Merge tag 'v4.3.0-rc.1'

2024-10-02 10:34:27 +10:00 · 2024-10-02 10:34:27 +10:00 · 26c9b9ba39
commit 26c9b9ba39
parent a2486e2154 03210085b7
3459 changed files with 130932 additions and 69993 deletions
--- a/app/controllers/auth/challenges_controller.rb
+++ b/app/controllers/auth/challenges_controller.rb
@ -7,6 +7,7 @@ class Auth::ChallengesController < ApplicationController

  before_action :authenticate_user!

+  skip_before_action :check_self_destruct!
  skip_before_action :require_functional!

  def create
--- a/app/controllers/auth/confirmations_controller.rb
+++ b/app/controllers/auth/confirmations_controller.rb
@ -1,17 +1,17 @@
 # frozen_string_literal: true

 class Auth::ConfirmationsController < Devise::ConfirmationsController
-  include CaptchaConcern
+  include Auth::CaptchaConcern

  layout 'auth'

-  before_action :set_body_classes
  before_action :set_confirmation_user!, only: [:show, :confirm_captcha]
-  before_action :require_unconfirmed!
+  before_action :redirect_confirmed_user, if: :signed_in_confirmed_user?

  before_action :extend_csp_for_captcha!, only: [:show, :confirm_captcha]
  before_action :require_captcha_if_needed!, only: [:show]

+  skip_before_action :check_self_destruct!
  skip_before_action :require_functional!

  def show
@ -38,6 +38,12 @@ class Auth::ConfirmationsController < Devise::ConfirmationsController
    show
  end

+  def redirect_to_app?
+    truthy_param?(:redirect_to_app)
+  end
+
+  helper_method :redirect_to_app?
+
  private

  def require_captcha_if_needed!
@ -55,17 +61,15 @@ class Auth::ConfirmationsController < Devise::ConfirmationsController
  end

  def captcha_user_bypass?
-    return true if @confirmation_user.nil? || @confirmation_user.confirmed?
+    @confirmation_user.nil? || @confirmation_user.confirmed?
  end

-  def require_unconfirmed!
-    if user_signed_in? && current_user.confirmed? && current_user.unconfirmed_email.blank?
-      redirect_to(current_user.approved? ? root_path : edit_user_registration_path)
-    end
+  def redirect_confirmed_user
+    redirect_to(current_user.approved? ? root_path : edit_user_registration_path)
  end

-  def set_body_classes
-    @body_classes = 'lighter'
+  def signed_in_confirmed_user?
+    user_signed_in? && current_user.confirmed? && current_user.unconfirmed_email.blank?
  end

  def after_resending_confirmation_instructions_path_for(_resource_name)
@ -81,7 +85,7 @@ class Auth::ConfirmationsController < Devise::ConfirmationsController
  end

  def after_confirmation_path_for(_resource_name, user)
-    if user.created_by_application && truthy_param?(:redirect_to_app)
+    if user.created_by_application && redirect_to_app?
      user.created_by_application.confirmation_redirect_uri
    elsif user_signed_in?
      web_url('start')
--- a/app/controllers/auth/omniauth_callbacks_controller.rb
+++ b/app/controllers/auth/omniauth_callbacks_controller.rb
@ -1,6 +1,7 @@
 # frozen_string_literal: true

 class Auth::OmniauthCallbacksController < Devise::OmniauthCallbacksController
+  skip_before_action :check_self_destruct!
  skip_before_action :verify_authenticity_token

  def self.provides_callback_for(provider)
--- a/app/controllers/auth/passwords_controller.rb
+++ b/app/controllers/auth/passwords_controller.rb
@ -1,8 +1,8 @@
 # frozen_string_literal: true

 class Auth::PasswordsController < Devise::PasswordsController
-  before_action :check_validity_of_reset_password_token, only: :edit
-  before_action :set_body_classes
+  skip_before_action :check_self_destruct!
+  before_action :redirect_invalid_reset_token, only: :edit, unless: :reset_password_token_is_valid?

  layout 'auth'

@ -18,15 +18,9 @@ class Auth::PasswordsController < Devise::PasswordsController

  private

-  def check_validity_of_reset_password_token
-    unless reset_password_token_is_valid?
-      flash[:error] = I18n.t('auth.invalid_reset_password_token')
-      redirect_to new_password_path(resource_name)
-    end
-  end
-
-  def set_body_classes
-    @body_classes = 'lighter'
+  def redirect_invalid_reset_token
+    flash[:error] = I18n.t('auth.invalid_reset_password_token')
+    redirect_to new_password_path(resource_name)
  end

  def reset_password_token_is_valid?
--- a/app/controllers/auth/registrations_controller.rb
+++ b/app/controllers/auth/registrations_controller.rb
@ -1,7 +1,8 @@
 # frozen_string_literal: true

 class Auth::RegistrationsController < Devise::RegistrationsController
-  include RegistrationSpamConcern
+  include RegistrationHelper
+  include Auth::RegistrationSpamConcern

  layout :determine_layout

@ -10,20 +11,27 @@ class Auth::RegistrationsController < Devise::RegistrationsController
  before_action :configure_sign_up_params, only: [:create]
  before_action :set_sessions, only: [:edit, :update]
  before_action :set_strikes, only: [:edit, :update]
-  before_action :set_instance_presenter, only: [:new, :create, :update]
-  before_action :set_body_classes, only: [:new, :create, :edit, :update]
  before_action :require_not_suspended!, only: [:update]
  before_action :set_cache_headers, only: [:edit, :update]
  before_action :set_rules, only: :new
  before_action :require_rules_acceptance!, only: :new
  before_action :set_registration_form_time, only: :new

+  skip_before_action :check_self_destruct!, only: [:edit, :update]
  skip_before_action :require_functional!, only: [:edit, :update]

  def new
    super(&:build_invite_request)
  end

+  def edit # rubocop:disable Lint/UselessMethodDefinition
+    super
+  end
+
+  def create # rubocop:disable Lint/UselessMethodDefinition
+    super
+  end
+
  def update
    super do |resource|
      resource.clear_other_sessions(current_session.session_id) if resource.saved_change_to_encrypted_password?
@ -43,7 +51,7 @@ class Auth::RegistrationsController < Devise::RegistrationsController
  end

  def build_resource(hash = nil)
-    super(hash)
+    super

    resource.locale                 = I18n.locale
    resource.invite_code            = @invite&.code if resource.invite_code.blank?
@ -82,19 +90,7 @@ class Auth::RegistrationsController < Devise::RegistrationsController
  end

  def check_enabled_registrations
-    redirect_to root_path if single_user_mode? || omniauth_only? || !allowed_registrations? || ip_blocked?
-  end
-
-  def allowed_registrations?
-    Setting.registrations_mode != 'none' || @invite&.valid_for_use?
-  end
-
-  def omniauth_only?
-    ENV['OMNIAUTH_ONLY'] == 'true'
-  end
-
-  def ip_blocked?
-    IpBlock.where(severity: :sign_up_block).where('ip >>= ?', request.remote_ip.to_s).exists?
+    redirect_to root_path unless allowed_registration?(request.remote_ip, @invite)
  end

  def invite_code
@ -107,14 +103,6 @@ class Auth::RegistrationsController < Devise::RegistrationsController

  private

-  def set_instance_presenter
-    @instance_presenter = InstancePresenter.new
-  end
-
-  def set_body_classes
-    @body_classes = %w(edit update).include?(action_name) ? 'admin' : 'lighter'
-  end
-
  def set_invite
    @invite = begin
      invite = Invite.find_by(code: invite_code) if invite_code.present?
@ -135,7 +123,7 @@ class Auth::RegistrationsController < Devise::RegistrationsController
  end

  def require_not_suspended!
-    forbidden if current_account.suspended?
+    forbidden if current_account.unavailable?
  end

  def set_rules
--- a/app/controllers/auth/sessions_controller.rb
+++ b/app/controllers/auth/sessions_controller.rb
@ -7,26 +7,19 @@ class Auth::SessionsController < Devise::SessionsController

  layout 'auth'

+  skip_before_action :check_self_destruct!
  skip_before_action :require_no_authentication, only: [:create]
  skip_before_action :require_functional!
  skip_before_action :update_user_sign_in

  prepend_before_action :check_suspicious!, only: [:create]

-  include TwoFactorAuthenticationConcern
-
-  before_action :set_instance_presenter, only: [:new]
-  before_action :set_body_classes
+  include Auth::TwoFactorAuthenticationConcern

  content_security_policy only: :new do |p|
    p.form_action(false)
  end

-  def check_suspicious!
-    user = find_user
-    @login_is_suspicious = suspicious_sign_in?(user) unless user.nil?
-  end
-
  def create
    super do |resource|
      # We only need to call this if this hasn't already been
@ -103,12 +96,9 @@ class Auth::SessionsController < Devise::SessionsController

  private

-  def set_instance_presenter
-    @instance_presenter = InstancePresenter.new
-  end
-
-  def set_body_classes
-    @body_classes = 'lighter'
+  def check_suspicious!
+    user = find_user
+    @login_is_suspicious = suspicious_sign_in?(user) unless user.nil?
  end

  def home_paths(resource)
@ -185,6 +175,28 @@ class Auth::SessionsController < Devise::SessionsController
      ip: request.remote_ip,
      user_agent: request.user_agent
    )
+
+    # Only send a notification email every hour at most
+    return if redis.get("2fa_failure_notification:#{user.id}").present?
+
+    redis.set("2fa_failure_notification:#{user.id}", '1', ex: 1.hour)
+
+    UserMailer.failed_2fa(user, request.remote_ip, request.user_agent, Time.now.utc).deliver_later!
+  end
+
+  def second_factor_attempts_key(user)
+    "2fa_auth_attempts:#{user.id}:#{Time.now.utc.hour}"
+  end
+
+  def respond_to_on_destroy
+    respond_to do |format|
+      format.json do
+        render json: {
+          redirect_to: after_sign_out_path_for(resource_name),
+        }, status: 200
+      end
+      format.all { super }
+    end
  end

  def second_factor_attempts_key(user)
--- a/app/controllers/auth/setup_controller.rb
+++ b/app/controllers/auth/setup_controller.rb
@ -5,7 +5,6 @@ class Auth::SetupController < ApplicationController

  before_action :authenticate_user!
  before_action :require_unconfirmed_or_pending!
-  before_action :set_body_classes
  before_action :set_user

  skip_before_action :require_functional!
@ -35,10 +34,6 @@ class Auth::SetupController < ApplicationController
    @user = current_user
  end

-  def set_body_classes
-    @body_classes = 'lighter'
-  end
-
  def user_params
    params.require(:user).permit(:email)
  end