mirrors/gotosocial
1
0
Fork 0
mirror of https://github.com/superseriousbusiness/gotosocial.git synced 2025-11-01 16:32:25 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
2459 commits 13 branches 97 tags 518 MiB
Commit graph

60 commits

Author SHA1 Message Date
kim
45aa5f5a26 add further code comment explaining 2025-04-26 12:19:25 +01:00
kim
f9da51e6c5 used a repeated portion of their sucess token 2025-04-26 12:19:25 +01:00
kim
7a6d8dfb14 just use gin GetQuery() function now we don't delete the query param 2025-04-26 12:19:25 +01:00
kim
fcc6af163c add code comment 2025-04-26 12:19:25 +01:00
kim
7f5eac3e7a remove unused code 2025-04-26 12:19:25 +01:00
kim
ef2adf12aa add check for expected cookie in test 2025-04-26 12:19:25 +01:00
kim
d1c8ec46f7 comment 2025-04-26 12:19:25 +01:00
kim
2163633901 add test for nollamas middleware 2025-04-26 12:19:25 +01:00
kim
bfd4d5ab18 remove cookie length check , constant time compare handles this 2025-04-26 12:19:25 +01:00
kim
c34589d281 fix incorrect buffer length 2025-04-26 12:19:25 +01:00
kim
5b41861c9c update code comment, add logging 2025-04-26 12:19:25 +01:00
kim
924280ac0b add config option for scraper deterrence 2025-04-26 12:19:25 +01:00
tobi
db4a6e746c penis 2025-04-26 12:19:25 +01:00
kim
c7c8edd982 formatting 2025-04-26 12:19:25 +01:00
kim
4d1acc477c formatting 2025-04-26 12:19:25 +01:00
kim
b98ed0db3f update to just pass instance account directly to nollamas middleware 2025-04-26 12:19:25 +01:00
kim
86e342c443 finish adding an initial draft of the nollamas security check 2025-04-26 12:19:25 +01:00
kim
2442c6fc41 start adding proof of work middleware 2025-04-26 12:19:25 +01:00
tobi
ffde1b150f
 		[chore] Move deps to code.superseriousbusiness.org (#4054) 2025-04-25 15:15:36 +02:00
tobi
8488ac9286
 		[chore] migrate oauth2 -> codeberg (#3857) 2025-03-02 16:42:51 +01:00
tobi
5d0e3d9c35
 		[chore] github.com/superseriousbusiness/httpsig -> codeberg.org/superseriousbusiness/httpsig (#3854) 2025-03-02 13:28:38 +01:00
tobi
baed591a1d
 		[feature] Use X-Robots-Tag headers to instruct scrapers/crawlers (#3737) 
* [feature] Use `X-Robots-Tag` headers to instruct scrapers/crawlers

* use switch for RobotsHeaders
 2025-02-05 12:47:13 +01:00
tobi
9048290948
 		[chore] skip trusted-proxies warning if ip excepted from rate limiting (#3699) 
* [chore] skip `trusted-proxies` warning if ip excepted from rate limiting

* weep

* typo

* fix env parsing test
 2025-01-27 19:21:13 +01:00
Markus Unterwaditzer
a48cce82b9
 		[chore] Upgrade golangci-lint, ignore existing int overflow warnings (#3420) 
* [chore] Bump tooling versions, bump go -> v1.23.0

* undo silly change

* sign

* bump go version in go.mod

* allow overflow in imaging

* goreleaser deprecation notices

* [chore] Upgrade golangci-lint, ignore existing int overflow warnings

There is a new lint for unchecked int casts. Integer overflows are bad,
but the old code that triggers this lint seems to be perfectly fine.
Instead of disabling the lint entirely for new code as well, grandfather
in existing code.

* fix golangci-lint documentation link

* revert unrelated changes

* revert another unrelated change

* get rid of remaining nolint:gosec

* swagger updates

* apply review feedback

* fix wrong formatting specifier thing

* fix the linter for real

---------

Co-authored-by: tobi <tobi.smethurst@protonmail.com>
 2024-10-16 14:13:58 +02:00
kim
964262b169
 		[chore] header filter improvements (#3329) 
* add error message to gin context on header blocked or not allowed

* remove the unused header filter tracking code (leaving OTEL TODOs in place)

* appease the linter
 2024-09-23 11:36:56 +00:00
kim
77b095a8c3
 		[chore] ensure consistent caller name fetching regardless of compiler inlining (#3323) 
* move logging levels into log package itself

* ensure inconsistent inlining doesn't mess with log calling function name

* remove unused global variable

* fix log level
 2024-09-20 13:30:33 +00:00
Daenney
9b50151f17
 		[feature] Beef up our AI opt-outs (#3165) 
* [chore] Synchronise our robots.txt with upstream

* [feature] Add headers to escape AI crawlers

This adds 2 headers that a number of AI crawlers respect to signal that
content should not be included in their datasets.
 2024-08-02 18:22:39 +02:00
Daenney
02d6e2e3bc
 		[feature] Set some security related headers (#3065) 
* Set frame-ancestors in the CSP
   This ensures we can't be loaded/embedded in an iframe. It also sets the
   older X-Frame-Options for fallback.
* Disable MIME type sniffing
* Set Referrer-Policy
   This sets the policy such that browsers will never send the Referer
   header along with a request, unless it's a request to the same protocol,
   host/domain and port. Basically, only send it when navigating through
   our own UI, but not anything external.

   The default is strict-origin-when-cross-origin when unset, which sends
   the Referer header for requests unless it's going from HTTPS to HTTP
   (i.e a security downgrade, hence the 'strict').
 2024-07-04 10:07:02 +02:00
tobi
b614d33c40
 		[feature] Try HTTP signature validation with and without query params for incoming requests (#2591) 
* [feature] Verify signatures both with + without query params

* Bump to tagged version
 2024-01-31 14:15:28 +00:00
tobi
aad3384c98
 		[feature] Log pubKeyID for http-signed requests (#2501) 2024-01-09 10:41:15 +01:00
kim
31481fad35
 		[bugfix] increases sleep time before check in throttle test, to give more leeway (#2482) 2024-01-03 10:27:55 +00:00
kim
8ebb7775a3
 		[feature] request blocking by http headers (#2409) 2023-12-18 14:18:25 +00:00
kim
d56a8d095e
 		[performance] simpler throttling logic (#2407) 
* reduce complexity of throttling logic to use 1 queue and an atomic int

* use atomic add instead of CAS, add throttling test
 2023-12-16 12:53:42 +01:00
kim
eb170003b8
 		[bugfix] return 400 Bad Request on more cases of malformed AS data (#2399) 2023-11-30 16:22:34 +00:00
kim
ece2e795e0
 		[feature] attach any request errors if found, only set level=ERROR if code >= 500 (#2300) 2023-10-25 16:11:40 +01:00
tobi
8f38dc2e7f
 		[feature] Add rate limit exceptions option, use ISO8601 for rate limit reset (#2151) 
* start updating rate limiting, add exceptions

* tests, comments, tidying up

* add rate limiting exceptions to example config

* envparsing

* nolint

* apply kimbediff

* add examples
 2023-08-23 14:32:27 +02:00
tobi
1e2db7a32f
 		[feature/bugfix] Probe S3 storage for CSP uri, add config flag for extra URIs (#2134) 
* [feature/bugfix] Probe S3 storage for CSP uri, add config flag for extra URIs

* env parsing tests, my coy mistress
 2023-08-20 13:35:55 +02:00
kim
e9c3663cce
 		[chore] ensure worker contexts have request ID (#2120) 2023-08-15 17:01:01 +01:00
f0x52
912a104aed
 		[fix] Update CSP header for blob images (upload preview) and dev livereload (#2109) 
* update CSP header for blob images (upload preview) and dev livereload websocket

* update csp for s3, update csp tests
 2023-08-14 12:30:09 +02:00
Daenney
5e368d3089
 		[bugfix] CSP policy fixes for S3/object storage (#2104) 
* [bugfix] CSP policy fixes for S3 in non-proxied mode

* It should be img-src
* In both img-src and media-src we still need to include 'self'
 2023-08-12 12:21:48 +02:00
tobi
b7274545e0
 		[bugfix] Add s3 endpoint as image-src and media-src for CSP (#2103) 
* [bugfix] Add s3 endpoint as image-src and media-src for CSP

* use https if secure

* reorder comment
 2023-08-11 17:49:17 +02:00
Daenney
3aedd937c3
 		[feature] Set Content-Security-Policy header (#2095) 
This adds the CSP header with a policy of only loading from the same
domain. We don't make use of external media, CSS, JS, fonts, so we don't
ever need external data loaded in our context.

When building a DEBUG build, the policy gets extended to include
localhost:*, i.e localhost on any port. This keeps the live-reloading
flow for JS development working. localhost and 127.0.0.1 are considered
to be the same so mixing and matching those doesn't result in a CSP
violation.
 2023-08-11 13:20:56 +02:00
kim
91cbcd589e
 		[performance] remove last of relational queries to instead rely on caches (#2091) 2023-08-10 15:08:41 +01:00
kim
5f3e095717
 		[performance] retry db queries on busy errors (#2025) 
* catch SQLITE_BUSY errors, wrap bun.DB to use our own busy retrier, remove unnecessary db.Error type

Signed-off-by: kim <grufwub@gmail.com>

* remove dead code

Signed-off-by: kim <grufwub@gmail.com>

* remove more dead code, add missing error arguments

Signed-off-by: kim <grufwub@gmail.com>

* update sqlite to use maxOpenConns()

Signed-off-by: kim <grufwub@gmail.com>

* add uncommitted changes

Signed-off-by: kim <grufwub@gmail.com>

* use direct calls-through for the ConnIface to make sure we don't double query hook

Signed-off-by: kim <grufwub@gmail.com>

* expose underlying bun.DB better

Signed-off-by: kim <grufwub@gmail.com>

* retry on the correct busy error

Signed-off-by: kim <grufwub@gmail.com>

* use longer possible maxRetries for db retry-backoff

Signed-off-by: kim <grufwub@gmail.com>

* remove the note regarding max-open-conns only applying to postgres

Signed-off-by: kim <grufwub@gmail.com>

* improved code commenting

Signed-off-by: kim <grufwub@gmail.com>

* remove unnecessary infof call (just use info)

Signed-off-by: kim <grufwub@gmail.com>

* rename DBConn to WrappedDB to better follow sql package name conventions

Signed-off-by: kim <grufwub@gmail.com>

* update test error string checks

Signed-off-by: kim <grufwub@gmail.com>

* shush linter

Signed-off-by: kim <grufwub@gmail.com>

* update backoff logic to be more transparent

Signed-off-by: kim <grufwub@gmail.com>

---------

Signed-off-by: kim <grufwub@gmail.com>
 2023-07-25 10:34:05 +02:00
tobi
12b6cdcd8c
 		[bugfix] Set Vary header correctly on cache-control (#1988) 
* [bugfix] Set Vary header correctly on cache-control

* Prefer activitypub types on AP endpoints

* use immutable on file server, vary by range

* vary auth on Accept
 2023-07-13 21:27:25 +02:00
tobi
24fbdf2b0a
 		[chore] Refactor AP authentication, other small bits of tidying up (#1874) 2023-06-13 15:47:56 +01:00
tobi
2358cf4e43
 		[bugfix] Overwrite API client closed errors with 499 - Client Closed Request (#1857) 
* [bugfix] Overwrite client closed errors with 499

* bleep bloop

* review changes
 2023-06-02 15:19:43 +02:00
Julian-Samuel Gebühr
9c24dee01f
 		[chore] Replace pinafore with semaphore (#1801) 
* Replace pinafore with semaphore

* Typo
 2023-05-21 22:40:43 +02:00
Daenney
107237c8e8
 		[feature] Make client IP logging configurable (#1799) 2023-05-21 16:12:47 +01:00
Dominik Süß
6392e00653
 		feat: initial tracing support (#1623) 2023-05-09 18:19:48 +01:00