decidim 0.31.3 → 0.32.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c81ec7ce06cfd596a4048630dcbe51614df567955f5f759f51a7043bb108bf03
-  data.tar.gz: e2fdf633e04a60e034171665997feee612f60bdd54d0713cd19c9609af4476f6
+  metadata.gz: 7e5393f2ef1590443933b8e7d02e6f675e179ea1bbfacaa61db56a28e4088064
+  data.tar.gz: 115b6aece646fecb40b20a576f17c0755a18eae63a6b9f99718ea50cd492b9fa
 SHA512:
-  metadata.gz: d7112880034676d0541e49ff188689a441c2a967713087c29b6d015552d2538505d39f6d932953bd7393ce4f9a2308ecf4e7b760d916762cc362fbd2eea7b95b
-  data.tar.gz: 29f0c8db6df198f8443d1070ef8424299b57d5884ae4b7200d30d2c40a5ad0bd64d88aee5c34e8d310ff7f0802136f815625a105f6bfb73070d8d6f0c5e6f063
+  metadata.gz: 18322a8bfd5c83a75bd74ece70dce9c9b2e7d48cd9668060d2366d38c57c45c9cf4da01e2ee59a1fa11c0127e85869a82ac838df0112db85e07ad0854b40452b
+  data.tar.gz: 4372ae457372cb04333414777d35b3ab34acb1cdfb7b104f5b56805d3c6d7334c11eeb5759829bed821185cc90036b0b03292bf63fa006fa14150e6340a3892a

data/decidim-core/lib/decidim/shakapacker/runner.rb

@@ -7,15 +7,15 @@ module Decidim
         base.alias_method :original_initialize, :initialize
         base.send :private, :original_initialize
 
-        base.define_method :initialize do |argv|
-          decidim_initialize(argv)
-          original_initialize(argv)
+        base.define_method :initialize do |argv, build_config = nil, bundler_override = nil|
+          decidim_initialize(argv, build_config, bundler_override)
+          original_initialize(argv, build_config, bundler_override)
         end
       end
 
       private
 
-      def decidim_initialize(_argv)
+      def decidim_initialize(_argv, _build_config = nil, _bundler_override = nil)
         # Write runtime configuration for Tailwind
         # This method is called here because in Decidim CSS compilation is done via Webpack.
         # If CSS is decoupled from JS in the future, this call should be removed.

data/decidim-core/lib/decidim/shakapacker/shakapacker.yml

@@ -21,8 +21,12 @@ default: &default
   # Reload manifest.json on all requests so we reload latest compiled packs
   cache_manifest: false
 
-  # Select loader to use, available options are 'babel' (default), 'swc' or 'esbuild'
-  webpack_loader: 'esbuild'
+  # Select JavaScript transpiler to use
+  # Available options: 'swc' (default, 20x faster), 'babel', 'esbuild', or 'none'
+  # Use 'none' when providing a completely custom webpack configuration
+  # Note: When using rspack, swc is used automatically regardless of this setting
+  javascript_transpiler: 'esbuild'
+  assets_bundler: "webpack"
 
   # Set to true to enable check for matching versions of shakapacker gem and NPM package - will raise an error if there is a mismatch or wildcard versioning is used
   ensure_consistent_versioning: true
@@ -35,15 +39,36 @@ default: &default
   # https://webpack.js.org/guides/build-performance/#avoid-production-specific-tooling
   useContentHash: false
 
+  # Utilizing webpack-subresource-integrity plugin, will generate integrity hashes for all entries in manifest.json
+  # https://github.com/waysact/webpack-subresource-integrity/tree/main/webpack-subresource-integrity
+  integrity:
+    enabled: false
+    # Which cryptographic function(s) to use, for generating the integrity hash(es). Default sha-384. Other possible values sha256, sha512
+    hash_functions: [ "sha384" ]
+    # Default "anonymous". Other possible value "use-credentials"
+    # https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity#cross-origin_resource_sharing_and_subresource_integrity
+    cross_origin: "anonymous"
+
+  # HTTP 103 Early Hints support for faster asset loading
+  # Sends Link headers to browsers so they can preload assets while Rails is rendering
+  # See docs/early_hints_new_api.md for setup instructions and requirements
+  # https://api.rubyonrails.org/classes/ActionDispatch/Request.html#method-i-send_early_hints
+  early_hints:
+    enabled: false
+    # css: "preload" # 'preload' | 'prefetch' | 'none' - default: 'preload'
+    # js: "preload" # 'preload' | 'prefetch' | 'none' - default: 'preload'
+    # debug: false # Output early hints info as HTML comments for troubleshooting
+
 development:
   <<: *default
   compile: true
   compiler_strategy: mtime
   # Compile test packs to decidim decidim-packs folder
 
+  useContentHash: false
+
   # Reference: https://webpack.js.org/configuration/dev-server/
   dev_server:
-    https: false
     host: localhost
     # Notice that we use a different port (to prevent blocking the default one) as
     # there will be at least two webpack servers running

data/decidim.gemspec

@@ -2,11 +2,9 @@
 
 $LOAD_PATH.push File.expand_path("lib", __dir__)
 
-# Maintain your gem's version:
-require "decidim/version"
-
 Gem::Specification.new do |s|
-  s.version = Decidim.version
+  version = "0.32.0.rc1"
+  s.version = version
   s.authors = ["Josep Jaume Rey Peroy", "Marc Riera Casals", "Oriol Gual Oliva"]
   s.email = ["josepjaume@gmail.com", "mrc2407@gmail.com", "oriolgual@gmail.com"]
   s.license = "AGPL-3.0-or-later"
@@ -18,7 +16,7 @@ Gem::Specification.new do |s|
     "homepage_uri" => "https://decidim.org",
     "source_code_uri" => "https://github.com/decidim/decidim"
   }
-  s.required_ruby_version = "~> 3.3.0"
+  s.required_ruby_version = "~> 3.4.0"
 
   s.name = "decidim"
 
@@ -45,25 +43,24 @@ Gem::Specification.new do |s|
 
   s.require_paths = ["lib"]
 
-  s.add_dependency "decidim-accountability", Decidim.version
-  s.add_dependency "decidim-admin", Decidim.version
-  s.add_dependency "decidim-api", Decidim.version
-  s.add_dependency "decidim-assemblies", Decidim.version
-  s.add_dependency "decidim-blogs", Decidim.version
-  s.add_dependency "decidim-budgets", Decidim.version
-  s.add_dependency "decidim-comments", Decidim.version
-  s.add_dependency "decidim-core", Decidim.version
-  s.add_dependency "decidim-debates", Decidim.version
-  s.add_dependency "decidim-forms", Decidim.version
-  s.add_dependency "decidim-generators", Decidim.version
-  s.add_dependency "decidim-meetings", Decidim.version
-  s.add_dependency "decidim-pages", Decidim.version
-  s.add_dependency "decidim-participatory_processes", Decidim.version
-  s.add_dependency "decidim-proposals", Decidim.version
-  s.add_dependency "decidim-sortitions", Decidim.version
-  s.add_dependency "decidim-surveys", Decidim.version
-  s.add_dependency "decidim-system", Decidim.version
-  s.add_dependency "decidim-verifications", Decidim.version
+  s.add_dependency "decidim-accountability", version
+  s.add_dependency "decidim-admin", version
+  s.add_dependency "decidim-api", version
+  s.add_dependency "decidim-assemblies", version
+  s.add_dependency "decidim-blogs", version
+  s.add_dependency "decidim-budgets", version
+  s.add_dependency "decidim-comments", version
+  s.add_dependency "decidim-core", version
+  s.add_dependency "decidim-debates", version
+  s.add_dependency "decidim-forms", version
+  s.add_dependency "decidim-generators", version
+  s.add_dependency "decidim-meetings", version
+  s.add_dependency "decidim-pages", version
+  s.add_dependency "decidim-participatory_processes", version
+  s.add_dependency "decidim-proposals", version
+  s.add_dependency "decidim-surveys", version
+  s.add_dependency "decidim-system", version
+  s.add_dependency "decidim-verifications", version
 
   s.add_development_dependency "bundler", "~> 2.2", ">= 2.2.18"
   s.add_development_dependency "rake", "~> 12.0"

data/docs/antora.yml

@@ -1,6 +1,6 @@
 name: en
 title: "Decidim Documentation"
-version: v0.31
+version: v0.32
 asciidoc:
   attributes:
     page-lang: en@

data/docs/modules/configure/pages/environment_variables.adoc

@@ -175,28 +175,6 @@ Also, be sure to add the line `gem "aws-sdk-s3", require: false` in your Gemfile
 |true
 |No
 
-|*AZURE_STORAGE_ACCESS_KEY*
-|If STORAGE_PROVIDER is set to `azure`, define here your AZURE ACCESS KEY with permissions to access the container for the application. Needs to be encoded in Base64.
-
-Also, be sure to add the line `gem "azure-storage-blob", require: false` in your Gemfile.
-|
-|No
-
-|*AZURE_STORAGE_ACCOUNT_NAME*
-|If STORAGE_PROVIDER is set to `azure`, define here your AZURE ACCOUNT NAME with permissions to access the container for the application.
-|
-|No
-
-|*AZURE_CONTAINER*
-|If STORAGE_PROVIDER is set to `azure`, define here your AZURE CONTAINER used for uploading files and images.
-|
-|No
-
-|*AZURE_PUBLIC*
-|Whether the Azure assets to be public or not. Default is true, which means that no credential strings would be attached to your Azure stored assets, making it easier for components to be cached. If you set this to `false` you may have cache issues (like changing an image and not seeing the change immediately).
-|true
-|No
-
 |*GCS_PROJECT*
 |If STORAGE_PROVIDER is set to `gcs`, define here your GOOGLE CLOUD PROJECT with permissions to access the bucket for the application.
 
@@ -786,10 +764,10 @@ Read more about this at xref:services:pdf.adoc[PDF signing] service page.
 | false
 | No
 
-|API_SCHEMA_MAX_ALIASES
-|This Environment variable instructs Decidim how many aliases should be allowed in a GraphQL query
-|5
-|No
+| API_SCHEMA_MAX_ALIASES
+| This Environment variable instructs Decidim how many aliases should be allowed in a GraphQL query
+| 5
+| No
 
 |PROPOSALS_PARTICIPATORY_SPACE_HIGHLIGHTED_PROPOSALS_LIMIT
 |Number of proposals to be shown in blocks with highlighted content across different participatory spaces.

data/docs/modules/customize/pages/logic.adoc

@@ -87,6 +87,37 @@ This applies to almost all classes you want to change in Decidim but controllers
 . Restart the server to apply these changes, as we changed the configuration of the application.
 
 [#explanation]
+
+== Adding additional data to your form context.
+
+By default, Decidim creates a context that is being passed to the form, containing 4 variables: `current_user`, `current_organization`, `current_participatory_space` and `current_component`.
+When you need, you could add additional context to your form by using the following methods:
+
+=== As a form argument
+
+[source,ruby]
+----
+@form = form(Decidim::MyGem::MyForm).from_params(params, { my_extra: :context })
+# or
+@form = form(Decidim::MyGem::MyForm).from_model(model, { my_extra: :context })
+----
+
+=== As a concern
+
+Sometimes, you may need to add the same parameter to all the forms in your controller, or you may need to override decidim default. You can achieve this by using a concern as follows:
+[source,ruby]
+----
+# frozen_string_literal: true
+module MyOverride
+  def form_context
+    { my_extra: :context }
+  end
+end
+
+# and in an initializer
+Decidim::MyGem::MyController.include(MyOverride)
+----
+
 == Extra notes
 
 The following step would help you find original source code:

data/docs/modules/develop/pages/api/authentication.adoc

@@ -0,0 +1,95 @@
+= Authentication with the API
+
+By default, the GraphQL API in Decidim is publically available for read-only operations and it can also be used by external applications to read data from Decidim. If you want to write data over the API, i.e. perform GraphQL mutations, you need first need to authenticate the API user to perform these operations. Otherwise, it is not possible to perform such operations as most such operations are performed as an actual user in Decidim.
+
+More information regarding implementing the API authentication is available in the API documentation of your Decidim instance.
+
+== Signing in to the API
+
+In case you want to use the API as a sign in user to perform mutations representing a user in Decidim, you have two available options for such integrations through the system administration panel:
+
+1. Creating an OAuth application and implementing the OAuth authentication flow for the users of your application. Use this option for participant-facing applications where the participants represent themselves in Decidim through the API.
+2. Creating API credentials and signing in to the API with these credentials to perform the operations as a signed in machine user. Use this option for machine-to-machine automations where there is no real end user interacting with Decidim.
+
+If you only want to test the GraphQL queries as a signed in user, you can use the normal Decidim authentication functionality to sign in and then use the GraphiQL IDE to perform these queries as a signed in user.
+
+== OAuth flow for participant-facing applications
+
+Participant-facing applications where the participants need to interact with Decidim through GraphQL mutations can be integrated using OAuth applications. In order to configure such integration capability from the system administration panel, create a new OAuth application and provide the necessary details for your integration. Note that the "application type" for such applications would typically be "Public". For more information regarding the application types, refer to https://datatracker.ietf.org/doc/html/rfc6749#section-2.1[RFC 6749 Section 2.1. (OAuth client types)].
+
+In order to use the OAuth access tokens to represent the user through the API, please select the following scopes as "Available" scopes for the application:
+
+* `user` - Authenticated users have the ability to represent a logged in user in Decidim
+* `api:read` - Authenticated users have the ability to read data from the API
+* `api:write` - Authenticated users have the ability to write data through the API (in case your external application needs to perform mutations over the API on behalf of the user)
+
+Once configured, you can now use any OAuth authentication library to perform the OAuth authentication flow with your application users and receive an access token to utilize the Decidim API representing the signed in user. Please note that with public OAuth clients especially (and recommended also for confidential clients), you have to use https://datatracker.ietf.org/doc/html/rfc7636[PKCE] with the authorization flow.
+
+Once the OAuth application is created, you can authenticate against it with the following steps:
+
+1. Send the user to perform an OAuth authorization request at Decidim with the required API scopes (`user`, `api:read` and `api:write` if you want to perform mutations over the API). Along with the authorization request, also send the additional parameters required by PKCE (`code_challenge` and `code_challenge_method`).
+2. Receive an OAuth authorization code back to your application's configured redirect URI.
+3. Utilizing the received authorization code, request an OAuth access token from the OAuth token endpoint. Along with the token request, also send the additional parameter required by PKCE `code_verifier`.
+4. The issued token is a JSON Web Token (JWT) when the authorization request contains the defined scopes. This token can be now used to represent the user in further calls to the API by passing the token with its type (`Bearer`) within the HTTP Authorization header with the request to the API.
+
+When doing the requests to the API, you also need to pass the OAuth client ID within the `X-Jwt-Aud` header of the requests in order for the token to be recognized as a valid token for the issued client. Passing the bearer token to the `Authorization` header and the OAuth client ID to the `X-Jwt-Aud` header, you can send the following HTTP request to the API to validate that the token works and the user is recognized as signed in:
+
+```http
+POST /api HTTP/1.1
+Accept: application/json
+Authorization: Bearer token
+Content-Length: 53
+Content-Type: application/json
+Host: DOMAIN
+X-Jwt-Aud: OAUTH_CLIENT_ID
+
+{"query":"{ session { user { id name nickname } } }"}
+```
+
+You should see the user details in the response in case the token is valid and you have configured the API correctly. If the response does not contain the user details, please refer to the Decidim configuration documentation.
+
+Once the interaction with the API is completed, it is recommended to revoke the tokens, which is similar to the user signing out of the application. This can be done utilizing the OAuth revocation endpoint provided by Decidim. After the token is revoked, it is no longer valid and the user has to perform a re-authorization the next time they want to utilize the API.
+
+In case you need tokens with a longer life span, you can either look into the Decidim documentation to extend the validity period of the access tokens or enable refresh tokens for the OAuth application when configuring it. However, note that tokens with longer lifespan can weaken the security of your system and make your application users vulnerable to security threats. Such use cases should be carefully planned and the security concerns should be addressed seriously.
+
+== API credentials flow for machine-to-machine automations
+
+The API credentials represent an administrative user in Decidim that performs administrative tasks on behalf of the end users. This type of integration flows should never live on devices that the participants have access to. These types of integrations are meant for different types of automations, such as transferring proposal answers or meeting reports back to Decidim from an external system automatically, e.g. once a day.
+
+Note that these credentials are highly sensitive and have elevated permissions, so take good care of the system security where you are planning to store these credentials. If these credentials end up in participants' hands, the whole system is compromised and no longer secure. You should always primarily create OAuth integrations where the end users will manually perform the authorization for the application to perform actions on behalf of them.
+
+Once you have validated that this is the correct way for your integration to operate, you can create the API credentials from the system administration panel. You will receive an API key and API secret after creating the credentials. These credentials should be also manually rotated on a regular basis to prevent unauthorized access to the system with these credentials in case they are leaked. The credentials have to be manually rotated in order to prevent external applications breaking because they cannot rotate the credentials themselves and they are typically statically configured for these applications.
+
+Given you have issued the API key and API secret, you can now send a sign in request to the API using these credentials as follows:
+
+```bash
+curl -s -i -H "Content-type: application/x-www-form-urlencoded" \
+  -d "api_user[key]=PASTE_API_KEY_HERE" \
+  -d "api_user[secret]=PASTE_API_SECRET_HERE" \
+  -X POST https://DOMAIN/api/sign_in | grep 'Authorization' | cut -d ' ' -f2-
+```
+
+After running this command, you should see the following string in the console, where `token` is replaced with the access token:
+
+```bash
+Bearer token
+```
+
+This string is passed to the following requests within the HTTP `Authorization` header to represent the user during API calls. You can use the following example query to test it out and confirm that signing in works as expected:
+
+```bash
+curl -w "\n" -H "Content-Type: application/json" \
+  -H "Authorization: Bearer token" \
+  -d '{"query":"{ session { user { id name nickname } } }"}' \
+  -X POST https://DOMAIN/api
+```
+
+You should see the user details in the response in case the token is valid and you have configured the API correctly. If the response does not contain the user details, please refer to the Decidim configuration documentation.
+
+Once the API interaction is done, you should always make an HTTP DELETE request to `/api/sign_out` with the same token in order to revoke the token from further access as follows:
+
+```bash
+curl -s -o /dev/null -w "HTTP %{http_code}\n" \
+  -H "Authorization: Bearer token" \
+  -X DELETE http://DOMAIN/api/sign_out
+```