Maintenance mode failure with wrong encoding/collation

Description

Using our shipped docker images maintenance mode explodes if MySQL is not utf8mb4 but will then continue to normal operation anyways (somehow). This needs to be explored further.

Steps to reproduce

Use docker image with RDS without utf8mb4

Expected behavior

Maintenance mode should complain that the collation/encoding is wrong without errors and stop the user unless the cleanspeak.properties is set to ignore the encoding.### Screenshots

Platform

• Device: AWS Docker EC2
• OS: (whatever our docker is)
• Browser + version: Unrelated

Additional context

See also https://inversoft.zendesk.com/agent/tickets/2523

Mitigate CVE-2021-44228 log4j in Elasticsearch for good measure

Description

CleanSpeak is shipping Java 14 as of version 3.30.0 which was released in May 2021, and in the upcoming 3.32.0 we will be shipping Java 17 LTS.

Elasticsearch has stated that if you are running on Java 9+ - you are not vulnerable. The mitigation to an existing instance of Elasticsearch if you are not running on Java9+ is to add this arg to your VM options: -Dlog4j2.formatMsgNoLookups=true.

https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

As an extra measure of caution, let's add this to the VM args in our bundled Elasticsearch version 7.6.1 which is part of the cleanspeak-search-engine bundle.

Additional context

• https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
• https://cleanspeak.com/blog/2021/12/10/log4j-cleanspeak

URL Filter Enhancement

Description

The url filter currently has trouble detecting exampledotcom because there are no spaces or differences in capitalization. This needs to be explored to find a way to improve this behavior.

Review

• Add quality score tests

Upgrade Apache Tomcat from 8.5.63 to 8.5.72

Description

Upgrade to latest 8.5.x patch release to pick up bug fixes and security updates.

Prometheus Endpoint

Problem

It is not currently easy/possible to integrate with Prometheus metrics.

Solution

Add a new endpoint for a prometheus instance to scrape.

Additional context

See also: https://prometheus.io/, https://prometheus.io/docs/instrumenting/exposition_formats/

Design

Requirements:

• Register Dropwizard with prometheus
  • I am using guice to immediately build a singleton that only registers dropwizard in its constructor, there might be a better way to do this.
• Create a new endpoint in both MI and WS (using /prometheus/metrics)
  • This endpoint will report the metrics in a format that prometheus expects (using its libraries preferably)
• (Optional) Add logback integration for prometheus as well. (This was easy as a new dep and a simple modification to the logback.xml)

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

It appears that in some cases, the latest content is not rendering the newest content for the user, but rather older content. This was reported in the User Alert queue, but it could be in other places as well.

PATCH support

Problem

If you want to change any large objects like system configuration or an application configuration you have to request the entire object, modify the fields you want, and send the whole thing back.

Solution

It would be nice to send in only the required fields to identify a configuration and the fields you want to change to minimize the possibility for racey updates, minimize bandwidth, and minimize complexity on the implementers side. The PATCH method on http would be able to do this, CleanSpeak just has to support it.

Alternatives/workarounds

It doesn't functionally change anything, it just makes it easier to do some things.

Additional context

This feature will be available through our MVC soon so some of the work is already done.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

Upgrade logback

The logging framework used by CleanSpeak is logback. While this library does not have the same vulnerability found in Log4J, due to this post on the logback website, we are updating to the latest version out of an abundance of caution.

Description

From: http://logback.qos.ch/news.html

You can receive logback-related announcements by subscribing to the QOS.ch announce mailing list.

16th of December, 2021, Release of version 1.2.9

We note that the vulnerability mentioned in CVE-2021-42550 requires write access to logback's configuration file as a prerequisite. Please understand that log4Shell and CVE-2021-42550 are of different severity levels.
In response to CVE-2021-42550 (aka LOGBACK-1591) we have decided to make the following steps.

1) Hardened logback's JNDI lookup mechanism to only honor requests in the java: namespace. All other types of requests are ignored. Many thanks to Michael Osipov for suggesting this change and providing the relvant PR.

2) SMTPAppender was hardened.

3) Temporarily removed DB support for security reasons.

4) Removed Groovy configuration support. As logging is so pevasive and configuration with Groovy is probably too powerful, this feature is unlikely to be reinstated for security reasons.

We note that the aforementioned vulnerability requires write access to logback's configuration file as a prerequisite. Please understand that log4Shell/CVE-2021-44228 and CVE-2021-42550 are of different severity levels. A successul RCE attack with CVE-2021-42550 requires all of the following conditions to be met:

write access to logback.xml
use of versions < 1.2.9
reloading of poisoned configuration data, which implies application restart or scan="true" set prior to attack
As an additional extra precaution, in addition to upgrading to logback version 1.2.9, we also recommend users to set their logback configuration files as read-only.

16th of December, 2021, Release of version 1.3.0-alpha11

Note that 1.3.0-alpha11 contains the same security related changes as 1.2.9.

The 1.3.x series is JPMS/Jigsaw/Java 9 modularized and requires slf4j-api version 2.0.x. However, the 1.3.x series requires Java 8 or later at runtime.
The 1.3.x series is Jigsaw/Java 9 modularized and requires slf4j-api version 2.0.x. Moreover, the 1.3.x series requires Java 8 or later at runtime whereas building logback from source requires Java 9. 

Joran, logback's configuration system, has been rewritten to use an internal representation model which can be processed separately. As a side-effect, logback configuration scripts are now largely order-free. For example, appenders can now be defined after they are first referenced in a logger. Moreover, unreferenced appenders are no longer instantiated. Given the breadth of the changes in Joran codebase, support for SiftingAppender and Groovy configuration have been dropped temporarily.

• Migrated from javax.servlet to jakarta.servlet. This entails migration to Tomcat version 10.0.10 and Jetty version 11.0.6 in logback-access. This fixes LOGBACK-1575 reported by Daniel Svensson. Note that Jetty version 11 requires Java version 11 or later.

Additional context

• http://logback.qos.ch/news.html

Limited Filter Storage

Problem

Clients that have content volumes in the billions per month cannot easily enable content storage which also prevents getting useful statistics from the reports. This is due to the fact that elastic search would require an enormous amount of ram to power such a large dataset. Even using a reaper to frequently scrub the data is challenging due to the rate that content needs to be deleted (mostly a mysql issue).

Solution

A good solution is to

• Store only filter matches (anything that needs moderation or triggers an alert)
• Store a % of total matches or every N matches (regardless of filter match)

These two companion features would allow the statistics to work using a sampled subset of the total data that would only require a comparable reduction in server resources.

Alternatives/workarounds

Throw server resources at the problem and store everything. (expensive and only vertically scales)

Design

In order to ensure that CleanSpeak keeps working as intended, anything that requires approval or enters the queue will always be recorded. The two new settings allow you to change how any additional content is treated.

1. Keep a percentage of additional content. (Mostly for random searches/reports) (Defaults to 100% (old behavior))
2. Keep any content that triggers the filter at all. (Defaults to false)

Additional Notes:

• If content is not stored and someone then tries to edit it, it will 404.
• If content is not stored on a post, the stored value will be false.

Affected reports:

• Top producers
• Filter (aka top entries and words/phrases)
• Common terms
• Trending terms
• Related terms
• Weekly report

Unaffected reports:

• Actioned users
• Moderator Activity
• Content (aka content counts)

Review

• Discuss alwaysKeepMatches
• Find which reports are unaffected
• Review what happens if content isn't stored but is editable.
• Write a test for that

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

Clicking the chain icon to "copy a users link to the clipboard" does not work

Description

When viewing a user (admin page or in popup) and you click on the chain icon the user's link is not copied to the clipboard.

Steps to reproduce

Steps to reproduce the behavior:

1. View a user
2. Click on the chain icon (tooltip should say "copy this user's link to the clipboard")
3. Paste the clipboard content someplace and note that it is not a link

Expected behavior

Expect clipboard to contain a link to the user.

Queue fails to drain when something is longer than 255

Description

The location, receiver_display_name, or sender_display_name is longer than 255, and then gets stuck in the queue.

Need to ensure we are validating these lengths prior to adding to the queue.

### Error updating database.  Cause: org.postgresql.util.PSQLException: ERROR: value too long for type character varying(255)
### The error may involve defaultParameterMap
### The error occurred while setting parameters
### SQL: INSERT INTO content_items (id, content, create_instant, generated_alert, insert_instant, last_update_user_id,                                location, persistent, receiver_display_name, receiver_id, required_approval,                                sender_display_name, sender_id, was_actioned, was_approved, was_dismissed, was_escalated,                                was_rejected, applications_id) VALUES                  (?, ?, ?, ?,       ?, ?, ?, ?,       ?, ?, ?,       ?, ?, ?, ?,       ?, ?, ?, ?)      ,        (?, ?, ?, ?,       ?, ?, ?, ?,       ?, ?, ?,       ?, ?, ?, ?,       ?, ?, ?, ?)      ,        (?, ?, ?, ?,       ?, ?, ?, ?,       ?, ?, ?,       ?, ?, ?, ?,       ?, ?, ?, ?)      ,        (?, ?, ?, ?,       ?, ?, ?, ?,       ?, ?, ?,       ?, ?, ?, ?,       ?, ?, ?, ?)
### Cause: org.postgresql.util.PSQLException: ERROR: value too long for type character varying(255)
        at org.apache.ibatis.exceptions.ExceptionFactory.wrapException(ExceptionFactory.java:30)
        at org.apache.ibatis.session.defaults.DefaultSqlSession.update(DefaultSqlSession.java:200)
        at org.apache.ibatis.session.defaults.DefaultSqlSession.insert(DefaultSqlSession.java:185)
        at sun.reflect.GeneratedMethodAccessor69.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.ibatis.session.SqlSessionManager$SqlSessionInterceptor.invoke(SqlSessionManager.java:350)
        at com.sun.proxy.$Proxy75.insert(Unknown Source)
        at org.apache.ibatis.session.SqlSessionManager.insert(SqlSessionManager.java:236)
        at org.apache.ibatis.binding.MapperMethod.execute(MapperMethod.java:58)
        at org.apache.ibatis.binding.MapperProxy.invoke(MapperProxy.java:59)
        at com.sun.proxy.$Proxy83.createBulk(Unknown Source)
        at com.inversoft.cleanspeak.api.service.content.DefaultContentItemService.createBulk(DefaultContentItemService.java:100)
        at com.inversoft.cleanspeak.api.service.moderation.ContentQueueDrainer.flush(ContentQueueDrainer.java:148)

Steps to reproduce

Steps to reproduce the behavior:

1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error

Expected behavior

A clear and concise description of what you expected to happen.

Screenshots

If applicable, add screenshots to help explain your problem.

Related

• #32

Platform

(Please complete the following information)

• Device: [e.g. Desktop, iPhone X, Pixel 3, etc]
• OS: [e.g. iOS, macOS, Windows ME]
• Browser + version [e.g. chrome, safari plus a version]

Additional context

Add any other context about the problem here.

Improve the audit logs

Ideas

• In code (i.e. method names) and messaging the wording should be restricted to approve, create, delete, revert, and update. Currently there is also add and edit that should be changed to create and update respectively.
• Ensure all the ACDRU methods and messages are called consistently and in all the places that they should be. For example, "blacklist phrase deleted" does not seem to be logged.
• Enhance all "update" methods and messages to show more detailed before and after. This should be a full JSON view of the data before and after the change. Note this will require a DB migration to add new columns
• Change messaging for "update" and "delete" to better show the difference between "deletion approved" and "update approved". The current order for delete is confusing especially when there are other logs between the "delete" and the "approve":

  Blacklist filter entry Id [1289] approved [test1:en] ... 01:09:41 PM
  ...
  Blacklist filter entry Id [1289] deleted [test1:en] ... 01:09:21 PM

• Wording could also be enhanced to describe the difference between a "delete requested" and "delete approved". Same goes for "create" and "update".

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

May be missing some audit entries when modifying an existing blocked phrase

Description

When making changes to the filter in the UI, each approval is supposed to be audited.

Steps to reproduce

Steps to reproduce the behavior:

1. Create a black list phrase
2. Approve it, ensure it shows up as active, and it should be in the audit log.
3. Edit this same phrase
4. Approve the change
5. It is not in the audit log

Expected behavior

The change to this phrase should be recorded in the audit log.

Additional context

Customer reported. An audit should be performed of each create, update, delete for each filter entry type to ensure correct auditing is being performed.

Description

Running a backup and restore via the API doesn't always work. It looks like there are some bugs with JSON parsing.

Here's the stack trace:

Feb 25, 2021 10:25:46.264 AM ERROR com.inversoft.cleanspeak.api.service.system.backup.DefaultBackupService - Failed to load backup file [/tmp/NjE3YmU1NT_cleanspeak.json]
com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of `com.inversoft.cleanspeak.domain.WhitelistedURL` (although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('.*\.example\.com.*')
 at [Source: (File); line: 1, column: 4007468] (through reference chain: com.inversoft.cleanspeak.domain.system.backup.Backup["whitelist"]->com.inversoft.cleanspeak.domain.system.backup.Whitelist["whitelistedURLs"]->java.util.ArrayList[0])
        at com.fasterxml.jackson.databind.exc.MismatchedInputException.from(MismatchedInputException.java:63)
        at com.fasterxml.jackson.databind.DeserializationContext.reportInputMismatch(DeserializationContext.java:1429)
        at com.fasterxml.jackson.databind.DeserializationContext.handleMissingInstantiator(DeserializationContext.java:1059)
        at com.fasterxml.jackson.databind.deser.ValueInstantiator._createFromStringFallbacks(ValueInstantiator.java:371)
        at com.fasterxml.jackson.databind.deser.std.StdValueInstantiator.createFromString(StdValueInstantiator.java:323)
        at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromString(BeanDeserializerBase.java:1373)
        at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeOther(BeanDeserializer.java:171)
        at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:161)
        at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:286)
        at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:245)
        at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:27)
        at com.fasterxml.jackson.databind.deser.impl.FieldProperty.deserializeAndSet(FieldProperty.java:138)
        at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeWithView(BeanDeserializer.java:587)
        at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:359)
        at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:159)
        at com.fasterxml.jackson.databind.deser.impl.FieldProperty.deserializeAndSet(FieldProperty.java:138)
        at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeWithView(BeanDeserializer.java:587)
        at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:359)
        at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:159)
        at com.fasterxml.jackson.databind.ObjectReader._bindAndClose(ObjectReader.java:1719)
        at com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:1310)
        at com.inversoft.cleanspeak.api.service.filter.DefaultListService.loadFromSource(DefaultListService.java:218)
        at com.inversoft.cleanspeak.api.service.system.backup.DefaultBackupService.restore(DefaultBackupService.java:210)
        at com.inversoft.cleanspeak.api.service.system.backup.DefaultBackupService$$EnhancerByGuice$$bf00b1db.CGLIB$restore$0(<generated>)
        at com.inversoft.cleanspeak.api.service.system.backup.DefaultBackupService$$EnhancerByGuice$$bf00b1db$$FastClassByGuice$$f6aa5735.invoke(<generated>)
        at com.google.inject.internal.cglib.proxy.$MethodProxy.invokeSuper(MethodProxy.java:228)
        at com.google.inject.internal.InterceptorStackCallback$InterceptedMethodInvocation.proceed(InterceptorStackCallback.java:76)
        at org.mybatis.guice.transactional.TransactionalMethodInterceptor.invoke(TransactionalMethodInterceptor.java:96)
        at com.google.inject.internal.InterceptorStackCallback$InterceptedMethodInvocation.proceed(InterceptorStackCallback.java:78)
        at org.mybatis.guice.transactional.TransactionalMethodInterceptor.invoke(TransactionalMethodInterceptor.java:96)
        at com.google.inject.internal.InterceptorStackCallback$InterceptedMethodInvocation.proceed(InterceptorStackCallback.java:78)
        at org.mybatis.guice.transactional.TransactionalMethodInterceptor.invoke(TransactionalMethodInterceptor.java:96)
        at com.google.inject.internal.InterceptorStackCallback$InterceptedMethodInvocation.proceed(InterceptorStackCallback.java:78)
        at com.google.inject.internal.InterceptorStackCallback.intercept(InterceptorStackCallback.java:54)
        at com.inversoft.cleanspeak.api.service.system.backup.DefaultBackupService$$EnhancerByGuice$$bf00b1db.restore(<generated>)
        at com.inversoft.cleanspeak.webservice.action.system.RestoreAction.post(RestoreAction.java:40)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.primeframework.mvc.util.ReflectionUtils.invoke(ReflectionUtils.java:414)
        at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.execute(DefaultActionInvocationWorkflow.java:79)
        at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.perform(DefaultActionInvocationWorkflow.java:62)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
        at org.primeframework.mvc.validation.DefaultValidationWorkflow.perform(DefaultValidationWorkflow.java:47)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
        at org.primeframework.mvc.security.DefaultSecurityWorkflow.perform(DefaultSecurityWorkflow.java:81)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
        at org.primeframework.mvc.parameter.DefaultPostParameterWorkflow.perform(DefaultPostParameterWorkflow.java:50)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
        at org.primeframework.mvc.content.DefaultContentWorkflow.perform(DefaultContentWorkflow.java:52)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)

Update support library in CleanSpeak

Description

Update the support library with new FTL changes as we have in FusionAuth. @robotdan will know what this means.

Update CleanSpeak MI UI to obscure more things such as SMTP creds, API keys, etc.

Description

See how we do this in FusionAuth, copy over some of the same patterns.

• SMTP credentials
• System users passwords (already obscured, but could use the toggle we have in FusionAuth)
• API keys
• Other?

Feature: Add ignore to the User Queue workflow

Problem

When a moderator is reviewing the User queue, the current design requires the user to be dismissed or actioned before viewing the next user in the queue.

There are times when the moderator reviewing the current user is unable to make a decision on the current user due to insufficient information. In some cases it is possible to escalate the user in order to move to the next user in the queue. In other cases escalating the user is not helpful because additional information may be needed to be collected outside of CleanSpeak.

In these scenarios it would be helpful to be able to "ignore" a user in the queue, continue to the next user w/out dismissing the user from the queue. This would allow this user to be reviewed at a later time.

This type of workflow is supported in the Content Queue, a similar workflow would be desired.

Solution

Add an "Ignore" or "continue" option when working through the User queue similar to the Content Queue.

Alternatives/workarounds

You can optionally use the escalation queue as a holding area for users you wish to review at a later time.

Additional context

Internal reference : https://cleanspeak.zendesk.com/agent/tickets/2682

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

Description

It looks like in the most recent releases of CleanSpeak, the approvals for filtering lists are broken. Here's the stack trace:

2021-08-04 3:22:03.190 PM ERROR c.i.cleanspeak.api.primeframework.mvc.error.ExceptionExceptionHandler - An unhandled exception was thrown
java.lang.NullPointerException: null
        at com.inversoft.cleanspeak.api.service.DefaultEventService.lambda$sendToServers$1(DefaultEventService.java:94)
        at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:176)
        at java.base/java.util.HashMap$KeySpliterator.forEachRemaining(HashMap.java:1694)
        at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
        at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
        at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913)
        at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578)
        at com.inversoft.cleanspeak.api.service.DefaultEventService.sendToServers(DefaultEventService.java:95)
        at com.inversoft.cleanspeak.api.service.DefaultEventService.notify(DefaultEventService.java:65)
        at com.inversoft.cleanspeak.api.service.filter.DefaultApprovalService.notify(DefaultApprovalService.java:1369)
        at com.inversoft.cleanspeak.api.service.filter.DefaultApprovalService.approveFilterEntry(DefaultApprovalService.java:555)
        at org.mybatis.guice.transactional.TransactionalMethodInterceptor.invoke(TransactionalMethodInterceptor.java:96)
        at org.mybatis.guice.transactional.TransactionalMethodInterceptor.invoke(TransactionalMethodInterceptor.java:96)
        at org.mybatis.guice.transactional.TransactionalMethodInterceptor.invoke(TransactionalMethodInterceptor.java:96)
        at com.inversoft.cleanspeak.mi.action.admin.filter.ApproveAction.get(ApproveAction.java:59)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:564)
        at org.primeframework.mvc.util.ReflectionUtils.invoke(ReflectionUtils.java:414)
        at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.execute(DefaultActionInvocationWorkflow.java:79)
        at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.perform(DefaultActionInvocationWorkflow.java:62)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
        at org.primeframework.mvc.validation.DefaultValidationWorkflow.perform(DefaultValidationWorkflow.java:47)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
        at org.primeframework.mvc.security.DefaultSecurityWorkflow.perform(DefaultSecurityWorkflow.java:81)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
        at org.primeframework.mvc.parameter.DefaultPostParameterWorkflow.perform(DefaultPostParameterWorkflow.java:50)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
        at org.primeframework.mvc.content.DefaultContentWorkflow.perform(DefaultContentWorkflow.java:52)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
        at org.primeframework.mvc.parameter.DefaultParameterWorkflow.perform(DefaultParameterWorkflow.java:57)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
        at org.primeframework.mvc.parameter.DefaultURIParameterWorkflow.perform(DefaultURIParameterWorkflow.java:102)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
        at org.primeframework.mvc.scope.DefaultScopeRetrievalWorkflow.perform(DefaultScopeRetrievalWorkflow.java:58)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)

This looks like it is an issue just with DemoSetup.

Paginate Filter Approvals

Problem

When loading a list from another machine which contains 10K+ entries of various types, the filter approvals page becomes extremely large and unmanageable.

Solution

Pagination on the filter approvals page would restrict the maximum size of the page and keep things reasonable for navigation.

Alternatives/workarounds

Click the approve all button before the browser eats all of the ram.

Additional context

N/A

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

This was a request from Nishiki to be able to download a ZIP with:

• All the reports on the current report tabs
• How much content came into the queues
• How much went to alerts
• How much was escalated
• What were the top 10 tags sent to cleanSpeak
• What were the top 5 tags that got reviewed
• What were the top tags that got escalated

An invalid filter username filter state may cause a NullPointerException at runtime

Description

It is unclear how this state occurs, but the username filter rule becomes null and then at runtime a NullPointerException may occur when processing the filter rules.

Stack trace

Dec 14, 2020 12:32:41.334 PM ERROR c.i.cleanspeak.api.primeframework.mvc.error.ExceptionExceptionHandler - An unhandled exception was thrown
java.lang.NullPointerException: null
at com.inversoft.cleanspeak.api.service.moderation.DefaultModerationRulesService.runIterator(DefaultModerationRulesService.java:155)
at com.inversoft.cleanspeak.api.service.moderation.DefaultModerationRulesService.computeAction(DefaultModerationRulesService.java:140)
at com.inversoft.cleanspeak.api.service.moderation.DefaultModerationRulesService.executeRules(DefaultModerationRulesService.java:111)
at com.inversoft.cleanspeak.api.service.moderation.DefaultContentProcessingService.filterAndRunRules(DefaultContentProcessingService.java:414)
at com.inversoft.cleanspeak.api.service.moderation.DefaultContentProcessingService.create(DefaultContentProcessingService.java:142)

Recreate steps

TBD, this has yet to be recreated but we have encountered a few customers that observed this exception.

Work around

1. Open the CleanSpeak admin UI
2. Navigate to Settings > Applications
3. Click on the Username tab
   • If the filter is enabled, ensure you have selected a username scheme.
   • If the filter is not enabled, click enabled and un-select a scheme if one is selected, and then disable the filter again.
4. Save the application changes. If you know which application this exception occurred for - you only need to edit that one, if you are unsure, please follow these steps for each application. This sequence of steps should resolve the error.

This sequence of steps seems to temporarily resolve the issue. It is still possible for the system to get into the error state again which will produce the stack trace.

Additional context

Add any other context about the problem here.

Looks like the z-index is off. See the screenshot.

Unable to change user score from /admin/moderation/user

Description

When viewing a user on /admin/moderation/user (as opposed to a popup) when you click submit to update a user's score you are told "This user is not currently checked out to you" and are unable to change the score. If you are viewing the user in a popup (e.g. from the dashboard) you are able to update the user score.

Steps to reproduce

1. Go to Search -> Users -> Manage (this will forward you to /admin/moderation/user for the user)
2. Click to edit the user's score
3. Click submit

Expected behavior

Submit should succeed and close the "Edit User Score" dialog.

Additional context

This appears to be a problem with the UserRelease.js listening for clicks and releasing the user when the "Edit User Score" dialog opens on /admin/moderation/user pages. This does not happen for /ajax/moderation/user popups.

Unable to action users from the Dashboard

Description

From the Dashboard if you click on a user in the "Top 10 Filtered Users" and then try to "Action User" you can't get the "Submit" button to be enabled.

Steps to reproduce

Steps to reproduce the behavior:

1. Go to "Dashboard"
2. Click on a user in the "Top 10 Filtered Users"
3. Click on "Action User" (orange gavel)
4. Select an "Action" (e.g. Warn)
5. Nothing happens

Observed behavior

Expected behavior

Selecting an "Action" should open up other options and enable the "Submit" button.

Polish nouns ending in ł don't decline properly

Description

The polish word "pedał" should decline in various forms (see wikitionary for a list), but when clicking on the "Show Combinations" button you only see "pedał" in the list. If you change that to "pedal" you get about 11 entries.

Steps to reproduce

Steps to reproduce the behavior:

1. Create a new Polish blacklist entry for "pedał"
2. Click on "Show Combinations"

Upgrade to Java 17

Description

Update from JDK 14 to JDK 17. This is an internal change only, no functional behavior changes.

Client Builder

Description

In FusionAuth we developed a templated client library builder. It would be nice to have the same in CleanSpeak since it only has a python client and is several years old. The client builder would also help keep our clients up to date as they do in FusionAuth.

Languages:

• TypeScript (let it build our node and js clients as well)
• Java
• Python
• PHP
• Go
• Ruby
• C#/.Net Core/.Net Standard

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

New Filter API

Problem

The moderation and filter endpoints are a frequent problem with new and old customers because they each use different approaches and require dev time to switch from one to the other.

Solution

Build a new endpoint that has the functionality of both and any convenience changes we see fit this new API. This will require some exploration and design work.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

Editing a web hook form on version 3.30.0 does not pull in existing values

Description

Once a web hook is created, if you edit it in the admin UI, the current values are not populated in the forum.

Expected behavior

To be able to correctly edit a web hook without copying in existing values.

Additional context

Add any other context about the problem here.

Currently, the default image filtering probably for Low matches is 0. This is not changeable unless you put CleanSpeak into Advanced configuration mode. This should default to 30 percent instead.

Go to demo and do these things:

1. Create a new user action called "Auto-ban" that is not time based
2. Go to automated user actions
3. Edit either of the configure tiers and select "Auto-ban"

This returns to the form without any error. The bug must be one of these things:

• Automated user actions can't have a non-time based action selected and we aren't removing the non-time based actions from the select box (not sure why we wouldn't allow non-time based actions here though)
• Automated user actions has some type of validation error that isn't being displayed

Fix Custom Duration for Combined Zip Report

Description

A JavaScript bug causes the custom duration data fields not to show when you select a Custom date range.

Additional context

Add any other context about the problem here.

CleanSpeak Dirty Mind™

CleanSpeak Dirty Mind™ is an artificial intelligence model used to assist the CleanSpeak core filter capability.

Approval Queue Webhook

Problem

It is difficult to detect and monitor changes using the audit log alone.

Solution

Create a webhook that can notify an external endpoint any time something is approved.

Alternatives/workarounds

• Monitor the audit log
• Do scheduled backups and diff between them

Design

• Add a new system wide webhooks panel
• Add a listener to all of the approval workflows that will spit out every changed object
• Make the listener report any changes to the registered webhooks
• Add example to tester

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

URL Whitelist Entry per Application

Problem

It is currently not possible to have different URL whitelist behavior per application.

Solution

Pick one:

• Add a tagging system similar to our existing tags so that the applications can "subscribe" to the tags they wish to use. The migration would put all existing url whitelist entries in a global tag and put that tag in all applications that are using the URL filter.
• Add a checkbox list to every url whitelist entry for all of the applications. Selecting no applications applies it to all and checking any application will only apply it to the selected applications (harder to setup and very limiting if the client has 100s of whitelist entries)

Design

API

• Whitelist URL Tags
  • Create
  • Delete (id)
  • Retrieve by id
  • Retrieve by name
  • RetrieveAll
• Whitelisted URL
  • Create
  • Delete (id)
  • Retrieve by id
  • RetrieveAll
  • Update

UI

• Whitelisted URL (index)
  • Add
  • Edit
• UrlWhitelistTag (index)
  • Add
  • Edit
  • Delete
• Application Configuration (URL Tags)

Internal

• Approval Queue
• Import/Export
• Backup/Restore

Review Notes

• Document tag behavior in application and entry edit/add
• Fix global checkbox hide close
• Add application action test for tags

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

Support egress proxy for license callbacks

Description

Add an option to configure the system to use a proxy for all outbound network access to CleanSpeak licensing.

Update prime-email dependency

Description

Fix to prime-email to fix a potential thread leak. Unless you are sending a large volume of transactional emails from CleanSpeak, it is unlikely that anyone will be effected.

Fix queue drainer so that it is properly closed on shutdown

Description

There is a bug in the scheduler that may keep the queue drainer from writing out outstanding queue entries to disk when the queue is failing on shutdown.

Expected behavior

Outstanding queue entries should be written to disk so they can be replayed later.

Additional context

Add any other context about the problem here.

Moderator escalation comment is not displayed in the escalation queue

Description

If you leave a comment when you escalate a user or content item, the comment is not visible in the escalation queue.

Steps to reproduce

1. view a user in the queue
2. Escalate them w/ a comment
3. View the user in the escalation queue

Expected behavior

See the comment.

Additional context

Internal support reference https://cleanspeak.zendesk.com/agent/tickets/2909

Escalation comment is not being validated for length.

Description

When a comment is added to an escalation that is longer than 255, the escalation will fail.

We need to validate this length, and ask the moderator to shorten the comment.

Steps to reproduce

1. Enter the mod queue
2. Escalate an item
3. Leave a comment longer than 255

Expected behavior

A validation error.

Exception

### SQL: UPDATE queued_content_users SET comment = ?, previous_status = ?, status = ?, update_instant = ?, applications_id = ?, last_update_user_id = ? WHERE id = ?
### Cause: org.postgresql.util.PSQLException: ERROR: value too long for type character varying(255)
...com.inversoft.cleanspeak.api.service.moderation.DefaultContentUserModerationService.escalate(DefaultContentUserModerationService.java:716)

Additional context

Add any other context about the problem here.

Related

• #33

All Report Zip bugs

Description

1. The action needs to load all applications to the user can select an application or leave the default of all applications.
2. When leaving the default of "All Applications" - this may not work for all report types. For example the Content Report would normally make you select a specific application. So a null value for the applicationId means we do not return any content in the zip.

We should review each report to see how they handle, or expect the applicationId to ensure correctness.

Additional context

Internal support reference https://cleanspeak.zendesk.com/agent/tickets/2910

Add queue size to the queue drainer health check

Description

It will be helpful to see the current queue size in the health check when it is failing.

Exception may occur if an event is not enabled or disabled for a webhook when the event is sent

Description

If a webhook is configured and an event has never been configured for the webhook, the configuration may not contain a value indicating if the event is enabled or disabled.

When the event is sent, a java.lang.NullPointerException may occur.

2021-10-21 5:50:05.942 PM ERROR c.i.cleanspeak.api.primeframework.mvc.error.ExceptionExceptionHandler - An unhandled exception was thrown
java.lang.NullPointerException: null
        at com.inversoft.cleanspeak.api.service.DefaultEventService.lambda$sendToServers$1(DefaultEventService.java:94)

Steps to reproduce

1. Create a webhook w/out any events enabled.
2. Trigger an event.

Expected behavior

The fact that this event is not explicitly enabled or disabled should be equal to disabled. The event should not be sent to the webhook, and no exception should occur.

Additional context

Add any other context about the problem here.

Not sure if this is a CleanSpeak bug or if it is in the inversoft-style. The user search should not be highlighted when the report is selected.

Click on the nav to recreate the screenshot.

URL TLD Config

Problem

The TLDs are currently baked into CleanSpeak and cannot be modified. TLDs are added all the time so it would be nice to be able to allow clients to add them as they like.

Solution

Expose the TLDs via a new menu and move the configuration to the database (simple tld to quality value table/map)

Alternatives/workarounds

Expose the old configuration as it was written and store it in the database (power user alternative)

Currently the TLD configuration can be manually modified through some command line ninja skills.
https://cleanspeak.com/docs/3.x/tech/reference/url-filter-configuration

Additional context

We may need to merge our default list into the existing one as we update CleanSpeak.

Design

Note: There are no approvals for TLDs as only admins can change them.

UI

• Index - List all of the TLDs (and their quality scores) paginated
• Add - Add a single TLD with a score
• Edit - Edit a single TLD (score only)
• Delete Bulk - Bulk delete TLDs (covers the single case as well)

API

• Retrieve All
• Retrieve by name
• Delete by name
• Edit by name (can only change the score)
• Create - Single TLD object
• Create bulk - List of TLD objects

Internal/Filter

• Load TLDs into the filter directly. (Lowest complexity)
  • The url processor tree holds all of the tlds. It is relatively cheap to load the TLDs on demand.
  • If we change this behavior to actually cache the tlds we will need a new modification table row and any changed to the tlds will trigger a filter reload as well as a cache reload (with the cache reload first!)
• Approval Queue
• Backup/Restore
• Import/Export

Review

• Create TLDModule (used URL Module)
  • Create latest and approved factory
• Standardize CI from TLD
  • Add normalize
  • (Remove CI) DB Schema
  • (Remove CI) Field setter
  • (Remove CI) Service?

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

CleanSpeak should support vv for w in leet speak replacements. Currently, this is not possible because double characters in leet speak cannot be analyzed.

Update PostgresSQL JDBC driver from 42.2.22 to 42.3.1

Description

No known vulnerabilities, but just moving forward to pick up any small features or bug features.

Fix css for wide tooltip that contains h3 - filter mode for example

Description

The h3 in this tooltip is not white so you can't read the text. Fixing the style in fusionauth-style and then bumping our dep here to pick it up.

Expected behavior

The correct font color should be shown.

Additional context

Add any other context about the problem here.

Description

If the weekly report is generated and it contains Unicode characters that are outside of the latin plane, PDFBox fails with an exception.

2021-07-28 6:03:56.695 PM ERROR c.i.cleanspeak.api.primeframework.mvc.error.ExceptionExceptionHandler - An unhandled exception was thrown
java.lang.IllegalArgumentException: U+3067 ('dehiragana') is not available in this font Helvetica (generic: LiberationSans) encoding: WinAnsiEncoding
	at org.apache.pdfbox.pdmodel.font.PDType1Font.encode(PDType1Font.java:401)
	at org.apache.pdfbox.pdmodel.font.PDFont.encode(PDFont.java:316)
	at org.apache.pdfbox.pdmodel.PDPageContentStream.showText(PDPageContentStream.java:414)
	at com.inversoft.pdf.service.pdfbox.BaseRenderer.renderText(BaseRenderer.java:44)
	at com.inversoft.pdf.service.pdfbox.TextListRenderer.render(TextListRenderer.java:21)
	at com.inversoft.pdf.service.pdfbox.TextListRenderer.render(TextListRenderer.java:17)
	at com.inversoft.pdf.service.PDFBoxGeneratorService.renderPage(PDFBoxGeneratorService.java:47)
	at com.inversoft.pdf.service.PDFBoxGeneratorService.generate(PDFBoxGeneratorService.java:35)
	at com.inversoft.cleanspeak.api.service.content.reporting.CleanSpeakReportPDFGenerationService.generate(CleanSpeakReportPDFGenerationService.java:87)
	at com.inversoft.cleanspeak.mi.action.admin.report.WeeklyReportAction.post(WeeklyReportAction.java:69)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:564)
	at org.primeframework.mvc.util.ReflectionUtils.invoke(ReflectionUtils.java:414)
	at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.execute(DefaultActionInvocationWorkflow.java:79)
	at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.perform(DefaultActionInvocationWorkflow.java:62)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
	at org.primeframework.mvc.validation.DefaultValidationWorkflow.perform(DefaultValidationWorkflow.java:47)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
	at org.primeframework.mvc.security.DefaultSecurityWorkflow.perform(DefaultSecurityWorkflow.java:81)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
	at org.primeframework.mvc.parameter.DefaultPostParameterWorkflow.perform(DefaultPostParameterWorkflow.java:50)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
	at org.primeframework.mvc.content.DefaultContentWorkflow.perform(DefaultContentWorkflow.java:52)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
	at org.primeframework.mvc.parameter.DefaultParameterWorkflow.perform(DefaultParameterWorkflow.java:57)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
	at org.primeframework.mvc.parameter.DefaultURIParameterWorkflow.perform(DefaultURIParameterWorkflow.java:102)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
	at org.primeframework.mvc.scope.DefaultScopeRetrievalWorkflow.perform(DefaultScopeRetrievalWorkflow.java:58)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
	at org.primeframework.mvc.message.DefaultMessageWorkflow.perform(DefaultMessageWorkflow.java:44)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
	at org.primeframework.mvc.action.DefaultActionMappingWorkflow.perform(DefaultActionMappingWorkflow.java:126)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
	at org.primeframework.mvc.workflow.StaticResourceWorkflow.perform(StaticResourceWorkflow.java:97)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
	at org.primeframework.mvc.parameter.RequestBodyWorkflow.perform(RequestBodyWorkflow.java:91)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
	at org.primeframework.mvc.security.DefaultSavedRequestWorkflow.perform(DefaultSavedRequestWorkflow.java:64)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
	at org.primeframework.mvc.workflow.DefaultMVCWorkflow.perform(DefaultMVCWorkflow.java:91)
	at org.primeframework.mvc.workflow.DefaultWorkflowChain.continueWorkflow(DefaultWorkflowChain.java:44)
	at org.primeframework.mvc.servlet.FilterWorkflowChain.continueWorkflow(FilterWorkflowChain.java:50)
	at org.primeframework.mvc.servlet.PrimeFilter.doFilter(PrimeFilter.java:78)
	at com.inversoft.maintenance.servlet.MaintenanceModePrimeFilter.doFilter(MaintenanceModePrimeFilter.java:63)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.inversoft.cleanspeak.mi.security.CleanSpeakLicenseFilter.doFilter(CleanSpeakLicenseFilter.java:74)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.inversoft.servlet.UTF8Filter.doFilter(UTF8Filter.java:27)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:353)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:616)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1629)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.base/java.lang.Thread.run(Thread.java:832)

It appears that this is a font issue but we've tried installing a number of different fonts on various servers and it doesn't appear to work. This might require an upgrade of PDFBox and potentially shipping with specific fonts.

OIDC integration not working

Description

The OIDC integration in CleanSpeak is broken because it generates invalid OAuth redirect URLs when starting the OAuth login process. The URLs have two ? symbols, which make them invalid.

Additionally, CleanSpeak should handle the FusionAuth specific parameters when possible, including userState.