From: Tom Hughes Date: Wed, 8 Nov 2023 18:22:50 +0000 (+0000) Subject: Merge remote-tracking branch 'upstream/pull/4331' X-Git-Tag: live~520 X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/f5c5aacb209fd209c0b13203c0c7d0259635c671?hp=b834bd70d0e926f8775558742213d88e3ba000b3 Merge remote-tracking branch 'upstream/pull/4331'
---
diff --git a/app/mailers/user_mailer.rb b/app/mailers/user_mailer.rb
index a9c6b70f9..89f8dfdbf 100644
--- a/app/mailers/user_mailer.rb
+++ b/app/mailers/user_mailer.rb
@@ -81,7 +81,7 @@ class UserMailer < ApplicationMailer
 attach_user_avatar(message.sender)
- mail :from => from_address(message.sender.display_name, "m", message.id, message.digest),
+ mail :from => from_address(message.sender.display_name, "m", message.id, message.notification_token),
 :to => message.recipient.email,
 :subject => t(".subject", :message_title => message.title)
 end
@@ -102,7 +102,7 @@ class UserMailer < ApplicationMailer
 set_references("diary", comment.diary_entry)
- mail :from => from_address(comment.user.display_name, "c", comment.id, comment.digest, recipient.id),
+ mail :from => from_address(comment.user.display_name, "c", comment.id, comment.notification_token(recipient.id), recipient.id),
 :to => recipient.email,
 :subject => t(".subject", :user => comment.user.display_name)
 end
@@ -225,12 +225,12 @@ class UserMailer < ApplicationMailer
 I18n.with_locale(Locale.available.preferred(recipient.preferred_languages), &block)
 end
- def from_address(name, type, id, digest, user_id = nil)
+ def from_address(name, type, id, token, user_id = nil)
 if Settings.key?(:messages_domain) && domain = Settings.messages_domain
 if user_id
- "#{name} <#{type}-#{id}-#{user_id}-#{digest[0, 6]}@#{domain}>"
+ "#{name} <#{type}-#{id}-#{user_id}-#{token}@#{domain}>"
 else
- "#{name} <#{type}-#{id}-#{digest[0, 6]}@#{domain}>"
+ "#{name} <#{type}-#{id}-#{token}@#{domain}>"
 end
 else
 Settings.email_from
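Review bot: In `from_address`, `#{token}` now goes into the address local part unchanged, and the token comes from `base64digest[0, 8]` (the `notification_token` methods in app/models/diary_comment.rb and app/models/message.rb), so it can contain `+` and `/` and is case-sensitive. Mail systems that treat `+` as a sub-address delimiter or fold the case of the local part would likely hand back a reply address whose token no longer matches, and script/deliver-message would then drop the reply. A hex token of the same length in bits avoids both problems, e.g. `sha256.hexdigest[0, 12]` as the last line of each token method. `from_address` continues past the end of this hunk.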
diff --git a/app/models/diary_comment.rb b/app/models/diary_comment.rb
index 05f5044c5..8663212eb 100644
--- a/app/models/diary_comment.rb
+++ b/app/models/diary_comment.rb
@@ -37,13 +37,12 @@ class DiaryComment < ApplicationRecord
 RichText.new(self[:body_format], self[:body])
 end
- def digest
- md5 = Digest::MD5.new
- md5 << diary_entry_id.to_s
- md5 << user_id.to_s
- md5 << created_at.xmlschema
- md5 << body
- md5.hexdigest
+ def notification_token(subscriber)
+ sha256 = Digest::SHA256.new
+ sha256 << Rails.application.key_generator.generate_key("openstreetmap/diary_comment")
+ sha256 << id.to_s
+ sha256 << subscriber.to_s
+ sha256.base64digest[0, 8]
 end
 private
diff --git a/app/models/message.rb b/app/models/message.rb
index 49c11e900..0068bc3de 100644
--- a/app/models/message.rb
+++ b/app/models/message.rb
@@ -59,13 +59,10 @@ class Message < ApplicationRecord
 RichText.new(self[:body_format], self[:body])
 end
- def digest
- md5 = Digest::MD5.new
- md5 << from_user_id.to_s
- md5 << to_user_id.to_s
- md5 << sent_on.xmlschema
- md5 << title
- md5 << body
- md5.hexdigest
+ def notification_token
+ sha256 = Digest::SHA256.new
+ sha256 << Rails.application.key_generator.generate_key("openstreetmap/message")
+ sha256 << id.to_s
+ sha256.base64digest[0, 8]
 end
 end
diff --git a/config/credentials.yml.enc b/config/credentials.yml.enc
deleted file mode 100644
index e5cfef61e..000000000
--- a/config/credentials.yml.enc
+++ /dev/null
@@ -1 +0,0 @@
-E6VWa9zDZ3CNpJ+ztv1UbvGamyL3N+U7DepOApwj4YE4NNvH2eYr4dqw6hALKKpp2O9OoPmwAzoJy9WarOnAHo67iwkU1ZdxRGoJNPlavsNgmAwFkEMH2AgBT4AkNzAhdHq9+wM32SvwOpxzvfLx9wJ439b0hY4QR3SBgPmp69LrOLjjLgIyUn3SVTendPBJ1fZxyHSxoKjQmmpT6+2YQA94ynfAy/m/6IY9VGbz9sinZBPdwx4krg+AG7qUqx3PDgZ388bl2g8uA35BPIpGnMNBkqQXjuRrFSi1ZkkJdj6NFDqZRkLNsDUDcOfxmYIRWgx3JSDekU8/24NkGeJ1/tOw2xILlQRASi6vdfHXYIqVmbHSrEdXsLQFUqv7FNHzfUtzdTDms6g3+bYhy+ZGpLdsD3maXm36p7/Z--i03uonfXALIIhWbt--6AuvcDUvj0AL5xl8DPeU7g==
\ No newline at end of file
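Review bot: `notification_token(subscriber)` feeds `id.to_s` and `subscriber.to_s` into the hash back to back with no separator, so different (comment, subscriber) pairs whose digits concatenate to the same string, such as (1, 23) and (12, 3), receive the same token. Hash one delimited field in place of the two separate `<<` lines: `sha256 << "#{id}:#{subscriber}"`. SHA-256 over key-then-data is also an unusual way to build a keyed hash; `OpenSSL::HMAC` with the same derived key would be the conventional construction.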
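Review bot: `notification_token` in app/models/message.rb carries no comment saying that the token is only as secret as the application's `secret_key_base`, which is what `Rails.application.key_generator` derives its keys from; the same applies to the method in app/models/diary_comment.rb. I would add above the method: `# Reply-address token derived from secret_key_base; rotating that key invalidates every outstanding reply address.` This commit also deletes config/master.key and config/credentials.yml.enc, so presumably the key is supplied some other way in deployment. The deleted key stays readable in repository history, so anything it protected should be treated as exposed.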
diff --git a/config/master.key b/config/master.key
deleted file mode 100644
index bfcb1791c..000000000
--- a/config/master.key
+++ /dev/null
@@ -1 +0,0 @@
-a895530f14add56693da9a6dbfd3cf97
\ No newline at end of file
diff --git a/script/deliver-message b/script/deliver-message
index 087a117c3..28d755b24 100755
--- a/script/deliver-message
+++ b/script/deliver-message
@@ -4,14 +4,14 @@ require File.join(File.dirname(__FILE__), "..", "config", "environment")
 if recipient = ARGV[0].match(/^c-(\d+)-(\d+)-(.*)$/)
 comment = DiaryComment.find(recipient[1])
- digest = comment.digest
+ expected_token = comment.notification_token(recipient[2])
 date = comment.created_at
 from = comment.diary_entry.subscribers.find(recipient[2])
 to = comment.user
 token = recipient[3]
 elsif recipient = ARGV[0].match(/^m-(\d+)-(.*)$/)
 message = Message.find(recipient[1])
- digest = message.digest
+ expected_token = message.notification_token
 date = message.sent_on
 from = message.recipient
 to = message.sender
@@ -20,7 +20,7 @@ else
 exit 0
 end
-exit 0 unless ActiveSupport::SecurityUtils.secure_compare(token, digest[0, 6])
+exit 0 unless ActiveSupport::SecurityUtils.secure_compare(token, expected_token)
 exit 0 unless from.active?
 exit 0 if date < 1.month.ago
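Review bot: `comment.notification_token(recipient[2])` hashes the raw string captured by `(\d+)`, whereas the mailer hashes `recipient.id`, and the token is computed before `subscribers.find` has resolved the subscriber. The two sides agree only when the address carries the id in canonical form (no leading zeros, for instance). Computing the token from the looked-up record keeps both on the same value: move the line below the `from = ...` lookup and write `expected_token = comment.notification_token(from.id)`. The `if`/`elsif` chain continues past the end of this hunk.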
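Review bot: The changed `exit 0 unless ActiveSupport::SecurityUtils.secure_compare(token, expected_token)` line rejects without any trace, and notifications sent before this change carry the old six-character MD5-derived token, so replies to them will fail this check. With the one-month cutoff two lines below, that is up to a month of outstanding reply addresses. If dropping them is intended, a comment saying so would help. A log entry on mismatch, for example `Rails.logger.warn "deliver-message: token mismatch for id #{recipient[1]}"` before exiting, would also let operators tell stale replies from forged ones.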