feat: Enable debug logs in release builds

Requiring them is now handled by an action

.forgejo/actions/timelord/action.yml

@@ -71,7 +71,7 @@ runs:
 
     - name: Install timelord-cli and git-warp-time
       if: steps.check-binaries.outputs.need-install == 'true'
-      uses: https://github.com/taiki-e/install-action@787505cde8a44ea468a00478fe52baf23b15bccd # v2
+      uses: https://github.com/taiki-e/install-action@b5fddbb5361bce8a06fb168c9d403a6cc552b084 # v2
       with:
         tool: git-warp-time,timelord-cli@3.0.1
 

.forgejo/pull_request_template.md

@@ -45,7 +45,6 @@
   - [ ] I have [tested my contribution][c1t] (or proof-read it for documentation-only changes)
         myself, if applicable. This includes ensuring code compiles.
   - [ ] My commit messages follow the [commit message format][c1cm] and are descriptive.
-  - [ ] I have written a [news fragment][n1] for this PR, if applicable<!--(can be done after hitting open!)-->.
 
 <!--
 Notes on these requirements:
@@ -79,4 +78,3 @@
 [c1pc]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#pre-commit-checks
 [c1t]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#running-tests-locally
 [c1cm]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#commit-messages
-[n1]: https://towncrier.readthedocs.io/en/stable/tutorial.html#creating-news-fragments

.pre-commit-config.yaml

@@ -24,7 +24,7 @@ repos:
         - id: check-added-large-files
 
   - repo: https://github.com/crate-ci/typos
-    rev: v1.45.2
+    rev: v1.46.0
     hooks:
       - id: typos
       - id: typos

Cargo.toml

@@ -39,7 +39,10 @@ features = ["ffi", "std", "union"]
 version = "1.1.0"
 
 [workspace.dependencies.ctor]
-version = "0.10.0"
+version = "0.13.0"
+
+[workspace.dependencies.dtor]
+version = "0.13.0"
 
 [workspace.dependencies.cargo_toml]
 version = "0.22"
@@ -161,7 +164,7 @@ features = ["raw_value"]
 
 # Used for appservice registration files
 [workspace.dependencies.serde-saphyr]
-version = "0.0.24"
+version = "0.0.25"
 
 # Used to load forbidden room/user regex from config
 [workspace.dependencies.serde_regex]
@@ -349,7 +352,7 @@ version = "1.1.1"
 [workspace.dependencies.ruma]
 # version = "0.14.1"
 git = "https://github.com/ruma/ruma.git"
-rev = "8b522a87b541be0802fb3c7820747a6869d37318"
+rev = "5742fec0021b85fedbf5cd1f59c50a00bb5b9f7c"
 features = [
     "appservice-api-c",
     "client-api",
@@ -430,7 +433,7 @@ features = ["http", "grpc-tonic", "trace", "logs", "metrics"]
 
 # optional sentry metrics for crash/panic reporting
 [workspace.dependencies.sentry]
-version = "0.47.0"
+version = "0.48.0"
 default-features = false
 features = [
     "backtrace",
@@ -445,9 +448,9 @@ features = [
 ]
 
 [workspace.dependencies.sentry-tracing]
-version = "0.47.0"
+version = "0.48.0"
 [workspace.dependencies.sentry-tower]
-version = "0.47.0"
+version = "0.48.0"
 
 # jemalloc usage
 [workspace.dependencies.tikv-jemalloc-sys]
@@ -546,16 +549,11 @@ features = ["std"]
 [workspace.dependencies.maplit]
 version = "1.0.2"
 
-[workspace.dependencies.ldap3]
-version = "0.12.0"
-default-features = false
-features = ["sync", "tls-rustls", "rustls-provider"]
-
 [workspace.dependencies.yansi]
 version = "1.0.1"
 
 [workspace.dependencies.askama]
-version = "0.15.0"
+version = "0.16.0"
 
 [workspace.dependencies.lettre]
 version = "0.11.19"

changelog.d/+48bfd52a.bugfix.md

@@ -0,0 +1 @@
+The invite recipient's membership event is now included in invite stripped state, which should fix flaky invite display in some clients. Contributed by @ginger

changelog.d/1701.removal.md

@@ -0,0 +1 @@
+Removed support for LDAP.

changelog.d/1706.docs

@@ -0,0 +1 @@
+Clarified in the config that `max_request_size` affects federated media as well.

changelog.d/1710.feature

@@ -0,0 +1 @@
+Added support for fallback encryption keys.

conduwuit-example.toml

@@ -291,6 +291,7 @@
 #ip_lookup_strategy = 5
 
 # Max request size for file uploads in bytes. Defaults to 20MB.
+# Also limits incoming federated media.
 #
 #max_request_size = 20971520
 
@@ -1933,102 +1934,6 @@
 #
 #foci = []
 
-[global.ldap]
-
-# Whether to enable LDAP login.
-#
-# example: "true"
-#
-#enable = false
-
-# Whether to force LDAP authentication or authorize classical password
-# login.
-#
-# example: "true"
-#
-#ldap_only = false
-
-# URI of the LDAP server.
-#
-# example: "ldap://ldap.example.com:389"
-#
-#uri = ""
-
-# StartTLS for LDAP connections.
-#
-#use_starttls = false
-
-# Skip TLS certificate verification, possibly dangerous.
-#
-#disable_tls_verification = false
-
-# Root of the searches.
-#
-# example: "ou=users,dc=example,dc=org"
-#
-#base_dn = ""
-
-# Bind DN if anonymous search is not enabled.
-#
-# You can use the variable `{username}` that will be replaced by the
-# entered username. In such case, the password used to bind will be the
-# one provided for the login and not the one given by
-# `bind_password_file`. Beware: automatically granting admin rights will
-# not work if you use this direct bind instead of a LDAP search.
-#
-# example: "cn=ldap-reader,dc=example,dc=org" or
-# "cn={username},ou=users,dc=example,dc=org"
-#
-#bind_dn = ""
-
-# Path to a file on the system that contains the password for the
-# `bind_dn`.
-#
-# The server must be able to access the file, and it must not be empty.
-#
-#bind_password_file = ""
-
-# Search filter to limit user searches.
-#
-# You can use the variable `{username}` that will be replaced by the
-# entered username for more complex filters.
-#
-# example: "(&(objectClass=person)(memberOf=matrix))"
-#
-#filter = "(objectClass=*)"
-
-# Attribute to use to uniquely identify the user.
-#
-# example: "uid" or "cn"
-#
-#uid_attribute = "uid"
-
-# Attribute containing the display name of the user.
-#
-# example: "givenName" or "sn"
-#
-#name_attribute = "givenName"
-
-# Root of the searches for admin users.
-#
-# Defaults to `base_dn` if empty.
-#
-# example: "ou=admins,dc=example,dc=org"
-#
-#admin_base_dn = ""
-
-# The LDAP search filter to find administrative users for continuwuity.
-#
-# If left blank, administrative state must be configured manually for each
-# user.
-#
-# You can use the variable `{username}` that will be replaced by the
-# entered username for more complex filters.
-#
-# example: "(objectClass=conduwuitAdmin)" or "(uid={username})"
-#
-#admin_filter = ""
-
 #[global.antispam]
 
 #[global.antispam.meowlnir]

docker/Dockerfile

@@ -50,7 +50,7 @@ EOF
 
 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.18.1
+ENV BINSTALL_VERSION=1.19.0
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree

docker/musl.Dockerfile

@@ -18,7 +18,7 @@ RUN --mount=type=cache,target=/etc/apk/cache apk add \
 
 # Developer tool versions
 # renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
-ENV BINSTALL_VERSION=1.18.1
+ENV BINSTALL_VERSION=1.19.0
 # renovate: datasource=github-releases depName=psastras/sbom-rs
 ENV CARGO_SBOM_VERSION=0.9.1
 # renovate: datasource=crate depName=lddtree

flake.lock

@@ -3,11 +3,11 @@
     "advisory-db": {
       "flake": false,
       "locked": {
-        "lastModified": 1775907537,
-        "narHash": "sha256-vbeLNgmsx1Z6TwnlDV0dKyeBCcon3UpkV9yLr/yc6HM=",
+        "lastModified": 1777645914,
+        "narHash": "sha256-P1T7QVQS13OvkXEuEhI91CLaQfyv6iqV9vW8IBLLDYg=",
         "owner": "rustsec",
         "repo": "advisory-db",
-        "rev": "d99f7b9eb81731bddebf80a355f8be7b2f8b1b28",
+        "rev": "d6ba1f7070ba91f45efe372d68eb648be67d0417",
         "type": "github"
       },
       "original": {
@@ -18,11 +18,11 @@
     },
     "crane": {
       "locked": {
-        "lastModified": 1775839657,
-        "narHash": "sha256-SPm9ck7jh3Un9nwPuMGbRU04UroFmOHjLP56T10MOeM=",
+        "lastModified": 1777335812,
+        "narHash": "sha256-bEg5xoAxAwsyfnGhkEX7RJViTIBIYPd8ISg4O1c0HFc=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "7cf72d978629469c4bd4206b95c402514c1f6000",
+        "rev": "5e0fb2f64edff2822249f21293b8304dedaaf676",
         "type": "github"
       },
       "original": {
@@ -39,11 +39,11 @@
         "rust-analyzer-src": "rust-analyzer-src"
       },
       "locked": {
-        "lastModified": 1775891769,
-        "narHash": "sha256-EOfVlTKw2n8w1uhfh46GS4hEGnQ7oWrIWQfIY6utIkI=",
+        "lastModified": 1777624102,
+        "narHash": "sha256-thSyElkje577x/kAbP72nHlfiFc1a+tCudskLPHXe9s=",
         "owner": "nix-community",
         "repo": "fenix",
-        "rev": "6fbc54dde15aee725bdc7aae5e478849685d5f56",
+        "rev": "4d81601e0b73f20d81d066754ad0e7d1e7f75a06",
         "type": "github"
       },
       "original": {
@@ -89,11 +89,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1775710090,
-        "narHash": "sha256-ar3rofg+awPB8QXDaFJhJ2jJhu+KqN/PRCXeyuXR76E=",
+        "lastModified": 1777268161,
+        "narHash": "sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M+C8yzzIRYbE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "4c1018dae018162ec878d42fec712642d214fdfa",
+        "rev": "1c3fe55ad329cbcb28471bb30f05c9827f724c76",
         "type": "github"
       },
       "original": {
@@ -132,11 +132,11 @@
     "rust-analyzer-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1775843361,
-        "narHash": "sha256-j53ZgyDvmYf3Sjh1IPvvTjqa614qUfVQSzj59+MpzkY=",
+        "lastModified": 1777583169,
+        "narHash": "sha256-dVJ4+wrRKc8oIgp3rLOFSq1obt/sCKlXy3h47qof/w0=",
         "owner": "rust-lang",
         "repo": "rust-analyzer",
-        "rev": "9eb97ea96d8400e8957ddd56702e962614296583",
+        "rev": "aa64e4828a2bbba44463c1229a81c748d3cce583",
         "type": "github"
       },
       "original": {

package-lock.json

@@ -16,26 +16,24 @@
       }
     },
     "node_modules/@emnapi/core": {
-      "version": "1.9.2",
-      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.9.2.tgz",
-      "integrity": "sha512-UC+ZhH3XtczQYfOlu3lNEkdW/p4dsJ1r/bP7H8+rhao3TTTMO1ATq/4DdIi23XuGoFY+Cz0JmCbdVl0hz9jZcA==",
+      "version": "1.10.0",
+      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.10.0.tgz",
+      "integrity": "sha512-yq6OkJ4p82CAfPl0u9mQebQHKPJkY7WrIuk205cTYnYe+k2Z8YBh11FrbRG/H6ihirqcacOgl2BIO8oyMQLeXw==",
       "dev": true,
       "license": "MIT",
       "optional": true,
-      "peer": true,
       "dependencies": {
         "@emnapi/wasi-threads": "1.2.1",
         "tslib": "^2.4.0"
       }
     },
     "node_modules/@emnapi/runtime": {
-      "version": "1.9.2",
-      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.9.2.tgz",
-      "integrity": "sha512-3U4+MIWHImeyu1wnmVygh5WlgfYDtyf0k8AbLhMFxOipihf6nrWC4syIm/SwEeec0mNSafiiNnMJwbza/Is6Lw==",
+      "version": "1.10.0",
+      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.10.0.tgz",
+      "integrity": "sha512-ewvYlk86xUoGI0zQRNq/mC+16R1QeDlKQy21Ki3oSYXNgLb45GV1P6A0M+/s6nyCuNDqe5VpaY84BzXGwVbwFA==",
       "dev": true,
       "license": "MIT",
       "optional": true,
-      "peer": true,
       "dependencies": {
         "tslib": "^2.4.0"
       }
@@ -47,7 +45,6 @@
       "dev": true,
       "license": "MIT",
       "optional": true,
-      "peer": true,
       "dependencies": {
         "tslib": "^2.4.0"
       }
@@ -109,9 +106,9 @@
       }
     },
     "node_modules/@napi-rs/wasm-runtime": {
-      "version": "1.1.2",
-      "resolved": "https://registry.npmjs.org/@napi-rs/wasm-runtime/-/wasm-runtime-1.1.2.tgz",
-      "integrity": "sha512-sNXv5oLJ7ob93xkZ1XnxisYhGYXfaG9f65/ZgYuAu3qt7b3NadcOEhLvx28hv31PgX8SZJRYrAIPQilQmFpLVw==",
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/@napi-rs/wasm-runtime/-/wasm-runtime-1.1.4.tgz",
+      "integrity": "sha512-3NQNNgA1YSlJb/kMH1ildASP9HW7/7kYnRI2szWJaofaS1hWmbGI4H+d3+22aGzXXN9IJ+n+GiFVcGipJP18ow==",
       "dev": true,
       "license": "MIT",
       "optional": true,
@@ -128,13 +125,13 @@
       }
     },
     "node_modules/@rsbuild/core": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rsbuild/core/-/core-2.0.0-rc.1.tgz",
-      "integrity": "sha512-eqxtRlQiFSm/ibCNGiPj8ozsGSNK91NY+GksmPuTCPmWQExGtPqM1V+s13UYeWZS6fYbMRs7NlQKD896e0QkKA==",
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/@rsbuild/core/-/core-2.0.3.tgz",
+      "integrity": "sha512-2myp7jUgGen50saxW8OJD/eMVKp7HnuBN5MUzwRb6mDbRZZVpoorfI4LQqiGSBNjGLB6jltvx/R2yHmcmnchwg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@rspack/core": "2.0.0-rc.1",
+        "@rspack/core": "~2.0.1",
         "@swc/helpers": "^0.5.21"
       },
       "bin": {
@@ -153,17 +150,17 @@
       }
     },
     "node_modules/@rsbuild/plugin-react": {
-      "version": "1.4.6",
-      "resolved": "https://registry.npmjs.org/@rsbuild/plugin-react/-/plugin-react-1.4.6.tgz",
-      "integrity": "sha512-LAT6xHlEyZKA0VjF/ph5d50iyG+WSmBx+7g98HNZUwb94VeeTMZFB8qVptTkbIRMss3BNKOXmHOu71Lhsh9oEw==",
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/@rsbuild/plugin-react/-/plugin-react-2.0.0.tgz",
+      "integrity": "sha512-/1gzt39EGUSFEqB83g46QoOwsgv172HI18i6au1b6lgIaX4sv9stuX4ijdHbHCp8PqYEq+MyQ99jIQMO6I+etg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@rspack/plugin-react-refresh": "^1.6.1",
+        "@rspack/plugin-react-refresh": "2.0.0",
         "react-refresh": "^0.18.0"
       },
       "peerDependencies": {
-        "@rsbuild/core": "^1.0.0 || ^2.0.0-0"
+        "@rsbuild/core": "^2.0.0-0"
       },
       "peerDependenciesMeta": {
         "@rsbuild/core": {
@@ -172,28 +169,28 @@
       }
     },
     "node_modules/@rspack/binding": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding/-/binding-2.0.0-rc.1.tgz",
-      "integrity": "sha512-rhJqtbyiRPOjTAZW0xTZFbOrS5yP5yL1SF0DPE9kvFfzePz30IqjMDMxL0KuhkDZd/M1eUINJyoqd8NTbR9wHw==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding/-/binding-2.0.1.tgz",
+      "integrity": "sha512-ynV1gw4KqFtQ0P+ZZh76SUj49wBb2FuHW3zSmHverHWuxBhzvrZS6/dZ+fCFQG8bTTPtrPz0RQUTN3uEDbPVBQ==",
       "dev": true,
       "license": "MIT",
       "optionalDependencies": {
-        "@rspack/binding-darwin-arm64": "2.0.0-rc.1",
-        "@rspack/binding-darwin-x64": "2.0.0-rc.1",
-        "@rspack/binding-linux-arm64-gnu": "2.0.0-rc.1",
-        "@rspack/binding-linux-arm64-musl": "2.0.0-rc.1",
-        "@rspack/binding-linux-x64-gnu": "2.0.0-rc.1",
-        "@rspack/binding-linux-x64-musl": "2.0.0-rc.1",
-        "@rspack/binding-wasm32-wasi": "2.0.0-rc.1",
-        "@rspack/binding-win32-arm64-msvc": "2.0.0-rc.1",
-        "@rspack/binding-win32-ia32-msvc": "2.0.0-rc.1",
-        "@rspack/binding-win32-x64-msvc": "2.0.0-rc.1"
+        "@rspack/binding-darwin-arm64": "2.0.1",
+        "@rspack/binding-darwin-x64": "2.0.1",
+        "@rspack/binding-linux-arm64-gnu": "2.0.1",
+        "@rspack/binding-linux-arm64-musl": "2.0.1",
+        "@rspack/binding-linux-x64-gnu": "2.0.1",
+        "@rspack/binding-linux-x64-musl": "2.0.1",
+        "@rspack/binding-wasm32-wasi": "2.0.1",
+        "@rspack/binding-win32-arm64-msvc": "2.0.1",
+        "@rspack/binding-win32-ia32-msvc": "2.0.1",
+        "@rspack/binding-win32-x64-msvc": "2.0.1"
       }
     },
     "node_modules/@rspack/binding-darwin-arm64": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-arm64/-/binding-darwin-arm64-2.0.0-rc.1.tgz",
-      "integrity": "sha512-fYbeDDDg6QKZzXYt/J0/j0Qhr01wQLuISUsYnNhu5MLwdXVUSVcqz+CTqgF3d0EQVVn6FqLV63lbNRzUGfSq9g==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-arm64/-/binding-darwin-arm64-2.0.1.tgz",
+      "integrity": "sha512-CGFO5zmajD1Itch1lxAI7+gvKiagzyqXopHv/jHG9Su2WWQ2/Nhn2/rkSpdp6ptE9ri6+6tCOOahf099/v/Xog==",
       "cpu": [
         "arm64"
       ],
@@ -205,9 +202,9 @@
       ]
     },
     "node_modules/@rspack/binding-darwin-x64": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-x64/-/binding-darwin-x64-2.0.0-rc.1.tgz",
-      "integrity": "sha512-MvXi9kr8xXn1y0PD1WI/4YphRNOdbykJjKdEsAG4JxEVoERmhIHOTwKvUqlejajizAwlVZcxQl/FacoPLsKN5Q==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-x64/-/binding-darwin-x64-2.0.1.tgz",
+      "integrity": "sha512-2vvBNBoS09/PurupBwSrlTZd8283o00B8v20ncsNUdEff41uCR/hzIrYoTIVWnVST+Gt5O1+cfcfORp397lajg==",
       "cpu": [
         "x64"
       ],
@@ -219,9 +216,9 @@
       ]
     },
     "node_modules/@rspack/binding-linux-arm64-gnu": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-2.0.0-rc.1.tgz",
-      "integrity": "sha512-j6WsHEwGSdUoiy4BsQBW0RjFl+MBzozdybSYhkiyVSoHlbm7CPt3XaaS3elH5YcwuLHORmVHPP91QhwWl9UFJg==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-2.0.1.tgz",
+      "integrity": "sha512-uvNXk6ahE3AH3h2avnd1Mgno68YQpS4cfX1OkOGWIC/roL+NrOP2XVXV4yfVAoydPALDO7AfbIfN0QdmBK3rsA==",
       "cpu": [
         "arm64"
       ],
@@ -236,9 +233,9 @@
       ]
     },
     "node_modules/@rspack/binding-linux-arm64-musl": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-musl/-/binding-linux-arm64-musl-2.0.0-rc.1.tgz",
-      "integrity": "sha512-MPoZE0aS8oH+Wr0R5tIYch8gbUwYYf4LsiGdP6enMKMTrmpJyOVGlhPHVSwsrFgBg7fjTGOuxHuibtsvDUdLOQ==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-musl/-/binding-linux-arm64-musl-2.0.1.tgz",
+      "integrity": "sha512-S/a6uN9PiZ5O/PjSqyIXhuRC1lVzeJkJV69NeLk5sIEUiDQ/aQGZG97uN+tluwpbo1tPbLJkdHYETfjspOX4Pg==",
       "cpu": [
         "arm64"
       ],
@@ -253,9 +250,9 @@
       ]
     },
     "node_modules/@rspack/binding-linux-x64-gnu": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-gnu/-/binding-linux-x64-gnu-2.0.0-rc.1.tgz",
-      "integrity": "sha512-gOlPCwtIg9GsFG/8ZdUyV5SyXDaGq2kmtXmyyFU7RO33MaalltNEBMf2hevRPj9z39eSzxwgJDonMOdx5Fo0Og==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-gnu/-/binding-linux-x64-gnu-2.0.1.tgz",
+      "integrity": "sha512-C13Kk0OkZiocZVj187Sf753UH6pDXnuEu6vzUvi3qv9ltibG1ki0H2Y8isXBYL2cHQOV+hk0g1S6/4z3TTB97A==",
       "cpu": [
         "x64"
       ],
@@ -270,9 +267,9 @@
       ]
     },
     "node_modules/@rspack/binding-linux-x64-musl": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-musl/-/binding-linux-x64-musl-2.0.0-rc.1.tgz",
-      "integrity": "sha512-K6Swk1rfP4z4b6bp84NlikGlUWMOPpIWCtlPr/W0TWgc2C/cd844oHdoIu7WtmOH7y9AwB5UG2bWpgFAVwykCw==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-musl/-/binding-linux-x64-musl-2.0.1.tgz",
+      "integrity": "sha512-TQsiBFpEDGkuvK9tNdGj/Uc+AIytzqhxXH/1jKU6M24cWB1DTw/Cx7DdrkCBDyq3129K3POLdujvbWCGqBzQUw==",
       "cpu": [
         "x64"
       ],
@@ -287,9 +284,9 @@
       ]
     },
     "node_modules/@rspack/binding-wasm32-wasi": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-wasm32-wasi/-/binding-wasm32-wasi-2.0.0-rc.1.tgz",
-      "integrity": "sha512-aa9oUTqOb1QjwsHVlMr5sV+7mcBI4MLQ/xhFO2CIEcfVnJIPl8XpKUbDEgqMwcFlzcgzKmHg5cVmIvd82BLgow==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-wasm32-wasi/-/binding-wasm32-wasi-2.0.1.tgz",
+      "integrity": "sha512-wk3gyUgBW/ayP49bI54bkY8+EQnfBHxdoe9dz3oobSTZQc8AOWwmUUDEPltW8rUvPOM6dfHECTOUMnfaf2f5yA==",
       "cpu": [
         "wasm32"
       ],
@@ -297,13 +294,15 @@
       "license": "MIT",
       "optional": true,
       "dependencies": {
-        "@napi-rs/wasm-runtime": "1.1.2"
+        "@emnapi/core": "1.10.0",
+        "@emnapi/runtime": "1.10.0",
+        "@napi-rs/wasm-runtime": "1.1.4"
       }
     },
     "node_modules/@rspack/binding-win32-arm64-msvc": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-2.0.0-rc.1.tgz",
-      "integrity": "sha512-+UxF0c7E9bE3siFbMHi+mmoeQJzcTKl1j3x+Y6MY/PJ3V70cU23wOaxMvmSsCyq2JNJBT2RCNZ9HaL+o3kReug==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-2.0.1.tgz",
+      "integrity": "sha512-rHjLcy3VcAC3+x+PxH+gwhwv6tPe0JdXTNT5eAOs9wgZIM6T9p4wre49+K4Qy98+Fb7TTbLX0ObUitlOkGwTSA==",
       "cpu": [
         "arm64"
       ],
@@ -315,9 +314,9 @@
       ]
     },
     "node_modules/@rspack/binding-win32-ia32-msvc": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-2.0.0-rc.1.tgz",
-      "integrity": "sha512-gc0JdkdxSWo+o/b1qTCT6mZ3DrlGe32eW+Ps3xInxcG4UHjUG7hTDgFtOgVQ6VhQ8WMUXG+TQOz0CySVpYjsoQ==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-2.0.1.tgz",
+      "integrity": "sha512-Ad1vVqMBBnd4T8rsORngu9sl2kyRTlS4kMlvFudjzl1X2UFArEDBe0YVGNN7ZvahM12CErUx2WiN8Sd8pb+qXQ==",
       "cpu": [
         "ia32"
       ],
@@ -329,9 +328,9 @@
       ]
     },
     "node_modules/@rspack/binding-win32-x64-msvc": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-x64-msvc/-/binding-win32-x64-msvc-2.0.0-rc.1.tgz",
-      "integrity": "sha512-Dnj0jthyVUikf65MGEyZy3akshtSmR1xsp/Xr0h/NWTo5JFWHKAFNYFE+jFfY0uzC8e4IDcLQLYoFomqV1DsEg==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/binding-win32-x64-msvc/-/binding-win32-x64-msvc-2.0.1.tgz",
+      "integrity": "sha512-oPM2Jtm7HOlmxl/aBfleAVlL6t9VeHx6WvEets7BBJMInemFXAQd4CErRqybf7rXutACzLeUWBOue4Jpd1/ykw==",
       "cpu": [
         "x64"
       ],
@@ -343,13 +342,13 @@
       ]
     },
     "node_modules/@rspack/core": {
-      "version": "2.0.0-rc.1",
-      "resolved": "https://registry.npmjs.org/@rspack/core/-/core-2.0.0-rc.1.tgz",
-      "integrity": "sha512-OIfkYn05/IWtVIdZ8Y/a0y/k4ipzqfApxIZqnJM59G/bGwQKMBrLHpOMGgV2Wmq1j9UMXzF7ZtsFMUbYBhFb9A==",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@rspack/core/-/core-2.0.1.tgz",
+      "integrity": "sha512-lgfZiExh8kDR/3obgi3RQKwKG5av1Xf5qDN1aVde777W9pbmx0Pqvrww1qtNvJ+gobEjbrrn5HEZWYGe0VLmcA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@rspack/binding": "2.0.0-rc.1"
+        "@rspack/binding": "2.0.1"
       },
       "engines": {
         "node": "^20.19.0 || >=22.12.0"
@@ -368,36 +367,33 @@
       }
     },
     "node_modules/@rspack/plugin-react-refresh": {
-      "version": "1.6.2",
-      "resolved": "https://registry.npmjs.org/@rspack/plugin-react-refresh/-/plugin-react-refresh-1.6.2.tgz",
-      "integrity": "sha512-k+/VrfTNgo+KirjI6V+8CWRj6y+DH9jOUWv8JorYY4vKf/9xfnZ8xHzuB4iqCwTtoZl9YnxOaOuoyjJipc2tiQ==",
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/@rspack/plugin-react-refresh/-/plugin-react-refresh-2.0.0.tgz",
+      "integrity": "sha512-Cf6CxBStNDJbiXMc/GmsvG1G8PRlUpa0MSfWsMTI+e8npzuTN/p8nwLs3shriBZOLciqgkSZpBtPTd10BLpj1g==",
       "dev": true,
       "license": "MIT",
-      "dependencies": {
-        "error-stack-parser": "^2.1.4"
-      },
       "peerDependencies": {
-        "react-refresh": ">=0.10.0 <1.0.0",
-        "webpack-hot-middleware": "2.x"
+        "@rspack/core": "^2.0.0-0",
+        "react-refresh": ">=0.10.0 <1.0.0"
       },
       "peerDependenciesMeta": {
-        "webpack-hot-middleware": {
+        "@rspack/core": {
           "optional": true
         }
       }
     },
     "node_modules/@rspress/core": {
-      "version": "2.0.9",
-      "resolved": "https://registry.npmjs.org/@rspress/core/-/core-2.0.9.tgz",
-      "integrity": "sha512-cfbqqbWtdimrWIsfeyPnQOTKwJpdNLr8VnwLIL4JYC2ZcRq+xcInpszLXVpV86nONL6qI19usr2Or7uzZJ+ynA==",
+      "version": "2.0.10",
+      "resolved": "https://registry.npmjs.org/@rspress/core/-/core-2.0.10.tgz",
+      "integrity": "sha512-DvoV7YUW538x0CVAGyYPKfjUHgEuq7Z8LZq1cpfUgBpA1DynFUK3Ls6spvdoAHAl3l0AN+xxOHpu/sRVhzqi/A==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@mdx-js/mdx": "^3.1.1",
         "@mdx-js/react": "^3.1.1",
-        "@rsbuild/core": "2.0.0-rc.1",
-        "@rsbuild/plugin-react": "~1.4.6",
-        "@rspress/shared": "2.0.9",
+        "@rsbuild/core": "^2.0.2",
+        "@rsbuild/plugin-react": "~2.0.0",
+        "@rspress/shared": "2.0.10",
         "@shikijs/rehype": "^4.0.2",
         "@types/unist": "^3.0.3",
         "@unhead/react": "^2.1.13",
@@ -411,8 +407,8 @@
         "mdast-util-mdxjs-esm": "^2.0.1",
         "medium-zoom": "1.1.0",
         "nprogress": "^0.2.0",
-        "react": "^19.2.4",
-        "react-dom": "^19.2.4",
+        "react": "^19.2.5",
+        "react-dom": "^19.2.5",
         "react-lazy-with-preload": "^2.2.1",
         "react-reconciler": "0.33.0",
         "react-render-to-markdown": "19.0.1",
@@ -440,39 +436,39 @@
       }
     },
     "node_modules/@rspress/plugin-client-redirects": {
-      "version": "2.0.9",
-      "resolved": "https://registry.npmjs.org/@rspress/plugin-client-redirects/-/plugin-client-redirects-2.0.9.tgz",
-      "integrity": "sha512-r2GyHzOSt8CeS4UIsy/cPM5Zotekt1JVQFmgOYGapvll5ktUlVcd77HLtXDbZjtpgtj0XlaMLrXueOpV2gsBoQ==",
+      "version": "2.0.10",
+      "resolved": "https://registry.npmjs.org/@rspress/plugin-client-redirects/-/plugin-client-redirects-2.0.10.tgz",
+      "integrity": "sha512-ImOm3h/cbXiJXIvpwv3Wn9rM91xgdhKbD2WX+WlMlWO4AtQfKR4XFrVhIZZAkrt09eeotRIklA7nu8Nuzzzbsw==",
       "dev": true,
       "license": "MIT",
       "engines": {
         "node": "^20.19.0 || >=22.12.0"
       },
       "peerDependencies": {
-        "@rspress/core": "^2.0.9"
+        "@rspress/core": "^2.0.10"
       }
     },
     "node_modules/@rspress/plugin-sitemap": {
-      "version": "2.0.9",
-      "resolved": "https://registry.npmjs.org/@rspress/plugin-sitemap/-/plugin-sitemap-2.0.9.tgz",
-      "integrity": "sha512-GTuXuySaeaazUZoUxdk2vZ8p0ehIgulPjCP9C7gDg6lIh5JGpUbcjG4def4tWHsxUoKp2rIwu/93bHwKb8T0Mw==",
+      "version": "2.0.10",
+      "resolved": "https://registry.npmjs.org/@rspress/plugin-sitemap/-/plugin-sitemap-2.0.10.tgz",
+      "integrity": "sha512-PZLig9+OlnyLcy6x9BlEqWSRef6TzDWB6Dlh2/hY41FtKlhyb7d7U56RGlLselWaQV54SHVa6H/y611A56ZI2g==",
       "dev": true,
       "license": "MIT",
       "engines": {
         "node": "^20.19.0 || >=22.12.0"
       },
       "peerDependencies": {
-        "@rspress/core": "^2.0.9"
+        "@rspress/core": "^2.0.10"
       }
     },
     "node_modules/@rspress/shared": {
-      "version": "2.0.9",
-      "resolved": "https://registry.npmjs.org/@rspress/shared/-/shared-2.0.9.tgz",
-      "integrity": "sha512-G48n3pC7AVAR58pLqwClUCYj5Nt7ZgYEStR8VTBGFuPgXtzb3+KPfo/gz0hb6wxdKJ1cL5ohPsZ6EXqllu6lew==",
+      "version": "2.0.10",
+      "resolved": "https://registry.npmjs.org/@rspress/shared/-/shared-2.0.10.tgz",
+      "integrity": "sha512-Kx10OAHWqi2jvW7ScmBUbkGjnwv4E6rEoelUchcL8It8nQ4nAVk0xvvES7m64knEon55zDbs8JQumCjbHu801Q==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@rsbuild/core": "2.0.0-rc.1",
+        "@rsbuild/core": "^2.0.2",
         "@shikijs/rehype": "^4.0.2",
         "unified": "^11.0.5"
       }
@@ -972,16 +968,6 @@
         "url": "https://github.com/fb55/entities?sponsor=1"
       }
     },
-    "node_modules/error-stack-parser": {
-      "version": "2.1.4",
-      "resolved": "https://registry.npmjs.org/error-stack-parser/-/error-stack-parser-2.1.4.tgz",
-      "integrity": "sha512-Sk5V6wVazPhq5MhpO+AUxJn5x7XSXGl1R93Vn7i+zS15KDVxQijejNCrz8340/2bgLBjR9GtEG8ZVKONDjcqGQ==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "stackframe": "^1.3.4"
-      }
-    },
     "node_modules/esast-util-from-estree": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/esast-util-from-estree/-/esast-util-from-estree-2.0.0.tgz",
@@ -1413,9 +1399,9 @@
       }
     },
     "node_modules/hookable": {
-      "version": "6.1.0",
-      "resolved": "https://registry.npmjs.org/hookable/-/hookable-6.1.0.tgz",
-      "integrity": "sha512-ZoKZSJgu8voGK2geJS+6YtYjvIzu9AOM/KZXsBxr83uhLL++e9pEv/dlgwgy3dvHg06kTz6JOh1hk3C8Ceiymw==",
+      "version": "6.1.1",
+      "resolved": "https://registry.npmjs.org/hookable/-/hookable-6.1.1.tgz",
+      "integrity": "sha512-U9LYDy1CwhMCnprUfeAZWZGByVbhd54hwepegYTK7Pi5NvqEj63ifz5z+xukznehT7i6NIZRu89Ay1AZmRsLEQ==",
       "dev": true,
       "license": "MIT"
     },
@@ -2697,20 +2683,20 @@
       "license": "MIT"
     },
     "node_modules/oniguruma-parser": {
-      "version": "0.12.1",
-      "resolved": "https://registry.npmjs.org/oniguruma-parser/-/oniguruma-parser-0.12.1.tgz",
-      "integrity": "sha512-8Unqkvk1RYc6yq2WBYRj4hdnsAxVze8i7iPfQr8e4uSP3tRv0rpZcbGUDvxfQQcdwHt/e9PrMvGCsa8OqG9X3w==",
+      "version": "0.12.2",
+      "resolved": "https://registry.npmjs.org/oniguruma-parser/-/oniguruma-parser-0.12.2.tgz",
+      "integrity": "sha512-6HVa5oIrgMC6aA6WF6XyyqbhRPJrKR02L20+2+zpDtO5QAzGHAUGw5TKQvwi5vctNnRHkJYmjAhRVQF2EKdTQw==",
       "dev": true,
       "license": "MIT"
     },
     "node_modules/oniguruma-to-es": {
-      "version": "4.3.5",
-      "resolved": "https://registry.npmjs.org/oniguruma-to-es/-/oniguruma-to-es-4.3.5.tgz",
-      "integrity": "sha512-Zjygswjpsewa0NLTsiizVuMQZbp0MDyM6lIt66OxsF21npUDlzpHi1Mgb/qhQdkb+dWFTzJmFbEWdvZgRho8eQ==",
+      "version": "4.3.6",
+      "resolved": "https://registry.npmjs.org/oniguruma-to-es/-/oniguruma-to-es-4.3.6.tgz",
+      "integrity": "sha512-csuQ9x3Yr0cEIs/Zgx/OEt9iBw9vqIunAPQkx19R/fiMq2oGVTgcMqO/V3Ybqefr1TBvosI6jU539ksaBULJyA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "oniguruma-parser": "^0.12.1",
+        "oniguruma-parser": "^0.12.2",
         "regex": "^6.1.0",
         "regex-recursion": "^6.0.2"
       }
@@ -2836,9 +2822,9 @@
       }
     },
     "node_modules/react-router": {
-      "version": "7.14.0",
-      "resolved": "https://registry.npmjs.org/react-router/-/react-router-7.14.0.tgz",
-      "integrity": "sha512-m/xR9N4LQLmAS0ZhkY2nkPA1N7gQ5TUVa5n8TgANuDTARbn1gt+zLPXEm7W0XDTbrQ2AJSJKhoa6yx1D8BcpxQ==",
+      "version": "7.14.2",
+      "resolved": "https://registry.npmjs.org/react-router/-/react-router-7.14.2.tgz",
+      "integrity": "sha512-yCqNne6I8IB6rVCH7XUvlBK7/QKyqypBFGv+8dj4QBFJiiRX+FG7/nkdAvGElyvVZ/HQP5N19wzteuTARXi5Gw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -2859,13 +2845,13 @@
       }
     },
     "node_modules/react-router-dom": {
-      "version": "7.14.0",
-      "resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-7.14.0.tgz",
-      "integrity": "sha512-2G3ajSVSZMEtmTjIklRWlNvo8wICEpLihfD/0YMDxbWK2UyP5EGfnoIn9AIQGnF3G/FX0MRbHXdFcD+rL1ZreQ==",
+      "version": "7.14.2",
+      "resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-7.14.2.tgz",
+      "integrity": "sha512-YZcM5ES8jJSM+KrJ9BdvHHqlnGTg5tH3sC5ChFRj4inosKctdyzBDhOyyHdGk597q2OT6NTrCA1OvB/YDwfekQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "react-router": "7.14.0"
+        "react-router": "7.14.2"
       },
       "engines": {
         "node": ">=20.0.0"
@@ -3218,13 +3204,6 @@
         "url": "https://github.com/sponsors/wooorm"
       }
     },
-    "node_modules/stackframe": {
-      "version": "1.3.4",
-      "resolved": "https://registry.npmjs.org/stackframe/-/stackframe-1.3.4.tgz",
-      "integrity": "sha512-oeVtt7eWQS+Na6F//S4kJ2K2VbRlS9D43mAlMyVpVWovy9o+jfgH8O9agzANzaiLjclA0oYzUXEM4PurhSUChw==",
-      "dev": true,
-      "license": "MIT"
-    },
     "node_modules/stringify-entities": {
       "version": "4.0.4",
       "resolved": "https://registry.npmjs.org/stringify-entities/-/stringify-entities-4.0.4.tgz",

src/admin/Cargo.toml

@@ -81,6 +81,7 @@ conduwuit-macros.workspace = true
 conduwuit-service.workspace = true
 const-str.workspace = true
 ctor.workspace = true
+dtor.workspace = true
 futures.workspace = true
 lettre.workspace = true
 log.workspace = true

src/admin/user/commands.rs

@@ -70,7 +70,7 @@ pub(super) async fn create_user(&self, username: String, password: Option<String
 	// Create user
 	self.services
 		.users
-		.create(&user_id, Some(password.as_str()), None)
+		.create(&user_id, Some(password.as_str()))
 		.await?;
 
 	// Default to pretty displayname

src/api/Cargo.toml

@@ -48,9 +48,6 @@ jemalloc_stats = [
 	"conduwuit-core/jemalloc_stats",
 	"conduwuit-service/jemalloc_stats",
 ]
-ldap = [
-    "conduwuit-service/ldap"
-]
 release_max_log_level = [
 	"conduwuit-core/release_max_log_level",
 	"conduwuit-service/release_max_log_level",
@@ -77,6 +74,7 @@ conduwuit-macros.workspace = true
 conduwuit-service.workspace = true
 const-str.workspace = true
 ctor.workspace = true
+dtor.workspace = true
 futures.workspace = true
 hmac.workspace = true
 http.workspace = true

src/api/client/account/register.rs

@@ -190,7 +190,7 @@ pub(crate) async fn register_route(
 	let password = if is_guest { None } else { body.password.as_deref() };
 
 	// Create user
-	services.users.create(&user_id, password, None).await?;
+	services.users.create(&user_id, password).await?;
 
 	// Set an initial display name
 	let mut displayname = user_id.localpart().to_owned();

src/api/client/keys.rs

@@ -64,6 +64,27 @@ pub(crate) async fn upload_keys_route(
 			.await?;
 	}
 
+	for (key_id, fallback_key) in &body.fallback_keys {
+		if fallback_key
+			.deserialize()
+			.inspect_err(|e| {
+				debug_warn!(
+					%key_id,
+					?fallback_key,
+					"Invalid one time key JSON submitted by client, skipping: {e}"
+				);
+			})
+			.is_err()
+		{
+			continue;
+		}
+
+		services
+			.users
+			.add_fallback_key(sender_user, sender_device, key_id, fallback_key, false)
+			.await?;
+	}
+
 	if let Some(device_keys) = &body.device_keys {
 		let deser_device_keys = device_keys.deserialize().map_err(|e| {
 			err!(Request(BadJson(debug_warn!(

src/api/client/membership/invite.rs

@@ -163,7 +163,11 @@ pub(crate) async fn invite_helper(
 				)
 				.await?;
 
-			let invite_room_state = services.rooms.state.summary_stripped(&pdu, room_id).await;
+			let invite_room_state = services
+				.rooms
+				.state
+				.summary_stripped(&pdu, room_id, recipient_user)
+				.await;
 
 			drop(state_lock);
 

src/api/client/membership/kick.rs

@@ -24,9 +24,14 @@ pub(crate) async fn kick_user_route(
 	if !services
 		.rooms
 		.state_cache
-		.is_joined(&body.user_id, &body.room_id)
+		.user_membership(&body.user_id, &body.room_id)
 		.await
-	{
+		.is_some_and(|membership| {
+			matches!(
+				membership,
+				MembershipState::Invite | MembershipState::Join | MembershipState::Knock
+			)
+		}) {
 		return Err!(Request(Forbidden("You cannot kick users who are not in the room.")));
 	}
 

src/api/client/session.rs

@@ -7,7 +7,7 @@
 	utils::{self, ReadyExt, hash, stream::BroadbandExt},
 	warn,
 };
-use conduwuit_core::{debug_error, debug_warn};
+use conduwuit_core::debug_error;
 use conduwuit_service::Services;
 use futures::StreamExt;
 use lettre::Address;
@@ -64,17 +64,6 @@ pub(crate) async fn password_login(
 	lowercased_user_id: &UserId,
 	password: &str,
 ) -> Result<OwnedUserId> {
-	// Restrict login to accounts only of type 'password', including untyped
-	// legacy accounts which are equivalent to 'password'.
-	if services
-		.users
-		.origin(user_id)
-		.await
-		.is_ok_and(|origin| origin != "password")
-	{
-		return Err!(Request(Forbidden("Account does not permit password login.")));
-	}
-
 	let (hash, user_id) = match services.users.password_hash(user_id).await {
 		| Ok(hash) => (hash, user_id),
 		| Err(_) => services
@@ -96,71 +85,6 @@ pub(crate) async fn password_login(
 	Ok(user_id.to_owned())
 }
 
-/// Authenticates the given user through the configured LDAP server.
-///
-/// Creates the user if the user is found in the LDAP and do not already have an
-/// account.
-#[tracing::instrument(skip_all, fields(%user_id), name = "ldap", level = "debug")]
-pub(super) async fn ldap_login(
-	services: &Services,
-	user_id: &UserId,
-	lowercased_user_id: &UserId,
-	password: &str,
-) -> Result<OwnedUserId> {
-	let (user_dn, is_ldap_admin) = match services.config.ldap.bind_dn.as_ref() {
-		| Some(bind_dn) if bind_dn.contains("{username}") =>
-			(bind_dn.replace("{username}", lowercased_user_id.localpart()), None),
-		| _ => {
-			debug!("Searching user in LDAP");
-
-			let dns = services.users.search_ldap(user_id).await?;
-			if dns.len() >= 2 {
-				return Err!(Ldap("LDAP search returned two or more results"));
-			}
-
-			let Some((user_dn, is_admin)) = dns.first() else {
-				return password_login(services, user_id, lowercased_user_id, password).await;
-			};
-
-			(user_dn.clone(), *is_admin)
-		},
-	};
-
-	let user_id = services
-		.users
-		.auth_ldap(&user_dn, password)
-		.await
-		.map(|()| lowercased_user_id.to_owned())?;
-
-	// LDAP users are automatically created on first login attempt. This is a very
-	// common feature that can be seen on many services using a LDAP provider for
-	// their users (synapse, Nextcloud, Jellyfin, ...).
-	//
-	// LDAP users are crated with a dummy password but non empty because an empty
-	// password is reserved for deactivated accounts. The conduwuit password field
-	// will never be read to login a LDAP user so it's not an issue.
-	if !services.users.exists(lowercased_user_id).await {
-		services
-			.users
-			.create(lowercased_user_id, Some("*"), Some("ldap"))
-			.await?;
-	}
-
-	// Only sync admin status if LDAP can actually determine it.
-	// None means LDAP cannot determine admin status (manual config required).
-	if let Some(is_ldap_admin) = is_ldap_admin {
-		let is_conduwuit_admin = services.admin.user_is_admin(lowercased_user_id).await;
-
-		if is_ldap_admin && !is_conduwuit_admin {
-			Box::pin(services.admin.make_user_admin(lowercased_user_id)).await?;
-		} else if !is_ldap_admin && is_conduwuit_admin {
-			Box::pin(services.admin.revoke_admin(lowercased_user_id)).await?;
-		}
-	}
-
-	Ok(user_id)
-}
-
 pub(crate) async fn handle_login(
 	services: &Services,
 	identifier: Option<&UserIdentifier>,
@@ -212,18 +136,7 @@ pub(crate) async fn handle_login(
 		return Err!(Request(Forbidden("This account is not permitted to log in.")));
 	}
 
-	if cfg!(feature = "ldap") && services.config.ldap.enable {
-		match Box::pin(ldap_login(services, &user_id, &lowercased_user_id, password)).await {
-			| Ok(user_id) => Ok(user_id),
-			| Err(err) if services.config.ldap.ldap_only => Err(err),
-			| Err(err) => {
-				debug_warn!("{err}");
-				password_login(services, &user_id, &lowercased_user_id, password).await
-			},
-		}
-	} else {
-		password_login(services, &user_id, &lowercased_user_id, password).await
-	}
+	password_login(services, &user_id, &lowercased_user_id, password).await
 }
 
 /// # `POST /_matrix/client/v3/login`

src/api/client/sync/v3/mod.rs

@@ -395,6 +395,10 @@ pub(crate) async fn build_sync_events(
 		.users
 		.count_one_time_keys(syncing_user, syncing_device);
 
+	let unused_fallback_key_types = services
+		.users
+		.list_unused_fallback_key_types(syncing_user, syncing_device);
+
 	let (
 		(joined_rooms, mut device_list_updates),
 		left_rooms,
@@ -405,6 +409,7 @@ pub(crate) async fn build_sync_events(
 		to_device_events,
 		keys_changed,
 		device_one_time_keys_count,
+		unused_fallback_key_types,
 	) = async {
 		futures::join!(
 			joined_rooms,
@@ -415,7 +420,8 @@ pub(crate) async fn build_sync_events(
 			account_data,
 			to_device_events,
 			keys_changed,
-			device_one_time_keys_count
+			device_one_time_keys_count,
+			unused_fallback_key_types,
 		)
 	}
 	.boxed()
@@ -433,8 +439,7 @@ pub(crate) async fn build_sync_events(
 		account_data: assign!(GlobalAccountData::new(), { events: account_data }),
 		device_lists: device_list_updates.into(),
 		device_one_time_keys_count,
-		// Fallback keys are not yet supported
-		device_unused_fallback_key_types: None,
+		device_unused_fallback_key_types: Some(unused_fallback_key_types),
 		presence: assign!(Presence::new(), {
 			events: presence_updates
 				.into_iter()

src/api/server/invite.rs

@@ -172,7 +172,9 @@ pub(crate) async fn create_invite_route(
 	let pdu: PduEvent = serde_json::from_value(event.into())
 		.map_err(|e| err!(Request(BadJson("Invalid invite event PDU: {e}"))))?;
 
-	invite_state.push(RawStrippedState::Pdu(pdu.content.clone()));
+	invite_state.push(RawStrippedState::Pdu(
+		serde_json::value::to_raw_value(&pdu).expect("PDU was just created, it must be valid"),
+	));
 
 	// If we are active in the room, the remote server will notify us about the
 	// join/invite through /send. If we are not in the room, we need to manually

src/api/server/send_knock.rs

@@ -183,7 +183,7 @@ pub(crate) async fn create_knock_event_v1_route(
 	let knock_room_state = services
 		.rooms
 		.state
-		.summary_stripped(&pdu, &body.room_id)
+		.summary_stripped(&pdu, &body.room_id, &sender)
 		.await;
 
 	Ok(create_knock_event::v1::Response::new(knock_room_state))

src/core/Cargo.toml

@@ -70,6 +70,7 @@ conduwuit-build-metadata.workspace = true
 const-str.workspace = true
 core_affinity.workspace = true
 ctor.workspace = true
+dtor.workspace = true
 cyborgtime.workspace = true
 either.workspace = true
 figment.workspace = true

src/core/alloc/je.rs

@@ -47,7 +47,7 @@
 const NAME_MAX: usize = 128;
 const KEY_SEGS: usize = 8;
 
-#[ctor::ctor]
+#[ctor::ctor(unsafe)]
 fn _static_initialization() {
 	acq_epoch().expect("pre-initialization of jemalloc failed");
 	acq_epoch().expect("pre-initialization of jemalloc failed");

src/core/config/mod.rs

@@ -371,6 +371,7 @@ pub struct Config {
 	pub ip_lookup_strategy: u8,
 
 	/// Max request size for file uploads in bytes. Defaults to 20MB.
+	/// Also limits incoming federated media.
 	///
 	/// default: 20971520
 	#[serde(default = "default_max_request_size")]
@@ -2129,10 +2130,6 @@ pub struct Config {
 	#[serde(default)]
 	pub allow_web_indexing: bool,
 
-	/// display: nested
-	#[serde(default)]
-	pub ldap: LdapConfig,
-
 	/// Configuration for antispam support
 	/// display: nested
 	#[serde(default)]
@@ -2294,126 +2291,6 @@ pub fn effective_foci(&self, deprecated_foci: &[RtcFocusInfo]) -> Vec<RtcTranspo
 	}
 }
 
-#[derive(Clone, Debug, Default, Deserialize)]
-#[config_example_generator(filename = "conduwuit-example.toml", section = "global.ldap")]
-pub struct LdapConfig {
-	/// Whether to enable LDAP login.
-	///
-	/// example: "true"
-	#[serde(default)]
-	pub enable: bool,
-
-	/// Whether to force LDAP authentication or authorize classical password
-	/// login.
-	///
-	/// example: "true"
-	#[serde(default)]
-	pub ldap_only: bool,
-
-	/// URI of the LDAP server.
-	///
-	/// example: "ldap://ldap.example.com:389"
-	///
-	/// default: ""
-	#[serde(default)]
-	pub uri: Option<Url>,
-
-	/// StartTLS for LDAP connections.
-	///
-	/// default: false
-	#[serde(default)]
-	pub use_starttls: bool,
-
-	/// Skip TLS certificate verification, possibly dangerous.
-	///
-	/// default: false
-	#[serde(default)]
-	pub disable_tls_verification: bool,
-
-	/// Root of the searches.
-	///
-	/// example: "ou=users,dc=example,dc=org"
-	///
-	/// default: ""
-	#[serde(default)]
-	pub base_dn: String,
-
-	/// Bind DN if anonymous search is not enabled.
-	///
-	/// You can use the variable `{username}` that will be replaced by the
-	/// entered username. In such case, the password used to bind will be the
-	/// one provided for the login and not the one given by
-	/// `bind_password_file`. Beware: automatically granting admin rights will
-	/// not work if you use this direct bind instead of a LDAP search.
-	///
-	/// example: "cn=ldap-reader,dc=example,dc=org" or
-	/// "cn={username},ou=users,dc=example,dc=org"
-	///
-	/// default: ""
-	#[serde(default)]
-	pub bind_dn: Option<String>,
-
-	/// Path to a file on the system that contains the password for the
-	/// `bind_dn`.
-	///
-	/// The server must be able to access the file, and it must not be empty.
-	///
-	/// default: ""
-	#[serde(default)]
-	pub bind_password_file: Option<PathBuf>,
-
-	/// Search filter to limit user searches.
-	///
-	/// You can use the variable `{username}` that will be replaced by the
-	/// entered username for more complex filters.
-	///
-	/// example: "(&(objectClass=person)(memberOf=matrix))"
-	///
-	/// default: "(objectClass=*)"
-	#[serde(default = "default_ldap_search_filter")]
-	pub filter: String,
-
-	/// Attribute to use to uniquely identify the user.
-	///
-	/// example: "uid" or "cn"
-	///
-	/// default: "uid"
-	#[serde(default = "default_ldap_uid_attribute")]
-	pub uid_attribute: String,
-
-	/// Attribute containing the display name of the user.
-	///
-	/// example: "givenName" or "sn"
-	///
-	/// default: "givenName"
-	#[serde(default = "default_ldap_name_attribute")]
-	pub name_attribute: String,
-
-	/// Root of the searches for admin users.
-	///
-	/// Defaults to `base_dn` if empty.
-	///
-	/// example: "ou=admins,dc=example,dc=org"
-	///
-	/// default: ""
-	#[serde(default)]
-	pub admin_base_dn: String,
-
-	/// The LDAP search filter to find administrative users for continuwuity.
-	///
-	/// If left blank, administrative state must be configured manually for each
-	/// user.
-	///
-	/// You can use the variable `{username}` that will be replaced by the
-	/// entered username for more complex filters.
-	///
-	/// example: "(objectClass=conduwuitAdmin)" or "(uid={username})"
-	///
-	/// default: ""
-	#[serde(default)]
-	pub admin_filter: String,
-}
-
 #[derive(Deserialize, Clone, Debug)]
 #[serde(transparent)]
 struct ListeningPort {
@@ -2934,9 +2811,3 @@ pub(super) fn default_blurhash_x_component() -> u32 { 4 }
 pub(super) fn default_blurhash_y_component() -> u32 { 3 }
 
 // end recommended & blurhashing defaults
-
-fn default_ldap_search_filter() -> String { "(objectClass=*)".to_owned() }
-
-fn default_ldap_uid_attribute() -> String { String::from("uid") }
-
-fn default_ldap_name_attribute() -> String { String::from("givenName") }

src/core/debug.rs

@@ -62,7 +62,7 @@ macro_rules! debug_info {
 pub static DEBUGGER: LazyLock<bool> =
 	LazyLock::new(|| env::var("_").unwrap_or_default().ends_with("gdb"));
 
-#[cfg_attr(debug_assertions, ctor::ctor)]
+#[cfg_attr(debug_assertions, ctor::ctor(unsafe))]
 #[cfg_attr(not(debug_assertions), allow(dead_code))]
 fn set_panic_trap() {
 	if !*DEBUGGER {

src/core/error/mod.rs

@@ -110,8 +110,6 @@ pub enum Error {
 	InconsistentRoomState(&'static str, ruma::OwnedRoomId),
 	#[error(transparent)]
 	IntoHttp(#[from] ruma::api::error::IntoHttpError),
-	#[error("{0}")]
-	Ldap(Cow<'static, str>),
 	#[error(transparent)]
 	Mxc(#[from] ruma::MxcUriError),
 	#[error(transparent)]

src/database/Cargo.toml

@@ -58,6 +58,7 @@ conduwuit-core.workspace = true
 conduwuit-macros.workspace = true
 const-str.workspace = true
 ctor.workspace = true
+dtor.workspace = true
 futures.workspace = true
 log.workspace = true
 minicbor.workspace = true

src/database/de.rs

@@ -288,8 +288,14 @@ fn deserialize_option<V: Visitor<'de>>(self, visitor: V) -> Result<V::Value> {
 	}
 
 	#[cfg_attr(unabridged, tracing::instrument(level = "trace", skip_all))]
-	fn deserialize_bool<V: Visitor<'de>>(self, _visitor: V) -> Result<V::Value> {
-		unhandled!("deserialize bool not implemented")
+	fn deserialize_bool<V: Visitor<'de>>(self, visitor: V) -> Result<V::Value> {
+		let byte = self
+			.buf
+			.get(self.pos)
+			.ok_or(Self::Error::SerdeDe("bool buffer underflow".into()))?;
+		self.inc_pos(1);
+
+		visitor.visit_bool(*byte != 0x00)
 	}
 
 	#[cfg_attr(unabridged, tracing::instrument(level = "trace", skip_all))]

src/database/maps.rs

@@ -120,6 +120,10 @@ pub(super) fn open_list(db: &Arc<Engine>, maps: &[Descriptor]) -> Result<Maps> {
 		name: "onetimekeyid_onetimekeys",
 		..descriptor::RANDOM_SMALL
 	},
+	Descriptor {
+		name: "fallbackkeyid_fallbackkey",
+		..descriptor::RANDOM_SMALL
+	},
 	Descriptor {
 		name: "passwordresettoken_info",
 		..descriptor::RANDOM_SMALL

src/database/ser.rs

@@ -297,8 +297,8 @@ fn serialize_u16(self, _v: u16) -> Result<Self::Ok> {
 
 	fn serialize_u8(self, v: u8) -> Result<Self::Ok> { self.write(&[v]) }
 
-	fn serialize_bool(self, _v: bool) -> Result<Self::Ok> {
-		unhandled!("serialize bool not implemented")
+	fn serialize_bool(self, v: bool) -> Result<Self::Ok> {
+		if v { self.write(&[0x01]) } else { self.write(&[0x00]) }
 	}
 
 	fn serialize_unit(self) -> Result<Self::Ok> { unhandled!("serialize unit not implemented") }

src/macros/build_info.rs

@@ -32,11 +32,11 @@ mod __compile_introspection {
 			const CRATE_NAME: &str = #crate_name;
 
 			/// Register this crate's features with the global registry during static initialization
-			#[::ctor::ctor]
+			#[::ctor::ctor(unsafe)]
 			fn register() {
 				conduwuit_core::info::introspection::ENABLED_FEATURES.lock().unwrap().insert(#crate_name, &ENABLED);
 			}
-			#[::ctor::dtor]
+			#[::dtor::dtor(unsafe)]
 			fn unregister() {
 				conduwuit_core::info::introspection::ENABLED_FEATURES.lock().unwrap().remove(#crate_name);
 			}

src/main/Cargo.toml

@@ -42,27 +42,27 @@ assets = [
 [features]
 default = [
     "standard",
-    "release_max_log_level",
+    #"release_max_log_level",
     "ring",
-	"bindgen-runtime", # replace with bindgen-static on alpine
+    "bindgen-runtime", # replace with bindgen-static on alpine
 ]
 standard = [
     "blurhashing",
-	"brotli_compression",
-	"element_hacks",
-	"gzip_compression",
-	"io_uring",
-	"jemalloc",
-	"jemalloc_conf",
-	"journald",
-	"ldap",
-	"media_thumbnail",
-	"systemd",
-	"url_preview",
-	"zstd_compression",
+    "brotli_compression",
+    "element_hacks",
+    "gzip_compression",
+    "io_uring",
+    "jemalloc",
+    "jemalloc_conf",
+    "journald",
+    "media_thumbnail",
+    "systemd",
+    "url_preview",
+    "zstd_compression",
     "sentry_telemetry",
     "otlp_telemetry",
-	"console",
+    "console",
+    "direct_tls",
 ]
 full = [
     "standard",
@@ -126,9 +126,6 @@ jemalloc_stats = [
 jemalloc_conf = [
 	"conduwuit-core/jemalloc_conf",
 ]
-ldap = [
-	"conduwuit-api/ldap",
-]
 media_thumbnail = [
 	"conduwuit-service/media_thumbnail",
 ]
@@ -217,6 +214,7 @@ conduwuit-macros.workspace = true
 
 clap.workspace = true
 ctor.workspace = true
+dtor.workspace = true
 console-subscriber.optional = true
 console-subscriber.workspace = true
 const-str.workspace = true

src/router/Cargo.toml

@@ -105,6 +105,7 @@ conduwuit-service.workspace = true
 conduwuit-web.workspace = true
 const-str.workspace = true
 ctor.workspace = true
+dtor.workspace = true
 futures.workspace = true
 http.workspace = true
 http-body-util.workspace = true

src/service/Cargo.toml

@@ -52,9 +52,6 @@ jemalloc_stats = [
 	"conduwuit-core/jemalloc_stats",
 	"conduwuit-database/jemalloc_stats",
 ]
-ldap = [
-    "dep:ldap3"
-]
 media_thumbnail = [
 	"dep:image",
 ]
@@ -89,6 +86,7 @@ conduwuit-database.workspace = true
 conduwuit-macros.workspace = true
 const-str.workspace = true
 ctor.workspace = true
+dtor.workspace = true
 either.workspace = true
 futures.workspace = true
 governor.workspace = true
@@ -98,8 +96,6 @@ image.workspace = true
 image.optional = true
 ipaddress.workspace = true
 itertools.workspace = true
-ldap3.workspace = true
-ldap3.optional = true
 log.workspace = true
 loole.workspace = true
 lru-cache.workspace = true

src/service/admin/create.rs

@@ -37,7 +37,7 @@ pub async fn create_admin_room(services: &Services) -> Result {
 
 	// Create a user for the server
 	let server_user = services.globals.server_user.as_ref();
-	services.users.create(server_user, None, None).await?;
+	services.users.create(server_user, None).await?;
 
 	let mut create_content = {
 		use RoomVersionId::*;

src/service/appservice/mod.rs

@@ -111,7 +111,7 @@ async fn start_appservice(&self, id: String, registration: Registration) -> Resu
 		if !self.services.users.exists(&appservice_user_id).await {
 			self.services
 				.users
-				.create(&appservice_user_id, None, None)
+				.create(&appservice_user_id, None)
 				.await?;
 		} else if self
 			.services

src/service/emergency/mod.rs

@@ -37,11 +37,6 @@ fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
 	}
 
 	async fn worker(self: Arc<Self>) -> Result {
-		if self.services.config.ldap.enable {
-			warn!("emergency password feature not available with LDAP enabled.");
-			return Ok(());
-		}
-
 		self.set_emergency_access().await.inspect_err(|e| {
 			error!("Could not set the configured emergency password for the server user: {e}");
 		})

src/service/migrations.rs

@@ -802,7 +802,7 @@ async fn fix_local_invite_state(services: &Services) -> Result {
 				&& services.globals.user_is_local(&membership_event.sender) {
 
 				// build and save stripped state for their invite in the database
-				let stripped_state = services.rooms.state.summary_stripped(&membership_event, &room_id).await;
+				let stripped_state = services.rooms.state.summary_stripped(&membership_event, &room_id, &user_id).await;
 				userroomid_invitestate.put((&user_id, &room_id), Json(stripped_state));
 				fixed = fixed.saturating_add(1);
 			}

src/service/password_reset/mod.rs

@@ -58,17 +58,6 @@ pub async fn issue_token(&self, user_id: OwnedUserId) -> Result<ValidResetToken>
 			return Err!("Cannot issue a password reset token for the server user");
 		}
 
-		if self
-			.services
-			.users
-			.origin(&user_id)
-			.await
-			.unwrap_or_else(|_| "password".to_owned())
-			!= "password"
-		{
-			return Err!("Cannot issue a password reset token for non-internal user {user_id}");
-		}
-
 		if self.services.users.is_deactivated(&user_id).await? {
 			return Err!("Cannot issue a password reset token for deactivated user {user_id}");
 		}

src/service/rooms/state/mod.rs

@@ -300,12 +300,13 @@ pub async fn summary_stripped<'a, E>(
 		&self,
 		event: &'a E,
 		room_id: &RoomId,
+		target_user: &UserId,
 	) -> Vec<RawStrippedState>
 	where
 		E: Event + Send + Sync,
 		&'a E: Event + Send,
 	{
-		let cells = [
+		let mut state_events = [
 			(&StateEventType::RoomCreate, ""),
 			(&StateEventType::RoomJoinRules, ""),
 			(&StateEventType::RoomCanonicalAlias, ""),
@@ -314,9 +315,14 @@ pub async fn summary_stripped<'a, E>(
 			(&StateEventType::RoomMember, event.sender().as_str()), // Add recommended events
 			(&StateEventType::RoomEncryption, ""),
 			(&StateEventType::RoomTopic, ""),
-		];
+		]
+		.to_vec();
 
-		let fetches = cells.into_iter().map(|(event_type, state_key)| {
+		if target_user != event.sender() {
+			state_events.push((&StateEventType::RoomMember, target_user.as_str()));
+		}
+
+		let fetches = state_events.into_iter().map(|(event_type, state_key)| {
 			self.services
 				.state_accessor
 				.room_state_get(room_id, event_type, state_key)
@@ -326,7 +332,7 @@ pub async fn summary_stripped<'a, E>(
 			.await
 			.into_iter()
 			.filter_map(Result::ok)
-			.map(|pdu| RawStrippedState::Pdu(pdu.content))
+			.map(|pdu| RawStrippedState::Pdu(serde_json::value::to_raw_value(&pdu).unwrap()))
 			.collect()
 	}
 

src/service/rooms/state_cache/update.rs

@@ -47,7 +47,7 @@ pub async fn update_membership(
 	#[allow(clippy::collapsible_if)]
 	if !self.services.globals.user_is_local(user_id) {
 		if !self.services.users.exists(user_id).await {
-			self.services.users.create(user_id, None, None).await?;
+			self.services.users.create(user_id, None).await?;
 		}
 	}
 
@@ -119,7 +119,11 @@ pub async fn update_membership(
 			self.mark_as_joined(user_id, room_id);
 		},
 		| MembershipState::Invite => {
-			let last_state = self.services.state.summary_stripped(pdu, room_id).await;
+			let last_state = self
+				.services
+				.state
+				.summary_stripped(pdu, room_id, user_id)
+				.await;
 
 			self.mark_as_invited(user_id, room_id, pdu.sender(), last_state, None)
 				.await?;

src/service/uiaa/mod.rs

@@ -385,23 +385,6 @@ async fn check_stage(
 					password_verified = hash::verify_password(password, &hash).is_ok();
 				}
 
-				// If local password verification failed, try LDAP authentication
-				#[cfg(feature = "ldap")]
-				if !password_verified && self.services.config.ldap.enable {
-					// Search for user in LDAP to get their DN
-					if let Ok(dns) = self.services.users.search_ldap(&user_id).await {
-						if let Some((user_dn, _is_admin)) = dns.first() {
-							// Try to authenticate with LDAP
-							password_verified = self
-								.services
-								.users
-								.auth_ldap(user_dn, password)
-								.await
-								.is_ok();
-						}
-					}
-				}
-
 				if password_verified {
 					identity.try_set_localpart(user_id.localpart().to_owned())?;
 

src/service/users/mod.rs

@@ -1,24 +1,16 @@
 pub(super) mod dehydrated_device;
 
-#[cfg(feature = "ldap")]
-use std::collections::HashMap;
 use std::{collections::BTreeMap, mem, net::IpAddr, sync::Arc};
 
-#[cfg(feature = "ldap")]
-use conduwuit::result::LogErr;
 use conduwuit::{
-	Err, Error, Result, Server, debug_warn, err, is_equal_to, trace,
+	Err, Error, Result, Server, debug_warn, err, trace,
 	utils::{self, ReadyExt, stream::TryIgnore, string::Unquoted},
 };
-#[cfg(feature = "ldap")]
-use conduwuit_core::{debug, error};
 use database::{Deserialized, Ignore, Interfix, Json, Map};
 use futures::{Stream, StreamExt, TryFutureExt};
-#[cfg(feature = "ldap")]
-use ldap3::{LdapConnAsync, LdapConnSettings, Scope, SearchEntry};
 use ruma::{
-	DeviceId, KeyId, MilliSecondsSinceUnixEpoch, OneTimeKeyAlgorithm, OneTimeKeyId,
-	OneTimeKeyName, OwnedDeviceId, OwnedKeyId, OwnedMxcUri, OwnedUserId, RoomId, UInt, UserId,
+	DeviceId, MilliSecondsSinceUnixEpoch, OneTimeKeyAlgorithm, OneTimeKeyId, OneTimeKeyName,
+	OwnedDeviceId, OwnedKeyId, OwnedMxcUri, OwnedOneTimeKeyId, OwnedUserId, RoomId, UInt, UserId,
 	api::{
 		client::{device::Device, filter::FilterDefinition},
 		error::ErrorKind,
@@ -65,6 +57,7 @@ struct Data {
 	keychangeid_userid: Arc<Map>,
 	keyid_key: Arc<Map>,
 	onetimekeyid_onetimekeys: Arc<Map>,
+	fallbackkeyid_fallbackkey: Arc<Map>,
 	openidtoken_expiresatuserid: Arc<Map>,
 	logintoken_expiresatuserid: Arc<Map>,
 	todeviceid_events: Arc<Map>,
@@ -79,7 +72,6 @@ struct Data {
 	userid_displayname: Arc<Map>,
 	userid_lastonetimekeyupdate: Arc<Map>,
 	userid_masterkeyid: Arc<Map>,
-	userid_origin: Arc<Map>,
 	userid_password: Arc<Map>,
 	userid_suspension: Arc<Map>,
 	userid_lock: Arc<Map>,
@@ -106,6 +98,7 @@ fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
 				keychangeid_userid: args.db["keychangeid_userid"].clone(),
 				keyid_key: args.db["keyid_key"].clone(),
 				onetimekeyid_onetimekeys: args.db["onetimekeyid_onetimekeys"].clone(),
+				fallbackkeyid_fallbackkey: args.db["fallbackkeyid_fallbackkey"].clone(),
 				openidtoken_expiresatuserid: args.db["openidtoken_expiresatuserid"].clone(),
 				logintoken_expiresatuserid: args.db["logintoken_expiresatuserid"].clone(),
 				todeviceid_events: args.db["todeviceid_events"].clone(),
@@ -120,7 +113,6 @@ fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
 				userid_displayname: args.db["userid_displayname"].clone(),
 				userid_lastonetimekeyupdate: args.db["userid_lastonetimekeyupdate"].clone(),
 				userid_masterkeyid: args.db["userid_masterkeyid"].clone(),
-				userid_origin: args.db["userid_origin"].clone(),
 				userid_password: args.db["userid_password"].clone(),
 				userid_suspension: args.db["userid_suspension"].clone(),
 				userid_lock: args.db["userid_lock"].clone(),
@@ -178,26 +170,12 @@ pub async fn is_admin(&self, user_id: &UserId) -> bool {
 	}
 
 	/// Create a new user account on this homeserver.
-	///
-	/// User origin is by default "password" (meaning that it will login using
-	/// its user_id/password). Users with other origins (currently only "ldap"
-	/// is available) have special login processes.
 	#[inline]
-	pub async fn create(
-		&self,
-		user_id: &UserId,
-		password: Option<&str>,
-		origin: Option<&str>,
-	) -> Result<()> {
-		if !self.services.globals.user_is_local(user_id)
-			&& (password.is_some() || origin.is_some())
-		{
-			return Err!("Cannot create a nonlocal user with a set password or origin");
+	pub async fn create(&self, user_id: &UserId, password: Option<&str>) -> Result<()> {
+		if !self.services.globals.user_is_local(user_id) && password.is_some() {
+			return Err!("Cannot create a nonlocal user with a set password");
 		}
 
-		self.db
-			.userid_origin
-			.insert(user_id, origin.unwrap_or("password"));
 		self.set_password(user_id, password).await?;
 
 		Ok(())
@@ -360,11 +338,6 @@ pub fn list_local_users(&self) -> impl Stream<Item = OwnedUserId> + Send + '_ {
 			.ready_filter_map(|(u, p): (OwnedUserId, &[u8])| (!p.is_empty()).then_some(u))
 	}
 
-	/// Returns the origin of the user (password/LDAP/...).
-	pub async fn origin(&self, user_id: &UserId) -> Result<String> {
-		self.db.userid_origin.get(user_id).await.deserialized()
-	}
-
 	/// Returns the password hash for the given user.
 	pub async fn password_hash(&self, user_id: &UserId) -> Result<String> {
 		self.db.userid_password.get(user_id).await.deserialized()
@@ -372,22 +345,6 @@ pub async fn password_hash(&self, user_id: &UserId) -> Result<String> {
 
 	/// Hash and set the user's password to the Argon2 hash
 	pub async fn set_password(&self, user_id: &UserId, password: Option<&str>) -> Result<()> {
-		// Cannot change the password of a LDAP user. There are two special cases :
-		// - a `None` password can be used to deactivate a LDAP user
-		// - a "*" password is used as the default password of an active LDAP user
-		if cfg!(feature = "ldap")
-			&& password.is_some_and(|pwd| pwd != "*")
-			&& self
-				.db
-				.userid_origin
-				.get(user_id)
-				.await
-				.deserialized::<String>()
-				.is_ok_and(is_equal_to!("ldap"))
-		{
-			return Err!(Request(InvalidParam("Cannot change password of a LDAP user")));
-		}
-
 		password
 			.map(utils::hash::password)
 			.transpose()
@@ -595,7 +552,7 @@ pub async fn add_one_time_key(
 		&self,
 		user_id: &UserId,
 		device_id: &DeviceId,
-		one_time_key_key: &KeyId<OneTimeKeyAlgorithm, OneTimeKeyName>,
+		one_time_key_key: &OneTimeKeyId,
 		one_time_key_value: &Raw<OneTimeKey>,
 	) -> Result {
 		// All devices have metadata
@@ -632,6 +589,39 @@ pub async fn add_one_time_key(
 		Ok(())
 	}
 
+	/// Save a fallback key for the given user, device, and algorithm
+	/// This key will replace an existing fallback key
+	pub async fn add_fallback_key(
+		&self,
+		user_id: &UserId,
+		device_id: &DeviceId,
+		fallback_key_id: &OneTimeKeyId,
+		fallback_key: &Raw<OneTimeKey>,
+		used: bool,
+	) -> Result {
+		// All devices have metadata
+		// Only existing devices should be able to call this, but we shouldn't assert
+		// either...
+		let key = (user_id, device_id);
+		if self.db.userdeviceid_metadata.qry(&key).await.is_err() {
+			return Err!(Database(error!(
+				%user_id,
+				%device_id,
+				"User does not exist or device has no metadata."
+			)));
+		}
+
+		// There is one fallback key slot per user, per device, per algorithm
+		// Therefore we use this as the DB key for this column
+		let db_key = (user_id, device_id, fallback_key_id.algorithm());
+
+		self.db
+			.fallbackkeyid_fallbackkey
+			.put(db_key, (used, fallback_key_id.as_str(), Json(fallback_key)));
+
+		Ok(())
+	}
+
 	pub async fn last_one_time_keys_update(&self, user_id: &UserId) -> u64 {
 		self.db
 			.userid_lastonetimekeyupdate
@@ -663,6 +653,8 @@ pub async fn take_one_time_key(
 			.onetimekeyid_onetimekeys
 			.raw_stream_prefix(&prefix)
 			.ignore_err()
+			.next()
+			.await
 			.map(|(key, val)| {
 				self.db.onetimekeyid_onetimekeys.remove(key);
 
@@ -681,11 +673,44 @@ pub async fn take_one_time_key(
 					.unwrap();
 
 				(key, val)
-			})
-			.next()
-			.await;
+			});
 
-		one_time_key.ok_or_else(|| err!(Request(NotFound("No one-time-key found"))))
+		if let Some(result) = one_time_key {
+			return Ok(result);
+		}
+
+		// No one-time key has been found. Look for a fallback key.
+
+		let db_key = (user_id, device_id, key_algorithm);
+
+		let fallback_key = self
+			.db
+			.fallbackkeyid_fallbackkey
+			.qry(&db_key)
+			.await
+			.ok()
+			.and_then(|handle| {
+				handle
+					.deserialized::<(bool, OwnedOneTimeKeyId, Raw<OneTimeKey>)>()
+					.ok()
+			});
+
+		if let Some((used, fallback_key_id, fallback_key_value)) = fallback_key {
+			if !used {
+				// write the key to the database again to mark it as used
+				self.add_fallback_key(
+					user_id,
+					device_id,
+					&fallback_key_id,
+					&fallback_key_value,
+					true,
+				)
+				.await?;
+			}
+			return Ok((fallback_key_id, fallback_key_value));
+		}
+
+		Err(err!(Request(NotFound("No one-time key or fallback key found"))))
 	}
 
 	pub async fn count_one_time_keys(
@@ -718,6 +743,34 @@ pub async fn count_one_time_keys(
 		algorithm_counts
 	}
 
+	pub async fn list_unused_fallback_key_types(
+		&self,
+		user_id: &UserId,
+		device_id: &DeviceId,
+	) -> Vec<OneTimeKeyAlgorithm> {
+		type KeyVal = ((String, String, OneTimeKeyAlgorithm), (bool, String, Ignore));
+
+		let mut query = user_id.as_bytes().to_vec();
+		query.push(0xFF);
+		query.extend_from_slice(device_id.as_bytes());
+		query.push(0xFF);
+
+		let mut unused_algorithms = Vec::new();
+
+		self.db
+			.fallbackkeyid_fallbackkey
+			.stream_prefix(&query)
+			.ignore_err()
+			.ready_for_each(|((_, _, fallback_key_algorithm), (used, ..)): KeyVal| {
+				if !used {
+					unused_algorithms.push(fallback_key_algorithm);
+				}
+			})
+			.await;
+
+		unused_algorithms
+	}
+
 	pub async fn add_device_keys(
 		&self,
 		user_id: &UserId,
@@ -1292,177 +1345,6 @@ pub async fn clear_profile(&self, user_id: &UserId) {
 			.ready_for_each(|(key, _)| self.set_profile_key(user_id, &key, None))
 			.await;
 	}
-
-	#[cfg(feature = "ldap")]
-	async fn create_ldap_connection(
-		config: &conduwuit_core::config::LdapConfig,
-		uri: &str,
-	) -> Result<(LdapConnAsync, ldap3::Ldap), ldap3::LdapError> {
-		let mut settings = LdapConnSettings::new();
-
-		if config.use_starttls {
-			settings = settings.set_starttls(true);
-		}
-
-		if config.disable_tls_verification {
-			settings = settings.set_no_tls_verify(true);
-		}
-
-		LdapConnAsync::with_settings(settings, uri).await
-	}
-
-	#[cfg(not(feature = "ldap"))]
-	pub async fn search_ldap(&self, _user_id: &UserId) -> Result<Vec<(String, Option<bool>)>> {
-		Err!(FeatureDisabled("ldap"))
-	}
-
-	#[cfg(feature = "ldap")]
-	pub async fn search_ldap(&self, user_id: &UserId) -> Result<Vec<(String, Option<bool>)>> {
-		let localpart = user_id.localpart().to_owned();
-		let lowercased_localpart = localpart.to_lowercase();
-
-		let config = &self.services.server.config.ldap;
-		let uri = config
-			.uri
-			.as_ref()
-			.ok_or_else(|| err!(Ldap(error!("LDAP URI is not configured."))))?;
-
-		debug!(?uri, "LDAP creating connection...");
-		let (conn, mut ldap) = Self::create_ldap_connection(config, uri.as_str())
-			.await
-			.map_err(|e| err!(Ldap(error!(%user_id, "LDAP connection setup error: {e}"))))?;
-
-		let driver = self.services.server.runtime().spawn(async move {
-			match conn.drive().await {
-				| Err(e) => error!("LDAP connection error: {e}"),
-				| Ok(()) => debug!("LDAP connection completed."),
-			}
-		});
-
-		match (&config.bind_dn, &config.bind_password_file) {
-			| (Some(bind_dn), Some(bind_password_file)) => {
-				let bind_pw = String::from_utf8(std::fs::read(bind_password_file)?)?;
-				ldap.simple_bind(bind_dn, bind_pw.trim())
-					.await
-					.and_then(ldap3::LdapResult::success)
-					.map_err(|e| err!(Ldap(error!("LDAP bind error: {e}"))))?;
-			},
-			| (..) => {},
-		}
-
-		let attr = [&config.uid_attribute, &config.name_attribute];
-
-		let user_filter = &config.filter.replace("{username}", &lowercased_localpart);
-
-		let (entries, _result) = ldap
-			.search(&config.base_dn, Scope::Subtree, user_filter, &attr)
-			.await
-			.and_then(ldap3::SearchResult::success)
-			.inspect(|(entries, result)| trace!(?entries, ?result, "LDAP Search"))
-			.map_err(|e| err!(Ldap(error!(?attr, ?user_filter, "LDAP search error: {e}"))))?;
-
-		let mut dns: HashMap<String, Option<bool>> = entries
-			.into_iter()
-			.filter_map(|entry| {
-				let search_entry = SearchEntry::construct(entry);
-				debug!(?search_entry, "LDAP search entry");
-				search_entry
-					.attrs
-					.get(&config.uid_attribute)
-					.into_iter()
-					.chain(search_entry.attrs.get(&config.name_attribute))
-					.any(|ids| ids.contains(&localpart) || ids.contains(&lowercased_localpart))
-					.then_some((search_entry.dn, None))
-			})
-			.collect();
-
-		if !config.admin_filter.is_empty() {
-			// Update all existing entries to Some(false) since we can now determine admin
-			// status
-			for admin_status in dns.values_mut() {
-				*admin_status = Some(false);
-			}
-			let admin_base_dn = if config.admin_base_dn.is_empty() {
-				&config.base_dn
-			} else {
-				&config.admin_base_dn
-			};
-
-			let admin_filter = &config
-				.admin_filter
-				.replace("{username}", &lowercased_localpart);
-
-			let (admin_entries, _result) = ldap
-				.search(admin_base_dn, Scope::Subtree, admin_filter, &attr)
-				.await
-				.and_then(ldap3::SearchResult::success)
-				.inspect(|(entries, result)| trace!(?entries, ?result, "LDAP Admin Search"))
-				.map_err(|e| {
-					err!(Ldap(error!(?attr, ?admin_filter, "Ldap admin search error: {e}")))
-				})?;
-
-			dns.extend(admin_entries.into_iter().filter_map(|entry| {
-				let search_entry = SearchEntry::construct(entry);
-				debug!(?search_entry, "LDAP search entry");
-				search_entry
-					.attrs
-					.get(&config.uid_attribute)
-					.into_iter()
-					.chain(search_entry.attrs.get(&config.name_attribute))
-					.any(|ids| ids.contains(&localpart) || ids.contains(&lowercased_localpart))
-					.then_some((search_entry.dn, Some(true)))
-			}));
-		}
-
-		ldap.unbind()
-			.await
-			.map_err(|e| err!(Ldap(error!("LDAP unbind error: {e}"))))?;
-
-		driver.await.log_err().ok();
-
-		Ok(dns.drain().collect())
-	}
-
-	#[cfg(not(feature = "ldap"))]
-	pub async fn auth_ldap(&self, _user_dn: &str, _password: &str) -> Result {
-		Err!(FeatureDisabled("ldap"))
-	}
-
-	#[cfg(feature = "ldap")]
-	pub async fn auth_ldap(&self, user_dn: &str, password: &str) -> Result {
-		let config = &self.services.server.config.ldap;
-		let uri = config
-			.uri
-			.as_ref()
-			.ok_or_else(|| err!(Ldap(error!("LDAP URI is not configured."))))?;
-
-		debug!(?uri, "LDAP creating connection...");
-		let (conn, mut ldap) = Self::create_ldap_connection(config, uri.as_str())
-			.await
-			.map_err(|e| err!(Ldap(error!(%user_dn, "LDAP connection setup error: {e}"))))?;
-
-		let driver = self.services.server.runtime().spawn(async move {
-			match conn.drive().await {
-				| Err(e) => error!("LDAP connection error: {e}"),
-				| Ok(()) => debug!("LDAP connection completed."),
-			}
-		});
-
-		ldap.simple_bind(user_dn, password)
-			.await
-			.and_then(ldap3::LdapResult::success)
-			.map_err(|e| {
-				err!(Request(Forbidden(debug_error!("LDAP authentication error: {e}"))))
-			})?;
-
-		ldap.unbind()
-			.await
-			.map_err(|e| err!(Ldap(error!("LDAP unbind error: {e}"))))?;
-
-		driver.await.log_err().ok();
-
-		Ok(())
-	}
 }
 
 pub fn parse_master_key(

xtask/Cargo.toml

@@ -14,7 +14,7 @@ conduwuit-admin.workspace = true
 conduwuit.workspace = true
 clap.workspace = true
 
-askama = "0.15.1"
+askama = "0.16.0"
 cargo_metadata = "0.23.1"
 
 [lints]