Merge f1d3215d4b into 4b8e60682d

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

app/controllers/auth/omniauth_callbacks_controller.rb

@@ -38,8 +38,7 @@ class Auth::OmniauthCallbacksController < Devise::OmniauthCallbacksController
   private
 
   def record_login_activity
-    LoginActivity.create(
-      user: @user,
+    @user.login_activities.create(
       success: true,
       authentication_method: :omniauth,
       provider: @provider,

app/controllers/auth/sessions_controller.rb

@@ -151,12 +151,11 @@ class Auth::SessionsController < Devise::SessionsController
     sign_in(user)
     flash.delete(:notice)
 
-    LoginActivity.create(
-      user: user,
-      success: true,
-      authentication_method: security_measure,
-      ip: request.remote_ip,
-      user_agent: request.user_agent
+    user.login_activities.create(
+      request_details.merge(
+        authentication_method: security_measure,
+        success: true
+      )
     )
 
     UserMailer.suspicious_sign_in(user, request.remote_ip, request.user_agent, Time.now.utc).deliver_later! if @login_is_suspicious
@@ -167,13 +166,12 @@ class Auth::SessionsController < Devise::SessionsController
   end
 
   def on_authentication_failure(user, security_measure, failure_reason)
-    LoginActivity.create(
-      user: user,
-      success: false,
-      authentication_method: security_measure,
-      failure_reason: failure_reason,
-      ip: request.remote_ip,
-      user_agent: request.user_agent
+    user.login_activities.create(
+      request_details.merge(
+        authentication_method: security_measure,
+        failure_reason: failure_reason,
+        success: false
+      )
     )
 
     # Only send a notification email every hour at most
@@ -182,6 +180,13 @@ class Auth::SessionsController < Devise::SessionsController
     UserMailer.failed_2fa(user, request.remote_ip, request.user_agent, Time.now.utc).deliver_later!
   end
 
+  def request_details
+    {
+      ip: request.remote_ip,
+      user_agent: request.user_agent,
+    }
+  end
+
   def second_factor_attempts_key(user)
     "2fa_auth_attempts:#{user.id}:#{Time.now.utc.hour}"
   end

app/controllers/settings/login_activities_controller.rb

@@ -5,6 +5,6 @@ class Settings::LoginActivitiesController < Settings::BaseController
   skip_before_action :require_functional!
 
   def index
-    @login_activities = LoginActivity.where(user: current_user).order(id: :desc).page(params[:page])
+    @login_activities = current_user.login_activities.order(id: :desc).page(params[:page])
   end
 end

app/lib/activitypub/activity.rb

@@ -78,7 +78,7 @@ class ActivityPub::Activity
   end
 
   def unsupported_object_type?
-    @object.is_a?(String) || !(supported_object_type? || converted_object_type?)
+    @object.is_a?(String) || !(supported_object_type? || converted_object_type? || supported_preview?)
   end
 
   def supported_object_type?
@@ -89,6 +89,10 @@ class ActivityPub::Activity
     equals_or_includes_any?(@object['type'], CONVERTED_TYPES)
   end
 
+  def supported_preview?
+    @object['preview'].is_a?(Hash) && equals_or_includes_any?(@object['preview']['type'], SUPPORTED_TYPES)
+  end
+
   def delete_arrived_first?(uri)
     redis.exists?("delete_upon_arrival:#{@account.id}:#{uri}")
   end

app/lib/activitypub/activity/create.rb

@@ -1,8 +1,6 @@
 # frozen_string_literal: true
 
 class ActivityPub::Activity::Create < ActivityPub::Activity
-  include FormattingHelper
-
   def perform
     @account.schedule_refresh_if_stale!
 
@@ -90,15 +88,15 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
       object: @object
     )
 
-    attachment_ids = process_attachments.take(Status::MEDIA_ATTACHMENTS_LIMIT).map(&:id)
+    attachment_ids = process_attachments(!supported_object_type? && supported_preview? ? @object['preview'] : @object).take(Status::MEDIA_ATTACHMENTS_LIMIT).map(&:id)
 
     @params = {
       uri: @status_parser.uri,
       url: @status_parser.url || @status_parser.uri,
       account: @account,
-      text: converted_object_type? ? converted_text : (@status_parser.text || ''),
+      text: @status_parser.text || '',
       language: @status_parser.language,
-      spoiler_text: converted_object_type? ? '' : (@status_parser.spoiler_text || ''),
+      spoiler_text: @status_parser.spoiler_text || '',
       created_at: @status_parser.created_at,
       edited_at: @status_parser.edited_at && @status_parser.edited_at != @status_parser.created_at ? @status_parser.edited_at : nil,
       override_timestamps: @options[:override_timestamps],
@@ -112,6 +110,28 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
       poll: process_poll,
       quote_approval_policy: @status_parser.quote_policy,
     }
+
+    # If it's a Note or Question, we're done
+    return if supported_object_type?
+
+    # If it's an unsupported type, rely on the preview from FEP-b2b8 if available
+    if supported_preview?
+      preview_parser = ActivityPub::Parser::StatusParser.new(
+        @json,
+        followers_collection: @account.followers_url,
+        actor_uri: ActivityPub::TagManager.instance.uri_for(@account),
+        object: @object['preview']
+      )
+
+      @params[:text] = preview_parser.text || ''
+      @params[:spoiler_text] = preview_parser.spoiler_text || ''
+
+      return
+    end
+
+    # If there is no preview, fall back to building our own preview
+    @params[:text] = ActivityPub::PreviewBuilder.new(@status_parser).text
+    @params[:spoiler_text] = ''
   end
 
   def process_audience
@@ -277,12 +297,12 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
     end
   end
 
-  def process_attachments
-    return [] if @object['attachment'].nil?
+  def process_attachments(parent)
+    return [] if parent['attachment'].nil?
 
     media_attachments = []
 
-    as_array(@object['attachment']).each do |attachment|
+    as_array(parent['attachment']).each do |attachment|
       media_attachment_parser = ActivityPub::Parser::MediaAttachmentParser.new(attachment)
 
       next if media_attachment_parser.remote_url.blank? || media_attachments.size >= Status::MEDIA_ATTACHMENTS_LIMIT
@@ -405,18 +425,6 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
     value_or_id(@object['inReplyTo'])
   end
 
-  def converted_text
-    [formatted_title, @status_parser.spoiler_text.presence, formatted_url].compact.join("\n\n")
-  end
-
-  def formatted_title
-    "<h2>#{@status_parser.title}</h2>" if @status_parser.title.present?
-  end
-
-  def formatted_url
-    linkify(@status_parser.url || @status_parser.uri)
-  end
-
   def unsupported_media_type?(mime_type)
     mime_type.present? && !MediaAttachment.supported_mime_types.include?(mime_type)
   end

app/lib/activitypub/preview_builder.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+class ActivityPub::PreviewBuilder
+  include FormattingHelper
+
+  def initialize(parser)
+    @parser = parser
+  end
+
+  def text
+    [title, summary, url].compact.join("\n\n")
+  end
+
+  private
+
+  def title
+    "<h2>#{@parser.title}</h2>" if @parser.title.present?
+  end
+
+  def summary
+    @parser.spoiler_text
+  end
+
+  def url
+    linkify(@parser.url || @parser.uri)
+  end
+end

app/models/custom_filter_status.rb

@@ -17,12 +17,14 @@ class CustomFilterStatus < ApplicationRecord
   belongs_to :custom_filter
   belongs_to :status
 
-  validates :status, uniqueness: { scope: :custom_filter }
-  validate :validate_status_access
+  validates :status_id, uniqueness: { scope: :custom_filter_id }
+  validate :validate_status_access, if: [:custom_filter_account, :status]
+
+  delegate :account, to: :custom_filter, prefix: true, allow_nil: true
 
   private
 
   def validate_status_access
-    errors.add(:status_id, :invalid) unless StatusPolicy.new(custom_filter.account, status).show?
+    errors.add(:status_id, :invalid) unless StatusPolicy.new(custom_filter_account, status).show?
   end
 end

app/models/follow_recommendation_mute.rb

@@ -14,7 +14,7 @@ class FollowRecommendationMute < ApplicationRecord
   belongs_to :account
   belongs_to :target_account, class_name: 'Account'
 
-  validates :target_account, uniqueness: { scope: :account_id }
+  validates :target_account_id, uniqueness: { scope: :account_id }
 
   after_commit :invalidate_follow_recommendations_cache
 

app/models/user.rb

@@ -90,6 +90,7 @@ class User < ApplicationRecord
   has_many :applications, class_name: 'Doorkeeper::Application', as: :owner, dependent: nil
   has_many :backups, inverse_of: :user, dependent: nil
   has_many :invites, inverse_of: :user, dependent: nil
+  has_many :login_activities, inverse_of: :user, dependent: :destroy
   has_many :markers, inverse_of: :user, dependent: :destroy
   has_many :webauthn_credentials, dependent: :destroy
   has_many :ips, class_name: 'UserIp', inverse_of: :user, dependent: nil

spec/controllers/auth/sessions_controller_spec.rb

@@ -100,11 +100,14 @@ RSpec.describe Auth::SessionsController do
       let(:user) { Fabricate(:user, email: 'foo@bar.com', password: 'abcdefgh') }
 
       context 'when using a valid password' do
-        before do
+        subject do
           post :create, params: { user: { email: user.email, password: user.password } }
         end
 
         it 'redirects to home and logs the user in' do
+          expect { subject }
+            .to change(user.login_activities.where(success: true), :count).by(1)
+
           expect(response).to redirect_to(root_path)
 
           expect(controller.current_user).to eq user
@@ -265,10 +268,9 @@ RSpec.describe Auth::SessionsController do
 
           it 'does not log the user in, sets a flash message, and sends a suspicious sign in email', :inline_jobs do
             emails = capture_emails do
-              Auth::SessionsController::MAX_2FA_ATTEMPTS_PER_HOUR.times do
-                post :create, params: { user: { otp_attempt: '1234' } }, session: { attempt_user_id: user.id, attempt_user_updated_at: user.updated_at.to_s }
-                expect(controller.current_user).to be_nil
-              end
+              expect { process_maximum_two_factor_attempts }
+                .to change(user.login_activities.where(success: false), :count).by(1)
+
               post :create, params: { user: { otp_attempt: user.current_otp } }, session: { attempt_user_id: user.id, attempt_user_updated_at: user.updated_at.to_s }
             end
 
@@ -286,6 +288,13 @@ RSpec.describe Auth::SessionsController do
                 subject: eq(I18n.t('user_mailer.failed_2fa.subject'))
               )
           end
+
+          def process_maximum_two_factor_attempts
+            Auth::SessionsController::MAX_2FA_ATTEMPTS_PER_HOUR.times do
+              post :create, params: { user: { otp_attempt: '1234' } }, session: { attempt_user_id: user.id, attempt_user_updated_at: user.updated_at.to_s }
+              expect(controller.current_user).to be_nil
+            end
+          end
         end
 
         context 'when using a valid OTP' do

spec/lib/activitypub/activity/create_spec.rb

@@ -887,6 +887,55 @@ RSpec.describe ActivityPub::Activity::Create do
         end
       end
 
+      context 'with preview of an unsupported type' do
+        let(:object_json) do
+          build_object(
+            type: 'Article',
+            summary: 'This is the summary of the article',
+            content: 'This is the long form content',
+            preview: {
+              type: 'Note',
+              content: 'This is the short form',
+            }
+          )
+        end
+
+        it 'creates status from the preview' do
+          expect { subject.perform }.to change(sender.statuses, :count).by(1)
+
+          status = sender.statuses.first
+          expect(status).to_not be_nil
+          expect(status.spoiler_text).to eq ''
+          expect(status.text).to eq 'This is the short form'
+        end
+      end
+
+      context 'with a converted type and no preview' do
+        let(:object_json) do
+          build_object(
+            type: 'Video',
+            name: 'Foo bar',
+            content: 'This is the description of the video',
+            url: [
+              {
+                type: 'Link',
+                mediaType: 'text/html',
+                href: 'https://example.com/video',
+              },
+            ]
+          )
+        end
+
+        it 'creates status' do
+          expect { subject.perform }.to change(sender.statuses, :count).by(1)
+
+          status = sender.statuses.first
+          expect(status).to_not be_nil
+          expect(status.spoiler_text).to eq ''
+          expect(status.text).to eq "<h2>Foo bar</h2>\n\n<p><a href=\"https://example.com/video\" target=\"_blank\" rel=\"nofollow noopener\" translate=\"no\"><span class=\"invisible\">https://</span><span class=\"\">example.com/video</span><span class=\"invisible\"></span></a></p>"
+        end
+      end
+
       context 'with an unverifiable quote of a known post' do
         let(:quoted_status) { Fabricate(:status) }
 

spec/models/custom_filter_status_spec.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe CustomFilterStatus do
+  describe 'Associations' do
+    it { is_expected.to belong_to(:custom_filter) }
+    it { is_expected.to belong_to(:status) }
+  end
+
+  describe 'Validations' do
+    subject { Fabricate.build :custom_filter_status }
+
+    it { is_expected.to validate_uniqueness_of(:status_id).scoped_to(:custom_filter_id) }
+
+    describe 'Status access' do
+      subject { Fabricate.build :custom_filter_status, custom_filter:, status: }
+
+      let(:custom_filter) { Fabricate :custom_filter }
+      let(:status) { Fabricate :status }
+
+      context 'when policy allows filter account to access status' do
+        it { is_expected.to allow_value(status.id).for(:status_id) }
+      end
+
+      context 'when policy does not allow filter account to access status' do
+        before { status.account.touch(:suspended_at) }
+
+        it { is_expected.to_not allow_value(status.id).for(:status_id) }
+      end
+    end
+  end
+end

spec/models/follow_recommendation_mute_spec.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe FollowRecommendationMute do
+  describe 'Associations' do
+    it { is_expected.to belong_to(:account) }
+    it { is_expected.to belong_to(:target_account).class_name('Account') }
+  end
+
+  describe 'Validations' do
+    subject { Fabricate.build :follow_recommendation_mute }
+
+    it { is_expected.to validate_uniqueness_of(:target_account_id).scoped_to(:account_id) }
+  end
+
+  describe 'Callbacks' do
+    describe 'Maintaining the recommendation cache' do
+      let(:account) { Fabricate :account }
+      let(:cache_key) { "follow_recommendations/#{account.id}" }
+
+      before { Rails.cache.write(cache_key, 123) }
+
+      it 'purges on save' do
+        expect { Fabricate :follow_recommendation_mute, account: account }
+          .to(change { Rails.cache.exist?(cache_key) }.from(true).to(false))
+      end
+    end
+  end
+end

spec/models/user_spec.rb

@@ -24,6 +24,7 @@ RSpec.describe User do
 
   describe 'Associations' do
     it { is_expected.to belong_to(:account).required }
+    it { is_expected.to have_many(:login_activities) }
   end
 
   describe 'Validations' do

yarn.lock

@@ -5764,7 +5764,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"chokidar@npm:^3.5.3":
+"chokidar@npm:^3.6.0":
   version: 3.6.0
   resolution: "chokidar@npm:3.6.0"
   dependencies:
@@ -11298,8 +11298,8 @@ __metadata:
   linkType: hard
 
 "react-select@npm:^5.7.3":
-  version: 5.10.1
-  resolution: "react-select@npm:5.10.1"
+  version: 5.10.2
+  resolution: "react-select@npm:5.10.2"
   dependencies:
     "@babel/runtime": "npm:^7.12.0"
     "@emotion/cache": "npm:^11.4.0"
@@ -11313,7 +11313,7 @@ __metadata:
   peerDependencies:
     react: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0
     react-dom: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0
-  checksum: 10c0/0d10a249b96150bd648f2575d59c848b8fac7f4d368a97ae84e4aaba5bbc1035deba4cdc82e49a43904b79ec50494505809618b0e98022b2d51e7629551912ed
+  checksum: 10c0/2027ef57b0a375d1accdad60550329dc0911b31d429ec6eb9ae391ae9baf9f26991b0ff8615eb99de319a55ce6e9382107783e615cb2116522ed0275b214b7f7
   languageName: node
   linkType: hard
 
@@ -13904,17 +13904,17 @@ __metadata:
   linkType: hard
 
 "vite-plugin-static-copy@npm:^3.1.0":
-  version: 3.1.0
-  resolution: "vite-plugin-static-copy@npm:3.1.0"
+  version: 3.1.1
+  resolution: "vite-plugin-static-copy@npm:3.1.1"
   dependencies:
-    chokidar: "npm:^3.5.3"
+    chokidar: "npm:^3.6.0"
     fs-extra: "npm:^11.3.0"
     p-map: "npm:^7.0.3"
     picocolors: "npm:^1.1.1"
     tinyglobby: "npm:^0.2.14"
   peerDependencies:
     vite: ^5.0.0 || ^6.0.0 || ^7.0.0
-  checksum: 10c0/dce43f12ecc71417f1afd530d15b316774fe0441c2502e48e2bfafcd07fd4ae90a5782621f932d8d12a8c8213bed6746e80d5452e2fb216ece2bcf7e80309f82
+  checksum: 10c0/a4dd5d31212b037d4902d55c2ee83866e496857bf948f258599dc24ec61b4628cf0dd23e4a7d7dc189d33ad1489427e976fa95e4db61b394d0be4f63077ef92c
   languageName: node
   linkType: hard