From 38f3393e934330454fb942048c19ee5640563a08 Mon Sep 17 00:00:00 2001 From: rinpatch Date: Tue, 14 May 2019 22:47:23 +0300 Subject: [PATCH 1/2] Make rate limiting for Mastodon Registration API less aggressive and enable it by default. As discussed on IRC. Unlike Mastodon, our web interface for registrations is using the same APIs regular apps would be using, so 5 requests per 30 minutes per IP could hurt valid use-cases when Pleroma-FE switches to it. Also enable the endpoint by default, it makes no sense to have it disabled when 1. TwitterAPI endpoint is there and always enabled 2. Unlike Mastodon, there is no way to get an account without using the APIs (makes me wonder why the setting is even there) Also in this commit: minor changelog improvements. --- CHANGELOG.md | 12 ++++++------ config/config.exs | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 17e913648..c563c39da 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -22,16 +22,16 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). - Admin API: Endpoints for listing/revoking invite tokens - Admin API: Endpoints for making users follow/unfollow each other - Admin API: added filters (role, tags, email, name) for users endpoint +- AdminFE: initial release with basic user management accessible at /pleroma/admin/ - Mastodon API: [Scheduled statuses](https://docs.joinmastodon.org/api/rest/scheduled-statuses/) - Mastodon API: `/api/v1/notifications/destroy_multiple` (glitch-soc extension) - Mastodon API: `/api/v1/pleroma/accounts/:id/favourites` (API extension) - Mastodon API: [Reports](https://docs.joinmastodon.org/api/rest/reports/) -- Mastodon API: REST API for creating an account +- Mastodon API: `POST /api/v1/accounts` (account creation API) - ActivityPub C2S: OAuth endpoints -- Metadata RelMe provider +- Metadata: RelMe provider - OAuth: added support for refresh tokens - Emoji packs and emoji pack manager -- AdminFE: initial release with basic user management accessible at /pleroma/admin/ ### Changed - **Breaking:** Configuration: move from Pleroma.Mailer to Pleroma.Emails.Mailer 
@@ -44,8 +44,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). - Federation: Removed `inReplyToStatusId` from objects - Configuration: Dedupe enabled by default - Configuration: Added `extra_cookie_attrs` for setting non-standard cookie attributes. Defaults to ["SameSite=Lax"] so that remote follows work. -- Pleroma API: Support for emoji tags in `/api/pleroma/emoji` resulting in a breaking API change - Timelines: Messages involving people you have blocked will be excluded from the timeline in all cases instead of just repeats. +- Admin API: Move the user related API to `api/pleroma/admin/users` +- Pleroma API: Support for emoji tags in `/api/pleroma/emoji` resulting in a breaking API change - Mastodon API: Support for `exclude_types`, `limit` and `min_id` in `/api/v1/notifications` - Mastodon API: Add `languages` and `registrations` to `/api/v1/instance` - Mastodon API: Provide plaintext versions of cw/content in the Status entity @@ -63,7 +64,6 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). - Deps: Updated Cowboy to 2.6 - Deps: Updated Ecto to 3.0.7 - Don't ship finmoji by default, they can be installed as an emoji pack -- Admin API: Move the user related API to `api/pleroma/admin/users` - Hide deactivated users and their statuses ### Fixed @@ -71,7 +71,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). - Followers counter not being updated when a follower is blocked - Deactivated users being able to request an access token - Limit on request body in rich media/relme parsers being ignored resulting in a possible memory leak -- proper Twitter Card generation instead of a dummy +- Proper Twitter Card generation instead of a dummy - Deletions failing for users with a large number of posts - NodeInfo: Include admins in `staffAccounts` - ActivityPub: Crashing when requesting empty local user's outbox 
diff --git a/config/config.exs b/config/config.exs index 8d44c96de..32c7fecb8 100644 --- a/config/config.exs +++ b/config/config.exs @@ -239,7 +239,7 @@ safe_dm_mentions: false, healthcheck: false -config :pleroma, :app_account_creation, enabled: false, max_requests: 5, interval: 1800 +config :pleroma, :app_account_creation, enabled: true, max_requests: 25, interval: 1800 config :pleroma, :markup, # XXX - unfortunately, inline images must be enabled by default right now, because From 2ca8d20053ef2abda070b8aba0e6937cf2f07991 Mon Sep 17 00:00:00 2001 From: rinpatch Date: Tue, 14 May 2019 23:16:34 +0300 Subject: [PATCH 2/2] Fix rate-limiting tests --- config/test.exs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/test.exs b/config/test.exs index f93bc5994..a0c90c371 100644 --- a/config/test.exs +++ b/config/test.exs @@ -59,6 +59,8 @@ total_user_limit: 3, enabled: false +config :pleroma, :app_account_creation, max_requests: 5 + try do import_config "test.secret.exs" rescue
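Review bot: the CHANGELOG hunk at @@ -22,16 +22,16 @@ renames the account-creation entry to `POST /api/v1/accounts` but records nothing about the behavioural change this same commit makes in config/config.exs, where `:app_account_creation` goes from `enabled: false, max_requests: 5` to `enabled: true, max_requests: 25`. Turning a previously opt-in, unauthenticated registration endpoint on by default is exactly the kind of change operators scan the Changed section for before upgrading; suggest adding a line there along the lines of "- Configuration: `:app_account_creation` is now enabled by default, with the limit raised to 25 requests per 30 minutes per IP".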
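Review bot: in the @@ -44,8 +44,9 @@ hunk the re-added line "- Pleroma API: Support for emoji tags in `/api/pleroma/emoji` resulting in a breaking API change" describes a breaking change without the `**Breaking:**` prefix that the same section uses a few lines up ("- **Breaking:** Configuration: move from Pleroma.Mailer to Pleroma.Emails.Mailer"). Since the line is being moved anyway, this is the moment to make it "- **Breaking:** Pleroma API: Support for emoji tags in `/api/pleroma/emoji`" so that breaking entries are marked consistently and the trailing clause becomes redundant.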
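Review bot: the config/config.exs hunk flips `:app_account_creation` to `enabled: true` and raises `max_requests` to 25 with no accompanying comment, so a reader of the defaults cannot tell that `interval: 1800` is in seconds (the commit message's "per 30 minutes") or that the count is applied per client IP. Suggest a short comment above the setting stating the unit of `interval`, that the limit is per IP, and what the default amounts to (25 registrations per 30 minutes, i.e. up to 1200 per day, from a single address), since this is now the only throttle on account creation that every instance gets out of the box.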
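Review bot: the config/test.exs hunk pins `max_requests: 5` for the test suite, i.e. the pre-commit value, instead of adjusting the tests to the new default of 25 from config/config.exs. That keeps the suite green but means the tests exercise a limit no instance runs with by default, and the override leaves `enabled` unset, so the suite silently inherits `enabled: true` from config.exs. Suggest either having the rate-limiting test read the configured `max_requests` and loop to it so no override is needed, or setting `enabled: true` explicitly next to `max_requests: 5` so the test configuration is self-describing.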