Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix domains that start with UTF character #3560

Merged
merged 9 commits into from
Dec 4, 2023
Merged

Fix domains that start with UTF character #3560

merged 9 commits into from
Dec 4, 2023

Conversation

ukutaht
Copy link
Contributor

@ukutaht ukutaht commented Nov 27, 2023
edited

Changes

Currently the whole settings are is broken when the site.domain starts with a special character like ä.

The issue seems to be Phoenix itself being a bit too eager in a security check: phoenixframework/phoenix#5508

Unfortunately it hasn't been fixed yet in Phoenix. The fix is to use redirect(external: ) rather than redirect(to: ) since the former will skip the problematic security check.

Tests

  • Automated tests have been added

Changelog

  • Entry has been added to changelog

Documentation

  • This change does not need a documentation update

Dark mode

  • This PR does not change the UI

@ukutaht ukutaht changed the title Fix unicode domains Fix domains that start with UTF character Nov 27, 2023
@zoldar
Copy link
Contributor

zoldar commented Nov 28, 2023

I'm wondering if it wouldn't be better to encode and decode the domain using IDNA encoding (aka punycode) instead 🤔

iex(5)> :idna.encode("zaęółć.pl")
~c"xn--za-6ja4f2d1l.pl"
iex(6)> :idna.encode("zaęółć.pl") |> :idna.decode |> to_string
"zaęółć.pl"

For reference:

@ukutaht
Copy link
Contributor Author

ukutaht commented Nov 28, 2023

I'm wondering if it wouldn't be better to encode and decode the domain using IDNA encoding (aka punycode) instead 🤔

What I like about the current approach is that the domain name is displayed in the most 'native' format for the user.

Screenshot 2023-11-28 at 12 11 36

Also we need to encode / as part of the domain. I don't think punycode supports that?

@zoldar
Copy link
Contributor

zoldar commented Nov 28, 2023

Also we need to encode / as part of the domain. I don't think punycode supports that?

Ah, you are right, I forgot we support that 🤦

@aerosol
Copy link
Member

aerosol commented Nov 28, 2023

I went ahead trying to change the domain from ąęćż.pl to ćććąęćż.pl and upon submitting the domain change form got this:

image

Same with Reset Stats in the Danger Zone.

aerosol
aerosol reviewed Nov 28, 2023
View reviewed changes
test/support/factory.ex Outdated Show resolved Hide resolved
@ukutaht
Copy link
Contributor Author

ukutaht commented Nov 28, 2023

@aerosol Thanks for the review. Fixes for the remaining errors:

92b6a77
cbfb2c7

aerosol
aerosol approved these changes Nov 29, 2023
View reviewed changes
Copy link
Member

@aerosol aerosol left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, although there's some conflict now

@ukutaht ukutaht merged commit 44d71c8 into master Dec 4, 2023
5 checks passed
@ukutaht ukutaht deleted the fix-unicode-domains branch December 4, 2023 12:22
@aerosol aerosol mentioned this pull request Dec 4, 2023
Merged
9 tasks
zoldar added a commit that referenced this pull request Dec 4, 2023
@zoldar
Change redirect after login to accept URLs from #3560 (h/t @aerosol)
88a25f6
zoldar added a commit that referenced this pull request Dec 5, 2023
@zoldar
Change redirect after login to accept URLs from #3560 (h/t @aerosol)
c39f116
zoldar added a commit that referenced this pull request Dec 5, 2023
@zoldar
Change redirect after login to accept URLs from #3560 (h/t @aerosol)
7575c0d
zoldar added a commit that referenced this pull request Dec 6, 2023
@zoldar @aerosol
Implement UI for 2FA setup and verification (#3541)
da0fa6c 
* Add 2FA actions to `AuthController`

* Hook up new `AuthController` actions to router

* Add `qr_code` to project dependencies

* Implement generic `qr_code` component rendering SVG QR code from text

* Implement enabled and disabled 2FA setting state in user settings view

* Implement view for initiating 2FA setup

* Implement view for verifying 2FA setup

* Implement view for rendering generated 2FA recovery codes

* Implement view for verifying 2FA code

* Implement view for verifying 2FA recovery code

* Improve `input_with_clipboard` component

* Improve view for initiating 2FA setup

* Improve verify 2FA setup view

* Implement `verify_2fa_input` component

* Improve view for verifying 2FA setup

* Improve view rendering generated 2FA recovery codes

* Use `verify_2fa_input` component in verify 2FA view

* Do not render PA contact on self-hosted instances

* Improve flash message phrasing on generated recovery codes

* Add byline with a warning to disable 2FA modal

* Extract modal to component and move 2FA components to dedicated module

* First pass on loading state for "generate new codes"

* Adjust modal button logic

* Fix button in verify_2fa_input component

* Use button component in activate view

* Implement wait states for recovery code related actions properly

* Apply rate limiting to 2FA verification

* Log failed 2FA code input attempts

* Add ability to trust device and skip 2FA for 30 days

* Improve styling in dark mode

* Fix waiting state under Chrome and Safari

* Delete trust cookie when disabling 2FA

* Put 2FA behind a feature flag

* Extract 2FA cookie deletion

* ff fixup

* Improve session management during 2FA login

* Extract part of 2FA controller logic to a separate module and clean up a bit

* Clear 2FA user session when rate limit hit

* Add id to form in verify 2FA setup view

* Add controller tests for 2FA actions and login action

* Update CHANGELOG.md

* Use `full_build?()` instead of `@is_selfhost` removed after rebase

* Update `Auth.TOTP` moduledoc

* Add TOTP token management and make `TOTP.enable` more test-friendly

* Use TOTP token for device trust feature

* Use zero-deps `eqrcode` instead of deps-heavy `qr_code`

* Improve flash messages copy

Co-authored-by: hq1 <hq@mtod.org>

* Make one more copy improvement

Co-authored-by: hq1 <hq@mtod.org>

* Fix copy in remaining spots

* Change redirect after login to accept URLs from #3560 (h/t @aerosol)

* Add tests checking handling login_dest on login and 2FA verification

* Fix regression in email activation form submit button behavior

* Rename `PlausibleWeb.TwoFactor` -> `PlausibleWeb.TwoFactor.Session`

* Move `qr_code` component under `Components.TwoFactor`

* Set domain and secure options for new cookies

---------

Co-authored-by: hq1 <hq@mtod.org>
@aerosol aerosol mentioned this pull request Mar 20, 2024
Merged
1 task
@zoldar zoldar mentioned this pull request Mar 21, 2024
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aerosol aerosol aerosol approved these changes

@zoldar zoldar zoldar approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@ukutaht @zoldar @aerosol