Adds a callout box mentioning that CORS headers must be set if WebFinger requests are being redirected to support a customised WEB_DOMAIN value.
This requirement is not called out in the text (only the nginx config example next to it), and is non-obvious enough that, anecdotally, many servers do not implement it properly.
See: https://github.com/mastodon/mastodon/issues/26995
* Improve deprecation messaging for Application#vapid_key
* Format JSON examples in Instance methods
* Remove vapid_key from Apps API examples, since this property is deprecated on Application entity
* Add documentation for new OAuth 2.0 features added in 4.3.0
* Improve documentation for oauth-scopes
* Update content/en/api/oauth-scopes.md
Co-authored-by: Matt Jankowski <matt@jankowski.online>
* Update content/en/api/oauth-scopes.md
Co-authored-by: Matt Jankowski <matt@jankowski.online>
* Update content/en/api/oauth-scopes.md
Co-authored-by: Matt Jankowski <matt@jankowski.online>
* Update content/en/api/oauth-scopes.md
Co-authored-by: Matt Jankowski <matt@jankowski.online>
* Add deprecated and removed shortcode labels
* Use deprecated and removed shortcodes
* Improve OAuth documentation
* More OAuth documentation improvements
* Correct streaming API documentation after 4.2.0 changes
* Add note about improved Push Subscription API validation in 4.3.0
* Fix inconsistent OAuth label formatting
* Add note that there is a relationship between Accounts and the Application used to create them
* Add note that application registration endpoint also supports JSON bodies
* Be consistent in the formatting of placeholder values for Bearer tokens
* code review changes
* Slight changes in wording
* Add documentation for PKCE
* Removal of crypto oauth scope
* Cross-link authorization's scope with the OAuth Scopes documentation
* Update content/en/methods/oauth.md
* Update content/en/api/oauth-scopes.md
---------
Co-authored-by: Matt Jankowski <matt@jankowski.online>
Co-authored-by: David Roetzel <david@roetzel.de>
This rewrite documents all supported environment variables for the S3
object storage system, and in addition documents the way that Mastodon
constructs URLs that it hands to clients (for them to obtain objects
from the storage provider).
The documentation of the variables lives entirely in the object-storage page
now, instead of being mixed between that page and the main config page. A link
to the object-storage page has been added to the config page.
* Improve the documentation about the parameters of the email sent by the Mastodon SMTP client.
---------
Co-authored-by: lhp22 <louishp@protonmail.com>
Co-authored-by: Andy Piper <andypiper@users.noreply.github.com>
* Improve documentation for TRUSTED_PROXY_IP
The documentation previously only indicated that `localhost` was trusted, but it appears that all private networks are trusted by default. I believe this because:
- I'm running my web and streaming processes within Docker containers and running Nginx on the Docker host. I believe they communicate over a 172.16.0.0/12 network that Docker creates. I tried looking at logs a bit and it _seems_ like things are working correctly. But if anyone has suggestions on how to verify that my Mastodon processes are recording the correct client IP, please let me know! We could include that advice in this documentation.
- I looked at the source code a bit and it appears that both the streaming and web processes use localhost and the private network ranges. But this is really my first time looking at the Mastodon code and I don't even know Ruby, so please double check me!
- I believe the streaming process uses Express JS. I believe it sets the trusted proxy IP [here](d11d15748c/streaming/index.js (L150)). Express documents the `loopback` and `uniquelocal` values [here](https://expressjs.com/en/guide/behind-proxies.html).
- I'm less certain about web. It looks like the env var is parsed [here](d11d15748c/config/environments/production.rb (L44-L45)). It looks like `trusted_proxies` will be unset if the env var is unset. And maybe that results in [this check](https://github.com/mastodon/mastodon/blob/main/config/initializers/trusted_proxies.rb) getting bypassed? But it looks like Action Dispatch does its own check [here](https://api.rubyonrails.org/classes/ActionDispatch/RemoteIp.html)?
* Try to improve the phrasing
Specifically I tried to make it less likely that people would do the wrong thing if they're using Cloudflare or a similar proxy service. It does seem pretty wordy now. I'm open to suggestions.
* fix relrefs around trends and related entities
* revert moving caption-links to middle of page
* hide empty menu in table of contents
* clarify edit notifs are only for boosted statuses
* following/followers no longer need auth
* fix typo
* specify cooldown period for account Move
* use the correct cooldown
* add missing parameters to accounts/id/statuses
* link to account_statuses_filter.rb
* fix typo (#1072)
* fix typo (#1073)
* fix link to http sig spec (#1067)
* simplify HTTP request examples in api methods docs
* add missing client_secret to oauth/token (#1062)
* Add any, all, none to hashtag timeline
* minor formatting changes
* Update signature requirements and advice
* fix public key -> private key
* clarify use of RSA with SHA256
* Add note about saving your profile after adding rel-me link
* v2 filters api
* comment out params that shouldn't be used in v2 filter api
* admin trends
* remove old todo
* canonical email blocks + scheduled statuses
* remove under-construction warnings from finished pages
* verify api method params with source code
* fix typo (#1088)
* fix broken caption-links (#1100)
* fix formatting of entities (#1094)
* Remove keybase section from user guide (#1093)
* fix typos (#1092)
* Verify limits are accurate (#1086)
* add mention of iframe limitation (#1084)
* Add CORS header to WEB_DOMAIN example (#1083)
* Fix typo (#1081)
* pin http sigs spec at draft 8
* Revert "pin http sigs spec at draft 8"
This reverts commit 9fd5f7032b69b29e77599dd62adfe8d2f5cd4f20.
* add case sensitivity warning to 4.0 roles
* Add url length note to bio (#1087)
* remove follow scope from examples (#1103)
* clarify usage of update_credentials to update profile fields
* add noindex to Account entity
* remove required hint from technically not required property