Add ability to disable the suspicious sign in detector

The CatCatNya~ production config has an IP retention period of one day. That will cause suspicious login emails to be sent out simply because we don't have any known IP data.

Therefore, add an option disabling it.
Jeremy Kescher 2024-05-23 01:16:21 +02:00
parent c1054880a3
commit 21a0804210
No known key found for this signature in database
GPG key ID: 80A419A7A613DFA4
4 changed files with 37 additions and 13 deletions

View file

@ -47,3 +47,4 @@ MAX_REACTIONS=3
MAX_SEARCH_RESULTS=1000 MAX_SEARCH_RESULTS=1000
MAX_REMOTE_EMOJI_SIZE=1048576 MAX_REMOTE_EMOJI_SIZE=1048576
IP_RETENTION_PERIOD=86400 IP_RETENTION_PERIOD=86400
ENABLE_SUSPICIOUS_SIGN_IN=false
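Review bot: `ENABLE_SUSPICIOUS_SIGN_IN=false` reads as if it switched suspicious sign-ins themselves on or off; since it actually toggles the detector, a name such as `ENABLE_SUSPICIOUS_SIGN_IN_DETECTION` (or `DISABLE_SUSPICIOUS_SIGN_IN_DETECTOR`, matching the commit title) would be less ambiguous in a config file. Whichever name stays, a one-line comment above it tying it to the `IP_RETENTION_PERIOD=86400` setting directly above would tell a future operator why a security notification is switched off here and that it should be re-enabled if retention is ever lengthened.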

View file

@ -307,8 +307,14 @@ MAX_REACTIONS=1
# IP and session retention # IP and session retention
# ----------------------- # -----------------------
# Make sure to modify the scheduling of ip_cleanup_scheduler in config/sidekiq.yml # Make sure to modify the scheduling of ip_cleanup_scheduler in config/sidekiq.yml (already applied for Catstodon)
# to be less than daily if you lower IP_RETENTION_PERIOD below two days (172800). # to be less than daily if you lower IP_RETENTION_PERIOD below two days (172800).
# ----------------------- # -----------------------
IP_RETENTION_PERIOD=31556952 IP_RETENTION_PERIOD=31556952
SESSION_RETENTION_PERIOD=31556952 SESSION_RETENTION_PERIOD=31556952
# In case you've shortened IP retention a lot, you may want to disable the suspicious sign in detector entirely,
# in order to avoid spurious "suspicious login detected" emails being sent to users.
# The default is true, because for the default retention period of one year, there is good data for such emails.
# For instances having a retention period of merely a day, that may not be enough, so you may set it to false.
#ENABLE_SUSPICIOUS_SIGN_IN=false
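Review bot: the new comment block says "The default is true", but the detector only turns the feature off for the literal string `false` (`ENV['ENABLE_SUSPICIOUS_SIGN_IN'] != 'false'`), so values like `0` or `no` leave it enabled; say that explicitly, e.g. "set it to exactly `false` to disable it". It would also help operators to spell out the trade-off: with the detector off, nobody is emailed about a sign-in from an unfamiliar address, including a sign-in by someone who has obtained the password, so keeping IP_RETENTION_PERIOD long enough to have known-IP data is the better option wherever the instance can retain it.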

View file

@ -2,10 +2,13 @@
## Introduction ## Introduction
This Mastodon fork is based on the [glitch-soc Fork of Mastodon](https://github.com/glitch-soc/mastodon), with changes made to suit [CatCatNya~](https://catcatnya.com). This Mastodon fork is based on the [glitch-soc Fork of Mastodon](https://github.com/glitch-soc/mastodon), with changes
I intend to contribute some useful differences back to [glitch-soc](https://github.com/glitch-soc/mastodon) and [vanilla Mastodon](https://github.com/mastodon/mastodon). made to suit [CatCatNya~](https://catcatnya.com).
I intend to contribute some useful differences back to [glitch-soc](https://github.com/glitch-soc/mastodon)
and [vanilla Mastodon](https://github.com/mastodon/mastodon).
To install, take a look at [glitch-soc.github.io/docs/](https://glitch-soc.github.io/docs/). The instructions and features are the same, except for the differences outlined below. To install, take a look at [glitch-soc.github.io/docs/](https://glitch-soc.github.io/docs/). The instructions and
features are the same, except for the differences outlined below.
Contributing guidelines are available [here](CONTRIBUTING.md). Contributing guidelines are available [here](CONTRIBUTING.md).
@ -20,22 +23,35 @@ instead, use merge (fast-forward, if possible, with merge commit otherwise).
- Some files are adjusted specifically for the CatCatNya~ instance. Specifically, these: - Some files are adjusted specifically for the CatCatNya~ instance. Specifically, these:
- sounds/boop.mp3 - sounds/boop.mp3
- sounds/boop.ogg - sounds/boop.ogg
<br>You might want to revert these to the upstream files (or your own versions!) if you decide to use this fork for your own instance. <br>You might want to revert these to the upstream files (or your own versions!) if you decide to use this fork for
your own instance.
- The rate limits for authenticated users have been relaxed a bit. - The rate limits for authenticated users have been relaxed a bit.
- The API endpoint `/api/v1/custom_emojis` is no longer affected by AUTHORIZED_FETCH, allowing anyone to copy custom emojis. - The API endpoint `/api/v1/custom_emojis` is no longer affected by AUTHORIZED_FETCH, allowing anyone to copy custom
emojis.
- Allow higher resolution images. (4096x4096 instead of the previous limit of 3840x2160) - Allow higher resolution images. (4096x4096 instead of the previous limit of 3840x2160)
- Allow posting polls with only one poll option (if `MIN_POLL_OPTIONS` is set to 1 on your instance). - Allow posting polls with only one poll option (if `MIN_POLL_OPTIONS` is set to 1 on your instance).
- Added oatstodon flavour (taken from [types.pl fork](https://github.com/ralsei/types.pl), by [@oat@hellsite.site](https://hellsite.site/@oat)), with slight adjustments since. - Added oatstodon flavour (taken from [types.pl fork](https://github.com/ralsei/types.pl),
- Emoji reactions on statuses (with both Unicode and custom emojis, same as for announcements), a feature originally developed for [Nyastodon](https://git.bsd.gay/fef/nyastodon). by [@oat@hellsite.site](https://hellsite.site/@oat)), with slight adjustments since.
Ended up as a Catstodon-maintained patch after its initial two Pull Requests to glitch-soc, but was handed over to [Essem's fork, Chuckya](https://github.com/TheEssem/mastodon) and is now pending [its fourth attempt of merging into glitch-soc](https://github.com/glitch-soc/mastodon/pull/2462). - Emoji reactions on statuses (with both Unicode and custom emojis, same as for announcements), a feature originally
developed for [Nyastodon](https://git.bsd.gay/fef/nyastodon).
Ended up as a Catstodon-maintained patch after its initial two Pull Requests to glitch-soc, but was handed over
to [Essem's fork, Chuckya](https://github.com/TheEssem/mastodon) and is now
pending [its fourth attempt of merging into glitch-soc](https://github.com/glitch-soc/mastodon/pull/2462).
- Lifts the "only federate local favourites" restriction on favourites/likes and emoji reactions. - Lifts the "only federate local favourites" restriction on favourites/likes and emoji reactions.
- Cherry-picks the [activity filter branch](https://github.com/chikorita157/mastodon-sakura/tree/newmain-tmp3-noellabo-filtering) from [Sakurajima Mastodon](https://github.com/chikorita157/mastodon-sakura). - Cherry-picks the
[activity filter branch](https://github.com/chikorita157/mastodon-sakura/tree/newmain-tmp3-noellabo-filtering)
from [Sakurajima Mastodon](https://github.com/chikorita157/mastodon-sakura).
- Adds the ability to disable the suspicious sign in detection entirely.
- Useful for situations where the instance may not have up-to-date IP information, such as when the period of IP
address retention is set to a low value (see *Previous differences now merged into vanilla Mastodon*)
## Previous differences now merged into glitch-soc ## Previous differences now merged into glitch-soc
- Fixed incorrect upload size limit display when adding new a new custom emoji. ([Pull request](https://github.com/glitch-soc/mastodon/pull/1763)) - Fixed incorrect upload size limit display when adding new a new custom
emoji. ([Pull request](https://github.com/glitch-soc/mastodon/pull/1763))
- Everything merged into vanilla Mastodon - Everything merged into vanilla Mastodon
## Previous differences now merged into vanilla Mastodon ## Previous differences now merged into vanilla Mastodon
- The period of retention of IP addresses and sessions was made configurable. ([Pull request](https://github.com/mastodon/mastodon/pull/18757)) - The period of retention of IP addresses and sessions was made
configurable. ([Pull request](https://github.com/mastodon/mastodon/pull/18757))
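Review bot: the new sub-bullet ending "(see *Previous differences now merged into vanilla Mastodon*)" is missing its closing period, unlike the list items around it. While this section is being edited, the context line "Fixed incorrect upload size limit display when adding new a new custom emoji" carries a pre-existing duplicated word ("new a new") that could be corrected in the same commit.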

View file

@ -3,13 +3,14 @@
class SuspiciousSignInDetector class SuspiciousSignInDetector
IPV6_TOLERANCE_MASK = 64 IPV6_TOLERANCE_MASK = 64
IPV4_TOLERANCE_MASK = 16 IPV4_TOLERANCE_MASK = 16
ENABLE_SUSPICIOUS_SIGN_IN = ENV['ENABLE_SUSPICIOUS_SIGN_IN'] != 'false'
def initialize(user) def initialize(user)
@user = user @user = user
end end
def suspicious?(request) def suspicious?(request)
!sufficient_security_measures? && !freshly_signed_up? && !previously_seen_ip?(request) !sufficient_security_measures? && !freshly_signed_up? && !previously_seen_ip?(request) if DISABLE_SUSPICIOUS_SIGN_IN
end end
private private
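Review bot: `suspicious?` references `DISABLE_SUSPICIOUS_SIGN_IN`, but the constant defined a few lines above is `ENABLE_SUSPICIOUS_SIGN_IN`, so every sign-in will raise `NameError: uninitialized constant SuspiciousSignInDetector::DISABLE_SUSPICIOUS_SIGN_IN` regardless of how the env var is set. Even with the name corrected, the trailing `if ...` modifier makes the predicate return `nil` rather than `false` when the detector is disabled; a guard clause keeps the return value boolean and the condition readable:
`return false unless ENABLE_SUSPICIOUS_SIGN_IN`
`!sufficient_security_measures? && !freshly_signed_up? && !previously_seen_ip?(request)`
A spec that instantiates the detector once with `ENABLE_SUSPICIOUS_SIGN_IN=false` and once with it unset would have caught the typo before deploy.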