Merge remote-tracking branch 'parent/main' into upstream-20240122

2024-01-22 10:07:33 +09:00 · 2024-01-22 10:07:33 +09:00 · a4cc73438e
commit a4cc73438e
parent 8793bc286e 9f8e3cca9a
65 changed files with 1150 additions and 707 deletions
--- a/app/controllers/admin/action_logs_controller.rb
+++ b/app/controllers/admin/action_logs_controller.rb
@ -6,7 +6,7 @@ module Admin

    def index
      authorize :audit_log, :index?
-      @auditable_accounts = Account.where(id: Admin::ActionLog.select('distinct account_id')).select(:id, :username)
+      @auditable_accounts = Account.auditable.select(:id, :username)
    end

    private
--- a/app/controllers/api/v1/accounts/follower_accounts_controller.rb
+++ b/app/controllers/api/v1/accounts/follower_accounts_controller.rb
@ -21,7 +21,7 @@ class Api::V1::Accounts::FollowerAccountsController < Api::BaseController
    return [] if hide_results?

    scope = default_accounts
-    scope = scope.where.not(id: current_account.excluded_from_timeline_account_ids) unless current_account.nil? || current_account.id == @account.id
+    scope = scope.not_excluded_by_account(current_account) unless current_account.nil? || current_account.id == @account.id
    scope.merge(paginated_follows).to_a
  end

--- a/app/controllers/api/v1/accounts/following_accounts_controller.rb
+++ b/app/controllers/api/v1/accounts/following_accounts_controller.rb
@ -21,7 +21,7 @@ class Api::V1::Accounts::FollowingAccountsController < Api::BaseController
    return [] if hide_results?

    scope = default_accounts
-    scope = scope.where.not(id: current_account.excluded_from_timeline_account_ids) unless current_account.nil? || current_account.id == @account.id
+    scope = scope.not_excluded_by_account(current_account) unless current_account.nil? || current_account.id == @account.id
    scope.merge(paginated_follows).to_a
  end

--- a/app/controllers/api/v1/peers/search_controller.rb
+++ b/app/controllers/api/v1/peers/search_controller.rb
@ -27,7 +27,7 @@ class Api::V1::Peers::SearchController < Api::BaseController
      @domains = InstancesIndex.query(function_score: {
        query: {
          prefix: {
-            domain: TagManager.instance.normalize_domain(params[:q].strip),
+            domain: normalized_domain,
          },
        },

@ -37,11 +37,18 @@ class Api::V1::Peers::SearchController < Api::BaseController
        },
      }).limit(10).pluck(:domain)
    else
-      domain = params[:q].strip
-      domain = TagManager.instance.normalize_domain(domain)
-      @domains = Instance.searchable.where(Instance.arel_table[:domain].matches("#{Instance.sanitize_sql_like(domain)}%", false, true)).limit(10).pluck(:domain)
+      domain = normalized_domain
+      @domains = Instance.searchable.domain_starts_with(domain).limit(10).pluck(:domain)
    end
  rescue Addressable::URI::InvalidURIError
    @domains = []
  end
+
+  def normalized_domain
+    TagManager.instance.normalize_domain(query_value)
+  end
+
+  def query_value
+    params[:q].strip
+  end
 end
--- a/app/controllers/auth/sessions_controller.rb
+++ b/app/controllers/auth/sessions_controller.rb
@ -1,6 +1,10 @@
 # frozen_string_literal: true

 class Auth::SessionsController < Devise::SessionsController
+  include Redisable
+
+  MAX_2FA_ATTEMPTS_PER_HOUR = 10
+
  layout 'auth'

  skip_before_action :check_self_destruct!
@ -130,9 +134,23 @@ class Auth::SessionsController < Devise::SessionsController
    session.delete(:attempt_user_updated_at)
  end

+  def clear_2fa_attempt_from_user(user)
+    redis.del(second_factor_attempts_key(user))
+  end
+
+  def check_second_factor_rate_limits(user)
+    attempts, = redis.multi do |multi|
+      multi.incr(second_factor_attempts_key(user))
+      multi.expire(second_factor_attempts_key(user), 1.hour)
+    end
+
+    attempts >= MAX_2FA_ATTEMPTS_PER_HOUR
+  end
+
  def on_authentication_success(user, security_measure)
    @on_authentication_success_called = true

+    clear_2fa_attempt_from_user(user)
    clear_attempt_from_session

    user.update_sign_in!(new_sign_in: true)
@ -164,4 +182,8 @@ class Auth::SessionsController < Devise::SessionsController
      user_agent: request.user_agent
    )
  end
+
+  def second_factor_attempts_key(user)
+    "2fa_auth_attempts:#{user.id}:#{Time.now.utc.hour}"
+  end
 end
--- a/app/controllers/concerns/auth/two_factor_authentication_concern.rb
+++ b/app/controllers/concerns/auth/two_factor_authentication_concern.rb
@ -66,6 +66,11 @@ module Auth::TwoFactorAuthenticationConcern
  end

  def authenticate_with_two_factor_via_otp(user)
+    if check_second_factor_rate_limits(user)
+      flash.now[:alert] = I18n.t('users.rate_limited')
+      return prompt_for_two_factor(user)
+    end
+
    if valid_otp_attempt?(user)
      on_authentication_success(user, :otp)
    else