fix: Don't allow UIAA stages to be completed if no flow includes them

# Conflicts:
#	Cargo.lock
#	Cargo.toml

.forgejo/regsync/regsync.yml

@@ -62,10 +62,6 @@ sync:
     target: registry.gitlab.com/continuwuity/continuwuity
     type: repository
     <<: *tags-main
-  - source: *source
-    target: git.nexy7574.co.uk/mirrored/continuwuity
-    type: repository
-    <<: *tags-releases
   - source: *source
     target: ghcr.io/continuwuity/continuwuity
     type: repository

.github/FUNDING.yml

@@ -1,4 +1,4 @@
 github: [JadedBlueEyes, nexy7574, gingershaped]
 custom:
-  - https://ko-fi.com/nexy7574
+  - https://timedout.uk/donate.html
-  - https://ko-fi.com/JadedBlueEyes
+  - https://jade.ellis.link/sponsors

Cargo.toml

@@ -12,7 +12,7 @@ license = "Apache-2.0"
 # See also `rust-toolchain.toml`
 readme = "README.md"
 repository = "https://forgejo.ellis.link/continuwuation/continuwuity"
-version = "0.5.6"
+version = "0.5.7-alpha.1"
 
 [workspace.metadata.crane]
 name = "conduwuit"
@@ -99,7 +99,7 @@ features = [
 [workspace.dependencies.axum-extra]
 version = "0.12.0"
 default-features = false
-features = ["typed-header", "tracing"]
+features = ["typed-header", "tracing", "cookie"]
 
 [workspace.dependencies.axum-server]
 version = "0.7.2"
@@ -344,7 +344,7 @@ version = "0.1.2"
 [workspace.dependencies.ruma]
 git = "https://forgejo.ellis.link/continuwuation/ruwuma"
 #branch = "conduwuit-changes"
-rev = "bb12ed288a31a23aa11b10ba0fad22b7f985eb88"
+rev = "a97b91adcc012ef04991d823b8b5a79c6686ae48"
 features = [
     "compat",
     "rand",
@@ -559,6 +559,19 @@ version = "1.0.1"
 [workspace.dependencies.askama]
 version = "0.15.0"
 
+[workspace.dependencies.lettre]
+version = "0.11.19"
+default-features = false
+features = ["smtp-transport", "pool", "hostname", "builder", "rustls", "aws-lc-rs", "rustls-native-certs", "tokio1", "tokio1-rustls", "tracing", "serde"]
+
+[workspace.dependencies.governor]
+version = "0.10.4"
+default-features = false
+features = ["std"]
+
+[workspace.dependencies.nonzero_ext]
+version = "0.3.0"
+
 #
 # Patches
 #
@@ -919,7 +932,6 @@ fn_to_numeric_cast_any = "warn"
 format_push_string = "warn"
 get_unwrap = "warn"
 impl_trait_in_params = "warn"
-let_underscore_untyped = "warn"
 lossy_float_literal = "warn"
 mem_forget = "warn"
 missing_assert_message = "warn"
@@ -969,3 +981,6 @@ needless_raw_string_hashes = "allow"
 
 # TODO: Enable this lint & fix all instances
 collapsible_if = "allow"
+
+# TODO: break these apart
+cognitive_complexity = "allow"

changelog.d/+1770db35.feature.md

@@ -0,0 +1 @@
+Added support for associating email addresses with accounts, requiring email addresses for registration, and resetting passwords via email. Contributed by @ginger

changelog.d/+6368729a.feature.md

@@ -0,0 +1 @@
+Added support for using an admin command to issue self-service password reset links.

changelog.d/1527.feature.md

@@ -0,0 +1 @@
+Add new config option to allow or disallow search engine indexing through a `<meta ../>` tag. Defaults to blocking indexing (`content="noindex"`). Contributed by @s1lv3r and @ginger.

conduwuit-example.toml

@@ -25,6 +25,10 @@
 #
 # Also see the `[global.well_known]` config section at the very bottom.
 #
+# If `client` is not set under `[global.well_known]`, the server name will
+# be used as the base domain for user-facing links (such as password
+# reset links) created by Continuwuity.
+#
 # Examples of delegation:
 # - https://continuwuity.org/.well-known/matrix/server
 # - https://continuwuity.org/.well-known/matrix/client
@@ -1795,6 +1799,11 @@
 #
 #config_reload_signal = true
 
+# Allow search engines and crawlers to index Continuwuity's built-in
+# webpages served under the `/_continuwuity/` prefix.
+#
+#allow_web_indexing = false
+
 [global.tls]
 
 # Path to a valid TLS certificate file.
@@ -2028,3 +2037,41 @@
 # web->synapseHTTPAntispam->authorization
 #
 #secret =
+
+#[global.smtp]
+
+# A `smtp://`` URI which will be used to connect to a mail server.
+# Uncommenting the [global.smtp] group and setting this option enables
+# features which depend on the ability to send email,
+# such as self-service password resets.
+#
+# For most modern mail servers, format the URI like this:
+# 	`smtps://username:password@hostname:port`
+# Note that you will need to URL-encode the username and password. If your
+# username _is_ your email address, you will need to replace the `@` with
+# `%40`.
+#
+# For a guide on the accepted URI syntax, consult Lettre's documentation:
+# https://docs.rs/lettre/latest/lettre/transport/smtp/struct.AsyncSmtpTransport.html#method.from_url
+#
+#connection_uri =
+
+# The outgoing address which will be used for sending emails.
+#
+# For a syntax guide, see https://datatracker.ietf.org/doc/html/rfc2822#section-3.4
+#
+# ...or if you don't want to read the RFC, for some reason:
+# - `Name <address@domain.org>` to specify a sender name
+# - `address@domain.org` to not use a name
+#
+#sender =
+
+# Whether to require that users provide an email address when they
+# register.
+#
+#require_email_for_registration = false
+
+# Whether to require that users who register with a registration token
+# provide an email address.
+#
+#require_email_for_token_registration = false

docker/Dockerfile

@@ -10,7 +10,7 @@ RUN rm -f /etc/apt/apt.conf.d/docker-clean
 
 # Match Rustc version as close as possible
 # rustc -vV
-ARG LLVM_VERSION=20
+ARG LLVM_VERSION=21
 # ENV RUSTUP_TOOLCHAIN=${RUST_VERSION}
 
 # Install repo tools

docs/advanced/delegation.mdx

@@ -109,9 +109,6 @@ Restart Continuwuity and your reverse proxy. Once that's done, visit these route
 {
   "m.homeserver": {
     "base_url": "https://matrix.example.com/"
-  },
-  "org.matrix.msc3575.proxy": {
-    "url": "https://matrix.example.com/"
   }
 }
 ```

docs/deploying/docker-compose.for-traefik.yml

@@ -6,6 +6,7 @@ services:
     ### then you are ready to go.
     image: forgejo.ellis.link/continuwuation/continuwuity:latest
     restart: unless-stopped
+    command: /sbin/conduwuit
     volumes:
       - db:/var/lib/continuwuity
       #- ./continuwuity.toml:/etc/continuwuity.toml

docs/deploying/docker-compose.with-caddy.yml

@@ -23,6 +23,7 @@ services:
         ### then you are ready to go.
         image: forgejo.ellis.link/continuwuation/continuwuity:latest
         restart: unless-stopped
+        command: /sbin/conduwuit
         volumes:
             - db:/var/lib/continuwuity
             - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.

docs/deploying/docker-compose.with-traefik.yml

@@ -6,6 +6,7 @@ services:
     ### then you are ready to go.
     image: forgejo.ellis.link/continuwuation/continuwuity:latest
     restart: unless-stopped
+    command: /sbin/conduwuit
     volumes:
       - db:/var/lib/continuwuity
       - /etc/resolv.conf:/etc/resolv.conf:ro # Use the host's DNS resolver rather than Docker's.

docs/deploying/docker-compose.yml

@@ -6,6 +6,7 @@ services:
         ### then you are ready to go.
         image: forgejo.ellis.link/continuwuation/continuwuity:latest
         restart: unless-stopped
+        command: /sbin/conduwuit
         ports:
             - 8448:6167
         volumes:

docs/deploying/docker.mdx

@@ -78,7 +78,7 @@ docker run -d \
   -e CONTINUWUITY_ALLOW_REGISTRATION="false" \
   --name continuwuity \
   forgejo.ellis.link/continuwuation/continuwuity:latest \
-  --execute "users create-user admin"
+  /sbin/conduwuit --execute "users create-user admin"
 ```
 
 Replace `matrix.example.com` with your actual server name and `admin` with
@@ -141,7 +141,7 @@ compose file, add under the `continuwuity` service:
 services:
     continuwuity:
         image: forgejo.ellis.link/continuwuation/continuwuity:latest
-        command: --execute "users create-user admin"
+        command: /sbin/conduwuit --execute "users create-user admin"
         # ... rest of configuration
 ```
 

docs/deploying/kubernetes.mdx

@@ -39,6 +39,7 @@ spec:
         - name: continuwuity
           # use a sha hash <3
           image: forgejo.ellis.link/continuwuation/continuwuity:latest
+          command: ["/sbin/conduwuit"]
           imagePullPolicy: IfNotPresent
           ports:
             - name: http

docs/public/.well-known/matrix/client

@@ -1 +1 @@
-{"m.homeserver":{"base_url": "https://matrix.continuwuity.org"},"org.matrix.msc3575.proxy":{"url": "https://matrix.continuwuity.org"},"org.matrix.msc4143.rtc_foci":[{"type":"livekit","livekit_service_url":"https://livekit.ellis.link"}]}
+{"m.homeserver":{"base_url": "https://matrix.continuwuity.org"},"org.matrix.msc4143.rtc_foci":[{"type":"livekit","livekit_service_url":"https://livekit.ellis.link"}]}

docs/reference/admin/debug.md

@@ -130,6 +130,10 @@ Trim memory usage
 
 List database files
 
+## `!admin debug send-test-email`
+
+Send a test email to the invoking admin's email address
+
 ## `!admin debug tester`
 
 Developer test stubs

docs/reference/admin/users.md

@@ -12,6 +12,24 @@ Create a new user
 
 Reset user password
 
+## `!admin users issue-password-reset-link`
+
+Issue a self-service password reset link for a user
+
+## `!admin users get-email`
+
+Get a user's associated email address
+
+## `!admin users get-user-by-email`
+
+Get the user with the given email address
+
+## `!admin users change-email`
+
+Update or remove a user's email address.
+
+If `email` is not supplied, the user's existing address will be removed.
+
 ## `!admin users deactivate`
 
 Deactivate a user

flake.lock

@@ -3,11 +3,11 @@
     "advisory-db": {
       "flake": false,
       "locked": {
-        "lastModified": 1772776993,
+        "lastModified": 1773786698,
-        "narHash": "sha256-CpBa+UpogN0Xn1gMmgqQrzKGee+E8TCkgHar8/w6CRk=",
+        "narHash": "sha256-o/J7ZculgwSs1L4H4UFlFZENOXTJzq1X0n71x6oNNvY=",
         "owner": "rustsec",
         "repo": "advisory-db",
-        "rev": "b3472341e37cbd4b8c27b052b2abb34792f4d3c4",
+        "rev": "99e9de91bb8b61f06ef234ff84e11f758ecd5384",
         "type": "github"
       },
       "original": {
@@ -18,11 +18,11 @@
     },
     "crane": {
       "locked": {
-        "lastModified": 1772560058,
+        "lastModified": 1773189535,
-        "narHash": "sha256-NuVKdMBJldwUXgghYpzIWJdfeB7ccsu1CC7B+NfSoZ8=",
+        "narHash": "sha256-E1G/Or6MWeP+L6mpQ0iTFLpzSzlpGrITfU2220Gq47g=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "db590d9286ed5ce22017541e36132eab4e8b3045",
+        "rev": "6fa2fb4cf4a89ba49fc9dd5a3eb6cde99d388269",
         "type": "github"
       },
       "original": {
@@ -39,11 +39,11 @@
         "rust-analyzer-src": "rust-analyzer-src"
       },
       "locked": {
-        "lastModified": 1772953398,
+        "lastModified": 1773732206,
-        "narHash": "sha256-fTTHCaEvPLzWyZFxPud/G9HM3pNYmW/64Kj58hdH4+k=",
+        "narHash": "sha256-HKibxaUXyWd4Hs+ZUnwo6XslvaFqFqJh66uL9tphU4Q=",
         "owner": "nix-community",
         "repo": "fenix",
-        "rev": "fc4863887d98fd879cf5f11af1d23d44d9bdd8ae",
+        "rev": "0aa13c1b54063a8d8679b28a5cd357ba98f4a56b",
         "type": "github"
       },
       "original": {
@@ -89,11 +89,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1772773019,
+        "lastModified": 1773734432,
-        "narHash": "sha256-E1bxHxNKfDoQUuvriG71+f+s/NT0qWkImXsYZNFFfCs=",
+        "narHash": "sha256-IF5ppUWh6gHGHYDbtVUyhwy/i7D261P7fWD1bPefOsw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "aca4d95fce4914b3892661bcb80b8087293536c6",
+        "rev": "cda48547b432e8d3b18b4180ba07473762ec8558",
         "type": "github"
       },
       "original": {
@@ -132,11 +132,11 @@
     "rust-analyzer-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1772877513,
+        "lastModified": 1773697963,
-        "narHash": "sha256-RcRGv2Bng5I9y75XwFX7oK2l6mLH1dtbTTG9U8qun0c=",
+        "narHash": "sha256-xdKI77It9PM6eNrCcDZsnP4SKulZwk8VkDgBRVMnCb8=",
         "owner": "rust-lang",
         "repo": "rust-analyzer",
-        "rev": "a1b86d600f88be98643e5dd61d6ed26eda17c09e",
+        "rev": "2993637174252ff60a582fd1f55b9ab52c39db6d",
         "type": "github"
       },
       "original": {
@@ -153,11 +153,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1772660329,
+        "lastModified": 1773297127,
-        "narHash": "sha256-IjU1FxYqm+VDe5qIOxoW+pISBlGvVApRjiw/Y/ttJzY=",
+        "narHash": "sha256-6E/yhXP7Oy/NbXtf1ktzmU8SdVqJQ09HC/48ebEGBpk=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "3710e0e1218041bbad640352a0440114b1e10428",
+        "rev": "71b125cd05fbfd78cab3e070b73544abe24c5016",
         "type": "github"
       },
       "original": {

nix/packages/rust.nix

@@ -15,7 +15,7 @@
             file = inputs.self + "/rust-toolchain.toml";
 
             # See also `rust-toolchain.toml`
-            sha256 = "sha256-SJwZ8g0zF2WrKDVmHrVG3pD2RGoQeo24MEXnNx5FyuI=";
+            sha256 = "sha256-sqSWJDUxc+zaz1nBWMAJKTAGBuGWP25GCftIOlCEAtA=";
           };
         in
         {

package-lock.json

@@ -16,21 +16,21 @@
       }
     },
     "node_modules/@emnapi/core": {
-      "version": "1.8.1",
+      "version": "1.9.0",
-      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.8.1.tgz",
+      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.9.0.tgz",
-      "integrity": "sha512-AvT9QFpxK0Zd8J0jopedNm+w/2fIzvtPKPjqyw9jwvBaReTTqPBk9Hixaz7KbjimP+QNz605/XnjFcDAL2pqBg==",
+      "integrity": "sha512-0DQ98G9ZQZOxfUcQn1waV2yS8aWdZ6kJMbYCJB3oUBecjWYO1fqJ+a1DRfPF3O5JEkwqwP1A9QEN/9mYm2Yd0w==",
       "dev": true,
       "license": "MIT",
       "optional": true,
       "dependencies": {
-        "@emnapi/wasi-threads": "1.1.0",
+        "@emnapi/wasi-threads": "1.2.0",
         "tslib": "^2.4.0"
       }
     },
     "node_modules/@emnapi/runtime": {
-      "version": "1.8.1",
+      "version": "1.9.0",
-      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.8.1.tgz",
+      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.9.0.tgz",
-      "integrity": "sha512-mehfKSMWjjNol8659Z8KxEMrdSJDDot5SXMq00dM8BN4o+CLNXQ0xH2V7EchNHV4RmbZLmmPdEaXZc5H2FXmDg==",
+      "integrity": "sha512-QN75eB0IH2ywSpRpNddCRfQIhmJYBCJ1x5Lb3IscKAL8bMnVAKnRg8dCoXbHzVLLH7P38N2Z3mtulB7W0J0FKw==",
       "dev": true,
       "license": "MIT",
       "optional": true,
@@ -39,9 +39,9 @@
       }
     },
     "node_modules/@emnapi/wasi-threads": {
-      "version": "1.1.0",
+      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/@emnapi/wasi-threads/-/wasi-threads-1.1.0.tgz",
+      "resolved": "https://registry.npmjs.org/@emnapi/wasi-threads/-/wasi-threads-1.2.0.tgz",
-      "integrity": "sha512-WI0DdZ8xFSbgMjR1sFsKABJ/C5OnRrjT06JXbZKexJGrDuPTzZdDYfFlsgcCXCyf+suG5QU2e/y1Wo2V/OapLQ==",
+      "integrity": "sha512-N10dEJNSsUx41Z6pZsXU8FjPjpBEplgH24sfkmITrBED1/U2Esum9F3lfLrMjKHHjmi557zQn7kR9R+XWXu5Rg==",
       "dev": true,
       "license": "MIT",
       "optional": true,
@@ -144,17 +144,22 @@
       }
     },
     "node_modules/@rsbuild/plugin-react": {
-      "version": "1.4.5",
+      "version": "1.4.6",
-      "resolved": "https://registry.npmjs.org/@rsbuild/plugin-react/-/plugin-react-1.4.5.tgz",
+      "resolved": "https://registry.npmjs.org/@rsbuild/plugin-react/-/plugin-react-1.4.6.tgz",
-      "integrity": "sha512-eS2sXCedgGA/7bLu8yVtn48eE/GyPbXx4Q7OcutB01IQ1D2y8WSMBys4nwfrecy19utvw4NPn4gYDy52316+vg==",
+      "integrity": "sha512-LAT6xHlEyZKA0VjF/ph5d50iyG+WSmBx+7g98HNZUwb94VeeTMZFB8qVptTkbIRMss3BNKOXmHOu71Lhsh9oEw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@rspack/plugin-react-refresh": "^1.6.0",
+        "@rspack/plugin-react-refresh": "^1.6.1",
         "react-refresh": "^0.18.0"
       },
       "peerDependencies": {
         "@rsbuild/core": "^1.0.0 || ^2.0.0-0"
+      },
+      "peerDependenciesMeta": {
+        "@rsbuild/core": {
+          "optional": true
+        }
       }
     },
     "node_modules/@rspack/binding": {
@@ -695,13 +700,13 @@
       "license": "ISC"
     },
     "node_modules/@unhead/react": {
-      "version": "2.1.10",
+      "version": "2.1.12",
-      "resolved": "https://registry.npmjs.org/@unhead/react/-/react-2.1.10.tgz",
+      "resolved": "https://registry.npmjs.org/@unhead/react/-/react-2.1.12.tgz",
-      "integrity": "sha512-z9IzzkaCI1GyiBwVRMt4dGc2mOvsj9drbAdXGMy6DWpu9FwTR37ZTmAi7UeCVyIkpVdIaNalz7vkbvGG8afFng==",
+      "integrity": "sha512-1xXFrxyw29f+kScXfEb0GxjlgtnHxoYau0qpW9k8sgWhQUNnE5gNaH3u+rNhd5IqhyvbdDRJpQ25zoz0HIyGaw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "unhead": "2.1.10"
+        "unhead": "2.1.12"
       },
       "funding": {
         "url": "https://github.com/sponsors/harlan-zw"
@@ -1573,9 +1578,9 @@
       }
     },
     "node_modules/hookable": {
-      "version": "6.0.1",
+      "version": "6.1.0",
-      "resolved": "https://registry.npmjs.org/hookable/-/hookable-6.0.1.tgz",
+      "resolved": "https://registry.npmjs.org/hookable/-/hookable-6.1.0.tgz",
-      "integrity": "sha512-uKGyY8BuzN/a5gvzvA+3FVWo0+wUjgtfSdnmjtrOVwQCZPHpHDH2WRO3VZSOeluYrHoDCiXFffZXs8Dj1ULWtw==",
+      "integrity": "sha512-ZoKZSJgu8voGK2geJS+6YtYjvIzu9AOM/KZXsBxr83uhLL++e9pEv/dlgwgy3dvHg06kTz6JOh1hk3C8Ceiymw==",
       "dev": true,
       "license": "MIT"
     },
@@ -2978,14 +2983,14 @@
       "license": "MIT"
     },
     "node_modules/oniguruma-to-es": {
-      "version": "4.3.4",
+      "version": "4.3.5",
-      "resolved": "https://registry.npmjs.org/oniguruma-to-es/-/oniguruma-to-es-4.3.4.tgz",
+      "resolved": "https://registry.npmjs.org/oniguruma-to-es/-/oniguruma-to-es-4.3.5.tgz",
-      "integrity": "sha512-3VhUGN3w2eYxnTzHn+ikMI+fp/96KoRSVK9/kMTcFqj1NRDh2IhQCKvYxDnWePKRXY/AqH+Fuiyb7VHSzBjHfA==",
+      "integrity": "sha512-Zjygswjpsewa0NLTsiizVuMQZbp0MDyM6lIt66OxsF21npUDlzpHi1Mgb/qhQdkb+dWFTzJmFbEWdvZgRho8eQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "oniguruma-parser": "^0.12.1",
-        "regex": "^6.0.1",
+        "regex": "^6.1.0",
         "regex-recursion": "^6.0.2"
       }
     },
@@ -3720,9 +3725,9 @@
       }
     },
     "node_modules/unhead": {
-      "version": "2.1.10",
+      "version": "2.1.12",
-      "resolved": "https://registry.npmjs.org/unhead/-/unhead-2.1.10.tgz",
+      "resolved": "https://registry.npmjs.org/unhead/-/unhead-2.1.12.tgz",
-      "integrity": "sha512-We8l9uNF8zz6U8lfQaVG70+R/QBfQx1oPIgXin4BtZnK2IQpz6yazQ0qjMNVBDw2ADgF2ea58BtvSK+XX5AS7g==",
+      "integrity": "sha512-iTHdWD9ztTunOErtfUFk6Wr11BxvzumcYJ0CzaSCBUOEtg+DUZ9+gnE99i8QkLFT2q1rZD48BYYGXpOZVDLYkA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {

pkg/conduwuit.service

@@ -18,6 +18,7 @@ Environment="CONTINUWUITY_DATABASE_PATH=%S/conduwuit"
 Environment="CONTINUWUITY_CONFIG_RELOAD_SIGNAL=true"
 
 LoadCredential=conduwuit.toml:/etc/conduwuit/conduwuit.toml
+RefreshOnReload=yes
 
 ExecStart=/usr/bin/conduwuit --config ${CREDENTIALS_DIRECTORY}/conduwuit.toml
 

renovate.json

@@ -1,6 +1,6 @@
 {
     "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-    "extends": ["config:recommended", "replacements:all"],
+    "extends": ["config:recommended", "replacements:all", ":semanticCommitTypeAll(chore)"],
     "dependencyDashboard": true,
     "osvVulnerabilityAlerts": true,
     "lockFileMaintenance": {
@@ -36,10 +36,18 @@
     },
     "packageRules": [
         {
-            "description": "Batch patch-level Rust dependency updates",
+            "description": "Batch minor and patch Rust dependency updates",
+            "matchManagers": ["cargo"],
+            "matchUpdateTypes": ["minor", "patch"],
+            "matchCurrentVersion": ">=1.0.0",
+            "groupName": "rust-non-major"
+        },
+        {
+            "description": "Batch patch-level zerover Rust dependency updates",
             "matchManagers": ["cargo"],
             "matchUpdateTypes": ["patch"],
-            "groupName": "rust-patch-updates"
+            "matchCurrentVersion": ">=0.1.0,<1.0.0",
+            "groupName": "rust-zerover-patch-updates"
         },
         {
             "description": "Limit concurrent Cargo PRs",

rust-toolchain.toml

@@ -10,7 +10,7 @@
 
 [toolchain]
 profile = "minimal"
-channel = "1.90.0"
+channel = "1.92.0"
 components = [
     # For rust-analyzer
     "rust-src",

src/admin/Cargo.toml

@@ -80,6 +80,7 @@ conduwuit-macros.workspace = true
 conduwuit-service.workspace = true
 const-str.workspace = true
 futures.workspace = true
+lettre.workspace = true
 log.workspace = true
 ruma.workspace = true
 serde_json.workspace = true

src/admin/debug/commands.rs

@@ -19,6 +19,7 @@ use conduwuit::{
 	warn,
 };
 use futures::{FutureExt, StreamExt, TryStreamExt};
+use lettre::message::Mailbox;
 use ruma::{
 	CanonicalJsonObject, CanonicalJsonValue, EventId, OwnedEventId, OwnedRoomId,
 	OwnedRoomOrAliasId, OwnedServerName, RoomId, RoomVersionId,
@@ -876,3 +877,31 @@ pub(super) async fn trim_memory(&self) -> Result {
 
 	writeln!(self, "done").await
 }
+
+#[admin_command]
+pub(super) async fn send_test_email(&self) -> Result {
+	self.bail_restricted()?;
+
+	let mailer = self.services.mailer.expect_mailer()?;
+	let Some(sender) = self.sender else {
+		return Err!("No sender user provided in context");
+	};
+
+	let Some(email) = self
+		.services
+		.threepid
+		.get_email_for_localpart(sender.localpart())
+		.await
+	else {
+		return Err!("{} has no associated email address", sender);
+	};
+
+	mailer
+		.send(Mailbox::new(None, email.clone()), service::mailer::messages::Test)
+		.await?;
+
+	self.write_str(&format!("Test email successfully sent to {email}"))
+		.await?;
+
+	Ok(())
+}

src/admin/debug/mod.rs

@@ -225,6 +225,9 @@ pub enum DebugCommand {
 		level: Option<i32>,
 	},
 
+	/// Send a test email to the invoking admin's email address
+	SendTestEmail,
+
 	/// Developer test stubs
 	#[command(subcommand)]
 	#[allow(non_snake_case)]

src/admin/user/commands.rs

@@ -11,6 +11,7 @@ use conduwuit::{
 	warn,
 };
 use futures::{FutureExt, StreamExt};
+use lettre::Address;
 use ruma::{
 	OwnedEventId, OwnedRoomId, OwnedRoomOrAliasId, OwnedServerName, OwnedUserId, UserId,
 	events::{
@@ -296,6 +297,31 @@ pub(super) async fn reset_password(
 	Ok(())
 }
 
+#[admin_command]
+pub(super) async fn issue_password_reset_link(&self, username: String) -> Result {
+	use conduwuit_service::password_reset::{PASSWORD_RESET_PATH, RESET_TOKEN_QUERY_PARAM};
+
+	self.bail_restricted()?;
+
+	let mut reset_url = self
+		.services
+		.config
+		.get_client_domain()
+		.join(PASSWORD_RESET_PATH)
+		.unwrap();
+
+	let user_id = parse_local_user_id(self.services, &username)?;
+	let token = self.services.password_reset.issue_token(user_id).await?;
+	reset_url
+		.query_pairs_mut()
+		.append_pair(RESET_TOKEN_QUERY_PARAM, &token.token);
+
+	self.write_str(&format!("Password reset link issued for {username}: {reset_url}"))
+		.await?;
+
+	Ok(())
+}
+
 #[admin_command]
 pub(super) async fn deactivate_all(&self, no_leave_rooms: bool, force: bool) -> Result {
 	if self.body.len() < 2
@@ -1069,3 +1095,106 @@ pub(super) async fn enable_login(&self, user_id: String) -> Result {
 
 	self.write_str(&format!("{user_id} can now log in.")).await
 }
+
+#[admin_command]
+pub(super) async fn get_email(&self, user_id: String) -> Result {
+	self.bail_restricted()?;
+	let user_id = parse_local_user_id(self.services, &user_id)?;
+
+	match self
+		.services
+		.threepid
+		.get_email_for_localpart(user_id.localpart())
+		.await
+	{
+		| Some(email) =>
+			self.write_str(&format!("{user_id} has the associated email address {email}."))
+				.await,
+		| None =>
+			self.write_str(&format!("{user_id} has no associated email address."))
+				.await,
+	}
+}
+
+#[admin_command]
+pub(super) async fn get_user_by_email(&self, email: String) -> Result {
+	self.bail_restricted()?;
+
+	let Ok(email) = Address::try_from(email) else {
+		return Err!("Invalid email address.");
+	};
+
+	match self.services.threepid.get_localpart_for_email(&email).await {
+		| Some(localpart) => {
+			let user_id = OwnedUserId::parse(format!(
+				"@{localpart}:{}",
+				self.services.globals.server_name()
+			))
+			.unwrap();
+
+			self.write_str(&format!("{email} belongs to {user_id}."))
+				.await
+		},
+		| None =>
+			self.write_str(&format!("No user has {email} as their email address."))
+				.await,
+	}
+}
+
+#[admin_command]
+pub(super) async fn change_email(&self, user_id: String, email: Option<String>) -> Result {
+	self.bail_restricted()?;
+
+	let user_id = parse_local_user_id(self.services, &user_id)?;
+	let Ok(new_email) = email.map(Address::try_from).transpose() else {
+		return Err!("Invalid email address.");
+	};
+
+	if self.services.mailer.mailer().is_none() {
+		warn!("SMTP has not been configured on this server, emails cannot be sent.");
+	}
+
+	let current_email = self
+		.services
+		.threepid
+		.get_email_for_localpart(user_id.localpart())
+		.await;
+
+	match (current_email, new_email) {
+		| (None, None) =>
+			self.write_str(&format!(
+				"{user_id} already had no associated email. No changes have been made."
+			))
+			.await,
+		| (current_email, Some(new_email)) => {
+			self.services
+				.threepid
+				.associate_localpart_email(user_id.localpart(), &new_email)
+				.await?;
+
+			if let Some(current_email) = current_email {
+				self.write_str(&format!(
+					"The associated email of {user_id} has been changed from {current_email} to \
+					 {new_email}."
+				))
+				.await
+			} else {
+				self.write_str(&format!(
+					"{user_id} has been associated with the email {new_email}."
+				))
+				.await
+			}
+		},
+		| (Some(current_email), None) => {
+			self.services
+				.threepid
+				.disassociate_localpart_email(user_id.localpart())
+				.await;
+
+			self.write_str(&format!(
+				"The associated email of {user_id} has been removed (it was {current_email})."
+			))
+			.await
+		},
+	}
+}

src/admin/user/mod.rs

@@ -29,6 +29,30 @@ pub enum UserCommand {
 		password: Option<String>,
 	},
 
+	/// Issue a self-service password reset link for a user.
+	IssuePasswordResetLink {
+		/// Username of the user who may use the link
+		username: String,
+	},
+
+	/// Get a user's associated email address.
+	GetEmail {
+		user_id: String,
+	},
+
+	/// Get the user with the given email address.
+	GetUserByEmail {
+		email: String,
+	},
+
+	/// Update or remove a user's email address.
+	///
+	/// If `email` is not supplied, the user's existing address will be removed.
+	ChangeEmail {
+		user_id: String,
+		email: Option<String>,
+	},
+
 	/// Deactivate a user
 	///
 	/// User will be removed from all rooms by default.

src/api/Cargo.toml

@@ -85,6 +85,7 @@ http-body-util.workspace = true
 hyper.workspace = true
 ipaddress.workspace = true
 itertools.workspace = true
+lettre.workspace = true
 log.workspace = true
 rand.workspace = true
 reqwest.workspace = true

src/api/client/account.rs

@@ -1,980 +0,0 @@
-use std::fmt::Write;
-
-use axum::extract::State;
-use axum_client_ip::InsecureClientIp;
-use conduwuit::{
-	Err, Error, Event, Result, debug_info, err, error, info,
-	matrix::pdu::PduBuilder,
-	utils::{self, ReadyExt, stream::BroadbandExt},
-	warn,
-};
-use conduwuit_service::Services;
-use futures::{FutureExt, StreamExt};
-use register::RegistrationKind;
-use ruma::{
-	OwnedRoomId, UserId,
-	api::client::{
-		account::{
-			ThirdPartyIdRemovalStatus, change_password, check_registration_token_validity,
-			deactivate, get_3pids, get_username_availability,
-			register::{self, LoginType},
-			request_3pid_management_token_via_email, request_3pid_management_token_via_msisdn,
-			whoami,
-		},
-		uiaa::{AuthFlow, AuthType, UiaaInfo},
-	},
-	events::{
-		GlobalAccountDataEventType, StateEventType,
-		room::{
-			member::{MembershipState, RoomMemberEventContent},
-			message::RoomMessageEventContent,
-			power_levels::{RoomPowerLevels, RoomPowerLevelsEventContent},
-		},
-	},
-	push,
-};
-
-use super::{DEVICE_ID_LENGTH, SESSION_ID_LENGTH, TOKEN_LENGTH, join_room_by_id_helper};
-use crate::Ruma;
-
-const RANDOM_USER_ID_LENGTH: usize = 10;
-
-/// # `GET /_matrix/client/v3/register/available`
-///
-/// Checks if a username is valid and available on this server.
-///
-/// Conditions for returning true:
-/// - The user id is not historical
-/// - The server name of the user id matches this server
-/// - No user or appservice on this server already claimed this username
-///
-/// Note: This will not reserve the username, so the username might become
-/// invalid when trying to register
-#[tracing::instrument(skip_all, fields(%client), name = "register_available", level = "info")]
-pub(crate) async fn get_register_available_route(
-	State(services): State<crate::State>,
-	InsecureClientIp(client): InsecureClientIp,
-	body: Ruma<get_username_availability::v3::Request>,
-) -> Result<get_username_availability::v3::Response> {
-	// workaround for https://github.com/matrix-org/matrix-appservice-irc/issues/1780 due to inactivity of fixing the issue
-	let is_matrix_appservice_irc = body.appservice_info.as_ref().is_some_and(|appservice| {
-		appservice.registration.id == "irc"
-			|| appservice.registration.id.contains("matrix-appservice-irc")
-			|| appservice.registration.id.contains("matrix_appservice_irc")
-	});
-
-	if services
-		.globals
-		.forbidden_usernames()
-		.is_match(&body.username)
-	{
-		return Err!(Request(Forbidden("Username is forbidden")));
-	}
-
-	// don't force the username lowercase if it's from matrix-appservice-irc
-	let body_username = if is_matrix_appservice_irc {
-		body.username.clone()
-	} else {
-		body.username.to_lowercase()
-	};
-
-	// Validate user id
-	let user_id =
-		match UserId::parse_with_server_name(&body_username, services.globals.server_name()) {
-			| Ok(user_id) => {
-				if let Err(e) = user_id.validate_strict() {
-					// unless the username is from the broken matrix appservice IRC bridge, we
-					// should follow synapse's behaviour on not allowing things like spaces
-					// and UTF-8 characters in usernames
-					if !is_matrix_appservice_irc {
-						return Err!(Request(InvalidUsername(debug_warn!(
-							"Username {body_username} contains disallowed characters or spaces: \
-							 {e}"
-						))));
-					}
-				}
-
-				user_id
-			},
-			| Err(e) => {
-				return Err!(Request(InvalidUsername(debug_warn!(
-					"Username {body_username} is not valid: {e}"
-				))));
-			},
-		};
-
-	// Check if username is creative enough
-	if services.users.exists(&user_id).await {
-		return Err!(Request(UserInUse("User ID is not available.")));
-	}
-
-	if let Some(ref info) = body.appservice_info {
-		if !info.is_user_match(&user_id) {
-			return Err!(Request(Exclusive("Username is not in an appservice namespace.")));
-		}
-	}
-
-	if services.appservice.is_exclusive_user_id(&user_id).await {
-		return Err!(Request(Exclusive("Username is reserved by an appservice.")));
-	}
-
-	Ok(get_username_availability::v3::Response { available: true })
-}
-
-/// # `POST /_matrix/client/v3/register`
-///
-/// Register an account on this homeserver.
-///
-/// You can use [`GET
-/// /_matrix/client/v3/register/available`](fn.get_register_available_route.
-/// html) to check if the user id is valid and available.
-///
-/// - Only works if registration is enabled
-/// - If type is guest: ignores all parameters except
-///   initial_device_display_name
-/// - If sender is not appservice: Requires UIAA (but we only use a dummy stage)
-/// - If type is not guest and no username is given: Always fails after UIAA
-///   check
-/// - Creates a new account and populates it with default account data
-/// - If `inhibit_login` is false: Creates a device and returns device id and
-///   access_token
-#[allow(clippy::doc_markdown)]
-#[tracing::instrument(skip_all, fields(%client), name = "register", level = "info")]
-pub(crate) async fn register_route(
-	State(services): State<crate::State>,
-	InsecureClientIp(client): InsecureClientIp,
-	body: Ruma<register::v3::Request>,
-) -> Result<register::v3::Response> {
-	let is_guest = body.kind == RegistrationKind::Guest;
-	let emergency_mode_enabled = services.config.emergency_password.is_some();
-
-	// Allow registration if it's enabled in the config file or if this is the first
-	// run (so the first user account can be created)
-	let allow_registration =
-		services.config.allow_registration || services.firstrun.is_first_run();
-
-	if !allow_registration && body.appservice_info.is_none() {
-		match (body.username.as_ref(), body.initial_device_display_name.as_ref()) {
-			| (Some(username), Some(device_display_name)) => {
-				info!(
-					%is_guest,
-					user = %username,
-					device_name = %device_display_name,
-					"Rejecting registration attempt as registration is disabled"
-				);
-			},
-			| (Some(username), _) => {
-				info!(
-					%is_guest,
-					user = %username,
-					"Rejecting registration attempt as registration is disabled"
-				);
-			},
-			| (_, Some(device_display_name)) => {
-				info!(
-					%is_guest,
-					device_name = %device_display_name,
-					"Rejecting registration attempt as registration is disabled"
-				);
-			},
-			| (None, _) => {
-				info!(
-					%is_guest,
-					"Rejecting registration attempt as registration is disabled"
-				);
-			},
-		}
-
-		return Err!(Request(Forbidden(
-			"This server is not accepting registrations at this time."
-		)));
-	}
-
-	if is_guest && !services.config.allow_guest_registration {
-		info!(
-			"Guest registration disabled, rejecting guest registration attempt, initial device \
-			 name: \"{}\"",
-			body.initial_device_display_name.as_deref().unwrap_or("")
-		);
-		return Err!(Request(GuestAccessForbidden("Guest registration is disabled.")));
-	}
-
-	// forbid guests from registering if there is not a real admin user yet. give
-	// generic user error.
-	if is_guest && services.users.count().await < 2 {
-		warn!(
-			"Guest account attempted to register before a real admin user has been registered, \
-			 rejecting registration. Guest's initial device name: \"{}\"",
-			body.initial_device_display_name.as_deref().unwrap_or("")
-		);
-		return Err!(Request(Forbidden(
-			"This server is not accepting registrations at this time."
-		)));
-	}
-
-	let user_id = match (body.username.as_ref(), is_guest) {
-		| (Some(username), false) => {
-			// workaround for https://github.com/matrix-org/matrix-appservice-irc/issues/1780 due to inactivity of fixing the issue
-			let is_matrix_appservice_irc =
-				body.appservice_info.as_ref().is_some_and(|appservice| {
-					appservice.registration.id == "irc"
-						|| appservice.registration.id.contains("matrix-appservice-irc")
-						|| appservice.registration.id.contains("matrix_appservice_irc")
-				});
-
-			if services.globals.forbidden_usernames().is_match(username)
-				&& !emergency_mode_enabled
-			{
-				return Err!(Request(Forbidden("Username is forbidden")));
-			}
-
-			// don't force the username lowercase if it's from matrix-appservice-irc
-			let body_username = if is_matrix_appservice_irc {
-				username.clone()
-			} else {
-				username.to_lowercase()
-			};
-
-			let proposed_user_id = match UserId::parse_with_server_name(
-				&body_username,
-				services.globals.server_name(),
-			) {
-				| Ok(user_id) => {
-					if let Err(e) = user_id.validate_strict() {
-						// unless the username is from the broken matrix appservice IRC bridge, or
-						// we are in emergency mode, we should follow synapse's behaviour on
-						// not allowing things like spaces and UTF-8 characters in usernames
-						if !is_matrix_appservice_irc && !emergency_mode_enabled {
-							return Err!(Request(InvalidUsername(debug_warn!(
-								"Username {body_username} contains disallowed characters or \
-								 spaces: {e}"
-							))));
-						}
-					}
-
-					// Don't allow registration with user IDs that aren't local
-					if !services.globals.user_is_local(&user_id) {
-						return Err!(Request(InvalidUsername(
-							"Username {body_username} is not local to this server"
-						)));
-					}
-
-					user_id
-				},
-				| Err(e) => {
-					return Err!(Request(InvalidUsername(debug_warn!(
-						"Username {body_username} is not valid: {e}"
-					))));
-				},
-			};
-
-			if services.users.exists(&proposed_user_id).await {
-				return Err!(Request(UserInUse("User ID is not available.")));
-			}
-
-			proposed_user_id
-		},
-		| _ => loop {
-			let proposed_user_id = UserId::parse_with_server_name(
-				utils::random_string(RANDOM_USER_ID_LENGTH).to_lowercase(),
-				services.globals.server_name(),
-			)
-			.unwrap();
-			if !services.users.exists(&proposed_user_id).await {
-				break proposed_user_id;
-			}
-		},
-	};
-
-	if body.body.login_type == Some(LoginType::ApplicationService) {
-		match body.appservice_info {
-			| Some(ref info) =>
-				if !info.is_user_match(&user_id) && !emergency_mode_enabled {
-					return Err!(Request(Exclusive(
-						"Username is not in an appservice namespace."
-					)));
-				},
-			| _ => {
-				return Err!(Request(MissingToken("Missing appservice token.")));
-			},
-		}
-	} else if services.appservice.is_exclusive_user_id(&user_id).await && !emergency_mode_enabled
-	{
-		return Err!(Request(Exclusive("Username is reserved by an appservice.")));
-	}
-
-	// UIAA
-	let mut uiaainfo = UiaaInfo {
-		flows: Vec::new(),
-		completed: Vec::new(),
-		params: Box::default(),
-		session: None,
-		auth_error: None,
-	};
-	let skip_auth = body.appservice_info.is_some() || is_guest;
-
-	// Populate required UIAA flows
-
-	if services.firstrun.is_first_run() {
-		// Registration token forced while in first-run mode
-		uiaainfo.flows.push(AuthFlow {
-			stages: vec![AuthType::RegistrationToken],
-		});
-	} else {
-		if services
-			.registration_tokens
-			.iterate_tokens()
-			.next()
-			.await
-			.is_some()
-		{
-			// Registration token required
-			uiaainfo.flows.push(AuthFlow {
-				stages: vec![AuthType::RegistrationToken],
-			});
-		}
-
-		if services.config.recaptcha_private_site_key.is_some() {
-			if let Some(pubkey) = &services.config.recaptcha_site_key {
-				// ReCaptcha required
-				uiaainfo
-					.flows
-					.push(AuthFlow { stages: vec![AuthType::ReCaptcha] });
-				uiaainfo.params = serde_json::value::to_raw_value(&serde_json::json!({
-					"m.login.recaptcha": {
-						"public_key": pubkey,
-					},
-				}))
-				.expect("Failed to serialize recaptcha params");
-			}
-		}
-
-		if uiaainfo.flows.is_empty() && !skip_auth {
-			// Registration isn't _disabled_, but there's no captcha configured and no
-			// registration tokens currently set. Bail out by default unless open
-			// registration was explicitly enabled.
-			if !services
-				.config
-				.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
-			{
-				return Err!(Request(Forbidden(
-					"This server is not accepting registrations at this time."
-				)));
-			}
-
-			// We have open registration enabled (😧), provide a dummy stage
-			uiaainfo = UiaaInfo {
-				flows: vec![AuthFlow { stages: vec![AuthType::Dummy] }],
-				completed: Vec::new(),
-				params: Box::default(),
-				session: None,
-				auth_error: None,
-			};
-		}
-	}
-
-	if !skip_auth {
-		match &body.auth {
-			| Some(auth) => {
-				let (worked, uiaainfo) = services
-					.uiaa
-					.try_auth(
-						&UserId::parse_with_server_name("", services.globals.server_name())
-							.unwrap(),
-						"".into(),
-						auth,
-						&uiaainfo,
-					)
-					.await?;
-				if !worked {
-					return Err(Error::Uiaa(uiaainfo));
-				}
-				// Success!
-			},
-			| _ => match body.json_body {
-				| Some(ref json) => {
-					uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
-					services.uiaa.create(
-						&UserId::parse_with_server_name("", services.globals.server_name())
-							.unwrap(),
-						"".into(),
-						&uiaainfo,
-						json,
-					);
-					return Err(Error::Uiaa(uiaainfo));
-				},
-				| _ => {
-					return Err!(Request(NotJson("JSON body is not valid")));
-				},
-			},
-		}
-	}
-
-	let password = if is_guest { None } else { body.password.as_deref() };
-
-	// Create user
-	services.users.create(&user_id, password, None).await?;
-
-	// Default to pretty displayname
-	let mut displayname = user_id.localpart().to_owned();
-
-	// If `new_user_displayname_suffix` is set, registration will push whatever
-	// content is set to the user's display name with a space before it
-	if !services.globals.new_user_displayname_suffix().is_empty()
-		&& body.appservice_info.is_none()
-	{
-		write!(displayname, " {}", services.server.config.new_user_displayname_suffix)?;
-	}
-
-	services
-		.users
-		.set_displayname(&user_id, Some(displayname.clone()));
-
-	// Initial account data
-	services
-		.account_data
-		.update(
-			None,
-			&user_id,
-			GlobalAccountDataEventType::PushRules.to_string().into(),
-			&serde_json::to_value(ruma::events::push_rules::PushRulesEvent {
-				content: ruma::events::push_rules::PushRulesEventContent {
-					global: push::Ruleset::server_default(&user_id),
-				},
-			})?,
-		)
-		.await?;
-
-	// Generate new device id if the user didn't specify one
-	let no_device = body.inhibit_login
-		|| body
-			.appservice_info
-			.as_ref()
-			.is_some_and(|aps| aps.registration.device_management);
-	let (token, device) = if !no_device {
-		// Don't create a device for inhibited logins
-		let device_id = if is_guest { None } else { body.device_id.clone() }
-			.unwrap_or_else(|| utils::random_string(DEVICE_ID_LENGTH).into());
-
-		// Generate new token for the device
-		let new_token = utils::random_string(TOKEN_LENGTH);
-
-		// Create device for this account
-		services
-			.users
-			.create_device(
-				&user_id,
-				&device_id,
-				&new_token,
-				body.initial_device_display_name.clone(),
-				Some(client.to_string()),
-			)
-			.await?;
-		debug_info!(%user_id, %device_id, "User account was created");
-		(Some(new_token), Some(device_id))
-	} else {
-		(None, None)
-	};
-
-	let device_display_name = body.initial_device_display_name.as_deref().unwrap_or("");
-
-	// log in conduit admin channel if a non-guest user registered
-	if body.appservice_info.is_none() && !is_guest {
-		if !device_display_name.is_empty() {
-			let notice = format!(
-				"New user \"{user_id}\" registered on this server from IP {client} and device \
-				 display name \"{device_display_name}\""
-			);
-
-			info!("{notice}");
-			if services.server.config.admin_room_notices {
-				services.admin.notice(&notice).await;
-			}
-		} else {
-			let notice = format!("New user \"{user_id}\" registered on this server.");
-
-			info!("{notice}");
-			if services.server.config.admin_room_notices {
-				services.admin.notice(&notice).await;
-			}
-		}
-	}
-
-	// log in conduit admin channel if a guest registered
-	if body.appservice_info.is_none() && is_guest && services.config.log_guest_registrations {
-		debug_info!("New guest user \"{user_id}\" registered on this server.");
-
-		if !device_display_name.is_empty() {
-			if services.server.config.admin_room_notices {
-				services
-					.admin
-					.notice(&format!(
-						"Guest user \"{user_id}\" with device display name \
-						 \"{device_display_name}\" registered on this server from IP {client}"
-					))
-					.await;
-			}
-		} else {
-			#[allow(clippy::collapsible_else_if)]
-			if services.server.config.admin_room_notices {
-				services
-					.admin
-					.notice(&format!(
-						"Guest user \"{user_id}\" with no device display name registered on \
-						 this server from IP {client}",
-					))
-					.await;
-			}
-		}
-	}
-
-	if !is_guest {
-		// Make the first user to register an administrator and disable first-run mode.
-		let was_first_user = services.firstrun.empower_first_user(&user_id).await?;
-
-		// If the registering user was not the first and we're suspending users on
-		// register, suspend them.
-		if !was_first_user && services.config.suspend_on_register {
-			// Note that we can still do auto joins for suspended users
-			services
-				.users
-				.suspend_account(&user_id, &services.globals.server_user)
-				.await;
-			// And send an @room notice to the admin room, to prompt admins to review the
-			// new user and ideally unsuspend them if deemed appropriate.
-			if services.server.config.admin_room_notices {
-				services
-					.admin
-					.send_loud_message(RoomMessageEventContent::text_plain(format!(
-						"User {user_id} has been suspended as they are not the first user on \
-						 this server. Please review and unsuspend them if appropriate."
-					)))
-					.await
-					.ok();
-			}
-		}
-	}
-
-	if body.appservice_info.is_none()
-		&& !services.server.config.auto_join_rooms.is_empty()
-		&& (services.config.allow_guests_auto_join_rooms || !is_guest)
-	{
-		for room in &services.server.config.auto_join_rooms {
-			let Ok(room_id) = services.rooms.alias.resolve(room).await else {
-				error!(
-					"Failed to resolve room alias to room ID when attempting to auto join \
-					 {room}, skipping"
-				);
-				continue;
-			};
-
-			if !services
-				.rooms
-				.state_cache
-				.server_in_room(services.globals.server_name(), &room_id)
-				.await
-			{
-				warn!(
-					"Skipping room {room} to automatically join as we have never joined before."
-				);
-				continue;
-			}
-
-			if let Some(room_server_name) = room.server_name() {
-				match join_room_by_id_helper(
-					&services,
-					&user_id,
-					&room_id,
-					Some("Automatically joining this room upon registration".to_owned()),
-					&[services.globals.server_name().to_owned(), room_server_name.to_owned()],
-					&body.appservice_info,
-				)
-				.boxed()
-				.await
-				{
-					| Err(e) => {
-						// don't return this error so we don't fail registrations
-						error!(
-							"Failed to automatically join room {room} for user {user_id}: {e}"
-						);
-					},
-					| _ => {
-						info!("Automatically joined room {room} for user {user_id}");
-					},
-				}
-			}
-		}
-	}
-
-	Ok(register::v3::Response {
-		access_token: token,
-		user_id,
-		device_id: device,
-		refresh_token: None,
-		expires_in: None,
-	})
-}
-
-/// # `POST /_matrix/client/r0/account/password`
-///
-/// Changes the password of this account.
-///
-/// - Requires UIAA to verify user password
-/// - Changes the password of the sender user
-/// - The password hash is calculated using argon2 with 32 character salt, the
-///   plain password is
-/// not saved
-///
-/// If logout_devices is true it does the following for each device except the
-/// sender device:
-/// - Invalidates access token
-/// - Deletes device metadata (device id, device display name, last seen ip,
-///   last seen ts)
-/// - Forgets to-device events
-/// - Triggers device list updates
-#[tracing::instrument(skip_all, fields(%client), name = "change_password", level = "info")]
-pub(crate) async fn change_password_route(
-	State(services): State<crate::State>,
-	InsecureClientIp(client): InsecureClientIp,
-	body: Ruma<change_password::v3::Request>,
-) -> Result<change_password::v3::Response> {
-	// Authentication for this endpoint was made optional, but we need
-	// authentication currently
-	let sender_user = body
-		.sender_user
-		.as_ref()
-		.ok_or_else(|| err!(Request(MissingToken("Missing access token."))))?;
-
-	let mut uiaainfo = UiaaInfo {
-		flows: vec![AuthFlow { stages: vec![AuthType::Password] }],
-		completed: Vec::new(),
-		params: Box::default(),
-		session: None,
-		auth_error: None,
-	};
-
-	match &body.auth {
-		| Some(auth) => {
-			let (worked, uiaainfo) = services
-				.uiaa
-				.try_auth(sender_user, body.sender_device(), auth, &uiaainfo)
-				.await?;
-
-			if !worked {
-				return Err(Error::Uiaa(uiaainfo));
-			}
-
-			// Success!
-		},
-		| _ => match body.json_body {
-			| Some(ref json) => {
-				uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
-				services
-					.uiaa
-					.create(sender_user, body.sender_device(), &uiaainfo, json);
-
-				return Err(Error::Uiaa(uiaainfo));
-			},
-			| _ => {
-				return Err!(Request(NotJson("JSON body is not valid")));
-			},
-		},
-	}
-
-	services
-		.users
-		.set_password(sender_user, Some(&body.new_password))
-		.await?;
-
-	if body.logout_devices {
-		// Logout all devices except the current one
-		services
-			.users
-			.all_device_ids(sender_user)
-			.ready_filter(|id| *id != body.sender_device())
-			.for_each(|id| services.users.remove_device(sender_user, id))
-			.await;
-
-		// Remove all pushers except the ones associated with this session
-		services
-			.pusher
-			.get_pushkeys(sender_user)
-			.map(ToOwned::to_owned)
-			.broad_filter_map(async |pushkey| {
-				services
-					.pusher
-					.get_pusher_device(&pushkey)
-					.await
-					.ok()
-					.filter(|pusher_device| pusher_device != body.sender_device())
-					.is_some()
-					.then_some(pushkey)
-			})
-			.for_each(async |pushkey| {
-				services.pusher.delete_pusher(sender_user, &pushkey).await;
-			})
-			.await;
-	}
-
-	info!("User {sender_user} changed their password.");
-
-	if services.server.config.admin_room_notices {
-		services
-			.admin
-			.notice(&format!("User {sender_user} changed their password."))
-			.await;
-	}
-
-	Ok(change_password::v3::Response {})
-}
-
-/// # `GET /_matrix/client/v3/account/whoami`
-///
-/// Get `user_id` of the sender user.
-///
-/// Note: Also works for Application Services
-pub(crate) async fn whoami_route(
-	State(services): State<crate::State>,
-	body: Ruma<whoami::v3::Request>,
-) -> Result<whoami::v3::Response> {
-	let is_guest = services
-		.users
-		.is_deactivated(body.sender_user())
-		.await
-		.map_err(|_| {
-			err!(Request(Forbidden("Application service has not registered this user.")))
-		})? && body.appservice_info.is_none();
-	Ok(whoami::v3::Response {
-		user_id: body.sender_user().to_owned(),
-		device_id: body.sender_device.clone(),
-		is_guest,
-	})
-}
-
-/// # `POST /_matrix/client/r0/account/deactivate`
-///
-/// Deactivate sender user account.
-///
-/// - Leaves all rooms and rejects all invitations
-/// - Invalidates all access tokens
-/// - Deletes all device metadata (device id, device display name, last seen ip,
-///   last seen ts)
-/// - Forgets all to-device events
-/// - Triggers device list updates
-/// - Removes ability to log in again
-#[tracing::instrument(skip_all, fields(%client), name = "deactivate", level = "info")]
-pub(crate) async fn deactivate_route(
-	State(services): State<crate::State>,
-	InsecureClientIp(client): InsecureClientIp,
-	body: Ruma<deactivate::v3::Request>,
-) -> Result<deactivate::v3::Response> {
-	// Authentication for this endpoint was made optional, but we need
-	// authentication currently
-	let sender_user = body
-		.sender_user
-		.as_ref()
-		.ok_or_else(|| err!(Request(MissingToken("Missing access token."))))?;
-
-	let mut uiaainfo = UiaaInfo {
-		flows: vec![AuthFlow { stages: vec![AuthType::Password] }],
-		completed: Vec::new(),
-		params: Box::default(),
-		session: None,
-		auth_error: None,
-	};
-
-	match &body.auth {
-		| Some(auth) => {
-			let (worked, uiaainfo) = services
-				.uiaa
-				.try_auth(sender_user, body.sender_device(), auth, &uiaainfo)
-				.await?;
-
-			if !worked {
-				return Err(Error::Uiaa(uiaainfo));
-			}
-			// Success!
-		},
-		| _ => match body.json_body {
-			| Some(ref json) => {
-				uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
-				services
-					.uiaa
-					.create(sender_user, body.sender_device(), &uiaainfo, json);
-
-				return Err(Error::Uiaa(uiaainfo));
-			},
-			| _ => {
-				return Err!(Request(NotJson("JSON body is not valid")));
-			},
-		},
-	}
-
-	// Remove profile pictures and display name
-	let all_joined_rooms: Vec<OwnedRoomId> = services
-		.rooms
-		.state_cache
-		.rooms_joined(sender_user)
-		.map(Into::into)
-		.collect()
-		.await;
-
-	full_user_deactivate(&services, sender_user, &all_joined_rooms)
-		.boxed()
-		.await?;
-
-	info!("User {sender_user} deactivated their account.");
-
-	if services.server.config.admin_room_notices {
-		services
-			.admin
-			.notice(&format!("User {sender_user} deactivated their account."))
-			.await;
-	}
-
-	Ok(deactivate::v3::Response {
-		id_server_unbind_result: ThirdPartyIdRemovalStatus::NoSupport,
-	})
-}
-
-/// # `GET _matrix/client/v3/account/3pid`
-///
-/// Get a list of third party identifiers associated with this account.
-///
-/// - Currently always returns empty list
-pub(crate) async fn third_party_route(
-	body: Ruma<get_3pids::v3::Request>,
-) -> Result<get_3pids::v3::Response> {
-	let _sender_user = body.sender_user.as_ref().expect("user is authenticated");
-
-	Ok(get_3pids::v3::Response::new(Vec::new()))
-}
-
-/// # `POST /_matrix/client/v3/account/3pid/email/requestToken`
-///
-/// "This API should be used to request validation tokens when adding an email
-/// address to an account"
-///
-/// - 403 signals that The homeserver does not allow the third party identifier
-///   as a contact option.
-pub(crate) async fn request_3pid_management_token_via_email_route(
-	_body: Ruma<request_3pid_management_token_via_email::v3::Request>,
-) -> Result<request_3pid_management_token_via_email::v3::Response> {
-	Err!(Request(ThreepidDenied("Third party identifiers are not implemented")))
-}
-
-/// # `POST /_matrix/client/v3/account/3pid/msisdn/requestToken`
-///
-/// "This API should be used to request validation tokens when adding an phone
-/// number to an account"
-///
-/// - 403 signals that The homeserver does not allow the third party identifier
-///   as a contact option.
-pub(crate) async fn request_3pid_management_token_via_msisdn_route(
-	_body: Ruma<request_3pid_management_token_via_msisdn::v3::Request>,
-) -> Result<request_3pid_management_token_via_msisdn::v3::Response> {
-	Err!(Request(ThreepidDenied("Third party identifiers are not implemented")))
-}
-
-/// # `GET /_matrix/client/v1/register/m.login.registration_token/validity`
-///
-/// Checks if the provided registration token is valid at the time of checking.
-pub(crate) async fn check_registration_token_validity(
-	State(services): State<crate::State>,
-	body: Ruma<check_registration_token_validity::v1::Request>,
-) -> Result<check_registration_token_validity::v1::Response> {
-	// TODO: ratelimit this pretty heavily
-
-	let valid = services
-		.registration_tokens
-		.validate_token(body.token.clone())
-		.await
-		.is_some();
-
-	Ok(check_registration_token_validity::v1::Response { valid })
-}
-
-/// Runs through all the deactivation steps:
-///
-/// - Mark as deactivated
-/// - Removing display name
-/// - Removing avatar URL and blurhash
-/// - Removing all profile data
-/// - Leaving all rooms (and forgets all of them)
-pub async fn full_user_deactivate(
-	services: &Services,
-	user_id: &UserId,
-	all_joined_rooms: &[OwnedRoomId],
-) -> Result<()> {
-	services.users.deactivate_account(user_id).await.ok();
-
-	services
-		.users
-		.all_profile_keys(user_id)
-		.ready_for_each(|(profile_key, _)| {
-			services.users.set_profile_key(user_id, &profile_key, None);
-		})
-		.await;
-
-	// TODO: Rescind all user invites
-
-	let mut pdu_queue: Vec<(PduBuilder, &OwnedRoomId)> = Vec::new();
-
-	for room_id in all_joined_rooms {
-		let room_power_levels = services
-			.rooms
-			.state_accessor
-			.room_state_get_content::<RoomPowerLevelsEventContent>(
-				room_id,
-				&StateEventType::RoomPowerLevels,
-				"",
-			)
-			.await
-			.ok();
-
-		let user_can_demote_self =
-			room_power_levels
-				.as_ref()
-				.is_some_and(|power_levels_content| {
-					RoomPowerLevels::from(power_levels_content.clone())
-						.user_can_change_user_power_level(user_id, user_id)
-				}) || services
-				.rooms
-				.state_accessor
-				.room_state_get(room_id, &StateEventType::RoomCreate, "")
-				.await
-				.is_ok_and(|event| event.sender() == user_id);
-
-		if user_can_demote_self {
-			let mut power_levels_content = room_power_levels.unwrap_or_default();
-			power_levels_content.users.remove(user_id);
-			let pl_evt = PduBuilder::state(String::new(), &power_levels_content);
-			pdu_queue.push((pl_evt, room_id));
-		}
-
-		// Leave the room
-		pdu_queue.push((
-			PduBuilder::state(user_id.to_string(), &RoomMemberEventContent {
-				avatar_url: None,
-				blurhash: None,
-				membership: MembershipState::Leave,
-				displayname: None,
-				join_authorized_via_users_server: None,
-				reason: None,
-				is_direct: None,
-				third_party_invite: None,
-				redact_events: None,
-			}),
-			room_id,
-		));
-
-		// TODO: Redact all messages sent by the user in the room
-	}
-
-	super::update_all_rooms(services, pdu_queue, user_id).await;
-	for room_id in all_joined_rooms {
-		services.rooms.state_cache.forget(room_id, user_id);
-	}
-
-	Ok(())
-}

src/api/client/account/mod.rs

@@ -0,0 +1,426 @@
+use axum::extract::State;
+use axum_client_ip::InsecureClientIp;
+use conduwuit::{
+	Err, Event, Result, err, info,
+	pdu::PduBuilder,
+	utils::{ReadyExt, stream::BroadbandExt},
+};
+use conduwuit_service::Services;
+use futures::{FutureExt, StreamExt};
+use lettre::{Address, message::Mailbox};
+use ruma::{
+	OwnedRoomId, OwnedUserId, UserId,
+	api::client::{
+		account::{
+			ThirdPartyIdRemovalStatus, change_password, check_registration_token_validity,
+			deactivate, get_username_availability, request_password_change_token_via_email,
+			whoami,
+		},
+		uiaa::{AuthFlow, AuthType},
+	},
+	events::{
+		StateEventType,
+		room::{
+			member::{MembershipState, RoomMemberEventContent},
+			power_levels::{RoomPowerLevels, RoomPowerLevelsEventContent},
+		},
+	},
+};
+use service::{mailer::messages, uiaa::Identity};
+
+use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH, join_room_by_id_helper};
+use crate::Ruma;
+
+pub(crate) mod register;
+pub(crate) mod threepid;
+
+/// # `GET /_matrix/client/v3/register/available`
+///
+/// Checks if a username is valid and available on this server.
+///
+/// Conditions for returning true:
+/// - The user id is not historical
+/// - The server name of the user id matches this server
+/// - No user or appservice on this server already claimed this username
+///
+/// Note: This will not reserve the username, so the username might become
+/// invalid when trying to register
+#[tracing::instrument(skip_all, fields(%client), name = "register_available", level = "info")]
+pub(crate) async fn get_register_available_route(
+	State(services): State<crate::State>,
+	InsecureClientIp(client): InsecureClientIp,
+	body: Ruma<get_username_availability::v3::Request>,
+) -> Result<get_username_availability::v3::Response> {
+	// Validate user id
+	let user_id =
+		match UserId::parse_with_server_name(&body.username, services.globals.server_name()) {
+			| Ok(user_id) => {
+				if let Err(e) = user_id.validate_strict() {
+					return Err!(Request(InvalidUsername(debug_warn!(
+						"Username {} contains disallowed characters or spaces: {e}",
+						body.username
+					))));
+				}
+
+				user_id
+			},
+			| Err(e) => {
+				return Err!(Request(InvalidUsername(debug_warn!(
+					"Username {} is not valid: {e}",
+					body.username
+				))));
+			},
+		};
+
+	// Check if username is creative enough
+	if services.users.exists(&user_id).await {
+		return Err!(Request(UserInUse("User ID is not available.")));
+	}
+
+	if let Some(ref info) = body.appservice_info {
+		if !info.is_user_match(&user_id) {
+			return Err!(Request(Exclusive("Username is not in an appservice namespace.")));
+		}
+	}
+
+	if services.appservice.is_exclusive_user_id(&user_id).await {
+		return Err!(Request(Exclusive("Username is reserved by an appservice.")));
+	}
+
+	Ok(get_username_availability::v3::Response { available: true })
+}
+
+/// # `POST /_matrix/client/r0/account/password`
+///
+/// Changes the password of this account.
+///
+/// - Requires UIAA to verify user password
+/// - Changes the password of the sender user
+/// - The password hash is calculated using argon2 with 32 character salt, the
+///   plain password is
+/// not saved
+///
+/// If logout_devices is true it does the following for each device except the
+/// sender device:
+/// - Invalidates access token
+/// - Deletes device metadata (device id, device display name, last seen ip,
+///   last seen ts)
+/// - Forgets to-device events
+/// - Triggers device list updates
+#[tracing::instrument(skip_all, fields(%client), name = "change_password", level = "info")]
+pub(crate) async fn change_password_route(
+	State(services): State<crate::State>,
+	InsecureClientIp(client): InsecureClientIp,
+	body: Ruma<change_password::v3::Request>,
+) -> Result<change_password::v3::Response> {
+	let identity = if let Some(ref user_id) = body.sender_user {
+		// A signed-in user is trying to change their password, prompt them for their
+		// existing one
+
+		services
+			.uiaa
+			.authenticate(
+				&body.auth,
+				vec![AuthFlow::new(vec![AuthType::Password])],
+				Box::default(),
+				Some(Identity::from_user_id(user_id)),
+			)
+			.await?
+	} else {
+		// A signed-out user is trying to reset their password, prompt them for email
+		// confirmation. Note that we do not _send_ an email here, their client should
+		// have already hit `/account/password/requestToken` to send the email. We
+		// just validate it.
+
+		services
+			.uiaa
+			.authenticate(
+				&body.auth,
+				vec![AuthFlow::new(vec![AuthType::EmailIdentity])],
+				Box::default(),
+				None,
+			)
+			.await?
+	};
+
+	let sender_user = OwnedUserId::parse(format!(
+		"@{}:{}",
+		identity.localpart.expect("localpart should be known"),
+		services.globals.server_name()
+	))
+	.expect("user ID should be valid");
+
+	services
+		.users
+		.set_password(&sender_user, Some(&body.new_password))
+		.await?;
+
+	if body.logout_devices {
+		// Logout all devices except the current one
+		services
+			.users
+			.all_device_ids(&sender_user)
+			.ready_filter(|id| *id != body.sender_device())
+			.for_each(|id| services.users.remove_device(&sender_user, id))
+			.await;
+
+		// Remove all pushers except the ones associated with this session
+		services
+			.pusher
+			.get_pushkeys(&sender_user)
+			.map(ToOwned::to_owned)
+			.broad_filter_map(async |pushkey| {
+				services
+					.pusher
+					.get_pusher_device(&pushkey)
+					.await
+					.ok()
+					.filter(|pusher_device| pusher_device != body.sender_device())
+					.is_some()
+					.then_some(pushkey)
+			})
+			.for_each(async |pushkey| {
+				services.pusher.delete_pusher(&sender_user, &pushkey).await;
+			})
+			.await;
+	}
+
+	info!("User {} changed their password.", &sender_user);
+
+	if services.server.config.admin_room_notices {
+		services
+			.admin
+			.notice(&format!("User {} changed their password.", &sender_user))
+			.await;
+	}
+
+	Ok(change_password::v3::Response {})
+}
+
+/// # `POST /_matrix/client/v3/account/password/email/requestToken`
+///
+/// Requests a validation email for the purpose of resetting a user's password.
+pub(crate) async fn request_password_change_token_via_email_route(
+	State(services): State<crate::State>,
+	body: Ruma<request_password_change_token_via_email::v3::Request>,
+) -> Result<request_password_change_token_via_email::v3::Response> {
+	let Ok(email) = Address::try_from(body.email.clone()) else {
+		return Err!(Request(InvalidParam("Invalid email address.")));
+	};
+
+	let Some(localpart) = services.threepid.get_localpart_for_email(&email).await else {
+		return Err!(Request(ThreepidNotFound(
+			"No account is associated with this email address"
+		)));
+	};
+
+	let user_id =
+		OwnedUserId::parse(format!("@{localpart}:{}", services.globals.server_name())).unwrap();
+	let display_name = services.users.displayname(&user_id).await.ok();
+
+	let session = services
+		.threepid
+		.send_validation_email(
+			Mailbox::new(display_name.clone(), email),
+			|verification_link| messages::PasswordReset {
+				display_name: display_name.as_deref(),
+				user_id: &user_id,
+				verification_link,
+			},
+			&body.client_secret,
+			body.send_attempt.try_into().unwrap(),
+		)
+		.await?;
+
+	Ok(request_password_change_token_via_email::v3::Response::new(session))
+}
+
+/// # `GET /_matrix/client/v3/account/whoami`
+///
+/// Get `user_id` of the sender user.
+///
+/// Note: Also works for Application Services
+pub(crate) async fn whoami_route(
+	State(services): State<crate::State>,
+	body: Ruma<whoami::v3::Request>,
+) -> Result<whoami::v3::Response> {
+	let is_guest = services
+		.users
+		.is_deactivated(body.sender_user())
+		.await
+		.map_err(|_| {
+			err!(Request(Forbidden("Application service has not registered this user.")))
+		})? && body.appservice_info.is_none();
+	Ok(whoami::v3::Response {
+		user_id: body.sender_user().to_owned(),
+		device_id: body.sender_device.clone(),
+		is_guest,
+	})
+}
+
+/// # `POST /_matrix/client/r0/account/deactivate`
+///
+/// Deactivate sender user account.
+///
+/// - Leaves all rooms and rejects all invitations
+/// - Invalidates all access tokens
+/// - Deletes all device metadata (device id, device display name, last seen ip,
+///   last seen ts)
+/// - Forgets all to-device events
+/// - Triggers device list updates
+/// - Removes ability to log in again
+#[tracing::instrument(skip_all, fields(%client), name = "deactivate", level = "info")]
+pub(crate) async fn deactivate_route(
+	State(services): State<crate::State>,
+	InsecureClientIp(client): InsecureClientIp,
+	body: Ruma<deactivate::v3::Request>,
+) -> Result<deactivate::v3::Response> {
+	// Authentication for this endpoint is technically optional,
+	// but we require the user to be logged in
+	let sender_user = body
+		.sender_user
+		.as_ref()
+		.ok_or_else(|| err!(Request(MissingToken("Missing access token."))))?;
+
+	// Prompt the user to confirm with their password using UIAA
+	let _ = services
+		.uiaa
+		.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
+		.await?;
+
+	// Remove profile pictures and display name
+	let all_joined_rooms: Vec<OwnedRoomId> = services
+		.rooms
+		.state_cache
+		.rooms_joined(sender_user)
+		.map(Into::into)
+		.collect()
+		.await;
+
+	full_user_deactivate(&services, sender_user, &all_joined_rooms)
+		.boxed()
+		.await?;
+
+	info!("User {sender_user} deactivated their account.");
+
+	if services.server.config.admin_room_notices {
+		services
+			.admin
+			.notice(&format!("User {sender_user} deactivated their account."))
+			.await;
+	}
+
+	Ok(deactivate::v3::Response {
+		id_server_unbind_result: ThirdPartyIdRemovalStatus::Success,
+	})
+}
+
+/// # `GET /_matrix/client/v1/register/m.login.registration_token/validity`
+///
+/// Checks if the provided registration token is valid at the time of checking.
+pub(crate) async fn check_registration_token_validity(
+	State(services): State<crate::State>,
+	body: Ruma<check_registration_token_validity::v1::Request>,
+) -> Result<check_registration_token_validity::v1::Response> {
+	// TODO: ratelimit this pretty heavily
+
+	let valid = services
+		.registration_tokens
+		.validate_token(body.token.clone())
+		.await
+		.is_some();
+
+	Ok(check_registration_token_validity::v1::Response { valid })
+}
+
+/// Runs through all the deactivation steps:
+///
+/// - Mark as deactivated
+/// - Removing display name
+/// - Removing avatar URL and blurhash
+/// - Removing all profile data
+/// - Leaving all rooms (and forgets all of them)
+pub async fn full_user_deactivate(
+	services: &Services,
+	user_id: &UserId,
+	all_joined_rooms: &[OwnedRoomId],
+) -> Result<()> {
+	services.users.deactivate_account(user_id).await.ok();
+
+	if services.globals.user_is_local(user_id) {
+		let _ = services
+			.threepid
+			.disassociate_localpart_email(user_id.localpart())
+			.await;
+	}
+
+	services
+		.users
+		.all_profile_keys(user_id)
+		.ready_for_each(|(profile_key, _)| {
+			services.users.set_profile_key(user_id, &profile_key, None);
+		})
+		.await;
+
+	// TODO: Rescind all user invites
+
+	let mut pdu_queue: Vec<(PduBuilder, &OwnedRoomId)> = Vec::new();
+
+	for room_id in all_joined_rooms {
+		let room_power_levels = services
+			.rooms
+			.state_accessor
+			.room_state_get_content::<RoomPowerLevelsEventContent>(
+				room_id,
+				&StateEventType::RoomPowerLevels,
+				"",
+			)
+			.await
+			.ok();
+
+		let user_can_demote_self =
+			room_power_levels
+				.as_ref()
+				.is_some_and(|power_levels_content| {
+					RoomPowerLevels::from(power_levels_content.clone())
+						.user_can_change_user_power_level(user_id, user_id)
+				}) || services
+				.rooms
+				.state_accessor
+				.room_state_get(room_id, &StateEventType::RoomCreate, "")
+				.await
+				.is_ok_and(|event| event.sender() == user_id);
+
+		if user_can_demote_self {
+			let mut power_levels_content = room_power_levels.unwrap_or_default();
+			power_levels_content.users.remove(user_id);
+			let pl_evt = PduBuilder::state(String::new(), &power_levels_content);
+			pdu_queue.push((pl_evt, room_id));
+		}
+
+		// Leave the room
+		pdu_queue.push((
+			PduBuilder::state(user_id.to_string(), &RoomMemberEventContent {
+				avatar_url: None,
+				blurhash: None,
+				membership: MembershipState::Leave,
+				displayname: None,
+				join_authorized_via_users_server: None,
+				reason: None,
+				is_direct: None,
+				third_party_invite: None,
+				redact_events: None,
+			}),
+			room_id,
+		));
+
+		// TODO: Redact all messages sent by the user in the room
+	}
+
+	super::update_all_rooms(services, pdu_queue, user_id).await;
+	for room_id in all_joined_rooms {
+		services.rooms.state_cache.forget(room_id, user_id);
+	}
+
+	Ok(())
+}

src/api/client/account/register.rs

@@ -0,0 +1,601 @@
+use std::{collections::HashMap, fmt::Write};
+
+use axum::extract::State;
+use axum_client_ip::InsecureClientIp;
+use conduwuit::{
+	Err, Result, debug_info, error, info,
+	utils::{self},
+	warn,
+};
+use conduwuit_service::Services;
+use futures::{FutureExt, StreamExt};
+use lettre::{Address, message::Mailbox};
+use register::RegistrationKind;
+use ruma::{
+	OwnedUserId, UserId,
+	api::client::{
+		account::{
+			register::{self, LoginType},
+			request_registration_token_via_email,
+		},
+		uiaa::{AuthFlow, AuthType},
+	},
+	events::{GlobalAccountDataEventType, room::message::RoomMessageEventContent},
+	push,
+};
+use serde_json::value::RawValue;
+use service::mailer::messages;
+
+use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH, join_room_by_id_helper};
+use crate::Ruma;
+
+const RANDOM_USER_ID_LENGTH: usize = 10;
+
+/// # `POST /_matrix/client/v3/register`
+///
+/// Register an account on this homeserver.
+///
+/// You can use [`GET
+/// /_matrix/client/v3/register/available`](fn.get_register_available_route.
+/// html) to check if the user id is valid and available.
+///
+/// - Only works if registration is enabled
+/// - If type is guest: ignores all parameters except
+///   initial_device_display_name
+/// - If sender is not appservice: Requires UIAA (but we only use a dummy stage)
+/// - If type is not guest and no username is given: Always fails after UIAA
+///   check
+/// - Creates a new account and populates it with default account data
+/// - If `inhibit_login` is false: Creates a device and returns device id and
+///   access_token
+#[allow(clippy::doc_markdown)]
+#[tracing::instrument(skip_all, fields(%client), name = "register", level = "info")]
+pub(crate) async fn register_route(
+	State(services): State<crate::State>,
+	InsecureClientIp(client): InsecureClientIp,
+	body: Ruma<register::v3::Request>,
+) -> Result<register::v3::Response> {
+	let is_guest = body.kind == RegistrationKind::Guest;
+	let emergency_mode_enabled = services.config.emergency_password.is_some();
+
+	// Allow registration if it's enabled in the config file or if this is the first
+	// run (so the first user account can be created)
+	let allow_registration =
+		services.config.allow_registration || services.firstrun.is_first_run();
+
+	if !allow_registration && body.appservice_info.is_none() {
+		match (body.username.as_ref(), body.initial_device_display_name.as_ref()) {
+			| (Some(username), Some(device_display_name)) => {
+				info!(
+					%is_guest,
+					user = %username,
+					device_name = %device_display_name,
+					"Rejecting registration attempt as registration is disabled"
+				);
+			},
+			| (Some(username), _) => {
+				info!(
+					%is_guest,
+					user = %username,
+					"Rejecting registration attempt as registration is disabled"
+				);
+			},
+			| (_, Some(device_display_name)) => {
+				info!(
+					%is_guest,
+					device_name = %device_display_name,
+					"Rejecting registration attempt as registration is disabled"
+				);
+			},
+			| (None, _) => {
+				info!(
+					%is_guest,
+					"Rejecting registration attempt as registration is disabled"
+				);
+			},
+		}
+
+		return Err!(Request(Forbidden(
+			"This server is not accepting registrations at this time."
+		)));
+	}
+
+	if is_guest && !services.config.allow_guest_registration {
+		info!(
+			"Guest registration disabled, rejecting guest registration attempt, initial device \
+			 name: \"{}\"",
+			body.initial_device_display_name.as_deref().unwrap_or("")
+		);
+		return Err!(Request(GuestAccessForbidden("Guest registration is disabled.")));
+	}
+
+	// forbid guests from registering if there is not a real admin user yet. give
+	// generic user error.
+	if is_guest && services.firstrun.is_first_run() {
+		warn!(
+			"Guest account attempted to register before a real admin user has been registered, \
+			 rejecting registration. Guest's initial device name: \"{}\"",
+			body.initial_device_display_name.as_deref().unwrap_or("")
+		);
+		return Err!(Request(Forbidden(
+			"This server is not accepting registrations at this time."
+		)));
+	}
+
+	// Appeservices and guests get to skip auth
+	let skip_auth = body.appservice_info.is_some() || is_guest;
+
+	let identity = if skip_auth {
+		// Appservices and guests have no identity
+		None
+	} else {
+		// Perform UIAA to determine the user's identity
+		let (flows, params) = create_registration_uiaa_session(&services).await?;
+
+		Some(
+			services
+				.uiaa
+				.authenticate(&body.auth, flows, params, None)
+				.await?,
+		)
+	};
+
+	// If the user didn't supply a username but did supply an email, use
+	// the email's user as their initial localpart to avoid falling back to
+	// a randomly generated localpart
+	let supplied_username = body.username.clone().or_else(|| {
+		if let Some(identity) = &identity
+			&& let Some(email) = &identity.email
+		{
+			Some(email.user().to_owned())
+		} else {
+			None
+		}
+	});
+
+	let user_id = determine_registration_user_id(
+		&services,
+		supplied_username,
+		is_guest,
+		emergency_mode_enabled,
+	)
+	.await?;
+
+	if body.body.login_type == Some(LoginType::ApplicationService) {
+		// For appservice logins, make sure that the user ID is in the appservice's
+		// namespace
+
+		match body.appservice_info {
+			| Some(ref info) =>
+				if !info.is_user_match(&user_id) && !emergency_mode_enabled {
+					return Err!(Request(Exclusive(
+						"Username is not in an appservice namespace."
+					)));
+				},
+			| _ => {
+				return Err!(Request(MissingToken("Missing appservice token.")));
+			},
+		}
+	} else if services.appservice.is_exclusive_user_id(&user_id).await && !emergency_mode_enabled
+	{
+		// For non-appservice logins, ban user IDs which are in an appservice's
+		// namespace (unless emergency mode is enabled)
+		return Err!(Request(Exclusive("Username is reserved by an appservice.")));
+	}
+
+	let password = if is_guest { None } else { body.password.as_deref() };
+
+	// Create user
+	services.users.create(&user_id, password, None).await?;
+
+	// Set an initial display name
+	let mut displayname = user_id.localpart().to_owned();
+
+	// Apply the new user displayname suffix, if it's set
+	if !services.globals.new_user_displayname_suffix().is_empty()
+		&& body.appservice_info.is_none()
+	{
+		write!(displayname, " {}", services.server.config.new_user_displayname_suffix)?;
+	}
+
+	services
+		.users
+		.set_displayname(&user_id, Some(displayname.clone()));
+
+	// Initial account data
+	services
+		.account_data
+		.update(
+			None,
+			&user_id,
+			GlobalAccountDataEventType::PushRules.to_string().into(),
+			&serde_json::to_value(ruma::events::push_rules::PushRulesEvent {
+				content: ruma::events::push_rules::PushRulesEventContent {
+					global: push::Ruleset::server_default(&user_id),
+				},
+			})?,
+		)
+		.await?;
+
+	// Generate new device id if the user didn't specify one
+	let no_device = body.inhibit_login
+		|| body
+			.appservice_info
+			.as_ref()
+			.is_some_and(|aps| aps.registration.device_management);
+
+	let (token, device) = if !no_device {
+		// Don't create a device for inhibited logins
+		let device_id = if is_guest { None } else { body.device_id.clone() }
+			.unwrap_or_else(|| utils::random_string(DEVICE_ID_LENGTH).into());
+
+		// Generate new token for the device
+		let new_token = utils::random_string(TOKEN_LENGTH);
+
+		// Create device for this account
+		services
+			.users
+			.create_device(
+				&user_id,
+				&device_id,
+				&new_token,
+				body.initial_device_display_name.clone(),
+				Some(client.to_string()),
+			)
+			.await?;
+		debug_info!(%user_id, %device_id, "User account was created");
+		(Some(new_token), Some(device_id))
+	} else {
+		(None, None)
+	};
+
+	// If the user registered with an email, associate it with their account.
+	if let Some(identity) = identity
+		&& let Some(email) = identity.email
+	{
+		// This may fail if the email is already in use, but we already check for that
+		// in `/requestToken`, so ignoring the error is acceptable here in the rare case
+		// that an email is sniped by another user between the `/requestToken` request
+		// and the `/register` request.
+		let _ = services
+			.threepid
+			.associate_localpart_email(user_id.localpart(), &email)
+			.await;
+	}
+
+	let device_display_name = body.initial_device_display_name.as_deref().unwrap_or("");
+
+	// log in conduit admin channel if a non-guest user registered
+	if body.appservice_info.is_none() && !is_guest {
+		if !device_display_name.is_empty() {
+			let notice = format!(
+				"New user \"{user_id}\" registered on this server from IP {client} and device \
+				 display name \"{device_display_name}\""
+			);
+
+			info!("{notice}");
+			if services.server.config.admin_room_notices {
+				services.admin.notice(&notice).await;
+			}
+		} else {
+			let notice = format!("New user \"{user_id}\" registered on this server.");
+
+			info!("{notice}");
+			if services.server.config.admin_room_notices {
+				services.admin.notice(&notice).await;
+			}
+		}
+	}
+
+	// log in conduit admin channel if a guest registered
+	if body.appservice_info.is_none() && is_guest && services.config.log_guest_registrations {
+		debug_info!("New guest user \"{user_id}\" registered on this server.");
+
+		if !device_display_name.is_empty() {
+			if services.server.config.admin_room_notices {
+				services
+					.admin
+					.notice(&format!(
+						"Guest user \"{user_id}\" with device display name \
+						 \"{device_display_name}\" registered on this server from IP {client}"
+					))
+					.await;
+			}
+		} else {
+			#[allow(clippy::collapsible_else_if)]
+			if services.server.config.admin_room_notices {
+				services
+					.admin
+					.notice(&format!(
+						"Guest user \"{user_id}\" with no device display name registered on \
+						 this server from IP {client}",
+					))
+					.await;
+			}
+		}
+	}
+
+	if !is_guest {
+		// Make the first user to register an administrator and disable first-run mode.
+		let was_first_user = services.firstrun.empower_first_user(&user_id).await?;
+
+		// If the registering user was not the first and we're suspending users on
+		// register, suspend them.
+		if !was_first_user && services.config.suspend_on_register {
+			// Note that we can still do auto joins for suspended users
+			services
+				.users
+				.suspend_account(&user_id, &services.globals.server_user)
+				.await;
+			// And send an @room notice to the admin room, to prompt admins to review the
+			// new user and ideally unsuspend them if deemed appropriate.
+			if services.server.config.admin_room_notices {
+				services
+					.admin
+					.send_loud_message(RoomMessageEventContent::text_plain(format!(
+						"User {user_id} has been suspended as they are not the first user on \
+						 this server. Please review and unsuspend them if appropriate."
+					)))
+					.await
+					.ok();
+			}
+		}
+	}
+
+	if body.appservice_info.is_none()
+		&& !services.server.config.auto_join_rooms.is_empty()
+		&& (services.config.allow_guests_auto_join_rooms || !is_guest)
+	{
+		for room in &services.server.config.auto_join_rooms {
+			let Ok(room_id) = services.rooms.alias.resolve(room).await else {
+				error!(
+					"Failed to resolve room alias to room ID when attempting to auto join \
+					 {room}, skipping"
+				);
+				continue;
+			};
+
+			if !services
+				.rooms
+				.state_cache
+				.server_in_room(services.globals.server_name(), &room_id)
+				.await
+			{
+				warn!(
+					"Skipping room {room} to automatically join as we have never joined before."
+				);
+				continue;
+			}
+
+			if let Some(room_server_name) = room.server_name() {
+				match join_room_by_id_helper(
+					&services,
+					&user_id,
+					&room_id,
+					Some("Automatically joining this room upon registration".to_owned()),
+					&[services.globals.server_name().to_owned(), room_server_name.to_owned()],
+					&body.appservice_info,
+				)
+				.boxed()
+				.await
+				{
+					| Err(e) => {
+						// don't return this error so we don't fail registrations
+						error!(
+							"Failed to automatically join room {room} for user {user_id}: {e}"
+						);
+					},
+					| _ => {
+						info!("Automatically joined room {room} for user {user_id}");
+					},
+				}
+			}
+		}
+	}
+
+	Ok(register::v3::Response {
+		access_token: token,
+		user_id,
+		device_id: device,
+		refresh_token: None,
+		expires_in: None,
+	})
+}
+
+/// Determine which flows and parameters should be presented when
+/// registering a new account.
+async fn create_registration_uiaa_session(
+	services: &Services,
+) -> Result<(Vec<AuthFlow>, Box<RawValue>)> {
+	let mut params = HashMap::<String, serde_json::Value>::new();
+
+	let flows = if services.firstrun.is_first_run() {
+		// Registration token forced while in first-run mode
+		vec![AuthFlow::new(vec![AuthType::RegistrationToken])]
+	} else {
+		let mut flows = vec![];
+
+		if services
+			.registration_tokens
+			.iterate_tokens()
+			.next()
+			.await
+			.is_some()
+		{
+			// Trusted registration flow with a token is available
+			let mut token_flow = AuthFlow::new(vec![AuthType::RegistrationToken]);
+
+			if let Some(smtp) = &services.config.smtp
+				&& smtp.require_email_for_token_registration
+			{
+				// Email is required for token registrations
+				token_flow.stages.push(AuthType::EmailIdentity);
+			}
+
+			flows.push(token_flow);
+		}
+
+		let mut untrusted_flow = AuthFlow::default();
+
+		if services.config.recaptcha_private_site_key.is_some() {
+			if let Some(pubkey) = &services.config.recaptcha_site_key {
+				// ReCaptcha is configured for untrusted registrations
+				untrusted_flow.stages.push(AuthType::ReCaptcha);
+
+				params.insert(
+					AuthType::ReCaptcha.as_str().to_owned(),
+					serde_json::json!({
+						"public_key": pubkey,
+					}),
+				);
+			}
+		}
+
+		if let Some(smtp) = &services.config.smtp
+			&& smtp.require_email_for_registration
+		{
+			// Email is required for untrusted registrations
+			untrusted_flow.stages.push(AuthType::EmailIdentity);
+		}
+
+		if !untrusted_flow.stages.is_empty() {
+			flows.push(untrusted_flow);
+		}
+
+		if flows.is_empty() {
+			// No flows are configured. Bail out by default
+			// unless open registration was explicitly enabled.
+			if !services
+				.config
+				.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
+			{
+				return Err!(Request(Forbidden(
+					"This server is not accepting registrations at this time."
+				)));
+			}
+
+			// We have open registration enabled (😧), provide a dummy flow
+			flows.push(AuthFlow::new(vec![AuthType::Dummy]));
+		}
+
+		flows
+	};
+
+	let params = serde_json::value::to_raw_value(&params).expect("params should be valid JSON");
+
+	Ok((flows, params))
+}
+
+async fn determine_registration_user_id(
+	services: &Services,
+	supplied_username: Option<String>,
+	is_guest: bool,
+	emergency_mode_enabled: bool,
+) -> Result<OwnedUserId> {
+	if let Some(supplied_username) = supplied_username
+		&& !is_guest
+	{
+		// The user gets to pick their username. Do some validation to make sure it's
+		// acceptable.
+
+		// Don't allow registration with forbidden usernames.
+		if services
+			.globals
+			.forbidden_usernames()
+			.is_match(&supplied_username)
+			&& !emergency_mode_enabled
+		{
+			return Err!(Request(Forbidden("Username is forbidden")));
+		}
+
+		// Create and validate the user ID
+		let user_id = match UserId::parse_with_server_name(
+			&supplied_username,
+			services.globals.server_name(),
+		) {
+			| Ok(user_id) => {
+				if let Err(e) = user_id.validate_strict() {
+					// Unless we are in emergency mode, we should follow synapse's behaviour on
+					// not allowing things like spaces and UTF-8 characters in usernames
+					if !emergency_mode_enabled {
+						return Err!(Request(InvalidUsername(debug_warn!(
+							"Username {supplied_username} contains disallowed characters or \
+							 spaces: {e}"
+						))));
+					}
+				}
+
+				// Don't allow registration with user IDs that aren't local
+				if !services.globals.user_is_local(&user_id) {
+					return Err!(Request(InvalidUsername(
+						"Username {supplied_username} is not local to this server"
+					)));
+				}
+
+				user_id
+			},
+			| Err(e) => {
+				return Err!(Request(InvalidUsername(debug_warn!(
+					"Username {supplied_username} is not valid: {e}"
+				))));
+			},
+		};
+
+		if services.users.exists(&user_id).await {
+			return Err!(Request(UserInUse("User ID is not available.")));
+		}
+
+		Ok(user_id)
+	} else {
+		// The user is a guest or didn't specify a username. Generate a username for
+		// them.
+
+		loop {
+			let user_id = UserId::parse_with_server_name(
+				utils::random_string(RANDOM_USER_ID_LENGTH).to_lowercase(),
+				services.globals.server_name(),
+			)
+			.unwrap();
+
+			if !services.users.exists(&user_id).await {
+				break Ok(user_id);
+			}
+		}
+	}
+}
+
+/// # `POST /_matrix/client/v3/register/email/requestToken`
+///
+/// Requests a validation email for the purpose of registering a new account.
+pub(crate) async fn request_registration_token_via_email_route(
+	State(services): State<crate::State>,
+	body: Ruma<request_registration_token_via_email::v3::Request>,
+) -> Result<request_registration_token_via_email::v3::Response> {
+	let Ok(email) = Address::try_from(body.email.clone()) else {
+		return Err!(Request(InvalidParam("Invalid email address.")));
+	};
+
+	if services
+		.threepid
+		.get_localpart_for_email(&email)
+		.await
+		.is_some()
+	{
+		return Err!(Request(ThreepidInUse("This email address is already in use.")));
+	}
+
+	let session = services
+		.threepid
+		.send_validation_email(
+			Mailbox::new(None, email),
+			|verification_link| messages::NewAccount {
+				server_name: services.config.server_name.as_ref(),
+				verification_link,
+			},
+			&body.client_secret,
+			body.send_attempt.try_into().unwrap(),
+		)
+		.await?;
+
+	Ok(request_registration_token_via_email::v3::Response::new(session))
+}

src/api/client/account/threepid.rs

@@ -0,0 +1,153 @@
+use std::time::SystemTime;
+
+use axum::extract::State;
+use conduwuit::{Err, Result, err};
+use lettre::{Address, message::Mailbox};
+use ruma::{
+	MilliSecondsSinceUnixEpoch,
+	api::client::account::{
+		ThirdPartyIdRemovalStatus, add_3pid, delete_3pid, get_3pids,
+		request_3pid_management_token_via_email, request_3pid_management_token_via_msisdn,
+	},
+	thirdparty::{Medium, ThirdPartyIdentifierInit},
+};
+use service::{mailer::messages, uiaa::Identity};
+
+use crate::Ruma;
+
+/// # `GET _matrix/client/v3/account/3pid`
+///
+/// Get a list of third party identifiers associated with this account.
+pub(crate) async fn third_party_route(
+	State(services): State<crate::State>,
+	body: Ruma<get_3pids::v3::Request>,
+) -> Result<get_3pids::v3::Response> {
+	let sender_user = body.sender_user();
+	let mut threepids = vec![];
+
+	if let Some(email) = services
+		.threepid
+		.get_email_for_localpart(sender_user.localpart())
+		.await
+	{
+		threepids.push(
+			ThirdPartyIdentifierInit {
+				address: email.to_string(),
+				medium: Medium::Email,
+				// We don't currently track these, and they aren't used for much
+				validated_at: MilliSecondsSinceUnixEpoch::now(),
+				added_at: MilliSecondsSinceUnixEpoch::from_system_time(SystemTime::UNIX_EPOCH)
+					.unwrap(),
+			}
+			.into(),
+		);
+	}
+
+	Ok(get_3pids::v3::Response::new(threepids))
+}
+
+/// # `POST /_matrix/client/v3/account/3pid/email/requestToken`
+///
+/// Requests a validation email for the purpose of changing an account's email.
+pub(crate) async fn request_3pid_management_token_via_email_route(
+	State(services): State<crate::State>,
+	body: Ruma<request_3pid_management_token_via_email::v3::Request>,
+) -> Result<request_3pid_management_token_via_email::v3::Response> {
+	let Ok(email) = Address::try_from(body.email.clone()) else {
+		return Err!(Request(InvalidParam("Invalid email address.")));
+	};
+
+	if services
+		.threepid
+		.get_localpart_for_email(&email)
+		.await
+		.is_some()
+	{
+		return Err!(Request(ThreepidInUse("This email address is already in use.")));
+	}
+
+	let session = services
+		.threepid
+		.send_validation_email(
+			Mailbox::new(None, email),
+			|verification_link| messages::ChangeEmail {
+				server_name: services.config.server_name.as_str(),
+				user_id: body.sender_user.as_deref(),
+				verification_link,
+			},
+			&body.client_secret,
+			body.send_attempt.try_into().unwrap(),
+		)
+		.await?;
+
+	Ok(request_3pid_management_token_via_email::v3::Response::new(session))
+}
+
+/// # `POST /_matrix/client/v3/account/3pid/msisdn/requestToken`
+///
+/// "This API should be used to request validation tokens when adding an email
+/// address to an account"
+///
+/// - 403 signals that The homeserver does not allow the third party identifier
+///   as a contact option.
+pub(crate) async fn request_3pid_management_token_via_msisdn_route(
+	_body: Ruma<request_3pid_management_token_via_msisdn::v3::Request>,
+) -> Result<request_3pid_management_token_via_msisdn::v3::Response> {
+	Err!(Request(ThreepidMediumNotSupported(
+		"MSISDN third-party identifiers are not supported."
+	)))
+}
+
+/// # `POST /_matrix/client/v3/account/3pid/add`
+pub(crate) async fn add_3pid_route(
+	State(services): State<crate::State>,
+	body: Ruma<add_3pid::v3::Request>,
+) -> Result<add_3pid::v3::Response> {
+	let sender_user = body.sender_user();
+
+	// Require password auth to add an email
+	let _ = services
+		.uiaa
+		.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
+		.await?;
+
+	let email = services
+		.threepid
+		.consume_valid_session(&body.sid, &body.client_secret)
+		.await
+		.map_err(|message| err!(Request(ThreepidAuthFailed("{message}"))))?;
+
+	services
+		.threepid
+		.associate_localpart_email(sender_user.localpart(), &email)
+		.await?;
+
+	Ok(add_3pid::v3::Response::new())
+}
+
+/// # `POST /_matrix/client/v3/account/3pid/delete`
+pub(crate) async fn delete_3pid_route(
+	State(services): State<crate::State>,
+	body: Ruma<delete_3pid::v3::Request>,
+) -> Result<delete_3pid::v3::Response> {
+	let sender_user = body.sender_user();
+
+	if body.medium != Medium::Email {
+		return Ok(delete_3pid::v3::Response {
+			id_server_unbind_result: ThirdPartyIdRemovalStatus::NoSupport,
+		});
+	}
+
+	if services
+		.threepid
+		.disassociate_localpart_email(sender_user.localpart())
+		.await
+		.is_none()
+	{
+		return Err!(Request(ThreepidNotFound("Your account has no associated email.")));
+	}
+
+	Ok(delete_3pid::v3::Response {
+		id_server_unbind_result: ThirdPartyIdRemovalStatus::Success,
+	})
+}

src/api/client/capabilities.rs

@@ -30,8 +30,10 @@ pub(crate) async fn get_capabilities_route(
 		default: services.server.config.default_room_version.clone(),
 	};
 
-	// we do not implement 3PID stuff
+	// Only allow 3pid changes if SMTP is configured
-	capabilities.thirdparty_id_changes = ThirdPartyIdChangesCapability { enabled: false };
+	capabilities.thirdparty_id_changes = ThirdPartyIdChangesCapability {
+		enabled: services.mailer.mailer().is_some(),
+	};
 
 	capabilities.get_login_token = GetLoginTokenCapability {
 		enabled: services.server.config.login_via_existing_session,
@@ -51,7 +53,7 @@ pub(crate) async fn get_capabilities_route(
 		.await
 	{
 		// Advertise suspension API
-		capabilities.set("uk.timedout.msc4323", json!({"suspend":true, "lock": false}))?;
+		capabilities.set("uk.timedout.msc4323", json!({"suspend": true, "lock": false}))?;
 	}
 
 	Ok(get_capabilities::v3::Response { capabilities })

src/api/client/device.rs

@@ -1,17 +1,15 @@
 use axum::extract::State;
 use axum_client_ip::InsecureClientIp;
-use conduwuit::{Err, Error, Result, debug, err, utils};
+use conduwuit::{Err, Result, debug, err, utils};
 use futures::StreamExt;
 use ruma::{
 	MilliSecondsSinceUnixEpoch, OwnedDeviceId,
-	api::client::{
+	api::client::device::{
-		device::{self, delete_device, delete_devices, get_device, get_devices, update_device},
+		self, delete_device, delete_devices, get_device, get_devices, update_device,
-		error::ErrorKind,
-		uiaa::{AuthFlow, AuthType, UiaaInfo},
 	},
 };
+use service::uiaa::Identity;
 
-use super::SESSION_ID_LENGTH;
 use crate::{Ruma, client::DEVICE_ID_LENGTH};
 
 /// # `GET /_matrix/client/r0/devices`
@@ -123,7 +121,7 @@ pub(crate) async fn delete_device_route(
 	State(services): State<crate::State>,
 	body: Ruma<delete_device::v3::Request>,
 ) -> Result<delete_device::v3::Response> {
-	let (sender_user, sender_device) = body.sender();
+	let sender_user = body.sender_user();
 	let appservice = body.appservice_info.as_ref();
 
 	if appservice.is_some_and(|appservice| appservice.registration.device_management) {
@@ -139,41 +137,11 @@ pub(crate) async fn delete_device_route(
 		return Ok(delete_device::v3::Response {});
 	}
 
-	// UIAA
+	// Prompt the user to confirm with their password using UIAA
-	let mut uiaainfo = UiaaInfo {
+	let _ = services
-		flows: vec![AuthFlow { stages: vec![AuthType::Password] }],
+		.uiaa
-		completed: Vec::new(),
+		.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
-		params: Box::default(),
+		.await?;
-		session: None,
-		auth_error: None,
-	};
-
-	match &body.auth {
-		| Some(auth) => {
-			let (worked, uiaainfo) = services
-				.uiaa
-				.try_auth(sender_user, sender_device, auth, &uiaainfo)
-				.await?;
-
-			if !worked {
-				return Err!(Uiaa(uiaainfo));
-			}
-			// Success!
-		},
-		| _ => match body.json_body {
-			| Some(ref json) => {
-				uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
-				services
-					.uiaa
-					.create(sender_user, sender_device, &uiaainfo, json);
-
-				return Err!(Uiaa(uiaainfo));
-			},
-			| _ => {
-				return Err!(Request(NotJson("Not json.")));
-			},
-		},
-	}
 
 	services
 		.users
@@ -200,7 +168,7 @@ pub(crate) async fn delete_devices_route(
 	State(services): State<crate::State>,
 	body: Ruma<delete_devices::v3::Request>,
 ) -> Result<delete_devices::v3::Response> {
-	let (sender_user, sender_device) = body.sender();
+	let sender_user = body.sender_user();
 	let appservice = body.appservice_info.as_ref();
 
 	if appservice.is_some_and(|appservice| appservice.registration.device_management) {
@@ -215,41 +183,11 @@ pub(crate) async fn delete_devices_route(
 		return Ok(delete_devices::v3::Response {});
 	}
 
-	// UIAA
+	// Prompt the user to confirm with their password using UIAA
-	let mut uiaainfo = UiaaInfo {
+	let _ = services
-		flows: vec![AuthFlow { stages: vec![AuthType::Password] }],
+		.uiaa
-		completed: Vec::new(),
+		.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
-		params: Box::default(),
+		.await?;
-		session: None,
-		auth_error: None,
-	};
-
-	match &body.auth {
-		| Some(auth) => {
-			let (worked, uiaainfo) = services
-				.uiaa
-				.try_auth(sender_user, sender_device, auth, &uiaainfo)
-				.await?;
-
-			if !worked {
-				return Err(Error::Uiaa(uiaainfo));
-			}
-			// Success!
-		},
-		| _ => match body.json_body {
-			| Some(ref json) => {
-				uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
-				services
-					.uiaa
-					.create(sender_user, sender_device, &uiaainfo, json);
-
-				return Err(Error::Uiaa(uiaainfo));
-			},
-			| _ => {
-				return Err(Error::BadRequest(ErrorKind::NotJson, "Not json."));
-			},
-		},
-	}
 
 	for device_id in &body.devices {
 		services.users.remove_device(sender_user, device_id).await;

src/api/client/keys.rs

@@ -7,7 +7,6 @@ use axum::extract::State;
 use conduwuit::{
 	Err, Error, Result, debug, debug_warn, err,
 	result::NotFound,
-	utils,
 	utils::{IterStream, stream::WidebandExt},
 };
 use conduwuit_service::{Services, users::parse_master_key};
@@ -22,7 +21,6 @@ use ruma::{
 				upload_signatures::{self},
 				upload_signing_keys,
 			},
-			uiaa::{AuthFlow, AuthType, UiaaInfo},
 		},
 		federation,
 	},
@@ -30,8 +28,8 @@ use ruma::{
 	serde::Raw,
 };
 use serde_json::json;
+use service::uiaa::Identity;
 
-use super::SESSION_ID_LENGTH;
 use crate::Ruma;
 
 /// # `POST /_matrix/client/r0/keys/upload`
@@ -174,16 +172,7 @@ pub(crate) async fn upload_signing_keys_route(
 	State(services): State<crate::State>,
 	body: Ruma<upload_signing_keys::v3::Request>,
 ) -> Result<upload_signing_keys::v3::Response> {
-	let (sender_user, sender_device) = body.sender();
+	let sender_user = body.sender_user();
-
-	// UIAA
-	let mut uiaainfo = UiaaInfo {
-		flows: vec![AuthFlow { stages: vec![AuthType::Password] }],
-		completed: Vec::new(),
-		params: Box::default(),
-		session: None,
-		auth_error: None,
-	};
 
 	match check_for_new_keys(
 		services,
@@ -207,32 +196,10 @@ pub(crate) async fn upload_signing_keys_route(
 			// Some of the keys weren't found, so we let them upload
 		},
 		| _ => {
-			match &body.auth {
+			let _ = services
-				| Some(auth) => {
+				.uiaa
-					let (worked, uiaainfo) = services
+				.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
-						.uiaa
+				.await?;
-						.try_auth(sender_user, sender_device, auth, &uiaainfo)
-						.await?;
-
-					if !worked {
-						return Err(Error::Uiaa(uiaainfo));
-					}
-					// Success!
-				},
-				| _ => match body.json_body.as_ref() {
-					| Some(json) => {
-						uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
-						services
-							.uiaa
-							.create(sender_user, sender_device, &uiaainfo, json);
-
-						return Err(Error::Uiaa(uiaainfo));
-					},
-					| _ => {
-						return Err(Error::BadRequest(ErrorKind::NotJson, "Not json."));
-					},
-				},
-			}
 		},
 	}
 

src/api/client/mod.rs

@@ -92,6 +92,3 @@ const DEVICE_ID_LENGTH: usize = 10;
 
 /// generated user access token length
 const TOKEN_LENGTH: usize = 32;
-
-/// generated user session ID length
-const SESSION_ID_LENGTH: usize = service::uiaa::SESSION_ID_LENGTH;

src/api/client/session.rs

@@ -8,8 +8,9 @@ use conduwuit::{
 	warn,
 };
 use conduwuit_core::{debug_error, debug_warn};
-use conduwuit_service::{Services, uiaa::SESSION_ID_LENGTH};
+use conduwuit_service::Services;
 use futures::StreamExt;
+use lettre::Address;
 use ruma::{
 	OwnedUserId, UserId,
 	api::client::{
@@ -26,9 +27,10 @@ use ruma::{
 			},
 			logout, logout_all,
 		},
-		uiaa,
+		uiaa::UserIdentifier,
 	},
 };
+use service::uiaa::Identity;
 
 use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH};
 use crate::Ruma;
@@ -80,7 +82,7 @@ pub(crate) async fn password_login(
 			.password_hash(lowercased_user_id)
 			.await
 			.map(|hash| (hash, lowercased_user_id))
-			.map_err(|_| err!(Request(Forbidden("Wrong username or password."))))?,
+			.map_err(|_| err!(Request(Forbidden("Invalid identifier or password."))))?,
 	};
 
 	if hash.is_empty() {
@@ -89,7 +91,7 @@ pub(crate) async fn password_login(
 
 	hash::verify_password(password, &hash)
 		.inspect_err(|e| debug_error!("{e}"))
-		.map_err(|_| err!(Request(Forbidden("Wrong username or password."))))?;
+		.map_err(|_| err!(Request(Forbidden("Invalid identifier or password."))))?;
 
 	Ok(user_id.to_owned())
 }
@@ -161,28 +163,38 @@ pub(super) async fn ldap_login(
 
 pub(crate) async fn handle_login(
 	services: &Services,
-	body: &Ruma<login::v3::Request>,
+	identifier: Option<&UserIdentifier>,
-	identifier: Option<&uiaa::UserIdentifier>,
 	password: &str,
 	user: Option<&String>,
 ) -> Result<OwnedUserId> {
 	debug!("Got password login type");
+	let user_id_or_localpart = match (identifier, user) {
+		| (Some(UserIdentifier::UserIdOrLocalpart(localpart)), _) => localpart,
+		| (Some(UserIdentifier::Email { address }), _) => {
+			let email = Address::try_from(address.to_owned())
+				.map_err(|_| err!(Request(InvalidParam("Email is malformed"))))?;
+
+			&services
+				.threepid
+				.get_localpart_for_email(&email)
+				.await
+				.ok_or_else(|| err!(Request(Forbidden("Invalid identifier or password"))))?
+		},
+		| (None, Some(user)) => user,
+		| _ => {
+			return Err!(Request(InvalidParam("Identifier type not recognized")));
+		},
+	};
+
 	let user_id =
-				if let Some(uiaa::UserIdentifier::UserIdOrLocalpart(user_id)) = identifier {
+		UserId::parse_with_server_name(user_id_or_localpart, &services.config.server_name)
-					UserId::parse_with_server_name(user_id, &services.config.server_name)
+			.map_err(|_| err!(Request(InvalidUsername("User ID is malformed"))))?;
-				} else if let Some(user) = user {
-					UserId::parse_with_server_name(user, &services.config.server_name)
-				} else {
-					return Err!(Request(Unknown(
-						debug_warn!(?body.login_info, "Valid identifier or username was not provided (invalid or unsupported login type?)")
-					)));
-				}
-				.map_err(|e| err!(Request(InvalidUsername(warn!("Username is invalid: {e}")))))?;
 
 	let lowercased_user_id = UserId::parse_with_server_name(
 		user_id.localpart().to_lowercase(),
 		&services.config.server_name,
-	)?;
+	)
+	.unwrap();
 
 	if !services.globals.user_is_local(&user_id)
 		|| !services.globals.user_is_local(&lowercased_user_id)
@@ -244,7 +256,7 @@ pub(crate) async fn login_route(
 			password,
 			user,
 			..
-		}) => handle_login(&services, &body, identifier.as_ref(), password, user.as_ref()).await?,
+		}) => handle_login(&services, identifier.as_ref(), password, user.as_ref()).await?,
 		| login::v3::LoginInfo::Token(login::v3::Token { token }) => {
 			debug!("Got token login type");
 			if !services.server.config.login_via_existing_session {
@@ -264,7 +276,7 @@ pub(crate) async fn login_route(
 			};
 
 			let user_id =
-				if let Some(uiaa::UserIdentifier::UserIdOrLocalpart(user_id)) = identifier {
+				if let Some(UserIdentifier::UserIdOrLocalpart(user_id)) = identifier {
 					UserId::parse_with_server_name(user_id, &services.config.server_name)
 				} else if let Some(user) = user {
 					UserId::parse_with_server_name(user, &services.config.server_name)
@@ -273,7 +285,7 @@ pub(crate) async fn login_route(
 						debug_warn!(?body.login_info, "Valid identifier or username was not provided (invalid or unsupported login type?)")
 					)));
 				}
-				.map_err(|e| err!(Request(InvalidUsername(warn!("Username is invalid: {e}")))))?;
+				.map_err(|_| err!(Request(InvalidUsername(warn!("User ID is malformed")))))?;
 
 			if !services.globals.user_is_local(&user_id) {
 				return Err!(Request(Unknown("User ID does not belong to this homeserver")));
@@ -370,45 +382,13 @@ pub(crate) async fn login_token_route(
 		return Err!(Request(Forbidden("Login via an existing session is not enabled")));
 	}
 
-	// This route SHOULD have UIA
+	let sender_user = body.sender_user();
-	// TODO: How do we make only UIA sessions that have not been used before valid?
-	let (sender_user, sender_device) = body.sender();
 
-	let mut uiaainfo = uiaa::UiaaInfo {
+	// Prompt the user to confirm with their password using UIAA
-		flows: vec![uiaa::AuthFlow { stages: vec![uiaa::AuthType::Password] }],
+	let _ = services
-		completed: Vec::new(),
+		.uiaa
-		params: Box::default(),
+		.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
-		session: None,
+		.await?;
-		auth_error: None,
-	};
-
-	match &body.auth {
-		| Some(auth) => {
-			let (worked, uiaainfo) = services
-				.uiaa
-				.try_auth(sender_user, sender_device, auth, &uiaainfo)
-				.await?;
-
-			if !worked {
-				return Err(Error::Uiaa(uiaainfo));
-			}
-
-			// Success!
-		},
-		| _ => match body.json_body.as_ref() {
-			| Some(json) => {
-				uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
-				services
-					.uiaa
-					.create(sender_user, sender_device, &uiaainfo, json);
-
-				return Err(Error::Uiaa(uiaainfo));
-			},
-			| _ => {
-				return Err!(Request(NotJson("No JSON body was sent when required.")));
-			},
-		},
-	}
 
 	let login_token = utils::random_string(TOKEN_LENGTH);
 	let expires_in = services.users.create_login_token(sender_user, &login_token);

src/api/router.rs

@@ -28,7 +28,8 @@ pub fn build(router: Router<State>, server: &Server) -> Router<State> {
         .ruma_route(&client::appservice_ping)
 		.ruma_route(&client::get_supported_versions_route)
 		.ruma_route(&client::get_register_available_route)
-		.ruma_route(&client::register_route)
+		.ruma_route(&client::register::register_route)
+		.ruma_route(&client::register::request_registration_token_via_email_route)
 		.ruma_route(&client::get_login_types_route)
 		.ruma_route(&client::login_route)
 		.ruma_route(&client::login_token_route)
@@ -36,10 +37,13 @@ pub fn build(router: Router<State>, server: &Server) -> Router<State> {
 		.ruma_route(&client::logout_route)
 		.ruma_route(&client::logout_all_route)
 		.ruma_route(&client::change_password_route)
+		.ruma_route(&client::request_password_change_token_via_email_route)
 		.ruma_route(&client::deactivate_route)
-		.ruma_route(&client::third_party_route)
+		.ruma_route(&client::threepid::third_party_route)
-		.ruma_route(&client::request_3pid_management_token_via_email_route)
+		.ruma_route(&client::threepid::request_3pid_management_token_via_email_route)
-		.ruma_route(&client::request_3pid_management_token_via_msisdn_route)
+		.ruma_route(&client::threepid::request_3pid_management_token_via_msisdn_route)
+		.ruma_route(&client::threepid::add_3pid_route)
+		.ruma_route(&client::threepid::delete_3pid_route)
 		.ruma_route(&client::check_registration_token_validity)
 		.ruma_route(&client::get_capabilities_route)
 		.ruma_route(&client::get_pushrules_all_route)

src/api/router/args.rs

@@ -2,14 +2,13 @@ use std::{mem, ops::Deref};
 
 use axum::{body::Body, extract::FromRequest};
 use bytes::{BufMut, Bytes, BytesMut};
-use conduwuit::{Error, Result, debug, debug_warn, err, trace, utils::string::EMPTY};
+use conduwuit::{Error, Result, debug, debug_warn, err, trace};
 use ruma::{
 	CanonicalJsonObject, CanonicalJsonValue, DeviceId, OwnedDeviceId, OwnedServerName,
 	OwnedUserId, ServerName, UserId, api::IncomingRequest,
 };
-use service::Services;
 
-use super::{auth, auth::Auth, request, request::Request};
+use super::{auth, request, request::Request};
 use crate::{State, service::appservice::RegistrationInfo};
 
 /// Extractor for Ruma request structs
@@ -108,7 +107,7 @@ where
 		}
 		let auth = auth::auth(services, &mut request, json_body.as_ref(), &T::METADATA).await?;
 		Ok(Self {
-			body: make_body::<T>(services, &mut request, json_body.as_mut(), &auth)?,
+			body: make_body::<T>(&mut request, json_body.as_mut())?,
 			origin: auth.origin,
 			sender_user: auth.sender_user,
 			sender_device: auth.sender_device,
@@ -118,16 +117,11 @@ where
 	}
 }
 
-fn make_body<T>(
+fn make_body<T>(request: &mut Request, json_body: Option<&mut CanonicalJsonValue>) -> Result<T>
-	services: &Services,
-	request: &mut Request,
-	json_body: Option<&mut CanonicalJsonValue>,
-	auth: &Auth,
-) -> Result<T>
 where
 	T: IncomingRequest,
 {
-	let body = take_body(services, request, json_body, auth);
+	let body = take_body(request, json_body);
 	let http_request = into_http_request(request, body);
 	T::try_from_http_request(http_request, &request.path)
 		.map_err(|e| err!(Request(BadJson(debug_warn!("{e}")))))
@@ -151,38 +145,11 @@ fn into_http_request(request: &Request, body: Bytes) -> hyper::Request<Bytes> {
 }
 
 #[allow(clippy::needless_pass_by_value)]
-fn take_body(
+fn take_body(request: &mut Request, json_body: Option<&mut CanonicalJsonValue>) -> Bytes {
-	services: &Services,
-	request: &mut Request,
-	json_body: Option<&mut CanonicalJsonValue>,
-	auth: &Auth,
-) -> Bytes {
 	let Some(CanonicalJsonValue::Object(json_body)) = json_body else {
 		return mem::take(&mut request.body);
 	};
 
-	let user_id = auth.sender_user.clone().unwrap_or_else(|| {
-		let server_name = services.globals.server_name();
-		UserId::parse_with_server_name(EMPTY, server_name).expect("valid user_id")
-	});
-
-	let uiaa_request = json_body
-		.get("auth")
-		.and_then(CanonicalJsonValue::as_object)
-		.and_then(|auth| auth.get("session"))
-		.and_then(CanonicalJsonValue::as_str)
-		.and_then(|session| {
-			services
-				.uiaa
-				.get_uiaa_request(&user_id, auth.sender_device.as_deref(), session)
-		});
-
-	if let Some(CanonicalJsonValue::Object(initial_request)) = uiaa_request {
-		for (key, value) in initial_request {
-			json_body.entry(key).or_insert(value);
-		}
-	}
-
 	let mut buf = BytesMut::new().writer();
 	serde_json::to_writer(&mut buf, &json_body).expect("value serialization can't fail");
 	buf.into_inner().freeze()

src/core/Cargo.toml

@@ -84,6 +84,7 @@ libc.workspace = true
 libloading.workspace = true
 libloading.optional = true
 log.workspace = true
+lettre.workspace = true
 num-traits.workspace = true
 rand.workspace = true
 rand_core = { version = "0.6.4", features = ["getrandom"] }

src/core/config/mod.rs

@@ -16,6 +16,7 @@ use either::{
 };
 use figment::providers::{Env, Format, Toml};
 pub use figment::{Figment, value::Value as FigmentValue};
+use lettre::message::Mailbox;
 use regex::RegexSet;
 use ruma::{
 	OwnedRoomId, OwnedRoomOrAliasId, OwnedServerName, OwnedUserId, RoomVersionId,
@@ -68,6 +69,10 @@ pub struct Config {
 	///
 	/// Also see the `[global.well_known]` config section at the very bottom.
 	///
+	/// If `client` is not set under `[global.well_known]`, the server name will
+	/// be used as the base domain for user-facing links (such as password
+	/// reset links) created by Continuwuity.
+	///
 	/// Examples of delegation:
 	/// - https://continuwuity.org/.well-known/matrix/server
 	/// - https://continuwuity.org/.well-known/matrix/client
@@ -752,6 +757,9 @@ pub struct Config {
 	#[serde(default)]
 	pub well_known: WellKnownConfig,
 
+	/// display: nested
+	pub smtp: Option<SmtpConfig>,
+
 	/// Enable OpenTelemetry OTLP tracing export. This replaces the deprecated
 	/// Jaeger exporter. Traces will be sent via OTLP to a collector (such as
 	/// Jaeger) that supports the OpenTelemetry Protocol.
@@ -2089,6 +2097,13 @@ pub struct Config {
 	#[serde(default)]
 	pub force_disable_first_run_mode: bool,
 
+	/// Allow search engines and crawlers to index Continuwuity's built-in
+	/// webpages served under the `/_continuwuity/` prefix.
+	///
+	/// default: false
+	#[serde(default)]
+	pub allow_web_indexing: bool,
+
 	/// display: nested
 	#[serde(default)]
 	pub ldap: LdapConfig,
@@ -2429,6 +2444,52 @@ pub struct DraupnirConfig {
 	pub secret: String,
 }
 
+#[derive(Clone, Debug, Deserialize)]
+#[config_example_generator(
+	filename = "conduwuit-example.toml",
+	section = "global.smtp",
+	optional = "true"
+)]
+pub struct SmtpConfig {
+	/// A `smtp://`` URI which will be used to connect to a mail server.
+	/// Uncommenting the [global.smtp] group and setting this option enables
+	/// features which depend on the ability to send email,
+	/// such as self-service password resets.
+	///
+	/// For most modern mail servers, format the URI like this:
+	/// 	`smtps://username:password@hostname:port`
+	/// Note that you will need to URL-encode the username and password. If your
+	/// username _is_ your email address, you will need to replace the `@` with
+	/// `%40`.
+	///
+	/// For a guide on the accepted URI syntax, consult Lettre's documentation:
+	/// https://docs.rs/lettre/latest/lettre/transport/smtp/struct.AsyncSmtpTransport.html#method.from_url
+	pub connection_uri: String,
+
+	/// The outgoing address which will be used for sending emails.
+	///
+	/// For a syntax guide, see https://datatracker.ietf.org/doc/html/rfc2822#section-3.4
+	///
+	/// ...or if you don't want to read the RFC, for some reason:
+	/// - `Name <address@domain.org>` to specify a sender name
+	/// - `address@domain.org` to not use a name
+	pub sender: Mailbox,
+
+	/// Whether to require that users provide an email address when they
+	/// register.
+	///
+	/// default: false
+	#[serde(default)]
+	pub require_email_for_registration: bool,
+
+	/// Whether to require that users who register with a registration token
+	/// provide an email address.
+	///
+	/// default: false
+	#[serde(default)]
+	pub require_email_for_token_registration: bool,
+}
+
 const DEPRECATED_KEYS: &[&str] = &[
 	"cache_capacity",
 	"conduit_cache_capacity_modifier",

src/core/matrix/state_res/event_auth.rs

@@ -1224,6 +1224,7 @@ fn can_send_event(event: &impl Event, ple: Option<&impl Event>, user_level: Int)
 }
 
 /// Confirm that the event sender has the required power levels.
+#[allow(clippy::cognitive_complexity)]
 fn check_power_levels(
 	room_version: &RoomVersion,
 	power_event: &impl Event,

src/core/matrix/state_res/mod.rs

@@ -75,6 +75,7 @@ type Result<T, E = Error> = crate::Result<T, E>;
 /// event is part of the same room.
 //#[tracing::instrument(level = "debug", skip(state_sets, auth_chain_sets,
 //#[tracing::instrument(level event_fetch))]
+#[allow(clippy::cognitive_complexity)]
 pub async fn resolve<'a, Pdu, Sets, SetIter, Hasher, Fetch, FetchFut, Exists, ExistsFut>(
 	room_version: &RoomVersionId,
 	state_sets: Sets,

src/database/de.rs

@@ -415,13 +415,6 @@ impl<'a, 'de: 'a> de::Deserializer<'de> for &'a mut Deserializer<'de> {
 		tracing::instrument(level = "trace", skip_all, fields(?self.buf))
 	)]
 	fn deserialize_any<V: Visitor<'de>>(self, visitor: V) -> Result<V::Value> {
-		debug_assert_eq!(
-			conduwuit::debug::type_name::<V>(),
-			"serde_json::value::de::<impl serde_core::de::Deserialize for \
-			 serde_json::value::Value>::deserialize::ValueVisitor",
-			"deserialize_any: type not expected"
-		);
-
 		match self.record_peek_byte() {
 			| Some(b'{') => self.deserialize_map(visitor),
 			| Some(b'[') => serde_json::Deserializer::from_slice(self.record_next())

src/database/maps.rs

@@ -53,6 +53,10 @@ pub(super) static MAPS: &[Descriptor] = &[
 		name: "disabledroomids",
 		..descriptor::RANDOM_SMALL
 	},
+	Descriptor {
+		name: "email_localpart",
+		..descriptor::RANDOM_SMALL
+	},
 	Descriptor {
 		name: "eventid_outlierpdu",
 		cache_disp: CacheDisp::SharedWith("pduid_pdu"),
@@ -100,6 +104,10 @@ pub(super) static MAPS: &[Descriptor] = &[
 		name: "lazyloadedids",
 		..descriptor::RANDOM_SMALL
 	},
+	Descriptor {
+		name: "localpart_email",
+		..descriptor::RANDOM_SMALL
+	},
 	Descriptor {
 		name: "mediaid_file",
 		..descriptor::RANDOM_SMALL
@@ -112,6 +120,10 @@ pub(super) static MAPS: &[Descriptor] = &[
 		name: "onetimekeyid_onetimekeys",
 		..descriptor::RANDOM_SMALL
 	},
+	Descriptor {
+		name: "passwordresettoken_info",
+		..descriptor::RANDOM_SMALL
+	},
 	Descriptor {
 		name: "pduid_pdu",
 		cache_disp: CacheDisp::SharedWith("eventid_outlierpdu"),

src/router/router.rs

@@ -18,5 +18,5 @@ pub(crate) fn build(services: &Arc<Services>) -> (Router, Guard) {
 }
 
 async fn not_found(_uri: Uri) -> impl IntoResponse {
-	Error::Request(ErrorKind::Unrecognized, "Not Found".into(), StatusCode::NOT_FOUND)
+	Error::Request(ErrorKind::Unrecognized, "not found :(".into(), StatusCode::NOT_FOUND)
 }

src/service/Cargo.toml

@@ -91,6 +91,7 @@ conduwuit-database.workspace = true
 const-str.workspace = true
 either.workspace = true
 futures.workspace = true
+governor.workspace = true
 hickory-resolver.workspace = true
 http.workspace = true
 image.workspace = true
@@ -102,6 +103,7 @@ ldap3.optional = true
 log.workspace = true
 loole.workspace = true
 lru-cache.workspace = true
+nonzero_ext.workspace = true
 rand.workspace = true
 regex.workspace = true
 reqwest.workspace = true
@@ -121,8 +123,9 @@ webpage.workspace = true
 webpage.optional = true
 blurhash.workspace = true
 blurhash.optional = true
-recaptcha-verify = { version = "0.1.5", default-features = false }
+recaptcha-verify = { version = "0.2.0", default-features = false }
 yansi.workspace = true
+lettre.workspace = true
 
 [target.'cfg(all(unix, target_os = "linux"))'.dependencies]
 sd-notify.workspace = true

src/service/config/mod.rs

@@ -6,6 +6,7 @@ use conduwuit::{
 	config::{Config, check},
 	error, implement,
 };
+use url::Url;
 
 use crate::registration_tokens::{ValidToken, ValidTokenSource};
 
@@ -23,6 +24,18 @@ impl Service {
 			.clone()
 			.map(|token| ValidToken { token, source: ValidTokenSource::Config })
 	}
+
+	/// Get the base domain to use for user-facing URLs.
+	#[must_use]
+	pub fn get_client_domain(&self) -> Url {
+		self.well_known.client.clone().unwrap_or_else(|| {
+			let host = self.server_name.host();
+			format!("https://{host}")
+				.as_str()
+				.try_into()
+				.expect("server name should be a valid host")
+		})
+	}
 }
 
 #[async_trait]

src/service/firstrun/mod.rs

@@ -122,7 +122,7 @@ impl Service {
 	/// if they were not.
 	pub async fn empower_first_user(&self, user: &UserId) -> Result<bool> {
 		#[derive(Template)]
-		#[template(path = "welcome.md.j2")]
+		#[template(path = "welcome.md")]
 		struct WelcomeMessage<'a> {
 			config: &'a Dep<config::Service>,
 			domain: &'a str,
@@ -228,19 +228,34 @@ impl Service {
 				);
 			},
 		}
+
+		if self.services.config.suspend_on_register {
+			eprintln!(
+				"{} Accounts created after yours will be suspended, as set in your \
+				 configuration.",
+				"Your account will not be suspended when you register.".green()
+			);
+		}
+
+		if let Some(smtp) = &self.services.config.smtp {
+			if smtp.require_email_for_registration || smtp.require_email_for_token_registration {
+				eprintln!(
+					"{} Accounts created after yours may be required to provide an email \
+					 address, as set in your configuration.",
+					"You will not be asked for your email address when you register.".yellow(),
+				);
+			}
+			eprintln!(
+				"If you wish to associate an email address with your account, you may do so \
+				 after registration in your client's settings (if supported)."
+			);
+		}
+
 		eprintln!(
 			"{} https://matrix.org/ecosystem/clients/",
 			"Find a list of Matrix clients here:".bold()
 		);
 
-		if self.services.config.suspend_on_register {
-			eprintln!(
-				"{} Because you enabled suspend-on-register in your configuration, accounts \
-				 created after yours will be automatically suspended.",
-				"Your account will not be suspended when you register.".green()
-			);
-		}
-
 		if self
 			.services
 			.config

src/service/mailer/messages.rs

@@ -0,0 +1,49 @@
+use askama::Template;
+use ruma::UserId;
+
+pub trait MessageTemplate: Template {
+	fn subject(&self) -> String;
+}
+
+#[derive(Template)]
+#[template(path = "mail/change_email.txt")]
+pub struct ChangeEmail<'a> {
+	pub server_name: &'a str,
+	pub user_id: Option<&'a UserId>,
+	pub verification_link: String,
+}
+
+impl MessageTemplate for ChangeEmail<'_> {
+	fn subject(&self) -> String { "Verify your email address".to_owned() }
+}
+
+#[derive(Template)]
+#[template(path = "mail/new_account.txt")]
+pub struct NewAccount<'a> {
+	pub server_name: &'a str,
+	pub verification_link: String,
+}
+
+impl MessageTemplate for NewAccount<'_> {
+	fn subject(&self) -> String { "Create your new Matrix account".to_owned() }
+}
+
+#[derive(Template)]
+#[template(path = "mail/password_reset.txt")]
+pub struct PasswordReset<'a> {
+	pub display_name: Option<&'a str>,
+	pub user_id: &'a UserId,
+	pub verification_link: String,
+}
+
+impl MessageTemplate for PasswordReset<'_> {
+	fn subject(&self) -> String { format!("Password reset request for {}", &self.user_id) }
+}
+
+#[derive(Template)]
+#[template(path = "mail/test.txt")]
+pub struct Test;
+
+impl MessageTemplate for Test {
+	fn subject(&self) -> String { "Test message".to_owned() }
+}

src/service/mailer/mod.rs

@@ -0,0 +1,109 @@
+use std::sync::Arc;
+
+use conduwuit::{Err, Result, err, info};
+use lettre::{
+	AsyncSmtpTransport, AsyncTransport, Tokio1Executor,
+	message::{Mailbox, MessageBuilder, header::ContentType},
+};
+
+use crate::{Args, mailer::messages::MessageTemplate};
+
+pub mod messages;
+
+type Transport = AsyncSmtpTransport<Tokio1Executor>;
+type TransportError = lettre::transport::smtp::Error;
+
+pub struct Service {
+	transport: Option<(Mailbox, Transport)>,
+}
+
+#[async_trait::async_trait]
+impl crate::Service for Service {
+	fn build(args: Args<'_>) -> Result<Arc<Self>> {
+		let transport = args
+			.server
+			.config
+			.smtp
+			.as_ref()
+			.map(|config| {
+				Ok((config.sender.clone(), Transport::from_url(&config.connection_uri)?.build()))
+			})
+			.transpose()
+			.map_err(|err: TransportError| err!("Failed to set up SMTP transport: {err}"))?;
+
+		Ok(Arc::new(Self { transport }))
+	}
+
+	fn name(&self) -> &str { crate::service::make_name(std::module_path!()) }
+
+	async fn worker(self: Arc<Self>) -> Result<()> {
+		if let Some((_, ref transport)) = self.transport {
+			match transport.test_connection().await {
+				| Ok(true) => {
+					info!("SMTP connection test successful");
+					Ok(())
+				},
+				| Ok(false) => {
+					Err!("SMTP connection test failed")
+				},
+				| Err(err) => {
+					Err!("SMTP connection test failed: {err}")
+				},
+			}
+		} else {
+			info!("SMTP is not configured, email functionality will be unavailable");
+			Ok(())
+		}
+	}
+}
+
+impl Service {
+	/// Returns a mailer which allows email to be sent, if SMTP is configured.
+	#[must_use]
+	pub fn mailer(&self) -> Option<Mailer<'_>> {
+		self.transport
+			.as_ref()
+			.map(|(sender, transport)| Mailer { sender, transport })
+	}
+
+	pub fn expect_mailer(&self) -> Result<Mailer<'_>> {
+		self.mailer().ok_or_else(|| {
+			err!(Request(FeatureDisabled("This homeserver is not configured to send email.")))
+		})
+	}
+}
+
+pub struct Mailer<'a> {
+	sender: &'a Mailbox,
+	transport: &'a Transport,
+}
+
+impl Mailer<'_> {
+	/// Sends an email.
+	pub async fn send<Template: MessageTemplate>(
+		&self,
+		recipient: Mailbox,
+		message: Template,
+	) -> Result<()> {
+		let subject = message.subject();
+		let body = message
+			.render()
+			.map_err(|err| err!("Failed to render message template: {err}"))?;
+
+		let message = MessageBuilder::new()
+			.from(self.sender.clone())
+			.to(recipient)
+			.subject(subject)
+			.date_now()
+			.header(ContentType::TEXT_PLAIN)
+			.body(body)
+			.expect("should have been able to construct message");
+
+		self.transport
+			.send(message)
+			.await
+			.map_err(|err: TransportError| err!("Failed to send message: {err}"))?;
+
+		Ok(())
+	}
+}

src/service/mod.rs

@@ -21,8 +21,10 @@ pub mod federation;
 pub mod firstrun;
 pub mod globals;
 pub mod key_backups;
+pub mod mailer;
 pub mod media;
 pub mod moderation;
+pub mod password_reset;
 pub mod presence;
 pub mod pusher;
 pub mod registration_tokens;
@@ -31,6 +33,7 @@ pub mod rooms;
 pub mod sending;
 pub mod server_keys;
 pub mod sync;
+pub mod threepid;
 pub mod transactions;
 pub mod uiaa;
 pub mod users;

src/service/password_reset/data.rs

@@ -0,0 +1,68 @@
+use std::{
+	sync::Arc,
+	time::{Duration, SystemTime},
+};
+
+use conduwuit::utils::{ReadyExt, stream::TryExpect};
+use database::{Database, Deserialized, Json, Map};
+use ruma::{OwnedUserId, UserId};
+use serde::{Deserialize, Serialize};
+
+pub(super) struct Data {
+	passwordresettoken_info: Arc<Map>,
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+pub struct ResetTokenInfo {
+	pub user: OwnedUserId,
+	pub issued_at: SystemTime,
+}
+
+impl ResetTokenInfo {
+	// one hour
+	const MAX_TOKEN_AGE: Duration = Duration::from_secs(60 * 60);
+
+	pub fn is_valid(&self) -> bool {
+		let now = SystemTime::now();
+
+		now.duration_since(self.issued_at)
+			.is_ok_and(|duration| duration < Self::MAX_TOKEN_AGE)
+	}
+}
+
+impl Data {
+	pub(super) fn new(db: &Arc<Database>) -> Self {
+		Self {
+			passwordresettoken_info: db["passwordresettoken_info"].clone(),
+		}
+	}
+
+	/// Associate a reset token with its info in the database.
+	pub(super) fn save_token(&self, token: &str, info: &ResetTokenInfo) {
+		self.passwordresettoken_info.raw_put(token, Json(info));
+	}
+
+	/// Lookup the info for a reset token.
+	pub(super) async fn lookup_token_info(&self, token: &str) -> Option<ResetTokenInfo> {
+		self.passwordresettoken_info
+			.get(token)
+			.await
+			.deserialized()
+			.ok()
+	}
+
+	/// Find a user's existing reset token, if any.
+	pub(super) async fn find_token_for_user(
+		&self,
+		user: &UserId,
+	) -> Option<(String, ResetTokenInfo)> {
+		self.passwordresettoken_info
+			.stream::<'_, String, ResetTokenInfo>()
+			.expect_ok()
+			.ready_find(|(_, info)| info.user == user)
+			.await
+	}
+
+	/// Remove a reset token.
+	pub(super) fn remove_token(&self, token: &str) { self.passwordresettoken_info.remove(token); }
+}

src/service/password_reset/mod.rs

@@ -0,0 +1,120 @@
+mod data;
+
+use std::{sync::Arc, time::SystemTime};
+
+use conduwuit::{Err, Result, utils};
+use data::{Data, ResetTokenInfo};
+use ruma::OwnedUserId;
+
+use crate::{Dep, globals, users};
+
+pub const PASSWORD_RESET_PATH: &str = "/_continuwuity/account/reset_password";
+pub const RESET_TOKEN_QUERY_PARAM: &str = "token";
+const RESET_TOKEN_LENGTH: usize = 32;
+
+pub struct Service {
+	db: Data,
+	services: Services,
+}
+
+struct Services {
+	users: Dep<users::Service>,
+	globals: Dep<globals::Service>,
+}
+
+#[derive(Debug)]
+pub struct ValidResetToken {
+	pub token: String,
+	pub info: ResetTokenInfo,
+}
+
+impl crate::Service for Service {
+	fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
+		Ok(Arc::new(Self {
+			db: Data::new(args.db),
+			services: Services {
+				users: args.depend::<users::Service>("users"),
+				globals: args.depend::<globals::Service>("globals"),
+			},
+		}))
+	}
+
+	fn name(&self) -> &str { crate::service::make_name(std::module_path!()) }
+}
+
+impl Service {
+	/// Generate a random string suitable to be used as a password reset token.
+	#[must_use]
+	pub fn generate_token_string() -> String { utils::random_string(RESET_TOKEN_LENGTH) }
+
+	/// Issue a password reset token for `user`, who must be a local user with
+	/// the `password` origin.
+	pub async fn issue_token(&self, user_id: OwnedUserId) -> Result<ValidResetToken> {
+		if !self.services.globals.user_is_local(&user_id) {
+			return Err!("Cannot issue a password reset token for remote user {user_id}");
+		}
+
+		if user_id == self.services.globals.server_user {
+			return Err!("Cannot issue a password reset token for the server user");
+		}
+
+		if self
+			.services
+			.users
+			.origin(&user_id)
+			.await
+			.unwrap_or_else(|_| "password".to_owned())
+			!= "password"
+		{
+			return Err!("Cannot issue a password reset token for non-internal user {user_id}");
+		}
+
+		if self.services.users.is_deactivated(&user_id).await? {
+			return Err!("Cannot issue a password reset token for deactivated user {user_id}");
+		}
+
+		if let Some((existing_token, _)) = self.db.find_token_for_user(&user_id).await {
+			self.db.remove_token(&existing_token);
+		}
+
+		let token = Self::generate_token_string();
+		let info = ResetTokenInfo {
+			user: user_id,
+			issued_at: SystemTime::now(),
+		};
+
+		self.db.save_token(&token, &info);
+
+		Ok(ValidResetToken { token, info })
+	}
+
+	/// Check if `token` represents a valid, non-expired password reset token.
+	pub async fn check_token(&self, token: &str) -> Option<ValidResetToken> {
+		self.db.lookup_token_info(token).await.and_then(|info| {
+			if info.is_valid() {
+				Some(ValidResetToken { token: token.to_owned(), info })
+			} else {
+				self.db.remove_token(token);
+				None
+			}
+		})
+	}
+
+	/// Consume the supplied valid token, using it to change its user's password
+	/// to `new_password`.
+	pub async fn consume_token(
+		&self,
+		ValidResetToken { token, info }: ValidResetToken,
+		new_password: &str,
+	) -> Result<()> {
+		if info.is_valid() {
+			self.db.remove_token(&token);
+			self.services
+				.users
+				.set_password(&info.user, Some(new_password))
+				.await?;
+		}
+
+		Ok(())
+	}
+}

src/service/registration_tokens/mod.rs

@@ -13,8 +13,6 @@ use ruma::OwnedUserId;
 
 use crate::{Dep, config, firstrun};
 
-const RANDOM_TOKEN_LENGTH: usize = 16;
-
 pub struct Service {
 	db: Data,
 	services: Services,
@@ -103,9 +101,11 @@ impl crate::Service for Service {
 }
 
 impl Service {
+	const RANDOM_TOKEN_LENGTH: usize = 16;
+
 	/// Generate a random string suitable to be used as a registration token.
 	#[must_use]
-	pub fn generate_token_string() -> String { utils::random_string(RANDOM_TOKEN_LENGTH) }
+	pub fn generate_token_string() -> String { utils::random_string(Self::RANDOM_TOKEN_LENGTH) }
 
 	/// Issue a new registration token and save it in the database.
 	pub fn issue_token(

src/service/server_keys/acquire.rs

@@ -228,7 +228,7 @@ async fn acquire_notary_result(&self, missing: &mut Batch, server_keys: ServerSi
 	self.add_signing_keys(server_keys.clone()).await;
 
 	if let Some(key_ids) = missing.get_mut(server) {
-		key_ids.retain(|key_id| key_exists(&server_keys, key_id));
+		key_ids.retain(|key_id| !key_exists(&server_keys, key_id));
 		if key_ids.is_empty() {
 			missing.remove(server);
 		}

src/service/services.rs

@@ -9,12 +9,12 @@ use tokio::sync::Mutex;
 
 use crate::{
 	account_data, admin, announcements, antispam, appservice, client, config, emergency,
-	federation, firstrun, globals, key_backups,
+	federation, firstrun, globals, key_backups, mailer,
 	manager::Manager,
-	media, moderation, presence, pusher, registration_tokens, resolver, rooms, sending,
+	media, moderation, password_reset, presence, pusher, registration_tokens, resolver, rooms,
-	server_keys,
+	sending, server_keys,
 	service::{self, Args, Map, Service},
-	sync, transactions, uiaa, users,
+	sync, threepid, transactions, uiaa, users,
 };
 
 pub struct Services {
@@ -27,6 +27,8 @@ pub struct Services {
 	pub globals: Arc<globals::Service>,
 	pub key_backups: Arc<key_backups::Service>,
 	pub media: Arc<media::Service>,
+	pub password_reset: Arc<password_reset::Service>,
+	pub mailer: Arc<mailer::Service>,
 	pub presence: Arc<presence::Service>,
 	pub pusher: Arc<pusher::Service>,
 	pub registration_tokens: Arc<registration_tokens::Service>,
@@ -38,6 +40,7 @@ pub struct Services {
 	pub server_keys: Arc<server_keys::Service>,
 	pub sync: Arc<sync::Service>,
 	pub transactions: Arc<transactions::Service>,
+	pub threepid: Arc<threepid::Service>,
 	pub uiaa: Arc<uiaa::Service>,
 	pub users: Arc<users::Service>,
 	pub moderation: Arc<moderation::Service>,
@@ -81,6 +84,8 @@ impl Services {
 			globals: build!(globals::Service),
 			key_backups: build!(key_backups::Service),
 			media: build!(media::Service),
+			password_reset: build!(password_reset::Service),
+			mailer: build!(mailer::Service),
 			presence: build!(presence::Service),
 			pusher: build!(pusher::Service),
 			registration_tokens: build!(registration_tokens::Service),
@@ -110,6 +115,7 @@ impl Services {
 			sending: build!(sending::Service),
 			server_keys: build!(server_keys::Service),
 			sync: build!(sync::Service),
+			threepid: build!(threepid::Service),
 			transactions: build!(transactions::Service),
 			uiaa: build!(uiaa::Service),
 			users: build!(users::Service),

src/service/templates/mail/_base.txt

@@ -0,0 +1,3 @@
+{%- block content %}{% endblock %}
+
+Message sent by Continuwuity {{ env!("CARGO_PKG_VERSION") }}. 🐈

src/service/templates/mail/change_email.txt

@@ -0,0 +1,13 @@
+{% extends "_base.txt" %}
+
+{% block content -%}
+Hello!
+{% if let Some(user_id) = user_id -%}
+Somebody, probably you, tried to associate this email address with the Matrix account {{ user_id }}.
+{%- else -%}
+Somebody, probably you, tried to associate this email address with a Matrix account on {{ server_name }}.
+{%- endif %}
+If that was you, and this is your email address, click this link to proceed:
+    {{ verification_link }}
+Otherwise, you can ignore this email. The above link will expire in one hour.
+{%- endblock %}

src/service/templates/mail/new_account.txt

@@ -0,0 +1,10 @@
+{% extends "_base.txt" %}
+
+{% block content -%}
+Hello!
+
+Somebody, probably you, tried to create a Matrix account on {{ server_name }} using this email address.
+Use the link below to proceed with creating your account:
+    {{ verification_link }}
+If you are not trying to create an account, you can ignore this email. The above link will expire in one hour.
+{%- endblock %}

src/service/templates/mail/password_reset.txt

@@ -0,0 +1,14 @@
+{% extends "_base.txt" %}
+
+{% block content -%}
+{%- if let Some(display_name) = display_name -%}
+Hello {{ display_name }} ({{ user_id }}),
+{%- else -%}
+Hello {{ user_id }},
+{%- endif %}
+
+Somebody, probably you, tried to reset your Matrix account's password.
+If you requested for your password to be reset, click this link to proceed:
+    {{ verification_link }}
+Otherwise, you can ignore this email. The above link will expire in one hour.
+{%- endblock %}

src/service/templates/mail/test.txt

@@ -0,0 +1,5 @@
+{% extends "_base.txt" %}
+
+{% block content -%}
+If you're seeing this, SMTP is configured correctly. :3
+{%- endblock %}

src/service/threepid/mod.rs

@@ -0,0 +1,281 @@
+use std::{borrow::Cow, collections::HashMap, sync::Arc};
+
+use conduwuit::{Err, Error, Result, result::FlatOk};
+use database::{Deserialized, Map};
+use governor::{DefaultKeyedRateLimiter, Quota, RateLimiter};
+use lettre::{Address, message::Mailbox};
+use nonzero_ext::nonzero;
+use ruma::{
+	ClientSecret, OwnedClientSecret, OwnedSessionId, SessionId, api::client::error::ErrorKind,
+};
+
+mod session;
+
+use crate::{
+	Args, Dep, config,
+	mailer::{self, messages::MessageTemplate},
+	threepid::session::{ValidationSessions, ValidationState, ValidationToken},
+};
+
+pub struct Service {
+	db: Data,
+	services: Services,
+	sessions: tokio::sync::Mutex<ValidationSessions>,
+	send_attempts: std::sync::Mutex<HashMap<(OwnedClientSecret, Address), usize>>,
+	ratelimiter: DefaultKeyedRateLimiter<Address>,
+}
+
+struct Data {
+	localpart_email: Arc<Map>,
+	email_localpart: Arc<Map>,
+}
+
+struct Services {
+	config: Dep<config::Service>,
+	mailer: Dep<mailer::Service>,
+}
+
+impl crate::Service for Service {
+	fn build(args: Args<'_>) -> Result<Arc<Self>> {
+		Ok(Arc::new(Self {
+			db: Data {
+				email_localpart: args.db["email_localpart"].clone(),
+				localpart_email: args.db["localpart_email"].clone(),
+			},
+			services: Services {
+				config: args.depend("config"),
+				mailer: args.depend("mailer"),
+			},
+			sessions: tokio::sync::Mutex::default(),
+			send_attempts: std::sync::Mutex::default(),
+			ratelimiter: RateLimiter::keyed(Self::EMAIL_RATELIMIT),
+		}))
+	}
+
+	fn name(&self) -> &str { crate::service::make_name(std::module_path!()) }
+}
+
+impl Service {
+	// Each address gets two tickets to send an email, which refill at a rate of one
+	// per ten minutes. This allows two emails to be sent at once without waiting
+	// (in case the first one gets eaten), but requires a wait of at least ten
+	// minutes before sending another.
+	const EMAIL_RATELIMIT: Quota =
+		Quota::per_minute(nonzero!(10_u32)).allow_burst(nonzero!(2_u32));
+	const VALIDATION_URL_PATH: &str = "/_continuwuity/3pid/email/validate";
+
+	/// Send a validation message to an email address.
+	///
+	/// Returns the validation session ID on success.
+	#[allow(clippy::impl_trait_in_params)]
+	pub async fn send_validation_email<Template: MessageTemplate>(
+		&self,
+		recipient: Mailbox,
+		prepare_body: impl FnOnce(String) -> Template,
+		client_secret: &ClientSecret,
+		send_attempt: usize,
+	) -> Result<OwnedSessionId> {
+		let mailer = self.services.mailer.expect_mailer()?;
+		let mut sessions = self.sessions.lock().await;
+
+		let session = match sessions.get_session_by_client_secret(client_secret) {
+			// If a validation session already exists for this client secret, we can either
+			// reuse it with a new token or return early because it's already valid.
+			| Some(session) => {
+				match session.validation_state {
+					| ValidationState::Validated => {
+						// If the existing session is already valid, don't send an email.
+						return Ok(session.session_id.clone());
+					},
+					| ValidationState::Pending(ref mut token) => {
+						// Check ratelimiting for the target address.
+						if self.ratelimiter.check_key(&recipient.email).is_err() {
+							return Err(Error::BadRequest(
+								ErrorKind::LimitExceeded { retry_after: None },
+								"You're sending emails too fast, try again in a few minutes.",
+							));
+						}
+
+						// Check the send attempt for this session.
+						let mut send_attempts = self.send_attempts.lock().unwrap();
+
+						let last_send_attempt = send_attempts
+							.entry((session.client_secret.clone(), session.email.clone()))
+							.or_default();
+
+						if send_attempt <= *last_send_attempt {
+							// If the supplied send attempt isn't higher than the last
+							// one, don't send an email.
+							return Ok(session.session_id.clone());
+						}
+
+						// Save this send attempt.
+						*last_send_attempt = send_attempt;
+						drop(send_attempts);
+
+						// Create a new token for the existing session.
+						*token = ValidationToken::new_random();
+
+						session
+					},
+				}
+			},
+			// If no session exists, create a new one.
+			| None => sessions.create_session(recipient.email.clone(), client_secret.to_owned()),
+		};
+
+		// Clone this so it can outlive the lock we're holding on `sessions`
+		let session_id = session.session_id.clone();
+
+		let ValidationState::Pending(token) = &session.validation_state else {
+			unreachable!("session should be pending")
+		};
+
+		let mut validation_url = self
+			.services
+			.config
+			.get_client_domain()
+			.join(Self::VALIDATION_URL_PATH)
+			.unwrap();
+
+		validation_url
+			.query_pairs_mut()
+			.append_pair("session", session_id.as_str())
+			.append_pair("token", &token.token);
+
+		// Once the validation URL is built, we don't need any data borrowed from
+		// `sessions` anymore and can release our lock
+		drop(sessions);
+
+		let message = prepare_body(validation_url.to_string());
+
+		mailer.send(recipient, message).await?;
+
+		Ok(session_id)
+	}
+
+	/// Attempt to mark a validation session as valid using a validation token.
+	pub async fn try_validate_session(
+		&self,
+		session_id: &SessionId,
+		supplied_token: &str,
+	) -> Result<(), Cow<'static, str>> {
+		let mut sessions = self.sessions.lock().await;
+
+		let Some(session) = sessions.get_session(session_id) else {
+			return Err("Validation session does not exist".into());
+		};
+
+		session.validation_state = match &session.validation_state {
+			| ValidationState::Validated => {
+				// If the session is already validated, do nothing.
+
+				return Ok(());
+			},
+			| ValidationState::Pending(token) => {
+				// Otherwise check the token and mark the session as valid.
+
+				if *token != *supplied_token || !token.is_valid() {
+					return Err("Validation token is invalid or expired, please request a new \
+					            one"
+					.into());
+				}
+
+				ValidationState::Validated
+			},
+		};
+
+		Ok(())
+	}
+
+	/// Consume a validated validation session, removing it from the database
+	/// and returning the newly validated email address.
+	pub async fn consume_valid_session(
+		&self,
+		session_id: &SessionId,
+		client_secret: &ClientSecret,
+	) -> Result<Address, Cow<'static, str>> {
+		let mut sessions = self.sessions.lock().await;
+
+		let Some(session) = sessions.get_session(session_id) else {
+			return Err("Validation session does not exist".into());
+		};
+
+		if session.client_secret == client_secret
+			&& matches!(session.validation_state, ValidationState::Validated)
+		{
+			let session = sessions.remove_session(session_id);
+
+			Ok(session.email)
+		} else {
+			Err("This email address has not been validated. Did you use the link that was sent \
+			     to you?"
+				.into())
+		}
+	}
+
+	/// Associate a localpart with an email address.
+	pub async fn associate_localpart_email(
+		&self,
+		localpart: &str,
+		email: &Address,
+	) -> Result<()> {
+		match self.get_localpart_for_email(email).await {
+			| Some(existing_localpart) if existing_localpart != localpart => {
+				// Another account is already using the supplied email.
+
+				Err!(Request(ThreepidInUse("This email address is already in use.")))
+			},
+			| Some(_) => {
+				// The supplied localpart is already associated with the supplied email,
+				// no changes are necessary.
+				Ok(())
+			},
+			| None => {
+				// The supplied email is not already in use.
+
+				let email: &str = email.as_ref();
+				self.db.localpart_email.insert(localpart, email);
+				self.db.email_localpart.insert(email, localpart);
+				Ok(())
+			},
+		}
+	}
+
+	/// Given a localpart, remove its corresponding email address.
+	///
+	/// [`Self::get_localpart_for_email`] may be used if only the email is
+	/// known.
+	pub async fn disassociate_localpart_email(&self, localpart: &str) -> Option<Address> {
+		let email = self.get_email_for_localpart(localpart).await?;
+
+		self.db.localpart_email.remove(localpart);
+		self.db
+			.email_localpart
+			.remove(<Address as AsRef<str>>::as_ref(&email));
+
+		Some(email)
+	}
+
+	/// Get the email associated with a localpart, if one exists.
+	pub async fn get_email_for_localpart(&self, localpart: &str) -> Option<Address> {
+		self.db
+			.localpart_email
+			.get(localpart)
+			.await
+			.deserialized::<String>()
+			.ok()
+			.map(TryInto::try_into)
+			.flat_ok()
+	}
+
+	/// Get the localpart associated with an email, if one exists.
+	pub async fn get_localpart_for_email(&self, email: &Address) -> Option<String> {
+		self.db
+			.email_localpart
+			.get(<Address as AsRef<str>>::as_ref(email))
+			.await
+			.deserialized()
+			.ok()
+	}
+}

src/service/threepid/session.rs

@@ -0,0 +1,128 @@
+use std::{
+	collections::HashMap,
+	time::{Duration, SystemTime},
+};
+
+use conduwuit::utils;
+use lettre::Address;
+use ruma::{ClientSecret, OwnedClientSecret, OwnedSessionId, SessionId};
+
+#[derive(Default)]
+pub(super) struct ValidationSessions {
+	sessions: HashMap<OwnedSessionId, ValidationSession>,
+	client_secrets: HashMap<OwnedClientSecret, OwnedSessionId>,
+}
+
+/// A pending or completed email validation session.
+#[derive(Debug)]
+pub(crate) struct ValidationSession {
+	/// The session's ID
+	pub session_id: OwnedSessionId,
+	/// The client's supplied client secret
+	pub client_secret: OwnedClientSecret,
+	/// The email address which is being validated
+	pub email: Address,
+	/// The session's validation state
+	pub validation_state: ValidationState,
+}
+
+/// The state of an email validation session.
+#[derive(Debug)]
+pub(crate) enum ValidationState {
+	/// The session is waiting for this validation token to be provided
+	Pending(ValidationToken),
+	/// The session has been validated
+	Validated,
+}
+
+#[derive(Clone, Debug)]
+pub(crate) struct ValidationToken {
+	pub token: String,
+	pub issued_at: SystemTime,
+}
+
+impl ValidationToken {
+	// one hour
+	const MAX_TOKEN_AGE: Duration = Duration::from_secs(60 * 60);
+	const RANDOM_TOKEN_LENGTH: usize = 16;
+
+	pub(super) fn new_random() -> Self {
+		Self {
+			token: utils::random_string(Self::RANDOM_TOKEN_LENGTH),
+			issued_at: SystemTime::now(),
+		}
+	}
+
+	pub(crate) fn is_valid(&self) -> bool {
+		let now = SystemTime::now();
+
+		now.duration_since(self.issued_at)
+			.is_ok_and(|duration| duration < Self::MAX_TOKEN_AGE)
+	}
+}
+
+impl PartialEq<str> for ValidationToken {
+	fn eq(&self, other: &str) -> bool { self.token == other }
+}
+
+impl ValidationSessions {
+	const RANDOM_SID_LENGTH: usize = 16;
+
+	#[must_use]
+	pub(super) fn generate_session_id() -> OwnedSessionId {
+		OwnedSessionId::parse(utils::random_string(Self::RANDOM_SID_LENGTH)).unwrap()
+	}
+
+	pub(super) fn create_session(
+		&mut self,
+		email: Address,
+		client_secret: OwnedClientSecret,
+	) -> &mut ValidationSession {
+		let session = ValidationSession {
+			session_id: Self::generate_session_id(),
+			client_secret,
+			email,
+			validation_state: ValidationState::Pending(ValidationToken::new_random()),
+		};
+
+		self.client_secrets
+			.insert(session.client_secret.clone(), session.session_id.clone());
+		self.sessions
+			.entry(session.session_id.clone())
+			.insert_entry(session)
+			.into_mut()
+	}
+
+	pub(super) fn get_session(
+		&mut self,
+		session_id: &SessionId,
+	) -> Option<&mut ValidationSession> {
+		self.sessions.get_mut(session_id)
+	}
+
+	pub(super) fn get_session_by_client_secret(
+		&mut self,
+		client_secret: &ClientSecret,
+	) -> Option<&mut ValidationSession> {
+		let session_id = self.client_secrets.get(client_secret)?;
+		let session = self
+			.sessions
+			.get_mut(session_id)
+			.expect("session should exist with session id");
+
+		Some(session)
+	}
+
+	pub(super) fn remove_session(&mut self, session_id: &SessionId) -> ValidationSession {
+		let session = self
+			.sessions
+			.remove(session_id)
+			.expect("session ID should exist");
+
+		self.client_secrets
+			.remove(&session.client_secret)
+			.expect("session should have an associated client secret");
+
+		session
+	}
+}

src/service/uiaa/mod.rs

@@ -1,24 +1,29 @@
-use std::{collections::BTreeMap, sync::Arc};
+use std::{
-
+	borrow::Cow,
-use conduwuit::{
+	collections::{HashMap, HashSet, hash_map::Entry},
-	Err, Error, Result, SyncRwLock, err, error, implement, utils,
+	sync::Arc,
-	utils::{hash, string::EMPTY},
 };
-use database::{Deserialized, Json, Map};
+
+use conduwuit::{Err, Error, Result, error, utils, utils::hash};
+use lettre::Address;
 use ruma::{
-	CanonicalJsonValue, DeviceId, OwnedDeviceId, OwnedUserId, UserId,
+	UserId,
 	api::client::{
 		error::{ErrorKind, StandardErrorBody},
-		uiaa::{AuthData, AuthType, Password, UiaaInfo, UserIdentifier},
+		uiaa::{
+			AuthData, AuthFlow, AuthType, EmailIdentity, Password, ReCaptcha, RegistrationToken,
+			ThirdpartyIdCredentials, UiaaInfo, UserIdentifier,
+		},
 	},
 };
+use serde_json::value::RawValue;
+use tokio::sync::Mutex;
 
-use crate::{Dep, config, globals, registration_tokens, users};
+use crate::{Dep, config, globals, registration_tokens, threepid, users};
 
 pub struct Service {
-	userdevicesessionid_uiaarequest: SyncRwLock<RequestMap>,
-	db: Data,
 	services: Services,
+	uiaa_sessions: Mutex<HashMap<String, UiaaSession>>,
 }
 
 struct Services {
@@ -26,214 +31,191 @@ struct Services {
 	users: Dep<users::Service>,
 	config: Dep<config::Service>,
 	registration_tokens: Dep<registration_tokens::Service>,
+	threepid: Dep<threepid::Service>,
 }
 
-struct Data {
-	userdevicesessionid_uiaainfo: Arc<Map>,
-}
-
-type RequestMap = BTreeMap<RequestKey, CanonicalJsonValue>;
-type RequestKey = (OwnedUserId, OwnedDeviceId, String);
-
-pub const SESSION_ID_LENGTH: usize = 32;
-
 impl crate::Service for Service {
 	fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
 		Ok(Arc::new(Self {
-			userdevicesessionid_uiaarequest: SyncRwLock::new(RequestMap::new()),
-			db: Data {
-				userdevicesessionid_uiaainfo: args.db["userdevicesessionid_uiaainfo"].clone(),
-			},
 			services: Services {
 				globals: args.depend::<globals::Service>("globals"),
 				users: args.depend::<users::Service>("users"),
 				config: args.depend::<config::Service>("config"),
 				registration_tokens: args
 					.depend::<registration_tokens::Service>("registration_tokens"),
+				threepid: args.depend::<threepid::Service>("threepid"),
 			},
+			uiaa_sessions: Mutex::new(HashMap::new()),
 		}))
 	}
 
 	fn name(&self) -> &str { crate::service::make_name(std::module_path!()) }
 }
 
-/// Creates a new Uiaa session. Make sure the session token is unique.
+struct UiaaSession {
-#[implement(Service)]
+	info: UiaaInfo,
-pub fn create(
+	identity: Identity,
-	&self,
-	user_id: &UserId,
-	device_id: &DeviceId,
-	uiaainfo: &UiaaInfo,
-	json_body: &CanonicalJsonValue,
-) {
-	// TODO: better session error handling (why is uiaainfo.session optional in
-	// ruma?)
-	self.set_uiaa_request(
-		user_id,
-		device_id,
-		uiaainfo.session.as_ref().expect("session should be set"),
-		json_body,
-	);
-
-	self.update_uiaa_session(
-		user_id,
-		device_id,
-		uiaainfo.session.as_ref().expect("session should be set"),
-		Some(uiaainfo),
-	);
 }
 
-#[implement(Service)]
+/// Information about the authenticated user's identity.
-#[allow(clippy::useless_let_if_seq)]
+///
-pub async fn try_auth(
+/// A field of this struct will only be Some if the user completed
-	&self,
+/// a stage which provided that information. If multiple stages provide
-	user_id: &UserId,
+/// the same field, authentication will fail if they do not all provide
-	device_id: &DeviceId,
+/// _identical_ values for that field.
-	auth: &AuthData,
+#[derive(Default, Clone)]
-	uiaainfo: &UiaaInfo,
+pub struct Identity {
-) -> Result<(bool, UiaaInfo)> {
+	/// The authenticated user's user ID, if it could be determined.
-	let mut uiaainfo = if let Some(session) = auth.session() {
+	///
-		self.get_uiaa_session(user_id, device_id, session).await?
+	/// This will be Some if:
-	} else {
+	/// - The user completed a m.login.password stage
-		uiaainfo.clone()
+	/// - The user completed a m.login.email.identity stage, and their email has
-	};
+	///   an associated user ID
+	pub localpart: Option<String>,
 
-	if uiaainfo.session.is_none() {
+	/// The authenticated user's email address, if it could be determined.
-		uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
+	///
+	/// This will be Some if:
+	/// - The user completed a m.login.email.identity stage
+	/// - The user completed a m.login.password stage, and their user ID has an
+	///   associated email
+	pub email: Option<Address>,
+}
+
+macro_rules! identity_update_fn {
+	(fn $method:ident($field:ident : $type:ty)else $error:literal) => {
+		fn $method(&mut self, $field: $type) -> Result<(), StandardErrorBody> {
+			if self.$field.is_none() {
+				self.$field = Some($field);
+				Ok(())
+			} else if self.$field == Some($field) {
+				Ok(())
+			} else {
+				Err(StandardErrorBody {
+					kind: ErrorKind::InvalidParam,
+					message: $error.to_owned(),
+				})
+			}
+		}
+	};
+}
+
+impl Identity {
+	identity_update_fn!(fn try_set_localpart(localpart: String) else "User ID mismatch");
+
+	identity_update_fn!(fn try_set_email(email: Address) else "Email mismatch");
+
+	/// Create an Identity with the localpart of the provided user ID
+	/// and all other fields set to None.
+	#[must_use]
+	pub fn from_user_id(user_id: &UserId) -> Self {
+		Self {
+			localpart: Some(user_id.localpart().to_owned()),
+			..Default::default()
+		}
+	}
+}
+
+impl Service {
+	const SESSION_ID_LENGTH: usize = 32;
+
+	/// Perform the full UIAA authentication sequence for a route given its
+	/// authentication data.
+	pub async fn authenticate(
+		&self,
+		auth: &Option<AuthData>,
+		flows: Vec<AuthFlow>,
+		params: Box<RawValue>,
+		identity: Option<Identity>,
+	) -> Result<Identity> {
+		match auth.as_ref() {
+			| None => {
+				let info = self.create_session(flows, params, identity).await;
+
+				Err(Error::Uiaa(info))
+			},
+			| Some(auth) => {
+				let session: Cow<'_, str> = match auth.session() {
+					| Some(session) => session.into(),
+					| None => {
+						// Clients are allowed to send UIAA requests with an auth dict and no
+						// session if they want to start the UIAA exchange with existing
+						// authentication data. If that happens, we create a new session
+						// here.
+						self.create_session(flows, params, identity)
+							.await
+							.session
+							.unwrap()
+							.into()
+					},
+				};
+
+				match self.continue_session(auth, &session).await? {
+					| Ok(identity) => Ok(identity),
+					| Err(info) => Err(Error::Uiaa(info)),
+				}
+			},
+		}
 	}
 
-	match auth {
+	/// A helper to perform UIAA authentication with just a password stage.
-		// Find out what the user completed
+	#[inline]
-		| AuthData::Password(Password {
+	pub async fn authenticate_password(
-			identifier,
+		&self,
-			password,
+		auth: &Option<AuthData>,
-			#[cfg(feature = "element_hacks")]
+		identity: Option<Identity>,
-			user,
+	) -> Result<Identity> {
-			..
+		self.authenticate(
-		}) => {
+			auth,
-			#[cfg(feature = "element_hacks")]
+			vec![AuthFlow::new(vec![AuthType::Password])],
-			let username = if let Some(UserIdentifier::UserIdOrLocalpart(username)) = identifier {
+			Box::default(),
-				username
+			identity,
-			} else if let Some(username) = user {
+		)
-				username
+		.await
-			} else {
+	}
-				return Err(Error::BadRequest(
-					ErrorKind::Unrecognized,
-					"Identifier type not recognized.",
-				));
-			};
 
-			#[cfg(not(feature = "element_hacks"))]
+	/// Create a new UIAA session with a random session ID.
-			let Some(UserIdentifier::UserIdOrLocalpart(username)) = identifier else {
+	///
-				return Err(Error::BadRequest(
+	/// If information about the user's identity is already known, it may be
-					ErrorKind::Unrecognized,
+	/// supplied with the `identity` parameter. Authentication will fail if
-					"Identifier type not recognized.",
+	/// flows provide different values for known identity information.
-				));
+	///
-			};
+	/// Returns the info of the newly created session.
+	async fn create_session(
+		&self,
+		flows: Vec<AuthFlow>,
+		params: Box<RawValue>,
+		identity: Option<Identity>,
+	) -> UiaaInfo {
+		let mut uiaa_sessions = self.uiaa_sessions.lock().await;
 
-			let user_id_from_username = UserId::parse_with_server_name(
+		let session_id = utils::random_string(Self::SESSION_ID_LENGTH);
-				username.clone(),
+		let mut info = UiaaInfo::new(flows, params);
-				self.services.globals.server_name(),
+		info.session = Some(session_id.clone());
-			)
-			.map_err(|_| Error::BadRequest(ErrorKind::InvalidParam, "User ID is invalid."))?;
 
-			// Check if the access token being used matches the credentials used for UIAA
+		uiaa_sessions.insert(session_id, UiaaSession {
-			if user_id.localpart() != user_id_from_username.localpart() {
+			info: info.clone(),
-				return Err!(Request(Forbidden("User ID and access token mismatch.")));
+			identity: identity.unwrap_or_default(),
-			}
+		});
-			let user_id = user_id_from_username;
 
-			// Check if password is correct
+		info
-			let mut password_verified = false;
+	}
 
-			// First try local password hash verification
+	/// Proceed with UIAA authentication given a client's authorization data.
-			if let Ok(hash) = self.services.users.password_hash(&user_id).await {
+	async fn continue_session(
-				password_verified = hash::verify_password(password, &hash).is_ok();
+		&self,
-			}
+		auth: &AuthData,
+		session: &str,
+	) -> Result<Result<Identity, UiaaInfo>> {
+		// Hold this lock for the entire function to make sure that, if try_auth()
+		// is called concurrently with the same session, only one call will succeed
+		let mut uiaa_sessions = self.uiaa_sessions.lock().await;
 
-			// If local password verification failed, try LDAP authentication
+		let Entry::Occupied(mut session) = uiaa_sessions.entry(session.to_owned()) else {
-			#[cfg(feature = "ldap")]
+			return Err!(Request(InvalidParam("Invalid session")));
-			if !password_verified && self.services.config.ldap.enable {
+		};
-				// Search for user in LDAP to get their DN
-				if let Ok(dns) = self.services.users.search_ldap(&user_id).await {
-					if let Some((user_dn, _is_admin)) = dns.first() {
-						// Try to authenticate with LDAP
-						password_verified = self
-							.services
-							.users
-							.auth_ldap(user_dn, password)
-							.await
-							.is_ok();
-					}
-				}
-			}
 
-			if !password_verified {
+		if let &AuthData::FallbackAcknowledgement(_) = auth {
-				uiaainfo.auth_error = Some(StandardErrorBody {
-					kind: ErrorKind::forbidden(),
-					message: "Invalid username or password.".to_owned(),
-				});
-
-				return Ok((false, uiaainfo));
-			}
-
-			// Password was correct! Let's add it to `completed`
-			uiaainfo.completed.push(AuthType::Password);
-		},
-		| AuthData::ReCaptcha(r) => {
-			if self.services.config.recaptcha_private_site_key.is_none() {
-				return Err!(Request(Forbidden("ReCaptcha is not configured.")));
-			}
-			match recaptcha_verify::verify(
-				self.services
-					.config
-					.recaptcha_private_site_key
-					.as_ref()
-					.unwrap(),
-				r.response.as_str(),
-				None,
-			)
-			.await
-			{
-				| Ok(()) => {
-					uiaainfo.completed.push(AuthType::ReCaptcha);
-				},
-				| Err(e) => {
-					error!("ReCaptcha verification failed: {e:?}");
-					uiaainfo.auth_error = Some(StandardErrorBody {
-						kind: ErrorKind::forbidden(),
-						message: "ReCaptcha verification failed.".to_owned(),
-					});
-					return Ok((false, uiaainfo));
-				},
-			}
-		},
-		| AuthData::RegistrationToken(t) => {
-			let token = t.token.trim().to_owned();
-
-			if let Some(valid_token) = self
-				.services
-				.registration_tokens
-				.validate_token(token)
-				.await
-			{
-				self.services
-					.registration_tokens
-					.mark_token_as_used(valid_token);
-
-				uiaainfo.completed.push(AuthType::RegistrationToken);
-			} else {
-				uiaainfo.auth_error = Some(StandardErrorBody {
-					kind: ErrorKind::forbidden(),
-					message: "Invalid registration token.".to_owned(),
-				});
-				return Ok((false, uiaainfo));
-			}
-		},
-		| AuthData::Dummy(_) => {
-			uiaainfo.completed.push(AuthType::Dummy);
-		},
-		| AuthData::FallbackAcknowledgement(_) => {
 			// The client is checking if authentication has succeeded out-of-band. This is
 			// possible if the client is using "fallback auth" (see spec section
 			// 4.9.1.4), which we don't support (and probably never will, because it's a
@@ -241,109 +223,243 @@ pub async fn try_auth(
 
 			// Return early to tell the client that no, authentication did not succeed while
 			// it wasn't looking.
-			return Ok((false, uiaainfo));
+			return Ok(Err(session.get().info.clone()));
-		},
+		}
-		| k => error!("type not supported: {:?}", k),
+
-	}
+		let completed = {
-
+			let UiaaSession { info, identity } = session.get_mut();
-	// Check if a flow now succeeds
+
-	let mut completed = false;
+			let auth_type = auth.auth_type().expect("auth type should be set");
-	'flows: for flow in &mut uiaainfo.flows {
+
-		for stage in &flow.stages {
+			let flow_stages: Vec<HashSet<_>> = info
-			if !uiaainfo.completed.contains(stage) {
+				.flows
-				continue 'flows;
+				.iter()
-			}
+				.map(|flow| {
+					flow.stages
+						.iter()
+						.map(AuthType::as_str)
+						.map(ToOwned::to_owned)
+						.collect()
+				})
+				.collect();
+
+			let mut completed_stages: HashSet<_> = info
+				.completed
+				.iter()
+				.map(AuthType::as_str)
+				.map(ToOwned::to_owned)
+				.collect();
+
+			// Don't allow stages which aren't in any flows
+			if !flow_stages
+				.iter()
+				.any(|stages| stages.contains(auth_type.as_str()))
+			{
+				return Err!(Request(InvalidParam("No flows include the supplied stage")));
+			}
+
+			// If the provided stage hasn't already been completed, check it for completion
+			if !completed_stages.contains(auth_type.as_str()) {
+				match self.check_stage(auth, identity.clone()).await {
+					| Ok((completed_stage, updated_identity)) => {
+						info.auth_error = None;
+						completed_stages.insert(completed_stage.to_string());
+						info.completed.push(completed_stage);
+						*identity = updated_identity;
+					},
+					| Err(error) => {
+						info.auth_error = Some(error);
+					},
+				}
+			}
+
+			// UIAA is completed if all stages in any flow are completed
+			flow_stages
+				.iter()
+				.any(|stages| completed_stages.is_superset(stages))
+		};
+
+		if completed {
+			// This session is complete, remove it and return success
+			let (_, UiaaSession { identity, .. }) = session.remove_entry();
+
+			Ok(Ok(identity))
+		} else {
+			// The client needs to try again, return the updated session
+			Ok(Err(session.get().info.clone()))
 		}
-		// We didn't break, so this flow succeeded!
-		completed = true;
 	}
 
-	if !completed {
+	/// Check if the provided authentication data is valid.
-		self.update_uiaa_session(
+	///
-			user_id,
+	/// Returns the completed stage's type on success and error information on
-			device_id,
+	/// failure.
-			uiaainfo.session.as_ref().expect("session is always set"),
+	async fn check_stage(
-			Some(&uiaainfo),
+		&self,
-		);
+		auth: &AuthData,
+		mut identity: Identity,
+	) -> Result<(AuthType, Identity), StandardErrorBody> {
+		// Note: This function takes ownership of `identity` because mutations to the
+		// identity must not be applied unless checking the stage succeeds. The
+		// updated identity is returned as part of the Ok value, and
+		// `continue_session` handles saving it to `uiaa_sessions`.
+		//
+		// This also means it's fine to mutate `identity` at any point in this function,
+		// because those mutations won't be saved unless the function returns Ok.
 
-		return Ok((false, uiaainfo));
+		match auth {
-	}
+			| AuthData::Dummy(_) => Ok(AuthType::Dummy),
+			| AuthData::EmailIdentity(EmailIdentity {
+				thirdparty_id_creds: ThirdpartyIdCredentials { client_secret, sid, .. },
+				..
+			}) => {
+				match self
+					.services
+					.threepid
+					.consume_valid_session(sid, client_secret)
+					.await
+				{
+					| Ok(email) => {
+						if let Some(localpart) =
+							self.services.threepid.get_localpart_for_email(&email).await
+						{
+							identity.try_set_localpart(localpart)?;
+						}
 
-	// UIAA was successful! Remove this session and return true
+						identity.try_set_email(email)?;
-	self.update_uiaa_session(
-		user_id,
-		device_id,
-		uiaainfo.session.as_ref().expect("session is always set"),
-		None,
-	);
 
-	Ok((true, uiaainfo))
+						Ok(AuthType::EmailIdentity)
-}
+					},
+					| Err(message) => Err(StandardErrorBody {
+						kind: ErrorKind::ThreepidAuthFailed,
+						message: message.into_owned(),
+					}),
+				}
+			},
+			#[allow(clippy::useless_let_if_seq)]
+			| AuthData::Password(Password { identifier, password, .. }) => {
+				let user_id_or_localpart = match identifier {
+					| Some(UserIdentifier::UserIdOrLocalpart(username)) => username.to_owned(),
+					| Some(UserIdentifier::Email { address }) => {
+						let Ok(email) = Address::try_from(address.to_owned()) else {
+							return Err(StandardErrorBody {
+								kind: ErrorKind::InvalidParam,
+								message: "Email is malformed".to_owned(),
+							});
+						};
 
-#[implement(Service)]
+						if let Some(localpart) =
-fn set_uiaa_request(
+							self.services.threepid.get_localpart_for_email(&email).await
-	&self,
+						{
-	user_id: &UserId,
+							identity.try_set_email(email)?;
-	device_id: &DeviceId,
-	session: &str,
-	request: &CanonicalJsonValue,
-) {
-	let key = (user_id.to_owned(), device_id.to_owned(), session.to_owned());
-	self.userdevicesessionid_uiaarequest
-		.write()
-		.insert(key, request.to_owned());
-}
 
-#[implement(Service)]
+							localpart
-pub fn get_uiaa_request(
+						} else {
-	&self,
+							return Err(StandardErrorBody {
-	user_id: &UserId,
+								kind: ErrorKind::forbidden(),
-	device_id: Option<&DeviceId>,
+								message: "Invalid identifier or password".to_owned(),
-	session: &str,
+							});
-) -> Option<CanonicalJsonValue> {
+						}
-	let key = (
+					},
-		user_id.to_owned(),
+					| _ =>
-		device_id.unwrap_or_else(|| EMPTY.into()).to_owned(),
+						return Err(StandardErrorBody {
-		session.to_owned(),
+							kind: ErrorKind::Unrecognized,
-	);
+							message: "Identifier type not recognized".to_owned(),
+						}),
+				};
 
-	self.userdevicesessionid_uiaarequest
+				let Ok(user_id) = UserId::parse_with_server_name(
-		.read()
+					user_id_or_localpart,
-		.get(&key)
+					self.services.globals.server_name(),
-		.cloned()
+				) else {
-}
+					return Err(StandardErrorBody {
+						kind: ErrorKind::InvalidParam,
+						message: "User ID is malformed".to_owned(),
+					});
+				};
 
-#[implement(Service)]
+				// Check if password is correct
-fn update_uiaa_session(
+				let mut password_verified = false;
-	&self,
-	user_id: &UserId,
-	device_id: &DeviceId,
-	session: &str,
-	uiaainfo: Option<&UiaaInfo>,
-) {
-	let key = (user_id, device_id, session);
 
-	if let Some(uiaainfo) = uiaainfo {
+				// First try local password hash verification
-		self.db
+				if let Ok(hash) = self.services.users.password_hash(&user_id).await {
-			.userdevicesessionid_uiaainfo
+					password_verified = hash::verify_password(password, &hash).is_ok();
-			.put(key, Json(uiaainfo));
+				}
-	} else {
+
-		self.db.userdevicesessionid_uiaainfo.del(key);
+				// If local password verification failed, try LDAP authentication
+				#[cfg(feature = "ldap")]
+				if !password_verified && self.services.config.ldap.enable {
+					// Search for user in LDAP to get their DN
+					if let Ok(dns) = self.services.users.search_ldap(&user_id).await {
+						if let Some((user_dn, _is_admin)) = dns.first() {
+							// Try to authenticate with LDAP
+							password_verified = self
+								.services
+								.users
+								.auth_ldap(user_dn, password)
+								.await
+								.is_ok();
+						}
+					}
+				}
+
+				if password_verified {
+					identity.try_set_localpart(user_id.localpart().to_owned())?;
+
+					Ok(AuthType::Password)
+				} else {
+					Err(StandardErrorBody {
+						kind: ErrorKind::forbidden(),
+						message: "Invalid identifier or password".to_owned(),
+					})
+				}
+			},
+			| AuthData::ReCaptcha(ReCaptcha { response, .. }) => {
+				let Some(ref private_site_key) = self.services.config.recaptcha_private_site_key
+				else {
+					return Err(StandardErrorBody {
+						kind: ErrorKind::forbidden(),
+						message: "ReCaptcha is not configured".to_owned(),
+					});
+				};
+
+				match recaptcha_verify::verify_v3(private_site_key, response, None).await {
+					| Ok(()) => Ok(AuthType::ReCaptcha),
+					| Err(e) => {
+						error!("ReCaptcha verification failed: {e:?}");
+						Err(StandardErrorBody {
+							kind: ErrorKind::forbidden(),
+							message: "ReCaptcha verification failed".to_owned(),
+						})
+					},
+				}
+			},
+			| AuthData::RegistrationToken(RegistrationToken { token, .. }) => {
+				let token = token.trim().to_owned();
+
+				if let Some(valid_token) = self
+					.services
+					.registration_tokens
+					.validate_token(token)
+					.await
+				{
+					self.services
+						.registration_tokens
+						.mark_token_as_used(valid_token);
+
+					Ok(AuthType::RegistrationToken)
+				} else {
+					Err(StandardErrorBody {
+						kind: ErrorKind::forbidden(),
+						message: "Invalid registration token".to_owned(),
+					})
+				}
+			},
+			| _ => Err(StandardErrorBody {
+				kind: ErrorKind::Unrecognized,
+				message: "Unsupported stage type".into(),
+			}),
+		}
+		.map(|auth_type| (auth_type, identity))
 	}
 }
-
-#[implement(Service)]
-async fn get_uiaa_session(
-	&self,
-	user_id: &UserId,
-	device_id: &DeviceId,
-	session: &str,
-) -> Result<UiaaInfo> {
-	let key = (user_id, device_id, session);
-	self.db
-		.userdevicesessionid_uiaainfo
-		.qry(&key)
-		.await
-		.deserialized()
-		.map_err(|_| err!(Request(Forbidden("UIAA session does not exist."))))
-}

src/web/Cargo.toml

@@ -20,12 +20,25 @@ crate-type = [
 [dependencies]
 conduwuit-build-metadata.workspace = true
 conduwuit-service.workspace = true
+conduwuit-core.workspace = true
+async-trait.workspace = true
 askama.workspace = true
 axum.workspace = true
+axum-extra.workspace = true
+base64.workspace = true
 futures.workspace = true
 tracing.workspace = true
 rand.workspace = true
+ruma.workspace = true
 thiserror.workspace = true
+tower-http.workspace = true
+serde.workspace = true
+memory-serve = "2.1.0"
+validator = { version = "0.20.0", features = ["derive"] }
+tower-sec-fetch = { version = "0.1.2", features = ["tracing"] }
+
+[build-dependencies]
+memory-serve = "2.1.0"
 
 [lints]
 workspace = true

src/web/askama.toml

@@ -0,0 +1,2 @@
+[general]
+dirs = ["pages/templates"]

src/web/build.rs

@@ -0,0 +1 @@
+fn main() { memory_serve::load_directory("./pages/resources"); }

src/web/css/index.css

@@ -1,94 +0,0 @@
-:root {
-    color-scheme: light;
-    --font-stack: sans-serif;
-
-    --background-color: #fff;
-    --text-color: #000;
-
-    --bg: oklch(0.76 0.0854 317.27);
-    --panel-bg: oklch(0.91 0.042 317.27);
-
-    --name-lightness: 0.45;
-
-    @media (prefers-color-scheme: dark) {
-        color-scheme: dark;
-        --text-color: #fff;
-        --bg: oklch(0.15 0.042 317.27);
-        --panel-bg: oklch(0.24 0.03 317.27);
-
-        --name-lightness: 0.8;
-    }
-
-    --c1: oklch(0.44 0.177 353.06);
-    --c2: oklch(0.59 0.158 150.88);
-
-    --normal-font-size: 1rem;
-    --small-font-size: 0.8rem;
-}
-
-body {
-    color: var(--text-color);
-    font-family: var(--font-stack);
-    margin: 0;
-    padding: 0;
-    display: grid;
-    place-items: center;
-    min-height: 100vh;
-}
-
-html {
-    background-color: var(--bg);
-    background-image: linear-gradient(
-        70deg,
-        oklch(from var(--bg) l + 0.2 c h),
-        oklch(from var(--bg) l - 0.2 c h)
-    );
-    font-size: 16px;
-}
-
-.panel {
-    width: min(clamp(24rem, 12rem + 40vw, 48rem), calc(100vw - 3rem));
-    border-radius: 15px;
-    background-color: var(--panel-bg);
-    padding-inline: 1.5rem;
-    padding-block: 1rem;
-    box-shadow: 0 0.25em 0.375em hsla(0, 0%, 0%, 0.1);
-}
-
-@media (max-width: 24rem) {
-    .panel {
-        padding-inline: 0.25rem;
-        width: calc(100vw - 0.5rem);
-        border-radius: 0;
-        margin-block-start: 0.2rem;
-    }
-    main {
-        height: 100%;
-    }
-}
-
-footer {
-    padding-inline: 0.25rem;
-    height: max(fit-content, 2rem);
-}
-
-.project-name {
-    text-decoration: none;
-    background: linear-gradient(
-        130deg,
-        oklch(from var(--c1) var(--name-lightness) c h),
-        oklch(from var(--c2) var(--name-lightness) c h)
-    );
-    background-clip: text;
-    color: transparent;
-    filter: brightness(1.2);
-}
-
-b {
-    color: oklch(from var(--c2) var(--name-lightness) c h);
-}
-
-.logo {
-    width: 100%;
-    height: 64px;
-}

src/web/mod.rs

@@ -1,86 +1,114 @@
+use std::any::Any;
+
 use askama::Template;
 use axum::{
 	Router,
-	extract::State,
+	extract::rejection::{FormRejection, QueryRejection},
-	http::{StatusCode, header},
+	http::{HeaderValue, StatusCode, header},
 	response::{Html, IntoResponse, Response},
-	routing::get,
 };
-use conduwuit_build_metadata::{GIT_REMOTE_COMMIT_URL, GIT_REMOTE_WEB_URL, version_tag};
 use conduwuit_service::state;
+use tower_http::{catch_panic::CatchPanicLayer, set_header::SetResponseHeaderLayer};
+use tower_sec_fetch::SecFetchLayer;
 
-pub fn build() -> Router<state::State> {
+use crate::pages::TemplateContext;
-	Router::<state::State>::new()
-		.route("/", get(index_handler))
-		.route("/_continuwuity/logo.svg", get(logo_handler))
-}
 
-async fn index_handler(
+mod pages;
-	State(services): State<state::State>,
-) -> Result<impl IntoResponse, WebError> {
-	#[derive(Debug, Template)]
-	#[template(path = "index.html.j2")]
-	struct Index<'a> {
-		nonce: &'a str,
-		server_name: &'a str,
-		first_run: bool,
-	}
-	let nonce = rand::random::<u64>().to_string();
 
-	let template = Index {
+type State = state::State;
-		nonce: &nonce,
-		server_name: services.config.server_name.as_str(),
-		first_run: services.firstrun.is_first_run(),
-	};
-	Ok((
-		[(
-			header::CONTENT_SECURITY_POLICY,
-			format!("default-src 'nonce-{nonce}'; img-src 'self';"),
-		)],
-		Html(template.render()?),
-	))
-}
 
-async fn logo_handler() -> impl IntoResponse {
+const CATASTROPHIC_FAILURE: &str = "cat-astrophic failure! we couldn't even render the error template. \
-	(
+please contact the team @ https://continuwuity.org";
-		[(header::CONTENT_TYPE, "image/svg+xml")],
-		include_str!("templates/logo.svg").to_owned(),
-	)
-}
 
 #[derive(Debug, thiserror::Error)]
 enum WebError {
+	#[error("Failed to validate form body: {0}")]
+	ValidationError(#[from] validator::ValidationErrors),
+	#[error("{0}")]
+	QueryRejection(#[from] QueryRejection),
+	#[error("{0}")]
+	FormRejection(#[from] FormRejection),
+	#[error("{0}")]
+	BadRequest(String),
+
+	#[error("This page does not exist.")]
+	NotFound,
+
 	#[error("Failed to render template: {0}")]
 	Render(#[from] askama::Error),
+	#[error("{0}")]
+	InternalError(#[from] conduwuit_core::Error),
+	#[error("Request handler panicked! {0}")]
+	Panic(String),
 }
 
 impl IntoResponse for WebError {
 	fn into_response(self) -> Response {
 		#[derive(Debug, Template)]
 		#[template(path = "error.html.j2")]
-		struct Error<'a> {
+		struct Error {
-			nonce: &'a str,
+			error: WebError,
-			err: WebError,
+			status: StatusCode,
+			context: TemplateContext,
 		}
 
-		let nonce = rand::random::<u64>().to_string();
-
 		let status = match &self {
-			| Self::Render(_) => StatusCode::INTERNAL_SERVER_ERROR,
+			| Self::ValidationError(_)
+			| Self::BadRequest(_)
+			| Self::QueryRejection(_)
+			| Self::FormRejection(_) => StatusCode::BAD_REQUEST,
+			| Self::NotFound => StatusCode::NOT_FOUND,
+			| _ => StatusCode::INTERNAL_SERVER_ERROR,
 		};
-		let tmpl = Error { nonce: &nonce, err: self };
+
-		if let Ok(body) = tmpl.render() {
+		let template = Error {
-			(
+			error: self,
-				status,
+			status,
-				[(
+			context: TemplateContext {
-					header::CONTENT_SECURITY_POLICY,
+				// Statically set false to prevent error pages from being indexed.
-					format!("default-src 'none' 'nonce-{nonce}';"),
+				allow_indexing: false,
-				)],
+			},
-				Html(body),
+		};
-			)
+
-				.into_response()
+		if let Ok(body) = template.render() {
+			(status, Html(body)).into_response()
 		} else {
-			(status, "Something went wrong").into_response()
+			(status, CATASTROPHIC_FAILURE).into_response()
 		}
 	}
 }
+
+pub fn build() -> Router<state::State> {
+	#[allow(clippy::wildcard_imports)]
+	use pages::*;
+
+	Router::new()
+		.merge(index::build())
+		.nest(
+			"/_continuwuity/",
+			Router::new()
+				.merge(resources::build())
+				.merge(password_reset::build())
+				.merge(debug::build())
+				.merge(threepid::build())
+				.fallback(async || WebError::NotFound),
+		)
+		.layer(CatchPanicLayer::custom(|panic: Box<dyn Any + Send + 'static>| {
+			let details = if let Some(s) = panic.downcast_ref::<String>() {
+				s.clone()
+			} else if let Some(s) = panic.downcast_ref::<&str>() {
+				(*s).to_owned()
+			} else {
+				"(opaque panic payload)".to_owned()
+			};
+
+			WebError::Panic(details).into_response()
+		}))
+		.layer(SetResponseHeaderLayer::if_not_present(
+			header::CONTENT_SECURITY_POLICY,
+			HeaderValue::from_static("default-src 'self'; img-src 'self' data:;"),
+		))
+		.layer(SecFetchLayer::new(|policy| {
+			policy.allow_safe_methods().reject_missing_metadata();
+		}))
+}

src/web/pages/components/form.rs

@@ -0,0 +1,98 @@
+use askama::{Template, filters::HtmlSafe};
+use validator::ValidationErrors;
+
+/// A reusable form component with field validation.
+#[derive(Debug, Template)]
+#[template(path = "_components/form.html.j2", print = "code")]
+pub(crate) struct Form<'a> {
+	pub inputs: Vec<FormInput<'a>>,
+	pub validation_errors: Option<ValidationErrors>,
+	pub submit_label: &'a str,
+}
+
+impl HtmlSafe for Form<'_> {}
+
+/// An input element in a form component.
+#[derive(Debug, Clone, Copy)]
+pub(crate) struct FormInput<'a> {
+	/// The field name of the input.
+	pub id: &'static str,
+	/// The `type` property of the input.
+	pub input_type: &'a str,
+	/// The contents of the input's label.
+	pub label: &'a str,
+	/// Whether the input is required. Defaults to `true`.
+	pub required: bool,
+	/// The autocomplete mode for the input. Defaults to `on`.
+	pub autocomplete: &'a str,
+
+	// This is a hack to make the form! macro's support for client-only fields
+	// work properly. Client-only fields are specified in the macro without a type and aren't
+	// included in the POST body or as a field in the generated struct.
+	// To keep the field from being included in the POST body, its `name` property needs not to
+	// be set in the template. Because of limitations of macro_rules!'s repetition feature, this
+	// field needs to exist to allow the template to check if the field is client-only.
+	#[doc(hidden)]
+	pub type_name: Option<&'static str>,
+}
+
+impl Default for FormInput<'_> {
+	fn default() -> Self {
+		Self {
+			id: "",
+			input_type: "text",
+			label: "",
+			required: true,
+			autocomplete: "",
+
+			type_name: None,
+		}
+	}
+}
+
+/// Generate a deserializable struct which may be turned into a [`Form`]
+/// for inclusion in another template.
+#[macro_export]
+macro_rules! form {
+    (
+        $(#[$struct_meta:meta])*
+        struct $struct_name:ident {
+            $(
+                $(#[$field_meta:meta])*
+                $name:ident$(: $type:ty)? where { $($prop:ident: $value:expr),* }
+            ),*
+
+            submit: $submit_label:expr
+        }
+    ) => {
+        #[derive(Debug, serde::Deserialize, validator::Validate)]
+        $(#[$struct_meta])*
+        struct $struct_name {
+            $(
+                $(#[$field_meta])*
+                $(pub $name: $type,)?
+            )*
+        }
+
+        impl $struct_name {
+            /// Generate a [`Form`] which matches the shape of this struct.
+            #[allow(clippy::needless_update)]
+            fn build(validation_errors: Option<validator::ValidationErrors>) -> $crate::pages::components::form::Form<'static> {
+                $crate::pages::components::form::Form {
+                    inputs: vec![
+                        $(
+                            $crate::pages::components::form::FormInput {
+                                id: stringify!($name),
+                                $(type_name: Some(stringify!($type)),)?
+                                $($prop: $value),*,
+                                ..Default::default()
+                            },
+                        )*
+                    ],
+                    validation_errors,
+                    submit_label: $submit_label,
+                }
+            }
+        }
+    };
+}

src/web/pages/components/mod.rs

@@ -0,0 +1,71 @@
+use askama::{Template, filters::HtmlSafe};
+use base64::Engine;
+use conduwuit_core::result::FlatOk;
+use conduwuit_service::Services;
+use ruma::UserId;
+
+pub(super) mod form;
+
+#[derive(Debug)]
+pub(super) enum AvatarType<'a> {
+	Initial(char),
+	Image(&'a str),
+}
+
+#[derive(Debug, Template)]
+#[template(path = "_components/avatar.html.j2")]
+pub(super) struct Avatar<'a> {
+	pub(super) avatar_type: AvatarType<'a>,
+}
+
+impl HtmlSafe for Avatar<'_> {}
+
+#[derive(Debug, Template)]
+#[template(path = "_components/user_card.html.j2")]
+pub(super) struct UserCard<'a> {
+	pub user_id: &'a UserId,
+	pub display_name: Option<String>,
+	pub avatar_src: Option<String>,
+}
+
+impl HtmlSafe for UserCard<'_> {}
+
+impl<'a> UserCard<'a> {
+	pub(super) async fn for_local_user(services: &Services, user_id: &'a UserId) -> Self {
+		let display_name = services.users.displayname(user_id).await.ok();
+
+		let avatar_src = async {
+			let avatar_url = services.users.avatar_url(user_id).await.ok()?;
+			let avatar_mxc = avatar_url.parts().ok()?;
+			let file = services.media.get(&avatar_mxc).await.flat_ok()?;
+
+			Some(format!(
+				"data:{};base64,{}",
+				file.content_type
+					.unwrap_or_else(|| "application/octet-stream".to_owned()),
+				file.content
+					.map(|content| base64::prelude::BASE64_STANDARD.encode(content))
+					.unwrap_or_default(),
+			))
+		}
+		.await;
+
+		Self { user_id, display_name, avatar_src }
+	}
+
+	fn avatar(&'a self) -> Avatar<'a> {
+		let avatar_type = if let Some(ref avatar_src) = self.avatar_src {
+			AvatarType::Image(avatar_src)
+		} else if let Some(initial) = self
+			.display_name
+			.as_ref()
+			.and_then(|display_name| display_name.chars().next())
+		{
+			AvatarType::Initial(initial)
+		} else {
+			AvatarType::Initial(self.user_id.localpart().chars().next().unwrap())
+		};
+
+		Avatar { avatar_type }
+	}
+}

src/web/pages/debug.rs

@@ -0,0 +1,17 @@
+use std::convert::Infallible;
+
+use axum::{Router, routing::get};
+use conduwuit_core::Error;
+
+use crate::WebError;
+
+pub(crate) fn build() -> Router<crate::State> {
+	Router::new()
+		.route("/_debug/panic", get(async || -> Infallible { panic!("Guru meditation error") }))
+		.route(
+			"/_debug/error",
+			get(async || -> WebError {
+				Error::Err(std::borrow::Cow::Borrowed("Guru meditation error")).into()
+			}),
+		)
+}

src/web/pages/index.rs

@@ -0,0 +1,25 @@
+use axum::{Router, extract::State, response::IntoResponse, routing::get};
+
+use crate::{WebError, template};
+
+pub(crate) fn build() -> Router<crate::State> {
+	Router::new()
+		.route("/", get(index))
+		.route("/_continuwuity/", get(index))
+}
+
+async fn index(State(services): State<crate::State>) -> Result<impl IntoResponse, WebError> {
+	template! {
+		struct Index<'a> use "index.html.j2" {
+			server_name: &'a str,
+			first_run: bool
+		}
+	}
+
+	Ok(Index::new(
+		&services,
+		services.globals.server_name().as_str(),
+		services.firstrun.is_first_run(),
+	)
+	.into_response())
+}

src/web/pages/mod.rs

@@ -0,0 +1,56 @@
+mod components;
+pub(super) mod debug;
+pub(super) mod index;
+pub(super) mod password_reset;
+pub(super) mod resources;
+pub(super) mod threepid;
+
+#[derive(Debug)]
+pub(crate) struct TemplateContext {
+	pub allow_indexing: bool,
+}
+
+impl From<&crate::State> for TemplateContext {
+	fn from(state: &crate::State) -> Self {
+		Self {
+			allow_indexing: state.config.allow_web_indexing,
+		}
+	}
+}
+
+#[macro_export]
+macro_rules! template {
+    (
+        struct $name:ident $(<$lifetime:lifetime>)? use $path:literal {
+            $($field_name:ident: $field_type:ty),*
+        }
+    ) => {
+        #[derive(Debug, askama::Template)]
+        #[template(path = $path)]
+        struct $name$(<$lifetime>)? {
+            context: $crate::pages::TemplateContext,
+            $($field_name: $field_type,)*
+        }
+
+        impl$(<$lifetime>)? $name$(<$lifetime>)? {
+            fn new(state: &$crate::State, $($field_name: $field_type,)*) -> Self {
+                Self {
+                    context: state.into(),
+                    $($field_name,)*
+                }
+            }
+        }
+
+        #[allow(single_use_lifetimes)]
+        impl$(<$lifetime>)? axum::response::IntoResponse for $name$(<$lifetime>)? {
+            fn into_response(self) -> axum::response::Response {
+                use askama::Template;
+
+                match self.render() {
+                    Ok(rendered) => axum::response::Html(rendered).into_response(),
+                    Err(err) => $crate::WebError::from(err).into_response()
+                }
+            }
+        }
+    };
+}

src/web/pages/password_reset.rs

@@ -0,0 +1,119 @@
+use axum::{
+	Router,
+	extract::{
+		Query, State,
+		rejection::{FormRejection, QueryRejection},
+	},
+	http::StatusCode,
+	response::{IntoResponse, Response},
+	routing::get,
+};
+use serde::Deserialize;
+use validator::Validate;
+
+use crate::{
+	WebError, form,
+	pages::components::{UserCard, form::Form},
+	template,
+};
+
+const INVALID_TOKEN_ERROR: &str = "Invalid reset token. Your reset link may have expired.";
+
+template! {
+	struct PasswordReset<'a> use "password_reset.html.j2" {
+		user_card: UserCard<'a>,
+		body: PasswordResetBody
+	}
+}
+
+#[derive(Debug)]
+enum PasswordResetBody {
+	Form(Form<'static>),
+	Success,
+}
+
+form! {
+	struct PasswordResetForm {
+		#[validate(length(min = 1, message = "Password cannot be empty"))]
+		new_password: String where {
+			input_type: "password",
+			label: "New password",
+			autocomplete: "new-password"
+		},
+
+		#[validate(must_match(other = "new_password", message = "Passwords must match"))]
+		confirm_new_password: String where {
+			input_type: "password",
+			label: "Confirm new password",
+			autocomplete: "new-password"
+		}
+
+		submit: "Reset Password"
+	}
+}
+
+pub(crate) fn build() -> Router<crate::State> {
+	Router::new()
+		.route("/account/reset_password", get(get_password_reset).post(post_password_reset))
+}
+
+#[derive(Deserialize)]
+struct PasswordResetQuery {
+	token: String,
+}
+
+async fn password_reset_form(
+	services: crate::State,
+	query: PasswordResetQuery,
+	reset_form: Form<'static>,
+) -> Result<impl IntoResponse, WebError> {
+	let Some(token) = services.password_reset.check_token(&query.token).await else {
+		return Err(WebError::BadRequest(INVALID_TOKEN_ERROR.to_owned()));
+	};
+
+	let user_card = UserCard::for_local_user(&services, &token.info.user).await;
+
+	Ok(PasswordReset::new(&services, user_card, PasswordResetBody::Form(reset_form))
+		.into_response())
+}
+
+async fn get_password_reset(
+	State(services): State<crate::State>,
+	query: Result<Query<PasswordResetQuery>, QueryRejection>,
+) -> Result<impl IntoResponse, WebError> {
+	let Query(query) = query?;
+
+	password_reset_form(services, query, PasswordResetForm::build(None)).await
+}
+
+async fn post_password_reset(
+	State(services): State<crate::State>,
+	query: Result<Query<PasswordResetQuery>, QueryRejection>,
+	form: Result<axum::Form<PasswordResetForm>, FormRejection>,
+) -> Result<Response, WebError> {
+	let Query(query) = query?;
+	let axum::Form(form) = form?;
+
+	match form.validate() {
+		| Ok(()) => {
+			let Some(token) = services.password_reset.check_token(&query.token).await else {
+				return Err(WebError::BadRequest(INVALID_TOKEN_ERROR.to_owned()));
+			};
+			let user_id = token.info.user.clone();
+
+			services
+				.password_reset
+				.consume_token(token, &form.new_password)
+				.await?;
+
+			let user_card = UserCard::for_local_user(&services, &user_id).await;
+			Ok(PasswordReset::new(&services, user_card, PasswordResetBody::Success)
+				.into_response())
+		},
+		| Err(err) => Ok((
+			StatusCode::BAD_REQUEST,
+			password_reset_form(services, query, PasswordResetForm::build(Some(err))).await,
+		)
+			.into_response()),
+	}
+}

src/web/pages/resources.rs

@@ -0,0 +1,9 @@
+use axum::Router;
+
+pub(crate) fn build() -> Router<crate::State> {
+	Router::new().nest(
+		"/resources/",
+		#[allow(unused_qualifications)]
+		memory_serve::load!().index_file(None).into_router(),
+	)
+}

src/web/pages/resources/common.css

@@ -0,0 +1,185 @@
+:root {
+    color-scheme: light;
+    --font-stack: sans-serif;
+
+    --background-color: #fff;
+    --text-color: #000;
+    --secondary: #666;
+    --bg: oklch(0.76 0.0854 317.27);
+    --panel-bg: oklch(0.91 0.042 317.27);
+    --c1: oklch(0.44 0.177 353.06);
+    --c2: oklch(0.59 0.158 150.88);
+
+    --name-lightness: 0.45;
+    --background-lightness: 0.9;
+
+    --background-gradient:
+        radial-gradient(42.12% 56.13% at 100% 0%, oklch(from var(--c2) var(--background-lightness) c h) 0%, #fff0 100%),
+        radial-gradient(42.01% 79.63% at 52.86% 0%, #d9ff5333 0%, #fff0 100%),
+        radial-gradient(79.67% 58.09% at 0% 0%, oklch(from var(--c1) var(--background-lightness) c h) 0%, #fff0 100%);
+
+    --normal-font-size: 1rem;
+    --small-font-size: 0.8rem;
+
+    --border-radius-sm: 5px;
+    --border-radius-lg: 15px;
+
+    @media (prefers-color-scheme: dark) {
+        color-scheme: dark;
+        --text-color: #fff;
+        --secondary: #888;
+        --bg: oklch(0.15 0.042 317.27);
+        --panel-bg: oklch(0.24 0.03 317.27);
+
+        --name-lightness: 0.8;
+        --background-lightness: 0.2;
+
+        --background-gradient:
+            radial-gradient(
+                42.12% 56.13% at 100% 0%,
+                oklch(from var(--c2) var(--background-lightness) c h) 0%,
+                #12121200 100%
+            ),
+            radial-gradient(55.81% 87.78% at 48.37% 0%, #000 0%, #12121200 89.55%),
+            radial-gradient(
+                122.65% 88.24% at 0% 0%,
+                oklch(from var(--c1) var(--background-lightness) c h) 0%,
+                #12121200 100%
+            );
+    }
+}
+
+* {
+    box-sizing: border-box;
+}
+
+body {
+    display: grid;
+    margin: 0;
+    padding: 0;
+    place-items: center;
+    min-height: 100vh;
+
+    color: var(--text-color);
+    font-family: var(--font-stack);
+    line-height: 1.5;
+}
+
+html {
+    background-color: var(--bg);
+    background-image: var(--background-gradient);
+    font-size: var(--normal-font-size);
+}
+
+footer {
+    padding-inline: 0.25rem;
+    height: max(fit-content, 2rem);
+
+    .logo {
+        width: 100%;
+        height: 64px;
+    }
+}
+
+p {
+    margin: 1rem 0;
+}
+
+em {
+    color: oklch(from var(--c2) var(--name-lightness) c h);
+    font-weight: bold;
+    font-style: normal;
+}
+
+small {
+    color: var(--secondary);
+}
+
+small.error {
+    display: block;
+    color: red;
+    font-size: small;
+    font-style: italic;
+    margin-bottom: 0.5rem;
+}
+
+.panel {
+    --preferred-width: 12rem + 40dvw;
+    --maximum-width: 48rem;
+
+    width: min(clamp(24rem, var(--preferred-width), var(--maximum-width)), calc(100dvw - 3rem));
+    border-radius: var(--border-radius-lg);
+    background-color: var(--panel-bg);
+    padding-inline: 1.5rem;
+    padding-block: 1rem;
+    box-shadow: 0 0.25em 0.375em hsla(0, 0%, 0%, 0.1);
+
+    &.narrow {
+        --preferred-width: 12rem + 20dvw;
+        --maximum-width: 36rem;
+
+        input, button {
+            width: 100%;
+        }
+    }
+}
+
+label {
+    display: block;
+}
+
+input, button {
+    display: inline-block;
+    padding: 0.5em;
+    margin-bottom: 0.5em;
+
+    font-size: inherit;
+    font-family: inherit;
+    color: white;
+    background-color: transparent;
+
+    border: none;
+    border-radius: var(--border-radius-sm);
+}
+
+input {
+    border: 2px solid var(--secondary);
+
+    &:focus-visible {
+        outline: 2px solid var(--c1);
+        border-color: transparent;
+    }
+}
+
+button {
+    background-color: var(--c1);
+    transition: opacity .2s;
+
+    &:enabled:hover {
+        opacity: 0.8;
+        cursor: pointer;
+    }
+}
+
+h1 {
+    margin-top: 0;
+    margin-bottom: 0.67em;
+}
+
+@media (max-width: 425px) {
+    main {
+        padding-block-start: 2rem;
+        width: 100%;
+    }
+
+    .panel {
+        border-radius: 0;
+        width: 100%;
+    }
+}
+
+@media (max-width: 799px) {
+    input, button {
+        width: 100%;
+    }
+}

src/web/pages/resources/components.css

@@ -0,0 +1,44 @@
+.avatar {
+    --avatar-size: 56px;
+
+    display: inline-block;
+    aspect-ratio: 1 / 1;
+    inline-size: var(--avatar-size);
+    border-radius: 50%;
+
+    text-align: center;
+    text-transform: uppercase;
+    font-size: calc(var(--avatar-size) * 0.5);
+    font-weight: 700;
+    line-height: calc(var(--avatar-size) - 2px);
+
+    color: oklch(from var(--c1) calc(l + 0.2) c h);
+    background-color: var(--c1);
+}
+
+.user-card {
+    display: flex;
+    flex-direction: row;
+    align-items: center;
+    gap: 16px;
+
+    background-color: oklch(from var(--panel-bg) calc(l - 0.05) c h);
+    border-radius: var(--border-radius-lg);
+    padding: 16px;
+
+    .info {
+        flex: 1 1;
+
+        p {
+            margin: 0;
+
+            &.display-name {
+                font-weight: 700;
+            }
+
+            &:nth-of-type(2) {
+                color: var(--secondary);
+            }
+        }
+    }
+}

src/web/pages/resources/error.css

@@ -0,0 +1,13 @@
+.k10y {
+    font-family: monospace;
+    font-size: x-small;
+    font-weight: 700;
+    transform: translate(1rem, 1.6rem);
+    color: var(--secondary);
+    user-select: none;
+}
+
+h1 {
+    display: flex;
+    align-items: center;
+}

src/web/pages/resources/index.css

@@ -0,0 +1,11 @@
+.project-name {
+    text-decoration: none;
+    background: linear-gradient(
+        130deg,
+        oklch(from var(--c1) var(--name-lightness) c h),
+        oklch(from var(--c2) var(--name-lightness) c h)
+    );
+    background-clip: text;
+    color: transparent;
+    filter: brightness(1.2);
+}

src/web/pages/resources/logo.svg

@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   width="447.99823"
+   height="447.99823"
+   viewBox="0 0 447.99823 447.99823"
+   version="1.1"
+   id="svg1"
+   xml:space="preserve"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg"><defs
+     id="defs1" /><g
+     id="layer1"
+     transform="translate(-32.000893,-32.000893)"><circle
+       style="fill:#9b4bd4;fill-opacity:1;stroke:#000000;stroke-width:10;stroke-dasharray:none;stroke-opacity:1"
+       id="path1"
+       cy="256"
+       cx="256"
+       r="176" /><path
+       style="fill:#de6cd3;fill-opacity:1;stroke:#000000;stroke-width:10;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
+       d="m 41,174 69,36 C 135,126 175,102 226,94 l -12,31 62,-44 -69,-44 15,30 C 128,69 84,109 41,172 Z"
+       id="path7" /><path
+       style="fill:#de6cd3;fill-opacity:1;stroke:#000000;stroke-width:10;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
+       d="m 338,41 -36,69 c 84,25 108,65 116,116 l -31,-12 44,62 44,-69 -30,15 C 443,128 403,84 340,41 Z"
+       id="path6" /><path
+       style="fill:#de6cd3;fill-opacity:1;stroke:#000000;stroke-width:10;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
+       d="m 471,338 -69,-36 c -25,84 -65,108 -116,116 l 12,-31 -62,44 69,44 -15,-30 c 94,-2 138,-42 181,-105 z"
+       id="path8" /><path
+       style="fill:#de6cd3;fill-opacity:1;stroke:#000000;stroke-width:10;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
+       d="m 174,471 36,-69 C 126,377 102,337 94,286 l 31,12 -44,-62 -44,69 30,-15 c 2,94 42,138 105,181 z"
+       id="path9" /><g
+       id="g15"
+       transform="translate(-5.4157688e-4)"><path
+         style="fill:none;stroke:#000000;stroke-width:10;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1;paint-order:normal"
+         d="m 155.45977,224.65379 c -7.25909,13.49567 -7.25909,26.09161 -6.35171,39.58729 0.90737,11.69626 12.7034,24.29222 24.49943,26.09164 21.77727,3.59884 28.12898,-20.69338 28.12898,-20.69338 0,0 4.53693,-15.29508 5.4443,-40.48699"
+         id="path11" /><path
+         style="fill:none;stroke:#000000;stroke-width:10;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1;paint-order:normal"
+         d="m 218.96706,278.05399 c 3.00446,17.12023 7.52704,24.88918 19.22704,28.48918 9,2.7 22.5,-4.5 22.5,-16.2 0.9,21.6 17.1,17.1 19.8,17.1 11.7,-1.8 18.9,-14.4 16.2,-30.6"
+         id="path12" /><path
+         style="fill:none;stroke:#000000;stroke-width:10;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1;paint-order:normal"
+         d="m 305.6941,230.94317 c 1.8,27 6.3,40.5 6.3,40.5 8.1,27 28.8,19.8 28.8,19.8 18.9,-7.2 22.5,-24.3 22.5,-30.6 0,-25.2 -6.3,-35.1 -6.3,-35.1"
+         id="path13" /></g></g></svg>

src/web/pages/templates/_components/avatar.html.j2

@@ -0,0 +1,6 @@
+{% match avatar_type %}
+    {% when AvatarType::Initial with (initial) %}
+    <span class="avatar" role="img">{{ initial }}</span>
+    {% when AvatarType::Image with (src) %}
+    <img class="avatar" src="{{ src }}">
+{% endmatch %}

src/web/pages/templates/_components/form.html.j2

@@ -0,0 +1,30 @@
+<form method="post">
+    {% let validation_errors = validation_errors.clone().unwrap_or_default() %}
+    {% let field_errors = validation_errors.field_errors() %}
+    {% for input in inputs %}
+        <p>
+            <label for="{{ input.id }}">{{ input.label }}</label>
+            {% let name = std::borrow::Cow::from(*input.id) %}
+            {% if let Some(errors) = field_errors.get(name) %}
+                {% for error in errors %}
+                    <small class="error">
+                        {% if let Some(message) = error.message %}
+                            {{ message }}
+                        {% else %}
+                            Mysterious validation error <code>{{ error.code }}</code>!
+                        {% endif %}
+                    </small>
+                {% endfor %}
+            {% endif %}
+            <input
+                type="{{ input.input_type }}"
+                id="{{ input.id }}"
+                autocomplete="{{ input.autocomplete }}"
+                {% if input.type_name.is_some() %}name="{{ input.id }}"{% endif %}
+                {% if input.required %}required{% endif %}
+            >
+        </p>
+    {% endfor %}
+
+    <button type="submit">{{ submit_label }}</button>
+</form>

src/web/pages/templates/_components/user_card.html.j2

@@ -0,0 +1,9 @@
+<div class="user-card">
+    {{ avatar() }}
+    <div class="info">
+        {% if let Some(display_name) = display_name %}
+        <p class="display-name">{{ display_name }}</p>
+        {% endif %}
+        <p class="user_id">{{ user_id }}</p>
+    </div>
+</div>

src/web/pages/templates/_layout.html.j2

@@ -5,23 +5,24 @@
     <meta charset="UTF-8" />
     <title>{% block title %}Continuwuity{% endblock %}</title>
     <meta name="viewport" content="width=device-width, initial-scale=1" />
+    {%- if !context.allow_indexing %}
+    <meta name="robots" content="noindex" />
+    {%- endif %}
 
-    <link rel="icon" href="/_continuwuity/logo.svg">
+    <link rel="icon" href="/_continuwuity/resources/logo.svg">
-    <style type="text/css" nonce="{{ nonce }}">
+    <link rel="stylesheet" href="/_continuwuity/resources/common.css">
-        /*<![CDATA[*/
+    <link rel="stylesheet" href="/_continuwuity/resources/components.css">
-            {{ include_str !("css/index.css") | safe }}
+    {% block head %}{% endblock %}
-        /*]]>*/
-    </style>
 </head>
 
 <body>
     <main>{%~ block content %}{% endblock ~%}</main>
     {%~ block footer ~%}
         <footer>
-            <img class="logo" src="/_continuwuity/logo.svg">
+            <img class="logo" src="/_continuwuity/resources/logo.svg">
             <p>Powered by <a href="https://continuwuity.org">Continuwuity</a> {{ env!("CARGO_PKG_VERSION") }}
-                {%~ if let Some(version_info) = self::version_tag() ~%}
+                {%~ if let Some(version_info) = conduwuit_build_metadata::version_tag() ~%}
-                    {%~ if let Some(url) = GIT_REMOTE_COMMIT_URL.or(GIT_REMOTE_WEB_URL) ~%}
+                    {%~ if let Some(url) = conduwuit_build_metadata::GIT_REMOTE_COMMIT_URL.or(conduwuit_build_metadata::GIT_REMOTE_WEB_URL) ~%}
                         (<a href="{{ url }}">{{ version_info }}</a>)
                     {%~ else ~%}
                         ({{ version_info }})

src/web/pages/templates/error.html.j2

@@ -0,0 +1,41 @@
+{% extends "_layout.html.j2" %}
+
+{%- block head -%}
+<link rel="stylesheet" href="/_continuwuity/resources/error.css">
+{%- endblock -%}
+
+{%- block title -%}
+🐈 Request Error
+{%- endblock -%}
+
+{%- block content -%}
+<pre class="k10y" aria-hidden>
+　　　 　  ／＞　　 フ
+　　　 　  | 　_　 _|
+　 　　  ／` ミ＿xノ
+　　 　 /　　　 　 |
+　　　 /　 ヽ　　 ﾉ
+　 　 │　　|　|　|
+　／￣|　　 |　|　|
+　| (￣ヽ＿_ヽ_)__)
+　＼二つ
+</pre>
+<div class="panel">
+    <h1>
+        {% if status == StatusCode::NOT_FOUND %}
+        Not found
+        {% else if status == StatusCode::INTERNAL_SERVER_ERROR %}
+        Internal server error
+        {% else %}
+        Bad request
+        {% endif %}
+    </h1>
+
+    {% if status == StatusCode::INTERNAL_SERVER_ERROR %}
+    <p>Please <a href="https://forgejo.ellis.link/continuwuation/continuwuity/issues/new">submit a bug report</a> 🥺</p>
+    {% endif %}
+
+    <pre><code>{{ error }}</code></pre>
+</div>
+
+{%- endblock -%}

src/web/pages/templates/index.html.j2

@@ -1,4 +1,9 @@
 {% extends "_layout.html.j2" %}
+
+{%- block head -%}
+<link rel="stylesheet" href="/_continuwuity/resources/index.css">
+{%- endblock -%}
+
 {%- block content -%}
 <div class="panel">
     <h1>
@@ -6,7 +11,7 @@
     </h1>
     <p>Continuwuity is successfully installed and working.</p>
     {%- if first_run %}
-    <p>To get started, <b>check the server logs</b> for instructions on how to create the first account.</p>
+    <p>To get started, <em>check the server logs</em> for instructions on how to create the first account.</p>
     <p>For support, take a look at the <a href="https://continuwuity.org/introduction">documentation</a> or join the <a href="https://matrix.to/#/#continuwuity:continuwuity.org?via=continuwuity.org&via=ellis.link&via=explodie.org&via=matrix.org">Continuwuity Matrix room</a>.</p>
     {%- else %}
     <p>To get started, <a href="https://matrix.org/ecosystem/clients">choose a client</a> and connect to <code>{{ server_name }}</code>.</p>

src/web/pages/templates/password_reset.html.j2

@@ -0,0 +1,18 @@
+{% extends "_layout.html.j2" %}
+
+{%- block title -%}
+Reset Password
+{%- endblock -%}
+
+{%- block content -%}
+<div class="panel narrow">
+    <h1>Reset Password</h1>
+    {{ user_card }}
+    {% match body %}
+        {% when PasswordResetBody::Form(reset_form) %}
+        {{ reset_form }}
+        {% when PasswordResetBody::Success %}
+        <p>Your password has been reset successfully.</p>
+    {% endmatch %}
+</div>
+{%- endblock -%}

src/web/pages/templates/threepid_validation.html.j2

@@ -0,0 +1,8 @@
+{% extends "_layout.html.j2" %}
+
+{%- block content -%}
+<div class="panel">
+    <h1>Email verification</h1>
+    <p>Your email address has been verified. Return to your Matrix client to continue.</p>
+</div>
+{%- endblock content -%}

src/web/pages/threepid.rs

@@ -0,0 +1,39 @@
+use axum::{
+	Router,
+	extract::{Query, State, rejection::QueryRejection},
+	response::IntoResponse,
+	routing::get,
+};
+use ruma::OwnedSessionId;
+use serde::Deserialize;
+
+use crate::{WebError, template};
+
+template! {
+	struct ThreepidValidation use "threepid_validation.html.j2" {}
+}
+
+pub(crate) fn build() -> Router<crate::State> {
+	Router::new().route("/3pid/email/validate", get(threepid_validation))
+}
+
+#[derive(Deserialize)]
+struct ThreepidValidationQuery {
+	session: OwnedSessionId,
+	token: String,
+}
+
+async fn threepid_validation(
+	State(services): State<crate::State>,
+	query: Result<Query<ThreepidValidationQuery>, QueryRejection>,
+) -> Result<impl IntoResponse, WebError> {
+	let Query(query) = query?;
+
+	services
+		.threepid
+		.try_validate_session(&query.session, &query.token)
+		.await
+		.map_err(|message| WebError::BadRequest(message.into_owned()))?;
+
+	Ok(ThreepidValidation::new(&services))
+}

src/web/templates/error.html.j2

@@ -1,20 +0,0 @@
-{% extends "_layout.html.j2" %}
-
-{%- block title -%}
-Server Error
-{%- endblock -%}
-
-{%- block content -%}
-<h1>
-    {%- match err -%}
-    {% else -%} 500: Internal Server Error
-    {%- endmatch -%}
-</h1>
-
-{%- match err -%}
-    {% when WebError::Render(err) -%}
-        <pre>{{ err }}</pre>
-    {% else -%} <p>An error occurred</p>
-{%- endmatch -%}
-
-{%- endblock -%}

src/web/templates/logo.svg

@@ -1 +0,0 @@
-../../../docs/public/assets/logo.svg