fix: Helps when you refer to variables that exist

feat: Add debug logs to pusher service
2026-05-26 20:49:55 +00:00 · 2026-03-09 16:43:09 +00:00 · 2026-03-09 16:37:51 +00:00
98 changed files with 1898 additions and 4392 deletions
@@ -62,6 +62,10 @@ sync:
    target: registry.gitlab.com/continuwuity/continuwuity
    type: repository
    <<: *tags-main
  - source: *source
    target: git.nexy7574.co.uk/mirrored/continuwuity
    type: repository
    <<: *tags-releases
  - source: *source
    target: ghcr.io/continuwuity/continuwuity
    type: repository
@@ -1,4 +1,4 @@
 github: [JadedBlueEyes, nexy7574, gingershaped]
 custom:
-  - https://timedout.uk/donate.html
+  - https://ko-fi.com/nexy7574
-  - https://jade.ellis.link/sponsors
+  - https://ko-fi.com/JadedBlueEyes
@@ -12,7 +12,7 @@ license = "Apache-2.0"
 # See also `rust-toolchain.toml`
 readme = "README.md"
 repository = "https://forgejo.ellis.link/continuwuation/continuwuity"
-version = "0.5.7-alpha.1"
+version = "0.5.6"
 [workspace.metadata.crane]
 name = "conduwuit"
@@ -99,7 +99,7 @@ features = [
 [workspace.dependencies.axum-extra]
 version = "0.12.0"
 default-features = false
-features = ["typed-header", "tracing", "cookie"]
+features = ["typed-header", "tracing"]
 [workspace.dependencies.axum-server]
 version = "0.7.2"
@@ -344,7 +344,7 @@ version = "0.1.2"
 [workspace.dependencies.ruma]
 git = "https://forgejo.ellis.link/continuwuation/ruwuma"
 #branch = "conduwuit-changes"
-rev = "a97b91adcc012ef04991d823b8b5a79c6686ae48"
+rev = "bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
 features = [
    "compat",
    "rand",
@@ -559,19 +559,6 @@ version = "1.0.1"
 [workspace.dependencies.askama]
 version = "0.15.0"
 [workspace.dependencies.lettre]
 version = "0.11.19"
 default-features = false
 features = ["smtp-transport", "pool", "hostname", "builder", "rustls", "aws-lc-rs", "rustls-native-certs", "tokio1", "tokio1-rustls", "tracing", "serde"]
 [workspace.dependencies.governor]
 version = "0.10.4"
 default-features = false
 features = ["std"]
 [workspace.dependencies.nonzero_ext]
 version = "0.3.0"
 #
 # Patches
 #
@@ -932,6 +919,7 @@ fn_to_numeric_cast_any = "warn"
 format_push_string = "warn"
 get_unwrap = "warn"
 impl_trait_in_params = "warn"
 let_underscore_untyped = "warn"
 lossy_float_literal = "warn"
 mem_forget = "warn"
 missing_assert_message = "warn"
@@ -981,6 +969,3 @@ needless_raw_string_hashes = "allow"
 # TODO: Enable this lint & fix all instances
 collapsible_if = "allow"
 # TODO: break these apart
 cognitive_complexity = "allow"
@@ -1 +0,0 @@
 Added support for associating email addresses with accounts, requiring email addresses for registration, and resetting passwords via email. Contributed by @ginger
@@ -1 +0,0 @@
 Added support for using an admin command to issue self-service password reset links.
@@ -1 +0,0 @@
 Add new config option to allow or disallow search engine indexing through a `<meta ../>` tag. Defaults to blocking indexing (`content="noindex"`). Contributed by @s1lv3r and @ginger.
@@ -25,10 +25,6 @@
 #
 # Also see the `[global.well_known]` config section at the very bottom.
 #
 # If `client` is not set under `[global.well_known]`, the server name will
 # be used as the base domain for user-facing links (such as password
 # reset links) created by Continuwuity.
 #
 # Examples of delegation:
 # - https://continuwuity.org/.well-known/matrix/server
 # - https://continuwuity.org/.well-known/matrix/client
@@ -1799,11 +1795,6 @@
 #
 #config_reload_signal = true
 # Allow search engines and crawlers to index Continuwuity's built-in
 # webpages served under the `/_continuwuity/` prefix.
 #
 #allow_web_indexing = false
 [global.tls]
 # Path to a valid TLS certificate file.
@@ -2037,41 +2028,3 @@
 # web->synapseHTTPAntispam->authorization
 #
 #secret =
 #[global.smtp]
 # A `smtp://`` URI which will be used to connect to a mail server.
 # Uncommenting the [global.smtp] group and setting this option enables
 # features which depend on the ability to send email,
 # such as self-service password resets.
 #
 # For most modern mail servers, format the URI like this:
 # 	`smtps://username:password@hostname:port`
 # Note that you will need to URL-encode the username and password. If your
 # username _is_ your email address, you will need to replace the `@` with
 # `%40`.
 #
 # For a guide on the accepted URI syntax, consult Lettre's documentation:
 # https://docs.rs/lettre/latest/lettre/transport/smtp/struct.AsyncSmtpTransport.html#method.from_url
 #
 #connection_uri =
 # The outgoing address which will be used for sending emails.
 #
 # For a syntax guide, see https://datatracker.ietf.org/doc/html/rfc2822#section-3.4
 #
 # ...or if you don't want to read the RFC, for some reason:
 # - `Name <address@domain.org>` to specify a sender name
 # - `address@domain.org` to not use a name
 #
 #sender =
 # Whether to require that users provide an email address when they
 # register.
 #
 #require_email_for_registration = false
 # Whether to require that users who register with a registration token
 # provide an email address.
 #
 #require_email_for_token_registration = false
@@ -10,7 +10,7 @@ RUN rm -f /etc/apt/apt.conf.d/docker-clean
 # Match Rustc version as close as possible
 # rustc -vV
-ARG LLVM_VERSION=21
+ARG LLVM_VERSION=20
 # ENV RUSTUP_TOOLCHAIN=${RUST_VERSION}
 # Install repo tools
@@ -109,6 +109,9 @@ Restart Continuwuity and your reverse proxy. Once that's done, visit these route
 {
  "m.homeserver": {
    "base_url": "https://matrix.example.com/"
  },
  "org.matrix.msc3575.proxy": {
    "url": "https://matrix.example.com/"
  }
 }
 ```
@@ -6,7 +6,6 @@ services:
    ### then you are ready to go.
    image: forgejo.ellis.link/continuwuation/continuwuity:latest
    restart: unless-stopped
    command: /sbin/conduwuit
    volumes:
      - db:/var/lib/continuwuity
      #- ./continuwuity.toml:/etc/continuwuity.toml
@@ -23,7 +23,6 @@ services:
        ### then you are ready to go.
        image: forgejo.ellis.link/continuwuation/continuwuity:latest
        restart: unless-stopped
        command: /sbin/conduwuit
        volumes:
            - db:/var/lib/continuwuity
            - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.
@@ -6,7 +6,6 @@ services:
    ### then you are ready to go.
    image: forgejo.ellis.link/continuwuation/continuwuity:latest
    restart: unless-stopped
    command: /sbin/conduwuit
    volumes:
      - db:/var/lib/continuwuity
      - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.
@@ -6,7 +6,6 @@ services:
        ### then you are ready to go.
        image: forgejo.ellis.link/continuwuation/continuwuity:latest
        restart: unless-stopped
        command: /sbin/conduwuit
        ports:
            - 8448:6167
        volumes:
@@ -78,7 +78,7 @@ docker run -d \
  -e CONTINUWUITY_ALLOW_REGISTRATION="false" \
  --name continuwuity \
  forgejo.ellis.link/continuwuation/continuwuity:latest \
-  /sbin/conduwuit --execute "users create-user admin"
+  --execute "users create-user admin"
 ```
 Replace `matrix.example.com` with your actual server name and `admin` with
@@ -141,7 +141,7 @@ compose file, add under the `continuwuity` service:
 services:
    continuwuity:
        image: forgejo.ellis.link/continuwuation/continuwuity:latest
-        command: /sbin/conduwuit --execute "users create-user admin"
+        command: --execute "users create-user admin"
        # ... rest of configuration
 ```
@@ -39,7 +39,6 @@ spec:
        - name: continuwuity
          # use a sha hash <3
          image: forgejo.ellis.link/continuwuation/continuwuity:latest
          command: ["/sbin/conduwuit"]
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
@@ -1 +1 @@
-{"m.homeserver":{"base_url": "https://matrix.continuwuity.org"},"org.matrix.msc4143.rtc_foci":[{"type":"livekit","livekit_service_url":"https://livekit.ellis.link"}]}
+{"m.homeserver":{"base_url": "https://matrix.continuwuity.org"},"org.matrix.msc3575.proxy":{"url": "https://matrix.continuwuity.org"},"org.matrix.msc4143.rtc_foci":[{"type":"livekit","livekit_service_url":"https://livekit.ellis.link"}]}
@@ -130,10 +130,6 @@ Trim memory usage
 List database files
 ## `!admin debug send-test-email`
 Send a test email to the invoking admin's email address
 ## `!admin debug tester`
 Developer test stubs
@@ -12,24 +12,6 @@ Create a new user
 Reset user password
 ## `!admin users issue-password-reset-link`
 Issue a self-service password reset link for a user
 ## `!admin users get-email`
 Get a user's associated email address
 ## `!admin users get-user-by-email`
 Get the user with the given email address
 ## `!admin users change-email`
 Update or remove a user's email address.
 If `email` is not supplied, the user's existing address will be removed.
 ## `!admin users deactivate`
 Deactivate a user
@@ -3,11 +3,11 @@
    "advisory-db": {
      "flake": false,
      "locked": {
-        "lastModified": 1773786698,
+        "lastModified": 1772776993,
-        "narHash": "sha256-o/J7ZculgwSs1L4H4UFlFZENOXTJzq1X0n71x6oNNvY=",
+        "narHash": "sha256-CpBa+UpogN0Xn1gMmgqQrzKGee+E8TCkgHar8/w6CRk=",
        "owner": "rustsec",
        "repo": "advisory-db",
-        "rev": "99e9de91bb8b61f06ef234ff84e11f758ecd5384",
+        "rev": "b3472341e37cbd4b8c27b052b2abb34792f4d3c4",
        "type": "github"
      },
      "original": {
@@ -18,11 +18,11 @@
    },
    "crane": {
      "locked": {
-        "lastModified": 1773189535,
+        "lastModified": 1772560058,
-        "narHash": "sha256-E1G/Or6MWeP+L6mpQ0iTFLpzSzlpGrITfU2220Gq47g=",
+        "narHash": "sha256-NuVKdMBJldwUXgghYpzIWJdfeB7ccsu1CC7B+NfSoZ8=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "6fa2fb4cf4a89ba49fc9dd5a3eb6cde99d388269",
+        "rev": "db590d9286ed5ce22017541e36132eab4e8b3045",
        "type": "github"
      },
      "original": {
@@ -39,11 +39,11 @@
        "rust-analyzer-src": "rust-analyzer-src"
      },
      "locked": {
-        "lastModified": 1773732206,
+        "lastModified": 1772953398,
-        "narHash": "sha256-HKibxaUXyWd4Hs+ZUnwo6XslvaFqFqJh66uL9tphU4Q=",
+        "narHash": "sha256-fTTHCaEvPLzWyZFxPud/G9HM3pNYmW/64Kj58hdH4+k=",
        "owner": "nix-community",
        "repo": "fenix",
-        "rev": "0aa13c1b54063a8d8679b28a5cd357ba98f4a56b",
+        "rev": "fc4863887d98fd879cf5f11af1d23d44d9bdd8ae",
        "type": "github"
      },
      "original": {
@@ -89,11 +89,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1773734432,
+        "lastModified": 1772773019,
-        "narHash": "sha256-IF5ppUWh6gHGHYDbtVUyhwy/i7D261P7fWD1bPefOsw=",
+        "narHash": "sha256-E1bxHxNKfDoQUuvriG71+f+s/NT0qWkImXsYZNFFfCs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "cda48547b432e8d3b18b4180ba07473762ec8558",
+        "rev": "aca4d95fce4914b3892661bcb80b8087293536c6",
        "type": "github"
      },
      "original": {
@@ -132,11 +132,11 @@
    "rust-analyzer-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1773697963,
+        "lastModified": 1772877513,
-        "narHash": "sha256-xdKI77It9PM6eNrCcDZsnP4SKulZwk8VkDgBRVMnCb8=",
+        "narHash": "sha256-RcRGv2Bng5I9y75XwFX7oK2l6mLH1dtbTTG9U8qun0c=",
        "owner": "rust-lang",
        "repo": "rust-analyzer",
-        "rev": "2993637174252ff60a582fd1f55b9ab52c39db6d",
+        "rev": "a1b86d600f88be98643e5dd61d6ed26eda17c09e",
        "type": "github"
      },
      "original": {
@@ -153,11 +153,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1773297127,
+        "lastModified": 1772660329,
-        "narHash": "sha256-6E/yhXP7Oy/NbXtf1ktzmU8SdVqJQ09HC/48ebEGBpk=",
+        "narHash": "sha256-IjU1FxYqm+VDe5qIOxoW+pISBlGvVApRjiw/Y/ttJzY=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "71b125cd05fbfd78cab3e070b73544abe24c5016",
+        "rev": "3710e0e1218041bbad640352a0440114b1e10428",
        "type": "github"
      },
      "original": {
@@ -15,7 +15,7 @@
            file = inputs.self + "/rust-toolchain.toml";
            # See also `rust-toolchain.toml`
-            sha256 = "sha256-sqSWJDUxc+zaz1nBWMAJKTAGBuGWP25GCftIOlCEAtA=";
+            sha256 = "sha256-SJwZ8g0zF2WrKDVmHrVG3pD2RGoQeo24MEXnNx5FyuI=";
          };
        in
        {
@@ -16,21 +16,21 @@
      }
    },
    "node_modules/@emnapi/core": {
-      "version": "1.9.0",
+      "version": "1.8.1",
-      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.9.0.tgz",
+      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.8.1.tgz",
-      "integrity": "sha512-0DQ98G9ZQZOxfUcQn1waV2yS8aWdZ6kJMbYCJB3oUBecjWYO1fqJ+a1DRfPF3O5JEkwqwP1A9QEN/9mYm2Yd0w==",
+      "integrity": "sha512-AvT9QFpxK0Zd8J0jopedNm+w/2fIzvtPKPjqyw9jwvBaReTTqPBk9Hixaz7KbjimP+QNz605/XnjFcDAL2pqBg==",
      "dev": true,
      "license": "MIT",
      "optional": true,
      "dependencies": {
-        "@emnapi/wasi-threads": "1.2.0",
+        "@emnapi/wasi-threads": "1.1.0",
        "tslib": "^2.4.0"
      }
    },
    "node_modules/@emnapi/runtime": {
-      "version": "1.9.0",
+      "version": "1.8.1",
-      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.9.0.tgz",
+      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.8.1.tgz",
-      "integrity": "sha512-QN75eB0IH2ywSpRpNddCRfQIhmJYBCJ1x5Lb3IscKAL8bMnVAKnRg8dCoXbHzVLLH7P38N2Z3mtulB7W0J0FKw==",
+      "integrity": "sha512-mehfKSMWjjNol8659Z8KxEMrdSJDDot5SXMq00dM8BN4o+CLNXQ0xH2V7EchNHV4RmbZLmmPdEaXZc5H2FXmDg==",
      "dev": true,
      "license": "MIT",
      "optional": true,
@@ -39,9 +39,9 @@
      }
    },
    "node_modules/@emnapi/wasi-threads": {
-      "version": "1.2.0",
+      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/@emnapi/wasi-threads/-/wasi-threads-1.2.0.tgz",
+      "resolved": "https://registry.npmjs.org/@emnapi/wasi-threads/-/wasi-threads-1.1.0.tgz",
-      "integrity": "sha512-N10dEJNSsUx41Z6pZsXU8FjPjpBEplgH24sfkmITrBED1/U2Esum9F3lfLrMjKHHjmi557zQn7kR9R+XWXu5Rg==",
+      "integrity": "sha512-WI0DdZ8xFSbgMjR1sFsKABJ/C5OnRrjT06JXbZKexJGrDuPTzZdDYfFlsgcCXCyf+suG5QU2e/y1Wo2V/OapLQ==",
      "dev": true,
      "license": "MIT",
      "optional": true,
@@ -144,22 +144,17 @@
      }
    },
    "node_modules/@rsbuild/plugin-react": {
-      "version": "1.4.6",
+      "version": "1.4.5",
-      "resolved": "https://registry.npmjs.org/@rsbuild/plugin-react/-/plugin-react-1.4.6.tgz",
+      "resolved": "https://registry.npmjs.org/@rsbuild/plugin-react/-/plugin-react-1.4.5.tgz",
-      "integrity": "sha512-LAT6xHlEyZKA0VjF/ph5d50iyG+WSmBx+7g98HNZUwb94VeeTMZFB8qVptTkbIRMss3BNKOXmHOu71Lhsh9oEw==",
+      "integrity": "sha512-eS2sXCedgGA/7bLu8yVtn48eE/GyPbXx4Q7OcutB01IQ1D2y8WSMBys4nwfrecy19utvw4NPn4gYDy52316+vg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@rspack/plugin-react-refresh": "^1.6.1",
+        "@rspack/plugin-react-refresh": "^1.6.0",
        "react-refresh": "^0.18.0"
      },
      "peerDependencies": {
        "@rsbuild/core": "^1.0.0 || ^2.0.0-0"
      },
      "peerDependenciesMeta": {
        "@rsbuild/core": {
          "optional": true
        }
      }
    },
    "node_modules/@rspack/binding": {
@@ -700,13 +695,13 @@
      "license": "ISC"
    },
    "node_modules/@unhead/react": {
-      "version": "2.1.12",
+      "version": "2.1.10",
-      "resolved": "https://registry.npmjs.org/@unhead/react/-/react-2.1.12.tgz",
+      "resolved": "https://registry.npmjs.org/@unhead/react/-/react-2.1.10.tgz",
-      "integrity": "sha512-1xXFrxyw29f+kScXfEb0GxjlgtnHxoYau0qpW9k8sgWhQUNnE5gNaH3u+rNhd5IqhyvbdDRJpQ25zoz0HIyGaw==",
+      "integrity": "sha512-z9IzzkaCI1GyiBwVRMt4dGc2mOvsj9drbAdXGMy6DWpu9FwTR37ZTmAi7UeCVyIkpVdIaNalz7vkbvGG8afFng==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "unhead": "2.1.12"
+        "unhead": "2.1.10"
      },
      "funding": {
        "url": "https://github.com/sponsors/harlan-zw"
@@ -1578,9 +1573,9 @@
      }
    },
    "node_modules/hookable": {
-      "version": "6.1.0",
+      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/hookable/-/hookable-6.1.0.tgz",
+      "resolved": "https://registry.npmjs.org/hookable/-/hookable-6.0.1.tgz",
-      "integrity": "sha512-ZoKZSJgu8voGK2geJS+6YtYjvIzu9AOM/KZXsBxr83uhLL++e9pEv/dlgwgy3dvHg06kTz6JOh1hk3C8Ceiymw==",
+      "integrity": "sha512-uKGyY8BuzN/a5gvzvA+3FVWo0+wUjgtfSdnmjtrOVwQCZPHpHDH2WRO3VZSOeluYrHoDCiXFffZXs8Dj1ULWtw==",
      "dev": true,
      "license": "MIT"
    },
@@ -2983,14 +2978,14 @@
      "license": "MIT"
    },
    "node_modules/oniguruma-to-es": {
-      "version": "4.3.5",
+      "version": "4.3.4",
-      "resolved": "https://registry.npmjs.org/oniguruma-to-es/-/oniguruma-to-es-4.3.5.tgz",
+      "resolved": "https://registry.npmjs.org/oniguruma-to-es/-/oniguruma-to-es-4.3.4.tgz",
-      "integrity": "sha512-Zjygswjpsewa0NLTsiizVuMQZbp0MDyM6lIt66OxsF21npUDlzpHi1Mgb/qhQdkb+dWFTzJmFbEWdvZgRho8eQ==",
+      "integrity": "sha512-3VhUGN3w2eYxnTzHn+ikMI+fp/96KoRSVK9/kMTcFqj1NRDh2IhQCKvYxDnWePKRXY/AqH+Fuiyb7VHSzBjHfA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "oniguruma-parser": "^0.12.1",
-        "regex": "^6.1.0",
+        "regex": "^6.0.1",
        "regex-recursion": "^6.0.2"
      }
    },
@@ -3725,9 +3720,9 @@
      }
    },
    "node_modules/unhead": {
-      "version": "2.1.12",
+      "version": "2.1.10",
-      "resolved": "https://registry.npmjs.org/unhead/-/unhead-2.1.12.tgz",
+      "resolved": "https://registry.npmjs.org/unhead/-/unhead-2.1.10.tgz",
-      "integrity": "sha512-iTHdWD9ztTunOErtfUFk6Wr11BxvzumcYJ0CzaSCBUOEtg+DUZ9+gnE99i8QkLFT2q1rZD48BYYGXpOZVDLYkA==",
+      "integrity": "sha512-We8l9uNF8zz6U8lfQaVG70+R/QBfQx1oPIgXin4BtZnK2IQpz6yazQ0qjMNVBDw2ADgF2ea58BtvSK+XX5AS7g==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -1,6 +1,6 @@
 {
    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-    "extends": ["config:recommended", "replacements:all", ":semanticCommitTypeAll(chore)"],
+    "extends": ["config:recommended", "replacements:all"],
    "dependencyDashboard": true,
    "osvVulnerabilityAlerts": true,
    "lockFileMaintenance": {
@@ -36,18 +36,10 @@
    },
    "packageRules": [
        {
-            "description": "Batch minor and patch Rust dependency updates",
+            "description": "Batch patch-level Rust dependency updates",
            "matchManagers": ["cargo"],
            "matchUpdateTypes": ["minor", "patch"],
            "matchCurrentVersion": ">=1.0.0",
            "groupName": "rust-non-major"
        },
        {
            "description": "Batch patch-level zerover Rust dependency updates",
            "matchManagers": ["cargo"],
            "matchUpdateTypes": ["patch"],
-            "matchCurrentVersion": ">=0.1.0,<1.0.0",
+            "groupName": "rust-patch-updates"
            "groupName": "rust-zerover-patch-updates"
        },
        {
            "description": "Limit concurrent Cargo PRs",
@@ -10,7 +10,7 @@
 [toolchain]
 profile = "minimal"
-channel = "1.92.0"
+channel = "1.90.0"
 components = [
    # For rust-analyzer
    "rust-src",
@@ -80,7 +80,6 @@ conduwuit-macros.workspace = true
 conduwuit-service.workspace = true
 const-str.workspace = true
 futures.workspace = true
 lettre.workspace = true
 log.workspace = true
 ruma.workspace = true
 serde_json.workspace = true
@@ -19,7 +19,6 @@ use conduwuit::{
 	warn,
 };
 use futures::{FutureExt, StreamExt, TryStreamExt};
 use lettre::message::Mailbox;
 use ruma::{
 	CanonicalJsonObject, CanonicalJsonValue, EventId, OwnedEventId, OwnedRoomId,
 	OwnedRoomOrAliasId, OwnedServerName, RoomId, RoomVersionId,
@@ -877,31 +876,3 @@ pub(super) async fn trim_memory(&self) -> Result {
 	writeln!(self, "done").await
 }
 #[admin_command]
 pub(super) async fn send_test_email(&self) -> Result {
 	self.bail_restricted()?;
 	let mailer = self.services.mailer.expect_mailer()?;
 	let Some(sender) = self.sender else {
 		return Err!("No sender user provided in context");
 	};
 	let Some(email) = self
 		.services
 		.threepid
 		.get_email_for_localpart(sender.localpart())
 		.await
 	else {
 		return Err!("{} has no associated email address", sender);
 	};
 	mailer
 		.send(Mailbox::new(None, email.clone()), service::mailer::messages::Test)
 		.await?;
 	self.write_str(&format!("Test email successfully sent to {email}"))
 		.await?;
 	Ok(())
 }
@@ -225,9 +225,6 @@ pub enum DebugCommand {
 		level: Option<i32>,
 	},
 	/// Send a test email to the invoking admin's email address
 	SendTestEmail,
 	/// Developer test stubs
 	#[command(subcommand)]
 	#[allow(non_snake_case)]
@@ -11,7 +11,6 @@ use conduwuit::{
 	warn,
 };
 use futures::{FutureExt, StreamExt};
 use lettre::Address;
 use ruma::{
 	OwnedEventId, OwnedRoomId, OwnedRoomOrAliasId, OwnedServerName, OwnedUserId, UserId,
 	events::{
@@ -297,31 +296,6 @@ pub(super) async fn reset_password(
 	Ok(())
 }
 #[admin_command]
 pub(super) async fn issue_password_reset_link(&self, username: String) -> Result {
 	use conduwuit_service::password_reset::{PASSWORD_RESET_PATH, RESET_TOKEN_QUERY_PARAM};
 	self.bail_restricted()?;
 	let mut reset_url = self
 		.services
 		.config
 		.get_client_domain()
 		.join(PASSWORD_RESET_PATH)
 		.unwrap();
 	let user_id = parse_local_user_id(self.services, &username)?;
 	let token = self.services.password_reset.issue_token(user_id).await?;
 	reset_url
 		.query_pairs_mut()
 		.append_pair(RESET_TOKEN_QUERY_PARAM, &token.token);
 	self.write_str(&format!("Password reset link issued for {username}: {reset_url}"))
 		.await?;
 	Ok(())
 }
 #[admin_command]
 pub(super) async fn deactivate_all(&self, no_leave_rooms: bool, force: bool) -> Result {
 	if self.body.len() < 2
@@ -1095,106 +1069,3 @@ pub(super) async fn enable_login(&self, user_id: String) -> Result {
 	self.write_str(&format!("{user_id} can now log in.")).await
 }
 #[admin_command]
 pub(super) async fn get_email(&self, user_id: String) -> Result {
 	self.bail_restricted()?;
 	let user_id = parse_local_user_id(self.services, &user_id)?;
 	match self
 		.services
 		.threepid
 		.get_email_for_localpart(user_id.localpart())
 		.await
 	{
 		| Some(email) =>
 			self.write_str(&format!("{user_id} has the associated email address {email}."))
 				.await,
 		| None =>
 			self.write_str(&format!("{user_id} has no associated email address."))
 				.await,
 	}
 }
 #[admin_command]
 pub(super) async fn get_user_by_email(&self, email: String) -> Result {
 	self.bail_restricted()?;
 	let Ok(email) = Address::try_from(email) else {
 		return Err!("Invalid email address.");
 	};
 	match self.services.threepid.get_localpart_for_email(&email).await {
 		| Some(localpart) => {
 			let user_id = OwnedUserId::parse(format!(
 				"@{localpart}:{}",
 				self.services.globals.server_name()
 			))
 			.unwrap();
 			self.write_str(&format!("{email} belongs to {user_id}."))
 				.await
 		},
 		| None =>
 			self.write_str(&format!("No user has {email} as their email address."))
 				.await,
 	}
 }
 #[admin_command]
 pub(super) async fn change_email(&self, user_id: String, email: Option<String>) -> Result {
 	self.bail_restricted()?;
 	let user_id = parse_local_user_id(self.services, &user_id)?;
 	let Ok(new_email) = email.map(Address::try_from).transpose() else {
 		return Err!("Invalid email address.");
 	};
 	if self.services.mailer.mailer().is_none() {
 		warn!("SMTP has not been configured on this server, emails cannot be sent.");
 	}
 	let current_email = self
 		.services
 		.threepid
 		.get_email_for_localpart(user_id.localpart())
 		.await;
 	match (current_email, new_email) {
 		| (None, None) =>
 			self.write_str(&format!(
 				"{user_id} already had no associated email. No changes have been made."
 			))
 			.await,
 		| (current_email, Some(new_email)) => {
 			self.services
 				.threepid
 				.associate_localpart_email(user_id.localpart(), &new_email)
 				.await?;
 			if let Some(current_email) = current_email {
 				self.write_str(&format!(
 					"The associated email of {user_id} has been changed from {current_email} to \
 					 {new_email}."
 				))
 				.await
 			} else {
 				self.write_str(&format!(
 					"{user_id} has been associated with the email {new_email}."
 				))
 				.await
 			}
 		},
 		| (Some(current_email), None) => {
 			self.services
 				.threepid
 				.disassociate_localpart_email(user_id.localpart())
 				.await;
 			self.write_str(&format!(
 				"The associated email of {user_id} has been removed (it was {current_email})."
 			))
 			.await
 		},
 	}
 }
@@ -29,30 +29,6 @@ pub enum UserCommand {
 		password: Option<String>,
 	},
 	/// Issue a self-service password reset link for a user.
 	IssuePasswordResetLink {
 		/// Username of the user who may use the link
 		username: String,
 	},
 	/// Get a user's associated email address.
 	GetEmail {
 		user_id: String,
 	},
 	/// Get the user with the given email address.
 	GetUserByEmail {
 		email: String,
 	},
 	/// Update or remove a user's email address.
 	///
 	/// If `email` is not supplied, the user's existing address will be removed.
 	ChangeEmail {
 		user_id: String,
 		email: Option<String>,
 	},
 	/// Deactivate a user
 	///
 	/// User will be removed from all rooms by default.
@@ -85,7 +85,6 @@ http-body-util.workspace = true
 hyper.workspace = true
 ipaddress.workspace = true
 itertools.workspace = true
 lettre.workspace = true
 log.workspace = true
 rand.workspace = true
 reqwest.workspace = true
@@ -0,0 +1,980 @@
 use std::fmt::Write;
 use axum::extract::State;
 use axum_client_ip::InsecureClientIp;
 use conduwuit::{
 	Err, Error, Event, Result, debug_info, err, error, info,
 	matrix::pdu::PduBuilder,
 	utils::{self, ReadyExt, stream::BroadbandExt},
 	warn,
 };
 use conduwuit_service::Services;
 use futures::{FutureExt, StreamExt};
 use register::RegistrationKind;
 use ruma::{
 	OwnedRoomId, UserId,
 	api::client::{
 		account::{
 			ThirdPartyIdRemovalStatus, change_password, check_registration_token_validity,
 			deactivate, get_3pids, get_username_availability,
 			register::{self, LoginType},
 			request_3pid_management_token_via_email, request_3pid_management_token_via_msisdn,
 			whoami,
 		},
 		uiaa::{AuthFlow, AuthType, UiaaInfo},
 	},
 	events::{
 		GlobalAccountDataEventType, StateEventType,
 		room::{
 			member::{MembershipState, RoomMemberEventContent},
 			message::RoomMessageEventContent,
 			power_levels::{RoomPowerLevels, RoomPowerLevelsEventContent},
 		},
 	},
 	push,
 };
 use super::{DEVICE_ID_LENGTH, SESSION_ID_LENGTH, TOKEN_LENGTH, join_room_by_id_helper};
 use crate::Ruma;
 const RANDOM_USER_ID_LENGTH: usize = 10;
 /// # `GET /_matrix/client/v3/register/available`
 ///
 /// Checks if a username is valid and available on this server.
 ///
 /// Conditions for returning true:
 /// - The user id is not historical
 /// - The server name of the user id matches this server
 /// - No user or appservice on this server already claimed this username
 ///
 /// Note: This will not reserve the username, so the username might become
 /// invalid when trying to register
 #[tracing::instrument(skip_all, fields(%client), name = "register_available", level = "info")]
 pub(crate) async fn get_register_available_route(
 	State(services): State<crate::State>,
 	InsecureClientIp(client): InsecureClientIp,
 	body: Ruma<get_username_availability::v3::Request>,
 ) -> Result<get_username_availability::v3::Response> {
 	// workaround for https://github.com/matrix-org/matrix-appservice-irc/issues/1780 due to inactivity of fixing the issue
 	let is_matrix_appservice_irc = body.appservice_info.as_ref().is_some_and(|appservice| {
 		appservice.registration.id == "irc"
 			|| appservice.registration.id.contains("matrix-appservice-irc")
 			|| appservice.registration.id.contains("matrix_appservice_irc")
 	});
 	if services
 		.globals
 		.forbidden_usernames()
 		.is_match(&body.username)
 	{
 		return Err!(Request(Forbidden("Username is forbidden")));
 	}
 	// don't force the username lowercase if it's from matrix-appservice-irc
 	let body_username = if is_matrix_appservice_irc {
 		body.username.clone()
 	} else {
 		body.username.to_lowercase()
 	};
 	// Validate user id
 	let user_id =
 		match UserId::parse_with_server_name(&body_username, services.globals.server_name()) {
 			| Ok(user_id) => {
 				if let Err(e) = user_id.validate_strict() {
 					// unless the username is from the broken matrix appservice IRC bridge, we
 					// should follow synapse's behaviour on not allowing things like spaces
 					// and UTF-8 characters in usernames
 					if !is_matrix_appservice_irc {
 						return Err!(Request(InvalidUsername(debug_warn!(
 							"Username {body_username} contains disallowed characters or spaces: \
 							 {e}"
 						))));
 					}
 				}
 				user_id
 			},
 			| Err(e) => {
 				return Err!(Request(InvalidUsername(debug_warn!(
 					"Username {body_username} is not valid: {e}"
 				))));
 			},
 		};
 	// Check if username is creative enough
 	if services.users.exists(&user_id).await {
 		return Err!(Request(UserInUse("User ID is not available.")));
 	}
 	if let Some(ref info) = body.appservice_info {
 		if !info.is_user_match(&user_id) {
 			return Err!(Request(Exclusive("Username is not in an appservice namespace.")));
 		}
 	}
 	if services.appservice.is_exclusive_user_id(&user_id).await {
 		return Err!(Request(Exclusive("Username is reserved by an appservice.")));
 	}
 	Ok(get_username_availability::v3::Response { available: true })
 }
 /// # `POST /_matrix/client/v3/register`
 ///
 /// Register an account on this homeserver.
 ///
 /// You can use [`GET
 /// /_matrix/client/v3/register/available`](fn.get_register_available_route.
 /// html) to check if the user id is valid and available.
 ///
 /// - Only works if registration is enabled
 /// - If type is guest: ignores all parameters except
 ///   initial_device_display_name
 /// - If sender is not appservice: Requires UIAA (but we only use a dummy stage)
 /// - If type is not guest and no username is given: Always fails after UIAA
 ///   check
 /// - Creates a new account and populates it with default account data
 /// - If `inhibit_login` is false: Creates a device and returns device id and
 ///   access_token
 #[allow(clippy::doc_markdown)]
 #[tracing::instrument(skip_all, fields(%client), name = "register", level = "info")]
 pub(crate) async fn register_route(
 	State(services): State<crate::State>,
 	InsecureClientIp(client): InsecureClientIp,
 	body: Ruma<register::v3::Request>,
 ) -> Result<register::v3::Response> {
 	let is_guest = body.kind == RegistrationKind::Guest;
 	let emergency_mode_enabled = services.config.emergency_password.is_some();
 	// Allow registration if it's enabled in the config file or if this is the first
 	// run (so the first user account can be created)
 	let allow_registration =
 		services.config.allow_registration || services.firstrun.is_first_run();
 	if !allow_registration && body.appservice_info.is_none() {
 		match (body.username.as_ref(), body.initial_device_display_name.as_ref()) {
 			| (Some(username), Some(device_display_name)) => {
 				info!(
 					%is_guest,
 					user = %username,
 					device_name = %device_display_name,
 					"Rejecting registration attempt as registration is disabled"
 				);
 			},
 			| (Some(username), _) => {
 				info!(
 					%is_guest,
 					user = %username,
 					"Rejecting registration attempt as registration is disabled"
 				);
 			},
 			| (_, Some(device_display_name)) => {
 				info!(
 					%is_guest,
 					device_name = %device_display_name,
 					"Rejecting registration attempt as registration is disabled"
 				);
 			},
 			| (None, _) => {
 				info!(
 					%is_guest,
 					"Rejecting registration attempt as registration is disabled"
 				);
 			},
 		}
 		return Err!(Request(Forbidden(
 			"This server is not accepting registrations at this time."
 		)));
 	}
 	if is_guest && !services.config.allow_guest_registration {
 		info!(
 			"Guest registration disabled, rejecting guest registration attempt, initial device \
 			 name: \"{}\"",
 			body.initial_device_display_name.as_deref().unwrap_or("")
 		);
 		return Err!(Request(GuestAccessForbidden("Guest registration is disabled.")));
 	}
 	// forbid guests from registering if there is not a real admin user yet. give
 	// generic user error.
 	if is_guest && services.users.count().await < 2 {
 		warn!(
 			"Guest account attempted to register before a real admin user has been registered, \
 			 rejecting registration. Guest's initial device name: \"{}\"",
 			body.initial_device_display_name.as_deref().unwrap_or("")
 		);
 		return Err!(Request(Forbidden(
 			"This server is not accepting registrations at this time."
 		)));
 	}
 	let user_id = match (body.username.as_ref(), is_guest) {
 		| (Some(username), false) => {
 			// workaround for https://github.com/matrix-org/matrix-appservice-irc/issues/1780 due to inactivity of fixing the issue
 			let is_matrix_appservice_irc =
 				body.appservice_info.as_ref().is_some_and(|appservice| {
 					appservice.registration.id == "irc"
 						|| appservice.registration.id.contains("matrix-appservice-irc")
 						|| appservice.registration.id.contains("matrix_appservice_irc")
 				});
 			if services.globals.forbidden_usernames().is_match(username)
 				&& !emergency_mode_enabled
 			{
 				return Err!(Request(Forbidden("Username is forbidden")));
 			}
 			// don't force the username lowercase if it's from matrix-appservice-irc
 			let body_username = if is_matrix_appservice_irc {
 				username.clone()
 			} else {
 				username.to_lowercase()
 			};
 			let proposed_user_id = match UserId::parse_with_server_name(
 				&body_username,
 				services.globals.server_name(),
 			) {
 				| Ok(user_id) => {
 					if let Err(e) = user_id.validate_strict() {
 						// unless the username is from the broken matrix appservice IRC bridge, or
 						// we are in emergency mode, we should follow synapse's behaviour on
 						// not allowing things like spaces and UTF-8 characters in usernames
 						if !is_matrix_appservice_irc && !emergency_mode_enabled {
 							return Err!(Request(InvalidUsername(debug_warn!(
 								"Username {body_username} contains disallowed characters or \
 								 spaces: {e}"
 							))));
 						}
 					}
 					// Don't allow registration with user IDs that aren't local
 					if !services.globals.user_is_local(&user_id) {
 						return Err!(Request(InvalidUsername(
 							"Username {body_username} is not local to this server"
 						)));
 					}
 					user_id
 				},
 				| Err(e) => {
 					return Err!(Request(InvalidUsername(debug_warn!(
 						"Username {body_username} is not valid: {e}"
 					))));
 				},
 			};
 			if services.users.exists(&proposed_user_id).await {
 				return Err!(Request(UserInUse("User ID is not available.")));
 			}
 			proposed_user_id
 		},
 		| _ => loop {
 			let proposed_user_id = UserId::parse_with_server_name(
 				utils::random_string(RANDOM_USER_ID_LENGTH).to_lowercase(),
 				services.globals.server_name(),
 			)
 			.unwrap();
 			if !services.users.exists(&proposed_user_id).await {
 				break proposed_user_id;
 			}
 		},
 	};
 	if body.body.login_type == Some(LoginType::ApplicationService) {
 		match body.appservice_info {
 			| Some(ref info) =>
 				if !info.is_user_match(&user_id) && !emergency_mode_enabled {
 					return Err!(Request(Exclusive(
 						"Username is not in an appservice namespace."
 					)));
 				},
 			| _ => {
 				return Err!(Request(MissingToken("Missing appservice token.")));
 			},
 		}
 	} else if services.appservice.is_exclusive_user_id(&user_id).await && !emergency_mode_enabled
 	{
 		return Err!(Request(Exclusive("Username is reserved by an appservice.")));
 	}
 	// UIAA
 	let mut uiaainfo = UiaaInfo {
 		flows: Vec::new(),
 		completed: Vec::new(),
 		params: Box::default(),
 		session: None,
 		auth_error: None,
 	};
 	let skip_auth = body.appservice_info.is_some() || is_guest;
 	// Populate required UIAA flows
 	if services.firstrun.is_first_run() {
 		// Registration token forced while in first-run mode
 		uiaainfo.flows.push(AuthFlow {
 			stages: vec![AuthType::RegistrationToken],
 		});
 	} else {
 		if services
 			.registration_tokens
 			.iterate_tokens()
 			.next()
 			.await
 			.is_some()
 		{
 			// Registration token required
 			uiaainfo.flows.push(AuthFlow {
 				stages: vec![AuthType::RegistrationToken],
 			});
 		}
 		if services.config.recaptcha_private_site_key.is_some() {
 			if let Some(pubkey) = &services.config.recaptcha_site_key {
 				// ReCaptcha required
 				uiaainfo
 					.flows
 					.push(AuthFlow { stages: vec![AuthType::ReCaptcha] });
 				uiaainfo.params = serde_json::value::to_raw_value(&serde_json::json!({
 					"m.login.recaptcha": {
 						"public_key": pubkey,
 					},
 				}))
 				.expect("Failed to serialize recaptcha params");
 			}
 		}
 		if uiaainfo.flows.is_empty() && !skip_auth {
 			// Registration isn't _disabled_, but there's no captcha configured and no
 			// registration tokens currently set. Bail out by default unless open
 			// registration was explicitly enabled.
 			if !services
 				.config
 				.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
 			{
 				return Err!(Request(Forbidden(
 					"This server is not accepting registrations at this time."
 				)));
 			}
 			// We have open registration enabled (😧), provide a dummy stage
 			uiaainfo = UiaaInfo {
 				flows: vec![AuthFlow { stages: vec![AuthType::Dummy] }],
 				completed: Vec::new(),
 				params: Box::default(),
 				session: None,
 				auth_error: None,
 			};
 		}
 	}
 	if !skip_auth {
 		match &body.auth {
 			| Some(auth) => {
 				let (worked, uiaainfo) = services
 					.uiaa
 					.try_auth(
 						&UserId::parse_with_server_name("", services.globals.server_name())
 							.unwrap(),
 						"".into(),
 						auth,
 						&uiaainfo,
 					)
 					.await?;
 				if !worked {
 					return Err(Error::Uiaa(uiaainfo));
 				}
 				// Success!
 			},
 			| _ => match body.json_body {
 				| Some(ref json) => {
 					uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
 					services.uiaa.create(
 						&UserId::parse_with_server_name("", services.globals.server_name())
 							.unwrap(),
 						"".into(),
 						&uiaainfo,
 						json,
 					);
 					return Err(Error::Uiaa(uiaainfo));
 				},
 				| _ => {
 					return Err!(Request(NotJson("JSON body is not valid")));
 				},
 			},
 		}
 	}
 	let password = if is_guest { None } else { body.password.as_deref() };
 	// Create user
 	services.users.create(&user_id, password, None).await?;
 	// Default to pretty displayname
 	let mut displayname = user_id.localpart().to_owned();
 	// If `new_user_displayname_suffix` is set, registration will push whatever
 	// content is set to the user's display name with a space before it
 	if !services.globals.new_user_displayname_suffix().is_empty()
 		&& body.appservice_info.is_none()
 	{
 		write!(displayname, " {}", services.server.config.new_user_displayname_suffix)?;
 	}
 	services
 		.users
 		.set_displayname(&user_id, Some(displayname.clone()));
 	// Initial account data
 	services
 		.account_data
 		.update(
 			None,
 			&user_id,
 			GlobalAccountDataEventType::PushRules.to_string().into(),
 			&serde_json::to_value(ruma::events::push_rules::PushRulesEvent {
 				content: ruma::events::push_rules::PushRulesEventContent {
 					global: push::Ruleset::server_default(&user_id),
 				},
 			})?,
 		)
 		.await?;
 	// Generate new device id if the user didn't specify one
 	let no_device = body.inhibit_login
 		|| body
 			.appservice_info
 			.as_ref()
 			.is_some_and(|aps| aps.registration.device_management);
 	let (token, device) = if !no_device {
 		// Don't create a device for inhibited logins
 		let device_id = if is_guest { None } else { body.device_id.clone() }
 			.unwrap_or_else(|| utils::random_string(DEVICE_ID_LENGTH).into());
 		// Generate new token for the device
 		let new_token = utils::random_string(TOKEN_LENGTH);
 		// Create device for this account
 		services
 			.users
 			.create_device(
 				&user_id,
 				&device_id,
 				&new_token,
 				body.initial_device_display_name.clone(),
 				Some(client.to_string()),
 			)
 			.await?;
 		debug_info!(%user_id, %device_id, "User account was created");
 		(Some(new_token), Some(device_id))
 	} else {
 		(None, None)
 	};
 	let device_display_name = body.initial_device_display_name.as_deref().unwrap_or("");
 	// log in conduit admin channel if a non-guest user registered
 	if body.appservice_info.is_none() && !is_guest {
 		if !device_display_name.is_empty() {
 			let notice = format!(
 				"New user \"{user_id}\" registered on this server from IP {client} and device \
 				 display name \"{device_display_name}\""
 			);
 			info!("{notice}");
 			if services.server.config.admin_room_notices {
 				services.admin.notice(&notice).await;
 			}
 		} else {
 			let notice = format!("New user \"{user_id}\" registered on this server.");
 			info!("{notice}");
 			if services.server.config.admin_room_notices {
 				services.admin.notice(&notice).await;
 			}
 		}
 	}
 	// log in conduit admin channel if a guest registered
 	if body.appservice_info.is_none() && is_guest && services.config.log_guest_registrations {
 		debug_info!("New guest user \"{user_id}\" registered on this server.");
 		if !device_display_name.is_empty() {
 			if services.server.config.admin_room_notices {
 				services
 					.admin
 					.notice(&format!(
 						"Guest user \"{user_id}\" with device display name \
 						 \"{device_display_name}\" registered on this server from IP {client}"
 					))
 					.await;
 			}
 		} else {
 			#[allow(clippy::collapsible_else_if)]
 			if services.server.config.admin_room_notices {
 				services
 					.admin
 					.notice(&format!(
 						"Guest user \"{user_id}\" with no device display name registered on \
 						 this server from IP {client}",
 					))
 					.await;
 			}
 		}
 	}
 	if !is_guest {
 		// Make the first user to register an administrator and disable first-run mode.
 		let was_first_user = services.firstrun.empower_first_user(&user_id).await?;
 		// If the registering user was not the first and we're suspending users on
 		// register, suspend them.
 		if !was_first_user && services.config.suspend_on_register {
 			// Note that we can still do auto joins for suspended users
 			services
 				.users
 				.suspend_account(&user_id, &services.globals.server_user)
 				.await;
 			// And send an @room notice to the admin room, to prompt admins to review the
 			// new user and ideally unsuspend them if deemed appropriate.
 			if services.server.config.admin_room_notices {
 				services
 					.admin
 					.send_loud_message(RoomMessageEventContent::text_plain(format!(
 						"User {user_id} has been suspended as they are not the first user on \
 						 this server. Please review and unsuspend them if appropriate."
 					)))
 					.await
 					.ok();
 			}
 		}
 	}
 	if body.appservice_info.is_none()
 		&& !services.server.config.auto_join_rooms.is_empty()
 		&& (services.config.allow_guests_auto_join_rooms || !is_guest)
 	{
 		for room in &services.server.config.auto_join_rooms {
 			let Ok(room_id) = services.rooms.alias.resolve(room).await else {
 				error!(
 					"Failed to resolve room alias to room ID when attempting to auto join \
 					 {room}, skipping"
 				);
 				continue;
 			};
 			if !services
 				.rooms
 				.state_cache
 				.server_in_room(services.globals.server_name(), &room_id)
 				.await
 			{
 				warn!(
 					"Skipping room {room} to automatically join as we have never joined before."
 				);
 				continue;
 			}
 			if let Some(room_server_name) = room.server_name() {
 				match join_room_by_id_helper(
 					&services,
 					&user_id,
 					&room_id,
 					Some("Automatically joining this room upon registration".to_owned()),
 					&[services.globals.server_name().to_owned(), room_server_name.to_owned()],
 					&body.appservice_info,
 				)
 				.boxed()
 				.await
 				{
 					| Err(e) => {
 						// don't return this error so we don't fail registrations
 						error!(
 							"Failed to automatically join room {room} for user {user_id}: {e}"
 						);
 					},
 					| _ => {
 						info!("Automatically joined room {room} for user {user_id}");
 					},
 				}
 			}
 		}
 	}
 	Ok(register::v3::Response {
 		access_token: token,
 		user_id,
 		device_id: device,
 		refresh_token: None,
 		expires_in: None,
 	})
 }
 /// # `POST /_matrix/client/r0/account/password`
 ///
 /// Changes the password of this account.
 ///
 /// - Requires UIAA to verify user password
 /// - Changes the password of the sender user
 /// - The password hash is calculated using argon2 with 32 character salt, the
 ///   plain password is
 /// not saved
 ///
 /// If logout_devices is true it does the following for each device except the
 /// sender device:
 /// - Invalidates access token
 /// - Deletes device metadata (device id, device display name, last seen ip,
 ///   last seen ts)
 /// - Forgets to-device events
 /// - Triggers device list updates
 #[tracing::instrument(skip_all, fields(%client), name = "change_password", level = "info")]
 pub(crate) async fn change_password_route(
 	State(services): State<crate::State>,
 	InsecureClientIp(client): InsecureClientIp,
 	body: Ruma<change_password::v3::Request>,
 ) -> Result<change_password::v3::Response> {
 	// Authentication for this endpoint was made optional, but we need
 	// authentication currently
 	let sender_user = body
 		.sender_user
 		.as_ref()
 		.ok_or_else(|| err!(Request(MissingToken("Missing access token."))))?;
 	let mut uiaainfo = UiaaInfo {
 		flows: vec![AuthFlow { stages: vec![AuthType::Password] }],
 		completed: Vec::new(),
 		params: Box::default(),
 		session: None,
 		auth_error: None,
 	};
 	match &body.auth {
 		| Some(auth) => {
 			let (worked, uiaainfo) = services
 				.uiaa
 				.try_auth(sender_user, body.sender_device(), auth, &uiaainfo)
 				.await?;
 			if !worked {
 				return Err(Error::Uiaa(uiaainfo));
 			}
 			// Success!
 		},
 		| _ => match body.json_body {
 			| Some(ref json) => {
 				uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
 				services
 					.uiaa
 					.create(sender_user, body.sender_device(), &uiaainfo, json);
 				return Err(Error::Uiaa(uiaainfo));
 			},
 			| _ => {
 				return Err!(Request(NotJson("JSON body is not valid")));
 			},
 		},
 	}
 	services
 		.users
 		.set_password(sender_user, Some(&body.new_password))
 		.await?;
 	if body.logout_devices {
 		// Logout all devices except the current one
 		services
 			.users
 			.all_device_ids(sender_user)
 			.ready_filter(|id| *id != body.sender_device())
 			.for_each(|id| services.users.remove_device(sender_user, id))
 			.await;
 		// Remove all pushers except the ones associated with this session
 		services
 			.pusher
 			.get_pushkeys(sender_user)
 			.map(ToOwned::to_owned)
 			.broad_filter_map(async |pushkey| {
 				services
 					.pusher
 					.get_pusher_device(&pushkey)
 					.await
 					.ok()
 					.filter(|pusher_device| pusher_device != body.sender_device())
 					.is_some()
 					.then_some(pushkey)
 			})
 			.for_each(async |pushkey| {
 				services.pusher.delete_pusher(sender_user, &pushkey).await;
 			})
 			.await;
 	}
 	info!("User {sender_user} changed their password.");
 	if services.server.config.admin_room_notices {
 		services
 			.admin
 			.notice(&format!("User {sender_user} changed their password."))
 			.await;
 	}
 	Ok(change_password::v3::Response {})
 }
 /// # `GET /_matrix/client/v3/account/whoami`
 ///
 /// Get `user_id` of the sender user.
 ///
 /// Note: Also works for Application Services
 pub(crate) async fn whoami_route(
 	State(services): State<crate::State>,
 	body: Ruma<whoami::v3::Request>,
 ) -> Result<whoami::v3::Response> {
 	let is_guest = services
 		.users
 		.is_deactivated(body.sender_user())
 		.await
 		.map_err(|_| {
 			err!(Request(Forbidden("Application service has not registered this user.")))
 		})? && body.appservice_info.is_none();
 	Ok(whoami::v3::Response {
 		user_id: body.sender_user().to_owned(),
 		device_id: body.sender_device.clone(),
 		is_guest,
 	})
 }
 /// # `POST /_matrix/client/r0/account/deactivate`
 ///
 /// Deactivate sender user account.
 ///
 /// - Leaves all rooms and rejects all invitations
 /// - Invalidates all access tokens
 /// - Deletes all device metadata (device id, device display name, last seen ip,
 ///   last seen ts)
 /// - Forgets all to-device events
 /// - Triggers device list updates
 /// - Removes ability to log in again
 #[tracing::instrument(skip_all, fields(%client), name = "deactivate", level = "info")]
 pub(crate) async fn deactivate_route(
 	State(services): State<crate::State>,
 	InsecureClientIp(client): InsecureClientIp,
 	body: Ruma<deactivate::v3::Request>,
 ) -> Result<deactivate::v3::Response> {
 	// Authentication for this endpoint was made optional, but we need
 	// authentication currently
 	let sender_user = body
 		.sender_user
 		.as_ref()
 		.ok_or_else(|| err!(Request(MissingToken("Missing access token."))))?;
 	let mut uiaainfo = UiaaInfo {
 		flows: vec![AuthFlow { stages: vec![AuthType::Password] }],
 		completed: Vec::new(),
 		params: Box::default(),
 		session: None,
 		auth_error: None,
 	};
 	match &body.auth {
 		| Some(auth) => {
 			let (worked, uiaainfo) = services
 				.uiaa
 				.try_auth(sender_user, body.sender_device(), auth, &uiaainfo)
 				.await?;
 			if !worked {
 				return Err(Error::Uiaa(uiaainfo));
 			}
 			// Success!
 		},
 		| _ => match body.json_body {
 			| Some(ref json) => {
 				uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
 				services
 					.uiaa
 					.create(sender_user, body.sender_device(), &uiaainfo, json);
 				return Err(Error::Uiaa(uiaainfo));
 			},
 			| _ => {
 				return Err!(Request(NotJson("JSON body is not valid")));
 			},
 		},
 	}
 	// Remove profile pictures and display name
 	let all_joined_rooms: Vec<OwnedRoomId> = services
 		.rooms
 		.state_cache
 		.rooms_joined(sender_user)
 		.map(Into::into)
 		.collect()
 		.await;
 	full_user_deactivate(&services, sender_user, &all_joined_rooms)
 		.boxed()
 		.await?;
 	info!("User {sender_user} deactivated their account.");
 	if services.server.config.admin_room_notices {
 		services
 			.admin
 			.notice(&format!("User {sender_user} deactivated their account."))
 			.await;
 	}
 	Ok(deactivate::v3::Response {
 		id_server_unbind_result: ThirdPartyIdRemovalStatus::NoSupport,
 	})
 }
 /// # `GET _matrix/client/v3/account/3pid`
 ///
 /// Get a list of third party identifiers associated with this account.
 ///
 /// - Currently always returns empty list
 pub(crate) async fn third_party_route(
 	body: Ruma<get_3pids::v3::Request>,
 ) -> Result<get_3pids::v3::Response> {
 	let _sender_user = body.sender_user.as_ref().expect("user is authenticated");
 	Ok(get_3pids::v3::Response::new(Vec::new()))
 }
 /// # `POST /_matrix/client/v3/account/3pid/email/requestToken`
 ///
 /// "This API should be used to request validation tokens when adding an email
 /// address to an account"
 ///
 /// - 403 signals that The homeserver does not allow the third party identifier
 ///   as a contact option.
 pub(crate) async fn request_3pid_management_token_via_email_route(
 	_body: Ruma<request_3pid_management_token_via_email::v3::Request>,
 ) -> Result<request_3pid_management_token_via_email::v3::Response> {
 	Err!(Request(ThreepidDenied("Third party identifiers are not implemented")))
 }
 /// # `POST /_matrix/client/v3/account/3pid/msisdn/requestToken`
 ///
 /// "This API should be used to request validation tokens when adding an phone
 /// number to an account"
 ///
 /// - 403 signals that The homeserver does not allow the third party identifier
 ///   as a contact option.
 pub(crate) async fn request_3pid_management_token_via_msisdn_route(
 	_body: Ruma<request_3pid_management_token_via_msisdn::v3::Request>,
 ) -> Result<request_3pid_management_token_via_msisdn::v3::Response> {
 	Err!(Request(ThreepidDenied("Third party identifiers are not implemented")))
 }
 /// # `GET /_matrix/client/v1/register/m.login.registration_token/validity`
 ///
 /// Checks if the provided registration token is valid at the time of checking.
 pub(crate) async fn check_registration_token_validity(
 	State(services): State<crate::State>,
 	body: Ruma<check_registration_token_validity::v1::Request>,
 ) -> Result<check_registration_token_validity::v1::Response> {
 	// TODO: ratelimit this pretty heavily
 	let valid = services
 		.registration_tokens
 		.validate_token(body.token.clone())
 		.await
 		.is_some();
 	Ok(check_registration_token_validity::v1::Response { valid })
 }
 /// Runs through all the deactivation steps:
 ///
 /// - Mark as deactivated
 /// - Removing display name
 /// - Removing avatar URL and blurhash
 /// - Removing all profile data
 /// - Leaving all rooms (and forgets all of them)
 pub async fn full_user_deactivate(
 	services: &Services,
 	user_id: &UserId,
 	all_joined_rooms: &[OwnedRoomId],
 ) -> Result<()> {
 	services.users.deactivate_account(user_id).await.ok();
 	services
 		.users
 		.all_profile_keys(user_id)
 		.ready_for_each(|(profile_key, _)| {
 			services.users.set_profile_key(user_id, &profile_key, None);
 		})
 		.await;
 	// TODO: Rescind all user invites
 	let mut pdu_queue: Vec<(PduBuilder, &OwnedRoomId)> = Vec::new();
 	for room_id in all_joined_rooms {
 		let room_power_levels = services
 			.rooms
 			.state_accessor
 			.room_state_get_content::<RoomPowerLevelsEventContent>(
 				room_id,
 				&StateEventType::RoomPowerLevels,
 				"",
 			)
 			.await
 			.ok();
 		let user_can_demote_self =
 			room_power_levels
 				.as_ref()
 				.is_some_and(|power_levels_content| {
 					RoomPowerLevels::from(power_levels_content.clone())
 						.user_can_change_user_power_level(user_id, user_id)
 				}) || services
 				.rooms
 				.state_accessor
 				.room_state_get(room_id, &StateEventType::RoomCreate, "")
 				.await
 				.is_ok_and(|event| event.sender() == user_id);
 		if user_can_demote_self {
 			let mut power_levels_content = room_power_levels.unwrap_or_default();
 			power_levels_content.users.remove(user_id);
 			let pl_evt = PduBuilder::state(String::new(), &power_levels_content);
 			pdu_queue.push((pl_evt, room_id));
 		}
 		// Leave the room
 		pdu_queue.push((
 			PduBuilder::state(user_id.to_string(), &RoomMemberEventContent {
 				avatar_url: None,
 				blurhash: None,
 				membership: MembershipState::Leave,
 				displayname: None,
 				join_authorized_via_users_server: None,
 				reason: None,
 				is_direct: None,
 				third_party_invite: None,
 				redact_events: None,
 			}),
 			room_id,
 		));
 		// TODO: Redact all messages sent by the user in the room
 	}
 	super::update_all_rooms(services, pdu_queue, user_id).await;
 	for room_id in all_joined_rooms {
 		services.rooms.state_cache.forget(room_id, user_id);
 	}
 	Ok(())
 }
@@ -1,426 +0,0 @@
 use axum::extract::State;
 use axum_client_ip::InsecureClientIp;
 use conduwuit::{
 	Err, Event, Result, err, info,
 	pdu::PduBuilder,
 	utils::{ReadyExt, stream::BroadbandExt},
 };
 use conduwuit_service::Services;
 use futures::{FutureExt, StreamExt};
 use lettre::{Address, message::Mailbox};
 use ruma::{
 	OwnedRoomId, OwnedUserId, UserId,
 	api::client::{
 		account::{
 			ThirdPartyIdRemovalStatus, change_password, check_registration_token_validity,
 			deactivate, get_username_availability, request_password_change_token_via_email,
 			whoami,
 		},
 		uiaa::{AuthFlow, AuthType},
 	},
 	events::{
 		StateEventType,
 		room::{
 			member::{MembershipState, RoomMemberEventContent},
 			power_levels::{RoomPowerLevels, RoomPowerLevelsEventContent},
 		},
 	},
 };
 use service::{mailer::messages, uiaa::Identity};
 use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH, join_room_by_id_helper};
 use crate::Ruma;
 pub(crate) mod register;
 pub(crate) mod threepid;
 /// # `GET /_matrix/client/v3/register/available`
 ///
 /// Checks if a username is valid and available on this server.
 ///
 /// Conditions for returning true:
 /// - The user id is not historical
 /// - The server name of the user id matches this server
 /// - No user or appservice on this server already claimed this username
 ///
 /// Note: This will not reserve the username, so the username might become
 /// invalid when trying to register
 #[tracing::instrument(skip_all, fields(%client), name = "register_available", level = "info")]
 pub(crate) async fn get_register_available_route(
 	State(services): State<crate::State>,
 	InsecureClientIp(client): InsecureClientIp,
 	body: Ruma<get_username_availability::v3::Request>,
 ) -> Result<get_username_availability::v3::Response> {
 	// Validate user id
 	let user_id =
 		match UserId::parse_with_server_name(&body.username, services.globals.server_name()) {
 			| Ok(user_id) => {
 				if let Err(e) = user_id.validate_strict() {
 					return Err!(Request(InvalidUsername(debug_warn!(
 						"Username {} contains disallowed characters or spaces: {e}",
 						body.username
 					))));
 				}
 				user_id
 			},
 			| Err(e) => {
 				return Err!(Request(InvalidUsername(debug_warn!(
 					"Username {} is not valid: {e}",
 					body.username
 				))));
 			},
 		};
 	// Check if username is creative enough
 	if services.users.exists(&user_id).await {
 		return Err!(Request(UserInUse("User ID is not available.")));
 	}
 	if let Some(ref info) = body.appservice_info {
 		if !info.is_user_match(&user_id) {
 			return Err!(Request(Exclusive("Username is not in an appservice namespace.")));
 		}
 	}
 	if services.appservice.is_exclusive_user_id(&user_id).await {
 		return Err!(Request(Exclusive("Username is reserved by an appservice.")));
 	}
 	Ok(get_username_availability::v3::Response { available: true })
 }
 /// # `POST /_matrix/client/r0/account/password`
 ///
 /// Changes the password of this account.
 ///
 /// - Requires UIAA to verify user password
 /// - Changes the password of the sender user
 /// - The password hash is calculated using argon2 with 32 character salt, the
 ///   plain password is
 /// not saved
 ///
 /// If logout_devices is true it does the following for each device except the
 /// sender device:
 /// - Invalidates access token
 /// - Deletes device metadata (device id, device display name, last seen ip,
 ///   last seen ts)
 /// - Forgets to-device events
 /// - Triggers device list updates
 #[tracing::instrument(skip_all, fields(%client), name = "change_password", level = "info")]
 pub(crate) async fn change_password_route(
 	State(services): State<crate::State>,
 	InsecureClientIp(client): InsecureClientIp,
 	body: Ruma<change_password::v3::Request>,
 ) -> Result<change_password::v3::Response> {
 	let identity = if let Some(ref user_id) = body.sender_user {
 		// A signed-in user is trying to change their password, prompt them for their
 		// existing one
 		services
 			.uiaa
 			.authenticate(
 				&body.auth,
 				vec![AuthFlow::new(vec![AuthType::Password])],
 				Box::default(),
 				Some(Identity::from_user_id(user_id)),
 			)
 			.await?
 	} else {
 		// A signed-out user is trying to reset their password, prompt them for email
 		// confirmation. Note that we do not _send_ an email here, their client should
 		// have already hit `/account/password/requestToken` to send the email. We
 		// just validate it.
 		services
 			.uiaa
 			.authenticate(
 				&body.auth,
 				vec![AuthFlow::new(vec![AuthType::EmailIdentity])],
 				Box::default(),
 				None,
 			)
 			.await?
 	};
 	let sender_user = OwnedUserId::parse(format!(
 		"@{}:{}",
 		identity.localpart.expect("localpart should be known"),
 		services.globals.server_name()
 	))
 	.expect("user ID should be valid");
 	services
 		.users
 		.set_password(&sender_user, Some(&body.new_password))
 		.await?;
 	if body.logout_devices {
 		// Logout all devices except the current one
 		services
 			.users
 			.all_device_ids(&sender_user)
 			.ready_filter(|id| *id != body.sender_device())
 			.for_each(|id| services.users.remove_device(&sender_user, id))
 			.await;
 		// Remove all pushers except the ones associated with this session
 		services
 			.pusher
 			.get_pushkeys(&sender_user)
 			.map(ToOwned::to_owned)
 			.broad_filter_map(async |pushkey| {
 				services
 					.pusher
 					.get_pusher_device(&pushkey)
 					.await
 					.ok()
 					.filter(|pusher_device| pusher_device != body.sender_device())
 					.is_some()
 					.then_some(pushkey)
 			})
 			.for_each(async |pushkey| {
 				services.pusher.delete_pusher(&sender_user, &pushkey).await;
 			})
 			.await;
 	}
 	info!("User {} changed their password.", &sender_user);
 	if services.server.config.admin_room_notices {
 		services
 			.admin
 			.notice(&format!("User {} changed their password.", &sender_user))
 			.await;
 	}
 	Ok(change_password::v3::Response {})
 }
 /// # `POST /_matrix/client/v3/account/password/email/requestToken`
 ///
 /// Requests a validation email for the purpose of resetting a user's password.
 pub(crate) async fn request_password_change_token_via_email_route(
 	State(services): State<crate::State>,
 	body: Ruma<request_password_change_token_via_email::v3::Request>,
 ) -> Result<request_password_change_token_via_email::v3::Response> {
 	let Ok(email) = Address::try_from(body.email.clone()) else {
 		return Err!(Request(InvalidParam("Invalid email address.")));
 	};
 	let Some(localpart) = services.threepid.get_localpart_for_email(&email).await else {
 		return Err!(Request(ThreepidNotFound(
 			"No account is associated with this email address"
 		)));
 	};
 	let user_id =
 		OwnedUserId::parse(format!("@{localpart}:{}", services.globals.server_name())).unwrap();
 	let display_name = services.users.displayname(&user_id).await.ok();
 	let session = services
 		.threepid
 		.send_validation_email(
 			Mailbox::new(display_name.clone(), email),
 			|verification_link| messages::PasswordReset {
 				display_name: display_name.as_deref(),
 				user_id: &user_id,
 				verification_link,
 			},
 			&body.client_secret,
 			body.send_attempt.try_into().unwrap(),
 		)
 		.await?;
 	Ok(request_password_change_token_via_email::v3::Response::new(session))
 }
 /// # `GET /_matrix/client/v3/account/whoami`
 ///
 /// Get `user_id` of the sender user.
 ///
 /// Note: Also works for Application Services
 pub(crate) async fn whoami_route(
 	State(services): State<crate::State>,
 	body: Ruma<whoami::v3::Request>,
 ) -> Result<whoami::v3::Response> {
 	let is_guest = services
 		.users
 		.is_deactivated(body.sender_user())
 		.await
 		.map_err(|_| {
 			err!(Request(Forbidden("Application service has not registered this user.")))
 		})? && body.appservice_info.is_none();
 	Ok(whoami::v3::Response {
 		user_id: body.sender_user().to_owned(),
 		device_id: body.sender_device.clone(),
 		is_guest,
 	})
 }
 /// # `POST /_matrix/client/r0/account/deactivate`
 ///
 /// Deactivate sender user account.
 ///
 /// - Leaves all rooms and rejects all invitations
 /// - Invalidates all access tokens
 /// - Deletes all device metadata (device id, device display name, last seen ip,
 ///   last seen ts)
 /// - Forgets all to-device events
 /// - Triggers device list updates
 /// - Removes ability to log in again
 #[tracing::instrument(skip_all, fields(%client), name = "deactivate", level = "info")]
 pub(crate) async fn deactivate_route(
 	State(services): State<crate::State>,
 	InsecureClientIp(client): InsecureClientIp,
 	body: Ruma<deactivate::v3::Request>,
 ) -> Result<deactivate::v3::Response> {
 	// Authentication for this endpoint is technically optional,
 	// but we require the user to be logged in
 	let sender_user = body
 		.sender_user
 		.as_ref()
 		.ok_or_else(|| err!(Request(MissingToken("Missing access token."))))?;
 	// Prompt the user to confirm with their password using UIAA
 	let _ = services
 		.uiaa
 		.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
 		.await?;
 	// Remove profile pictures and display name
 	let all_joined_rooms: Vec<OwnedRoomId> = services
 		.rooms
 		.state_cache
 		.rooms_joined(sender_user)
 		.map(Into::into)
 		.collect()
 		.await;
 	full_user_deactivate(&services, sender_user, &all_joined_rooms)
 		.boxed()
 		.await?;
 	info!("User {sender_user} deactivated their account.");
 	if services.server.config.admin_room_notices {
 		services
 			.admin
 			.notice(&format!("User {sender_user} deactivated their account."))
 			.await;
 	}
 	Ok(deactivate::v3::Response {
 		id_server_unbind_result: ThirdPartyIdRemovalStatus::Success,
 	})
 }
 /// # `GET /_matrix/client/v1/register/m.login.registration_token/validity`
 ///
 /// Checks if the provided registration token is valid at the time of checking.
 pub(crate) async fn check_registration_token_validity(
 	State(services): State<crate::State>,
 	body: Ruma<check_registration_token_validity::v1::Request>,
 ) -> Result<check_registration_token_validity::v1::Response> {
 	// TODO: ratelimit this pretty heavily
 	let valid = services
 		.registration_tokens
 		.validate_token(body.token.clone())
 		.await
 		.is_some();
 	Ok(check_registration_token_validity::v1::Response { valid })
 }
 /// Runs through all the deactivation steps:
 ///
 /// - Mark as deactivated
 /// - Removing display name
 /// - Removing avatar URL and blurhash
 /// - Removing all profile data
 /// - Leaving all rooms (and forgets all of them)
 pub async fn full_user_deactivate(
 	services: &Services,
 	user_id: &UserId,
 	all_joined_rooms: &[OwnedRoomId],
 ) -> Result<()> {
 	services.users.deactivate_account(user_id).await.ok();
 	if services.globals.user_is_local(user_id) {
 		let _ = services
 			.threepid
 			.disassociate_localpart_email(user_id.localpart())
 			.await;
 	}
 	services
 		.users
 		.all_profile_keys(user_id)
 		.ready_for_each(|(profile_key, _)| {
 			services.users.set_profile_key(user_id, &profile_key, None);
 		})
 		.await;
 	// TODO: Rescind all user invites
 	let mut pdu_queue: Vec<(PduBuilder, &OwnedRoomId)> = Vec::new();
 	for room_id in all_joined_rooms {
 		let room_power_levels = services
 			.rooms
 			.state_accessor
 			.room_state_get_content::<RoomPowerLevelsEventContent>(
 				room_id,
 				&StateEventType::RoomPowerLevels,
 				"",
 			)
 			.await
 			.ok();
 		let user_can_demote_self =
 			room_power_levels
 				.as_ref()
 				.is_some_and(|power_levels_content| {
 					RoomPowerLevels::from(power_levels_content.clone())
 						.user_can_change_user_power_level(user_id, user_id)
 				}) || services
 				.rooms
 				.state_accessor
 				.room_state_get(room_id, &StateEventType::RoomCreate, "")
 				.await
 				.is_ok_and(|event| event.sender() == user_id);
 		if user_can_demote_self {
 			let mut power_levels_content = room_power_levels.unwrap_or_default();
 			power_levels_content.users.remove(user_id);
 			let pl_evt = PduBuilder::state(String::new(), &power_levels_content);
 			pdu_queue.push((pl_evt, room_id));
 		}
 		// Leave the room
 		pdu_queue.push((
 			PduBuilder::state(user_id.to_string(), &RoomMemberEventContent {
 				avatar_url: None,
 				blurhash: None,
 				membership: MembershipState::Leave,
 				displayname: None,
 				join_authorized_via_users_server: None,
 				reason: None,
 				is_direct: None,
 				third_party_invite: None,
 				redact_events: None,
 			}),
 			room_id,
 		));
 		// TODO: Redact all messages sent by the user in the room
 	}
 	super::update_all_rooms(services, pdu_queue, user_id).await;
 	for room_id in all_joined_rooms {
 		services.rooms.state_cache.forget(room_id, user_id);
 	}
 	Ok(())
 }
@@ -1,601 +0,0 @@
 use std::{collections::HashMap, fmt::Write};
 use axum::extract::State;
 use axum_client_ip::InsecureClientIp;
 use conduwuit::{
 	Err, Result, debug_info, error, info,
 	utils::{self},
 	warn,
 };
 use conduwuit_service::Services;
 use futures::{FutureExt, StreamExt};
 use lettre::{Address, message::Mailbox};
 use register::RegistrationKind;
 use ruma::{
 	OwnedUserId, UserId,
 	api::client::{
 		account::{
 			register::{self, LoginType},
 			request_registration_token_via_email,
 		},
 		uiaa::{AuthFlow, AuthType},
 	},
 	events::{GlobalAccountDataEventType, room::message::RoomMessageEventContent},
 	push,
 };
 use serde_json::value::RawValue;
 use service::mailer::messages;
 use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH, join_room_by_id_helper};
 use crate::Ruma;
 const RANDOM_USER_ID_LENGTH: usize = 10;
 /// # `POST /_matrix/client/v3/register`
 ///
 /// Register an account on this homeserver.
 ///
 /// You can use [`GET
 /// /_matrix/client/v3/register/available`](fn.get_register_available_route.
 /// html) to check if the user id is valid and available.
 ///
 /// - Only works if registration is enabled
 /// - If type is guest: ignores all parameters except
 ///   initial_device_display_name
 /// - If sender is not appservice: Requires UIAA (but we only use a dummy stage)
 /// - If type is not guest and no username is given: Always fails after UIAA
 ///   check
 /// - Creates a new account and populates it with default account data
 /// - If `inhibit_login` is false: Creates a device and returns device id and
 ///   access_token
 #[allow(clippy::doc_markdown)]
 #[tracing::instrument(skip_all, fields(%client), name = "register", level = "info")]
 pub(crate) async fn register_route(
 	State(services): State<crate::State>,
 	InsecureClientIp(client): InsecureClientIp,
 	body: Ruma<register::v3::Request>,
 ) -> Result<register::v3::Response> {
 	let is_guest = body.kind == RegistrationKind::Guest;
 	let emergency_mode_enabled = services.config.emergency_password.is_some();
 	// Allow registration if it's enabled in the config file or if this is the first
 	// run (so the first user account can be created)
 	let allow_registration =
 		services.config.allow_registration || services.firstrun.is_first_run();
 	if !allow_registration && body.appservice_info.is_none() {
 		match (body.username.as_ref(), body.initial_device_display_name.as_ref()) {
 			| (Some(username), Some(device_display_name)) => {
 				info!(
 					%is_guest,
 					user = %username,
 					device_name = %device_display_name,
 					"Rejecting registration attempt as registration is disabled"
 				);
 			},
 			| (Some(username), _) => {
 				info!(
 					%is_guest,
 					user = %username,
 					"Rejecting registration attempt as registration is disabled"
 				);
 			},
 			| (_, Some(device_display_name)) => {
 				info!(
 					%is_guest,
 					device_name = %device_display_name,
 					"Rejecting registration attempt as registration is disabled"
 				);
 			},
 			| (None, _) => {
 				info!(
 					%is_guest,
 					"Rejecting registration attempt as registration is disabled"
 				);
 			},
 		}
 		return Err!(Request(Forbidden(
 			"This server is not accepting registrations at this time."
 		)));
 	}
 	if is_guest && !services.config.allow_guest_registration {
 		info!(
 			"Guest registration disabled, rejecting guest registration attempt, initial device \
 			 name: \"{}\"",
 			body.initial_device_display_name.as_deref().unwrap_or("")
 		);
 		return Err!(Request(GuestAccessForbidden("Guest registration is disabled.")));
 	}
 	// forbid guests from registering if there is not a real admin user yet. give
 	// generic user error.
 	if is_guest && services.firstrun.is_first_run() {
 		warn!(
 			"Guest account attempted to register before a real admin user has been registered, \
 			 rejecting registration. Guest's initial device name: \"{}\"",
 			body.initial_device_display_name.as_deref().unwrap_or("")
 		);
 		return Err!(Request(Forbidden(
 			"This server is not accepting registrations at this time."
 		)));
 	}
 	// Appeservices and guests get to skip auth
 	let skip_auth = body.appservice_info.is_some() || is_guest;
 	let identity = if skip_auth {
 		// Appservices and guests have no identity
 		None
 	} else {
 		// Perform UIAA to determine the user's identity
 		let (flows, params) = create_registration_uiaa_session(&services).await?;
 		Some(
 			services
 				.uiaa
 				.authenticate(&body.auth, flows, params, None)
 				.await?,
 		)
 	};
 	// If the user didn't supply a username but did supply an email, use
 	// the email's user as their initial localpart to avoid falling back to
 	// a randomly generated localpart
 	let supplied_username = body.username.clone().or_else(|| {
 		if let Some(identity) = &identity
 			&& let Some(email) = &identity.email
 		{
 			Some(email.user().to_owned())
 		} else {
 			None
 		}
 	});
 	let user_id = determine_registration_user_id(
 		&services,
 		supplied_username,
 		is_guest,
 		emergency_mode_enabled,
 	)
 	.await?;
 	if body.body.login_type == Some(LoginType::ApplicationService) {
 		// For appservice logins, make sure that the user ID is in the appservice's
 		// namespace
 		match body.appservice_info {
 			| Some(ref info) =>
 				if !info.is_user_match(&user_id) && !emergency_mode_enabled {
 					return Err!(Request(Exclusive(
 						"Username is not in an appservice namespace."
 					)));
 				},
 			| _ => {
 				return Err!(Request(MissingToken("Missing appservice token.")));
 			},
 		}
 	} else if services.appservice.is_exclusive_user_id(&user_id).await && !emergency_mode_enabled
 	{
 		// For non-appservice logins, ban user IDs which are in an appservice's
 		// namespace (unless emergency mode is enabled)
 		return Err!(Request(Exclusive("Username is reserved by an appservice.")));
 	}
 	let password = if is_guest { None } else { body.password.as_deref() };
 	// Create user
 	services.users.create(&user_id, password, None).await?;
 	// Set an initial display name
 	let mut displayname = user_id.localpart().to_owned();
 	// Apply the new user displayname suffix, if it's set
 	if !services.globals.new_user_displayname_suffix().is_empty()
 		&& body.appservice_info.is_none()
 	{
 		write!(displayname, " {}", services.server.config.new_user_displayname_suffix)?;
 	}
 	services
 		.users
 		.set_displayname(&user_id, Some(displayname.clone()));
 	// Initial account data
 	services
 		.account_data
 		.update(
 			None,
 			&user_id,
 			GlobalAccountDataEventType::PushRules.to_string().into(),
 			&serde_json::to_value(ruma::events::push_rules::PushRulesEvent {
 				content: ruma::events::push_rules::PushRulesEventContent {
 					global: push::Ruleset::server_default(&user_id),
 				},
 			})?,
 		)
 		.await?;
 	// Generate new device id if the user didn't specify one
 	let no_device = body.inhibit_login
 		|| body
 			.appservice_info
 			.as_ref()
 			.is_some_and(|aps| aps.registration.device_management);
 	let (token, device) = if !no_device {
 		// Don't create a device for inhibited logins
 		let device_id = if is_guest { None } else { body.device_id.clone() }
 			.unwrap_or_else(|| utils::random_string(DEVICE_ID_LENGTH).into());
 		// Generate new token for the device
 		let new_token = utils::random_string(TOKEN_LENGTH);
 		// Create device for this account
 		services
 			.users
 			.create_device(
 				&user_id,
 				&device_id,
 				&new_token,
 				body.initial_device_display_name.clone(),
 				Some(client.to_string()),
 			)
 			.await?;
 		debug_info!(%user_id, %device_id, "User account was created");
 		(Some(new_token), Some(device_id))
 	} else {
 		(None, None)
 	};
 	// If the user registered with an email, associate it with their account.
 	if let Some(identity) = identity
 		&& let Some(email) = identity.email
 	{
 		// This may fail if the email is already in use, but we already check for that
 		// in `/requestToken`, so ignoring the error is acceptable here in the rare case
 		// that an email is sniped by another user between the `/requestToken` request
 		// and the `/register` request.
 		let _ = services
 			.threepid
 			.associate_localpart_email(user_id.localpart(), &email)
 			.await;
 	}
 	let device_display_name = body.initial_device_display_name.as_deref().unwrap_or("");
 	// log in conduit admin channel if a non-guest user registered
 	if body.appservice_info.is_none() && !is_guest {
 		if !device_display_name.is_empty() {
 			let notice = format!(
 				"New user \"{user_id}\" registered on this server from IP {client} and device \
 				 display name \"{device_display_name}\""
 			);
 			info!("{notice}");
 			if services.server.config.admin_room_notices {
 				services.admin.notice(&notice).await;
 			}
 		} else {
 			let notice = format!("New user \"{user_id}\" registered on this server.");
 			info!("{notice}");
 			if services.server.config.admin_room_notices {
 				services.admin.notice(&notice).await;
 			}
 		}
 	}
 	// log in conduit admin channel if a guest registered
 	if body.appservice_info.is_none() && is_guest && services.config.log_guest_registrations {
 		debug_info!("New guest user \"{user_id}\" registered on this server.");
 		if !device_display_name.is_empty() {
 			if services.server.config.admin_room_notices {
 				services
 					.admin
 					.notice(&format!(
 						"Guest user \"{user_id}\" with device display name \
 						 \"{device_display_name}\" registered on this server from IP {client}"
 					))
 					.await;
 			}
 		} else {
 			#[allow(clippy::collapsible_else_if)]
 			if services.server.config.admin_room_notices {
 				services
 					.admin
 					.notice(&format!(
 						"Guest user \"{user_id}\" with no device display name registered on \
 						 this server from IP {client}",
 					))
 					.await;
 			}
 		}
 	}
 	if !is_guest {
 		// Make the first user to register an administrator and disable first-run mode.
 		let was_first_user = services.firstrun.empower_first_user(&user_id).await?;
 		// If the registering user was not the first and we're suspending users on
 		// register, suspend them.
 		if !was_first_user && services.config.suspend_on_register {
 			// Note that we can still do auto joins for suspended users
 			services
 				.users
 				.suspend_account(&user_id, &services.globals.server_user)
 				.await;
 			// And send an @room notice to the admin room, to prompt admins to review the
 			// new user and ideally unsuspend them if deemed appropriate.
 			if services.server.config.admin_room_notices {
 				services
 					.admin
 					.send_loud_message(RoomMessageEventContent::text_plain(format!(
 						"User {user_id} has been suspended as they are not the first user on \
 						 this server. Please review and unsuspend them if appropriate."
 					)))
 					.await
 					.ok();
 			}
 		}
 	}
 	if body.appservice_info.is_none()
 		&& !services.server.config.auto_join_rooms.is_empty()
 		&& (services.config.allow_guests_auto_join_rooms || !is_guest)
 	{
 		for room in &services.server.config.auto_join_rooms {
 			let Ok(room_id) = services.rooms.alias.resolve(room).await else {
 				error!(
 					"Failed to resolve room alias to room ID when attempting to auto join \
 					 {room}, skipping"
 				);
 				continue;
 			};
 			if !services
 				.rooms
 				.state_cache
 				.server_in_room(services.globals.server_name(), &room_id)
 				.await
 			{
 				warn!(
 					"Skipping room {room} to automatically join as we have never joined before."
 				);
 				continue;
 			}
 			if let Some(room_server_name) = room.server_name() {
 				match join_room_by_id_helper(
 					&services,
 					&user_id,
 					&room_id,
 					Some("Automatically joining this room upon registration".to_owned()),
 					&[services.globals.server_name().to_owned(), room_server_name.to_owned()],
 					&body.appservice_info,
 				)
 				.boxed()
 				.await
 				{
 					| Err(e) => {
 						// don't return this error so we don't fail registrations
 						error!(
 							"Failed to automatically join room {room} for user {user_id}: {e}"
 						);
 					},
 					| _ => {
 						info!("Automatically joined room {room} for user {user_id}");
 					},
 				}
 			}
 		}
 	}
 	Ok(register::v3::Response {
 		access_token: token,
 		user_id,
 		device_id: device,
 		refresh_token: None,
 		expires_in: None,
 	})
 }
 /// Determine which flows and parameters should be presented when
 /// registering a new account.
 async fn create_registration_uiaa_session(
 	services: &Services,
 ) -> Result<(Vec<AuthFlow>, Box<RawValue>)> {
 	let mut params = HashMap::<String, serde_json::Value>::new();
 	let flows = if services.firstrun.is_first_run() {
 		// Registration token forced while in first-run mode
 		vec![AuthFlow::new(vec![AuthType::RegistrationToken])]
 	} else {
 		let mut flows = vec![];
 		if services
 			.registration_tokens
 			.iterate_tokens()
 			.next()
 			.await
 			.is_some()
 		{
 			// Trusted registration flow with a token is available
 			let mut token_flow = AuthFlow::new(vec![AuthType::RegistrationToken]);
 			if let Some(smtp) = &services.config.smtp
 				&& smtp.require_email_for_token_registration
 			{
 				// Email is required for token registrations
 				token_flow.stages.push(AuthType::EmailIdentity);
 			}
 			flows.push(token_flow);
 		}
 		let mut untrusted_flow = AuthFlow::default();
 		if services.config.recaptcha_private_site_key.is_some() {
 			if let Some(pubkey) = &services.config.recaptcha_site_key {
 				// ReCaptcha is configured for untrusted registrations
 				untrusted_flow.stages.push(AuthType::ReCaptcha);
 				params.insert(
 					AuthType::ReCaptcha.as_str().to_owned(),
 					serde_json::json!({
 						"public_key": pubkey,
 					}),
 				);
 			}
 		}
 		if let Some(smtp) = &services.config.smtp
 			&& smtp.require_email_for_registration
 		{
 			// Email is required for untrusted registrations
 			untrusted_flow.stages.push(AuthType::EmailIdentity);
 		}
 		if !untrusted_flow.stages.is_empty() {
 			flows.push(untrusted_flow);
 		}
 		if flows.is_empty() {
 			// No flows are configured. Bail out by default
 			// unless open registration was explicitly enabled.
 			if !services
 				.config
 				.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
 			{
 				return Err!(Request(Forbidden(
 					"This server is not accepting registrations at this time."
 				)));
 			}
 			// We have open registration enabled (😧), provide a dummy flow
 			flows.push(AuthFlow::new(vec![AuthType::Dummy]));
 		}
 		flows
 	};
 	let params = serde_json::value::to_raw_value(&params).expect("params should be valid JSON");
 	Ok((flows, params))
 }
 async fn determine_registration_user_id(
 	services: &Services,
 	supplied_username: Option<String>,
 	is_guest: bool,
 	emergency_mode_enabled: bool,
 ) -> Result<OwnedUserId> {
 	if let Some(supplied_username) = supplied_username
 		&& !is_guest
 	{
 		// The user gets to pick their username. Do some validation to make sure it's
 		// acceptable.
 		// Don't allow registration with forbidden usernames.
 		if services
 			.globals
 			.forbidden_usernames()
 			.is_match(&supplied_username)
 			&& !emergency_mode_enabled
 		{
 			return Err!(Request(Forbidden("Username is forbidden")));
 		}
 		// Create and validate the user ID
 		let user_id = match UserId::parse_with_server_name(
 			&supplied_username,
 			services.globals.server_name(),
 		) {
 			| Ok(user_id) => {
 				if let Err(e) = user_id.validate_strict() {
 					// Unless we are in emergency mode, we should follow synapse's behaviour on
 					// not allowing things like spaces and UTF-8 characters in usernames
 					if !emergency_mode_enabled {
 						return Err!(Request(InvalidUsername(debug_warn!(
 							"Username {supplied_username} contains disallowed characters or \
 							 spaces: {e}"
 						))));
 					}
 				}
 				// Don't allow registration with user IDs that aren't local
 				if !services.globals.user_is_local(&user_id) {
 					return Err!(Request(InvalidUsername(
 						"Username {supplied_username} is not local to this server"
 					)));
 				}
 				user_id
 			},
 			| Err(e) => {
 				return Err!(Request(InvalidUsername(debug_warn!(
 					"Username {supplied_username} is not valid: {e}"
 				))));
 			},
 		};
 		if services.users.exists(&user_id).await {
 			return Err!(Request(UserInUse("User ID is not available.")));
 		}
 		Ok(user_id)
 	} else {
 		// The user is a guest or didn't specify a username. Generate a username for
 		// them.
 		loop {
 			let user_id = UserId::parse_with_server_name(
 				utils::random_string(RANDOM_USER_ID_LENGTH).to_lowercase(),
 				services.globals.server_name(),
 			)
 			.unwrap();
 			if !services.users.exists(&user_id).await {
 				break Ok(user_id);
 			}
 		}
 	}
 }
 /// # `POST /_matrix/client/v3/register/email/requestToken`
 ///
 /// Requests a validation email for the purpose of registering a new account.
 pub(crate) async fn request_registration_token_via_email_route(
 	State(services): State<crate::State>,
 	body: Ruma<request_registration_token_via_email::v3::Request>,
 ) -> Result<request_registration_token_via_email::v3::Response> {
 	let Ok(email) = Address::try_from(body.email.clone()) else {
 		return Err!(Request(InvalidParam("Invalid email address.")));
 	};
 	if services
 		.threepid
 		.get_localpart_for_email(&email)
 		.await
 		.is_some()
 	{
 		return Err!(Request(ThreepidInUse("This email address is already in use.")));
 	}
 	let session = services
 		.threepid
 		.send_validation_email(
 			Mailbox::new(None, email),
 			|verification_link| messages::NewAccount {
 				server_name: services.config.server_name.as_ref(),
 				verification_link,
 			},
 			&body.client_secret,
 			body.send_attempt.try_into().unwrap(),
 		)
 		.await?;
 	Ok(request_registration_token_via_email::v3::Response::new(session))
 }
@@ -1,153 +0,0 @@
 use std::time::SystemTime;
 use axum::extract::State;
 use conduwuit::{Err, Result, err};
 use lettre::{Address, message::Mailbox};
 use ruma::{
 	MilliSecondsSinceUnixEpoch,
 	api::client::account::{
 		ThirdPartyIdRemovalStatus, add_3pid, delete_3pid, get_3pids,
 		request_3pid_management_token_via_email, request_3pid_management_token_via_msisdn,
 	},
 	thirdparty::{Medium, ThirdPartyIdentifierInit},
 };
 use service::{mailer::messages, uiaa::Identity};
 use crate::Ruma;
 /// # `GET _matrix/client/v3/account/3pid`
 ///
 /// Get a list of third party identifiers associated with this account.
 pub(crate) async fn third_party_route(
 	State(services): State<crate::State>,
 	body: Ruma<get_3pids::v3::Request>,
 ) -> Result<get_3pids::v3::Response> {
 	let sender_user = body.sender_user();
 	let mut threepids = vec![];
 	if let Some(email) = services
 		.threepid
 		.get_email_for_localpart(sender_user.localpart())
 		.await
 	{
 		threepids.push(
 			ThirdPartyIdentifierInit {
 				address: email.to_string(),
 				medium: Medium::Email,
 				// We don't currently track these, and they aren't used for much
 				validated_at: MilliSecondsSinceUnixEpoch::now(),
 				added_at: MilliSecondsSinceUnixEpoch::from_system_time(SystemTime::UNIX_EPOCH)
 					.unwrap(),
 			}
 			.into(),
 		);
 	}
 	Ok(get_3pids::v3::Response::new(threepids))
 }
 /// # `POST /_matrix/client/v3/account/3pid/email/requestToken`
 ///
 /// Requests a validation email for the purpose of changing an account's email.
 pub(crate) async fn request_3pid_management_token_via_email_route(
 	State(services): State<crate::State>,
 	body: Ruma<request_3pid_management_token_via_email::v3::Request>,
 ) -> Result<request_3pid_management_token_via_email::v3::Response> {
 	let Ok(email) = Address::try_from(body.email.clone()) else {
 		return Err!(Request(InvalidParam("Invalid email address.")));
 	};
 	if services
 		.threepid
 		.get_localpart_for_email(&email)
 		.await
 		.is_some()
 	{
 		return Err!(Request(ThreepidInUse("This email address is already in use.")));
 	}
 	let session = services
 		.threepid
 		.send_validation_email(
 			Mailbox::new(None, email),
 			|verification_link| messages::ChangeEmail {
 				server_name: services.config.server_name.as_str(),
 				user_id: body.sender_user.as_deref(),
 				verification_link,
 			},
 			&body.client_secret,
 			body.send_attempt.try_into().unwrap(),
 		)
 		.await?;
 	Ok(request_3pid_management_token_via_email::v3::Response::new(session))
 }
 /// # `POST /_matrix/client/v3/account/3pid/msisdn/requestToken`
 ///
 /// "This API should be used to request validation tokens when adding an email
 /// address to an account"
 ///
 /// - 403 signals that The homeserver does not allow the third party identifier
 ///   as a contact option.
 pub(crate) async fn request_3pid_management_token_via_msisdn_route(
 	_body: Ruma<request_3pid_management_token_via_msisdn::v3::Request>,
 ) -> Result<request_3pid_management_token_via_msisdn::v3::Response> {
 	Err!(Request(ThreepidMediumNotSupported(
 		"MSISDN third-party identifiers are not supported."
 	)))
 }
 /// # `POST /_matrix/client/v3/account/3pid/add`
 pub(crate) async fn add_3pid_route(
 	State(services): State<crate::State>,
 	body: Ruma<add_3pid::v3::Request>,
 ) -> Result<add_3pid::v3::Response> {
 	let sender_user = body.sender_user();
 	// Require password auth to add an email
 	let _ = services
 		.uiaa
 		.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
 		.await?;
 	let email = services
 		.threepid
 		.consume_valid_session(&body.sid, &body.client_secret)
 		.await
 		.map_err(|message| err!(Request(ThreepidAuthFailed("{message}"))))?;
 	services
 		.threepid
 		.associate_localpart_email(sender_user.localpart(), &email)
 		.await?;
 	Ok(add_3pid::v3::Response::new())
 }
 /// # `POST /_matrix/client/v3/account/3pid/delete`
 pub(crate) async fn delete_3pid_route(
 	State(services): State<crate::State>,
 	body: Ruma<delete_3pid::v3::Request>,
 ) -> Result<delete_3pid::v3::Response> {
 	let sender_user = body.sender_user();
 	if body.medium != Medium::Email {
 		return Ok(delete_3pid::v3::Response {
 			id_server_unbind_result: ThirdPartyIdRemovalStatus::NoSupport,
 		});
 	}
 	if services
 		.threepid
 		.disassociate_localpart_email(sender_user.localpart())
 		.await
 		.is_none()
 	{
 		return Err!(Request(ThreepidNotFound("Your account has no associated email.")));
 	}
 	Ok(delete_3pid::v3::Response {
 		id_server_unbind_result: ThirdPartyIdRemovalStatus::Success,
 	})
 }
@@ -30,10 +30,8 @@ pub(crate) async fn get_capabilities_route(
 		default: services.server.config.default_room_version.clone(),
 	};
-	// Only allow 3pid changes if SMTP is configured
+	// we do not implement 3PID stuff
-	capabilities.thirdparty_id_changes = ThirdPartyIdChangesCapability {
+	capabilities.thirdparty_id_changes = ThirdPartyIdChangesCapability { enabled: false };
 		enabled: services.mailer.mailer().is_some(),
 	};
 	capabilities.get_login_token = GetLoginTokenCapability {
 		enabled: services.server.config.login_via_existing_session,
@@ -53,7 +51,7 @@ pub(crate) async fn get_capabilities_route(
 		.await
 	{
 		// Advertise suspension API
-		capabilities.set("uk.timedout.msc4323", json!({"suspend": true, "lock": false}))?;
+		capabilities.set("uk.timedout.msc4323", json!({"suspend":true, "lock": false}))?;
 	}
 	Ok(get_capabilities::v3::Response { capabilities })
@@ -1,15 +1,17 @@
 use axum::extract::State;
 use axum_client_ip::InsecureClientIp;
-use conduwuit::{Err, Result, debug, err, utils};
+use conduwuit::{Err, Error, Result, debug, err, utils};
 use futures::StreamExt;
 use ruma::{
 	MilliSecondsSinceUnixEpoch, OwnedDeviceId,
-	api::client::device::{
+	api::client::{
-		self, delete_device, delete_devices, get_device, get_devices, update_device,
+		device::{self, delete_device, delete_devices, get_device, get_devices, update_device},
 		error::ErrorKind,
 		uiaa::{AuthFlow, AuthType, UiaaInfo},
 	},
 };
 use service::uiaa::Identity;
 use super::SESSION_ID_LENGTH;
 use crate::{Ruma, client::DEVICE_ID_LENGTH};
 /// # `GET /_matrix/client/r0/devices`
@@ -121,7 +123,7 @@ pub(crate) async fn delete_device_route(
 	State(services): State<crate::State>,
 	body: Ruma<delete_device::v3::Request>,
 ) -> Result<delete_device::v3::Response> {
-	let sender_user = body.sender_user();
+	let (sender_user, sender_device) = body.sender();
 	let appservice = body.appservice_info.as_ref();
 	if appservice.is_some_and(|appservice| appservice.registration.device_management) {
@@ -137,11 +139,41 @@ pub(crate) async fn delete_device_route(
 		return Ok(delete_device::v3::Response {});
 	}
-	// Prompt the user to confirm with their password using UIAA
+	// UIAA
-	let _ = services
+	let mut uiaainfo = UiaaInfo {
-		.uiaa
+		flows: vec![AuthFlow { stages: vec![AuthType::Password] }],
-		.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
+		completed: Vec::new(),
-		.await?;
+		params: Box::default(),
 		session: None,
 		auth_error: None,
 	};
 	match &body.auth {
 		| Some(auth) => {
 			let (worked, uiaainfo) = services
 				.uiaa
 				.try_auth(sender_user, sender_device, auth, &uiaainfo)
 				.await?;
 			if !worked {
 				return Err!(Uiaa(uiaainfo));
 			}
 			// Success!
 		},
 		| _ => match body.json_body {
 			| Some(ref json) => {
 				uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
 				services
 					.uiaa
 					.create(sender_user, sender_device, &uiaainfo, json);
 				return Err!(Uiaa(uiaainfo));
 			},
 			| _ => {
 				return Err!(Request(NotJson("Not json.")));
 			},
 		},
 	}
 	services
 		.users
@@ -168,7 +200,7 @@ pub(crate) async fn delete_devices_route(
 	State(services): State<crate::State>,
 	body: Ruma<delete_devices::v3::Request>,
 ) -> Result<delete_devices::v3::Response> {
-	let sender_user = body.sender_user();
+	let (sender_user, sender_device) = body.sender();
 	let appservice = body.appservice_info.as_ref();
 	if appservice.is_some_and(|appservice| appservice.registration.device_management) {
@@ -183,11 +215,41 @@ pub(crate) async fn delete_devices_route(
 		return Ok(delete_devices::v3::Response {});
 	}
-	// Prompt the user to confirm with their password using UIAA
+	// UIAA
-	let _ = services
+	let mut uiaainfo = UiaaInfo {
-		.uiaa
+		flows: vec![AuthFlow { stages: vec![AuthType::Password] }],
-		.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
+		completed: Vec::new(),
-		.await?;
+		params: Box::default(),
 		session: None,
 		auth_error: None,
 	};
 	match &body.auth {
 		| Some(auth) => {
 			let (worked, uiaainfo) = services
 				.uiaa
 				.try_auth(sender_user, sender_device, auth, &uiaainfo)
 				.await?;
 			if !worked {
 				return Err(Error::Uiaa(uiaainfo));
 			}
 			// Success!
 		},
 		| _ => match body.json_body {
 			| Some(ref json) => {
 				uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
 				services
 					.uiaa
 					.create(sender_user, sender_device, &uiaainfo, json);
 				return Err(Error::Uiaa(uiaainfo));
 			},
 			| _ => {
 				return Err(Error::BadRequest(ErrorKind::NotJson, "Not json."));
 			},
 		},
 	}
 	for device_id in &body.devices {
 		services.users.remove_device(sender_user, device_id).await;
@@ -7,6 +7,7 @@ use axum::extract::State;
 use conduwuit::{
 	Err, Error, Result, debug, debug_warn, err,
 	result::NotFound,
 	utils,
 	utils::{IterStream, stream::WidebandExt},
 };
 use conduwuit_service::{Services, users::parse_master_key};
@@ -21,6 +22,7 @@ use ruma::{
 				upload_signatures::{self},
 				upload_signing_keys,
 			},
 			uiaa::{AuthFlow, AuthType, UiaaInfo},
 		},
 		federation,
 	},
@@ -28,8 +30,8 @@ use ruma::{
 	serde::Raw,
 };
 use serde_json::json;
 use service::uiaa::Identity;
 use super::SESSION_ID_LENGTH;
 use crate::Ruma;
 /// # `POST /_matrix/client/r0/keys/upload`
@@ -172,7 +174,16 @@ pub(crate) async fn upload_signing_keys_route(
 	State(services): State<crate::State>,
 	body: Ruma<upload_signing_keys::v3::Request>,
 ) -> Result<upload_signing_keys::v3::Response> {
-	let sender_user = body.sender_user();
+	let (sender_user, sender_device) = body.sender();
 	// UIAA
 	let mut uiaainfo = UiaaInfo {
 		flows: vec![AuthFlow { stages: vec![AuthType::Password] }],
 		completed: Vec::new(),
 		params: Box::default(),
 		session: None,
 		auth_error: None,
 	};
 	match check_for_new_keys(
 		services,
@@ -196,10 +207,32 @@ pub(crate) async fn upload_signing_keys_route(
 			// Some of the keys weren't found, so we let them upload
 		},
 		| _ => {
-			let _ = services
+			match &body.auth {
-				.uiaa
+				| Some(auth) => {
-				.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
+					let (worked, uiaainfo) = services
-				.await?;
+						.uiaa
 						.try_auth(sender_user, sender_device, auth, &uiaainfo)
 						.await?;
 					if !worked {
 						return Err(Error::Uiaa(uiaainfo));
 					}
 					// Success!
 				},
 				| _ => match body.json_body.as_ref() {
 					| Some(json) => {
 						uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
 						services
 							.uiaa
 							.create(sender_user, sender_device, &uiaainfo, json);
 						return Err(Error::Uiaa(uiaainfo));
 					},
 					| _ => {
 						return Err(Error::BadRequest(ErrorKind::NotJson, "Not json."));
 					},
 				},
 			}
 		},
 	}
@@ -92,3 +92,6 @@ const DEVICE_ID_LENGTH: usize = 10;
 /// generated user access token length
 const TOKEN_LENGTH: usize = 32;
 /// generated user session ID length
 const SESSION_ID_LENGTH: usize = service::uiaa::SESSION_ID_LENGTH;
@@ -8,9 +8,8 @@ use conduwuit::{
 	warn,
 };
 use conduwuit_core::{debug_error, debug_warn};
-use conduwuit_service::Services;
+use conduwuit_service::{Services, uiaa::SESSION_ID_LENGTH};
 use futures::StreamExt;
 use lettre::Address;
 use ruma::{
 	OwnedUserId, UserId,
 	api::client::{
@@ -27,10 +26,9 @@ use ruma::{
 			},
 			logout, logout_all,
 		},
-		uiaa::UserIdentifier,
+		uiaa,
 	},
 };
 use service::uiaa::Identity;
 use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH};
 use crate::Ruma;
@@ -82,7 +80,7 @@ pub(crate) async fn password_login(
 			.password_hash(lowercased_user_id)
 			.await
 			.map(|hash| (hash, lowercased_user_id))
-			.map_err(|_| err!(Request(Forbidden("Invalid identifier or password."))))?,
+			.map_err(|_| err!(Request(Forbidden("Wrong username or password."))))?,
 	};
 	if hash.is_empty() {
@@ -91,7 +89,7 @@ pub(crate) async fn password_login(
 	hash::verify_password(password, &hash)
 		.inspect_err(|e| debug_error!("{e}"))
-		.map_err(|_| err!(Request(Forbidden("Invalid identifier or password."))))?;
+		.map_err(|_| err!(Request(Forbidden("Wrong username or password."))))?;
 	Ok(user_id.to_owned())
 }
@@ -163,38 +161,28 @@ pub(super) async fn ldap_login(
 pub(crate) async fn handle_login(
 	services: &Services,
-	identifier: Option<&UserIdentifier>,
+	body: &Ruma<login::v3::Request>,
 	identifier: Option<&uiaa::UserIdentifier>,
 	password: &str,
 	user: Option<&String>,
 ) -> Result<OwnedUserId> {
 	debug!("Got password login type");
 	let user_id_or_localpart = match (identifier, user) {
 		| (Some(UserIdentifier::UserIdOrLocalpart(localpart)), _) => localpart,
 		| (Some(UserIdentifier::Email { address }), _) => {
 			let email = Address::try_from(address.to_owned())
 				.map_err(|_| err!(Request(InvalidParam("Email is malformed"))))?;
 			&services
 				.threepid
 				.get_localpart_for_email(&email)
 				.await
 				.ok_or_else(|| err!(Request(Forbidden("Invalid identifier or password"))))?
 		},
 		| (None, Some(user)) => user,
 		| _ => {
 			return Err!(Request(InvalidParam("Identifier type not recognized")));
 		},
 	};
 	let user_id =
-		UserId::parse_with_server_name(user_id_or_localpart, &services.config.server_name)
+				if let Some(uiaa::UserIdentifier::UserIdOrLocalpart(user_id)) = identifier {
-			.map_err(|_| err!(Request(InvalidUsername("User ID is malformed"))))?;
+					UserId::parse_with_server_name(user_id, &services.config.server_name)
 				} else if let Some(user) = user {
 					UserId::parse_with_server_name(user, &services.config.server_name)
 				} else {
 					return Err!(Request(Unknown(
 						debug_warn!(?body.login_info, "Valid identifier or username was not provided (invalid or unsupported login type?)")
 					)));
 				}
 				.map_err(|e| err!(Request(InvalidUsername(warn!("Username is invalid: {e}")))))?;
 	let lowercased_user_id = UserId::parse_with_server_name(
 		user_id.localpart().to_lowercase(),
 		&services.config.server_name,
-	)
+	)?;
 	.unwrap();
 	if !services.globals.user_is_local(&user_id)
 		|| !services.globals.user_is_local(&lowercased_user_id)
@@ -256,7 +244,7 @@ pub(crate) async fn login_route(
 			password,
 			user,
 			..
-		}) => handle_login(&services, identifier.as_ref(), password, user.as_ref()).await?,
+		}) => handle_login(&services, &body, identifier.as_ref(), password, user.as_ref()).await?,
 		| login::v3::LoginInfo::Token(login::v3::Token { token }) => {
 			debug!("Got token login type");
 			if !services.server.config.login_via_existing_session {
@@ -276,7 +264,7 @@ pub(crate) async fn login_route(
 			};
 			let user_id =
-				if let Some(UserIdentifier::UserIdOrLocalpart(user_id)) = identifier {
+				if let Some(uiaa::UserIdentifier::UserIdOrLocalpart(user_id)) = identifier {
 					UserId::parse_with_server_name(user_id, &services.config.server_name)
 				} else if let Some(user) = user {
 					UserId::parse_with_server_name(user, &services.config.server_name)
@@ -285,7 +273,7 @@ pub(crate) async fn login_route(
 						debug_warn!(?body.login_info, "Valid identifier or username was not provided (invalid or unsupported login type?)")
 					)));
 				}
-				.map_err(|_| err!(Request(InvalidUsername(warn!("User ID is malformed")))))?;
+				.map_err(|e| err!(Request(InvalidUsername(warn!("Username is invalid: {e}")))))?;
 			if !services.globals.user_is_local(&user_id) {
 				return Err!(Request(Unknown("User ID does not belong to this homeserver")));
@@ -382,13 +370,45 @@ pub(crate) async fn login_token_route(
 		return Err!(Request(Forbidden("Login via an existing session is not enabled")));
 	}
-	let sender_user = body.sender_user();
+	// This route SHOULD have UIA
 	// TODO: How do we make only UIA sessions that have not been used before valid?
 	let (sender_user, sender_device) = body.sender();
-	// Prompt the user to confirm with their password using UIAA
+	let mut uiaainfo = uiaa::UiaaInfo {
-	let _ = services
+		flows: vec![uiaa::AuthFlow { stages: vec![uiaa::AuthType::Password] }],
-		.uiaa
+		completed: Vec::new(),
-		.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
+		params: Box::default(),
-		.await?;
+		session: None,
 		auth_error: None,
 	};
 	match &body.auth {
 		| Some(auth) => {
 			let (worked, uiaainfo) = services
 				.uiaa
 				.try_auth(sender_user, sender_device, auth, &uiaainfo)
 				.await?;
 			if !worked {
 				return Err(Error::Uiaa(uiaainfo));
 			}
 			// Success!
 		},
 		| _ => match body.json_body.as_ref() {
 			| Some(json) => {
 				uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
 				services
 					.uiaa
 					.create(sender_user, sender_device, &uiaainfo, json);
 				return Err(Error::Uiaa(uiaainfo));
 			},
 			| _ => {
 				return Err!(Request(NotJson("No JSON body was sent when required.")));
 			},
 		},
 	}
 	let login_token = utils::random_string(TOKEN_LENGTH);
 	let expires_in = services.users.create_login_token(sender_user, &login_token);
@@ -28,8 +28,7 @@ pub fn build(router: Router<State>, server: &Server) -> Router<State> {
        .ruma_route(&client::appservice_ping)
 		.ruma_route(&client::get_supported_versions_route)
 		.ruma_route(&client::get_register_available_route)
-		.ruma_route(&client::register::register_route)
+		.ruma_route(&client::register_route)
 		.ruma_route(&client::register::request_registration_token_via_email_route)
 		.ruma_route(&client::get_login_types_route)
 		.ruma_route(&client::login_route)
 		.ruma_route(&client::login_token_route)
@@ -37,13 +36,10 @@ pub fn build(router: Router<State>, server: &Server) -> Router<State> {
 		.ruma_route(&client::logout_route)
 		.ruma_route(&client::logout_all_route)
 		.ruma_route(&client::change_password_route)
 		.ruma_route(&client::request_password_change_token_via_email_route)
 		.ruma_route(&client::deactivate_route)
-		.ruma_route(&client::threepid::third_party_route)
+		.ruma_route(&client::third_party_route)
-		.ruma_route(&client::threepid::request_3pid_management_token_via_email_route)
+		.ruma_route(&client::request_3pid_management_token_via_email_route)
-		.ruma_route(&client::threepid::request_3pid_management_token_via_msisdn_route)
+		.ruma_route(&client::request_3pid_management_token_via_msisdn_route)
 		.ruma_route(&client::threepid::add_3pid_route)
 		.ruma_route(&client::threepid::delete_3pid_route)
 		.ruma_route(&client::check_registration_token_validity)
 		.ruma_route(&client::get_capabilities_route)
 		.ruma_route(&client::get_pushrules_all_route)
@@ -2,13 +2,14 @@ use std::{mem, ops::Deref};
 use axum::{body::Body, extract::FromRequest};
 use bytes::{BufMut, Bytes, BytesMut};
-use conduwuit::{Error, Result, debug, debug_warn, err, trace};
+use conduwuit::{Error, Result, debug, debug_warn, err, trace, utils::string::EMPTY};
 use ruma::{
 	CanonicalJsonObject, CanonicalJsonValue, DeviceId, OwnedDeviceId, OwnedServerName,
 	OwnedUserId, ServerName, UserId, api::IncomingRequest,
 };
 use service::Services;
-use super::{auth, request, request::Request};
+use super::{auth, auth::Auth, request, request::Request};
 use crate::{State, service::appservice::RegistrationInfo};
 /// Extractor for Ruma request structs
@@ -107,7 +108,7 @@ where
 		}
 		let auth = auth::auth(services, &mut request, json_body.as_ref(), &T::METADATA).await?;
 		Ok(Self {
-			body: make_body::<T>(&mut request, json_body.as_mut())?,
+			body: make_body::<T>(services, &mut request, json_body.as_mut(), &auth)?,
 			origin: auth.origin,
 			sender_user: auth.sender_user,
 			sender_device: auth.sender_device,
@@ -117,11 +118,16 @@ where
 	}
 }
-fn make_body<T>(request: &mut Request, json_body: Option<&mut CanonicalJsonValue>) -> Result<T>
+fn make_body<T>(
 	services: &Services,
 	request: &mut Request,
 	json_body: Option<&mut CanonicalJsonValue>,
 	auth: &Auth,
 ) -> Result<T>
 where
 	T: IncomingRequest,
 {
-	let body = take_body(request, json_body);
+	let body = take_body(services, request, json_body, auth);
 	let http_request = into_http_request(request, body);
 	T::try_from_http_request(http_request, &request.path)
 		.map_err(|e| err!(Request(BadJson(debug_warn!("{e}")))))
@@ -145,11 +151,38 @@ fn into_http_request(request: &Request, body: Bytes) -> hyper::Request<Bytes> {
 }
 #[allow(clippy::needless_pass_by_value)]
-fn take_body(request: &mut Request, json_body: Option<&mut CanonicalJsonValue>) -> Bytes {
+fn take_body(
 	services: &Services,
 	request: &mut Request,
 	json_body: Option<&mut CanonicalJsonValue>,
 	auth: &Auth,
 ) -> Bytes {
 	let Some(CanonicalJsonValue::Object(json_body)) = json_body else {
 		return mem::take(&mut request.body);
 	};
 	let user_id = auth.sender_user.clone().unwrap_or_else(|| {
 		let server_name = services.globals.server_name();
 		UserId::parse_with_server_name(EMPTY, server_name).expect("valid user_id")
 	});
 	let uiaa_request = json_body
 		.get("auth")
 		.and_then(CanonicalJsonValue::as_object)
 		.and_then(|auth| auth.get("session"))
 		.and_then(CanonicalJsonValue::as_str)
 		.and_then(|session| {
 			services
 				.uiaa
 				.get_uiaa_request(&user_id, auth.sender_device.as_deref(), session)
 		});
 	if let Some(CanonicalJsonValue::Object(initial_request)) = uiaa_request {
 		for (key, value) in initial_request {
 			json_body.entry(key).or_insert(value);
 		}
 	}
 	let mut buf = BytesMut::new().writer();
 	serde_json::to_writer(&mut buf, &json_body).expect("value serialization can't fail");
 	buf.into_inner().freeze()
@@ -84,7 +84,6 @@ libc.workspace = true
 libloading.workspace = true
 libloading.optional = true
 log.workspace = true
 lettre.workspace = true
 num-traits.workspace = true
 rand.workspace = true
 rand_core = { version = "0.6.4", features = ["getrandom"] }
@@ -16,7 +16,6 @@ use either::{
 };
 use figment::providers::{Env, Format, Toml};
 pub use figment::{Figment, value::Value as FigmentValue};
 use lettre::message::Mailbox;
 use regex::RegexSet;
 use ruma::{
 	OwnedRoomId, OwnedRoomOrAliasId, OwnedServerName, OwnedUserId, RoomVersionId,
@@ -69,10 +68,6 @@ pub struct Config {
 	///
 	/// Also see the `[global.well_known]` config section at the very bottom.
 	///
 	/// If `client` is not set under `[global.well_known]`, the server name will
 	/// be used as the base domain for user-facing links (such as password
 	/// reset links) created by Continuwuity.
 	///
 	/// Examples of delegation:
 	/// - https://continuwuity.org/.well-known/matrix/server
 	/// - https://continuwuity.org/.well-known/matrix/client
@@ -757,9 +752,6 @@ pub struct Config {
 	#[serde(default)]
 	pub well_known: WellKnownConfig,
 	/// display: nested
 	pub smtp: Option<SmtpConfig>,
 	/// Enable OpenTelemetry OTLP tracing export. This replaces the deprecated
 	/// Jaeger exporter. Traces will be sent via OTLP to a collector (such as
 	/// Jaeger) that supports the OpenTelemetry Protocol.
@@ -2097,13 +2089,6 @@ pub struct Config {
 	#[serde(default)]
 	pub force_disable_first_run_mode: bool,
 	/// Allow search engines and crawlers to index Continuwuity's built-in
 	/// webpages served under the `/_continuwuity/` prefix.
 	///
 	/// default: false
 	#[serde(default)]
 	pub allow_web_indexing: bool,
 	/// display: nested
 	#[serde(default)]
 	pub ldap: LdapConfig,
@@ -2444,52 +2429,6 @@ pub struct DraupnirConfig {
 	pub secret: String,
 }
 #[derive(Clone, Debug, Deserialize)]
 #[config_example_generator(
 	filename = "conduwuit-example.toml",
 	section = "global.smtp",
 	optional = "true"
 )]
 pub struct SmtpConfig {
 	/// A `smtp://`` URI which will be used to connect to a mail server.
 	/// Uncommenting the [global.smtp] group and setting this option enables
 	/// features which depend on the ability to send email,
 	/// such as self-service password resets.
 	///
 	/// For most modern mail servers, format the URI like this:
 	/// 	`smtps://username:password@hostname:port`
 	/// Note that you will need to URL-encode the username and password. If your
 	/// username _is_ your email address, you will need to replace the `@` with
 	/// `%40`.
 	///
 	/// For a guide on the accepted URI syntax, consult Lettre's documentation:
 	/// https://docs.rs/lettre/latest/lettre/transport/smtp/struct.AsyncSmtpTransport.html#method.from_url
 	pub connection_uri: String,
 	/// The outgoing address which will be used for sending emails.
 	///
 	/// For a syntax guide, see https://datatracker.ietf.org/doc/html/rfc2822#section-3.4
 	///
 	/// ...or if you don't want to read the RFC, for some reason:
 	/// - `Name <address@domain.org>` to specify a sender name
 	/// - `address@domain.org` to not use a name
 	pub sender: Mailbox,
 	/// Whether to require that users provide an email address when they
 	/// register.
 	///
 	/// default: false
 	#[serde(default)]
 	pub require_email_for_registration: bool,
 	/// Whether to require that users who register with a registration token
 	/// provide an email address.
 	///
 	/// default: false
 	#[serde(default)]
 	pub require_email_for_token_registration: bool,
 }
 const DEPRECATED_KEYS: &[&str] = &[
 	"cache_capacity",
 	"conduit_cache_capacity_modifier",
@@ -1224,7 +1224,6 @@ fn can_send_event(event: &impl Event, ple: Option<&impl Event>, user_level: Int)
 }
 /// Confirm that the event sender has the required power levels.
 #[allow(clippy::cognitive_complexity)]
 fn check_power_levels(
 	room_version: &RoomVersion,
 	power_event: &impl Event,
@@ -75,7 +75,6 @@ type Result<T, E = Error> = crate::Result<T, E>;
 /// event is part of the same room.
 //#[tracing::instrument(level = "debug", skip(state_sets, auth_chain_sets,
 //#[tracing::instrument(level event_fetch))]
 #[allow(clippy::cognitive_complexity)]
 pub async fn resolve<'a, Pdu, Sets, SetIter, Hasher, Fetch, FetchFut, Exists, ExistsFut>(
 	room_version: &RoomVersionId,
 	state_sets: Sets,
@@ -415,6 +415,13 @@ impl<'a, 'de: 'a> de::Deserializer<'de> for &'a mut Deserializer<'de> {
 		tracing::instrument(level = "trace", skip_all, fields(?self.buf))
 	)]
 	fn deserialize_any<V: Visitor<'de>>(self, visitor: V) -> Result<V::Value> {
 		debug_assert_eq!(
 			conduwuit::debug::type_name::<V>(),
 			"serde_json::value::de::<impl serde_core::de::Deserialize for \
 			 serde_json::value::Value>::deserialize::ValueVisitor",
 			"deserialize_any: type not expected"
 		);
 		match self.record_peek_byte() {
 			| Some(b'{') => self.deserialize_map(visitor),
 			| Some(b'[') => serde_json::Deserializer::from_slice(self.record_next())
@@ -53,10 +53,6 @@ pub(super) static MAPS: &[Descriptor] = &[
 		name: "disabledroomids",
 		..descriptor::RANDOM_SMALL
 	},
 	Descriptor {
 		name: "email_localpart",
 		..descriptor::RANDOM_SMALL
 	},
 	Descriptor {
 		name: "eventid_outlierpdu",
 		cache_disp: CacheDisp::SharedWith("pduid_pdu"),
@@ -104,10 +100,6 @@ pub(super) static MAPS: &[Descriptor] = &[
 		name: "lazyloadedids",
 		..descriptor::RANDOM_SMALL
 	},
 	Descriptor {
 		name: "localpart_email",
 		..descriptor::RANDOM_SMALL
 	},
 	Descriptor {
 		name: "mediaid_file",
 		..descriptor::RANDOM_SMALL
@@ -120,10 +112,6 @@ pub(super) static MAPS: &[Descriptor] = &[
 		name: "onetimekeyid_onetimekeys",
 		..descriptor::RANDOM_SMALL
 	},
 	Descriptor {
 		name: "passwordresettoken_info",
 		..descriptor::RANDOM_SMALL
 	},
 	Descriptor {
 		name: "pduid_pdu",
 		cache_disp: CacheDisp::SharedWith("eventid_outlierpdu"),
@@ -1,4 +1,5 @@
 use std::{
 	env::args,
 	iter::once,
 	sync::{
 		Arc, OnceLock,
@@ -18,7 +19,7 @@ use tokio::runtime::Builder;
 use crate::{clap::Args, server::Server};
-const WORKER_NAME: &str = "conduwuit:worker";
+const WORKER_NAME: &str = "c10y:worker";
 const WORKER_MIN: usize = 2;
 const WORKER_KEEPALIVE: u64 = 36;
 const MAX_BLOCKING_THREADS: usize = 1024;
@@ -18,5 +18,5 @@ pub(crate) fn build(services: &Arc<Services>) -> (Router, Guard) {
 }
 async fn not_found(_uri: Uri) -> impl IntoResponse {
-	Error::Request(ErrorKind::Unrecognized, "not found :(".into(), StatusCode::NOT_FOUND)
+	Error::Request(ErrorKind::Unrecognized, "Not Found".into(), StatusCode::NOT_FOUND)
 }
@@ -91,7 +91,6 @@ conduwuit-database.workspace = true
 const-str.workspace = true
 either.workspace = true
 futures.workspace = true
 governor.workspace = true
 hickory-resolver.workspace = true
 http.workspace = true
 image.workspace = true
@@ -103,7 +102,6 @@ ldap3.optional = true
 log.workspace = true
 loole.workspace = true
 lru-cache.workspace = true
 nonzero_ext.workspace = true
 rand.workspace = true
 regex.workspace = true
 reqwest.workspace = true
@@ -123,9 +121,8 @@ webpage.workspace = true
 webpage.optional = true
 blurhash.workspace = true
 blurhash.optional = true
-recaptcha-verify = { version = "0.2.0", default-features = false }
+recaptcha-verify = { version = "0.1.5", default-features = false }
 yansi.workspace = true
 lettre.workspace = true
 [target.'cfg(all(unix, target_os = "linux"))'.dependencies]
 sd-notify.workspace = true
@@ -6,7 +6,6 @@ use conduwuit::{
 	config::{Config, check},
 	error, implement,
 };
 use url::Url;
 use crate::registration_tokens::{ValidToken, ValidTokenSource};
@@ -24,18 +23,6 @@ impl Service {
 			.clone()
 			.map(|token| ValidToken { token, source: ValidTokenSource::Config })
 	}
 	/// Get the base domain to use for user-facing URLs.
 	#[must_use]
 	pub fn get_client_domain(&self) -> Url {
 		self.well_known.client.clone().unwrap_or_else(|| {
 			let host = self.server_name.host();
 			format!("https://{host}")
 				.as_str()
 				.try_into()
 				.expect("server name should be a valid host")
 		})
 	}
 }
 #[async_trait]
@@ -122,7 +122,7 @@ impl Service {
 	/// if they were not.
 	pub async fn empower_first_user(&self, user: &UserId) -> Result<bool> {
 		#[derive(Template)]
-		#[template(path = "welcome.md")]
+		#[template(path = "welcome.md.j2")]
 		struct WelcomeMessage<'a> {
 			config: &'a Dep<config::Service>,
 			domain: &'a str,
@@ -228,34 +228,19 @@ impl Service {
 				);
 			},
 		}
 		if self.services.config.suspend_on_register {
 			eprintln!(
 				"{} Accounts created after yours will be suspended, as set in your \
 				 configuration.",
 				"Your account will not be suspended when you register.".green()
 			);
 		}
 		if let Some(smtp) = &self.services.config.smtp {
 			if smtp.require_email_for_registration || smtp.require_email_for_token_registration {
 				eprintln!(
 					"{} Accounts created after yours may be required to provide an email \
 					 address, as set in your configuration.",
 					"You will not be asked for your email address when you register.".yellow(),
 				);
 			}
 			eprintln!(
 				"If you wish to associate an email address with your account, you may do so \
 				 after registration in your client's settings (if supported)."
 			);
 		}
 		eprintln!(
 			"{} https://matrix.org/ecosystem/clients/",
 			"Find a list of Matrix clients here:".bold()
 		);
 		if self.services.config.suspend_on_register {
 			eprintln!(
 				"{} Because you enabled suspend-on-register in your configuration, accounts \
 				 created after yours will be automatically suspended.",
 				"Your account will not be suspended when you register.".green()
 			);
 		}
 		if self
 			.services
 			.config
@@ -1,49 +0,0 @@
 use askama::Template;
 use ruma::UserId;
 pub trait MessageTemplate: Template {
 	fn subject(&self) -> String;
 }
 #[derive(Template)]
 #[template(path = "mail/change_email.txt")]
 pub struct ChangeEmail<'a> {
 	pub server_name: &'a str,
 	pub user_id: Option<&'a UserId>,
 	pub verification_link: String,
 }
 impl MessageTemplate for ChangeEmail<'_> {
 	fn subject(&self) -> String { "Verify your email address".to_owned() }
 }
 #[derive(Template)]
 #[template(path = "mail/new_account.txt")]
 pub struct NewAccount<'a> {
 	pub server_name: &'a str,
 	pub verification_link: String,
 }
 impl MessageTemplate for NewAccount<'_> {
 	fn subject(&self) -> String { "Create your new Matrix account".to_owned() }
 }
 #[derive(Template)]
 #[template(path = "mail/password_reset.txt")]
 pub struct PasswordReset<'a> {
 	pub display_name: Option<&'a str>,
 	pub user_id: &'a UserId,
 	pub verification_link: String,
 }
 impl MessageTemplate for PasswordReset<'_> {
 	fn subject(&self) -> String { format!("Password reset request for {}", &self.user_id) }
 }
 #[derive(Template)]
 #[template(path = "mail/test.txt")]
 pub struct Test;
 impl MessageTemplate for Test {
 	fn subject(&self) -> String { "Test message".to_owned() }
 }
@@ -1,109 +0,0 @@
 use std::sync::Arc;
 use conduwuit::{Err, Result, err, info};
 use lettre::{
 	AsyncSmtpTransport, AsyncTransport, Tokio1Executor,
 	message::{Mailbox, MessageBuilder, header::ContentType},
 };
 use crate::{Args, mailer::messages::MessageTemplate};
 pub mod messages;
 type Transport = AsyncSmtpTransport<Tokio1Executor>;
 type TransportError = lettre::transport::smtp::Error;
 pub struct Service {
 	transport: Option<(Mailbox, Transport)>,
 }
 #[async_trait::async_trait]
 impl crate::Service for Service {
 	fn build(args: Args<'_>) -> Result<Arc<Self>> {
 		let transport = args
 			.server
 			.config
 			.smtp
 			.as_ref()
 			.map(|config| {
 				Ok((config.sender.clone(), Transport::from_url(&config.connection_uri)?.build()))
 			})
 			.transpose()
 			.map_err(|err: TransportError| err!("Failed to set up SMTP transport: {err}"))?;
 		Ok(Arc::new(Self { transport }))
 	}
 	fn name(&self) -> &str { crate::service::make_name(std::module_path!()) }
 	async fn worker(self: Arc<Self>) -> Result<()> {
 		if let Some((_, ref transport)) = self.transport {
 			match transport.test_connection().await {
 				| Ok(true) => {
 					info!("SMTP connection test successful");
 					Ok(())
 				},
 				| Ok(false) => {
 					Err!("SMTP connection test failed")
 				},
 				| Err(err) => {
 					Err!("SMTP connection test failed: {err}")
 				},
 			}
 		} else {
 			info!("SMTP is not configured, email functionality will be unavailable");
 			Ok(())
 		}
 	}
 }
 impl Service {
 	/// Returns a mailer which allows email to be sent, if SMTP is configured.
 	#[must_use]
 	pub fn mailer(&self) -> Option<Mailer<'_>> {
 		self.transport
 			.as_ref()
 			.map(|(sender, transport)| Mailer { sender, transport })
 	}
 	pub fn expect_mailer(&self) -> Result<Mailer<'_>> {
 		self.mailer().ok_or_else(|| {
 			err!(Request(FeatureDisabled("This homeserver is not configured to send email.")))
 		})
 	}
 }
 pub struct Mailer<'a> {
 	sender: &'a Mailbox,
 	transport: &'a Transport,
 }
 impl Mailer<'_> {
 	/// Sends an email.
 	pub async fn send<Template: MessageTemplate>(
 		&self,
 		recipient: Mailbox,
 		message: Template,
 	) -> Result<()> {
 		let subject = message.subject();
 		let body = message
 			.render()
 			.map_err(|err| err!("Failed to render message template: {err}"))?;
 		let message = MessageBuilder::new()
 			.from(self.sender.clone())
 			.to(recipient)
 			.subject(subject)
 			.date_now()
 			.header(ContentType::TEXT_PLAIN)
 			.body(body)
 			.expect("should have been able to construct message");
 		self.transport
 			.send(message)
 			.await
 			.map_err(|err: TransportError| err!("Failed to send message: {err}"))?;
 		Ok(())
 	}
 }
@@ -21,10 +21,8 @@ pub mod federation;
 pub mod firstrun;
 pub mod globals;
 pub mod key_backups;
 pub mod mailer;
 pub mod media;
 pub mod moderation;
 pub mod password_reset;
 pub mod presence;
 pub mod pusher;
 pub mod registration_tokens;
@@ -33,7 +31,6 @@ pub mod rooms;
 pub mod sending;
 pub mod server_keys;
 pub mod sync;
 pub mod threepid;
 pub mod transactions;
 pub mod uiaa;
 pub mod users;
@@ -1,68 +0,0 @@
 use std::{
 	sync::Arc,
 	time::{Duration, SystemTime},
 };
 use conduwuit::utils::{ReadyExt, stream::TryExpect};
 use database::{Database, Deserialized, Json, Map};
 use ruma::{OwnedUserId, UserId};
 use serde::{Deserialize, Serialize};
 pub(super) struct Data {
 	passwordresettoken_info: Arc<Map>,
 }
 #[derive(Debug, Serialize, Deserialize)]
 pub struct ResetTokenInfo {
 	pub user: OwnedUserId,
 	pub issued_at: SystemTime,
 }
 impl ResetTokenInfo {
 	// one hour
 	const MAX_TOKEN_AGE: Duration = Duration::from_secs(60 * 60);
 	pub fn is_valid(&self) -> bool {
 		let now = SystemTime::now();
 		now.duration_since(self.issued_at)
 			.is_ok_and(|duration| duration < Self::MAX_TOKEN_AGE)
 	}
 }
 impl Data {
 	pub(super) fn new(db: &Arc<Database>) -> Self {
 		Self {
 			passwordresettoken_info: db["passwordresettoken_info"].clone(),
 		}
 	}
 	/// Associate a reset token with its info in the database.
 	pub(super) fn save_token(&self, token: &str, info: &ResetTokenInfo) {
 		self.passwordresettoken_info.raw_put(token, Json(info));
 	}
 	/// Lookup the info for a reset token.
 	pub(super) async fn lookup_token_info(&self, token: &str) -> Option<ResetTokenInfo> {
 		self.passwordresettoken_info
 			.get(token)
 			.await
 			.deserialized()
 			.ok()
 	}
 	/// Find a user's existing reset token, if any.
 	pub(super) async fn find_token_for_user(
 		&self,
 		user: &UserId,
 	) -> Option<(String, ResetTokenInfo)> {
 		self.passwordresettoken_info
 			.stream::<'_, String, ResetTokenInfo>()
 			.expect_ok()
 			.ready_find(|(_, info)| info.user == user)
 			.await
 	}
 	/// Remove a reset token.
 	pub(super) fn remove_token(&self, token: &str) { self.passwordresettoken_info.remove(token); }
 }
@@ -1,120 +0,0 @@
 mod data;
 use std::{sync::Arc, time::SystemTime};
 use conduwuit::{Err, Result, utils};
 use data::{Data, ResetTokenInfo};
 use ruma::OwnedUserId;
 use crate::{Dep, globals, users};
 pub const PASSWORD_RESET_PATH: &str = "/_continuwuity/account/reset_password";
 pub const RESET_TOKEN_QUERY_PARAM: &str = "token";
 const RESET_TOKEN_LENGTH: usize = 32;
 pub struct Service {
 	db: Data,
 	services: Services,
 }
 struct Services {
 	users: Dep<users::Service>,
 	globals: Dep<globals::Service>,
 }
 #[derive(Debug)]
 pub struct ValidResetToken {
 	pub token: String,
 	pub info: ResetTokenInfo,
 }
 impl crate::Service for Service {
 	fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
 		Ok(Arc::new(Self {
 			db: Data::new(args.db),
 			services: Services {
 				users: args.depend::<users::Service>("users"),
 				globals: args.depend::<globals::Service>("globals"),
 			},
 		}))
 	}
 	fn name(&self) -> &str { crate::service::make_name(std::module_path!()) }
 }
 impl Service {
 	/// Generate a random string suitable to be used as a password reset token.
 	#[must_use]
 	pub fn generate_token_string() -> String { utils::random_string(RESET_TOKEN_LENGTH) }
 	/// Issue a password reset token for `user`, who must be a local user with
 	/// the `password` origin.
 	pub async fn issue_token(&self, user_id: OwnedUserId) -> Result<ValidResetToken> {
 		if !self.services.globals.user_is_local(&user_id) {
 			return Err!("Cannot issue a password reset token for remote user {user_id}");
 		}
 		if user_id == self.services.globals.server_user {
 			return Err!("Cannot issue a password reset token for the server user");
 		}
 		if self
 			.services
 			.users
 			.origin(&user_id)
 			.await
 			.unwrap_or_else(|_| "password".to_owned())
 			!= "password"
 		{
 			return Err!("Cannot issue a password reset token for non-internal user {user_id}");
 		}
 		if self.services.users.is_deactivated(&user_id).await? {
 			return Err!("Cannot issue a password reset token for deactivated user {user_id}");
 		}
 		if let Some((existing_token, _)) = self.db.find_token_for_user(&user_id).await {
 			self.db.remove_token(&existing_token);
 		}
 		let token = Self::generate_token_string();
 		let info = ResetTokenInfo {
 			user: user_id,
 			issued_at: SystemTime::now(),
 		};
 		self.db.save_token(&token, &info);
 		Ok(ValidResetToken { token, info })
 	}
 	/// Check if `token` represents a valid, non-expired password reset token.
 	pub async fn check_token(&self, token: &str) -> Option<ValidResetToken> {
 		self.db.lookup_token_info(token).await.and_then(|info| {
 			if info.is_valid() {
 				Some(ValidResetToken { token: token.to_owned(), info })
 			} else {
 				self.db.remove_token(token);
 				None
 			}
 		})
 	}
 	/// Consume the supplied valid token, using it to change its user's password
 	/// to `new_password`.
 	pub async fn consume_token(
 		&self,
 		ValidResetToken { token, info }: ValidResetToken,
 		new_password: &str,
 	) -> Result<()> {
 		if info.is_valid() {
 			self.db.remove_token(&token);
 			self.services
 				.users
 				.set_password(&info.user, Some(new_password))
 				.await?;
 		}
 		Ok(())
 	}
 }
@@ -1,7 +1,7 @@
 use std::{fmt::Debug, mem, sync::Arc};
 use bytes::BytesMut;
-use conduwuit::utils::response::LimitReadExt;
+use conduwuit::{debug, debug_info, utils::response::LimitReadExt};
 use conduwuit_core::{
 	Err, Event, Result, debug_warn, err, trace,
 	utils::{stream::TryIgnore, string_from_bytes},
@@ -220,7 +220,13 @@ impl Service {
 			}
 		}
-		let response = self.services.client.pusher.execute(reqwest_request).await;
+		let response = self
 			.services
 			.client
 			.pusher
 			.execute(reqwest_request)
 			.await
 			.inspect(|r| debug!("Received response from push gateway {dest}: {r:?}"));
 		match response {
 			| Ok(mut response) => {
@@ -490,9 +496,28 @@ impl Service {
 						.await
 						.ok();
 				}
-
+				debug_info!(
 					%url,
 					?notify,
 					?event,
 					"Sending notification to push gateway for {} in {}",
 					event.event_id(),
 					event.room_id_or_hash(),
 				);
 				self.send_request(&http.url, send_event_notification::v1::Request::new(notify))
-					.await?;
+					.await
 					.inspect(|_| {
 						debug_info!(
 							"Successfully sent push notification for {}",
 							event.event_id()
 						)
 					})
 					.inspect_err(|e| {
 						debug_warn!(
 							"Failed to send push notification for {}: {e}",
 							event.event_id()
 						)
 					})?;
 				Ok(())
 			},
@@ -13,6 +13,8 @@ use ruma::OwnedUserId;
 use crate::{Dep, config, firstrun};
 const RANDOM_TOKEN_LENGTH: usize = 16;
 pub struct Service {
 	db: Data,
 	services: Services,
@@ -101,11 +103,9 @@ impl crate::Service for Service {
 }
 impl Service {
 	const RANDOM_TOKEN_LENGTH: usize = 16;
 	/// Generate a random string suitable to be used as a registration token.
 	#[must_use]
-	pub fn generate_token_string() -> String { utils::random_string(Self::RANDOM_TOKEN_LENGTH) }
+	pub fn generate_token_string() -> String { utils::random_string(RANDOM_TOKEN_LENGTH) }
 	/// Issue a new registration token and save it in the database.
 	pub fn issue_token(
@@ -228,7 +228,7 @@ async fn acquire_notary_result(&self, missing: &mut Batch, server_keys: ServerSi
 	self.add_signing_keys(server_keys.clone()).await;
 	if let Some(key_ids) = missing.get_mut(server) {
-		key_ids.retain(|key_id| !key_exists(&server_keys, key_id));
+		key_ids.retain(|key_id| key_exists(&server_keys, key_id));
 		if key_ids.is_empty() {
 			missing.remove(server);
 		}
@@ -9,12 +9,12 @@ use tokio::sync::Mutex;
 use crate::{
 	account_data, admin, announcements, antispam, appservice, client, config, emergency,
-	federation, firstrun, globals, key_backups, mailer,
+	federation, firstrun, globals, key_backups,
 	manager::Manager,
-	media, moderation, password_reset, presence, pusher, registration_tokens, resolver, rooms,
+	media, moderation, presence, pusher, registration_tokens, resolver, rooms, sending,
-	sending, server_keys,
+	server_keys,
 	service::{self, Args, Map, Service},
-	sync, threepid, transactions, uiaa, users,
+	sync, transactions, uiaa, users,
 };
 pub struct Services {
@@ -27,8 +27,6 @@ pub struct Services {
 	pub globals: Arc<globals::Service>,
 	pub key_backups: Arc<key_backups::Service>,
 	pub media: Arc<media::Service>,
 	pub password_reset: Arc<password_reset::Service>,
 	pub mailer: Arc<mailer::Service>,
 	pub presence: Arc<presence::Service>,
 	pub pusher: Arc<pusher::Service>,
 	pub registration_tokens: Arc<registration_tokens::Service>,
@@ -40,7 +38,6 @@ pub struct Services {
 	pub server_keys: Arc<server_keys::Service>,
 	pub sync: Arc<sync::Service>,
 	pub transactions: Arc<transactions::Service>,
 	pub threepid: Arc<threepid::Service>,
 	pub uiaa: Arc<uiaa::Service>,
 	pub users: Arc<users::Service>,
 	pub moderation: Arc<moderation::Service>,
@@ -84,8 +81,6 @@ impl Services {
 			globals: build!(globals::Service),
 			key_backups: build!(key_backups::Service),
 			media: build!(media::Service),
 			password_reset: build!(password_reset::Service),
 			mailer: build!(mailer::Service),
 			presence: build!(presence::Service),
 			pusher: build!(pusher::Service),
 			registration_tokens: build!(registration_tokens::Service),
@@ -115,7 +110,6 @@ impl Services {
 			sending: build!(sending::Service),
 			server_keys: build!(server_keys::Service),
 			sync: build!(sync::Service),
 			threepid: build!(threepid::Service),
 			transactions: build!(transactions::Service),
 			uiaa: build!(uiaa::Service),
 			users: build!(users::Service),
@@ -1,3 +0,0 @@
 {%- block content %}{% endblock %}
 Message sent by Continuwuity {{ env!("CARGO_PKG_VERSION") }}. 🐈
@@ -1,13 +0,0 @@
 {% extends "_base.txt" %}
 {% block content -%}
 Hello!
 {% if let Some(user_id) = user_id -%}
 Somebody, probably you, tried to associate this email address with the Matrix account {{ user_id }}.
 {%- else -%}
 Somebody, probably you, tried to associate this email address with a Matrix account on {{ server_name }}.
 {%- endif %}
 If that was you, and this is your email address, click this link to proceed:
    {{ verification_link }}
 Otherwise, you can ignore this email. The above link will expire in one hour.
 {%- endblock %}
@@ -1,10 +0,0 @@
 {% extends "_base.txt" %}
 {% block content -%}
 Hello!
 Somebody, probably you, tried to create a Matrix account on {{ server_name }} using this email address.
 Use the link below to proceed with creating your account:
    {{ verification_link }}
 If you are not trying to create an account, you can ignore this email. The above link will expire in one hour.
 {%- endblock %}
@@ -1,14 +0,0 @@
 {% extends "_base.txt" %}
 {% block content -%}
 {%- if let Some(display_name) = display_name -%}
 Hello {{ display_name }} ({{ user_id }}),
 {%- else -%}
 Hello {{ user_id }},
 {%- endif %}
 Somebody, probably you, tried to reset your Matrix account's password.
 If you requested for your password to be reset, click this link to proceed:
    {{ verification_link }}
 Otherwise, you can ignore this email. The above link will expire in one hour.
 {%- endblock %}
@@ -1,5 +0,0 @@
 {% extends "_base.txt" %}
 {% block content -%}
 If you're seeing this, SMTP is configured correctly. :3
 {%- endblock %}
@@ -1,281 +0,0 @@
 use std::{borrow::Cow, collections::HashMap, sync::Arc};
 use conduwuit::{Err, Error, Result, result::FlatOk};
 use database::{Deserialized, Map};
 use governor::{DefaultKeyedRateLimiter, Quota, RateLimiter};
 use lettre::{Address, message::Mailbox};
 use nonzero_ext::nonzero;
 use ruma::{
 	ClientSecret, OwnedClientSecret, OwnedSessionId, SessionId, api::client::error::ErrorKind,
 };
 mod session;
 use crate::{
 	Args, Dep, config,
 	mailer::{self, messages::MessageTemplate},
 	threepid::session::{ValidationSessions, ValidationState, ValidationToken},
 };
 pub struct Service {
 	db: Data,
 	services: Services,
 	sessions: tokio::sync::Mutex<ValidationSessions>,
 	send_attempts: std::sync::Mutex<HashMap<(OwnedClientSecret, Address), usize>>,
 	ratelimiter: DefaultKeyedRateLimiter<Address>,
 }
 struct Data {
 	localpart_email: Arc<Map>,
 	email_localpart: Arc<Map>,
 }
 struct Services {
 	config: Dep<config::Service>,
 	mailer: Dep<mailer::Service>,
 }
 impl crate::Service for Service {
 	fn build(args: Args<'_>) -> Result<Arc<Self>> {
 		Ok(Arc::new(Self {
 			db: Data {
 				email_localpart: args.db["email_localpart"].clone(),
 				localpart_email: args.db["localpart_email"].clone(),
 			},
 			services: Services {
 				config: args.depend("config"),
 				mailer: args.depend("mailer"),
 			},
 			sessions: tokio::sync::Mutex::default(),
 			send_attempts: std::sync::Mutex::default(),
 			ratelimiter: RateLimiter::keyed(Self::EMAIL_RATELIMIT),
 		}))
 	}
 	fn name(&self) -> &str { crate::service::make_name(std::module_path!()) }
 }
 impl Service {
 	// Each address gets two tickets to send an email, which refill at a rate of one
 	// per ten minutes. This allows two emails to be sent at once without waiting
 	// (in case the first one gets eaten), but requires a wait of at least ten
 	// minutes before sending another.
 	const EMAIL_RATELIMIT: Quota =
 		Quota::per_minute(nonzero!(10_u32)).allow_burst(nonzero!(2_u32));
 	const VALIDATION_URL_PATH: &str = "/_continuwuity/3pid/email/validate";
 	/// Send a validation message to an email address.
 	///
 	/// Returns the validation session ID on success.
 	#[allow(clippy::impl_trait_in_params)]
 	pub async fn send_validation_email<Template: MessageTemplate>(
 		&self,
 		recipient: Mailbox,
 		prepare_body: impl FnOnce(String) -> Template,
 		client_secret: &ClientSecret,
 		send_attempt: usize,
 	) -> Result<OwnedSessionId> {
 		let mailer = self.services.mailer.expect_mailer()?;
 		let mut sessions = self.sessions.lock().await;
 		let session = match sessions.get_session_by_client_secret(client_secret) {
 			// If a validation session already exists for this client secret, we can either
 			// reuse it with a new token or return early because it's already valid.
 			| Some(session) => {
 				match session.validation_state {
 					| ValidationState::Validated => {
 						// If the existing session is already valid, don't send an email.
 						return Ok(session.session_id.clone());
 					},
 					| ValidationState::Pending(ref mut token) => {
 						// Check ratelimiting for the target address.
 						if self.ratelimiter.check_key(&recipient.email).is_err() {
 							return Err(Error::BadRequest(
 								ErrorKind::LimitExceeded { retry_after: None },
 								"You're sending emails too fast, try again in a few minutes.",
 							));
 						}
 						// Check the send attempt for this session.
 						let mut send_attempts = self.send_attempts.lock().unwrap();
 						let last_send_attempt = send_attempts
 							.entry((session.client_secret.clone(), session.email.clone()))
 							.or_default();
 						if send_attempt <= *last_send_attempt {
 							// If the supplied send attempt isn't higher than the last
 							// one, don't send an email.
 							return Ok(session.session_id.clone());
 						}
 						// Save this send attempt.
 						*last_send_attempt = send_attempt;
 						drop(send_attempts);
 						// Create a new token for the existing session.
 						*token = ValidationToken::new_random();
 						session
 					},
 				}
 			},
 			// If no session exists, create a new one.
 			| None => sessions.create_session(recipient.email.clone(), client_secret.to_owned()),
 		};
 		// Clone this so it can outlive the lock we're holding on `sessions`
 		let session_id = session.session_id.clone();
 		let ValidationState::Pending(token) = &session.validation_state else {
 			unreachable!("session should be pending")
 		};
 		let mut validation_url = self
 			.services
 			.config
 			.get_client_domain()
 			.join(Self::VALIDATION_URL_PATH)
 			.unwrap();
 		validation_url
 			.query_pairs_mut()
 			.append_pair("session", session_id.as_str())
 			.append_pair("token", &token.token);
 		// Once the validation URL is built, we don't need any data borrowed from
 		// `sessions` anymore and can release our lock
 		drop(sessions);
 		let message = prepare_body(validation_url.to_string());
 		mailer.send(recipient, message).await?;
 		Ok(session_id)
 	}
 	/// Attempt to mark a validation session as valid using a validation token.
 	pub async fn try_validate_session(
 		&self,
 		session_id: &SessionId,
 		supplied_token: &str,
 	) -> Result<(), Cow<'static, str>> {
 		let mut sessions = self.sessions.lock().await;
 		let Some(session) = sessions.get_session(session_id) else {
 			return Err("Validation session does not exist".into());
 		};
 		session.validation_state = match &session.validation_state {
 			| ValidationState::Validated => {
 				// If the session is already validated, do nothing.
 				return Ok(());
 			},
 			| ValidationState::Pending(token) => {
 				// Otherwise check the token and mark the session as valid.
 				if *token != *supplied_token || !token.is_valid() {
 					return Err("Validation token is invalid or expired, please request a new \
 					            one"
 					.into());
 				}
 				ValidationState::Validated
 			},
 		};
 		Ok(())
 	}
 	/// Consume a validated validation session, removing it from the database
 	/// and returning the newly validated email address.
 	pub async fn consume_valid_session(
 		&self,
 		session_id: &SessionId,
 		client_secret: &ClientSecret,
 	) -> Result<Address, Cow<'static, str>> {
 		let mut sessions = self.sessions.lock().await;
 		let Some(session) = sessions.get_session(session_id) else {
 			return Err("Validation session does not exist".into());
 		};
 		if session.client_secret == client_secret
 			&& matches!(session.validation_state, ValidationState::Validated)
 		{
 			let session = sessions.remove_session(session_id);
 			Ok(session.email)
 		} else {
 			Err("This email address has not been validated. Did you use the link that was sent \
 			     to you?"
 				.into())
 		}
 	}
 	/// Associate a localpart with an email address.
 	pub async fn associate_localpart_email(
 		&self,
 		localpart: &str,
 		email: &Address,
 	) -> Result<()> {
 		match self.get_localpart_for_email(email).await {
 			| Some(existing_localpart) if existing_localpart != localpart => {
 				// Another account is already using the supplied email.
 				Err!(Request(ThreepidInUse("This email address is already in use.")))
 			},
 			| Some(_) => {
 				// The supplied localpart is already associated with the supplied email,
 				// no changes are necessary.
 				Ok(())
 			},
 			| None => {
 				// The supplied email is not already in use.
 				let email: &str = email.as_ref();
 				self.db.localpart_email.insert(localpart, email);
 				self.db.email_localpart.insert(email, localpart);
 				Ok(())
 			},
 		}
 	}
 	/// Given a localpart, remove its corresponding email address.
 	///
 	/// [`Self::get_localpart_for_email`] may be used if only the email is
 	/// known.
 	pub async fn disassociate_localpart_email(&self, localpart: &str) -> Option<Address> {
 		let email = self.get_email_for_localpart(localpart).await?;
 		self.db.localpart_email.remove(localpart);
 		self.db
 			.email_localpart
 			.remove(<Address as AsRef<str>>::as_ref(&email));
 		Some(email)
 	}
 	/// Get the email associated with a localpart, if one exists.
 	pub async fn get_email_for_localpart(&self, localpart: &str) -> Option<Address> {
 		self.db
 			.localpart_email
 			.get(localpart)
 			.await
 			.deserialized::<String>()
 			.ok()
 			.map(TryInto::try_into)
 			.flat_ok()
 	}
 	/// Get the localpart associated with an email, if one exists.
 	pub async fn get_localpart_for_email(&self, email: &Address) -> Option<String> {
 		self.db
 			.email_localpart
 			.get(<Address as AsRef<str>>::as_ref(email))
 			.await
 			.deserialized()
 			.ok()
 	}
 }
@@ -1,128 +0,0 @@
 use std::{
 	collections::HashMap,
 	time::{Duration, SystemTime},
 };
 use conduwuit::utils;
 use lettre::Address;
 use ruma::{ClientSecret, OwnedClientSecret, OwnedSessionId, SessionId};
 #[derive(Default)]
 pub(super) struct ValidationSessions {
 	sessions: HashMap<OwnedSessionId, ValidationSession>,
 	client_secrets: HashMap<OwnedClientSecret, OwnedSessionId>,
 }
 /// A pending or completed email validation session.
 #[derive(Debug)]
 pub(crate) struct ValidationSession {
 	/// The session's ID
 	pub session_id: OwnedSessionId,
 	/// The client's supplied client secret
 	pub client_secret: OwnedClientSecret,
 	/// The email address which is being validated
 	pub email: Address,
 	/// The session's validation state
 	pub validation_state: ValidationState,
 }
 /// The state of an email validation session.
 #[derive(Debug)]
 pub(crate) enum ValidationState {
 	/// The session is waiting for this validation token to be provided
 	Pending(ValidationToken),
 	/// The session has been validated
 	Validated,
 }
 #[derive(Clone, Debug)]
 pub(crate) struct ValidationToken {
 	pub token: String,
 	pub issued_at: SystemTime,
 }
 impl ValidationToken {
 	// one hour
 	const MAX_TOKEN_AGE: Duration = Duration::from_secs(60 * 60);
 	const RANDOM_TOKEN_LENGTH: usize = 16;
 	pub(super) fn new_random() -> Self {
 		Self {
 			token: utils::random_string(Self::RANDOM_TOKEN_LENGTH),
 			issued_at: SystemTime::now(),
 		}
 	}
 	pub(crate) fn is_valid(&self) -> bool {
 		let now = SystemTime::now();
 		now.duration_since(self.issued_at)
 			.is_ok_and(|duration| duration < Self::MAX_TOKEN_AGE)
 	}
 }
 impl PartialEq<str> for ValidationToken {
 	fn eq(&self, other: &str) -> bool { self.token == other }
 }
 impl ValidationSessions {
 	const RANDOM_SID_LENGTH: usize = 16;
 	#[must_use]
 	pub(super) fn generate_session_id() -> OwnedSessionId {
 		OwnedSessionId::parse(utils::random_string(Self::RANDOM_SID_LENGTH)).unwrap()
 	}
 	pub(super) fn create_session(
 		&mut self,
 		email: Address,
 		client_secret: OwnedClientSecret,
 	) -> &mut ValidationSession {
 		let session = ValidationSession {
 			session_id: Self::generate_session_id(),
 			client_secret,
 			email,
 			validation_state: ValidationState::Pending(ValidationToken::new_random()),
 		};
 		self.client_secrets
 			.insert(session.client_secret.clone(), session.session_id.clone());
 		self.sessions
 			.entry(session.session_id.clone())
 			.insert_entry(session)
 			.into_mut()
 	}
 	pub(super) fn get_session(
 		&mut self,
 		session_id: &SessionId,
 	) -> Option<&mut ValidationSession> {
 		self.sessions.get_mut(session_id)
 	}
 	pub(super) fn get_session_by_client_secret(
 		&mut self,
 		client_secret: &ClientSecret,
 	) -> Option<&mut ValidationSession> {
 		let session_id = self.client_secrets.get(client_secret)?;
 		let session = self
 			.sessions
 			.get_mut(session_id)
 			.expect("session should exist with session id");
 		Some(session)
 	}
 	pub(super) fn remove_session(&mut self, session_id: &SessionId) -> ValidationSession {
 		let session = self
 			.sessions
 			.remove(session_id)
 			.expect("session ID should exist");
 		self.client_secrets
 			.remove(&session.client_secret)
 			.expect("session should have an associated client secret");
 		session
 	}
 }
@@ -1,29 +1,24 @@
-use std::{
+use std::{collections::BTreeMap, sync::Arc};
 	borrow::Cow,
 	collections::{HashMap, HashSet, hash_map::Entry},
 	sync::Arc,
 };
-use conduwuit::{Err, Error, Result, error, utils, utils::hash};
+use conduwuit::{
-use lettre::Address;
+	Err, Error, Result, SyncRwLock, err, error, implement, utils,
 	utils::{hash, string::EMPTY},
 };
 use database::{Deserialized, Json, Map};
 use ruma::{
-	UserId,
+	CanonicalJsonValue, DeviceId, OwnedDeviceId, OwnedUserId, UserId,
 	api::client::{
 		error::{ErrorKind, StandardErrorBody},
-		uiaa::{
+		uiaa::{AuthData, AuthType, Password, UiaaInfo, UserIdentifier},
 			AuthData, AuthFlow, AuthType, EmailIdentity, Password, ReCaptcha, RegistrationToken,
 			ThirdpartyIdCredentials, UiaaInfo, UserIdentifier,
 		},
 	},
 };
 use serde_json::value::RawValue;
 use tokio::sync::Mutex;
-use crate::{Dep, config, globals, registration_tokens, threepid, users};
+use crate::{Dep, config, globals, registration_tokens, users};
 pub struct Service {
 	userdevicesessionid_uiaarequest: SyncRwLock<RequestMap>,
 	db: Data,
 	services: Services,
 	uiaa_sessions: Mutex<HashMap<String, UiaaSession>>,
 }
 struct Services {
@@ -31,191 +26,214 @@ struct Services {
 	users: Dep<users::Service>,
 	config: Dep<config::Service>,
 	registration_tokens: Dep<registration_tokens::Service>,
 	threepid: Dep<threepid::Service>,
 }
 struct Data {
 	userdevicesessionid_uiaainfo: Arc<Map>,
 }
 type RequestMap = BTreeMap<RequestKey, CanonicalJsonValue>;
 type RequestKey = (OwnedUserId, OwnedDeviceId, String);
 pub const SESSION_ID_LENGTH: usize = 32;
 impl crate::Service for Service {
 	fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
 		Ok(Arc::new(Self {
 			userdevicesessionid_uiaarequest: SyncRwLock::new(RequestMap::new()),
 			db: Data {
 				userdevicesessionid_uiaainfo: args.db["userdevicesessionid_uiaainfo"].clone(),
 			},
 			services: Services {
 				globals: args.depend::<globals::Service>("globals"),
 				users: args.depend::<users::Service>("users"),
 				config: args.depend::<config::Service>("config"),
 				registration_tokens: args
 					.depend::<registration_tokens::Service>("registration_tokens"),
 				threepid: args.depend::<threepid::Service>("threepid"),
 			},
 			uiaa_sessions: Mutex::new(HashMap::new()),
 		}))
 	}
 	fn name(&self) -> &str { crate::service::make_name(std::module_path!()) }
 }
-struct UiaaSession {
+/// Creates a new Uiaa session. Make sure the session token is unique.
-	info: UiaaInfo,
+#[implement(Service)]
-	identity: Identity,
+pub fn create(
 	&self,
 	user_id: &UserId,
 	device_id: &DeviceId,
 	uiaainfo: &UiaaInfo,
 	json_body: &CanonicalJsonValue,
 ) {
 	// TODO: better session error handling (why is uiaainfo.session optional in
 	// ruma?)
 	self.set_uiaa_request(
 		user_id,
 		device_id,
 		uiaainfo.session.as_ref().expect("session should be set"),
 		json_body,
 	);
 	self.update_uiaa_session(
 		user_id,
 		device_id,
 		uiaainfo.session.as_ref().expect("session should be set"),
 		Some(uiaainfo),
 	);
 }
-/// Information about the authenticated user's identity.
+#[implement(Service)]
-///
+#[allow(clippy::useless_let_if_seq)]
-/// A field of this struct will only be Some if the user completed
+pub async fn try_auth(
-/// a stage which provided that information. If multiple stages provide
+	&self,
-/// the same field, authentication will fail if they do not all provide
+	user_id: &UserId,
-/// _identical_ values for that field.
+	device_id: &DeviceId,
-#[derive(Default, Clone)]
+	auth: &AuthData,
-pub struct Identity {
+	uiaainfo: &UiaaInfo,
-	/// The authenticated user's user ID, if it could be determined.
+) -> Result<(bool, UiaaInfo)> {
-	///
+	let mut uiaainfo = if let Some(session) = auth.session() {
-	/// This will be Some if:
+		self.get_uiaa_session(user_id, device_id, session).await?
-	/// - The user completed a m.login.password stage
+	} else {
-	/// - The user completed a m.login.email.identity stage, and their email has
+		uiaainfo.clone()
 	///   an associated user ID
 	pub localpart: Option<String>,
 	/// The authenticated user's email address, if it could be determined.
 	///
 	/// This will be Some if:
 	/// - The user completed a m.login.email.identity stage
 	/// - The user completed a m.login.password stage, and their user ID has an
 	///   associated email
 	pub email: Option<Address>,
 }
 macro_rules! identity_update_fn {
 	(fn $method:ident($field:ident : $type:ty)else $error:literal) => {
 		fn $method(&mut self, $field: $type) -> Result<(), StandardErrorBody> {
 			if self.$field.is_none() {
 				self.$field = Some($field);
 				Ok(())
 			} else if self.$field == Some($field) {
 				Ok(())
 			} else {
 				Err(StandardErrorBody {
 					kind: ErrorKind::InvalidParam,
 					message: $error.to_owned(),
 				})
 			}
 		}
 	};
 }
-impl Identity {
+	if uiaainfo.session.is_none() {
-	identity_update_fn!(fn try_set_localpart(localpart: String) else "User ID mismatch");
+		uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
 	identity_update_fn!(fn try_set_email(email: Address) else "Email mismatch");
 	/// Create an Identity with the localpart of the provided user ID
 	/// and all other fields set to None.
 	#[must_use]
 	pub fn from_user_id(user_id: &UserId) -> Self {
 		Self {
 			localpart: Some(user_id.localpart().to_owned()),
 			..Default::default()
 		}
 	}
 }
-impl Service {
+	match auth {
-	const SESSION_ID_LENGTH: usize = 32;
+		// Find out what the user completed
 		| AuthData::Password(Password {
 			identifier,
 			password,
 			#[cfg(feature = "element_hacks")]
 			user,
 			..
 		}) => {
 			#[cfg(feature = "element_hacks")]
 			let username = if let Some(UserIdentifier::UserIdOrLocalpart(username)) = identifier {
 				username
 			} else if let Some(username) = user {
 				username
 			} else {
 				return Err(Error::BadRequest(
 					ErrorKind::Unrecognized,
 					"Identifier type not recognized.",
 				));
 			};
-	/// Perform the full UIAA authentication sequence for a route given its
+			#[cfg(not(feature = "element_hacks"))]
-	/// authentication data.
+			let Some(UserIdentifier::UserIdOrLocalpart(username)) = identifier else {
-	pub async fn authenticate(
+				return Err(Error::BadRequest(
-		&self,
+					ErrorKind::Unrecognized,
-		auth: &Option<AuthData>,
+					"Identifier type not recognized.",
-		flows: Vec<AuthFlow>,
+				));
-		params: Box<RawValue>,
+			};
 		identity: Option<Identity>,
 	) -> Result<Identity> {
 		match auth.as_ref() {
 			| None => {
 				let info = self.create_session(flows, params, identity).await;
-				Err(Error::Uiaa(info))
+			let user_id_from_username = UserId::parse_with_server_name(
-			},
+				username.clone(),
-			| Some(auth) => {
+				self.services.globals.server_name(),
-				let session: Cow<'_, str> = match auth.session() {
+			)
-					| Some(session) => session.into(),
+			.map_err(|_| Error::BadRequest(ErrorKind::InvalidParam, "User ID is invalid."))?;
-					| None => {
+
-						// Clients are allowed to send UIAA requests with an auth dict and no
+			// Check if the access token being used matches the credentials used for UIAA
-						// session if they want to start the UIAA exchange with existing
+			if user_id.localpart() != user_id_from_username.localpart() {
-						// authentication data. If that happens, we create a new session
+				return Err!(Request(Forbidden("User ID and access token mismatch.")));
-						// here.
+			}
-						self.create_session(flows, params, identity)
+			let user_id = user_id_from_username;
 			// Check if password is correct
 			let mut password_verified = false;
 			// First try local password hash verification
 			if let Ok(hash) = self.services.users.password_hash(&user_id).await {
 				password_verified = hash::verify_password(password, &hash).is_ok();
 			}
 			// If local password verification failed, try LDAP authentication
 			#[cfg(feature = "ldap")]
 			if !password_verified && self.services.config.ldap.enable {
 				// Search for user in LDAP to get their DN
 				if let Ok(dns) = self.services.users.search_ldap(&user_id).await {
 					if let Some((user_dn, _is_admin)) = dns.first() {
 						// Try to authenticate with LDAP
 						password_verified = self
 							.services
 							.users
 							.auth_ldap(user_dn, password)
 							.await
-							.session
+							.is_ok();
-							.unwrap()
+					}
 							.into()
 					},
 				};
 				match self.continue_session(auth, &session).await? {
 					| Ok(identity) => Ok(identity),
 					| Err(info) => Err(Error::Uiaa(info)),
 				}
-			},
+			}
 		}
 	}
-	/// A helper to perform UIAA authentication with just a password stage.
+			if !password_verified {
-	#[inline]
+				uiaainfo.auth_error = Some(StandardErrorBody {
-	pub async fn authenticate_password(
+					kind: ErrorKind::forbidden(),
-		&self,
+					message: "Invalid username or password.".to_owned(),
-		auth: &Option<AuthData>,
+				});
 		identity: Option<Identity>,
 	) -> Result<Identity> {
 		self.authenticate(
 			auth,
 			vec![AuthFlow::new(vec![AuthType::Password])],
 			Box::default(),
 			identity,
 		)
 		.await
 	}
-	/// Create a new UIAA session with a random session ID.
+				return Ok((false, uiaainfo));
-	///
+			}
 	/// If information about the user's identity is already known, it may be
 	/// supplied with the `identity` parameter. Authentication will fail if
 	/// flows provide different values for known identity information.
 	///
 	/// Returns the info of the newly created session.
 	async fn create_session(
 		&self,
 		flows: Vec<AuthFlow>,
 		params: Box<RawValue>,
 		identity: Option<Identity>,
 	) -> UiaaInfo {
 		let mut uiaa_sessions = self.uiaa_sessions.lock().await;
-		let session_id = utils::random_string(Self::SESSION_ID_LENGTH);
+			// Password was correct! Let's add it to `completed`
-		let mut info = UiaaInfo::new(flows, params);
+			uiaainfo.completed.push(AuthType::Password);
-		info.session = Some(session_id.clone());
+		},
 		| AuthData::ReCaptcha(r) => {
 			if self.services.config.recaptcha_private_site_key.is_none() {
 				return Err!(Request(Forbidden("ReCaptcha is not configured.")));
 			}
 			match recaptcha_verify::verify(
 				self.services
 					.config
 					.recaptcha_private_site_key
 					.as_ref()
 					.unwrap(),
 				r.response.as_str(),
 				None,
 			)
 			.await
 			{
 				| Ok(()) => {
 					uiaainfo.completed.push(AuthType::ReCaptcha);
 				},
 				| Err(e) => {
 					error!("ReCaptcha verification failed: {e:?}");
 					uiaainfo.auth_error = Some(StandardErrorBody {
 						kind: ErrorKind::forbidden(),
 						message: "ReCaptcha verification failed.".to_owned(),
 					});
 					return Ok((false, uiaainfo));
 				},
 			}
 		},
 		| AuthData::RegistrationToken(t) => {
 			let token = t.token.trim().to_owned();
-		uiaa_sessions.insert(session_id, UiaaSession {
+			if let Some(valid_token) = self
-			info: info.clone(),
+				.services
-			identity: identity.unwrap_or_default(),
+				.registration_tokens
-		});
+				.validate_token(token)
 				.await
 			{
 				self.services
 					.registration_tokens
 					.mark_token_as_used(valid_token);
-		info
+				uiaainfo.completed.push(AuthType::RegistrationToken);
-	}
+			} else {
-
+				uiaainfo.auth_error = Some(StandardErrorBody {
-	/// Proceed with UIAA authentication given a client's authorization data.
+					kind: ErrorKind::forbidden(),
-	async fn continue_session(
+					message: "Invalid registration token.".to_owned(),
-		&self,
+				});
-		auth: &AuthData,
+				return Ok((false, uiaainfo));
-		session: &str,
+			}
-	) -> Result<Result<Identity, UiaaInfo>> {
+		},
-		// Hold this lock for the entire function to make sure that, if try_auth()
+		| AuthData::Dummy(_) => {
-		// is called concurrently with the same session, only one call will succeed
+			uiaainfo.completed.push(AuthType::Dummy);
-		let mut uiaa_sessions = self.uiaa_sessions.lock().await;
+		},
-
+		| AuthData::FallbackAcknowledgement(_) => {
 		let Entry::Occupied(mut session) = uiaa_sessions.entry(session.to_owned()) else {
 			return Err!(Request(InvalidParam("Invalid session")));
 		};
 		if let &AuthData::FallbackAcknowledgement(_) = auth {
 			// The client is checking if authentication has succeeded out-of-band. This is
 			// possible if the client is using "fallback auth" (see spec section
 			// 4.9.1.4), which we don't support (and probably never will, because it's a
@@ -223,243 +241,109 @@ impl Service {
 			// Return early to tell the client that no, authentication did not succeed while
 			// it wasn't looking.
-			return Ok(Err(session.get().info.clone()));
+			return Ok((false, uiaainfo));
-		}
+		},
-
+		| k => error!("type not supported: {:?}", k),
 		let completed = {
 			let UiaaSession { info, identity } = session.get_mut();
 			let auth_type = auth.auth_type().expect("auth type should be set");
 			let flow_stages: Vec<HashSet<_>> = info
 				.flows
 				.iter()
 				.map(|flow| {
 					flow.stages
 						.iter()
 						.map(AuthType::as_str)
 						.map(ToOwned::to_owned)
 						.collect()
 				})
 				.collect();
 			let mut completed_stages: HashSet<_> = info
 				.completed
 				.iter()
 				.map(AuthType::as_str)
 				.map(ToOwned::to_owned)
 				.collect();
 			// Don't allow stages which aren't in any flows
 			if !flow_stages
 				.iter()
 				.any(|stages| stages.contains(auth_type.as_str()))
 			{
 				return Err!(Request(InvalidParam("No flows include the supplied stage")));
 			}
 			// If the provided stage hasn't already been completed, check it for completion
 			if !completed_stages.contains(auth_type.as_str()) {
 				match self.check_stage(auth, identity.clone()).await {
 					| Ok((completed_stage, updated_identity)) => {
 						info.auth_error = None;
 						completed_stages.insert(completed_stage.to_string());
 						info.completed.push(completed_stage);
 						*identity = updated_identity;
 					},
 					| Err(error) => {
 						info.auth_error = Some(error);
 					},
 				}
 			}
 			// UIAA is completed if all stages in any flow are completed
 			flow_stages
 				.iter()
 				.any(|stages| completed_stages.is_superset(stages))
 		};
 		if completed {
 			// This session is complete, remove it and return success
 			let (_, UiaaSession { identity, .. }) = session.remove_entry();
 			Ok(Ok(identity))
 		} else {
 			// The client needs to try again, return the updated session
 			Ok(Err(session.get().info.clone()))
 		}
 	}
-	/// Check if the provided authentication data is valid.
+	// Check if a flow now succeeds
-	///
+	let mut completed = false;
-	/// Returns the completed stage's type on success and error information on
+	'flows: for flow in &mut uiaainfo.flows {
-	/// failure.
+		for stage in &flow.stages {
-	async fn check_stage(
+			if !uiaainfo.completed.contains(stage) {
-		&self,
+				continue 'flows;
-		auth: &AuthData,
+			}
 		mut identity: Identity,
 	) -> Result<(AuthType, Identity), StandardErrorBody> {
 		// Note: This function takes ownership of `identity` because mutations to the
 		// identity must not be applied unless checking the stage succeeds. The
 		// updated identity is returned as part of the Ok value, and
 		// `continue_session` handles saving it to `uiaa_sessions`.
 		//
 		// This also means it's fine to mutate `identity` at any point in this function,
 		// because those mutations won't be saved unless the function returns Ok.
 		match auth {
 			| AuthData::Dummy(_) => Ok(AuthType::Dummy),
 			| AuthData::EmailIdentity(EmailIdentity {
 				thirdparty_id_creds: ThirdpartyIdCredentials { client_secret, sid, .. },
 				..
 			}) => {
 				match self
 					.services
 					.threepid
 					.consume_valid_session(sid, client_secret)
 					.await
 				{
 					| Ok(email) => {
 						if let Some(localpart) =
 							self.services.threepid.get_localpart_for_email(&email).await
 						{
 							identity.try_set_localpart(localpart)?;
 						}
 						identity.try_set_email(email)?;
 						Ok(AuthType::EmailIdentity)
 					},
 					| Err(message) => Err(StandardErrorBody {
 						kind: ErrorKind::ThreepidAuthFailed,
 						message: message.into_owned(),
 					}),
 				}
 			},
 			#[allow(clippy::useless_let_if_seq)]
 			| AuthData::Password(Password { identifier, password, .. }) => {
 				let user_id_or_localpart = match identifier {
 					| Some(UserIdentifier::UserIdOrLocalpart(username)) => username.to_owned(),
 					| Some(UserIdentifier::Email { address }) => {
 						let Ok(email) = Address::try_from(address.to_owned()) else {
 							return Err(StandardErrorBody {
 								kind: ErrorKind::InvalidParam,
 								message: "Email is malformed".to_owned(),
 							});
 						};
 						if let Some(localpart) =
 							self.services.threepid.get_localpart_for_email(&email).await
 						{
 							identity.try_set_email(email)?;
 							localpart
 						} else {
 							return Err(StandardErrorBody {
 								kind: ErrorKind::forbidden(),
 								message: "Invalid identifier or password".to_owned(),
 							});
 						}
 					},
 					| _ =>
 						return Err(StandardErrorBody {
 							kind: ErrorKind::Unrecognized,
 							message: "Identifier type not recognized".to_owned(),
 						}),
 				};
 				let Ok(user_id) = UserId::parse_with_server_name(
 					user_id_or_localpart,
 					self.services.globals.server_name(),
 				) else {
 					return Err(StandardErrorBody {
 						kind: ErrorKind::InvalidParam,
 						message: "User ID is malformed".to_owned(),
 					});
 				};
 				// Check if password is correct
 				let mut password_verified = false;
 				// First try local password hash verification
 				if let Ok(hash) = self.services.users.password_hash(&user_id).await {
 					password_verified = hash::verify_password(password, &hash).is_ok();
 				}
 				// If local password verification failed, try LDAP authentication
 				#[cfg(feature = "ldap")]
 				if !password_verified && self.services.config.ldap.enable {
 					// Search for user in LDAP to get their DN
 					if let Ok(dns) = self.services.users.search_ldap(&user_id).await {
 						if let Some((user_dn, _is_admin)) = dns.first() {
 							// Try to authenticate with LDAP
 							password_verified = self
 								.services
 								.users
 								.auth_ldap(user_dn, password)
 								.await
 								.is_ok();
 						}
 					}
 				}
 				if password_verified {
 					identity.try_set_localpart(user_id.localpart().to_owned())?;
 					Ok(AuthType::Password)
 				} else {
 					Err(StandardErrorBody {
 						kind: ErrorKind::forbidden(),
 						message: "Invalid identifier or password".to_owned(),
 					})
 				}
 			},
 			| AuthData::ReCaptcha(ReCaptcha { response, .. }) => {
 				let Some(ref private_site_key) = self.services.config.recaptcha_private_site_key
 				else {
 					return Err(StandardErrorBody {
 						kind: ErrorKind::forbidden(),
 						message: "ReCaptcha is not configured".to_owned(),
 					});
 				};
 				match recaptcha_verify::verify_v3(private_site_key, response, None).await {
 					| Ok(()) => Ok(AuthType::ReCaptcha),
 					| Err(e) => {
 						error!("ReCaptcha verification failed: {e:?}");
 						Err(StandardErrorBody {
 							kind: ErrorKind::forbidden(),
 							message: "ReCaptcha verification failed".to_owned(),
 						})
 					},
 				}
 			},
 			| AuthData::RegistrationToken(RegistrationToken { token, .. }) => {
 				let token = token.trim().to_owned();
 				if let Some(valid_token) = self
 					.services
 					.registration_tokens
 					.validate_token(token)
 					.await
 				{
 					self.services
 						.registration_tokens
 						.mark_token_as_used(valid_token);
 					Ok(AuthType::RegistrationToken)
 				} else {
 					Err(StandardErrorBody {
 						kind: ErrorKind::forbidden(),
 						message: "Invalid registration token".to_owned(),
 					})
 				}
 			},
 			| _ => Err(StandardErrorBody {
 				kind: ErrorKind::Unrecognized,
 				message: "Unsupported stage type".into(),
 			}),
 		}
-		.map(|auth_type| (auth_type, identity))
+		// We didn't break, so this flow succeeded!
 		completed = true;
 	}
 	if !completed {
 		self.update_uiaa_session(
 			user_id,
 			device_id,
 			uiaainfo.session.as_ref().expect("session is always set"),
 			Some(&uiaainfo),
 		);
 		return Ok((false, uiaainfo));
 	}
 	// UIAA was successful! Remove this session and return true
 	self.update_uiaa_session(
 		user_id,
 		device_id,
 		uiaainfo.session.as_ref().expect("session is always set"),
 		None,
 	);
 	Ok((true, uiaainfo))
 }
 #[implement(Service)]
 fn set_uiaa_request(
 	&self,
 	user_id: &UserId,
 	device_id: &DeviceId,
 	session: &str,
 	request: &CanonicalJsonValue,
 ) {
 	let key = (user_id.to_owned(), device_id.to_owned(), session.to_owned());
 	self.userdevicesessionid_uiaarequest
 		.write()
 		.insert(key, request.to_owned());
 }
 #[implement(Service)]
 pub fn get_uiaa_request(
 	&self,
 	user_id: &UserId,
 	device_id: Option<&DeviceId>,
 	session: &str,
 ) -> Option<CanonicalJsonValue> {
 	let key = (
 		user_id.to_owned(),
 		device_id.unwrap_or_else(|| EMPTY.into()).to_owned(),
 		session.to_owned(),
 	);
 	self.userdevicesessionid_uiaarequest
 		.read()
 		.get(&key)
 		.cloned()
 }
 #[implement(Service)]
 fn update_uiaa_session(
 	&self,
 	user_id: &UserId,
 	device_id: &DeviceId,
 	session: &str,
 	uiaainfo: Option<&UiaaInfo>,
 ) {
 	let key = (user_id, device_id, session);
 	if let Some(uiaainfo) = uiaainfo {
 		self.db
 			.userdevicesessionid_uiaainfo
 			.put(key, Json(uiaainfo));
 	} else {
 		self.db.userdevicesessionid_uiaainfo.del(key);
 	}
 }
 #[implement(Service)]
 async fn get_uiaa_session(
 	&self,
 	user_id: &UserId,
 	device_id: &DeviceId,
 	session: &str,
 ) -> Result<UiaaInfo> {
 	let key = (user_id, device_id, session);
 	self.db
 		.userdevicesessionid_uiaainfo
 		.qry(&key)
 		.await
 		.deserialized()
 		.map_err(|_| err!(Request(Forbidden("UIAA session does not exist."))))
 }
@@ -20,25 +20,12 @@ crate-type = [
 [dependencies]
 conduwuit-build-metadata.workspace = true
 conduwuit-service.workspace = true
 conduwuit-core.workspace = true
 async-trait.workspace = true
 askama.workspace = true
 axum.workspace = true
 axum-extra.workspace = true
 base64.workspace = true
 futures.workspace = true
 tracing.workspace = true
 rand.workspace = true
 ruma.workspace = true
 thiserror.workspace = true
 tower-http.workspace = true
 serde.workspace = true
 memory-serve = "2.1.0"
 validator = { version = "0.20.0", features = ["derive"] }
 tower-sec-fetch = { version = "0.1.2", features = ["tracing"] }
 [build-dependencies]
 memory-serve = "2.1.0"
 [lints]
 workspace = true
@@ -1,2 +0,0 @@
 [general]
 dirs = ["pages/templates"]
@@ -1 +0,0 @@
 fn main() { memory_serve::load_directory("./pages/resources"); }
@@ -0,0 +1,94 @@
 :root {
    color-scheme: light;
    --font-stack: sans-serif;
    --background-color: #fff;
    --text-color: #000;
    --bg: oklch(0.76 0.0854 317.27);
    --panel-bg: oklch(0.91 0.042 317.27);
    --name-lightness: 0.45;
    @media (prefers-color-scheme: dark) {
        color-scheme: dark;
        --text-color: #fff;
        --bg: oklch(0.15 0.042 317.27);
        --panel-bg: oklch(0.24 0.03 317.27);
        --name-lightness: 0.8;
    }
    --c1: oklch(0.44 0.177 353.06);
    --c2: oklch(0.59 0.158 150.88);
    --normal-font-size: 1rem;
    --small-font-size: 0.8rem;
 }
 body {
    color: var(--text-color);
    font-family: var(--font-stack);
    margin: 0;
    padding: 0;
    display: grid;
    place-items: center;
    min-height: 100vh;
 }
 html {
    background-color: var(--bg);
    background-image: linear-gradient(
        70deg,
        oklch(from var(--bg) l + 0.2 c h),
        oklch(from var(--bg) l - 0.2 c h)
    );
    font-size: 16px;
 }
 .panel {
    width: min(clamp(24rem, 12rem + 40vw, 48rem), calc(100vw - 3rem));
    border-radius: 15px;
    background-color: var(--panel-bg);
    padding-inline: 1.5rem;
    padding-block: 1rem;
    box-shadow: 0 0.25em 0.375em hsla(0, 0%, 0%, 0.1);
 }
@media (max-width: 24rem) {
    .panel {
        padding-inline: 0.25rem;
        width: calc(100vw - 0.5rem);
        border-radius: 0;
        margin-block-start: 0.2rem;
    }
    main {
        height: 100%;
    }
 }
 footer {
    padding-inline: 0.25rem;
    height: max(fit-content, 2rem);
 }
 .project-name {
    text-decoration: none;
    background: linear-gradient(
        130deg,
        oklch(from var(--c1) var(--name-lightness) c h),
        oklch(from var(--c2) var(--name-lightness) c h)
    );
    background-clip: text;
    color: transparent;
    filter: brightness(1.2);
 }
 b {
    color: oklch(from var(--c2) var(--name-lightness) c h);
 }
 .logo {
    width: 100%;
    height: 64px;
 }
@@ -1,114 +1,86 @@
 use std::any::Any;
 use askama::Template;
 use axum::{
 	Router,
-	extract::rejection::{FormRejection, QueryRejection},
+	extract::State,
-	http::{HeaderValue, StatusCode, header},
+	http::{StatusCode, header},
 	response::{Html, IntoResponse, Response},
 	routing::get,
 };
 use conduwuit_build_metadata::{GIT_REMOTE_COMMIT_URL, GIT_REMOTE_WEB_URL, version_tag};
 use conduwuit_service::state;
 use tower_http::{catch_panic::CatchPanicLayer, set_header::SetResponseHeaderLayer};
 use tower_sec_fetch::SecFetchLayer;
-use crate::pages::TemplateContext;
+pub fn build() -> Router<state::State> {
 	Router::<state::State>::new()
 		.route("/", get(index_handler))
 		.route("/_continuwuity/logo.svg", get(logo_handler))
 }
-mod pages;
+async fn index_handler(
 	State(services): State<state::State>,
 ) -> Result<impl IntoResponse, WebError> {
 	#[derive(Debug, Template)]
 	#[template(path = "index.html.j2")]
 	struct Index<'a> {
 		nonce: &'a str,
 		server_name: &'a str,
 		first_run: bool,
 	}
 	let nonce = rand::random::<u64>().to_string();
-type State = state::State;
+	let template = Index {
 		nonce: &nonce,
 		server_name: services.config.server_name.as_str(),
 		first_run: services.firstrun.is_first_run(),
 	};
 	Ok((
 		[(
 			header::CONTENT_SECURITY_POLICY,
 			format!("default-src 'nonce-{nonce}'; img-src 'self';"),
 		)],
 		Html(template.render()?),
 	))
 }
-const CATASTROPHIC_FAILURE: &str = "cat-astrophic failure! we couldn't even render the error template. \
+async fn logo_handler() -> impl IntoResponse {
-please contact the team @ https://continuwuity.org";
+	(
 		[(header::CONTENT_TYPE, "image/svg+xml")],
 		include_str!("templates/logo.svg").to_owned(),
 	)
 }
 #[derive(Debug, thiserror::Error)]
 enum WebError {
 	#[error("Failed to validate form body: {0}")]
 	ValidationError(#[from] validator::ValidationErrors),
 	#[error("{0}")]
 	QueryRejection(#[from] QueryRejection),
 	#[error("{0}")]
 	FormRejection(#[from] FormRejection),
 	#[error("{0}")]
 	BadRequest(String),
 	#[error("This page does not exist.")]
 	NotFound,
 	#[error("Failed to render template: {0}")]
 	Render(#[from] askama::Error),
 	#[error("{0}")]
 	InternalError(#[from] conduwuit_core::Error),
 	#[error("Request handler panicked! {0}")]
 	Panic(String),
 }
 impl IntoResponse for WebError {
 	fn into_response(self) -> Response {
 		#[derive(Debug, Template)]
 		#[template(path = "error.html.j2")]
-		struct Error {
+		struct Error<'a> {
-			error: WebError,
+			nonce: &'a str,
-			status: StatusCode,
+			err: WebError,
 			context: TemplateContext,
 		}
 		let nonce = rand::random::<u64>().to_string();
 		let status = match &self {
-			| Self::ValidationError(_)
+			| Self::Render(_) => StatusCode::INTERNAL_SERVER_ERROR,
 			| Self::BadRequest(_)
 			| Self::QueryRejection(_)
 			| Self::FormRejection(_) => StatusCode::BAD_REQUEST,
 			| Self::NotFound => StatusCode::NOT_FOUND,
 			| _ => StatusCode::INTERNAL_SERVER_ERROR,
 		};
-
+		let tmpl = Error { nonce: &nonce, err: self };
-		let template = Error {
+		if let Ok(body) = tmpl.render() {
-			error: self,
+			(
-			status,
+				status,
-			context: TemplateContext {
+				[(
-				// Statically set false to prevent error pages from being indexed.
+					header::CONTENT_SECURITY_POLICY,
-				allow_indexing: false,
+					format!("default-src 'none' 'nonce-{nonce}';"),
-			},
+				)],
-		};
+				Html(body),
-
+			)
-		if let Ok(body) = template.render() {
+				.into_response()
 			(status, Html(body)).into_response()
 		} else {
-			(status, CATASTROPHIC_FAILURE).into_response()
+			(status, "Something went wrong").into_response()
 		}
 	}
 }
 pub fn build() -> Router<state::State> {
 	#[allow(clippy::wildcard_imports)]
 	use pages::*;
 	Router::new()
 		.merge(index::build())
 		.nest(
 			"/_continuwuity/",
 			Router::new()
 				.merge(resources::build())
 				.merge(password_reset::build())
 				.merge(debug::build())
 				.merge(threepid::build())
 				.fallback(async || WebError::NotFound),
 		)
 		.layer(CatchPanicLayer::custom(|panic: Box<dyn Any + Send + 'static>| {
 			let details = if let Some(s) = panic.downcast_ref::<String>() {
 				s.clone()
 			} else if let Some(s) = panic.downcast_ref::<&str>() {
 				(*s).to_owned()
 			} else {
 				"(opaque panic payload)".to_owned()
 			};
 			WebError::Panic(details).into_response()
 		}))
 		.layer(SetResponseHeaderLayer::if_not_present(
 			header::CONTENT_SECURITY_POLICY,
 			HeaderValue::from_static("default-src 'self'; img-src 'self' data:;"),
 		))
 		.layer(SecFetchLayer::new(|policy| {
 			policy.allow_safe_methods().reject_missing_metadata();
 		}))
 }
@@ -1,98 +0,0 @@
 use askama::{Template, filters::HtmlSafe};
 use validator::ValidationErrors;
 /// A reusable form component with field validation.
 #[derive(Debug, Template)]
 #[template(path = "_components/form.html.j2", print = "code")]
 pub(crate) struct Form<'a> {
 	pub inputs: Vec<FormInput<'a>>,
 	pub validation_errors: Option<ValidationErrors>,
 	pub submit_label: &'a str,
 }
 impl HtmlSafe for Form<'_> {}
 /// An input element in a form component.
 #[derive(Debug, Clone, Copy)]
 pub(crate) struct FormInput<'a> {
 	/// The field name of the input.
 	pub id: &'static str,
 	/// The `type` property of the input.
 	pub input_type: &'a str,
 	/// The contents of the input's label.
 	pub label: &'a str,
 	/// Whether the input is required. Defaults to `true`.
 	pub required: bool,
 	/// The autocomplete mode for the input. Defaults to `on`.
 	pub autocomplete: &'a str,
 	// This is a hack to make the form! macro's support for client-only fields
 	// work properly. Client-only fields are specified in the macro without a type and aren't
 	// included in the POST body or as a field in the generated struct.
 	// To keep the field from being included in the POST body, its `name` property needs not to
 	// be set in the template. Because of limitations of macro_rules!'s repetition feature, this
 	// field needs to exist to allow the template to check if the field is client-only.
 	#[doc(hidden)]
 	pub type_name: Option<&'static str>,
 }
 impl Default for FormInput<'_> {
 	fn default() -> Self {
 		Self {
 			id: "",
 			input_type: "text",
 			label: "",
 			required: true,
 			autocomplete: "",
 			type_name: None,
 		}
 	}
 }
 /// Generate a deserializable struct which may be turned into a [`Form`]
 /// for inclusion in another template.
 #[macro_export]
 macro_rules! form {
    (
        $(#[$struct_meta:meta])*
        struct $struct_name:ident {
            $(
                $(#[$field_meta:meta])*
                $name:ident$(: $type:ty)? where { $($prop:ident: $value:expr),* }
            ),*
            submit: $submit_label:expr
        }
    ) => {
        #[derive(Debug, serde::Deserialize, validator::Validate)]
        $(#[$struct_meta])*
        struct $struct_name {
            $(
                $(#[$field_meta])*
                $(pub $name: $type,)?
            )*
        }
        impl $struct_name {
            /// Generate a [`Form`] which matches the shape of this struct.
            #[allow(clippy::needless_update)]
            fn build(validation_errors: Option<validator::ValidationErrors>) -> $crate::pages::components::form::Form<'static> {
                $crate::pages::components::form::Form {
                    inputs: vec![
                        $(
                            $crate::pages::components::form::FormInput {
                                id: stringify!($name),
                                $(type_name: Some(stringify!($type)),)?
                                $($prop: $value),*,
                                ..Default::default()
                            },
                        )*
                    ],
                    validation_errors,
                    submit_label: $submit_label,
                }
            }
        }
    };
 }
@@ -1,71 +0,0 @@
 use askama::{Template, filters::HtmlSafe};
 use base64::Engine;
 use conduwuit_core::result::FlatOk;
 use conduwuit_service::Services;
 use ruma::UserId;
 pub(super) mod form;
 #[derive(Debug)]
 pub(super) enum AvatarType<'a> {
 	Initial(char),
 	Image(&'a str),
 }
 #[derive(Debug, Template)]
 #[template(path = "_components/avatar.html.j2")]
 pub(super) struct Avatar<'a> {
 	pub(super) avatar_type: AvatarType<'a>,
 }
 impl HtmlSafe for Avatar<'_> {}
 #[derive(Debug, Template)]
 #[template(path = "_components/user_card.html.j2")]
 pub(super) struct UserCard<'a> {
 	pub user_id: &'a UserId,
 	pub display_name: Option<String>,
 	pub avatar_src: Option<String>,
 }
 impl HtmlSafe for UserCard<'_> {}
 impl<'a> UserCard<'a> {
 	pub(super) async fn for_local_user(services: &Services, user_id: &'a UserId) -> Self {
 		let display_name = services.users.displayname(user_id).await.ok();
 		let avatar_src = async {
 			let avatar_url = services.users.avatar_url(user_id).await.ok()?;
 			let avatar_mxc = avatar_url.parts().ok()?;
 			let file = services.media.get(&avatar_mxc).await.flat_ok()?;
 			Some(format!(
 				"data:{};base64,{}",
 				file.content_type
 					.unwrap_or_else(|| "application/octet-stream".to_owned()),
 				file.content
 					.map(|content| base64::prelude::BASE64_STANDARD.encode(content))
 					.unwrap_or_default(),
 			))
 		}
 		.await;
 		Self { user_id, display_name, avatar_src }
 	}
 	fn avatar(&'a self) -> Avatar<'a> {
 		let avatar_type = if let Some(ref avatar_src) = self.avatar_src {
 			AvatarType::Image(avatar_src)
 		} else if let Some(initial) = self
 			.display_name
 			.as_ref()
 			.and_then(|display_name| display_name.chars().next())
 		{
 			AvatarType::Initial(initial)
 		} else {
 			AvatarType::Initial(self.user_id.localpart().chars().next().unwrap())
 		};
 		Avatar { avatar_type }
 	}
 }
@@ -1,17 +0,0 @@
 use std::convert::Infallible;
 use axum::{Router, routing::get};
 use conduwuit_core::Error;
 use crate::WebError;
 pub(crate) fn build() -> Router<crate::State> {
 	Router::new()
 		.route("/_debug/panic", get(async || -> Infallible { panic!("Guru meditation error") }))
 		.route(
 			"/_debug/error",
 			get(async || -> WebError {
 				Error::Err(std::borrow::Cow::Borrowed("Guru meditation error")).into()
 			}),
 		)
 }
@@ -1,25 +0,0 @@
 use axum::{Router, extract::State, response::IntoResponse, routing::get};
 use crate::{WebError, template};
 pub(crate) fn build() -> Router<crate::State> {
 	Router::new()
 		.route("/", get(index))
 		.route("/_continuwuity/", get(index))
 }
 async fn index(State(services): State<crate::State>) -> Result<impl IntoResponse, WebError> {
 	template! {
 		struct Index<'a> use "index.html.j2" {
 			server_name: &'a str,
 			first_run: bool
 		}
 	}
 	Ok(Index::new(
 		&services,
 		services.globals.server_name().as_str(),
 		services.firstrun.is_first_run(),
 	)
 	.into_response())
 }
@@ -1,56 +0,0 @@
 mod components;
 pub(super) mod debug;
 pub(super) mod index;
 pub(super) mod password_reset;
 pub(super) mod resources;
 pub(super) mod threepid;
 #[derive(Debug)]
 pub(crate) struct TemplateContext {
 	pub allow_indexing: bool,
 }
 impl From<&crate::State> for TemplateContext {
 	fn from(state: &crate::State) -> Self {
 		Self {
 			allow_indexing: state.config.allow_web_indexing,
 		}
 	}
 }
 #[macro_export]
 macro_rules! template {
    (
        struct $name:ident $(<$lifetime:lifetime>)? use $path:literal {
            $($field_name:ident: $field_type:ty),*
        }
    ) => {
        #[derive(Debug, askama::Template)]
        #[template(path = $path)]
        struct $name$(<$lifetime>)? {
            context: $crate::pages::TemplateContext,
            $($field_name: $field_type,)*
        }
        impl$(<$lifetime>)? $name$(<$lifetime>)? {
            fn new(state: &$crate::State, $($field_name: $field_type,)*) -> Self {
                Self {
                    context: state.into(),
                    $($field_name,)*
                }
            }
        }
        #[allow(single_use_lifetimes)]
        impl$(<$lifetime>)? axum::response::IntoResponse for $name$(<$lifetime>)? {
            fn into_response(self) -> axum::response::Response {
                use askama::Template;
                match self.render() {
                    Ok(rendered) => axum::response::Html(rendered).into_response(),
                    Err(err) => $crate::WebError::from(err).into_response()
                }
            }
        }
    };
 }
@@ -1,119 +0,0 @@
 use axum::{
 	Router,
 	extract::{
 		Query, State,
 		rejection::{FormRejection, QueryRejection},
 	},
 	http::StatusCode,
 	response::{IntoResponse, Response},
 	routing::get,
 };
 use serde::Deserialize;
 use validator::Validate;
 use crate::{
 	WebError, form,
 	pages::components::{UserCard, form::Form},
 	template,
 };
 const INVALID_TOKEN_ERROR: &str = "Invalid reset token. Your reset link may have expired.";
 template! {
 	struct PasswordReset<'a> use "password_reset.html.j2" {
 		user_card: UserCard<'a>,
 		body: PasswordResetBody
 	}
 }
 #[derive(Debug)]
 enum PasswordResetBody {
 	Form(Form<'static>),
 	Success,
 }
 form! {
 	struct PasswordResetForm {
 		#[validate(length(min = 1, message = "Password cannot be empty"))]
 		new_password: String where {
 			input_type: "password",
 			label: "New password",
 			autocomplete: "new-password"
 		},
 		#[validate(must_match(other = "new_password", message = "Passwords must match"))]
 		confirm_new_password: String where {
 			input_type: "password",
 			label: "Confirm new password",
 			autocomplete: "new-password"
 		}
 		submit: "Reset Password"
 	}
 }
 pub(crate) fn build() -> Router<crate::State> {
 	Router::new()
 		.route("/account/reset_password", get(get_password_reset).post(post_password_reset))
 }
 #[derive(Deserialize)]
 struct PasswordResetQuery {
 	token: String,
 }
 async fn password_reset_form(
 	services: crate::State,
 	query: PasswordResetQuery,
 	reset_form: Form<'static>,
 ) -> Result<impl IntoResponse, WebError> {
 	let Some(token) = services.password_reset.check_token(&query.token).await else {
 		return Err(WebError::BadRequest(INVALID_TOKEN_ERROR.to_owned()));
 	};
 	let user_card = UserCard::for_local_user(&services, &token.info.user).await;
 	Ok(PasswordReset::new(&services, user_card, PasswordResetBody::Form(reset_form))
 		.into_response())
 }
 async fn get_password_reset(
 	State(services): State<crate::State>,
 	query: Result<Query<PasswordResetQuery>, QueryRejection>,
 ) -> Result<impl IntoResponse, WebError> {
 	let Query(query) = query?;
 	password_reset_form(services, query, PasswordResetForm::build(None)).await
 }
 async fn post_password_reset(
 	State(services): State<crate::State>,
 	query: Result<Query<PasswordResetQuery>, QueryRejection>,
 	form: Result<axum::Form<PasswordResetForm>, FormRejection>,
 ) -> Result<Response, WebError> {
 	let Query(query) = query?;
 	let axum::Form(form) = form?;
 	match form.validate() {
 		| Ok(()) => {
 			let Some(token) = services.password_reset.check_token(&query.token).await else {
 				return Err(WebError::BadRequest(INVALID_TOKEN_ERROR.to_owned()));
 			};
 			let user_id = token.info.user.clone();
 			services
 				.password_reset
 				.consume_token(token, &form.new_password)
 				.await?;
 			let user_card = UserCard::for_local_user(&services, &user_id).await;
 			Ok(PasswordReset::new(&services, user_card, PasswordResetBody::Success)
 				.into_response())
 		},
 		| Err(err) => Ok((
 			StatusCode::BAD_REQUEST,
 			password_reset_form(services, query, PasswordResetForm::build(Some(err))).await,
 		)
 			.into_response()),
 	}
 }
@@ -1,9 +0,0 @@
 use axum::Router;
 pub(crate) fn build() -> Router<crate::State> {
 	Router::new().nest(
 		"/resources/",
 		#[allow(unused_qualifications)]
 		memory_serve::load!().index_file(None).into_router(),
 	)
 }
@@ -1,185 +0,0 @@
 :root {
    color-scheme: light;
    --font-stack: sans-serif;
    --background-color: #fff;
    --text-color: #000;
    --secondary: #666;
    --bg: oklch(0.76 0.0854 317.27);
    --panel-bg: oklch(0.91 0.042 317.27);
    --c1: oklch(0.44 0.177 353.06);
    --c2: oklch(0.59 0.158 150.88);
    --name-lightness: 0.45;
    --background-lightness: 0.9;
    --background-gradient:
        radial-gradient(42.12% 56.13% at 100% 0%, oklch(from var(--c2) var(--background-lightness) c h) 0%, #fff0 100%),
        radial-gradient(42.01% 79.63% at 52.86% 0%, #d9ff5333 0%, #fff0 100%),
        radial-gradient(79.67% 58.09% at 0% 0%, oklch(from var(--c1) var(--background-lightness) c h) 0%, #fff0 100%);
    --normal-font-size: 1rem;
    --small-font-size: 0.8rem;
    --border-radius-sm: 5px;
    --border-radius-lg: 15px;
    @media (prefers-color-scheme: dark) {
        color-scheme: dark;
        --text-color: #fff;
        --secondary: #888;
        --bg: oklch(0.15 0.042 317.27);
        --panel-bg: oklch(0.24 0.03 317.27);
        --name-lightness: 0.8;
        --background-lightness: 0.2;
        --background-gradient:
            radial-gradient(
                42.12% 56.13% at 100% 0%,
                oklch(from var(--c2) var(--background-lightness) c h) 0%,
                #12121200 100%
            ),
            radial-gradient(55.81% 87.78% at 48.37% 0%, #000 0%, #12121200 89.55%),
            radial-gradient(
                122.65% 88.24% at 0% 0%,
                oklch(from var(--c1) var(--background-lightness) c h) 0%,
                #12121200 100%
            );
    }
 }
 * {
    box-sizing: border-box;
 }
 body {
    display: grid;
    margin: 0;
    padding: 0;
    place-items: center;
    min-height: 100vh;
    color: var(--text-color);
    font-family: var(--font-stack);
    line-height: 1.5;
 }
 html {
    background-color: var(--bg);
    background-image: var(--background-gradient);
    font-size: var(--normal-font-size);
 }
 footer {
    padding-inline: 0.25rem;
    height: max(fit-content, 2rem);
    .logo {
        width: 100%;
        height: 64px;
    }
 }
 p {
    margin: 1rem 0;
 }
 em {
    color: oklch(from var(--c2) var(--name-lightness) c h);
    font-weight: bold;
    font-style: normal;
 }
 small {
    color: var(--secondary);
 }
 small.error {
    display: block;
    color: red;
    font-size: small;
    font-style: italic;
    margin-bottom: 0.5rem;
 }
 .panel {
    --preferred-width: 12rem + 40dvw;
    --maximum-width: 48rem;
    width: min(clamp(24rem, var(--preferred-width), var(--maximum-width)), calc(100dvw - 3rem));
    border-radius: var(--border-radius-lg);
    background-color: var(--panel-bg);
    padding-inline: 1.5rem;
    padding-block: 1rem;
    box-shadow: 0 0.25em 0.375em hsla(0, 0%, 0%, 0.1);
    &.narrow {
        --preferred-width: 12rem + 20dvw;
        --maximum-width: 36rem;
        input, button {
            width: 100%;
        }
    }
 }
 label {
    display: block;
 }
 input, button {
    display: inline-block;
    padding: 0.5em;
    margin-bottom: 0.5em;
    font-size: inherit;
    font-family: inherit;
    color: white;
    background-color: transparent;
    border: none;
    border-radius: var(--border-radius-sm);
 }
 input {
    border: 2px solid var(--secondary);
    &:focus-visible {
        outline: 2px solid var(--c1);
        border-color: transparent;
    }
 }
 button {
    background-color: var(--c1);
    transition: opacity .2s;
    &:enabled:hover {
        opacity: 0.8;
        cursor: pointer;
    }
 }
 h1 {
    margin-top: 0;
    margin-bottom: 0.67em;
 }
@media (max-width: 425px) {
    main {
        padding-block-start: 2rem;
        width: 100%;
    }
    .panel {
        border-radius: 0;
        width: 100%;
    }
 }
@media (max-width: 799px) {
    input, button {
        width: 100%;
    }
 }
@@ -1,44 +0,0 @@
 .avatar {
    --avatar-size: 56px;
    display: inline-block;
    aspect-ratio: 1 / 1;
    inline-size: var(--avatar-size);
    border-radius: 50%;
    text-align: center;
    text-transform: uppercase;
    font-size: calc(var(--avatar-size) * 0.5);
    font-weight: 700;
    line-height: calc(var(--avatar-size) - 2px);
    color: oklch(from var(--c1) calc(l + 0.2) c h);
    background-color: var(--c1);
 }
 .user-card {
    display: flex;
    flex-direction: row;
    align-items: center;
    gap: 16px;
    background-color: oklch(from var(--panel-bg) calc(l - 0.05) c h);
    border-radius: var(--border-radius-lg);
    padding: 16px;
    .info {
        flex: 1 1;
        p {
            margin: 0;
            &.display-name {
                font-weight: 700;
            }
            &:nth-of-type(2) {
                color: var(--secondary);
            }
        }
    }
 }
@@ -1,13 +0,0 @@
 .k10y {
    font-family: monospace;
    font-size: x-small;
    font-weight: 700;
    transform: translate(1rem, 1.6rem);
    color: var(--secondary);
    user-select: none;
 }
 h1 {
    display: flex;
    align-items: center;
 }
@@ -1,11 +0,0 @@
 .project-name {
    text-decoration: none;
    background: linear-gradient(
        130deg,
        oklch(from var(--c1) var(--name-lightness) c h),
        oklch(from var(--c2) var(--name-lightness) c h)
    );
    background-clip: text;
    color: transparent;
    filter: brightness(1.2);
 }
@@ -1,43 +0,0 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!-- Created with Inkscape (http://www.inkscape.org/) -->
 <svg
   width="447.99823"
   height="447.99823"
   viewBox="0 0 447.99823 447.99823"
   version="1.1"
   id="svg1"
   xml:space="preserve"
   xmlns="http://www.w3.org/2000/svg"
   xmlns:svg="http://www.w3.org/2000/svg"><defs
     id="defs1" /><g
     id="layer1"
     transform="translate(-32.000893,-32.000893)"><circle
       style="fill:#9b4bd4;fill-opacity:1;stroke:#000000;stroke-width:10;stroke-dasharray:none;stroke-opacity:1"
       id="path1"
       cy="256"
       cx="256"
       r="176" /><path
       style="fill:#de6cd3;fill-opacity:1;stroke:#000000;stroke-width:10;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
       d="m 41,174 69,36 C 135,126 175,102 226,94 l -12,31 62,-44 -69,-44 15,30 C 128,69 84,109 41,172 Z"
       id="path7" /><path
       style="fill:#de6cd3;fill-opacity:1;stroke:#000000;stroke-width:10;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
       d="m 338,41 -36,69 c 84,25 108,65 116,116 l -31,-12 44,62 44,-69 -30,15 C 443,128 403,84 340,41 Z"
       id="path6" /><path
       style="fill:#de6cd3;fill-opacity:1;stroke:#000000;stroke-width:10;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
       d="m 471,338 -69,-36 c -25,84 -65,108 -116,116 l 12,-31 -62,44 69,44 -15,-30 c 94,-2 138,-42 181,-105 z"
       id="path8" /><path
       style="fill:#de6cd3;fill-opacity:1;stroke:#000000;stroke-width:10;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
       d="m 174,471 36,-69 C 126,377 102,337 94,286 l 31,12 -44,-62 -44,69 30,-15 c 2,94 42,138 105,181 z"
       id="path9" /><g
       id="g15"
       transform="translate(-5.4157688e-4)"><path
         style="fill:none;stroke:#000000;stroke-width:10;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1;paint-order:normal"
         d="m 155.45977,224.65379 c -7.25909,13.49567 -7.25909,26.09161 -6.35171,39.58729 0.90737,11.69626 12.7034,24.29222 24.49943,26.09164 21.77727,3.59884 28.12898,-20.69338 28.12898,-20.69338 0,0 4.53693,-15.29508 5.4443,-40.48699"
         id="path11" /><path
         style="fill:none;stroke:#000000;stroke-width:10;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1;paint-order:normal"
         d="m 218.96706,278.05399 c 3.00446,17.12023 7.52704,24.88918 19.22704,28.48918 9,2.7 22.5,-4.5 22.5,-16.2 0.9,21.6 17.1,17.1 19.8,17.1 11.7,-1.8 18.9,-14.4 16.2,-30.6"
         id="path12" /><path
         style="fill:none;stroke:#000000;stroke-width:10;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1;paint-order:normal"
         d="m 305.6941,230.94317 c 1.8,27 6.3,40.5 6.3,40.5 8.1,27 28.8,19.8 28.8,19.8 18.9,-7.2 22.5,-24.3 22.5,-30.6 0,-25.2 -6.3,-35.1 -6.3,-35.1"
         id="path13" /></g></g></svg>
@@ -1,6 +0,0 @@
 {% match avatar_type %}
    {% when AvatarType::Initial with (initial) %}
    <span class="avatar" role="img">{{ initial }}</span>
    {% when AvatarType::Image with (src) %}
    <img class="avatar" src="{{ src }}">
 {% endmatch %}
@@ -1,30 +0,0 @@
 <form method="post">
    {% let validation_errors = validation_errors.clone().unwrap_or_default() %}
    {% let field_errors = validation_errors.field_errors() %}
    {% for input in inputs %}
        <p>
            <label for="{{ input.id }}">{{ input.label }}</label>
            {% let name = std::borrow::Cow::from(*input.id) %}
            {% if let Some(errors) = field_errors.get(name) %}
                {% for error in errors %}
                    <small class="error">
                        {% if let Some(message) = error.message %}
                            {{ message }}
                        {% else %}
                            Mysterious validation error <code>{{ error.code }}</code>!
                        {% endif %}
                    </small>
                {% endfor %}
            {% endif %}
            <input
                type="{{ input.input_type }}"
                id="{{ input.id }}"
                autocomplete="{{ input.autocomplete }}"
                {% if input.type_name.is_some() %}name="{{ input.id }}"{% endif %}
                {% if input.required %}required{% endif %}
            >
        </p>
    {% endfor %}
    <button type="submit">{{ submit_label }}</button>
 </form>
@@ -1,9 +0,0 @@
 <div class="user-card">
    {{ avatar() }}
    <div class="info">
        {% if let Some(display_name) = display_name %}
        <p class="display-name">{{ display_name }}</p>
        {% endif %}
        <p class="user_id">{{ user_id }}</p>
    </div>
 </div>
@@ -1,41 +0,0 @@
 {% extends "_layout.html.j2" %}
 {%- block head -%}
 <link rel="stylesheet" href="/_continuwuity/resources/error.css">
 {%- endblock -%}
 {%- block title -%}
 🐈 Request Error
 {%- endblock -%}
 {%- block content -%}
 <pre class="k10y" aria-hidden>
 　　　 　  ／＞　　 フ
 　　　 　  | 　_　 _|
 　 　　  ／` ミ＿xノ
 　　 　 /　　　 　 |
 　　　 /　 ヽ　　 ﾉ
 　 　 │　　|　|　|
 　／￣|　　 |　|　|
 　| (￣ヽ＿_ヽ_)__)
 　＼二つ
 </pre>
 <div class="panel">
    <h1>
        {% if status == StatusCode::NOT_FOUND %}
        Not found
        {% else if status == StatusCode::INTERNAL_SERVER_ERROR %}
        Internal server error
        {% else %}
        Bad request
        {% endif %}
    </h1>
    {% if status == StatusCode::INTERNAL_SERVER_ERROR %}
    <p>Please <a href="https://forgejo.ellis.link/continuwuation/continuwuity/issues/new">submit a bug report</a> 🥺</p>
    {% endif %}
    <pre><code>{{ error }}</code></pre>
 </div>
 {%- endblock -%}
@@ -1,18 +0,0 @@
 {% extends "_layout.html.j2" %}
 {%- block title -%}
 Reset Password
 {%- endblock -%}
 {%- block content -%}
 <div class="panel narrow">
    <h1>Reset Password</h1>
    {{ user_card }}
    {% match body %}
        {% when PasswordResetBody::Form(reset_form) %}
        {{ reset_form }}
        {% when PasswordResetBody::Success %}
        <p>Your password has been reset successfully.</p>
    {% endmatch %}
 </div>
 {%- endblock -%}
@@ -1,8 +0,0 @@
 {% extends "_layout.html.j2" %}
 {%- block content -%}
 <div class="panel">
    <h1>Email verification</h1>
    <p>Your email address has been verified. Return to your Matrix client to continue.</p>
 </div>
 {%- endblock content -%}
@@ -1,39 +0,0 @@
 use axum::{
 	Router,
 	extract::{Query, State, rejection::QueryRejection},
 	response::IntoResponse,
 	routing::get,
 };
 use ruma::OwnedSessionId;
 use serde::Deserialize;
 use crate::{WebError, template};
 template! {
 	struct ThreepidValidation use "threepid_validation.html.j2" {}
 }
 pub(crate) fn build() -> Router<crate::State> {
 	Router::new().route("/3pid/email/validate", get(threepid_validation))
 }
 #[derive(Deserialize)]
 struct ThreepidValidationQuery {
 	session: OwnedSessionId,
 	token: String,
 }
 async fn threepid_validation(
 	State(services): State<crate::State>,
 	query: Result<Query<ThreepidValidationQuery>, QueryRejection>,
 ) -> Result<impl IntoResponse, WebError> {
 	let Query(query) = query?;
 	services
 		.threepid
 		.try_validate_session(&query.session, &query.token)
 		.await
 		.map_err(|message| WebError::BadRequest(message.into_owned()))?;
 	Ok(ThreepidValidation::new(&services))
 }
@@ -5,24 +5,23 @@
    <meta charset="UTF-8" />
    <title>{% block title %}Continuwuity{% endblock %}</title>
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    {%- if !context.allow_indexing %}
    <meta name="robots" content="noindex" />
    {%- endif %}
-    <link rel="icon" href="/_continuwuity/resources/logo.svg">
+    <link rel="icon" href="/_continuwuity/logo.svg">
-    <link rel="stylesheet" href="/_continuwuity/resources/common.css">
+    <style type="text/css" nonce="{{ nonce }}">
-    <link rel="stylesheet" href="/_continuwuity/resources/components.css">
+        /*<![CDATA[*/
-    {% block head %}{% endblock %}
+            {{ include_str !("css/index.css") | safe }}
        /*]]>*/
    </style>
 </head>
 <body>
    <main>{%~ block content %}{% endblock ~%}</main>
    {%~ block footer ~%}
        <footer>
-            <img class="logo" src="/_continuwuity/resources/logo.svg">
+            <img class="logo" src="/_continuwuity/logo.svg">
            <p>Powered by <a href="https://continuwuity.org">Continuwuity</a> {{ env!("CARGO_PKG_VERSION") }}
-                {%~ if let Some(version_info) = conduwuit_build_metadata::version_tag() ~%}
+                {%~ if let Some(version_info) = self::version_tag() ~%}
-                    {%~ if let Some(url) = conduwuit_build_metadata::GIT_REMOTE_COMMIT_URL.or(conduwuit_build_metadata::GIT_REMOTE_WEB_URL) ~%}
+                    {%~ if let Some(url) = GIT_REMOTE_COMMIT_URL.or(GIT_REMOTE_WEB_URL) ~%}
                        (<a href="{{ url }}">{{ version_info }}</a>)
                    {%~ else ~%}
                        ({{ version_info }})
@@ -0,0 +1,20 @@
 {% extends "_layout.html.j2" %}
 {%- block title -%}
 Server Error
 {%- endblock -%}
 {%- block content -%}
 <h1>
    {%- match err -%}
    {% else -%} 500: Internal Server Error
    {%- endmatch -%}
 </h1>
 {%- match err -%}
    {% when WebError::Render(err) -%}
        <pre>{{ err }}</pre>
    {% else -%} <p>An error occurred</p>
 {%- endmatch -%}
 {%- endblock -%}
@@ -1,9 +1,4 @@
 {% extends "_layout.html.j2" %}
 {%- block head -%}
 <link rel="stylesheet" href="/_continuwuity/resources/index.css">
 {%- endblock -%}
 {%- block content -%}
 <div class="panel">
    <h1>
@@ -11,7 +6,7 @@
    </h1>
    <p>Continuwuity is successfully installed and working.</p>
    {%- if first_run %}
-    <p>To get started, <em>check the server logs</em> for instructions on how to create the first account.</p>
+    <p>To get started, <b>check the server logs</b> for instructions on how to create the first account.</p>
    <p>For support, take a look at the <a href="https://continuwuity.org/introduction">documentation</a> or join the <a href="https://matrix.to/#/#continuwuity:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org">Continuwuity Matrix room</a>.</p>
    {%- else %}
    <p>To get started, <a href="https://matrix.org/ecosystem/clients">choose a client</a> and connect to <code>{{ server_name }}</code>.</p>
@@ -0,0 +1 @@
 ../../../docs/public/assets/logo.svg
Author	SHA1	Message	Date
timedout	0f5ffd8676	fix: Helps when you refer to variables that exist	2026-03-09 16:43:09 +00:00
timedout	dbe024f645	feat: Add debug logs to pusher service	2026-03-09 16:37:51 +00:00
		`@@ -1 +0,0 @@`
			`Added support for associating email addresses with accounts, requiring email addresses for registration, and resetting passwords via email. Contributed by @ginger`
		`@@ -1 +0,0 @@`
			`Added support for using an admin command to issue self-service password reset links.`
		`@@ -1 +0,0 @@`
			Add new config option to allow or disallow search engine indexing through a `<meta ../>` tag. Defaults to blocking indexing (`content="noindex"`). Contributed by @s1lv3r and @ginger.
`@@ -1 +1 @@`
	`{"m.homeserver":{"base_url": "https://matrix.continuwuity.org"},"org.matrix.msc4143.rtc_foci":[{"type":"livekit","livekit_service_url":"https://livekit.ellis.link"}]}`	`{"m.homeserver":{"base_url": "https://matrix.continuwuity.org"},"org.matrix.msc3575.proxy":{"url": "https://matrix.continuwuity.org"},"org.matrix.msc4143.rtc_foci":[{"type":"livekit","livekit_service_url":"https://livekit.ellis.link"}]}`
		`@@ -1,3 +0,0 @@`
			`{%- block content %}{% endblock %}`

			`Message sent by Continuwuity {{ env!("CARGO_PKG_VERSION") }}. 🐈`
		`@@ -1 +0,0 @@`
			`fn main() { memory_serve::load_directory("./pages/resources"); }`