Merge branch 'main' into change-search-column-types

Author: mattwoberts

README.md

@@ -41,7 +41,7 @@ If you do self-host and enjoy Fider, please [let us know where you're using it](
 
 # 💰 Donations and Sponsors
 
-Supoprt the development of Fider to help us make it the best feedback tool! You can set up donations as small or large as you want to help us keep Fider going. [Donate](https://opencollective.com/fider)
+Support the development of Fider to help us make it the best feedback tool! You can set up donations as small or large as you want to help us keep Fider going. [Donate](https://opencollective.com/fider)
 
 If your organization uses Fider, consider becoming a sponsor - set up a monthly donation and get your logo and link on the README. [Become a sponsor](https://opencollective.com/fider)
 

app/actions/signin.go

@@ -16,11 +16,13 @@ import (
 type SignInByEmail struct {
 	Email            string `json:"email" format:"lower"`
 	VerificationCode string
+	LinkKey          string
 }
 
 func NewSignInByEmail() *SignInByEmail {
 	return &SignInByEmail{
 		VerificationCode: entity.GenerateEmailVerificationCode(),
+		LinkKey:          entity.GenerateEmailVerificationKey(),
 	}
 }
 
@@ -118,11 +120,13 @@ type SignInByEmailWithName struct {
 	Email            string `json:"email" format:"lower"`
 	Name             string `json:"name"`
 	VerificationCode string
+	LinkKey          string
 }
 
 func NewSignInByEmailWithName() *SignInByEmailWithName {
 	return &SignInByEmailWithName{
 		VerificationCode: entity.GenerateEmailVerificationCode(),
+		LinkKey:          entity.GenerateEmailVerificationKey(),
 	}
 }
 

app/handlers/admin.go

@@ -36,10 +36,10 @@ func AdvancedSettingsPage() web.HandlerFunc {
 			Page:  "Administration/pages/AdvancedSettings.page",
 			Title: "Advanced · Site Settings",
 			Data: web.Map{
-				"customCSS":      c.Tenant().CustomCSS,
-				"allowedSchemes": c.Tenant().AllowedSchemes,
-				"licenseKey":     billingState.Result.LicenseKey,
-				"isCommercial":   c.Tenant().IsCommercial,
+				"customCSS":              c.Tenant().CustomCSS,
+				"allowedSchemes":         c.Tenant().AllowedSchemes,
+				"licenseKey":             billingState.Result.LicenseKey,
+				"hasCommercialFeatures": c.Tenant().HasCommercialFeatures,
 			},
 		})
 	}

app/handlers/billing.go

@@ -27,9 +27,9 @@ func ManageBilling() web.HandlerFunc {
 			Data: web.Map{
 				"stripeCustomerID":     billingState.Result.CustomerID,
 				"stripeSubscriptionID": billingState.Result.SubscriptionID,
-				"licenseKey":           billingState.Result.LicenseKey,
-				"paddleSubscriptionID": billingState.Result.PaddleSubscriptionID,
-				"isCommercial":         c.Tenant().IsCommercial,
+				"licenseKey":              billingState.Result.LicenseKey,
+				"paddleSubscriptionID":    billingState.Result.PaddleSubscriptionID,
+				"hasCommercialFeatures":   c.Tenant().HasCommercialFeatures,
 			},
 		})
 	}

app/handlers/signin.go

@@ -87,15 +87,16 @@ func SignInByEmail() web.HandlerFunc {
 		// Only send code if user exists
 		if userExists {
 			err := bus.Dispatch(c, &cmd.SaveVerificationKey{
-				Key:      action.VerificationCode,
+				Key:      action.LinkKey,
+				Code:     action.VerificationCode,
 				Duration: 15 * time.Minute,
 				Request:  action,
 			})
 			if err != nil {
 				return c.Failure(err)
 			}
 
-			c.Enqueue(tasks.SendSignInEmail(action.Email, action.VerificationCode))
+			c.Enqueue(tasks.SendSignInEmail(action.Email, action.LinkKey, action.VerificationCode))
 		}
 
 		return c.Ok(web.Map{
@@ -129,15 +130,16 @@ func SignInByEmailWithName() web.HandlerFunc {
 
 		// Save verification with name
 		err = bus.Dispatch(c, &cmd.SaveVerificationKey{
-			Key:      action.VerificationCode,
+			Key:      action.LinkKey,
+			Code:     action.VerificationCode,
 			Duration: 15 * time.Minute,
 			Request:  action,
 		})
 		if err != nil {
 			return c.Failure(err)
 		}
 
-		c.Enqueue(tasks.SendSignInEmail(action.Email, action.VerificationCode))
+		c.Enqueue(tasks.SendSignInEmail(action.Email, action.LinkKey, action.VerificationCode))
 
 		return c.Ok(web.Map{})
 	}
@@ -169,18 +171,20 @@ func VerifySignInCode() web.HandlerFunc {
 
 		result := verification.Result
 
-		// Check if already verified (with grace period)
+		// Code is single-use: reject if already verified
 		if result.VerifiedAt != nil {
-			if time.Since(*result.VerifiedAt) > 5*time.Minute {
-				return c.Gone()
-			}
-		} else {
-			// Check if expired
-			if time.Now().After(result.ExpiresAt) {
-				// Mark as verified to prevent reuse
-				_ = bus.Dispatch(c, &cmd.SetKeyAsVerified{Key: action.Code})
-				return c.Gone()
-			}
+			return c.BadRequest(web.Map{
+				"code": "Invalid or expired verification code",
+			})
+		}
+
+		// Check if expired
+		if time.Now().After(result.ExpiresAt) {
+			// Mark as verified to prevent reuse
+			_ = bus.Dispatch(c, &cmd.SetKeyAsVerified{Key: result.Key})
+			return c.BadRequest(web.Map{
+				"code": "Invalid or expired verification code",
+			})
 		}
 
 		// Check if user exists
@@ -207,7 +211,7 @@ func VerifySignInCode() web.HandlerFunc {
 					}
 
 					// Mark code as verified
-					err = bus.Dispatch(c, &cmd.SetKeyAsVerified{Key: action.Code})
+					err = bus.Dispatch(c, &cmd.SetKeyAsVerified{Key: result.Key})
 					if err != nil {
 						return c.Failure(err)
 					}
@@ -226,7 +230,7 @@ func VerifySignInCode() web.HandlerFunc {
 		}
 
 		// Mark code as verified
-		err = bus.Dispatch(c, &cmd.SetKeyAsVerified{Key: action.Code})
+		err = bus.Dispatch(c, &cmd.SetKeyAsVerified{Key: result.Key})
 		if err != nil {
 			return c.Failure(err)
 		}
@@ -254,7 +258,8 @@ func ResendSignInCode() web.HandlerFunc {
 
 		// Save new verification code
 		err := bus.Dispatch(c, &cmd.SaveVerificationKey{
-			Key:      action.VerificationCode,
+			Key:      action.LinkKey,
+			Code:     action.VerificationCode,
 			Duration: 15 * time.Minute,
 			Request:  action,
 		})
@@ -263,7 +268,7 @@ func ResendSignInCode() web.HandlerFunc {
 		}
 
 		// Send new email
-		c.Enqueue(tasks.SendSignInEmail(action.Email, action.VerificationCode))
+		c.Enqueue(tasks.SendSignInEmail(action.Email, action.LinkKey, action.VerificationCode))
 
 		return c.Ok(web.Map{})
 	}

app/handlers/signin_test.go

@@ -57,7 +57,8 @@ func TestSignInByEmailHandler_ExistingUser(t *testing.T) {
 		ExecutePost(handlers.SignInByEmail(), `{ "email": "jon.snow@got.com" }`)
 
 	Expect(code).Equals(http.StatusOK)
-	Expect(saveKeyCmd.Key).HasLen(6)
+	Expect(saveKeyCmd.Key).HasLen(64)
+	Expect(saveKeyCmd.Code).HasLen(6)
 	Expect(saveKeyCmd.Request.GetKind()).Equals(enum.EmailVerificationKindSignIn)
 	Expect(saveKeyCmd.Request.GetEmail()).Equals("jon.snow@got.com")
 	Expect(response.Body.String()).ContainsSubstring(`"userExists":true`)
@@ -98,7 +99,8 @@ func TestSignInByEmailWithNameHandler_NewUser(t *testing.T) {
 		ExecutePost(handlers.SignInByEmailWithName(), `{ "email": "new.user@got.com", "name": "New User" }`)
 
 	Expect(code).Equals(http.StatusOK)
-	Expect(saveKeyCmd.Key).HasLen(6)
+	Expect(saveKeyCmd.Key).HasLen(64)
+	Expect(saveKeyCmd.Code).HasLen(6)
 	Expect(saveKeyCmd.Request.GetKind()).Equals(enum.EmailVerificationKindSignIn)
 	Expect(saveKeyCmd.Request.GetEmail()).Equals("new.user@got.com")
 	Expect(saveKeyCmd.Request.GetName()).Equals("New User")
@@ -820,7 +822,7 @@ func TestVerifySignInCodeHandler_ExpiredCode(t *testing.T) {
 		OnTenant(mock.DemoTenant).
 		ExecutePost(handlers.VerifySignInCode(), `{ "email": "jon.snow@got.com", "code": "123456" }`)
 
-	Expect(code).Equals(http.StatusGone)
+	Expect(code).Equals(http.StatusBadRequest)
 }
 
 func TestVerifySignInCodeHandler_CorrectCode_ExistingUser(t *testing.T) {
@@ -951,6 +953,29 @@ func TestVerifySignInCodeHandler_CorrectCode_NewUser_PrivateTenant(t *testing.T)
 	Expect(code).Equals(http.StatusForbidden)
 }
 
+func TestVerifySignInCodeHandler_AlreadyVerifiedCode_ShouldReject(t *testing.T) {
+	RegisterT(t)
+
+	verifiedAt := time.Now().Add(-1 * time.Minute)
+	bus.AddHandler(func(ctx context.Context, q *query.GetVerificationByEmailAndCode) error {
+		q.Result = &entity.EmailVerification{
+			Email:      "jon.snow@got.com",
+			Key:        "some-long-link-key",
+			CreatedAt:  time.Now().Add(-10 * time.Minute),
+			ExpiresAt:  time.Now().Add(5 * time.Minute),
+			VerifiedAt: &verifiedAt,
+		}
+		return nil
+	})
+
+	server := mock.NewServer()
+	code, _ := server.
+		OnTenant(mock.DemoTenant).
+		ExecutePost(handlers.VerifySignInCode(), `{ "email": "jon.snow@got.com", "code": "123456" }`)
+
+	Expect(code).Equals(http.StatusBadRequest)
+}
+
 func TestResendSignInCodeHandler_ValidEmail(t *testing.T) {
 	RegisterT(t)
 
@@ -966,7 +991,8 @@ func TestResendSignInCodeHandler_ValidEmail(t *testing.T) {
 		ExecutePost(handlers.ResendSignInCode(), `{ "email": "jon.snow@got.com" }`)
 
 	Expect(code).Equals(http.StatusOK)
-	Expect(saveKeyCmd.Key).HasLen(6)
+	Expect(saveKeyCmd.Key).HasLen(64)
+	Expect(saveKeyCmd.Code).HasLen(6)
 	Expect(saveKeyCmd.Request.GetKind()).Equals(enum.EmailVerificationKindSignIn)
 	Expect(saveKeyCmd.Request.GetEmail()).Equals("jon.snow@got.com")
 }

app/models/cmd/tenant.go

@@ -47,6 +47,7 @@ type ActivateTenant struct {
 
 type SaveVerificationKey struct {
 	Key      string
+	Code     string
 	Duration time.Duration
 	Request  NewEmailVerification
 }

app/models/entity/tenant.go

@@ -22,8 +22,8 @@ type Tenant struct {
 	IsEmailAuthAllowed  bool              `json:"isEmailAuthAllowed"`
 	IsFeedEnabled       bool              `json:"isFeedEnabled"`
 	PreventIndexing     bool              `json:"preventIndexing"`
-	IsModerationEnabled bool              `json:"isModerationEnabled"`
-	IsCommercial        bool              `json:"isCommercial"`
+	IsModerationEnabled      bool              `json:"isModerationEnabled"`
+	HasCommercialFeatures    bool              `json:"hasCommercialFeatures"`
 }
 
 func (t *Tenant) IsDisabled() bool {

app/pkg/web/testdata/home_ssr.html

@@ -45,7 +45,7 @@ <h2 class="text-display2">Please enable JavaScript</h2>
 
   <script id="server-data" type="application/json">
 
-  {"contextID":"CONTEXT_ID","description":"My Page Description","page":"Test.page","props":{"countPerStatus":{},"posts":[],"tags":[]},"sessionID":"","settings":{"allowAllowedSchemes":true,"assetsURL":"https://demo.test.fider.io:3000","baseURL":"https://demo.test.fider.io:3000","domain":".test.fider.io","environment":"test","googleAnalytics":"","hasLegal":true,"isBillingEnabled":false,"locale":"en","localeDirection":"ltr","mode":"multi","oauth":[],"postWithTags":true},"tenant":{"id":0,"name":"","subdomain":"","invitation":"","welcomeMessage":"","welcomeHeader":"","cname":"","status":0,"locale":"en","isPrivate":false,"logoBlobKey":"","allowedSchemes":"","isEmailAuthAllowed":false,"isFeedEnabled":false,"preventIndexing":false,"isModerationEnabled":false,"isCommercial":false},"title":"My Page Title · "}
+  {"contextID":"CONTEXT_ID","description":"My Page Description","page":"Test.page","props":{"countPerStatus":{},"posts":[],"tags":[]},"sessionID":"","settings":{"allowAllowedSchemes":true,"assetsURL":"https://demo.test.fider.io:3000","baseURL":"https://demo.test.fider.io:3000","domain":".test.fider.io","environment":"test","googleAnalytics":"","hasLegal":true,"isBillingEnabled":false,"locale":"en","localeDirection":"ltr","mode":"multi","oauth":[],"postWithTags":true},"tenant":{"id":0,"name":"","subdomain":"","invitation":"","welcomeMessage":"","welcomeHeader":"","cname":"","status":0,"locale":"en","isPrivate":false,"logoBlobKey":"","allowedSchemes":"","isEmailAuthAllowed":false,"isFeedEnabled":false,"preventIndexing":false,"isModerationEnabled":false,"hasCommercialFeatures":false},"title":"My Page Title · "}
 
   </script>
 

app/pkg/web/testdata/tenant.html

@@ -45,7 +45,7 @@ <h2 class="text-display2">Please enable JavaScript</h2>
 
   <script id="server-data" type="application/json">
 
-  {"contextID":"CONTEXT_ID","page":"","props":{},"sessionID":"","settings":{"allowAllowedSchemes":true,"assetsURL":"https://demo.test.fider.io:3000","baseURL":"https://demo.test.fider.io:3000","domain":".test.fider.io","environment":"test","googleAnalytics":"","hasLegal":true,"isBillingEnabled":false,"locale":"en","localeDirection":"ltr","mode":"multi","oauth":[],"postWithTags":true},"tenant":{"id":0,"name":"Game of Thrones","subdomain":"","invitation":"","welcomeMessage":"","welcomeHeader":"","cname":"","status":0,"locale":"","isPrivate":false,"logoBlobKey":"","allowedSchemes":"","isEmailAuthAllowed":false,"isFeedEnabled":false,"preventIndexing":false,"isModerationEnabled":false,"isCommercial":false},"title":"Game of Thrones"}
+  {"contextID":"CONTEXT_ID","page":"","props":{},"sessionID":"","settings":{"allowAllowedSchemes":true,"assetsURL":"https://demo.test.fider.io:3000","baseURL":"https://demo.test.fider.io:3000","domain":".test.fider.io","environment":"test","googleAnalytics":"","hasLegal":true,"isBillingEnabled":false,"locale":"en","localeDirection":"ltr","mode":"multi","oauth":[],"postWithTags":true},"tenant":{"id":0,"name":"Game of Thrones","subdomain":"","invitation":"","welcomeMessage":"","welcomeHeader":"","cname":"","status":0,"locale":"","isPrivate":false,"logoBlobKey":"","allowedSchemes":"","isEmailAuthAllowed":false,"isFeedEnabled":false,"preventIndexing":false,"isModerationEnabled":false,"hasCommercialFeatures":false},"title":"Game of Thrones"}
 
   </script>