External sources:
- challenges.cloudflare.com for Turnstile (script-src, frame-src)
- storage.basecamp.com for Active Storage (connect-src)
User tools: loosen style/img/font/media/worker-src to avoid fighting
accessibility extensions, privacy tools, and custom fonts.
Display "Unverified" with an explanation instead of the email address
for users who haven't confirmed their identity. Hide the card links
and activity timeline since unverified users won't have any activity.
Co-Authored-By: Claude <noreply@anthropic.com>
Adds verified? check to bundling_emails? to prevent notification emails
from being sent to users who have never authenticated. This closes the
spam vector where bad actors could create users for known email
addresses and trigger unwanted notifications by mentioning them.
Co-Authored-By: Claude <noreply@anthropic.com>
Identifies users who have demonstrated authentication by looking for
evidence of real activity: owners, content creators (cards, comments,
boards, events), action takers (assigners, closers, postponers,
reactors, pinners, filter creators), board accessors, export requesters,
push subscribers, setup completers, and users with active sessions.
Run this script after deploying the verified_at column to backfill
existing users before enabling the notification guard.
Co-Authored-By: Claude <noreply@anthropic.com>
User are marked as verified after a join code is redeemed. The user is
redirected to Users::VerificationsController, either:
- after submitting a valid magic link code,
- or immediately after redeeming the join code (if they're already
authenticated with the correct identity)
Account owners are automatically verified when the account is
created (because they have already provided a magic link code at that
point).
This sets up for later commits that will backfill existing users and
require verification before sending notification emails.
Co-Authored-By: Claude <noreply@anthropic.com>
Reworked the magic link stimulus controller, because the system test
was causing double-submission of the form (because the event was
bubbling up). I think that change simplifies the form and will still
work well for iOS devices.
Loosen font-src and add media-src to allow browser extensions like
accessibility fonts (OpenDyslexic) and user style managers to work
without CSP violations.
Add default-src and connect-src directives to close security gaps where
unspecified directives were implicitly allowing all sources.
Default to a very narrow policy since there are no CDNs or third-party
resources to contend with.
Configurable via:
- config.x.content_security_policy.* for fizzy-saas gem overrides
- DISABLE_CSP to skip entirely
- CSP_REPORT_ONLY to enable report-only mode
- CSP_REPORT_URI for violation reporting
- Update the README with detailed information about how to deploy a
Fizzy instance
- Reduce the example deploy config
- Add example SMTP configuration in production.rb
* Beautify board_watchers_list by escaping the concat jungle
* Correct it and clean it
* Latest Rails to get the content tag fix
* Test against original collection
using the "standard" email regexp URI::MailTo::EMAIL_REGEXP. The form
field will validate this in the browser, but if bots are creating
identities, they can put whatever they want in here. So let's add some
protection against that.
The HtmlHelper regex was renamed here to avoid confusing Brakeman,
which does imprecise constant lookup and was confusing the two
constants, one of which uses `\A` and `\z` and the other does
not (intentionally).
ref: https://app.fizzy.do/5986089/cards/3276