dandri/continuwuity
1
0
Fork 0
mirror of https://forgejo.ellis.link/continuwuation/continuwuity/ synced 2026-04-02 16:15:39 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Compare commits

base: dandri:renovate/serde_html_form-0.x
Branches Tags
dandri:main dandri:nex/feat/policy-servers-2-electric-boogaloo dandri:renovate/crate-ci-typos-1.x dandri:nex/chore/lettre-use-ring dandri:renovate/node-patch-updates dandri:aranje/illegal-car-mods dandri:ginger/email-support dandri:renovate/cargo-bins-cargo-binstall-1.x dandri:jade/community-guidelines dandri:nex/fix/federation-format dandri:jade/git-deps-updates dandri:jade/pin-gh-actions dandri:jade/changelog-check dandri:jade/rust-1-92 dandri:ginger/password-reset dandri:nex/experiment/push-gateway-logs dandri:ginger/msc3575-obliteration dandri:renovate/serde_html_form-0.x dandri:renovate/github-actions-non-major dandri:nex/feat/block-busted-rooms dandri:renovate/rand_core-0.x dandri:nex/fix/informative-startup-errs dandri:ginger/no-left-room-initial-sync dandri:jade/docker-entrypoint dandri:jade/dehydrated-devices dandri:ginger/complement-fixes dandri:nex/fix/stale-destination-cache dandri:nex/experiment/sync-mutex dandri:tcpipuk/docker-docs dandri:jade/snafu dandri:jade/rand-update dandri:nex/stateres-refactor dandri:ginger/779-in-troubleshooting dandri:renovate/reqwest-0.x dandri:jade/liveit-guide dandri:jade/http3 dandri:nex/feat/admin-hide-empty-rooms dandri:ginger/oobe dandri:nex/fix/debian-thingy dandri:jade/ldap-admin-check dandri:nex/fix/remote-restricted-joins dandri:nex/feat/msc4406-sender-ignored dandri:jade/deadlock-detection dandri:nex/feat/room-shutdown dandri:jade/get-started dandri:jade/docs-guide dandri:ginger/fix-local-invites dandri:nex/fix/tpi dandri:nex/feat/room-deletion dandri:nex/feat/msc4322-media-redaction dandri:ginger/stitched-order dandri:jade/build-info dandri:nex/feat/ignore-deny-all-acls dandri:ginger/deps/update-rspress dandri:jade/admin-announce-improvements dandri:ginger/xtask-improvements dandri:nex/fix/origin-check dandri:jade/improve-admin-config-display dandri:nex/fix/better-stateres-error-logs dandri:jade/sender-timeouts dandri:nex/feat/custom-v12-room-ids dandri:nex/fix/whoami dandri:nex/fix/directory-publish-v12 dandri:ginger/update-metadata dandri:nex/feat/admin-force-logout dandri:tom/max-perf-docs dandri:nex/fix/invalid-appservice-reg dandri:nex/feat/antispam dandri:nex/feat/account-locking dandri:jade/logging-cleanup dandri:jade/remove-legacy-appservice-auth dandri:nex/fix/key-query dandri:jade/update-prek dandri:nex/fix/room-summaries dandri:ginger/restrict-admin-commands dandri:ginger/enable-console-by-default dandri:jade/tag-fixes dandri:jade/otlp dandri:nex/meta/pull-req-template dandri:nex/fix/fed-invite-compliance dandri:nex/feat/build-commit dandri:nex/feat/join-logging dandri:jade/mailmap-updates dandri:jade/hack-ci-tmp dandri:jade/v12-stable dandri:jade/relations dandri:ginger/database-refactor dandri:jade/fix-ldap-uiaa dandri:nex/fix/validation dandri:ginger/nuke-invalid-msc4133-fields-in-migration dandri:ginger/downgrade-artifact-actions dandri:oddlid/reload-fix dandri:jade/fix-assert dandri:ginger/sync-v3-cleanup dandri:ginger/remove-absolute-action-urls dandri:jade/website dandri:nex/fix/backoff dandri:ginger/fix-mdbook-for-0.5 dandri:ginger/no-docker-on-prs dandri:backport/v0.5.0-rc.8-1 dandri:nex/fed-improvements dandri:jade/rust-1.90 dandri:jade/mirror-dockerhub dandri:jade/clippy-fixes dandri:jade/fix-support dandri:jade/clean-images dandri:jade/wal-compression-type dandri:jade/flake-clone dandri:ginger/upload-rpms-on-schedule dandri:nex/fix/incoming-fetch dandri:nex/fix/upgrade dandri:tom/ci-fedora-rpm dandri:jade/ci-release-fix dandri:jade/rocksdb-10-5 dandri:ginger/fix-msc4133-migration dandri:ginger/migrate-busted-tz dandri:hydra/public dandri:nex/feat/manual-extremities dandri:nex/feat/async-media dandri:nex/feat/fast-joins-hack-do-not-use-DO-NOT-USE dandri:nex/feat/better-logging dandri:trigger-ci-so-latest-isnt-on-illegal-car-mods dandri:nex/feat/pins-backfill dandri:jade/tuwunel-2025-06-old dandri:jade/ai-slop-db-docs dandri:nex/fix-create-auth dandri:jade/version-stats dandri:jade/read-receipts dandri:jade/rust-toolchain-no-targets dandri:jade/logging-features dandri:jade/syncv5-typing dandri:jade/msc2815 dandri:jade/purge-sync-tokens dandri:morguldir/see-eye dandri:jade/css-small-screen dandri:nex/wip-751 dandri:tuwunel-rebase dandri:test dandri:oddlid/rename-admin-room-bot dandri:strawberry/nix-ci-stuff dandri:strawberry/valgrind dandri:phonemain dandri:strawberry/morgs-snake-sync-jason-main dandri:newer-media-endpoints dandri:folly-coroutines-async-io dandri:federation-retry-timer-port dandri:bad-attempt-at-extracting-homeserver-signing-key dandri:room-deletion-attempt-do-not-use
dandri:v0.5.7-alpha.1 dandri:v0.5.6 dandri:v0.5.6-alpha dandri:v0.5.5 dandri:v0.5.4 dandri:v0.5.3 dandri:v0.5.2 dandri:v0.5.1 dandri:v0.5.0 dandri:v0.5.0-rc.8.1 dandri:v0.5.0-rc.8 dandri:v0.5.0-rc.7 dandri:v0.5.0-rc.6 dandri:v0.5.0-rc.5 dandri:v0.5.0-rc4 dandri:v0.5.0-rc3 dandri:v0.5.0-rc2 dandri:v0.5.0-rc dandri:v0.4.7-rc dandri:v0.4.6 dandri:v0.4.6-rc dandri:v0.4.5-rc dandri:v0.4.5 dandri:v0.4.4 dandri:v0.4.3 dandri:v0.4.2 dandri:v0.4.1 dandri:v0.3.4 dandri:v0.3.3 dandri:v0.3.2 dandri:v0.3.1 dandri:v0.3.0
...
compare: dandri:renovate/node-patch-updates
Branches Tags
dandri:nex/feat/policy-servers-2-electric-boogaloo dandri:renovate/crate-ci-typos-1.x dandri:nex/chore/lettre-use-ring dandri:renovate/node-patch-updates dandri:main dandri:aranje/illegal-car-mods dandri:ginger/email-support dandri:renovate/cargo-bins-cargo-binstall-1.x dandri:jade/community-guidelines dandri:nex/fix/federation-format dandri:jade/git-deps-updates dandri:jade/pin-gh-actions dandri:jade/changelog-check dandri:jade/rust-1-92 dandri:ginger/password-reset dandri:nex/experiment/push-gateway-logs dandri:ginger/msc3575-obliteration dandri:renovate/serde_html_form-0.x dandri:renovate/github-actions-non-major dandri:nex/feat/block-busted-rooms dandri:renovate/rand_core-0.x dandri:nex/fix/informative-startup-errs dandri:ginger/no-left-room-initial-sync dandri:jade/docker-entrypoint dandri:jade/dehydrated-devices dandri:ginger/complement-fixes dandri:nex/fix/stale-destination-cache dandri:nex/experiment/sync-mutex dandri:tcpipuk/docker-docs dandri:jade/snafu dandri:jade/rand-update dandri:nex/stateres-refactor dandri:ginger/779-in-troubleshooting dandri:renovate/reqwest-0.x dandri:jade/liveit-guide dandri:jade/http3 dandri:nex/feat/admin-hide-empty-rooms dandri:ginger/oobe dandri:nex/fix/debian-thingy dandri:jade/ldap-admin-check dandri:nex/fix/remote-restricted-joins dandri:nex/feat/msc4406-sender-ignored dandri:jade/deadlock-detection dandri:nex/feat/room-shutdown dandri:jade/get-started dandri:jade/docs-guide dandri:ginger/fix-local-invites dandri:nex/fix/tpi dandri:nex/feat/room-deletion dandri:nex/feat/msc4322-media-redaction dandri:ginger/stitched-order dandri:jade/build-info dandri:nex/feat/ignore-deny-all-acls dandri:ginger/deps/update-rspress dandri:jade/admin-announce-improvements dandri:ginger/xtask-improvements dandri:nex/fix/origin-check dandri:jade/improve-admin-config-display dandri:nex/fix/better-stateres-error-logs dandri:jade/sender-timeouts dandri:nex/feat/custom-v12-room-ids dandri:nex/fix/whoami dandri:nex/fix/directory-publish-v12 dandri:ginger/update-metadata dandri:nex/feat/admin-force-logout dandri:tom/max-perf-docs dandri:nex/fix/invalid-appservice-reg dandri:nex/feat/antispam dandri:nex/feat/account-locking dandri:jade/logging-cleanup dandri:jade/remove-legacy-appservice-auth dandri:nex/fix/key-query dandri:jade/update-prek dandri:nex/fix/room-summaries dandri:ginger/restrict-admin-commands dandri:ginger/enable-console-by-default dandri:jade/tag-fixes dandri:jade/otlp dandri:nex/meta/pull-req-template dandri:nex/fix/fed-invite-compliance dandri:nex/feat/build-commit dandri:nex/feat/join-logging dandri:jade/mailmap-updates dandri:jade/hack-ci-tmp dandri:jade/v12-stable dandri:jade/relations dandri:ginger/database-refactor dandri:jade/fix-ldap-uiaa dandri:nex/fix/validation dandri:ginger/nuke-invalid-msc4133-fields-in-migration dandri:ginger/downgrade-artifact-actions dandri:oddlid/reload-fix dandri:jade/fix-assert dandri:ginger/sync-v3-cleanup dandri:ginger/remove-absolute-action-urls dandri:jade/website dandri:nex/fix/backoff dandri:ginger/fix-mdbook-for-0.5 dandri:ginger/no-docker-on-prs dandri:backport/v0.5.0-rc.8-1 dandri:nex/fed-improvements dandri:jade/rust-1.90 dandri:jade/mirror-dockerhub dandri:jade/clippy-fixes dandri:jade/fix-support dandri:jade/clean-images dandri:jade/wal-compression-type dandri:jade/flake-clone dandri:ginger/upload-rpms-on-schedule dandri:nex/fix/incoming-fetch dandri:nex/fix/upgrade dandri:tom/ci-fedora-rpm dandri:jade/ci-release-fix dandri:jade/rocksdb-10-5 dandri:ginger/fix-msc4133-migration dandri:ginger/migrate-busted-tz dandri:hydra/public dandri:nex/feat/manual-extremities dandri:nex/feat/async-media dandri:nex/feat/fast-joins-hack-do-not-use-DO-NOT-USE dandri:nex/feat/better-logging dandri:trigger-ci-so-latest-isnt-on-illegal-car-mods dandri:nex/feat/pins-backfill dandri:jade/tuwunel-2025-06-old dandri:jade/ai-slop-db-docs dandri:nex/fix-create-auth dandri:jade/version-stats dandri:jade/read-receipts dandri:jade/rust-toolchain-no-targets dandri:jade/logging-features dandri:jade/syncv5-typing dandri:jade/msc2815 dandri:jade/purge-sync-tokens dandri:morguldir/see-eye dandri:jade/css-small-screen dandri:nex/wip-751 dandri:tuwunel-rebase dandri:test dandri:oddlid/rename-admin-room-bot dandri:strawberry/nix-ci-stuff dandri:strawberry/valgrind dandri:phonemain dandri:strawberry/morgs-snake-sync-jason-main dandri:newer-media-endpoints dandri:folly-coroutines-async-io dandri:federation-retry-timer-port dandri:bad-attempt-at-extracting-homeserver-signing-key dandri:room-deletion-attempt-do-not-use
dandri:v0.5.7-alpha.1 dandri:v0.5.6 dandri:v0.5.6-alpha dandri:v0.5.5 dandri:v0.5.4 dandri:v0.5.3 dandri:v0.5.2 dandri:v0.5.1 dandri:v0.5.0 dandri:v0.5.0-rc.8.1 dandri:v0.5.0-rc.8 dandri:v0.5.0-rc.7 dandri:v0.5.0-rc.6 dandri:v0.5.0-rc.5 dandri:v0.5.0-rc4 dandri:v0.5.0-rc3 dandri:v0.5.0-rc2 dandri:v0.5.0-rc dandri:v0.4.7-rc dandri:v0.4.6 dandri:v0.4.6-rc dandri:v0.4.5-rc dandri:v0.4.5 dandri:v0.4.4 dandri:v0.4.3 dandri:v0.4.2 dandri:v0.4.1 dandri:v0.3.4 dandri:v0.3.3 dandri:v0.3.2 dandri:v0.3.1 dandri:v0.3.0

157 Commits
renovate/s ... renovate/n

Author SHA1 Message Date
Renovate Bot
ab10d37f68 chore(deps): update node-patch-updates to v2.0.8 2026-04-01 05:03:35 +00:00
timedout
0cc1e4685c style: Make main green again 2026-03-31 18:07:44 +01:00
ginger
3d2915093c Update LICENSE 2026-03-31 02:26:22 +00:00
Ginger
e1c54f4dec fix: Don't allow UIAA stages to be completed if no flow includes them 2026-03-31 02:20:59 +00:00
ginger
0c9fa3b7e5 feat: Add a notice about email to the first-run banner 2026-03-31 02:20:59 +00:00
Ginger
a95b488e6a chore: Update admin command docs 2026-03-31 02:20:59 +00:00
Ginger
4f8833e937 fix: Update connection_uri docs 2026-03-31 02:20:59 +00:00
Ginger
f32599e030 feat: Supply more informative error message if email is disabled 2026-03-31 02:20:59 +00:00
Ginger
b6f0b41d3d feat: Ratelimit sending threepid validation emails 2026-03-31 02:20:59 +00:00
Ginger
d5675b85cf fix: Release session lock before sending threepid validation email 2026-03-31 02:20:59 +00:00
Ginger
951b5abe19 refactor: Remove UiaaStatus enum 2026-03-31 02:20:59 +00:00
Ginger
a325ad16f1 feat: Fall back to email when registering a user who didn't provide a username 2026-03-31 02:20:59 +00:00
Ginger
f93a1cc506 fix: Don't bail out on email association failures when registering a new user 2026-03-31 02:20:59 +00:00
Ginger
6e8dbcbfab refactor: Remove workarounds for matrix-appservice-irc 2026-03-31 02:20:59 +00:00
ginger
97458207e5 chore: Update news fragment 2026-03-31 02:20:59 +00:00
Ginger
ab8929e2fa chore: Fix typo 2026-03-31 02:20:59 +00:00
Ginger
166d7d0f63 fix: Remove associated email on account deactivation 2026-03-31 02:20:59 +00:00
Ginger
20a6f0c6fb chore: News fragment 2026-03-31 02:20:59 +00:00
Ginger
3885e43b5d feat: Add support for 3pid management 2026-03-31 02:20:59 +00:00
Ginger
ef7ad6082c feat: Add support for registering a new account with an email address 2026-03-31 02:20:59 +00:00
Ginger
717d319708 feat: Add support for logging in with an email address 2026-03-31 02:20:59 +00:00
Ginger
0b04757bef feat: Add support for password resets via email 2026-03-31 02:20:59 +00:00
Ginger
f2b7dd6519 feat: Add a webpage for threepid validation links 2026-03-31 02:20:59 +00:00
Ginger
9d06208a7a feat: Store threepid validation sessions in memory instead of the database 2026-03-31 02:20:59 +00:00
Ginger
955da3a74f feat: Add admin commands for managing users' email addresses 2026-03-31 02:20:59 +00:00
Ginger
7e79a544cf refactor: Split account routes into multiple files 2026-03-31 02:20:59 +00:00
Ginger
f5db4d17d6 feat: Refactor UIAA service, add support for email stage 2026-03-31 02:20:59 +00:00
Ginger
54fd1d313f feat: Implement threepid service 2026-03-31 02:20:59 +00:00
Ginger
bb7fd9efc1 feat: Implement mailer service for sending emails 2026-03-31 02:20:59 +00:00
Jade Ellis
aa79072411 docs: Revert duplicate link 2026-03-29 19:34:56 +01:00
Jade Ellis
8b72c5eb11 docs: Fix email link 2026-03-29 19:25:24 +01:00
Jade Ellis
e5cfc503d8 docs: Delete unused book.toml 2026-03-29 19:21:02 +01:00
Jade Ellis
07d5081008 docs: Apply feedback 2026-03-29 19:20:05 +01:00
Jade Ellis
dba7f47972 docs: Link MatrixRTC room 2026-03-29 19:15:42 +01:00
Jade Ellis
0a2d4e1cb2 docs: Replace Contributor Covenant with community guidelines 2026-03-29 19:15:42 +01:00
Jade Ellis
f45857acd4 docs: Update community guidelines 2026-03-29 19:15:41 +01:00
norm
9209b847f6 docs: Mention systemd's ReadWritePaths setting for the backup dir 
The systemd unit file uses `ProtectSystem=strict`, which makes almost
every directory read-only. This can cause backups to not work, even if
the directory is granted the correct permissions and ownership to the
`conduwuit` user.

The `ReadWritePaths` setting lets you specify which directories are
exempt from being made read-only by `ProtectSystem=strict`.
 2026-03-27 19:25:26 +00:00
Jade Ellis
cf9c2c23b6 chore: Upgrade git dependencies 2026-03-27 18:39:43 +00:00
Jade Ellis
1bd161a306 fix(deps): Update to rocksdb v10.10.1, jemalloc 0.6.1 
Re-adds revert to try and fix rocksdb repair deadlock
 2026-03-27 18:39:43 +00:00
Renovate Bot
0a0206e866 chore(deps): update node-patch-updates to v2.0.7 2026-03-27 13:31:35 +00:00
Henry-Hiles
e6f31d7d4f fix(renovate): Fix name of extends of renovate.json to use full name for pinGitHubActionDigests 2026-03-26 21:45:11 -04:00
timedout
f0c3fdfe3a fix: Well-known read errors no longer crash resolver flow 
Reviewed-By: Jade Ellis <jade@ellis.link>
 2026-03-27 00:54:17 +00:00
Jade
3c3314b498 deps: Pin actions 
In the wake of all the compromises so far this week, this seems like a good idea.
 2026-03-27 00:46:06 +00:00
Niklas Wojtkowiak
8e7846c644 fix(alias): preserve room alias enumeration on delete 2026-03-26 19:23:24 +00:00
Jade Ellis
3ebaba920f ci: Minor improvements 2026-03-25 17:32:28 +00:00
Jade Ellis
19e620c8c6 ci: Automatically comment on pull requests missing changelog entries 2026-03-25 17:32:28 +00:00
Henry-Hiles
300b6d81e7 feat(nix): add NPM to devshell 2026-03-25 12:55:49 +00:00
PerformativeJade
ed81dfc6cd fix: Thumbnail fetching error handling 2026-03-24 20:14:55 +00:00
Jade Ellis
2ffafc17d2 style: Unmeow 2026-03-24 19:48:37 +00:00
Jade Ellis
8589563a2f meow 2026-03-24 19:46:14 +00:00
Henry-Hiles
27d806e961 fix(docs): make contributing.mdx a symlink 2026-03-24 11:18:54 -04:00
stratself
7aa02a1cd9 fix(docs): Remove prefligit reference 2026-03-24 13:20:56 +00:00
stratself
fc342f5401 docs: move all contrib docs to central source at CONTRIBUTING.md 
* remove rarely-used docs/contributing.mdx page and redirect links to
  docs/development/contributing.mdx
* softlink docs/development/contributing.mdx to CONTRIBUTING.md
* add back section of towncrier to CONTRIBUTING.md
* use indirect hyperlinks for all URLs in CONTRIBUTING.md
 2026-03-24 13:20:56 +00:00
stratself
ef089c1800 docs(livekit): Put livekit+coturn port clash notice in a tip box 
* reworded first part of external TURN integration
* add restart/recreate instructions to apply final TURNs changes
 2026-03-24 13:20:13 +00:00
stratself
279c505af9 docs(livekit): Further enhance compose instructions + examples 2026-03-24 13:20:13 +00:00
stratself
f9058ee062 docs: Add instructions from #1440 to Livekit workarounds 
* still keep the link to the issue on forgejo
* also fixed a word in the Calls overview page
 2026-03-24 13:20:13 +00:00
stratself
6c856bd1a4 chore: Write news fragment for PR 2026-03-24 13:20:13 +00:00
stratself
4dbda8692c fix(docs): Other small improvements in clarity and consistent wordings 2026-03-24 13:20:13 +00:00
stratself
075914d8e8 fix(docs): Use correct var for nonfed server in livekit t00ting 2026-03-24 13:20:13 +00:00
stratself
a2a644194b fix(docs): Remove trailing whitespace 2026-03-24 13:20:13 +00:00
stratself
093ef742c3 docs(livekit): various mini-clarifications and edits 
* specify that the added ports belong to livekit's container in
  TURN section, and remind firewall rules for them
* prioritize the network_mode: host workaround
* add docker livelogs instructions
* use bash for code blocks instead of console
* some other small fixes
 2026-03-24 13:20:13 +00:00
stratself
010daf079d fix(docs): use docker run instead of exec for a livekit troubleshooting command 2026-03-24 13:20:13 +00:00
stratself
58c4f5d5b5 fix(docs): further apply fixes from feedback for livekit documentation 2026-03-24 13:20:13 +00:00
ginger
c78a72bbef chore: Trim trailing whitespace 
Signed-off-by: Ellis Git <forgejo@mail.ellis.link>
 2026-03-24 13:20:13 +00:00
stratself
7e8f1ffd63 fix(docs): little nits for livekit's troubleshooting section 2026-03-24 13:20:13 +00:00
stratself
3d0b886ab8 fix(docs): apply clarity fixes for livekit testing from feedbacks 
* clearer wording and ordering on client token versus openid token
* provide outputs for curl examples
 2026-03-24 13:20:13 +00:00
stratself
2e7bfea240 docs(livekit): new troubleshooting section and other small changes 
* add link to matrix-rtc room
* include livekit key-secret pair examples for clarity with livekit.yaml
* troubleshooting: add common EC errors and docker networking subsections
* fix a merge conflict issue
 2026-03-24 13:20:13 +00:00
stratself
b9456c1130 docs: add caveat for deployment with non-federated instances 2026-03-24 13:20:13 +00:00
stratself
3ce6e909dd docs: apply changes from feedback 
turn all the things into LiveKit
 2026-03-24 13:20:13 +00:00
stratself
3b4b401a51 docs: add livekit testing instructions against new /get_token endpoint 2026-03-24 13:20:13 +00:00
stratself
260b88975d docs: replace personal links and small fixes in docs for Livekit TURN 2026-03-24 13:20:13 +00:00
stratself
be8e3772c1 docs: rework Related Documentation section for livekit page 
* separate links into categories in order of importance: guides, specs, source codes
* add short description to included community guides
* add Element Call, lk-jwt-service, and the livekit MSCs too
 2026-03-24 13:20:13 +00:00
stratself
8b91db2918 docs: add caveat for deployment with non-federated instances 2026-03-24 13:20:13 +00:00
stratself
34758c52cc docs: apply changes from feedback 
turn all the things into LiveKit
 2026-03-24 13:20:13 +00:00
stratself
8b8c015dcc docs: add livekit testing instructions against new /get_token endpoint 2026-03-24 13:20:13 +00:00
stratself
9afe5f6bed docs: add caveat for deployment with non-federated instances 2026-03-24 13:20:13 +00:00
stratself
fe03b3b8b7 docs: apply changes from feedback 
turn all the things into LiveKit
 2026-03-24 13:20:13 +00:00
stratself
a04ef6d686 docs: add livekit testing instructions against new /get_token endpoint 2026-03-24 13:20:13 +00:00
stratself
fd807ff1f6 docs: specify both inbuilt + external options for livekit TURN in calls page 2026-03-24 13:20:13 +00:00
stratself
b0632dde41 docs: replace personal links and small fixes in docs for Livekit TURN 2026-03-24 13:20:13 +00:00
stratself
cc3a8a1d40 docs: move Livekit's inbuilt TURN guide to top 
The purpose is to simplify new deployments, which are more likely
to use Livekit-only calls. This also makes docs flow a bit better
 2026-03-24 13:20:13 +00:00
stratself
30a540d8bc docs: rework Related Documentation section for livekit page 
* separate links into categories in order of importance: guides, specs, source codes
* add short description to included community guides
* add Element Call, lk-jwt-service, and the livekit MSCs too
 2026-03-24 13:20:13 +00:00
stratself
6d0832a6ee docs: replaces all instances of matrix-rtc to livekit to match rest of page 2026-03-24 13:20:13 +00:00
Renovate Bot
119aa6476d chore(deps): update docker/setup-qemu-action action to v4 2026-03-24 13:12:12 +00:00
Jonathan Sutton
b9854662f3 fix(room_member): Strip join_authorized_via_users_server (#1542) 
Realized code for fix did in fact require a check for
`join_authorized_via_users_server` before stripping. Otherwise,
waste processing power, most of the time.

Signed-off-by: Jonathan Sutton <jonathansutton91@proton.me>
 2026-03-24 13:11:25 +00:00
Jonathan Sutton
dab50b1ec3 fix(room_member): Strip join_authorized_via_users_server (#1542) 
Fixed test.

Signed-off-by: Jonathan Sutton <jonathansutton91@proton.me>
 2026-03-24 13:11:25 +00:00
Jonathan Sutton
0338539221 fix(room_member): Strip join_authorized_via_users_server (#1542) 
Added test.

Signed-off-by: Jonathan Sutton <jonathansutton91@proton.me>
 2026-03-24 13:11:25 +00:00
Jonathan Sutton
e94e614498 fix(room_member): Strip join_authorized_via_users_server (#1542) 
Removed extra clone() and made membership_content mutable, to change
contents and reserialize to json.

Signed-off-by: Jonathan Sutton <jonathansutton91@proton.me>
 2026-03-24 13:11:25 +00:00
Jonathan Sutton
098e8a0b92 fix(room_member): Strip join_authorized_via_users_server (#1542) 
Added news fragment.

Signed-off-by: Jonathan Sutton <jonathansutton91@proton.me>
 2026-03-24 13:11:25 +00:00
Jonathan Sutton
1c3890476a fix(room_member): Strip join_authorized_via_users_server (#1542) 
Actually implemented fix. Modified json if user was already a member.

Signed-off-by: Jonathan Sutton <jonathansutton91@proton.me>
 2026-03-24 13:11:25 +00:00
Jonathan Sutton
8ef6f02ee9 fix(room_member): Strip join_authorized_via_users_server (#1542) 
Some clients were sending join_authorized_via_users_server when they
were already in the room, to change nicknames. This caused an undesirable
error, so a check for if they were already in the room was moved and
changed to strip from metadata before attempting to process metadata.

Signed-off-by: Jonathan Sutton <jonathansutton91@proton.me>
 2026-03-24 13:11:25 +00:00
Renovate Bot
11020df89d chore(deps): update node-patch-updates to v2.0.6 2026-03-24 13:10:39 +00:00
Renovate Bot
47e3738807 chore(deps): update dependency cargo-bins/cargo-binstall to v1.17.8 2026-03-24 13:08:48 +00:00
Renovate Bot
8afb19757e chore(deps): update dependency typescript to v6 2026-03-24 05:02:11 +00:00
31a05b9c
de3dfb2bea style: format 2026-03-23 20:54:10 +00:00
31a05b9c
bbb2615f2c fix: request errror: error sending request 2026-03-23 19:27:18 +00:00
coolGi
af1b4de231 fix: Typo in the domain for the announcment schema 2026-03-22 21:34:55 +13:00
timedout
677c407755 chore: Bump ruwuma 
# Conflicts:
#	Cargo.lock
#	Cargo.toml
 2026-03-21 16:24:05 +00:00
renovate
e3ae714248 chore(Nix): Updated flake hashes 2026-03-20 18:55:28 +00:00
Jade Ellis
fb9a2aa4d6 chore: Upgrade Rust to 1.92 2026-03-20 18:27:59 +00:00
coolGi
5164822090 chore: Update ruwuma 2026-03-21 06:13:45 +13:00
Jade Ellis
6b013bcf60 chore: Update funding links 2026-03-19 12:45:12 +00:00
Ginger
05a49ceb60 chore: Whitelist cognitive_complexity lint 2026-03-18 13:59:48 -04:00
Ginger
728c5828ba feat: Add a panic handler and clean up error page 2026-03-18 13:43:34 -04:00
Ginger
50c94d85a1 fix: Code cleanup 2026-03-18 13:18:53 -04:00
Ginger
0cc188f62c fix: Remove redirect on index 2026-03-18 12:42:55 -04:00
Ginger
6451671f66 fix: Update doc comment 2026-03-18 12:42:55 -04:00
theS1LV3R
ca21a885d5 chore: Rename option index_page_allow_indexing to allow_web_indexing 2026-03-18 12:42:55 -04:00
Ginger
4af4110f6d chore: Update news fragment 2026-03-18 12:42:55 -04:00
Ginger
51b450c05c feat: Use a context struct to store global template context 2026-03-18 12:42:55 -04:00
theS1LV3R
f9d1f71343 fix: Fix logic error 2026-03-18 12:42:55 -04:00
theS1LV3R
7901e4b996 chore: Add news fragment for !1527 2026-03-18 12:42:55 -04:00
theS1LV3R
7b6bf4b78e feat: Add option for a noindex meta tag on the HTML index page 
Adds a new config option `index_page_allow_indexing` which defaults to false.

Fixes: !1527
 2026-03-18 12:42:55 -04:00
Ginger
67d5619ccb fix: Fix password reset page appearance in light mode 2026-03-18 12:42:55 -04:00
Ginger
bf001f96d6 feat: Restrict reset token command 2026-03-18 12:42:55 -04:00
Ginger
ae2b87f03f fix: Fix M_NOT_FOUND for users with no origin set 2026-03-18 12:42:55 -04:00
Ginger
957cd3502f fix: Evil CSS hackery 2026-03-18 12:42:55 -04:00
Ginger
a109542eb8 fix: Disable text selection on k10y 2026-03-18 12:42:55 -04:00
Ginger
8c4844b00b fix: Use error page for extractor rejections 2026-03-18 12:42:55 -04:00
Ginger
eec7103910 feat: Implement dedicated 404 page for routes under /_continuwuity/ 2026-03-18 12:42:55 -04:00
Ginger
43aa172829 feat: Move index to /_continuwuity/ 2026-03-18 12:42:55 -04:00
Ginger
9b4c483b6d chore: Remove unnecessary database map left over from refactor 2026-03-18 12:42:55 -04:00
Ginger
b885e206ce fix: Use server name in index again 2026-03-18 12:42:55 -04:00
Ginger
07a935f625 fix: Add CSRF protection 2026-03-18 12:42:55 -04:00
Ginger
d13801e976 fix: Disallow issuing password reset tokens for deactivated users 2026-03-18 12:42:55 -04:00
Ginger
5716c36b47 chore: Change password reset page path 2026-03-18 12:42:55 -04:00
Ginger
f11943b956 chore: News fragment 2026-03-18 12:42:55 -04:00
Ginger
8b726a9c94 chore: Cleanup 2026-03-18 12:42:55 -04:00
Ginger
ffa3c53847 feat: Implement a webpage for self-service password resets 2026-03-18 12:42:55 -04:00
Ginger
da8833fca4 feat: Implement a command for issuing password reset links 2026-03-18 12:42:55 -04:00
Ginger
267feb3c09 feat: Add a new service for handling password resets 2026-03-18 12:42:55 -04:00
Ginger
3d50af0943 refactor: Split web code into multiple files, improve static resource loading 2026-03-18 12:42:55 -04:00
Ginger
9515019641 fix: Allow cognitive_complexity on two particularly large functions 2026-03-18 10:57:50 -04:00
Renovate Bot
f0f53dfada chore(deps): lock file maintenance 2026-03-18 05:05:56 +00:00
Renovate Bot
acef746d26 fix(deps): Update rust crate recaptcha-verify to 0.2.0 2026-03-17 13:20:50 +00:00
Jade Ellis
3356b60e97 chore: Remove git.nexy7574.co.uk mirror 
This mirror seems to have some issues preventing regsync from working.
 2026-03-16 18:13:26 +00:00
Jade Ellis
c988c2b387 chore: Release 2026-03-16 16:48:53 +00:00
theS1LV3R
3121229707 docs: Update docker documentation to add /sbin/conduwuit to examples 
These will likely have to be updated when !1485 goes through.

Fixes: !1529
 2026-03-15 00:21:37 +00:00
Shane Jaroch
ff85145ee8 fix: missing logic inversion for acquired keys (should speed up room joins) 2026-03-13 20:54:38 -04:00
lveneris
f61d1a11e0 chore: set correct commit types for all renovate PRs 2026-03-09 21:51:21 +00:00
lveneris
11ba8979ff chore: batch non-major non-zerover cargo renovate PRs 2026-03-09 21:51:21 +00:00
Ginger
f6956ccf12 fix: Nuke all remaining references to MSC3575 in docs and code 2026-03-09 17:11:19 +00:00
Kimiblock Moe
977a5ac8c1 Enable the reloading of systemd credentials 
systemd v260 has introduced a new option: RefreshOnReload, of which when set to true automatically reloads all confext and credential files. This should eliminate the full restart requirement to reload a changed configuration.
 2026-03-09 16:08:47 +00:00
timedout
906c3df953 style: Reduce migration warning verbosity to info 
They aren't actually warning of anything
 2026-03-09 13:30:24 +00:00
timedout
33e5fdc16f style: Reduce verbosity of fix_corrupt_msc4133_fields 2026-03-09 13:30:24 +00:00
timedout
77ac17855a fix: Don't fail on invalid stripped state entries during migration 2026-03-09 13:30:24 +00:00
timedout
65ffcd2884 perf: Insert missed migration markers into fresh databases 2026-03-09 13:30:24 +00:00
timedout
7ec88bdbfe feat: Make noise about migrations and make errors more informative 2026-03-09 13:30:24 +00:00
Ginger
da3fac8cb4 fix: Use more robust check for max_request_size 2026-03-09 13:27:39 +00:00
Trash Panda
3366113939 fix: Retrieve content_type and video width/height 2026-03-09 13:27:39 +00:00
Trash Panda
9039784f41 fix: Clippy lints 2026-03-09 13:27:39 +00:00
Trash Panda
7f165e5bbe fix: Refactor and block media downloads larger than max_request_size 2026-03-09 13:27:39 +00:00
Trash Panda
c97111e3ca fix: Update example config 2026-03-09 13:27:39 +00:00
Trash Panda
e8746760fa feat(url-preview): Optionally download audio/video files for url preview requests 2026-03-09 13:27:39 +00:00
Katie Kloss
9dbd75e740 docs: Update FreeBSD instructions 2026-03-09 13:26:57 +00:00
Renovate Bot
85b2fd91b9 chore(deps): update rust crate serde-saphyr to 0.0.21 2026-03-09 13:26:23 +00:00
Renovate Bot
6420c218a9 chore(deps): update node-patch-updates to v2.0.5 2026-03-09 12:59:58 +00:00
129 changed files with 5525 additions and 2563 deletions
Expand all files Collapse all files

2
.forgejo/actions/prepare-docker-build/action.yml
View File

@@ -75,7 +75,7 @@ runs:
- name: Set up QEMU
if: ${{ env.BUILDKIT_ENDPOINT == '' }}
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@v4
- name: Login to builtin registry
if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}

4
.forgejo/regsync/regsync.yml
View File

@@ -62,10 +62,6 @@ sync:
target: registry.gitlab.com/continuwuity/continuwuity
type: repository
<<: *tags-main
- source: *source
target: git.nexy7574.co.uk/mirrored/continuwuity
type: repository
<<: *tags-releases
- source: *source
target: ghcr.io/continuwuity/continuwuity
type: repository

103
.forgejo/workflows/check-changelog.yml Normal file
View File

@@ -0,0 +1,103 @@
name: Check Changelog
on:
pull_request_target:
types: [opened, synchronize, reopened, ready_for_review]
concurrency:
group: "${{ github.workflow }}-${{ github.ref }}"
cancel-in-progress: true
permissions:
contents: read
pull-requests: write
issues: write
jobs:
check-changelog:
name: Check for changelog
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0
persist-credentials: false
sparse-checkout: .
- name: Check for changelog entry
id: check_files
run: |
git fetch origin ${GITHUB_BASE_REF}
# Check for Added (A) or Modified (M) files in changelog.d
CHANGELOG_CHANGES=$(git diff --name-status origin/${GITHUB_BASE_REF} HEAD -- changelog.d/)
SRC_CHANGES=$(git diff --name-status origin/${GITHUB_BASE_REF} HEAD -- src/)
echo "Changes in changelog.d/:"
echo "$CHANGELOG_CHANGES"
echo "Changes in src/:"
echo "$SRC_CHANGES"
if echo "$CHANGELOG_CHANGES" | grep -q "^[AM]"; then
echo "has_changelog=true" >> $GITHUB_OUTPUT
else
echo "has_changelog=false" >> $GITHUB_OUTPUT
fi
if [ -n "$SRC_CHANGES" ]; then
echo "src_changed=true" >> $GITHUB_OUTPUT
else
echo "src_changed=false" >> $GITHUB_OUTPUT
fi
- name: Manage PR Comment
uses: https://github.com/actions/github-script@v8
env:
HAS_CHANGELOG: ${{ steps.check_files.outputs.has_changelog }}
SRC_CHANGED: ${{ steps.check_files.outputs.src_changed }}
with:
script: |
const hasChangelog = process.env.HAS_CHANGELOG === 'true';
const srcChanged = process.env.SRC_CHANGED === 'true';
const commentSignature = '<!-- changelog-check-action -->';
const commentBody = `${commentSignature}\nPlease add a changelog fragment to \`changelog.d/\` describing your changes.`;
const { data: currentUser } = await github.rest.users.getAuthenticated();
const { data: comments } = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
});
const botComment = comments.find(comment =>
comment.user.id === currentUser.id &&
comment.body.includes(commentSignature)
);
const shouldWarn = srcChanged && !hasChangelog;
if (!shouldWarn) {
if (botComment) {
console.log('Changelog found or not required. Deleting existing warning comment.');
await github.rest.issues.deleteComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: botComment.id,
});
}
} else {
if (!botComment) {
console.log('Changelog missing and required. Creating warning comment.');
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
body: commentBody,
});
}
}

4
.github/FUNDING.yml vendored
View File

@@ -1,4 +1,4 @@
github: [JadedBlueEyes, nexy7574, gingershaped]
custom:
- https://ko-fi.com/nexy7574
- https://ko-fi.com/JadedBlueEyes
- https://timedout.uk/donate.html
- https://jade.ellis.link/sponsors

132
CODE_OF_CONDUCT.md
View File

@@ -1,131 +1 @@
# Contributor Covenant Code of Conduct
## Our Pledge
We as members, contributors, and leaders pledge to make participation in our
community a harassment-free experience for everyone, regardless of age, body
size, visible or invisible disability, ethnicity, sex characteristics, gender
identity and expression, level of experience, education, socio-economic status,
nationality, personal appearance, race, caste, color, religion, or sexual
identity and orientation.
We pledge to act and interact in ways that contribute to an open, welcoming,
diverse, inclusive, and healthy community.
## Our Standards
Examples of behavior that contributes to a positive environment for our
community include:
* Demonstrating empathy and kindness toward other people
* Being respectful of differing opinions, viewpoints, and experiences
* Giving and gracefully accepting constructive feedback
* Accepting responsibility and apologizing to those affected by our mistakes,
and learning from the experience
* Focusing on what is best not just for us as individuals, but for the overall
community
Examples of unacceptable behavior include:
* The use of sexualized language or imagery, and sexual attention or advances of
any kind
* Trolling, insulting or derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or email address,
without their explicit permission
* Other conduct which could reasonably be considered inappropriate in a
professional setting
## Enforcement Responsibilities
Community leaders are responsible for clarifying and enforcing our standards of
acceptable behavior and will take appropriate and fair corrective action in
response to any behavior that they deem inappropriate, threatening, offensive,
or harmful.
Community leaders have the right and responsibility to remove, edit, or reject
comments, commits, code, wiki edits, issues, and other contributions that are
not aligned to this Code of Conduct, and will communicate reasons for moderation
decisions when appropriate.
## Scope
This Code of Conduct applies within all community spaces, and also applies when
an individual is officially representing the community in public spaces.
Examples of representing our community include using an official e-mail address,
posting via an official social media account, or acting as an appointed
representative at an online or offline event.
## Enforcement
Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported to the community leaders responsible for enforcement over Matrix at [#continuwuity:continuwuity.org](https://matrix.to/#/#continuwuity:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org) or email at <tom@tcpip.uk>, <jade@continuwuity.org> and <nex@continuwuity.org> respectively.
All complaints will be reviewed and investigated promptly and fairly.
All community leaders are obligated to respect the privacy and security of the
reporter of any incident.
## Enforcement Guidelines
Community leaders will follow these Community Impact Guidelines in determining
the consequences for any action they deem in violation of this Code of Conduct:
### 1. Correction
**Community Impact**: Use of inappropriate language or other behavior deemed
unprofessional or unwelcome in the community.
**Consequence**: A private, written warning from community leaders, providing
clarity around the nature of the violation and an explanation of why the
behavior was inappropriate. A public apology may be requested.
### 2. Warning
**Community Impact**: A violation through a single incident or series of
actions.
**Consequence**: A warning with consequences for continued behavior. No
interaction with the people involved, including unsolicited interaction with
those enforcing the Code of Conduct, for a specified period of time. This
includes avoiding interactions in community spaces as well as external channels
like social media. Violating these terms may lead to a temporary or permanent
ban.
### 3. Temporary Ban
**Community Impact**: A serious violation of community standards, including
sustained inappropriate behavior.
**Consequence**: A temporary ban from any sort of interaction or public
communication with the community for a specified period of time. No public or
private interaction with the people involved, including unsolicited interaction
with those enforcing the Code of Conduct, is allowed during this period.
Violating these terms may lead to a permanent ban.
### 4. Permanent Ban
**Community Impact**: Demonstrating a pattern of violation of community
standards, including sustained inappropriate behavior, harassment of an
individual, or aggression toward or disparagement of classes of individuals.
**Consequence**: A permanent ban from any sort of public interaction within the
community.
## Attribution
This Code of Conduct is adapted from the [Contributor Covenant][homepage],
version 2.1, available at
[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
Community Impact Guidelines were inspired by
[Mozilla's code of conduct enforcement ladder][Mozilla CoC].
For answers to common questions about this code of conduct, see the FAQ at
[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at
[https://www.contributor-covenant.org/translations][translations].
[homepage]: https://www.contributor-covenant.org
[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
[Mozilla CoC]: https://github.com/mozilla/diversity
[FAQ]: https://www.contributor-covenant.org/faq
[translations]: https://www.contributor-covenant.org/translations
Contributors are expected to follow the [Continuwuity Community Guidelines](continuwuity.org/community/guidelines).

36
CONTRIBUTING.md
View File

@@ -36,7 +36,7 @@ # Run all checks
prek --all-files
```
Alternatively, you can use [pre-commit](https://pre-commit.com/):
Alternatively, you can use [pre-commit][pre-commit]:
```bash
# Requires python
@@ -52,6 +52,8 @@ # Run all checks manually
These same checks are run in CI via the prek-checks workflow to ensure consistency. These must pass before the PR is merged.
[pre-commit]: https://pre-commit.com/
### Running tests locally
Tests, compilation, and linting can be run with standard Cargo commands:
@@ -109,7 +111,7 @@ ### Writing documentation
### Commit Messages
Continuwuity follows the [Conventional Commits](https://www.conventionalcommits.org/) specification for commit messages. This provides a standardized format that makes the commit history more readable and enables automated tools to generate changelogs.
Continuwuity follows the [Conventional Commits][conventional-commits] specification for commit messages. This provides a standardized format that makes the commit history more readable and enables automated tools to generate changelogs.
The basic structure is:
@@ -168,6 +170,7 @@ ### Creating pull requests
their contributions accepted. This includes users who have been banned from
continuwuity Matrix rooms for Code of Conduct violations.
[conventional-commits]: https://www.conventionalcommits.org/
[issues]: https://forgejo.ellis.link/continuwuation/continuwuity/issues
[continuwuity-matrix]: https://matrix.to/#/#continuwuity:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org
[complement]: https://github.com/matrix-org/complement/
@@ -175,3 +178,32 @@ ### Creating pull requests
[nodejs-download]: https://nodejs.org/en/download
[rspress]: https://rspress.rs/
[documentation.yml]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/.forgejo/workflows/documentation.yml
#### Writing news fragments
In order to make writing our changelogs easier, we make use of [Towncrier]. Towncrier builds changelogs based on
"news fragments", which are little markdown files in the `changelog.d/` directory that describe individual changes.
When you make a pull request that changes functionality, fixes a bug, or adds documentation, please add a news fragment
describing your change. The file name *MUST* be in the format of `{pull_request_number}.{type}`, where `{type}` is one
of the following:
- `feature` - for new features
- `bugfix` - for bug fixes
- `doc` - for documentation changes
- `misc` - for other changes that don't fit the above categories
For example:
```bash
$ echo "Fixed the quantum flux stabiliser. Contributed by @alice." > changelog.d/42.bugfix
```
(Note: If you want to credit yourself, you should reference your forgejo handle, however links to other platforms are also acceptable.)
When the next release is made, Towncrier will automatically include your news fragment in the changelog.
You can read more about writing news fragments in the [Towncrier tutorial][tt].
[Towncrier]: https://towncrier.readthedocs.io/
[tt]: https://towncrier.readthedocs.io/en/stable/tutorial.html#creating-news-fragments

640
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

54
Cargo.toml
View File

@@ -12,7 +12,7 @@ license = "Apache-2.0"
# See also `rust-toolchain.toml`
readme = "README.md"
repository = "https://forgejo.ellis.link/continuwuation/continuwuity"
version = "0.5.6"
version = "0.5.7-alpha.1"
[workspace.metadata.crane]
name = "conduwuit"
@@ -99,7 +99,7 @@ features = [
[workspace.dependencies.axum-extra]
version = "0.12.0"
default-features = false
features = ["typed-header", "tracing"]
features = ["typed-header", "tracing", "cookie"]
[workspace.dependencies.axum-server]
version = "0.7.2"
@@ -159,7 +159,7 @@ features = ["raw_value"]
# Used for appservice registration files
[workspace.dependencies.serde-saphyr]
version = "0.0.19"
version = "0.0.21"
# Used to load forbidden room/user regex from config
[workspace.dependencies.serde_regex]
@@ -278,7 +278,7 @@ features = [
]
[workspace.dependencies.hyper-util]
version = "=0.1.17"
version = "=0.1.20"
default-features = false
features = [
"server-auto",
@@ -332,7 +332,7 @@ version = "0.4.0"
# used for MPMC channels
[workspace.dependencies.async-channel]
version = "2.3.1"
version = "2.5.0"
[workspace.dependencies.async-trait]
version = "0.1.88"
@@ -344,7 +344,7 @@ version = "0.1.2"
[workspace.dependencies.ruma]
git = "https://forgejo.ellis.link/continuwuation/ruwuma"
#branch = "conduwuit-changes"
rev = "bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
rev = "a97b91adcc012ef04991d823b8b5a79c6686ae48"
features = [
"compat",
"rand",
@@ -388,7 +388,7 @@ features = [
[workspace.dependencies.rust-rocksdb]
git = "https://forgejo.ellis.link/continuwuation/rust-rocksdb-zaidoon1"
rev = "61d9d23872197e9ace4a477f2617d5c9f50ecb23"
rev = "31fb8f772c7afcdc0061ab6a40cfa3a1be2fccd9"
default-features = false
features = [
"multi-threaded-cf",
@@ -451,7 +451,7 @@ version = "0.46.0"
# jemalloc usage
[workspace.dependencies.tikv-jemalloc-sys]
git = "https://forgejo.ellis.link/continuwuation/jemallocator"
rev = "82af58d6a13ddd5dcdc7d4e91eae3b63292995b8"
rev = "df86ff89d4b1e223b9f7d2dd2fbb7f202da7f554"
default-features = false
features = [
"background_threads_runtime_support",
@@ -459,7 +459,7 @@ features = [
]
[workspace.dependencies.tikv-jemallocator]
git = "https://forgejo.ellis.link/continuwuation/jemallocator"
rev = "82af58d6a13ddd5dcdc7d4e91eae3b63292995b8"
rev = "df86ff89d4b1e223b9f7d2dd2fbb7f202da7f554"
default-features = false
features = [
"background_threads_runtime_support",
@@ -467,7 +467,7 @@ features = [
]
[workspace.dependencies.tikv-jemalloc-ctl]
git = "https://forgejo.ellis.link/continuwuation/jemallocator"
rev = "82af58d6a13ddd5dcdc7d4e91eae3b63292995b8"
rev = "df86ff89d4b1e223b9f7d2dd2fbb7f202da7f554"
default-features = false
features = ["use_std"]
@@ -493,7 +493,7 @@ features = [
]
[workspace.dependencies.rustyline-async]
version = "0.4.3"
version = "0.4.9"
default-features = false
[workspace.dependencies.termimad]
@@ -526,7 +526,7 @@ version = "0.4.13"
version = "2.0"
[workspace.dependencies.core_affinity]
version = "0.8.1"
version = "0.8.3"
[workspace.dependencies.libc]
version = "0.2"
@@ -550,15 +550,25 @@ version = "0.12.0"
default-features = false
features = ["sync", "tls-rustls", "rustls-provider"]
[workspace.dependencies.resolv-conf]
version = "0.7.5"
[workspace.dependencies.yansi]
version = "1.0.1"
[workspace.dependencies.askama]
version = "0.15.0"
[workspace.dependencies.lettre]
version = "0.11.19"
default-features = false
features = ["smtp-transport", "pool", "hostname", "builder", "rustls", "aws-lc-rs", "rustls-native-certs", "tokio1", "tokio1-rustls", "tracing", "serde"]
[workspace.dependencies.governor]
version = "0.10.4"
default-features = false
features = ["std"]
[workspace.dependencies.nonzero_ext]
version = "0.3.0"
#
# Patches
#
@@ -571,25 +581,25 @@ version = "0.15.0"
# adds event for CTRL+\: https://forgejo.ellis.link/continuwuation/rustyline-async/src/branch/main/.patchy/0001-add-event-for-ctrl.patch
[patch.crates-io.rustyline-async]
git = "https://forgejo.ellis.link/continuwuation/rustyline-async"
rev = "e9f01cf8c6605483cb80b3b0309b400940493d7f"
rev = "b13aca2cc08d5f78303746cd192d9a03d73e768e"
# adds LIFO queue scheduling; this should be updated with PR progress.
[patch.crates-io.event-listener]
git = "https://forgejo.ellis.link/continuwuation/event-listener"
rev = "fe4aebeeaae435af60087ddd56b573a2e0be671d"
rev = "b2c19bcaf5a0a69c38c034e417bda04a9b991529"
[patch.crates-io.async-channel]
git = "https://forgejo.ellis.link/continuwuation/async-channel"
rev = "92e5e74063bf2a3b10414bcc8a0d68b235644280"
rev = "e990f0006b68dc9bace7a3c95fc90b5c4e44948d"
# adds affinity masks for selecting more than one core at a time
[patch.crates-io.core_affinity]
git = "https://forgejo.ellis.link/continuwuation/core_affinity_rs"
rev = "9c8e51510c35077df888ee72a36b4b05637147da"
rev = "7c7a9dea35382743a63837cdd1d977efdb8f1b8a"
# reverts hyperium#148 conflicting with our delicate federation resolver hooks
[patch.crates-io.hyper-util]
git = "https://forgejo.ellis.link/continuwuation/hyper-util"
rev = "5886d5292bf704c246206ad72d010d674a7b77d0"
rev = "09fcd3bf4656c81a8ad573bee410ab2b57f60b86"
#
# Our crates
@@ -919,7 +929,6 @@ fn_to_numeric_cast_any = "warn"
format_push_string = "warn"
get_unwrap = "warn"
impl_trait_in_params = "warn"
let_underscore_untyped = "warn"
lossy_float_literal = "warn"
mem_forget = "warn"
missing_assert_message = "warn"
@@ -969,3 +978,6 @@ needless_raw_string_hashes = "allow"
# TODO: Enable this lint & fix all instances
collapsible_if = "allow"
# TODO: break these apart
cognitive_complexity = "allow"

3
LICENSE
View File

@@ -1,4 +1,3 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
@@ -187,7 +186,7 @@
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright 2023 June
Copyright 2023 Continuwuity Team and contributors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.

23
book.toml
View File

@@ -1,23 +0,0 @@
[book]
title = "continuwuity"
description = "continuwuity is a community continuation of the conduwuit Matrix homeserver, written in Rust."
language = "en"
authors = ["The continuwuity Community"]
text-direction = "ltr"
src = "docs"
[build]
build-dir = "public"
create-missing = true
extra-watch-dirs = ["debian", "docs"]
[rust]
edition = "2024"
[output.html]
edit-url-template = "https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/{path}"
git-repository-url = "https://forgejo.ellis.link/continuwuation/continuwuity"
git-repository-icon = "fa-git-alt"
[output.html.search]
limit-results = 15

1
changelog.d/+1770db35.feature.md Normal file
View File

@@ -0,0 +1 @@
Added support for associating email addresses with accounts, requiring email addresses for registration, and resetting passwords via email. Contributed by @ginger

1
changelog.d/+6368729a.feature.md Normal file
View File

@@ -0,0 +1 @@
Added support for using an admin command to issue self-service password reset links.

1
changelog.d/+alias-enumeration-delete.bugfix.md Normal file
View File

@@ -0,0 +1 @@
Fixed room alias deletion so removing one local alias no longer removes other aliases from room alias listings.

1
changelog.d/1429.doc Normal file
View File

@@ -0,0 +1 @@
Added Testing and Troubleshooting instructions for Livekit documentation. Contributed by @stratself.

1
changelog.d/1527.feature.md Normal file
View File

@@ -0,0 +1 @@
Add new config option to allow or disallow search engine indexing through a `<meta ../>` tag. Defaults to blocking indexing (`content="noindex"`). Contributed by @s1lv3r and @ginger.

1
changelog.d/1542.bugfix.md Normal file
View File

@@ -0,0 +1 @@
Stripped `join_authorised_via_users_server` from json if user is already in room (@partha:cxy.run)

1
changelog.d/1572.bugfix Normal file
View File

@@ -0,0 +1 @@
Fixed internal server errors for fetching thumbnails. Contributed by @PerformativeJade

56
conduwuit-example.toml
View File

@@ -25,6 +25,10 @@
#
# Also see the `[global.well_known]` config section at the very bottom.
#
# If `client` is not set under `[global.well_known]`, the server name will
# be used as the base domain for user-facing links (such as password
# reset links) created by Continuwuity.
#
# Examples of delegation:
# - https://continuwuity.org/.well-known/matrix/server
# - https://continuwuity.org/.well-known/matrix/client
@@ -91,6 +95,10 @@
# engine API. To use this, set a database backup path that continuwuity
# can write to.
#
# If you are using systemd, you will need to add the path to
# ReadWritePaths in the service file, preferably via a drop-in file
# through `systemctl edit`.
#
# For more information, see:
# https://continuwuity.org/maintenance.html#backups
#
@@ -1505,6 +1513,11 @@
#
#url_preview_user_agent = "continuwuity/<version> (bot; +https://continuwuity.org)"
# Determines whether audio and video files will be downloaded for URL
# previews.
#
#url_preview_allow_audio_video = false
# List of forbidden room aliases and room IDs as strings of regex
# patterns.
#
@@ -1790,6 +1803,11 @@
#
#config_reload_signal = true
# Allow search engines and crawlers to index Continuwuity's built-in
# webpages served under the `/_continuwuity/` prefix.
#
#allow_web_indexing = false
[global.tls]
# Path to a valid TLS certificate file.
@@ -2023,3 +2041,41 @@
# web->synapseHTTPAntispam->authorization
#
#secret =
#[global.smtp]
# A `smtp://`` URI which will be used to connect to a mail server.
# Uncommenting the [global.smtp] group and setting this option enables
# features which depend on the ability to send email,
# such as self-service password resets.
#
# For most modern mail servers, format the URI like this:
# `smtps://username:password@hostname:port`
# Note that you will need to URL-encode the username and password. If your
# username _is_ your email address, you will need to replace the `@` with
# `%40`.
#
# For a guide on the accepted URI syntax, consult Lettre's documentation:
# https://docs.rs/lettre/latest/lettre/transport/smtp/struct.AsyncSmtpTransport.html#method.from_url
#
#connection_uri =
# The outgoing address which will be used for sending emails.
#
# For a syntax guide, see https://datatracker.ietf.org/doc/html/rfc2822#section-3.4
#
# ...or if you don't want to read the RFC, for some reason:
# - `Name <address@domain.org>` to specify a sender name
# - `address@domain.org` to not use a name
#
#sender =
# Whether to require that users provide an email address when they
# register.
#
#require_email_for_registration = false
# Whether to require that users who register with a registration token
# provide an email address.
#
#require_email_for_token_registration = false

4
docker/Dockerfile
View File

@@ -10,7 +10,7 @@ RUN rm -f /etc/apt/apt.conf.d/docker-clean
# Match Rustc version as close as possible
# rustc -vV
ARG LLVM_VERSION=20
ARG LLVM_VERSION=21
# ENV RUSTUP_TOOLCHAIN=${RUST_VERSION}
# Install repo tools
@@ -48,7 +48,7 @@ EOF
# Developer tool versions
# renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
ENV BINSTALL_VERSION=1.17.7
ENV BINSTALL_VERSION=1.17.8
# renovate: datasource=github-releases depName=psastras/sbom-rs
ENV CARGO_SBOM_VERSION=0.9.1
# renovate: datasource=crate depName=lddtree

2
docker/musl.Dockerfile
View File

@@ -18,7 +18,7 @@ RUN --mount=type=cache,target=/etc/apk/cache apk add \
# Developer tool versions
# renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
ENV BINSTALL_VERSION=1.17.7
ENV BINSTALL_VERSION=1.17.8
# renovate: datasource=github-releases depName=psastras/sbom-rs
ENV CARGO_SBOM_VERSION=0.9.1
# renovate: datasource=crate depName=lddtree

3
docs/advanced/delegation.mdx
View File

@@ -109,9 +109,6 @@ ## Serving with a reverse proxy
{
"m.homeserver": {
"base_url": "https://matrix.example.com/"
},
"org.matrix.msc3575.proxy": {
"url": "https://matrix.example.com/"
}
}
```

2
docs/calls.mdx
View File

@@ -10,4 +10,4 @@ # Calls
For either one to work correctly, you have to do some additional setup.
- For legacy calls to work, you need to set up a TURN/STUN server. [Read the TURN guide for tips on how to set up coturn](./calls/turn.mdx)
- For MatrixRTC / Element Call to work, you have to set up the LiveKit backend (foci). LiveKit also uses TURN/STUN to increase reliability, so you might want to configure your TURN server first. [Read the LiveKit guide](./calls/livekit.mdx)
- For MatrixRTC / Element Call to work, you have to set up the LiveKit backend (foci). LiveKit also uses TURN/STUN to increase reliability - you can set up its built-in TURN server, or integrate with an existing one. [Read the LiveKit guide](./calls/livekit.mdx)

247
docs/calls/livekit.mdx
View File

@@ -4,6 +4,10 @@ # Matrix RTC/Element Call Setup
This guide assumes that you are using docker compose for deployment. LiveKit only provides Docker images.
:::
:::tip
You can find help setting up MatrixRTC in our dedicated room - [#matrixrtc:continuwuity.org](https://matrix.to/#/%23matrixrtc%3Acontinuwuity.org)
:::
## Instructions
### 1. Domain
@@ -14,17 +18,21 @@ ### 1. Domain
### 2. Services
Using LiveKit with Matrix requires two services - Livekit itself, and a service (`lk-jwt-service`) that grants Matrix users permission to connect to it.
Using LiveKit with Matrix requires two services - LiveKit itself, and a service (`lk-jwt-service`) that grants Matrix users permission to connect to it.
You must generate a key and secret to allow the Matrix service to authenticate with LiveKit. `LK_MATRIX_KEY` should be around 20 random characters, and `LK_MATRIX_SECRET` should be around 64. Remember to replace these with the actual values!
:::tip Generating the secrets
LiveKit provides a utility to generate secure random keys
```bash
docker run --rm livekit/livekit-server:latest generate-keys
~$ docker run --rm livekit/livekit-server:latest generate-keys
API Key: APIUxUnMnSkuFWV
API Secret: t93ZVjPeoEdyx7Wbet3kG4L3NGZIZVEFvqe0UuiVc22A
```
:::
Create a `docker-compose.yml` file as following:
```yaml
services:
lk-jwt-service:
@@ -32,10 +40,11 @@ ### 2. Services
container_name: lk-jwt-service
environment:
- LIVEKIT_JWT_BIND=:8081
- LIVEKIT_URL=wss://livekit.example.com
- LIVEKIT_KEY=LK_MATRIX_KEY
- LIVEKIT_SECRET=LK_MATRIX_SECRET
- LIVEKIT_FULL_ACCESS_HOMESERVERS=example.com
- LIVEKIT_URL=wss://livekit.example.com # your LiveKit domain
- LIVEKIT_FULL_ACCESS_HOMESERVERS=example.com # your server_name
# Replace these with the generated values as above
- LIVEKIT_KEY=LK_MATRIX_KEY # APIUxUnMnSkuFWV
- LIVEKIT_SECRET=LK_MATRIX_SECRET # t93ZVjPeoEdyx7Wbet3kG4L3NGZIZVEFvqe0UuiVc22A
restart: unless-stopped
ports:
- "8081:8081"
@@ -70,6 +79,8 @@ # - "50100-50200:50100-50200/udp"
enable_loopback_candidate: false
keys:
LK_MATRIX_KEY: LK_MATRIX_SECRET
# replace these with your key-secret pair. Example:
# APIUxUnMnSkuFWV: t93ZVjPeoEdyx7Wbet3kG4L3NGZIZVEFvqe0UuiVc22A
```
#### Firewall hints
@@ -95,7 +106,7 @@ ### 4. Configure your Reverse Proxy
Reverse proxies can be configured in many different ways - so we can't provide a step by step for this.
By default, all routes should be forwarded to Livekit with the exception of the following path prefixes, which should be forwarded to the JWT/Authentication service:
All paths should be forwarded to LiveKit by default, with the exception of the following path prefixes, which should be forwarded to the JWT/Authentication service:
- `/sfu/get`
- `/healthz`
@@ -104,7 +115,7 @@ ### 4. Configure your Reverse Proxy
<details>
<summary>Example caddy config</summary>
```
matrix-rtc.example.com {
livekit.example.com {
# for lk-jwt-service
@lk-jwt-service path /sfu/get* /healthz* /get_token*
@@ -122,7 +133,7 @@ ### 4. Configure your Reverse Proxy
<summary>Example nginx config</summary>
```
server {
server_name matrix-rtc.example.com;
server_name livekit.example.com;
# for lk-jwt-service
location ~ ^/(sfu/get|healthz|get_token) {
@@ -133,7 +144,7 @@ ### 4. Configure your Reverse Proxy
proxy_buffering off;
}
# for livekit
# for LiveKit
location / {
proxy_pass http://127.0.0.1:7880$request_uri;
proxy_set_header X-Forwarded-For $remote_addr;
@@ -173,44 +184,11 @@ ### 6. Start Everything
Start up the services using your usual method - for example `docker compose up -d`.
## Additional Configuration
## Additional TURN configuration
### TURN Integration
### Using LiveKit's built-in TURN server
If you've already set up coturn, there may be a port clash between the two services. To fix this, make sure the `min-port` and `max-port` for coturn so it doesn't overlap with LiveKit's range:
```ini
min-port=50201
max-port=65535
```
To improve LiveKit's reliability, you can configure it to use your coturn server.
Generate a long random secret for LiveKit, and add it to your coturn config under the `static-auth-secret` option. You can add as many secrets as you want - so set a different one for each thing using your TURN server.
Then configure livekit, making sure to replace `COTURN_SECRET`:
```yaml
# livekit.yaml
rtc:
turn_servers:
- host: coturn.ellis.link
port: 3478
protocol: tcp
secret: "COTURN_SECRET"
- host: coturn.ellis.link
port: 5349
protocol: tls # Only if you've set up TLS in your coturn
secret: "COTURN_SECRET"
- host: coturn.ellis.link
port: 3478
protocol: udp
secret: "COTURN_SECRET"
```
## LiveKit's built in TURN server
Livekit includes a built in TURN server which can be used in place of an external option. This TURN server will only work with Livekit, so you can't use it for legacy Matrix calling - or anything else.
LiveKit includes a built-in TURN server which can be used in place of an external option. This TURN server will only work with LiveKit, so you can't use it for legacy Matrix calling or anything else.
If you don't want to set up a separate TURN server, you can enable this with the following changes:
@@ -221,20 +199,175 @@ ### add this to livekit.yaml ###
udp_port: 3478
relay_range_start: 50300
relay_range_end: 50400
domain: matrix-rtc.example.com
domain: livekit.example.com
```
```yaml
### Add these to docker-compose ###
- "3478:3478/udp"
- "50300-50400:50300-50400/udp"
### add these to livekit's docker-compose ###
ports:
- "3478:3478/udp"
- "50300-50400:50300-50400/udp"
### if you're using `network_mode: host`, you can skip this part
```
### Related Documentation
Recreate the LiveKit container (with `docker-compose up -d livekit`) to apply these changes. Remember to allow the new `3478/udp` and `50100:50200/udp` ports through your firewall.
- [LiveKit GitHub](https://github.com/livekit/livekit)
- [LiveKit Connection Tester](https://livekit.io/connection-test) - use with the token returned by `/sfu/get` or `/get_token`
- [MatrixRTC proposal](https://half-shot.github.io/msc-crafter/#msc/4143)
- [Synapse documentation](https://github.com/element-hq/element-call/blob/livekit/docs/self-hosting.md)
- [Community guide](https://tomfos.tr/matrix/livekit/)
- [Community guide](https://blog.kimiblock.top/2024/12/24/hosting-element-call/)
### Integration with an external TURN server
If you've already [set up coturn](./turn), you can configure Livekit to use it.
:::tip Avoid port clashes between the two services
Before continuing, make sure coturn's `min-port` and `max-port` do not overlap with LiveKit's port range:
```ini
# in your coturn.conf
min-port=50201
max-port=65535
```
:::
Generate a long random secret for LiveKit, and add it to your coturn config under the `static-auth-secret` option. You can add as many secrets as you want, so set a different one for LiveKit to use.
Then configure LiveKit, making sure to replace `COTURN_SECRET` with the one you generated:
```yaml
# livekit.yaml
rtc:
turn_servers:
- host: coturn.example.com
port: 3478
protocol: udp
secret: "COTURN_SECRET"
- host: coturn.example.com
port: 3478
protocol: tcp
secret: "COTURN_SECRET"
- host: coturn.example.com
port: 5349
protocol: tls # Only if you have already set up TLS in your coturn
secret: "COTURN_SECRET"
```
Restart LiveKit and coturn to apply these changes.
## Testing
To test that LiveKit is successfully integrated with Continuwuity, you will need to replicate its [Token Exchange Flow](https://github.com/element-hq/lk-jwt-service#%EF%B8%8F-how-it-works--token-exchange-flow).
First, you will need an access token for your current login session. These can be found in your client's settings or obtained via [this website](https://timedout.uk/mxtoken.html).
Then, using that token, request another OpenID token for use with the lk-jwt-service:
```bash
~$ curl -X POST -H "Authorization: Bearer <session-access-token>" \
https://matrix.example.com/_matrix/client/v3/user/@user:example.com/openid/request_token
{"access_token":"<openid_access_token>","token_type":"Bearer","matrix_server_name":"example.com","expires_in":3600}
```
Next, create a `payload.json` file with the following content:
<details>
<summary>`payload.json`</summary>
```json
{
"room_id": "abc",
"slot_id": "xyz",
"openid_token": {
"matrix_server_name": "example.com",
"access_token": "<openid_access_token>",
"token_type": "Bearer"
},
"member": {
"id": "xyz",
"claimed_device_id": "DEVICEID",
"claimed_user_id": "@user:example.com"
}
}
```
Replace `matrix_server_name` and `claimed_user_id` with your information, and `<openid_access_token>` with the one you got from the previous step. Other values can be left as-is.
</details>
You can then send this payload to the lk-jwt-service:
```bash
~$ curl -X POST -d @payload.json https://livekit.example.com/get_token
{"url":"wss://livekit.example.com","jwt":"a_really_really_long_string"}
```
The lk-jwt-service will, after checking against Continuwuity, answer with a `jwt` token to create a LiveKit media room. Use this token to test at the [LiveKit Connection Tester](https://livekit.io/connection-test). If everything works there, then you have set up LiveKit successfully!
## Troubleshooting
To debug any issues, you can place a call or redo the Testing instructions, and check the container logs for any specific errors. Use `docker-compose logs --follow` to follow them in real-time.
### Common errors in Element Call UI
- `MISSING_MATRIX_RTC_FOCUS`: LiveKit is missing from Continuwuity's config file
- "Waiting for media" popup always showing: a LiveKit URL has been configured in Continuwuity, but your client cannot connect to it for some reason
### Docker loopback networking issues
Some distros do not allow Docker containers to connect to its host's public IP by default. This would cause `lk-jwt-service` to fail connecting to `livekit` or `continuwuity` on the same host. As a result, you would see connection refused/connection timeouts log entries in the JWT service, even when `LIVEKIT_URL` has been configured correctly.
To alleviate this, you can try one of the following workarounds:
- Use `network_mode: host` for the `lk-jwt-service` container (instead of the default bridge networking).
- Add an `extra_hosts` file mapping livekit's (and continuwuity's) domain name to a localhost address:
```diff
# in docker-compose.yaml
services:
lk-jwt-service:
...
+ extra_hosts:
+ - "livekit.example.com:127.0.0.1"
+ - "matrix.example.com:127.0.0.1"
```
- (**untested, use at your own risk**) Implement an iptables workaround as shown [here](https://forums.docker.com/t/unable-to-connect-to-host-service-from-inside-docker-container/145749/6).
After implementing the changes and restarting your compose, you can test whether the connection works by cURLing from a sidecar container:
```bash
~$ docker run --rm --net container:lk-jwt-service docker.io/curlimages/curl https://livekit.example.com
OK
```
### Workaround for non-federating servers
When deploying on servers with federation disabled (`allow_federation = false`), LiveKit will fail as it can't fetch the required [OpenID endpoint](https://spec.matrix.org/v1.17/server-server-api/#get_matrixfederationv1openiduserinfo) via federation paths.
As a workaround, you can enable federation, but forbid all remote servers via the following config parameters:
```toml
### in your continuwuity.toml file ###
allow_federation = true
forbidden_remote_server_names = [".*"]
```
Subscribe to issue [!1440](https://forgejo.ellis.link/continuwuation/continuwuity/issues/1440) for future updates on this matter.
## Related Documentation
Guides:
- [Element Call self-hosting documentation](https://github.com/element-hq/element-call/blob/livekit/docs/self-hosting.md)
- [Community guide with overview of LiveKit's mechanisms](https://tomfos.tr/matrix/livekit/)
- [Community guide using systemd](https://blog.kimiblock.top/2024/12/24/hosting-element-call/)
Specifications:
- [MatrixRTC proposal](https://github.com/matrix-org/matrix-spec-proposals/pull/4143)
- [LiveKit proposal](https://github.com/matrix-org/matrix-spec-proposals/pull/4195)
Source code:
- [Element Call](https://github.com/element-hq/element-call)
- [lk-jwt-service](https://github.com/element-hq/lk-jwt-service)
- [LiveKit server](https://github.com/livekit/livekit)

58
docs/community/guidelines.mdx
View File

@@ -1,17 +1,12 @@
# Continuwuity Community Guidelines
Welcome to the Continuwuity commuwunity! We're excited to have you here. Continuwuity is a
continuation of the conduwuit homeserver, which in turn is a hard-fork of the Conduit homeserver,
aimed at making Matrix more accessible and inclusive for everyone.
Welcome to the Continuwuity commuwunity! We're excited to have you here.
This space is dedicated to fostering a positive, supportive, and welcoming environment for everyone.
These guidelines apply to all Continuwuity spaces, including our Matrix rooms and any other
community channels that reference them. We've written these guidelines to help us all create an
environment where everyone feels safe and respected.
Our project aims to make Matrix more accessible and inclusive for everyone. To that end, we are dedicated to fostering a positive, supportive, safe and welcoming environment for our community.
For code and contribution guidelines, please refer to the
[Contributor's Covenant](https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CODE_OF_CONDUCT.md).
Below are additional guidelines specific to the Continuwuity community.
These guidelines apply to all Continuwuity spaces, including our Matrix rooms and code forge.
Our community spaces are intended for individuals aged 16 or over, because we expect maturity and respect from our community members.
## Our Values and Expected Behaviors
@@ -29,17 +24,21 @@ ## Our Values and Expected Behaviors
3. **Communicate Clearly and Kindly**: Our community includes neurodivergent individuals and those
who may not appreciate sarcasm or subtlety. Communicate clearly and kindly. Avoid ambiguity and
ensure your messages can be easily understood by all. Avoid placing the burden of education on
ensure your messages can be easily understood by all.
4. **Be Considerate and Proactive**: Not everyone has the same time, resource and experience to spare.
Don't expect others to give up their time and labour for you; be thankful for what you have already been given.
Avoid placing the burden of education on
marginalized groups; please make an effort to look into your questions before asking others for
detailed explanations.
4. **Be Open to Improving Inclusivity**: Actively participate in making our community more inclusive.
5. **Be Engaged and Open-Minded**: Actively participate in making our community more inclusive.
Report behaviour that contradicts these guidelines (see Reporting and Enforcement below) and be
open to constructive feedback aimed at improving our community. Understand that discussing
negative experiences can be emotionally taxing; focus on the message, not the tone.
5. **Commit to Our Values**: Building an inclusive community requires ongoing effort from everyone.
Recognise that addressing bias and discrimination is a continuous process that needs commitment
6. **Commit to Our Values**: Building an inclusive community requires ongoing effort from everyone.
Recognise that creating a welcoming and open community is a continuous process that needs commitment
and action from all members.
## Unacceptable Behaviors
@@ -72,36 +71,6 @@ ## Unacceptable Behaviors
This is not an exhaustive list. Any behaviour that makes others feel unsafe or unwelcome may be
subject to enforcement action.
## Matrix Community
These Community Guidelines apply to the entire
[Continuwuity Matrix Space](https://matrix.to/#/#space:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org) and its rooms, including:
### [#continuwuity:continuwuity.org](https://matrix.to/#/#continuwuity:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org)
This room is for support and discussions about Continuwuity. Ask questions, share insights, and help
each other out while adhering to these guidelines.
We ask that this room remain focused on the Continuwuity software specifically: the team are
typically happy to engage in conversations about related subjects in the off-topic room.
### [#offtopic:continuwuity.org](https://matrix.to/#/#offtopic:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org)
For off-topic community conversations about any subject. While this room allows for a wide range of
topics, the same guidelines apply. Please keep discussions respectful and inclusive, and avoid
divisive or stressful subjects like specific country/world politics unless handled with exceptional
care and respect for diverse viewpoints.
General topics, such as world events, are welcome as long as they follow the guidelines. If a member
of the team asks for the conversation to end, please respect their decision.
### [#dev:continuwuity.org](https://matrix.to/#/#dev:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org)
This room is dedicated to discussing active development of Continuwuity, including ongoing issues or
code development. Collaboration here must follow these guidelines, and please consider raising
[an issue](https://forgejo.ellis.link/continuwuation/continuwuity/issues) on the repository to help
track progress.
## Reporting and Enforcement
We take these Community Guidelines seriously to protect our community members. If you witness or
@@ -114,6 +83,7 @@ ## Reporting and Enforcement
will immediately alert all available moderators.
* **Direct Message:** If you're not comfortable raising the issue publicly, please send a direct
message (DM) to one of the room moderators.
* **Email**: Please email Jade and/or Nex at `jade@continuwuity.org` and `nex@continuwuity.org` respectively, or email `team@continuwuity.org`.
Reports will be handled with discretion. We will investigate promptly and thoroughly.

1
docs/contributing.mdx
View File

@@ -1 +0,0 @@
../CONTRIBUTING.md

1
docs/deploying/docker-compose.for-traefik.yml
View File

@@ -6,6 +6,7 @@ services:
### then you are ready to go.
image: forgejo.ellis.link/continuwuation/continuwuity:latest
restart: unless-stopped
command: /sbin/conduwuit
volumes:
- db:/var/lib/continuwuity
#- ./continuwuity.toml:/etc/continuwuity.toml

1
docs/deploying/docker-compose.with-caddy.yml
View File

@@ -23,6 +23,7 @@ services:
### then you are ready to go.
image: forgejo.ellis.link/continuwuation/continuwuity:latest
restart: unless-stopped
command: /sbin/conduwuit
volumes:
- db:/var/lib/continuwuity
- /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.

1
docs/deploying/docker-compose.with-traefik.yml
View File

@@ -6,6 +6,7 @@ services:
### then you are ready to go.
image: forgejo.ellis.link/continuwuation/continuwuity:latest
restart: unless-stopped
command: /sbin/conduwuit
volumes:
- db:/var/lib/continuwuity
- /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.

1
docs/deploying/docker-compose.yml
View File

@@ -6,6 +6,7 @@ services:
### then you are ready to go.
image: forgejo.ellis.link/continuwuation/continuwuity:latest
restart: unless-stopped
command: /sbin/conduwuit
ports:
- 8448:6167
volumes:

4
docs/deploying/docker.mdx
View File

@@ -78,7 +78,7 @@ #### 2. Start the server with initial admin user
-e CONTINUWUITY_ALLOW_REGISTRATION="false" \
--name continuwuity \
forgejo.ellis.link/continuwuation/continuwuity:latest \
--execute "users create-user admin"
/sbin/conduwuit --execute "users create-user admin"
```
Replace `matrix.example.com` with your actual server name and `admin` with
@@ -141,7 +141,7 @@ #### Creating Your First Admin User
services:
continuwuity:
image: forgejo.ellis.link/continuwuation/continuwuity:latest
command: --execute "users create-user admin"
command: /sbin/conduwuit --execute "users create-user admin"
# ... rest of configuration
```

6
docs/deploying/freebsd.mdx
View File

@@ -1,7 +1,7 @@
# Continuwuity for FreeBSD
Continuwuity currently does not provide FreeBSD builds or FreeBSD packaging. However, Continuwuity does build and work on FreeBSD using the system-provided RocksDB.
Continuwuity doesn't provide official FreeBSD packages; however, a community-maintained set of packages is available on [Forgejo](https://forgejo.ellis.link/katie/continuwuity-bsd). Note that these are provided as standalone packages and are not part of a FreeBSD package repository (yet), so updates need to be downloaded and installed manually.
Contributions to get Continuwuity packaged for FreeBSD are welcome.
Please see the installation instructions in that repository. Direct any questions to its issue tracker or to [@katie:kat5.dev](https://matrix.to/#/@katie:kat5.dev).
Please join our [Continuwuity BSD](https://matrix.to/#/%23bsd:continuwuity.org) community room.
For general BSD support, please join our [Continuwuity BSD](https://matrix.to/#/%23bsd:continuwuity.org) community room.

1
docs/deploying/kubernetes.mdx
View File

@@ -39,6 +39,7 @@ # Continuwuity for Kubernetes
- name: continuwuity
# use a sha hash <3
image: forgejo.ellis.link/continuwuation/continuwuity:latest
command: ["/sbin/conduwuit"]
imagePullPolicy: IfNotPresent
ports:
- name: http

203
docs/development/contributing.mdx
View File

@@ -1,203 +0,0 @@
# Contributing guide
This page is about contributing to Continuwuity. The
[development](./index.mdx) and [code style guide](./code_style.mdx) pages may be of interest for you as well.
If you would like to work on an [issue][issues] that is not assigned, preferably
ask in the Matrix room first at [#continuwuity:continuwuity.org][continuwuity-matrix],
and comment on it.
### Code Style
Please review and follow the [code style guide](./code_style) for formatting, linting, naming conventions, and other code standards.
### Pre-commit Checks
Continuwuity uses pre-commit hooks to enforce various coding standards and catch common issues before they're committed. These checks include:
- Code formatting and linting
- Typo detection (both in code and commit messages)
- Checking for large files
- Ensuring proper line endings and no trailing whitespace
- Validating YAML, JSON, and TOML files
- Checking for merge conflicts
You can run these checks locally by installing [prefligit](https://github.com/j178/prefligit):
```bash
# Requires UV: https://docs.astral.sh/uv/getting-started/installation/
# Mac/linux: curl -LsSf https://astral.sh/uv/install.sh | sh
# Windows: powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex"
# Install prefligit using cargo-binstall
cargo binstall prefligit
# Install git hooks to run checks automatically
prefligit install
# Run all checks
prefligit --all-files
```
Alternatively, you can use [pre-commit](https://pre-commit.com/):
```bash
# Requires python
# Install pre-commit
pip install pre-commit
# Install the hooks
pre-commit install
# Run all checks manually
pre-commit run --all-files
```
These same checks are run in CI via the prefligit-checks workflow to ensure consistency. These must pass before the PR is merged.
### Running tests locally
Tests, compilation, and linting can be run with standard Cargo commands:
```bash
# Run tests
cargo test
# Check compilation
cargo check --workspace --features full
# Run lints
cargo clippy --workspace --features full
# Auto-fix: cargo clippy --workspace --features full --fix --allow-staged;
# Format code (must use nightly)
cargo +nightly fmt
```
### Matrix tests
Continuwuity uses [Complement][complement] for Matrix protocol compliance testing. Complement tests are run manually by developers, and documentation on how to run these tests locally is currently being developed.
If your changes are done to fix Matrix tests, please note that in your pull request. If more Complement tests start failing from your changes, please review the logs and determine if they're intended or not.
[Sytest][sytest] is currently unsupported.
### Writing documentation
Continuwuity's website uses [`mdbook`][mdbook] and is deployed via CI using Cloudflare Pages
in the [`documentation.yml`][documentation.yml] workflow file. All documentation is in the `docs/`
directory at the top level.
To build the documentation locally:
1. Install mdbook if you don't have it already:
```bash
cargo install mdbook # or cargo binstall, or another method
```
2. Build the documentation:
```bash
mdbook build
```
The output of the mdbook generation is in `public/`. You can open the HTML files directly in your browser without needing a web server.
### Commit Messages
Continuwuity follows the [Conventional Commits](https://www.conventionalcommits.org/) specification for commit messages. This provides a standardized format that makes the commit history more readable and enables automated tools to generate changelogs.
The basic structure is:
```
<type>[(optional scope)]: <description>
[optional body]
[optional footer(s)]
```
The allowed types for commits are:
- `fix`: Bug fixes
- `feat`: New features
- `docs`: Documentation changes
- `style`: Changes that don't affect the meaning of the code (formatting, etc.)
- `refactor`: Code changes that neither fix bugs nor add features
- `perf`: Performance improvements
- `test`: Adding or fixing tests
- `build`: Changes to the build system or dependencies
- `ci`: Changes to CI configuration
- `chore`: Other changes that don't modify source or test files
Examples:
```
feat: add user authentication
fix(database): resolve connection pooling issue
docs: update installation instructions
```
The project uses the `committed` hook to validate commit messages in pre-commit. This ensures all commits follow the conventional format.
### Creating pull requests
Please try to keep contributions to the Forgejo Instance. While the mirrors of continuwuity
allow for pull/merge requests, there is no guarantee the maintainers will see them in a timely
manner. Additionally, please mark WIP or unfinished or incomplete PRs as drafts.
This prevents us from having to ping once in a while to double check the status
of it, especially when the CI completed successfully and everything so it
*looks* done.
Before submitting a pull request, please ensure:
1. Your code passes all CI checks (formatting, linting, typo detection, etc.). Run pre-commit for this.
2. Your code follows the [code style guide](./code_style)
3. Your commit messages follow the conventional commits format
4. Tests are added for new functionality
5. Documentation is updated if needed
6. You have written a [news fragment](#writing-news-fragments) for your changes
Direct all PRs/MRs to the `main` branch.
By sending a pull request or patch, you are agreeing that your changes are
allowed to be licenced under the Apache-2.0 licence and all of your conduct is
in line with the Contributor's Covenant, and continuwuity's Code of Conduct.
Contribution by users who violate either of these code of conducts may not have
their contributions accepted. This includes users who have been banned from
continuwuity Matrix rooms for Code of Conduct violations.
[issues]: https://forgejo.ellis.link/continuwuation/continuwuity/issues
[continuwuity-matrix]: https://matrix.to/#/#continuwuity:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org
[complement]: https://github.com/matrix-org/complement/
[sytest]: https://github.com/matrix-org/sytest/
[mdbook]: https://rust-lang.github.io/mdBook/
[documentation.yml]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/.forgejo/workflows/documentation.yml
#### Writing news fragments
In order to make writing our changelogs easier, we make use of [Towncrier]. Towncrier builds changelogs based on
"news fragments", which are little markdown files in the `changelog.d/` directory that describe individual changes.
When you make a pull request that changes functionality, fixes a bug, or adds documentation, please add a news fragment
describing your change. The file name *MUST* be in the format of `{pull_request_number}.{type}`, where `{type}` is one
of the following:
- `feature` - for new features
- `bugfix` - for bug fixes
- `doc` - for documentation changes
- `misc` - for other changes that don't fit the above categories
For example:
```bash
$ echo "Fixed the quantum flux stabiliser. Contributed by @alice." > changelog.d/42.bugfix
```
(Note: If you want to credit yourself, you should reference your forgejo handle, however links to other platforms are also acceptable.)
When the next release is made, Towncrier will automatically include your news fragment in the changelog.
You can read more about writing news fragments in the [Towncrier tutorial][tt].
[Towncrier]: https://towncrier.readthedocs.io/
[tt]: https://towncrier.readthedocs.io/en/stable/tutorial.html#creating-news-fragments

1
docs/development/contributing.mdx Symbolic link
View File

@@ -0,0 +1 @@
../../CONTRIBUTING.md

2
docs/public/.well-known/matrix/client
View File

@@ -1 +1 @@
{"m.homeserver":{"base_url": "https://matrix.continuwuity.org"},"org.matrix.msc3575.proxy":{"url": "https://matrix.continuwuity.org"},"org.matrix.msc4143.rtc_foci":[{"type":"livekit","livekit_service_url":"https://livekit.ellis.link"}]}
{"m.homeserver":{"base_url": "https://matrix.continuwuity.org"},"org.matrix.msc4143.rtc_foci":[{"type":"livekit","livekit_service_url":"https://livekit.ellis.link"}]}

2
docs/public/schema/announcements.schema.json
View File

@@ -1,6 +1,6 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"$id": "https://continwuity.org/schema/announcements.schema.json",
"$id": "https://continuwuity.org/schema/announcements.schema.json",
"type": "object",
"properties": {
"announcements": {

4
docs/reference/admin/debug.md
View File

@@ -130,6 +130,10 @@ ## `!admin debug database-files`
List database files
## `!admin debug send-test-email`
Send a test email to the invoking admin's email address
## `!admin debug tester`
Developer test stubs

18
docs/reference/admin/users.md
View File

@@ -12,6 +12,24 @@ ## `!admin users reset-password`
Reset user password
## `!admin users issue-password-reset-link`
Issue a self-service password reset link for a user
## `!admin users get-email`
Get a user's associated email address
## `!admin users get-user-by-email`
Get the user with the given email address
## `!admin users change-email`
Update or remove a user's email address.
If `email` is not supplied, the user's existing address will be removed.
## `!admin users deactivate`
Deactivate a user

36
flake.lock generated
View File

@@ -3,11 +3,11 @@
"advisory-db": {
"flake": false,
"locked": {
"lastModified": 1772776993,
"narHash": "sha256-CpBa+UpogN0Xn1gMmgqQrzKGee+E8TCkgHar8/w6CRk=",
"lastModified": 1773786698,
"narHash": "sha256-o/J7ZculgwSs1L4H4UFlFZENOXTJzq1X0n71x6oNNvY=",
"owner": "rustsec",
"repo": "advisory-db",
"rev": "b3472341e37cbd4b8c27b052b2abb34792f4d3c4",
"rev": "99e9de91bb8b61f06ef234ff84e11f758ecd5384",
"type": "github"
},
"original": {
@@ -18,11 +18,11 @@
},
"crane": {
"locked": {
"lastModified": 1772560058,
"narHash": "sha256-NuVKdMBJldwUXgghYpzIWJdfeB7ccsu1CC7B+NfSoZ8=",
"lastModified": 1773189535,
"narHash": "sha256-E1G/Or6MWeP+L6mpQ0iTFLpzSzlpGrITfU2220Gq47g=",
"owner": "ipetkov",
"repo": "crane",
"rev": "db590d9286ed5ce22017541e36132eab4e8b3045",
"rev": "6fa2fb4cf4a89ba49fc9dd5a3eb6cde99d388269",
"type": "github"
},
"original": {
@@ -39,11 +39,11 @@
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
"lastModified": 1772953398,
"narHash": "sha256-fTTHCaEvPLzWyZFxPud/G9HM3pNYmW/64Kj58hdH4+k=",
"lastModified": 1773732206,
"narHash": "sha256-HKibxaUXyWd4Hs+ZUnwo6XslvaFqFqJh66uL9tphU4Q=",
"owner": "nix-community",
"repo": "fenix",
"rev": "fc4863887d98fd879cf5f11af1d23d44d9bdd8ae",
"rev": "0aa13c1b54063a8d8679b28a5cd357ba98f4a56b",
"type": "github"
},
"original": {
@@ -89,11 +89,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1772773019,
"narHash": "sha256-E1bxHxNKfDoQUuvriG71+f+s/NT0qWkImXsYZNFFfCs=",
"lastModified": 1773734432,
"narHash": "sha256-IF5ppUWh6gHGHYDbtVUyhwy/i7D261P7fWD1bPefOsw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "aca4d95fce4914b3892661bcb80b8087293536c6",
"rev": "cda48547b432e8d3b18b4180ba07473762ec8558",
"type": "github"
},
"original": {
@@ -132,11 +132,11 @@
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1772877513,
"narHash": "sha256-RcRGv2Bng5I9y75XwFX7oK2l6mLH1dtbTTG9U8qun0c=",
"lastModified": 1773697963,
"narHash": "sha256-xdKI77It9PM6eNrCcDZsnP4SKulZwk8VkDgBRVMnCb8=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "a1b86d600f88be98643e5dd61d6ed26eda17c09e",
"rev": "2993637174252ff60a582fd1f55b9ab52c39db6d",
"type": "github"
},
"original": {
@@ -153,11 +153,11 @@
]
},
"locked": {
"lastModified": 1772660329,
"narHash": "sha256-IjU1FxYqm+VDe5qIOxoW+pISBlGvVApRjiw/Y/ttJzY=",
"lastModified": 1773297127,
"narHash": "sha256-6E/yhXP7Oy/NbXtf1ktzmU8SdVqJQ09HC/48ebEGBpk=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "3710e0e1218041bbad640352a0440114b1e10428",
"rev": "71b125cd05fbfd78cab3e070b73544abe24c5016",
"type": "github"
},
"original": {

2
nix/packages/rust.nix
View File

@@ -15,7 +15,7 @@
file = inputs.self + "/rust-toolchain.toml";
# See also `rust-toolchain.toml`
sha256 = "sha256-SJwZ8g0zF2WrKDVmHrVG3pD2RGoQeo24MEXnNx5FyuI=";
sha256 = "sha256-sqSWJDUxc+zaz1nBWMAJKTAGBuGWP25GCftIOlCEAtA=";
};
in
{

1
nix/shells/default.nix
View File

@@ -17,6 +17,7 @@
# basic nix shell containing all things necessary to build continuwuity in all flavors manually (on x86_64-linux)
devShells.default = uwulib.build.craneLib.devShell {
packages = [
pkgs.nodejs
pkgs.pkg-config
pkgs.liburing
pkgs.rust-jemalloc-sys-unprefixed

400
package-lock.json generated
View File

@@ -12,25 +12,25 @@
"@rspress/core": "^2.0.0",
"@rspress/plugin-client-redirects": "^2.0.0",
"@rspress/plugin-sitemap": "^2.0.0",
"typescript": "^5.9.3"
"typescript": "^6.0.0"
}
},
"node_modules/@emnapi/core": {
"version": "1.8.1",
"resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.8.1.tgz",
"integrity": "sha512-AvT9QFpxK0Zd8J0jopedNm+w/2fIzvtPKPjqyw9jwvBaReTTqPBk9Hixaz7KbjimP+QNz605/XnjFcDAL2pqBg==",
"version": "1.9.1",
"resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.9.1.tgz",
"integrity": "sha512-mukuNALVsoix/w1BJwFzwXBN/dHeejQtuVzcDsfOEsdpCumXb/E9j8w11h5S54tT1xhifGfbbSm/ICrObRb3KA==",
"dev": true,
"license": "MIT",
"optional": true,
"dependencies": {
"@emnapi/wasi-threads": "1.1.0",
"@emnapi/wasi-threads": "1.2.0",
"tslib": "^2.4.0"
}
},
"node_modules/@emnapi/runtime": {
"version": "1.8.1",
"resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.8.1.tgz",
"integrity": "sha512-mehfKSMWjjNol8659Z8KxEMrdSJDDot5SXMq00dM8BN4o+CLNXQ0xH2V7EchNHV4RmbZLmmPdEaXZc5H2FXmDg==",
"version": "1.9.1",
"resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.9.1.tgz",
"integrity": "sha512-VYi5+ZVLhpgK4hQ0TAjiQiZ6ol0oe4mBx7mVv7IflsiEp0OWoVsp/+f9Vc1hOhE0TtkORVrI1GvzyreqpgWtkA==",
"dev": true,
"license": "MIT",
"optional": true,
@@ -39,9 +39,9 @@
}
},
"node_modules/@emnapi/wasi-threads": {
"version": "1.1.0",
"resolved": "https://registry.npmjs.org/@emnapi/wasi-threads/-/wasi-threads-1.1.0.tgz",
"integrity": "sha512-WI0DdZ8xFSbgMjR1sFsKABJ/C5OnRrjT06JXbZKexJGrDuPTzZdDYfFlsgcCXCyf+suG5QU2e/y1Wo2V/OapLQ==",
"version": "1.2.0",
"resolved": "https://registry.npmjs.org/@emnapi/wasi-threads/-/wasi-threads-1.2.0.tgz",
"integrity": "sha512-N10dEJNSsUx41Z6pZsXU8FjPjpBEplgH24sfkmITrBED1/U2Esum9F3lfLrMjKHHjmi557zQn7kR9R+XWXu5Rg==",
"dev": true,
"license": "MIT",
"optional": true,
@@ -106,27 +106,31 @@
}
},
"node_modules/@napi-rs/wasm-runtime": {
"version": "1.0.7",
"resolved": "https://registry.npmjs.org/@napi-rs/wasm-runtime/-/wasm-runtime-1.0.7.tgz",
"integrity": "sha512-SeDnOO0Tk7Okiq6DbXmmBODgOAb9dp9gjlphokTUxmt8U3liIP1ZsozBahH69j/RJv+Rfs6IwUKHTgQYJ/HBAw==",
"version": "1.1.1",
"resolved": "https://registry.npmjs.org/@napi-rs/wasm-runtime/-/wasm-runtime-1.1.1.tgz",
"integrity": "sha512-p64ah1M1ld8xjWv3qbvFwHiFVWrq1yFvV4f7w+mzaqiR4IlSgkqhcRdHwsGgomwzBH51sRY4NEowLxnaBjcW/A==",
"dev": true,
"license": "MIT",
"optional": true,
"dependencies": {
"@emnapi/core": "^1.5.0",
"@emnapi/runtime": "^1.5.0",
"@emnapi/core": "^1.7.1",
"@emnapi/runtime": "^1.7.1",
"@tybys/wasm-util": "^0.10.1"
},
"funding": {
"type": "github",
"url": "https://github.com/sponsors/Brooooooklyn"
}
},
"node_modules/@rsbuild/core": {
"version": "2.0.0-beta.6",
"resolved": "https://registry.npmjs.org/@rsbuild/core/-/core-2.0.0-beta.6.tgz",
"integrity": "sha512-DUBhUzvzj6xlGUAHTTipFskSuZmVEuTX7lGU+ToPuo8n3bsQrWn/UBOEQAd45g66k7QfXadoZ/v7eodQErpvGQ==",
"version": "2.0.0-beta.11",
"resolved": "https://registry.npmjs.org/@rsbuild/core/-/core-2.0.0-beta.11.tgz",
"integrity": "sha512-IBbQx7SrnSpD7j2p2qyq3qDxoqmG4E6lcflTpbBitX6iUrzpVRQbP4rktXZ2iuY7ph9+FtUK/SVAVA+Ocm3Nig==",
"dev": true,
"license": "MIT",
"dependencies": {
"@rspack/core": "2.0.0-beta.3",
"@swc/helpers": "^0.5.19"
"@rspack/core": "2.0.0-beta.9",
"@swc/helpers": "^0.5.20"
},
"bin": {
"rsbuild": "bin/rsbuild.js"
@@ -144,42 +148,47 @@
}
},
"node_modules/@rsbuild/plugin-react": {
"version": "1.4.5",
"resolved": "https://registry.npmjs.org/@rsbuild/plugin-react/-/plugin-react-1.4.5.tgz",
"integrity": "sha512-eS2sXCedgGA/7bLu8yVtn48eE/GyPbXx4Q7OcutB01IQ1D2y8WSMBys4nwfrecy19utvw4NPn4gYDy52316+vg==",
"version": "1.4.6",
"resolved": "https://registry.npmjs.org/@rsbuild/plugin-react/-/plugin-react-1.4.6.tgz",
"integrity": "sha512-LAT6xHlEyZKA0VjF/ph5d50iyG+WSmBx+7g98HNZUwb94VeeTMZFB8qVptTkbIRMss3BNKOXmHOu71Lhsh9oEw==",
"dev": true,
"license": "MIT",
"dependencies": {
"@rspack/plugin-react-refresh": "^1.6.0",
"@rspack/plugin-react-refresh": "^1.6.1",
"react-refresh": "^0.18.0"
},
"peerDependencies": {
"@rsbuild/core": "^1.0.0 || ^2.0.0-0"
},
"peerDependenciesMeta": {
"@rsbuild/core": {
"optional": true
}
}
},
"node_modules/@rspack/binding": {
"version": "2.0.0-beta.3",
"resolved": "https://registry.npmjs.org/@rspack/binding/-/binding-2.0.0-beta.3.tgz",
"integrity": "sha512-GSj+d8AlLs1oElhYq32vIN/eAsxWG9jy0EiNgSxWTt5Gdamv87kcvsV4jwfWIjlltdnBIJgey2RnU+hDZlTAvw==",
"version": "2.0.0-beta.9",
"resolved": "https://registry.npmjs.org/@rspack/binding/-/binding-2.0.0-beta.9.tgz",
"integrity": "sha512-QgkOvzl6BJc4Vg5eaY9r7MkHNfXvVZPgTIeYkdBEOYPowdyCLhlG9vH7QltqLKP9KDNel70YIeMyUrpTqez01w==",
"dev": true,
"license": "MIT",
"optionalDependencies": {
"@rspack/binding-darwin-arm64": "2.0.0-beta.3",
"@rspack/binding-darwin-x64": "2.0.0-beta.3",
"@rspack/binding-linux-arm64-gnu": "2.0.0-beta.3",
"@rspack/binding-linux-arm64-musl": "2.0.0-beta.3",
"@rspack/binding-linux-x64-gnu": "2.0.0-beta.3",
"@rspack/binding-linux-x64-musl": "2.0.0-beta.3",
"@rspack/binding-wasm32-wasi": "2.0.0-beta.3",
"@rspack/binding-win32-arm64-msvc": "2.0.0-beta.3",
"@rspack/binding-win32-ia32-msvc": "2.0.0-beta.3",
"@rspack/binding-win32-x64-msvc": "2.0.0-beta.3"
"@rspack/binding-darwin-arm64": "2.0.0-beta.9",
"@rspack/binding-darwin-x64": "2.0.0-beta.9",
"@rspack/binding-linux-arm64-gnu": "2.0.0-beta.9",
"@rspack/binding-linux-arm64-musl": "2.0.0-beta.9",
"@rspack/binding-linux-x64-gnu": "2.0.0-beta.9",
"@rspack/binding-linux-x64-musl": "2.0.0-beta.9",
"@rspack/binding-wasm32-wasi": "2.0.0-beta.9",
"@rspack/binding-win32-arm64-msvc": "2.0.0-beta.9",
"@rspack/binding-win32-ia32-msvc": "2.0.0-beta.9",
"@rspack/binding-win32-x64-msvc": "2.0.0-beta.9"
}
},
"node_modules/@rspack/binding-darwin-arm64": {
"version": "2.0.0-beta.3",
"resolved": "https://registry.npmjs.org/@rspack/binding-darwin-arm64/-/binding-darwin-arm64-2.0.0-beta.3.tgz",
"integrity": "sha512-QebSomLWlCbFsC0sfDuGqLJtkgyrnr38vrCepWukaAXIY4ANy5QB49LDKdLpVv6bKlC95MpnW37NvSNWY5GMYA==",
"version": "2.0.0-beta.9",
"resolved": "https://registry.npmjs.org/@rspack/binding-darwin-arm64/-/binding-darwin-arm64-2.0.0-beta.9.tgz",
"integrity": "sha512-9Aao24b+lrVGG25itl2c7e6HK6eNH5J5ao1Uq5UoSwSJZOxRPuY+QlHIvE2tyt833Ly9qcT1J7os2AIUNlF6Vw==",
"cpu": [
"arm64"
],
@@ -191,9 +200,9 @@
]
},
"node_modules/@rspack/binding-darwin-x64": {
"version": "2.0.0-beta.3",
"resolved": "https://registry.npmjs.org/@rspack/binding-darwin-x64/-/binding-darwin-x64-2.0.0-beta.3.tgz",
"integrity": "sha512-EysmBq+sz+Ph0bu0gXpU1uuZG9gXgjqY+w3MJel+ieTFyQO3L/R56V32McgssMbheJbYcviDDn7Tz4D+lTvdJA==",
"version": "2.0.0-beta.9",
"resolved": "https://registry.npmjs.org/@rspack/binding-darwin-x64/-/binding-darwin-x64-2.0.0-beta.9.tgz",
"integrity": "sha512-sP6gusMsxm3W4aHpRsmVaBQU09n1p/1+XpLHT/gZy6nJ7Wy3nqfNKNoybNBORwCuFcGUon6cVRcieN9AEm6iJA==",
"cpu": [
"x64"
],
@@ -205,13 +214,16 @@
]
},
"node_modules/@rspack/binding-linux-arm64-gnu": {
"version": "2.0.0-beta.3",
"resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-2.0.0-beta.3.tgz",
"integrity": "sha512-iFPj4TQZKewnqWPfTbyk3F8QCBI/Edv7TVSRIPBHRnCM0lvYZl/8IZlUzXSamLvrtDpouF0nUzht/fktoWOhAg==",
"version": "2.0.0-beta.9",
"resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-2.0.0-beta.9.tgz",
"integrity": "sha512-k2DPN3B2qaz4L/h/R+l7rbDk/lLwbR/sayfsHZ8sLdZ3f6pvaSI9ejrsFv0nU4OmKCQsz4zYuoKTVFPtDfbGjA==",
"cpu": [
"arm64"
],
"dev": true,
"libc": [
"glibc"
],
"license": "MIT",
"optional": true,
"os": [
@@ -219,13 +231,16 @@
]
},
"node_modules/@rspack/binding-linux-arm64-musl": {
"version": "2.0.0-beta.3",
"resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-musl/-/binding-linux-arm64-musl-2.0.0-beta.3.tgz",
"integrity": "sha512-355mygfCNb0eF/y4HgtJcd0i9csNTG4Z15PCCplIkSAKJpFpkORM2xJb50BqsbhVafYl6AHoBlGWAo9iIzUb/w==",
"version": "2.0.0-beta.9",
"resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-musl/-/binding-linux-arm64-musl-2.0.0-beta.9.tgz",
"integrity": "sha512-7+XwAsqhfc2rIHMc9mY6RMBTP76RRqmUm1UjidqYdJl5hYBa5apffjeZfJYgAhVbSwKB/tUffzPpEffGUuc5kw==",
"cpu": [
"arm64"
],
"dev": true,
"libc": [
"musl"
],
"license": "MIT",
"optional": true,
"os": [
@@ -233,13 +248,16 @@
]
},
"node_modules/@rspack/binding-linux-x64-gnu": {
"version": "2.0.0-beta.3",
"resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-gnu/-/binding-linux-x64-gnu-2.0.0-beta.3.tgz",
"integrity": "sha512-U8a+bcP/tkMyiwiO9XfeRYYO20YPGiZNxWWt7FEsdmRuRAl6M+EmWaJllJFQtKH+GG8IN93pNoVPMvARjLoJOQ==",
"version": "2.0.0-beta.9",
"resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-gnu/-/binding-linux-x64-gnu-2.0.0-beta.9.tgz",
"integrity": "sha512-z/EOUKEq5rq4sYsVSFL9uzdPtTPVA82x3gsRJlDTfEcruZZI7Y6JKUkpDYkC0LivXqyOnoOz8slAFd2/dByRtA==",
"cpu": [
"x64"
],
"dev": true,
"libc": [
"glibc"
],
"license": "MIT",
"optional": true,
"os": [
@@ -247,13 +265,16 @@
]
},
"node_modules/@rspack/binding-linux-x64-musl": {
"version": "2.0.0-beta.3",
"resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-musl/-/binding-linux-x64-musl-2.0.0-beta.3.tgz",
"integrity": "sha512-g81rqkaqDFRTID2VrHBYeM+xZe8yWov7IcryTrl9RGXXr61s+6Tu/mWyM378PuHOCyMNu7G3blVaSjLvKauG6Q==",
"version": "2.0.0-beta.9",
"resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-musl/-/binding-linux-x64-musl-2.0.0-beta.9.tgz",
"integrity": "sha512-LVIXrqtAOy/DowIB04jyUyYy+5kHtZNJ0W5EJd39OwY/9gGvhgAEVvSWu7JrRAvKW1kQsV7GnRT5ninbDrRw1A==",
"cpu": [
"x64"
],
"dev": true,
"libc": [
"musl"
],
"license": "MIT",
"optional": true,
"os": [
@@ -261,9 +282,9 @@
]
},
"node_modules/@rspack/binding-wasm32-wasi": {
"version": "2.0.0-beta.3",
"resolved": "https://registry.npmjs.org/@rspack/binding-wasm32-wasi/-/binding-wasm32-wasi-2.0.0-beta.3.tgz",
"integrity": "sha512-tzGd8H2oj5F3oR/Hxp+J68zVU/nG+9ndH2KK3/RieVjNAiVNHCR0/ZU9D47s6fnmvWOqAQ1qO8gnVoVLopC4YA==",
"version": "2.0.0-beta.9",
"resolved": "https://registry.npmjs.org/@rspack/binding-wasm32-wasi/-/binding-wasm32-wasi-2.0.0-beta.9.tgz",
"integrity": "sha512-Vl7aDAt7DCqtZ/RJd8hLFjQqufX+efL/XZG3qADsagl/SspH1ItJ7N6X1S8o50eKoshy27Jr7mQYZEdufX9qhQ==",
"cpu": [
"wasm32"
],
@@ -271,13 +292,13 @@
"license": "MIT",
"optional": true,
"dependencies": {
"@napi-rs/wasm-runtime": "1.0.7"
"@napi-rs/wasm-runtime": "1.1.1"
}
},
"node_modules/@rspack/binding-win32-arm64-msvc": {
"version": "2.0.0-beta.3",
"resolved": "https://registry.npmjs.org/@rspack/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-2.0.0-beta.3.tgz",
"integrity": "sha512-TZZRSWa34sm5WyoQHwnyBjLJ4w3fcWRYA9ybYjSVWjUU6tVGdMiHiZp+WexUpIETvChLXU1JENNmBg/U7wvZEA==",
"version": "2.0.0-beta.9",
"resolved": "https://registry.npmjs.org/@rspack/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-2.0.0-beta.9.tgz",
"integrity": "sha512-g4Fc3JjfibuHt5ltoV64eK0bs6NKlh8kgHA8Go3ETwEGO6OBck877e+5CqPtjTH8c1/KQPbnCoccGR1OScoZGg==",
"cpu": [
"arm64"
],
@@ -289,9 +310,9 @@
]
},
"node_modules/@rspack/binding-win32-ia32-msvc": {
"version": "2.0.0-beta.3",
"resolved": "https://registry.npmjs.org/@rspack/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-2.0.0-beta.3.tgz",
"integrity": "sha512-VFnfdbJhyl6gNW1VzTyd1ZrHCboHPR7vrOalEsulQRqVNbtDkjm1sqLHtDcLmhTEv0a9r4lli8uubWDwmel8KQ==",
"version": "2.0.0-beta.9",
"resolved": "https://registry.npmjs.org/@rspack/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-2.0.0-beta.9.tgz",
"integrity": "sha512-Oii4HpCEH3CBDKSXcS6EVlV9nGYVKAV/uBLSsuZ0RNdEG0i+OHvEiicqHAwuIYZNlH4Ea/Vwc+Dl5PM2twCZ4Q==",
"cpu": [
"ia32"
],
@@ -303,9 +324,9 @@
]
},
"node_modules/@rspack/binding-win32-x64-msvc": {
"version": "2.0.0-beta.3",
"resolved": "https://registry.npmjs.org/@rspack/binding-win32-x64-msvc/-/binding-win32-x64-msvc-2.0.0-beta.3.tgz",
"integrity": "sha512-rwZ6Y3b3oqPj+ZDPPRxr3136HUPKDSlPQa4v7bBOPLDlrFDFOynMIEqDUUi5+8lPaUQ8WWR0aJK4cgcTTT0Siw==",
"version": "2.0.0-beta.9",
"resolved": "https://registry.npmjs.org/@rspack/binding-win32-x64-msvc/-/binding-win32-x64-msvc-2.0.0-beta.9.tgz",
"integrity": "sha512-7UFjyy7QMtWvf1CBEVQkHL6bJBKaVY9yq9+Qxb7ggtxvpBbkoYykdsrhMTvr/f5TBjBqHmyeb0/oYXqo5pWFBQ==",
"cpu": [
"x64"
],
@@ -317,13 +338,13 @@
]
},
"node_modules/@rspack/core": {
"version": "2.0.0-beta.3",
"resolved": "https://registry.npmjs.org/@rspack/core/-/core-2.0.0-beta.3.tgz",
"integrity": "sha512-VuLteRIesuyFFTXZaciUY0lwDZiwMc7JcpE8guvjArztDhtpVvlaOcLlVBp/Yza8c/Tk8Dxwe1ARzFL7xG1/0w==",
"version": "2.0.0-beta.9",
"resolved": "https://registry.npmjs.org/@rspack/core/-/core-2.0.0-beta.9.tgz",
"integrity": "sha512-4sN3f72l4cj8n/dSCdWn6FkSjfHiDxHWrO1Kmqd0Bk0MmgyW+ldHitsSWPETCAxjTJGXY34r5sou5sYzb0DRww==",
"dev": true,
"license": "MIT",
"dependencies": {
"@rspack/binding": "2.0.0-beta.3"
"@rspack/binding": "2.0.0-beta.9"
},
"engines": {
"node": "^20.19.0 || >=22.12.0"
@@ -362,20 +383,20 @@
}
},
"node_modules/@rspress/core": {
"version": "2.0.4",
"resolved": "https://registry.npmjs.org/@rspress/core/-/core-2.0.4.tgz",
"integrity": "sha512-OdeGMY75OFzyRZvXuBEMre3q8Y4/OjYJa4vVBDp4Z2E65LSt8+hYkzzkarEl6sFWqbp8c1o9qfSUf4xMctmKvw==",
"version": "2.0.8",
"resolved": "https://registry.npmjs.org/@rspress/core/-/core-2.0.8.tgz",
"integrity": "sha512-MDkpm6fO0+NoW+Lx0KVL/n9DSRGQcoggeXY+EtlC+ySqF9VxQk4hu87fQhD8q2ikMOd7lbVsWmKspd3rIFD88g==",
"dev": true,
"license": "MIT",
"dependencies": {
"@mdx-js/mdx": "^3.1.1",
"@mdx-js/react": "^3.1.1",
"@rsbuild/core": "2.0.0-beta.6",
"@rsbuild/plugin-react": "~1.4.5",
"@rspress/shared": "2.0.4",
"@shikijs/rehype": "^4.0.1",
"@rsbuild/core": "2.0.0-beta.11",
"@rsbuild/plugin-react": "~1.4.6",
"@rspress/shared": "2.0.8",
"@shikijs/rehype": "^4.0.2",
"@types/unist": "^3.0.3",
"@unhead/react": "^2.1.9",
"@unhead/react": "^2.1.12",
"body-scroll-lock": "4.0.0-beta.0",
"cac": "^7.0.0",
"chokidar": "^3.6.0",
@@ -396,15 +417,17 @@
"react-lazy-with-preload": "^2.2.1",
"react-reconciler": "0.33.0",
"react-render-to-markdown": "19.0.1",
"react-router-dom": "^7.13.1",
"react-router-dom": "^7.13.2",
"rehype-external-links": "^3.0.0",
"rehype-raw": "^7.0.0",
"remark-cjk-friendly": "^2.0.1",
"remark-cjk-friendly-gfm-strikethrough": "^2.0.1",
"remark-gfm": "^4.0.1",
"remark-mdx": "^3.1.1",
"remark-parse": "^11.0.0",
"remark-stringify": "^11.0.0",
"scroll-into-view-if-needed": "^3.1.0",
"shiki": "^4.0.1",
"shiki": "^4.0.2",
"tinyglobby": "^0.2.15",
"tinypool": "^1.1.1",
"unified": "^11.0.5",
@@ -420,40 +443,40 @@
}
},
"node_modules/@rspress/plugin-client-redirects": {
"version": "2.0.4",
"resolved": "https://registry.npmjs.org/@rspress/plugin-client-redirects/-/plugin-client-redirects-2.0.4.tgz",
"integrity": "sha512-cm7VNfisVCHe+YHNjd9YrWt6/WtJ5I/oNRyjt+tqCeOcC1IJSX2LhNXpNN5h9az3wxYn37kVctBUjzqkj2FQ+A==",
"version": "2.0.8",
"resolved": "https://registry.npmjs.org/@rspress/plugin-client-redirects/-/plugin-client-redirects-2.0.8.tgz",
"integrity": "sha512-6/+CYf4u2PGOmuQkqvzLeUKTdOlj+Fnt3D/6IgjZmbXcSDweLvHhC+dHgdZw7T4paiqIxeCqU0duYX8W5agAug==",
"dev": true,
"license": "MIT",
"engines": {
"node": "^20.19.0 || >=22.12.0"
},
"peerDependencies": {
"@rspress/core": "^2.0.4"
"@rspress/core": "^2.0.8"
}
},
"node_modules/@rspress/plugin-sitemap": {
"version": "2.0.4",
"resolved": "https://registry.npmjs.org/@rspress/plugin-sitemap/-/plugin-sitemap-2.0.4.tgz",
"integrity": "sha512-TKaj3/8+P1fP3sD5NOaWVMXvRvJFQmuJQlUBxhRM0oiUHhzNNkVy/2YXkjYJuXuMhFPLnOWCjrYjTG3xcZE7Wg==",
"version": "2.0.8",
"resolved": "https://registry.npmjs.org/@rspress/plugin-sitemap/-/plugin-sitemap-2.0.8.tgz",
"integrity": "sha512-V3u+wRvzmJmC+GkigvQYDQfEo43xUlya9OVLqSyRcB/crQ0U99oto6v73isZB/qS/pTb2wbFY+CbzOqrD1uBsA==",
"dev": true,
"license": "MIT",
"engines": {
"node": "^20.19.0 || >=22.12.0"
},
"peerDependencies": {
"@rspress/core": "^2.0.4"
"@rspress/core": "^2.0.8"
}
},
"node_modules/@rspress/shared": {
"version": "2.0.4",
"resolved": "https://registry.npmjs.org/@rspress/shared/-/shared-2.0.4.tgz",
"integrity": "sha512-os2nzsPgHKVFXjDoW7N53rmhLChCw/y2O2TGilT4w2A4HNJa2oJwRk0UryXbxxWD5C85HErTjovs2uBdhdOTtA==",
"version": "2.0.8",
"resolved": "https://registry.npmjs.org/@rspress/shared/-/shared-2.0.8.tgz",
"integrity": "sha512-kvfBUvMvWcn/7PJHqZxPeu1yblzvAuB1/gk/1orp5KsYu3wbZ7X3Hsm9smDJVs5Plw1iPt67t9fOYNSM0+VjUA==",
"dev": true,
"license": "MIT",
"dependencies": {
"@rsbuild/core": "2.0.0-beta.6",
"@shikijs/rehype": "^4.0.1",
"@rsbuild/core": "2.0.0-beta.11",
"@shikijs/rehype": "^4.0.2",
"gray-matter": "4.0.3",
"lodash-es": "^4.17.23",
"unified": "^11.0.5"
@@ -586,9 +609,9 @@
"license": "MIT"
},
"node_modules/@swc/helpers": {
"version": "0.5.19",
"resolved": "https://registry.npmjs.org/@swc/helpers/-/helpers-0.5.19.tgz",
"integrity": "sha512-QamiFeIK3txNjgUTNppE6MiG3p7TdninpZu0E0PbqVh1a9FNLT2FRhisaa4NcaX52XVhA5l7Pk58Ft7Sqi/2sA==",
"version": "0.5.20",
"resolved": "https://registry.npmjs.org/@swc/helpers/-/helpers-0.5.20.tgz",
"integrity": "sha512-2egEBHUMasdypIzrprsu8g+OEVd7Vp2MM3a2eVlM/cyFYto0nGz5BX5BTgh/ShZZI9ed+ozEq+Ngt+rgmUs8tw==",
"dev": true,
"license": "Apache-2.0",
"dependencies": {
@@ -693,13 +716,13 @@
"license": "ISC"
},
"node_modules/@unhead/react": {
"version": "2.1.10",
"resolved": "https://registry.npmjs.org/@unhead/react/-/react-2.1.10.tgz",
"integrity": "sha512-z9IzzkaCI1GyiBwVRMt4dGc2mOvsj9drbAdXGMy6DWpu9FwTR37ZTmAi7UeCVyIkpVdIaNalz7vkbvGG8afFng==",
"version": "2.1.12",
"resolved": "https://registry.npmjs.org/@unhead/react/-/react-2.1.12.tgz",
"integrity": "sha512-1xXFrxyw29f+kScXfEb0GxjlgtnHxoYau0qpW9k8sgWhQUNnE5gNaH3u+rNhd5IqhyvbdDRJpQ25zoz0HIyGaw==",
"dev": true,
"license": "MIT",
"dependencies": {
"unhead": "2.1.10"
"unhead": "2.1.12"
},
"funding": {
"url": "https://github.com/sponsors/harlan-zw"
@@ -1285,6 +1308,19 @@
"node": "^8.16.0 || ^10.6.0 || >=11.0.0"
}
},
"node_modules/get-east-asian-width": {
"version": "1.5.0",
"resolved": "https://registry.npmjs.org/get-east-asian-width/-/get-east-asian-width-1.5.0.tgz",
"integrity": "sha512-CQ+bEO+Tva/qlmw24dCejulK5pMzVnUOFOijVogd3KQs07HnRIgp8TGipvCCRT06xeYEbpbgwaCxglFyiuIcmA==",
"dev": true,
"license": "MIT",
"engines": {
"node": ">=18"
},
"funding": {
"url": "https://github.com/sponsors/sindresorhus"
}
},
"node_modules/github-slugger": {
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/github-slugger/-/github-slugger-2.0.0.tgz",
@@ -1558,9 +1594,9 @@
}
},
"node_modules/hookable": {
"version": "6.0.1",
"resolved": "https://registry.npmjs.org/hookable/-/hookable-6.0.1.tgz",
"integrity": "sha512-uKGyY8BuzN/a5gvzvA+3FVWo0+wUjgtfSdnmjtrOVwQCZPHpHDH2WRO3VZSOeluYrHoDCiXFffZXs8Dj1ULWtw==",
"version": "6.1.0",
"resolved": "https://registry.npmjs.org/hookable/-/hookable-6.1.0.tgz",
"integrity": "sha512-ZoKZSJgu8voGK2geJS+6YtYjvIzu9AOM/KZXsBxr83uhLL++e9pEv/dlgwgy3dvHg06kTz6JOh1hk3C8Ceiymw==",
"dev": true,
"license": "MIT"
},
@@ -2176,6 +2212,80 @@
"micromark-util-types": "^2.0.0"
}
},
"node_modules/micromark-extension-cjk-friendly": {
"version": "2.0.1",
"resolved": "https://registry.npmjs.org/micromark-extension-cjk-friendly/-/micromark-extension-cjk-friendly-2.0.1.tgz",
"integrity": "sha512-OkzoYVTL1ChbvQ8Cc1ayTIz7paFQz8iS9oIYmewncweUSwmWR+hkJF9spJ1lxB90XldJl26A1F4IkPOKS3bDXw==",
"dev": true,
"license": "MIT",
"dependencies": {
"devlop": "^1.1.0",
"micromark-extension-cjk-friendly-util": "3.0.1",
"micromark-util-chunked": "^2.0.1",
"micromark-util-resolve-all": "^2.0.1",
"micromark-util-symbol": "^2.0.1"
},
"engines": {
"node": ">=18"
},
"peerDependencies": {
"micromark": "^4.0.0",
"micromark-util-types": "^2.0.0"
},
"peerDependenciesMeta": {
"micromark-util-types": {
"optional": true
}
}
},
"node_modules/micromark-extension-cjk-friendly-gfm-strikethrough": {
"version": "2.0.1",
"resolved": "https://registry.npmjs.org/micromark-extension-cjk-friendly-gfm-strikethrough/-/micromark-extension-cjk-friendly-gfm-strikethrough-2.0.1.tgz",
"integrity": "sha512-wVC0zwjJNqQeX+bb07YTPu/CvSAyCTafyYb7sMhX1r62/Lw5M/df3JyYaANyp8g15c1ypJRFSsookTqA1IDsUg==",
"dev": true,
"license": "MIT",
"dependencies": {
"devlop": "^1.1.0",
"get-east-asian-width": "^1.4.0",
"micromark-extension-cjk-friendly-util": "3.0.1",
"micromark-util-character": "^2.1.1",
"micromark-util-chunked": "^2.0.1",
"micromark-util-resolve-all": "^2.0.1",
"micromark-util-symbol": "^2.0.1"
},
"engines": {
"node": ">=18"
},
"peerDependencies": {
"micromark": "^4.0.0",
"micromark-util-types": "^2.0.0"
},
"peerDependenciesMeta": {
"micromark-util-types": {
"optional": true
}
}
},
"node_modules/micromark-extension-cjk-friendly-util": {
"version": "3.0.1",
"resolved": "https://registry.npmjs.org/micromark-extension-cjk-friendly-util/-/micromark-extension-cjk-friendly-util-3.0.1.tgz",
"integrity": "sha512-GcbXqTTHOsiZHyF753oIddP/J2eH8j9zpyQPhkof6B2JNxfEJabnQqxbCgzJNuNes0Y2jTNJ3LiYPSXr6eJA8w==",
"dev": true,
"license": "MIT",
"dependencies": {
"get-east-asian-width": "^1.4.0",
"micromark-util-character": "^2.1.1",
"micromark-util-symbol": "^2.0.1"
},
"engines": {
"node": ">=18"
},
"peerDependenciesMeta": {
"micromark-util-types": {
"optional": true
}
}
},
"node_modules/micromark-extension-gfm": {
"version": "3.0.0",
"resolved": "https://registry.npmjs.org/micromark-extension-gfm/-/micromark-extension-gfm-3.0.0.tgz",
@@ -2889,14 +2999,14 @@
"license": "MIT"
},
"node_modules/oniguruma-to-es": {
"version": "4.3.4",
"resolved": "https://registry.npmjs.org/oniguruma-to-es/-/oniguruma-to-es-4.3.4.tgz",
"integrity": "sha512-3VhUGN3w2eYxnTzHn+ikMI+fp/96KoRSVK9/kMTcFqj1NRDh2IhQCKvYxDnWePKRXY/AqH+Fuiyb7VHSzBjHfA==",
"version": "4.3.5",
"resolved": "https://registry.npmjs.org/oniguruma-to-es/-/oniguruma-to-es-4.3.5.tgz",
"integrity": "sha512-Zjygswjpsewa0NLTsiizVuMQZbp0MDyM6lIt66OxsF21npUDlzpHi1Mgb/qhQdkb+dWFTzJmFbEWdvZgRho8eQ==",
"dev": true,
"license": "MIT",
"dependencies": {
"oniguruma-parser": "^0.12.1",
"regex": "^6.0.1",
"regex": "^6.1.0",
"regex-recursion": "^6.0.2"
}
},
@@ -3041,9 +3151,9 @@
}
},
"node_modules/react-router": {
"version": "7.13.1",
"resolved": "https://registry.npmjs.org/react-router/-/react-router-7.13.1.tgz",
"integrity": "sha512-td+xP4X2/6BJvZoX6xw++A2DdEi++YypA69bJUV5oVvqf6/9/9nNlD70YO1e9d3MyamJEBQFEzk6mbfDYbqrSA==",
"version": "7.13.2",
"resolved": "https://registry.npmjs.org/react-router/-/react-router-7.13.2.tgz",
"integrity": "sha512-tX1Aee+ArlKQP+NIUd7SE6Li+CiGKwQtbS+FfRxPX6Pe4vHOo6nr9d++u5cwg+Z8K/x8tP+7qLmujDtfrAoUJA==",
"dev": true,
"license": "MIT",
"dependencies": {
@@ -3064,13 +3174,13 @@
}
},
"node_modules/react-router-dom": {
"version": "7.13.1",
"resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-7.13.1.tgz",
"integrity": "sha512-UJnV3Rxc5TgUPJt2KJpo1Jpy0OKQr0AjgbZzBFjaPJcFOb2Y8jA5H3LT8HUJAiRLlWrEXWHbF1Z4SCZaQjWDHw==",
"version": "7.13.2",
"resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-7.13.2.tgz",
"integrity": "sha512-aR7SUORwTqAW0JDeiWF07e9SBE9qGpByR9I8kJT5h/FrBKxPMS6TiC7rmVO+gC0q52Bx7JnjWe8Z1sR9faN4YA==",
"dev": true,
"license": "MIT",
"dependencies": {
"react-router": "7.13.1"
"react-router": "7.13.2"
},
"engines": {
"node": ">=20.0.0"
@@ -3242,6 +3352,50 @@
"url": "https://opencollective.com/unified"
}
},
"node_modules/remark-cjk-friendly": {
"version": "2.0.1",
"resolved": "https://registry.npmjs.org/remark-cjk-friendly/-/remark-cjk-friendly-2.0.1.tgz",
"integrity": "sha512-6WwkoQyZf/4j5k53zdFYrR8Ca+UVn992jXdLUSBDZR4eBpFhKyVxmA4gUHra/5fesjGIxrDhHesNr/sVoiiysA==",
"dev": true,
"license": "MIT",
"dependencies": {
"micromark-extension-cjk-friendly": "2.0.1"
},
"engines": {
"node": ">=18"
},
"peerDependencies": {
"@types/mdast": "^4.0.0",
"unified": "^11.0.0"
},
"peerDependenciesMeta": {
"@types/mdast": {
"optional": true
}
}
},
"node_modules/remark-cjk-friendly-gfm-strikethrough": {
"version": "2.0.1",
"resolved": "https://registry.npmjs.org/remark-cjk-friendly-gfm-strikethrough/-/remark-cjk-friendly-gfm-strikethrough-2.0.1.tgz",
"integrity": "sha512-pWKj25O2eLXIL1aBupayl1fKhco+Brw8qWUWJPVB9EBzbQNd7nGLj0nLmJpggWsGLR5j5y40PIdjxby9IEYTuA==",
"dev": true,
"license": "MIT",
"dependencies": {
"micromark-extension-cjk-friendly-gfm-strikethrough": "2.0.1"
},
"engines": {
"node": ">=18"
},
"peerDependencies": {
"@types/mdast": "^4.0.0",
"unified": "^11.0.0"
},
"peerDependenciesMeta": {
"@types/mdast": {
"optional": true
}
}
},
"node_modules/remark-gfm": {
"version": "4.0.1",
"resolved": "https://registry.npmjs.org/remark-gfm/-/remark-gfm-4.0.1.tgz",
@@ -3573,9 +3727,9 @@
"license": "0BSD"
},
"node_modules/typescript": {
"version": "5.9.3",
"resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz",
"integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
"version": "6.0.2",
"resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.2.tgz",
"integrity": "sha512-bGdAIrZ0wiGDo5l8c++HWtbaNCWTS4UTv7RaTH/ThVIgjkveJt83m74bBHMJkuCbslY8ixgLBVZJIOiQlQTjfQ==",
"dev": true,
"license": "Apache-2.0",
"bin": {
@@ -3587,9 +3741,9 @@
}
},
"node_modules/unhead": {
"version": "2.1.10",
"resolved": "https://registry.npmjs.org/unhead/-/unhead-2.1.10.tgz",
"integrity": "sha512-We8l9uNF8zz6U8lfQaVG70+R/QBfQx1oPIgXin4BtZnK2IQpz6yazQ0qjMNVBDw2ADgF2ea58BtvSK+XX5AS7g==",
"version": "2.1.12",
"resolved": "https://registry.npmjs.org/unhead/-/unhead-2.1.12.tgz",
"integrity": "sha512-iTHdWD9ztTunOErtfUFk6Wr11BxvzumcYJ0CzaSCBUOEtg+DUZ9+gnE99i8QkLFT2q1rZD48BYYGXpOZVDLYkA==",
"dev": true,
"license": "MIT",
"dependencies": {

2
package.json
View File

@@ -25,6 +25,6 @@
"@rspress/core": "^2.0.0",
"@rspress/plugin-client-redirects": "^2.0.0",
"@rspress/plugin-sitemap": "^2.0.0",
"typescript": "^5.9.3"
"typescript": "^6.0.0"
}
}

1
pkg/conduwuit.service
View File

@@ -18,6 +18,7 @@ Environment="CONTINUWUITY_DATABASE_PATH=%S/conduwuit"
Environment="CONTINUWUITY_CONFIG_RELOAD_SIGNAL=true"
LoadCredential=conduwuit.toml:/etc/conduwuit/conduwuit.toml
RefreshOnReload=yes
ExecStart=/usr/bin/conduwuit --config ${CREDENTIALS_DIRECTORY}/conduwuit.toml

36
renovate.json
View File

@@ -1,6 +1,6 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:recommended", "replacements:all"],
"extends": ["config:recommended", "replacements:all", ":semanticCommitTypeAll(chore)", "helpers:pinGitHubActionDigests"],
"dependencyDashboard": true,
"osvVulnerabilityAlerts": true,
"lockFileMaintenance": {
@@ -36,10 +36,18 @@
},
"packageRules": [
{
"description": "Batch patch-level Rust dependency updates",
"description": "Batch minor and patch Rust dependency updates",
"matchManagers": ["cargo"],
"matchUpdateTypes": ["minor", "patch"],
"matchCurrentVersion": ">=1.0.0",
"groupName": "rust-non-major"
},
{
"description": "Batch patch-level zerover Rust dependency updates",
"matchManagers": ["cargo"],
"matchUpdateTypes": ["patch"],
"groupName": "rust-patch-updates"
"matchCurrentVersion": ">=0.1.0,<1.0.0",
"groupName": "rust-zerover-patch-updates"
},
{
"description": "Limit concurrent Cargo PRs",
@@ -87,16 +95,16 @@
}
],
"customManagers": [
{
"customType": "regex",
"description": "Update _VERSION variables in Dockerfiles",
"managerFilePatterns": [
"/(^|/)([Dd]ocker|[Cc]ontainer)file[^/]*$/",
"/(^|/|\\.)([Dd]ocker|[Cc]ontainer)file$/"
],
"matchStrings": [
"# renovate: datasource=(?<datasource>[a-zA-Z0-9-._]+?) depName=(?<depName>[^\\s]+?)(?: (lookupName|packageName)=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[^\\s]+?))?(?: extractVersion=(?<extractVersion>[^\\s]+?))?(?: registryUrl=(?<registryUrl>[^\\s]+?))?\\s+(?:ENV\\s+|ARG\\s+)?[A-Za-z0-9_]+?_VERSION[ =][\"']?(?<currentValue>.+?)[\"']?\\s+(?:(?:ENV\\s+|ARG\\s+)?[A-Za-z0-9_]+?_CHECKSUM[ =][\"']?(?<currentDigest>.+?)[\"']?\\s)?"
]
}
{
"customType": "regex",
"description": "Update _VERSION variables in Dockerfiles",
"managerFilePatterns": [
"/(^|/)([Dd]ocker|[Cc]ontainer)file[^/]*$/",
"/(^|/|\\.)([Dd]ocker|[Cc]ontainer)file$/"
],
"matchStrings": [
"# renovate: datasource=(?<datasource>[a-zA-Z0-9-._]+?) depName=(?<depName>[^\\s]+?)(?: (lookupName|packageName)=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[^\\s]+?))?(?: extractVersion=(?<extractVersion>[^\\s]+?))?(?: registryUrl=(?<registryUrl>[^\\s]+?))?\\s+(?:ENV\\s+|ARG\\s+)?[A-Za-z0-9_]+?_VERSION[ =][\"']?(?<currentValue>.+?)[\"']?\\s+(?:(?:ENV\\s+|ARG\\s+)?[A-Za-z0-9_]+?_CHECKSUM[ =][\"']?(?<currentDigest>.+?)[\"']?\\s)?"
]
}
]
}

2
rust-toolchain.toml
View File

@@ -10,7 +10,7 @@
[toolchain]
profile = "minimal"
channel = "1.90.0"
channel = "1.92.0"
components = [
# For rust-analyzer
"rust-src",

1
src/admin/Cargo.toml
View File

@@ -80,6 +80,7 @@ conduwuit-macros.workspace = true
conduwuit-service.workspace = true
const-str.workspace = true
futures.workspace = true
lettre.workspace = true
log.workspace = true
ruma.workspace = true
serde_json.workspace = true

29
src/admin/debug/commands.rs
View File

@@ -19,6 +19,7 @@
warn,
};
use futures::{FutureExt, StreamExt, TryStreamExt};
use lettre::message::Mailbox;
use ruma::{
CanonicalJsonObject, CanonicalJsonValue, EventId, OwnedEventId, OwnedRoomId,
OwnedRoomOrAliasId, OwnedServerName, RoomId, RoomVersionId,
@@ -876,3 +877,31 @@ pub(super) async fn trim_memory(&self) -> Result {
writeln!(self, "done").await
}
#[admin_command]
pub(super) async fn send_test_email(&self) -> Result {
self.bail_restricted()?;
let mailer = self.services.mailer.expect_mailer()?;
let Some(sender) = self.sender else {
return Err!("No sender user provided in context");
};
let Some(email) = self
.services
.threepid
.get_email_for_localpart(sender.localpart())
.await
else {
return Err!("{} has no associated email address", sender);
};
mailer
.send(Mailbox::new(None, email.clone()), service::mailer::messages::Test)
.await?;
self.write_str(&format!("Test email successfully sent to {email}"))
.await?;
Ok(())
}

3
src/admin/debug/mod.rs
View File

@@ -225,6 +225,9 @@ pub enum DebugCommand {
level: Option<i32>,
},
/// Send a test email to the invoking admin's email address
SendTestEmail,
/// Developer test stubs
#[command(subcommand)]
#[allow(non_snake_case)]

129
src/admin/user/commands.rs
View File

@@ -11,6 +11,7 @@
warn,
};
use futures::{FutureExt, StreamExt};
use lettre::Address;
use ruma::{
OwnedEventId, OwnedRoomId, OwnedRoomOrAliasId, OwnedServerName, OwnedUserId, UserId,
events::{
@@ -296,6 +297,31 @@ pub(super) async fn reset_password(
Ok(())
}
#[admin_command]
pub(super) async fn issue_password_reset_link(&self, username: String) -> Result {
use conduwuit_service::password_reset::{PASSWORD_RESET_PATH, RESET_TOKEN_QUERY_PARAM};
self.bail_restricted()?;
let mut reset_url = self
.services
.config
.get_client_domain()
.join(PASSWORD_RESET_PATH)
.unwrap();
let user_id = parse_local_user_id(self.services, &username)?;
let token = self.services.password_reset.issue_token(user_id).await?;
reset_url
.query_pairs_mut()
.append_pair(RESET_TOKEN_QUERY_PARAM, &token.token);
self.write_str(&format!("Password reset link issued for {username}: {reset_url}"))
.await?;
Ok(())
}
#[admin_command]
pub(super) async fn deactivate_all(&self, no_leave_rooms: bool, force: bool) -> Result {
if self.body.len() < 2
@@ -1069,3 +1095,106 @@ pub(super) async fn enable_login(&self, user_id: String) -> Result {
self.write_str(&format!("{user_id} can now log in.")).await
}
#[admin_command]
pub(super) async fn get_email(&self, user_id: String) -> Result {
self.bail_restricted()?;
let user_id = parse_local_user_id(self.services, &user_id)?;
match self
.services
.threepid
.get_email_for_localpart(user_id.localpart())
.await
{
| Some(email) =>
self.write_str(&format!("{user_id} has the associated email address {email}."))
.await,
| None =>
self.write_str(&format!("{user_id} has no associated email address."))
.await,
}
}
#[admin_command]
pub(super) async fn get_user_by_email(&self, email: String) -> Result {
self.bail_restricted()?;
let Ok(email) = Address::try_from(email) else {
return Err!("Invalid email address.");
};
match self.services.threepid.get_localpart_for_email(&email).await {
| Some(localpart) => {
let user_id = OwnedUserId::parse(format!(
"@{localpart}:{}",
self.services.globals.server_name()
))
.unwrap();
self.write_str(&format!("{email} belongs to {user_id}."))
.await
},
| None =>
self.write_str(&format!("No user has {email} as their email address."))
.await,
}
}
#[admin_command]
pub(super) async fn change_email(&self, user_id: String, email: Option<String>) -> Result {
self.bail_restricted()?;
let user_id = parse_local_user_id(self.services, &user_id)?;
let Ok(new_email) = email.map(Address::try_from).transpose() else {
return Err!("Invalid email address.");
};
if self.services.mailer.mailer().is_none() {
warn!("SMTP has not been configured on this server, emails cannot be sent.");
}
let current_email = self
.services
.threepid
.get_email_for_localpart(user_id.localpart())
.await;
match (current_email, new_email) {
| (None, None) =>
self.write_str(&format!(
"{user_id} already had no associated email. No changes have been made."
))
.await,
| (current_email, Some(new_email)) => {
self.services
.threepid
.associate_localpart_email(user_id.localpart(), &new_email)
.await?;
if let Some(current_email) = current_email {
self.write_str(&format!(
"The associated email of {user_id} has been changed from {current_email} to \
{new_email}."
))
.await
} else {
self.write_str(&format!(
"{user_id} has been associated with the email {new_email}."
))
.await
}
},
| (Some(current_email), None) => {
self.services
.threepid
.disassociate_localpart_email(user_id.localpart())
.await;
self.write_str(&format!(
"The associated email of {user_id} has been removed (it was {current_email})."
))
.await
},
}
}

24
src/admin/user/mod.rs
View File

@@ -29,6 +29,30 @@ pub enum UserCommand {
password: Option<String>,
},
/// Issue a self-service password reset link for a user.
IssuePasswordResetLink {
/// Username of the user who may use the link
username: String,
},
/// Get a user's associated email address.
GetEmail {
user_id: String,
},
/// Get the user with the given email address.
GetUserByEmail {
email: String,
},
/// Update or remove a user's email address.
///
/// If `email` is not supplied, the user's existing address will be removed.
ChangeEmail {
user_id: String,
email: Option<String>,
},
/// Deactivate a user
///
/// User will be removed from all rooms by default.

1
src/api/Cargo.toml
View File

@@ -85,6 +85,7 @@ http-body-util.workspace = true
hyper.workspace = true
ipaddress.workspace = true
itertools.workspace = true
lettre.workspace = true
log.workspace = true
rand.workspace = true
reqwest.workspace = true

980
src/api/client/account.rs
View File

@@ -1,980 +0,0 @@
use std::fmt::Write;
use axum::extract::State;
use axum_client_ip::InsecureClientIp;
use conduwuit::{
Err, Error, Event, Result, debug_info, err, error, info,
matrix::pdu::PduBuilder,
utils::{self, ReadyExt, stream::BroadbandExt},
warn,
};
use conduwuit_service::Services;
use futures::{FutureExt, StreamExt};
use register::RegistrationKind;
use ruma::{
OwnedRoomId, UserId,
api::client::{
account::{
ThirdPartyIdRemovalStatus, change_password, check_registration_token_validity,
deactivate, get_3pids, get_username_availability,
register::{self, LoginType},
request_3pid_management_token_via_email, request_3pid_management_token_via_msisdn,
whoami,
},
uiaa::{AuthFlow, AuthType, UiaaInfo},
},
events::{
GlobalAccountDataEventType, StateEventType,
room::{
member::{MembershipState, RoomMemberEventContent},
message::RoomMessageEventContent,
power_levels::{RoomPowerLevels, RoomPowerLevelsEventContent},
},
},
push,
};
use super::{DEVICE_ID_LENGTH, SESSION_ID_LENGTH, TOKEN_LENGTH, join_room_by_id_helper};
use crate::Ruma;
const RANDOM_USER_ID_LENGTH: usize = 10;
/// # `GET /_matrix/client/v3/register/available`
///
/// Checks if a username is valid and available on this server.
///
/// Conditions for returning true:
/// - The user id is not historical
/// - The server name of the user id matches this server
/// - No user or appservice on this server already claimed this username
///
/// Note: This will not reserve the username, so the username might become
/// invalid when trying to register
#[tracing::instrument(skip_all, fields(%client), name = "register_available", level = "info")]
pub(crate) async fn get_register_available_route(
State(services): State<crate::State>,
InsecureClientIp(client): InsecureClientIp,
body: Ruma<get_username_availability::v3::Request>,
) -> Result<get_username_availability::v3::Response> {
// workaround for https://github.com/matrix-org/matrix-appservice-irc/issues/1780 due to inactivity of fixing the issue
let is_matrix_appservice_irc = body.appservice_info.as_ref().is_some_and(|appservice| {
appservice.registration.id == "irc"
|| appservice.registration.id.contains("matrix-appservice-irc")
|| appservice.registration.id.contains("matrix_appservice_irc")
});
if services
.globals
.forbidden_usernames()
.is_match(&body.username)
{
return Err!(Request(Forbidden("Username is forbidden")));
}
// don't force the username lowercase if it's from matrix-appservice-irc
let body_username = if is_matrix_appservice_irc {
body.username.clone()
} else {
body.username.to_lowercase()
};
// Validate user id
let user_id =
match UserId::parse_with_server_name(&body_username, services.globals.server_name()) {
| Ok(user_id) => {
if let Err(e) = user_id.validate_strict() {
// unless the username is from the broken matrix appservice IRC bridge, we
// should follow synapse's behaviour on not allowing things like spaces
// and UTF-8 characters in usernames
if !is_matrix_appservice_irc {
return Err!(Request(InvalidUsername(debug_warn!(
"Username {body_username} contains disallowed characters or spaces: \
{e}"
))));
}
}
user_id
},
| Err(e) => {
return Err!(Request(InvalidUsername(debug_warn!(
"Username {body_username} is not valid: {e}"
))));
},
};
// Check if username is creative enough
if services.users.exists(&user_id).await {
return Err!(Request(UserInUse("User ID is not available.")));
}
if let Some(ref info) = body.appservice_info {
if !info.is_user_match(&user_id) {
return Err!(Request(Exclusive("Username is not in an appservice namespace.")));
}
}
if services.appservice.is_exclusive_user_id(&user_id).await {
return Err!(Request(Exclusive("Username is reserved by an appservice.")));
}
Ok(get_username_availability::v3::Response { available: true })
}
/// # `POST /_matrix/client/v3/register`
///
/// Register an account on this homeserver.
///
/// You can use [`GET
/// /_matrix/client/v3/register/available`](fn.get_register_available_route.
/// html) to check if the user id is valid and available.
///
/// - Only works if registration is enabled
/// - If type is guest: ignores all parameters except
/// initial_device_display_name
/// - If sender is not appservice: Requires UIAA (but we only use a dummy stage)
/// - If type is not guest and no username is given: Always fails after UIAA
/// check
/// - Creates a new account and populates it with default account data
/// - If `inhibit_login` is false: Creates a device and returns device id and
/// access_token
#[allow(clippy::doc_markdown)]
#[tracing::instrument(skip_all, fields(%client), name = "register", level = "info")]
pub(crate) async fn register_route(
State(services): State<crate::State>,
InsecureClientIp(client): InsecureClientIp,
body: Ruma<register::v3::Request>,
) -> Result<register::v3::Response> {
let is_guest = body.kind == RegistrationKind::Guest;
let emergency_mode_enabled = services.config.emergency_password.is_some();
// Allow registration if it's enabled in the config file or if this is the first
// run (so the first user account can be created)
let allow_registration =
services.config.allow_registration || services.firstrun.is_first_run();
if !allow_registration && body.appservice_info.is_none() {
match (body.username.as_ref(), body.initial_device_display_name.as_ref()) {
| (Some(username), Some(device_display_name)) => {
info!(
%is_guest,
user = %username,
device_name = %device_display_name,
"Rejecting registration attempt as registration is disabled"
);
},
| (Some(username), _) => {
info!(
%is_guest,
user = %username,
"Rejecting registration attempt as registration is disabled"
);
},
| (_, Some(device_display_name)) => {
info!(
%is_guest,
device_name = %device_display_name,
"Rejecting registration attempt as registration is disabled"
);
},
| (None, _) => {
info!(
%is_guest,
"Rejecting registration attempt as registration is disabled"
);
},
}
return Err!(Request(Forbidden(
"This server is not accepting registrations at this time."
)));
}
if is_guest && !services.config.allow_guest_registration {
info!(
"Guest registration disabled, rejecting guest registration attempt, initial device \
name: \"{}\"",
body.initial_device_display_name.as_deref().unwrap_or("")
);
return Err!(Request(GuestAccessForbidden("Guest registration is disabled.")));
}
// forbid guests from registering if there is not a real admin user yet. give
// generic user error.
if is_guest && services.users.count().await < 2 {
warn!(
"Guest account attempted to register before a real admin user has been registered, \
rejecting registration. Guest's initial device name: \"{}\"",
body.initial_device_display_name.as_deref().unwrap_or("")
);
return Err!(Request(Forbidden(
"This server is not accepting registrations at this time."
)));
}
let user_id = match (body.username.as_ref(), is_guest) {
| (Some(username), false) => {
// workaround for https://github.com/matrix-org/matrix-appservice-irc/issues/1780 due to inactivity of fixing the issue
let is_matrix_appservice_irc =
body.appservice_info.as_ref().is_some_and(|appservice| {
appservice.registration.id == "irc"
|| appservice.registration.id.contains("matrix-appservice-irc")
|| appservice.registration.id.contains("matrix_appservice_irc")
});
if services.globals.forbidden_usernames().is_match(username)
&& !emergency_mode_enabled
{
return Err!(Request(Forbidden("Username is forbidden")));
}
// don't force the username lowercase if it's from matrix-appservice-irc
let body_username = if is_matrix_appservice_irc {
username.clone()
} else {
username.to_lowercase()
};
let proposed_user_id = match UserId::parse_with_server_name(
&body_username,
services.globals.server_name(),
) {
| Ok(user_id) => {
if let Err(e) = user_id.validate_strict() {
// unless the username is from the broken matrix appservice IRC bridge, or
// we are in emergency mode, we should follow synapse's behaviour on
// not allowing things like spaces and UTF-8 characters in usernames
if !is_matrix_appservice_irc && !emergency_mode_enabled {
return Err!(Request(InvalidUsername(debug_warn!(
"Username {body_username} contains disallowed characters or \
spaces: {e}"
))));
}
}
// Don't allow registration with user IDs that aren't local
if !services.globals.user_is_local(&user_id) {
return Err!(Request(InvalidUsername(
"Username {body_username} is not local to this server"
)));
}
user_id
},
| Err(e) => {
return Err!(Request(InvalidUsername(debug_warn!(
"Username {body_username} is not valid: {e}"
))));
},
};
if services.users.exists(&proposed_user_id).await {
return Err!(Request(UserInUse("User ID is not available.")));
}
proposed_user_id
},
| _ => loop {
let proposed_user_id = UserId::parse_with_server_name(
utils::random_string(RANDOM_USER_ID_LENGTH).to_lowercase(),
services.globals.server_name(),
)
.unwrap();
if !services.users.exists(&proposed_user_id).await {
break proposed_user_id;
}
},
};
if body.body.login_type == Some(LoginType::ApplicationService) {
match body.appservice_info {
| Some(ref info) =>
if !info.is_user_match(&user_id) && !emergency_mode_enabled {
return Err!(Request(Exclusive(
"Username is not in an appservice namespace."
)));
},
| _ => {
return Err!(Request(MissingToken("Missing appservice token.")));
},
}
} else if services.appservice.is_exclusive_user_id(&user_id).await && !emergency_mode_enabled
{
return Err!(Request(Exclusive("Username is reserved by an appservice.")));
}
// UIAA
let mut uiaainfo = UiaaInfo {
flows: Vec::new(),
completed: Vec::new(),
params: Box::default(),
session: None,
auth_error: None,
};
let skip_auth = body.appservice_info.is_some() || is_guest;
// Populate required UIAA flows
if services.firstrun.is_first_run() {
// Registration token forced while in first-run mode
uiaainfo.flows.push(AuthFlow {
stages: vec![AuthType::RegistrationToken],
});
} else {
if services
.registration_tokens
.iterate_tokens()
.next()
.await
.is_some()
{
// Registration token required
uiaainfo.flows.push(AuthFlow {
stages: vec![AuthType::RegistrationToken],
});
}
if services.config.recaptcha_private_site_key.is_some() {
if let Some(pubkey) = &services.config.recaptcha_site_key {
// ReCaptcha required
uiaainfo
.flows
.push(AuthFlow { stages: vec![AuthType::ReCaptcha] });
uiaainfo.params = serde_json::value::to_raw_value(&serde_json::json!({
"m.login.recaptcha": {
"public_key": pubkey,
},
}))
.expect("Failed to serialize recaptcha params");
}
}
if uiaainfo.flows.is_empty() && !skip_auth {
// Registration isn't _disabled_, but there's no captcha configured and no
// registration tokens currently set. Bail out by default unless open
// registration was explicitly enabled.
if !services
.config
.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
{
return Err!(Request(Forbidden(
"This server is not accepting registrations at this time."
)));
}
// We have open registration enabled (😧), provide a dummy stage
uiaainfo = UiaaInfo {
flows: vec![AuthFlow { stages: vec![AuthType::Dummy] }],
completed: Vec::new(),
params: Box::default(),
session: None,
auth_error: None,
};
}
}
if !skip_auth {
match &body.auth {
| Some(auth) => {
let (worked, uiaainfo) = services
.uiaa
.try_auth(
&UserId::parse_with_server_name("", services.globals.server_name())
.unwrap(),
"".into(),
auth,
&uiaainfo,
)
.await?;
if !worked {
return Err(Error::Uiaa(uiaainfo));
}
// Success!
},
| _ => match body.json_body {
| Some(ref json) => {
uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
services.uiaa.create(
&UserId::parse_with_server_name("", services.globals.server_name())
.unwrap(),
"".into(),
&uiaainfo,
json,
);
return Err(Error::Uiaa(uiaainfo));
},
| _ => {
return Err!(Request(NotJson("JSON body is not valid")));
},
},
}
}
let password = if is_guest { None } else { body.password.as_deref() };
// Create user
services.users.create(&user_id, password, None).await?;
// Default to pretty displayname
let mut displayname = user_id.localpart().to_owned();
// If `new_user_displayname_suffix` is set, registration will push whatever
// content is set to the user's display name with a space before it
if !services.globals.new_user_displayname_suffix().is_empty()
&& body.appservice_info.is_none()
{
write!(displayname, " {}", services.server.config.new_user_displayname_suffix)?;
}
services
.users
.set_displayname(&user_id, Some(displayname.clone()));
// Initial account data
services
.account_data
.update(
None,
&user_id,
GlobalAccountDataEventType::PushRules.to_string().into(),
&serde_json::to_value(ruma::events::push_rules::PushRulesEvent {
content: ruma::events::push_rules::PushRulesEventContent {
global: push::Ruleset::server_default(&user_id),
},
})?,
)
.await?;
// Generate new device id if the user didn't specify one
let no_device = body.inhibit_login
|| body
.appservice_info
.as_ref()
.is_some_and(|aps| aps.registration.device_management);
let (token, device) = if !no_device {
// Don't create a device for inhibited logins
let device_id = if is_guest { None } else { body.device_id.clone() }
.unwrap_or_else(|| utils::random_string(DEVICE_ID_LENGTH).into());
// Generate new token for the device
let new_token = utils::random_string(TOKEN_LENGTH);
// Create device for this account
services
.users
.create_device(
&user_id,
&device_id,
&new_token,
body.initial_device_display_name.clone(),
Some(client.to_string()),
)
.await?;
debug_info!(%user_id, %device_id, "User account was created");
(Some(new_token), Some(device_id))
} else {
(None, None)
};
let device_display_name = body.initial_device_display_name.as_deref().unwrap_or("");
// log in conduit admin channel if a non-guest user registered
if body.appservice_info.is_none() && !is_guest {
if !device_display_name.is_empty() {
let notice = format!(
"New user \"{user_id}\" registered on this server from IP {client} and device \
display name \"{device_display_name}\""
);
info!("{notice}");
if services.server.config.admin_room_notices {
services.admin.notice(&notice).await;
}
} else {
let notice = format!("New user \"{user_id}\" registered on this server.");
info!("{notice}");
if services.server.config.admin_room_notices {
services.admin.notice(&notice).await;
}
}
}
// log in conduit admin channel if a guest registered
if body.appservice_info.is_none() && is_guest && services.config.log_guest_registrations {
debug_info!("New guest user \"{user_id}\" registered on this server.");
if !device_display_name.is_empty() {
if services.server.config.admin_room_notices {
services
.admin
.notice(&format!(
"Guest user \"{user_id}\" with device display name \
\"{device_display_name}\" registered on this server from IP {client}"
))
.await;
}
} else {
#[allow(clippy::collapsible_else_if)]
if services.server.config.admin_room_notices {
services
.admin
.notice(&format!(
"Guest user \"{user_id}\" with no device display name registered on \
this server from IP {client}",
))
.await;
}
}
}
if !is_guest {
// Make the first user to register an administrator and disable first-run mode.
let was_first_user = services.firstrun.empower_first_user(&user_id).await?;
// If the registering user was not the first and we're suspending users on
// register, suspend them.
if !was_first_user && services.config.suspend_on_register {
// Note that we can still do auto joins for suspended users
services
.users
.suspend_account(&user_id, &services.globals.server_user)
.await;
// And send an @room notice to the admin room, to prompt admins to review the
// new user and ideally unsuspend them if deemed appropriate.
if services.server.config.admin_room_notices {
services
.admin
.send_loud_message(RoomMessageEventContent::text_plain(format!(
"User {user_id} has been suspended as they are not the first user on \
this server. Please review and unsuspend them if appropriate."
)))
.await
.ok();
}
}
}
if body.appservice_info.is_none()
&& !services.server.config.auto_join_rooms.is_empty()
&& (services.config.allow_guests_auto_join_rooms || !is_guest)
{
for room in &services.server.config.auto_join_rooms {
let Ok(room_id) = services.rooms.alias.resolve(room).await else {
error!(
"Failed to resolve room alias to room ID when attempting to auto join \
{room}, skipping"
);
continue;
};
if !services
.rooms
.state_cache
.server_in_room(services.globals.server_name(), &room_id)
.await
{
warn!(
"Skipping room {room} to automatically join as we have never joined before."
);
continue;
}
if let Some(room_server_name) = room.server_name() {
match join_room_by_id_helper(
&services,
&user_id,
&room_id,
Some("Automatically joining this room upon registration".to_owned()),
&[services.globals.server_name().to_owned(), room_server_name.to_owned()],
&body.appservice_info,
)
.boxed()
.await
{
| Err(e) => {
// don't return this error so we don't fail registrations
error!(
"Failed to automatically join room {room} for user {user_id}: {e}"
);
},
| _ => {
info!("Automatically joined room {room} for user {user_id}");
},
}
}
}
}
Ok(register::v3::Response {
access_token: token,
user_id,
device_id: device,
refresh_token: None,
expires_in: None,
})
}
/// # `POST /_matrix/client/r0/account/password`
///
/// Changes the password of this account.
///
/// - Requires UIAA to verify user password
/// - Changes the password of the sender user
/// - The password hash is calculated using argon2 with 32 character salt, the
/// plain password is
/// not saved
///
/// If logout_devices is true it does the following for each device except the
/// sender device:
/// - Invalidates access token
/// - Deletes device metadata (device id, device display name, last seen ip,
/// last seen ts)
/// - Forgets to-device events
/// - Triggers device list updates
#[tracing::instrument(skip_all, fields(%client), name = "change_password", level = "info")]
pub(crate) async fn change_password_route(
State(services): State<crate::State>,
InsecureClientIp(client): InsecureClientIp,
body: Ruma<change_password::v3::Request>,
) -> Result<change_password::v3::Response> {
// Authentication for this endpoint was made optional, but we need
// authentication currently
let sender_user = body
.sender_user
.as_ref()
.ok_or_else(|| err!(Request(MissingToken("Missing access token."))))?;
let mut uiaainfo = UiaaInfo {
flows: vec![AuthFlow { stages: vec![AuthType::Password] }],
completed: Vec::new(),
params: Box::default(),
session: None,
auth_error: None,
};
match &body.auth {
| Some(auth) => {
let (worked, uiaainfo) = services
.uiaa
.try_auth(sender_user, body.sender_device(), auth, &uiaainfo)
.await?;
if !worked {
return Err(Error::Uiaa(uiaainfo));
}
// Success!
},
| _ => match body.json_body {
| Some(ref json) => {
uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
services
.uiaa
.create(sender_user, body.sender_device(), &uiaainfo, json);
return Err(Error::Uiaa(uiaainfo));
},
| _ => {
return Err!(Request(NotJson("JSON body is not valid")));
},
},
}
services
.users
.set_password(sender_user, Some(&body.new_password))
.await?;
if body.logout_devices {
// Logout all devices except the current one
services
.users
.all_device_ids(sender_user)
.ready_filter(|id| *id != body.sender_device())
.for_each(|id| services.users.remove_device(sender_user, id))
.await;
// Remove all pushers except the ones associated with this session
services
.pusher
.get_pushkeys(sender_user)
.map(ToOwned::to_owned)
.broad_filter_map(async |pushkey| {
services
.pusher
.get_pusher_device(&pushkey)
.await
.ok()
.filter(|pusher_device| pusher_device != body.sender_device())
.is_some()
.then_some(pushkey)
})
.for_each(async |pushkey| {
services.pusher.delete_pusher(sender_user, &pushkey).await;
})
.await;
}
info!("User {sender_user} changed their password.");
if services.server.config.admin_room_notices {
services
.admin
.notice(&format!("User {sender_user} changed their password."))
.await;
}
Ok(change_password::v3::Response {})
}
/// # `GET /_matrix/client/v3/account/whoami`
///
/// Get `user_id` of the sender user.
///
/// Note: Also works for Application Services
pub(crate) async fn whoami_route(
State(services): State<crate::State>,
body: Ruma<whoami::v3::Request>,
) -> Result<whoami::v3::Response> {
let is_guest = services
.users
.is_deactivated(body.sender_user())
.await
.map_err(|_| {
err!(Request(Forbidden("Application service has not registered this user.")))
})? && body.appservice_info.is_none();
Ok(whoami::v3::Response {
user_id: body.sender_user().to_owned(),
device_id: body.sender_device.clone(),
is_guest,
})
}
/// # `POST /_matrix/client/r0/account/deactivate`
///
/// Deactivate sender user account.
///
/// - Leaves all rooms and rejects all invitations
/// - Invalidates all access tokens
/// - Deletes all device metadata (device id, device display name, last seen ip,
/// last seen ts)
/// - Forgets all to-device events
/// - Triggers device list updates
/// - Removes ability to log in again
#[tracing::instrument(skip_all, fields(%client), name = "deactivate", level = "info")]
pub(crate) async fn deactivate_route(
State(services): State<crate::State>,
InsecureClientIp(client): InsecureClientIp,
body: Ruma<deactivate::v3::Request>,
) -> Result<deactivate::v3::Response> {
// Authentication for this endpoint was made optional, but we need
// authentication currently
let sender_user = body
.sender_user
.as_ref()
.ok_or_else(|| err!(Request(MissingToken("Missing access token."))))?;
let mut uiaainfo = UiaaInfo {
flows: vec![AuthFlow { stages: vec![AuthType::Password] }],
completed: Vec::new(),
params: Box::default(),
session: None,
auth_error: None,
};
match &body.auth {
| Some(auth) => {
let (worked, uiaainfo) = services
.uiaa
.try_auth(sender_user, body.sender_device(), auth, &uiaainfo)
.await?;
if !worked {
return Err(Error::Uiaa(uiaainfo));
}
// Success!
},
| _ => match body.json_body {
| Some(ref json) => {
uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
services
.uiaa
.create(sender_user, body.sender_device(), &uiaainfo, json);
return Err(Error::Uiaa(uiaainfo));
},
| _ => {
return Err!(Request(NotJson("JSON body is not valid")));
},
},
}
// Remove profile pictures and display name
let all_joined_rooms: Vec<OwnedRoomId> = services
.rooms
.state_cache
.rooms_joined(sender_user)
.map(Into::into)
.collect()
.await;
full_user_deactivate(&services, sender_user, &all_joined_rooms)
.boxed()
.await?;
info!("User {sender_user} deactivated their account.");
if services.server.config.admin_room_notices {
services
.admin
.notice(&format!("User {sender_user} deactivated their account."))
.await;
}
Ok(deactivate::v3::Response {
id_server_unbind_result: ThirdPartyIdRemovalStatus::NoSupport,
})
}
/// # `GET _matrix/client/v3/account/3pid`
///
/// Get a list of third party identifiers associated with this account.
///
/// - Currently always returns empty list
pub(crate) async fn third_party_route(
body: Ruma<get_3pids::v3::Request>,
) -> Result<get_3pids::v3::Response> {
let _sender_user = body.sender_user.as_ref().expect("user is authenticated");
Ok(get_3pids::v3::Response::new(Vec::new()))
}
/// # `POST /_matrix/client/v3/account/3pid/email/requestToken`
///
/// "This API should be used to request validation tokens when adding an email
/// address to an account"
///
/// - 403 signals that The homeserver does not allow the third party identifier
/// as a contact option.
pub(crate) async fn request_3pid_management_token_via_email_route(
_body: Ruma<request_3pid_management_token_via_email::v3::Request>,
) -> Result<request_3pid_management_token_via_email::v3::Response> {
Err!(Request(ThreepidDenied("Third party identifiers are not implemented")))
}
/// # `POST /_matrix/client/v3/account/3pid/msisdn/requestToken`
///
/// "This API should be used to request validation tokens when adding an phone
/// number to an account"
///
/// - 403 signals that The homeserver does not allow the third party identifier
/// as a contact option.
pub(crate) async fn request_3pid_management_token_via_msisdn_route(
_body: Ruma<request_3pid_management_token_via_msisdn::v3::Request>,
) -> Result<request_3pid_management_token_via_msisdn::v3::Response> {
Err!(Request(ThreepidDenied("Third party identifiers are not implemented")))
}
/// # `GET /_matrix/client/v1/register/m.login.registration_token/validity`
///
/// Checks if the provided registration token is valid at the time of checking.
pub(crate) async fn check_registration_token_validity(
State(services): State<crate::State>,
body: Ruma<check_registration_token_validity::v1::Request>,
) -> Result<check_registration_token_validity::v1::Response> {
// TODO: ratelimit this pretty heavily
let valid = services
.registration_tokens
.validate_token(body.token.clone())
.await
.is_some();
Ok(check_registration_token_validity::v1::Response { valid })
}
/// Runs through all the deactivation steps:
///
/// - Mark as deactivated
/// - Removing display name
/// - Removing avatar URL and blurhash
/// - Removing all profile data
/// - Leaving all rooms (and forgets all of them)
pub async fn full_user_deactivate(
services: &Services,
user_id: &UserId,
all_joined_rooms: &[OwnedRoomId],
) -> Result<()> {
services.users.deactivate_account(user_id).await.ok();
services
.users
.all_profile_keys(user_id)
.ready_for_each(|(profile_key, _)| {
services.users.set_profile_key(user_id, &profile_key, None);
})
.await;
// TODO: Rescind all user invites
let mut pdu_queue: Vec<(PduBuilder, &OwnedRoomId)> = Vec::new();
for room_id in all_joined_rooms {
let room_power_levels = services
.rooms
.state_accessor
.room_state_get_content::<RoomPowerLevelsEventContent>(
room_id,
&StateEventType::RoomPowerLevels,
"",
)
.await
.ok();
let user_can_demote_self =
room_power_levels
.as_ref()
.is_some_and(|power_levels_content| {
RoomPowerLevels::from(power_levels_content.clone())
.user_can_change_user_power_level(user_id, user_id)
}) || services
.rooms
.state_accessor
.room_state_get(room_id, &StateEventType::RoomCreate, "")
.await
.is_ok_and(|event| event.sender() == user_id);
if user_can_demote_self {
let mut power_levels_content = room_power_levels.unwrap_or_default();
power_levels_content.users.remove(user_id);
let pl_evt = PduBuilder::state(String::new(), &power_levels_content);
pdu_queue.push((pl_evt, room_id));
}
// Leave the room
pdu_queue.push((
PduBuilder::state(user_id.to_string(), &RoomMemberEventContent {
avatar_url: None,
blurhash: None,
membership: MembershipState::Leave,
displayname: None,
join_authorized_via_users_server: None,
reason: None,
is_direct: None,
third_party_invite: None,
redact_events: None,
}),
room_id,
));
// TODO: Redact all messages sent by the user in the room
}
super::update_all_rooms(services, pdu_queue, user_id).await;
for room_id in all_joined_rooms {
services.rooms.state_cache.forget(room_id, user_id);
}
Ok(())
}

426
src/api/client/account/mod.rs Normal file
View File

@@ -0,0 +1,426 @@
use axum::extract::State;
use axum_client_ip::InsecureClientIp;
use conduwuit::{
Err, Event, Result, err, info,
pdu::PduBuilder,
utils::{ReadyExt, stream::BroadbandExt},
};
use conduwuit_service::Services;
use futures::{FutureExt, StreamExt};
use lettre::{Address, message::Mailbox};
use ruma::{
OwnedRoomId, OwnedUserId, UserId,
api::client::{
account::{
ThirdPartyIdRemovalStatus, change_password, check_registration_token_validity,
deactivate, get_username_availability, request_password_change_token_via_email,
whoami,
},
uiaa::{AuthFlow, AuthType},
},
events::{
StateEventType,
room::{
member::{MembershipState, RoomMemberEventContent},
power_levels::{RoomPowerLevels, RoomPowerLevelsEventContent},
},
},
};
use service::{mailer::messages, uiaa::Identity};
use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH, join_room_by_id_helper};
use crate::Ruma;
pub(crate) mod register;
pub(crate) mod threepid;
/// # `GET /_matrix/client/v3/register/available`
///
/// Checks if a username is valid and available on this server.
///
/// Conditions for returning true:
/// - The user id is not historical
/// - The server name of the user id matches this server
/// - No user or appservice on this server already claimed this username
///
/// Note: This will not reserve the username, so the username might become
/// invalid when trying to register
#[tracing::instrument(skip_all, fields(%client), name = "register_available", level = "info")]
pub(crate) async fn get_register_available_route(
State(services): State<crate::State>,
InsecureClientIp(client): InsecureClientIp,
body: Ruma<get_username_availability::v3::Request>,
) -> Result<get_username_availability::v3::Response> {
// Validate user id
let user_id =
match UserId::parse_with_server_name(&body.username, services.globals.server_name()) {
| Ok(user_id) => {
if let Err(e) = user_id.validate_strict() {
return Err!(Request(InvalidUsername(debug_warn!(
"Username {} contains disallowed characters or spaces: {e}",
body.username
))));
}
user_id
},
| Err(e) => {
return Err!(Request(InvalidUsername(debug_warn!(
"Username {} is not valid: {e}",
body.username
))));
},
};
// Check if username is creative enough
if services.users.exists(&user_id).await {
return Err!(Request(UserInUse("User ID is not available.")));
}
if let Some(ref info) = body.appservice_info {
if !info.is_user_match(&user_id) {
return Err!(Request(Exclusive("Username is not in an appservice namespace.")));
}
}
if services.appservice.is_exclusive_user_id(&user_id).await {
return Err!(Request(Exclusive("Username is reserved by an appservice.")));
}
Ok(get_username_availability::v3::Response { available: true })
}
/// # `POST /_matrix/client/r0/account/password`
///
/// Changes the password of this account.
///
/// - Requires UIAA to verify user password
/// - Changes the password of the sender user
/// - The password hash is calculated using argon2 with 32 character salt, the
/// plain password is
/// not saved
///
/// If logout_devices is true it does the following for each device except the
/// sender device:
/// - Invalidates access token
/// - Deletes device metadata (device id, device display name, last seen ip,
/// last seen ts)
/// - Forgets to-device events
/// - Triggers device list updates
#[tracing::instrument(skip_all, fields(%client), name = "change_password", level = "info")]
pub(crate) async fn change_password_route(
State(services): State<crate::State>,
InsecureClientIp(client): InsecureClientIp,
body: Ruma<change_password::v3::Request>,
) -> Result<change_password::v3::Response> {
let identity = if let Some(ref user_id) = body.sender_user {
// A signed-in user is trying to change their password, prompt them for their
// existing one
services
.uiaa
.authenticate(
&body.auth,
vec![AuthFlow::new(vec![AuthType::Password])],
Box::default(),
Some(Identity::from_user_id(user_id)),
)
.await?
} else {
// A signed-out user is trying to reset their password, prompt them for email
// confirmation. Note that we do not _send_ an email here, their client should
// have already hit `/account/password/requestToken` to send the email. We
// just validate it.
services
.uiaa
.authenticate(
&body.auth,
vec![AuthFlow::new(vec![AuthType::EmailIdentity])],
Box::default(),
None,
)
.await?
};
let sender_user = OwnedUserId::parse(format!(
"@{}:{}",
identity.localpart.expect("localpart should be known"),
services.globals.server_name()
))
.expect("user ID should be valid");
services
.users
.set_password(&sender_user, Some(&body.new_password))
.await?;
if body.logout_devices {
// Logout all devices except the current one
services
.users
.all_device_ids(&sender_user)
.ready_filter(|id| *id != body.sender_device())
.for_each(|id| services.users.remove_device(&sender_user, id))
.await;
// Remove all pushers except the ones associated with this session
services
.pusher
.get_pushkeys(&sender_user)
.map(ToOwned::to_owned)
.broad_filter_map(async |pushkey| {
services
.pusher
.get_pusher_device(&pushkey)
.await
.ok()
.filter(|pusher_device| pusher_device != body.sender_device())
.is_some()
.then_some(pushkey)
})
.for_each(async |pushkey| {
services.pusher.delete_pusher(&sender_user, &pushkey).await;
})
.await;
}
info!("User {} changed their password.", &sender_user);
if services.server.config.admin_room_notices {
services
.admin
.notice(&format!("User {} changed their password.", &sender_user))
.await;
}
Ok(change_password::v3::Response {})
}
/// # `POST /_matrix/client/v3/account/password/email/requestToken`
///
/// Requests a validation email for the purpose of resetting a user's password.
pub(crate) async fn request_password_change_token_via_email_route(
State(services): State<crate::State>,
body: Ruma<request_password_change_token_via_email::v3::Request>,
) -> Result<request_password_change_token_via_email::v3::Response> {
let Ok(email) = Address::try_from(body.email.clone()) else {
return Err!(Request(InvalidParam("Invalid email address.")));
};
let Some(localpart) = services.threepid.get_localpart_for_email(&email).await else {
return Err!(Request(ThreepidNotFound(
"No account is associated with this email address"
)));
};
let user_id =
OwnedUserId::parse(format!("@{localpart}:{}", services.globals.server_name())).unwrap();
let display_name = services.users.displayname(&user_id).await.ok();
let session = services
.threepid
.send_validation_email(
Mailbox::new(display_name.clone(), email),
|verification_link| messages::PasswordReset {
display_name: display_name.as_deref(),
user_id: &user_id,
verification_link,
},
&body.client_secret,
body.send_attempt.try_into().unwrap(),
)
.await?;
Ok(request_password_change_token_via_email::v3::Response::new(session))
}
/// # `GET /_matrix/client/v3/account/whoami`
///
/// Get `user_id` of the sender user.
///
/// Note: Also works for Application Services
pub(crate) async fn whoami_route(
State(services): State<crate::State>,
body: Ruma<whoami::v3::Request>,
) -> Result<whoami::v3::Response> {
let is_guest = services
.users
.is_deactivated(body.sender_user())
.await
.map_err(|_| {
err!(Request(Forbidden("Application service has not registered this user.")))
})? && body.appservice_info.is_none();
Ok(whoami::v3::Response {
user_id: body.sender_user().to_owned(),
device_id: body.sender_device.clone(),
is_guest,
})
}
/// # `POST /_matrix/client/r0/account/deactivate`
///
/// Deactivate sender user account.
///
/// - Leaves all rooms and rejects all invitations
/// - Invalidates all access tokens
/// - Deletes all device metadata (device id, device display name, last seen ip,
/// last seen ts)
/// - Forgets all to-device events
/// - Triggers device list updates
/// - Removes ability to log in again
#[tracing::instrument(skip_all, fields(%client), name = "deactivate", level = "info")]
pub(crate) async fn deactivate_route(
State(services): State<crate::State>,
InsecureClientIp(client): InsecureClientIp,
body: Ruma<deactivate::v3::Request>,
) -> Result<deactivate::v3::Response> {
// Authentication for this endpoint is technically optional,
// but we require the user to be logged in
let sender_user = body
.sender_user
.as_ref()
.ok_or_else(|| err!(Request(MissingToken("Missing access token."))))?;
// Prompt the user to confirm with their password using UIAA
let _ = services
.uiaa
.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
.await?;
// Remove profile pictures and display name
let all_joined_rooms: Vec<OwnedRoomId> = services
.rooms
.state_cache
.rooms_joined(sender_user)
.map(Into::into)
.collect()
.await;
full_user_deactivate(&services, sender_user, &all_joined_rooms)
.boxed()
.await?;
info!("User {sender_user} deactivated their account.");
if services.server.config.admin_room_notices {
services
.admin
.notice(&format!("User {sender_user} deactivated their account."))
.await;
}
Ok(deactivate::v3::Response {
id_server_unbind_result: ThirdPartyIdRemovalStatus::Success,
})
}
/// # `GET /_matrix/client/v1/register/m.login.registration_token/validity`
///
/// Checks if the provided registration token is valid at the time of checking.
pub(crate) async fn check_registration_token_validity(
State(services): State<crate::State>,
body: Ruma<check_registration_token_validity::v1::Request>,
) -> Result<check_registration_token_validity::v1::Response> {
// TODO: ratelimit this pretty heavily
let valid = services
.registration_tokens
.validate_token(body.token.clone())
.await
.is_some();
Ok(check_registration_token_validity::v1::Response { valid })
}
/// Runs through all the deactivation steps:
///
/// - Mark as deactivated
/// - Removing display name
/// - Removing avatar URL and blurhash
/// - Removing all profile data
/// - Leaving all rooms (and forgets all of them)
pub async fn full_user_deactivate(
services: &Services,
user_id: &UserId,
all_joined_rooms: &[OwnedRoomId],
) -> Result<()> {
services.users.deactivate_account(user_id).await.ok();
if services.globals.user_is_local(user_id) {
let _ = services
.threepid
.disassociate_localpart_email(user_id.localpart())
.await;
}
services
.users
.all_profile_keys(user_id)
.ready_for_each(|(profile_key, _)| {
services.users.set_profile_key(user_id, &profile_key, None);
})
.await;
// TODO: Rescind all user invites
let mut pdu_queue: Vec<(PduBuilder, &OwnedRoomId)> = Vec::new();
for room_id in all_joined_rooms {
let room_power_levels = services
.rooms
.state_accessor
.room_state_get_content::<RoomPowerLevelsEventContent>(
room_id,
&StateEventType::RoomPowerLevels,
"",
)
.await
.ok();
let user_can_demote_self =
room_power_levels
.as_ref()
.is_some_and(|power_levels_content| {
RoomPowerLevels::from(power_levels_content.clone())
.user_can_change_user_power_level(user_id, user_id)
}) || services
.rooms
.state_accessor
.room_state_get(room_id, &StateEventType::RoomCreate, "")
.await
.is_ok_and(|event| event.sender() == user_id);
if user_can_demote_self {
let mut power_levels_content = room_power_levels.unwrap_or_default();
power_levels_content.users.remove(user_id);
let pl_evt = PduBuilder::state(String::new(), &power_levels_content);
pdu_queue.push((pl_evt, room_id));
}
// Leave the room
pdu_queue.push((
PduBuilder::state(user_id.to_string(), &RoomMemberEventContent {
avatar_url: None,
blurhash: None,
membership: MembershipState::Leave,
displayname: None,
join_authorized_via_users_server: None,
reason: None,
is_direct: None,
third_party_invite: None,
redact_events: None,
}),
room_id,
));
// TODO: Redact all messages sent by the user in the room
}
super::update_all_rooms(services, pdu_queue, user_id).await;
for room_id in all_joined_rooms {
services.rooms.state_cache.forget(room_id, user_id);
}
Ok(())
}

601
src/api/client/account/register.rs Normal file
View File

@@ -0,0 +1,601 @@
use std::{collections::HashMap, fmt::Write};
use axum::extract::State;
use axum_client_ip::InsecureClientIp;
use conduwuit::{
Err, Result, debug_info, error, info,
utils::{self},
warn,
};
use conduwuit_service::Services;
use futures::{FutureExt, StreamExt};
use lettre::{Address, message::Mailbox};
use register::RegistrationKind;
use ruma::{
OwnedUserId, UserId,
api::client::{
account::{
register::{self, LoginType},
request_registration_token_via_email,
},
uiaa::{AuthFlow, AuthType},
},
events::{GlobalAccountDataEventType, room::message::RoomMessageEventContent},
push,
};
use serde_json::value::RawValue;
use service::mailer::messages;
use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH, join_room_by_id_helper};
use crate::Ruma;
const RANDOM_USER_ID_LENGTH: usize = 10;
/// # `POST /_matrix/client/v3/register`
///
/// Register an account on this homeserver.
///
/// You can use [`GET
/// /_matrix/client/v3/register/available`](fn.get_register_available_route.
/// html) to check if the user id is valid and available.
///
/// - Only works if registration is enabled
/// - If type is guest: ignores all parameters except
/// initial_device_display_name
/// - If sender is not appservice: Requires UIAA (but we only use a dummy stage)
/// - If type is not guest and no username is given: Always fails after UIAA
/// check
/// - Creates a new account and populates it with default account data
/// - If `inhibit_login` is false: Creates a device and returns device id and
/// access_token
#[allow(clippy::doc_markdown)]
#[tracing::instrument(skip_all, fields(%client), name = "register", level = "info")]
pub(crate) async fn register_route(
State(services): State<crate::State>,
InsecureClientIp(client): InsecureClientIp,
body: Ruma<register::v3::Request>,
) -> Result<register::v3::Response> {
let is_guest = body.kind == RegistrationKind::Guest;
let emergency_mode_enabled = services.config.emergency_password.is_some();
// Allow registration if it's enabled in the config file or if this is the first
// run (so the first user account can be created)
let allow_registration =
services.config.allow_registration || services.firstrun.is_first_run();
if !allow_registration && body.appservice_info.is_none() {
match (body.username.as_ref(), body.initial_device_display_name.as_ref()) {
| (Some(username), Some(device_display_name)) => {
info!(
%is_guest,
user = %username,
device_name = %device_display_name,
"Rejecting registration attempt as registration is disabled"
);
},
| (Some(username), _) => {
info!(
%is_guest,
user = %username,
"Rejecting registration attempt as registration is disabled"
);
},
| (_, Some(device_display_name)) => {
info!(
%is_guest,
device_name = %device_display_name,
"Rejecting registration attempt as registration is disabled"
);
},
| (None, _) => {
info!(
%is_guest,
"Rejecting registration attempt as registration is disabled"
);
},
}
return Err!(Request(Forbidden(
"This server is not accepting registrations at this time."
)));
}
if is_guest && !services.config.allow_guest_registration {
info!(
"Guest registration disabled, rejecting guest registration attempt, initial device \
name: \"{}\"",
body.initial_device_display_name.as_deref().unwrap_or("")
);
return Err!(Request(GuestAccessForbidden("Guest registration is disabled.")));
}
// forbid guests from registering if there is not a real admin user yet. give
// generic user error.
if is_guest && services.firstrun.is_first_run() {
warn!(
"Guest account attempted to register before a real admin user has been registered, \
rejecting registration. Guest's initial device name: \"{}\"",
body.initial_device_display_name.as_deref().unwrap_or("")
);
return Err!(Request(Forbidden(
"This server is not accepting registrations at this time."
)));
}
// Appeservices and guests get to skip auth
let skip_auth = body.appservice_info.is_some() || is_guest;
let identity = if skip_auth {
// Appservices and guests have no identity
None
} else {
// Perform UIAA to determine the user's identity
let (flows, params) = create_registration_uiaa_session(&services).await?;
Some(
services
.uiaa
.authenticate(&body.auth, flows, params, None)
.await?,
)
};
// If the user didn't supply a username but did supply an email, use
// the email's user as their initial localpart to avoid falling back to
// a randomly generated localpart
let supplied_username = body.username.clone().or_else(|| {
if let Some(identity) = &identity
&& let Some(email) = &identity.email
{
Some(email.user().to_owned())
} else {
None
}
});
let user_id = determine_registration_user_id(
&services,
supplied_username,
is_guest,
emergency_mode_enabled,
)
.await?;
if body.body.login_type == Some(LoginType::ApplicationService) {
// For appservice logins, make sure that the user ID is in the appservice's
// namespace
match body.appservice_info {
| Some(ref info) =>
if !info.is_user_match(&user_id) && !emergency_mode_enabled {
return Err!(Request(Exclusive(
"Username is not in an appservice namespace."
)));
},
| _ => {
return Err!(Request(MissingToken("Missing appservice token.")));
},
}
} else if services.appservice.is_exclusive_user_id(&user_id).await && !emergency_mode_enabled
{
// For non-appservice logins, ban user IDs which are in an appservice's
// namespace (unless emergency mode is enabled)
return Err!(Request(Exclusive("Username is reserved by an appservice.")));
}
let password = if is_guest { None } else { body.password.as_deref() };
// Create user
services.users.create(&user_id, password, None).await?;
// Set an initial display name
let mut displayname = user_id.localpart().to_owned();
// Apply the new user displayname suffix, if it's set
if !services.globals.new_user_displayname_suffix().is_empty()
&& body.appservice_info.is_none()
{
write!(displayname, " {}", services.server.config.new_user_displayname_suffix)?;
}
services
.users
.set_displayname(&user_id, Some(displayname.clone()));
// Initial account data
services
.account_data
.update(
None,
&user_id,
GlobalAccountDataEventType::PushRules.to_string().into(),
&serde_json::to_value(ruma::events::push_rules::PushRulesEvent {
content: ruma::events::push_rules::PushRulesEventContent {
global: push::Ruleset::server_default(&user_id),
},
})?,
)
.await?;
// Generate new device id if the user didn't specify one
let no_device = body.inhibit_login
|| body
.appservice_info
.as_ref()
.is_some_and(|aps| aps.registration.device_management);
let (token, device) = if !no_device {
// Don't create a device for inhibited logins
let device_id = if is_guest { None } else { body.device_id.clone() }
.unwrap_or_else(|| utils::random_string(DEVICE_ID_LENGTH).into());
// Generate new token for the device
let new_token = utils::random_string(TOKEN_LENGTH);
// Create device for this account
services
.users
.create_device(
&user_id,
&device_id,
&new_token,
body.initial_device_display_name.clone(),
Some(client.to_string()),
)
.await?;
debug_info!(%user_id, %device_id, "User account was created");
(Some(new_token), Some(device_id))
} else {
(None, None)
};
// If the user registered with an email, associate it with their account.
if let Some(identity) = identity
&& let Some(email) = identity.email
{
// This may fail if the email is already in use, but we already check for that
// in `/requestToken`, so ignoring the error is acceptable here in the rare case
// that an email is sniped by another user between the `/requestToken` request
// and the `/register` request.
let _ = services
.threepid
.associate_localpart_email(user_id.localpart(), &email)
.await;
}
let device_display_name = body.initial_device_display_name.as_deref().unwrap_or("");
// log in conduit admin channel if a non-guest user registered
if body.appservice_info.is_none() && !is_guest {
if !device_display_name.is_empty() {
let notice = format!(
"New user \"{user_id}\" registered on this server from IP {client} and device \
display name \"{device_display_name}\""
);
info!("{notice}");
if services.server.config.admin_room_notices {
services.admin.notice(&notice).await;
}
} else {
let notice = format!("New user \"{user_id}\" registered on this server.");
info!("{notice}");
if services.server.config.admin_room_notices {
services.admin.notice(&notice).await;
}
}
}
// log in conduit admin channel if a guest registered
if body.appservice_info.is_none() && is_guest && services.config.log_guest_registrations {
debug_info!("New guest user \"{user_id}\" registered on this server.");
if !device_display_name.is_empty() {
if services.server.config.admin_room_notices {
services
.admin
.notice(&format!(
"Guest user \"{user_id}\" with device display name \
\"{device_display_name}\" registered on this server from IP {client}"
))
.await;
}
} else {
#[allow(clippy::collapsible_else_if)]
if services.server.config.admin_room_notices {
services
.admin
.notice(&format!(
"Guest user \"{user_id}\" with no device display name registered on \
this server from IP {client}",
))
.await;
}
}
}
if !is_guest {
// Make the first user to register an administrator and disable first-run mode.
let was_first_user = services.firstrun.empower_first_user(&user_id).await?;
// If the registering user was not the first and we're suspending users on
// register, suspend them.
if !was_first_user && services.config.suspend_on_register {
// Note that we can still do auto joins for suspended users
services
.users
.suspend_account(&user_id, &services.globals.server_user)
.await;
// And send an @room notice to the admin room, to prompt admins to review the
// new user and ideally unsuspend them if deemed appropriate.
if services.server.config.admin_room_notices {
services
.admin
.send_loud_message(RoomMessageEventContent::text_plain(format!(
"User {user_id} has been suspended as they are not the first user on \
this server. Please review and unsuspend them if appropriate."
)))
.await
.ok();
}
}
}
if body.appservice_info.is_none()
&& !services.server.config.auto_join_rooms.is_empty()
&& (services.config.allow_guests_auto_join_rooms || !is_guest)
{
for room in &services.server.config.auto_join_rooms {
let Ok(room_id) = services.rooms.alias.resolve(room).await else {
error!(
"Failed to resolve room alias to room ID when attempting to auto join \
{room}, skipping"
);
continue;
};
if !services
.rooms
.state_cache
.server_in_room(services.globals.server_name(), &room_id)
.await
{
warn!(
"Skipping room {room} to automatically join as we have never joined before."
);
continue;
}
if let Some(room_server_name) = room.server_name() {
match join_room_by_id_helper(
&services,
&user_id,
&room_id,
Some("Automatically joining this room upon registration".to_owned()),
&[services.globals.server_name().to_owned(), room_server_name.to_owned()],
&body.appservice_info,
)
.boxed()
.await
{
| Err(e) => {
// don't return this error so we don't fail registrations
error!(
"Failed to automatically join room {room} for user {user_id}: {e}"
);
},
| _ => {
info!("Automatically joined room {room} for user {user_id}");
},
}
}
}
}
Ok(register::v3::Response {
access_token: token,
user_id,
device_id: device,
refresh_token: None,
expires_in: None,
})
}
/// Determine which flows and parameters should be presented when
/// registering a new account.
async fn create_registration_uiaa_session(
services: &Services,
) -> Result<(Vec<AuthFlow>, Box<RawValue>)> {
let mut params = HashMap::<String, serde_json::Value>::new();
let flows = if services.firstrun.is_first_run() {
// Registration token forced while in first-run mode
vec![AuthFlow::new(vec![AuthType::RegistrationToken])]
} else {
let mut flows = vec![];
if services
.registration_tokens
.iterate_tokens()
.next()
.await
.is_some()
{
// Trusted registration flow with a token is available
let mut token_flow = AuthFlow::new(vec![AuthType::RegistrationToken]);
if let Some(smtp) = &services.config.smtp
&& smtp.require_email_for_token_registration
{
// Email is required for token registrations
token_flow.stages.push(AuthType::EmailIdentity);
}
flows.push(token_flow);
}
let mut untrusted_flow = AuthFlow::default();
if services.config.recaptcha_private_site_key.is_some() {
if let Some(pubkey) = &services.config.recaptcha_site_key {
// ReCaptcha is configured for untrusted registrations
untrusted_flow.stages.push(AuthType::ReCaptcha);
params.insert(
AuthType::ReCaptcha.as_str().to_owned(),
serde_json::json!({
"public_key": pubkey,
}),
);
}
}
if let Some(smtp) = &services.config.smtp
&& smtp.require_email_for_registration
{
// Email is required for untrusted registrations
untrusted_flow.stages.push(AuthType::EmailIdentity);
}
if !untrusted_flow.stages.is_empty() {
flows.push(untrusted_flow);
}
if flows.is_empty() {
// No flows are configured. Bail out by default
// unless open registration was explicitly enabled.
if !services
.config
.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
{
return Err!(Request(Forbidden(
"This server is not accepting registrations at this time."
)));
}
// We have open registration enabled (😧), provide a dummy flow
flows.push(AuthFlow::new(vec![AuthType::Dummy]));
}
flows
};
let params = serde_json::value::to_raw_value(&params).expect("params should be valid JSON");
Ok((flows, params))
}
async fn determine_registration_user_id(
services: &Services,
supplied_username: Option<String>,
is_guest: bool,
emergency_mode_enabled: bool,
) -> Result<OwnedUserId> {
if let Some(supplied_username) = supplied_username
&& !is_guest
{
// The user gets to pick their username. Do some validation to make sure it's
// acceptable.
// Don't allow registration with forbidden usernames.
if services
.globals
.forbidden_usernames()
.is_match(&supplied_username)
&& !emergency_mode_enabled
{
return Err!(Request(Forbidden("Username is forbidden")));
}
// Create and validate the user ID
let user_id = match UserId::parse_with_server_name(
&supplied_username,
services.globals.server_name(),
) {
| Ok(user_id) => {
if let Err(e) = user_id.validate_strict() {
// Unless we are in emergency mode, we should follow synapse's behaviour on
// not allowing things like spaces and UTF-8 characters in usernames
if !emergency_mode_enabled {
return Err!(Request(InvalidUsername(debug_warn!(
"Username {supplied_username} contains disallowed characters or \
spaces: {e}"
))));
}
}
// Don't allow registration with user IDs that aren't local
if !services.globals.user_is_local(&user_id) {
return Err!(Request(InvalidUsername(
"Username {supplied_username} is not local to this server"
)));
}
user_id
},
| Err(e) => {
return Err!(Request(InvalidUsername(debug_warn!(
"Username {supplied_username} is not valid: {e}"
))));
},
};
if services.users.exists(&user_id).await {
return Err!(Request(UserInUse("User ID is not available.")));
}
Ok(user_id)
} else {
// The user is a guest or didn't specify a username. Generate a username for
// them.
loop {
let user_id = UserId::parse_with_server_name(
utils::random_string(RANDOM_USER_ID_LENGTH).to_lowercase(),
services.globals.server_name(),
)
.unwrap();
if !services.users.exists(&user_id).await {
break Ok(user_id);
}
}
}
}
/// # `POST /_matrix/client/v3/register/email/requestToken`
///
/// Requests a validation email for the purpose of registering a new account.
pub(crate) async fn request_registration_token_via_email_route(
State(services): State<crate::State>,
body: Ruma<request_registration_token_via_email::v3::Request>,
) -> Result<request_registration_token_via_email::v3::Response> {
let Ok(email) = Address::try_from(body.email.clone()) else {
return Err!(Request(InvalidParam("Invalid email address.")));
};
if services
.threepid
.get_localpart_for_email(&email)
.await
.is_some()
{
return Err!(Request(ThreepidInUse("This email address is already in use.")));
}
let session = services
.threepid
.send_validation_email(
Mailbox::new(None, email),
|verification_link| messages::NewAccount {
server_name: services.config.server_name.as_ref(),
verification_link,
},
&body.client_secret,
body.send_attempt.try_into().unwrap(),
)
.await?;
Ok(request_registration_token_via_email::v3::Response::new(session))
}

153
src/api/client/account/threepid.rs Normal file
View File

@@ -0,0 +1,153 @@
use std::time::SystemTime;
use axum::extract::State;
use conduwuit::{Err, Result, err};
use lettre::{Address, message::Mailbox};
use ruma::{
MilliSecondsSinceUnixEpoch,
api::client::account::{
ThirdPartyIdRemovalStatus, add_3pid, delete_3pid, get_3pids,
request_3pid_management_token_via_email, request_3pid_management_token_via_msisdn,
},
thirdparty::{Medium, ThirdPartyIdentifierInit},
};
use service::{mailer::messages, uiaa::Identity};
use crate::Ruma;
/// # `GET _matrix/client/v3/account/3pid`
///
/// Get a list of third party identifiers associated with this account.
pub(crate) async fn third_party_route(
State(services): State<crate::State>,
body: Ruma<get_3pids::v3::Request>,
) -> Result<get_3pids::v3::Response> {
let sender_user = body.sender_user();
let mut threepids = vec![];
if let Some(email) = services
.threepid
.get_email_for_localpart(sender_user.localpart())
.await
{
threepids.push(
ThirdPartyIdentifierInit {
address: email.to_string(),
medium: Medium::Email,
// We don't currently track these, and they aren't used for much
validated_at: MilliSecondsSinceUnixEpoch::now(),
added_at: MilliSecondsSinceUnixEpoch::from_system_time(SystemTime::UNIX_EPOCH)
.unwrap(),
}
.into(),
);
}
Ok(get_3pids::v3::Response::new(threepids))
}
/// # `POST /_matrix/client/v3/account/3pid/email/requestToken`
///
/// Requests a validation email for the purpose of changing an account's email.
pub(crate) async fn request_3pid_management_token_via_email_route(
State(services): State<crate::State>,
body: Ruma<request_3pid_management_token_via_email::v3::Request>,
) -> Result<request_3pid_management_token_via_email::v3::Response> {
let Ok(email) = Address::try_from(body.email.clone()) else {
return Err!(Request(InvalidParam("Invalid email address.")));
};
if services
.threepid
.get_localpart_for_email(&email)
.await
.is_some()
{
return Err!(Request(ThreepidInUse("This email address is already in use.")));
}
let session = services
.threepid
.send_validation_email(
Mailbox::new(None, email),
|verification_link| messages::ChangeEmail {
server_name: services.config.server_name.as_str(),
user_id: body.sender_user.as_deref(),
verification_link,
},
&body.client_secret,
body.send_attempt.try_into().unwrap(),
)
.await?;
Ok(request_3pid_management_token_via_email::v3::Response::new(session))
}
/// # `POST /_matrix/client/v3/account/3pid/msisdn/requestToken`
///
/// "This API should be used to request validation tokens when adding an email
/// address to an account"
///
/// - 403 signals that The homeserver does not allow the third party identifier
/// as a contact option.
pub(crate) async fn request_3pid_management_token_via_msisdn_route(
_body: Ruma<request_3pid_management_token_via_msisdn::v3::Request>,
) -> Result<request_3pid_management_token_via_msisdn::v3::Response> {
Err!(Request(ThreepidMediumNotSupported(
"MSISDN third-party identifiers are not supported."
)))
}
/// # `POST /_matrix/client/v3/account/3pid/add`
pub(crate) async fn add_3pid_route(
State(services): State<crate::State>,
body: Ruma<add_3pid::v3::Request>,
) -> Result<add_3pid::v3::Response> {
let sender_user = body.sender_user();
// Require password auth to add an email
let _ = services
.uiaa
.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
.await?;
let email = services
.threepid
.consume_valid_session(&body.sid, &body.client_secret)
.await
.map_err(|message| err!(Request(ThreepidAuthFailed("{message}"))))?;
services
.threepid
.associate_localpart_email(sender_user.localpart(), &email)
.await?;
Ok(add_3pid::v3::Response::new())
}
/// # `POST /_matrix/client/v3/account/3pid/delete`
pub(crate) async fn delete_3pid_route(
State(services): State<crate::State>,
body: Ruma<delete_3pid::v3::Request>,
) -> Result<delete_3pid::v3::Response> {
let sender_user = body.sender_user();
if body.medium != Medium::Email {
return Ok(delete_3pid::v3::Response {
id_server_unbind_result: ThirdPartyIdRemovalStatus::NoSupport,
});
}
if services
.threepid
.disassociate_localpart_email(sender_user.localpart())
.await
.is_none()
{
return Err!(Request(ThreepidNotFound("Your account has no associated email.")));
}
Ok(delete_3pid::v3::Response {
id_server_unbind_result: ThirdPartyIdRemovalStatus::Success,
})
}

8
src/api/client/capabilities.rs
View File

@@ -30,8 +30,10 @@ pub(crate) async fn get_capabilities_route(
default: services.server.config.default_room_version.clone(),
};
// we do not implement 3PID stuff
capabilities.thirdparty_id_changes = ThirdPartyIdChangesCapability { enabled: false };
// Only allow 3pid changes if SMTP is configured
capabilities.thirdparty_id_changes = ThirdPartyIdChangesCapability {
enabled: services.mailer.mailer().is_some(),
};
capabilities.get_login_token = GetLoginTokenCapability {
enabled: services.server.config.login_via_existing_session,
@@ -51,7 +53,7 @@ pub(crate) async fn get_capabilities_route(
.await
{
// Advertise suspension API
capabilities.set("uk.timedout.msc4323", json!({"suspend":true, "lock": false}))?;
capabilities.set("uk.timedout.msc4323", json!({"suspend": true, "lock": false}))?;
}
Ok(get_capabilities::v3::Response { capabilities })

94
src/api/client/device.rs
View File

@@ -1,17 +1,15 @@
use axum::extract::State;
use axum_client_ip::InsecureClientIp;
use conduwuit::{Err, Error, Result, debug, err, utils};
use conduwuit::{Err, Result, debug, err, utils};
use futures::StreamExt;
use ruma::{
MilliSecondsSinceUnixEpoch, OwnedDeviceId,
api::client::{
device::{self, delete_device, delete_devices, get_device, get_devices, update_device},
error::ErrorKind,
uiaa::{AuthFlow, AuthType, UiaaInfo},
api::client::device::{
self, delete_device, delete_devices, get_device, get_devices, update_device,
},
};
use service::uiaa::Identity;
use super::SESSION_ID_LENGTH;
use crate::{Ruma, client::DEVICE_ID_LENGTH};
/// # `GET /_matrix/client/r0/devices`
@@ -123,7 +121,7 @@ pub(crate) async fn delete_device_route(
State(services): State<crate::State>,
body: Ruma<delete_device::v3::Request>,
) -> Result<delete_device::v3::Response> {
let (sender_user, sender_device) = body.sender();
let sender_user = body.sender_user();
let appservice = body.appservice_info.as_ref();
if appservice.is_some_and(|appservice| appservice.registration.device_management) {
@@ -139,41 +137,11 @@ pub(crate) async fn delete_device_route(
return Ok(delete_device::v3::Response {});
}
// UIAA
let mut uiaainfo = UiaaInfo {
flows: vec![AuthFlow { stages: vec![AuthType::Password] }],
completed: Vec::new(),
params: Box::default(),
session: None,
auth_error: None,
};
match &body.auth {
| Some(auth) => {
let (worked, uiaainfo) = services
.uiaa
.try_auth(sender_user, sender_device, auth, &uiaainfo)
.await?;
if !worked {
return Err!(Uiaa(uiaainfo));
}
// Success!
},
| _ => match body.json_body {
| Some(ref json) => {
uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
services
.uiaa
.create(sender_user, sender_device, &uiaainfo, json);
return Err!(Uiaa(uiaainfo));
},
| _ => {
return Err!(Request(NotJson("Not json.")));
},
},
}
// Prompt the user to confirm with their password using UIAA
let _ = services
.uiaa
.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
.await?;
services
.users
@@ -200,7 +168,7 @@ pub(crate) async fn delete_devices_route(
State(services): State<crate::State>,
body: Ruma<delete_devices::v3::Request>,
) -> Result<delete_devices::v3::Response> {
let (sender_user, sender_device) = body.sender();
let sender_user = body.sender_user();
let appservice = body.appservice_info.as_ref();
if appservice.is_some_and(|appservice| appservice.registration.device_management) {
@@ -215,41 +183,11 @@ pub(crate) async fn delete_devices_route(
return Ok(delete_devices::v3::Response {});
}
// UIAA
let mut uiaainfo = UiaaInfo {
flows: vec![AuthFlow { stages: vec![AuthType::Password] }],
completed: Vec::new(),
params: Box::default(),
session: None,
auth_error: None,
};
match &body.auth {
| Some(auth) => {
let (worked, uiaainfo) = services
.uiaa
.try_auth(sender_user, sender_device, auth, &uiaainfo)
.await?;
if !worked {
return Err(Error::Uiaa(uiaainfo));
}
// Success!
},
| _ => match body.json_body {
| Some(ref json) => {
uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
services
.uiaa
.create(sender_user, sender_device, &uiaainfo, json);
return Err(Error::Uiaa(uiaainfo));
},
| _ => {
return Err(Error::BadRequest(ErrorKind::NotJson, "Not json."));
},
},
}
// Prompt the user to confirm with their password using UIAA
let _ = services
.uiaa
.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
.await?;
for device_id in &body.devices {
services.users.remove_device(sender_user, device_id).await;

45
src/api/client/keys.rs
View File

@@ -7,7 +7,6 @@
use conduwuit::{
Err, Error, Result, debug, debug_warn, err,
result::NotFound,
utils,
utils::{IterStream, stream::WidebandExt},
};
use conduwuit_service::{Services, users::parse_master_key};
@@ -22,7 +21,6 @@
upload_signatures::{self},
upload_signing_keys,
},
uiaa::{AuthFlow, AuthType, UiaaInfo},
},
federation,
},
@@ -30,8 +28,8 @@
serde::Raw,
};
use serde_json::json;
use service::uiaa::Identity;
use super::SESSION_ID_LENGTH;
use crate::Ruma;
/// # `POST /_matrix/client/r0/keys/upload`
@@ -174,16 +172,7 @@ pub(crate) async fn upload_signing_keys_route(
State(services): State<crate::State>,
body: Ruma<upload_signing_keys::v3::Request>,
) -> Result<upload_signing_keys::v3::Response> {
let (sender_user, sender_device) = body.sender();
// UIAA
let mut uiaainfo = UiaaInfo {
flows: vec![AuthFlow { stages: vec![AuthType::Password] }],
completed: Vec::new(),
params: Box::default(),
session: None,
auth_error: None,
};
let sender_user = body.sender_user();
match check_for_new_keys(
services,
@@ -207,32 +196,10 @@ pub(crate) async fn upload_signing_keys_route(
// Some of the keys weren't found, so we let them upload
},
| _ => {
match &body.auth {
| Some(auth) => {
let (worked, uiaainfo) = services
.uiaa
.try_auth(sender_user, sender_device, auth, &uiaainfo)
.await?;
if !worked {
return Err(Error::Uiaa(uiaainfo));
}
// Success!
},
| _ => match body.json_body.as_ref() {
| Some(json) => {
uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
services
.uiaa
.create(sender_user, sender_device, &uiaainfo, json);
return Err(Error::Uiaa(uiaainfo));
},
| _ => {
return Err(Error::BadRequest(ErrorKind::NotJson, "Not json."));
},
},
}
let _ = services
.uiaa
.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
.await?;
},
}

14
src/api/client/media.rs
View File

@@ -114,7 +114,19 @@ pub(crate) async fn get_content_thumbnail_route(
content,
content_type,
content_disposition,
} = fetch_thumbnail(&services, &mxc, user, body.timeout_ms, &dim).await?;
} = match fetch_thumbnail(&services, &mxc, user, body.timeout_ms, &dim).await {
| Ok(meta) => meta,
| Err(conduwuit::Error::Io(e)) => match e.kind() {
| std::io::ErrorKind::NotFound =>
return Err!(Request(NotFound("Thumbnail not found."))),
| std::io::ErrorKind::PermissionDenied => {
error!("Permission denied when trying to read file: {e:?}");
return Err!(Request(Unknown("Unknown error when fetching thumbnail.")));
},
| _ => return Err!(Request(Unknown("Unknown error when fetching thumbnail."))),
},
| Err(_) => return Err!(Request(Unknown("Unknown error when fetching thumbnail."))),
};
Ok(get_content_thumbnail::v1::Response {
file: content.expect("entire file contents"),

3
src/api/client/mod.rs
View File

@@ -92,6 +92,3 @@
/// generated user access token length
const TOKEN_LENGTH: usize = 32;
/// generated user session ID length
const SESSION_ID_LENGTH: usize = service::uiaa::SESSION_ID_LENGTH;

96
src/api/client/session.rs
View File

@@ -8,8 +8,9 @@
warn,
};
use conduwuit_core::{debug_error, debug_warn};
use conduwuit_service::{Services, uiaa::SESSION_ID_LENGTH};
use conduwuit_service::Services;
use futures::StreamExt;
use lettre::Address;
use ruma::{
OwnedUserId, UserId,
api::client::{
@@ -26,9 +27,10 @@
},
logout, logout_all,
},
uiaa,
uiaa::UserIdentifier,
},
};
use service::uiaa::Identity;
use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH};
use crate::Ruma;
@@ -80,7 +82,7 @@ pub(crate) async fn password_login(
.password_hash(lowercased_user_id)
.await
.map(|hash| (hash, lowercased_user_id))
.map_err(|_| err!(Request(Forbidden("Wrong username or password."))))?,
.map_err(|_| err!(Request(Forbidden("Invalid identifier or password."))))?,
};
if hash.is_empty() {
@@ -89,7 +91,7 @@ pub(crate) async fn password_login(
hash::verify_password(password, &hash)
.inspect_err(|e| debug_error!("{e}"))
.map_err(|_| err!(Request(Forbidden("Wrong username or password."))))?;
.map_err(|_| err!(Request(Forbidden("Invalid identifier or password."))))?;
Ok(user_id.to_owned())
}
@@ -161,28 +163,38 @@ pub(super) async fn ldap_login(
pub(crate) async fn handle_login(
services: &Services,
body: &Ruma<login::v3::Request>,
identifier: Option<&uiaa::UserIdentifier>,
identifier: Option<&UserIdentifier>,
password: &str,
user: Option<&String>,
) -> Result<OwnedUserId> {
debug!("Got password login type");
let user_id_or_localpart = match (identifier, user) {
| (Some(UserIdentifier::UserIdOrLocalpart(localpart)), _) => localpart,
| (Some(UserIdentifier::Email { address }), _) => {
let email = Address::try_from(address.to_owned())
.map_err(|_| err!(Request(InvalidParam("Email is malformed"))))?;
&services
.threepid
.get_localpart_for_email(&email)
.await
.ok_or_else(|| err!(Request(Forbidden("Invalid identifier or password"))))?
},
| (None, Some(user)) => user,
| _ => {
return Err!(Request(InvalidParam("Identifier type not recognized")));
},
};
let user_id =
if let Some(uiaa::UserIdentifier::UserIdOrLocalpart(user_id)) = identifier {
UserId::parse_with_server_name(user_id, &services.config.server_name)
} else if let Some(user) = user {
UserId::parse_with_server_name(user, &services.config.server_name)
} else {
return Err!(Request(Unknown(
debug_warn!(?body.login_info, "Valid identifier or username was not provided (invalid or unsupported login type?)")
)));
}
.map_err(|e| err!(Request(InvalidUsername(warn!("Username is invalid: {e}")))))?;
UserId::parse_with_server_name(user_id_or_localpart, &services.config.server_name)
.map_err(|_| err!(Request(InvalidUsername("User ID is malformed"))))?;
let lowercased_user_id = UserId::parse_with_server_name(
user_id.localpart().to_lowercase(),
&services.config.server_name,
)?;
)
.unwrap();
if !services.globals.user_is_local(&user_id)
|| !services.globals.user_is_local(&lowercased_user_id)
@@ -244,7 +256,7 @@ pub(crate) async fn login_route(
password,
user,
..
}) => handle_login(&services, &body, identifier.as_ref(), password, user.as_ref()).await?,
}) => handle_login(&services, identifier.as_ref(), password, user.as_ref()).await?,
| login::v3::LoginInfo::Token(login::v3::Token { token }) => {
debug!("Got token login type");
if !services.server.config.login_via_existing_session {
@@ -264,7 +276,7 @@ pub(crate) async fn login_route(
};
let user_id =
if let Some(uiaa::UserIdentifier::UserIdOrLocalpart(user_id)) = identifier {
if let Some(UserIdentifier::UserIdOrLocalpart(user_id)) = identifier {
UserId::parse_with_server_name(user_id, &services.config.server_name)
} else if let Some(user) = user {
UserId::parse_with_server_name(user, &services.config.server_name)
@@ -273,7 +285,7 @@ pub(crate) async fn login_route(
debug_warn!(?body.login_info, "Valid identifier or username was not provided (invalid or unsupported login type?)")
)));
}
.map_err(|e| err!(Request(InvalidUsername(warn!("Username is invalid: {e}")))))?;
.map_err(|_| err!(Request(InvalidUsername(warn!("User ID is malformed")))))?;
if !services.globals.user_is_local(&user_id) {
return Err!(Request(Unknown("User ID does not belong to this homeserver")));
@@ -370,45 +382,13 @@ pub(crate) async fn login_token_route(
return Err!(Request(Forbidden("Login via an existing session is not enabled")));
}
// This route SHOULD have UIA
// TODO: How do we make only UIA sessions that have not been used before valid?
let (sender_user, sender_device) = body.sender();
let sender_user = body.sender_user();
let mut uiaainfo = uiaa::UiaaInfo {
flows: vec![uiaa::AuthFlow { stages: vec![uiaa::AuthType::Password] }],
completed: Vec::new(),
params: Box::default(),
session: None,
auth_error: None,
};
match &body.auth {
| Some(auth) => {
let (worked, uiaainfo) = services
.uiaa
.try_auth(sender_user, sender_device, auth, &uiaainfo)
.await?;
if !worked {
return Err(Error::Uiaa(uiaainfo));
}
// Success!
},
| _ => match body.json_body.as_ref() {
| Some(json) => {
uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
services
.uiaa
.create(sender_user, sender_device, &uiaainfo, json);
return Err(Error::Uiaa(uiaainfo));
},
| _ => {
return Err!(Request(NotJson("No JSON body was sent when required.")));
},
},
}
// Prompt the user to confirm with their password using UIAA
let _ = services
.uiaa
.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
.await?;
let login_token = utils::random_string(TOKEN_LENGTH);
let expires_in = services.users.create_login_token(sender_user, &login_token);

27
src/api/client/state.rs
View File

@@ -1,3 +1,5 @@
#[cfg(test)]
mod tests;
use axum::extract::State;
use axum_client_ip::InsecureClientIp;
use conduwuit::{
@@ -194,6 +196,7 @@ async fn send_state_event_for_key_helper(
state_key: &str,
timestamp: Option<MilliSecondsSinceUnixEpoch>,
) -> Result<OwnedEventId> {
let json: &mut Raw<AnyStateEventContent> = &mut json.clone();
allowed_to_send_state_event(services, room_id, event_type, state_key, json).await?;
let state_lock = services.rooms.state.mutex.lock(room_id).await;
let event_id = services
@@ -221,7 +224,7 @@ async fn allowed_to_send_state_event(
room_id: &RoomId,
event_type: &StateEventType,
state_key: &str,
json: &Raw<AnyStateEventContent>,
json: &mut Raw<AnyStateEventContent>,
) -> Result {
match event_type {
| StateEventType::RoomCreate => {
@@ -366,7 +369,7 @@ async fn allowed_to_send_state_event(
}
},
| StateEventType::RoomMember => match json.deserialize_as::<RoomMemberEventContent>() {
| Ok(membership_content) => {
| Ok(mut membership_content) => {
let Ok(state_key) = UserId::parse(state_key) else {
return Err!(Request(BadJson(
"Membership event has invalid or non-existent state key"
@@ -376,20 +379,24 @@ async fn allowed_to_send_state_event(
if let Some(authorising_user) =
membership_content.join_authorized_via_users_server
{
if membership_content.membership != MembershipState::Join {
return Err!(Request(BadJson(
"join_authorised_via_users_server is only for member joins"
)));
}
// join_authorized_via_users_server must be thrown away, if user is already a
// member of the room.
if services
.rooms
.state_cache
.is_joined(state_key, room_id)
.await
{
return Err!(Request(InvalidParam(
"{state_key} is already joined, an authorising user is not required."
membership_content.join_authorized_via_users_server = None;
*json = Raw::<AnyStateEventContent>::from_json_string(
serde_json::to_string(&membership_content)?,
)?;
return Ok(());
}
if membership_content.membership != MembershipState::Join {
return Err!(Request(BadJson(
"join_authorised_via_users_server is only for member joins"
)));
}

34
src/api/client/state/tests.rs Normal file
View File

@@ -0,0 +1,34 @@
use super::*;
#[test]
fn test_strip_room_member() -> Result<()> {
//Test setup
let body = r#"
{
"avatar_url": "Something",
"displayname": "Someone",
"join_authorized_via_users_server": "@someone:domain.tld",
"membership": "join"
}"#;
println!("JSON (original): {body}");
let json: &mut Raw<AnyStateEventContent> =
&mut Raw::<AnyStateEventContent>::from_json_string(body.to_owned())?;
let mut membership_content: RoomMemberEventContent =
json.deserialize_as::<RoomMemberEventContent>()?;
//Begin Test
membership_content.join_authorized_via_users_server = None;
*json = Raw::<AnyStateEventContent>::from_json_string(serde_json::to_string(
&membership_content,
)?)?;
//Compare result
let result = json.json().get();
println!("JSON (modified): {result}");
assert_eq!(
result,
r#"{"avatar_url":"Something","displayname":"Someone","membership":"join"}"#
);
Ok(())
}

12
src/api/router.rs
View File

@@ -28,7 +28,8 @@ pub fn build(router: Router<State>, server: &Server) -> Router<State> {
.ruma_route(&client::appservice_ping)
.ruma_route(&client::get_supported_versions_route)
.ruma_route(&client::get_register_available_route)
.ruma_route(&client::register_route)
.ruma_route(&client::register::register_route)
.ruma_route(&client::register::request_registration_token_via_email_route)
.ruma_route(&client::get_login_types_route)
.ruma_route(&client::login_route)
.ruma_route(&client::login_token_route)
@@ -36,10 +37,13 @@ pub fn build(router: Router<State>, server: &Server) -> Router<State> {
.ruma_route(&client::logout_route)
.ruma_route(&client::logout_all_route)
.ruma_route(&client::change_password_route)
.ruma_route(&client::request_password_change_token_via_email_route)
.ruma_route(&client::deactivate_route)
.ruma_route(&client::third_party_route)
.ruma_route(&client::request_3pid_management_token_via_email_route)
.ruma_route(&client::request_3pid_management_token_via_msisdn_route)
.ruma_route(&client::threepid::third_party_route)
.ruma_route(&client::threepid::request_3pid_management_token_via_email_route)
.ruma_route(&client::threepid::request_3pid_management_token_via_msisdn_route)
.ruma_route(&client::threepid::add_3pid_route)
.ruma_route(&client::threepid::delete_3pid_route)
.ruma_route(&client::check_registration_token_validity)
.ruma_route(&client::get_capabilities_route)
.ruma_route(&client::get_pushrules_all_route)

45
src/api/router/args.rs
View File

@@ -2,14 +2,13 @@
use axum::{body::Body, extract::FromRequest};
use bytes::{BufMut, Bytes, BytesMut};
use conduwuit::{Error, Result, debug, debug_warn, err, trace, utils::string::EMPTY};
use conduwuit::{Error, Result, debug, debug_warn, err, trace};
use ruma::{
CanonicalJsonObject, CanonicalJsonValue, DeviceId, OwnedDeviceId, OwnedServerName,
OwnedUserId, ServerName, UserId, api::IncomingRequest,
};
use service::Services;
use super::{auth, auth::Auth, request, request::Request};
use super::{auth, request, request::Request};
use crate::{State, service::appservice::RegistrationInfo};
/// Extractor for Ruma request structs
@@ -108,7 +107,7 @@ async fn from_request(
}
let auth = auth::auth(services, &mut request, json_body.as_ref(), &T::METADATA).await?;
Ok(Self {
body: make_body::<T>(services, &mut request, json_body.as_mut(), &auth)?,
body: make_body::<T>(&mut request, json_body.as_mut())?,
origin: auth.origin,
sender_user: auth.sender_user,
sender_device: auth.sender_device,
@@ -118,16 +117,11 @@ async fn from_request(
}
}
fn make_body<T>(
services: &Services,
request: &mut Request,
json_body: Option<&mut CanonicalJsonValue>,
auth: &Auth,
) -> Result<T>
fn make_body<T>(request: &mut Request, json_body: Option<&mut CanonicalJsonValue>) -> Result<T>
where
T: IncomingRequest,
{
let body = take_body(services, request, json_body, auth);
let body = take_body(request, json_body);
let http_request = into_http_request(request, body);
T::try_from_http_request(http_request, &request.path)
.map_err(|e| err!(Request(BadJson(debug_warn!("{e}")))))
@@ -151,38 +145,11 @@ fn into_http_request(request: &Request, body: Bytes) -> hyper::Request<Bytes> {
}
#[allow(clippy::needless_pass_by_value)]
fn take_body(
services: &Services,
request: &mut Request,
json_body: Option<&mut CanonicalJsonValue>,
auth: &Auth,
) -> Bytes {
fn take_body(request: &mut Request, json_body: Option<&mut CanonicalJsonValue>) -> Bytes {
let Some(CanonicalJsonValue::Object(json_body)) = json_body else {
return mem::take(&mut request.body);
};
let user_id = auth.sender_user.clone().unwrap_or_else(|| {
let server_name = services.globals.server_name();
UserId::parse_with_server_name(EMPTY, server_name).expect("valid user_id")
});
let uiaa_request = json_body
.get("auth")
.and_then(CanonicalJsonValue::as_object)
.and_then(|auth| auth.get("session"))
.and_then(CanonicalJsonValue::as_str)
.and_then(|session| {
services
.uiaa
.get_uiaa_request(&user_id, auth.sender_device.as_deref(), session)
});
if let Some(CanonicalJsonValue::Object(initial_request)) = uiaa_request {
for (key, value) in initial_request {
json_body.entry(key).or_insert(value);
}
}
let mut buf = BytesMut::new().writer();
serde_json::to_writer(&mut buf, &json_body).expect("value serialization can't fail");
buf.into_inner().freeze()

2
src/core/Cargo.toml
View File

@@ -84,6 +84,7 @@ libc.workspace = true
libloading.workspace = true
libloading.optional = true
log.workspace = true
lettre.workspace = true
num-traits.workspace = true
rand.workspace = true
rand_core = { version = "0.6.4", features = ["getrandom"] }
@@ -114,6 +115,7 @@ tracing.workspace = true
url.workspace = true
parking_lot.workspace = true
lock_api.workspace = true
hyper-util.workspace = true
[target.'cfg(unix)'.dependencies]
nix.workspace = true

70
src/core/config/mod.rs
View File

@@ -16,6 +16,7 @@
};
use figment::providers::{Env, Format, Toml};
pub use figment::{Figment, value::Value as FigmentValue};
use lettre::message::Mailbox;
use regex::RegexSet;
use ruma::{
OwnedRoomId, OwnedRoomOrAliasId, OwnedServerName, OwnedUserId, RoomVersionId,
@@ -68,6 +69,10 @@ pub struct Config {
///
/// Also see the `[global.well_known]` config section at the very bottom.
///
/// If `client` is not set under `[global.well_known]`, the server name will
/// be used as the base domain for user-facing links (such as password
/// reset links) created by Continuwuity.
///
/// Examples of delegation:
/// - https://continuwuity.org/.well-known/matrix/server
/// - https://continuwuity.org/.well-known/matrix/client
@@ -141,6 +146,10 @@ pub struct Config {
/// engine API. To use this, set a database backup path that continuwuity
/// can write to.
///
/// If you are using systemd, you will need to add the path to
/// ReadWritePaths in the service file, preferably via a drop-in file
/// through `systemctl edit`.
///
/// For more information, see:
/// https://continuwuity.org/maintenance.html#backups
///
@@ -752,6 +761,9 @@ pub struct Config {
#[serde(default)]
pub well_known: WellKnownConfig,
/// display: nested
pub smtp: Option<SmtpConfig>,
/// Enable OpenTelemetry OTLP tracing export. This replaces the deprecated
/// Jaeger exporter. Traces will be sent via OTLP to a collector (such as
/// Jaeger) that supports the OpenTelemetry Protocol.
@@ -1735,6 +1747,11 @@ pub struct Config {
/// default: "continuwuity/<version> (bot; +https://continuwuity.org)"
pub url_preview_user_agent: Option<String>,
/// Determines whether audio and video files will be downloaded for URL
/// previews.
#[serde(default)]
pub url_preview_allow_audio_video: bool,
/// List of forbidden room aliases and room IDs as strings of regex
/// patterns.
///
@@ -2084,6 +2101,13 @@ pub struct Config {
#[serde(default)]
pub force_disable_first_run_mode: bool,
/// Allow search engines and crawlers to index Continuwuity's built-in
/// webpages served under the `/_continuwuity/` prefix.
///
/// default: false
#[serde(default)]
pub allow_web_indexing: bool,
/// display: nested
#[serde(default)]
pub ldap: LdapConfig,
@@ -2424,6 +2448,52 @@ pub struct DraupnirConfig {
pub secret: String,
}
#[derive(Clone, Debug, Deserialize)]
#[config_example_generator(
filename = "conduwuit-example.toml",
section = "global.smtp",
optional = "true"
)]
pub struct SmtpConfig {
/// A `smtp://`` URI which will be used to connect to a mail server.
/// Uncommenting the [global.smtp] group and setting this option enables
/// features which depend on the ability to send email,
/// such as self-service password resets.
///
/// For most modern mail servers, format the URI like this:
/// `smtps://username:password@hostname:port`
/// Note that you will need to URL-encode the username and password. If your
/// username _is_ your email address, you will need to replace the `@` with
/// `%40`.
///
/// For a guide on the accepted URI syntax, consult Lettre's documentation:
/// https://docs.rs/lettre/latest/lettre/transport/smtp/struct.AsyncSmtpTransport.html#method.from_url
pub connection_uri: String,
/// The outgoing address which will be used for sending emails.
///
/// For a syntax guide, see https://datatracker.ietf.org/doc/html/rfc2822#section-3.4
///
/// ...or if you don't want to read the RFC, for some reason:
/// - `Name <address@domain.org>` to specify a sender name
/// - `address@domain.org` to not use a name
pub sender: Mailbox,
/// Whether to require that users provide an email address when they
/// register.
///
/// default: false
#[serde(default)]
pub require_email_for_registration: bool,
/// Whether to require that users who register with a registration token
/// provide an email address.
///
/// default: false
#[serde(default)]
pub require_email_for_token_registration: bool,
}
const DEPRECATED_KEYS: &[&str] = &[
"cache_capacity",
"conduit_cache_capacity_modifier",

44
src/core/error/mod.rs
View File

@@ -4,7 +4,7 @@
mod response;
mod serde;
use std::{any::Any, borrow::Cow, convert::Infallible, sync::PoisonError};
use std::{any::Any, borrow::Cow, convert::Infallible, error::Error as _, sync::PoisonError};
pub use self::{err::visit, log::*};
@@ -66,8 +66,8 @@ pub enum Error {
Poison(Cow<'static, str>),
#[error("Regex error: {0}")]
Regex(#[from] regex::Error),
#[error("Request error: {0}")]
Reqwest(#[from] reqwest::Error),
#[error("{0}")]
Reqwest(FormattedReqwestError),
#[error("{0}")]
SerdeDe(Cow<'static, str>),
#[error("{0}")]
@@ -236,3 +236,41 @@ pub fn infallible(_e: &Infallible) {
#[must_use]
#[allow(clippy::needless_pass_by_value)]
pub fn sanitized_message(e: Error) -> String { e.sanitized_message() }
#[derive(Debug)]
pub struct FormattedReqwestError(reqwest::Error);
impl std::ops::Deref for FormattedReqwestError {
type Target = reqwest::Error;
fn deref(&self) -> &Self::Target { &self.0 }
}
impl std::error::Error for FormattedReqwestError {
fn source(&self) -> Option<&(dyn std::error::Error + 'static)> { self.0.source() }
}
impl std::fmt::Display for FormattedReqwestError {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
if let Some(hyper_error) = self.0.source()
&& hyper_error.is::<hyper_util::client::legacy::Error>()
&& let Some(real_error) = hyper_error.source()
{
if let Some(real_reason) = real_error.source() {
write!(f, "{real_error}: {real_reason}")
} else {
write!(f, "{real_error}")
}
} else {
write!(f, "Request error: {}", &self.0)
}
}
}
impl From<reqwest::Error> for FormattedReqwestError {
fn from(err: reqwest::Error) -> Self { Self(err) }
}
impl From<reqwest::Error> for Error {
fn from(err: reqwest::Error) -> Self { Self::Reqwest(err.into()) }
}

1
src/core/matrix/state_res/event_auth.rs
View File

@@ -1224,6 +1224,7 @@ fn can_send_event(event: &impl Event, ple: Option<&impl Event>, user_level: Int)
}
/// Confirm that the event sender has the required power levels.
#[allow(clippy::cognitive_complexity)]
fn check_power_levels(
room_version: &RoomVersion,
power_event: &impl Event,

1
src/core/matrix/state_res/mod.rs
View File

@@ -75,6 +75,7 @@
/// event is part of the same room.
//#[tracing::instrument(level = "debug", skip(state_sets, auth_chain_sets,
//#[tracing::instrument(level event_fetch))]
#[allow(clippy::cognitive_complexity)]
pub async fn resolve<'a, Pdu, Sets, SetIter, Hasher, Fetch, FetchFut, Exists, ExistsFut>(
room_version: &RoomVersionId,
state_sets: Sets,

7
src/database/de.rs
View File

@@ -415,13 +415,6 @@ fn deserialize_ignored_any<V: Visitor<'de>>(self, _visitor: V) -> Result<V::Valu
tracing::instrument(level = "trace", skip_all, fields(?self.buf))
)]
fn deserialize_any<V: Visitor<'de>>(self, visitor: V) -> Result<V::Value> {
debug_assert_eq!(
conduwuit::debug::type_name::<V>(),
"serde_json::value::de::<impl serde_core::de::Deserialize for \
serde_json::value::Value>::deserialize::ValueVisitor",
"deserialize_any: type not expected"
);
match self.record_peek_byte() {
| Some(b'{') => self.deserialize_map(visitor),
| Some(b'[') => serde_json::Deserializer::from_slice(self.record_next())

16
src/database/engine/cf_opts.rs
View File

@@ -70,15 +70,17 @@ fn descriptor_cf_options(
);
}
opts.set_options_from_string("{{arena_block_size=2097152;}}")
let mut opts = opts
.get_options_from_string("{{arena_block_size=2097152;}}")
.map_err(map_err)?;
#[cfg(debug_assertions)]
opts.set_options_from_string(
"{{paranoid_checks=true;paranoid_file_checks=true;force_consistency_checks=true;\
verify_sst_unique_id_in_manifest=true;}}",
)
.map_err(map_err)?;
let opts = opts
.get_options_from_string(
"{{paranoid_checks=true;paranoid_file_checks=true;force_consistency_checks=true;\
verify_sst_unique_id_in_manifest=true;}}",
)
.map_err(map_err)?;
Ok(opts)
}
@@ -105,7 +107,7 @@ fn set_table_options(opts: &mut Options, desc: &Descriptor, cache: Option<&Cache
prepopulate,
);
opts.set_options_from_string(&string).map_err(map_err)?;
let mut opts = opts.get_options_from_string(&string).map_err(map_err)?;
opts.set_block_based_table_factory(&table);

2
src/database/engine/db_opts.rs
View File

@@ -138,7 +138,7 @@ fn set_logging_defaults(opts: &mut Options, config: &Config) {
if config.rocksdb_log_stderr {
opts.set_stderr_logger(rocksdb_log_level, "rocksdb");
} else {
opts.set_callback_logger(rocksdb_log_level, &handle_log);
opts.set_callback_logger(rocksdb_log_level, handle_log);
}
}

12
src/database/maps.rs
View File

@@ -53,6 +53,10 @@ pub(super) fn open_list(db: &Arc<Engine>, maps: &[Descriptor]) -> Result<Maps> {
name: "disabledroomids",
..descriptor::RANDOM_SMALL
},
Descriptor {
name: "email_localpart",
..descriptor::RANDOM_SMALL
},
Descriptor {
name: "eventid_outlierpdu",
cache_disp: CacheDisp::SharedWith("pduid_pdu"),
@@ -100,6 +104,10 @@ pub(super) fn open_list(db: &Arc<Engine>, maps: &[Descriptor]) -> Result<Maps> {
name: "lazyloadedids",
..descriptor::RANDOM_SMALL
},
Descriptor {
name: "localpart_email",
..descriptor::RANDOM_SMALL
},
Descriptor {
name: "mediaid_file",
..descriptor::RANDOM_SMALL
@@ -112,6 +120,10 @@ pub(super) fn open_list(db: &Arc<Engine>, maps: &[Descriptor]) -> Result<Maps> {
name: "onetimekeyid_onetimekeys",
..descriptor::RANDOM_SMALL
},
Descriptor {
name: "passwordresettoken_info",
..descriptor::RANDOM_SMALL
},
Descriptor {
name: "pduid_pdu",
cache_disp: CacheDisp::SharedWith("eventid_outlierpdu"),

2
src/router/router.rs
View File

@@ -18,5 +18,5 @@ pub(crate) fn build(services: &Arc<Services>) -> (Router, Guard) {
}
async fn not_found(_uri: Uri) -> impl IntoResponse {
Error::Request(ErrorKind::Unrecognized, "Not Found".into(), StatusCode::NOT_FOUND)
Error::Request(ErrorKind::Unrecognized, "not found :(".into(), StatusCode::NOT_FOUND)
}

5
src/service/Cargo.toml
View File

@@ -91,6 +91,7 @@ conduwuit-database.workspace = true
const-str.workspace = true
either.workspace = true
futures.workspace = true
governor.workspace = true
hickory-resolver.workspace = true
http.workspace = true
image.workspace = true
@@ -102,6 +103,7 @@ ldap3.optional = true
log.workspace = true
loole.workspace = true
lru-cache.workspace = true
nonzero_ext.workspace = true
rand.workspace = true
regex.workspace = true
reqwest.workspace = true
@@ -121,8 +123,9 @@ webpage.workspace = true
webpage.optional = true
blurhash.workspace = true
blurhash.optional = true
recaptcha-verify = { version = "0.1.5", default-features = false }
recaptcha-verify = { version = "0.2.0", default-features = false }
yansi.workspace = true
lettre.workspace = true
[target.'cfg(all(unix, target_os = "linux"))'.dependencies]
sd-notify.workspace = true

13
src/service/config/mod.rs
View File

@@ -6,6 +6,7 @@
config::{Config, check},
error, implement,
};
use url::Url;
use crate::registration_tokens::{ValidToken, ValidTokenSource};
@@ -23,6 +24,18 @@ pub fn get_config_file_token(&self) -> Option<ValidToken> {
.clone()
.map(|token| ValidToken { token, source: ValidTokenSource::Config })
}
/// Get the base domain to use for user-facing URLs.
#[must_use]
pub fn get_client_domain(&self) -> Url {
self.well_known.client.clone().unwrap_or_else(|| {
let host = self.server_name.host();
format!("https://{host}")
.as_str()
.try_into()
.expect("server name should be a valid host")
})
}
}
#[async_trait]

33
src/service/firstrun/mod.rs
View File

@@ -122,7 +122,7 @@ fn disable_first_run(&self) -> bool {
/// if they were not.
pub async fn empower_first_user(&self, user: &UserId) -> Result<bool> {
#[derive(Template)]
#[template(path = "welcome.md.j2")]
#[template(path = "welcome.md")]
struct WelcomeMessage<'a> {
config: &'a Dep<config::Service>,
domain: &'a str,
@@ -228,19 +228,34 @@ pub fn print_first_run_banner(&self) {
);
},
}
if self.services.config.suspend_on_register {
eprintln!(
"{} Accounts created after yours will be suspended, as set in your \
configuration.",
"Your account will not be suspended when you register.".green()
);
}
if let Some(smtp) = &self.services.config.smtp {
if smtp.require_email_for_registration || smtp.require_email_for_token_registration {
eprintln!(
"{} Accounts created after yours may be required to provide an email \
address, as set in your configuration.",
"You will not be asked for your email address when you register.".yellow(),
);
}
eprintln!(
"If you wish to associate an email address with your account, you may do so \
after registration in your client's settings (if supported)."
);
}
eprintln!(
"{} https://matrix.org/ecosystem/clients/",
"Find a list of Matrix clients here:".bold()
);
if self.services.config.suspend_on_register {
eprintln!(
"{} Because you enabled suspend-on-register in your configuration, accounts \
created after yours will be automatically suspended.",
"Your account will not be suspended when you register.".green()
);
}
if self
.services
.config

4
src/service/globals/mod.rs
View File

@@ -142,6 +142,10 @@ pub fn url_preview_check_root_domain(&self) -> bool {
self.server.config.url_preview_check_root_domain
}
pub fn url_preview_allow_audio_video(&self) -> bool {
self.server.config.url_preview_allow_audio_video
}
pub fn forbidden_alias_names(&self) -> &RegexSet { &self.server.config.forbidden_alias_names }
pub fn forbidden_usernames(&self) -> &RegexSet { &self.server.config.forbidden_usernames }

49
src/service/mailer/messages.rs Normal file
View File

@@ -0,0 +1,49 @@
use askama::Template;
use ruma::UserId;
pub trait MessageTemplate: Template {
fn subject(&self) -> String;
}
#[derive(Template)]
#[template(path = "mail/change_email.txt")]
pub struct ChangeEmail<'a> {
pub server_name: &'a str,
pub user_id: Option<&'a UserId>,
pub verification_link: String,
}
impl MessageTemplate for ChangeEmail<'_> {
fn subject(&self) -> String { "Verify your email address".to_owned() }
}
#[derive(Template)]
#[template(path = "mail/new_account.txt")]
pub struct NewAccount<'a> {
pub server_name: &'a str,
pub verification_link: String,
}
impl MessageTemplate for NewAccount<'_> {
fn subject(&self) -> String { "Create your new Matrix account".to_owned() }
}
#[derive(Template)]
#[template(path = "mail/password_reset.txt")]
pub struct PasswordReset<'a> {
pub display_name: Option<&'a str>,
pub user_id: &'a UserId,
pub verification_link: String,
}
impl MessageTemplate for PasswordReset<'_> {
fn subject(&self) -> String { format!("Password reset request for {}", &self.user_id) }
}
#[derive(Template)]
#[template(path = "mail/test.txt")]
pub struct Test;
impl MessageTemplate for Test {
fn subject(&self) -> String { "Test message".to_owned() }
}

109
src/service/mailer/mod.rs Normal file
View File

@@ -0,0 +1,109 @@
use std::sync::Arc;
use conduwuit::{Err, Result, err, info};
use lettre::{
AsyncSmtpTransport, AsyncTransport, Tokio1Executor,
message::{Mailbox, MessageBuilder, header::ContentType},
};
use crate::{Args, mailer::messages::MessageTemplate};
pub mod messages;
type Transport = AsyncSmtpTransport<Tokio1Executor>;
type TransportError = lettre::transport::smtp::Error;
pub struct Service {
transport: Option<(Mailbox, Transport)>,
}
#[async_trait::async_trait]
impl crate::Service for Service {
fn build(args: Args<'_>) -> Result<Arc<Self>> {
let transport = args
.server
.config
.smtp
.as_ref()
.map(|config| {
Ok((config.sender.clone(), Transport::from_url(&config.connection_uri)?.build()))
})
.transpose()
.map_err(|err: TransportError| err!("Failed to set up SMTP transport: {err}"))?;
Ok(Arc::new(Self { transport }))
}
fn name(&self) -> &str { crate::service::make_name(std::module_path!()) }
async fn worker(self: Arc<Self>) -> Result<()> {
if let Some((_, ref transport)) = self.transport {
match transport.test_connection().await {
| Ok(true) => {
info!("SMTP connection test successful");
Ok(())
},
| Ok(false) => {
Err!("SMTP connection test failed")
},
| Err(err) => {
Err!("SMTP connection test failed: {err}")
},
}
} else {
info!("SMTP is not configured, email functionality will be unavailable");
Ok(())
}
}
}
impl Service {
/// Returns a mailer which allows email to be sent, if SMTP is configured.
#[must_use]
pub fn mailer(&self) -> Option<Mailer<'_>> {
self.transport
.as_ref()
.map(|(sender, transport)| Mailer { sender, transport })
}
pub fn expect_mailer(&self) -> Result<Mailer<'_>> {
self.mailer().ok_or_else(|| {
err!(Request(FeatureDisabled("This homeserver is not configured to send email.")))
})
}
}
pub struct Mailer<'a> {
sender: &'a Mailbox,
transport: &'a Transport,
}
impl Mailer<'_> {
/// Sends an email.
pub async fn send<Template: MessageTemplate>(
&self,
recipient: Mailbox,
message: Template,
) -> Result<()> {
let subject = message.subject();
let body = message
.render()
.map_err(|err| err!("Failed to render message template: {err}"))?;
let message = MessageBuilder::new()
.from(self.sender.clone())
.to(recipient)
.subject(subject)
.date_now()
.header(ContentType::TEXT_PLAIN)
.body(body)
.expect("should have been able to construct message");
self.transport
.send(message)
.await
.map_err(|err: TransportError| err!("Failed to send message: {err}"))?;
Ok(())
}
}

70
src/service/media/data.rs
View File

@@ -207,6 +207,28 @@ pub(super) fn set_url_preview(
value.extend_from_slice(&data.image_width.unwrap_or(0).to_be_bytes());
value.push(0xFF);
value.extend_from_slice(&data.image_height.unwrap_or(0).to_be_bytes());
value.push(0xFF);
value.extend_from_slice(
data.video
.as_ref()
.map(String::as_bytes)
.unwrap_or_default(),
);
value.push(0xFF);
value.extend_from_slice(&data.video_size.unwrap_or(0).to_be_bytes());
value.push(0xFF);
value.extend_from_slice(&data.video_width.unwrap_or(0).to_be_bytes());
value.push(0xFF);
value.extend_from_slice(&data.video_height.unwrap_or(0).to_be_bytes());
value.push(0xFF);
value.extend_from_slice(
data.audio
.as_ref()
.map(String::as_bytes)
.unwrap_or_default(),
);
value.push(0xFF);
value.extend_from_slice(&data.audio_size.unwrap_or(0).to_be_bytes());
self.url_previews.insert(url.as_bytes(), &value);
@@ -267,6 +289,48 @@ pub(super) async fn get_url_preview(&self, url: &str) -> Result<UrlPreviewData>
| Some(0) => None,
| x => x,
};
let video = match values
.next()
.and_then(|b| String::from_utf8(b.to_vec()).ok())
{
| Some(s) if s.is_empty() => None,
| x => x,
};
let video_size = match values
.next()
.map(|b| usize::from_be_bytes(b.try_into().unwrap_or_default()))
{
| Some(0) => None,
| x => x,
};
let video_width = match values
.next()
.map(|b| u32::from_be_bytes(b.try_into().unwrap_or_default()))
{
| Some(0) => None,
| x => x,
};
let video_height = match values
.next()
.map(|b| u32::from_be_bytes(b.try_into().unwrap_or_default()))
{
| Some(0) => None,
| x => x,
};
let audio = match values
.next()
.and_then(|b| String::from_utf8(b.to_vec()).ok())
{
| Some(s) if s.is_empty() => None,
| x => x,
};
let audio_size = match values
.next()
.map(|b| usize::from_be_bytes(b.try_into().unwrap_or_default()))
{
| Some(0) => None,
| x => x,
};
Ok(UrlPreviewData {
title,
@@ -275,6 +339,12 @@ pub(super) async fn get_url_preview(&self, url: &str) -> Result<UrlPreviewData>
image_size,
image_width,
image_height,
video,
video_size,
video_width,
video_height,
audio,
audio_size,
})
}
}

178
src/service/media/preview.rs
View File

@@ -10,6 +10,8 @@
use conduwuit::{Err, Result, debug, err, utils::response::LimitReadExt};
use conduwuit_core::implement;
use ipaddress::IPAddress;
#[cfg(feature = "url_preview")]
use ruma::OwnedMxcUri;
use serde::Serialize;
use url::Url;
@@ -29,6 +31,18 @@ pub struct UrlPreviewData {
pub image_width: Option<u32>,
#[serde(skip_serializing_if = "Option::is_none", rename(serialize = "og:image:height"))]
pub image_height: Option<u32>,
#[serde(skip_serializing_if = "Option::is_none", rename(serialize = "og:video"))]
pub video: Option<String>,
#[serde(skip_serializing_if = "Option::is_none", rename(serialize = "matrix:video:size"))]
pub video_size: Option<usize>,
#[serde(skip_serializing_if = "Option::is_none", rename(serialize = "og:video:width"))]
pub video_width: Option<u32>,
#[serde(skip_serializing_if = "Option::is_none", rename(serialize = "og:video:height"))]
pub video_height: Option<u32>,
#[serde(skip_serializing_if = "Option::is_none", rename(serialize = "og:audio"))]
pub audio: Option<String>,
#[serde(skip_serializing_if = "Option::is_none", rename(serialize = "matrix:audio:size"))]
pub audio_size: Option<usize>,
}
#[implement(Service)]
@@ -96,7 +110,9 @@ async fn request_url_preview(&self, url: &Url) -> Result<UrlPreviewData> {
let data = match content_type {
| html if html.starts_with("text/html") => self.download_html(url.as_str()).await?,
| img if img.starts_with("image/") => self.download_image(url.as_str()).await?,
| img if img.starts_with("image/") => self.download_image(url.as_str(), None).await?,
| video if video.starts_with("video/") => self.download_video(url.as_str(), None).await?,
| audio if audio.starts_with("audio/") => self.download_audio(url.as_str(), None).await?,
| _ => return Err!(Request(Unknown("Unsupported Content-Type"))),
};
@@ -107,11 +123,17 @@ async fn request_url_preview(&self, url: &Url) -> Result<UrlPreviewData> {
#[cfg(feature = "url_preview")]
#[implement(Service)]
pub async fn download_image(&self, url: &str) -> Result<UrlPreviewData> {
pub async fn download_image(
&self,
url: &str,
preview_data: Option<UrlPreviewData>,
) -> Result<UrlPreviewData> {
use conduwuit::utils::random_string;
use image::ImageReader;
use ruma::Mxc;
let mut preview_data = preview_data.unwrap_or_default();
let image = self
.services
.client
@@ -128,6 +150,7 @@ pub async fn download_image(&self, url: &str) -> Result<UrlPreviewData> {
.expect("u64 should fit in usize"),
)
.await?;
let mxc = Mxc {
server_name: self.services.globals.server_name(),
media_id: &random_string(super::MXC_LENGTH),
@@ -135,27 +158,125 @@ pub async fn download_image(&self, url: &str) -> Result<UrlPreviewData> {
self.create(&mxc, None, None, None, &image).await?;
let cursor = std::io::Cursor::new(&image);
let (width, height) = match ImageReader::new(cursor).with_guessed_format() {
| Err(_) => (None, None),
| Ok(reader) => match reader.into_dimensions() {
preview_data.image = Some(mxc.to_string());
if preview_data.image_height.is_none() || preview_data.image_width.is_none() {
let cursor = std::io::Cursor::new(&image);
let (width, height) = match ImageReader::new(cursor).with_guessed_format() {
| Err(_) => (None, None),
| Ok((width, height)) => (Some(width), Some(height)),
},
| Ok(reader) => match reader.into_dimensions() {
| Err(_) => (None, None),
| Ok((width, height)) => (Some(width), Some(height)),
},
};
preview_data.image_width = width;
preview_data.image_height = height;
}
Ok(preview_data)
}
#[cfg(feature = "url_preview")]
#[implement(Service)]
pub async fn download_video(
&self,
url: &str,
preview_data: Option<UrlPreviewData>,
) -> Result<UrlPreviewData> {
let mut preview_data = preview_data.unwrap_or_default();
if self.services.globals.url_preview_allow_audio_video() {
let (url, size) = self.download_media(url).await?;
preview_data.video = Some(url.to_string());
preview_data.video_size = Some(size);
}
Ok(preview_data)
}
#[cfg(feature = "url_preview")]
#[implement(Service)]
pub async fn download_audio(
&self,
url: &str,
preview_data: Option<UrlPreviewData>,
) -> Result<UrlPreviewData> {
let mut preview_data = preview_data.unwrap_or_default();
if self.services.globals.url_preview_allow_audio_video() {
let (url, size) = self.download_media(url).await?;
preview_data.audio = Some(url.to_string());
preview_data.audio_size = Some(size);
}
Ok(preview_data)
}
#[cfg(feature = "url_preview")]
#[implement(Service)]
pub async fn download_media(&self, url: &str) -> Result<(OwnedMxcUri, usize)> {
use conduwuit::utils::random_string;
use http::header::CONTENT_TYPE;
use ruma::Mxc;
let response = self.services.client.url_preview.get(url).send().await?;
let content_type = response.headers().get(CONTENT_TYPE).cloned();
let media = response
.limit_read(
self.services
.server
.config
.max_request_size
.try_into()
.expect("u64 should fit in usize"),
)
.await?;
let mxc = Mxc {
server_name: self.services.globals.server_name(),
media_id: &random_string(super::MXC_LENGTH),
};
Ok(UrlPreviewData {
image: Some(mxc.to_string()),
image_size: Some(image.len()),
image_width: width,
image_height: height,
..Default::default()
})
let content_type = content_type.and_then(|v| v.to_str().map(ToOwned::to_owned).ok());
self.create(&mxc, None, None, content_type.as_deref(), &media)
.await?;
Ok((OwnedMxcUri::from(mxc.to_string()), media.len()))
}
#[cfg(not(feature = "url_preview"))]
#[implement(Service)]
pub async fn download_image(&self, _url: &str) -> Result<UrlPreviewData> {
pub async fn download_image(
&self,
_url: &str,
_preview_data: Option<UrlPreviewData>,
) -> Result<UrlPreviewData> {
Err!(FeatureDisabled("url_preview"))
}
#[cfg(not(feature = "url_preview"))]
#[implement(Service)]
pub async fn download_video(
&self,
_url: &str,
_preview_data: Option<UrlPreviewData>,
) -> Result<UrlPreviewData> {
Err!(FeatureDisabled("url_preview"))
}
#[cfg(not(feature = "url_preview"))]
#[implement(Service)]
pub async fn download_audio(
&self,
_url: &str,
_preview_data: Option<UrlPreviewData>,
) -> Result<UrlPreviewData> {
Err!(FeatureDisabled("url_preview"))
}
#[cfg(not(feature = "url_preview"))]
#[implement(Service)]
pub async fn download_media(&self, _url: &str) -> Result<UrlPreviewData> {
Err!(FeatureDisabled("url_preview"))
}
@@ -182,18 +303,29 @@ async fn download_html(&self, url: &str) -> Result<UrlPreviewData> {
return Err!(Request(Unknown("Failed to parse HTML")));
};
let mut data = match html.opengraph.images.first() {
| None => UrlPreviewData::default(),
| Some(obj) => self.download_image(&obj.url).await?,
};
let mut preview_data = UrlPreviewData::default();
if let Some(obj) = html.opengraph.images.first() {
preview_data = self.download_image(&obj.url, Some(preview_data)).await?;
}
if let Some(obj) = html.opengraph.videos.first() {
preview_data = self.download_video(&obj.url, Some(preview_data)).await?;
preview_data.video_width = obj.properties.get("width").and_then(|v| v.parse().ok());
preview_data.video_height = obj.properties.get("height").and_then(|v| v.parse().ok());
}
if let Some(obj) = html.opengraph.audios.first() {
preview_data = self.download_audio(&obj.url, Some(preview_data)).await?;
}
let props = html.opengraph.properties;
/* use OpenGraph title/description, but fall back to HTML if not available */
data.title = props.get("title").cloned().or(html.title);
data.description = props.get("description").cloned().or(html.description);
preview_data.title = props.get("title").cloned().or(html.title);
preview_data.description = props.get("description").cloned().or(html.description);
Ok(data)
Ok(preview_data)
}
#[cfg(not(feature = "url_preview"))]

112
src/service/migrations.rs
View File

@@ -1,8 +1,9 @@
use std::{cmp, collections::HashMap, future::ready};
use conduwuit::{
Err, Event, Pdu, Result, debug, debug_info, debug_warn, error, info,
Err, Event, Pdu, Result, debug, debug_info, debug_warn, err, error, info,
result::NotFound,
trace,
utils::{
IterStream, ReadyExt,
stream::{TryExpect, TryIgnore},
@@ -57,6 +58,7 @@ pub(crate) async fn migrations(services: &Services) -> Result<()> {
}
async fn fresh(services: &Services) -> Result<()> {
info!("Creating new fresh database");
let db = &services.db;
services.globals.db.bump_database_version(DATABASE_VERSION);
@@ -66,11 +68,18 @@ async fn fresh(services: &Services) -> Result<()> {
db["global"].insert(b"retroactively_fix_bad_data_from_roomuserid_joined", []);
db["global"].insert(b"fix_referencedevents_missing_sep", []);
db["global"].insert(b"fix_readreceiptid_readreceipt_duplicates", []);
db["global"].insert(b"fix_corrupt_msc4133_fields", []);
db["global"].insert(b"populate_userroomid_leftstate_table", []);
db["global"].insert(b"fix_local_invite_state", []);
// Create the admin room and server user on first run
crate::admin::create_admin_room(services).boxed().await?;
info!("Creating admin room and server user");
crate::admin::create_admin_room(services)
.boxed()
.await
.inspect_err(|e| error!("Failed to create admin room during db init: {e}"))?;
warn!("Created new RocksDB database with version {DATABASE_VERSION}");
info!("Created new database with version {DATABASE_VERSION}");
Ok(())
}
@@ -88,19 +97,33 @@ async fn migrate(services: &Services) -> Result<()> {
}
if services.globals.db.database_version().await < 12 {
db_lt_12(services).await?;
db_lt_12(services)
.await
.map_err(|e| err!("Failed to run v12 migrations: {e}"))?;
}
// This migration can be reused as-is anytime the server-default rules are
// updated.
if services.globals.db.database_version().await < 13 {
db_lt_13(services).await?;
db_lt_13(services)
.await
.map_err(|e| err!("Failed to run v13 migrations: {e}"))?;
}
if db["global"].get(b"feat_sha256_media").await.is_not_found() {
media::migrations::migrate_sha256_media(services).await?;
media::migrations::migrate_sha256_media(services)
.await
.map_err(|e| err!("Failed to run SHA256 media migration: {e}"))?;
} else if config.media_startup_check {
media::migrations::checkup_sha256_media(services).await?;
info!("Starting media startup integrity check.");
let now = std::time::Instant::now();
media::migrations::checkup_sha256_media(services)
.await
.map_err(|e| err!("Failed to verify media integrity: {e}"))?;
info!(
"Finished media startup integrity check in {} seconds.",
now.elapsed().as_secs_f32()
);
}
if db["global"]
@@ -108,7 +131,12 @@ async fn migrate(services: &Services) -> Result<()> {
.await
.is_not_found()
{
fix_bad_double_separator_in_state_cache(services).await?;
info!("Running migration 'fix_bad_double_separator_in_state_cache'");
fix_bad_double_separator_in_state_cache(services)
.await
.map_err(|e| {
err!("Failed to run 'fix_bad_double_separator_in_state_cache' migration: {e}")
})?;
}
if db["global"]
@@ -116,7 +144,15 @@ async fn migrate(services: &Services) -> Result<()> {
.await
.is_not_found()
{
retroactively_fix_bad_data_from_roomuserid_joined(services).await?;
info!("Running migration 'retroactively_fix_bad_data_from_roomuserid_joined'");
retroactively_fix_bad_data_from_roomuserid_joined(services)
.await
.map_err(|e| {
err!(
"Failed to run 'retroactively_fix_bad_data_from_roomuserid_joined' \
migration: {e}"
)
})?;
}
if db["global"]
@@ -125,7 +161,12 @@ async fn migrate(services: &Services) -> Result<()> {
.is_not_found()
|| services.globals.db.database_version().await < 17
{
fix_referencedevents_missing_sep(services).await?;
info!("Running migration 'fix_referencedevents_missing_sep'");
fix_referencedevents_missing_sep(services)
.await
.map_err(|e| {
err!("Failed to run 'fix_referencedevents_missing_sep' migration': {e}")
})?;
}
if db["global"]
@@ -134,7 +175,12 @@ async fn migrate(services: &Services) -> Result<()> {
.is_not_found()
|| services.globals.db.database_version().await < 17
{
fix_readreceiptid_readreceipt_duplicates(services).await?;
info!("Running migration 'fix_readreceiptid_readreceipt_duplicates'");
fix_readreceiptid_readreceipt_duplicates(services)
.await
.map_err(|e| {
err!("Failed to run 'fix_readreceiptid_readreceipt_duplicates' migration': {e}")
})?;
}
if services.globals.db.database_version().await < 17 {
@@ -147,7 +193,10 @@ async fn migrate(services: &Services) -> Result<()> {
.await
.is_not_found()
{
fix_corrupt_msc4133_fields(services).await?;
info!("Running migration 'fix_corrupt_msc4133_fields'");
fix_corrupt_msc4133_fields(services)
.await
.map_err(|e| err!("Failed to run 'fix_corrupt_msc4133_fields' migration': {e}"))?;
}
if services.globals.db.database_version().await < 18 {
@@ -160,7 +209,12 @@ async fn migrate(services: &Services) -> Result<()> {
.await
.is_not_found()
{
populate_userroomid_leftstate_table(services).await?;
info!("Running migration 'populate_userroomid_leftstate_table'");
populate_userroomid_leftstate_table(services)
.await
.map_err(|e| {
err!("Failed to run 'populate_userroomid_leftstate_table' migration': {e}")
})?;
}
if db["global"]
@@ -168,14 +222,17 @@ async fn migrate(services: &Services) -> Result<()> {
.await
.is_not_found()
{
fix_local_invite_state(services).await?;
info!("Running migration 'fix_local_invite_state'");
fix_local_invite_state(services)
.await
.map_err(|e| err!("Failed to run 'fix_local_invite_state' migration': {e}"))?;
}
assert_eq!(
services.globals.db.database_version().await,
DATABASE_VERSION,
"Failed asserting local database version {} is equal to known latest conduwuit database \
version {}",
"Failed asserting local database version {} is equal to known latest continuwuity \
database version {}",
services.globals.db.database_version().await,
DATABASE_VERSION,
);
@@ -370,7 +427,7 @@ async fn db_lt_13(services: &Services) -> Result<()> {
}
async fn fix_bad_double_separator_in_state_cache(services: &Services) -> Result<()> {
warn!("Fixing bad double separator in state_cache roomuserid_joined");
info!("Fixing bad double separator in state_cache roomuserid_joined");
let db = &services.db;
let roomuserid_joined = &db["roomuserid_joined"];
@@ -414,7 +471,7 @@ async fn fix_bad_double_separator_in_state_cache(services: &Services) -> Result<
}
async fn retroactively_fix_bad_data_from_roomuserid_joined(services: &Services) -> Result<()> {
warn!("Retroactively fixing bad data from broken roomuserid_joined");
info!("Retroactively fixing bad data from broken roomuserid_joined");
let db = &services.db;
let _cork = db.cork_and_sync();
@@ -504,7 +561,7 @@ async fn retroactively_fix_bad_data_from_roomuserid_joined(services: &Services)
}
async fn fix_referencedevents_missing_sep(services: &Services) -> Result {
warn!("Fixing missing record separator between room_id and event_id in referencedevents");
info!("Fixing missing record separator between room_id and event_id in referencedevents");
let db = &services.db;
let cork = db.cork_and_sync();
@@ -552,7 +609,7 @@ async fn fix_readreceiptid_readreceipt_duplicates(services: &Services) -> Result
type ArrayId = ArrayString<MAX_BYTES>;
type Key<'a> = (&'a RoomId, u64, &'a UserId);
warn!("Fixing undeleted entries in readreceiptid_readreceipt...");
info!("Fixing undeleted entries in readreceiptid_readreceipt...");
let db = &services.db;
let cork = db.cork_and_sync();
@@ -606,7 +663,7 @@ async fn fix_corrupt_msc4133_fields(services: &Services) -> Result {
use serde_json::{Value, from_slice};
type KeyVal<'a> = ((OwnedUserId, String), &'a [u8]);
warn!("Fixing corrupted `us.cloke.msc4175.tz` fields...");
info!("Fixing corrupted `us.cloke.msc4175.tz` fields...");
let db = &services.db;
let cork = db.cork_and_sync();
@@ -746,7 +803,18 @@ async fn fix_local_invite_state(services: &Services) -> Result {
let fixed = userroomid_invitestate.stream()
// if they're a local user on this homeserver
.try_filter(|((user_id, _), _): &KeyVal<'_>| ready(services.globals.user_is_local(user_id)))
.and_then(async |((user_id, room_id), stripped_state): KeyVal<'_>| Ok::<_, conduwuit::Error>((user_id.to_owned(), room_id.to_owned(), stripped_state.deserialize()?)))
.and_then(async |((user_id, room_id), stripped_state): KeyVal<'_>| Ok::<_,
conduwuit::Error>((user_id.to_owned(), room_id.to_owned(), stripped_state.deserialize
().unwrap_or_else(|e| {
trace!("Failed to deserialize: {:?}", stripped_state.json());
warn!(
%user_id,
%room_id,
"Failed to deserialize stripped state for invite, removing from db: {e}"
);
userroomid_invitestate.del((user_id, room_id));
vec![]
}))))
.try_fold(0_usize, async |mut fixed, (user_id, room_id, stripped_state)| {
// and their invite state is None
if stripped_state.is_empty()

3
src/service/mod.rs
View File

@@ -21,8 +21,10 @@
pub mod firstrun;
pub mod globals;
pub mod key_backups;
pub mod mailer;
pub mod media;
pub mod moderation;
pub mod password_reset;
pub mod presence;
pub mod pusher;
pub mod registration_tokens;
@@ -31,6 +33,7 @@
pub mod sending;
pub mod server_keys;
pub mod sync;
pub mod threepid;
pub mod transactions;
pub mod uiaa;
pub mod users;

68
src/service/password_reset/data.rs Normal file
View File

@@ -0,0 +1,68 @@
use std::{
sync::Arc,
time::{Duration, SystemTime},
};
use conduwuit::utils::{ReadyExt, stream::TryExpect};
use database::{Database, Deserialized, Json, Map};
use ruma::{OwnedUserId, UserId};
use serde::{Deserialize, Serialize};
pub(super) struct Data {
passwordresettoken_info: Arc<Map>,
}
#[derive(Debug, Serialize, Deserialize)]
pub struct ResetTokenInfo {
pub user: OwnedUserId,
pub issued_at: SystemTime,
}
impl ResetTokenInfo {
// one hour
const MAX_TOKEN_AGE: Duration = Duration::from_secs(60 * 60);
pub fn is_valid(&self) -> bool {
let now = SystemTime::now();
now.duration_since(self.issued_at)
.is_ok_and(|duration| duration < Self::MAX_TOKEN_AGE)
}
}
impl Data {
pub(super) fn new(db: &Arc<Database>) -> Self {
Self {
passwordresettoken_info: db["passwordresettoken_info"].clone(),
}
}
/// Associate a reset token with its info in the database.
pub(super) fn save_token(&self, token: &str, info: &ResetTokenInfo) {
self.passwordresettoken_info.raw_put(token, Json(info));
}
/// Lookup the info for a reset token.
pub(super) async fn lookup_token_info(&self, token: &str) -> Option<ResetTokenInfo> {
self.passwordresettoken_info
.get(token)
.await
.deserialized()
.ok()
}
/// Find a user's existing reset token, if any.
pub(super) async fn find_token_for_user(
&self,
user: &UserId,
) -> Option<(String, ResetTokenInfo)> {
self.passwordresettoken_info
.stream::<'_, String, ResetTokenInfo>()
.expect_ok()
.ready_find(|(_, info)| info.user == user)
.await
}
/// Remove a reset token.
pub(super) fn remove_token(&self, token: &str) { self.passwordresettoken_info.remove(token); }
}

120
src/service/password_reset/mod.rs Normal file
View File

@@ -0,0 +1,120 @@
mod data;
use std::{sync::Arc, time::SystemTime};
use conduwuit::{Err, Result, utils};
use data::{Data, ResetTokenInfo};
use ruma::OwnedUserId;
use crate::{Dep, globals, users};
pub const PASSWORD_RESET_PATH: &str = "/_continuwuity/account/reset_password";
pub const RESET_TOKEN_QUERY_PARAM: &str = "token";
const RESET_TOKEN_LENGTH: usize = 32;
pub struct Service {
db: Data,
services: Services,
}
struct Services {
users: Dep<users::Service>,
globals: Dep<globals::Service>,
}
#[derive(Debug)]
pub struct ValidResetToken {
pub token: String,
pub info: ResetTokenInfo,
}
impl crate::Service for Service {
fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
Ok(Arc::new(Self {
db: Data::new(args.db),
services: Services {
users: args.depend::<users::Service>("users"),
globals: args.depend::<globals::Service>("globals"),
},
}))
}
fn name(&self) -> &str { crate::service::make_name(std::module_path!()) }
}
impl Service {
/// Generate a random string suitable to be used as a password reset token.
#[must_use]
pub fn generate_token_string() -> String { utils::random_string(RESET_TOKEN_LENGTH) }
/// Issue a password reset token for `user`, who must be a local user with
/// the `password` origin.
pub async fn issue_token(&self, user_id: OwnedUserId) -> Result<ValidResetToken> {
if !self.services.globals.user_is_local(&user_id) {
return Err!("Cannot issue a password reset token for remote user {user_id}");
}
if user_id == self.services.globals.server_user {
return Err!("Cannot issue a password reset token for the server user");
}
if self
.services
.users
.origin(&user_id)
.await
.unwrap_or_else(|_| "password".to_owned())
!= "password"
{
return Err!("Cannot issue a password reset token for non-internal user {user_id}");
}
if self.services.users.is_deactivated(&user_id).await? {
return Err!("Cannot issue a password reset token for deactivated user {user_id}");
}
if let Some((existing_token, _)) = self.db.find_token_for_user(&user_id).await {
self.db.remove_token(&existing_token);
}
let token = Self::generate_token_string();
let info = ResetTokenInfo {
user: user_id,
issued_at: SystemTime::now(),
};
self.db.save_token(&token, &info);
Ok(ValidResetToken { token, info })
}
/// Check if `token` represents a valid, non-expired password reset token.
pub async fn check_token(&self, token: &str) -> Option<ValidResetToken> {
self.db.lookup_token_info(token).await.and_then(|info| {
if info.is_valid() {
Some(ValidResetToken { token: token.to_owned(), info })
} else {
self.db.remove_token(token);
None
}
})
}
/// Consume the supplied valid token, using it to change its user's password
/// to `new_password`.
pub async fn consume_token(
&self,
ValidResetToken { token, info }: ValidResetToken,
new_password: &str,
) -> Result<()> {
if info.is_valid() {
self.db.remove_token(&token);
self.services
.users
.set_password(&info.user, Some(new_password))
.await?;
}
Ok(())
}
}

6
src/service/registration_tokens/mod.rs
View File

@@ -13,8 +13,6 @@
use crate::{Dep, config, firstrun};
const RANDOM_TOKEN_LENGTH: usize = 16;
pub struct Service {
db: Data,
services: Services,
@@ -103,9 +101,11 @@ fn name(&self) -> &str { crate::service::make_name(std::module_path!()) }
}
impl Service {
const RANDOM_TOKEN_LENGTH: usize = 16;
/// Generate a random string suitable to be used as a registration token.
#[must_use]
pub fn generate_token_string() -> String { utils::random_string(RANDOM_TOKEN_LENGTH) }
pub fn generate_token_string() -> String { utils::random_string(Self::RANDOM_TOKEN_LENGTH) }
/// Issue a new registration token and save it in the database.
pub fn issue_token(

5
src/service/resolver/well_known.rs
View File

@@ -26,7 +26,10 @@ pub(super) async fn request_well_known(&self, dest: &str) -> Result<Option<Strin
return Ok(None);
}
let text = response.limit_read_text(8192).await?;
let Ok(text) = response.limit_read_text(8192).await else {
debug!("failed to read well-known response (too large or non-text content)");
return Ok(None);
};
trace!("response text: {text:?}");
let body: serde_json::Value = serde_json::from_str(&text).unwrap_or_default();

24
src/service/rooms/alias/mod.rs
View File

@@ -104,17 +104,13 @@ pub async fn remove_alias(&self, alias: &RoomAliasId, user_id: &UserId) -> Resul
return Err!(Request(Forbidden("User is not permitted to remove this alias.")));
}
let alias_full = alias.as_bytes().to_vec();
let alias = alias.alias();
let Ok(room_id) = self.db.alias_roomid.get(&alias).await else {
return Err!(Request(NotFound("Alias does not exist or is invalid.")));
};
let prefix = (&room_id, Interfix);
self.db
.aliasid_alias
.keys_prefix_raw(&prefix)
.ignore_err()
.ready_for_each(|key| self.db.aliasid_alias.remove(key))
self.remove_aliasid_alias_entries(&room_id, &alias_full)
.await;
self.db.alias_roomid.remove(alias.as_bytes());
@@ -274,6 +270,22 @@ async fn who_created_alias(&self, alias: &RoomAliasId) -> Result<OwnedUserId> {
self.db.alias_userid.get(alias.alias()).await.deserialized()
}
async fn remove_aliasid_alias_entries(&self, room_id: &[u8], alias_full: &[u8]) {
let prefix = (room_id, Interfix);
let keys: Vec<Vec<u8>> = self
.db
.aliasid_alias
.stream_prefix_raw(&prefix)
.ignore_err()
.ready_filter_map(|(key, value)| (value == alias_full).then_some(key.to_vec()))
.collect()
.await;
for key in keys {
self.db.aliasid_alias.remove(&key);
}
}
async fn resolve_appservice_alias(
&self,
room_alias: &RoomAliasId,

2
src/service/server_keys/acquire.rs
View File

@@ -228,7 +228,7 @@ async fn acquire_notary_result(&self, missing: &mut Batch, server_keys: ServerSi
self.add_signing_keys(server_keys.clone()).await;
if let Some(key_ids) = missing.get_mut(server) {
key_ids.retain(|key_id| key_exists(&server_keys, key_id));
key_ids.retain(|key_id| !key_exists(&server_keys, key_id));
if key_ids.is_empty() {
missing.remove(server);
}

24
src/service/services.rs
View File

@@ -1,7 +1,7 @@
use std::{any::Any, collections::BTreeMap, sync::Arc};
use conduwuit::{
Result, Server, SyncRwLock, debug, debug_info, info, trace, utils::stream::IterStream,
Result, Server, SyncRwLock, debug, debug_info, error, info, trace, utils::stream::IterStream,
};
use database::Database;
use futures::{Stream, StreamExt, TryStreamExt};
@@ -9,12 +9,12 @@
use crate::{
account_data, admin, announcements, antispam, appservice, client, config, emergency,
federation, firstrun, globals, key_backups,
federation, firstrun, globals, key_backups, mailer,
manager::Manager,
media, moderation, presence, pusher, registration_tokens, resolver, rooms, sending,
server_keys,
media, moderation, password_reset, presence, pusher, registration_tokens, resolver, rooms,
sending, server_keys,
service::{self, Args, Map, Service},
sync, transactions, uiaa, users,
sync, threepid, transactions, uiaa, users,
};
pub struct Services {
@@ -27,6 +27,8 @@ pub struct Services {
pub globals: Arc<globals::Service>,
pub key_backups: Arc<key_backups::Service>,
pub media: Arc<media::Service>,
pub password_reset: Arc<password_reset::Service>,
pub mailer: Arc<mailer::Service>,
pub presence: Arc<presence::Service>,
pub pusher: Arc<pusher::Service>,
pub registration_tokens: Arc<registration_tokens::Service>,
@@ -38,6 +40,7 @@ pub struct Services {
pub server_keys: Arc<server_keys::Service>,
pub sync: Arc<sync::Service>,
pub transactions: Arc<transactions::Service>,
pub threepid: Arc<threepid::Service>,
pub uiaa: Arc<uiaa::Service>,
pub users: Arc<users::Service>,
pub moderation: Arc<moderation::Service>,
@@ -81,6 +84,8 @@ macro_rules! build {
globals: build!(globals::Service),
key_backups: build!(key_backups::Service),
media: build!(media::Service),
password_reset: build!(password_reset::Service),
mailer: build!(mailer::Service),
presence: build!(presence::Service),
pusher: build!(pusher::Service),
registration_tokens: build!(registration_tokens::Service),
@@ -110,6 +115,7 @@ macro_rules! build {
sending: build!(sending::Service),
server_keys: build!(server_keys::Service),
sync: build!(sync::Service),
threepid: build!(threepid::Service),
transactions: build!(transactions::Service),
uiaa: build!(uiaa::Service),
users: build!(users::Service),
@@ -125,10 +131,12 @@ macro_rules! build {
}
pub async fn start(self: &Arc<Self>) -> Result<Arc<Self>> {
debug_info!("Starting services...");
info!("Starting services...");
self.admin.set_services(Some(Arc::clone(self)).as_ref());
super::migrations::migrations(self).await?;
super::migrations::migrations(self)
.await
.inspect_err(|e| error!("Migrations failed: {e}"))?;
self.manager
.lock()
.await
@@ -147,7 +155,7 @@ pub async fn start(self: &Arc<Self>) -> Result<Arc<Self>> {
.await;
}
debug_info!("Services startup complete.");
info!("Services startup complete.");
Ok(Arc::clone(self))
}

3
src/service/templates/mail/_base.txt Normal file
View File

@@ -0,0 +1,3 @@
{%- block content %}{% endblock %}
Message sent by Continuwuity {{ env!("CARGO_PKG_VERSION") }}. 🐈

13
src/service/templates/mail/change_email.txt Normal file
View File

@@ -0,0 +1,13 @@
{% extends "_base.txt" %}
{% block content -%}
Hello!
{% if let Some(user_id) = user_id -%}
Somebody, probably you, tried to associate this email address with the Matrix account {{ user_id }}.
{%- else -%}
Somebody, probably you, tried to associate this email address with a Matrix account on {{ server_name }}.
{%- endif %}
If that was you, and this is your email address, click this link to proceed:
{{ verification_link }}
Otherwise, you can ignore this email. The above link will expire in one hour.
{%- endblock %}

10
src/service/templates/mail/new_account.txt Normal file
View File

@@ -0,0 +1,10 @@
{% extends "_base.txt" %}
{% block content -%}
Hello!
Somebody, probably you, tried to create a Matrix account on {{ server_name }} using this email address.
Use the link below to proceed with creating your account:
{{ verification_link }}
If you are not trying to create an account, you can ignore this email. The above link will expire in one hour.
{%- endblock %}

14
src/service/templates/mail/password_reset.txt Normal file
View File

@@ -0,0 +1,14 @@
{% extends "_base.txt" %}
{% block content -%}
{%- if let Some(display_name) = display_name -%}
Hello {{ display_name }} ({{ user_id }}),
{%- else -%}
Hello {{ user_id }},
{%- endif %}
Somebody, probably you, tried to reset your Matrix account's password.
If you requested for your password to be reset, click this link to proceed:
{{ verification_link }}
Otherwise, you can ignore this email. The above link will expire in one hour.
{%- endblock %}

5
src/service/templates/mail/test.txt Normal file
View File

@@ -0,0 +1,5 @@
{% extends "_base.txt" %}
{% block content -%}
If you're seeing this, SMTP is configured correctly. :3
{%- endblock %}

0
src/service/templates/welcome.md.j2 → src/service/templates/welcome.md
View File

281
src/service/threepid/mod.rs Normal file
View File

@@ -0,0 +1,281 @@
use std::{borrow::Cow, collections::HashMap, sync::Arc};
use conduwuit::{Err, Error, Result, result::FlatOk};
use database::{Deserialized, Map};
use governor::{DefaultKeyedRateLimiter, Quota, RateLimiter};
use lettre::{Address, message::Mailbox};
use nonzero_ext::nonzero;
use ruma::{
ClientSecret, OwnedClientSecret, OwnedSessionId, SessionId, api::client::error::ErrorKind,
};
mod session;
use crate::{
Args, Dep, config,
mailer::{self, messages::MessageTemplate},
threepid::session::{ValidationSessions, ValidationState, ValidationToken},
};
pub struct Service {
db: Data,
services: Services,
sessions: tokio::sync::Mutex<ValidationSessions>,
send_attempts: std::sync::Mutex<HashMap<(OwnedClientSecret, Address), usize>>,
ratelimiter: DefaultKeyedRateLimiter<Address>,
}
struct Data {
localpart_email: Arc<Map>,
email_localpart: Arc<Map>,
}
struct Services {
config: Dep<config::Service>,
mailer: Dep<mailer::Service>,
}
impl crate::Service for Service {
fn build(args: Args<'_>) -> Result<Arc<Self>> {
Ok(Arc::new(Self {
db: Data {
email_localpart: args.db["email_localpart"].clone(),
localpart_email: args.db["localpart_email"].clone(),
},
services: Services {
config: args.depend("config"),
mailer: args.depend("mailer"),
},
sessions: tokio::sync::Mutex::default(),
send_attempts: std::sync::Mutex::default(),
ratelimiter: RateLimiter::keyed(Self::EMAIL_RATELIMIT),
}))
}
fn name(&self) -> &str { crate::service::make_name(std::module_path!()) }
}
impl Service {
// Each address gets two tickets to send an email, which refill at a rate of one
// per ten minutes. This allows two emails to be sent at once without waiting
// (in case the first one gets eaten), but requires a wait of at least ten
// minutes before sending another.
const EMAIL_RATELIMIT: Quota =
Quota::per_minute(nonzero!(10_u32)).allow_burst(nonzero!(2_u32));
const VALIDATION_URL_PATH: &str = "/_continuwuity/3pid/email/validate";
/// Send a validation message to an email address.
///
/// Returns the validation session ID on success.
#[allow(clippy::impl_trait_in_params)]
pub async fn send_validation_email<Template: MessageTemplate>(
&self,
recipient: Mailbox,
prepare_body: impl FnOnce(String) -> Template,
client_secret: &ClientSecret,
send_attempt: usize,
) -> Result<OwnedSessionId> {
let mailer = self.services.mailer.expect_mailer()?;
let mut sessions = self.sessions.lock().await;
let session = match sessions.get_session_by_client_secret(client_secret) {
// If a validation session already exists for this client secret, we can either
// reuse it with a new token or return early because it's already valid.
| Some(session) => {
match session.validation_state {
| ValidationState::Validated => {
// If the existing session is already valid, don't send an email.
return Ok(session.session_id.clone());
},
| ValidationState::Pending(ref mut token) => {
// Check ratelimiting for the target address.
if self.ratelimiter.check_key(&recipient.email).is_err() {
return Err(Error::BadRequest(
ErrorKind::LimitExceeded { retry_after: None },
"You're sending emails too fast, try again in a few minutes.",
));
}
// Check the send attempt for this session.
let mut send_attempts = self.send_attempts.lock().unwrap();
let last_send_attempt = send_attempts
.entry((session.client_secret.clone(), session.email.clone()))
.or_default();
if send_attempt <= *last_send_attempt {
// If the supplied send attempt isn't higher than the last
// one, don't send an email.
return Ok(session.session_id.clone());
}
// Save this send attempt.
*last_send_attempt = send_attempt;
drop(send_attempts);
// Create a new token for the existing session.
*token = ValidationToken::new_random();
session
},
}
},
// If no session exists, create a new one.
| None => sessions.create_session(recipient.email.clone(), client_secret.to_owned()),
};
// Clone this so it can outlive the lock we're holding on `sessions`
let session_id = session.session_id.clone();
let ValidationState::Pending(token) = &session.validation_state else {
unreachable!("session should be pending")
};
let mut validation_url = self
.services
.config
.get_client_domain()
.join(Self::VALIDATION_URL_PATH)
.unwrap();
validation_url
.query_pairs_mut()
.append_pair("session", session_id.as_str())
.append_pair("token", &token.token);
// Once the validation URL is built, we don't need any data borrowed from
// `sessions` anymore and can release our lock
drop(sessions);
let message = prepare_body(validation_url.to_string());
mailer.send(recipient, message).await?;
Ok(session_id)
}
/// Attempt to mark a validation session as valid using a validation token.
pub async fn try_validate_session(
&self,
session_id: &SessionId,
supplied_token: &str,
) -> Result<(), Cow<'static, str>> {
let mut sessions = self.sessions.lock().await;
let Some(session) = sessions.get_session(session_id) else {
return Err("Validation session does not exist".into());
};
session.validation_state = match &session.validation_state {
| ValidationState::Validated => {
// If the session is already validated, do nothing.
return Ok(());
},
| ValidationState::Pending(token) => {
// Otherwise check the token and mark the session as valid.
if *token != *supplied_token || !token.is_valid() {
return Err("Validation token is invalid or expired, please request a new \
one"
.into());
}
ValidationState::Validated
},
};
Ok(())
}
/// Consume a validated validation session, removing it from the database
/// and returning the newly validated email address.
pub async fn consume_valid_session(
&self,
session_id: &SessionId,
client_secret: &ClientSecret,
) -> Result<Address, Cow<'static, str>> {
let mut sessions = self.sessions.lock().await;
let Some(session) = sessions.get_session(session_id) else {
return Err("Validation session does not exist".into());
};
if session.client_secret == client_secret
&& matches!(session.validation_state, ValidationState::Validated)
{
let session = sessions.remove_session(session_id);
Ok(session.email)
} else {
Err("This email address has not been validated. Did you use the link that was sent \
to you?"
.into())
}
}
/// Associate a localpart with an email address.
pub async fn associate_localpart_email(
&self,
localpart: &str,
email: &Address,
) -> Result<()> {
match self.get_localpart_for_email(email).await {
| Some(existing_localpart) if existing_localpart != localpart => {
// Another account is already using the supplied email.
Err!(Request(ThreepidInUse("This email address is already in use.")))
},
| Some(_) => {
// The supplied localpart is already associated with the supplied email,
// no changes are necessary.
Ok(())
},
| None => {
// The supplied email is not already in use.
let email: &str = email.as_ref();
self.db.localpart_email.insert(localpart, email);
self.db.email_localpart.insert(email, localpart);
Ok(())
},
}
}
/// Given a localpart, remove its corresponding email address.
///
/// [`Self::get_localpart_for_email`] may be used if only the email is
/// known.
pub async fn disassociate_localpart_email(&self, localpart: &str) -> Option<Address> {
let email = self.get_email_for_localpart(localpart).await?;
self.db.localpart_email.remove(localpart);
self.db
.email_localpart
.remove(<Address as AsRef<str>>::as_ref(&email));
Some(email)
}
/// Get the email associated with a localpart, if one exists.
pub async fn get_email_for_localpart(&self, localpart: &str) -> Option<Address> {
self.db
.localpart_email
.get(localpart)
.await
.deserialized::<String>()
.ok()
.map(TryInto::try_into)
.flat_ok()
}
/// Get the localpart associated with an email, if one exists.
pub async fn get_localpart_for_email(&self, email: &Address) -> Option<String> {
self.db
.email_localpart
.get(<Address as AsRef<str>>::as_ref(email))
.await
.deserialized()
.ok()
}
}

Some files were not shown because too many files have changed in this diff Show More