1. 28 Feb, 2020 1 commit
    • Fix duplicate accounts being created when fetching an account for its key only (#13147) · a2d15bf5
      ThibG authored
      Fixes #13136
      
      When a user's canonical acct domain is different from its id's domain
      (WEB_DOMAIN ≠ LOCAL_DOMAIN), two webfinger queries are required to find the
      canonical domain from the URI. However, we skip webfinger queries when
      updating only the key of a remote user, which led to the creation of a
      duplicate account, using the URI's domain instead of the canonical acct: one.
  2. 29 Aug, 2019 1 commit
  3. 09 Jul, 2019 1 commit
  4. 01 Jul, 2019 1 commit
  5. 21 Jun, 2019 1 commit
    • Change domain blocks to automatically support subdomains (#11138) · 707ddf78
      Eugen Rochko authored
      * Change domain blocks to automatically support subdomains
      
      If a more authoritative domain is blocked (example.com), then the
      same block will be applied to a subdomain (foo.example.com)
      
      * Match subdomains of existing accounts when blocking/unblocking domains
      
      * Improve code style
  6. 14 May, 2019 1 commit
    • Record account suspend/silence time and keep track of domain blocks (#10660) · 14f6ce28
      ThibG authored
      * Record account suspend/silence time and keep track of domain blocks
      
      * Also unblock users who were suspended/silenced before dates were recorded
      
      * Add tests
      
      * Keep track of suspending date for users suspended through the CLI
      
      * Show accurate number of accounts that would be affected by unsuspending an instance
      
      * Change migration to set silenced_at and suspended_at
      
      * Revert "Also unblock users who were suspended/silenced before dates were recorded"
      
      This reverts commit a015c65d2d1e28c7b7cfab8b3f8cd5fb48b8b71c.
      
      * Switch from using suspended and silenced to suspended_at and silenced_at
      
      * Add post-deployment migration script to remove `suspended` and `silenced` columns
      
      * Use Account#silence! and Account#suspend! instead of updating the underlying property
      
      * Add silenced_at and suspended_at migration to post-migration
      
      * Change account fabricator to translate suspended and silenced attributes
      
      * Minor fixes
      
      * Make unblocking domains always retroactive
  7. 30 Mar, 2019 1 commit
  8. 06 Feb, 2019 1 commit
  9. 18 Jan, 2019 1 commit
    • Add tombstones for remote statuses (#9830) · 75b1488c
      ThibG authored
      * Add Tombstone model to remember object deletion
      
      * Do not recreate a status if it has been deleted
      
      * Record Tombstone for remote deleted items
      
      Also, only record deleted items from same-host actors
      
      * Clear a user's tombstones when their key changes
  10. 07 Jan, 2019 1 commit
    • Improvements to signature verification (#9667) · 28b48287
      ThibG authored
      * Refactor signature verification a bit
      
      * Rescue signature verification if recorded public key is invalid
      
      Fixes #8822
      
      * Always re-fetch AP signing key when HTTP Signature verification fails
      
      But when the account is not marked as stale, avoid fetching collections and
      media, and avoid webfinger round-trip.
      
      * Apply stoplight to key/account update as well as initial key retrieval
  11. 29 Dec, 2018 1 commit
  12. 10 Nov, 2018 1 commit
  13. 18 Sep, 2018 1 commit
    • Redesign forms, verify link ownership with rel="me" (#8703) · f4d549d3
      Eugen Rochko authored
      * Verify link ownership with rel="me"
      
      * Add explanation about verification to UI
      
      * Perform link verifications
      
      * Add click-to-copy widget for verification HTML
      
      * Redesign edit profile page
      
      * Redesign forms
      
      * Improve responsive design of settings pages
      
      * Restore landing page sign-up form
      
      * Fix typo
      
      * Support <link> tags, add spec
      
      * Fix links not being verified on first discovery and passive updates
  14. 26 Aug, 2018 1 commit
    • Add CLI task for rotating keys (#8466) · cabdbb7f
      Eugen Rochko authored
      * If an Update is signed with known key, skip re-following procedure
      
      Because it means the remote actor did *not* lose their database
      
      * Add CLI method for rotating keys
      
          bin/tootctl accounts rotate [USERNAME]
      
      Generates a new RSA key per account and sends out an Update activity
      signed with the old key.
      
      * Key rotation: Space out Update fan-outs every 5 minutes per 1000 accounts
      
      * Skip suspended accounts in key rotation
  15. 22 Aug, 2018 1 commit
  16. 28 Jul, 2018 1 commit
  17. 16 May, 2018 1 commit
  18. 14 May, 2018 1 commit
  19. 08 May, 2018 1 commit
  20. 07 May, 2018 1 commit
    • Bot nameplates (#7391) · 42cd3635
      Eugen Rochko authored
      * Store actor type in database
      
      * Add bot nameplate to web UI, add setting to preferences, API, AP
      Fix #7365
      
      * Fix code style issues
  21. 02 May, 2018 1 commit
  22. 14 Apr, 2018 1 commit
    • Add bio fields (#6645) · 78ed4ab7
      Eugen Rochko authored
      * Add bio fields
      
      - Fix #3211
      - Fix #232
      - Fix #121
      
      * Display bio fields in web UI
      
      * Fix output of links and missing fields
      
      * Federate bio fields over ActivityPub as PropertyValue
      
      * Improve how the fields are stored, add to Edit profile form
      
      * Add rel=me to links in fields
      
      Fix #121
  23. 12 Apr, 2018 1 commit
  24. 03 Apr, 2018 1 commit
  25. 01 Apr, 2018 1 commit
  26. 20 Mar, 2018 1 commit
  27. 04 Mar, 2018 1 commit
    • Federate pinned statuses over ActivityPub (#6610) · 9110db41
      Eugen Rochko authored
      * Federate pinned statuses over ActivityPub
      
      * Display pinned toots in web UI
      
      Fix #6117
      
      * Fix migration
      
      * Fix tests
      
      * Update outbox_serializer.rb
      
      * Update remove_serializer.rb
      
      * Update add_serializer.rb
      
      * Update fetch_featured_collection_service.rb
  28. 08 Jan, 2018 1 commit
    • Fix bad URL schemes being accepted (#6219) · e4a241ab
      Eugen Rochko authored
      * Fix actors accepting invalid URI schemes or different host between URI and URL
      
      * Fix statuses accepting invalid URI scheme or different host to actor
      
      * Adjust tests to new requirements
      
      * Improve readability of mismatching_origin?/invalid_origin? methods
  29. 02 Jan, 2018 1 commit
  30. 30 Nov, 2017 1 commit
    • Add semi-support for Video/Image objects in ActivityPub (#5848) · 4c6b5dbe
      Eugen Rochko authored
      * Add semi-support for Video/Image objects in ActivityPub
      
      Video and Image objects will create corresponding status records
      with manually crafted text contents (title + URL)
      
      * Extract html-url-finding logic into JsonLdHelper
      
      * Fallback to id when url missing, extract supported object types
  31. 18 Nov, 2017 1 commit
    • Profile redirect notes (#5746) · 58cede48
      Eugen Rochko authored
      * Serialize moved accounts into REST and ActivityPub APIs
      
      * Parse federated moved accounts from ActivityPub
      
      * Add note about moved accounts to public profiles
      
      * Add moved account message to web UI
      
      * Fix code style issues
  32. 03 Oct, 2017 1 commit
    • Validate id of ActivityPub representations (#5114) · 63f09797
      Akihiko Odaki authored
      Additionally, ActivityPub::FetchRemoteStatusService no longer parses
      activities.
      OStatus::Activity::Creation no longer delegates to ActivityPub because
      the provided ActivityPub representations are not signed while OStatus
      representations are.
  33. 19 Sep, 2017 1 commit
  34. 13 Sep, 2017 1 commit
    • Fix refollowing (#4931) · af00220d
      ThibG authored
      * Make RefollowWorker ActivityPub-only to avoid potential identifier mismatches
      
      * Don't call RefollowWorker on new accounts
  35. 12 Sep, 2017 1 commit
    • [WiP] Whenever a remote keypair changes, unfollow them and re-subscribe to … (#4907) · f29918e7
      ThibG authored
      * Whenever a remote keypair changes, unfollow them and re-subscribe to them
      
      In Mastodon (it could be different for other OStatus or AP-enabled software),
      a keypair change is indicative of whole user (or instance) data loss. In this
      situation, the “new” user might be different, and almost certainly has an empty
      followers list. In this case, Mastodon instances will disagree on follower
      lists, leading to unreliable delivery and “shadow followers”, that is users
      believed by a remote instance to be followers, without the affected user
      knowing.
      
      Drawbacks of this change are:
      1. If a user legitimately changes public key for some reason without losing
         data (not possible in Mastodon at the moment), they will have their remote
         followers unsubscribed/re-subscribed needlessly.
      2. Depending on the number of remote followers, this may generate quite some
         traffic.
      3. If the user change is an attempt at usurpation, the remote followers will
         unknowingly follow the usurper. Note that this is *not* a change of
         behavior, Mastodon already behaves like that, although delivery might be
         unreliable, and the usurper would not have known the former user's
         followers.
      
      * Rename ResubscribeWorker to RefollowWorker
      
      * Process followers in batches
  36. 09 Sep, 2017 1 commit
  37. 08 Sep, 2017 1 commit
  38. 04 Sep, 2017 1 commit
    • Fix some ActivityPub JSON bugs (#4796) · 9b50a9dd
      Eugen Rochko authored
      - Fix assumption that `url` is always a string. Handle it if it's an
        array of strings, array of objects, object, or string, both for
        accounts and for objects
      - `sharedInbox` is actually supposed to be under `endpoints`, handle
        both cases and adjust the serializer
  39. 02 Sep, 2017 2 commits