* fix(bbcode): fix ReDos of imagemap parsing
* fix(bbcode): use `regex` and add timeout to avoid too long time to parse
* feat(bbcode): use `make_tag` to generate HTML tags
* docs(bbcode): add docstrings for BBCodeService
* fix(user): validate BBCode content before processing userpage update
* fix(bbcode): catch timeout errors in BBCode parsing with MaliciousBBCodeError
* fix(bbcode): resolve reviews
* fix(bbcode): use `make_tag` in `_parse_size`
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* fix(bbcode): fix using `make_tag` in `_parse_size`
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* feat(custom_ruleset): add custom rulesets support
* feat(custom-ruleset): add version check
* feat(custom-ruleset): add LegacyIO API to get ruleset hashes
* feat(pp): add check for rulesets whose pp cannot be calculated
* docs(readme): update README to include support for custom rulesets
* fix(custom-ruleset): make `rulesets` empty instead of throwing an error when version check is disabled
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* chore(custom-ruleset): apply the latest changes of generator c891bcd159 and e25041ad3b
* feat(calculator): add fallback performance calculation for unsupported modes
* fix(calculator): remove debug print
* fix: resolve reviews
* feat(calculator): add difficulty calculation checks
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Updated session verification method selection to match osu-web's State.php:36 logic, using SUPPORT_TOTP_VERIFICATION_VER for version checks and prioritizing TOTP when available. Added example environment files for osu-web-master to support local, dusk, and testing setups.
Corrects the logic for the trusted_device parameter when creating login sessions by inverting its value. This ensures that the session accurately reflects whether the device is trusted or not.
Introduces Cloudflare Turnstile verification for registration, OAuth password grant, and password reset endpoints (excluding osu! client). Adds related configuration options and a new service for token validation. Also refactors password change logic to support TOTP or password-based verification, improving security for users with TOTP enabled.
Introduced support for MailerSend as an email provider alongside SMTP, with configuration options in settings. Added Jinja2-based multi-language email templates for verification emails, and refactored the email sending logic to use these templates and support language selection based on user country code. Updated related services and API endpoints to pass country code and handle new response formats. Added dependencies for Jinja2 and MailerSend.
APIs:
- GET `/api/private/user/preferences`: Get current user's preferences.
- PATCH `/api/private/user/preferences`: Modify current user's preferences. (body: Preferences)
- PUT `/api/private/user/preferences`: Overwrite current user's preferences. (body: Preferences)
- DELETE `/api/private/user/preferences`: Reset current user's preferences. (body: list[str])
  - body specifies the content to be reset. If body is empty, reset all preferences.
User:
- `User.g0v0_playmode`: show the special ruleset like `OSURX`, and custom rulesets in the future.
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
## APIs Restricted for Restricted Users
A restricted user is blocked from performing the following actions, and will typically receive a `403 Forbidden` error:
* **Chat & Notifications:**
  * Sending any chat messages (public or private).
  * Joining or leaving chat channels.
  * Creating new PM channels.
* **User Profile & Content:**
  * Uploading a new avatar.
  * Uploading a new profile cover image.
  * Changing their username.
  * Updating their userpage content.
* **Scores & Gameplay:**
  * Submitting scores in multiplayer rooms.
  * Deleting their own scores (to prevent hiding evidence of cheating).
* **Beatmaps:**
  * Rating beatmaps.
  * Tagging beatmaps.
* **Relationship:**
  * Adding friends or blocking users.
  * Removing friends or unblocking users.
* **Teams:**
  * Creating, updating, or deleting a team.
  * Requesting to join a team.
  * Handling join requests for a team they manage.
  * Kicking a member from a team they manage.
* **Multiplayer:**
  * Creating or deleting multiplayer rooms.
  * Joining or leaving multiplayer rooms.
## What is Invisible to Normal Users
* **Leaderboards:**
  * Beatmap leaderboards.
  * Multiplayer (playlist) room leaderboards.
* **User Search/Lists:**
  * Restricted users will not appear in the results of the `/api/v2/users` endpoint.
  * They will not appear in the list of a team's members.
* **Relationship:**
  * They will not appear in a user's friend list (`/friends`).
* **Profile & History:**
  * Attempting to view a restricted user's profile, events, kudosu history, or score history will result in a `404 Not Found` error, effectively making their profile invisible (unless the user viewing the profile is the restricted user themselves).
* **Chat:**
  * Normal users cannot start a new PM with a restricted user (they will get a `404 Not Found` error).
* **Ranking:**
  * Restricted users are excluded from any rankings.
### How to Restrict a User
Insert into `user_account_history` with `type=restriction`.
```sql
-- length is in seconds
INSERT INTO user_account_history (`description`, `length`, `permanent`, `timestamp`, `type`, `user_id`) VALUE ('some description', 86400, 0, '2025-10-05 01:00:00', 'RESTRICTION', 1);
```
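As an added illustration (not code from the project itself), the following Python builds a throwaway in-memory SQLite copy of the columns used by the `INSERT` above, inserts that same row, and decides whether a user is currently restricted, then applies the profile rule from the previous section (404 unless the viewer is the restricted user). The table definition, the helper names and the expiry rule are assumptions for this example: it takes `length` to count from `timestamp` and `permanent=1` to never expire.

```python
import sqlite3

# Constructed stand-in for user_account_history with only the columns the
# INSERT above uses (assumption: the real table has more columns).
SCHEMA = """
CREATE TABLE user_account_history (
    id          INTEGER PRIMARY KEY AUTOINCREMENT,
    description TEXT,
    length      INTEGER NOT NULL,  -- seconds
    permanent   INTEGER NOT NULL,  -- 0 or 1
    timestamp   TEXT    NOT NULL,  -- 'YYYY-MM-DD HH:MM:SS'
    type        TEXT    NOT NULL,
    user_id     INTEGER NOT NULL
);
"""


def open_db():
    """In-memory database with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def restrict_user(conn, user_id, length, permanent, timestamp,
                  description="some description"):
    """Insert the same row shape as the MySQL statement above.

    SQLite spells the keyword VALUES; MySQL also accepts VALUE.
    """
    conn.execute(
        "INSERT INTO user_account_history "
        "(description, length, permanent, timestamp, type, user_id) "
        "VALUES (?, ?, ?, ?, 'RESTRICTION', ?)",
        (description, length, int(permanent), timestamp, user_id),
    )
    conn.commit()


def is_restricted(conn, user_id, now):
    """True if any RESTRICTION row for user_id is active at `now`.

    Assumption: a row is active when permanent = 1, or when `now` falls in
    [timestamp, timestamp + length seconds). `now` is a 'YYYY-MM-DD HH:MM:SS'
    string; the expiry arithmetic is done by SQLite's datetime() so the same
    predicate could be reused inside a larger query.
    """
    row = conn.execute(
        "SELECT 1 FROM user_account_history "
        "WHERE user_id = ? AND type = 'RESTRICTION' "
        "AND (permanent = 1 "
        "     OR (timestamp <= ? "
        "         AND ? < datetime(timestamp, '+' || length || ' seconds'))) "
        "LIMIT 1",
        (user_id, now, now),
    ).fetchone()
    return row is not None


def profile_status(conn, viewer_id, target_id, now):
    """HTTP status a profile request should get under the rules above:
    404 for a restricted target unless the viewer is that same user."""
    if is_restricted(conn, target_id, now) and viewer_id != target_id:
        return 404
    return 200


if __name__ == "__main__":
    db = open_db()
    # The row from the INSERT above: user 1, one day, not permanent.
    restrict_user(db, 1, 86400, False, "2025-10-05 01:00:00")
    print(is_restricted(db, 1, "2025-10-05 12:00:00"))     # True
    print(is_restricted(db, 1, "2025-10-06 02:00:00"))     # False (expired)
    print(profile_status(db, 2, 1, "2025-10-05 12:00:00"))  # 404
    print(profile_status(db, 1, 1, "2025-10-05 12:00:00"))  # 200 (self)
```

The expiry check is strict on the upper bound, so a one-day restriction placed at 01:00:00 is no longer active at exactly 01:00:00 the next day; a permanent row short-circuits the date arithmetic entirely.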
---
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>