Bump rack-attack from 6.6.1 to 6.7.0

Bumps [rack-attack](https://github.com/rack/rack-attack) from 6.6.1 to 6.7.0. - [Release notes](https://github.com/rack/rack-attack/releases) - [Changelog](https://github.com/rack/rack-attack/blob/main/CHANGELOG.md) - [Commits](https://github.com/rack/rack-attack/compare/v6.6.1...v6.7.0) --- updated-dependencies: - dependency-name: rack-attack dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
2023-07-31 14:50:26 +00:00
7 changed files with 20 additions and 104 deletions
--- a/2
+++ b/2
@ -69,7 +69,7 @@ gem 'posix-spawn'
 gem 'public_suffix', '~> 5.0'
 gem 'pundit', '~> 2.3'
 gem 'premailer-rails'
-gem 'rack-attack', '~> 6.6'
+gem 'rack-attack', '~> 6.7'
 gem 'rack-cors', '~> 1.1', require: 'rack/cors'
 gem 'rails-i18n', '~> 6.0'
 gem 'rails-settings-cached', '~> 0.6'
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -498,8 +498,8 @@ GEM
    raabro (1.4.0)
    racc (1.6.2)
    rack (2.2.7)
-    rack-attack (6.6.1)
-      rack (>= 1.0, < 3)
+    rack-attack (6.7.0)
+      rack (>= 1.0, < 4)
    rack-cors (1.1.1)
      rack (>= 2.0.0)
    rack-oauth2 (1.21.3)
@ -843,7 +843,7 @@ DEPENDENCIES
  puma (~> 5.6)
  pundit (~> 2.3)
  rack (~> 2.2.6)
-  rack-attack (~> 6.6)
+  rack-attack (~> 6.7)
  rack-cors (~> 1.1)
  rack-test (~> 2.0)
  rails (~> 6.1.7)
--- a/app/controllers/api/v1/json_ld_controller.rb
+++ b/app/controllers/api/v1/json_ld_controller.rb
@ -1,7 +1,6 @@
 # frozen_string_literal: true

 require "faraday"
-require "uri"

 class Api::V1::JsonLdController < Api::BaseController
  include ActionController::Live
@ -10,40 +9,6 @@ class Api::V1::JsonLdController < Api::BaseController
    render json: { error: e.to_s }, status: 422
  end

-  before_action :require_user!
-
-  REQUEST_TARGET = '(request-target)'
-
-  def signature(headers)
-    account = Account.representative
-
-    key_id = ActivityPub::TagManager.instance.key_uri_for(account)
-    algorithm = 'rsa-sha256'
-    signed_string = headers.map { |key, value| "#{key.downcase}: #{value}" }.join("\n")
-    signature = Base64.strict_encode64(account.keypair.sign(OpenSSL::Digest.new('SHA256'), signed_string))
-
-    "keyId=\"#{key_id}\",algorithm=\"#{algorithm}\",headers=\"#{headers.keys.join(' ').downcase}\",signature=\"#{signature}\""
-  end
-
-  def signed_headers(url_string)
-    if url_string.include?(".well-known")
-      return {'Accept': 'application/jrd+json'}
-    end
-
-    url = URI.parse(url_string)
-    tmp_headers = {
-      'Date': Time.now.utc.httpdate,
-      'Host': url.host,
-      'Accept': 'application/activity+json, application/ld+json; profile="https://www.w3.org/ns/activitystreams"',
-    }
-    tmp_headers[REQUEST_TARGET] = "get #{url_string.delete_prefix("#{url.scheme}://#{url.host}")}"
-    additional_headers = {
-      'Signature': signature(tmp_headers),
-      'User-Agent': Mastodon::Version.user_agent,
-    }
-    tmp_headers.merge(additional_headers).except(REQUEST_TARGET)
-  end
-
  def show
    url = params[:url]

@ -52,12 +17,13 @@ class Api::V1::JsonLdController < Api::BaseController
    Thread.new {
      begin
        conn = Faraday::Connection.new
+        conn.options.timeout = 5

-        api_response = conn.get(url, nil, signed_headers(url))
+        api_response = conn.get(url, nil, {'Accept' => 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"'})

        max_redirects = 5
        while api_response.status == 301 || api_response.status == 302 and max_redirects > 0 do
-          api_response = conn.get(api_response.headers['Location'], nil, signed_headers(api_response.headers['Location']))
+          api_response = conn.get(api_response.headers['Location'], nil, {'Accept' => 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"'})
          max_redirects -= 1
        end

--- a/app/views/shared/_og.html.haml
+++ b/app/views/shared/_og.html.haml
@ -1,14 +1,14 @@
 - thumbnail     = @instance_presenter.thumbnail
- description = 'Learn ActivityPub interactively, by seeing protocol interactions visualized in real time'
+- description ||= @instance_presenter.description.presence || strip_tags(t('about.about_mastodon_html'))

 %meta{ name: 'description', content: description }/

-= opengraph 'og:site_name', 'ActivityPub Academy - A learning resource for ActivityPub'
+= opengraph 'og:site_name', t('about.hosted_on', domain: site_hostname)
 = opengraph 'og:url', url_for(only_path: false)
 = opengraph 'og:type', 'website'
-= opengraph 'og:title', 'ActivityPub Academy'
+= opengraph 'og:title', @instance_presenter.title
 = opengraph 'og:description', description
-= opengraph 'og:image', full_asset_url(thumbnail&.file&.url(:'@1x') || asset_pack_path('media/images/academy-mascot.webp', protocol: :request))
-= opengraph 'og:image:width', thumbnail ? thumbnail.meta['width'] : '500'
-= opengraph 'og:image:height', thumbnail ? thumbnail.meta['height'] : '573'
+= opengraph 'og:image', full_asset_url(thumbnail&.file&.url(:'@1x') || asset_pack_path('media/images/preview.png', protocol: :request))
+= opengraph 'og:image:width', thumbnail ? thumbnail.meta['width'] : '1200'
+= opengraph 'og:image:height', thumbnail ? thumbnail.meta['height'] : '630'
 = opengraph 'twitter:card', 'summary_large_image'
--- a/app/workers/scheduler/old_account_cleanup_scheduler.rb
+++ b/app/workers/scheduler/old_account_cleanup_scheduler.rb
@ -28,13 +28,17 @@ class Scheduler::OldAccountCleanupScheduler
      .where("domain IS NULL")
      # id -99 is the instance actor
      .where("id <> -99")
-      # only delete accounts whose username contains underscores (those are auto-generated)
-      .where("username LIKE '%\\_%'")
+      # don't delete admin
+      .where("username <> 'admin'")
+      # don't delete crepels
+      .where("username <> 'crepels'")
+      # don't delete alice
+      .where("username <> 'alice'")
      .where("created_at < ?", 1.day.ago)
      .order(created_at: :asc)
      .limit(MAX_DELETIONS_PER_JOB)
      .each do |account|
-        AccountDeletionWorker.perform_async(account.id, { 'reserve_username' => false })
+        AccountDeletionWorker.perform_async(account.id, { :reserve_username => false })
      end
  end
 end
--- a/dist/nginx.conf
+++ b/dist/nginx.conf
@ -114,27 +114,6 @@ server {
    tcp_nodelay on;
  }

-  location ^~ /api/v1/json_ld {
-    proxy_set_header Host $host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto https;
-    proxy_set_header Proxy "";
-    proxy_pass_header Server;
-
-    proxy_pass http://backend;
-    proxy_redirect off;
-    proxy_http_version 1.1;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection '';
-
-    proxy_cache off;
-    proxy_buffering off;
-    chunked_transfer_encoding off;
-
-    tcp_nodelay on;
-  }
-
  location ^~ /api/v1/activity_log {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
--- a/spec/workers/scheduler/old_account_cleanup_scheduler_spec.rb
+++ b/spec/workers/scheduler/old_account_cleanup_scheduler_spec.rb
@ -1,33 +0,0 @@
-require 'json'
-require 'rails_helper'
-
-RSpec.describe Scheduler::OldAccountCleanupScheduler do
-  subject { described_class.new }
-  let!(:generated_user) { Fabricate(:account, username: 'containing_underscore', created_at: 25.hours.ago) }
-  let!(:alice) { Fabricate(:account, username: 'alice', created_at: 25.hours.ago) }
-  let!(:generated_user_other_instance) { Fabricate(:account, username: 'containing_underscore', domain: 'example.com', created_at: 25.hours.ago) }
-  let!(:instance_actor) { Fabricate(:account, id: 99, created_at: 25.hours.ago) }
-
-  describe '#perform' do
-    it 'removes auto-generated user-accounts that are older than one day' do
-      expect { subject.perform }.to change { Account.exists?(generated_user.id) }.from(true).to(false)
-    end
-
-    it 'does not remove auto-generated user-accounts that are younger than one day' do
-      generated_user.update!(created_at: 23.hours.ago)
-      expect { subject.perform }.not_to change { Account.exists?(generated_user.id) }.from(true)
-    end
-
-    it 'does not remove accounts with underscores from other instances' do
-      expect { subject.perform }.not_to change { Account.exists?(generated_user_other_instance.id) }.from(true)
-    end
-
-    it 'does not remove accounts without underscores' do
-      expect { subject.perform }.not_to change { Account.exists?(alice.id) }.from(true)
-    end
-
-    it 'does not remove instance actor' do
-      expect { subject.perform }.not_to change { Account.exists?(instance_actor.id) }.from(true)
-    end
-  end
-end