From 50b3ac89d334f7f7632cee3c8f7395f21ead1df1 Mon Sep 17 00:00:00 2001 From: Peter Thomassen Date: Mon, 8 Jan 2024 14:42:08 +0100 Subject: [PATCH 1/7] fix(api): use corrects settings object --- api/desecapi/management/commands/limit.py | 5 +---- api/desecapi/management/commands/stop-abuse.py | 2 +- api/desecapi/serializers/authenticated_actions.py | 2 +- api/desecapi/serializers/captcha.py | 2 +- api/desecapi/serializers/domains.py | 2 +- api/desecapi/serializers/records.py | 2 +- api/desecapi/tests/test_captcha.py | 2 +- api/desecapi/tests/test_stop_abuse.py | 2 +- api/desecapi/tests/test_user_management.py | 2 +- 9 files changed, 9 insertions(+), 12 deletions(-) diff --git a/api/desecapi/management/commands/limit.py b/api/desecapi/management/commands/limit.py index 108a4392d..a83b1e76d 100644 --- a/api/desecapi/management/commands/limit.py +++ b/api/desecapi/management/commands/limit.py @@ -1,9 +1,6 @@ from django.core.management import BaseCommand, CommandError -from django.db.models import Q -from api import settings -from desecapi.models import RRset, Domain, User -from desecapi.pdns_change_tracker import PDNSChangeTracker +from desecapi.models import Domain, User class Command(BaseCommand): diff --git a/api/desecapi/management/commands/stop-abuse.py b/api/desecapi/management/commands/stop-abuse.py index fba6b6a8f..97c13e6f1 100644 --- a/api/desecapi/management/commands/stop-abuse.py +++ b/api/desecapi/management/commands/stop-abuse.py @@ -1,8 +1,8 @@ import dns.resolver +from django.conf import settings from django.core.management import BaseCommand from django.db.models import Q -from api import settings from desecapi.models import BlockedSubnet, Domain, RR, RRset, User from desecapi.pdns_change_tracker import PDNSChangeTracker diff --git a/api/desecapi/serializers/authenticated_actions.py b/api/desecapi/serializers/authenticated_actions.py index 2ae3aeb3d..275273562 100644 --- a/api/desecapi/serializers/authenticated_actions.py 
+++ b/api/desecapi/serializers/authenticated_actions.py @@ -2,11 +2,11 @@ import json from datetime import timedelta +from django.conf import settings from rest_framework import fields, serializers from rest_framework.settings import api_settings from rest_framework.validators import UniqueValidator, qs_filter -from api import settings from desecapi import crypto, models from .captcha import CaptchaSolutionSerializer diff --git a/api/desecapi/serializers/captcha.py b/api/desecapi/serializers/captcha.py index 1c67c3267..19a3d3400 100644 --- a/api/desecapi/serializers/captcha.py +++ b/api/desecapi/serializers/captcha.py @@ -2,9 +2,9 @@ from captcha.audio import AudioCaptcha from captcha.image import ImageCaptcha +from django.conf import settings from rest_framework import serializers -from api import settings from desecapi.models import Captcha diff --git a/api/desecapi/serializers/domains.py b/api/desecapi/serializers/domains.py index b9448e1ab..cbe9c40ad 100644 --- a/api/desecapi/serializers/domains.py +++ b/api/desecapi/serializers/domains.py @@ -1,8 +1,8 @@ import dns.name import dns.zone +from django.conf import settings from rest_framework import serializers -from api import settings from desecapi.models import Domain, RR_SET_TYPES_AUTOMATIC from desecapi.validators import ReadOnlyOnUpdateValidator diff --git a/api/desecapi/serializers/records.py b/api/desecapi/serializers/records.py index 26b4829d9..09a662e6b 100644 --- a/api/desecapi/serializers/records.py +++ b/api/desecapi/serializers/records.py @@ -3,6 +3,7 @@ import django.core.exceptions import dns.name import dns.zone +from django.conf import settings from django.core.validators import MinValueValidator from django.db.models import F, Q from django.utils import timezone @@ -11,7 +12,6 @@ from rest_framework.settings import api_settings from rest_framework.validators import UniqueTogetherValidator -from api import settings from desecapi import metrics, models, validators 
diff --git a/api/desecapi/tests/test_captcha.py b/api/desecapi/tests/test_captcha.py index 93732fde1..a04665b9b 100644 --- a/api/desecapi/tests/test_captcha.py +++ b/api/desecapi/tests/test_captcha.py @@ -3,13 +3,13 @@ from unittest import mock from PIL import Image +from django.conf import settings from django.test import TestCase from django.utils import timezone from rest_framework import status from rest_framework.reverse import reverse from rest_framework.test import APIClient -from api import settings from desecapi.models import Captcha from desecapi.serializers import CaptchaSolutionSerializer from desecapi.tests.base import DesecTestCase diff --git a/api/desecapi/tests/test_stop_abuse.py b/api/desecapi/tests/test_stop_abuse.py index 56e96f130..e96ce3168 100644 --- a/api/desecapi/tests/test_stop_abuse.py +++ b/api/desecapi/tests/test_stop_abuse.py @@ -1,6 +1,6 @@ +from django.conf import settings from django.core import management -from api import settings from desecapi import models from desecapi.tests.base import DomainOwnerTestCase diff --git a/api/desecapi/tests/test_user_management.py b/api/desecapi/tests/test_user_management.py index c674503e6..5f119db4a 100644 --- a/api/desecapi/tests/test_user_management.py +++ b/api/desecapi/tests/test_user_management.py @@ -21,6 +21,7 @@ from urllib.parse import urlparse from django.contrib.auth.hashers import is_password_usable +from django.conf import settings from django.core import mail from django.core.management import call_command from django.urls import resolve @@ -29,7 +30,6 @@ from rest_framework.reverse import reverse from rest_framework.test import APIClient -from api import settings from desecapi.models import Domain, User, Captcha from desecapi.tests.base import ( DesecTestCase, From 4c3a98480f8b2468ef9b485e6d053ab8fdb1c5f6 Mon Sep 17 00:00:00 2001 
From: Peter Thomassen Date: Tue, 26 Dec 2023 14:41:57 +0100 Subject: [PATCH 2/7] feat(api): reduce User.limit_domains to 1 by default --- api/api/settings.py | 4 +++- api/api/settings_quick_test.py | 2 ++ www/webapp/src/views/HomePage.vue | 8 ++++++++ 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/api/api/settings.py b/api/api/settings.py index 0b31d6e16..60ed2eb00 100644 --- a/api/api/settings.py +++ b/api/api/settings.py @@ -217,7 +217,9 @@ MINIMUM_TTL_DEFAULT = int(os.environ["DESECSTACK_MINIMUM_TTL_DEFAULT"]) MAXIMUM_TTL = 86400 AUTH_USER_MODEL = "desecapi.User" -LIMIT_USER_DOMAIN_COUNT_DEFAULT = 15 +LIMIT_USER_DOMAIN_COUNT_DEFAULT = int( + os.environ.get("DESECSTACK_API_LIMIT_USER_DOMAIN_COUNT_DEFAULT", "1") +) USER_ACTIVATION_REQUIRED = True VALIDITY_PERIOD_VERIFICATION_SIGNATURE = timedelta( hours=int(os.environ.get("DESECSTACK_API_AUTHACTION_VALIDITY", "0")) diff --git a/api/api/settings_quick_test.py b/api/api/settings_quick_test.py index b580dd50c..4fd8cc521 100644 --- a/api/api/settings_quick_test.py +++ b/api/api/settings_quick_test.py @@ -36,4 +36,6 @@ # Carry email backend connection over to test mail outbox CELERY_EMAIL_MESSAGE_EXTRA_ATTRIBUTES = ["connection"] +LIMIT_USER_DOMAIN_COUNT_DEFAULT = 15 + PCH_API = "http://api.invalid" diff --git a/www/webapp/src/views/HomePage.vue b/www/webapp/src/views/HomePage.vue index 6e96dacb9..e460c1931 100644 --- a/www/webapp/src/views/HomePage.vue +++ b/www/webapp/src/views/HomePage.vue 
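Review bot: The new `int(os.environ.get("DESECSTACK_API_LIMIT_USER_DOMAIN_COUNT_DEFAULT", "1"))` accepts any integer, so a deployment that sets the variable to a negative number silently gets a nonsensical default limit, while a non-numeric value fails at import; a guard directly after the assignment, `if LIMIT_USER_DOMAIN_COUNT_DEFAULT < 0: raise ValueError("DESECSTACK_API_LIMIT_USER_DOMAIN_COUNT_DEFAULT must not be negative")`, keeps the fail-fast behaviour consistent. The new environment variable is also undocumented where it is defined; a comment such as `# Default domain limit for new accounts (1 since the abuse wave; override via DESECSTACK_API_LIMIT_USER_DOMAIN_COUNT_DEFAULT)` would help operators. The settings_quick_test.py hunk in this commit pins the value back to 15, so as far as this diff shows no test exercises the production default of 1; a one-line comment there saying it preserves the pre-existing fixture expectations would make that deliberate.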
@@ -487,6 +487,14 @@ export default { "have not expired in the meantime are now working when opened. Direct login to the web interface and " + "deSEC DNS operations were not affected.", }, + { + id: 'news-20231226001', + start: new Date(Date.UTC(2023, 12 - 1, 26)), // first day of showing + end: new Date(Date.UTC(2024, 1 - 1, 8)), // first day of not showing + icon: 'mdi-heart-broken', + teaser: "Due to a recent spike in abusive domain registrations, new accounts need manual verification before " + + "domains can be created. Please contact support explaining your use case to enable domain creation.", + }, ], }) } From 4026c8ceac9b8dfa5a1e93d53c3d7f007be363c5 Mon Sep 17 00:00:00 2001 From: Peter Thomassen Date: Tue, 26 Dec 2023 18:42:40 +0100 Subject: [PATCH 3/7] feat(api): allow disabling LPS domain registration during sign-up --- api/api/settings.py | 3 +++ api/desecapi/serializers/users.py | 8 ++++++++ 2 files changed, 11 insertions(+) diff --git a/api/api/settings.py b/api/api/settings.py index 60ed2eb00..c073e3d63 100644 --- a/api/api/settings.py +++ b/api/api/settings.py @@ -224,6 +224,9 @@ VALIDITY_PERIOD_VERIFICATION_SIGNATURE = timedelta( hours=int(os.environ.get("DESECSTACK_API_AUTHACTION_VALIDITY", "0")) ) +REGISTER_LPS_ON_SIGNUP = bool( + int(os.environ.get("DESECSTACK_API_REGISTER_LPS_ON_SIGNUP", "1")) +) # CAPTCHA CAPTCHA_VALIDITY_PERIOD = timedelta(hours=24) diff --git a/api/desecapi/serializers/users.py b/api/desecapi/serializers/users.py index a2f2f2660..b20c26526 100644 --- a/api/desecapi/serializers/users.py +++ b/api/desecapi/serializers/users.py @@ -1,3 +1,4 @@ +from django.conf import settings from django.contrib.auth.password_validation import validate_password from rest_framework import serializers 
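Review bot: The `end` date of the new news item, `new Date(Date.UTC(2024, 1 - 1, 8))`, is 8 January 2024, which is the same day as the latest commit dates in this series, so if the change lands on or after that date the notice may never be displayed; confirm the intended display window or move `end` later. The `news` array and the enclosing `data()` function begin outside the hunk.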
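Review bot: `bool(int(os.environ.get("DESECSTACK_API_REGISTER_LPS_ON_SIGNUP", "1")))` treats every non-zero integer as enabled and raises ValueError at import for spellings such as `false` or `off`; failing fast is acceptable, but the accepted values should be stated next to the setting, e.g. `# 0 rejects locally-registrable (LPS) domain names in sign-up requests (enforced by validate_domain in desecapi/serializers/users.py); any other integer allows them`. Without that comment an operator reading the hunk has no way to tell which values are valid.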
@@ -83,6 +84,13 @@ def validate_domain(self, value): serializer.default_error_messages["name_unavailable"], code="name_unavailable", ) + if ( + not settings.REGISTER_LPS_ON_SIGNUP + and DomainSerializer.Meta.model(name=value).is_locally_registrable + ): + raise serializers.ValidationError( + "Registration during sign-up disabled; please create account without a domain name.", + ) return value def create(self, validated_data): From 3570ef1f7c60b2d3354bf8a0a0f445e01d428aa0 Mon Sep 17 00:00:00 2001 From: Peter Thomassen Date: Tue, 2 Jan 2024 15:15:59 +0100 Subject: [PATCH 4/7] feat(webapp): clarify privacy policy scope --- www/webapp/src/views/PrivacyPolicy.vue | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/www/webapp/src/views/PrivacyPolicy.vue b/www/webapp/src/views/PrivacyPolicy.vue index 408dc4ecb..e6c83bcb1 100644 --- a/www/webapp/src/views/PrivacyPolicy.vue +++ b/www/webapp/src/views/PrivacyPolicy.vue @@ -5,6 +5,10 @@
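Review bot: The new `serializers.ValidationError` is raised without a `code=` argument, whereas the `name_unavailable` error immediately above it in the same method carries one, so API clients cannot distinguish this refusal from the generic default code; pass a code alongside the message, e.g. `code="lps_signup_disabled"` (name to be chosen). Constructing a throwaway model instance via `DomainSerializer.Meta.model(name=value)` solely to read `is_locally_registrable` works but obscures intent; if the Domain model is importable in this module, `Domain(name=value).is_locally_registrable` reads more directly. A short comment would also help, such as `# Sign-up with an LPS domain is refused here so the request fails before any account is created` (assuming field validation runs before create, which this hunk does not show). `validate_domain` begins outside the hunk, and the hunk's last line is the signature of `create`.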

Privacy Policy

+

+ This privacy policy applies to web content at desec.io. Our forum has a + separate privacy policy. +

From 66c9056a5970e968558fdb68ac8ca30cef05b58a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 1 Jan 2024 04:31:03 +0000 Subject: [PATCH 5/7] chore(deps): update coverage requirement from ~=7.3.2 to ~=7.4.0 in /api Updates the requirements on [coverage](https://github.com/nedbat/coveragepy) to permit the latest version. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.3.2...7.4.0) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- api/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api/requirements.txt b/api/requirements.txt index 7d018105c..e5ba134b1 100644 --- a/api/requirements.txt +++ b/api/requirements.txt @@ -1,6 +1,6 @@ captcha~=0.5.0 celery~=5.3.6 -coverage~=7.3.2 +coverage~=7.4.0 cryptography~=41.0.7 Django~=5.0.0 django-cors-headers~=4.3.1 From cc6f2fbcb9e6bb67a83f70532c4bb5722440470e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Jan 2024 04:43:27 +0000 Subject: [PATCH 6/7] chore(deps): update psycopg requirement in /api Updates the requirements on [psycopg](https://github.com/psycopg/psycopg) to permit the latest version. - [Changelog](https://github.com/psycopg/psycopg/blob/master/docs/news.rst) - [Commits](https://github.com/psycopg/psycopg/compare/3.1.14...3.1.17) --- updated-dependencies: - dependency-name: psycopg dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- api/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api/requirements.txt b/api/requirements.txt index e5ba134b1..5c3796b51 100644 --- a/api/requirements.txt +++ b/api/requirements.txt 
@@ -12,7 +12,7 @@ django-prometheus~=2.3.1 dnspython~=2.4.2 httpretty~=1.0.5 # 1.1 breaks tests. Does not run in production, so stick to it. pyotp~=2.9.0 -psycopg~=3.1.14 +psycopg~=3.1.17 psl-dns~=1.1.0 pylibmc~=1.6.3 pyyaml~=6.0.1 From 68d20ca47aeba58d6a67dc6adf27255c1294b74a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Jan 2024 04:43:33 +0000 Subject: [PATCH 7/7] chore(deps): update django requirement from ~=5.0.0 to ~=5.0.1 in /api Updates the requirements on [django](https://github.com/django/django) to permit the latest version. - [Commits](https://github.com/django/django/compare/5.0...5.0.1) --- updated-dependencies: - dependency-name: django dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- api/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api/requirements.txt b/api/requirements.txt index 5c3796b51..155b1d863 100644 --- a/api/requirements.txt +++ b/api/requirements.txt @@ -2,7 +2,7 @@ captcha~=0.5.0 celery~=5.3.6 coverage~=7.4.0 cryptography~=41.0.7 -Django~=5.0.0 +Django~=5.0.1 django-cors-headers~=4.3.1 djangorestframework~=3.14.0 django-celery-email~=3.0.0