mastodon/app/lib/application_extension.rb

# frozen_string_literal: true

module ApplicationExtension
  extend ActiveSupport::Concern

  APP_NAME_LIMIT = 60
  APP_REDIRECT_URI_LIMIT = 2_000
  APP_WEBSITE_LIMIT = 2_000

  included do
    include Redisable

    has_many :created_users, class_name: 'User', foreign_key: 'created_by_application_id', inverse_of: :created_by_application

    validates :name, length: { maximum: APP_NAME_LIMIT }
    validates :redirect_uri, length: { maximum: APP_REDIRECT_URI_LIMIT }
    validates :website, url: true, length: { maximum: APP_WEBSITE_LIMIT }, if: :website?

    # The relationship used between Applications and AccessTokens is using
    # dependent: delete_all, which means the ActiveRecord callback in
    # AccessTokenExtension is not run, so instead we manually announce to
    # streaming that these tokens are being deleted.
    before_destroy :close_streaming_sessions, prepend: true
  end

  def confirmation_redirect_uri
    redirect_uri.lines.first.strip
  end

  def redirect_uris
    # Doorkeeper stores the redirect_uri value as a newline delimeted list in
    # the database:
    redirect_uri.split
  end

  def close_streaming_sessions(resource_owner = nil)
    # TODO: #28793 Combine into a single topic
    payload = Oj.dump(event: :kill)
    scope = access_tokens
    scope = scope.where(resource_owner_id: resource_owner.id) unless resource_owner.nil?
    scope.in_batches do |tokens|
      redis.pipelined do |pipeline|
        tokens.ids.each do |id|
          pipeline.publish("timeline:access_token:#{id}", payload)
        end
      end
    end
  end
end
Fix tests, add applications to eager loading/cache for statuses, fix application website validation, don't link to app website if website isn't set, also comment out animated boost icon from #464 until it's consistent with non-animated version 2017-01-15 14:01:33 +01:00			`# frozen_string_literal: true`

			`module ApplicationExtension`
			`extend ActiveSupport::Concern`

Refer to constant values from `api/v1/apps` request spec (#33488) 2025-01-07 11:28:54 -05:00			`APP_NAME_LIMIT = 60`
			`APP_REDIRECT_URI_LIMIT = 2_000`
			`APP_WEBSITE_LIMIT = 2_000`

Fix tests, add applications to eager loading/cache for statuses, fix application website validation, don't link to app website if website isn't set, also comment out animated boost icon from #464 until it's consistent with non-animated version 2017-01-15 14:01:33 +01:00			`included do`
Merge pull request from GHSA-7w3c-p9j8-mq3x * Ensure destruction of OAuth Applications notifies streaming Due to doorkeeper using a dependent: delete_all relationship, the destroy of an OAuth Application bypassed the existing AccessTokenExtension callbacks for announcing destructing of access tokens. * Ensure password resets revoke access to Streaming API * Improve performance of deleting OAuth tokens --------- Co-authored-by: Claire <claire.github-309c@sitedethib.com> 2024-02-14 15:15:34 +01:00			`include Redisable`

Clean up unused application records (#24871) 2023-07-21 13:13:16 +02:00			`has_many :created_users, class_name: 'User', foreign_key: 'created_by_application_id', inverse_of: :created_by_application`

Refer to constant values from `api/v1/apps` request spec (#33488) 2025-01-07 11:28:54 -05:00			`validates :name, length: { maximum: APP_NAME_LIMIT }`
			`validates :redirect_uri, length: { maximum: APP_REDIRECT_URI_LIMIT }`
			`validates :website, url: true, length: { maximum: APP_WEBSITE_LIMIT }, if: :website?`
Merge pull request from GHSA-7w3c-p9j8-mq3x * Ensure destruction of OAuth Applications notifies streaming Due to doorkeeper using a dependent: delete_all relationship, the destroy of an OAuth Application bypassed the existing AccessTokenExtension callbacks for announcing destructing of access tokens. * Ensure password resets revoke access to Streaming API * Improve performance of deleting OAuth tokens --------- Co-authored-by: Claire <claire.github-309c@sitedethib.com> 2024-02-14 15:15:34 +01:00
			`# The relationship used between Applications and AccessTokens is using`
			`# dependent: delete_all, which means the ActiveRecord callback in`
			`# AccessTokenExtension is not run, so instead we manually announce to`
			`# streaming that these tokens are being deleted.`
Merge pull request from GHSA-vp5r-5pgw-jwqx * Fix streaming sessions not being closed when revoking access to an app * Add tests for GHSA-7w3c-p9j8-mq3x 2024-07-04 16:11:28 +02:00			`before_destroy :close_streaming_sessions, prepend: true`
Fix tests, add applications to eager loading/cache for statuses, fix application website validation, don't link to app website if website isn't set, also comment out animated boost icon from #464 until it's consistent with non-animated version 2017-01-15 14:01:33 +01:00			`end`
Change authorized applications page (#17656) * Change authorized applications page * Hide revoke button for superapps and suspended accounts * Clean up db/schema.rb 2022-03-01 16:48:58 +01:00
Fix confirmation redirect to app without `Location` header (#18523) 2022-05-26 22:03:54 +02:00			`def confirmation_redirect_uri`
			`redirect_uri.lines.first.strip`
			`end`
Merge pull request from GHSA-7w3c-p9j8-mq3x * Ensure destruction of OAuth Applications notifies streaming Due to doorkeeper using a dependent: delete_all relationship, the destroy of an OAuth Application bypassed the existing AccessTokenExtension callbacks for announcing destructing of access tokens. * Ensure password resets revoke access to Streaming API * Improve performance of deleting OAuth tokens --------- Co-authored-by: Claire <claire.github-309c@sitedethib.com> 2024-02-14 15:15:34 +01:00
Support multiple redirect_uris when creating OAuth 2.0 Applications (#29192) 2024-05-17 15:46:12 +02:00			`def redirect_uris`
			`# Doorkeeper stores the redirect_uri value as a newline delimeted list in`
			`# the database:`
			`redirect_uri.split`
			`end`

Merge pull request from GHSA-vp5r-5pgw-jwqx * Fix streaming sessions not being closed when revoking access to an app * Add tests for GHSA-7w3c-p9j8-mq3x 2024-07-04 16:11:28 +02:00			`def close_streaming_sessions(resource_owner = nil)`
Merge pull request from GHSA-7w3c-p9j8-mq3x * Ensure destruction of OAuth Applications notifies streaming Due to doorkeeper using a dependent: delete_all relationship, the destroy of an OAuth Application bypassed the existing AccessTokenExtension callbacks for announcing destructing of access tokens. * Ensure password resets revoke access to Streaming API * Improve performance of deleting OAuth tokens --------- Co-authored-by: Claire <claire.github-309c@sitedethib.com> 2024-02-14 15:15:34 +01:00			`# TODO: #28793 Combine into a single topic`
			`payload = Oj.dump(event: :kill)`
Merge pull request from GHSA-vp5r-5pgw-jwqx * Fix streaming sessions not being closed when revoking access to an app * Add tests for GHSA-7w3c-p9j8-mq3x 2024-07-04 16:11:28 +02:00			`scope = access_tokens`
			`scope = scope.where(resource_owner_id: resource_owner.id) unless resource_owner.nil?`
			`scope.in_batches do \|tokens\|`
Merge pull request from GHSA-7w3c-p9j8-mq3x * Ensure destruction of OAuth Applications notifies streaming Due to doorkeeper using a dependent: delete_all relationship, the destroy of an OAuth Application bypassed the existing AccessTokenExtension callbacks for announcing destructing of access tokens. * Ensure password resets revoke access to Streaming API * Improve performance of deleting OAuth tokens --------- Co-authored-by: Claire <claire.github-309c@sitedethib.com> 2024-02-14 15:15:34 +01:00			`redis.pipelined do \|pipeline\|`
			`tokens.ids.each do \|id\|`
			`pipeline.publish("timeline:access_token:#{id}", payload)`
			`end`
			`end`
			`end`
			`end`
Fix tests, add applications to eager loading/cache for statuses, fix application website validation, don't link to app website if website isn't set, also comment out animated boost icon from #464 until it's consistent with non-animated version 2017-01-15 14:01:33 +01:00			`end`