow gaps (#1974)
Loosen font-src and add media-src to allow browser extensions like
accessibility fonts (OpenDyslexic) and user style managers to work
without CSP violations.

Add default-src and connect-src directives to close security gaps where
unspecified directives were implicitly allowing all sources.
2025-12-05 16:57:03 -08:00
Jeremy Daer db55923fdb Fix lightbox transitionend listener leak
Switch to a Stimulus action for automatic handling
2025-12-05 16:19:01 -08:00
astrid c2935cfa60 Readd padding to VAPID_PUBLIC_KEY/VAPID_PRIVATE_KEY 2025-12-06 00:22:54 +01:00
astrid 1b4fb0db5f Update README.md for more consistent codeblocks 2025-12-06 00:09:59 +01:00
Jeremy Daer 6006491ab4 Content Security Policy (#1964)
Default to a very narrow policy since there are no CDNs or third-party
resources to contend with.

Configurable via:
- config.x.content_security_policy.* for fizzy-saas gem overrides
- DISABLE_CSP to skip entirely
- CSP_REPORT_ONLY to enable report-only mode
- CSP_REPORT_URI for violation reporting
2025-12-05 14:57:50 -08:00
Justin Starner 330be4ec72 Position modal buttons using justify-center. 2025-12-05 15:25:24 -05:00
Stanko Krtalić 4c094107b6 Merge pull request #1969 from basecamp/fix-ipaddr-setter
Fix ipaddr setter
2025-12-05 20:46:34 +01:00
Stanko K.R. 1b3d7d4276 Fix ipaddr setter 2025-12-05 20:43:56 +01:00
astrid fcce276dc9 Update JOB_CONCURRENCY to match upstream Rails 2025-12-05 20:20:13 +01:00
Stanko Krtalić 3c72599381 Merge pull request #1967 from basecamp/fix-dns-resolution
Fix Resolv::DNS always returning no results
2025-12-05 20:13:44 +01:00
Stanko K.R. cd3751f4c1 Fix Resolv::DNS always returning no results 2025-12-05 20:09:39 +01:00
ari 430a0c612b Update config/puma.rb (commit suggestion)
Co-authored-by: Jeremy Daer <jeremydaer@gmail.com>
2025-12-05 19:57:55 +01:00
astrid 3acc58ff41 Add WEB_CONCURRENCY env support for Puma worker count 2025-12-05 19:26:54 +01:00
Kevin McConnell bc16f7582e Merge pull request #1963 from basecamp/update-readme-deploy-info
Document deployment
2025-12-05 17:21:37 +00:00
Andy Smith 2cf718835b Style updates for latest Lexxy version
Style nested lists, highlight dropdown, and link dropdown. Also organizes the CSS file a bit better.
2025-12-05 11:16:11 -06:00
Kevin McConnell 04153038f0 Document deployment
- Update the README with detailed information about how to deploy a
  Fizzy instance
- Reduce the example deploy config
- Add example SMTP configuration in production.rb
2025-12-05 17:03:07 +00:00
Jorge Manrubia 1ac5867d5c These are textareas now 2025-12-05 11:41:11 +01:00
Jorge Manrubia 80a0eb3a4d Fix system test 2025-12-05 11:30:58 +01:00
Jorge Manrubia 48ef7d0b98 Update Lexxy and hide the highlighter for now 2025-12-05 11:24:52 +01:00
Jorge Manrubia 67f36886a1 Update lexxy to latest
Color highlighter, more code languages...
2025-12-05 11:17:29 +01:00
Jorge Manrubia ed6c55adcd Merge pull request #1931 from basecamp/pin-card-refresh
Update pinned cards when the title changes
2025-12-05 10:14:39 +01:00
Jorge Manrubia 59ff50c1cb We can remove ad-hoc handling now that we rely on page refreshes in the card perma 2025-12-05 10:11:24 +01:00
Jorge Manrubia c89db89f2a Only broadcast when the preview changes, use the _later variant for the broadcast, add tests 2025-12-05 10:09:20 +01:00
Andy Smith bcad6b913c Update pinned cards when the title changes 2025-12-05 10:09:20 +01:00
Jeremy Daer 21f3f72647 Immediate avatar and embed variants
Process variants synchronously on attachment to close the window between
image upload and variant availability, guaranteeing that we won't have
lazy variant processing attempts in GET requests.

Tradeoff is that we do variant processing in upload requests, which is
actually desirable. We're working with images that should take
milliseconds to resize given that we'll already have the file on hand.

References https://github.com/rails/rails/pull/51951
2025-12-04 23:54:37 -08:00
Jorge Manrubia 046a42c4f6 Rename to be more consistent 2025-12-05 07:55:11 +01:00
user 7b6dfeced4 Update --font-sans variable for better cross-platform compatibility 2025-12-05 14:59:39 +09:00
Jeremy Daer 496851b255 Security: Web Push SSRF and IP range bypass
Add SSRF protection for web push endpoints:
- Resolve endpoint IP once and pin it for connection
- Validate endpoints resolve to public IPs
- Whitelist permitted push service hosts

Add missing IP ranges to SsrfProtection:
- 100.64.0.0/10 (Carrier-grade NAT, RFC6598)
- 198.18.0.0/15 (Benchmark testing, RFC2544)

Note: link-local (169.254.0.0/16) is already covered by ip.link_local?
2025-12-04 21:35:55 -08:00
luojiyin 437cc1e94f chore: exclude test gems from production bundle 2025-12-05 12:01:36 +08:00
Justin Starner 5cc6bba040 Move card deletion button to partial. 2025-12-04 22:23:21 -05:00
Justin Starner fc3b63bb52 Refactor board deletion to use custom modal
Applies the custom dialog modal pattern to the board deletion workflow, matching the card deletion updates.
2025-12-04 21:49:30 -05:00
Justin Starner d28fbaa101 Refactor card deletion to use custom modal
Replaces the standard turbo_confirm attribute with a custom dialog modal for a better user experience.

- Removes `button_to_delete_card` helper in favor of inline markup.
- Implements `keydown.esc->dialog#close:stop` to prevent the Escape key from inadvertently closing selected card.
2025-12-04 21:47:09 -05:00
David Heinemeier Hansson d729cf59f9 Beautify board watchers list (#1946)
* Beautify board_watchers_list by escaping the concat jungle

* Correct it and clean it

* Latest Rails to get the content tag fix

* Test against original collection
2025-12-04 16:14:52 -08:00
Andy Smith d5337d0689 Merge pull request #1938 from basecamp/add-missing-attr-on-public-boards
Add missing data attribute on public board
2025-12-04 16:10:42 -06:00
Andy Smith 029c151a4e Add missing data-attr on public board 2025-12-04 15:43:19 -06:00
Jorge Manrubia fce6345fa6 Merge pull request #1936 from basecamp/use-self
Use buil-in support for :self in Stimulus
2025-12-04 22:42:55 +01:00
Andy Smith d5f8eeddaa Merge pull request #1937 from basecamp/mobile-polish
Fix hotkey text size on tiny viewports
2025-12-04 15:26:24 -06:00
Andy Smith 34d3383cbd Fix hotkey text size on tiny viewports 2025-12-04 15:23:20 -06:00