Fixes#193 and #256
This however requires users to manually set the domain in the config.yaml.
This field currently is optional, but it would probably be better to make it required and not fall back to HTTP_ORIGIN and HTTP_REFERER, which might be inaccurate or not set (especially behind reverse proxies and the like)
server/config: Leave domain empty by default
Co-Authored-By: Shyam Sunder <sgsunder1@gmail.com>
* Packages that are only used in testing or development
have been moved to `dev-requirements.txt`
* Closes#178
* Minor rewrite to drop the `scikit-image` package, which
saves around 200MB in install size
* Users are only authenticated against their password on login,
and to retrieve a token
* Passwords are wiped from the GUI frontend and cookies
after login and token retrieval
* Tokens are revoked at the end of the session/logout
* If the user chooses the "remember me" option,
the token is stored in the cookie
* Tokens correctly delete themselves on logout
* Tokens can expire at user-specified date
* Tokens have their last usage time
* Tokens can have user defined descriptions
* Users can manage login tokens in their account settings
- Changed password setup to use libsodium and argon2id (regular SHA256
hashing for passwords is inadequate as modern GPU's can hash generate
billions of hashes per second).
- Added code to auto migrate old passwords to the new password_hash if
the existing password_hash matches either of the legacy password
generation schemes (SHA1 or SHA256).
- Added migration to support new password_hash format length
- Added column password_revision. This field will default to 0, which
all passwords will have till they're updated. After that each password
hash method has a revision.
- Default setting is false for both conversions, as this will require
additional resources of the server, but is bandwidth friendly for
viewers
- WEBM conversion is slow, but better quality than MP4 conversion with
a typically smaller file size
- Tags are copied over from the original upload
- Snapshots are generated for the new auto posts
Poorly formatted MP4 and WEBM sources can cause ffmpeg to throw a lot
of warnings. However when there is byte ouptut, the generated thumbnail
is valid. Add a bypass for the resize_fill function to allow ffmpeg to
error.
* Added functionality for administrators to directly add users to the
application
* Added permission users:create:any to handle level that users are
allowed to create other users
* Moved old permission users:create to users:create:self
