Merge tag 'v4.2.6' into lets-bump-hometown-to-mastodon-4.2

2 years ago · c33c1b7f0c
11 changed files with 104 additions and 24 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,25 @@
 All notable changes to this project will be documented in this file.
 ## [4.2.6] - 2024-02-14
 ### Security
 - Update the `sidekiq-unique-jobs` dependency (see [GHSA-cmh9-rx85-xj38](https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38))
  In addition, we have disabled the web interface for `sidekiq-unique-jobs` out of caution.
  If you need it, you can re-enable it by setting `ENABLE_SIDEKIQ_UNIQUE_JOBS_UI=true`.
  If you only need to clear all locks, you can now use `bundle exec rake sidekiq_unique_jobs:delete_all_locks`.
 - Update the `nokogiri` dependency (see [GHSA-xc9x-jj77-9p9j](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j))
 - Disable administrative Doorkeeper routes ([ThisIsMissEm](https://github.com/mastodon/mastodon/pull/29187))
 - Fix ongoing streaming sessions not being invalidated when applications get deleted in some cases ([GHSA-7w3c-p9j8-mq3x](https://github.com/mastodon/mastodon/security/advisories/GHSA-7w3c-p9j8-mq3x))
  In some rare cases, the streaming server was not notified of access tokens revocation on application deletion.
 - Change external authentication behavior to never reattach a new identity to an existing user by default ([GHSA-vm39-j3vx-pch3](https://github.com/mastodon/mastodon/security/advisories/GHSA-vm39-j3vx-pch3))
  Up until now, Mastodon has allowed new identities from external authentication providers to attach to an existing local user based on their verified e-mail address.
  This allowed upgrading users from a database-stored password to an external authentication provider, or move from one authentication provider to another.
  However, this behavior may be unexpected, and means that when multiple authentication providers are configured, the overall security would be that of the least secure authentication provider.
  For these reasons, this behavior is now locked under the `ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH` environment variable.
  In addition, regardless of this environment variable, Mastodon will refuse to attach two identities from the same authentication provider to the same account.
 ## [4.2.5] - 2024-02-01
 ### Security
--- a/app/controllers/auth/omniauth_callbacks_controller.rb
+++ b/app/controllers/auth/omniauth_callbacks_controller.rb
@ -6,7 +6,7 @@ class Auth::OmniauthCallbacksController < Devise::OmniauthCallbacksController
  def self.provides_callback_for(provider)
    define_method provider do
      @provider = provider
-      @user = User.find_for_oauth(request.env['omniauth.auth'], current_user)
+      @user = User.find_for_omniauth(request.env['omniauth.auth'], current_user)
      if @user.persisted?
        record_login_activity
--- a/app/lib/application_extension.rb
+++ b/app/lib/application_extension.rb
@ -4,14 +4,34 @@ module ApplicationExtension
  extend ActiveSupport::Concern
  included do
    include Redisable
    has_many :created_users, class_name: 'User', foreign_key: 'created_by_application_id', inverse_of: :created_by_application
    validates :name, length: { maximum: 60 }
    validates :website, url: true, length: { maximum: 2_000 }, if: :website?
    validates :redirect_uri, length: { maximum: 2_000 }
    # The relationship used between Applications and AccessTokens is using
    # dependent: delete_all, which means the ActiveRecord callback in
    # AccessTokenExtension is not run, so instead we manually announce to
    # streaming that these tokens are being deleted.
    before_destroy :push_to_streaming_api, prepend: true
  end
  def confirmation_redirect_uri
    redirect_uri.lines.first.strip
  end
  def push_to_streaming_api
    # TODO: #28793 Combine into a single topic
    payload = Oj.dump(event: :kill)
    access_tokens.in_batches do |tokens|
      redis.pipelined do |pipeline|
        tokens.ids.each do |id|
          pipeline.publish("timeline:access_token:#{id}", payload)
        end
      end
    end
  end
 end
--- a/app/models/concerns/omniauthable.rb
+++ b/app/models/concerns/omniauthable.rb
@ -19,17 +19,18 @@ module Omniauthable
  end
  class_methods do
-    def find_for_oauth(auth, signed_in_resource = nil)
+    def find_for_omniauth(auth, signed_in_resource = nil)
      # EOLE-SSO Patch
      auth.uid = (auth.uid[0][:uid] || auth.uid[0][:user]) if auth.uid.is_a? Hashie::Array
-      identity = Identity.find_for_oauth(auth)
+      identity = Identity.find_for_omniauth(auth)
      # If a signed_in_resource is provided it always overrides the existing user
      # to prevent the identity being locked with accidentally created accounts.
      # Note that this may leave zombie accounts (with no associated identity) which
      # can be cleaned up at a later date.
      user   = signed_in_resource || identity.user
-      user ||= create_for_oauth(auth)
+      user ||= reattach_for_auth(auth)
      user ||= create_for_auth(auth)
      if identity.user.nil?
        identity.user = user
@ -39,19 +40,35 @@ module Omniauthable
      user
    end
-    def create_for_oauth(auth)
+    private
      # Check if the user exists with provided email. If no email was provided,
      # we assign a temporary email and ask the user to verify it on
      # the next step via Auth::SetupController.show
-      strategy          = Devise.omniauth_configs[auth.provider.to_sym].strategy
+    def reattach_for_auth(auth)
-      assume_verified   = strategy&.security&.assume_email_is_verified
+      # If allowed, check if a user exists with the provided email address,
-      email_is_verified = auth.info.verified || auth.info.verified_email || auth.info.email_verified || assume_verified
+      # and return it if they does not have an associated identity with the
-      email             = auth.info.verified_email || auth.info.email
+      # current authentication provider.
      # This can be used to provide a choice of alternative auth providers
      # or provide smooth gradual transition between multiple auth providers,
      # but this is discouraged because any insecure provider will put *all*
      # local users at risk, regardless of which provider they registered with.
      return unless ENV['ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH'] == 'true'
-      user = User.find_by(email: email) if email_is_verified
+      email, email_is_verified = email_from_auth(auth)
      return unless email_is_verified
-      return user unless user.nil?
+      user = User.find_by(email: email)
      return if user.nil? || Identity.exists?(provider: auth.provider, user_id: user.id)
      user
    end
    def create_for_auth(auth)
      # Create a user for the given auth params. If no email was provided,
      # we assign a temporary email and ask the user to verify it on
      # the next step via Auth::SetupController.show
      email, email_is_verified = email_from_auth(auth)
      user = User.new(user_params_from_auth(email, auth))
@ -66,7 +83,14 @@ module Omniauthable
      user
    end
-    private
+    def email_from_auth(auth)
      strategy          = Devise.omniauth_configs[auth.provider.to_sym].strategy
      assume_verified   = strategy&.security&.assume_email_is_verified
      email_is_verified = auth.info.verified || auth.info.verified_email || auth.info.email_verified || assume_verified
      email             = auth.info.verified_email || auth.info.email
      [email, email_is_verified]
    end
    def user_params_from_auth(email, auth)
      {
--- a/app/models/identity.rb
+++ b/app/models/identity.rb
@ -17,7 +17,7 @@ class Identity < ApplicationRecord
  validates :uid, presence: true, uniqueness: { scope: :provider }
  validates :provider, presence: true
-  def self.find_for_oauth(auth)
+  def self.find_for_omniauth(auth)
    find_or_create_by(uid: auth.uid, provider: auth.provider)
  end
 end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -360,6 +360,16 @@ class User < ApplicationRecord
    Doorkeeper::AccessToken.by_resource_owner(self).in_batches do |batch|
      batch.update_all(revoked_at: Time.now.utc)
      Web::PushSubscription.where(access_token_id: batch).delete_all
      # Revoke each access token for the Streaming API, since `update_all``
      # doesn't trigger ActiveRecord Callbacks:
      # TODO: #28793 Combine into a single topic
      payload = Oj.dump(event: :kill)
      redis.pipelined do |pipeline|
        batch.ids.each do |id|
          pipeline.publish("timeline:access_token:#{id}", payload)
        end
      end
    end
  end
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -56,7 +56,7 @@ services:
  web:
    build: .
-    image: ghcr.io/mastodon/mastodon:v4.2.5
+    image: ghcr.io/mastodon/mastodon:v4.2.6
    restart: always
    env_file: .env.production
    command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
@ -77,7 +77,7 @@ services:
  streaming:
    build: .
-    image: ghcr.io/mastodon/mastodon:v4.2.5
+    image: ghcr.io/mastodon/mastodon:v4.2.6
    restart: always
    env_file: .env.production
    command: node ./streaming
@ -95,7 +95,7 @@ services:
  sidekiq:
    build: .
-    image: ghcr.io/mastodon/mastodon:v4.2.5
+    image: ghcr.io/mastodon/mastodon:v4.2.6
    restart: always
    env_file: .env.production
    command: bundle exec sidekiq
--- a/lib/mastodon/version.rb
+++ b/lib/mastodon/version.rb
@ -13,7 +13,7 @@ module Mastodon
    end
    def patch
-      5
+      6
    end
    def default_prerelease
--- a/spec/models/identity_spec.rb
+++ b/spec/models/identity_spec.rb
@ -3,16 +3,16 @@
 require 'rails_helper'
 RSpec.describe Identity do
-  describe '.find_for_oauth' do
+  describe '.find_for_omniauth' do
    let(:auth) { Fabricate(:identity, user: Fabricate(:user)) }
    it 'calls .find_or_create_by' do
      expect(described_class).to receive(:find_or_create_by).with(uid: auth.uid, provider: auth.provider)
-      described_class.find_for_oauth(auth)
+      described_class.find_for_omniauth(auth)
    end
    it 'returns an instance of Identity' do
-      expect(described_class.find_for_oauth(auth)).to be_instance_of described_class
+      expect(described_class.find_for_omniauth(auth)).to be_instance_of described_class
    end
  end
 end
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@ -438,7 +438,10 @@ RSpec.describe User do
    let!(:access_token) { Fabricate(:access_token, resource_owner_id: user.id) }
    let!(:web_push_subscription) { Fabricate(:web_push_subscription, access_token: access_token) }
    let(:redis_pipeline_stub) { instance_double(Redis::Namespace, publish: nil) }
    before do
      allow(redis).to receive(:pipelined).and_yield(redis_pipeline_stub)
      user.reset_password!
    end
@ -454,6 +457,10 @@ RSpec.describe User do
      expect(Doorkeeper::AccessToken.active_for(user).count).to eq 0
    end
    it 'revokes streaming access for all access tokens' do
      expect(redis_pipeline_stub).to have_received(:publish).with("timeline:access_token:#{access_token.id}", Oj.dump(event: :kill)).once
    end
    it 'removes push subscriptions' do
      expect(Web::PushSubscription.where(user: user).or(Web::PushSubscription.where(access_token: access_token)).count).to eq 0
    end
--- a/spec/requests/omniauth_callbacks_spec.rb
+++ b/spec/requests/omniauth_callbacks_spec.rb
@ -96,7 +96,7 @@ describe 'OmniAuth callbacks' do
    context 'when a user cannot be built' do
      before do
-        allow(User).to receive(:find_for_oauth).and_return(User.new)
+        allow(User).to receive(:find_for_omniauth).and_return(User.new)
      end
      it 'redirects to the new user signup page' do