Merge remote-tracking branch 'parent/main' into kbtopic-remove-quote

db/migrate/20241213130230_create_fasp_subscriptions.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+class CreateFaspSubscriptions < ActiveRecord::Migration[7.2]
+  def change
+    create_table :fasp_subscriptions do |t|
+      t.string :category, null: false
+      t.string :subscription_type, null: false
+      t.integer :max_batch_size, null: false
+      t.integer :threshold_timeframe
+      t.integer :threshold_shares
+      t.integer :threshold_likes
+      t.integer :threshold_replies
+      t.references :fasp_provider, null: false, foreign_key: true
+
+      t.timestamps
+    end
+  end
+end

db/migrate/20250103131909_create_fasp_backfill_requests.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class CreateFaspBackfillRequests < ActiveRecord::Migration[7.2]
+  def change
+    create_table :fasp_backfill_requests do |t|
+      t.string :category, null: false
+      t.integer :max_count, null: false, default: 100
+      t.string :cursor
+      t.boolean :fulfilled, null: false, default: false
+      t.references :fasp_provider, null: false, foreign_key: true
+
+      t.timestamps
+    end
+  end
+end

db/migrate/20250428104538_add_require_tos_interstitial_to_users.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class AddRequireTosInterstitialToUsers < ActiveRecord::Migration[8.0]
+  def change
+    add_column :users, :require_tos_interstitial, :boolean, null: false, default: false
+  end
+end

db/migrate/20250520204643_create_rule_translations.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+class CreateRuleTranslations < ActiveRecord::Migration[8.0]
+  def change
+    create_table :rule_translations do |t|
+      t.text :text, null: false, default: ''
+      t.text :hint, null: false, default: ''
+      t.string :language, null: false
+      t.references :rule, null: false, foreign_key: { on_delete: :cascade }, index: false
+
+      t.timestamps
+    end
+
+    add_index :rule_translations, [:rule_id, :language], unique: true
+  end
+end

db/post_migrate/20240307180905_migrate_devise_two_factor_secrets.rb

@@ -3,13 +3,96 @@
 class MigrateDeviseTwoFactorSecrets < ActiveRecord::Migration[7.1]
   disable_ddl_transaction!
 
+  module LegacyOtpSecret
+    extend ActiveSupport::Concern
+
+    private
+
+    # Decrypt and return the `encrypted_otp_secret` attribute which was used in
+    # prior versions of devise-two-factor
+    # @return [String] The decrypted OTP secret
+    def legacy_otp_secret
+      return nil unless self[:encrypted_otp_secret]
+      return nil unless self.class.otp_secret_encryption_key
+
+      hmac_iterations = 2000 # a default set by the Encryptor gem
+      key = self.class.otp_secret_encryption_key
+      salt = Base64.decode64(encrypted_otp_secret_salt)
+      iv = Base64.decode64(encrypted_otp_secret_iv)
+
+      raw_cipher_text = Base64.decode64(encrypted_otp_secret)
+      # The last 16 bytes of the ciphertext are the authentication tag - we use
+      # Galois Counter Mode which is an authenticated encryption mode
+      cipher_text = raw_cipher_text[0..-17]
+      auth_tag =  raw_cipher_text[-16..-1] # rubocop:disable Style/SlicingWithRange
+
+      # this alrorithm lifted from
+      # https://github.com/attr-encrypted/encryptor/blob/master/lib/encryptor.rb#L54
+
+      # create an OpenSSL object which will decrypt the AES cipher with 256 bit
+      # keys in Galois Counter Mode (GCM). See
+      # https://ruby.github.io/openssl/OpenSSL/Cipher.html
+      cipher = OpenSSL::Cipher.new('aes-256-gcm')
+
+      # tell the cipher we want to decrypt. Symmetric algorithms use a very
+      # similar process for encryption and decryption, hence the same object can
+      # do both.
+      cipher.decrypt
+
+      # Use a Password-Based Key Derivation Function to generate the key actually
+      # used for encryptoin from the key we got as input.
+      cipher.key = OpenSSL::PKCS5.pbkdf2_hmac_sha1(key, salt, hmac_iterations, cipher.key_len)
+
+      # set the Initialization Vector (IV)
+      cipher.iv = iv
+
+      # The tag must be set after calling Cipher#decrypt, Cipher#key= and
+      # Cipher#iv=, but before calling Cipher#final. After all decryption is
+      # performed, the tag is verified automatically in the call to Cipher#final.
+      #
+      # If the auth_tag does not verify, then #final will raise OpenSSL::Cipher::CipherError
+      cipher.auth_tag = auth_tag
+
+      # auth_data must be set after auth_tag has been set when decrypting See
+      # http://ruby-doc.org/stdlib-2.0.0/libdoc/openssl/rdoc/OpenSSL/Cipher.html#method-i-auth_data-3D
+      # we are not adding any authenticated data but OpenSSL docs say this should
+      # still be called.
+      cipher.auth_data = ''
+
+      # #update is (somewhat confusingly named) the method which actually
+      # performs the decryption on the given chunk of data. Our OTP secret is
+      # short so we only need to call it once.
+      #
+      # It is very important that we call #final because:
+      #
+      # 1. The authentication tag is checked during the call to #final
+      # 2. Block based cipher modes (e.g. CBC) work on fixed size chunks. We need
+      #    to call #final to get it to process the last chunk properly. The output
+      #    of #final should be appended to the decrypted value. This isn't
+      #    required for streaming cipher modes but including it is a best practice
+      #    so that your code will continue to function correctly even if you later
+      #    change to a block cipher mode.
+      cipher.update(cipher_text) + cipher.final
+    end
+  end
+
   class MigrationUser < ApplicationRecord
     self.table_name = :users
 
-    devise :two_factor_authenticatable,
-           otp_secret_encryption_key: Rails.configuration.x.otp_secret
+    LEGACY_OTP_SECRET = begin
+      if Rails.env.test?
+        '100c7faeef00caa29242f6b04156742bf76065771fd4117990c4282b8748ff3d99f8fdae97c982ab5bd2e6756a159121377cce4421f4a8ecd2d67bd7749a3fb4'
+      elsif ENV['SECRET_KEY_BASE_DUMMY']
+        SecureRandom.hex(64)
+      else
+        ENV.fetch('OTP_SECRET')
+      end
+    end
 
-    include LegacyOtpSecret # Must be after the above `devise` line in order to override the legacy method
+    devise :two_factor_authenticatable,
+           otp_secret_encryption_key: LEGACY_OTP_SECRET
+
+    include LegacyOtpSecret
   end
 
   def up

db/post_migrate/20250520192024_remove_legacy_devise_two_factor_secrets_from_users.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class RemoveLegacyDeviseTwoFactorSecretsFromUsers < ActiveRecord::Migration[7.1]
+  def change
+    safety_assured do
+      remove_column :users, :encrypted_otp_secret, :string
+      remove_column :users, :encrypted_otp_secret_iv, :string
+      remove_column :users, :encrypted_otp_secret_salt, :string
+    end
+  end
+end

db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[8.0].define(version: 2025_05_07_035927) do
+ActiveRecord::Schema[8.0].define(version: 2025_05_20_204643) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "pg_catalog.plpgsql"
 
@@ -609,6 +609,17 @@ ActiveRecord::Schema[8.0].define(version: 2025_05_07_035927) do
     t.index ["uri"], name: "index_emoji_reactions_on_uri", unique: true
   end
 
+  create_table "fasp_backfill_requests", force: :cascade do |t|
+    t.string "category", null: false
+    t.integer "max_count", default: 100, null: false
+    t.string "cursor"
+    t.boolean "fulfilled", default: false, null: false
+    t.bigint "fasp_provider_id", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["fasp_provider_id"], name: "index_fasp_backfill_requests_on_fasp_provider_id"
+  end
+
   create_table "fasp_debug_callbacks", force: :cascade do |t|
     t.bigint "fasp_provider_id", null: false
     t.string "ip", null: false
@@ -635,6 +646,20 @@ ActiveRecord::Schema[8.0].define(version: 2025_05_07_035927) do
     t.index ["base_url"], name: "index_fasp_providers_on_base_url", unique: true
   end
 
+  create_table "fasp_subscriptions", force: :cascade do |t|
+    t.string "category", null: false
+    t.string "subscription_type", null: false
+    t.integer "max_batch_size", null: false
+    t.integer "threshold_timeframe"
+    t.integer "threshold_shares"
+    t.integer "threshold_likes"
+    t.integer "threshold_replies"
+    t.bigint "fasp_provider_id", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["fasp_provider_id"], name: "index_fasp_subscriptions_on_fasp_provider_id"
+  end
+
   create_table "favourites", force: :cascade do |t|
     t.datetime "created_at", precision: nil, null: false
     t.datetime "updated_at", precision: nil, null: false
@@ -1246,6 +1271,16 @@ ActiveRecord::Schema[8.0].define(version: 2025_05_07_035927) do
     t.index ["target_account_id"], name: "index_reports_on_target_account_id"
   end
 
+  create_table "rule_translations", force: :cascade do |t|
+    t.text "text", default: "", null: false
+    t.text "hint", default: "", null: false
+    t.string "language", null: false
+    t.bigint "rule_id", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["rule_id", "language"], name: "index_rule_translations_on_rule_id_and_language", unique: true
+  end
+
   create_table "rules", force: :cascade do |t|
     t.integer "priority", default: 0, null: false
     t.datetime "deleted_at", precision: nil
@@ -1566,9 +1601,6 @@ ActiveRecord::Schema[8.0].define(version: 2025_05_07_035927) do
     t.datetime "confirmation_sent_at", precision: nil
     t.string "unconfirmed_email"
     t.string "locale"
-    t.string "encrypted_otp_secret"
-    t.string "encrypted_otp_secret_iv"
-    t.string "encrypted_otp_secret_salt"
     t.integer "consumed_timestep"
     t.boolean "otp_required_for_login", default: false, null: false
     t.datetime "last_emailed_at", precision: nil
@@ -1589,6 +1621,7 @@ ActiveRecord::Schema[8.0].define(version: 2025_05_07_035927) do
     t.string "time_zone"
     t.string "otp_secret"
     t.datetime "age_verified_at"
+    t.boolean "require_tos_interstitial", default: false, null: false
     t.index ["account_id"], name: "index_users_on_account_id"
     t.index ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true
     t.index ["created_by_application_id"], name: "index_users_on_created_by_application_id", where: "(created_by_application_id IS NOT NULL)"
@@ -1709,7 +1742,9 @@ ActiveRecord::Schema[8.0].define(version: 2025_05_07_035927) do
   add_foreign_key "emoji_reactions", "accounts", on_delete: :cascade
   add_foreign_key "emoji_reactions", "custom_emojis", on_delete: :cascade
   add_foreign_key "emoji_reactions", "statuses", on_delete: :cascade
+  add_foreign_key "fasp_backfill_requests", "fasp_providers"
   add_foreign_key "fasp_debug_callbacks", "fasp_providers"
+  add_foreign_key "fasp_subscriptions", "fasp_providers"
   add_foreign_key "favourites", "accounts", name: "fk_5eb6c2b873", on_delete: :cascade
   add_foreign_key "favourites", "statuses", name: "fk_b0e856845e", on_delete: :cascade
   add_foreign_key "featured_tags", "accounts", on_delete: :cascade
@@ -1776,6 +1811,7 @@ ActiveRecord::Schema[8.0].define(version: 2025_05_07_035927) do
   add_foreign_key "reports", "accounts", column: "target_account_id", name: "fk_eb37af34f0", on_delete: :cascade
   add_foreign_key "reports", "accounts", name: "fk_4b81f7522c", on_delete: :cascade
   add_foreign_key "reports", "oauth_applications", column: "application_id", on_delete: :nullify
+  add_foreign_key "rule_translations", "rules", on_delete: :cascade
   add_foreign_key "scheduled_expiration_statuses", "accounts", on_delete: :cascade
   add_foreign_key "scheduled_expiration_statuses", "statuses", on_delete: :cascade
   add_foreign_key "scheduled_statuses", "accounts", on_delete: :cascade