Merge branch 'main' into fix_twig_lint

README.md

@@ -34,7 +34,7 @@ For developers:
 - GitHub Security advisories, vulnerability reporting, [Dependabot](https://github.com/features/security) and [Advanced code scanning](https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning) enabled. And we run [`local-php-security-checker`](https://github.com/fabpot/local-php-security-checker).
 - Improved **code documentation**
 - **Tight integration** with [Mbin Weblate project](https://hosted.weblate.org/engage/mbin/) for translations (Two way sync)
-- Last but not least, a **community-focus project embracing the Collective Code Construction Contract** (C4). No single maintainer.
+- Last but not least, a **community-focus project embracing the [Collective Code Construction Contract](./C4.md)** (C4). No single maintainer.
 
 ## Instances
 
@@ -209,47 +209,47 @@ For developers:
                 </a>
             </td>
             <td align="center">
-                <a href="https://github.com/ryanmonsen">
-                    <img src="https://avatars.githubusercontent.com/u/55466117?v=4" width="100;" alt="ryanmonsen"/>
+                <a href="https://github.com/lilfade">
+                    <img src="https://avatars.githubusercontent.com/u/4168401?v=4" width="100;" alt="lilfade"/>
                     <br />
-                    <sub><b>ryanmonsen</b></sub>
+                    <sub><b>Bryson</b></sub>
                 </a>
             </td>
             <td align="center">
-                <a href="https://github.com/drupol">
-                    <img src="https://avatars.githubusercontent.com/u/252042?v=4" width="100;" alt="drupol"/>
+                <a href="https://github.com/vpzomtrrfrt">
+                    <img src="https://avatars.githubusercontent.com/u/3528358?v=4" width="100;" alt="vpzomtrrfrt"/>
                     <br />
-                    <sub><b>Pol Dellaiera</b></sub>
+                    <sub><b>vpzomtrrfrt</b></sub>
                 </a>
             </td>
             <td align="center">
-                <a href="https://github.com/jwr1">
-                    <img src="https://avatars.githubusercontent.com/u/47087725?v=4" width="100;" alt="jwr1"/>
+                <a href="https://github.com/cavebob">
+                    <img src="https://avatars.githubusercontent.com/u/75441692?v=4" width="100;" alt="cavebob"/>
                     <br />
-                    <sub><b>John Wesley</b></sub>
+                    <sub><b>cavebob</b></sub>
                 </a>
             </td>
             <td align="center">
-                <a href="https://github.com/cavebob">
-                    <img src="https://avatars.githubusercontent.com/u/75441692?v=4" width="100;" alt="cavebob"/>
+                <a href="https://github.com/jwr1">
+                    <img src="https://avatars.githubusercontent.com/u/47087725?v=4" width="100;" alt="jwr1"/>
                     <br />
-                    <sub><b>cavebob</b></sub>
+                    <sub><b>John Wesley</b></sub>
                 </a>
             </td>
 		</tr>
 		<tr>
             <td align="center">
-                <a href="https://github.com/vpzomtrrfrt">
-                    <img src="https://avatars.githubusercontent.com/u/3528358?v=4" width="100;" alt="vpzomtrrfrt"/>
+                <a href="https://github.com/drupol">
+                    <img src="https://avatars.githubusercontent.com/u/252042?v=4" width="100;" alt="drupol"/>
                     <br />
-                    <sub><b>vpzomtrrfrt</b></sub>
+                    <sub><b>Pol Dellaiera</b></sub>
                 </a>
             </td>
             <td align="center">
-                <a href="https://github.com/lilfade">
-                    <img src="https://avatars.githubusercontent.com/u/4168401?v=4" width="100;" alt="lilfade"/>
+                <a href="https://github.com/ryanmonsen">
+                    <img src="https://avatars.githubusercontent.com/u/55466117?v=4" width="100;" alt="ryanmonsen"/>
                     <br />
-                    <sub><b>Bryson</b></sub>
+                    <sub><b>ryanmonsen</b></sub>
                 </a>
             </td>
             <td align="center">
@@ -266,22 +266,13 @@ For developers:
                     <sub><b>CSDUMMI</b></sub>
                 </a>
             </td>
-            <td align="center">
-                <a href="https://github.com/LoveIsGrief">
-                    <img src="https://avatars.githubusercontent.com/u/2829538?v=4" width="100;" alt="LoveIsGrief"/>
-                    <br />
-                    <sub><b>LoveIsGrief</b></sub>
-                </a>
-            </td>
             <td align="center">
                 <a href="https://github.com/DismalShadowX">
                     <img src="https://avatars.githubusercontent.com/u/24910097?v=4" width="100;" alt="DismalShadowX"/>
                     <br />
                     <sub><b>Nathan Sparrow</b></sub>
                 </a>
             </td>
-		</tr>
-		<tr>
             <td align="center">
                 <a href="https://github.com/privacyguard">
                     <img src="https://avatars.githubusercontent.com/u/92675882?v=4" width="100;" alt="privacyguard"/>

config/packages/antispam.yaml

@@ -7,8 +7,12 @@
 # For more details on the options available visit https://omines.github.io/antispam-bundle/configuration/
 #
 antispam:
+    stealth: false
+
     profiles:
         default:
+            stealth: false
+
             # Insert a honeypot called "email_address" on all forms to lure bots into filling it in
             honeypot: email_address
 

config/packages/framework.yaml

@@ -19,7 +19,7 @@ framework:
     http_client:
         default_options:
             headers:
-                'User-Agent': 'Mbin/1.7.1-rc4 (+https://%kbin_domain%/agent)'
+                'User-Agent': 'Mbin/1.7.1-rc5 (+https://%kbin_domain%/agent)'
 
     #esi: true
     #fragments: true

docs/02-admin/02-configuration/nginx.md

@@ -243,19 +243,57 @@ Restart (or reload) NGINX:
 sudo systemctl restart nginx
 ```
 
+## Trusted Proxies
+
+If you are using a reverse proxy, you need to configure your trusted proxies to use the `X-Forwarded-For` header. Mbin configured the following trusted headers for you already: `x-forwarded-for`, `x-forwarded-proto`, `x-forwarded-port` and `x-forwarded-prefix`.
+
+Trusted proxies can be configured in the `.env` file (or your `.env.local` file):
+
+```sh
+nano /var/www/mbin/.env
+```
+
+You can configure a single IP address and/or a range of IP addresses (this configuration should be sufficient if you are running Nginx yourself):
+
+```dotenv
+# Change the IP range if needed, this is just an example
+TRUSTED_PROXIES=127.0.0.1,192.168.1.0/24
+```
+
+Or if the IP address is dynamic, you can set the `REMOTE_ADDR` string which will be replaced at runtime by `$_SERVER['REMOTE_ADDR']`:
+
+```dotenv
+TRUSTED_PROXIES=127.0.0.1,REMOTE_ADDR
+```
+
+> [!WARNING]
+> In this last example be sure that you configure the web server to _not_
+> respond to traffic from _any_ clients other than your trusted load balancers
+> (eg. within AWS this can be achieved via security groups).
+
+Finally run the `post-upgrade` script to dump the `.env` to the `.env.local.php` and clear any cache:
+
+```sh
+./bin/post-upgrade
+```
+
+More detailed info can be found at: [Symfony Trusted Proxies docs](https://symfony.com/doc/current/deployment/proxies.html)
+
 ## Media reverse proxy
 
 we suggest that you do not use this configuration:
+
 ```dotenv
 KBIN_STORAGE_URL=https://mbin.domain.tld/media
 ```
 
 Instead we suggest to use a subdomain for serving your media files:
+
 ```dotenv
 KBIN_STORAGE_URL=https://media.mbin.domain.tld
 ```
 
-That way you can let nginx cache media assets and seamlessly switch to an object storage provider later. 
+That way you can let nginx cache media assets and seamlessly switch to an object storage provider later.
 
 ```bash
 sudo nano /etc/nginx/sites-available/mbin-media.conf
@@ -289,4 +327,3 @@ For it to be a usable https site you have to run `certbot --nginx` and select th
 
 > [!TIP]
 > don't forget to enable http2 by adding `http2 on;` after certbot ran (underneath the `listen 443 ssl;` line)
-

src/Controller/Security/RegisterController.php

@@ -9,6 +9,7 @@
 use App\Service\IpResolver;
 use App\Service\SettingsManager;
 use App\Service\UserManager;
+use Psr\Log\LoggerInterface;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 
@@ -18,6 +19,7 @@ public function __construct(
         private readonly UserManager $manager,
         private readonly IpResolver $ipResolver,
         private readonly SettingsManager $settingsManager,
+        private readonly LoggerInterface $logger,
     ) {
     }
 
@@ -48,6 +50,10 @@ public function __invoke(Request $request): Response
             );
 
             return $this->redirectToRoute('front');
+        } elseif ($form->isSubmitted() && !$form->isValid()) {
+            $this->logger->error('Registration form submission was invalid.', [
+                'errors' => $form->getErrors(true, false),
+            ]);
         }
 
         return $this->render(

src/MessageHandler/ActivityPub/Inbox/CreateHandler.php

@@ -32,9 +32,6 @@
 #[AsMessageHandler]
 class CreateHandler extends MbinMessageHandler
 {
-    private array $object;
-    private bool $stickyIt;
-
     public function __construct(
         private readonly EntityManagerInterface $entityManager,
         private readonly Note $note,
@@ -61,19 +58,19 @@ public function doWork(MessageInterface $message): void
         if (!($message instanceof CreateMessage)) {
             throw new \LogicException();
         }
-        $this->object = $message->payload;
-        $this->stickyIt = $message->stickyIt;
+        $object = $message->payload;
+        $stickyIt = $message->stickyIt;
         $this->logger->debug('Got a CreateMessage of type {t}, {m}', ['t' => $message->payload['type'], 'm' => $message->payload]);
         $entryTypes = ['Page', 'Article', 'Video'];
         $postTypes = ['Question', 'Note'];
 
         try {
-            if ('ChatMessage' === $this->object['type']) {
-                $this->handlePrivateMessage();
-            } elseif (\in_array($this->object['type'], $postTypes)) {
-                $this->handleChain();
-            } elseif (\in_array($this->object['type'], $entryTypes)) {
-                $this->handlePage();
+            if ('ChatMessage' === $object['type']) {
+                $this->handlePrivateMessage($object);
+            } elseif (\in_array($object['type'], $postTypes)) {
+                $this->handleChain($object, $stickyIt);
+            } elseif (\in_array($object['type'], $entryTypes)) {
+                $this->handlePage($object, $stickyIt);
             }
         } catch (UserBannedException) {
             $this->logger->info('Did not create the post, because the user is banned');
@@ -99,18 +96,18 @@ public function doWork(MessageInterface $message): void
      * @throws UserDeletedException
      * @throws InstanceBannedException
      */
-    private function handleChain(): void
+    private function handleChain(array $object, bool $stickyIt): void
     {
-        if (isset($this->object['inReplyTo']) && $this->object['inReplyTo']) {
-            $existed = $this->repository->findByObjectId($this->object['inReplyTo']);
+        if (isset($object['inReplyTo']) && $object['inReplyTo']) {
+            $existed = $this->repository->findByObjectId($object['inReplyTo']);
             if (!$existed) {
-                $this->bus->dispatch(new ChainActivityMessage([$this->object]));
+                $this->bus->dispatch(new ChainActivityMessage([$object]));
 
                 return;
             }
         }
 
-        $note = $this->note->create($this->object, stickyIt: $this->stickyIt);
+        $note = $this->note->create($object, stickyIt: $stickyIt);
         if ($note instanceof EntryComment || $note instanceof Post || $note instanceof PostComment) {
             if (null !== $note->apId and null === $note->magazine->apId and 'random' !== $note->magazine->name) {
                 // local magazine, but remote post. Random magazine is ignored, as it should not be federated at all
@@ -127,9 +124,9 @@ private function handleChain(): void
      * @throws PostingRestrictedException
      * @throws InstanceBannedException
      */
-    private function handlePage(): void
+    private function handlePage(array $object, bool $stickyIt): void
     {
-        $page = $this->page->create($this->object, stickyIt: $this->stickyIt);
+        $page = $this->page->create($object, stickyIt: $stickyIt);
         if ($page instanceof Entry) {
             if (null !== $page->apId and null === $page->magazine->apId and 'random' !== $page->magazine->name) {
                 // local magazine, but remote post. Random magazine is ignored, as it should not be federated at all
@@ -138,9 +135,9 @@ private function handlePage(): void
         }
     }
 
-    private function handlePrivateMessage(): void
+    private function handlePrivateMessage(array $object): void
     {
-        $this->messageManager->createMessage($this->object);
+        $this->messageManager->createMessage($object);
     }
 
     private function handlePrivateMentions(): void