Jay Ohms
e04182786c
Merge pull request #2762 from basecamp/mobile/hide-profile-links
...
Mobile: hide profile links in native apps
2026-03-31 09:42:55 -04:00
Adrien Maston
7c3682ec93
Merge pull request #2773 from basecamp/mobile/fix-missing-golden-effect
...
Mobile / Fix missing golden effect
2026-03-30 16:44:46 +02:00
Adrien Maston
a5cc2e8ab5
Change CSS selector
2026-03-30 16:38:32 +02:00
Adrien Maston
f11bb18d93
Tweak alignments
2026-03-30 13:53:14 +02:00
Donal McBreen
fed2996b7c
Merge pull request #2772 from basecamp/provision-queenbee-secret
...
Provision QUEENBEE_SECRET env var
2026-03-30 11:25:20 +01:00
Donal McBreen
6a27853a58
Provision QUEENBEE_SECRET env var
2026-03-30 11:17:38 +01:00
dependabot[bot]
08faa17584
Bump action_text-trix from 2.1.17 to 2.1.18 ( #2771 )
...
* Bump action_text-trix from 2.1.17 to 2.1.18
Bumps [action_text-trix](https://github.com/basecamp/trix ) from 2.1.17 to 2.1.18.
- [Release notes](https://github.com/basecamp/trix/releases )
- [Commits](https://github.com/basecamp/trix/compare/v2.1.17...v2.1.18 )
---
updated-dependencies:
- dependency-name: action_text-trix
dependency-version: 2.1.18
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com >
* Sync Gemfile.saas.lock
---------
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2026-03-29 14:43:08 -07:00
dependabot[bot]
509d8d158f
Bump the development-dependencies group with 2 updates ( #2765 )
...
* Bump the development-dependencies group with 2 updates
Bumps the development-dependencies group with 2 updates: [webmock](https://github.com/bblimke/webmock ) and [mocha](https://github.com/freerange/mocha ).
Updates `webmock` from 3.26.1 to 3.26.2
- [Release notes](https://github.com/bblimke/webmock/releases )
- [Changelog](https://github.com/bblimke/webmock/blob/master/CHANGELOG.md )
- [Commits](https://github.com/bblimke/webmock/compare/v3.26.1...v3.26.2 )
Updates `mocha` from 3.0.2 to 3.1.0
- [Changelog](https://github.com/freerange/mocha/blob/main/RELEASE.md )
- [Commits](https://github.com/freerange/mocha/compare/v3.0.2...v3.1.0 )
---
updated-dependencies:
- dependency-name: webmock
dependency-version: 3.26.2
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: development-dependencies
- dependency-name: mocha
dependency-version: 3.1.0
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: development-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com >
* Sync Gemfile.saas.lock
---------
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2026-03-29 12:54:45 -07:00
Stanko Krtalić
0a96799fc7
Merge pull request #2758 from basecamp/fix-yubikeys-getting-stuck-on-sign-in
...
Fix yubikeys getting stuck on sign in
2026-03-27 10:17:09 +01:00
Stanko K.R.
c2fe41d376
Fix sign in flow
2026-03-27 10:13:57 +01:00
Jay Ohms
3ccfb864db
Hide the links to manage passkeys and sign out from the webview in the native apps
2026-03-27 04:41:43 -04:00
Mike Dalessio
6778f9e47d
Merge pull request #2760 from basecamp/cache-control-bypass
...
Don't set public Cache-Control on proxied non-public blobs
2026-03-26 15:56:49 -04:00
Mike Dalessio
7446eed4e1
Add representation proxy public Cache-Control test
2026-03-26 15:38:27 -04:00
Mike Dalessio
e12f3e3917
Add representation proxy Cache-Control test
2026-03-26 15:34:54 -04:00
Mike Dalessio
14e6832507
Add regression test for public blob Cache-Control
2026-03-26 15:22:21 -04:00
Mike Dalessio
628571fc79
Don't set public Cache-Control on proxied non-public blobs
...
Rails' ActiveStorage proxy controllers hardcode `http_cache_forever public: true`,
which sets `Cache-Control: public, immutable`. For non-public blobs behind auth,
this allows CDN caching that serves responses without authorization checks.
Override `http_cache_forever` in the Authorize concern to downgrade `public` to
`false` for non-public blobs.
See https://github.com/basecamp/fizzy/pull/2251 for context
2026-03-26 14:58:40 -04:00
Stanko K.R.
76d00d17c8
Abort conditional mediation when the button disconnects
2026-03-26 16:49:59 +01:00
Stanko K.R.
7ae219ab23
Make the duplicate key error message friendly
2026-03-26 16:00:02 +01:00
Stanko K.R.
9614c1ecfb
Add a button to sign in with a passkey
2026-03-26 15:59:09 +01:00
Stanko Krtalić
09d5b8c92f
Merge pull request #2756 from basecamp/friendly-error-message-on-duplicate-passkey
...
Show separate error message when adding a Passkey twice
2026-03-26 14:19:35 +01:00
Stanko Krtalić
527f2e07ff
Merge pull request #2754 from basecamp/update-aws-gem
...
Update AWS SDK
2026-03-25 18:36:29 +01:00
Stanko K.R.
61580ec58f
Update AWS SDK
2026-03-25 18:30:01 +01:00
Stanko Krtalić
01b4698e13
Merge pull request #2751 from basecamp/passkey-improvements
...
Passkey improvements
2026-03-25 18:19:09 +01:00
Stanko K.R.
6107d3cee1
Add margin ot error messages
2026-03-25 18:16:11 +01:00
Stanko K.R.
5820480c0c
Update SAAS gemfile
2026-03-25 18:10:11 +01:00
Stanko K.R.
54cb1a140f
Add a purpose to challanges
2026-03-25 17:57:37 +01:00
Stanko K.R.
37ff66d552
Fix gemfile drift
2026-03-25 17:42:27 +01:00
Stanko K.R.
01d66a9463
Change challange expiration based on purpose
2026-03-25 17:31:42 +01:00
Stanko K.R.
6ba1814f26
Update bcrypt and loofah
2026-03-25 17:30:39 +01:00
Stanko Krtalić
dac4d9233c
Merge pull request #2741 from basecamp/dependabot/bundler/aws-sdk-s3-1.216.0
...
Bump aws-sdk-s3 from 1.215.0 to 1.216.0
2026-03-25 17:28:50 +01:00
Stanko K.R.
5d0f52b57c
Update as_json to return string keys
2026-03-25 17:26:50 +01:00
Stanko K.R.
f5ae2f8076
Rename extract_passkey_component_options to partition_passkey_options
2026-03-25 17:26:50 +01:00
Stanko K.R.
693415bc71
Rename request options to authentication options
2026-03-25 17:26:49 +01:00
Stanko K.R.
df7c2678f3
Rename create_options to registration_options
2026-03-25 17:26:49 +01:00
Stanko K.R.
8e4f9ce5e7
Cleanup form helpers
2026-03-25 17:26:49 +01:00
Stanko K.R.
1983014be6
Rely solely on the challange signature for verification
...
The cookie approach seems like the more secure aproach because it ties the authentication or registration attempt to the user's browser session, but it doesn't work reliably on Chrome for Windows. Also, a simila problem pops up on Chrome for Linux if the session is used instead of a separate cookie. It looks like the browser doesn't propagate the state change through fast enough which results in some requests contaiining the new/updated cookie, and others don't, which results in sporadic failures. Since we use a signed and expiring challange we still get protection from replay attacks and tampering which enables us to omit the cookie entierly and rely on the challange's signature to prove expiration and authenticity. The only thing we lose is the ability to tie and attemp to a single browser session.
See: https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-challengeURL which proposes to add the same challange fetching logic as part of the standard
See: https://github.com/w3c/webauthn/issues/1856 which discusses issues that arise from having expiring challanges (which the spec recommends)
See: https://github.com/OneUptime/oneuptime/security/advisories/GHSA-gjjc-pcwp-c74m which is an explot that can happen if the server isn't able to verify the authenticity of challanges that are sent outside of a cookie
2026-03-25 17:26:49 +01:00
Stanko K.R.
4fb1cddb4c
Use WebComponents for buttons
...
This simplifies the loading and cleanup logic, while providing ubiquitous support across JS frameworks. Buttons can now be added in any way imaginable and still work without requiring additional initialization. The upside of this aproach is that it doesn't require a mutation observer nor a global click listener, and is supported by all browsers that also support passkeys.
2026-03-25 17:26:49 +01:00
Stanko Krtalić
70c08877b7
Merge pull request #2735 from basecamp/dependabot/bundler/bcrypt-3.1.22
...
Bump bcrypt from 3.1.21 to 3.1.22
2026-03-25 17:23:26 +01:00
Sean Mitchell
4b4454de89
Update colophon icons
2026-03-24 13:32:39 -07:00
Jason Fried
2c60ddb7c7
Added Basecamp + HEY icons/links
2026-03-24 12:12:33 -07:00
Stanko Krtalić
4551952d05
Merge pull request #2749 from basecamp/potential-windows-hello-on-chrome-fix
...
Use Same-site: Lax
2026-03-24 15:23:52 +01:00
Stanko K.R.
c24d4fd7fd
Use Same-site: Lax
...
This is a guess based on a few articles I read where Windows Hello doesn't play nice with Same-Site: Strict. I have no credible evidence to back this up.
2026-03-24 15:17:05 +01:00
Stanko Krtalić
1f63589d7e
Merge pull request #2748 from basecamp/fix-passkey-buttons-not-triggering-sometimes
...
Fix Passkey buttons not triggering sometimes
2026-03-24 14:51:14 +01:00
Stanko K.R.
134a533e28
Fix Passkey buttons not triggering sometimes
2026-03-24 14:36:52 +01:00
Andy Smith
7632802f18
Merge pull request #2682 from nqst/delete-account-improvements
...
Delete account: design improvements
2026-03-23 09:38:23 -05:00
Stanko Krtalić
e3cd789ede
Merge pull request #2746 from basecamp/fix-exports
...
Permit variant records in imports
2026-03-23 12:50:24 +01:00
Stanko K.R.
49fbb82676
Permit variant records in imports
2026-03-23 12:30:40 +01:00
Zacharias Knudsen
6808250c8f
Merge pull request #2745 from basecamp/excert-truncation
...
Pre-truncate excerpt before running replacement regexes
2026-03-23 10:24:58 +01:00
Zacharias Dyna Knudsen
6c771584d7
Pre-truncate excerpt before running replacement regexes
...
Also fixes <ol> normalization which was previously a noop.
2026-03-23 10:21:35 +01:00
Mike Dalessio
bcf6e92131
Merge pull request #2740 from basecamp/autolink-skip-large-text-nodes
...
Skip auto-linking in very large text nodes
2026-03-20 20:02:57 -04:00