feat: Remove support for server-side blurhashing

Turns out ruma doesn't have the stable definition yet, will need a version bump.

Reverts 088fa3e725

.pre-commit-config.yaml

@@ -24,7 +24,7 @@ repos:
         - id: check-added-large-files
 
   - repo: https://github.com/crate-ci/typos
-    rev: v1.46.0
+    rev: v1.46.1
     hooks:
       - id: typos
       - id: typos

CODE_OF_CONDUCT.md

@@ -1 +1 @@
-Contributors are expected to follow the [Continuwuity Community Guidelines](continuwuity.org/community/guidelines).
+Contributors are expected to follow the [Continuwuity Community Guidelines](https://continuwuity.org/community/guidelines).

Cargo.lock

@@ -39,24 +39,6 @@ dependencies = [
  "memchr",
 ]
 
-[[package]]
-name = "aligned"
-version = "0.4.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ee4508988c62edf04abd8d92897fca0c2995d907ce1dfeaf369dac3716a40685"
-dependencies = [
- "as-slice",
-]
-
-[[package]]
-name = "aligned-vec"
-version = "0.6.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dc890384c8602f339876ded803c97ad529f3842aba97f6392b3dba0dd171769b"
-dependencies = [
- "equator",
-]
-
 [[package]]
 name = "alloc-no-stdlib"
 version = "2.0.4"
@@ -119,12 +101,6 @@ version = "1.0.102"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c"
 
-[[package]]
-name = "arbitrary"
-version = "1.4.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c3d036a3c4ab069c7b410a2ce876bd74808d2d0888a82667669f8e783a898bf1"
-
 [[package]]
 name = "arc-swap"
 version = "1.9.1"
@@ -134,17 +110,6 @@ dependencies = [
  "rustversion",
 ]
 
-[[package]]
-name = "arg_enum_proc_macro"
-version = "0.3.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0ae92a5119aa49cdbcf6b9f893fe4e1d98b04ccbf82ee0584ad948a44a734dea"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
-]
-
 [[package]]
 name = "argon2"
 version = "0.5.3"
@@ -172,15 +137,6 @@ dependencies = [
  "serde",
 ]
 
-[[package]]
-name = "as-slice"
-version = "0.2.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "516b6b4f0e40d50dcda9365d53964ec74560ad4284da2e7fc97122cd83174516"
-dependencies = [
- "stable_deref_trait",
-]
-
 [[package]]
 name = "as_variant"
 version = "1.3.0"
@@ -301,49 +257,6 @@ version = "1.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
 
-[[package]]
-name = "av-scenechange"
-version = "0.14.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0f321d77c20e19b92c39e7471cf986812cbb46659d2af674adc4331ef3f18394"
-dependencies = [
- "aligned",
- "anyhow",
- "arg_enum_proc_macro",
- "arrayvec",
- "log",
- "num-rational",
- "num-traits",
- "pastey",
- "rayon",
- "thiserror",
- "v_frame",
- "y4m",
-]
-
-[[package]]
-name = "av1-grain"
-version = "0.2.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8cfddb07216410377231960af4fcab838eaa12e013417781b78bd95ee22077f8"
-dependencies = [
- "anyhow",
- "arrayvec",
- "log",
- "nom 8.0.0",
- "num-rational",
- "v_frame",
-]
-
-[[package]]
-name = "avif-serialize"
-version = "0.8.8"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "375082f007bd67184fb9c0374614b29f9aaa604ec301635f72338bb65386a53d"
-dependencies = [
- "arrayvec",
-]
-
 [[package]]
 name = "aws-lc-rs"
 version = "1.16.3"
@@ -552,27 +465,12 @@ dependencies = [
  "syn",
 ]
 
-[[package]]
-name = "bit_field"
-version = "0.10.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e4b40c7323adcfc0a41c4b88143ed58346ff65a288fc144329c5c45e05d70c6"
-
 [[package]]
 name = "bitflags"
 version = "2.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c4512299f36f043ab09a583e57bceb5a5aab7a73db1805848e8fef3c9e8c78b3"
 
-[[package]]
-name = "bitstream-io"
-version = "4.10.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7eff00be299a18769011411c9def0d827e8f2d7bf0c3dbf53633147a8867fd1f"
-dependencies = [
- "no_std_io2",
-]
-
 [[package]]
 name = "blake2"
 version = "0.10.6"
@@ -609,15 +507,6 @@ dependencies = [
  "objc2",
 ]
 
-[[package]]
-name = "blurhash"
-version = "0.2.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e79769241dcd44edf79a732545e8b5cec84c247ac060f5252cd51885d093a8fc"
-dependencies = [
- "image",
-]
-
 [[package]]
 name = "brotli"
 version = "8.0.2"
@@ -1167,7 +1056,6 @@ dependencies = [
  "assign",
  "async-trait",
  "base64 0.22.1",
- "blurhash",
  "bytes",
  "conduwuit_core",
  "conduwuit_database",
@@ -1200,7 +1088,6 @@ dependencies = [
  "serde",
  "serde-saphyr",
  "serde_json",
- "serde_urlencoded",
  "sha2 0.11.0",
  "termimad",
  "tokio",
@@ -1220,29 +1107,18 @@ dependencies = [
  "axum",
  "axum-extra",
  "base64 0.22.1",
- "conduwuit_api",
  "conduwuit_build_metadata",
  "conduwuit_core",
- "conduwuit_database",
  "conduwuit_service",
- "form_urlencoded",
  "futures",
- "lettre",
  "memory-serve",
  "rand 0.10.1",
- "recaptcha-verify",
- "reqwest 0.12.28",
  "ruma",
  "serde",
- "serde_json",
- "serde_urlencoded",
  "thiserror",
  "tower-http",
  "tower-sec-fetch",
- "tower-sessions",
- "tower-sessions-core",
  "tracing",
- "url",
  "validator",
 ]
 
@@ -1505,12 +1381,6 @@ dependencies = [
  "winapi",
 ]
 
-[[package]]
-name = "crunchy"
-version = "0.2.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "460fbee9c2c2f33933d720630a6a0bac33ba7053db5344fac858d4b8952d77d5"
-
 [[package]]
 name = "crypto-common"
 version = "0.1.7"
@@ -1656,7 +1526,6 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7cd812cc2bc1d69d4764bd80df88b4317eaef9e773c75226407d9bc0876b211c"
 dependencies = [
  "powerfmt",
- "serde_core",
 ]
 
 [[package]]
@@ -1827,26 +1696,6 @@ dependencies = [
  "syn",
 ]
 
-[[package]]
-name = "equator"
-version = "0.4.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4711b213838dfee0117e3be6ac926007d7f433d7bbe33595975d4190cb07e6fc"
-dependencies = [
- "equator-macro",
-]
-
-[[package]]
-name = "equator-macro"
-version = "0.4.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "44f23cf4b44bfce11a86ace86f8a73ffdec849c9fd00a386a53d278bd9e81fb3"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
-]
-
 [[package]]
 name = "equivalent"
 version = "1.0.2"
@@ -1882,33 +1731,12 @@ dependencies = [
  "pin-project-lite",
 ]
 
-[[package]]
-name = "exr"
-version = "1.74.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4300e043a56aa2cb633c01af81ca8f699a321879a7854d3896a0ba89056363be"
-dependencies = [
- "bit_field",
- "half",
- "lebe",
- "miniz_oxide",
- "rayon-core",
- "smallvec",
- "zune-inflate",
-]
-
 [[package]]
 name = "fastrand"
 version = "2.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9f1f227452a390804cdb637b74a86990f2a7d7ba4b7d5693aac9b4dd6defd8d6"
 
-[[package]]
-name = "fax"
-version = "0.2.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "caf1079563223d5d59d83c85886a56e586cfd5c1a26292e971a0fa266531ac5a"
-
 [[package]]
 name = "fdeflate"
 version = "0.3.7"
@@ -2258,17 +2086,6 @@ dependencies = [
  "tokio-util",
 ]
 
-[[package]]
-name = "half"
-version = "2.7.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6ea2d84b969582b4b1864a92dc5d27cd2b77b622a8d79306834f1be5ba20d84b"
-dependencies = [
- "cfg-if",
- "crunchy",
- "zerocopy",
-]
-
 [[package]]
 name = "hardened_malloc-rs"
 version = "0.1.2+12"
@@ -2704,17 +2521,11 @@ dependencies = [
  "bytemuck",
  "byteorder-lite",
  "color_quant",
- "exr",
  "gif",
  "image-webp",
  "moxcms",
  "num-traits",
  "png",
- "qoi",
- "ravif",
- "rayon",
- "rgb",
- "tiff",
  "zune-core",
  "zune-jpeg",
 ]
@@ -2729,12 +2540,6 @@ dependencies = [
  "quick-error",
 ]
 
-[[package]]
-name = "imgref"
-version = "1.12.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "40fac9d56ed6437b198fddba683305e8e2d651aa42647f00f5ae542e7f5c94a2"
-
 [[package]]
 name = "indexmap"
 version = "2.14.0"
@@ -2753,17 +2558,6 @@ version = "0.1.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c8fae54786f62fb2918dcfae3d568594e50eb9b5c25bf04371af6fe7516452fb"
 
-[[package]]
-name = "interpolate_name"
-version = "0.2.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c34819042dc3d3971c46c2190835914dfbe0c3c13f61449b2997f4e9722dfa60"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
-]
-
 [[package]]
 name = "ipaddress"
 version = "0.1.3"
@@ -2965,12 +2759,6 @@ version = "0.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "09edd9e8b54e49e587e4f6295a7d29c3ea94d469cb40ab8ca70b288248a81db2"
 
-[[package]]
-name = "lebe"
-version = "0.5.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7a79a3332a6609480d7d0c9eab957bca6b455b91bb84e66d19f5ff66294b85b8"
-
 [[package]]
 name = "lettre"
 version = "0.11.21"
@@ -3007,16 +2795,6 @@ version = "0.2.186"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "68ab91017fe16c622486840e4c83c9a37afeff978bd239b5293d61ece587de66"
 
-[[package]]
-name = "libfuzzer-sys"
-version = "0.4.12"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f12a681b7dd8ce12bff52488013ba614b869148d54dd79836ab85aafdd53f08d"
-dependencies = [
- "arbitrary",
- "cc",
-]
-
 [[package]]
 name = "libloading"
 version = "0.8.9"
@@ -3109,15 +2887,6 @@ dependencies = [
  "futures-sink",
 ]
 
-[[package]]
-name = "loop9"
-version = "0.1.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0fae87c125b03c1d2c0150c90365d7d6bcc53fb73a9acaef207d2d065860f062"
-dependencies = [
- "imgref",
-]
-
 [[package]]
 name = "lru-cache"
 version = "0.1.2"
@@ -3196,16 +2965,6 @@ version = "0.8.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "47e1ffaa40ddd1f3ed91f717a33c8c0ee23fff369e3aa8772b9605cc1d22f4c3"
 
-[[package]]
-name = "maybe-rayon"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8ea1f30cedd69f0a2954655f7188c6a834246d2bcf1e315e2ac40c4b24dc9519"
-dependencies = [
- "cfg-if",
- "rayon",
-]
-
 [[package]]
 name = "memchr"
 version = "2.8.0"
@@ -3354,15 +3113,6 @@ dependencies = [
  "libc",
 ]
 
-[[package]]
-name = "no_std_io2"
-version = "0.9.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b51ed7824b6e07d354605f4abb3d9d300350701299da96642ee084f5ce631550"
-dependencies = [
- "memchr",
-]
-
 [[package]]
 name = "nohash-hasher"
 version = "0.2.0"
@@ -3394,12 +3144,6 @@ version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "38bf9645c8b145698bb0b18a4637dcacbc421ea49bef2317e4fd8065a387cf21"
 
-[[package]]
-name = "noop_proc_macro"
-version = "0.3.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0676bb32a98c1a483ce53e500a81ad9c3d5b3f7c920c28c24e9cb0980d0b5bc8"
-
 [[package]]
 name = "nu-ansi-term"
 version = "0.50.3"
@@ -3448,17 +3192,6 @@ version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c6673768db2d862beb9b39a78fdcb1a69439615d5794a1be50caa9bc92c81967"
 
-[[package]]
-name = "num-derive"
-version = "0.4.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ed3955f1a9c7c0c15e092f9c887db08b1fc683305fdf6eb6684f22555355e202"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
-]
-
 [[package]]
 name = "num-integer"
 version = "0.1.46"
@@ -3833,12 +3566,6 @@ version = "1.0.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "57c0d7b74b563b49d38dae00a0c37d4d6de9b432382b2892f0574ddcae73fd0a"
 
-[[package]]
-name = "pastey"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "35fb2e5f958ec131621fdd531e9fc186ed768cbe395337403ae56c17a74c68ec"
-
 [[package]]
 name = "pear"
 version = "0.2.9"
@@ -4070,25 +3797,6 @@ dependencies = [
  "yansi",
 ]
 
-[[package]]
-name = "profiling"
-version = "1.0.17"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3eb8486b569e12e2c32ad3e204dbaba5e4b5b216e9367044f25f1dba42341773"
-dependencies = [
- "profiling-procmacros",
-]
-
-[[package]]
-name = "profiling-procmacros"
-version = "1.0.17"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "52717f9a02b6965224f95ca2a81e2e0c5c43baacd28ca057577988930b6c3d5b"
-dependencies = [
- "quote",
- "syn",
-]
-
 [[package]]
 name = "prost"
 version = "0.14.3"
@@ -4145,15 +3853,6 @@ version = "0.1.29"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e0c5ccf5294c6ccd63a74f1565028353830a9c2f5eb0c682c355c471726a6e3f"
 
-[[package]]
-name = "qoi"
-version = "0.4.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7f6d64c71eb498fe9eae14ce4ec935c555749aef511cca85b5568910d6e48001"
-dependencies = [
- "bytemuck",
-]
-
 [[package]]
 name = "quick-error"
 version = "2.0.1"
@@ -4308,76 +4007,6 @@ version = "0.10.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "63b8176103e19a2643978565ca18b50549f6101881c443590420e4dc998a3c69"
 
-[[package]]
-name = "rav1e"
-version = "0.8.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "43b6dd56e85d9483277cde964fd1bdb0428de4fec5ebba7540995639a21cb32b"
-dependencies = [
- "aligned-vec",
- "arbitrary",
- "arg_enum_proc_macro",
- "arrayvec",
- "av-scenechange",
- "av1-grain",
- "bitstream-io",
- "built",
- "cfg-if",
- "interpolate_name",
- "itertools 0.14.0",
- "libc",
- "libfuzzer-sys",
- "log",
- "maybe-rayon",
- "new_debug_unreachable",
- "noop_proc_macro",
- "num-derive",
- "num-traits",
- "paste",
- "profiling",
- "rand 0.9.4",
- "rand_chacha",
- "simd_helpers",
- "thiserror",
- "v_frame",
- "wasm-bindgen",
-]
-
-[[package]]
-name = "ravif"
-version = "0.13.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e52310197d971b0f5be7fe6b57530dcd27beb35c1b013f29d66c1ad73fbbcc45"
-dependencies = [
- "avif-serialize",
- "imgref",
- "loop9",
- "quick-error",
- "rav1e",
- "rayon",
- "rgb",
-]
-
-[[package]]
-name = "rayon"
-version = "1.12.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fb39b166781f92d482534ef4b4b1b2568f42613b53e5b6c160e24cfbfa30926d"
-dependencies = [
- "either",
- "rayon-core",
-]
-
-[[package]]
-name = "rayon-core"
-version = "1.13.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "22e18b0f0062d30d4230b2e85ff77fdfe4326feb054b9783a3460d8435c8ab91"
-dependencies = [
- "crossbeam-deque",
- "crossbeam-utils",
-]
-
 [[package]]
 name = "recaptcha-verify"
 version = "0.2.0"
@@ -4518,12 +4147,6 @@ version = "0.7.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1e061d1b48cb8d38042de4ae0a7a6401009d6143dc80d2e2d6f31f0bdd6470c7"
 
-[[package]]
-name = "rgb"
-version = "0.8.53"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "47b34b781b31e5d73e9fbc8689c70551fd1ade9a19e3e28cfec8580a79290cc4"
-
 [[package]]
 name = "ring"
 version = "0.17.14"
@@ -4541,7 +4164,7 @@ dependencies = [
 [[package]]
 name = "ruma"
 version = "0.15.1"
-source = "git+https://github.com/ruma/ruma.git?rev=5742fec0021b85fedbf5cd1f59c50a00bb5b9f7c#5742fec0021b85fedbf5cd1f59c50a00bb5b9f7c"
+source = "git+https://github.com/ruma/ruma.git?rev=9c9dccc93f054bbd28f23f630223fffa6289ecbc#9c9dccc93f054bbd28f23f630223fffa6289ecbc"
 dependencies = [
  "assign",
  "js_int",
@@ -4560,7 +4183,7 @@ dependencies = [
 [[package]]
 name = "ruma-appservice-api"
 version = "0.15.0"
-source = "git+https://github.com/ruma/ruma.git?rev=5742fec0021b85fedbf5cd1f59c50a00bb5b9f7c#5742fec0021b85fedbf5cd1f59c50a00bb5b9f7c"
+source = "git+https://github.com/ruma/ruma.git?rev=9c9dccc93f054bbd28f23f630223fffa6289ecbc#9c9dccc93f054bbd28f23f630223fffa6289ecbc"
 dependencies = [
  "js_int",
  "ruma-common",
@@ -4572,7 +4195,7 @@ dependencies = [
 [[package]]
 name = "ruma-client-api"
 version = "0.23.1"
-source = "git+https://github.com/ruma/ruma.git?rev=5742fec0021b85fedbf5cd1f59c50a00bb5b9f7c#5742fec0021b85fedbf5cd1f59c50a00bb5b9f7c"
+source = "git+https://github.com/ruma/ruma.git?rev=9c9dccc93f054bbd28f23f630223fffa6289ecbc#9c9dccc93f054bbd28f23f630223fffa6289ecbc"
 dependencies = [
  "as_variant",
  "assign",
@@ -4594,7 +4217,7 @@ dependencies = [
 [[package]]
 name = "ruma-common"
 version = "0.18.0"
-source = "git+https://github.com/ruma/ruma.git?rev=5742fec0021b85fedbf5cd1f59c50a00bb5b9f7c#5742fec0021b85fedbf5cd1f59c50a00bb5b9f7c"
+source = "git+https://github.com/ruma/ruma.git?rev=9c9dccc93f054bbd28f23f630223fffa6289ecbc#9c9dccc93f054bbd28f23f630223fffa6289ecbc"
 dependencies = [
  "as_variant",
  "base64 0.22.1",
@@ -4627,7 +4250,7 @@ dependencies = [
 [[package]]
 name = "ruma-events"
 version = "0.33.0"
-source = "git+https://github.com/ruma/ruma.git?rev=5742fec0021b85fedbf5cd1f59c50a00bb5b9f7c#5742fec0021b85fedbf5cd1f59c50a00bb5b9f7c"
+source = "git+https://github.com/ruma/ruma.git?rev=9c9dccc93f054bbd28f23f630223fffa6289ecbc#9c9dccc93f054bbd28f23f630223fffa6289ecbc"
 dependencies = [
  "as_variant",
  "indexmap",
@@ -4648,7 +4271,7 @@ dependencies = [
 [[package]]
 name = "ruma-federation-api"
 version = "0.14.0"
-source = "git+https://github.com/ruma/ruma.git?rev=5742fec0021b85fedbf5cd1f59c50a00bb5b9f7c#5742fec0021b85fedbf5cd1f59c50a00bb5b9f7c"
+source = "git+https://github.com/ruma/ruma.git?rev=9c9dccc93f054bbd28f23f630223fffa6289ecbc#9c9dccc93f054bbd28f23f630223fffa6289ecbc"
 dependencies = [
  "bytes",
  "headers",
@@ -4671,7 +4294,7 @@ dependencies = [
 [[package]]
 name = "ruma-identifiers-validation"
 version = "0.12.1"
-source = "git+https://github.com/ruma/ruma.git?rev=5742fec0021b85fedbf5cd1f59c50a00bb5b9f7c#5742fec0021b85fedbf5cd1f59c50a00bb5b9f7c"
+source = "git+https://github.com/ruma/ruma.git?rev=9c9dccc93f054bbd28f23f630223fffa6289ecbc#9c9dccc93f054bbd28f23f630223fffa6289ecbc"
 dependencies = [
  "js_int",
  "thiserror",
@@ -4680,7 +4303,7 @@ dependencies = [
 [[package]]
 name = "ruma-macros"
 version = "0.18.0"
-source = "git+https://github.com/ruma/ruma.git?rev=5742fec0021b85fedbf5cd1f59c50a00bb5b9f7c#5742fec0021b85fedbf5cd1f59c50a00bb5b9f7c"
+source = "git+https://github.com/ruma/ruma.git?rev=9c9dccc93f054bbd28f23f630223fffa6289ecbc#9c9dccc93f054bbd28f23f630223fffa6289ecbc"
 dependencies = [
  "as_variant",
  "cfg-if",
@@ -4696,7 +4319,7 @@ dependencies = [
 [[package]]
 name = "ruma-push-gateway-api"
 version = "0.14.0"
-source = "git+https://github.com/ruma/ruma.git?rev=5742fec0021b85fedbf5cd1f59c50a00bb5b9f7c#5742fec0021b85fedbf5cd1f59c50a00bb5b9f7c"
+source = "git+https://github.com/ruma/ruma.git?rev=9c9dccc93f054bbd28f23f630223fffa6289ecbc#9c9dccc93f054bbd28f23f630223fffa6289ecbc"
 dependencies = [
  "js_int",
  "ruma-common",
@@ -4708,7 +4331,7 @@ dependencies = [
 [[package]]
 name = "ruma-signatures"
 version = "0.20.0"
-source = "git+https://github.com/ruma/ruma.git?rev=5742fec0021b85fedbf5cd1f59c50a00bb5b9f7c#5742fec0021b85fedbf5cd1f59c50a00bb5b9f7c"
+source = "git+https://github.com/ruma/ruma.git?rev=9c9dccc93f054bbd28f23f630223fffa6289ecbc#9c9dccc93f054bbd28f23f630223fffa6289ecbc"
 dependencies = [
  "base64 0.22.1",
  "ed25519-dalek",
@@ -4724,7 +4347,7 @@ dependencies = [
 [[package]]
 name = "ruma-state-res"
 version = "0.16.0"
-source = "git+https://github.com/ruma/ruma.git?rev=5742fec0021b85fedbf5cd1f59c50a00bb5b9f7c#5742fec0021b85fedbf5cd1f59c50a00bb5b9f7c"
+source = "git+https://github.com/ruma/ruma.git?rev=9c9dccc93f054bbd28f23f630223fffa6289ecbc#9c9dccc93f054bbd28f23f630223fffa6289ecbc"
 dependencies = [
  "js_int",
  "ruma-common",
@@ -5384,15 +5007,6 @@ dependencies = [
  "simdutf8",
 ]
 
-[[package]]
-name = "simd_helpers"
-version = "0.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "95890f873bec569a0362c235787f3aca6e1e887302ba4840839bcc6459c42da6"
-dependencies = [
- "quote",
-]
-
 [[package]]
 name = "simdutf8"
 version = "0.1.5"
@@ -5611,20 +5225,6 @@ dependencies = [
  "cfg-if",
 ]
 
-[[package]]
-name = "tiff"
-version = "0.11.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b63feaf3343d35b6ca4d50483f94843803b0f51634937cc2ec519fc32232bc52"
-dependencies = [
- "fax",
- "flate2",
- "half",
- "quick-error",
- "weezl",
- "zune-jpeg",
-]
-
 [[package]]
 name = "tikv-jemalloc-ctl"
 version = "0.6.1"
@@ -5956,22 +5556,6 @@ dependencies = [
  "tracing",
 ]
 
-[[package]]
-name = "tower-cookies"
-version = "0.11.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "151b5a3e3c45df17466454bb74e9ecedecc955269bdedbf4d150dfa393b55a36"
-dependencies = [
- "axum-core",
- "cookie",
- "futures-util",
- "http",
- "parking_lot",
- "pin-project-lite",
- "tower-layer",
- "tower-service",
-]
-
 [[package]]
 name = "tower-http"
 version = "0.6.8"
@@ -6020,44 +5604,6 @@ version = "0.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8df9b6e13f2d32c91b9bd719c00d1958837bc7dec474d94952798cc8e69eeec3"
 
-[[package]]
-name = "tower-sessions"
-version = "0.15.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "518dca34b74a17cadfcee06e616a09d2bd0c3984eff1769e1e76d58df978fc78"
-dependencies = [
- "async-trait",
- "http",
- "time",
- "tokio",
- "tower-cookies",
- "tower-layer",
- "tower-service",
- "tower-sessions-core",
- "tracing",
-]
-
-[[package]]
-name = "tower-sessions-core"
-version = "0.15.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "568531ec3dfcf3ffe493de1958ae5662a0284ac5d767476ecdb6a34ff8c6b06c"
-dependencies = [
- "async-trait",
- "axum-core",
- "base64 0.22.1",
- "futures",
- "http",
- "parking_lot",
- "rand 0.9.4",
- "serde",
- "serde_json",
- "thiserror",
- "time",
- "tokio",
- "tracing",
-]
-
 [[package]]
 name = "tracing"
 version = "0.1.44"
@@ -6279,17 +5825,6 @@ dependencies = [
  "wasm-bindgen",
 ]
 
-[[package]]
-name = "v_frame"
-version = "0.3.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "666b7727c8875d6ab5db9533418d7c764233ac9c0cff1d469aec8fa127597be2"
-dependencies = [
- "aligned-vec",
- "num-traits",
- "wasm-bindgen",
-]
-
 [[package]]
 name = "validator"
 version = "0.20.0"
@@ -6904,12 +6439,6 @@ dependencies = [
  "conduwuit_admin",
 ]
 
-[[package]]
-name = "y4m"
-version = "0.8.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7a5a4b21e1a62b67a2970e6831bc091d7b87e119e7f9791aef9702e3bef04448"
-
 [[package]]
 name = "yansi"
 version = "1.0.1"
@@ -7059,15 +6588,6 @@ version = "0.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "cb8a0807f7c01457d0379ba880ba6322660448ddebc890ce29bb64da71fb40f9"
 
-[[package]]
-name = "zune-inflate"
-version = "0.2.54"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "73ab332fe2f6680068f3582b16a24f90ad7096d5d39b974d1c0aff0125116f02"
-dependencies = [
- "simd-adler32",
-]
-
 [[package]]
 name = "zune-jpeg"
 version = "0.5.15"

Cargo.toml

@@ -180,7 +180,7 @@ version = "0.5.3"
 features = ["alloc", "rand"]
 default-features = false
 
-# Used to generate thumbnails for images & blurhashes
+# Used to generate thumbnails for images
 [workspace.dependencies.image]
 version = "0.25.5"
 default-features = false
@@ -191,14 +191,6 @@ features = [
     "webp",
 ]
 
-[workspace.dependencies.blurhash]
-version = "0.2.3"
-default-features = false
-features = [
-    "fast-linear-to-srgb",
-    "image",
-]
-
 # logging
 [workspace.dependencies.log]
 version = "0.4.27"
@@ -352,7 +344,7 @@ version = "1.1.1"
 [workspace.dependencies.ruma]
 # version = "0.14.1"
 git = "https://github.com/ruma/ruma.git"
-rev = "5742fec0021b85fedbf5cd1f59c50a00bb5b9f7c"
+rev = "9c9dccc93f054bbd28f23f630223fffa6289ecbc"
 features = [
     "appservice-api-c",
     "client-api",
@@ -364,7 +356,6 @@ features = [
     "ring-compat",
     "compat-upload-signatures",
     "compat-optional-txn-pdus",
-    "unstable-msc2448",
     "unstable-msc2666",
     "unstable-msc2867",
     "unstable-msc2870",
@@ -568,9 +559,6 @@ features = ["std"]
 [workspace.dependencies.nonzero_ext]
 version = "0.3.0"
 
-[workspace.dependencies.serde_urlencoded]
-version = "0.7.1"
-
 #
 # Patches
 #

changelog.d/+7865cde6.feature.md

@@ -1 +0,0 @@
-Users may now be forbidden from deactivating their own accounts with the new `allow_deactivation` config option.

changelog.d/+98691708.feature.md

@@ -1 +0,0 @@
-Added support for authenticating clients using the new OAuth 2.0 login API. Contributed by @ginger.

changelog.d/+cbef004c.removal.md

@@ -0,0 +1 @@
+The deprecated `well_known.rtc_focus_server_urls` config option has been removed. MatrixRTC foci should be configured using the `matrix_rtc.foci` config option.

changelog.d/+fe90cdea.removal.md

@@ -0,0 +1 @@
+Support for server-side blurhashing (part of MSC2448) has been removed.

changelog.d/1742.bugfix

@@ -0,0 +1 @@
+fix `!admin query account-data account-data-get` not returning the content

changelog.d/1752.bugfix

@@ -0,0 +1 @@
+Fixed an issue where Continuwuity would only advertise support for the unstable endpoint for Mutual Rooms (MSC2666), despite only supporting the stable endpoint. Contributed by @Henry-Hiles (QuadRadical)

conduwuit-example.toml

@@ -524,15 +524,17 @@
 #
 #recaptcha_private_site_key =
 
-# Controls whether users are allowed to deactivate their own accounts
-# through the account management panel or their Matrix clients. Server
-# admins can always deactivate users using the relevant admin commands.
+# Policy documents, such as terms and conditions or a privacy policy,
+# which users must agree to when registering an account.
 #
-# Note that, in some jurisdictions, you may be legally required to honor
-# users who request to deactivate their accounts if you set this option
-# to `false`.
+# Example:
+# ```ignore
+# [global.registration_terms.privacy_policy]
+# en = { name = "Privacy Policy", url = "https://homeserver.example/en/privacy_policy.html" }
+# es = { name = "Política de Privacidad", url = "https://homeserver.example/es/privacy_policy.html" }
+# ```
 #
-#allow_deactivation = true
+#registration_terms = {}
 
 # Controls whether encrypted rooms and events are allowed.
 #
@@ -1872,34 +1874,6 @@
 #
 #support_pgp_key =
 
-# **DEPRECATED**: Use `[global.matrix_rtc].foci` instead.
-#
-# A list of MatrixRTC foci URLs which will be served as part of the
-# MSC4143 client endpoint at /.well-known/matrix/client.
-#
-# This option is deprecated and will be removed in a future release.
-# Please migrate to the new `[global.matrix_rtc]` config section.
-#
-#rtc_focus_server_urls = []
-
-[global.blurhashing]
-
-# blurhashing x component, 4 is recommended by https://blurha.sh/
-#
-#components_x = 4
-
-# blurhashing y component, 3 is recommended by https://blurha.sh/
-#
-#components_y = 3
-
-# Max raw size that the server will blurhash, this is the size of the
-# image after converting it to raw data, it should be higher than the
-# upload limit but not too high. The higher it is the higher the
-# potential load will be for clients requesting blurhashes. The default
-# is 33.55MB. Setting it to 0 disables blurhashing.
-#
-#blurhash_max_raw_size = 33554432
-
 [global.matrix_rtc]
 
 # A list of MatrixRTC foci (transports) which will be served via the
@@ -1997,33 +1971,3 @@
 # provide an email address.
 #
 #require_email_for_token_registration = false
-
-#[global.registration-terms]
-
-# The language code to provide to clients along with the policy documents.
-#
-#language = "en"
-
-# Policy documents, such as terms and conditions or a privacy policy,
-# which users must agree to when registering an account.
-#
-# Example:
-# ```ignore
-# [global.registration_terms.documents]
-# privacy_policy = { name = "Privacy Policy", url = "https://homeserver.example/en/privacy_policy.html" }
-# ```
-#
-#documents = {}
-
-#[global.oauth]
-
-# The compatibility mode to use for OAuth.
-#
-# - "disabled": OAuth will be unavailable. Users will only be able to log
-#   in using legacy authentication.
-# - "hybrid": OAuth and legacy authentication will both be available. Some
-#   clients may only use one or the other.
-# - "exclusive": Only OAuth will be available. Clients which require
-#   legacy authentication will be unable to log in.
-#
-#compatibility_mode = "hybrid"

engage.toml

@@ -146,7 +146,7 @@ cargo clippy \
     --locked \
     --profile test \
     --no-default-features \
-    --features=console,systemd,element_hacks,direct_tls,perf_measurements,brotli_compression,blurhashing \
+    --features=console,systemd,element_hacks,direct_tls,perf_measurements,brotli_compression \
     --color=always \
     -- \
     -D warnings

package-lock.json

@@ -125,13 +125,13 @@
       }
     },
     "node_modules/@rsbuild/core": {
-      "version": "2.0.3",
-      "resolved": "https://registry.npmjs.org/@rsbuild/core/-/core-2.0.3.tgz",
-      "integrity": "sha512-2myp7jUgGen50saxW8OJD/eMVKp7HnuBN5MUzwRb6mDbRZZVpoorfI4LQqiGSBNjGLB6jltvx/R2yHmcmnchwg==",
+      "version": "2.0.5",
+      "resolved": "https://registry.npmjs.org/@rsbuild/core/-/core-2.0.5.tgz",
+      "integrity": "sha512-KajO50hbXb32S8MsyDh2f+xKcVeRy9Gfzdcy0JjpMLj22djHugly6jrGo7jH7ls9X6/TDcyCTncSuNK4+D2lTw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@rspack/core": "~2.0.1",
+        "@rspack/core": "~2.0.2",
         "@swc/helpers": "^0.5.21"
       },
       "bin": {
@@ -169,28 +169,28 @@
       }
     },
     "node_modules/@rspack/binding": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding/-/binding-2.0.1.tgz",
-      "integrity": "sha512-ynV1gw4KqFtQ0P+ZZh76SUj49wBb2FuHW3zSmHverHWuxBhzvrZS6/dZ+fCFQG8bTTPtrPz0RQUTN3uEDbPVBQ==",
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/@rspack/binding/-/binding-2.0.2.tgz",
+      "integrity": "sha512-0kZPplW9GWx8mfC6DfsaRY3QBIYPuUs42JfmSM6aSb8tMHZAXQeLeMB8M+h8i4SeI+aFtCgO6UuYGtyWf7+L+A==",
       "dev": true,
       "license": "MIT",
       "optionalDependencies": {
-        "@rspack/binding-darwin-arm64": "2.0.1",
-        "@rspack/binding-darwin-x64": "2.0.1",
-        "@rspack/binding-linux-arm64-gnu": "2.0.1",
-        "@rspack/binding-linux-arm64-musl": "2.0.1",
-        "@rspack/binding-linux-x64-gnu": "2.0.1",
-        "@rspack/binding-linux-x64-musl": "2.0.1",
-        "@rspack/binding-wasm32-wasi": "2.0.1",
-        "@rspack/binding-win32-arm64-msvc": "2.0.1",
-        "@rspack/binding-win32-ia32-msvc": "2.0.1",
-        "@rspack/binding-win32-x64-msvc": "2.0.1"
+        "@rspack/binding-darwin-arm64": "2.0.2",
+        "@rspack/binding-darwin-x64": "2.0.2",
+        "@rspack/binding-linux-arm64-gnu": "2.0.2",
+        "@rspack/binding-linux-arm64-musl": "2.0.2",
+        "@rspack/binding-linux-x64-gnu": "2.0.2",
+        "@rspack/binding-linux-x64-musl": "2.0.2",
+        "@rspack/binding-wasm32-wasi": "2.0.2",
+        "@rspack/binding-win32-arm64-msvc": "2.0.2",
+        "@rspack/binding-win32-ia32-msvc": "2.0.2",
+        "@rspack/binding-win32-x64-msvc": "2.0.2"
       }
     },
     "node_modules/@rspack/binding-darwin-arm64": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-arm64/-/binding-darwin-arm64-2.0.1.tgz",
-      "integrity": "sha512-CGFO5zmajD1Itch1lxAI7+gvKiagzyqXopHv/jHG9Su2WWQ2/Nhn2/rkSpdp6ptE9ri6+6tCOOahf099/v/Xog==",
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-arm64/-/binding-darwin-arm64-2.0.2.tgz",
+      "integrity": "sha512-0o7lbgBBsDlICWdjIH0q3e0BsSco4GRiImHWVfZSVEG+q2+ykZJvSvYCVhPM1Co375Z0S3VMPa/8SjcY1FHwlw==",
       "cpu": [
         "arm64"
       ],
@@ -202,9 +202,9 @@
       ]
     },
     "node_modules/@rspack/binding-darwin-x64": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-x64/-/binding-darwin-x64-2.0.1.tgz",
-      "integrity": "sha512-2vvBNBoS09/PurupBwSrlTZd8283o00B8v20ncsNUdEff41uCR/hzIrYoTIVWnVST+Gt5O1+cfcfORp397lajg==",
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-x64/-/binding-darwin-x64-2.0.2.tgz",
+      "integrity": "sha512-tOwxZpoPlTlRs/w6UyUinXJ4TYRVHMlR7+eQxO1R3muKpixvhXQjtvoaY16HuFyTVky5F0IfOoWr3x9FEsgdLg==",
       "cpu": [
         "x64"
       ],
@@ -216,9 +216,9 @@
       ]
     },
     "node_modules/@rspack/binding-linux-arm64-gnu": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-2.0.1.tgz",
-      "integrity": "sha512-uvNXk6ahE3AH3h2avnd1Mgno68YQpS4cfX1OkOGWIC/roL+NrOP2XVXV4yfVAoydPALDO7AfbIfN0QdmBK3rsA==",
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-2.0.2.tgz",
+      "integrity": "sha512-1ZD4YFhG1rmgqj+W8hfwHyKV8xDxGsc/3KgU0FwmiVEX7JfzhCkgBO/xlCG79kRKSrzuVzt4icO/G3cCKn0pag==",
       "cpu": [
         "arm64"
       ],
@@ -233,9 +233,9 @@
       ]
     },
     "node_modules/@rspack/binding-linux-arm64-musl": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-musl/-/binding-linux-arm64-musl-2.0.1.tgz",
-      "integrity": "sha512-S/a6uN9PiZ5O/PjSqyIXhuRC1lVzeJkJV69NeLk5sIEUiDQ/aQGZG97uN+tluwpbo1tPbLJkdHYETfjspOX4Pg==",
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-musl/-/binding-linux-arm64-musl-2.0.2.tgz",
+      "integrity": "sha512-/PtTkM/DsDLjeuXTmeJeRfbjCDbcL9jvoVgZrgxYFZ28y2cdLvbChbW9uigOzs5dQEs1CIBQXMTTj7KhdBTuQg==",
       "cpu": [
         "arm64"
       ],
@@ -250,9 +250,9 @@
       ]
     },
     "node_modules/@rspack/binding-linux-x64-gnu": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-gnu/-/binding-linux-x64-gnu-2.0.1.tgz",
-      "integrity": "sha512-C13Kk0OkZiocZVj187Sf753UH6pDXnuEu6vzUvi3qv9ltibG1ki0H2Y8isXBYL2cHQOV+hk0g1S6/4z3TTB97A==",
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-gnu/-/binding-linux-x64-gnu-2.0.2.tgz",
+      "integrity": "sha512-bBjsZxMHRaPo6X9SokApm6ucs+UhXtAJFyJJyuk2BH4XJsLeCU9Dz1vMwioeohFbJUUeTASVPm6/BL+RhSaunw==",
       "cpu": [
         "x64"
       ],
@@ -267,9 +267,9 @@
       ]
     },
     "node_modules/@rspack/binding-linux-x64-musl": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-musl/-/binding-linux-x64-musl-2.0.1.tgz",
-      "integrity": "sha512-TQsiBFpEDGkuvK9tNdGj/Uc+AIytzqhxXH/1jKU6M24cWB1DTw/Cx7DdrkCBDyq3129K3POLdujvbWCGqBzQUw==",
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-musl/-/binding-linux-x64-musl-2.0.2.tgz",
+      "integrity": "sha512-HjlpInqzabDNkhVsUJpsHPqa9QYVWBViJoyWNjzXCAW0vKMDvwaphyUvokSinX8FGTlZi/sr5UEaHJo6XtQ35g==",
       "cpu": [
         "x64"
       ],
@@ -284,9 +284,9 @@
       ]
     },
     "node_modules/@rspack/binding-wasm32-wasi": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-wasm32-wasi/-/binding-wasm32-wasi-2.0.1.tgz",
-      "integrity": "sha512-wk3gyUgBW/ayP49bI54bkY8+EQnfBHxdoe9dz3oobSTZQc8AOWwmUUDEPltW8rUvPOM6dfHECTOUMnfaf2f5yA==",
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-wasm32-wasi/-/binding-wasm32-wasi-2.0.2.tgz",
+      "integrity": "sha512-YaRYNFLJRpkGfYjSWR7n9f+nQKtrlmrrffpAn/blc2geHcRvXoBc5SCs1idPtsLhj7H9qWWhs7ucjyHy4csWFg==",
       "cpu": [
         "wasm32"
       ],
@@ -300,9 +300,9 @@
       }
     },
     "node_modules/@rspack/binding-win32-arm64-msvc": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-2.0.1.tgz",
-      "integrity": "sha512-rHjLcy3VcAC3+x+PxH+gwhwv6tPe0JdXTNT5eAOs9wgZIM6T9p4wre49+K4Qy98+Fb7TTbLX0ObUitlOkGwTSA==",
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-2.0.2.tgz",
+      "integrity": "sha512-d/3kTEKq+asLjRFPO96t+wfWiM7DLN76VQEPDD9bc1kdsZXlVJBuvyXfsgK8bbEvKplWXYcSsokhmEnuXrLOpg==",
       "cpu": [
         "arm64"
       ],
@@ -314,9 +314,9 @@
       ]
     },
     "node_modules/@rspack/binding-win32-ia32-msvc": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-2.0.1.tgz",
-      "integrity": "sha512-Ad1vVqMBBnd4T8rsORngu9sl2kyRTlS4kMlvFudjzl1X2UFArEDBe0YVGNN7ZvahM12CErUx2WiN8Sd8pb+qXQ==",
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-2.0.2.tgz",
+      "integrity": "sha512-161cWineq3RW+Jdm1FAfSpXeUtYWvhB3kAbm46vNT9h/YYz+spwsFMvveAZ1nsVSVL0IC5lDBGUte7yUAY8K2g==",
       "cpu": [
         "ia32"
       ],
@@ -328,9 +328,9 @@
       ]
     },
     "node_modules/@rspack/binding-win32-x64-msvc": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-x64-msvc/-/binding-win32-x64-msvc-2.0.1.tgz",
-      "integrity": "sha512-oPM2Jtm7HOlmxl/aBfleAVlL6t9VeHx6WvEets7BBJMInemFXAQd4CErRqybf7rXutACzLeUWBOue4Jpd1/ykw==",
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-x64-msvc/-/binding-win32-x64-msvc-2.0.2.tgz",
+      "integrity": "sha512-y7Q0S1FE+OlkL5GMqLG0PwxrPw6E1r892KhGrGKE1Vdufe5YTEx6xTPxzZ+b7N2KPD7s9G1/iJmWHQxb1+Bjkg==",
       "cpu": [
         "x64"
       ],
@@ -342,13 +342,13 @@
       ]
     },
     "node_modules/@rspack/core": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/@rspack/core/-/core-2.0.1.tgz",
-      "integrity": "sha512-lgfZiExh8kDR/3obgi3RQKwKG5av1Xf5qDN1aVde777W9pbmx0Pqvrww1qtNvJ+gobEjbrrn5HEZWYGe0VLmcA==",
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/@rspack/core/-/core-2.0.2.tgz",
+      "integrity": "sha512-VM3UHOo26uC+4QSqY5tU1ybI7KuXY5rTof8nhFOaBY9SYau0Smvr+hMSAPmrmHwknB6dXT8yaNVxrj7I+qxE1Q==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@rspack/binding": "2.0.1"
+        "@rspack/binding": "2.0.2"
       },
       "engines": {
         "node": "^20.19.0 || >=22.12.0"
@@ -383,20 +383,20 @@
       }
     },
     "node_modules/@rspress/core": {
-      "version": "2.0.10",
-      "resolved": "https://registry.npmjs.org/@rspress/core/-/core-2.0.10.tgz",
-      "integrity": "sha512-DvoV7YUW538x0CVAGyYPKfjUHgEuq7Z8LZq1cpfUgBpA1DynFUK3Ls6spvdoAHAl3l0AN+xxOHpu/sRVhzqi/A==",
+      "version": "2.0.11",
+      "resolved": "https://registry.npmjs.org/@rspress/core/-/core-2.0.11.tgz",
+      "integrity": "sha512-4YBOFmSMFv5GWrCa80qSIW8VxqZQQS/PknVq2r7Hb7kgfB38Fzciopn3hjb3hNwI4TTRbsi/Jev2HyRWD4bYAQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@mdx-js/mdx": "^3.1.1",
         "@mdx-js/react": "^3.1.1",
-        "@rsbuild/core": "^2.0.2",
+        "@rsbuild/core": "^2.0.5",
         "@rsbuild/plugin-react": "~2.0.0",
-        "@rspress/shared": "2.0.10",
+        "@rspress/shared": "2.0.11",
         "@shikijs/rehype": "^4.0.2",
         "@types/unist": "^3.0.3",
-        "@unhead/react": "^2.1.13",
+        "@unhead/react": "^2.1.15",
         "body-scroll-lock": "4.0.0-beta.0",
         "clsx": "2.1.1",
         "copy-to-clipboard": "^3.3.3",
@@ -407,12 +407,12 @@
         "mdast-util-mdxjs-esm": "^2.0.1",
         "medium-zoom": "1.1.0",
         "nprogress": "^0.2.0",
-        "react": "^19.2.5",
-        "react-dom": "^19.2.5",
+        "react": "^19.2.6",
+        "react-dom": "^19.2.6",
         "react-lazy-with-preload": "^2.2.1",
         "react-reconciler": "0.33.0",
         "react-render-to-markdown": "19.0.1",
-        "react-router-dom": "^7.13.2",
+        "react-router-dom": "^7.15.0",
         "rehype-external-links": "^3.0.0",
         "rehype-raw": "^7.0.0",
         "remark-cjk-friendly": "^2.0.1",
@@ -436,9 +436,9 @@
       }
     },
     "node_modules/@rspress/plugin-client-redirects": {
-      "version": "2.0.10",
-      "resolved": "https://registry.npmjs.org/@rspress/plugin-client-redirects/-/plugin-client-redirects-2.0.10.tgz",
-      "integrity": "sha512-ImOm3h/cbXiJXIvpwv3Wn9rM91xgdhKbD2WX+WlMlWO4AtQfKR4XFrVhIZZAkrt09eeotRIklA7nu8Nuzzzbsw==",
+      "version": "2.0.11",
+      "resolved": "https://registry.npmjs.org/@rspress/plugin-client-redirects/-/plugin-client-redirects-2.0.11.tgz",
+      "integrity": "sha512-DI9vod5mGccg57c19CuFpN3mGP1FEEueOUnEUz1UHXSyXg9YTj+ox7Xla4jUUzAzoPVGiWSSsfbtCTwdoxAsbg==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -449,9 +449,9 @@
       }
     },
     "node_modules/@rspress/plugin-sitemap": {
-      "version": "2.0.10",
-      "resolved": "https://registry.npmjs.org/@rspress/plugin-sitemap/-/plugin-sitemap-2.0.10.tgz",
-      "integrity": "sha512-PZLig9+OlnyLcy6x9BlEqWSRef6TzDWB6Dlh2/hY41FtKlhyb7d7U56RGlLselWaQV54SHVa6H/y611A56ZI2g==",
+      "version": "2.0.11",
+      "resolved": "https://registry.npmjs.org/@rspress/plugin-sitemap/-/plugin-sitemap-2.0.11.tgz",
+      "integrity": "sha512-046LCHgbJXdaPipWB2SWMjZcAtIrOjXGZOD92xlTjhZ74D7Mk1Nod1MQdtOEoISWedcHdgpUVXMDbB1doKBpPQ==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -462,13 +462,13 @@
       }
     },
     "node_modules/@rspress/shared": {
-      "version": "2.0.10",
-      "resolved": "https://registry.npmjs.org/@rspress/shared/-/shared-2.0.10.tgz",
-      "integrity": "sha512-Kx10OAHWqi2jvW7ScmBUbkGjnwv4E6rEoelUchcL8It8nQ4nAVk0xvvES7m64knEon55zDbs8JQumCjbHu801Q==",
+      "version": "2.0.11",
+      "resolved": "https://registry.npmjs.org/@rspress/shared/-/shared-2.0.11.tgz",
+      "integrity": "sha512-7l5Pso4s597utJyisVEnd7n/40h053nfE8DwGQMeS8RLGtSwVgxFwNHsSrvQEGtFlLrg2aWWSITqnAVO1wfTew==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@rsbuild/core": "^2.0.2",
+        "@rsbuild/core": "^2.0.5",
         "@shikijs/rehype": "^4.0.2",
         "unified": "^11.0.5"
       }
@@ -610,9 +610,9 @@
       }
     },
     "node_modules/@tybys/wasm-util": {
-      "version": "0.10.1",
-      "resolved": "https://registry.npmjs.org/@tybys/wasm-util/-/wasm-util-0.10.1.tgz",
-      "integrity": "sha512-9tTaPJLSiejZKx+Bmog4uSubteqTvFrVrURwkmHixBo0G4seD0zUxp98E1DzUBJxLQ3NPwXrGKDiVjwx/DpPsg==",
+      "version": "0.10.2",
+      "resolved": "https://registry.npmjs.org/@tybys/wasm-util/-/wasm-util-0.10.2.tgz",
+      "integrity": "sha512-RoBvJ2X0wuKlWFIjrwffGw1IqZHKQqzIchKaadZZfnNpsAYp2mM0h36JtPCjNDAHGgYez/15uMBpfGwchhiMgg==",
       "dev": true,
       "license": "MIT",
       "optional": true,
@@ -707,13 +707,13 @@
       "license": "ISC"
     },
     "node_modules/@unhead/react": {
-      "version": "2.1.13",
-      "resolved": "https://registry.npmjs.org/@unhead/react/-/react-2.1.13.tgz",
-      "integrity": "sha512-gC48tNJ0UtbithkiKCc2WUlxbVVk5o171EtruS2w2hQUblfYFHzCPu2hljjT1e0tUHXXqN8EMv7mpxHddMB2sg==",
+      "version": "2.1.15",
+      "resolved": "https://registry.npmjs.org/@unhead/react/-/react-2.1.15.tgz",
+      "integrity": "sha512-5hfAaZ3XJq9JkspRzZdSPsMrXXA8v/SKiEOxZcN9L40o44byF/50bcQuOLgSSCAx8802mI5VG32KZXWTtsLu9Q==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "unhead": "2.1.13"
+        "unhead": "2.1.15"
       },
       "funding": {
         "url": "https://github.com/sponsors/harlan-zw"
@@ -2753,9 +2753,9 @@
       }
     },
     "node_modules/react": {
-      "version": "19.2.5",
-      "resolved": "https://registry.npmjs.org/react/-/react-19.2.5.tgz",
-      "integrity": "sha512-llUJLzz1zTUBrskt2pwZgLq59AemifIftw4aB7JxOqf1HY2FDaGDxgwpAPVzHU1kdWabH7FauP4i1oEeer2WCA==",
+      "version": "19.2.6",
+      "resolved": "https://registry.npmjs.org/react/-/react-19.2.6.tgz",
+      "integrity": "sha512-sfWGGfavi0xr8Pg0sVsyHMAOziVYKgPLNrS7ig+ivMNb3wbCBw3KxtflsGBAwD3gYQlE/AEZsTLgToRrSCjb0Q==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -2763,16 +2763,16 @@
       }
     },
     "node_modules/react-dom": {
-      "version": "19.2.5",
-      "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.2.5.tgz",
-      "integrity": "sha512-J5bAZz+DXMMwW/wV3xzKke59Af6CHY7G4uYLN1OvBcKEsWOs4pQExj86BBKamxl/Ik5bx9whOrvBlSDfWzgSag==",
+      "version": "19.2.6",
+      "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.2.6.tgz",
+      "integrity": "sha512-0prMI+hvBbPjsWnxDLxlCGyM8PN6UuWjEUCYmZhO67xIV9Xasa/r/vDnq+Xyq4Lo27g8QSbO5YzARu0D1Sps3g==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "scheduler": "^0.27.0"
       },
       "peerDependencies": {
-        "react": "^19.2.5"
+        "react": "^19.2.6"
       }
     },
     "node_modules/react-lazy-with-preload": {
@@ -2822,9 +2822,9 @@
       }
     },
     "node_modules/react-router": {
-      "version": "7.14.2",
-      "resolved": "https://registry.npmjs.org/react-router/-/react-router-7.14.2.tgz",
-      "integrity": "sha512-yCqNne6I8IB6rVCH7XUvlBK7/QKyqypBFGv+8dj4QBFJiiRX+FG7/nkdAvGElyvVZ/HQP5N19wzteuTARXi5Gw==",
+      "version": "7.15.0",
+      "resolved": "https://registry.npmjs.org/react-router/-/react-router-7.15.0.tgz",
+      "integrity": "sha512-HW9vYwuM8f4yx66Izy8xfrzCM+SBJluoZcCbww9A1TySax11S5Vgw6fi3ZjMONw9J4gQwngL7PzkyIpJJpJ7RQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -2845,13 +2845,13 @@
       }
     },
     "node_modules/react-router-dom": {
-      "version": "7.14.2",
-      "resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-7.14.2.tgz",
-      "integrity": "sha512-YZcM5ES8jJSM+KrJ9BdvHHqlnGTg5tH3sC5ChFRj4inosKctdyzBDhOyyHdGk597q2OT6NTrCA1OvB/YDwfekQ==",
+      "version": "7.15.0",
+      "resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-7.15.0.tgz",
+      "integrity": "sha512-VcrVg64Fo8nwBvDscajG8gRTLIuTC6N50nb22l2HOOV4PTOHgoGp8mUjy9wLiHYoYTSYI36tUnXZgasSRFZorQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "react-router": "7.14.2"
+        "react-router": "7.15.0"
       },
       "engines": {
         "node": ">=20.0.0"
@@ -3290,9 +3290,9 @@
       }
     },
     "node_modules/unhead": {
-      "version": "2.1.13",
-      "resolved": "https://registry.npmjs.org/unhead/-/unhead-2.1.13.tgz",
-      "integrity": "sha512-jO9M1sI6b2h/1KpIu4Jeu+ptumLmUKboRRLxys5pYHFeT+lqTzfNHbYUX9bxVDhC1FBszAGuWcUVlmvIPsah8Q==",
+      "version": "2.1.15",
+      "resolved": "https://registry.npmjs.org/unhead/-/unhead-2.1.15.tgz",
+      "integrity": "sha512-MCt5T90mCWyr3Z6pUCdM9lVRXoMoVBlL7z7U4CYVIiaDiuzad/UCfLuMqz5MeNmpZUgoBCQnrucJimU7EZR+XA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {

src/admin/admin.rs

@@ -16,7 +16,7 @@
 };
 
 #[derive(Debug, Parser)]
-#[command(name = conduwuit_core::BRANDING, version = conduwuit_core::version())]
+#[command(name = conduwuit_core::name(), version = conduwuit_core::version())]
 pub enum AdminCommand {
 	#[command(subcommand)]
 	/// Commands for managing appservices

src/admin/query/account_data.rs

@@ -1,7 +1,8 @@
 use clap::Subcommand;
 use conduwuit::Result;
+use conduwuit_database::Deserialized as _;
 use futures::StreamExt;
-use ruma::{OwnedRoomId, OwnedUserId};
+use ruma::{OwnedRoomId, OwnedUserId, exports::serde::Serialize};
 
 use crate::{admin_command, admin_command_dispatch};
 
@@ -58,13 +59,22 @@ async fn account_data_get(
 	room_id: Option<OwnedRoomId>,
 ) -> Result {
 	let timer = tokio::time::Instant::now();
-	let results = self
+	let result = self
 		.services
 		.account_data
 		.get_raw(room_id.as_deref(), &user_id, &kind)
 		.await;
 	let query_time = timer.elapsed();
 
-	self.write_str(&format!("Query completed in {query_time:?}:\n\n```rs\n{results:#?}\n```"))
+	let json = serde_json::to_string_pretty(&match room_id {
+		| None => result
+			.deserialized::<ruma::serde::Raw<ruma::events::AnyGlobalAccountDataEvent>>()?
+			.serialize(serde_json::value::Serializer)?,
+		| Some(_) => result
+			.deserialized::<ruma::serde::Raw<ruma::events::AnyRoomAccountDataEvent>>()?
+			.serialize(serde_json::value::Serializer)?,
+	})?;
+
+	self.write_str(&format!("Query completed in {query_time:?}:\n\n```rs\n{json}\n```"))
 		.await
 }

src/admin/token/commands.rs

@@ -30,37 +30,14 @@ pub(super) async fn issue_token(&self, expires: super::TokenExpires) -> Result {
 		.issue_token(self.sender_or_service_user().into(), expires);
 
 	self.write_str(&format!(
-		"New registration token issued: `{token}` . {}.",
+		"New registration token issued: `{token}`. {}.",
 		if let Some(expires) = info.expires {
 			format!("{expires}")
 		} else {
 			"Never expires".to_owned()
 		}
 	))
-	.await?;
-
-	if self
-		.services
-		.config
-		.oauth
-		.compatibility_mode
-		.oauth_available()
-	{
-		self.write_str(&format!(
-			"\nInvite link using this token: {}",
-			self.services
-				.config
-				.get_client_domain()
-				.join(&format!(
-					"{}/account/register/?flow=trusted&token={token}",
-					conduwuit::ROUTE_PREFIX
-				))
-				.unwrap()
-		))
-		.await?;
-	}
-
-	Ok(())
+	.await
 }
 
 #[admin_command]

src/admin/user/commands.rs

@@ -1,10 +1,13 @@
-use std::collections::{BTreeMap, HashSet};
+use std::{
+	collections::{BTreeMap, HashSet},
+	fmt::Write as _,
+};
 
 use api::client::{
 	full_user_deactivate, leave_room, recreate_push_rules_and_return, remote_leave_room,
 };
 use conduwuit::{
-	Err, Result, debug_warn, info,
+	Err, Result, debug_warn, error, info,
 	matrix::{Event, pdu::PartialPdu},
 	utils::{self, ReadyExt},
 	warn,
@@ -50,22 +53,130 @@ pub(super) async fn list_users(&self) -> Result {
 #[admin_command]
 pub(super) async fn create_user(&self, username: String, password: Option<String>) -> Result {
 	// Validate user id
-	let user_id = self
-		.services
+	let user_id = parse_local_user_id(self.services, &username)?;
+
+	if let Err(e) = user_id.validate_strict() {
+		if self.services.config.emergency_password.is_none() {
+			return Err!("Username {user_id} contains disallowed characters or spaces: {e}");
+		}
+	}
+
+	if self.services.users.exists(&user_id).await {
+		return Err!("User {user_id} already exists");
+	}
+
+	let password = password.unwrap_or_else(|| utils::random_string(AUTO_GEN_PASSWORD_LENGTH));
+
+	// Create user
+	self.services
 		.users
-		.determine_registration_user_id(Some(username), None, None)
+		.create(&user_id, Some(HashedPassword::new(&password)?))
 		.await?;
 
-	let password = HashedPassword::new(
-		&password.unwrap_or_else(|| utils::random_string(AUTO_GEN_PASSWORD_LENGTH)),
-	)?;
+	// Default to pretty displayname
+	let mut displayname = user_id.localpart().to_owned();
+
+	// If `new_user_displayname_suffix` is set, registration will push whatever
+	// content is set to the user's display name with a space before it
+	if !self
+		.services
+		.server
+		.config
+		.new_user_displayname_suffix
+		.is_empty()
+	{
+		write!(displayname, " {}", self.services.server.config.new_user_displayname_suffix)?;
+	}
 
 	self.services
 		.users
-		.create_local_account(&user_id, password, None)
-		.await;
+		.set_displayname(&user_id, Some(displayname));
 
-	self.write_str(&format!("Created user {user_id}")).await
+	// Initial account data
+	self.services
+		.account_data
+		.update(
+			None,
+			&user_id,
+			ruma::events::GlobalAccountDataEventType::PushRules
+				.to_string()
+				.into(),
+			&serde_json::to_value(ruma::events::push_rules::PushRulesEvent::new(
+				ruma::events::push_rules::PushRulesEventContent::new(
+					ruma::push::Ruleset::server_default(&user_id),
+				),
+			))
+			.unwrap(),
+		)
+		.await?;
+
+	if !self.services.server.config.auto_join_rooms.is_empty() {
+		for room in &self.services.server.config.auto_join_rooms {
+			let Ok(room_id) = self.services.rooms.alias.resolve(room).await else {
+				error!(
+					%user_id,
+					"Failed to resolve room alias to room ID when attempting to auto join {room}, skipping"
+				);
+				continue;
+			};
+
+			if !self
+				.services
+				.rooms
+				.state_cache
+				.server_in_room(self.services.globals.server_name(), &room_id)
+				.await
+			{
+				warn!(
+					"Skipping room {room} to automatically join as we have never joined before."
+				);
+				continue;
+			}
+
+			if let Some(room_server_name) = room.server_name() {
+				match self
+					.services
+					.rooms
+					.membership
+					.join_room(
+						&user_id,
+						&room_id,
+						Some("Automatically joining this room upon registration".to_owned()),
+						&[
+							self.services.globals.server_name().to_owned(),
+							room_server_name.to_owned(),
+						],
+					)
+					.await
+				{
+					| Ok(_response) => {
+						info!("Automatically joined room {room} for user {user_id}");
+					},
+					| Err(e) => {
+						// don't return this error so we don't fail registrations
+						error!(
+							"Failed to automatically join room {room} for user {user_id}: {e}"
+						);
+						self.services
+							.admin
+							.send_text(&format!(
+								"Failed to automatically join room {room} for user {user_id}: \
+								 {e}"
+							))
+							.await;
+					},
+				}
+			}
+		}
+	}
+
+	// we dont add a device since we're not the user, just the creator
+
+	// Make the first user to register an administrator and disable first-run mode.
+	self.services.firstrun.empower_first_user(&user_id).await?;
+
+	self.write_str(&format!("Created user with user_id: {user_id} and password: `{password}`"))
+		.await
 }
 
 #[admin_command]
@@ -191,6 +302,31 @@ pub(super) async fn reset_password(
 	Ok(())
 }
 
+#[admin_command]
+pub(super) async fn issue_password_reset_link(&self, username: String) -> Result {
+	use conduwuit_service::password_reset::{PASSWORD_RESET_PATH, RESET_TOKEN_QUERY_PARAM};
+
+	self.bail_restricted()?;
+
+	let mut reset_url = self
+		.services
+		.config
+		.get_client_domain()
+		.join(PASSWORD_RESET_PATH)
+		.unwrap();
+
+	let user_id = parse_local_user_id(self.services, &username)?;
+	let token = self.services.password_reset.issue_token(user_id).await?;
+	reset_url
+		.query_pairs_mut()
+		.append_pair(RESET_TOKEN_QUERY_PARAM, &token.token);
+
+	self.write_str(&format!("Password reset link issued for {username}: {reset_url}"))
+		.await?;
+
+	Ok(())
+}
+
 #[admin_command]
 pub(super) async fn deactivate_all(&self, no_leave_rooms: bool, force: bool) -> Result {
 	if self.body.len() < 2

src/admin/user/mod.rs

@@ -29,6 +29,12 @@ pub enum UserCommand {
 		password: Option<String>,
 	},
 
+	/// Issue a self-service password reset link for a user.
+	IssuePasswordResetLink {
+		/// Username of the user who may use the link
+		username: String,
+	},
+
 	/// Get a user's associated email address.
 	GetEmail {
 		user_id: String,

src/api/client/account/mod.rs

@@ -24,7 +24,7 @@
 		power_levels::RoomPowerLevelsEventContent,
 	},
 };
-use service::{mailer::messages, uiaa::UiaaInitiator, users::HashedPassword};
+use service::{mailer::messages, uiaa::Identity, users::HashedPassword};
 
 use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH};
 use crate::Ruma;
@@ -121,7 +121,7 @@ pub(crate) async fn change_password_route(
 				&body.auth,
 				vec![AuthFlow::new(vec![AuthType::Password])],
 				Box::default(),
-				Some(UiaaInitiator::new(user_id, body.sender_device())),
+				Some(Identity::from_user_id(user_id)),
 			)
 			.await?
 	} else {
@@ -270,17 +270,10 @@ pub(crate) async fn deactivate_route(
 		.as_ref()
 		.ok_or_else(|| err!(Request(MissingToken("Missing access token."))))?;
 
-	if !services.config.allow_deactivation {
-		return Err!(Request(Unauthorized(
-			"You may not deactivate your own account. Contact your server's administrator for \
-			 assistance."
-		)));
-	}
-
 	// Prompt the user to confirm with their password using UIAA
 	let _ = services
 		.uiaa
-		.authenticate_password(&body.auth, sender_user, body.sender_device(), None)
+		.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
 		.await?;
 
 	// Remove profile pictures and display name
@@ -329,8 +322,6 @@ pub(crate) async fn check_registration_token_validity(
 /// Runs through all the deactivation steps:
 ///
 /// - Mark as deactivated
-/// - Removing display name
-/// - Removing avatar URL and blurhash
 /// - Removing all profile data
 /// - Leaving all rooms (and forgets all of them)
 pub async fn full_user_deactivate(

src/api/client/account/register.rs

@@ -1,15 +1,17 @@
-use std::collections::HashMap;
+use std::{collections::HashMap, fmt::Write};
 
 use axum::extract::State;
 use axum_client_ip::ClientIp;
 use conduwuit::{
-	Err, Result, debug_info, info,
+	Err, Result, debug_info, error, info,
 	utils::{self},
+	warn,
 };
 use conduwuit_service::Services;
-use futures::StreamExt;
+use futures::{FutureExt, StreamExt};
 use lettre::{Address, message::Mailbox};
 use ruma::{
+	OwnedUserId, UserId,
 	api::client::{
 		account::{
 			register::{self, LoginType, RegistrationKind},
@@ -18,6 +20,11 @@
 		uiaa::{AuthFlow, AuthType},
 	},
 	assign,
+	events::{
+		GlobalAccountDataEventType, push_rules::PushRulesEvent,
+		room::message::RoomMessageEventContent,
+	},
+	push,
 };
 use serde_json::value::RawValue;
 use service::{mailer::messages, users::HashedPassword};
@@ -25,6 +32,8 @@
 use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH};
 use crate::Ruma;
 
+const RANDOM_USER_ID_LENGTH: usize = 10;
+
 /// # `POST /_matrix/client/v3/register`
 ///
 /// Register an account on this homeserver.
@@ -43,6 +52,8 @@ pub(crate) async fn register_route(
 		return Err!(Request(GuestAccessForbidden("Guests may not register on this server.")));
 	}
 
+	let emergency_mode_enabled = services.config.emergency_password.is_some();
+
 	// Allow registration if it's enabled in the config file or if this is the first
 	// run (so the first user account can be created)
 	let allow_registration =
@@ -60,51 +71,101 @@ pub(crate) async fn register_route(
 		)));
 	}
 
-	let user_id = if body.body.login_type == Some(LoginType::ApplicationService) {
-		let Some(appservice_info) = &body.appservice_info else {
-			return Err!(Request(Forbidden(
-				"Only appservices can use the appservice login type."
-			)));
-		};
-
-		let user_id = services
-			.users
-			.determine_registration_user_id(body.username.clone(), None, Some(appservice_info))
-			.await?;
-
-		services.users.create(&user_id, None).await?;
-
-		user_id
+	let identity = if body.appservice_info.is_some() {
+		// Appservices can skip auth
+		None
 	} else {
 		// Perform UIAA to determine the user's identity
 		let (flows, params) = create_registration_uiaa_session(&services).await?;
 
-		let identity = services
-			.uiaa
-			.authenticate(&body.auth, flows, params, None)
-			.await?;
-
-		let password = if let Some(password) = &body.password {
-			HashedPassword::new(password)?
-		} else {
-			return Err!(Request(InvalidParam("A password must be provided.")));
-		};
-
-		let user_id = services
-			.users
-			.determine_registration_user_id(body.username.clone(), identity.email.as_ref(), None)
-			.await?;
-
-		services
-			.users
-			.create_local_account(&user_id, password, identity.email)
-			.await;
-
-		user_id
+		Some(
+			services
+				.uiaa
+				.authenticate(&body.auth, flows, params, None)
+				.await?,
+		)
 	};
 
+	// If the user didn't supply a username but did supply an email, use
+	// the email's user as their initial localpart to avoid falling back to
+	// a randomly generated localpart
+	let supplied_username = body.username.clone().or_else(|| {
+		if let Some(identity) = &identity
+			&& let Some(email) = &identity.email
+		{
+			Some(email.user().to_owned())
+		} else {
+			None
+		}
+	});
+
+	let user_id =
+		determine_registration_user_id(&services, supplied_username, emergency_mode_enabled)
+			.await?;
+
+	if body.body.login_type == Some(LoginType::ApplicationService) {
+		// For appservice logins, make sure that the user ID is in the appservice's
+		// namespace
+
+		match body.appservice_info {
+			| Some(ref info) =>
+				if !info.is_user_match(&user_id) && !emergency_mode_enabled {
+					return Err!(Request(Exclusive(
+						"Username is not in an appservice namespace."
+					)));
+				},
+			| _ => {
+				return Err!(Request(MissingToken("Missing appservice token.")));
+			},
+		}
+	} else if services.appservice.is_exclusive_user_id(&user_id).await && !emergency_mode_enabled
+	{
+		// For non-appservice logins, ban user IDs which are in an appservice's
+		// namespace (unless emergency mode is enabled)
+		return Err!(Request(Exclusive("Username is reserved by an appservice.")));
+	}
+
+	let password = if body.appservice_info.is_some() {
+		None
+	} else if let Some(password) = body.password.as_deref() {
+		Some(HashedPassword::new(password)?)
+	} else {
+		return Err!(Request(InvalidParam("A password must be provided")));
+	};
+
+	// Create user
+	services.users.create(&user_id, password).await?;
+
+	// Set an initial display name
+	let mut displayname = user_id.localpart().to_owned();
+
+	// Apply the new user displayname suffix, if it's set
+	if !services.globals.new_user_displayname_suffix().is_empty()
+		&& body.appservice_info.is_none()
+	{
+		write!(displayname, " {}", services.server.config.new_user_displayname_suffix)?;
+	}
+
+	services
+		.users
+		.set_displayname(&user_id, Some(displayname.clone()));
+
+	// Initial account data
+	services
+		.account_data
+		.update(
+			None,
+			&user_id,
+			GlobalAccountDataEventType::PushRules.to_string().into(),
+			&serde_json::to_value(PushRulesEvent::new(
+				push::Ruleset::server_default(&user_id).into(),
+			))
+			.expect("should be able to serialize push rules"),
+		)
+		.await?;
+
+	// Generate new device id if the user didn't specify one
 	let (token, device) = if !body.inhibit_login {
-		// Generate new device id if the user didn't specify one
 		let device_id = body
 			.device_id
 			.clone()
@@ -120,7 +181,6 @@ pub(crate) async fn register_route(
 				&user_id,
 				&device_id,
 				&new_token,
-				None,
 				body.initial_device_display_name.clone(),
 				Some(client.to_string()),
 			)
@@ -131,7 +191,118 @@ pub(crate) async fn register_route(
 		(None, None)
 	};
 
-	debug_info!(%user_id, ?device, "New account created via legacy registration");
+	debug_info!(%user_id, ?device, "User account was created");
+
+	// If the user registered with an email, associate it with their account.
+	if let Some(identity) = identity
+		&& let Some(email) = identity.email
+	{
+		// This may fail if the email is already in use, but we already check for that
+		// in `/requestToken`, so ignoring the error is acceptable here in the rare case
+		// that an email is sniped by another user between the `/requestToken` request
+		// and the `/register` request.
+		let _ = services
+			.threepid
+			.associate_localpart_email(user_id.localpart(), &email)
+			.await;
+	}
+
+	let device_display_name = body.initial_device_display_name.as_deref().unwrap_or("");
+
+	if body.appservice_info.is_none() {
+		if !device_display_name.is_empty() {
+			let notice = format!(
+				"New user \"{user_id}\" registered on this server from IP {client} and device \
+				 display name \"{device_display_name}\""
+			);
+
+			info!("{notice}");
+			if services.server.config.admin_room_notices {
+				services.admin.notice(&notice).await;
+			}
+		} else {
+			let notice = format!("New user \"{user_id}\" registered on this server.");
+
+			info!("{notice}");
+			if services.server.config.admin_room_notices {
+				services.admin.notice(&notice).await;
+			}
+		}
+	}
+
+	// Make the first user to register an administrator and disable first-run mode.
+	let was_first_user = services.firstrun.empower_first_user(&user_id).await?;
+
+	// If the registering user was not the first and we're suspending users on
+	// register, suspend them.
+	if !was_first_user && services.config.suspend_on_register {
+		// Note that we can still do auto joins for suspended users
+		services
+			.users
+			.suspend_account(&user_id, &services.globals.server_user)
+			.await;
+		// And send an @room notice to the admin room, to prompt admins to review the
+		// new user and ideally unsuspend them if deemed appropriate.
+		if services.server.config.admin_room_notices {
+			services
+				.admin
+				.send_loud_message(RoomMessageEventContent::text_plain(format!(
+					"User {user_id} has been suspended as they are not the first user on this \
+					 server. Please review and unsuspend them if appropriate."
+				)))
+				.await
+				.ok();
+		}
+	}
+
+	if body.appservice_info.is_none() && !services.server.config.auto_join_rooms.is_empty() {
+		for room in &services.server.config.auto_join_rooms {
+			let Ok(room_id) = services.rooms.alias.resolve(room).await else {
+				error!(
+					"Failed to resolve room alias to room ID when attempting to auto join \
+					 {room}, skipping"
+				);
+				continue;
+			};
+
+			if !services
+				.rooms
+				.state_cache
+				.server_in_room(services.globals.server_name(), &room_id)
+				.await
+			{
+				warn!(
+					"Skipping room {room} to automatically join as we have never joined before."
+				);
+				continue;
+			}
+
+			if let Some(room_server_name) = room.server_name() {
+				match services
+					.rooms
+					.membership
+					.join_room(
+						&user_id,
+						&room_id,
+						Some("Automatically joining this room upon registration".to_owned()),
+						&[services.globals.server_name().to_owned(), room_server_name.to_owned()],
+					)
+					.boxed()
+					.await
+				{
+					| Err(e) => {
+						// don't return this error so we don't fail registrations
+						error!(
+							"Failed to automatically join room {room} for user {user_id}: {e}"
+						);
+					},
+					| _ => {
+						info!("Automatically joined room {room} for user {user_id}");
+					},
+				}
+			}
+		}
+	}
 
 	Ok(assign!(register::v3::Response::new(user_id), {
 		access_token: token,
@@ -203,21 +374,21 @@ async fn create_registration_uiaa_session(
 
 		// Require all users to agree to the terms and conditions, if configured
 		let terms = &services.config.registration_terms;
-		if !terms.documents.is_empty() {
-			let mut terms_map = HashMap::new();
+		if !terms.is_empty() {
+			let mut terms =
+				serde_json::to_value(terms.clone()).expect("failed to serialize terms");
 
-			for (id, document) in &terms.documents {
-				terms_map.insert(id.to_owned(), serde_json::json!({
-					terms.language.clone(): serde_json::to_value(document).expect("should be able to serialize document")
-				}));
+			// Insert a dummy `version` field
+			for (_, documents) in terms.as_object_mut().unwrap() {
+				let documents = documents.as_object_mut().unwrap();
+
+				documents.insert("version".to_owned(), "latest".into());
 			}
 
-			terms_map.insert("version".to_owned(), "latest".into());
-
 			params.insert(
 				AuthType::Terms.as_str().to_owned(),
 				serde_json::json!({
-					"policies": terms_map,
+					"policies": terms,
 				}),
 			);
 
@@ -250,6 +421,81 @@ async fn create_registration_uiaa_session(
 	Ok((flows, params))
 }
 
+async fn determine_registration_user_id(
+	services: &Services,
+	supplied_username: Option<String>,
+	emergency_mode_enabled: bool,
+) -> Result<OwnedUserId> {
+	if let Some(supplied_username) = supplied_username {
+		// The user gets to pick their username. Do some validation to make sure it's
+		// acceptable.
+
+		// Don't allow registration with forbidden usernames.
+		if services
+			.globals
+			.forbidden_usernames()
+			.is_match(&supplied_username)
+			&& !emergency_mode_enabled
+		{
+			return Err!(Request(Forbidden("Username is forbidden")));
+		}
+
+		// Create and validate the user ID
+		let user_id = match UserId::parse_with_server_name(
+			&supplied_username,
+			services.globals.server_name(),
+		) {
+			| Ok(user_id) => {
+				if let Err(e) = user_id.validate_strict() {
+					// Unless we are in emergency mode, we should follow synapse's behaviour on
+					// not allowing things like spaces and UTF-8 characters in usernames
+					if !emergency_mode_enabled {
+						return Err!(Request(InvalidUsername(debug_warn!(
+							"Username {supplied_username} contains disallowed characters or \
+							 spaces: {e}"
+						))));
+					}
+				}
+
+				// Don't allow registration with user IDs that aren't local
+				if !services.globals.user_is_local(&user_id) {
+					return Err!(Request(InvalidUsername(
+						"Username {supplied_username} is not local to this server"
+					)));
+				}
+
+				user_id
+			},
+			| Err(e) => {
+				return Err!(Request(InvalidUsername(debug_warn!(
+					"Username {supplied_username} is not valid: {e}"
+				))));
+			},
+		};
+
+		if services.users.exists(&user_id).await {
+			return Err!(Request(UserInUse("User ID is not available.")));
+		}
+
+		Ok(user_id)
+	} else {
+		// The user didn't specify a username. Generate a username for
+		// them.
+
+		loop {
+			let user_id = UserId::parse_with_server_name(
+				utils::random_string(RANDOM_USER_ID_LENGTH).to_lowercase(),
+				services.globals.server_name(),
+			)
+			.unwrap();
+
+			if !services.users.exists(&user_id).await {
+				break Ok(user_id);
+			}
+		}
+	}
+}
+
 /// # `POST /_matrix/client/v3/register/email/requestToken`
 ///
 /// Requests a validation email for the purpose of registering a new account.

src/api/client/account/threepid.rs

@@ -11,7 +11,7 @@
 	},
 	thirdparty::{Medium, ThirdPartyIdentifierInit},
 };
-use service::mailer::messages;
+use service::{mailer::messages, uiaa::Identity};
 
 use crate::Ruma;
 
@@ -116,15 +116,14 @@ pub(crate) async fn add_3pid_route(
 	// Require password auth to add an email
 	let _ = services
 		.uiaa
-		.authenticate_password(&body.auth, sender_user, body.sender_device(), None)
+		.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
 		.await?;
 
 	let email = services
 		.threepid
-		.get_valid_session(&body.sid, &body.client_secret)
+		.consume_valid_session(&body.sid, &body.client_secret)
 		.await
-		.map_err(|message| err!(Request(ThreepidAuthFailed("{message}"))))?
-		.consume();
+		.map_err(|message| err!(Request(ThreepidAuthFailed("{message}"))))?;
 
 	services
 		.threepid

src/api/client/device.rs

@@ -8,6 +8,7 @@
 		self, delete_device, delete_devices, get_device, get_devices, update_device,
 	},
 };
+use service::uiaa::Identity;
 
 use crate::{Ruma, client::DEVICE_ID_LENGTH};
 
@@ -94,7 +95,6 @@ pub(crate) async fn update_device_route(
 					&device_id,
 					&appservice.registration.as_token,
 					None,
-					None,
 					Some(client.to_string()),
 				)
 				.await?;
@@ -126,7 +126,7 @@ pub(crate) async fn delete_device_route(
 		// Prompt the user to confirm with their password using UIAA
 		let _ = services
 			.uiaa
-			.authenticate_password(&body.auth, sender_user, body.sender_device(), None)
+			.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
 			.await?;
 	}
 
@@ -162,7 +162,7 @@ pub(crate) async fn delete_devices_route(
 		// Prompt the user to confirm with their password using UIAA
 		let _ = services
 			.uiaa
-			.authenticate_password(&body.auth, sender_user, body.sender_device(), None)
+			.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
 			.await?;
 	}
 

src/api/client/keys.rs

@@ -26,7 +26,7 @@
 	serde::Raw,
 };
 use serde_json::json;
-use service::oauth::OAuthTicket;
+use service::uiaa::Identity;
 
 use crate::Ruma;
 
@@ -204,12 +204,7 @@ pub(crate) async fn upload_signing_keys_route(
 	{
 		let _ = services
 			.uiaa
-			.authenticate_password(
-				&body.auth,
-				sender_user,
-				body.sender_device(),
-				Some(OAuthTicket::CrossSigningReset),
-			)
+			.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
 			.await?;
 	}
 

src/api/client/media.rs

@@ -21,7 +21,6 @@
 		},
 		media::create_content,
 	},
-	assign,
 };
 use service::media::mxc::Mxc;
 
@@ -76,17 +75,7 @@ pub(crate) async fn create_content_route(
 		return Err!(Request(Unknown("Failed to save uploaded media")));
 	}
 
-	let blurhash = body.generate_blurhash.then(|| {
-		services
-			.media
-			.create_blurhash(&body.file, content_type, filename)
-			.ok()
-			.flatten()
-	});
-
-	Ok(assign!(create_content::v3::Response::new(mxc.to_string().into()), {
-		blurhash: blurhash.flatten(),
-	}))
+	Ok(create_content::v3::Response::new(mxc.to_string().into()))
 }
 
 /// # `GET /_matrix/client/v1/media/thumbnail/{serverName}/{mediaId}`

src/api/client/membership/invite.rs

@@ -247,7 +247,6 @@ pub(crate) async fn invite_helper(
 	let mut content = RoomMemberEventContent::new(MembershipState::Invite);
 	content.displayname = services.users.displayname(recipient_user).await.ok();
 	content.avatar_url = services.users.avatar_url(recipient_user).await.ok();
-	content.blurhash = services.users.blurhash(recipient_user).await.ok();
 	content.is_direct = Some(is_direct);
 	content.reason = reason;
 

src/api/client/membership/knock.rs

@@ -343,7 +343,6 @@ async fn knock_room_helper_local(
 	let mut content = RoomMemberEventContent::new(MembershipState::Knock);
 	content.displayname = services.users.displayname(sender_user).await.ok();
 	content.avatar_url = services.users.avatar_url(sender_user).await.ok();
-	content.blurhash = services.users.blurhash(sender_user).await.ok();
 	content.reason.clone_from(&reason.clone());
 
 	// Try normal knock first
@@ -527,7 +526,6 @@ async fn knock_room_helper_remote(
 	let mut knock_content = RoomMemberEventContent::new(MembershipState::Knock);
 	knock_content.displayname = services.users.displayname(sender_user).await.ok();
 	knock_content.avatar_url = services.users.avatar_url(sender_user).await.ok();
-	knock_content.blurhash = services.users.blurhash(sender_user).await.ok();
 	knock_content.reason = reason;
 
 	knock_event_stub.insert(

src/api/client/mod.rs

@@ -16,7 +16,6 @@
 pub(super) mod membership;
 pub(super) mod message;
 pub(super) mod mutual_rooms;
-pub(super) mod oauth;
 pub(super) mod openid;
 pub(super) mod presence;
 pub(super) mod profile;
@@ -62,7 +61,6 @@
 pub use membership::{leave_all_rooms, leave_room, remote_leave_room};
 pub(super) use message::*;
 pub(super) use mutual_rooms::*;
-pub(super) use oauth::*;
 pub(super) use openid::*;
 pub(super) use presence::*;
 pub(super) use profile::*;
@@ -75,7 +73,6 @@
 pub(super) use room::*;
 pub(super) use search::*;
 pub(super) use send::*;
-pub use session::handle_login;
 pub(super) use session::*;
 pub(super) use space::*;
 pub(super) use state::*;

src/api/client/mutual_rooms.rs

@@ -21,10 +21,6 @@ pub(crate) async fn get_mutual_rooms_route(
 		return Err!(Request(Unknown("You cannot request rooms in common with yourself.")));
 	}
 
-	if !services.users.exists(&body.user_id).await {
-		return Ok(mutual_rooms::unstable::Response::new(vec![]));
-	}
-
 	let mutual_rooms = services
 		.rooms
 		.state_cache

src/api/client/oauth/mod.rs

@@ -1,56 +0,0 @@
-use axum::{
-	Json, Router,
-	extract::{Request, State},
-	middleware::{self, Next},
-	response::{IntoResponse, Response},
-	routing::method_routing::{get, post},
-};
-use const_str::concat;
-use http::StatusCode;
-use serde_json::json;
-pub(crate) use server_metadata::*;
-
-mod register_client;
-mod server_metadata;
-mod token;
-
-const BASE_PATH: &str = concat!(conduwuit_core::ROUTE_PREFIX, "/oauth2/");
-const AUTH_CODE_PATH: &str = "grant/authorization_code";
-const JWKS_URI_PATH: &str = "client/keys.json";
-const CLIENT_REGISTER_PATH: &str = "client/register";
-const TOKEN_REVOKE_PATH: &str = "client/revoke";
-const TOKEN_PATH: &str = "grant/token";
-const ACCOUNT_MANAGEMENT_PATH: &str = concat!(conduwuit_core::ROUTE_PREFIX, "/account/deeplink");
-
-pub(crate) fn router(state: crate::State) -> Router<crate::State> {
-	Router::new()
-		.nest(BASE_PATH, oauth_router())
-		.route(
-			"/.well-known/openid-configuration",
-			get(
-				// TODO(unspecced): used by old versions of the matrix-js-sdk
-				async |State(services): State<crate::State>| {
-					Json(authorization_server_metadata(&services).await)
-				},
-			),
-		)
-		.layer(middleware::from_fn_with_state(
-			state,
-			async |State(state): State<crate::State>, request: Request, next: Next| -> Response {
-				if state.config.oauth.compatibility_mode.oauth_available() {
-					next.run(request).await
-				} else {
-					(StatusCode::NOT_FOUND, "OAuth is unavailable on this server").into_response()
-				}
-			},
-		))
-}
-
-fn oauth_router() -> Router<crate::State> {
-	Router::new()
-		.route(concat!("/", CLIENT_REGISTER_PATH), post(register_client::register_client_route))
-		// TODO(unspecced): used by old versions of the matrix-js-sdk
-		.route(concat!("/", JWKS_URI_PATH), get(async || Json(json!({"keys": []}))))
-		.route(concat!("/", TOKEN_PATH), post(token::token_route))
-		.route(concat!("/", TOKEN_REVOKE_PATH), post(token::revoke_token_route))
-}

src/api/client/oauth/register_client.rs

@@ -1,28 +0,0 @@
-use axum::{
-	Json,
-	extract::State,
-	response::{IntoResponse, Response},
-};
-use http::StatusCode;
-use serde::Serialize;
-use service::oauth::client_metadata::ClientMetadata;
-
-#[derive(Serialize)]
-struct RegisteredClient {
-	client_id: String,
-	#[serde(flatten)]
-	metadata: ClientMetadata,
-}
-
-pub(crate) async fn register_client_route(
-	State(services): State<crate::State>,
-	Json(metadata): Json<ClientMetadata>,
-) -> Result<Response, Response> {
-	let client_id = services
-		.oauth
-		.register_client(&metadata)
-		.await
-		.map_err(|err| (StatusCode::BAD_REQUEST, err.to_owned()).into_response())?;
-
-	Ok(Json(RegisteredClient { client_id, metadata }).into_response())
-}

src/api/client/oauth/server_metadata.rs

@@ -1,62 +0,0 @@
-use axum::extract::State;
-use conduwuit::{Err, Result};
-use ruma::{
-	api::client::discovery::get_authorization_server_metadata::{
-		self, v1::AccountManagementAction,
-	},
-	serde::Raw,
-};
-use serde_json::{Value, json};
-use service::Services;
-
-use crate::{
-	Ruma,
-	client::oauth::{
-		ACCOUNT_MANAGEMENT_PATH, AUTH_CODE_PATH, CLIENT_REGISTER_PATH, JWKS_URI_PATH, TOKEN_PATH,
-		TOKEN_REVOKE_PATH,
-	},
-};
-
-pub(crate) async fn get_authorization_server_metadata_route(
-	State(services): State<crate::State>,
-	_body: Ruma<get_authorization_server_metadata::v1::Request>,
-) -> Result<get_authorization_server_metadata::v1::Response> {
-	if !services.config.oauth.compatibility_mode.oauth_available() {
-		return Err!(Request(Unrecognized("OAuth is unavailable on this server")));
-	}
-
-	let metadata = Raw::new(&authorization_server_metadata(&services).await).unwrap();
-
-	Ok(get_authorization_server_metadata::v1::Response::new(metadata.cast_unchecked()))
-}
-
-pub(crate) async fn authorization_server_metadata(services: &Services) -> Value {
-	let endpoint_base = services
-		.config
-		.get_client_domain()
-		.join(super::BASE_PATH)
-		.unwrap();
-
-	json!({
-		"account_management_uri": endpoint_base.join(ACCOUNT_MANAGEMENT_PATH).unwrap(),
-		"account_management_actions_supported": [
-			AccountManagementAction::AccountDeactivate,
-			AccountManagementAction::CrossSigningReset,
-			AccountManagementAction::DeviceDelete,
-			AccountManagementAction::DeviceView,
-			AccountManagementAction::DevicesList,
-			AccountManagementAction::Profile,
-		],
-		"authorization_endpoint": endpoint_base.join(AUTH_CODE_PATH).unwrap(),
-		"code_challenge_methods_supported": ["S256"],
-		"grant_types_supported": ["authorization_code", "refresh_token"],
-		"issuer": services.config.get_client_domain(),
-		"jwks_uri": endpoint_base.join(JWKS_URI_PATH).unwrap(),
-		"prompt_values_supported": ["create"],
-		"registration_endpoint": endpoint_base.join(CLIENT_REGISTER_PATH).unwrap(),
-		"response_modes_supported": ["query", "fragment"],
-		"response_types_supported": ["code"],
-		"revocation_endpoint": endpoint_base.join(TOKEN_REVOKE_PATH).unwrap(),
-		"token_endpoint": endpoint_base.join(TOKEN_PATH).unwrap(),
-	})
-}

src/api/client/oauth/token.rs

@@ -1,23 +0,0 @@
-use axum::{Form, Json, extract::State, response::IntoResponse};
-use http::StatusCode;
-use service::oauth::grant::{RevokeTokenRequest, TokenRequest};
-
-pub(crate) async fn token_route(
-	State(services): State<crate::State>,
-	Form(request): Form<TokenRequest>,
-) -> impl IntoResponse {
-	match services.oauth.issue_token(request).await {
-		| Ok(response) => Ok(Json(response)),
-		| Err(err) => Err((StatusCode::BAD_REQUEST, err.message())),
-	}
-}
-
-pub(crate) async fn revoke_token_route(
-	State(services): State<crate::State>,
-	Form(request): Form<RevokeTokenRequest>,
-) -> impl IntoResponse {
-	match services.oauth.revoke_token(request.token).await {
-		| Ok(()) => Ok(StatusCode::OK),
-		| Err(err) => Err((StatusCode::BAD_REQUEST, err.message())),
-	}
-}

src/api/client/profile.rs

@@ -23,8 +23,7 @@
 
 /// # `GET /_matrix/client/v3/profile/{userId}`
 ///
-/// Returns the displayname, avatar_url, blurhash, and custom profile fields of
-/// the user.
+/// Returns the user's profile information.
 ///
 /// - If user is on another server and we do not have a local copy already,
 ///   fetch profile over federation.
@@ -322,19 +321,9 @@ async fn set_profile_field(
 			services.users.set_avatar_url(user_id, None);
 		},
 		| other =>
-			if other.field_name().as_str() == "blurhash" {
-				if let Some(Value::String(blurhash)) = other.value() {
-					services.users.set_blurhash(user_id, Some(blurhash));
-				} else {
-					services.users.set_blurhash(user_id, None);
-				}
-			} else {
-				services.users.set_profile_key(
-					user_id,
-					other.field_name().as_str(),
-					other.value(),
-				);
-			},
+			services
+				.users
+				.set_profile_key(user_id, other.field_name().as_str(), other.value()),
 	}
 
 	// If the user is local and changed their displayname or avatar_url, update it

src/api/client/room/create.rs

@@ -288,7 +288,6 @@ pub(crate) async fn create_room_route(
 	let mut join_event = RoomMemberEventContent::new(MembershipState::Join);
 	join_event.displayname = services.users.displayname(sender_user).await.ok();
 	join_event.avatar_url = services.users.avatar_url(sender_user).await.ok();
-	join_event.blurhash = services.users.blurhash(sender_user).await.ok();
 	join_event.is_direct = Some(body.is_direct);
 
 	debug_info!("Joining {sender_user} to room {room_id}");

src/api/client/room/upgrade.rs

@@ -271,7 +271,6 @@ pub(crate) async fn upgrade_room_route(
 				&assign!(RoomMemberEventContent::new(MembershipState::Join), {
 					displayname: services.users.displayname(sender_user).await.ok(),
 					avatar_url: services.users.avatar_url(sender_user).await.ok(),
-					blurhash: services.users.blurhash(sender_user).await.ok(),
 				}),
 			),
 			sender_user,

src/api/client/session.rs

@@ -29,6 +29,7 @@
 	},
 	assign,
 };
+use service::uiaa::Identity;
 
 use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH};
 use crate::Ruma;
@@ -43,12 +44,6 @@ pub(crate) async fn get_login_types_route(
 	ClientIp(client): ClientIp,
 	_body: Ruma<get_login_types::v3::Request>,
 ) -> Result<get_login_types::v3::Response> {
-	if !services.config.oauth.compatibility_mode.uiaa_available() {
-		return Err!(Request(Unrecognized(
-			"User-interactive authentication is not available on this server."
-		)));
-	}
-
 	Ok(get_login_types::v3::Response::new(vec![
 		get_login_types::v3::LoginType::Password(PasswordLoginType::default()),
 		get_login_types::v3::LoginType::ApplicationService(ApplicationServiceLoginType::default()),
@@ -58,7 +53,7 @@ pub(crate) async fn get_login_types_route(
 	]))
 }
 
-pub async fn handle_login(
+pub(crate) async fn handle_login(
 	services: &Services,
 	identifier: Option<&UserIdentifier>,
 	password: &str,
@@ -124,15 +119,10 @@ pub(crate) async fn login_route(
 	ClientIp(client): ClientIp,
 	body: Ruma<login::v3::Request>,
 ) -> Result<login::v3::Response> {
-	if !services.config.oauth.compatibility_mode.uiaa_available() {
-		return Err!(Request(Unrecognized(
-			"User-interactive authentication is not available on this server."
-		)));
-	}
-
 	let emergency_mode_enabled = services.config.emergency_password.is_some();
 
 	// Validate login method
+	// TODO: Other login methods
 	let user_id = match &body.login_info {
 		#[allow(deprecated)]
 		| login::v3::LoginInfo::Password(login::v3::Password {
@@ -213,7 +203,7 @@ pub(crate) async fn login_route(
 	if device_exists {
 		services
 			.users
-			.set_token(&user_id, &device_id, &token, None)
+			.set_token(&user_id, &device_id, &token)
 			.await?;
 	} else {
 		services
@@ -222,7 +212,6 @@ pub(crate) async fn login_route(
 				&user_id,
 				&device_id,
 				&token,
-				None,
 				body.initial_device_display_name.clone(),
 				Some(client.to_string()),
 			)
@@ -270,7 +259,7 @@ pub(crate) async fn login_token_route(
 	// Prompt the user to confirm with their password using UIAA
 	let _ = services
 		.uiaa
-		.authenticate_password(&body.auth, sender_user, body.sender_device(), None)
+		.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
 		.await?;
 
 	let login_token = utils::random_string(TOKEN_LENGTH);

src/api/client/sync/v5.rs

@@ -69,6 +69,7 @@ pub(crate) async fn sync_events_v5_route(
 	ClientIp(client_ip): ClientIp,
 	body: Ruma<sync_events::v5::Request>,
 ) -> Result<sync_events::v5::Response> {
+	debug_assert!(DEFAULT_BUMP_TYPES.is_sorted(), "DEFAULT_BUMP_TYPES is not sorted");
 	let ref sender_user = body.sender_user().to_owned();
 	let ref sender_device = body.sender_device().to_owned();
 

src/api/client/unversioned.rs

@@ -1,7 +1,8 @@
-use std::collections::BTreeMap;
-
 use axum::{Json, extract::State, response::IntoResponse};
-use conduwuit::Result;
+use conduwuit::{
+	Result,
+	matrix::versions::{unstable_features, versions},
+};
 use futures::StreamExt;
 use ruma::{api::client::discovery::get_supported_versions, assign};
 
@@ -22,47 +23,10 @@
 pub(crate) async fn get_supported_versions_route(
 	_body: Ruma<get_supported_versions::Request>,
 ) -> Result<get_supported_versions::Response> {
-	let versions = vec![
-		"r0.0.1".to_owned(),
-		"r0.1.0".to_owned(),
-		"r0.2.0".to_owned(),
-		"r0.3.0".to_owned(),
-		"r0.4.0".to_owned(),
-		"r0.5.0".to_owned(),
-		"r0.6.0".to_owned(),
-		"r0.6.1".to_owned(),
-		"v1.1".to_owned(),
-		"v1.2".to_owned(),
-		"v1.3".to_owned(),
-		"v1.4".to_owned(),
-		"v1.5".to_owned(),
-		"v1.8".to_owned(),
-		"v1.11".to_owned(),
-		"v1.12".to_owned(),
-		"v1.13".to_owned(),
-		"v1.14".to_owned(),
-	];
-
-	let unstable_features = BTreeMap::from_iter([
-		("org.matrix.e2e_cross_signing".to_owned(), true),
-		("org.matrix.msc2285.stable".to_owned(), true), /* private read receipts (https://github.com/matrix-org/matrix-spec-proposals/pull/2285) */
-		("uk.half-shot.msc2666.query_mutual_rooms".to_owned(), true), /* query mutual rooms (https://github.com/matrix-org/matrix-spec-proposals/pull/2666) */
-		("org.matrix.msc2836".to_owned(), true), /* threading/threads (https://github.com/matrix-org/matrix-spec-proposals/pull/2836) */
-		("org.matrix.msc2946".to_owned(), true), /* spaces/hierarchy summaries (https://github.com/matrix-org/matrix-spec-proposals/pull/2946) */
-		("org.matrix.msc3026.busy_presence".to_owned(), true), /* busy presence status (https://github.com/matrix-org/matrix-spec-proposals/pull/3026) */
-		("org.matrix.msc3814".to_owned(), true),               /* dehydrated devices */
-		("org.matrix.msc3827".to_owned(), true), /* filtering of /publicRooms by room type (https://github.com/matrix-org/matrix-spec-proposals/pull/3827) */
-		("org.matrix.msc3952_intentional_mentions".to_owned(), true), /* intentional mentions (https://github.com/matrix-org/matrix-spec-proposals/pull/3952) */
-		("org.matrix.msc3916.stable".to_owned(), true), /* authenticated media (https://github.com/matrix-org/matrix-spec-proposals/pull/3916) */
-		("org.matrix.msc4180".to_owned(), true), /* stable flag for 3916 (https://github.com/matrix-org/matrix-spec-proposals/pull/4180) */
-		("uk.tcpip.msc4133".to_owned(), true), /* Extending User Profile API with Key:Value Pairs (https://github.com/matrix-org/matrix-spec-proposals/pull/4133) */
-		("us.cloke.msc4175".to_owned(), true), /* Profile field for user time zone (https://github.com/matrix-org/matrix-spec-proposals/pull/4175) */
-		("org.matrix.simplified_msc3575".to_owned(), true), /* Simplified Sliding sync (https://github.com/matrix-org/matrix-spec-proposals/pull/4186) */
-		("uk.timedout.msc4323".to_owned(), true), /* agnostic suspend (https://github.com/matrix-org/matrix-spec-proposals/pull/4323) */
-		("org.matrix.msc4155".to_owned(), true), /* invite filtering (https://github.com/matrix-org/matrix-spec-proposals/pull/4155) */
-	]);
-
-	Ok(assign!(get_supported_versions::Response::new(versions), { unstable_features }))
+	Ok(assign!(
+		get_supported_versions::Response::new(versions()),
+		{ unstable_features: unstable_features() }
+	))
 }
 
 /// # `GET /_conduwuit/server_version`
@@ -71,8 +35,8 @@ pub(crate) async fn get_supported_versions_route(
 /// `/_matrix/federation/v1/version`
 pub(crate) async fn conduwuit_server_version() -> Result<impl IntoResponse> {
 	Ok(Json(serde_json::json!({
-		"name": conduwuit::BRANDING,
-		"version": conduwuit::version(),
+		"name": conduwuit::version::name(),
+		"version": conduwuit::version::version(),
 	})))
 }
 

src/api/client/well_known.rs

@@ -2,7 +2,7 @@
 use conduwuit::{Err, Result};
 use ruma::{
 	api::client::discovery::{
-		discover_homeserver::{self, HomeserverInfo, RtcFocusInfo},
+		discover_homeserver::{self, HomeserverInfo},
 		discover_support::{self, Contact, ContactRole},
 	},
 	assign,
@@ -31,10 +31,8 @@ pub(crate) async fn well_known_client(
 		rtc_foci: services
 			.config
 			.matrix_rtc
-			.effective_foci(&services.config.well_known.rtc_focus_server_urls)
-			.into_iter()
-			.map(|focus| RtcFocusInfo::new(focus.transport_type(), focus.data().into_owned()).unwrap())
-			.collect()
+			.foci
+			.clone()
 	}))
 }
 
@@ -48,10 +46,7 @@ pub(crate) async fn get_rtc_transports(
 	_body: Ruma<ruma::api::client::rtc::transports::v1::Request>,
 ) -> Result<ruma::api::client::rtc::transports::v1::Response> {
 	Ok(ruma::api::client::rtc::transports::v1::Response::new(
-		services
-			.config
-			.matrix_rtc
-			.effective_foci(&services.config.well_known.rtc_focus_server_urls),
+		services.config.matrix_rtc.foci.clone(),
 	))
 }
 

src/api/router.rs

@@ -10,7 +10,7 @@
 	response::{IntoResponse, Redirect},
 	routing::{any, get, post},
 };
-use conduwuit::err;
+use conduwuit::{Server, err};
 pub(super) use conduwuit_service::state::State;
 use http::{Uri, uri};
 
@@ -18,8 +18,8 @@
 pub(super) use self::{args::Args as Ruma, response::RumaResponse};
 use crate::{admin, client, server};
 
-pub fn build(router: Router<State>, state: State) -> Router<State> {
-	let config = &state.server.config;
+pub fn build(router: Router<State>, server: &Server) -> Router<State> {
+	let config = &server.config;
 	let mut router = router
         .ruma_route(&client::appservice_ping)
 		.ruma_route(&client::get_supported_versions_route)
@@ -185,8 +185,6 @@ pub fn build(router: Router<State>, state: State) -> Router<State> {
 		.ruma_route(&client::well_known_client)
 		.ruma_route(&client::get_rtc_transports)
 		.ruma_route(&client::room_initial_sync_route)
-		.ruma_route(&client::get_authorization_server_metadata_route)
-		.merge(client::oauth::router(state))
 		.route("/_conduwuit/server_version", get(client::conduwuit_server_version))
 		.route("/_continuwuity/server_version", get(client::conduwuit_server_version))
 		.ruma_route(&admin::rooms::ban::ban_room)

src/api/router/auth.rs

@@ -1,7 +1,6 @@
 use std::any::{Any, TypeId};
 
-use conduwuit::{Err, Error, Result, err};
-use http::StatusCode;
+use conduwuit::{Err, Result, err};
 use ruma::{
 	OwnedDeviceId, OwnedServerName, OwnedUserId, UserId,
 	api::{
@@ -10,15 +9,12 @@
 			AccessToken, AccessTokenOptional, AppserviceToken, AppserviceTokenOptional,
 			AuthScheme, NoAccessToken, NoAuthentication,
 		},
-		error::{ErrorKind, UnknownTokenErrorData},
 		federation::authentication::ServerSignatures,
 	},
-	assign,
 };
 use service::{
 	Services,
 	server_keys::{PubKeyMap, PubKeys},
-	users::AccessTokenStatus,
 };
 
 use crate::{router::args::AuthQueryParams, service::appservice::RegistrationInfo};
@@ -107,21 +103,12 @@ async fn verify<B: AsRef<[u8]> + Sync>(
 		query: AuthQueryParams,
 		route: TypeId,
 	) -> Result<Auth> {
+		// Check for appservice tokens first
+
 		let (sender_user, sender_device, appservice_info) = {
-			if let Some((sender_user, sender_device, status)) =
+			if let Ok((sender_user, sender_device)) =
 				services.users.find_from_token(&output).await
 			{
-				// If the token is expired we return a soft logout
-				if matches!(status, AccessTokenStatus::Expired) {
-					return Err(Error::Request(
-						ErrorKind::UnknownToken(
-							assign!(UnknownTokenErrorData::new(), { soft_logout: true }),
-						),
-						"This token has expired".into(),
-						StatusCode::UNAUTHORIZED,
-					));
-				}
-
 				// Locked users can only use /logout and /logout/all
 				if services
 					.users
@@ -133,7 +120,7 @@ async fn verify<B: AsRef<[u8]> + Sync>(
 						|| route
 							== TypeId::of::<ruma::api::client::session::logout_all::v3::Request>(
 							)) {
-						return Err!(Request(UserLocked("Your account is locked.")));
+						return Err!(Request(Unauthorized("Your account is locked.")));
 					}
 				}
 
@@ -181,11 +168,7 @@ async fn verify<B: AsRef<[u8]> + Sync>(
 
 				(Some(sender_user), sender_device, Some(appservice_info))
 			} else {
-				return Err(Error::Request(
-					ErrorKind::UnknownToken(UnknownTokenErrorData::new()),
-					"Invalid token".into(),
-					StatusCode::UNAUTHORIZED,
-				));
+				return Err!(Request(Unauthorized("Invalid access token.")));
 			}
 		};
 

src/api/server/version.rs

@@ -11,8 +11,8 @@ pub(crate) async fn get_server_version_route(
 ) -> Result<get_server_version::v1::Response> {
 	Ok(assign!(get_server_version::v1::Response::new(), {
 		server: Some(assign!(get_server_version::v1::Server::new(), {
-			name: Some(conduwuit::BRANDING.into()),
-			version: Some(conduwuit::version().into()),
+			name: Some(conduwuit::version::name().into()),
+			version: Some(conduwuit::version::version().into()),
 		})),
 	}))
 }

src/core/config/mod.rs

@@ -4,7 +4,7 @@
 pub mod proxy;
 
 use std::{
-	collections::{BTreeMap, BTreeSet},
+	collections::{BTreeMap, BTreeSet, HashMap},
 	net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr},
 	path::PathBuf,
 };
@@ -20,10 +20,7 @@
 use regex::RegexSet;
 use ruma::{
 	OwnedRoomId, OwnedRoomOrAliasId, OwnedServerName, OwnedUserId, RoomVersionId,
-	api::client::{
-		discovery::{discover_homeserver::RtcFocusInfo, discover_support::ContactRole},
-		rtc::transports::v1::RtcTransport,
-	},
+	api::client::{discovery::discover_support::ContactRole, rtc::RtcTransport},
 };
 use serde::{Deserialize, Serialize, de::IgnoredAny};
 use url::Url;
@@ -659,25 +656,19 @@ pub struct Config {
 	/// even if `recaptcha_site_key` is set.
 	pub recaptcha_private_site_key: Option<String>,
 
-	/// display: nested
-	#[serde(default)]
-	pub registration_terms: RegistrationTerms,
-
-	/// display: nested
-	#[serde(default)]
-	pub oauth: OauthConfig,
-
-	/// Controls whether users are allowed to deactivate their own accounts
-	/// through the account management panel or their Matrix clients. Server
-	/// admins can always deactivate users using the relevant admin commands.
+	/// Policy documents, such as terms and conditions or a privacy policy,
+	/// which users must agree to when registering an account.
 	///
-	/// Note that, in some jurisdictions, you may be legally required to honor
-	/// users who request to deactivate their accounts if you set this option
-	/// to `false`.
+	/// Example:
+	/// ```ignore
+	/// [global.registration_terms.privacy_policy]
+	/// en = { name = "Privacy Policy", url = "https://homeserver.example/en/privacy_policy.html" }
+	/// es = { name = "Política de Privacidad", url = "https://homeserver.example/es/privacy_policy.html" }
+	/// ```
 	///
-	/// default: true
-	#[serde(default = "true_fn")]
-	pub allow_deactivation: bool,
+	/// default: {}
+	#[serde(default)]
+	pub registration_terms: HashMap<String, HashMap<String, TermsDocument>>,
 
 	/// Controls whether encrypted rooms and events are allowed.
 	#[serde(default = "true_fn")]
@@ -2126,10 +2117,6 @@ pub struct Config {
 	#[serde(default)]
 	pub antispam: Option<Antispam>,
 
-	/// display: nested
-	#[serde(default)]
-	pub blurhashing: BlurhashConfig,
-
 	/// Configuration for MatrixRTC (MSC4143) transport discovery.
 	/// display: nested
 	#[serde(default)]
@@ -2203,43 +2190,6 @@ pub struct WellKnownConfig {
 	/// PGP key URI for server support contacts, to be served as part of the
 	/// MSC1929 server support endpoint.
 	pub support_pgp_key: Option<String>,
-
-	/// **DEPRECATED**: Use `[global.matrix_rtc].foci` instead.
-	///
-	/// A list of MatrixRTC foci URLs which will be served as part of the
-	/// MSC4143 client endpoint at /.well-known/matrix/client.
-	///
-	/// This option is deprecated and will be removed in a future release.
-	/// Please migrate to the new `[global.matrix_rtc]` config section.
-	///
-	/// default: []
-	#[serde(default)]
-	pub rtc_focus_server_urls: Vec<RtcFocusInfo>,
-}
-
-#[derive(Clone, Copy, Debug, Deserialize, Default)]
-#[allow(rustdoc::broken_intra_doc_links, rustdoc::bare_urls)]
-#[config_example_generator(filename = "conduwuit-example.toml", section = "global.blurhashing")]
-pub struct BlurhashConfig {
-	/// blurhashing x component, 4 is recommended by https://blurha.sh/
-	///
-	/// default: 4
-	#[serde(default = "default_blurhash_x_component")]
-	pub components_x: u32,
-	/// blurhashing y component, 3 is recommended by https://blurha.sh/
-	///
-	/// default: 3
-	#[serde(default = "default_blurhash_y_component")]
-	pub components_y: u32,
-	/// Max raw size that the server will blurhash, this is the size of the
-	/// image after converting it to raw data, it should be higher than the
-	/// upload limit but not too high. The higher it is the higher the
-	/// potential load will be for clients requesting blurhashes. The default
-	/// is 33.55MB. Setting it to 0 disables blurhashing.
-	///
-	/// default: 33554432
-	#[serde(default = "default_blurhash_max_raw_size")]
-	pub blurhash_max_raw_size: u64,
 }
 
 #[derive(Clone, Debug, Deserialize, Default)]
@@ -2263,25 +2213,6 @@ pub struct MatrixRtcConfig {
 	pub foci: Vec<RtcTransport>,
 }
 
-impl MatrixRtcConfig {
-	/// Returns the effective foci, falling back to the deprecated
-	/// `rtc_focus_server_urls` if the new config is empty.
-	#[must_use]
-	pub fn effective_foci(&self, deprecated_foci: &[RtcFocusInfo]) -> Vec<RtcTransport> {
-		if !self.foci.is_empty() {
-			self.foci.clone()
-		} else {
-			deprecated_foci
-				.iter()
-				.map(|focus| {
-					RtcTransport::new(focus.focus_type().to_owned(), focus.data().into_owned())
-						.unwrap()
-				})
-				.collect()
-		}
-	}
-}
-
 #[derive(Deserialize, Clone, Debug)]
 #[serde(transparent)]
 struct ListeningPort {
@@ -2405,30 +2336,6 @@ pub struct SmtpConfig {
 	pub require_email_for_token_registration: bool,
 }
 
-#[derive(Clone, Debug, Default, Deserialize, Serialize)]
-#[config_example_generator(
-	filename = "conduwuit-example.toml",
-	section = "global.registration-terms",
-	optional = "true"
-)]
-pub struct RegistrationTerms {
-	/// The language code to provide to clients along with the policy documents.
-	///
-	/// default: "en"
-	pub language: String,
-	/// Policy documents, such as terms and conditions or a privacy policy,
-	/// which users must agree to when registering an account.
-	///
-	/// Example:
-	/// ```ignore
-	/// [global.registration_terms.documents]
-	/// privacy_policy = { name = "Privacy Policy", url = "https://homeserver.example/en/privacy_policy.html" }
-	/// ```
-	///
-	/// default: {}
-	pub documents: BTreeMap<String, TermsDocument>,
-}
-
 /// A policy document for use with a m.login.terms stage.
 #[derive(Clone, Debug, Deserialize, Serialize)]
 pub struct TermsDocument {
@@ -2436,43 +2343,6 @@ pub struct TermsDocument {
 	pub url: String,
 }
 
-#[derive(Clone, Debug, Default, Deserialize)]
-#[config_example_generator(
-	filename = "conduwuit-example.toml",
-	section = "global.oauth",
-	optional = "true"
-)]
-pub struct OauthConfig {
-	/// The compatibility mode to use for OAuth.
-	///
-	/// - "disabled": OAuth will be unavailable. Users will only be able to log
-	///   in using legacy authentication.
-	/// - "hybrid": OAuth and legacy authentication will both be available. Some
-	///   clients may only use one or the other.
-	/// - "exclusive": Only OAuth will be available. Clients which require
-	///   legacy authentication will be unable to log in.
-	///
-	/// default: "hybrid"
-	pub compatibility_mode: OAuthMode,
-}
-
-#[derive(Clone, Debug, Default, Deserialize)]
-#[serde(rename_all = "snake_case")]
-pub enum OAuthMode {
-	Disabled,
-	#[default]
-	Hybrid,
-	Exclusive,
-}
-
-impl OAuthMode {
-	#[must_use]
-	pub fn uiaa_available(&self) -> bool { matches!(self, Self::Disabled | Self::Hybrid) }
-
-	#[must_use]
-	pub fn oauth_available(&self) -> bool { matches!(self, Self::Hybrid | Self::Exclusive) }
-}
-
 const DEPRECATED_KEYS: &[&str] = &[
 	"cache_capacity",
 	"conduit_cache_capacity_modifier",
@@ -2853,13 +2723,3 @@ fn default_client_response_timeout() -> u64 { 120 }
 fn default_client_shutdown_timeout() -> u64 { 15 }
 
 fn default_sender_shutdown_timeout() -> u64 { 5 }
-
-// blurhashing defaults recommended by https://blurha.sh/
-// 2^25
-pub(super) fn default_blurhash_max_raw_size() -> u64 { 33_554_432 }
-
-pub(super) fn default_blurhash_x_component() -> u32 { 4 }
-
-pub(super) fn default_blurhash_y_component() -> u32 { 3 }
-
-// end recommended & blurhashing defaults

src/core/error/mod.rs

@@ -158,7 +158,6 @@ pub fn message(&self) -> String {
 		match self {
 			| Self::Federation(origin, error) => format!("Answer from {origin}: {error}"),
 			| Self::Ruma(error) => response::ruma_error_message(error),
-			| Self::Request(_, message, _) => message.clone().into_owned(),
 			| _ => format!("{self}"),
 		}
 	}

src/core/error/response.rs

@@ -73,8 +73,11 @@ pub(super) fn bad_request_code(kind: &ErrorKind) -> StatusCode {
 		// 413
 		| TooLarge => StatusCode::PAYLOAD_TOO_LARGE,
 
+		// 405
+		| Unrecognized => StatusCode::METHOD_NOT_ALLOWED,
+
 		// 404
-		| Unrecognized | NotFound => StatusCode::NOT_FOUND,
+		| NotFound => StatusCode::NOT_FOUND,
 
 		// 403
 		| GuestAccessForbidden

src/core/info/version.rs

@@ -7,16 +7,19 @@
 
 use std::sync::OnceLock;
 
-pub const BRANDING: &str = "continuwuity";
-pub const ROUTE_PREFIX: &str = "/_continuwuity";
-pub const WEBSITE: &str = "https://continuwuity.org";
-pub const SEMANTIC: &str = env!("CARGO_PKG_VERSION");
+static BRANDING: &str = "continuwuity";
+static WEBSITE: &str = "https://continuwuity.org";
+static SEMANTIC: &str = env!("CARGO_PKG_VERSION");
 
 static VERSION: OnceLock<String> = OnceLock::new();
 static VERSION_UA: OnceLock<String> = OnceLock::new();
 static USER_AGENT: OnceLock<String> = OnceLock::new();
 static USER_AGENT_MEDIA: OnceLock<String> = OnceLock::new();
 
+#[inline]
+#[must_use]
+pub fn name() -> &'static str { BRANDING }
+
 #[inline]
 pub fn version() -> &'static str { VERSION.get_or_init(init_version) }
 
@@ -29,10 +32,10 @@ pub fn user_agent() -> &'static str { USER_AGENT.get_or_init(init_user_agent) }
 #[inline]
 pub fn user_agent_media() -> &'static str { USER_AGENT_MEDIA.get_or_init(init_user_agent_media) }
 
-fn init_user_agent() -> String { format!("{BRANDING}/{} (bot; +{WEBSITE})", version_ua()) }
+fn init_user_agent() -> String { format!("{}/{} (bot; +{WEBSITE})", name(), version_ua()) }
 
 fn init_user_agent_media() -> String {
-	format!("{BRANDING}/{} (embedbot; facebookexternalhit/1.1; +{WEBSITE})", version_ua())
+	format!("{}/{} (embedbot; facebookexternalhit/1.1; +{WEBSITE})", name(), version_ua())
 }
 
 fn init_version_ua() -> String {

src/core/mod.rs

@@ -34,7 +34,10 @@ macro_rules! mod_dtor {
 pub use conduwuit_build_metadata as build_metadata;
 pub use config::Config;
 pub use error::Error;
-pub use info::version::*;
+pub use info::{
+	version,
+	version::{name, version},
+};
 pub use matrix::{Event, EventTypeExt, Pdu, PduCount, PduEvent, PduId, pdu, state_res};
 pub use parking_lot::{Mutex as SyncMutex, RwLock as SyncRwLock};
 pub use server::Server;

src/core/utils/time.rs

@@ -61,23 +61,17 @@ pub fn format(ts: SystemTime, str: &str) -> String {
 pub fn pretty(d: Duration) -> String {
 	use Unit::*;
 
-	let fmt = |w, u| {
-		if w == 1 {
-			format!("{w} {u}")
-		} else {
-			format!("{w} {u}s")
-		}
-	};
-	let gen64 = |w, u| fmt(w, u);
-	let gen128 = |w, u| gen64(u64::try_from(w).expect("u128 to u64"), u);
+	let fmt = |w, f, u| format!("{w}.{f} {u}");
+	let gen64 = |w, f, u| fmt(w, (f * 100.0) as u32, u);
+	let gen128 = |w, f, u| gen64(u64::try_from(w).expect("u128 to u64"), f, u);
 	match whole_and_frac(d) {
-		| (Days(whole), _) => gen64(whole, "day"),
-		| (Hours(whole), _) => gen64(whole, "hour"),
-		| (Mins(whole), _) => gen64(whole, "minute"),
-		| (Secs(whole), _) => gen64(whole, "second"),
-		| (Millis(whole), _) => gen128(whole, "millisecond"),
-		| (Micros(whole), _) => gen128(whole, "microsecond"),
-		| (Nanos(whole), _) => gen128(whole, "nanosecond"),
+		| (Days(whole), frac) => gen64(whole, frac, "days"),
+		| (Hours(whole), frac) => gen64(whole, frac, "hours"),
+		| (Mins(whole), frac) => gen64(whole, frac, "minutes"),
+		| (Secs(whole), frac) => gen64(whole, frac, "seconds"),
+		| (Millis(whole), frac) => gen128(whole, frac, "milliseconds"),
+		| (Micros(whole), frac) => gen128(whole, frac, "microseconds"),
+		| (Nanos(whole), frac) => gen128(whole, frac, "nanoseconds"),
 	}
 }
 

src/database/maps.rs

@@ -49,10 +49,6 @@ pub(super) fn open_list(db: &Arc<Engine>, maps: &[Descriptor]) -> Result<Maps> {
 		name: "bannedroomids",
 		..descriptor::RANDOM_SMALL
 	},
-	Descriptor {
-		name: "clientid_clientmetadata",
-		..descriptor::RANDOM_SMALL
-	},
 	Descriptor {
 		name: "disabledroomids",
 		..descriptor::RANDOM_SMALL
@@ -161,10 +157,6 @@ pub(super) fn open_list(db: &Arc<Engine>, maps: &[Descriptor]) -> Result<Maps> {
 		name: "referencedevents",
 		..descriptor::RANDOM
 	},
-	Descriptor {
-		name: "refreshtoken_refreshtokeninfo",
-		..descriptor::RANDOM_SMALL
-	},
 	Descriptor {
 		name: "registrationtoken_info",
 		..descriptor::RANDOM_SMALL
@@ -374,14 +366,6 @@ pub(super) fn open_list(db: &Arc<Engine>, maps: &[Descriptor]) -> Result<Maps> {
 		name: "userdevicetxnid_response",
 		..descriptor::RANDOM_SMALL
 	},
-	Descriptor {
-		name: "userdeviceid_oauthsessioninfo",
-		..descriptor::RANDOM_SMALL
-	},
-	Descriptor {
-		name: "userdeviceid_tokenexpires",
-		..descriptor::RANDOM_SMALL
-	},
 	Descriptor {
 		name: "userfilterid_filter",
 		..descriptor::RANDOM_SMALL
@@ -392,7 +376,7 @@ pub(super) fn open_list(db: &Arc<Engine>, maps: &[Descriptor]) -> Result<Maps> {
 	},
 	Descriptor {
 		name: "userid_blurhash",
-		..descriptor::RANDOM_SMALL
+		..descriptor::DROPPED
 	},
 	Descriptor {
 		name: "userid_dehydrateddevice",
@@ -486,8 +470,4 @@ pub(super) fn open_list(db: &Arc<Engine>, maps: &[Descriptor]) -> Result<Maps> {
 		name: "userroomid_invitesender",
 		..descriptor::RANDOM_SMALL
 	},
-	Descriptor {
-		name: "websessionid_session",
-		..descriptor::RANDOM_SMALL
-	},
 ];

src/main/Cargo.toml

@@ -47,7 +47,6 @@ default = [
 	"bindgen-runtime", # replace with bindgen-static on alpine
 ]
 standard = [
-    "blurhashing",
 	"brotli_compression",
 	"element_hacks",
 	"gzip_compression",
@@ -71,9 +70,6 @@ full = [
     "tokio_console",
 ]
 
-blurhashing = [
-	"conduwuit-service/blurhashing",
-]
 brotli_compression = [
 	"conduwuit-api/brotli_compression",
 	"conduwuit-core/brotli_compression",

src/main/clap.rs

@@ -15,7 +15,7 @@
 #[clap(
 	about,
 	long_about = None,
-	name = conduwuit_core::BRANDING,
+	name = conduwuit_core::name(),
 	version = conduwuit_core::version(),
 )]
 pub struct Args {

src/main/logging.rs

@@ -110,7 +110,7 @@ pub(crate) fn init(
 				.with_batch_exporter(exporter)
 				.build();
 
-			let tracer = provider.tracer(conduwuit_core::BRANDING);
+			let tracer = provider.tracer(conduwuit_core::name());
 
 			let telemetry = tracing_opentelemetry::layer().with_tracer(tracer);
 

src/main/sentry.rs

@@ -47,7 +47,7 @@ fn options(config: &Config) -> ClientOptions {
 		traces_sample_rate: config.sentry_traces_sample_rate,
 		debug: cfg!(debug_assertions),
 		release: release_name(),
-		user_agent: conduwuit_core::user_agent().into(),
+		user_agent: conduwuit_core::version::user_agent().into(),
 		attach_stacktrace: config.sentry_attach_stacktrace,
 		before_send: Some(Arc::new(before_send)),
 		before_breadcrumb: Some(Arc::new(before_breadcrumb)),

src/router/request.rs

@@ -112,9 +112,7 @@ fn handle_result(method: &Method, uri: &Uri, result: Response) -> Result<Respons
 	}
 
 	if status == StatusCode::METHOD_NOT_ALLOWED {
-		return Ok(
-			err!(Request(Unrecognized("Method not allowed"), METHOD_NOT_ALLOWED)).into_response()
-		);
+		return Ok(err!(Request(Unrecognized("Method Not Allowed"))).into_response());
 	}
 
 	Ok(result)

src/router/router.rs

@@ -9,8 +9,8 @@
 pub(crate) fn build(services: &Arc<Services>) -> (Router, Guard) {
 	let router = Router::<state::State>::new();
 	let (state, guard) = state::create(services.clone());
-	let router = conduwuit_api::router::build(router, state)
-		.merge(conduwuit_web::build(services))
+	let router = conduwuit_api::router::build(router, &services.server)
+		.merge(conduwuit_web::build())
 		.fallback(not_found)
 		.with_state(state);
 

src/service/Cargo.toml

@@ -16,10 +16,6 @@ crate-type = [
 ]
 
 [features]
-blurhashing = [
-	"dep:image",
-	"dep:blurhash",
-]
 brotli_compression = [
 	"conduwuit-core/brotli_compression",
 	"reqwest/brotli",
@@ -119,13 +115,10 @@ tracing.workspace = true
 url.workspace = true
 webpage.workspace = true
 webpage.optional = true
-blurhash.workspace = true
-blurhash.optional = true
 recaptcha-verify = { version = "0.2.0", default-features = false }
 reqwest_recaptcha = { package = "reqwest", version = "0.12.28", default-features = false, features = ["rustls-tls-native-roots-no-provider"]  } # As long as recaptcha-verify's reqwest is outdated
 yansi.workspace = true
 lettre.workspace = true
-serde_urlencoded.workspace = true
 
 [target.'cfg(all(unix, target_os = "linux"))'.dependencies]
 sd-notify.workspace = true

src/service/appservice/mod.rs

@@ -67,7 +67,7 @@ async fn worker(self: Arc<Self>) -> Result {
 		for (id, registration) in appservices {
 			// During startup, resolve any token collisions in favour of appservices
 			// by logging out conflicting user devices
-			if let Some((user_id, device_id, _)) = self
+			if let Ok((user_id, device_id)) = self
 				.services
 				.users
 				.find_from_token(&registration.as_token)
@@ -158,7 +158,7 @@ pub async fn register_appservice(
 			.users
 			.find_from_token(&registration.as_token)
 			.await
-			.is_some()
+			.is_ok()
 		{
 			return Err(err!(Request(InvalidParam(
 				"Cannot register appservice: The provided token is already in use by a user \

src/service/client/mod.rs

@@ -39,7 +39,7 @@ fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
 		let url_preview_user_agent = config
 			.url_preview_user_agent
 			.clone()
-			.unwrap_or_else(|| conduwuit::user_agent_media().to_owned());
+			.unwrap_or_else(|| conduwuit::version::user_agent_media().to_owned());
 
 		Ok(Arc::new(Self {
 			default: base(config)?
@@ -149,7 +149,7 @@ fn base(config: &Config) -> Result<reqwest::ClientBuilder> {
 		.timeout(Duration::from_secs(config.request_total_timeout))
 		.pool_idle_timeout(Duration::from_secs(config.request_idle_timeout))
 		.pool_max_idle_per_host(config.request_idle_per_host.into())
-		.user_agent(conduwuit::user_agent())
+		.user_agent(conduwuit::version::user_agent())
 		.redirect(redirect::Policy::limited(6))
         .danger_accept_invalid_certs(config.allow_invalid_tls_certificates_yes_i_know_what_the_fuck_i_am_doing_with_this_and_i_know_this_is_insecure)
 		.connection_verbose(cfg!(debug_assertions));

src/service/firstrun/mod.rs

@@ -6,7 +6,7 @@
 use askama::Template;
 use async_trait::async_trait;
 use conduwuit::{Result, info, utils::ReadyExt};
-use futures::StreamExt;
+use futures::{FutureExt, StreamExt};
 use ruma::{UserId, events::room::message::RoomMessageEventContent};
 
 use crate::{
@@ -120,7 +120,7 @@ fn disable_first_run(&self) -> bool {
 	///
 	/// Returns Ok(true) if the specified user was the first user, and Ok(false)
 	/// if they were not.
-	pub async fn empower_first_user(&self, user: &UserId) -> bool {
+	pub async fn empower_first_user(&self, user: &UserId) -> Result<bool> {
 		#[derive(Template)]
 		#[template(path = "welcome.md")]
 		struct WelcomeMessage<'a> {
@@ -130,14 +130,10 @@ struct WelcomeMessage<'a> {
 
 		// If first run mode isn't active, do nothing.
 		if !self.disable_first_run() {
-			return false;
+			return Ok(false);
 		}
 
-		self.services
-			.admin
-			.make_user_admin(user)
-			.await
-			.expect("should have been able to empower the first user");
+		self.services.admin.make_user_admin(user).boxed().await?;
 
 		// Send the welcome message
 		let welcome_message = WelcomeMessage {
@@ -150,12 +146,11 @@ struct WelcomeMessage<'a> {
 		self.services
 			.admin
 			.send_loud_message(RoomMessageEventContent::text_markdown(welcome_message))
-			.await
-			.expect("should have been able to send welcome message");
+			.await?;
 
 		info!("{user} has been invited to the admin room as the first user.");
 
-		true
+		Ok(true)
 	}
 
 	/// Get the single-use registration token which may be used to create the
@@ -186,7 +181,7 @@ pub fn print_first_run_banner(&self) {
 		eprintln!(
 			"Welcome to {} {}!",
 			"Continuwuity".bold().bright_magenta(),
-			conduwuit::version().bold()
+			conduwuit::version::version().bold()
 		);
 		eprintln!();
 		eprintln!(

src/service/mailer/mod.rs

@@ -92,8 +92,8 @@ pub async fn send<Template: MessageTemplate>(
 
 		let message = MessageBuilder::new()
 			.from(self.sender.clone())
-			.to(recipient.clone())
-			.subject(subject.clone())
+			.to(recipient)
+			.subject(subject)
 			.date_now()
 			.header(ContentType::TEXT_PLAIN)
 			.body(body)
@@ -104,8 +104,6 @@ pub async fn send<Template: MessageTemplate>(
 			.await
 			.map_err(|err: TransportError| err!("Failed to send message: {err}"))?;
 
-		info!(recipient = recipient.to_string(), ?subject, "Email sent");
-
 		Ok(())
 	}
 }

src/service/media/blurhash.rs

@@ -1,179 +0,0 @@
-#[cfg(feature = "blurhashing")]
-use conduwuit::config::BlurhashConfig as CoreBlurhashConfig;
-use conduwuit::{Result, implement};
-
-use super::Service;
-
-#[implement(Service)]
-#[cfg(not(feature = "blurhashing"))]
-pub fn create_blurhash(
-	&self,
-	_file: &[u8],
-	_content_type: Option<&str>,
-	_file_name: Option<&str>,
-) -> Result<Option<String>> {
-	conduwuit::debug_warn!("blurhashing on upload support was not compiled");
-
-	Ok(None)
-}
-
-#[implement(Service)]
-#[cfg(feature = "blurhashing")]
-pub fn create_blurhash(
-	&self,
-	file: &[u8],
-	content_type: Option<&str>,
-	file_name: Option<&str>,
-) -> Result<Option<String>> {
-	let config = BlurhashConfig::from(self.services.server.config.blurhashing);
-
-	// since 0 means disabled blurhashing, skipped blurhashing
-	if config.size_limit == 0 {
-		return Ok(None);
-	}
-
-	get_blurhash_from_request(file, content_type, file_name, config)
-		.map_err(|e| conduwuit::err!(debug_error!("blurhashing error: {e}")))
-		.map(Some)
-}
-
-/// Returns the blurhash or a blurhash error which implements Display.
-#[tracing::instrument(
-	name = "blurhash",
-	level = "debug",
-	skip(data),
-	fields(
-		bytes = data.len(),
-	),
-)]
-#[cfg(feature = "blurhashing")]
-fn get_blurhash_from_request(
-	data: &[u8],
-	mime: Option<&str>,
-	filename: Option<&str>,
-	config: BlurhashConfig,
-) -> Result<String, BlurhashingError> {
-	// Get format image is supposed to be in
-	let format = get_format_from_data_mime_and_filename(data, mime, filename)?;
-
-	// Get the image reader for said image format
-	let decoder = get_image_decoder_with_format_and_data(format, data)?;
-
-	// Check image size makes sense before unpacking whole image
-	if is_image_above_size_limit(&decoder, config) {
-		return Err(BlurhashingError::ImageTooLarge);
-	}
-
-	let image = image::DynamicImage::from_decoder(decoder)?;
-
-	blurhash_an_image(&image, config)
-}
-
-/// Gets the Image Format value from the data,mime, and filename
-/// It first checks if the mime is a valid image format
-/// Then it checks if the filename has a format, otherwise just guess based on
-/// the binary data Assumes that mime and filename extension won't be for a
-/// different file format than file.
-#[cfg(feature = "blurhashing")]
-fn get_format_from_data_mime_and_filename(
-	data: &[u8],
-	mime: Option<&str>,
-	filename: Option<&str>,
-) -> Result<image::ImageFormat, BlurhashingError> {
-	let extension = filename
-		.map(std::path::Path::new)
-		.and_then(std::path::Path::extension)
-		.map(std::ffi::OsStr::to_string_lossy);
-
-	mime.or(extension.as_deref())
-		.and_then(image::ImageFormat::from_mime_type)
-		.map_or_else(|| image::guess_format(data).map_err(Into::into), Ok)
-}
-
-#[cfg(feature = "blurhashing")]
-fn get_image_decoder_with_format_and_data(
-	image_format: image::ImageFormat,
-	data: &[u8],
-) -> Result<Box<dyn image::ImageDecoder + '_>, BlurhashingError> {
-	let mut image_reader = image::ImageReader::new(std::io::Cursor::new(data));
-	image_reader.set_format(image_format);
-	Ok(Box::new(image_reader.into_decoder()?))
-}
-
-#[cfg(feature = "blurhashing")]
-fn is_image_above_size_limit<T: image::ImageDecoder>(
-	decoder: &T,
-	blurhash_config: BlurhashConfig,
-) -> bool {
-	decoder.total_bytes() >= blurhash_config.size_limit
-}
-
-#[cfg(feature = "blurhashing")]
-#[tracing::instrument(name = "encode", level = "debug", skip_all)]
-#[inline]
-fn blurhash_an_image(
-	image: &image::DynamicImage,
-	blurhash_config: BlurhashConfig,
-) -> Result<String, BlurhashingError> {
-	Ok(blurhash::encode_image(
-		blurhash_config.components_x,
-		blurhash_config.components_y,
-		&image.to_rgba8(),
-	)?)
-}
-
-#[derive(Clone, Copy, Debug)]
-pub struct BlurhashConfig {
-	pub components_x: u32,
-	pub components_y: u32,
-
-	/// size limit in bytes
-	pub size_limit: u64,
-}
-
-#[cfg(feature = "blurhashing")]
-impl From<CoreBlurhashConfig> for BlurhashConfig {
-	fn from(value: CoreBlurhashConfig) -> Self {
-		Self {
-			components_x: value.components_x,
-			components_y: value.components_y,
-			size_limit: value.blurhash_max_raw_size,
-		}
-	}
-}
-
-#[derive(Debug)]
-#[cfg(feature = "blurhashing")]
-pub enum BlurhashingError {
-	HashingLibError(Box<dyn std::error::Error + Send>),
-	#[cfg(feature = "blurhashing")]
-	ImageError(Box<image::ImageError>),
-	ImageTooLarge,
-}
-
-#[cfg(feature = "blurhashing")]
-impl From<image::ImageError> for BlurhashingError {
-	fn from(value: image::ImageError) -> Self { Self::ImageError(Box::new(value)) }
-}
-
-#[cfg(feature = "blurhashing")]
-impl From<blurhash::Error> for BlurhashingError {
-	fn from(value: blurhash::Error) -> Self { Self::HashingLibError(Box::new(value)) }
-}
-
-#[cfg(feature = "blurhashing")]
-impl std::fmt::Display for BlurhashingError {
-	fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-		write!(f, "Blurhash Error:")?;
-		match &self {
-			| Self::ImageTooLarge => write!(f, "Image was too large to blurhash")?,
-			| Self::HashingLibError(e) =>
-				write!(f, "There was an error with the blurhashing library => {e}")?,
-			#[cfg(feature = "blurhashing")]
-			| Self::ImageError(e) =>
-				write!(f, "There was an error with the image loading library => {e}")?,
-		}
-
-		Ok(())
-	}
-}

src/service/media/mod.rs

@@ -1,4 +1,3 @@
-pub mod blurhash;
 mod data;
 pub(super) mod migrations;
 pub mod mxc;

src/service/mod.rs

@@ -27,7 +27,7 @@
 pub mod mailer;
 pub mod media;
 pub mod moderation;
-pub mod oauth;
+pub mod password_reset;
 pub mod presence;
 pub mod pusher;
 pub mod registration_tokens;

src/service/oauth/client_metadata.rs

@@ -1,196 +0,0 @@
-use std::{collections::BTreeSet, hash::Hash};
-
-use itertools::Itertools;
-use serde::{Deserialize, Deserializer, Serialize};
-use url::Url;
-
-#[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize)]
-#[non_exhaustive]
-pub struct ClientMetadata {
-	#[serde(default)]
-	pub application_type: ApplicationType,
-
-	#[serde(default, skip_serializing_if = "Option::is_none")]
-	pub client_name: Option<String>,
-
-	pub client_uri: Url,
-
-	#[serde(default, deserialize_with = "btreeset_skip_err")]
-	pub grant_types: BTreeSet<GrantType>,
-
-	#[serde(default, skip_serializing_if = "Option::is_none")]
-	pub logo_uri: Option<Url>,
-
-	#[serde(default, skip_serializing_if = "Option::is_none")]
-	pub policy_uri: Option<Url>,
-
-	#[serde(default)]
-	pub redirect_uris: Vec<Url>,
-
-	#[serde(default, deserialize_with = "btreeset_skip_err")]
-	pub response_types: BTreeSet<ResponseType>,
-
-	#[serde(default, skip_serializing_if = "Option::is_none")]
-	pub token_endpoint_auth_method: Option<String>,
-
-	#[serde(default, skip_serializing_if = "Option::is_none")]
-	pub tos_uri: Option<Url>,
-}
-
-impl ClientMetadata {
-	pub(super) const ACCEPTABLE_LOCALHOSTS: [&str; 3] = ["localhost", "127.0.0.1", "[::1]"];
-
-	pub(super) fn validate(&self) -> Result<(), &'static str> {
-		let Some(client_domain) = self.client_uri.domain() else {
-			return Err("Client URI must have a domain.");
-		};
-
-		if self.client_uri.scheme() != "https" {
-			return Err("Client URI must be HTTPS.");
-		}
-
-		if !self.client_uri.username().is_empty() || self.client_uri.password().is_some() {
-			return Err("Client URI must not include credentials.");
-		}
-
-		for uri in [&self.logo_uri, &self.policy_uri, &self.tos_uri]
-			.iter()
-			.filter_map(|uri| uri.as_ref())
-		{
-			if uri.scheme() != "https" {
-				return Err("All metadata URIs must be HTTPS.");
-			}
-
-			if !uri.username().is_empty() || uri.password().is_some() {
-				return Err("All metadata URIs must not include credentials.");
-			}
-
-			if !uri
-				.domain()
-				.is_some_and(|domain| is_subdomain(domain, client_domain))
-			{
-				return Err("All metadata URIs must be subdomains of the client URI.");
-			}
-		}
-
-		for uri in &self.redirect_uris {
-			match uri.scheme() {
-				| "https" => {
-					// HTTPS URIs are okay for native and web clients
-
-					if !uri.username().is_empty() || uri.password().is_some() {
-						return Err("HTTPS redirect URIs must not contain credentials.");
-					}
-				},
-				| "http" if self.application_type == ApplicationType::Native => {
-					if uri
-						.host_str()
-						.is_none_or(|host| !Self::ACCEPTABLE_LOCALHOSTS.contains(&host))
-					{
-						return Err("HTTP redirect URIs for native applications must only \
-						            refer to localhost.");
-					}
-
-					if uri.port().is_some() {
-						return Err("HTTP redirect URIs for native applications do not need to \
-						            specify a port. All ports will be accepted during \
-						            authorization.");
-					}
-				},
-				| private_scheme if self.application_type == ApplicationType::Native => {
-					let rdns_client_uri = client_domain.split('.').rev().join(".");
-
-					if !private_scheme.starts_with(&rdns_client_uri) {
-						return Err("Private-use scheme URIs for native applications must \
-						            begin with the application's client URI domain in \
-						            reverse-DNS notation.");
-					}
-
-					if uri.has_authority() {
-						return Err("Private-use scheme URIs for native applications must not \
-						            have an authority.");
-					}
-				},
-				| _ =>
-					return Err("A redirect URI's scheme is not valid for this application type."),
-			}
-		}
-
-		Ok(())
-	}
-}
-
-#[derive(Clone, Debug, Default, PartialEq, Eq, Deserialize, Serialize)]
-#[serde(rename_all = "snake_case")]
-pub enum ApplicationType {
-	#[default]
-	Web,
-	Native,
-}
-
-#[derive(Clone, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, Deserialize, Serialize)]
-#[serde(rename_all = "snake_case")]
-pub enum GrantType {
-	AuthorizationCode,
-	RefreshToken,
-}
-
-#[derive(Clone, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, Deserialize, Serialize)]
-#[serde(rename_all = "snake_case")]
-#[non_exhaustive]
-pub enum ResponseType {
-	Code,
-}
-
-/// Deserialize a BTreeSet from a sequence, skipping items which fail to
-/// deserialize. This is used as a deserialize helper for ClientMetadata to
-/// ignore unknown enum variants in a few fields.
-fn btreeset_skip_err<'de, D, V>(de: D) -> Result<BTreeSet<V>, D::Error>
-where
-	D: Deserializer<'de>,
-	V: Deserialize<'de> + Hash + Eq + Ord,
-{
-	use std::marker::PhantomData;
-
-	use serde::de::{SeqAccess, Visitor};
-
-	struct BTreeSetVisitor<V> {
-		item: PhantomData<V>,
-	}
-
-	impl<'de, V> Visitor<'de> for BTreeSetVisitor<V>
-	where
-		V: Deserialize<'de> + Hash + Eq + Ord,
-	{
-		type Value = BTreeSet<V>;
-
-		fn expecting(&self, formatter: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-			write!(formatter, "a sequence")
-		}
-
-		fn visit_seq<A>(self, mut seq: A) -> Result<Self::Value, A::Error>
-		where
-			A: SeqAccess<'de>,
-		{
-			let mut set = BTreeSet::new();
-
-			while let Some(element) = seq.next_element().transpose() {
-				if let Ok(element) = element {
-					set.insert(element);
-				}
-			}
-
-			Ok(set)
-		}
-	}
-
-	de.deserialize_seq(BTreeSetVisitor { item: PhantomData })
-}
-
-fn is_subdomain(subdomain: &str, domain: &str) -> bool {
-	if subdomain == domain {
-		return true;
-	}
-
-	subdomain.ends_with(&format!(".{domain}"))
-}

src/service/oauth/grant.rs

@@ -1,162 +0,0 @@
-use std::{collections::BTreeSet, fmt::Debug, hash::Hash, mem::discriminant};
-
-use regex::Regex;
-use ruma::OwnedDeviceId;
-use serde::{Deserialize, Serialize};
-use url::Url;
-
-use super::client_metadata::ResponseType;
-
-#[derive(Debug, Clone, Deserialize, Serialize)]
-pub struct AuthorizationCodeQuery {
-	pub response_type: ResponseType,
-	pub client_id: String,
-	pub redirect_uri: Url,
-	pub scope: RawScopes,
-	pub state: String,
-	#[serde(default)]
-	pub response_mode: ResponseMode,
-	pub code_challenge: String,
-	pub code_challenge_method: CodeChallengeMethod,
-	#[serde(default)]
-	pub prompt: Option<Prompt>,
-}
-
-#[derive(Debug, Clone, Default, Deserialize, Serialize)]
-#[serde(rename_all = "snake_case")]
-#[non_exhaustive]
-pub enum ResponseMode {
-	#[default]
-	// default for `code` response type, see https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#:~:text=Client%2E-,For,encoding%2E,-See
-	Query,
-	Fragment,
-}
-
-#[derive(Debug, Clone, Deserialize, Serialize)]
-#[non_exhaustive]
-pub enum CodeChallengeMethod {
-	S256,
-}
-
-#[derive(Debug, Clone, Deserialize, Serialize)]
-#[serde(rename_all = "snake_case")]
-#[non_exhaustive]
-pub enum Prompt {
-	Create,
-	#[serde(other)]
-	Unknown,
-}
-
-#[derive(Debug, Clone, Deserialize, Serialize, PartialOrd, Ord)]
-pub enum Scope {
-	Device(OwnedDeviceId),
-	ClientApi,
-}
-
-impl PartialEq for Scope {
-	fn eq(&self, other: &Self) -> bool { discriminant(self) == discriminant(other) }
-}
-
-impl Eq for Scope {}
-
-impl Hash for Scope {
-	fn hash<H: std::hash::Hasher>(&self, state: &mut H) { discriminant(self).hash(state); }
-}
-
-impl std::fmt::Display for Scope {
-	fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-		let urn = match self {
-			| Self::ClientApi => "urn:matrix:client:api:*".to_owned(),
-			| Self::Device(device_id) => format!("urn:matrix:client:device:{device_id}"),
-		};
-
-		f.write_str(&urn)
-	}
-}
-
-#[derive(Debug, Clone, Deserialize, Serialize)]
-pub struct RawScopes(String);
-
-impl RawScopes {
-	pub fn to_scopes(&self) -> Result<BTreeSet<Scope>, String> {
-		let client_api_token_regex =
-			Regex::new(r"urn:matrix:(client|org.matrix.msc2967.client):api:\*").unwrap();
-		let device_token_regex = Regex::new(
-			r"urn:matrix:(client|org.matrix.msc2967.client):device:([a-zA-Z0-9-._~]{5,})",
-		)
-		.unwrap();
-
-		let mut scopes = BTreeSet::new();
-
-		for token in self.0.split(' ') {
-			let scope_was_new = {
-				if client_api_token_regex.is_match(token) {
-					scopes.insert(Scope::ClientApi)
-				} else if let Some(captures) = device_token_regex.captures(token) {
-					scopes.insert(Scope::Device(captures.get(2).unwrap().as_str().into()))
-				} else if token == "openid" {
-					// TODO(unspecced): Element sets this scope but doesn't use it for anything
-					true
-				} else {
-					return Err(format!("Invalid scope: {token}"));
-				}
-			};
-
-			if !scope_was_new {
-				return Err("Scope was specified more than once".to_owned());
-			}
-		}
-
-		Ok(scopes)
-	}
-}
-
-#[derive(Serialize)]
-pub struct AuthorizationCodeResponse {
-	pub state: String,
-	pub code: String,
-}
-
-#[derive(Deserialize)]
-#[serde(tag = "grant_type", rename_all = "snake_case")]
-pub enum TokenRequest {
-	AuthorizationCode {
-		code: String,
-		redirect_uri: Url,
-		client_id: String,
-		code_verifier: String,
-	},
-	RefreshToken {
-		client_id: String,
-		refresh_token: String,
-	},
-}
-
-impl TokenRequest {
-	#[must_use]
-	pub fn client_id(&self) -> &str {
-		match self {
-			| Self::AuthorizationCode { client_id, .. }
-			| Self::RefreshToken { client_id, .. } => client_id,
-		}
-	}
-}
-
-#[derive(Serialize)]
-pub struct TokenResponse {
-	pub access_token: String,
-	pub token_type: TokenType,
-	pub expires_in: u64,
-	pub refresh_token: String,
-	pub scope: String,
-}
-
-#[derive(Serialize)]
-pub enum TokenType {
-	Bearer,
-}
-
-#[derive(Deserialize)]
-pub struct RevokeTokenRequest {
-	pub token: String,
-}

src/service/oauth/mod.rs

@@ -1,503 +0,0 @@
-use std::{
-	collections::{BTreeSet, HashMap},
-	sync::{Arc, Mutex},
-	time::{Duration, SystemTime},
-};
-
-use base64::Engine;
-use conduwuit::{
-	Err, Result, err, info,
-	utils::{self, hash::sha256},
-};
-use database::{Deserialized, Json, Map};
-use itertools::Itertools;
-use ruma::{DeviceId, OwnedDeviceId, OwnedUserId, UserId};
-use serde::{Deserialize, Serialize};
-use url::Url;
-
-use crate::{
-	Dep,
-	oauth::{
-		client_metadata::{ApplicationType, ClientMetadata, ResponseType},
-		grant::{
-			AuthorizationCodeQuery, AuthorizationCodeResponse, CodeChallengeMethod, ResponseMode,
-			Scope, TokenRequest, TokenResponse, TokenType,
-		},
-	},
-	users,
-};
-
-pub mod client_metadata;
-pub mod grant;
-
-pub struct Service {
-	services: Services,
-	db: Data,
-	tickets: Mutex<HashMap<String, HashMap<OAuthTicket, SystemTime>>>,
-	pending_code_grants: tokio::sync::Mutex<HashMap<String, PendingCodeGrant>>,
-}
-
-struct Data {
-	clientid_clientmetadata: Arc<Map>,
-	userdeviceid_oauthsessioninfo: Arc<Map>,
-	refreshtoken_refreshtokeninfo: Arc<Map>,
-}
-
-struct Services {
-	users: Dep<users::Service>,
-}
-
-#[derive(Debug, Deserialize, Serialize)]
-pub struct SessionInfo {
-	pub client_id: String,
-	pub scopes: BTreeSet<Scope>,
-	current_refresh_token: String,
-}
-
-#[derive(Debug, Deserialize, Serialize)]
-struct RefreshTokenInfo {
-	client_id: String,
-	user_id: OwnedUserId,
-	device_id: OwnedDeviceId,
-}
-
-struct PendingCodeGrant {
-	authorizing_user: OwnedUserId,
-	requested_scopes: BTreeSet<Scope>,
-	client_name: Option<String>,
-	expected_client_id: String,
-	expected_redirect_uri: Url,
-	code_challenge: String,
-	requested_at: SystemTime,
-}
-
-impl PendingCodeGrant {
-	const MAX_AGE: Duration = Duration::from_mins(1);
-	const RANDOM_CODE_LENGTH: usize = 32;
-
-	#[must_use]
-	pub(crate) fn generate_code() -> String { utils::random_string(Self::RANDOM_CODE_LENGTH) }
-
-	#[must_use]
-	pub(crate) fn is_valid_for(&self, client_id: &str) -> bool {
-		let now = SystemTime::now();
-
-		self.expected_client_id == client_id
-			&& now
-				.duration_since(self.requested_at)
-				.is_ok_and(|age| age < Self::MAX_AGE)
-	}
-}
-
-/// A time-limited grant for a client to perform some sensitive action.
-#[derive(Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash)]
-pub enum OAuthTicket {
-	CrossSigningReset,
-}
-
-impl OAuthTicket {
-	const MAX_AGE: Duration = Duration::from_mins(10);
-
-	#[must_use]
-	pub fn ticket_issue_path(&self) -> &'static str {
-		match self {
-			| Self::CrossSigningReset => "/account/cross_signing_reset",
-		}
-	}
-}
-
-impl crate::Service for Service {
-	fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
-		Ok(Arc::new(Self {
-			services: Services {
-				users: args.depend::<users::Service>("users"),
-			},
-			db: Data {
-				clientid_clientmetadata: args.db["clientid_clientmetadata"].clone(),
-				userdeviceid_oauthsessioninfo: args.db["userdeviceid_oauthsessioninfo"].clone(),
-				refreshtoken_refreshtokeninfo: args.db["refreshtoken_refreshtokeninfo"].clone(),
-			},
-			tickets: Mutex::default(),
-			pending_code_grants: tokio::sync::Mutex::default(),
-		}))
-	}
-
-	fn name(&self) -> &str { crate::service::make_name(std::module_path!()) }
-}
-
-impl Service {
-	const ACCESS_TOKEN_MAX_AGE: Duration = Duration::from_hours(1);
-	const RANDOM_TOKEN_LENGTH: usize = 32;
-
-	fn generate_token() -> String { utils::random_string(Self::RANDOM_TOKEN_LENGTH) }
-
-	pub async fn register_client(
-		&self,
-		metadata: &ClientMetadata,
-	) -> Result<String, &'static str> {
-		metadata.validate()?;
-
-		let client_id = base64::prelude::BASE64_STANDARD
-			.encode(sha256::hash(serde_json::to_string(metadata).unwrap().as_bytes()));
-
-		if self
-			.db
-			.clientid_clientmetadata
-			.exists(&client_id)
-			.await
-			.is_err()
-		{
-			self.db
-				.clientid_clientmetadata
-				.raw_put(&client_id, Json(metadata.clone()));
-		}
-
-		Ok(client_id)
-	}
-
-	pub async fn get_client_metadata(&self, client_id: &str) -> Option<ClientMetadata> {
-		self.db
-			.clientid_clientmetadata
-			.get(client_id)
-			.await
-			.deserialized()
-			.ok()
-	}
-
-	pub async fn get_session_info_for_device(
-		&self,
-		user_id: &UserId,
-		device_id: &DeviceId,
-	) -> Option<SessionInfo> {
-		self.db
-			.userdeviceid_oauthsessioninfo
-			.qry(&(user_id, device_id))
-			.await
-			.deserialized::<SessionInfo>()
-			.ok()
-	}
-
-	pub async fn request_authorization_code(
-		&self,
-		authorizing_user: OwnedUserId,
-		query: AuthorizationCodeQuery,
-	) -> Result<String, String> {
-		let Some(client_metadata) = self.get_client_metadata(&query.client_id).await else {
-			return Err("Invalid client ID".to_owned());
-		};
-
-		if !(client_metadata
-			.response_types
-			.contains(&query.response_type)
-			&& matches!(query.response_type, ResponseType::Code))
-		{
-			return Err("Invalid response type".to_owned());
-		}
-
-		if !matches!(query.code_challenge_method, CodeChallengeMethod::S256) {
-			return Err("Invalid code challenge type".to_owned());
-		}
-
-		{
-			let mut stripped_uri = query.redirect_uri.clone();
-
-			if client_metadata.application_type == ApplicationType::Native
-				&& query
-					.redirect_uri
-					.host_str()
-					.is_some_and(|host| ClientMetadata::ACCEPTABLE_LOCALHOSTS.contains(&host))
-			{
-				// Remove the port from localhost redirect URIs for native applications when
-				// checking if it's valid
-				stripped_uri.set_port(None).unwrap();
-			}
-
-			if !client_metadata.redirect_uris.contains(&stripped_uri) {
-				return Err("Invalid redirect URI".to_owned());
-			}
-		}
-
-		let requested_scopes = query.scope.to_scopes()?;
-
-		let redirect_uri_query_separator = match query.response_mode {
-			| ResponseMode::Fragment => '#',
-			| ResponseMode::Query => '?',
-		};
-
-		let code = PendingCodeGrant::generate_code();
-
-		info!(
-			client_id = &query.client_id,
-			client_name = &client_metadata.client_name,
-			?requested_scopes,
-			?authorizing_user,
-			"Issuing oauth authorization code"
-		);
-
-		let redirect_uri = format!(
-			"{}{}{}",
-			query.redirect_uri,
-			redirect_uri_query_separator,
-			serde_urlencoded::to_string(AuthorizationCodeResponse {
-				state: query.state,
-				code: code.clone(),
-			})
-			.unwrap(),
-		);
-
-		let pending_grant = PendingCodeGrant {
-			authorizing_user,
-			requested_scopes,
-			client_name: client_metadata.client_name,
-			expected_client_id: query.client_id,
-			expected_redirect_uri: query.redirect_uri,
-			code_challenge: query.code_challenge,
-			requested_at: SystemTime::now(),
-		};
-
-		self.pending_code_grants
-			.lock()
-			.await
-			.insert(code, pending_grant);
-
-		Ok(redirect_uri)
-	}
-
-	pub async fn issue_token(&self, request: TokenRequest) -> Result<TokenResponse> {
-		match request {
-			| TokenRequest::AuthorizationCode {
-				code,
-				redirect_uri,
-				client_id,
-				code_verifier,
-			} => {
-				let mut pending_grants = self.pending_code_grants.lock().await;
-
-				let Some(pending_grant) = pending_grants
-					.remove(&code)
-					.filter(|grant| grant.is_valid_for(&client_id))
-				else {
-					return Err!("Invalid code");
-				};
-
-				if redirect_uri != pending_grant.expected_redirect_uri {
-					return Err!("Unexpected redirect uri");
-				}
-
-				let expected_code_challenge =
-					base64::prelude::BASE64_URL_SAFE_NO_PAD.encode(sha256::hash(&code_verifier));
-				if expected_code_challenge != pending_grant.code_challenge {
-					return Err!("Invalid code challenge");
-				}
-
-				self.create_session(
-					pending_grant.authorizing_user,
-					pending_grant.requested_scopes,
-					pending_grant.client_name,
-					client_id,
-				)
-				.await
-			},
-			| TokenRequest::RefreshToken { client_id, refresh_token } =>
-				self.refresh_session(client_id, refresh_token).await,
-		}
-	}
-
-	pub async fn revoke_token(&self, token: String) -> Result<()> {
-		let (user_id, device_id) = if let Ok(refresh_token_info) = self
-			.db
-			.refreshtoken_refreshtokeninfo
-			.get(&token)
-			.await
-			.deserialized::<RefreshTokenInfo>()
-		{
-			(refresh_token_info.user_id, refresh_token_info.device_id)
-		} else if let Some((user_id, device_id, _)) =
-			self.services.users.find_from_token(&token).await
-		{
-			(user_id, device_id)
-		} else {
-			return Err!("Invalid token");
-		};
-
-		// This will also call [`Self::remove_session`]
-		self.services
-			.users
-			.remove_device(&user_id, &device_id)
-			.await;
-
-		Ok(())
-	}
-
-	async fn create_session(
-		&self,
-		authorizing_user: OwnedUserId,
-		requested_scopes: BTreeSet<Scope>,
-		client_name: Option<String>,
-		client_id: String,
-	) -> Result<TokenResponse> {
-		let access_token = Self::generate_token();
-		let refresh_token = Self::generate_token();
-
-		let device_id = requested_scopes
-			.iter()
-			.find_map(|scope| {
-				if let Scope::Device(device_id) = scope {
-					Some(device_id)
-				} else {
-					None
-				}
-			})
-			.ok_or_else(|| err!("No device ID scope supplied"))?;
-
-		self.services
-			.users
-			.create_device(
-				&authorizing_user,
-				device_id,
-				&access_token,
-				Some(Self::ACCESS_TOKEN_MAX_AGE),
-				client_name,
-				None,
-			)
-			.await?;
-
-		self.db.userdeviceid_oauthsessioninfo.put(
-			(&authorizing_user, device_id),
-			Json(SessionInfo {
-				client_id: client_id.clone(),
-				current_refresh_token: refresh_token.clone(),
-				scopes: requested_scopes.clone(),
-			}),
-		);
-
-		self.db.refreshtoken_refreshtokeninfo.raw_put(
-			&refresh_token,
-			Json(RefreshTokenInfo {
-				client_id: client_id.clone(),
-				user_id: authorizing_user.clone(),
-				device_id: device_id.to_owned(),
-			}),
-		);
-
-		info!(
-			?client_id,
-			?authorizing_user,
-			?device_id,
-			?requested_scopes,
-			"Created new oauth session"
-		);
-
-		Ok(TokenResponse {
-			access_token,
-			token_type: TokenType::Bearer,
-			expires_in: Self::ACCESS_TOKEN_MAX_AGE.as_secs(),
-			scope: requested_scopes.iter().join(" "),
-			refresh_token,
-		})
-	}
-
-	async fn refresh_session(
-		&self,
-		client_id: String,
-		refresh_token: String,
-	) -> Result<TokenResponse> {
-		let Some(refresh_token_info) = self
-			.db
-			.refreshtoken_refreshtokeninfo
-			.get(&refresh_token)
-			.await
-			.deserialized::<RefreshTokenInfo>()
-			.ok()
-		else {
-			return Err!("Invalid refresh token");
-		};
-
-		assert_eq!(&client_id, &refresh_token_info.client_id, "refresh token client id mismatch");
-
-		let mut session_info = self
-			.get_session_info_for_device(
-				&refresh_token_info.user_id,
-				&refresh_token_info.device_id,
-			)
-			.await
-			.expect("session info should exist");
-
-		assert_eq!(&client_id, &session_info.client_id, "session info client id mismatch");
-
-		let new_access_token = Self::generate_token();
-		let new_refresh_token = Self::generate_token();
-		let scope = session_info.scopes.iter().join(" ");
-		session_info
-			.current_refresh_token
-			.clone_from(&new_refresh_token);
-
-		self.services
-			.users
-			.set_token(
-				&refresh_token_info.user_id,
-				&refresh_token_info.device_id,
-				&new_access_token,
-				Some(Self::ACCESS_TOKEN_MAX_AGE),
-			)
-			.await?;
-
-		self.db.userdeviceid_oauthsessioninfo.put(
-			(&refresh_token_info.user_id, &refresh_token_info.device_id),
-			Json(session_info),
-		);
-
-		self.db.refreshtoken_refreshtokeninfo.remove(&refresh_token);
-		drop(refresh_token);
-		self.db
-			.refreshtoken_refreshtokeninfo
-			.raw_put(&new_refresh_token, Json(refresh_token_info));
-
-		Ok(TokenResponse {
-			access_token: new_access_token,
-			token_type: TokenType::Bearer,
-			expires_in: Self::ACCESS_TOKEN_MAX_AGE.as_secs(),
-			scope,
-			refresh_token: new_refresh_token,
-		})
-	}
-
-	pub async fn remove_session(&self, user_id: &UserId, device_id: &DeviceId) {
-		let session_info = self.get_session_info_for_device(user_id, device_id).await;
-
-		if let Some(session_info) = session_info {
-			self.db
-				.refreshtoken_refreshtokeninfo
-				.remove(&session_info.current_refresh_token);
-			self.db
-				.userdeviceid_oauthsessioninfo
-				.del((user_id, device_id));
-			info!(?user_id, ?device_id, "Removed OAuth session");
-		}
-	}
-
-	/// Issue a ticket for `localpart` to perform some action.
-	pub fn issue_ticket(&self, localpart: String, ticket: OAuthTicket) {
-		self.tickets
-			.lock()
-			.unwrap()
-			.entry(localpart)
-			.or_default()
-			.insert(ticket, SystemTime::now());
-	}
-
-	/// Try to consume an unexpired ticket for `localpart`.
-	pub fn try_consume_ticket(&self, localpart: &str, ticket: OAuthTicket) -> bool {
-		let now = SystemTime::now();
-
-		self.tickets
-			.lock()
-			.unwrap()
-			.get_mut(localpart)
-			.and_then(|tickets| tickets.remove(&ticket))
-			.is_some_and(|issued| {
-				now.duration_since(issued)
-					.is_ok_and(|duration| duration < OAuthTicket::MAX_AGE)
-			})
-	}
-}

src/service/password_reset/data.rs

@@ -0,0 +1,68 @@
+use std::{
+	sync::Arc,
+	time::{Duration, SystemTime},
+};
+
+use conduwuit::utils::{ReadyExt, stream::TryExpect};
+use database::{Database, Deserialized, Json, Map};
+use ruma::{OwnedUserId, UserId};
+use serde::{Deserialize, Serialize};
+
+pub(super) struct Data {
+	passwordresettoken_info: Arc<Map>,
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+pub struct ResetTokenInfo {
+	pub user: OwnedUserId,
+	pub issued_at: SystemTime,
+}
+
+impl ResetTokenInfo {
+	// one hour
+	const MAX_TOKEN_AGE: Duration = Duration::from_hours(1);
+
+	pub fn is_valid(&self) -> bool {
+		let now = SystemTime::now();
+
+		now.duration_since(self.issued_at)
+			.is_ok_and(|duration| duration < Self::MAX_TOKEN_AGE)
+	}
+}
+
+impl Data {
+	pub(super) fn new(db: &Arc<Database>) -> Self {
+		Self {
+			passwordresettoken_info: db["passwordresettoken_info"].clone(),
+		}
+	}
+
+	/// Associate a reset token with its info in the database.
+	pub(super) fn save_token(&self, token: &str, info: &ResetTokenInfo) {
+		self.passwordresettoken_info.raw_put(token, Json(info));
+	}
+
+	/// Lookup the info for a reset token.
+	pub(super) async fn lookup_token_info(&self, token: &str) -> Option<ResetTokenInfo> {
+		self.passwordresettoken_info
+			.get(token)
+			.await
+			.deserialized()
+			.ok()
+	}
+
+	/// Find a user's existing reset token, if any.
+	pub(super) async fn find_token_for_user(
+		&self,
+		user: &UserId,
+	) -> Option<(String, ResetTokenInfo)> {
+		self.passwordresettoken_info
+			.stream::<'_, String, ResetTokenInfo>()
+			.expect_ok()
+			.ready_find(|(_, info)| info.user == user)
+			.await
+	}
+
+	/// Remove a reset token.
+	pub(super) fn remove_token(&self, token: &str) { self.passwordresettoken_info.remove(token); }
+}

src/service/password_reset/mod.rs

@@ -0,0 +1,111 @@
+mod data;
+
+use std::{sync::Arc, time::SystemTime};
+
+use conduwuit::{Err, Result, utils};
+use data::{Data, ResetTokenInfo};
+use ruma::OwnedUserId;
+
+use crate::{
+	Dep, globals,
+	users::{self, HashedPassword},
+};
+
+pub const PASSWORD_RESET_PATH: &str = "/_continuwuity/account/reset_password";
+pub const RESET_TOKEN_QUERY_PARAM: &str = "token";
+const RESET_TOKEN_LENGTH: usize = 32;
+
+pub struct Service {
+	db: Data,
+	services: Services,
+}
+
+struct Services {
+	users: Dep<users::Service>,
+	globals: Dep<globals::Service>,
+}
+
+#[derive(Debug)]
+pub struct ValidResetToken {
+	pub token: String,
+	pub info: ResetTokenInfo,
+}
+
+impl crate::Service for Service {
+	fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
+		Ok(Arc::new(Self {
+			db: Data::new(args.db),
+			services: Services {
+				users: args.depend::<users::Service>("users"),
+				globals: args.depend::<globals::Service>("globals"),
+			},
+		}))
+	}
+
+	fn name(&self) -> &str { crate::service::make_name(std::module_path!()) }
+}
+
+impl Service {
+	/// Generate a random string suitable to be used as a password reset token.
+	#[must_use]
+	pub fn generate_token_string() -> String { utils::random_string(RESET_TOKEN_LENGTH) }
+
+	/// Issue a password reset token for `user`, who must be a local user with
+	/// the `password` origin.
+	pub async fn issue_token(&self, user_id: OwnedUserId) -> Result<ValidResetToken> {
+		if !self.services.globals.user_is_local(&user_id) {
+			return Err!("Cannot issue a password reset token for remote user {user_id}");
+		}
+
+		if user_id == self.services.globals.server_user {
+			return Err!("Cannot issue a password reset token for the server user");
+		}
+
+		if self.services.users.is_deactivated(&user_id).await? {
+			return Err!("Cannot issue a password reset token for deactivated user {user_id}");
+		}
+
+		if let Some((existing_token, _)) = self.db.find_token_for_user(&user_id).await {
+			self.db.remove_token(&existing_token);
+		}
+
+		let token = Self::generate_token_string();
+		let info = ResetTokenInfo {
+			user: user_id,
+			issued_at: SystemTime::now(),
+		};
+
+		self.db.save_token(&token, &info);
+
+		Ok(ValidResetToken { token, info })
+	}
+
+	/// Check if `token` represents a valid, non-expired password reset token.
+	pub async fn check_token(&self, token: &str) -> Option<ValidResetToken> {
+		self.db.lookup_token_info(token).await.and_then(|info| {
+			if info.is_valid() {
+				Some(ValidResetToken { token: token.to_owned(), info })
+			} else {
+				self.db.remove_token(token);
+				None
+			}
+		})
+	}
+
+	/// Consume the supplied valid token, using it to change its user's password
+	/// to `new_password`.
+	pub async fn consume_token(
+		&self,
+		ValidResetToken { token, info }: ValidResetToken,
+		new_password: &str,
+	) -> Result<()> {
+		if info.is_valid() {
+			self.db.remove_token(&token);
+			self.services
+				.users
+				.set_password(&info.user, Some(HashedPassword::new(new_password)?));
+		}
+
+		Ok(())
+	}
+}

src/service/registration_tokens/mod.rs

@@ -10,7 +10,6 @@
 	stream::{iter, once},
 };
 use ruma::OwnedUserId;
-use serde::{Deserialize, Serialize};
 
 use crate::{Dep, config, firstrun};
 
@@ -28,7 +27,7 @@ struct Services {
 }
 
 /// A validated registration token which may be used to create an account.
-#[derive(Debug, Deserialize, Serialize)]
+#[derive(Debug)]
 pub struct ValidToken {
 	pub token: String,
 	pub source: ValidTokenSource,
@@ -45,7 +44,7 @@ fn eq(&self, other: &str) -> bool { self.token == other }
 }
 
 /// The source of a valid database token.
-#[derive(Debug, Deserialize, Serialize)]
+#[derive(Debug)]
 pub enum ValidTokenSource {
 	/// The static token set in the homeserver's config file.
 	Config,

src/service/rooms/membership/mod.rs

@@ -240,7 +240,6 @@ async fn join_local_room(
 		let mut content = RoomMemberEventContent::new(MembershipState::Join);
 		content.displayname = self.services.users.displayname(sender_user).await.ok();
 		content.avatar_url = self.services.users.avatar_url(sender_user).await.ok();
-		content.blurhash = self.services.users.blurhash(sender_user).await.ok();
 		content.reason.clone_from(&reason);
 		content.join_authorized_via_users_server = auth_user;
 
@@ -351,7 +350,6 @@ async fn join_remote_room(
 		let mut join_content = RoomMemberEventContent::new(MembershipState::Join);
 		join_content.displayname = self.services.users.displayname(sender_user).await.ok();
 		join_content.avatar_url = self.services.users.avatar_url(sender_user).await.ok();
-		join_content.blurhash = self.services.users.blurhash(sender_user).await.ok();
 		join_content.reason = reason;
 		join_content
 			.join_authorized_via_users_server

src/service/services.rs

@@ -11,8 +11,8 @@
 	account_data, admin, announcements, antispam, appservice, client, config, emergency,
 	federation, firstrun, globals, key_backups, mailer,
 	manager::Manager,
-	media, moderation, oauth, presence, pusher, registration_tokens, resolver, rooms, sending,
-	server_keys,
+	media, moderation, password_reset, presence, pusher, registration_tokens, resolver, rooms,
+	sending, server_keys,
 	service::{self, Args, Map, Service},
 	sync, threepid, transactions, uiaa, users,
 };
@@ -27,7 +27,7 @@ pub struct Services {
 	pub globals: Arc<globals::Service>,
 	pub key_backups: Arc<key_backups::Service>,
 	pub media: Arc<media::Service>,
-	pub oauth: Arc<oauth::Service>,
+	pub password_reset: Arc<password_reset::Service>,
 	pub mailer: Arc<mailer::Service>,
 	pub presence: Arc<presence::Service>,
 	pub pusher: Arc<pusher::Service>,
@@ -84,7 +84,7 @@ macro_rules! build {
 			globals: build!(globals::Service),
 			key_backups: build!(key_backups::Service),
 			media: build!(media::Service),
-			oauth: build!(oauth::Service),
+			password_reset: build!(password_reset::Service),
 			mailer: build!(mailer::Service),
 			presence: build!(presence::Service),
 			pusher: build!(pusher::Service),

src/service/threepid/mod.rs

@@ -9,9 +9,8 @@
 	ClientSecret, OwnedClientSecret, OwnedSessionId, SessionId,
 	api::error::{ErrorKind, LimitExceededErrorData},
 };
-use tokio::sync::MutexGuard;
 
-pub mod session;
+mod session;
 
 use crate::{
 	Args, Dep, config,
@@ -27,7 +26,6 @@ pub struct Service {
 	ratelimiter: DefaultKeyedRateLimiter<Address>,
 }
 
-#[derive(Clone, Copy, Debug, PartialEq, Eq)]
 pub enum EmailRequirement {
 	/// Users may change their email, but cannot remove it entirely.
 	Required,
@@ -221,12 +219,13 @@ pub async fn try_validate_session(
 		Ok(())
 	}
 
-	/// Get a validated validation session.
-	pub async fn get_valid_session(
+	/// Consume a validated validation session, removing it from the database
+	/// and returning the newly validated email address.
+	pub async fn consume_valid_session(
 		&self,
 		session_id: &SessionId,
 		client_secret: &ClientSecret,
-	) -> Result<ValidSession<'_>, Cow<'static, str>> {
+	) -> Result<Address, Cow<'static, str>> {
 		let mut sessions = self.sessions.lock().await;
 
 		let Some(session) = sessions.get_session(session_id) else {
@@ -236,13 +235,9 @@ pub async fn get_valid_session(
 		if session.client_secret == client_secret
 			&& matches!(session.validation_state, ValidationState::Validated)
 		{
-			let email = session.email.clone();
+			let session = sessions.remove_session(session_id);
 
-			Ok(ValidSession {
-				email,
-				session_id: session_id.to_owned(),
-				sessions,
-			})
+			Ok(session.email)
 		} else {
 			Err("This email address has not been validated. Did you use the link that was sent \
 			     to you?"
@@ -318,20 +313,3 @@ pub async fn get_localpart_for_email(&self, email: &Address) -> Option<String> {
 			.ok()
 	}
 }
-
-pub struct ValidSession<'lock> {
-	pub email: Address,
-	session_id: OwnedSessionId,
-	sessions: MutexGuard<'lock, ValidationSessions>,
-}
-
-impl ValidSession<'_> {
-	/// Consume this session, removing it from the database and releasing the
-	/// lock it holds.
-	#[must_use]
-	pub fn consume(mut self) -> Address {
-		self.sessions.remove_session(&self.session_id);
-
-		self.email
-	}
-}

src/service/threepid/session.rs

@@ -8,14 +8,14 @@
 use ruma::{ClientSecret, OwnedClientSecret, OwnedSessionId, SessionId};
 
 #[derive(Default)]
-pub struct ValidationSessions {
+pub(super) struct ValidationSessions {
 	sessions: HashMap<OwnedSessionId, ValidationSession>,
 	client_secrets: HashMap<OwnedClientSecret, OwnedSessionId>,
 }
 
 /// A pending or completed email validation session.
 #[derive(Debug)]
-pub struct ValidationSession {
+pub(crate) struct ValidationSession {
 	/// The session's ID
 	pub session_id: OwnedSessionId,
 	/// The client's supplied client secret
@@ -28,7 +28,7 @@ pub struct ValidationSession {
 
 /// The state of an email validation session.
 #[derive(Debug)]
-pub enum ValidationState {
+pub(crate) enum ValidationState {
 	/// The session is waiting for this validation token to be provided
 	Pending(ValidationToken),
 	/// The session has been validated
@@ -36,7 +36,7 @@ pub enum ValidationState {
 }
 
 #[derive(Clone, Debug)]
-pub struct ValidationToken {
+pub(crate) struct ValidationToken {
 	pub token: String,
 	pub issued_at: SystemTime,
 }
@@ -69,7 +69,7 @@ impl ValidationSessions {
 	const RANDOM_SID_LENGTH: usize = 16;
 
 	#[must_use]
-	pub fn generate_session_id() -> OwnedSessionId {
+	pub(super) fn generate_session_id() -> OwnedSessionId {
 		SessionId::parse(utils::random_string(Self::RANDOM_SID_LENGTH)).unwrap()
 	}
 

src/service/uiaa/mod.rs

@@ -7,7 +7,7 @@
 use conduwuit::{Err, Error, Result, error, utils};
 use lettre::Address;
 use ruma::{
-	DeviceId, UserId,
+	UserId,
 	api::{
 		client::uiaa::{
 			AuthData, AuthFlow, AuthType, EmailIdentity, EmailUserIdentifier,
@@ -16,19 +16,11 @@
 		},
 		error::{ErrorKind, StandardErrorBody},
 	},
-	assign,
-};
-use serde_json::{
-	json,
-	value::{RawValue, to_raw_value},
 };
+use serde_json::value::RawValue;
 use tokio::sync::Mutex;
 
-use crate::{
-	Dep, config, globals,
-	oauth::{self, OAuthTicket},
-	registration_tokens, threepid, users,
-};
+use crate::{Dep, config, globals, registration_tokens, threepid, users};
 
 pub struct Service {
 	services: Services,
@@ -41,7 +33,6 @@ struct Services {
 	config: Dep<config::Service>,
 	registration_tokens: Dep<registration_tokens::Service>,
 	threepid: Dep<threepid::Service>,
-	oauth: Dep<oauth::Service>,
 }
 
 impl crate::Service for Service {
@@ -54,7 +45,6 @@ fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
 				registration_tokens: args
 					.depend::<registration_tokens::Service>("registration_tokens"),
 				threepid: args.depend::<threepid::Service>("threepid"),
-				oauth: args.depend::<oauth::Service>("oauth"),
 			},
 			uiaa_sessions: Mutex::new(HashMap::new()),
 		}))
@@ -64,56 +54,8 @@ fn name(&self) -> &str { crate::service::make_name(std::module_path!()) }
 }
 
 struct UiaaSession {
-	session_metadata: UiaaSessionMetadata,
 	info: UiaaInfo,
-}
-
-#[derive(Clone)]
-enum UiaaSessionMetadata {
-	Legacy {
-		identity: Identity,
-	},
-	OAuth {
-		localpart: String,
-		ticket: OAuthTicket,
-	},
-}
-
-impl UiaaSessionMetadata {
-	fn into_identity(self) -> Identity {
-		match self {
-			| Self::Legacy { identity } => identity,
-			| Self::OAuth { localpart, .. } =>
-				assign!(Identity::default(), { localpart: Some(localpart) }),
-		}
-	}
-}
-
-/// Information about the user which is initiating this UIAA session.
-pub struct UiaaInitiator<'a> {
-	user_id: &'a UserId,
-	device_id: &'a DeviceId,
-	oauth_ticket: Option<OAuthTicket>,
-}
-
-impl<'a> UiaaInitiator<'a> {
-	#[must_use]
-	pub fn new(user_id: &'a UserId, device_id: &'a DeviceId) -> Self {
-		Self { user_id, device_id, oauth_ticket: None }
-	}
-
-	#[must_use]
-	pub fn with_oauth_ticket(
-		user_id: &'a UserId,
-		device_id: &'a DeviceId,
-		oauth_ticket: OAuthTicket,
-	) -> Self {
-		Self {
-			user_id,
-			device_id,
-			oauth_ticket: Some(oauth_ticket),
-		}
-	}
+	identity: Identity,
 }
 
 /// Information about the authenticated user's identity.
@@ -164,7 +106,7 @@ impl Identity {
 	/// Create an Identity with the localpart of the provided user ID
 	/// and all other fields set to None.
 	#[must_use]
-	fn from_user_id(user_id: &UserId) -> Self {
+	pub fn from_user_id(user_id: &UserId) -> Self {
 		Self {
 			localpart: Some(user_id.localpart().to_owned()),
 			..Default::default()
@@ -182,11 +124,11 @@ pub async fn authenticate(
 		auth: &Option<AuthData>,
 		flows: Vec<AuthFlow>,
 		params: Box<RawValue>,
-		initiator: Option<UiaaInitiator<'_>>,
+		identity: Option<Identity>,
 	) -> Result<Identity> {
 		match auth.as_ref() {
 			| None => {
-				let info = self.create_session(flows, params, initiator).await?;
+				let info = self.create_session(flows, params, identity).await;
 
 				Err(Error::Uiaa(info))
 			},
@@ -198,8 +140,8 @@ pub async fn authenticate(
 						// session if they want to start the UIAA exchange with existing
 						// authentication data. If that happens, we create a new session
 						// here.
-						self.create_session(flows, params, initiator)
-							.await?
+						self.create_session(flows, params, identity)
+							.await
 							.session
 							.unwrap()
 							.into()
@@ -219,15 +161,13 @@ pub async fn authenticate(
 	pub async fn authenticate_password(
 		&self,
 		auth: &Option<AuthData>,
-		user_id: &UserId,
-		device_id: &DeviceId,
-		oauth_ticket: Option<OAuthTicket>,
+		identity: Option<Identity>,
 	) -> Result<Identity> {
 		self.authenticate(
 			auth,
 			vec![AuthFlow::new(vec![AuthType::Password])],
 			Box::default(),
-			Some(UiaaInitiator { user_id, device_id, oauth_ticket }),
+			identity,
 		)
 		.await
 	}
@@ -243,84 +183,20 @@ async fn create_session(
 		&self,
 		flows: Vec<AuthFlow>,
 		params: Box<RawValue>,
-		initiator: Option<UiaaInitiator<'_>>,
-	) -> Result<UiaaInfo> {
+		identity: Option<Identity>,
+	) -> UiaaInfo {
 		let mut uiaa_sessions = self.uiaa_sessions.lock().await;
 
 		let session_id = utils::random_string(Self::SESSION_ID_LENGTH);
+		let mut info = assign::assign!(UiaaInfo::new(flows), {params: Some(params)});
+		info.session = Some(session_id.clone());
 
-		let mut info = assign!(UiaaInfo::new(flows), { params: Some(params), session: Some(session_id.clone()) });
+		uiaa_sessions.insert(session_id, UiaaSession {
+			info: info.clone(),
+			identity: identity.unwrap_or_default(),
+		});
 
-		let session_metadata = if let Some(initiator) = initiator {
-			let is_oauth = self
-				.services
-				.oauth
-				.get_session_info_for_device(initiator.user_id, initiator.device_id)
-				.await
-				.is_some();
-
-			if is_oauth {
-				if let Some(oauth_ticket) = initiator.oauth_ticket {
-					let ticket_url = self
-						.services
-						.config
-						.get_client_domain()
-						.join(&format!(
-							"{}{}",
-							conduwuit_core::ROUTE_PREFIX,
-							oauth_ticket.ticket_issue_path()
-						))
-						.unwrap();
-
-					info.flows = vec![AuthFlow::new(vec![AuthType::OAuth])];
-					info.params = Some(
-						to_raw_value(&json!({
-							AuthType::OAuth.as_str(): {
-								"url": ticket_url,
-							},
-							// TODO(compat): This is necessary for older versions of matrix-rust-sdk
-							"org.matrix.cross_signing_reset": {
-								"url": ticket_url,
-							}
-						}))
-						.unwrap(),
-					);
-
-					UiaaSessionMetadata::OAuth {
-						localpart: initiator.user_id.localpart().to_owned(),
-						ticket: oauth_ticket,
-					}
-				} else {
-					return Err!(Request(Forbidden(
-						"Clients authorized with OAuth cannot use this route."
-					)));
-				}
-			} else {
-				UiaaSessionMetadata::Legacy {
-					identity: Identity::from_user_id(initiator.user_id),
-				}
-			}
-		} else {
-			UiaaSessionMetadata::Legacy { identity: Identity::default() }
-		};
-
-		// Legacy sessions aren't available if OAuth is required
-		if matches!(&session_metadata, UiaaSessionMetadata::Legacy { .. })
-			&& !self
-				.services
-				.config
-				.oauth
-				.compatibility_mode
-				.uiaa_available()
-		{
-			return Err!(Request(Unrecognized(
-				"User-interactive authentication is unavailable on this server"
-			)));
-		}
-
-		uiaa_sessions.insert(session_id, UiaaSession { session_metadata, info: info.clone() });
-
-		Ok(info)
+		info
 	}
 
 	/// Proceed with UIAA authentication given a client's authorization data.
@@ -349,7 +225,7 @@ async fn continue_session(
 		}
 
 		let completed = {
-			let UiaaSession { session_metadata, info } = session.get_mut();
+			let UiaaSession { info, identity } = session.get_mut();
 
 			let auth_type = auth.auth_type().expect("auth type should be set");
 
@@ -382,12 +258,12 @@ async fn continue_session(
 
 			// If the provided stage hasn't already been completed, check it for completion
 			if !completed_stages.contains(auth_type.as_str()) {
-				match self.check_stage(auth, session_metadata.clone()).await {
-					| Ok((completed_stage, updated_metadata)) => {
+				match self.check_stage(auth, identity.clone()).await {
+					| Ok((completed_stage, updated_identity)) => {
 						info.auth_error = None;
 						completed_stages.insert(completed_stage.to_string());
 						info.completed.push(completed_stage);
-						*session_metadata = updated_metadata;
+						*identity = updated_identity;
 					},
 					| Err(error) => {
 						info.auth_error = Some(error);
@@ -403,9 +279,9 @@ async fn continue_session(
 
 		if completed {
 			// This session is complete, remove it and return success
-			let (_, UiaaSession { session_metadata, .. }) = session.remove_entry();
+			let (_, UiaaSession { identity, .. }) = session.remove_entry();
 
-			Ok(Ok(session_metadata.into_identity()))
+			Ok(Ok(identity))
 		} else {
 			// The client needs to try again, return the updated session
 			Ok(Err(session.get().info.clone()))
@@ -419,174 +295,152 @@ async fn continue_session(
 	async fn check_stage(
 		&self,
 		auth: &AuthData,
-		mut session_metadata: UiaaSessionMetadata,
-	) -> Result<(AuthType, UiaaSessionMetadata), StandardErrorBody> {
-		// Note: This function takes ownership of `session_metadata` because mutations
-		// to the identity (if it's a legacy session) must not be applied unless
-		// checking the stage succeeds. The updated identity is returned as part of
-		// the Ok value, and `continue_session` handles saving it to `uiaa_sessions`.
+		mut identity: Identity,
+	) -> Result<(AuthType, Identity), StandardErrorBody> {
+		// Note: This function takes ownership of `identity` because mutations to the
+		// identity must not be applied unless checking the stage succeeds. The
+		// updated identity is returned as part of the Ok value, and
+		// `continue_session` handles saving it to `uiaa_sessions`.
 		//
 		// This also means it's fine to mutate `identity` at any point in this function,
 		// because those mutations won't be saved unless the function returns Ok.
 
-		let completed_auth_type = match &mut session_metadata {
-			| UiaaSessionMetadata::OAuth { localpart, ticket } => {
-				// m.oauth is the only valid stage for oauth sessions
-				assert!(
-					matches!(auth, AuthData::OAuth(_)),
-					"got non-oauth auth data for oauth session"
-				);
+		match auth {
+			| AuthData::Dummy(_) => Ok(AuthType::Dummy),
+			| AuthData::EmailIdentity(EmailIdentity {
+				thirdparty_id_creds: ThirdpartyIdCredentials { client_secret, sid, .. },
+				..
+			}) => {
+				match self
+					.services
+					.threepid
+					.consume_valid_session(sid, client_secret)
+					.await
+				{
+					| Ok(email) => {
+						if let Some(localpart) =
+							self.services.threepid.get_localpart_for_email(&email).await
+						{
+							identity.try_set_localpart(localpart)?;
+						}
 
-				if self.services.oauth.try_consume_ticket(localpart, *ticket) {
-					Ok(AuthType::OAuth)
+						identity.try_set_email(email)?;
+
+						Ok(AuthType::EmailIdentity)
+					},
+					| Err(message) => Err(StandardErrorBody::new(
+						ErrorKind::ThreepidAuthFailed,
+						message.into_owned(),
+					)),
+				}
+			},
+			#[allow(clippy::useless_let_if_seq)]
+			| AuthData::Password(Password { identifier, password, .. }) => {
+				let user_id_or_localpart = match identifier {
+					| UserIdentifier::Matrix(MatrixUserIdentifier { user, .. }) =>
+						user.to_owned(),
+					| UserIdentifier::Email(EmailUserIdentifier { address, .. }) => {
+						let Ok(email) = Address::try_from(address.to_owned()) else {
+							return Err(StandardErrorBody::new(
+								ErrorKind::InvalidParam,
+								"Email is malformed".to_owned(),
+							));
+						};
+
+						if let Some(localpart) =
+							self.services.threepid.get_localpart_for_email(&email).await
+						{
+							identity.try_set_email(email)?;
+
+							localpart
+						} else {
+							return Err(StandardErrorBody::new(
+								ErrorKind::Forbidden,
+								"Invalid identifier or password".to_owned(),
+							));
+						}
+					},
+					| _ =>
+						return Err(StandardErrorBody::new(
+							ErrorKind::Unrecognized,
+							"Identifier type not recognized".to_owned(),
+						)),
+				};
+
+				let Ok(user_id) = UserId::parse_with_server_name(
+					user_id_or_localpart,
+					self.services.globals.server_name(),
+				) else {
+					return Err(StandardErrorBody::new(
+						ErrorKind::InvalidParam,
+						"User ID is malformed".to_owned(),
+					));
+				};
+
+				if self
+					.services
+					.users
+					.check_password(&user_id, password)
+					.await
+					.is_ok()
+				{
+					identity.try_set_localpart(user_id.localpart().to_owned())?;
+
+					Ok(AuthType::Password)
 				} else {
 					Err(StandardErrorBody::new(
 						ErrorKind::Forbidden,
-						"No OAuth ticket available".to_owned(),
+						"Invalid identifier or password".to_owned(),
 					))
 				}
 			},
-			| UiaaSessionMetadata::Legacy { identity } => match auth {
-				| AuthData::Dummy(_) => Ok(AuthType::Dummy),
-				| AuthData::EmailIdentity(EmailIdentity {
-					thirdparty_id_creds: ThirdpartyIdCredentials { client_secret, sid, .. },
-					..
-				}) => {
-					match self
-						.services
-						.threepid
-						.get_valid_session(sid, client_secret)
-						.await
-					{
-						| Ok(session) => {
-							let email = session.consume();
+			| AuthData::ReCaptcha(ReCaptcha { response, .. }) => {
+				let Some(ref private_site_key) = self.services.config.recaptcha_private_site_key
+				else {
+					return Err(StandardErrorBody::new(
+						ErrorKind::Forbidden,
+						"ReCaptcha is not configured".to_owned(),
+					));
+				};
 
-							if let Some(localpart) =
-								self.services.threepid.get_localpart_for_email(&email).await
-							{
-								identity.try_set_localpart(localpart)?;
-							}
-
-							identity.try_set_email(email)?;
-
-							Ok(AuthType::EmailIdentity)
-						},
-						| Err(message) => Err(StandardErrorBody::new(
-							ErrorKind::ThreepidAuthFailed,
-							message.into_owned(),
-						)),
-					}
-				},
-				#[allow(clippy::useless_let_if_seq)]
-				| AuthData::Password(Password { identifier, password, .. }) => {
-					let user_id_or_localpart = match identifier {
-						| UserIdentifier::Matrix(MatrixUserIdentifier { user, .. }) =>
-							user.to_owned(),
-						| UserIdentifier::Email(EmailUserIdentifier { address, .. }) => {
-							let Ok(email) = Address::try_from(address.to_owned()) else {
-								return Err(StandardErrorBody::new(
-									ErrorKind::InvalidParam,
-									"Email is malformed".to_owned(),
-								));
-							};
-
-							if let Some(localpart) =
-								self.services.threepid.get_localpart_for_email(&email).await
-							{
-								identity.try_set_email(email)?;
-
-								localpart
-							} else {
-								return Err(StandardErrorBody::new(
-									ErrorKind::Forbidden,
-									"Invalid identifier or password".to_owned(),
-								));
-							}
-						},
-						| _ =>
-							return Err(StandardErrorBody::new(
-								ErrorKind::Unrecognized,
-								"Identifier type not recognized".to_owned(),
-							)),
-					};
-
-					let Ok(user_id) = UserId::parse_with_server_name(
-						user_id_or_localpart,
-						self.services.globals.server_name(),
-					) else {
-						return Err(StandardErrorBody::new(
-							ErrorKind::InvalidParam,
-							"User ID is malformed".to_owned(),
-						));
-					};
-
-					if self
-						.services
-						.users
-						.check_password(&user_id, password)
-						.await
-						.is_ok()
-					{
-						identity.try_set_localpart(user_id.localpart().to_owned())?;
-
-						Ok(AuthType::Password)
-					} else {
+				match recaptcha_verify::verify_v3(private_site_key, response, None).await {
+					| Ok(()) => Ok(AuthType::ReCaptcha),
+					| Err(e) => {
+						error!("ReCaptcha verification failed: {e:?}");
 						Err(StandardErrorBody::new(
 							ErrorKind::Forbidden,
-							"Invalid identifier or password".to_owned(),
+							"ReCaptcha verification failed".to_owned(),
 						))
-					}
-				},
-				| AuthData::ReCaptcha(ReCaptcha { response, .. }) => {
-					let Some(ref private_site_key) =
-						self.services.config.recaptcha_private_site_key
-					else {
-						return Err(StandardErrorBody::new(
-							ErrorKind::Forbidden,
-							"ReCaptcha is not configured".to_owned(),
-						));
-					};
-
-					match recaptcha_verify::verify_v3(private_site_key, response, None).await {
-						| Ok(()) => Ok(AuthType::ReCaptcha),
-						| Err(e) => {
-							error!("ReCaptcha verification failed: {e:?}");
-							Err(StandardErrorBody::new(
-								ErrorKind::Forbidden,
-								"ReCaptcha verification failed".to_owned(),
-							))
-						},
-					}
-				},
-				| AuthData::RegistrationToken(RegistrationToken { token, .. }) => {
-					let token = token.trim().to_owned();
-
-					if let Some(valid_token) = self
-						.services
-						.registration_tokens
-						.validate_token(token)
-						.await
-					{
-						self.services
-							.registration_tokens
-							.mark_token_as_used(valid_token);
-
-						Ok(AuthType::RegistrationToken)
-					} else {
-						Err(StandardErrorBody::new(
-							ErrorKind::Forbidden,
-							"Invalid registration token".to_owned(),
-						))
-					}
-				},
-				| AuthData::Terms(_) => Ok(AuthType::Terms),
-				| _ => Err(StandardErrorBody::new(
-					ErrorKind::Unrecognized,
-					"Unsupported stage type".into(),
-				)),
+					},
+				}
 			},
-		}?;
+			| AuthData::RegistrationToken(RegistrationToken { token, .. }) => {
+				let token = token.trim().to_owned();
 
-		Ok((completed_auth_type, session_metadata))
+				if let Some(valid_token) = self
+					.services
+					.registration_tokens
+					.validate_token(token)
+					.await
+				{
+					self.services
+						.registration_tokens
+						.mark_token_as_used(valid_token);
+
+					Ok(AuthType::RegistrationToken)
+				} else {
+					Err(StandardErrorBody::new(
+						ErrorKind::Forbidden,
+						"Invalid registration token".to_owned(),
+					))
+				}
+			},
+			| AuthData::Terms(_) => Ok(AuthType::Terms),
+			| _ => Err(StandardErrorBody::new(
+				ErrorKind::Unrecognized,
+				"Unsupported stage type".into(),
+			)),
+		}
+		.map(|auth_type| (auth_type, identity))
 	}
 }

src/service/users/dehydrated_device.rs

@@ -54,7 +54,6 @@ pub async fn set_dehydrated_device(&self, user_id: &UserId, request: Request) ->
 		user_id,
 		&request.device_id,
 		"",
-		None,
 		request.initial_device_display_name.clone(),
 		None,
 	)
@@ -139,6 +138,7 @@ pub async fn get_dehydrated_device_id(&self, user_id: &UserId) -> Result<OwnedDe
 	level = "debug",
 	skip_all,
 	fields(%user_id),
+	ret,
 )]
 pub async fn get_dehydrated_device(&self, user_id: &UserId) -> Result<DehydratedDevice> {
 	self.db

src/service/users/mod.rs

@@ -1,21 +1,13 @@
 pub(super) mod dehydrated_device;
 
-use std::{
-	collections::BTreeMap,
-	mem,
-	net::IpAddr,
-	sync::Arc,
-	time::{Duration, SystemTime},
-};
+use std::{collections::BTreeMap, mem, net::IpAddr, sync::Arc};
 
 use conduwuit::{
-	Err, Error, Result, debug_error, debug_warn, err, info, trace,
+	Err, Error, Result, Server, debug_error, debug_warn, err, trace,
 	utils::{self, ReadyExt, stream::TryIgnore, string::Unquoted},
-	warn,
 };
 use database::{Deserialized, Ignore, Interfix, Json, Map};
-use futures::{FutureExt, Stream, StreamExt, TryFutureExt};
-use lettre::Address;
+use futures::{Stream, StreamExt, TryFutureExt};
 use ruma::{
 	DeviceId, MilliSecondsSinceUnixEpoch, OneTimeKeyAlgorithm, OneTimeKeyId, OneTimeKeyName,
 	OwnedDeviceId, OwnedKeyId, OwnedMxcUri, OwnedOneTimeKeyId, OwnedUserId, RoomId, UInt, UserId,
@@ -26,24 +18,15 @@
 	encryption::{CrossSigningKey, DeviceKeys, OneTimeKey},
 	events::{
 		AnyToDeviceEvent, GlobalAccountDataEventType, ignored_user_list::IgnoredUserListEvent,
-		push_rules::PushRulesEvent, room::message::RoomMessageEventContent,
 	},
-	push::Ruleset,
 	serde::Raw,
 	uint,
 };
 use ruminuwuity::invite_permission_config::{FilterLevel, InvitePermissionConfigEvent};
 use serde::{Deserialize, Serialize};
 use serde_json::json;
-use tracing::error;
 
-use crate::{
-	Dep, account_data, admin,
-	appservice::{self, RegistrationInfo},
-	config, firstrun, globals, oauth,
-	rooms::{self, alias, membership},
-	threepid,
-};
+use crate::{Dep, account_data, admin, appservice, globals, rooms};
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct UserSuspension {
@@ -58,7 +41,6 @@ pub struct UserSuspension {
 /// A password hash. This is only for use when setting a user's password,
 /// if the hash needs to be kept around for a while without keeping the password
 /// in memory.
-#[derive(Serialize, Deserialize)]
 pub struct HashedPassword(String);
 
 impl HashedPassword {
@@ -69,30 +51,19 @@ pub fn new(password: &str) -> Result<Self> {
 	}
 }
 
-/// The status of an access token.
-pub enum AccessTokenStatus {
-	Valid,
-	Expired,
-}
-
 pub struct Service {
 	services: Services,
 	db: Data,
 }
 
 struct Services {
+	server: Arc<Server>,
 	account_data: Dep<account_data::Service>,
 	admin: Dep<admin::Service>,
-	alias: Dep<alias::Service>,
 	appservice: Dep<appservice::Service>,
-	config: Dep<config::Service>,
-	firstrun: Dep<firstrun::Service>,
 	globals: Dep<globals::Service>,
-	membership: Dep<membership::Service>,
-	oauth: Dep<oauth::Service>,
 	state_accessor: Dep<rooms::state_accessor::Service>,
 	state_cache: Dep<rooms::state_cache::Service>,
-	threepid: Dep<threepid::Service>,
 }
 
 struct Data {
@@ -104,12 +75,10 @@ struct Data {
 	logintoken_expiresatuserid: Arc<Map>,
 	todeviceid_events: Arc<Map>,
 	token_userdeviceid: Arc<Map>,
-	userdeviceid_tokenexpires: Arc<Map>,
 	userdeviceid_metadata: Arc<Map>,
 	userdeviceid_token: Arc<Map>,
 	userfilterid_filter: Arc<Map>,
 	userid_avatarurl: Arc<Map>,
-	userid_blurhash: Arc<Map>,
 	userid_dehydrateddevice: Arc<Map>,
 	userid_devicelistversion: Arc<Map>,
 	userid_displayname: Arc<Map>,
@@ -128,19 +97,14 @@ impl crate::Service for Service {
 	fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
 		Ok(Arc::new(Self {
 			services: Services {
+				server: args.server.clone(),
 				account_data: args.depend::<account_data::Service>("account_data"),
 				admin: args.depend::<admin::Service>("admin"),
-				alias: args.depend::<alias::Service>("alias"),
 				appservice: args.depend::<appservice::Service>("appservice"),
-				config: args.depend::<config::Service>("config"),
-				firstrun: args.depend::<firstrun::Service>("firstrun"),
 				globals: args.depend::<globals::Service>("globals"),
-				membership: args.depend::<membership::Service>("membership"),
-				oauth: args.depend::<oauth::Service>("oauth"),
 				state_accessor: args
 					.depend::<rooms::state_accessor::Service>("rooms::state_accessor"),
 				state_cache: args.depend::<rooms::state_cache::Service>("rooms::state_cache"),
-				threepid: args.depend::<threepid::Service>("threepid"),
 			},
 			db: Data {
 				keychangeid_userid: args.db["keychangeid_userid"].clone(),
@@ -155,7 +119,6 @@ fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
 				userdeviceid_token: args.db["userdeviceid_token"].clone(),
 				userfilterid_filter: args.db["userfilterid_filter"].clone(),
 				userid_avatarurl: args.db["userid_avatarurl"].clone(),
-				userid_blurhash: args.db["userid_blurhash"].clone(),
 				userid_dehydrateddevice: args.db["userid_dehydrateddevice"].clone(),
 				userid_devicelistversion: args.db["userid_devicelistversion"].clone(),
 				userid_displayname: args.db["userid_displayname"].clone(),
@@ -168,7 +131,6 @@ fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
 				userid_selfsigningkeyid: args.db["userid_selfsigningkeyid"].clone(),
 				userid_usersigningkeyid: args.db["userid_usersigningkeyid"].clone(),
 				useridprofilekey_value: args.db["useridprofilekey_value"].clone(),
-				userdeviceid_tokenexpires: args.db["userdeviceid_tokenexpires"].clone(),
 			},
 		}))
 	}
@@ -230,239 +192,12 @@ pub async fn create(&self, user_id: &UserId, password: Option<HashedPassword>) -
 		Ok(())
 	}
 
-	/// Create a new account for a local human or bot user.
-	pub async fn create_local_account(
-		&self,
-		user_id: &UserId,
-		password: HashedPassword,
-		email: Option<Address>,
-	) {
-		self.create(user_id, Some(password))
-			.await
-			.expect("should be able to save a new local user. what happened?");
-
-		// Set an initial display name
-		{
-			let mut displayname = user_id.localpart().to_owned();
-
-			let suffix = &self.services.config.new_user_displayname_suffix;
-			if !suffix.is_empty() {
-				displayname.push(' ');
-				displayname.push_str(suffix);
-			}
-
-			self.set_displayname(user_id, Some(displayname));
-		};
-
-		// Set default push rules
-		self.services
-			.account_data
-			.update(
-				None,
-				user_id,
-				GlobalAccountDataEventType::PushRules.to_string().into(),
-				&serde_json::to_value(PushRulesEvent::new(
-					Ruleset::server_default(user_id).into(),
-				))
-				.expect("should be able to serialize push rules"),
-			)
-			.await
-			.expect("should be able to update account data");
-
-		// If the user registered with an email, associate it with their account.
-		if let Some(email) = email {
-			// This may fail if the email is already in use, but we  should have already
-			// checked that when we sent the validation email, so ignoring the error is
-			// acceptable here in the rare case that an email is sniped by another user
-			// between the validation email being sent and the account being created.
-			let _ = self
-				.services
-				.threepid
-				.associate_localpart_email(user_id.localpart(), &email)
-				.await;
-		}
-
-		// Attempt to empower the first user and disable first-run mode.
-		let was_first_user = self.services.firstrun.empower_first_user(user_id).await;
-
-		// If the registering user was not the first and we're suspending users on
-		// register, suspend them.
-		if !was_first_user && self.services.config.suspend_on_register {
-			// Note that we can still do auto joins for suspended users
-			self.suspend_account(user_id, &self.services.globals.server_user)
-				.await;
-
-			// And send an @room notice to the admin room, to prompt admins to review the
-			// new user and ideally unsuspend them if deemed appropriate.
-			if self.services.config.admin_room_notices {
-				self.services
-					.admin
-					.send_loud_message(RoomMessageEventContent::text_plain(format!(
-						"User {user_id} has been suspended as they are not the first user on \
-						 this server. Please review and unsuspend them if appropriate."
-					)))
-					.await
-					.ok();
-			}
-		}
-
-		// Autojoin the user to the configured autojoin rooms
-		for room in &self.services.config.auto_join_rooms {
-			let Ok(room_id) = self.services.alias.resolve(room).await else {
-				error!(
-					"Failed to resolve room alias to room ID when attempting to auto join \
-					 {room}, skipping"
-				);
-				continue;
-			};
-
-			if !self
-				.services
-				.state_cache
-				.server_in_room(self.services.globals.server_name(), &room_id)
-				.await
-			{
-				warn!(
-					"Skipping room {room} to automatically join as we have never joined before."
-				);
-				continue;
-			}
-
-			if let Some(room_server_name) = room.server_name() {
-				match self
-					.services
-					.membership
-					.join_room(
-						user_id,
-						&room_id,
-						Some("Automatically joining this room upon registration".to_owned()),
-						&[
-							self.services.globals.server_name().to_owned(),
-							room_server_name.to_owned(),
-						],
-					)
-					.boxed()
-					.await
-				{
-					| Err(e) => {
-						// don't return this error so we don't fail registrations
-						error!(
-							"Failed to automatically join room {room} for user {user_id}: {e}"
-						);
-					},
-					| _ => {
-						info!("Automatically joined room {room} for user {user_id}");
-					},
-				}
-			}
-		}
-
-		info!("Created new user account for {user_id}");
-	}
-
-	pub async fn determine_registration_user_id(
-		&self,
-		supplied_username: Option<String>,
-		email: Option<&Address>,
-		appservice_info: Option<&RegistrationInfo>,
-	) -> Result<OwnedUserId> {
-		const RANDOM_USER_ID_LENGTH: usize = 10;
-
-		let emergency_mode_enabled = self.services.config.emergency_password.is_some();
-
-		let supplied_username = supplied_username.or_else(|| {
-			// If the user didn't supply a username but did supply an email, use
-			// the email's user part to avoid falling back to a random username
-			email.map(|address| address.user().to_owned())
-		});
-
-		if let Some(supplied_username) = supplied_username {
-			// The user gets to pick their username. Do some validation to make sure it's
-			// acceptable.
-
-			// Don't allow registration with forbidden usernames.
-			if self
-				.services
-				.globals
-				.forbidden_usernames()
-				.is_match(&supplied_username)
-				&& !emergency_mode_enabled
-			{
-				return Err!(Request(Forbidden("Username is forbidden")));
-			}
-
-			// Create and validate the user ID
-			let user_id = match UserId::parse_with_server_name(
-				&supplied_username,
-				self.services.globals.server_name(),
-			) {
-				| Ok(user_id) => {
-					if let Err(e) = user_id.validate_strict() {
-						// Unless we are in emergency mode, we should follow synapse's behaviour
-						// on not allowing things like spaces and UTF-8 characters in
-						// usernames
-						if !emergency_mode_enabled {
-							return Err!(Request(InvalidUsername(debug_warn!(
-								"Username {supplied_username} contains disallowed characters or \
-								 spaces: {e}"
-							))));
-						}
-					}
-
-					// Don't allow registration with user IDs that aren't local
-					if !self.services.globals.user_is_local(&user_id) {
-						return Err!(Request(InvalidUsername(
-							"Username {supplied_username} is not local to this server"
-						)));
-					}
-
-					user_id
-				},
-				| Err(e) => {
-					return Err!(Request(InvalidUsername(debug_warn!(
-						"Username {supplied_username} is not valid: {e}"
-					))));
-				},
-			};
-
-			if self.exists(&user_id).await {
-				return Err!(Request(UserInUse("User ID is not available.")));
-			}
-
-			// Check that the user ID is/is not in an appservice's namespace
-			if let Some(appservice_info) = appservice_info {
-				if !appservice_info.is_user_match(&user_id) && !emergency_mode_enabled {
-					return Err!(Request(Exclusive(
-						"Username is not in this appservice's namespace."
-					)));
-				}
-			} else if self
-				.services
-				.appservice
-				.is_exclusive_user_id(&user_id)
-				.await && !emergency_mode_enabled
-			{
-				return Err!(Request(Exclusive("Username is reserved by an appservice.")));
-			}
-
-			Ok(user_id)
-		} else {
-			// The user didn't specify a username. Generate a username for
-			// them.
-
-			loop {
-				let user_id = UserId::parse_with_server_name(
-					utils::random_string(RANDOM_USER_ID_LENGTH).to_lowercase(),
-					self.services.globals.server_name(),
-				)
-				.unwrap();
-
-				if !self.exists(&user_id).await {
-					break Ok(user_id);
-				}
-			}
-		}
-	}
+	// /// Create a new account for a local human or bot user.
+	// pub async fn create_local_account(
+	// 	&self,
+	// 	username: String,
+	// 	password:
+	// )
 
 	/// Deactivate account
 	pub async fn deactivate_account(&self, user_id: &UserId) -> Result<()> {
@@ -602,42 +337,8 @@ pub async fn is_active_local(&self, user_id: &UserId) -> bool {
 	pub async fn count(&self) -> usize { self.db.userid_password.count().await }
 
 	/// Find out which user an access token belongs to.
-	pub async fn find_from_token(
-		&self,
-		token: &str,
-	) -> Option<(OwnedUserId, OwnedDeviceId, AccessTokenStatus)> {
-		let user = self
-			.db
-			.token_userdeviceid
-			.get(token)
-			.await
-			.deserialized()
-			.ok();
-
-		// Check if the token has expired
-		if let Some((user_id, device_id)) = user {
-			if let Some(expires) = self
-				.db
-				.userdeviceid_tokenexpires
-				.qry(&(&user_id, &device_id))
-				.await
-				.deserialized::<u64>()
-				.ok()
-				.map(Duration::from_secs)
-			{
-				let expires_at = SystemTime::UNIX_EPOCH
-					.checked_add(expires)
-					.expect("expiry time should not overflow SystemTime");
-
-				if SystemTime::now() > expires_at {
-					return Some((user_id, device_id, AccessTokenStatus::Expired));
-				}
-			}
-
-			Some((user_id, device_id, AccessTokenStatus::Valid))
-		} else {
-			None
-		}
+	pub async fn find_from_token(&self, token: &str) -> Result<(OwnedUserId, OwnedDeviceId)> {
+		self.db.token_userdeviceid.get(token).await.deserialized()
 	}
 
 	/// Returns an iterator over all users on this homeserver.
@@ -727,27 +428,12 @@ pub fn set_avatar_url(&self, user_id: &UserId, avatar_url: Option<OwnedMxcUri>)
 		}
 	}
 
-	/// Get the blurhash of a user.
-	pub async fn blurhash(&self, user_id: &UserId) -> Result<String> {
-		self.db.userid_blurhash.get(user_id).await.deserialized()
-	}
-
-	/// Sets a new avatar_url or removes it if avatar_url is None.
-	pub fn set_blurhash(&self, user_id: &UserId, blurhash: Option<String>) {
-		if let Some(blurhash) = blurhash {
-			self.db.userid_blurhash.insert(user_id, blurhash);
-		} else {
-			self.db.userid_blurhash.remove(user_id);
-		}
-	}
-
 	/// Adds a new device to a user.
 	pub async fn create_device(
 		&self,
 		user_id: &UserId,
 		device_id: &DeviceId,
 		token: &str,
-		token_max_age: Option<Duration>,
 		initial_device_display_name: Option<String>,
 		client_ip: Option<String>,
 	) -> Result<()> {
@@ -765,8 +451,7 @@ pub async fn create_device(
 
 		increment(&self.db.userid_devicelistversion, user_id.as_bytes());
 		self.db.userdeviceid_metadata.put(key, Json(device));
-		self.set_token(user_id, device_id, token, token_max_age)
-			.await
+		self.set_token(user_id, device_id, token).await
 	}
 
 	/// Removes a device from a user.
@@ -782,7 +467,6 @@ pub async fn remove_device(&self, user_id: &UserId, device_id: &DeviceId) {
 		if let Ok(old_token) = self.db.userdeviceid_token.qry(&userdeviceid).await {
 			self.db.userdeviceid_token.del(userdeviceid);
 			self.db.token_userdeviceid.remove(&old_token);
-			self.db.userdeviceid_tokenexpires.del(userdeviceid);
 		}
 
 		// Remove todevice events
@@ -796,9 +480,6 @@ pub async fn remove_device(&self, user_id: &UserId, device_id: &DeviceId) {
 
 		// TODO: Remove onetimekeys
 
-		// Remove OAuth session information
-		self.services.oauth.remove_session(user_id, device_id).await;
-
 		increment(&self.db.userid_devicelistversion, user_id.as_bytes());
 
 		self.db.userdeviceid_metadata.del(userdeviceid);
@@ -854,7 +535,6 @@ pub async fn set_token(
 		user_id: &UserId,
 		device_id: &DeviceId,
 		token: &str,
-		token_max_age: Option<Duration>,
 	) -> Result<()> {
 		let key = (user_id, device_id);
 		if self.db.userdeviceid_metadata.qry(&key).await.is_err() {
@@ -881,7 +561,6 @@ pub async fn set_token(
 		// Remove old token
 		if let Ok(old_token) = self.db.userdeviceid_token.qry(&key).await {
 			self.db.token_userdeviceid.remove(&old_token);
-			self.db.userdeviceid_tokenexpires.remove(&old_token);
 			// It will be removed from userdeviceid_token by the insert later
 		}
 
@@ -889,18 +568,6 @@ pub async fn set_token(
 		self.db.userdeviceid_token.put_raw(key, token);
 		self.db.token_userdeviceid.raw_put(token, key);
 
-		if let Some(max_age) = token_max_age {
-			let expires = SystemTime::now()
-				.duration_since(SystemTime::UNIX_EPOCH)
-				.expect("system time should not be before the epoch")
-				.saturating_add(max_age)
-				.as_secs();
-
-			self.db.userdeviceid_tokenexpires.put(key, expires);
-		} else {
-			self.db.userdeviceid_tokenexpires.del(key);
-		}
-
 		Ok(())
 	}
 
@@ -1571,7 +1238,7 @@ pub async fn get_filter(
 	pub fn create_openid_token(&self, user_id: &UserId, token: &str) -> Result<u64> {
 		use std::num::Saturating as Sat;
 
-		let expires_in = self.services.config.openid_token_ttl;
+		let expires_in = self.services.server.config.openid_token_ttl;
 		let expires_at = Sat(utils::millis_since_unix_epoch()) + Sat(expires_in) * Sat(1000);
 
 		let mut value = expires_at.0.to_be_bytes().to_vec();
@@ -1615,7 +1282,7 @@ pub async fn find_from_openid_token(&self, token: &str) -> Result<OwnedUserId> {
 	pub fn create_login_token(&self, user_id: &UserId, token: &str) -> u64 {
 		use std::num::Saturating as Sat;
 
-		let expires_in = self.services.config.login_token_ttl;
+		let expires_in = self.services.server.config.login_token_ttl;
 		let expires_at = Sat(utils::millis_since_unix_epoch()) + Sat(expires_in);
 
 		let value = (expires_at.0, user_id);
@@ -1696,7 +1363,6 @@ pub fn set_profile_key(
 	pub async fn clear_profile(&self, user_id: &UserId) {
 		self.set_displayname(user_id, None);
 		self.set_avatar_url(user_id, None);
-		self.set_blurhash(user_id, None);
 		self.all_profile_keys(user_id)
 			.ready_for_each(|(key, _)| self.set_profile_key(user_id, &key, None))
 			.await;

src/web/Cargo.toml

@@ -22,8 +22,6 @@ crate-type = [
 conduwuit-build-metadata.workspace = true
 conduwuit-service.workspace = true
 conduwuit-core.workspace = true
-conduwuit-database.workspace = true
-conduwuit-api.workspace = true
 async-trait.workspace = true
 askama.workspace = true
 axum.workspace = true
@@ -37,18 +35,9 @@ ruma.workspace = true
 thiserror.workspace = true
 tower-http.workspace = true
 serde.workspace = true
-serde_json.workspace = true
-lettre.workspace = true
 memory-serve = "2.1.0"
 validator = { version = "0.20.0", features = ["derive"] }
 tower-sec-fetch = { version = "0.1.2", features = ["tracing"] }
-tower-sessions = { version = "0.15.0", default-features = false, features = ["axum-core"] }
-tower-sessions-core = { version = "0.15.0", features = ["deletion-task"] }
-serde_urlencoded.workspace = true
-url.workspace = true
-recaptcha-verify = { version = "0.2.0", default-features = false }
-reqwest_recaptcha = { package = "reqwest", version = "0.12.28", default-features = false, features = ["rustls-tls-native-roots-no-provider"]  } # As long as recaptcha-verify's reqwest is outdated
-form_urlencoded = "1.2.2"
 
 [build-dependencies]
 memory-serve = "2.1.0"

src/web/extract.rs

@@ -1,48 +0,0 @@
-use axum::{
-	extract::{FromRequest, FromRequestParts, Request},
-	http::{Method, request::Parts},
-};
-use serde::de::DeserializeOwned;
-
-use crate::WebError;
-
-/// An extractor which deserializes a struct from a POST request's body.
-/// For GET requests the struct will be None.
-#[derive(Debug, Clone, Copy, Default)]
-#[must_use]
-pub(crate) struct PostForm<T>(pub Option<T>);
-
-impl<T, S> FromRequest<S> for PostForm<T>
-where
-	T: DeserializeOwned,
-	S: Send + Sync,
-{
-	type Rejection = WebError;
-
-	async fn from_request(req: Request, state: &S) -> Result<Self, Self::Rejection> {
-		if req.method() == Method::POST {
-			let axum::Form(data) = axum::Form::from_request(req, state).await?;
-
-			Ok(Self(Some(data)))
-		} else {
-			Ok(Self(None))
-		}
-	}
-}
-
-/// An extractor which wraps another extractor and converts its errors into
-/// `WebError`s.
-pub(crate) struct Expect<E>(pub E);
-
-impl<E, S, R> FromRequestParts<S> for Expect<E>
-where
-	E: FromRequestParts<S, Rejection = R>,
-	WebError: From<R>,
-	S: Send + Sync,
-{
-	type Rejection = WebError;
-
-	async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
-		Ok(Self(E::from_request_parts(parts, state).await?))
-	}
-}

src/web/mod.rs

@@ -1,34 +1,25 @@
-use std::{any::Any, sync::Once, time::Duration};
+use std::any::Any;
 
 use askama::Template;
 use axum::{
 	Router,
-	extract::rejection::{FormRejection, PathRejection, QueryRejection},
-	http::StatusCode,
-	middleware::from_fn_with_state,
-	response::{Html, IntoResponse, Redirect, Response},
+	extract::rejection::{FormRejection, QueryRejection},
+	http::{HeaderValue, StatusCode, header},
+	response::{Html, IntoResponse, Response},
 };
-use conduwuit_service::{Services, state};
-use tower_http::catch_panic::CatchPanicLayer;
+use conduwuit_service::state;
+use tower_http::{catch_panic::CatchPanicLayer, set_header::SetResponseHeaderLayer};
 use tower_sec_fetch::SecFetchLayer;
-use tower_sessions::{ExpiredDeletion, SessionManagerLayer, cookie::SameSite};
 
-use crate::{
-	pages::TemplateContext,
-	session::{LoginQuery, store::RocksDbSessionStore},
-};
+use crate::pages::TemplateContext;
 
-mod extract;
 mod pages;
-mod session;
 
 type State = state::State;
 
 const CATASTROPHIC_FAILURE: &str = "cat-astrophic failure! we couldn't even render the error template. \
 please contact the team @ https://continuwuity.org";
 
-const ROUTE_PREFIX: &str = conduwuit_core::ROUTE_PREFIX;
-
 #[derive(Debug, thiserror::Error)]
 enum WebError {
 	#[error("Failed to validate form body: {0}")]
@@ -38,16 +29,10 @@ enum WebError {
 	#[error("{0}")]
 	FormRejection(#[from] FormRejection),
 	#[error("{0}")]
-	PathRejection(#[from] PathRejection),
-	#[error("{0}")]
 	BadRequest(String),
 
 	#[error("This page does not exist.")]
 	NotFound,
-	#[error("You are not allowed to request this page: {0}")]
-	Forbidden(String),
-	#[error("You must log in to access this page")]
-	LoginRequired(LoginQuery),
 
 	#[error("Failed to render template: {0}")]
 	Render(#[from] askama::Error),
@@ -67,26 +52,12 @@ struct Error {
 			context: TemplateContext,
 		}
 
-		if let Self::LoginRequired(query) = self {
-			return Redirect::to(&format!(
-				"{}/account/login?{}",
-				ROUTE_PREFIX,
-				serde_urlencoded::to_string(query).unwrap()
-			))
-			.into_response();
-		}
-
 		let status = match &self {
 			| Self::ValidationError(_)
 			| Self::BadRequest(_)
 			| Self::QueryRejection(_)
-			| Self::FormRejection(_)
-			| Self::InternalError(_) => StatusCode::BAD_REQUEST,
+			| Self::FormRejection(_) => StatusCode::BAD_REQUEST,
 			| Self::NotFound => StatusCode::NOT_FOUND,
-			| Self::Forbidden(_) => StatusCode::FORBIDDEN,
-			| Self::LoginRequired(_) => {
-				unreachable!("LoginRequired is handled earlier")
-			},
 			| _ => StatusCode::INTERNAL_SERVER_ERROR,
 		};
 
@@ -96,7 +67,6 @@ struct Error {
 			context: TemplateContext {
 				// Statically set false to prevent error pages from being indexed.
 				allow_indexing: false,
-				csp_nonce: String::new(),
 			},
 		};
 
@@ -108,39 +78,21 @@ struct Error {
 	}
 }
 
-static STORE_CLEANUP_TASK: Once = Once::new();
-
-pub fn build(services: &Services) -> Router<state::State> {
+pub fn build() -> Router<state::State> {
 	#[allow(clippy::wildcard_imports)]
 	use pages::*;
 
-	let store = RocksDbSessionStore::new(&services.db);
-
-	STORE_CLEANUP_TASK.call_once(|| {
-		services.server.runtime().spawn(
-			store
-				.clone()
-				.continuously_delete_expired(Duration::from_hours(1)),
-		);
-	});
-
 	Router::new()
 		.merge(index::build())
 		.nest(
 			"/_continuwuity/",
 			Router::new()
-				.nest("/account/", account::build())
-				.merge(debug::build())
-				.nest("/oauth2/", oauth::build())
 				.merge(resources::build())
+				.merge(password_reset::build())
+				.merge(debug::build())
 				.merge(threepid::build())
 				.fallback(async || WebError::NotFound),
 		)
-		.layer(
-			SessionManagerLayer::new(store)
-				.with_name("_c10y_session")
-				.with_same_site(SameSite::Lax),
-		)
 		.layer(CatchPanicLayer::custom(|panic: Box<dyn Any + Send + 'static>| {
 			let details = if let Some(s) = panic.downcast_ref::<String>() {
 				s.clone()
@@ -152,7 +104,10 @@ pub fn build(services: &Services) -> Router<state::State> {
 
 			WebError::Panic(details).into_response()
 		}))
-		.layer(from_fn_with_state(services.config.clone(), template_context_middleware))
+		.layer(SetResponseHeaderLayer::if_not_present(
+			header::CONTENT_SECURITY_POLICY,
+			HeaderValue::from_static("default-src 'self'; img-src 'self' data:;"),
+		))
 		.layer(SecFetchLayer::new(|policy| {
 			policy.allow_safe_methods().reject_missing_metadata();
 		}))

src/web/pages/account/cross_signing_reset.rs

@@ -1,47 +0,0 @@
-use axum::{Extension, Router, extract::State, routing::on};
-use conduwuit_service::oauth::OAuthTicket;
-
-use crate::{
-	extract::PostForm,
-	pages::{GET_POST, Result, TemplateContext, components::UserCard},
-	response,
-	session::{LoginTarget, User},
-	template,
-};
-
-pub(crate) fn build() -> Router<crate::State> {
-	Router::new().route("/", on(GET_POST, route_cross_signing_reset))
-}
-
-template! {
-	struct CrossSigningReset use "cross_signing_reset.html.j2" {
-		user_card: UserCard,
-		body: CrossSigningResetBody
-	}
-}
-
-#[derive(Debug)]
-enum CrossSigningResetBody {
-	Form,
-	Success,
-}
-
-async fn route_cross_signing_reset(
-	State(services): State<crate::State>,
-	Extension(context): Extension<TemplateContext>,
-	user: User,
-	PostForm(form): PostForm<()>,
-) -> Result {
-	let user_id = user.expect_recent(LoginTarget::CrossSigningReset)?;
-	let user_card = UserCard::for_local_user(&services, user_id.clone()).await;
-
-	if form.is_some() {
-		services
-			.oauth
-			.issue_ticket(user_id.localpart().to_owned(), OAuthTicket::CrossSigningReset);
-
-		response!(CrossSigningReset::new(context, user_card, CrossSigningResetBody::Success))
-	} else {
-		response!(CrossSigningReset::new(context, user_card, CrossSigningResetBody::Form))
-	}
-}

src/web/pages/account/deactivate.rs

@@ -1,129 +0,0 @@
-use axum::{Extension, Router, extract::State, routing::on};
-use conduwuit_api::client::full_user_deactivate;
-use futures::StreamExt;
-use ruma::{OwnedRoomId, OwnedUserId, UserId};
-use tower_sessions::Session;
-use validator::{Validate, ValidationError, ValidationErrors};
-
-use crate::{
-	extract::PostForm,
-	form,
-	pages::{
-		GET_POST, Result, TemplateContext,
-		components::{UserCard, form::Form},
-	},
-	response,
-	session::{LoginTarget, User},
-	template,
-};
-
-pub(crate) fn build() -> Router<crate::State> {
-	Router::new().route("/", on(GET_POST, route_deactivate))
-}
-
-template! {
-	struct Deactivate use "deactivate.html.j2" {
-		body: DeactivateBody
-	}
-}
-
-#[derive(Debug)]
-#[allow(clippy::large_enum_variant)]
-enum DeactivateBody {
-	Unavailable,
-	Form {
-		user_id: OwnedUserId,
-		user_card: UserCard,
-		form: Form<'static>,
-	},
-	Success,
-}
-
-form! {
-	struct DeactivateForm {
-		password: String where {
-			input_type: "password",
-			label: "Enter your password to confirm",
-			autocomplete: "current-password"
-		},
-		#[validate(required(message = "This checkbox must be checked"))]
-		confirm: Option<String> where {
-			input_type: "checkbox",
-			label: "I understand that deactivating my account cannot be undone."
-		}
-
-		submit: "Deactivate my account",
-		slowdown: true
-	}
-}
-
-async fn route_deactivate(
-	State(services): State<crate::State>,
-	Extension(context): Extension<TemplateContext>,
-	user: User,
-	session: Session,
-	PostForm(form): PostForm<DeactivateForm>,
-) -> Result {
-	let user_id = user.expect_recent(LoginTarget::Deactivate)?;
-	let user_card = UserCard::for_local_user(&services, user_id.clone()).await;
-
-	let body = {
-		if !services.config.allow_deactivation {
-			DeactivateBody::Unavailable
-		} else if let Some(form) = form {
-			if let Err(err) = validate_deactivate_form(&services, &user_id, form).await {
-				DeactivateBody::Form {
-					user_id,
-					user_card,
-					form: DeactivateForm::with_errors(context.clone(), err),
-				}
-			} else {
-				let all_joined_rooms: Vec<OwnedRoomId> = services
-					.rooms
-					.state_cache
-					.rooms_joined(&user_id)
-					.collect()
-					.await;
-
-				full_user_deactivate(&services, &user_id, &all_joined_rooms).await?;
-
-				session.clear().await;
-
-				DeactivateBody::Success
-			}
-		} else {
-			DeactivateBody::Form {
-				user_id,
-				user_card,
-				form: DeactivateForm::build(context.clone()),
-			}
-		}
-	};
-
-	response!(Deactivate::new(context, body))
-}
-
-async fn validate_deactivate_form(
-	services: &crate::State,
-	user_id: &UserId,
-	form: DeactivateForm,
-) -> Result<(), ValidationErrors> {
-	form.validate()?;
-
-	if services
-		.users
-		.check_password(user_id, &form.password)
-		.await
-		.is_err()
-	{
-		let mut errors = ValidationErrors::new();
-		errors.add(
-			"password",
-			ValidationError::new("wrong").with_message("Incorrect password".into()),
-		);
-
-		return Err(errors);
-	}
-
-	Ok(())
-}

src/web/pages/account/device.rs

@@ -1,126 +0,0 @@
-use axum::{
-	Extension, Router,
-	extract::{Path, State},
-	routing::{get, on},
-};
-use conduwuit_service::oauth::{SessionInfo, client_metadata::ClientMetadata};
-use futures::StreamExt;
-use ruma::OwnedDeviceId;
-use serde::{Deserialize, Serialize};
-
-use crate::{
-	WebError,
-	extract::{Expect, PostForm},
-	pages::{
-		GET_POST, Result, TemplateContext,
-		components::{ClientScopes, DeviceCard, DeviceCardStyle},
-	},
-	response,
-	session::{LoginTarget, User},
-	template,
-};
-
-pub(crate) fn build() -> Router<crate::State> {
-	Router::new()
-		.route("/{device}/", get(get_device_info))
-		.route("/{device}/remove", on(GET_POST, route_remove_device))
-}
-
-template! {
-	struct DeviceInfo use "device_info.html.j2" {
-		device_card: DeviceCard,
-		client_metadata: Option<(ClientMetadata, SessionInfo)>
-	}
-}
-
-async fn get_device_info(
-	State(services): State<crate::State>,
-	Extension(context): Extension<TemplateContext>,
-	user: User,
-	Expect(Path(query)): Expect<Path<DevicePath>>,
-) -> Result {
-	let user_id = user.expect(LoginTarget::RemoveDevice(query.clone()))?;
-
-	let Ok(device) = services
-		.users
-		.get_device_metadata(&user_id, &query.device)
-		.await
-	else {
-		return response!(WebError::BadRequest("Unknown device".to_owned()));
-	};
-
-	let client_metadata = async {
-		let session_info = services
-			.oauth
-			.get_session_info_for_device(&user_id, &device.device_id)
-			.await?;
-		let client_metadata = services
-			.oauth
-			.get_client_metadata(&session_info.client_id)
-			.await?;
-
-		Some((client_metadata, session_info))
-	}
-	.await;
-
-	let device_card =
-		DeviceCard::for_device(&services, &user_id, device, DeviceCardStyle::Detailed).await;
-
-	response!(DeviceInfo::new(context, device_card, client_metadata))
-}
-
-template! {
-	struct RemoveDevice use "remove_device.html.j2" {
-		body: RemoveDeviceBody
-	}
-}
-
-#[derive(Debug)]
-enum RemoveDeviceBody {
-	Form {
-		device_card: Box<DeviceCard>,
-		last_device: bool,
-	},
-	Success,
-}
-
-#[derive(Clone, Debug, Deserialize, Serialize)]
-pub(crate) struct DevicePath {
-	pub device: OwnedDeviceId,
-}
-
-async fn route_remove_device(
-	State(services): State<crate::State>,
-	Extension(context): Extension<TemplateContext>,
-	user: User,
-	Expect(Path(query)): Expect<Path<DevicePath>>,
-	PostForm(form): PostForm<()>,
-) -> Result {
-	let user_id = user.expect_recent(LoginTarget::RemoveDevice(query.clone()))?;
-
-	let Ok(device) = services
-		.users
-		.get_device_metadata(&user_id, &query.device)
-		.await
-	else {
-		return response!(WebError::BadRequest("Unknown device".to_owned()));
-	};
-
-	if form.is_some() {
-		services
-			.users
-			.remove_device(&user_id, &device.device_id)
-			.await;
-
-		response!(RemoveDevice::new(context, RemoveDeviceBody::Success))
-	} else {
-		let device_card =
-			DeviceCard::for_device(&services, &user_id, device, DeviceCardStyle::Minimal).await;
-		let last_device = services.users.all_devices_metadata(&user_id).count().await <= 1;
-
-		response!(RemoveDevice::new(context, RemoveDeviceBody::Form {
-			device_card: Box::new(device_card),
-			last_device
-		}))
-	}
-}

src/web/pages/account/email.rs

@@ -1,210 +0,0 @@
-use axum::{
-	Extension, Router,
-	extract::{Query, State},
-	routing::{get, on, post},
-};
-use conduwuit_core::warn;
-use conduwuit_service::{mailer::messages, threepid::session::ValidationSessions};
-use lettre::{Address, message::Mailbox};
-use ruma::{ClientSecret, OwnedClientSecret, OwnedSessionId};
-use serde::{Deserialize, Serialize};
-
-use crate::{
-	WebError,
-	extract::{Expect, PostForm},
-	form,
-	pages::{
-		GET_POST, Result, TemplateContext,
-		account::ThreepidQuery,
-		components::{UserCard, form::Form},
-	},
-	response,
-	session::{LoginTarget, User},
-	template,
-};
-
-pub(crate) fn build() -> Router<crate::State> {
-	Router::new()
-		.route("/change/", on(GET_POST, route_change_email))
-		.route("/change/validate", get(get_change_email_validate))
-		.route("/change/delete", post(post_delete_email))
-}
-
-template! {
-	struct ChangeEmail use "change_email.html.j2" {
-		user_card: UserCard,
-		email: Option<String>,
-		form: Form<'static>,
-		may_remove: bool
-	}
-}
-
-form! {
-	struct ChangeEmailForm {
-		email: Address where {
-			input_type: "email",
-			label: "Email address"
-		}
-
-		submit: "Change email"
-	}
-}
-
-template! {
-	struct ChangeEmailValidate use "change_email_validate.html.j2" {
-		user_card: UserCard,
-		body: ChangeEmailValidateBody
-	}
-}
-
-template! {
-	struct DeleteEmail use "delete_email.html.j2" {
-		user_card: UserCard
-	}
-}
-
-#[derive(Debug)]
-enum ChangeEmailValidateBody {
-	ValidationPending {
-		session_id: OwnedSessionId,
-		client_secret: OwnedClientSecret,
-		validation_error: bool,
-	},
-	Success,
-}
-
-async fn route_change_email(
-	State(services): State<crate::State>,
-	Extension(context): Extension<TemplateContext>,
-	user: User,
-	PostForm(form): PostForm<ChangeEmailForm>,
-) -> Result {
-	let user_id = user.expect_recent(LoginTarget::ChangeEmail)?;
-
-	let Some(form) = form else {
-		return response!(ChangeEmail::new(
-			context.clone(),
-			UserCard::for_local_user(&services, user_id.clone()).await,
-			services
-				.threepid
-				.get_email_for_localpart(user_id.localpart())
-				.await
-				.map(|address| address.to_string()),
-			ChangeEmailForm::build(context),
-			services.threepid.email_requirement().may_remove(),
-		));
-	};
-
-	let client_secret = ClientSecret::new();
-
-	let session_id = {
-		let display_name = services.users.displayname(&user_id).await.ok();
-
-		match services
-			.threepid
-			.send_validation_email(
-				Mailbox::new(display_name, form.email.clone()),
-				|verification_link| messages::ChangeEmail {
-					server_name: services.globals.server_name().as_str(),
-					user_id: Some(&user_id),
-					verification_link,
-				},
-				&client_secret,
-				0,
-			)
-			.await
-		{
-			| Ok(session_id) => session_id,
-			| Err(err) => {
-				// If we couldn't send an email, generate a random session ID to not give that
-				// away
-				warn!(
-					"Failed to send email change message for {user_id} to {}: {err}",
-					form.email
-				);
-
-				ValidationSessions::generate_session_id()
-			},
-		}
-	};
-
-	response!(ChangeEmailValidate::new(
-		context,
-		UserCard::for_local_user(&services, user_id).await,
-		ChangeEmailValidateBody::ValidationPending {
-			session_id,
-			client_secret,
-			validation_error: false
-		}
-	))
-}
-
-#[derive(Deserialize, Serialize)]
-struct ChangeEmailQuery {
-	#[serde(flatten)]
-	threepid: ThreepidQuery,
-}
-
-async fn get_change_email_validate(
-	State(services): State<crate::State>,
-	Extension(context): Extension<TemplateContext>,
-	Expect(Query(ChangeEmailQuery {
-		threepid: ThreepidQuery { client_secret, session_id },
-	})): Expect<Query<ChangeEmailQuery>>,
-	user: User,
-) -> Result {
-	let user_id = user.expect(LoginTarget::ChangeEmail)?;
-	let user_card = UserCard::for_local_user(&services, user_id.clone()).await;
-
-	if !services.threepid.email_requirement().may_change() {
-		return Err(WebError::Forbidden("You may not change your email address.".to_owned()));
-	}
-
-	let Ok(session) = services
-		.threepid
-		.get_valid_session(&session_id, &client_secret)
-		.await
-	else {
-		return response!(ChangeEmailValidate::new(
-			context,
-			user_card,
-			ChangeEmailValidateBody::ValidationPending {
-				session_id,
-				client_secret,
-				validation_error: true
-			}
-		));
-	};
-
-	let new_email = session.consume();
-
-	if let Err(err) = services
-		.threepid
-		.associate_localpart_email(user_id.localpart(), &new_email)
-		.await
-	{
-		return response!(BadRequest(err.message()));
-	}
-
-	response!(ChangeEmailValidate::new(context, user_card, ChangeEmailValidateBody::Success))
-}
-
-async fn post_delete_email(
-	State(services): State<crate::State>,
-	Extension(context): Extension<TemplateContext>,
-	user: User,
-) -> Result {
-	let user_id = user.expect(LoginTarget::ChangeEmail)?;
-	let user_card = UserCard::for_local_user(&services, user_id.clone()).await;
-
-	if !services.threepid.email_requirement().may_remove() {
-		return Err(WebError::Forbidden("You may not remove your email address.".to_owned()));
-	}
-
-	let _ = services
-		.threepid
-		.disassociate_localpart_email(user_id.localpart())
-		.await;
-
-	response!(DeleteEmail::new(context, user_card))
-}

src/web/pages/account/login.rs

@@ -1,155 +0,0 @@
-use std::time::SystemTime;
-
-use axum::{
-	Extension, Router,
-	extract::{Query, RawQuery, State},
-	response::{IntoResponse, Redirect},
-	routing::{get, on},
-};
-use conduwuit_api::client::handle_login;
-use ruma::{
-	OwnedUserId,
-	api::client::uiaa::{EmailUserIdentifier, MatrixUserIdentifier, UserIdentifier},
-};
-use serde::Deserialize;
-use tower_sessions::Session;
-
-use crate::{
-	ROUTE_PREFIX, WebError,
-	extract::{Expect, PostForm},
-	pages::{
-		GET_POST, Result, TemplateContext,
-		account::register::{TrustedFlowStatus, UntrustedFlowStatus, registration_flow_status},
-		components::UserCard,
-	},
-	response,
-	session::{LoginQuery, LoginTarget, User, UserSession},
-	template,
-};
-
-pub(crate) fn build() -> Router<crate::State> {
-	Router::new()
-		.route("/login", on(GET_POST, route_login))
-		.route("/logout", get(get_logout))
-}
-
-template! {
-	struct Login use "login.html.j2" {
-		body: LoginBody,
-		login_error: Option<String>
-	}
-}
-
-#[derive(Debug)]
-enum LoginBody {
-	Unauthenticated {
-		server_name: String,
-		registration_available: bool,
-		next: Option<LoginTarget>,
-	},
-	Authenticated {
-		user_card: UserCard,
-	},
-}
-
-#[derive(Deserialize)]
-struct LoginForm {
-	identifier: Option<String>,
-	password: String,
-}
-
-async fn route_login(
-	State(services): State<crate::State>,
-	Extension(context): Extension<TemplateContext>,
-	Expect(Query(LoginQuery { next, reauthenticate })): Expect<Query<LoginQuery>>,
-	session_store: Session,
-	user: User,
-	PostForm(form): PostForm<LoginForm>,
-) -> Result {
-	let user_id = user.into_session().map(|session| session.user_id);
-
-	let body = match &user_id {
-		| None => {
-			let (trusted_flow_status, untrusted_flow_status) =
-				registration_flow_status(&services).await;
-
-			let registration_available =
-				matches!(trusted_flow_status, TrustedFlowStatus::Available)
-					|| matches!(untrusted_flow_status, UntrustedFlowStatus::Available { .. });
-
-			LoginBody::Unauthenticated {
-				server_name: services.globals.server_name().to_string(),
-				registration_available,
-				next: next.clone(),
-			}
-		},
-		| Some(user_id) => {
-			if !reauthenticate {
-				return response!(Redirect::to(&next.unwrap_or_default().target_path()));
-			}
-
-			let user_card = UserCard::for_local_user(&services, user_id.to_owned()).await;
-
-			LoginBody::Authenticated { user_card }
-		},
-	};
-
-	let mut template = Login::new(context, body, None);
-
-	if let Some(form) = form {
-		let login_result = match (user_id, form.identifier) {
-			| (Some(user_id), _) => {
-				// The user is already authenticated, we need to check their password
-				services
-					.users
-					.check_password(&user_id, &form.password)
-					.await
-			},
-			| (None, Some(identifier)) => {
-				// The user isn't authenticated, we need to log them in
-				let identifier = if identifier.parse::<lettre::Address>().is_ok() {
-					UserIdentifier::Email(EmailUserIdentifier::new(identifier))
-				} else {
-					UserIdentifier::Matrix(MatrixUserIdentifier::new(identifier))
-				};
-
-				handle_login(&services, Some(&identifier), &form.password, None).await
-			},
-			| (None, None) => {
-				// The user isn't authenticated and didn't supply an identity
-				return response!(WebError::BadRequest("No identity provided".to_owned()));
-			},
-		};
-
-		let user_id = match login_result {
-			| Ok(user_id) => user_id,
-			| Err(err) => {
-				let error_message = if let conduwuit_core::Error::Request(_, message, _) = err {
-					message.into_owned()
-				} else {
-					"Internal login error".to_owned()
-				};
-
-				template.login_error = Some(error_message);
-				return response!(template);
-			},
-		};
-
-		let user_session = UserSession { user_id, last_login: SystemTime::now() };
-
-		session_store
-			.insert(User::KEY, user_session)
-			.await
-			.expect("should be able to serialize user session");
-
-		return response!(Redirect::to(&next.unwrap_or_default().target_path()));
-	}
-
-	response!(template)
-}
-
-async fn get_logout(session: Session, RawQuery(query): RawQuery) -> impl IntoResponse {
-	let _ = session.remove::<OwnedUserId>(User::KEY).await;
-
-	Redirect::to(&format!("{}/account/login?{}", ROUTE_PREFIX, query.unwrap_or_default()))
-}

src/web/pages/account/mod.rs

@@ -1,153 +0,0 @@
-use axum::{
-	Extension, Router,
-	extract::{Query, State},
-	response::Redirect,
-	routing::get,
-};
-use conduwuit_core::utils::{IterStream, ReadyExt, stream::TryExpect};
-use conduwuit_service::threepid::EmailRequirement;
-use futures::StreamExt;
-use ruma::{
-	OwnedClientSecret, OwnedDeviceId, OwnedSessionId,
-	api::client::discovery::get_authorization_server_metadata::v1::AccountManagementAction,
-};
-use serde::{Deserialize, Serialize};
-
-use crate::{
-	WebError,
-	extract::Expect,
-	pages::{
-		Result, TemplateContext,
-		components::{DeviceCard, DeviceCardStyle, UserCard},
-	},
-	response,
-	session::{LoginTarget, User},
-	template,
-};
-
-pub(crate) mod cross_signing_reset;
-pub(crate) mod deactivate;
-pub(crate) mod device;
-pub(crate) mod email;
-pub(crate) mod login;
-pub(crate) mod password;
-pub(crate) mod register;
-
-pub(crate) fn build() -> Router<crate::State> {
-	#[allow(clippy::wildcard_imports)]
-	use self::*;
-
-	Router::new()
-		.route("/", get(get_account))
-		.route("/deeplink", get(get_account_deeplink))
-		.merge(login::build())
-		.nest("/password/", password::build())
-		.nest("/email/", email::build())
-		.nest("/cross_signing_reset", cross_signing_reset::build())
-		.nest("/deactivate", deactivate::build())
-		.nest("/device/", device::build())
-		.nest("/register/", register::build())
-}
-
-#[derive(Deserialize, Serialize)]
-struct ThreepidQuery {
-	client_secret: OwnedClientSecret,
-	session_id: OwnedSessionId,
-}
-
-template! {
-	struct Account use "account.html.j2" {
-		user_card: UserCard,
-		email_requirement: EmailRequirement,
-		email: Option<String>,
-		devices: Vec<DeviceCard>
-	}
-}
-
-async fn get_account(
-	State(services): State<crate::State>,
-	Extension(context): Extension<TemplateContext>,
-	user: User,
-) -> Result {
-	let user_id = user.expect(LoginTarget::Account)?;
-
-	let email_requirement = services.threepid.email_requirement();
-	let email = services
-		.threepid
-		.get_email_for_localpart(user_id.localpart())
-		.await
-		.map(|address| address.to_string());
-
-	let user_card = UserCard::for_local_user(&services, user_id.clone()).await;
-
-	let dehydrated_device_id = services.users.get_dehydrated_device_id(&user_id).await.ok();
-
-	let mut devices: Vec<_> = services
-		.users
-		.all_device_ids(&user_id)
-		.then(async |device_id| {
-			services
-				.users
-				.get_device_metadata(&user_id, &device_id)
-				.await
-		})
-		.expect_ok()
-		.ready_filter(|device| {
-			dehydrated_device_id
-				.as_ref()
-				.is_none_or(|id| device.device_id != *id)
-		})
-		.collect()
-		.await;
-
-	devices.sort_unstable_by(|a, b| a.last_seen_ts.cmp(&b.last_seen_ts).reverse());
-
-	let device_cards = devices
-		.into_iter()
-		.stream()
-		.then(async |device| {
-			DeviceCard::for_device(&services, &user_id, device, DeviceCardStyle::Minimal).await
-		})
-		.collect()
-		.await;
-
-	response!(Account::new(context, user_card, email_requirement, email, device_cards))
-}
-
-#[derive(Deserialize)]
-struct AccountDeeplinkQuery {
-	action: Option<AccountManagementAction>,
-	device_id: Option<OwnedDeviceId>,
-}
-
-async fn get_account_deeplink(
-	Expect(Query(query)): Expect<Query<AccountDeeplinkQuery>>,
-) -> Result {
-	let redirect_target = match query.action.unwrap_or(AccountManagementAction::Profile) {
-		| AccountManagementAction::AccountDeactivate => "deactivate".to_owned(),
-		| AccountManagementAction::CrossSigningReset => "cross_signing_reset".to_owned(),
-		| AccountManagementAction::DeviceDelete => {
-			let Some(device_id) = query.device_id else {
-				return response!(WebError::BadRequest(
-					"A device ID is required for this action".to_owned()
-				));
-			};
-
-			format!("device/{device_id}/delete")
-		},
-		| AccountManagementAction::DeviceView => {
-			let Some(device_id) = query.device_id else {
-				return response!(WebError::BadRequest(
-					"A device ID is required for this action".to_owned()
-				));
-			};
-
-			format!("device/{device_id}/")
-		},
-		| AccountManagementAction::DevicesList => "#devices".to_owned(),
-		| AccountManagementAction::Profile => String::new(),
-		| _ => return response!(WebError::BadRequest("Unknown action".to_owned())),
-	};
-
-	response!(Redirect::to(&format!("{}/account/{}", crate::ROUTE_PREFIX, redirect_target)))
-}

src/web/pages/account/password/change.rs

@@ -1,122 +0,0 @@
-use axum::{Extension, Router, extract::State, routing::on};
-use conduwuit_service::users::HashedPassword;
-use ruma::UserId;
-use validator::{Validate, ValidationError, ValidationErrors};
-
-use crate::{
-	extract::PostForm,
-	form,
-	pages::{
-		GET_POST, Result, TemplateContext,
-		components::{UserCard, form::Form},
-	},
-	response,
-	session::{LoginTarget, User},
-	template,
-};
-
-pub(crate) fn build() -> Router<crate::State> {
-	Router::new().route("/", on(GET_POST, route_change_password))
-}
-
-template! {
-	struct ChangePassword use "change_password.html.j2" {
-		user_card: UserCard,
-		body: ChangePasswordBody
-	}
-}
-
-#[derive(Debug)]
-enum ChangePasswordBody {
-	Form(Form<'static>),
-	Success,
-}
-
-form! {
-	struct ChangePasswordForm {
-		#[validate(length(min = 1, message = "Current password cannot be empty"))]
-		current_password: String where {
-			input_type: "password",
-			label: "Current password",
-			autocomplete: "current-password"
-		},
-
-		#[validate(length(min = 1, message = "New password cannot be empty"))]
-		new_password: String where {
-			input_type: "password",
-			label: "New password",
-			autocomplete: "new-password"
-		},
-
-		#[validate(must_match(other = "new_password", message = "Passwords must match"))]
-		confirm_new_password: String where {
-			input_type: "password",
-			label: "Confirm new password",
-			autocomplete: "new-password"
-		}
-
-		submit: "Change password"
-	}
-}
-
-async fn route_change_password(
-	State(services): State<crate::State>,
-	Extension(context): Extension<TemplateContext>,
-	user: User,
-	PostForm(form): PostForm<ChangePasswordForm>,
-) -> Result {
-	let user_id = user.expect(LoginTarget::ChangePassword)?;
-	let user_card = UserCard::for_local_user(&services, user_id.clone()).await;
-
-	let body = if let Some(form) = form {
-		match change_password(&services, &user_id, form).await {
-			| Ok(()) => ChangePasswordBody::Success,
-			| Err(errors) =>
-				ChangePasswordBody::Form(ChangePasswordForm::with_errors(context.clone(), errors)),
-		}
-	} else {
-		ChangePasswordBody::Form(ChangePasswordForm::build(context.clone()))
-	};
-
-	response!(ChangePassword::new(context, user_card, body))
-}
-
-async fn change_password(
-	services: &crate::State,
-	user_id: &UserId,
-	form: ChangePasswordForm,
-) -> Result<(), ValidationErrors> {
-	form.validate()?;
-
-	if services
-		.users
-		.check_password(user_id, &form.current_password)
-		.await
-		.is_err()
-	{
-		let mut errors = ValidationErrors::new();
-		errors.add(
-			"current_password",
-			ValidationError::new("wrong").with_message("Incorrect password".into()),
-		);
-
-		return Err(errors);
-	}
-
-	match HashedPassword::new(&form.new_password) {
-		| Ok(hash) => {
-			services.users.set_password(user_id, Some(hash));
-		},
-		| Err(err) => {
-			let mut errors = ValidationErrors::new();
-			errors.add(
-				"new_password",
-				ValidationError::new("malformed").with_message(err.message().into()),
-			);
-
-			return Err(errors);
-		},
-	}
-
-	Ok(())
-}

src/web/pages/account/password/mod.rs

@@ -1,13 +0,0 @@
-use axum::Router;
-
-mod change;
-mod reset;
-
-pub(crate) fn build() -> Router<crate::State> {
-	#[allow(clippy::wildcard_imports)]
-	use self::*;
-
-	Router::new()
-		.nest("/change", change::build())
-		.nest("/reset/", reset::build())
-}

src/web/pages/account/password/reset.rs

@@ -1,250 +0,0 @@
-use axum::{
-	Extension, Router,
-	extract::{Query, State},
-	routing::on,
-};
-use conduwuit_core::warn;
-use conduwuit_service::{
-	mailer::messages, threepid::session::ValidationSessions, users::HashedPassword,
-};
-use lettre::{Address, message::Mailbox};
-use ruma::{ClientSecret, OwnedClientSecret, OwnedSessionId, UserId};
-use serde::{Deserialize, Serialize};
-use validator::{Validate, ValidationError, ValidationErrors};
-
-use crate::{
-	WebError,
-	extract::{Expect, PostForm},
-	form,
-	pages::{
-		GET_POST, Result, TemplateContext,
-		account::ThreepidQuery,
-		components::{UserCard, form::Form},
-	},
-	response,
-	session::require_active,
-	template,
-};
-
-pub(crate) fn build() -> Router<crate::State> {
-	Router::new()
-		.route("/", on(GET_POST, route_reset_password))
-		.route("/validate", on(GET_POST, route_reset_password_validate))
-}
-
-template! {
-	struct ResetPassword use "reset_password.html.j2" {
-		body: ResetPasswordBody
-	}
-}
-
-#[derive(Debug)]
-enum ResetPasswordBody {
-	Form(Form<'static>),
-	Unavailable,
-}
-
-form! {
-	struct ResetPasswordRequestForm {
-		email: Address where {
-			input_type: "email",
-			label: "Email address"
-		}
-
-		submit: "Send email"
-	}
-}
-
-async fn route_reset_password(
-	State(services): State<crate::State>,
-	Extension(context): Extension<TemplateContext>,
-	PostForm(form): PostForm<ResetPasswordRequestForm>,
-) -> Result {
-	// Check if SMTP is configured
-	if services.mailer.mailer().is_none() {
-		return response!(ResetPassword::new(context, ResetPasswordBody::Unavailable));
-	}
-
-	let Some(form) = form else {
-		// For GET requests return the reset request form
-		return response!(ResetPassword::new(
-			context.clone(),
-			ResetPasswordBody::Form(ResetPasswordRequestForm::build(context))
-		));
-	};
-
-	let client_secret = ClientSecret::new();
-
-	let session_id = async {
-		let Some(localpart) = services.threepid.get_localpart_for_email(&form.email).await else {
-			warn!("No user is associated with the email address {}", form.email);
-
-			return None;
-		};
-
-		let user_id =
-			UserId::parse(format!("@{localpart}:{}", services.globals.server_name())).unwrap();
-		let display_name = services.users.displayname(&user_id).await.ok();
-
-		match services
-			.threepid
-			.send_validation_email(
-				Mailbox::new(display_name.clone(), form.email.clone()),
-				|verification_link| messages::PasswordReset {
-					display_name: display_name.as_deref(),
-					user_id: &user_id,
-					verification_link,
-				},
-				&client_secret,
-				0,
-			)
-			.await
-		{
-			| Ok(session_id) => Some(session_id),
-			| Err(err) => {
-				warn!("Failed to send reset email for {localpart} to {}: {err}", form.email);
-
-				None
-			},
-		}
-	}
-	.await
-	.unwrap_or_else(|| {
-		// If we couldn't send an email, generate a random session ID to not give that
-		// away
-		ValidationSessions::generate_session_id()
-	});
-
-	response!(ResetPasswordValidate::new(
-		context,
-		ResetPasswordValidateBody::ValidationPending {
-			client_secret,
-			session_id,
-			validation_error: false
-		}
-	))
-}
-
-template! {
-	struct ResetPasswordValidate use "reset_password_validate.html.j2" {
-		body: ResetPasswordValidateBody
-	}
-}
-
-#[derive(Debug)]
-enum ResetPasswordValidateBody {
-	ValidationPending {
-		session_id: OwnedSessionId,
-		client_secret: OwnedClientSecret,
-		validation_error: bool,
-	},
-	ValidationSuccess {
-		user_card: UserCard,
-		form: Form<'static>,
-	},
-	ResetSuccess {
-		user_card: UserCard,
-	},
-}
-
-form! {
-	struct ResetPasswordForm {
-		#[validate(length(min = 1, message = "Password cannot be empty"))]
-		new_password: String where {
-			input_type: "password",
-			label: "New password",
-			autocomplete: "new-password"
-		},
-
-		#[validate(must_match(other = "new_password", message = "Passwords must match"))]
-		confirm_new_password: String where {
-			input_type: "password",
-			label: "Confirm new password",
-			autocomplete: "new-password"
-		}
-
-		submit: "Reset password"
-	}
-}
-
-#[derive(Deserialize, Serialize)]
-struct ResetPasswordQuery {
-	#[serde(flatten)]
-	threepid: ThreepidQuery,
-}
-
-async fn route_reset_password_validate(
-	State(services): State<crate::State>,
-	Extension(context): Extension<TemplateContext>,
-	Expect(Query(query)): Expect<Query<ResetPasswordQuery>>,
-	PostForm(form): PostForm<ResetPasswordForm>,
-) -> Result {
-	let body = match services
-		.threepid
-		.get_valid_session(&query.threepid.session_id, &query.threepid.client_secret)
-		.await
-	{
-		| Ok(session) => {
-			let Some(localpart) = services
-				.threepid
-				.get_localpart_for_email(&session.email)
-				.await
-			else {
-				return Err(WebError::BadRequest("Inapplicable threepid session.".to_owned()));
-			};
-
-			let user_id =
-				UserId::parse(format!("@{localpart}:{}", services.globals.server_name()))
-					.unwrap();
-
-			require_active(&services, &user_id).await?;
-
-			let user_card = UserCard::for_local_user(&services, user_id.clone()).await;
-
-			if let Some(form) = form {
-				if let Err(err) = form.validate() {
-					ResetPasswordValidateBody::ValidationSuccess {
-						user_card,
-						form: ResetPasswordForm::with_errors(context.clone(), err),
-					}
-				} else {
-					match HashedPassword::new(&form.new_password) {
-						| Ok(hash) => {
-							let _ = session.consume();
-
-							services.users.set_password(&user_id, Some(hash));
-
-							ResetPasswordValidateBody::ResetSuccess { user_card }
-						},
-						| Err(err) => {
-							let mut errors = ValidationErrors::new();
-
-							errors.add(
-								"new_password",
-								ValidationError::new("malformed")
-									.with_message(err.message().into()),
-							);
-
-							ResetPasswordValidateBody::ValidationSuccess {
-								user_card,
-								form: ResetPasswordForm::with_errors(context.clone(), errors),
-							}
-						},
-					}
-				}
-			} else {
-				ResetPasswordValidateBody::ValidationSuccess {
-					user_card,
-					form: ResetPasswordForm::build(context.clone()),
-				}
-			}
-		},
-		| Err(_) => ResetPasswordValidateBody::ValidationPending {
-			session_id: query.threepid.session_id,
-			client_secret: query.threepid.client_secret,
-			validation_error: true,
-		},
-	};
-
-	response!(ResetPasswordValidate::new(context, body))
-}

src/web/pages/account/register.rs

@@ -1,581 +0,0 @@
-use std::{collections::BTreeMap, time::SystemTime};
-
-use axum::{
-	Extension, Router,
-	extract::{Query, State},
-	response::{Redirect, Response},
-	routing::{get, on},
-};
-use conduwuit_core::{config::TermsDocument, warn};
-use conduwuit_service::{
-	mailer::messages, registration_tokens::ValidToken, users::HashedPassword,
-};
-use futures::StreamExt;
-use lettre::{Address, message::Mailbox};
-use ruma::{ClientSecret, OwnedClientSecret, OwnedServerName, OwnedSessionId, OwnedUserId};
-use serde::{Deserialize, Serialize, de::IgnoredAny};
-use tower_sessions::Session;
-use validator::{Validate, ValidationError, ValidationErrors};
-
-use crate::{
-	WebError,
-	extract::{Expect, PostForm},
-	pages::{GET_POST, Result, TemplateContext, account::ThreepidQuery},
-	response,
-	session::{LoginTarget, User, UserSession},
-	template,
-};
-
-const COMPLETED_REGISTRATION_KEY: &str = "completed_registration";
-
-pub(crate) fn build() -> Router<crate::State> {
-	Router::new()
-		.route("/", on(GET_POST, route_register))
-		.route("/validate", get(get_register_email_validate))
-}
-
-template! {
-	struct Register use "register.html.j2" {
-		server_name: OwnedServerName,
-		is_first_run: bool,
-		body: RegisterBody
-	}
-}
-
-#[derive(Debug)]
-enum RegisterBody {
-	Unavailable,
-	UsernamePrompt {
-		allow_federation: bool,
-		trusted_flow_status: TrustedFlowStatus,
-		untrusted_flow_status: UntrustedFlowStatus,
-		username_error: Option<String>,
-		next: Option<LoginTarget>,
-	},
-	DetailsPrompt {
-		username: Option<String>,
-		require_email: bool,
-		flow: RegistrationFlowParameters,
-		terms: BTreeMap<String, TermsDocument>,
-		validation_errors: ValidationErrors,
-	},
-}
-
-#[derive(Debug)]
-pub(super) enum TrustedFlowStatus {
-	Unavailable,
-	Available,
-}
-
-#[derive(Debug)]
-pub(super) enum UntrustedFlowStatus {
-	Unavailable,
-	Available {
-		require_email: bool,
-	},
-}
-
-#[derive(Default, Deserialize, Serialize)]
-pub(crate) struct RegisterQuery {
-	pub username: Option<String>,
-	pub token: Option<String>,
-	pub flow: Option<RequestedRegistrationFlow>,
-	#[serde(default)]
-	pub from_landing: bool,
-	#[serde(flatten)]
-	pub next: Option<LoginTarget>,
-}
-
-#[derive(Clone, Copy, Deserialize, Serialize)]
-#[serde(rename_all = "snake_case")]
-pub(crate) enum RequestedRegistrationFlow {
-	Untrusted,
-	Trusted,
-}
-
-#[derive(Debug)]
-enum RegistrationFlowParameters {
-	Untrusted {
-		recaptcha_sitekey: Option<String>,
-	},
-	Trusted {
-		registration_token: Option<String>,
-	},
-}
-
-#[derive(Deserialize, Validate)]
-struct RegistrationForm {
-	flow: RequestedRegistrationFlow,
-	username: String,
-	email: Option<Address>,
-	#[validate(length(min = 1, message = "Password cannot be empty"))]
-	password: String,
-	#[validate(must_match(other = "password", message = "Passwords must match"))]
-	confirm_password: String,
-	registration_token: Option<String>,
-	#[serde(rename = "g-recaptcha-response")]
-	recaptcha_response: Option<String>,
-}
-
-#[derive(Deserialize, Serialize)]
-struct CompletedRegistration {
-	user_id: OwnedUserId,
-	password_hash: HashedPassword,
-	registration_token: Option<ValidToken>,
-	next: Option<LoginTarget>,
-}
-
-async fn route_register(
-	State(services): State<crate::State>,
-	Extension(context): Extension<TemplateContext>,
-	session_store: Session,
-	Expect(Query(query)): Expect<Query<RegisterQuery>>,
-	PostForm(form): PostForm<RegistrationForm>,
-) -> Result {
-	if session_store
-		.get::<IgnoredAny>(User::KEY)
-		.await
-		.unwrap()
-		.is_some()
-	{
-		// Redirect already logged-in users to the account panel
-		return response!(Redirect::to(&LoginTarget::Account.target_path()));
-	}
-
-	let validation_errors = if let Some(form) = form {
-		match form.validate() {
-			| Ok(()) => {
-				match begin_registration(
-					&services,
-					context.clone(),
-					session_store,
-					form,
-					query.next.clone(),
-				)
-				.await?
-				{
-					| Ok(response) => return Ok(response),
-					| Err(err) => err,
-				}
-			},
-			| Err(err) => err,
-		}
-	} else {
-		ValidationErrors::new()
-	};
-
-	let (trusted_flow_status, untrusted_flow_status) = registration_flow_status(&services).await;
-
-	if matches!(trusted_flow_status, TrustedFlowStatus::Unavailable)
-		&& matches!(untrusted_flow_status, UntrustedFlowStatus::Unavailable)
-	{
-		return response!(Register::new(
-			context,
-			services.globals.server_name().to_owned(),
-			services.firstrun.is_first_run(),
-			RegisterBody::Unavailable
-		));
-	}
-
-	if query.username.is_some() && query.flow.is_none() {
-		return response!(WebError::BadRequest(
-			"A flow must be provided if a username is provided".to_owned()
-		));
-	}
-
-	if let Some(username) = &query.username
-		&& query.from_landing
-	{
-		// Check if the username is valid and available before showing the details form
-		// to keep the user from wasting their time
-
-		if let Err(err) = services
-			.users
-			.determine_registration_user_id(Some(username.to_owned()), None, None)
-			.await
-		{
-			return response!(Register::new(
-				context,
-				services.globals.server_name().to_owned(),
-				services.firstrun.is_first_run(),
-				RegisterBody::UsernamePrompt {
-					allow_federation: services.config.allow_federation,
-					trusted_flow_status,
-					untrusted_flow_status,
-					username_error: Some(err.message()),
-					next: query.next,
-				}
-			));
-		}
-	}
-
-	let body = {
-		let terms = services.config.registration_terms.documents.clone();
-
-		match (query.flow, query.token) {
-			| (Some(RequestedRegistrationFlow::Trusted), token) | (_, token @ Some(_)) =>
-				RegisterBody::DetailsPrompt {
-					username: query.username,
-					require_email: services
-						.config
-						.smtp
-						.as_ref()
-						.is_some_and(|smtp| smtp.require_email_for_token_registration),
-					flow: RegistrationFlowParameters::Trusted { registration_token: token },
-					terms,
-					validation_errors,
-				},
-			| (Some(RequestedRegistrationFlow::Untrusted), _) => RegisterBody::DetailsPrompt {
-				username: query.username,
-				require_email: services
-					.config
-					.smtp
-					.as_ref()
-					.is_some_and(|smtp| smtp.require_email_for_registration),
-				flow: RegistrationFlowParameters::Untrusted {
-					recaptcha_sitekey: services.config.recaptcha_site_key.clone(),
-				},
-				terms,
-				validation_errors,
-			},
-			| (None, None) => RegisterBody::UsernamePrompt {
-				allow_federation: services.config.allow_federation,
-				trusted_flow_status,
-				untrusted_flow_status,
-				username_error: None,
-				next: query.next,
-			},
-		}
-	};
-
-	response!(Register::new(
-		context,
-		services.globals.server_name().to_owned(),
-		services.firstrun.is_first_run(),
-		body
-	))
-}
-
-template! {
-	struct RegisterEmailValidate use "register_email_validate.html.j2" {
-		session_id: OwnedSessionId,
-		client_secret: OwnedClientSecret,
-		validation_error: bool
-	}
-}
-
-#[derive(Deserialize, Serialize)]
-struct RegisterEmailValidateQuery {
-	#[serde(flatten)]
-	threepid: ThreepidQuery,
-}
-
-async fn get_register_email_validate(
-	State(services): State<crate::State>,
-	Extension(context): Extension<TemplateContext>,
-	session_store: Session,
-	Expect(Query(RegisterEmailValidateQuery {
-		threepid: ThreepidQuery { client_secret, session_id },
-	})): Expect<Query<RegisterEmailValidateQuery>>,
-) -> Result {
-	let Ok(session) = services
-		.threepid
-		.get_valid_session(&session_id, &client_secret)
-		.await
-	else {
-		return response!(RegisterEmailValidate::new(context, session_id, client_secret, true));
-	};
-
-	let Some(completed_registration) = session_store
-		.get::<CompletedRegistration>(COMPLETED_REGISTRATION_KEY)
-		.await
-		.expect("should be able to deserialize completed session")
-	else {
-		return response!(WebError::BadRequest(
-			"Inapplicable session. What are you doing here?".to_owned()
-		));
-	};
-
-	let email = session.consume();
-
-	response!(
-		complete_registration(&services, session_store, completed_registration, Some(email))
-			.await
-	)
-}
-
-async fn begin_registration(
-	services: &crate::State,
-	context: TemplateContext,
-	session_store: Session,
-	form: RegistrationForm,
-	next: Option<LoginTarget>,
-) -> Result<Result<Response, ValidationErrors>> {
-	let open_registration = services
-		.config
-		.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse;
-	let mut errors = ValidationErrors::new();
-
-	let user_id = match services
-		.users
-		.determine_registration_user_id(Some(form.username), form.email.as_ref(), None)
-		.await
-	{
-		| Ok(user_id) => user_id,
-		| Err(err) => {
-			errors.add(
-				"username",
-				ValidationError::new("invalid").with_message(err.message().into()),
-			);
-			return Ok(Err(errors));
-		},
-	};
-
-	let password_hash = match HashedPassword::new(&form.password) {
-		| Ok(password) => password,
-		| Err(err) => {
-			errors.add(
-				"password",
-				ValidationError::new("invalid").with_message(err.message().into()),
-			);
-			return Ok(Err(errors));
-		},
-	};
-
-	let mut registration_token = None;
-
-	// Check flow-specific form fields
-	match form.flow {
-		| RequestedRegistrationFlow::Trusted => {
-			// If the form claims to be using the trusted flow, it has to have a
-			// registration token
-
-			let Some(valid_token) = async {
-				services
-					.registration_tokens
-					.validate_token(form.registration_token?)
-					.await
-			}
-			.await
-			else {
-				errors.add(
-					"registration_token",
-					ValidationError::new("invalid")
-						.with_message("Invalid registration token".into()),
-				);
-				return Ok(Err(errors));
-			};
-
-			registration_token = Some(valid_token);
-		},
-		| RequestedRegistrationFlow::Untrusted => {
-			// Don't check auth for the untrusted flow at all if open reg is enabled
-			if !open_registration {
-				// If the form claims to be using the untrusted flow, it _may_ need to have a
-				// reCAPTCHA response if reCAPTCHA is configured
-
-				if let Some(recaptcha_private_site_key) =
-					&services.config.recaptcha_private_site_key
-				{
-					let Some(recaptcha_response) = form.recaptcha_response else {
-						return Err(WebError::BadRequest(
-							"reCAPTCHA response expected".to_owned(),
-						));
-					};
-
-					if recaptcha_verify::verify_v3(
-						recaptcha_private_site_key,
-						&recaptcha_response,
-						None,
-					)
-					.await
-					.is_err()
-					{
-						errors.add(
-							"recaptcha",
-							ValidationError::new("missing")
-								.with_message("Please complete the CAPTCHA".into()),
-						);
-						return Ok(Err(errors));
-					}
-				}
-			}
-		},
-	}
-
-	let completed_registration = CompletedRegistration {
-		user_id,
-		password_hash,
-		registration_token,
-		next,
-	};
-
-	// Check if we need to send an email
-	let require_email = services
-		.config
-		.smtp
-		.as_ref()
-		.is_some_and(|smtp| match form.flow {
-			| RequestedRegistrationFlow::Trusted => smtp.require_email_for_token_registration,
-			| RequestedRegistrationFlow::Untrusted =>
-				!open_registration && smtp.require_email_for_registration,
-		});
-
-	if require_email {
-		// If an email is required we have to validate it before we can complete
-		// registration
-		let Some(address) = form.email else {
-			errors.add(
-				"email",
-				ValidationError::new("missing")
-					.with_message("Please provide an email address".into()),
-			);
-			return Ok(Err(errors));
-		};
-
-		if services
-			.threepid
-			.get_localpart_for_email(&address)
-			.await
-			.is_some()
-		{
-			errors.add(
-				"email",
-				ValidationError::new("in_use")
-					.with_message("This email address is already in use.".into()),
-			);
-			return Ok(Err(errors));
-		}
-
-		let client_secret = ClientSecret::new();
-
-		let session_id = {
-			match services
-				.threepid
-				.send_validation_email(
-					Mailbox::new(None, address.clone()),
-					|verification_link| messages::NewAccount {
-						server_name: services.globals.server_name().as_str(),
-						verification_link,
-					},
-					&client_secret,
-					0,
-				)
-				.await
-			{
-				| Ok(session_id) => session_id,
-				| Err(err) => {
-					warn!(
-						"Failed to send new account message for {} to {}: {err}",
-						&completed_registration.user_id, address,
-					);
-
-					errors.add(
-						"email",
-						ValidationError::new("invalid").with_message(
-							"Failed to send validation email. Is this address correct?".into(),
-						),
-					);
-					return Ok(Err(errors));
-				},
-			}
-		};
-
-		session_store
-			.insert(COMPLETED_REGISTRATION_KEY, completed_registration)
-			.await
-			.expect("should have been able to serialize completed registration");
-
-		Ok(response!(
-			RegisterEmailValidate::new(context, session_id, client_secret, false,)
-		))
-	} else {
-		// If email isn't required we can immediately complete registration
-		Ok(response!(
-			complete_registration(services, session_store, completed_registration, None).await
-		))
-	}
-}
-
-async fn complete_registration(
-	services: &crate::State,
-	session_store: Session,
-	CompletedRegistration {
-		user_id,
-		password_hash,
-		registration_token,
-		next,
-	}: CompletedRegistration,
-	email: Option<Address>,
-) -> Redirect {
-	services
-		.users
-		.create_local_account(&user_id, password_hash, email)
-		.await;
-
-	if let Some(registration_token) = registration_token {
-		services
-			.registration_tokens
-			.mark_token_as_used(registration_token);
-	}
-
-	let user_session = UserSession { user_id, last_login: SystemTime::now() };
-
-	session_store
-		.insert(User::KEY, user_session)
-		.await
-		.expect("should be able to serialize user session");
-
-	Redirect::to(&next.unwrap_or_default().target_path())
-}
-
-pub(super) async fn registration_flow_status(
-	services: &crate::State,
-) -> (TrustedFlowStatus, UntrustedFlowStatus) {
-	// Allow registration if it's enabled in the config file or if this is the first
-	// run (so the first user account can be created)
-	let allow_registration =
-		services.config.allow_registration || services.firstrun.is_first_run();
-
-	// Trusted flow is only available if any registration tokens exist
-	let trusted_flow_status = {
-		if !allow_registration {
-			TrustedFlowStatus::Unavailable
-		} else if services
-			.registration_tokens
-			.iterate_tokens()
-			.next()
-			.await
-			.is_some()
-		{
-			TrustedFlowStatus::Available
-		} else {
-			TrustedFlowStatus::Unavailable
-		}
-	};
-
-	// Untrusted flow is available if email is required for registration,
-	// or reCAPTCHA is configured, or open registration is enabled
-	let untrusted_flow_status = {
-		let require_email = services
-			.config
-			.smtp
-			.as_ref()
-			.is_some_and(|smtp| smtp.require_email_for_registration);
-
-		if !allow_registration || services.firstrun.is_first_run() {
-			UntrustedFlowStatus::Unavailable
-		} else if services.config.recaptcha_private_site_key.is_some() || require_email {
-			UntrustedFlowStatus::Available { require_email }
-		} else if services
-			.config
-			.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
-		{
-			UntrustedFlowStatus::Available { require_email: false }
-		} else {
-			UntrustedFlowStatus::Unavailable
-		}
-	};
-
-	(trusted_flow_status, untrusted_flow_status)
-}

src/web/pages/components/form.rs

@@ -1,34 +1,13 @@
 use askama::{Template, filters::HtmlSafe};
 use validator::ValidationErrors;
 
-use crate::pages::TemplateContext;
-
 /// A reusable form component with field validation.
 #[derive(Debug, Template)]
 #[template(path = "_components/form.html.j2")]
 pub(crate) struct Form<'a> {
-	context: TemplateContext,
-	inputs: Vec<FormInput<'a>>,
-	submit_label: &'a str,
-	slowdown: bool,
+	pub inputs: Vec<FormInput<'a>>,
 	pub validation_errors: Option<ValidationErrors>,
-}
-
-impl<'a> Form<'a> {
-	pub(crate) fn new(
-		context: TemplateContext,
-		inputs: Vec<FormInput<'a>>,
-		submit_label: &'a str,
-		slowdown: bool,
-	) -> Self {
-		Self {
-			context,
-			inputs,
-			submit_label,
-			slowdown,
-			validation_errors: None,
-		}
-	}
+	pub submit_label: &'a str,
 }
 
 impl HtmlSafe for Form<'_> {}
@@ -71,16 +50,6 @@ fn default() -> Self {
 	}
 }
 
-#[macro_export]
-macro_rules! default {
-	($value:expr) => {
-		$value
-	};
-	() => {
-		Default::default()
-	};
-}
-
 /// Generate a deserializable struct which may be turned into a [`Form`]
 /// for inclusion in another template.
 #[macro_export]
@@ -94,7 +63,6 @@ struct $struct_name:ident {
             ),*
 
             submit: $submit_label:expr
-            $(, slowdown: $slowdown:expr)?
         }
     ) => {
         #[derive(Debug, serde::Deserialize, validator::Validate)]
@@ -109,10 +77,9 @@ struct $struct_name {
         impl $struct_name {
             /// Generate a [`Form`] which matches the shape of this struct.
             #[allow(clippy::needless_update)]
-            fn build(context: TemplateContext) -> $crate::pages::components::form::Form<'static> {
-                $crate::pages::components::form::Form::new(
-                    context,
-                    vec![
+            fn build(validation_errors: Option<validator::ValidationErrors>) -> $crate::pages::components::form::Form<'static> {
+                $crate::pages::components::form::Form {
+                    inputs: vec![
                         $(
                             $crate::pages::components::form::FormInput {
                                 id: stringify!($name),
@@ -122,17 +89,9 @@ fn build(context: TemplateContext) -> $crate::pages::components::form::Form<'sta
                             },
                         )*
                     ],
-                    $submit_label,
-                    $crate::default!($($slowdown)?)
-                )
-            }
-
-            /// Generate a [`Form`] with validation errors.
-            #[allow(unused)]
-            fn with_errors(context: TemplateContext, errors: validator::ValidationErrors) -> $crate::pages::components::form::Form<'static> {
-                let mut form = Self::build(context);
-                form.validation_errors = Some(errors);
-                form
+                    validation_errors,
+                    submit_label: $submit_label,
+                }
             }
         }
     };

src/web/pages/components/mod.rs

@@ -1,33 +1,37 @@
-use std::{collections::BTreeSet, time::SystemTime};
-
 use askama::{Template, filters::HtmlSafe};
 use base64::Engine;
-use conduwuit_core::{result::FlatOk, utils};
-use conduwuit_service::{
-	Services,
-	media::mxc::Mxc,
-	oauth::{client_metadata::ClientMetadata, grant::Scope},
-};
-use ruma::{OwnedDeviceId, OwnedUserId, UserId, api::client::device::Device};
+use conduwuit_core::result::FlatOk;
+use conduwuit_service::{Services, media::mxc::Mxc};
+use ruma::UserId;
 
 pub(super) mod form;
 
 #[derive(Debug)]
-pub(super) enum AvatarType {
+pub(super) enum AvatarType<'a> {
 	Initial(char),
-	Image(String),
+	Image(&'a str),
 }
 
 #[derive(Debug, Template)]
 #[template(path = "_components/avatar.html.j2")]
-pub(super) struct Avatar {
-	pub(super) avatar_type: AvatarType,
+pub(super) struct Avatar<'a> {
+	pub(super) avatar_type: AvatarType<'a>,
 }
 
-impl HtmlSafe for Avatar {}
+impl HtmlSafe for Avatar<'_> {}
 
-impl Avatar {
-	pub(super) async fn for_local_user(services: &Services, user_id: &UserId) -> Self {
+#[derive(Debug, Template)]
+#[template(path = "_components/user_card.html.j2")]
+pub(super) struct UserCard<'a> {
+	pub user_id: &'a UserId,
+	pub display_name: Option<String>,
+	pub avatar_src: Option<String>,
+}
+
+impl HtmlSafe for UserCard<'_> {}
+
+impl<'a> UserCard<'a> {
+	pub(super) async fn for_local_user(services: &Services, user_id: &'a UserId) -> Self {
 		let display_name = services.users.displayname(user_id).await.ok();
 
 		let avatar_src = async {
@@ -50,140 +54,22 @@ pub(super) async fn for_local_user(services: &Services, user_id: &UserId) -> Sel
 		}
 		.await;
 
-		let avatar_type = if let Some(avatar_src) = avatar_src {
+		Self { user_id, display_name, avatar_src }
+	}
+
+	fn avatar(&'a self) -> Avatar<'a> {
+		let avatar_type = if let Some(ref avatar_src) = self.avatar_src {
 			AvatarType::Image(avatar_src)
-		} else if let Some(initial) = display_name
+		} else if let Some(initial) = self
+			.display_name
 			.as_ref()
 			.and_then(|display_name| display_name.chars().next())
 		{
 			AvatarType::Initial(initial)
 		} else {
-			AvatarType::Initial(user_id.localpart().chars().next().unwrap())
+			AvatarType::Initial(self.user_id.localpart().chars().next().unwrap())
 		};
 
-		Self { avatar_type }
-	}
-
-	pub(super) fn for_device(
-		oauth_metadata: Option<&ClientMetadata>,
-		display_name: Option<&str>,
-	) -> Self {
-		let avatar_src = oauth_metadata
-			.and_then(|metadata| metadata.logo_uri.as_ref())
-			.map(|uri| uri.as_str().to_owned());
-
-		let avatar_type = if let Some(avatar_src) = avatar_src {
-			AvatarType::Image(avatar_src)
-		} else if let Some(initial) = display_name.and_then(|name| name.chars().next()) {
-			if oauth_metadata.is_some() {
-				AvatarType::Initial(initial)
-			} else {
-				AvatarType::Initial('❖')
-			}
-		} else {
-			AvatarType::Initial('?')
-		};
-
-		Self { avatar_type }
+		Avatar { avatar_type }
 	}
 }
-
-#[derive(Debug, Template)]
-#[template(path = "_components/user_card.html.j2")]
-pub(super) struct UserCard {
-	pub user_id: OwnedUserId,
-	pub display_name: Option<String>,
-	pub avatar: Avatar,
-}
-
-impl HtmlSafe for UserCard {}
-
-impl UserCard {
-	pub(super) async fn for_local_user(services: &Services, user_id: OwnedUserId) -> Self {
-		let display_name = services.users.displayname(&user_id).await.ok();
-		let avatar = Avatar::for_local_user(services, &user_id).await;
-
-		Self { user_id, display_name, avatar }
-	}
-}
-
-#[derive(Debug, Template)]
-#[template(path = "_components/device_card.html.j2")]
-pub(super) struct DeviceCard {
-	pub device_id: OwnedDeviceId,
-	pub display_name: Option<String>,
-	pub avatar: Avatar,
-	pub last_active: String,
-	pub oauth_metadata: Option<ClientMetadata>,
-	pub style: DeviceCardStyle,
-}
-
-impl HtmlSafe for DeviceCard {}
-
-#[derive(Debug, PartialEq, Eq)]
-pub(super) enum DeviceCardStyle {
-	Minimal,
-	Detailed,
-}
-
-impl DeviceCard {
-	pub(super) async fn for_device(
-		services: &Services,
-		user_id: &UserId,
-		device: Device,
-		style: DeviceCardStyle,
-	) -> Self {
-		let oauth_metadata = async {
-			let session_info = services
-				.oauth
-				.get_session_info_for_device(user_id, &device.device_id)
-				.await?;
-
-			Some(
-				services
-					.oauth
-					.get_client_metadata(&session_info.client_id)
-					.await
-					.expect("client should exist"),
-			)
-		}
-		.await;
-
-		let display_name = oauth_metadata
-			.as_ref()
-			.and_then(|metadata| metadata.client_name.clone())
-			.or_else(|| device.display_name.clone());
-
-		let avatar = Avatar::for_device(oauth_metadata.as_ref(), display_name.as_deref());
-
-		let last_active = device.last_seen_ts.map_or_else(
-			|| "unknown".to_owned(),
-			|last_seen_ts| {
-				last_seen_ts
-					.to_system_time()
-					.and_then(|t| SystemTime::now().duration_since(t).ok())
-					.map_or_else(
-						|| "now".to_owned(),
-						|duration| format!("{} ago", utils::time::pretty(duration)),
-					)
-			},
-		);
-
-		Self {
-			device_id: device.device_id,
-			display_name,
-			avatar,
-			last_active,
-			oauth_metadata,
-			style,
-		}
-	}
-}
-
-#[derive(Debug, Template)]
-#[template(path = "_components/client_scopes.html.j2")]
-pub(super) struct ClientScopes {
-	pub scopes: BTreeSet<Scope>,
-}
-
-impl HtmlSafe for ClientScopes {}

src/web/pages/index.rs

@@ -1,39 +1,25 @@
-use axum::{Extension, Router, extract::State, routing::get};
+use axum::{Router, extract::State, response::IntoResponse, routing::get};
 
-use crate::{
-	pages::{Result, TemplateContext},
-	response, template,
-};
+use crate::{WebError, template};
 
 pub(crate) fn build() -> Router<crate::State> {
 	Router::new()
-		.route("/", get(get_index))
-		.route(&format!("{}/", crate::ROUTE_PREFIX), get(get_index))
-		.route(&format!("{}/_book", crate::ROUTE_PREFIX), get(get_book))
+		.route("/", get(index))
+		.route("/_continuwuity/", get(index))
 }
 
-template! {
-	struct Index<'a> use "index.html.j2" {
-		server_name: &'a str,
-		first_run: bool
+async fn index(State(services): State<crate::State>) -> Result<impl IntoResponse, WebError> {
+	template! {
+		struct Index<'a> use "index.html.j2" {
+			server_name: &'a str,
+			first_run: bool
+		}
 	}
-}
 
-async fn get_index(
-	State(services): State<crate::State>,
-	Extension(context): Extension<TemplateContext>,
-) -> Result {
-	response!(Index::new(
-		context,
+	Ok(Index::new(
+		&services,
 		services.globals.server_name().as_str(),
 		services.firstrun.is_first_run(),
-	))
-}
-
-template! {
-	struct Book use "book.html.j2" {}
-}
-
-async fn get_book(Extension(context): Extension<TemplateContext>) -> Result {
-	response!(Book::new(context))
+	)
+	.into_response())
 }

src/web/pages/mod.rs

@@ -1,70 +1,21 @@
-use std::sync::Arc;
-
-use axum::{
-	extract::{Request, State},
-	http::{HeaderValue, header},
-	middleware::Next,
-	response::Response,
-	routing::MethodFilter,
-};
-use conduwuit_core::utils;
-
-use crate::WebError;
-
-pub(super) mod account;
 mod components;
 pub(super) mod debug;
 pub(super) mod index;
-pub(super) mod oauth;
+pub(super) mod password_reset;
 pub(super) mod resources;
 pub(super) mod threepid;
 
-type Result<T = Response, E = WebError> = std::result::Result<T, E>;
-
-const GET_POST: MethodFilter = MethodFilter::GET.or(MethodFilter::POST);
-
-#[derive(Debug, Clone)]
+#[derive(Debug)]
 pub(crate) struct TemplateContext {
 	pub allow_indexing: bool,
-	pub csp_nonce: String,
 }
 
-const CSP_NONCE_LENGTH: usize = 32;
-
-pub(super) async fn template_context_middleware(
-	State(config): State<Arc<conduwuit_service::config::Service>>,
-	mut request: Request,
-	next: Next,
-) -> Response {
-	let csp_nonce = utils::random_string(CSP_NONCE_LENGTH);
-	let context = TemplateContext {
-		allow_indexing: config.allow_web_indexing,
-		csp_nonce: csp_nonce.clone(),
-	};
-
-	assert!(
-		request.extensions_mut().insert(context).is_none(),
-		"template context should only be inserted once"
-	);
-
-	let mut response = next.run(request).await;
-
-	let child_src = if config.recaptcha_site_key.is_some() {
-		"www.google.com"
-	} else {
-		"'none'"
-	};
-
-	response.headers_mut().insert(
-		header::CONTENT_SECURITY_POLICY,
-		HeaderValue::from_str(&format!(
-			"default-src 'none'; style-src 'self'; img-src 'self' https: data:; script-src \
-			 'nonce-{csp_nonce}'; child-src {child_src};"
-		))
-		.expect("should be able to build CSP header"),
-	);
-
-	response
+impl From<&crate::State> for TemplateContext {
+	fn from(state: &crate::State) -> Self {
+		Self {
+			allow_indexing: state.config.allow_web_indexing,
+		}
+	}
 }
 
 #[macro_export]
@@ -76,17 +27,15 @@ struct $name:ident $(<$lifetime:lifetime>)? use $path:literal {
     ) => {
         #[derive(Debug, askama::Template)]
         #[template(path = $path)]
-		#[allow(unused)]
         struct $name$(<$lifetime>)? {
-			context: $crate::pages::TemplateContext,
+            context: $crate::pages::TemplateContext,
             $($field_name: $field_type,)*
         }
 
         impl$(<$lifetime>)? $name$(<$lifetime>)? {
-            #[allow(clippy::too_many_arguments)]
-            fn new(context: $crate::pages::TemplateContext, $($field_name: $field_type,)*) -> Self {
+            fn new(state: &$crate::State, $($field_name: $field_type,)*) -> Self {
                 Self {
-                    context,
+                    context: state.into(),
                     $($field_name,)*
                 }
             }
@@ -105,16 +54,3 @@ fn into_response(self) -> axum::response::Response {
         }
     };
 }
-
-#[macro_export]
-macro_rules! response {
-	(BadRequest($body:expr)) => {
-		response!((axum::http::StatusCode::BAD_REQUEST, $body))
-	};
-
-	($body:expr) => {{
-		use axum::response::IntoResponse;
-
-		Ok($body.into_response())
-	}};
-}

src/web/pages/oauth/grant.rs

@@ -1,144 +0,0 @@
-use axum::{
-	Extension, Router,
-	extract::{Query, State},
-	response::Redirect,
-	routing::on,
-};
-use conduwuit_service::oauth::grant::{AuthorizationCodeQuery, Prompt};
-use ruma::OwnedUserId;
-use url::Url;
-
-use crate::{
-	ROUTE_PREFIX, WebError,
-	extract::{Expect, PostForm},
-	pages::{
-		GET_POST, Result, TemplateContext,
-		account::register::{RegisterQuery, RequestedRegistrationFlow},
-		components::{Avatar, AvatarType, ClientScopes},
-	},
-	response,
-	session::{LoginQuery, LoginTarget, User},
-	template,
-};
-
-pub(crate) fn build() -> Router<crate::State> {
-	Router::new().route("/authorization_code", on(GET_POST, route_authorization_code))
-}
-
-template! {
-	struct Grant use "grant.html.j2" {
-		logout_query: String,
-		user_id: OwnedUserId,
-		user_avatar: Avatar,
-		client_uri: Url,
-		client_name: String,
-		client_avatar: Avatar,
-		policy_uri: Option<Url>,
-		tos_uri: Option<Url>,
-		scopes: ClientScopes
-	}
-}
-
-async fn route_authorization_code(
-	State(services): State<crate::State>,
-	Extension(context): Extension<TemplateContext>,
-	user: User,
-	Expect(Query(query)): Expect<Query<AuthorizationCodeQuery>>,
-	PostForm(form): PostForm<()>,
-) -> Result {
-	let user_id = if let Some(user) = user.into_session() {
-		user.user_id
-	} else {
-		let is_first_run = services.firstrun.is_first_run();
-		let next = LoginTarget::AuthorizationCode(query.clone());
-
-		let uri = if query
-			.prompt
-			.is_some_and(|prompt| matches!(prompt, Prompt::Create))
-			|| is_first_run
-		{
-			format!(
-				"{}/account/register/?{}",
-				ROUTE_PREFIX,
-				serde_urlencoded::to_string(RegisterQuery {
-					next: Some(next),
-					flow: if is_first_run {
-						Some(RequestedRegistrationFlow::Trusted)
-					} else {
-						None
-					},
-					..Default::default()
-				})
-				.unwrap()
-			)
-		} else {
-			format!(
-				"{}/account/login?{}",
-				ROUTE_PREFIX,
-				serde_urlencoded::to_string(LoginQuery {
-					next: Some(next),
-					..Default::default()
-				})
-				.unwrap()
-			)
-		};
-
-		return response!(Redirect::to(&uri));
-	};
-
-	if form.is_some() {
-		let redirect_uri = services
-			.oauth
-			.request_authorization_code(user_id, query)
-			.await
-			.map_err(WebError::BadRequest)?;
-
-		return response!(Redirect::to(&redirect_uri));
-	}
-
-	let Some(client) = services.oauth.get_client_metadata(&query.client_id).await else {
-		return Err(WebError::BadRequest("Invalid client ID".to_owned()));
-	};
-
-	let scopes = query.scope.to_scopes().map_err(WebError::BadRequest)?;
-
-	let client_name = if let Some(name) = &client.client_name {
-		name
-	} else {
-		"Unknown application"
-	}
-	.to_owned();
-
-	let client_avatar = {
-		let avatar_type = if let Some(logo) = &client.logo_uri {
-			AvatarType::Image(logo.to_string())
-		} else if let Some(name) = &client.client_name
-			&& let Some(char) = name.chars().next()
-		{
-			AvatarType::Initial(char)
-		} else {
-			AvatarType::Initial('?')
-		};
-
-		Avatar { avatar_type }
-	};
-
-	let user_avatar = Avatar::for_local_user(&services, &user_id).await;
-
-	response!(Grant::new(
-		context,
-		serde_urlencoded::to_string(LoginQuery {
-			next: Some(LoginTarget::AuthorizationCode(query)),
-			reauthenticate: false,
-		})
-		.unwrap(),
-		user_id,
-		user_avatar,
-		client.client_uri.clone(),
-		client_name,
-		client_avatar,
-		client.policy_uri.clone(),
-		client.tos_uri.clone(),
-		ClientScopes { scopes },
-	))
-}

src/web/pages/oauth/mod.rs

@@ -1,10 +0,0 @@
-use axum::Router;
-
-mod grant;
-
-pub(crate) fn build() -> Router<crate::State> {
-	#[allow(clippy::wildcard_imports)]
-	use self::*;
-
-	Router::new().nest("/grant/", grant::build())
-}

src/web/pages/password_reset.rs

@@ -0,0 +1,119 @@
+use axum::{
+	Router,
+	extract::{
+		Query, State,
+		rejection::{FormRejection, QueryRejection},
+	},
+	http::StatusCode,
+	response::{IntoResponse, Response},
+	routing::get,
+};
+use serde::Deserialize;
+use validator::Validate;
+
+use crate::{
+	WebError, form,
+	pages::components::{UserCard, form::Form},
+	template,
+};
+
+const INVALID_TOKEN_ERROR: &str = "Invalid reset token. Your reset link may have expired.";
+
+template! {
+	struct PasswordReset<'a> use "password_reset.html.j2" {
+		user_card: UserCard<'a>,
+		body: PasswordResetBody
+	}
+}
+
+#[derive(Debug)]
+enum PasswordResetBody {
+	Form(Form<'static>),
+	Success,
+}
+
+form! {
+	struct PasswordResetForm {
+		#[validate(length(min = 1, message = "Password cannot be empty"))]
+		new_password: String where {
+			input_type: "password",
+			label: "New password",
+			autocomplete: "new-password"
+		},
+
+		#[validate(must_match(other = "new_password", message = "Passwords must match"))]
+		confirm_new_password: String where {
+			input_type: "password",
+			label: "Confirm new password",
+			autocomplete: "new-password"
+		}
+
+		submit: "Reset Password"
+	}
+}
+
+pub(crate) fn build() -> Router<crate::State> {
+	Router::new()
+		.route("/account/reset_password", get(get_password_reset).post(post_password_reset))
+}
+
+#[derive(Deserialize)]
+struct PasswordResetQuery {
+	token: String,
+}
+
+async fn password_reset_form(
+	services: crate::State,
+	query: PasswordResetQuery,
+	reset_form: Form<'static>,
+) -> Result<impl IntoResponse, WebError> {
+	let Some(token) = services.password_reset.check_token(&query.token).await else {
+		return Err(WebError::BadRequest(INVALID_TOKEN_ERROR.to_owned()));
+	};
+
+	let user_card = UserCard::for_local_user(&services, &token.info.user).await;
+
+	Ok(PasswordReset::new(&services, user_card, PasswordResetBody::Form(reset_form))
+		.into_response())
+}
+
+async fn get_password_reset(
+	State(services): State<crate::State>,
+	query: Result<Query<PasswordResetQuery>, QueryRejection>,
+) -> Result<impl IntoResponse, WebError> {
+	let Query(query) = query?;
+
+	password_reset_form(services, query, PasswordResetForm::build(None)).await
+}
+
+async fn post_password_reset(
+	State(services): State<crate::State>,
+	query: Result<Query<PasswordResetQuery>, QueryRejection>,
+	form: Result<axum::Form<PasswordResetForm>, FormRejection>,
+) -> Result<Response, WebError> {
+	let Query(query) = query?;
+	let axum::Form(form) = form?;
+
+	match form.validate() {
+		| Ok(()) => {
+			let Some(token) = services.password_reset.check_token(&query.token).await else {
+				return Err(WebError::BadRequest(INVALID_TOKEN_ERROR.to_owned()));
+			};
+			let user_id = token.info.user.clone();
+
+			services
+				.password_reset
+				.consume_token(token, &form.new_password)
+				.await?;
+
+			let user_card = UserCard::for_local_user(&services, &user_id).await;
+			Ok(PasswordReset::new(&services, user_card, PasswordResetBody::Success)
+				.into_response())
+		},
+		| Err(err) => Ok((
+			StatusCode::BAD_REQUEST,
+			password_reset_form(services, query, PasswordResetForm::build(Some(err))).await,
+		)
+			.into_response()),
+	}
+}

src/web/pages/resources/book.css

@@ -1,22 +0,0 @@
-html {
-    height: 100svh;
-    --bg: oklch(0.44 0.177 353.06);
-    background-color: var(--bg);
-    background-image: linear-gradient(180deg, var(--bg) 55%, black 100%);;
-}
-
-main {
-    margin-top: 20vh;
-    margin-left: 5%;
-    margin-right: 5%;
-    color: white;
-    font-family: monospace;
-    font-size: 1.3em;
-    line-height: 1.2;
-}
-
-em {
-    font-size: 1.35em;
-    font-weight: bold;
-    white-space: nowrap;
-}

src/web/pages/resources/common.css

@@ -9,7 +9,6 @@
     --panel-bg: oklch(0.91 0.042 317.27);
     --c1: oklch(0.44 0.177 353.06);
     --c2: oklch(0.59 0.158 150.88);
-    --avatar-color: var(--c2);
 
     --name-lightness: 0.45;
     --background-lightness: 0.9;
@@ -27,7 +26,7 @@
 
     @media (prefers-color-scheme: dark) {
         color-scheme: dark;
-        --text-color: #f5ebeb;
+        --text-color: #fff;
         --secondary: #888;
         --bg: oklch(0.15 0.042 317.27);
         --panel-bg: oklch(0.24 0.03 317.27);
@@ -55,13 +54,10 @@
 }
 
 body {
-    display: flex;
-    flex-direction: column;
-    align-items: center;
-    justify-content: space-around;
-
+    display: grid;
     margin: 0;
     padding: 0;
+    place-items: center;
     min-height: 100vh;
 
     color: var(--text-color);
@@ -77,7 +73,6 @@ html {
 
 footer {
     padding-inline: 0.25rem;
-    margin-top: 1rem;
     height: max(fit-content, 2rem);
 
     .logo {
@@ -88,29 +83,12 @@ footer {
 
 p {
     margin: 1rem 0;
-
-    a {
-        white-space: nowrap;
-    }
-}
-
-section {
-    margin: 1rem 0;
 }
 
 em {
     color: oklch(from var(--c2) var(--name-lightness) c h);
     font-weight: bold;
     font-style: normal;
-
-    &.negative {
-        color: red;
-    }
-}
-
-hr {
-    border-width: 1px;
-    border-color: var(--secondary);
 }
 
 small {
@@ -128,88 +106,36 @@ small.error {
 .panel {
     --preferred-width: 12rem + 40dvw;
     --maximum-width: 48rem;
-    --minimum-width: 32rem;
 
-    width: min(clamp(var(--minimum-width), var(--preferred-width), var(--maximum-width)), calc(100dvw - 3rem));
+    width: min(clamp(24rem, var(--preferred-width), var(--maximum-width)), calc(100dvw - 3rem));
     border-radius: var(--border-radius-lg);
     background-color: var(--panel-bg);
     padding-inline: 1.5rem;
     padding-block: 1rem;
-    margin-top: 1em;
-    margin-bottom: auto;
     box-shadow: 0 0.25em 0.375em hsla(0, 0%, 0%, 0.1);
 
-    &.middle {
-        margin-top: 0;
-        margin-bottom: 0;
-    }
-
     &.narrow {
         --preferred-width: 12rem + 20dvw;
         --maximum-width: 36rem;
 
-        input, button, a.button {
+        input, button {
             width: 100%;
         }
     }
-
-    &:not(.narrow) form p {
-        margin-bottom: 0;
-    }
-}
-
-img.matrix-icon {
-    @media (prefers-color-scheme: dark) {
-        filter: invert();
-    }
-}
-
-h1.with-matrix-icon {
-    display: flex;
-    align-items: center;
-
-    a:last-of-type {
-        margin-left: auto;
-
-        img {
-            height: 1em;
-        }
-    }
-}
-
-h1 a.back {
-    font-size: initial;
-    font-weight: initial;
 }
 
 label {
     display: block;
-    margin-bottom: 0.2em;
 }
 
-a, a:visited {
-    color: oklch(from var(--c1) var(--name-lightness) c h);
-}
-
-code {
-    color: oklch(from var(--secondary) var(--name-lightness) c h);
-}
-
-pre {
-    background-color: oklch(from var(--panel-bg) calc(l - 0.05) c h);
-    border-radius: var(--border-radius-sm);
-    padding: 8px;
-}
-
-input, button, a.button {
+input, button {
     display: inline-block;
     padding: 0.5em;
+    margin-bottom: 0.5em;
 
     font-size: inherit;
     font-family: inherit;
-    line-height: normal;
-    color: var(--text-color);
-    text-decoration: none;
+    color: white;
     background-color: transparent;
 
     border: none;
@@ -225,36 +151,14 @@ input {
     }
 }
 
-input[type="checkbox"] {
-    display: inline;
-    margin: 0;
-    width: auto !important;
-}
-
-button, a.button {
-    color: white;
+button {
     background-color: var(--c1);
     transition: opacity .2s;
-    text-align: center;
-    margin: 0.5rem 0;
 
     &:enabled:hover {
         opacity: 0.8;
         cursor: pointer;
     }
-
-    &:disabled {
-        color: lightgray;
-        background-color: gray;
-    }
-
-    &:not(:disabled) {
-        transition: linear color, background-color 0.1s;
-    }
-
-    &:visited {
-        color: white;
-    }
 }
 
 h1 {
@@ -262,15 +166,6 @@ h1 {
     margin-bottom: 0.67em;
 }
 
-.fullwidth {
-    width: 100%;
-    margin-bottom: 0 !important;
-}
-
-.select-all {
-    user-select: all;
-}
-
 @media (max-width: 425px) {
     main {
         padding-block-start: 2rem;
@@ -280,12 +175,11 @@ h1 {
     .panel {
         border-radius: 0;
         width: 100%;
-        margin-top: 0;
     }
 }
 
 @media (max-width: 799px) {
-    input, button, a.button {
+    input, button {
         width: 100%;
     }
 }

src/web/pages/resources/components.css

@@ -11,17 +11,12 @@
     font-size: calc(var(--avatar-size) * 0.5);
     font-weight: 700;
     line-height: calc(var(--avatar-size) - 2px);
-    user-select: none;
 
-    color: oklch(from var(--avatar-color) calc(l + 0.2) c h);
-    background-color: var(--avatar-color);
+    color: oklch(from var(--c1) calc(l + 0.2) c h);
+    background-color: var(--c1);
 }
 
-.red-avatar {
-    --avatar-color: var(--c1);
-}
-
-.card {
+.user-card {
     display: flex;
     flex-direction: row;
     align-items: center;
@@ -37,21 +32,13 @@
         p {
             margin: 0;
 
-            &.name {
+            &.display-name {
                 font-weight: 700;
             }
-        }
 
-        .id {
-            color: var(--secondary);
-            font-weight: normal;
+            &:nth-of-type(2) {
+                color: var(--secondary);
+            }
         }
     }
 }
-
-.card-list {
-    display: flex;
-    flex-direction: column;
-    gap: 10px;
-    margin-top: 10px;
-}

src/web/pages/resources/error.css

@@ -2,19 +2,12 @@
     font-family: monospace;
     font-size: x-small;
     font-weight: 700;
-    transform: translate(0rem, 2rem);
+    transform: translate(1rem, 1.6rem);
     color: var(--secondary);
     user-select: none;
-    margin: 0;
-    padding: 0;
-    background: none;
 }
 
 h1 {
     display: flex;
     align-items: center;
 }
-
-code {
-    white-space: pre-wrap;
-}