From b58ed0ad01c70247f4ac6f11934b921b1a640ddc Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Sun, 29 Oct 2023 03:04:48 -0600 Subject: [PATCH 1/9] Update pixelfed config --- config/pixelfed.php | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/pixelfed.php b/config/pixelfed.php index fcdb1a4b7..521ccef71 100644 --- a/config/pixelfed.php +++ b/config/pixelfed.php @@ -286,4 +286,7 @@ return [ 'max_altext_length' => env('PF_MEDIA_MAX_ALTTEXT_LENGTH', 1000), 'allow_app_registration' => env('PF_ALLOW_APP_REGISTRATION', true), + + 'app_registration_rate_limit_attempts' => env('PF_IAR_RL_ATTEMPTS', 3), + 'app_registration_rate_limit_decay' => env('PF_IAR_RL_DECAY', 1800), ]; From 28a808031b0b858d7de26c5c8aa3b1c686188845 Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Sun, 29 Oct 2023 03:06:10 -0600 Subject: [PATCH 2/9] Update ApiV1Dot1Controller, allow iar rate limits to be configurable --- app/Http/Controllers/Api/ApiV1Dot1Controller.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/Http/Controllers/Api/ApiV1Dot1Controller.php b/app/Http/Controllers/Api/ApiV1Dot1Controller.php index 6ed047af9..f63d69177 100644 --- a/app/Http/Controllers/Api/ApiV1Dot1Controller.php +++ b/app/Http/Controllers/Api/ApiV1Dot1Controller.php @@ -470,7 +470,7 @@ class ApiV1Dot1Controller extends Controller abort_if(BouncerService::checkIp($request->ip()), 404); } - $rl = RateLimiter::attempt('pf:apiv1.1:iar:'.$request->ip(), 3, function(){}, 1800); + $rl = RateLimiter::attempt('pf:apiv1.1:iar:'.$request->ip(), config('pixelfed.app_registration_rate_limit_attempts', 3), function(){}, config('pixelfed.app_registration_rate_limit_decay', 1800)); abort_if(!$rl, 400, 'Too many requests'); $this->validate($request, [ From 1f82d47ce5e73c8679c9412d86101b784875b38a Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Sun, 29 Oct 2023 03:47:06 -0600 Subject: [PATCH 3/9] Update ApiV1Dot1Controller, add domain to iar redirect --- app/Http/Controllers/Api/ApiV1Dot1Controller.php | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/app/Http/Controllers/Api/ApiV1Dot1Controller.php b/app/Http/Controllers/Api/ApiV1Dot1Controller.php index f63d69177..aa63e92e0 100644 --- a/app/Http/Controllers/Api/ApiV1Dot1Controller.php +++ b/app/Http/Controllers/Api/ApiV1Dot1Controller.php @@ -543,10 +543,10 @@ class ApiV1Dot1Controller extends Controller $user->password = Hash::make($password); $user->register_source = 'app'; $user->app_register_ip = $request->ip(); - $user->app_register_token = Str::random(32); + $user->app_register_token = Str::random(40); $user->save(); - $rtoken = Str::random(mt_rand(64, 70)); + $rtoken = Str::random(64); $verify = new EmailVerification(); $verify->user_id = $user->id; @@ -570,12 +570,9 @@ class ApiV1Dot1Controller extends Controller 'ut' => 'required', 'rt' => 'required' ]); - if(config('pixelfed.bouncer.cloud_ips.ban_signups')) { - abort_if(BouncerService::checkIp($request->ip()), 404); - } $ut = $request->input('ut'); $rt = $request->input('rt'); - $url = 'pixelfed://confirm-account/'. $ut . '?rt=' . $rt; + $url = 'pixelfed://confirm-account/'. $ut . '?rt=' . $rt . '&domain=' . config('pixelfed.domain.app'); return redirect()->away($url); } From 432acb491a49f6133cd281db01eac94c4ebaa458 Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Sun, 29 Oct 2023 04:07:04 -0600 Subject: [PATCH 4/9] Update ApiV1Dot1Controller, update iar redirect url format --- app/Http/Controllers/Api/ApiV1Dot1Controller.php | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/app/Http/Controllers/Api/ApiV1Dot1Controller.php b/app/Http/Controllers/Api/ApiV1Dot1Controller.php index aa63e92e0..9fdf927cd 100644 --- a/app/Http/Controllers/Api/ApiV1Dot1Controller.php +++ b/app/Http/Controllers/Api/ApiV1Dot1Controller.php @@ -11,6 +11,7 @@ use League\Fractal\Serializer\ArraySerializer; use League\Fractal\Pagination\IlluminatePaginatorAdapter; use App\AccountLog; use App\EmailVerification; +use App\Follower; use App\Place; use App\Status; use App\Report; @@ -21,6 +22,8 @@ use App\UserSetting; use App\Services\AccountService; use App\Services\StatusService; use App\Services\ProfileStatusService; +use App\Services\LikeService; +use App\Services\ReblogService; use App\Services\PublicTimelineService; use App\Services\NetworkTimelineService; use App\Util\Lexer\RestrictedNames; @@ -572,7 +575,12 @@ class ApiV1Dot1Controller extends Controller ]); $ut = $request->input('ut'); $rt = $request->input('rt'); - $url = 'pixelfed://confirm-account/'. $ut . '?rt=' . $rt . '&domain=' . config('pixelfed.domain.app'); + $params = http_build_query([ + 'ut' => $ut, + 'rt' => $rt, + 'domain' => config('pixelfed.domain.app') + ]); + $url = 'pixelfed://confirm-account/'. $ut . '?' . $params; return redirect()->away($url); } From 32496950661982aa3e56b41da7f34c4ebab9a908 Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Sun, 29 Oct 2023 04:50:20 -0600 Subject: [PATCH 5/9] Update ApiV1Dot1Controller, update iar redirect url format --- app/Http/Controllers/Api/ApiV1Dot1Controller.php | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/app/Http/Controllers/Api/ApiV1Dot1Controller.php b/app/Http/Controllers/Api/ApiV1Dot1Controller.php index 9fdf927cd..3eaa1d233 100644 --- a/app/Http/Controllers/Api/ApiV1Dot1Controller.php +++ b/app/Http/Controllers/Api/ApiV1Dot1Controller.php @@ -558,7 +558,12 @@ class ApiV1Dot1Controller extends Controller $verify->random_token = $rtoken; $verify->save(); - $appUrl = url('/api/v1.1/auth/iarer?ut=' . $user->app_register_token . '&rt=' . $rtoken); + $params = http_build_query([ + 'ut' => $user->app_register_token, + 'rt' => $rtoken, + 'ea' => base64_encode($user->email) + ]); + $appUrl = url('/api/v1.1/auth/iarer?'. $params); Mail::to($user->email)->send(new ConfirmAppEmail($verify, $appUrl)); @@ -571,14 +576,17 @@ class ApiV1Dot1Controller extends Controller { $this->validate($request, [ 'ut' => 'required', - 'rt' => 'required' + 'rt' => 'required', + 'ea' => 'required' ]); $ut = $request->input('ut'); $rt = $request->input('rt'); + $ea = $request->input('ea'); $params = http_build_query([ 'ut' => $ut, 'rt' => $rt, - 'domain' => config('pixelfed.domain.app') + 'domain' => config('pixelfed.domain.app'), + 'ea' => $ea ]); $url = 'pixelfed://confirm-account/'. $ut . '?' . $params; return redirect()->away($url); From 7cd9fa6e5bceec37ebee5dd24a5f8cb72f2257d9 Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Sun, 29 Oct 2023 05:27:12 -0600 Subject: [PATCH 6/9] Update pixelfed config --- config/pixelfed.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/pixelfed.php b/config/pixelfed.php index 521ccef71..b71d81c51 100644 --- a/config/pixelfed.php +++ b/config/pixelfed.php @@ -289,4 +289,6 @@ return [ 'app_registration_rate_limit_attempts' => env('PF_IAR_RL_ATTEMPTS', 3), 'app_registration_rate_limit_decay' => env('PF_IAR_RL_DECAY', 1800), + 'app_registration_confirm_rate_limit_attempts' => env('PF_IARC_RL_ATTEMPTS', 10), + 'app_registration_confirm_rate_limit_decay' => env('PF_IARC_RL_ATTEMPTS', 1800), ]; From 1686fc68e82c57301a779a0a20a7c63822caee18 Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Sun, 29 Oct 2023 05:28:13 -0600 Subject: [PATCH 7/9] Update pixelfed config --- config/pixelfed.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/pixelfed.php b/config/pixelfed.php index b71d81c51..fc7da598a 100644 --- a/config/pixelfed.php +++ b/config/pixelfed.php @@ -289,6 +289,6 @@ return [ 'app_registration_rate_limit_attempts' => env('PF_IAR_RL_ATTEMPTS', 3), 'app_registration_rate_limit_decay' => env('PF_IAR_RL_DECAY', 1800), - 'app_registration_confirm_rate_limit_attempts' => env('PF_IARC_RL_ATTEMPTS', 10), + 'app_registration_confirm_rate_limit_attempts' => env('PF_IARC_RL_ATTEMPTS', 20), 'app_registration_confirm_rate_limit_decay' => env('PF_IARC_RL_ATTEMPTS', 1800), ]; From 4c6a0719ca6cfb2a508bfa95cf1115f0cd401e2e Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Sun, 29 Oct 2023 05:29:30 -0600 Subject: [PATCH 8/9] Update ApiV1Dot1Controller, add configurable app confirm rate limit ttl --- app/Http/Controllers/Api/ApiV1Dot1Controller.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/Http/Controllers/Api/ApiV1Dot1Controller.php b/app/Http/Controllers/Api/ApiV1Dot1Controller.php index 3eaa1d233..298deb705 100644 --- a/app/Http/Controllers/Api/ApiV1Dot1Controller.php +++ b/app/Http/Controllers/Api/ApiV1Dot1Controller.php @@ -602,8 +602,8 @@ class ApiV1Dot1Controller extends Controller abort_if(BouncerService::checkIp($request->ip()), 404); } - $rl = RateLimiter::attempt('pf:apiv1.1:iarc:'.$request->ip(), 10, function(){}, 1800); - abort_if(!$rl, 400, 'Too many requests'); + $rl = RateLimiter::attempt('pf:apiv1.1:iarc:'.$request->ip(), config('pixelfed.app_registration_confirm_rate_limit_attempts', 20), function(){}, config('pixelfed.app_registration_confirm_rate_limit_decay', 1800)); + abort_if(!$rl, 429, 'Too many requests'); $this->validate($request, [ 'user_token' => 'required', From eb291efe00559bc4f59f46b1df94e1babcb8e06e Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Sun, 29 Oct 2023 05:29:56 -0600 Subject: [PATCH 9/9] Update changelog --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0cf4aa01f..dc2b6cb11 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -37,6 +37,9 @@ - Update lexer regex, fix mention regex and add more tests ([778e83d3](https://github.com/pixelfed/pixelfed/commit/778e83d3)) - Update StatusTransformer, generate autolink on request ([dfe2379b](https://github.com/pixelfed/pixelfed/commit/dfe2379b)) - Update ComposeModal component, fix multi filter bug and allow media re-ordering before upload/posting ([56e315f6](https://github.com/pixelfed/pixelfed/commit/56e315f6)) +- Update ApiV1Dot1Controller, allow iar rate limits to be configurable ([28a80803](https://github.com/pixelfed/pixelfed/commit/28a80803)) +- Update ApiV1Dot1Controller, add domain to iar redirect ([1f82d47c](https://github.com/pixelfed/pixelfed/commit/1f82d47c)) +- Update ApiV1Dot1Controller, add configurable app confirm rate limit ttl ([4c6a0719](https://github.com/pixelfed/pixelfed/commit/4c6a0719)) - ([](https://github.com/pixelfed/pixelfed/commit/)) ## [v0.11.9 (2023-08-21)](https://github.com/pixelfed/pixelfed/compare/v0.11.8...v0.11.9)