Commit Graph

33689 Commits

Author SHA1 Message Date
Anders Kaseorg 7a0a186e5f tsconfig: Remove redundant options.
`--jsx preserve` and `--removeComments false` are already the default.
`--strict` already implies `--noImplicitAny`, `--noImplicitThis`,
`--alwaysStrict`.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-10-30 13:12:54 -07:00
Anders Kaseorg 70f72a3ae8 security: Send SameSite=Lax cookies.
Send the `csrftoken` and `sessionid` cookies with `SameSite=Lax`.
This adds a layer of defense against CSRF attacks and matches the new
default in Django 2.1:

https://docs.djangoproject.com/en/2.1/releases/2.1/#samesite-cookies

This can be reverted when we upgrade to Django ≥ 2.1.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-10-30 13:12:11 -07:00
Anders Kaseorg 042c558bb3 eslint: Enable sort-imports rule.
I figure we should enable this before we have lots of imports.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-10-30 13:10:25 -07:00
Anders Kaseorg 0ae2c5c96e nginx: Enable TLS 1.3 if supported.
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-10-30 13:09:57 -07:00
Anders Kaseorg d577537304 pointer: Fix pointer update.
Commit d17b577d0c (#13321) incorrectly
transformed this line, even though I thought my script had a specific
guard against this.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-10-30 11:50:15 -07:00
Rafid Aslam 447f74ae63 Upgrade pika to 1.1.*.
Upgrade pika to 1.1.* and make some changes accordingly
to comply with the new version.

Fixes #12899.
2019-10-29 17:01:12 -07:00
Tim Abbott c7c6f01236 docs: Advertise SAML authentication as an official feature.
Fixes #13275.
2019-10-29 16:55:22 -07:00
Mateusz Mandera 4561652513 ldap docs: LDAP backend now works for initial realm creation.
Fixes #9576.

Initial realm creation now works fine with the LDAP backend, so the
part of the docs about needing to create the first realm with the
email backend is unnecessary and just complicates the setup process,
so it seems best to just remove it.
2019-10-29 16:21:58 -07:00
Tim Abbott 18b4a58bc2 docs: Update GSoC/GSoD ideas pages.
The main goal is to correct sections that clearly haven't been updated
since 6+ months ago.
2019-10-29 16:07:10 -07:00
Mateusz Mandera f229839022 docs: Document social_backends in /server_settings.
This updates the docs for the /server_settings endpoint to document the
newly added social_backends structure.
2019-10-29 15:57:29 -07:00
Hemanth V. Alluri ac9008f564 openapi: Update the test and python code example for get-all-users.
This is following the change to the /users endpoint where we allow
an optional parameter "include_custom_profile_fields" which would
allow the client to request for users' custom profile fields along
with their other standard data.
2019-10-29 15:41:35 -07:00
Hemanth V. Alluri c1370547d5 events: Only send bot_type for bots and thus remove the for_api param. 2019-10-29 15:41:35 -07:00
Hemanth V. Alluri fa6bd42f4c docs: Update the example for /users for custom profile fields.
The previous example no longer gives a good enough idea of what the user
can expect when the `include_custom_profile_fields` boolean parameter is
set to true.
2019-10-29 15:41:35 -07:00
Hemanth V. Alluri 5b3e346369 users: Send custom profile fields with the /profile endpoint. 2019-10-29 15:41:35 -07:00
Anders Kaseorg d6377b00c0 node_cache: Don’t retry copying node_modules; let yarn do its thing.
`copytree` throws an error if the target already exists, and we don’t
really want to rerun the copy anyway.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-10-29 12:30:28 -07:00
Anders Kaseorg d4443bc4f8 requirements: Upgrade Python requirements.
Addresses a potential Pillow DoS vulnerability, among other things.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-10-28 16:42:20 -07:00
Anders Kaseorg 2bbcd6ab34 bundles: Factor out portico bundle.
This adds translations.js to the digest entrypoint.  Presumably that’s
fine.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-10-28 15:53:15 -07:00
Anders Kaseorg fda70a5458 templates: Use just one webpack entry point per page.
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-10-28 15:53:15 -07:00
Anders Kaseorg f245fcf408 webpack: Enable code splitting and deduplication.
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-10-28 15:53:15 -07:00
Anders Kaseorg d1a3bf424a requirements: Use webpack4 fork of django-webpack-loader.
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-10-28 15:53:15 -07:00
Anders Kaseorg ee9a6071fd 5xx.html: Build with webpack.
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-10-28 15:53:15 -07:00
Anders Kaseorg f077508c6d test-backend, run-casper: Remove proxy vars instead of setting to "".
Setting http_proxy to the empty string caused a spurious error from
xmlsec:

>>> import os
>>> os.environ["http_proxy"] = ""
>>> import xmlsec
error : Unknown IO error

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-10-28 15:47:45 -07:00
Anders Kaseorg c3bf7c6889 webpack: Consolidate production and development plugin configuration.
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-10-28 15:39:34 -07:00
Anders Kaseorg 27fac76da8 styles: Move media queries into the files they override.
Webpack code splitting will make the inclusion order of CSS files less
obvious, and we need to guarantee that these rules follow the rules
they override.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-10-28 15:39:17 -07:00
Anders Kaseorg 3216dca6bb styles: Remove dead .screen-{full,medium,narrow}-show classes.
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-10-28 15:33:02 -07:00
Anders Kaseorg 51de011c07 styles: Remove conflicting .guest-avatar rules.
These were fighting with #avatar, #user-avatar-block,
.inline_profile_picture, .popover-avatar.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-10-28 15:33:02 -07:00
Tim Abbott 7a66dfa133 auth: Tweak docs now that SAML supports multiple IdPs. 2019-10-28 15:22:29 -07:00
Mateusz Mandera 9d14b50186 auth: Support not using an icon when rendering social login buttons.
Since we were using a placeholder emote for SAML, we change the
defaults to no icon now that it's possible.
2019-10-28 15:14:57 -07:00
Mateusz Mandera b870816a75 saml: Sanity-check configuration in both login and signup codepaths. 2019-10-28 15:11:19 -07:00
Mateusz Mandera db29fcbbc4 auth: Add social_backends to /server_settings. 2019-10-28 15:11:19 -07:00
Mateusz Mandera 892d25faa1 auth: Change SAML login url scheme, enabling multiple IdP support.
The url scheme is now /accounts/login/social/saml/{idp_name} to initiate
login using the IdP configured under "idp_name" name.

display_name and display_logo (the name and icon to show on the "Log in
with" button) can be customized by adding the apprioprate settings in
the configured IdP dictionaries.
2019-10-28 15:09:42 -07:00
Mateusz Mandera 28dd1b34f2 auth: Refactor social login rendering.
login_context now gets the social_backends list through
get_social_backend_dicts and we  move display_logo customization
to backend class definition.

This prepares for easily adding multiple IdP support in SAML
authentication - there will be a social_backend dict for each configured
IdP, also allowing display_name and icon customization per IdP.
2019-10-28 15:06:26 -07:00
Mateusz Mandera 9532e99800 saml: Give SAMLAuthBackend highest sort_order. 2019-10-28 15:06:26 -07:00
David Rosa 3fb2339511 docs: Fix formatting of warnings.
Fixes warning formatting in testing.md and setup-advanced.md
with reStructured Text so that the warnings stand out.
2019-10-28 15:03:55 -07:00
Anders Kaseorg ed607bee2c emoji_picker: Clear search_results by assigning 0 to its length.
This will allow `search_results` to be `const`, which works around a
future ESLint complaint.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-10-28 15:02:43 -07:00
Anders Kaseorg 02004c9b0f js: Convert self-referential vars to const.
ESLint won’t convert these automatically because it can’t rule out a
behavior difference arising from an access to a self-referential var
before it’s initialized:

> var x = (f => f())(() => x);
undefined
> let y = (f => f())(() => y);
Thrown:
ReferenceError: Cannot access 'y' before initialization
    at repl:1:26
    at repl:1:15

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-10-28 15:02:43 -07:00
Anders Kaseorg 7ae84d5ce1 js: Break lines that become too long after converting var to const.
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-10-28 15:02:43 -07:00
Anders Kaseorg 4d37dfcf85 js: Convert vars declared separately and assigned once to const.
Because of the separate declarations, ESLint would convert them to
`let` and then trigger the `prefer-const` error.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-10-28 15:02:43 -07:00
Anders Kaseorg c3b4c0a229 frontend_tests: Use let with explicit null in components test.
Even though this variable was only assigned once, it was accessed
before its initialization, so it couldn’t be converted directly to
`let` or `const`.  Use `let` with an explicit `null` to make it
clearer what’s going on and satisfy ESLint.  (Why not `undefined`?
There’s an ESLint rule against that too.)

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-10-28 15:02:43 -07:00
Anders Kaseorg a547413347 js: Add braces to case blocks declaring variables.
This helps to prepare for the migration of `var` to `let` and `const`.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-10-28 15:02:43 -07:00
Jan Koscisz 12bd3c04c0 integration: Fix missing taiga test action.
Previously testing webhook from taiga site would result in error.
This adds missing 'test' action to taiga webhooks.

Fixes #13317.
2019-10-28 14:58:24 -07:00
Anders Kaseorg d17b577d0c js: Purge useless IIFEs.
With webpack, variables declared in each file are already file-local
(Global variables need to be explicitly exported), so these IIFEs are
no longer needed.

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
2019-10-25 13:51:21 -07:00
Anders Kaseorg 5f590d3500 js: Remove /* eslint indent: "off" */ comments.
The time has come to dedent these files.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-10-25 13:21:43 -07:00
Mateusz Mandera 8c065d1fcd ldap: Ensure django_to_ldap_username returns username that is in ldap.
This changes the way django_to_ldap_username works to make sure the ldap
username it returns actually has a corresponding ldap entry and raise an
exception if that's not possible. It seems to be a more sound approach
than just having it return its best guess - which was the case so far.
Now there is a guarantee that what it returns is the username of an
actual ldap user.

This allows communicating to the registration flow when the email being
registered doesn't belong to ldap, which then will proceed to register
it via the normal email backend flow - finally fixing the bug where you
couldn't register a non-ldap email even with the email backend enabled.

These changes to the behavior of django_to_ldap_username require small
refactorings in a couple of other functions that call it, as well as
adapting some tests to these changes. Finally, additional tests are
added for the above-mentioned registration flow behavior and some
related corner-cases.
2019-10-25 12:14:51 -07:00
Greg Price 3a74de2ade shared: Bump version to 0.0.2.
This will let us update mobile to use this version.
2019-10-24 14:56:56 -07:00
Greg Price 71596648c2 typing_status: Switch sentinel "recipient" value to `null`.
This feels a bit more semantically appropriate: it more clearly says
"here's some information: there is no (relevant) recipient", rather
than "no information available".  (Both `null` and `undefined` in JS
can have either meaning, but `undefined` especially commonly means
the latter.)

Concretely, it ensures a bit more explicitness where the value
originates: a bare `return;` becomes `return null;`, reflecting the
fact that it is returning a quite informative value.

Also make the implementation more explicit about what's expected here,
replacing truthiness tests with `!== null`.  (A bit more idiomatic
would be `!= null`, which is equivalent when the value is well-typed
and a bit more robust to ill-typing bugs.  But lint complains about
that version.)
2019-10-24 14:56:56 -07:00
Greg Price a191890213 typing_status: Fold `stop` into main method `update`.
It'd already been the case for some while that calling `stop` had the
same effect as calling `update` (previously `handle_text_input`) with
a falsy recipient.  With the API changes in the previous few commits,
this becomes quite natural to make explicit in the API.
2019-10-24 14:56:56 -07:00
Greg Price e639b0a6f8 typing_status: Write jsdoc for main entry point, and rename.
This was named after when it gets called from the UI, rather than
after what it can be expected to do.

Naming it after what it's meant to do -- and giving a summary line to
expand on that -- provides a more helpful semantic idea for reasoning
about the function.  Doubly so for using the function in a different
client with its own UI, like the mobile app.
2019-10-24 14:56:56 -07:00
Greg Price dcb5bb7914 typing_status: Combine two parameters into one, with a maybe-type.
The main motivation for this change is to simplify this interface
and make it easier to reason about.

The case where it affects the behavior is when
is_valid_conversation() returns false, while current_recipient
and get_recipient() agree on some truthy value.

This means the message-content textarea is empty -- in fact the
user just cleared it, because we got here from an input event on
it -- but the compose box is still open to some PM thread that we
have a typing notification still outstanding for.

The old behavior is that in this situation we would ignore the
fact that the content was empty, and go ahead and prolong the
typing notification, by updating our timer and possibly sending a
"still typing" notice.

This contrasts with the behavior (both old and new) in the case
where the content is empty and we *don't* already have an
outstanding typing notification, or we have one to some other
thread.  In that case, we cancel any existing notification and
don't start a new one, exactly as if `stop` were called
(e.g. because the user closed the compose box.)

The new behavior is that we always treat clearing the input as
"stopped typing": not only in those cases where we already did,
but also in the case where we still have the same recipients.
(Which seems like probably the common case.)

That seems like the preferable behavior; indeed it's hard to see
the point of the "compose_empty" logic if restricted to the other
cases.  It also makes the interface simpler.

Those two properties don't seem like a coincidence, either: the
complicated interface made it difficult to unpack exactly what
logic we actually had, which made it easy for surprising wrinkles
to hang out indefinitely.
2019-10-24 14:56:56 -07:00
Greg Price dcccef9b3a typing_status: Make some test cases slightly less artificial.
All these cases are meant to simulate having a user actually typing a
message to some actual recipients, so the `conversation_is_valid`
parameter would be true.

We make this change so that in an upcoming change that eliminates this
parameter, the adjustments to the test cases can be highly regular and
we don't have to introduce a new wrinkle to correspond to these values
being false.
2019-10-24 14:56:56 -07:00